nghttp2: backport fix for CVE-2018-1000168 [18.03] #42888
backports commit nghttp2/nghttp2@b1bd603
@GrahamcOfBorg eval
@GrahamcOfBorg eval
@GrahamcOfBorg build nghttp2
Success on aarch64-linux. Attempted: nghttp2
Success on x86_64-linux. Attempted: nghttp2
At 24k rebuilds this fix should probably go to staging-18.03 first if we want to do it.
Success on x86_64-darwin. Attempted: nghttp2
Thanks!
backports commit nghttp2/nghttp2@b1bd603
This fixes CVE-2018-1000168 according to
https://security-tracker.debian.org/tracker/CVE-2018-1000168
cc #42883
I dropped the test part of the patch because the expression has doCheck = false.
The patch is copied into nixpkgs because fetchpatch depends on nghttp2 via curl, which creates a circular dependency.
I only tested compilation of nghttp2 and curl.