
jasper: 2.0.14 -> 2.0.16 #57681

Merged
merged 1 commit into from Mar 23, 2019

Conversation

pSub
Member

@pSub pSub commented Mar 15, 2019

Motivation for this change

Release 2.0.16 fixes CVE-2018-19539. Should be backported to 18.09 and 19.03

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ryantm
Member

ryantm commented Mar 15, 2019

@GrahamcOfBorg build jasper

@ryantm
Member

ryantm commented Mar 15, 2019

@pSub, please consider adding yourself to the GrahamcOfBorg known users so your PRs can be built automatically.

pSub added a commit to pSub/ofborg that referenced this pull request Mar 15, 2019
@pSub
Member Author

pSub commented Mar 15, 2019

@ryantm Thank you for the hint. I've done so NixOS/ofborg#330.

@andir
Member

andir commented Mar 23, 2019

@pSub Thanks for looking into this.

jasper looks a bit messy in general. I am tempted to argue for just marking it as insecure with the list of known vulnerabilities. (CVE-2018-18873 CVE-2018-19139 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541 CVE-2018-19542 CVE-2018-19543 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622 CVE-2018-9252).

Looking through the mentioned issues there seem to be a few more patches available and some that can be improved upon. (e.g. jasper-software/jasper#200, jasper-software/jasper#182, jasper-software/jasper#164).

I think we can safely merge and backport this change already but should keep an eye out for further patches and releases.

Member

@andir andir left a comment


Looks good, see my comment for some concerns / thoughts.

@pSub
Member Author

pSub commented Mar 23, 2019

@andir Thanks for your feedback. I'll keep an eye on jasper and mark it as insecure if the list of open vulnerabilities stays that long for the longer term.

@pSub pSub merged commit 923cfbd into staging Mar 23, 2019
@pSub pSub deleted the update-jasper branch March 23, 2019 13:19
@pSub
Member Author

pSub commented Mar 23, 2019

I've cherry-picked the commit into staging-{18.09, 19.03}.

@c0bw3b c0bw3b mentioned this pull request Nov 17, 2019