Skip to content

Vulnerability rollup 11 (WIP) #20816

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Dec 1, 2016
Merged

Vulnerability rollup 11 (WIP) #20816

merged 15 commits into from
Dec 1, 2016
+28 −24

Conversation

grahamc
Copy link
Member

@grahamc grahamc commented Nov 30, 2016
edited
Loading

Motivation for this change

#20814

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@grahamc
mcabber: 1.0.3 -> 1.0.4 for 'roster push attack'

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
a9611a5
@grahamc
mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
0707962 
 - CVE-2016-7504
 - CVE-2016-7505
 - CVE-2016-7506
 - CVE-2016-9017
 - CVE-2016-9108
 - CVE-2016-9109
 - CVE-2016-9294

See more information: https://lwn.net/Vulnerabilities/707361/
@grahamc grahamc added 1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release. labels Nov 30, 2016
@mention-bot
Copy link

@grahamc, thanks for your PR! By analyzing the history of the files in this pull request, we identified @7c6f434c, @pSub and @aszlig to be potential reviewers.

@grahamc grahamc changed the title Vulnerability rollup 10 (WIP) Vulnerability rollup 11 (WIP) Nov 30, 2016
@grahamc
perlPackages.DBDmysql: 4.033 -> 4.039

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
7d09138
@grahamc
maatkit: update URL

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
0cff959
@vcunat
Copy link
Member

vcunat commented Nov 30, 2016

I wonder, why don't you push these to master directly?

@grahamc
Copy link
Member Author

grahamc commented Nov 30, 2016

Sure --

I usually work on these some in the morning and then some again in the evening. Sometimes I'll have one or more mass rebuild-triggering issues. Darwin is really sensitive to multiple world-rebuilds, because they only have a few machines and can't scale up like linux can.

I also like to do a bit of testing to make sure my changes don't break other packages.

To take care of these issues, I've been making a "rollup" branch which contains all my patches, making sure it looks good, and then merging all at once.

I open the PR because my NixOS testing tools work best with PRs :)

@grahamc
tomcat6: 6.0.45 -> 6.0.48

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
eba91fa 
For CVE-2016-8735, a remote code execution vulnerability.
@grahamc
tomcat7: 7.0.72 -> 7.0.73

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
3d0310d 
For CVE-2016-8735, a remote code execution vulnerability.
@grahamc
tomcat8: 8.0.37 -> 8.0.39
80a4750 
For CVE-2016-8735, a remote code execution vulnerability.
@grahamc
tomcat85: 8.5.5 -> 8.5.8
42f1ae1 
For CVE-2016-8735, a remote code execution vulnerability.
@grahamc
tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13
5f78980 
For CVE-2016-8735, a remote code execution vulnerability.
@grahamc grahamc force-pushed the vulnerability-rollup-10 branch from 0435349 to 57b3bb9 Compare November 30, 2016 23:43
@grahamc grahamc force-pushed the vulnerability-rollup-10 branch from 57b3bb9 to 9c71508 Compare November 30, 2016 23:44
@grahamc
Copy link
Member Author

grahamc commented Nov 30, 2016

Ok, with the bzip push this is officially a mass rebuild :)

@grahamc grahamc added 1.severity: mass-darwin-rebuild This PR causes a large number of packages to rebuild on Darwin 1.severity: mass-rebuild This PR causes a large number of packages to rebuild labels Nov 30, 2016
@grahamc
Copy link
Member Author

grahamc commented Dec 1, 2016

I reverted bzip2 to make it easier to test subsequent patches. Will delete the revert later.

@grahamc grahamc force-pushed the vulnerability-rollup-10 branch from 3d184d4 to 6393ca6 Compare December 1, 2016 00:08
@grahamc
Copy link
Member Author

grahamc commented Dec 1, 2016

lol, then I added icu for more rebuild. Reverting that too. Will delete later.

@grahamc
Copy link
Member Author

grahamc commented Dec 1, 2016

Alright, this is getting ready to merge, just waiting on merging a few simpler PRs before this one.

@grahamc grahamc merged commit 9639356 into NixOS:master Dec 1, 2016
@grahamc grahamc deleted the vulnerability-rollup-10 branch April 11, 2018 18:32
@samueldr samueldr removed the 9.needs: port to stable A PR needs a backport to the stable release. label Apr 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: mass-darwin-rebuild This PR causes a large number of packages to rebuild on Darwin 1.severity: mass-rebuild This PR causes a large number of packages to rebuild 1.severity: security Issues which raise a security issue, or PRs that fix one
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@grahamc @mention-bot @vcunat @joachifm @samueldr