Vulnerability roundup 47 (release-18.09) #47122
Comments
master is #47121
Both versions are not maintained anymore upstream and have open security issues, e.g. https://nvd.nist.gov/vuln/detail/CVE-2014-5461. The same holds for lua5_1 but that seems to be in use in some places. Re NixOS#47122 Re NixOS#47123
@vcunat each CVE is reported only once per branch anyway
According to RH-Errata (https://access.redhat.com/errata/RHSA-2016:2974) the gstreamer issue affects only the package
For jquery-ui there is a new release. How important is
For
@periklis great job, thanks :) One request: please tick off the pkgs that you have reviewed in the list at the top.
Didn't get it - do you mean that the vuln is exploitable via a nixos test?
@periklis Would it be feasible to provide PRs for both libarchive and libid3tag?
@ckauhaus I will provide PRs for both libarchive and libid3tag in the next days. As for jquery-ui, since it is used only for nixos-testing, I am not sure if we should patch by updating. wdyt?
@ckauhaus unfortunately I cannot tick the items in the list at the top.
The wpa_supplicant CVEs have already been fixed last year: ea50efc
We're not affected by CVE-2014-2285 for net_snmp because we have the fixed version (fixed in >= 5.7.3_pre3 and we have 5.7.3) and our version of perl is new enough to be unaffected anyway (same for RHEL as in https://bugzilla.redhat.com/show_bug.cgi?id=1072778).
CVE-2018-7263 in libmad is a duplicate of CVE-2017-11552 for libao. Doesn't seem to be fixed upstream and doesn't look to be reproducible. Not actionable for now.
CVE-2017-17480 fixed in b3aff3a
rsync CVE-2017-16548: see #38993 (comment)
procps CVE-2018-1121: I'm satisfied by https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
Closing as 18.09 is no longer supported. |
Scanned nixos/release-combined.nix @ ef450ef. Filtered out previously reported CVEs. May contain false positives.
binutils-2.30
coreutils-8.29
exempi-2.4.5
ffmpeg-3.4.4
glibc-2.27
graphviz-2.40.1
gstreamer-0.10.36
jasper-2.0.14
jquery-ui-1.11.4
libarchive-3.3.2
libcroco-0.6.12
libid3tag-0.15.1b
libmad-0.15.1b
libsass-3.5.4
libsndfile-1.0.28
libtiff-4.0.9
libvorbis-1.3.6
lua-5.1.5
net-snmp-5.7.3
openjpeg-2.3.0
patch-2.7.6
procps-3.3.15
rsync-3.1.3
sddm-0.17.0
taglib-1.11.1
wildmidi-0.4.2
wpa_supplicant-2.6
zip-3.0
Cc: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7, @grahamc, @adisbladis, @fpletz, @vcunat
Contact @ckauhaus for any questions.