Skip to content

libssh2: apply patch for CVE-2023-48795 #275641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
risicle merged 1 commit into from
Dec 24, 2023
Merged

libssh2: apply patch for CVE-2023-48795 #275641

risicle merged 1 commit into from
Dec 24, 2023

Conversation

@leona-ya
Copy link
Member

@leona-ya leona-ya commented Dec 20, 2023

Description of changes

libssh2/libssh2@d34d925
https://terrapin-attack.com/

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@leona-ya
Copy link
Member Author

leona-ya commented Dec 20, 2023

We might want to include this in staging-next.

@leona-ya leona-ya added 1.severity: security Issues which raise a security issue, or PRs that fix one backport staging-23.05 labels Dec 20, 2023
kloenk
kloenk approved these changes Dec 20, 2023
View reviewed changes
Copy link
Member

@kloenk kloenk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

build on x86_64-linux, aarch64-linux and aarch64-darwin

@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one person. label Dec 20, 2023
SuperSandro2000
SuperSandro2000 reviewed Dec 20, 2023
View reviewed changes
@delroth delroth added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Dec 20, 2023
@leona-ya leona-ya force-pushed the libssh2-cve-2023-48795 branch from 2caa17c to 1bfeb14 Compare December 20, 2023 21:39
@delroth delroth removed the 12.approvals: 2 This PR was reviewed and approved by two persons. label Dec 20, 2023
@delroth delroth added the 12.approvals: 2 This PR was reviewed and approved by two persons. label Dec 21, 2023
@leona-ya
Copy link
Member Author

leona-ya commented Dec 21, 2023

@ofborg eval

@SuperSandro2000
Copy link
Member

SuperSandro2000 commented Dec 23, 2023

@ofborg eval

issue on staging

@risicle
Copy link
Contributor

risicle commented Dec 23, 2023

Cherry-picked to staging-next for testing, built tests from #276144 (apart from vlc obviously) on macos 12 x86_64.

@ofborg ofborg bot added the 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. label Dec 23, 2023
@ofborg ofborg bot requested a review from SuperSandro2000 December 23, 2023 02:01
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Dec 23, 2023
risicle
risicle approved these changes Dec 24, 2023
View reviewed changes
Copy link
Contributor

@risicle risicle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cherry-picked to staging-next for testing, built tests from #276144 on nixos x86_64. Built pkgsStatic, pkgsMusl, pkgsi686Linux variants.

@delroth delroth added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Dec 24, 2023
@SuperSandro2000
Copy link
Member

SuperSandro2000 commented Dec 24, 2023

Can someone finally merge this?

@risicle risicle merged commit b0e46d7 into NixOS:staging Dec 24, 2023
@github-actions github-actions bot mentioned this pull request Dec 24, 2023
Merged
1 task
@github-actions
Copy link
Contributor

github-actions bot commented Dec 24, 2023

Successfully created backport PR for staging-23.05:

@github-actions github-actions bot mentioned this pull request Dec 24, 2023
Merged
1 task
@github-actions
Copy link
Contributor

github-actions bot commented Dec 24, 2023

Successfully created backport PR for staging-23.11:

@leona-ya leona-ya deleted the libssh2-cve-2023-48795 branch December 24, 2023 18:10
@vcunat
Copy link
Member

vcunat commented Dec 25, 2023

These rebuild *-darwin stdenvs and thus all darwin packages. It will take time, i.e. can't do direct -next merges. (I considered this for staging-next-23.05 right now – and dismissed.)

@reckenrode reckenrode mentioned this pull request Dec 25, 2023
Closed
13 tasks
@nixos-discourse
Copy link

nixos-discourse commented Dec 29, 2023

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/questions-about-security-updates-in-nixos-with-flake/37464/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@risicle risicle risicle approved these changes

@SuperSandro2000 SuperSandro2000 SuperSandro2000 approved these changes

+1 more reviewer

@kloenk kloenk kloenk approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 3+ This PR was reviewed and approved by three or more persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@leona-ya @SuperSandro2000 @risicle @vcunat @nixos-discourse @kloenk @delroth