[25.11] paperless-ngx: add patches for GHSA-24x5-wp64-9fcc, GHSA-7cq3-mhxq-w946, GHSA-28cf-xvcf-hw6m #480319

Merged
Mic92 merged 3 commits into NixOS:release-25.11 from leona-ya:push-nxrsnxzlrrkk
Jan 17, 2026

Conversation

@leona-ya
Member

@leona-ya leona-ya commented Jan 15, 2026

GHSA-24x5-wp64-9fcc
GHSA-7cq3-mhxq-w946
GHSA-28cf-xvcf-hw6m
backport for #470544, #472259, #480318

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

Contributor

@github-actions github-actions bot left a comment

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Important

38f6c71 is not a cherry-pick, because: version on stable too old for bump. Please review this commit manually.

Important

8a5327c is not a cherry-pick, because: version on stable too old for bump. Please review this commit manually.

Important

a34a84e is not a cherry-pick, because: version on stable too old for bump. Please review this commit manually.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@leona-ya leona-ya changed the title paperless-ngx: add patch for GHSA-28cf-xvcf-hw6m [25.11] paperless-ngx: add patch for GHSA-28cf-xvcf-hw6m Jan 15, 2026
@leona-ya leona-ya added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 15, 2026
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". 4.workflow: backport This targets a stable branch labels Jan 15, 2026
@SuperSandro2000
Member

We also lack patches for the other ~3 or so CVEs in the 2.20.X branch.

GHSA-24x5-wp64-9fcc

Not-cherry-picked-because: version on stable too old for bump
GHSA-7cq3-mhxq-w946

Not-cherry-picked-because: version on stable too old for bump
GHSA-28cf-xvcf-hw6m

Not-cherry-picked-because: version on stable too old for bump
@leona-ya leona-ya changed the title [25.11] paperless-ngx: add patch for GHSA-28cf-xvcf-hw6m [25.11] paperless-ngx: add patches for GHSA-24x5-wp64-9fcc, GHSA-7cq3-mhxq-w946, GHSA-28cf-xvcf-hw6m Jan 15, 2026
@leona-ya
Member Author

paperless-ngx/paperless-ngx@9ba1d93 (GHSA-6653-vcx4-69mc) is still missing; this one doesn't apply cleanly. I don't know if we want to update 25.11 or whether I should backport that patch.

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels Jan 16, 2026
@Mic92 Mic92 enabled auto-merge January 17, 2026 11:28
@LeSuisse LeSuisse dismissed github-actions[bot]’s stale review January 17, 2026 12:05

Backport of security patches, this is fine.

@Mic92 Mic92 added this pull request to the merge queue Jan 17, 2026
Merged via the queue into NixOS:release-25.11 with commit 9b232b1 Jan 17, 2026
34 of 36 checks passed