[Nix-dev] Announcing: Security Tooling, nix-security-announce Mailing List
Graham Christensen
graham at grahamc.com
Sat Dec 3 01:00:51 CET 2016
Ok everyone, here is an update:
> Maybe the list was initially intended for announcing embargoed issues
No, this list is not for embargoed issues. We don't currently have this infrastructure. We are planning on working on this infrastructure in the first / second quarter of 2017.
> why is the security announcements mailing list invite-only?
The list was misconfigured. We want the announce list to be announce-only and no other discussion. It is now configured to allow anyone to subscribe / join, but only certain people to send mail. For discussion about issues, I would recommend emailing nix-dev.
> How do I subscribe?
- with a Google account, at https://groups.google.com/forum/#!forum/nix-security-announce
- without a Google account, I believe you can join the list without a Google account by emailing `nix-security-announce+subscribe at googlegroups.com`.
> why is that list not hosted on the same server as the other nix-related mailing lists?
The service which hosts the other mailing list seems to not be taking
new lists. This was a problem when Rob tried to set up the list, and we
agreed using a Google group should be okay, based on these criteria:
- I made sure list archives can be viewed without a Google account.
- I made sure list archives can be searched without having a Google account.
- I also made sure Google groups can be subscribed to without a Google account.
...
## Security Updates (cross-posted to the list)
The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.
These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20814.
| master | 16.09 | Message | Notes |
| --- | --- | --- | --- |
| 16995fc | d573588 | boehmgc: 7.2f -> 7.2g | n/a |
| 1e17f21 | e7fc018 | firefox: 50.0.1 -> 50.0.2 | n/a |
| b04e23b | bd39c43 | firefox: 50.0 -> 5.0.1 for CVE-2016-9078 | n/a |
| 2d341ca | 3bf46ba | firefox-bin: 50.0 -> 50.0.1 | n/a |
| 36f980b | 22389ae | firefox-esr: security 45.5.0 -> 45.5.1 (#20841) | n/a |
| 18a3225 | 15f6c2d | linux: 3.12.67 -> 3.12.68 | n/a |
| 5afc6b5 | 0dcdb9b | linux: 4.1.35 -> 4.1.36 | n/a |
| cc77360 | c9dafb1 | linux: 4.4.34 -> 4.4.35 | n/a |
| 654f5df | 33287d9 | linux: 4.4.35 -> 4.4.36 | n/a |
| b47307b | 5db1d94 | linux: 4.8.10 -> 4.8.11 | n/a |
| 853b649 | 2ddf554 | linux: 4.8.11 -> 4.8.12 | n/a |
| a8eeef6 | d35e2de | lxc: 2.0.4 -> 2.0.6 (security) | n/a |
| a9611a5 | 3275b2f | mcabber: 1.0.3 -> 1.0.4 for 'roster push attack' | n/a |
| 0707962 | e6fe609 | mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs | n/a |
| 5b6d52b | 7fc197f | nagios: 4.0.8 -> 4.2.3 | n/a |
| c77011c | a9523ed | nagiosPluginsOfficial: 2.0.3 -> 2.1.4 | n/a |
| b221fc1 | d564833 | nss: 3.27.1 -> 3.27.2 | n/a |
| e700ff6 | 066166b | perl-bignum: 0.43 -> 0.44 | n/a |
| 7d09138 | d8e8bb4 | perlPackages.DBDmysql: 4.033 -> 4.039 | n/a |
| 390f6a9 | a5ffcd2 | Revert "Revert "bzip2: patch for CVE-2016-3189"" | n/a |
| 7e40e89 | 997c6b9 | rpcbind: patch for CVE-2015-7236 | n/a |
| f4aab5b | 4d15c98 | thunderbird: 45.5.0 -> 45.5.1 | n/a |
| 5f4b3cd | 24cd670 | thunderbird-bin: 45.5.0 -> 45.5.1 | n/a |
| eba91fa | 8b7a082 | tomcat6: 6.0.45 -> 6.0.48 | n/a |
| 3d0310d | 1a0f5f8 | tomcat7: 7.0.72 -> 7.0.73 | n/a |
| 42f1ae1 | b036ad5 | tomcat85: 8.5.5 -> 8.5.8 | n/a |
| 80a4750 | c67cec2 | tomcat8: 8.0.37 -> 8.0.39 | n/a |
| 5f78980 | 00fb14b | tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13 | n/a |
| 75cdbf4 | 805022c | torbrowser: 6.0.6 -> 6.0.7 | n/a |
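As an added example (not part of the announcement or of nixpkgs tooling), a small parser for the roundup table format above that extracts the package and version bump from each commit message and flags which locally installed packages are still below the fixed version. The `ROUNDUP` text is a constructed excerpt of four rows, and the installed-version dictionary passed to `outdated()` is constructed input; rows without a `->` bump (plain patches, reverts) are kept but carry no version data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four rows in the roundup's "master 16.09 Message Notes" layout.
ROUNDUP = """\
16995fc d573588 boehmgc: 7.2f -> 7.2g n/a
cc77360 c9dafb1 linux: 4.4.34 -> 4.4.35 n/a
5f78980 00fb14b tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13 n/a
7e40e89 997c6b9 rpcbind: patch for CVE-2015-7236 n/a
"""

# master hash, 16.09 hash, commit message, trailing notes column
ROW = re.compile(r"^(?P<master>[0-9a-f]{7})\s+(?P<r1609>[0-9a-f]{7})\s+(?P<msg>.*?)\s+(?P<notes>\S+)$")
# "pkg: [security] old -> new ..." as used by nixpkgs version-bump commits
BUMP = re.compile(r"^(?P<pkg>[\w.-]+):\s+(?:security\s+)?(?P<old>\S+)\s+->\s+(?P<new>\S+)")


@dataclass
class Fix:
    master: str
    r1609: str
    message: str
    package: Optional[str] = None
    old: Optional[str] = None
    new: Optional[str] = None


def parse_roundup(text: str) -> List[Fix]:
    """Parse roundup rows; rows that are not a version bump keep package=None."""
    fixes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        fix = Fix(m["master"], m["r1609"], m["msg"])
        b = BUMP.match(fix.message)
        if b:
            fix.package, fix.old, fix.new = b["pkg"], b["old"], b["new"]
        fixes.append(fix)
    return fixes


def version_key(v: str):
    """Split into numeric/alpha runs so 7.2f < 7.2g and 9.0.0.M10 < 9.0.0.M13 compare naturally."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v)]


def outdated(fixes: List[Fix], installed: Dict[str, str]) -> List[str]:
    """Packages from the roundup whose installed version is older than the fixed one."""
    return [f.package for f in fixes
            if f.package in installed and version_key(installed[f.package]) < version_key(f.new)]
```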