[Nix-dev] Assistance Required for Vulnerability Roundup #20 (389, jbig2dec, ming, nagios)
Graham Christensen
graham at grahamc.com
Tue Feb 7 00:50:30 CET 2017
Hello Nix devs,
This past roundup has been especially exhausting, and I'm hoping I can
get a bit of assistance before the next one opens up.
Here are four packages that I would like some help with. Some of them
may be tricky, some of them may be very easy. I'm not sure... but I'm
tired of looking at them. :(
Here is the roundup for discussion:
https://github.com/NixOS/nixpkgs/issues/22342
Thank you in advance,
Graham Christensen
389-ds-base: denial of service
------------------------------
LWN Link: https://lwn.net/Vulnerabilities/713059/
Unstable: 1.3.5.15
https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/ldap/389/default.nix
Stable: 1.3.3.9
https://github.com/NixOS/nixpkgs/blob/release-16.09/pkgs/servers/ldap/389/default.nix
- Is upgrading stable from 1.3.5.15 to 1.3.3.9 safe?
- Can we find patches to address the issue at hand?
jbig2dec: denial of service
---------------------------
LWN Link: https://lwn.net/Vulnerabilities/713054/
(it says Ghostscript, but I believe it to only be affecting the
jbig2dec package.)
Unstable: 0.11
https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/jbig2dec/default.nix
Stable: 0.11
https://github.com/NixOS/nixpkgs/blob/release-16.09/pkgs/development/libraries/jbig2dec/default.nix
- 0.13 isn't officially released yet, however Debian is using it in
some versions.
- Are there patches available?
- Should we go to 0.13 on unstable? What about stable?
ming: multiple vulnerabilities
------------------------------
LWN Link: https://lwn.net/Vulnerabilities/712664/
Unstable: 0.4.7
https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/ming/default.nix
Stable: 0.4.7
https://github.com/NixOS/nixpkgs/blob/release-16.09/pkgs/development/libraries/ming/default.nix
- Generally unsure about this one or where to find a patch.
- Perhaps easy to do.
nagios: command execution
-------------------------
LWN Link: https://lwn.net/Vulnerabilities/713145/
Unstable: 4.2.4
https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/monitoring/nagios/default.nix
Stable: 4.2.4
https://github.com/NixOS/nixpkgs/blob/release-16.09/pkgs/servers/monitoring/nagios/default.nix
- Perhaps not applicable, as our version is fairly up to date.
- Needs triage...