GNU bug report logs - #46194 Doas vulnerability CVE-2019-25016
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 30 Jan 2021 20:52:02 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#46194; Package guix. (Sat, 30 Jan 2021 20:52:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 30 Jan 2021 20:52:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Our package of doas is apparently vulnerable to CVE-2019-25016:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016
Information forwarded to bug-guix <at> gnu.org: bug#46194; Package guix. (Sun, 31 Jan 2021 19:42:02 GMT)
Message #8 received at 46194 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/admin.scm (opendoas): Update to 6.8.1.
Fixes #46194.
---
As there isn't any service for this package (I'm working on it), it's quite
useless and there isn't any package depending on it. I guess very few
people, if any, are using it so I see no need for grafting here.
gnu/packages/admin.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 538e8d3eb4..1ddbea7a02 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1512,7 +1512,7 @@ commands and their arguments.")
(define-public opendoas
(package
(name "opendoas")
- (version "6.8")
+ (version "6.8.1")
(source (origin
(method git-fetch)
(uri (git-reference
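Review bot: the commit message above records only "Fixes #46194" and never names CVE-2019-25016, although this version bump is the entire fix; add a "Fixes CVE-2019-25016." line next to the bug reference so the security reason for the update survives in `git log` and in the package history rather than only in the bug tracker.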
@@ -1521,7 +1521,7 @@ commands and their arguments.")
(file-name (git-file-name name version))
(sha256
(base32
- "1dlwnvy8r6slxcy260gfkximp1ms510wdslpfq9y6xvd2qi5izcb"))))
+ "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p"))))
(build-system gnu-build-system)
(arguments
`(#:phases
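Review bot: the replaced base32 hash is the only integrity anchor for this git-fetch origin, and the `commit` field of the git-reference is outside the visible context; confirm that the commit is derived from `version` (so the tag and hash move together) and that "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p" was computed from a fresh checkout of the upstream 6.8.1 tag with `guix hash -rx .` rather than copied, since a stale or mismatched hash would silently pin the old, vulnerable tree.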
--
2.29.2
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Sun, 31 Jan 2021 20:17:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Sun, 31 Jan 2021 20:17:02 GMT)
Message #13 received at 46194-done <at> debbugs.gnu.org (full text, mbox):
On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
>
> Fixes #46194.
> ---
> As there isn't any service for this package (I'm working on it), it's quite
> useless and there isn't any package depending on it. I guess very few
> people, if any, are using it so I see no need for grafting here.
Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d
The question of "should it be grafted" depends on how many packages
depend on it:
$ guix refresh -l opendoas
No dependents other than itself: opendoas <at> 6.8
If `guix refresh` reports that more than 300 packages will be rebuilt,
security updates should use grafts, as specified in the manual section
Submitting Patches:
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html
We don't want to wait for a 'staging' or 'core-updates' cycle for
security updates, so grafts let us cheat and push things directly to
master, without requiring expensive recompilation of dependent packages.
I know you could have pushed this yourself, although I did it on your
behalf. Now that we've clarified the use case of grafts, please feel
free to push things like this without review :)
The manual section Commit Access offers some guidelines:
"For patches that just add a new package, and a simple one, it’s OK to
commit, if you’re confident (which means you successfully built it in a
chroot setup, and have done a reasonable copyright and license
auditing). Likewise for package upgrades, except upgrades that trigger a
lot of rebuilds (for example, upgrading GnuTLS or GLib)."
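As an added illustration of the graft mechanism Leo describes, here is the shape a grafted security update would have taken had `guix refresh -l opendoas` reported more than 300 dependent rebuilds. This is example code written for this page, not the Guix commit above and not part of the bug thread. It reuses the 6.8.1 hash from the patch; the module name, the `opendoas/fixed` and `opendoas/grafted` identifiers, and the `v6.8.1` tag naming are assumptions. In the real tree the `replacement` field is added to the existing `opendoas` definition in admin.scm; a separate `opendoas/grafted` is used here only because the patch context elides the original definition's url.

```scheme
;; Added example, not Guix's own code.  Shows the graft pattern that
;; would have been used if updating opendoas had triggered more than
;; 300 dependent rebuilds.  Module name and package identifiers are
;; assumptions; the hash is the 6.8.1 hash from the patch above.
(define-module (example opendoas-graft)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (gnu packages admin))   ; provides the real opendoas package

;; The replacement: the same package definition with the fixed source.
;; A graft rewrites store references in already-built dependents instead
;; of rebuilding them, so the replacement must keep the same name,
;; outputs and on-disk layout; only the contents may change.
(define opendoas/fixed
  (package
    (inherit opendoas)
    (version "6.8.1")
    (source (origin
              (inherit (package-source opendoas))
              (uri (git-reference
                    ;; Keep the upstream url of the original git-fetch origin.
                    (url (git-reference-url
                          (origin-uri (package-source opendoas))))
                    ;; Assumed tag scheme: upstream tags releases as vX.Y.Z.
                    (commit (string-append "v" version))))
              (file-name (git-file-name "opendoas" version))
              (sha256
               (base32
                "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p"))))))

;; The package users and dependents keep referring to.  `replacement'
;; tells the daemon to substitute opendoas/fixed at graft time, so the
;; fix lands on master immediately without a rebuild of dependents.
(define-public opendoas/grafted
  (package
    (inherit opendoas)
    (replacement opendoas/fixed)))
```

Building with `guix build --no-grafts` yields the unpatched 6.8 tree; without that flag the daemon builds `opendoas/fixed` and rewrites references to the old store item, which is why the replacement must be layout-compatible with what it replaces.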
Information forwarded to bug-guix <at> gnu.org: bug#46194; Package guix. (Sun, 31 Jan 2021 20:36:02 GMT)
Message #16 received at 46194 <at> debbugs.gnu.org (full text, mbox):
Brice,
On 2021-01-31 20:41, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
Thanks for the prompt security bump! The number of CVE fixes I've
pushed for sudo the past year has made me reconsider its use in favour
of this package.
> As there isn't any service for this package (I'm working on it), it's quite useless
Services are nice to have but always optional: I doubt there's a package
in Guix that is 'useless' or unused because it lacks a service.
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Mar 2021 12:24:05 GMT)
This bug report was last modified 4 years and 193 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.