From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 30 15:51:28 2021 Received: (at submit) by debbugs.gnu.org; 30 Jan 2021 20:51:28 +0000 Received: from localhost ([127.0.0.1]:55887 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l5xDM-0006XD-DX for submit@debbugs.gnu.org; Sat, 30 Jan 2021 15:51:28 -0500 Received: from lists.gnu.org ([209.51.188.17]:41984) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l5xDI-0006X3-JM for submit@debbugs.gnu.org; Sat, 30 Jan 2021 15:51:26 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:38516) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5xDG-0001Yk-Hz for bug-guix@gnu.org; Sat, 30 Jan 2021 15:51:24 -0500 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:53551) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5xDC-0004Lw-1r for bug-guix@gnu.org; Sat, 30 Jan 2021 15:51:22 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id DB5D18A2; Sat, 30 Jan 2021 15:51:14 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Sat, 30 Jan 2021 15:51:15 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:subject:message-id:mime-version:content-type; s= mesmtp; bh=T9l05B+sZXM/aYQh0ChsPTOstnmw0sNKWEVBRzGGNns=; b=tERxw HQJ+utAxAclLLKnRDV5VoAAFwI80e+wmiybUPmvj4BhKjuUi0rLXGYeefs+2oIGZ VRwet8ZXqOThKDUuJGftSHXYEQLr6gIOSyZiUZ/KTKlmTOYHsMChtt70KWxc4qAV aZwBOhyVCSlUU91qNFR+giynE4AUIbpoWbvAVc= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=T9l05B+sZXM/aYQh0ChsPTOstnmw0 sNKWEVBRzGGNns=; b=gp/i8xld7K8ZcLuFzFCJ34htL3+BsYT2guYKKx/JnuvCF FSfcP3j4iEAOA9noqbYK8J9vqwgST2Ud69OT8mxhw6jves8amh/JxAaFKG1PQz+C RV4xzAzFFCpHN+WeZYB1LLTMuQGHDD+/s1b2/CUbeFli6T97YxVjnncb7VPIL4zP 6bvYnukwa0UeJyXUOUvBvLJpfY5uyUbB5k/YG3IuHVA0nsU3/llodA3AD28Drcyw rbRXzXQvvfgbpND+HdM8Vr+ofSYKVUF5oVYnSOhRFVDUwaG3LdHlqDv2Lz7la0on cUbImMaFjBlWC49vI6dArodXqw0TR+ecfykwzeIWg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfeeggddugeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesthdtredttd dtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhi rdhnrghmvgeqnecuggftrfgrthhtvghrnhepvedutedvhfdvgfefheeiteffgfeutdetle fhteehudeuiedugfejtdeftdfgffegnecuffhomhgrihhnpehmihhtrhgvrdhorhhgnecu kfhppedutddtrdduuddrudeiledruddukeenucevlhhushhtvghrufhiiigvpedtnecurf grrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 4460224005D for ; Sat, 30 Jan 2021 15:51:14 -0500 (EST) Date: Sat, 30 Jan 2021 15:51:11 -0500 From: Leo Famulari To: bug-guix@gnu.org Subject: Doas vulnerability CVE-2019-25016 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Received-SPF: pass client-ip=64.147.123.20; envelope-from=leo@famulari.name; helo=wout4-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) Our package of doas is apparently vulnerable to CVE-2019-25016: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016 From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 31 14:41:25 2021 Received: (at 46194) by debbugs.gnu.org; 31 Jan 2021 19:41:25 +0000 Received: from localhost ([127.0.0.1]:58073 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6Ib6-0004DC-Ot for submit@debbugs.gnu.org; Sun, 31 Jan 2021 14:41:24 -0500 Received: from relay1-d.mail.gandi.net ([217.70.183.193]:39361) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6Ib2-0004Cw-DJ for 46194@debbugs.gnu.org; Sun, 31 Jan 2021 14:41:23 -0500 X-Originating-IP: 176.181.186.101 Received: from localhost (i15-les02-ntr-176-181-186-101.sfr.lns.abo.bbox.fr [176.181.186.101]) (Authenticated sender: brice@waegenei.re) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id B7FFF240002 for <46194@debbugs.gnu.org>; Sun, 31 Jan 2021 19:41:13 +0000 (UTC) From: Brice Waegeneire To: 46194@debbugs.gnu.org Subject: [PATCH] gnu: opendoas: Update to 6.8.1. Date: Sun, 31 Jan 2021 20:41:07 +0100 Message-Id: <20210131194107.16894-1-brice@waegenei.re> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 46194 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) * gnu/packages/admin.scm (opendoas): Update to 6.8.1. Fixes #46194. --- As there isn't any service for this package (I'm working on it), it's quite useless and there isn't any package depending on it. I guess very few people, if any, are using it so I see no need for grafting here. gnu/packages/admin.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 538e8d3eb4..1ddbea7a02 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1512,7 +1512,7 @@ commands and their arguments.") (define-public opendoas (package (name "opendoas") - (version "6.8") + (version "6.8.1") (source (origin (method git-fetch) (uri (git-reference @@ -1521,7 +1521,7 @@ commands and their arguments.") (file-name (git-file-name name version)) (sha256 (base32 - "1dlwnvy8r6slxcy260gfkximp1ms510wdslpfq9y6xvd2qi5izcb")))) + "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p")))) (build-system gnu-build-system) (arguments `(#:phases -- 2.29.2 From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 31 15:16:23 2021 Received: (at 46194-done) by debbugs.gnu.org; 31 Jan 2021 20:16:23 +0000 Received: from localhost ([127.0.0.1]:58123 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6J8w-000544-GI for submit@debbugs.gnu.org; Sun, 31 Jan 2021 15:16:23 -0500 Received: from wout3-smtp.messagingengine.com ([64.147.123.19]:39571) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6J8t-00053p-7p for 46194-done@debbugs.gnu.org; Sun, 31 Jan 2021 15:16:21 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 31B33762; Sun, 31 Jan 2021 15:16:13 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Sun, 31 Jan 2021 15:16:13 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-transfer-encoding:in-reply-to; s=mesmtp; bh=G+uelrTlUDt1eBcYZJs6rnXJeujpvW24afnh5X8rNjs=; b=0utP4OKBf0eA ZslFtHDL7+DFuMuSj2KcSWHqQvXSC+TCe3yRArMGpcaiEHTn4lKR6zrlOA0bMiBS ECbotoJeuE2SaxSZW7U4RRN2CRsvSu8ckq2+POcLG5ivC+HmCk0qkZnTYpOpeKdr gBsZI43t3yVakytio52Ody3gLFKIDW8= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=G+uelrTlUDt1eBcYZJs6rnXJeujpvW24afnh5X8rN js=; b=HLpaToQSCplXbU8nEPgT7RURfkABx4h7ufAEL2i7m2hPIEFhH1A8oozwo C/tz0Dc6i9vtU7rLwM97FCzVORJ0ogiqIPm23W2gGXdkNRB23WYBxayYJF/CgGzq QnvULGa0Qt76U5xM6ckzSQCAffPcByB8vF0yErWku0sQtMEua87CqlYB2+2gUUQl 8q/nS+XI5e5iXXtYjYXC6NdkWrJM+AnEbOslToaDygMAaZGn+3b2HE1JirTUVsde hmMRU+pCoQ3JhsbjArRNuwhX3QYyoQ62y7rAeUVFxI/552U7PZRcDYPMj55QLWLv J3nh2YnNRhnqgNG1UXmg8xh72SSbA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfeeigddufeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtugfgjgesthekredttddtjeenucfhrhhomhepnfgvohcu hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth htvghrnhepgfduffettedtkeekudfhgfefgfeifeegueeitedujeffleeiudeuieffgfdu gfdunecuffhomhgrihhnpehgnhhurdhorhhgnecukfhppedutddtrdduuddrudeiledrud dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl vghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 0BB9024005A; Sun, 31 Jan 2021 15:16:12 -0500 (EST) Date: Sun, 31 Jan 2021 15:16:06 -0500 From: Leo Famulari To: Brice Waegeneire Subject: Re: bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1. Message-ID: References: <20210131194107.16894-1-brice@waegenei.re> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20210131194107.16894-1-brice@waegenei.re> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 46194-done Cc: 46194-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote: > * gnu/packages/admin.scm (opendoas): Update to 6.8.1. > > Fixes #46194. > --- > As there isn't any service for this package (I'm working on it), it's quite > useless and there isn't any package depending on it. I guess very few > people, if any, are using it so I see no need for grafting here. Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d The question of "should it be grafted" depends on how many packages depend on it: $ guix refresh -l opendoas No dependents other than itself: opendoas@6.8 If `guix refresh` reports that more than 300 packages will be rebuilt, security updates should use grafts, as specified in the manual section Submitting Patches: https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html We don't want to wait for a 'staging' or 'core-updates' cycle for security updates, so grafts let us cheat and push things directly to master, without requiring expensive recompilation of dependent packages. I know you could have pushed this yourself, although I did it on your behalf. Now that we've clarified the use case of grafts, please feel free to push things like this without review :) The manual section Commit Access offers some guidelines: "For patches that just add a new package, and a simple one, it’s OK to commit, if you’re confident (which means you successfully built it in a chroot setup, and have done a reasonable copyright and license auditing). Likewise for package upgrades, except upgrades that trigger a lot of rebuilds (for example, upgrading GnuTLS or GLib)." From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 31 15:35:17 2021 Received: (at 46194) by debbugs.gnu.org; 31 Jan 2021 20:35:17 +0000 Received: from localhost ([127.0.0.1]:58176 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6JRD-0005ZT-QW for submit@debbugs.gnu.org; Sun, 31 Jan 2021 15:35:17 -0500 Received: from tobias.gr ([80.241.217.52]:38250) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1l6JRA-0005ZH-EL for 46194@debbugs.gnu.org; Sun, 31 Jan 2021 15:35:14 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018; bh=Zn1OuyyVEVAHIlevZnsFd5q+9mINbTX3dLze5f4D0EQ=; h=references: in-reply-to:subject:cc:to:from:date; b=OQ7Yflyk7cRE/fbtFVJJ/bWaEFe9N6L NmW1leQ9a+v6MmJr7dWywWxgVOYIIdH+qpnOWuS01pQ5e3ydTNlt/7LS+KqeaCkrXjU6nP RLTnI/y0S89Neppv/wBWkDx7H7bN+y7/8jYqy+qGD69KF1DMRpjVh5UAPTSbi71SlAYsjt ZP0nF/HEIOLzo9SB+DQHkVxkfWI48Az73MIotVJ8QTfIlg4WRHFlLLxMwjzNwbNPw9dfOH nQ/Fekn4Kxn/W8FYRdBcDMw0Xhi/k6PiN9Q5409F6ZFWtBPasTGR1QMJToSRMI6wFr92KC CQkL+Mb+0D/z+sDo7Jrmx7xMLlFylKg== Received: by submission.tobias.gr (OpenSMTPD) with ESMTP id 970c3cba; Sun, 31 Jan 2021 20:35:51 +0000 (UTC) MIME-Version: 1.0 Date: Sun, 31 Jan 2021 21:35:51 +0100 From: Tobias Geerinckx-Rice To: Brice Waegeneire Subject: Re: bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1. In-Reply-To: <20210131194107.16894-1-brice@waegenei.re> References: <20210131194107.16894-1-brice@waegenei.re> Message-ID: <72add1e6739099b060b00b4a707359c8@tobias.gr> Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 46194 Cc: 46194@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Brice, On 2021-01-31 20:41, Brice Waegeneire wrote: > * gnu/packages/admin.scm (opendoas): Update to 6.8.1. Thanks for the prompt security bump! The number of CVE fixes I've pushed for sudo the past year has made me reconsider its use in favour of this package. > As there isn't any service for this package (I'm working on it), it's > quite > useless Services are nice to have but always optional: I doubt there's a package in Guix that is 'useless' or unused because it lacks a service. Kind regards, T G-R Sent from a Web browser. Excuse or enjoy my brevity. From unknown Wed Sep 10 06:21:08 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Mon, 01 Mar 2021 12:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator