GNU bug report logs -
#66658
[PATCH] gnu: nghttp2: Replace with 1.57.0.
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 66658 in the body.
You can then email your comments to 66658 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#66658; Package
guix-patches.
(Sat, 21 Oct 2023 04:22:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Philip McGrath <philip <at> philipmcgrath.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 21 Oct 2023 04:22:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This release mitigates CVE-2023-44487.
* gnu/packages/web.scm (nghttp2-1.57): New variable.
(nghttp2)[replacement]: Use it.
---
I've never attempted to create a graft before, and I have **definitely not**
tested this adequately, but `guix refresh` says:
> Building the following 7989 packages would ensure 20638 dependent packages
> are rebuilt:
so it seems like a graft would be needed.
The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
Philip
gnu/packages/web.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index b46286c690..4a66fada51 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -7958,6 +7958,7 @@ (define-public nghttp2
(package
(name "nghttp2")
(version "1.49.0")
+ (replacement nghttp2-1.57)
(source
(origin
(method url-fetch)
@@ -8068,6 +8069,19 @@ (define-public nghttp2-for-node
(("print \\(ver >= '3\\.8'\\)")
"print (tuple(map(int, ver.split('.'))) >= (3,8))")))))))))))
+(define-public nghttp2-1.57
+ (package
+ (inherit nghttp2)
+ (version "1.57.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/nghttp2/nghttp2/"
+ "releases/download/v" version "/"
+ "nghttp2-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0n598w7w8rqdqiay2fad3a11253hibakan5c4vjkpx09648v044j"))))))
+
(define-public hpcguix-web
(package
(name "hpcguix-web")
base-commit: fed6ac2ae182597a492b17a29ed8b26986498755
--
2.41.0
Added tag(s) security.
Request was from
Philip McGrath <philip <at> philipmcgrath.com>
to
control <at> debbugs.gnu.org.
(Sat, 21 Oct 2023 04:31:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility.
(Sun, 29 Oct 2023 23:37:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Philip McGrath <philip <at> philipmcgrath.com>:
bug acknowledged by developer.
(Sun, 29 Oct 2023 23:37:02 GMT)
Full text and
rfc822 format available.
Message #12 received at 66658-done <at> debbugs.gnu.org (full text, mbox):
Hi Philip,
Philip McGrath <philip <at> philipmcgrath.com> skribis:
> This release mitigates CVE-2023-44487.
>
> * gnu/packages/web.scm (nghttp2-1.57): New variable.
> (nghttp2)[replacement]: Use it.
> ---
>
> I've never attempted to create a graft before, and I have **definitely not**
> tested this adequately, but `guix refresh` says:
>
>> Building the following 7989 packages would ensure 20638 dependent packages
>> are rebuilt:
>
> so it seems like a graft would be needed.
Indeed.
The two seem to be ABI-compatible:
--8<---------------cut here---------------start------------->8---
$ guix shell libabigail -- abidiff /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
2 Added function symbols not referenced by debug info:
[A] nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
[A] nghttp2_option_set_stream_reset_rate_limit
$ readelf -a /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
$ readelf -a /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
--8<---------------cut here---------------end--------------->8---
(Bit questionable that the SONAME is exactly the same. Oh well.)
> The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
> https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
Applied, thanks!
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 27 Nov 2023 12:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 207 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.