From: Philip McGrath
To: guix-patches@gnu.org
Subject: [PATCH] gnu: nghttp2: Replace with 1.57.0.
Date: Sat, 21 Oct 2023 00:20:30 -0400

This release mitigates CVE-2023-44487.

* gnu/packages/web.scm (nghttp2-1.57): New variable.
(nghttp2)[replacement]: Use it.
---

I've never attempted to create a graft before, and I have **definitely not**
tested this adequately, but `guix refresh` says:

> Building the following 7989 packages would ensure 20638 dependent packages
> are rebuilt:

so it seems like a graft would be needed.

The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Philip

gnu/packages/web.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b46286c690..4a66fada51 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -7958,6 +7958,7 @@ (define-public nghttp2 (package (name "nghttp2") (version "1.49.0") + (replacement nghttp2-1.57) (source (origin (method url-fetch) 
@@ -8068,6 +8069,19 @@ (define-public nghttp2-for-node (("print \\(ver >= '3\\.8'\\)") "print (tuple(map(int, ver.split('.'))) >= (3,8))"))))))))))) +(define-public nghttp2-1.57 + (package + (inherit nghttp2) + (version "1.57.0") + (source (origin + (method url-fetch) + (uri (string-append "https://github.com/nghttp2/nghttp2/" + "releases/download/v" version "/" + "nghttp2-" version ".tar.xz")) + (sha256 + (base32 + "0n598w7w8rqdqiay2fad3a11253hibakan5c4vjkpx09648v044j")))))) + (define-public hpcguix-web (package (name "hpcguix-web") base-commit: fed6ac2ae182597a492b17a29ed8b26986498755 -- 2.41.0
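
Review bot: the first hunk adds `(replacement nghttp2-1.57)` directly under `(version "1.49.0")` with no comment explaining it. A one-line comment there naming CVE-2023-44487 would tell whoever next updates `nghttp2` why the graft exists and that it can be dropped once the main package itself reaches 1.57.0 or later.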
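
Review bot: in the second hunk, `nghttp2-1.57` uses `(inherit nghttp2)`, and the first hunk gives `nghttp2` a `(replacement nghttp2-1.57)` field, so the new package inherits a replacement that points back at itself. Consider adding `(replacement #f)` to the `nghttp2-1.57` definition so that the graft target carries no replacement of its own.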

From: Philip McGrath
To: control@debbugs.gnu.org
Subject: control message for bug #66658
Date: Sat, 21 Oct 2023 00:28:56 -0400

tags 66658 + security
quit

From: Ludovic Courtès
To: Philip McGrath
Cc: 66658-done@debbugs.gnu.org
Subject: Re: [bug#66658] [PATCH] gnu: nghttp2: Replace with 1.57.0.
Date: Mon, 30 Oct 2023 00:35:40 +0100

Hi Philip,

Philip McGrath writes:

> This release mitigates CVE-2023-44487.
>
> * gnu/packages/web.scm (nghttp2-1.57): New variable.
> (nghttp2)[replacement]: Use it.
> ---
>
> I've never attempted to create a graft before, and I have **definitely not**
> tested this adequately, but `guix refresh` says:
>
>> Building the following 7989 packages would ensure 20638 dependent packages
>> are rebuilt:
>
> so it seems like a graft would be needed.

Indeed.

The two seem to be ABI-compatible:

--8<---------------cut here---------------start------------->8---
$ guix shell libabigail -- abidiff /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

2 Added function symbols not referenced by debug info:

  [A] nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
  [A] nghttp2_option_set_stream_reset_rate_limit

$ readelf -a /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 |grep SONAME
 0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
$ readelf -a /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14 |grep SONAME
 0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
--8<---------------cut here---------------end--------------->8---

(Bit questionable that the SONAME is exactly the same. Oh well.)

> The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
> https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Applied, thanks!

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 27 Nov 2023 12:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
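
The ABI check from Ludovic's reply above, turned into a repeatable gate. This is an added example, not part of the thread or of Guix: `graft_abi_ok`, `soname_of` and `check` are hypothetical helper names, the first report is the abidiff summary from the reply, and the second report is constructed.

```shell
#!/bin/sh
# Added example: decide from an abidiff report whether a graft is plausible.

# graft_abi_ok: reads an abidiff report on stdin. Returns 0 only when every
# "changes summary" line reports 0 Removed and 0 Changed (additions are
# tolerated); returns 1 otherwise, or when no summary line is present.
graft_abi_ok() {
    awk '
        / changes summary: / {
            seen = 1
            # The count is the field just before "Removed"/"Changed".
            for (i = 1; i < NF; i++)
                if ($(i + 1) ~ /^(Removed|Changed)/ && ($i + 0) > 0)
                    bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# soname_of: prints the bracketed name from a readelf "(SONAME)" line on stdin.
soname_of() {
    sed -n 's/.*(SONAME).*\[\(.*\)].*/\1/p'
}

# Summary lines as they appear in the reply above.
REPORT_FROM_THREAD='Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info'

# Constructed counter-example: one exported function removed.
REPORT_CONSTRUCTED='Functions changes summary: 1 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable'

# check: prints a verdict for one report passed as the first argument.
check() {
    if printf '%s\n' "$1" | graft_abi_ok; then
        echo "graft candidate"
    else
        echo "needs full rebuild"
    fi
}

check "$REPORT_FROM_THREAD"
check "$REPORT_CONSTRUCTED"
```

In real use, pipe the output of the `abidiff` command from the reply into `graft_abi_ok`, and compare `soname_of` on both `readelf` lines before relying on the verdict.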