
Security Survey 20221017 #4290

Merged
merged 60 commits into from
Nov 27, 2022

Conversation

CamberLoid
Member

@CamberLoid CamberLoid commented Nov 10, 2022

Topic Description

The topic includes a series of security updates. See issues mentioned below to see details.

Once the PR is created, the versions of the packages are frozen unless major vulnerabilities are disclosed.

Package(s) Affected

Core

  • zlib: Apply patch
  • aosc-aaa: Bump version

Non-core

Priority

  • openssl{,+32}: 1.1.1q
  • python-{2,3}: Patch + Update 3.10.8
  • git
  • curl
  • libxml2{,+32}: 2.9.12 -> 2.10.3
  • bind: 9.16.21 -> 9.16.33
  • dhcp: 4.4.1 -> 4.4.3.P1

Non-priority

  • cups: 2.4.0 -> 2.4.2
  • squid: 5.5 -> 5.7
  • kitty: 0.24.2 -> 0.26.4
  • openjpeg: 2.3.1 -> 2.5.0
  • chromium
  • google-chrome
  • poppler: REL Bump
  • xz: 5.2.5 -> 5.2.7
  • expat: 2.4.6 -> 2.5.0
  • vim:
  • unzip (Downgrade)
  • xterm: 351 -> 375
  • (New) libilbc
  • (New) bcg729
  • wireshark -> 4.0.0
  • ntfs-3g: 2022.5.17 -> 2022.10.3
  • rpm: 4.17.0 -> 4.18.0
  • libksba: 1.3.5 -> 1.6.2
  • open-vm-tools: 11.3.0 -> 12.1.0
  • libtiff: 4.0.10 -> 4.4.0
  • freerdp: 2.7.0 -> 2.8.1
  • lighttpd: Patch to fix cve
  • nokogiri: 1.13.3 -> 1.13.9
  • opensc: 0.20.0 -> 0.22.0
  • libgcrypt: 1.9.1 -> 1.9.4
  • mariadb: 10.9.4
  • virglrenderer: 0.10.3
  • sqlite: 3.39.4
  • xmlsec (as the update of libxml2): 1.2.36
  • fcgi: as dependency of lighttpd

Not an upgrade, but need to rebuild

  • cryptography: new for riscv64
  • gettext: Build for arm64 and loongson3. dependency of po4a, which is in xz's dependency graph.

Security Update?

Yes. TBA

Build Order

  • Core: zlib aosc-aaa
  • Priority: openssl python-{2,3} git curl libxml2 bind dhcp autobuild3
  • Others
    • common: cups squid kitty openjpeg poppler xz expat vim unzip xterm libilbc bcg729 ntfs-3g rpm libksba libtiff freerdp fcgi lighttpd nokogiri opensc libgcrypt mariadb virglrenderer sqlite xmlsec
    • AMD64: $common open-vm-tools google-chrome chromium
    • ARM64: gettext $common chromium
    • RISCV64: cryptography $common
    • LOONGSON3: gettext $common

Test Build(s) Done

Primary Architectures

  • AMD64 amd64
  • AArch64 arm64
  • 32-bit Optional Environment optenv32

Secondary Architectures

Architectural progress for "secondary" or experimental ports does not impede merging of this topic.

  • Loongson 3 loongson3
  • RISC-V 64-bit riscv64

Update(s) Uploaded to Stable

Primary Architectures

  • AMD64 amd64
  • AArch64 arm64
  • 32-bit Optional Environment optenv32

Secondary Architectures

Architectural progress for "secondary" or experimental ports does not impede merging of this topic.

  • Loongson 3 loongson3
  • RISC-V 64-bit riscv64

@MingcongBai MingcongBai added upgrade Topic/issue involves a package upgrade security Topic/issue involves a security issue/fixed priority High-priority issue/topic 0day Topic/issue involves a 0-day security issue and must be addressed immediately labels Nov 11, 2022
@MingcongBai MingcongBai added question Question or suggestions needed has-fix Topic contains a fix for a known issue labels Nov 11, 2022
@CamberLoid CamberLoid force-pushed the security-survey-20221017 branch 2 times, most recently from 53cdbc5 to 521aa8e Compare November 12, 2022 13:40
MingcongBai
MingcongBai previously approved these changes Nov 27, 2022
CamberLoid and others added 9 commits November 27, 2022 15:24
* Fixes CVE-2022-2068 and CVE-2022-1292
* Replace CROSS:-BUILD with ab_match_arch
* Change build configuration for riscv64 to `linux64-riscv64`

Signed-off-by: Camber Huang <camber@poi.science>
* Fixes CVE-2022-{1292,2068,2097};
* Disable tests for optenv32 building

Signed-off-by: Camber Huang <camber@poi.science>
* Fixes CVE-2022-26691

Signed-off-by: Camber Huang <camber@poi.science>
* Fix multiple security issues regarding the bind utility.

Signed-off-by: Camber Huang <camber@poi.science>
* From this version on, ISC's dhcp will be EOL, which means that unless a severe
security issue is found, upstream may not release any further updates.
For this reason the package may be dropped in the future. Users are advised
to switch to another implementation such as kea or dhcpcd.
* Dropped unneeded/outdated patch 0002-iproute2.patch
* Increase verbosity.

Signed-off-by: Camber Huang <camber@poi.science>
Signed-off-by: Camber Huang <camber@poi.science>
Signed-off-by: Camber Huang <camber@poi.science>
* Fixes CVE-2022-{39253,39260}
* Updated systemd unit file from Archlinux

Ref: https://github.com/archlinux/svntogit-packages/blob/29f368bdeabc4dd6ae05a8f90ddfcab044c8c5b7/trunk/git-daemon@.service

Signed-off-by: Camber Huang <camber@poi.science>
* Add a patch 0002-Ubuntu-CVE-2015-20107.patch to fix the security issue.

Signed-off-by: Camber Huang <camber@poi.science>