* gunicorn and CVE-2024-1135
@ 2024-07-17 4:08 jgart
2024-07-17 14:29 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: jgart @ 2024-07-17 4:08 UTC (permalink / raw)
To: guix-devel
Hi Guixers,
What should we do in the event that we don't have time to quickly fix packages that depend on a package that has an open CVE on it?
For example,
I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135 but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.
Should we just remove the bad gunicorn and break the packages that depend on it in order to mitigate the risk of CVE-2024-1135?
all the best,
jgart
https://nvd.nist.gov/vuln/detail/CVE-2024-1135
ps
Excuse the previous blank email. I pressed send by accident ;()
* Building the following 6 packages would ensure 15 dependent packages are rebuilt: python-baltica@1.1.2 python-mailman-hyperkitty@1.2.0 python-falcon-cors@1.1.7 python-funsor@0.4.5 python-matplotlib-documentation@3.8.2 scregseg@0.1.3
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: gunicorn and CVE-2024-1135
2024-07-17 4:08 gunicorn and CVE-2024-1135 jgart
@ 2024-07-17 14:29 ` Leo Famulari
2024-07-17 21:21 ` jgart
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2024-07-17 14:29 UTC (permalink / raw)
To: jgart; +Cc: guix-devel
On Wed, Jul 17, 2024 at 04:08:34AM +0000, jgart wrote:
> I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135 but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.
I'm not sure I understand the question. Gunicorn-next contains the CVE
fix, but gunicorn does not? Is that correct?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: gunicorn and CVE-2024-1135
2024-07-17 14:29 ` Leo Famulari
@ 2024-07-17 21:21 ` jgart
2024-07-17 21:34 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: jgart @ 2024-07-17 21:21 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
> I'm not sure I understand the question. Gunicorn-next contains the CVE
>
> fix, but gunicorn does not? Is that correct?
Yep, that is correct. gunicorn does not contain the fix and gunicorn-next does contain the fix.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: gunicorn and CVE-2024-1135
2024-07-17 21:21 ` jgart
@ 2024-07-17 21:34 ` Leo Famulari
2024-07-18 2:40 ` jgart
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2024-07-17 21:34 UTC (permalink / raw)
To: jgart; +Cc: guix-devel
On Wed, Jul 17, 2024 at 09:21:53PM +0000, jgart wrote:
> > I'm not sure I understand the question. Gunicorn-next contains the CVE
> >
> > fix, but gunicorn does not? Is that correct?
>
> Yep, that is correct. gunicorn does not contain the fix and gunicorn-next does contain the fix.
Okay. Is there a reason to create gunicorn-next rather than updating
gunicorn?
We can't simply remove gunicorn without also removing the packages that
depend on it, or making it so that those packages do not depend on it.
Otherwise, Guix will not build, and we won't have successfully mitigated
the vulnerability for our users.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: gunicorn and CVE-2024-1135
2024-07-17 21:34 ` Leo Famulari
@ 2024-07-18 2:40 ` jgart
0 siblings, 0 replies; 5+ messages in thread
From: jgart @ 2024-07-18 2:40 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
> Okay. Is there a reason to create gunicorn-next rather than updating
>
> gunicorn?
Hi Leo,
Yes, time. Updating the packages that depend on that bad gunicorn will take time which I don't have at the moment to fix them, unfortunately.
I might not be able to get to updating all those packages until maybe up to 2 or more weeks from now depending on how busy I am.
> Otherwise, Guix will not build, and we won't have successfully mitigated
>
> the vulnerability for our users.
Yep, I just made the gunicorn-next package available for anyone that wants to use it but it's not integrated into the dependents as listed by `guix refresh -l gunicorn@20.1.0`. It is standalone.
If anyone would like to work on it before I am able to get to it feel free.
I just thought I'd let people know here in case it is higher priority for anyone else.
all best,
jgart
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-07-18 2:41 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-17 4:08 gunicorn and CVE-2024-1135 jgart
2024-07-17 14:29 ` Leo Famulari
2024-07-17 21:21 ` jgart
2024-07-17 21:34 ` Leo Famulari
2024-07-18 2:40 ` jgart
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).