unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* gunicorn and CVE-2024-1135
@ 2024-07-17  4:08 jgart
  2024-07-17 14:29 ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: jgart @ 2024-07-17  4:08 UTC (permalink / raw)
  To: guix-devel

Hi Guixers,

What should we do in the event that we don't have time to quickly fix packages that depend on a package that has an open CVE on it?

For example,

I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135 but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.

Should we just remove the bad gunicorn and break the packages that depend on it in order to mitigate the risk of CVE-2024-1135?

all the best,

jgart

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

ps

Excuse the previous blank email. I pressed send by accident ;()

* Building the following 6 packages would ensure 15 dependent packages are rebuilt: python-baltica@1.1.2 python-mailman-hyperkitty@1.2.0 python-falcon-cors@1.1.7 python-funsor@0.4.5 python-matplotlib-documentation@3.8.2 scregseg@0.1.3


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-07-18  2:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-17  4:08 gunicorn and CVE-2024-1135 jgart
2024-07-17 14:29 ` Leo Famulari
2024-07-17 21:21   ` jgart
2024-07-17 21:34     ` Leo Famulari
2024-07-18  2:40       ` jgart

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).