unofficial mirror of guix-devel@gnu.org 
* gunicorn and CVE-2024-1135
@ 2024-07-17  4:08 jgart
  2024-07-17 14:29 ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: jgart @ 2024-07-17  4:08 UTC (permalink / raw)
  To: guix-devel

Hi Guixers,

What should we do in the event that we don't have time to quickly fix packages that depend on a package that has an open CVE on it?

For example,

I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135 but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.

Should we just remove the bad gunicorn and break the packages that depend on it in order to mitigate the risk of CVE-2024-1135?

all the best,

jgart

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

ps

Excuse the previous blank email. I pressed send by accident ;()

* Building the following 6 packages would ensure 15 dependent packages are rebuilt: python-baltica@1.1.2 python-mailman-hyperkitty@1.2.0 python-falcon-cors@1.1.7 python-funsor@0.4.5 python-matplotlib-documentation@3.8.2 scregseg@0.1.3


* Re: gunicorn and CVE-2024-1135
  2024-07-17  4:08 gunicorn and CVE-2024-1135 jgart
@ 2024-07-17 14:29 ` Leo Famulari
  2024-07-17 21:21   ` jgart
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2024-07-17 14:29 UTC (permalink / raw)
  To: jgart; +Cc: guix-devel

On Wed, Jul 17, 2024 at 04:08:34AM +0000, jgart wrote:
> I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135 but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.

I'm not sure I understand the question. Gunicorn-next contains the CVE
fix, but gunicorn does not? Is that correct?


* Re: gunicorn and CVE-2024-1135
  2024-07-17 14:29 ` Leo Famulari
@ 2024-07-17 21:21   ` jgart
  2024-07-17 21:34     ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: jgart @ 2024-07-17 21:21 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

> I'm not sure I understand the question. Gunicorn-next contains the CVE
> fix, but gunicorn does not? Is that correct?

Yep, that is correct. gunicorn does not contain the fix and gunicorn-next does contain the fix.


* Re: gunicorn and CVE-2024-1135
  2024-07-17 21:21   ` jgart
@ 2024-07-17 21:34     ` Leo Famulari
  2024-07-18  2:40       ` jgart
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2024-07-17 21:34 UTC (permalink / raw)
  To: jgart; +Cc: guix-devel

On Wed, Jul 17, 2024 at 09:21:53PM +0000, jgart wrote:
> > I'm not sure I understand the question. Gunicorn-next contains the CVE
> > fix, but gunicorn does not? Is that correct?
> 
> Yep, that is correct. gunicorn does not contain the fix and gunicorn-next does contain the fix.

Okay. Is there a reason to create gunicorn-next rather than updating
gunicorn?

We can't simply remove gunicorn without also removing the packages that
depend on it, or making it so that those packages do not depend on it.
Otherwise, Guix will not build, and we won't have successfully mitigated
the vulnerability for our users.


* Re: gunicorn and CVE-2024-1135
  2024-07-17 21:34     ` Leo Famulari
@ 2024-07-18  2:40       ` jgart
  0 siblings, 0 replies; 5+ messages in thread
From: jgart @ 2024-07-18  2:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

> Okay. Is there a reason to create gunicorn-next rather than updating
> gunicorn?

Hi Leo,

Yes, time. Updating the packages that depend on that bad gunicorn will take time, which I don't have at the moment, unfortunately.

I might not be able to get to updating all those packages until maybe up to 2 or more weeks from now depending on how busy I am.

> Otherwise, Guix will not build, and we won't have successfully mitigated
> the vulnerability for our users.

Yep, I just made the gunicorn-next package available for anyone that wants to use it but it's not integrated into the dependents as listed by `guix refresh -l gunicorn@20.1.0`. It is standalone.


If anyone would like to work on it before I am able to get to it feel free.

I just thought I'd let people know here in case it is higher priority for anyone else.

all best,

jgart

