From: "jgart"
To: guix-devel@gnu.org
Date: Wed, 17 Jul 2024 04:08:34 +0000
Subject: gunicorn and CVE-2024-1135
Message-ID: <4a1b351d338405125e9b5a4c6f868b27ad109ae6@dismail.de>

Hi Guixers,

What should we do in the event that we don't have time to quickly fix packages that depend on a package that has an open CVE on it?

For example, I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135, but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next.

Should we just remove the bad gunicorn and break the packages that depend on it in order to mitigate the risk of CVE-2024-1135?

all the best,

jgart

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

ps Excuse the previous blank email. I pressed send by accident ;()

* Building the following 6 packages would ensure 15 dependent packages are rebuilt:
python-baltica@1.1.2
python-mailman-hyperkitty@1.2.0
python-falcon-cors@1.1.7
python-funsor@0.4.5
python-matplotlib-documentation@3.8.2
scregseg@0.1.3