From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms13.migadu.com with LMTPS
	id wAOzOO9Dl2Zb+QAA62LTzQ:P1
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 17 Jul 2024 04:09:35 +0000
Received: from aspmx1.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1.migadu.com with LMTPS
	id wAOzOO9Dl2Zb+QAA62LTzQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 17 Jul 2024 06:09:20 +0200
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b=VYmDyPRZ;
	dmarc=pass (policy=reject) header.from=dismail.de;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1721189359;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=/kX+SKi6Cawno5UnOpBDstkakgo6H6Gqg90D1qLyqJs=;
	b=MM7J8KJBPjbsbM3QsLHCPudWTd5TSLoIKh/kUfqVneBoSX6qnHtimtdD1KH4YMqK/NWy3b
	/Zu+e28+S0hDyMel2d8SgHIzH64VdgiijpaPmkk7jBub3C8BSaGcMJgpolyLjMHOzZnrZI
	g+bleVz9mFuSjGGF+Gn0qgx7Kxc6GuJyPLnkeFzKs+yDj3Sz1DxCZx4RwqhvCGQHSDu0yw
	4MEPn7q9pHanP1yrmtc8mbvfkXUv1C9Fi7klHTWo8SHSXzfEbNRKIqPlAefqaKDfMX0cpb
	rLHMlb8gNIDpWmZ7XZexb1r9NfWLbJwr+ZkLF4WdWIQnsbn3K6hvdco/bPuAKA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1721189359; a=rsa-sha256; cv=none;
	b=K/qOPKecSKlZ5Jg5n+V+oVLkr6Y6wUDybC4ceqHrV7GcukTFlynX5Nk93IYj2tltrB5jqB
	g7CcZG+WqTPoMlyEOL763/ZB4vgb3Ed7Icqk/2Z+se4K37wOxrLasPD5g8CGIA8AFfuSAn
	Rv0udBV6fYnFXaYeNas3lQKEaNpNii68LUeRDm+bchQTDc6ESgJQIbF7xBXp3/3Ei4FtfA
	HyfrZ9NrYlWn6Ul2jtFRoSVxvGPBPFELR5rA1Tc3G8Nxs646kQpRYqOxYlHaP1iPKTFtjV
	ovJQR4JP8F2ZGLVB/1P1BIS9p2NTNCGdTJT36rIHfW+4lmSvpR+IFqoDci775w==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b=VYmDyPRZ;
	dmarc=pass (policy=reject) header.from=dismail.de;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 974941ECAD
	for <larch@yhetil.org>; Wed, 17 Jul 2024 06:09:19 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1sTvy5-0001Bh-SN; Wed, 17 Jul 2024 00:08:41 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jgart@dismail.de>) id 1sTvy4-0001BS-IZ
 for guix-devel@gnu.org; Wed, 17 Jul 2024 00:08:40 -0400
Received: from mx2.dismail.de ([159.69.191.136])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jgart@dismail.de>) id 1sTvy2-0004rk-HK
 for guix-devel@gnu.org; Wed, 17 Jul 2024 00:08:40 -0400
Received: from mx2.dismail.de (localhost [127.0.0.1])
 by mx2.dismail.de (OpenSMTPD) with ESMTP id 63fc7d32;
 Wed, 17 Jul 2024 06:08:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=
 mime-version:date:content-type:content-transfer-encoding:from
 :message-id:subject:to; s=20190914; bh=/kX+SKi6Cawno5UnOpBDstkak
 go6H6Gqg90D1qLyqJs=; b=VYmDyPRZJI8TPWXjSM8VBpcOPe6TyJjTJFb4DkstF
 0AS5qQS1iDQmQxGfN3f1aGGkyhleRx/kNnIAJXjyRpKSoGwxb38DHjNWoGCp4t4G
 QerbXxOzeH8QoC5npNFsQliZXT1H/yTeqDZzJCU4aAOVz1AKWpPPhdSnwVH7ahgJ
 cCTDF9lcTNEZgIuLTU0Svwc9dWgjTZ1MkFGJPSBR/vrsemXgqykbmqBXGvPwDhzK
 0RZWHysiFvcmsMb50OGegDwlXE853udPd/6Xnkl4LCJ2beDiL4QuDq2ForJunn0p
 snYyG6aMHs/Zx5I+0aHCIY23FDK/RwYc0lGCDb3I491xg==
Received: from smtp2.dismail.de (<unknown> [10.240.26.12])
 by mx2.dismail.de (OpenSMTPD) with ESMTP id 799c4cb1;
 Wed, 17 Jul 2024 06:08:35 +0200 (CEST)
Received: from smtp2.dismail.de (localhost [127.0.0.1])
 by smtp2.dismail.de (OpenSMTPD) with ESMTP id d9155f28;
 Wed, 17 Jul 2024 06:08:35 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id 8598fc1e
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Wed, 17 Jul 2024 06:08:34 +0200 (CEST)
MIME-Version: 1.0
Date: Wed, 17 Jul 2024 04:08:34 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: "jgart" <jgart@dismail.de>
Message-ID: <4a1b351d338405125e9b5a4c6f868b27ad109ae6@dismail.de>
TLS-Required: No
Subject: gunicorn and CVE-2024-1135
To: guix-devel@gnu.org
Received-SPF: pass client-ip=159.69.191.136; envelope-from=jgart@dismail.de;
 helo=mx2.dismail.de
X-Spam_score_int: -43
X-Spam_score: -4.4
X-Spam_bar: ----
X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Queue-Id: 974941ECAD
X-Migadu-Scanner: mx12.migadu.com
X-Migadu-Spam-Score: -9.58
X-Spam-Score: -9.58
X-TUID: cCiSlhtE929Q

Hi Guixers,

What should we do in the event that we don't have time to quickly fix pac=
kages that depend on a package that has an open CVE on it?

For example,

I provided gunicorn-next in a recent commit to master which fixes CVE-202=
4-1135 but I don't have time at the moment to fix the bad gunicorn's depe=
ndents* against gunicorn-next.

Should we just remove the bad gunicorn and break the packages that depend=
 on it in order to mitigate the risk of CVE-2024-1135?

all the best,

jgart

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

ps

Excuse the previous blank email. I pressed send by accident ;()

* Building the following 6 packages would ensure 15 dependent packages ar=
e rebuilt: python-baltica@1.1.2 python-mailman-hyperkitty@1.2.0 python-fa=
lcon-cors@1.1.7 python-funsor@0.4.5 python-matplotlib-documentation@3.8.2=
 scregseg@0.1.3