From: Mark H Weaver
To: Léo Le Bouter, guix-devel@gnu.org
Subject: Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
In-Reply-To: <2fa8c4679e127f5e8a3e1dd4fa7d6ad73b1d83d3.camel@zaclys.net>
References: <2fa8c4679e127f5e8a3e1dd4fa7d6ad73b1d83d3.camel@zaclys.net>
Date: Thu, 11 Mar 2021 03:28:37 -0500
Message-ID: <87im5ygkkv.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution." (guix-devel@gnu.org)

Hi Léo,

Thanks for bringing this to our attention.

Léo Le Bouter writes:

> Upstream does not provide fixes for the 2.62.x series so we need to
> backport ourselves.

One does not follow from the other. Besides upstream, there exist other competent organizations (such as Debian, Red Hat, and Ubuntu) that provide security support for their stable OS releases, and publish backported fixes as part of that work.

> I would rather switch to upstream-supported version (2.66.x or later)
> as backporting patches does not appear sustainable for us, we already
> have enough on our plate.

As I wrote in another thread: I'll backport the fixes for CVE-2021-27218 and CVE-2021-27219 to our version of Glib, based on the backports already published by Ubuntu for Glib 2.56.4 and 2.64.4.

Regards,
      Mark