Date: Wed, 17 Jul 2024 17:34:07 -0400
From: Leo Famulari
To: jgart
Cc: guix-devel@gnu.org
Subject: Re: gunicorn and CVE-2024-1135
References: <4a1b351d338405125e9b5a4c6f868b27ad109ae6@dismail.de> <651ba6daed4e305955a43dd1a20487bf95b8b1c5@dismail.de>
In-Reply-To: <651ba6daed4e305955a43dd1a20487bf95b8b1c5@dismail.de>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Wed, Jul 17, 2024 at 09:21:53PM +0000, jgart wrote:
> > I'm not sure I understand the question. Gunicorn-next contains the CVE
> > fix, but gunicorn does not? Is that correct?
>
> Yep, that is correct. gunicorn does not contain the fix and gunicorn-next does contain the fix.

Okay. Is there a reason to create gunicorn-next rather than updating gunicorn?

We can't simply remove gunicorn without also removing the packages that depend on it, or making it so that those packages do not depend on it. Otherwise, Guix will not build, and we won't have successfully mitigated the vulnerability for our users.