gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
hmpffff has joined #nixos-security
hmpffff_ has quit [Ping timeout: 264 seconds]
pie_ has quit [Quit: pie_]
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-security
justanotheruser has quit [Ping timeout: 245 seconds]
justanotheruser has joined #nixos-security
Henson has joined #nixos-security
<Henson> gchristensen: hello, are you around?
<Henson> andi-: hello, are you around?
<gchristensen> hi
<andi-> Henson: yes
<Henson> hey, I think I patched the OpenSSH NixOS derivation to close two CVE vulnerabilities. I just downloaded the Debian source package, which includes patches for two of the vulnerabilities, and added them into the list of patches already in the derivation. It patches cleanly and builds properly, and the Debian version is the same as the NixOS version.
<Henson> so I suppose that means I've done it correctly. Or is there some kind of testing that needs to be done beyond that?
<andi-> Henson: well that sounds okay for now. Can you open a PR? I can review it.
<Henson> there's also one vulnerability, CVE-2019-6110, for which I can't find a patch. On the Debian security tracker https://security-tracker.debian.org/tracker/CVE-2019-6110 it says this vulnerability isn't important enough to fix
<Henson> andi-: ok, that's the next step I'll need to figure out how to do :-)
<andi-> Henson: feel free to ask me anything to get that done
<aanderse> <3 Henson
<{^_^}> Henson's karma got increased to 2
<Henson> well, maybe just tell me if these steps are correct: log in to GitHub, fork the NixPkgs repository to my account, clone it out from my account to my computer, add the changes I've made, push it back to my account, and then (this is the part I've never done) ask for a pull request from my Github fork of Nixpkgs to the master Nixpkgs?
<andi-> Henson: yes, once you push to a branch in your fork GitHub will show you a "Create Pull Request" button
<andi-> and from there on it should be straightforward
<Henson> are the unstable and various nixos channels in nixpkgs tags or branches?
<andi-> master = unstable
<andi-> just open the PR against master
<Henson> ok
<andi-> there is release-yy.xx for each of the releases
<andi-> usually we backport those changes to the release branches (if required and feasible)
<Henson> ok
<Henson> I'll give that a try
<Henson> how was the list of vulnerabilities at broken.sh created? Was it done automatically or manually?
<andi-> it is all automatic
<Henson> how does it know if a package is vulnerable?
<andi-> It tries to parse the version, package name and applies patches from a JSON export of nixpkgs and searches the NVD database dumps
pie_ has joined #nixos-security
Henson has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
justanotheruser has quit [Ping timeout: 245 seconds]
pietranera has quit [Quit: Leaving.]
justanotheruser has joined #nixos-security
justanotheruser has quit [Client Quit]
hmpffff has quit [Quit: nchrrrr…]
pie_ has quit [Ping timeout: 252 seconds]
pie_ has joined #nixos-security
justanotheruser has joined #nixos-security
hmpffff has joined #nixos-security
erictapen has joined #nixos-security
{`-`} has joined #nixos-security
hexa- has quit [Quit: WeeChat 2.5]
hexa- has joined #nixos-security
justanotheruser has quit [Ping timeout: 248 seconds]
hmpffff has quit [Quit: nchrrrr…]
justanotheruser has joined #nixos-security
justanotheruser has quit [Client Quit]
ghuntley_ has joined #nixos-security
ghuntley has quit [*.net *.split]
ghuntley_ is now known as ghuntley
hmpffff has joined #nixos-security
hmpffff has quit [Quit: nchrrrr…]
{^_^} has quit [Read error: Connection reset by peer]
{^_^} has joined #nixos-security
erictapen has quit [Ping timeout: 245 seconds]