how to subscribe to security advisory notices for nixpkgs / nixos? #13515
Comments
Agreed - I will propose the priority for 16.09 release should be security updates tooling and advisories. |
I found a relevant nifty blog item; it even cites this issue. I suppose it's worth closing the loop:
|
Here are some security announcements. :) The following issues have been resolved in NixOS in unstable and 16.09. They remain potentially open on 16.03 and older. They will be released to 16.09 and unstable channels once Hydra's
Fixes from September 22 (#18856)
Fixes from September 29 (#19075)
Fixes from October 5 (#19253)
Fixes from October 12 (#19481)
|
Fix from this morning, October 18, to be released to 16.09 and unstable once hydra builds:
|
Fixes from October 19 (#19678), to be released to 16.09 and unstable once hydra builds:
On master only, upgrading KDE: 9cd8b4e but a proposed upgrade for KDE in 16.09: #19706
Chromium has an outstanding issue (https://lwn.net/Vulnerabilities/703767/) without any solution yet.
Note, if you'd like to help on the next week's hunt please add a comment to issue #19678 :) |
Fixes from October 20 to be released to 16.09 and unstable once hydra builds:
|
@domenkozar it strikes me we could address the problem reported on this issue by:
I can post these notices anywhere. Some thoughts on where:
|
I don't think reusing a single issue thread will scale well. Keeping in mind #14819 (comment), IMO a RSS feed would be best; the RSS feed could be backed/generated from another system if wanted as well (e.g. a git repo). |
Every time https://github.com/NixOS/nixpkgs-channels is updated, the HEAD commit could be tagged as a release with an automatically generated release message from the commit messages. Maybe grepping for CVE strings or something similar.. |
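The tag-and-grep idea in the comment above, worked through as an added example that is not part of this thread and not any nixpkgs or nixpkgs-channels tooling: a Python script that turns a range of commit messages into a CVE-keyed release note. It assumes the log was produced with `git log --format='%H%x1f%s%x1f%b%x1e' OLD..NEW` (fields separated by 0x1f, records by 0x1e); the commit records and every `CVE-0000-*` identifier below are constructed placeholders, and only CVE-2016-5195 is an identifier from this thread.

```python
"""Build a CVE-keyed release note from formatted git log output.

Added example, not nixpkgs tooling. Assumes:
  git log --format='%H%x1f%s%x1f%b%x1e' OLD..NEW
"""
import re
from collections import defaultdict

# CVE identifiers: year, then four or more digits. Case-insensitive because
# commit messages are not consistent about it.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Phrases that usually mean a CVE is mentioned but NOT fixed by the commit.
# A grep-only pipeline would otherwise announce these as fixes.
NEGATION_RE = re.compile(
    r"\b(not affected|unaffected|does not fix|not vulnerable)\b", re.IGNORECASE
)

# Constructed sample log (not real nixpkgs history). CVE-0000-000N are
# placeholder identifiers; CVE-2016-5195 is the Dirty COW id from the thread.
SAMPLE_LOG = (
    "a1b2c3d4e5\x1flinux: 4.4.26 -> 4.4.27\x1fFixes CVE-2016-5195 (Dirty COW).\x1e"
    "b2c3d4e5f6\x1fcurl: 7.50.3 -> 7.51.0\x1f"
    "Addresses cve-0000-0001 and CVE-0000-0002.\n\nChangelog also lists CVE-0000-0001.\x1e"
    "c3d4e5f6a7\x1fpciutils: 3.5.1 -> 3.5.2\x1fRoutine update, no security implications.\x1e"
    "d4e5f6a7b8\x1ftar: add note\x1fWe are not affected by CVE-0000-0003 until the bootstrap is rebuilt.\x1e"
)


def parse_log(text):
    """Yield (short_hash, subject, body) for each record in the formatted log."""
    for record in text.split("\x1e"):
        record = record.strip()
        if not record:
            continue
        parts = record.split("\x1f", 2)
        while len(parts) < 3:  # a commit with no body yields only two fields
            parts.append("")
        sha, subject, body = parts
        yield sha[:7], subject.strip(), body.strip()


def cves_in(text):
    """Set of normalised (upper-case, de-duplicated) CVE ids found in text."""
    return {m.upper() for m in CVE_RE.findall(text)}


def build_release_notes(log_text):
    """Return (fixed, needs_review).

    fixed: dict CVE -> sorted list of 'sha subject' strings for commits that
           claim to fix it.
    needs_review: list of (sha, subject, [cves]) for commits whose message
           mentions a CVE alongside negating wording; a human decides those.
    """
    fixed = defaultdict(list)
    needs_review = []
    for sha, subject, body in parse_log(log_text):
        message = subject + "\n" + body
        ids = cves_in(message)
        if not ids:
            continue
        if NEGATION_RE.search(message):
            needs_review.append((sha, subject, sorted(ids)))
            continue
        for cve in ids:
            fixed[cve].append(f"{sha} {subject}")
    return {k: sorted(v) for k, v in sorted(fixed.items())}, needs_review


def render(fixed, needs_review):
    """Plain-text release note, one line per CVE plus a review section."""
    lines = ["Security fixes in this channel update:"]
    for cve, commits in fixed.items():
        lines.append(f"  {cve}: " + "; ".join(commits))
    if needs_review:
        lines.append("Mentioned but apparently not fixed (check by hand):")
        for sha, subject, ids in needs_review:
            lines.append(f"  {sha} {subject} [{', '.join(ids)}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_release_notes(SAMPLE_LOG)))
```

Two things this shows that the one-line proposal does not: a commit that mentions a CVE only to say the package is unaffected must not be announced as a fix, so such commits are routed to a review list instead, and a fix applied as a patch file whose name carries the CVE but whose commit message does not will be missed entirely by any message grep, which is the reason the next comment gives for not relying on automation alone.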
FWIW I'd rather avoid trying to be too automatic about it, or steeping this discussion in technical implementation details. As it stands now the process of generating the advisories is pretty trivial, especially in comparison to the effort in actually researching and applying the patches. |
Update, October 20: Privilege escalation vulnerability in the All Linux Kernels
Kernel updates in master and 16.09 include patches for CVE-2016-5195 (DirtyCow -- https://dirtycow.ninja/) https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
The hydra job for 16.09 (https://hydra.nixos.org/build/42415618) passed the |
Cross-posted from nix-dev: Hello Nixers, All Linux kernels since 2.6.22 have been vulnerable to a privilege escalation bug. Please upgrade immediately. This issue was discovered and patched on October 18. The fix was released yesterday, and the 16.09 channel now includes the fix for the following kernels:
When updating please ensure you have
For unstable, only unstable-small has the patches:
Standard unstable will move forward when all tests have passed. All other kernels available in NixOS 16.09 and Unstable are vulnerable and have not yet received patches. This includes:
More information can be had at https://dirtycow.ninja/ Also included in this channel update are several fixes found in the latest vulnerability hunt. See:
If you would like to help with future hunts and patches, please leave a comment on #19678 and I'll make sure to ping you. Thank you, |
So the way to subscribe to security notices is to subscribe to this ticket? If so, please update NixOS support or something nearby. |
@dckc I don't think this ticket is officially designated The Way to do it. I've been doing it as a stop-gap. Note my question (#13515 (comment)) about where we should do it long term. |
Update, October 22: Kernel buffer overflow patched. Not sure of severity.
@NeQuissimus has upgraded our Linux kernels to the latest versions released today.
PS: @NeQuissimus has been an incredible help on keeping our kernels up to date lately. Thank you! |
Security fixes from 2016-10-26 01:54 UTC
The following issues have been resolved in NixOS in unstable and
These patches will be released to the unstable and release-16.09 channels when
|
Security fixes from 2016-10-27 12:50 UTC
The following issues have been resolved in NixOS in unstable and
These patches will be released to the unstable and release-16.09 channels when
There are additional patches waiting to land:
I'll provide an update when these stragglers are complete. Thank you, PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you. |
Security advisories from 2016-10-27 22:37 UTC
The following issues have been resolved in NixOS in unstable and
These patches will be released to the unstable and release-16.09 channels when
With the exception of Chromium (#19565) this closes out #19884. Thank you, PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you. Update: 16.09's channel has moved forward and
|
Security advisories from 2016-11-05 01:12 UTC
The following issues have been resolved in NixOS in unstable and
These patches will be released to the unstable and release-16.09 channels when
Still outstanding is a patch for tar (difficult due to bootstrapping,) and a patch for chromium which we're testing. P.S. Sorry for these being so late. Many of these haven't hit the stable channel yet, like the curl fixes. I'll try and shepherd these through, but am incredibly overloaded this week. Thank you to all contributors at #20078, especially @fpletz. Note: If you'd like to participate in the next one, please leave a comment at #20078 :) Update: These patches are available in the 16.09 channel. |
Thank you, Vladimír. I thought I had removed that from the list. Sorry, my second mistake like this. I'll revisit this tooling.
Graham
…On Thu, Nov 24, 2016 at 4:04 PM Vladimír Čunát ***@***.***> wrote:
Note: the pciutils commit has no security implications, I believe (I
authored it).
|
I'm probably blind... but how do you subscribe to that forum to receive the messages by email? I do not see any subscribe, join or any similar option. |
Hi,
Sorry, obviously there has been an issue with the configuration. I will update this issue until that is resolved. I will also let everyone know when the list is fixed up.
Graham
…On Thu, Nov 24, 2016 at 6:28 PM Daniel Frank ***@***.***> wrote:
This is the last announcement to be posted to this list. All future
announcements will be sent to our new nix security list,
I'm probably blind... but how do you subscribe to that forum to receive
the messages by email? I do not see any subscribe, join or any similar
option.
|
Ok everyone, here is an update:
No, this list is not for embargoed issues. We don't currently have this infrastructure. We are planning on working on this infrastructure in the first / second quarter of 2017.
The list was misconfigured. We want the announce list to be announce-only and no other discussion. It is now configured to allow anyone to subscribe / join, but only certain people to send mail. For discussion about issues, I would recommend emailing nix-dev.
The service which hosts the other mailing list seems to not be taking
Security Updates (cross-posted to the list)
|
Shall we close this issue? It's relatively long and seems resolved – people now can subscribe to that list. |
Good question, @vcunat, but I don't think so. Here are the remaining steps:
I think it should probably be a separate page on the nixos.org/nixos website. I've written up the following to this effect:
This needs editing and formatting as HTML, and preferably someone else added to that list with a key :) |
There's still the question of
Perhaps I should open a separate issue about this. The process above is largely about source code, not compiled / installed packages. The line is more blurry in nix than other distributions, but it's still relevant. |
Yes, I think that should be a separate issue. :) |
And the use case is not to update unless your system is (potentially) vulnerable, I guess? The problem there is that you currently can't know from the binaries themselves (in general), as e.g. applying a patch isn't observable in the name-version tuple. @domenkozar once suggested we added some files describing fixed CVEs in each binary path, but I can't see that in open tickets anymore and I don't remember why exactly it wasn't pursued in the end. I personally believe that if you're on the level that you care for vulnerabilities of your binaries, you want to track the nix-sources for them as well (and the configuration), as it's just practical in multiple ways. |
Found the thread I meant: #15660 |
👆 🎉 🥂 😮 👍 🥇 💯 So thrilling that this took less than a year to close. |
Very satisfying indeed. Great work, everybody! |
Hmm... the "Stable releases receive security updates ..." policy text isn't on the new security page. There hasn't been a decision against that, has there? Some variation of it will appear in due course, yes? |
@dckc looks like the decision has been in place for a few years now: https://nixos.org/nixos/manual/#sec-upgrading do you think we should duplicate this policy on the security page as well? (sorry I didn't note that I found those docs here) |
I didn't mean to refer to the issue of how far back security patches get ported but rather to the fact that there's a security update policy at all. That manual section has very little to say about security. Perhaps it suffices to say "As noted in Upgrading NixOS, we provide security updates to stable releases." But it would be nicer to elaborate, as in "We regularly review the LWN vulnerability list and make a best effort to see that these are addressed in stable releases of nixpkgs." |
There's nothing about security explicitly, so it could be more explicit, as security updates seem (currently) to be the main purpose of the stable branch(es). |
The mailing list has gone silent since last year. The website only mentions this list. Is there a replacement to subscribe advisories somewhere? |
I see not much really, beyond what you get from the GitHub label. Christian stopped doing the roundups a few weeks ago (you can see them on that link), apparently, but the tool itself is public IIRC. |
Have opened #65105. What if we used GitHub for NixOS security advisories? |
tl;dr: I suggest an issue label or combination of labels dedicated to security advisories (vulnerabilities and updates / patches).
Describe your issue here
Nix is great, and as I use it more for hobby stuff, I'm thinking about using it at work (KUMC medical informatics) where we safeguard research data about a large collection of patients.
We have a few dozen linux servers; SLES in particular. We regularly apply SLES updates, so we get those updates whether we read their SUSE Update Advisories or not. For stuff we install on top of that, our general policy is to subscribe to security notices directly. For example:
I have been looking for something similar for nix packages. I sort of expected to see something on/near NixOS support, but no joy. Then I stumbled across the issues with the 1.severity: security label.
Stuff like #12437 on ffmpeg and #13506 on openssl are exactly what I'm looking for. But #7220 also bears that label, and it's more of a wide-ranging design discussion, not a particular vulnerability or update. It would work for me to filter out the "0.kind: enhancement" label or add "9.needs: package (update)" as a constraint, provided that emerges as the norm among the nix maintainers. An explicit link from NixOS support would be most helpful.
For reference, when I asked for reference information on the current list of labels, I learned about the NixOS/Nixpkgs repository labels thread.
For inspiration, a few more lists I found while researching this request:
It seems conventional to document "how to report security issues" on the same page.
Expected result
A security update policy on/near NixOS support.
Actual result
No clear security update norms.
Steps to reproduce
Look at NixOS support and pages nearby.