treewide: add CVE-2024-9680 as a known vulnerability to Firefox forks #347601

Merged
merged 2 commits into from
Oct 9, 2024

Conversation

@Scrumplex Scrumplex commented Oct 9, 2024

See https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Floorp: Floorp-Projects/Floorp#1468
Librewolf: Waiting for AppImage update

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

emilazy commented Oct 9, 2024

I am not sure we should be carrying Firefox forks that need us to notify them of critical RCE CVEs. If Floorp don’t react quickly we might want to consider removal.

@emilazy emilazy added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "backport release-24.05" on Oct 9, 2024
@emilazy emilazy merged commit 6422c78 into NixOS:master Oct 9, 2024
17 of 18 checks passed
github-actions bot commented Oct 9, 2024

Backport failed for release-24.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.05
git worktree add -d .worktree/backport-347601-to-release-24.05 origin/release-24.05
cd .worktree/backport-347601-to-release-24.05
git switch --create backport-347601-to-release-24.05
git cherry-pick -x b119e084e6d09367fe4fe84f4f384be90cbb6421 73223431f76e311407b0e5ede9e8fceb11dc5e50

@SuperSandro2000
Member

I am asking again why knownVulnerabilities prevents Hydra builds. It makes no sense and forbids anyone without a compile server to still use the package. It is more or less equal to marking the package broken.

emilazy commented Oct 11, 2024

For some packages I can understand it, but… why on earth would you want to use a Firefox variant with a remote code execution vulnerability being actively exploited in the wild?
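The mechanism the two comments above argue about, as an added illustration rather than this PR's actual diff: a stand-in package carrying the CVE in meta.knownVulnerabilities, and the explicit opt-in a user must give before nixpkgs will evaluate it at all. The package name "example-browser", its version and the allowInsecure argument are assumptions; the only page-specific value is the CVE identifier.

```nix
# Added example, not code from this PR or from nixpkgs' Floorp/Librewolf
# expressions. Build with:  nix-build example.nix            (refused)
#                           nix-build example.nix --arg allowInsecure true
{ allowInsecure ? false }:
let
  pkgs = import <nixpkgs> {
    # The opt-in string must equal "${pname}-${version}" of the affected
    # package, exactly as printed in the evaluation error. Setting the
    # environment variable NIXPKGS_ALLOW_INSECURE=1 is the blanket alternative.
    config.permittedInsecurePackages =
      if allowInsecure then [ "example-browser-1.0" ] else [ ];
  };
in
pkgs.stdenv.mkDerivation {
  pname = "example-browser";   # assumed stand-in name
  version = "1.0";             # assumed stand-in version
  dontUnpack = true;
  installPhase = ''
    mkdir -p $out
    echo "placeholder build output" > $out/notice
  '';
  meta = {
    # A non-empty list here makes stdenv's meta check throw an "is marked as
    # insecure" error during evaluation. Nothing downstream of that point is
    # built, which is why Hydra stops producing binaries for the package
    # (the effect SuperSandro2000 objects to) and why a user cannot install
    # the vulnerable build by accident (the effect emilazy wants).
    knownVulnerabilities = [
      "CVE-2024-9680"  # https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
    ];
  };
}
```

The refusal is an evaluation-time error, so it also blocks nix-shell, nix-env and NixOS rebuilds that reference the package until the version string in the error is added to permittedInsecurePackages or the package is updated and the entry removed.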

Labels
1.severity: security Issues which raise a security issue, or PRs that fix one
3 participants