Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

redmine: 5.1.4 -> 5.1.5 #365684

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

redmine: 5.1.4 -> 5.1.5 #365684

wants to merge 1 commit into from
+66 −65

Conversation

felixsinger
Copy link
Member

Update Redmine and also used gems.

Updating gems fixes the following CVEs:

The following vulnerabilities remain:

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@felixsinger felixsinger added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-24.11 Backport PR automatically labels Dec 16, 2024
@felixsinger
Copy link
Member Author

@GrahamcOfBorg test redmine

@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Dec 16, 2024
@felixsinger
Copy link
Member Author

For whatever reason mariadb is unable to start :/

@ofborg ofborg bot added 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-linux: 1 labels Dec 17, 2024
@aanderse
Copy link
Member

For whatever reason mariadb is unable to start :/

any success resolving that?

The following vulnerabilities remain:

since we're vendoring those dependencies into redmine it sounds like we should add the following to meta:

knownVulnerabilities = [ "CVE-2024-54133" "GHSA-r95h-9x8f-r3f7" ];

@wegank wegank added 12.approvals: 1 This PR was reviewed and approved by one reputable person 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in the package labels Dec 18, 2024
@felixsinger
Copy link
Member Author

@GrahamcOfBorg test redmine

@felixsinger
Copy link
Member Author

@GrahamcOfBorg test redmine

@felixsinger
redmine: 5.1.4 -> 5.1.5
e0d4495 
Update Redmine and used gems. Also, remove x86_64-linux from bundler
platforms because the gem dependencies are messed up.

Updating gems fixes the following CVEs:

  * CVE-2024-53985
  * CVE-2024-53986
  * CVE-2024-53987
  * CVE-2024-53988
  * CVE-2024-53989

The following vulnerabilities remain:

  * CVE-2024-54133
  * GHSA-r95h-9x8f-r3f7

Signed-off-by: Felix Singer <[email protected]>
@felixsinger
Copy link
Member Author

@GrahamcOfBorg test redmine

@felixsinger
Copy link
Member Author

felixsinger commented Dec 21, 2024
edited
Loading

For whatever reason mariadb is unable to start :/

any success resolving that?

Fixed it. x86_64-linux needed to be removed from bundler platforms. Added a line to the update script. That messed up the gems. I feel like the list gets longer and longer :D

The following vulnerabilities remain:

since we're vendoring those dependencies into redmine it sounds like we should add the following to meta:

knownVulnerabilities = [ "CVE-2024-54133" "GHSA-r95h-9x8f-r3f7" ];

With that the tests aren't executed as "insecure" packages need to be allowed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@megheaiulian megheaiulian megheaiulian approved these changes

@aanderse aanderse Awaiting requested review from aanderse

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 11.by: package-maintainer This PR was created by the maintainer of the package it changes 12.approvals: 1 This PR was reviewed and approved by one reputable person 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in the package backport release-24.11 Backport PR automatically
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@felixsinger @aanderse @megheaiulian @wegank