nixpkgs-update/CVENOTES.org

• Issues
  • https://github.com/NixOS/nixpkgs/pull/74184#issuecomment-565891652
• Fixed
  • uzbl: 0.9.0 -> 0.9.1
  • terraform: 0.12.7 -> 0.12.9
  • tor: 0.4.1.5 -> 0.4.1.6
  • arena: 1.1 -> 1.06
  • thrift
  • go: 1.13.3 -> 1.13.4
  • kanboard: 1.2.11 -> 1.2.12

Issues

https://github.com/NixOS/nixpkgs/pull/74184#issuecomment-565891652

Fixed

uzbl: 0.9.0 -> 0.9.1

• CVE-2010-0011
• CVE-2010-2809

Both CVEs refer to matchers that are date based releases, but the author of the library switched to normal version numbering after that, so these CVEs are reported as relevant even though they are not.

terraform: 0.12.7 -> 0.12.9

• CVE-2018-9057

https://nvd.nist.gov/products/cpe/detail/492339?keyword=cpe:2.3🅰️hashicorp:terraform:1.12.0:*:*:*:*:aws:*:*&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.3

CVE only applies to terraform-providers-aws, but you can only tell that by looking at the "Target Software" part.

tor: 0.4.1.5 -> 0.4.1.6

https://nvd.nist.gov/vuln/detail/CVE-2017-16541

the CPE mistakenly uses tor for the product id when the product id should be torbrowser

arena: 1.1 -> 1.06

• CVE-2018-8843
• CVE-2019-15567 Not rockwellautomation:arena Not openforis:arena

thrift

Apache Thrift vs Facebook Thrift

go: 1.13.3 -> 1.13.4

https://github.com/NixOS/nixpkgs/pull/72516

Looks like maybe go used to use dates for versions and now uses regular versions

kanboard: 1.2.11 -> 1.2.12

https://github.com/NixOS/nixpkgs/pull/74429 cve is about a kanboard plugin provided by jenkins not kanboard itself