nixpkgs-update/CVENOTES.org

* Issues
** https://github.com/NixOS/nixpkgs/pull/74184#issuecomment-565891652
* Fixed
** uzbl: 0.9.0 -> 0.9.1
  - [[https://nvd.nist.gov/vuln/detail/CVE-2010-0011][CVE-2010-0011]]
  - [[https://nvd.nist.gov/vuln/detail/CVE-2010-2809][CVE-2010-2809]]

  Both CVEs refer to matchers that are date based releases, but the
  author of the library switched to normal version numbering after
  that, so these CVEs are reported as relevant even though they are
  not.
** terraform: 0.12.7 -> 0.12.9
   - [[https://nvd.nist.gov/vuln/detail/CVE-2018-9057][CVE-2018-9057]]

   https://nvd.nist.gov/products/cpe/detail/492339?keyword=cpe:2.3:a:hashicorp:terraform:1.12.0:*:*:*:*:aws:*:*&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.3

   CVE only applies to terraform-providers-aws, but you can only tell that by looking at the "Target Software" part.
** tor: 0.4.1.5 -> 0.4.1.6
   https://nvd.nist.gov/vuln/detail/CVE-2017-16541

  the CPE mistakenly uses tor for the product id when the product id should be torbrowser
** arena: 1.1 -> 1.06
  - [[https://nvd.nist.gov/vuln/detail/CVE-2018-8843][CVE-2018-8843]]
  - [[https://nvd.nist.gov/vuln/detail/CVE-2019-15567][CVE-2019-15567]]

   Not rockwellautomation:arena
   Not openforis:arena
** thrift
   Apache Thrift vs Facebook Thrift
** go: 1.13.3 -> 1.13.4
   https://github.com/NixOS/nixpkgs/pull/72516

   Looks like maybe go used to use dates for versions and now uses
   regular versions
** kanboard: 1.2.11 -> 1.2.12
   https://github.com/NixOS/nixpkgs/pull/74429
   cve is about a kanboard plugin provided by jenkins not kanboard itself
[CVE] fix CVENOTES merge resolution mistakes 2019-11-25 08:36:49 +03:00			`* Issues`
[CVE] add isuse relating to doas 2019-12-21 17:48:31 +03:00			`** https://github.com/NixOS/nixpkgs/pull/74184#issuecomment-565891652`
[CVE] fix go issues, improve uzbl handling Before it was going to always ignore certain uzbl CVEs, but now it only ignores them if the version doesn't look like a date (start with four numbers). 2019-11-25 03:16:29 +03:00			`* Fixed`
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`** uzbl: 0.9.0 -> 0.9.1`
[CVE] Fix links 2019-11-05 17:53:23 +03:00			`- [[https://nvd.nist.gov/vuln/detail/CVE-2010-0011][CVE-2010-0011]]`
			`- [[https://nvd.nist.gov/vuln/detail/CVE-2010-2809][CVE-2010-2809]]`
add notes researching CVE failed matches 2019-10-07 02:16:31 +03:00
			`Both CVEs refer to matchers that are date based releases, but the`
			`author of the library switched to normal version numbering after`
			`that, so these CVEs are reported as relevant even though they are`
			`not.`
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`** terraform: 0.12.7 -> 0.12.9`
Merge branch 'cve' 2019-11-25 08:35:18 +03:00			`- [[https://nvd.nist.gov/vuln/detail/CVE-2018-9057][CVE-2018-9057]]`
add notes researching CVE failed matches 2019-10-07 02:16:31 +03:00
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`https://nvd.nist.gov/products/cpe/detail/492339?keyword=cpe:2.3:a:hashicorp:terraform:1.12.0:::::aws::&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.3`
add notes researching CVE failed matches 2019-10-07 02:16:31 +03:00
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`CVE only applies to terraform-providers-aws, but you can only tell that by looking at the "Target Software" part.`
			`** tor: 0.4.1.5 -> 0.4.1.6`
			`https://nvd.nist.gov/vuln/detail/CVE-2017-16541`
add notes researching CVE failed matches 2019-10-07 02:16:31 +03:00
			`the CPE mistakenly uses tor for the product id when the product id should be torbrowser`
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`** arena: 1.1 -> 1.06`
[CVE] Fix links 2019-11-05 17:53:23 +03:00			`- [[https://nvd.nist.gov/vuln/detail/CVE-2018-8843][CVE-2018-8843]]`
			`- [[https://nvd.nist.gov/vuln/detail/CVE-2019-15567][CVE-2019-15567]]`
update CVE notes 2019-10-12 17:34:52 +03:00
[CVE] fix thrift issues 2019-11-25 02:19:30 +03:00			`Not rockwellautomation:arena`
			`Not openforis:arena`
			`** thrift`
			`Apache Thrift vs Facebook Thrift`
[CVE] fix go issues, improve uzbl handling Before it was going to always ignore certain uzbl CVEs, but now it only ignores them if the version doesn't look like a date (start with four numbers). 2019-11-25 03:16:29 +03:00			`** go: 1.13.3 -> 1.13.4`
			`https://github.com/NixOS/nixpkgs/pull/72516`
[CVE] add note about golang 2019-11-02 06:53:39 +03:00
[CVE] fix go issues, improve uzbl handling Before it was going to always ignore certain uzbl CVEs, but now it only ignores them if the version doesn't look like a date (start with four numbers). 2019-11-25 03:16:29 +03:00			`Looks like maybe go used to use dates for versions and now uses`
			`regular versions`
[CVE] fix kanboard issue 2019-12-08 07:56:08 +03:00			`** kanboard: 1.2.11 -> 1.2.12`
			`https://github.com/NixOS/nixpkgs/pull/74429`
			`cve is about a kanboard plugin provided by jenkins not kanboard itself`