Message ID | 4cb10aa33d799603e45b839396261b8cfdaccbc6.1697861438.git.philip@philipmcgrath.com
---|---
State | New
Series | [bug#66658] gnu: nghttp2: Replace with 1.57.0.
Hi Philip,

Philip McGrath <philip@philipmcgrath.com> wrote:

> This release mitigates CVE-2023-44487.
>
> * gnu/packages/web.scm (nghttp2-1.57): New variable.
> (nghttp2)[replacement]: Use it.
> ---
>
> I've never attempted to create a graft before, and I have **definitely not**
> tested this adequately, but `guix refresh` says:
>
>> Building the following 7989 packages would ensure 20638 dependent packages
>> are rebuilt:
>
> so it seems like a graft would be needed.

Indeed.  The two seem to be ABI-compatible:

--8<---------------cut here---------------start------------->8---
$ guix shell libabigail -- abidiff /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

2 Added function symbols not referenced by debug info:

  [A] nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
  [A] nghttp2_option_set_stream_reset_rate_limit

$ readelf -a /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 |grep SONAME
 0x000000000000000e (SONAME)             Library soname: [libnghttp2.so.14]
$ readelf -a /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14 |grep SONAME
 0x000000000000000e (SONAME)             Library soname: [libnghttp2.so.14]
--8<---------------cut here---------------end--------------->8---

(Bit questionable that the SONAME is exactly the same.  Oh well.)

> The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
> https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Applied, thanks!

Ludo’.
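The manual check in the reply above (same SONAME, and an abidiff summary with nothing removed or changed) is what decides whether a replacement can be grafted in place of the original. The script below is an added example, not part of this patch or of Guix itself: it wraps that check so it can be run against any old/new pair of shared objects. It assumes `readelf` (binutils) and `abidiff` (libabigail) are on PATH, for instance through `guix shell binutils libabigail`; the sample text it parses is constructed from the output quoted in the reply.

```shell
#!/bin/sh
# check-graft-abi.sh: decide whether NEW.so is a safe graft for OLD.so.
# A graft swaps one store item for another without rebuilding dependents,
# so the replacement must keep the SONAME and must not remove or change any
# exported function or variable. Added symbols are harmless: nothing built
# against the old library references them.
#
# Added example, not from the Guix patch or from Guix. Assumes readelf and
# abidiff are installed (e.g. `guix shell binutils libabigail`).

# Extract the SONAME from `readelf -d` output read on stdin.
soname_from_readelf() {
  sed -n 's/.*Library soname: \[\([^]]*\)\].*/\1/p'
}

# SONAME of an ELF shared object on disk.
soname_of() {
  readelf -d "$1" | soname_from_readelf
}

# Succeed only when both SONAMEs are non-empty and identical.
same_soname() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Read an abidiff summary on stdin; succeed only when nothing was removed or
# changed. The counts sit at fixed word positions, e.g.
#   "Functions changes summary: 0 Removed, 0 Changed, 0 Added function"
#   "Function symbols changes summary: 0 Removed, 2 Added function symbols ..."
abi_summary_ok() {
  awk '
    /^(Functions|Variables) changes summary:/       { if ($4 != 0 || $6 != 0) bad = 1 }
    /^(Function|Variable) symbols changes summary:/ { if ($5 != 0) bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Full check against two libraries, e.g. the old and new
# .../lib/libnghttp2.so.14 from the store.
check_graft() {
  old=$1 new=$2
  same_soname "$(soname_of "$old")" "$(soname_of "$new")" || {
    echo "SONAME differs: $(soname_of "$old") vs $(soname_of "$new")" >&2
    return 1
  }
  abidiff "$old" "$new" | abi_summary_ok || {
    echo "abidiff reports removed or changed symbols; not graft-safe" >&2
    return 1
  }
  echo "graft looks ABI-safe"
}

# Constructed sample, taken from the abidiff output quoted in the reply:
# two added functions, nothing removed or changed, so it should pass.
SAMPLE_ABIDIFF='Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info'

# Constructed counter-example: one exported function removed.
SAMPLE_ABIDIFF_BAD='Functions changes summary: 1 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable'

# Constructed readelf line, as printed for libnghttp2.so.14 in the reply.
SAMPLE_READELF=' 0x000000000000000e (SONAME)             Library soname: [libnghttp2.so.14]'

# Usage: ./check-graft-abi.sh OLD.so NEW.so
# Without arguments, exercise the parsers on the constructed samples.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  check_graft "$1" "$2"
elif [ -z "${1:-}" ]; then
  printf '%s\n' "$SAMPLE_ABIDIFF" | abi_summary_ok && echo "sample summary: ok"
  printf '%s\n' "$SAMPLE_ABIDIFF_BAD" | abi_summary_ok || echo "bad sample: rejected"
fi
```

The awk pass deliberately ignores the "Added" counts and the exit status of abidiff itself (which is non-zero for any difference, additions included); only removed or changed functions and variables make a graft unsafe, which matches the reasoning in the reply.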
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b46286c690..4a66fada51 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -7958,6 +7958,7 @@ (define-public nghttp2 (package (name "nghttp2") (version "1.49.0") + (replacement nghttp2-1.57) (source (origin (method url-fetch) @@ -8068,6 +8069,19 @@ (define-public nghttp2-for-node (("print \\(ver >= '3\\.8'\\)") "print (tuple(map(int, ver.split('.'))) >= (3,8))"))))))))))) +(define-public nghttp2-1.57 + (package + (inherit nghttp2) + (version "1.57.0") + (source (origin + (method url-fetch) + (uri (string-append "https://github.com/nghttp2/nghttp2/" + "releases/download/v" version "/" + "nghttp2-" version ".tar.xz")) + (sha256 + (base32 + "0n598w7w8rqdqiay2fad3a11253hibakan5c4vjkpx09648v044j")))))) + (define-public hpcguix-web (package (name "hpcguix-web")
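Review bot: the `(replacement nghttp2-1.57)` field added in the first hunk says nothing about why the graft exists or when it can go away; a one-line comment above it, such as `;; Graft for CVE-2023-44487 (GHSA-vx74-f528-fxqg); remove when nghttp2 is next updated in place.`, is what the next person touching this package needs, since grafts are meant to be temporary and the evidence that this one is safe (same SONAME libnghttp2.so.14, abidiff showing nothing removed or changed) lives only in the mailing-list reply.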
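Review bot: `nghttp2-1.57` in the second hunk overrides only `version` and `source` and inherits the rest from `nghttp2`, which is the right shape for a graft (same outputs, same build arguments), but inheritance also copies the new `replacement` field into any package that itself inherits from `nghttp2` without overriding it. The trailing context shows `nghttp2-for-node` defined just above the new variable; if it inherits from `nghttp2` (its definition is not visible in this diff), it should set `(replacement #f)`, otherwise its output would be swapped at graft time for a plain 1.57.0 build that was never built with its own arguments.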