From patchwork Sat Oct 21 04:20:30 2023
X-Patchwork-Submitter: Philip McGrath
X-Patchwork-Id: 55108
Subject: [bug#66658] [PATCH] gnu: nghttp2: Replace with 1.57.0.
To: 66658@debbugs.gnu.org
Cc: Philip McGrath
From: Philip McGrath
Date: Sat, 21 Oct 2023 00:20:30 -0400
Message-ID: <4cb10aa33d799603e45b839396261b8cfdaccbc6.1697861438.git.philip@philipmcgrath.com>
X-Mailer: git-send-email 2.41.0

This release mitigates CVE-2023-44487.

* gnu/packages/web.scm (nghttp2-1.57): New variable.
(nghttp2)[replacement]: Use it.
---
I've never attempted to create a graft before, and I have **definitely not**
tested this adequately, but `guix refresh` says:

> Building the following 7989 packages would ensure 20638 dependent packages
> are rebuilt:

so it seems like a graft would be needed.

The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Philip

gnu/packages/web.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) base-commit: fed6ac2ae182597a492b17a29ed8b26986498755 diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b46286c690..4a66fada51 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -7958,6 +7958,7 @@ (define-public nghttp2 (package (name "nghttp2") (version "1.49.0") + (replacement nghttp2-1.57) (source (origin (method url-fetch) 
@@ -8068,6 +8069,19 @@ (define-public nghttp2-for-node (("print \\(ver >= '3\\.8'\\)") "print (tuple(map(int, ver.split('.'))) >= (3,8))"))))))))))) +(define-public nghttp2-1.57 + (package + (inherit nghttp2) + (version "1.57.0") + (source (origin + (method url-fetch) + (uri (string-append "https://github.com/nghttp2/nghttp2/" + "releases/download/v" version "/" + "nghttp2-" version ".tar.xz")) + (sha256 + (base32 + "0n598w7w8rqdqiay2fad3a11253hibakan5c4vjkpx09648v044j")))))) + (define-public hpcguix-web (package (name "hpcguix-web")
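Review bot: The `(replacement nghttp2-1.57)` line added to `nghttp2` in the first hunk grafts from `(version "1.49.0")` straight to 1.57.0, and a graft swaps the library under already-built dependents without rebuilding them, so it is only safe if 1.57.0 keeps the same soname and ABI as 1.49.0. Since the cover note says this has not been tested adequately, please confirm the shared-library compatibility and run at least one grafted dependent before this is applied; a short comment next to the `replacement` line naming CVE-2023-44487 would also make the later ungrafting easier to track.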
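Review bot: `nghttp2-1.57` in the second hunk is exported with `define-public` while keeping the inherited name "nghttp2", so the module now exposes two public packages with that name at versions 1.49.0 and 1.57.0; if the variable exists only to serve as the graft, consider a plain `define` or say in a comment that exposing 1.57.0 is intended. Because it uses `(inherit nghttp2)` and `nghttp2` now has a `replacement` field, the new record inherits that field as well; setting `(replacement #f)` explicitly in `nghttp2-1.57` would state that the replacement is not itself to be grafted. The inherited build arguments were written for 1.49.0, so a full build of `nghttp2-1.57` should be confirmed rather than assumed.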