Triaging vulnerability roundups?

omasanori · August 23, 2020, 11:39pm

Hello,

Since I had decided to give NixOS a try for a server and some others, I started checking security issues on Nixpkgs. Then I found that some of the vulnerability roundups are no longer relevant or covered by newer ones. Some examples:

Vulnerability roundup 58: libsass-3.5.5: 3 advisories:
- CVE-2018-19826 is “closed as ‘won’t fix’ and ‘works as intended’ by design.” by the upstream project.
- CVE-2018-20190 was fixed in 3.6.0.
  NixOS 20.03 packages libsass 3.6.1 and unstable does 3.6.4. Thus, it is fixed in supported versions.
Vulnerability roundup 61: flex-2.6.4: 1 advisory:
- Covered by Vulnerability roundup 84: flex-2.6.4: 2 advisories

Questions:

Is triaging such cases on the issue tracker helpful for the security team and the whole community, or is it just noise?
If it is desired, which is better for reporting, commenting on each issue, or a Discourse topic?

vcunat · August 24, 2020, 4:45pm

It’s certainly useful. The roundups are mainly missing manpower. Verifying your comments is easier than doing all the work, especially once you get some reputation.
It seems best to comment on those tickets, but I’m not clear about how to best get attention of someone who can close it etc. Let’s try mentioning me if noone reacts within a couple days, we’ll see…

libsass: closed
flex: I’m not sure, but I’d say one is open for nixos-unstable and other one for nixos-20.03

omasanori · August 24, 2020, 5:41pm

Thank you so much for your responses! I will check in my spare time.

I see.

Indeed. It does make sense.

ckauhaus · August 31, 2020, 9:53am

Back from vacation

I’d second Vladimír: Help with reviewing all these vulnerabiilty reports is greatly appreciated.

omasanori · August 31, 2020, 4:07pm

Thank you for reply and responses on GitHub!