What's the requirement for a package to be updated?

I’ve been working on setting up a mail server using NixOS 23.05 and I have functionality close to where I want it. I decided to analyze a few of the included packages for any security issues and I found a number of problems (at least based on version numbers).

I have manually updated my nix files using overlays to upgrade clamav, redis and rspamd (although I think that’s just bug fixes) to the most current upstream release. I’m not much of a Git/Github user, but if I were to somehow submit these changes to nixpkgs, would they be accepted? I’m wondering if security issues are always patched, or if there needs to be a specific CVSS score that would be required, etc…?

Clamav: Version 1.0.1 is in 23.05, with 1.0.3 being the stable 1.x series available upstream. Version 1.0.1 is vulnerable to CVE-2023-20197, CVE-2023-20212 and an issue with the included version of unrar.

Redis: Version 7.0.12 is in 23.05, with 7.0.13 being the stable 7.x series available upstream. Version 7.0.12 is vulnerable to CVE-2023-41053.

Glibc: Version 2.37-8 is in 23.05 and is vulnerable to CVE-2023-4911. Although I do see that there is a patch submitted for that.

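For readers who want to see what such a local override looks like, here is an added example of an overlay that pins clamav and redis to the newer upstream releases named above; it is not the poster's own overlay. The download URLs are assumed to be the upstream tarball locations, and the hashes are placeholders that must be replaced with the real values.

```nix
# Added example, not the original poster's overlay.
# Pins clamav and redis from the NixOS 23.05 channel to newer upstream
# tarballs by overriding each package's source. Apply it from
# configuration.nix with:
#   nixpkgs.overlays = [ (import ./security-bumps.nix) ];
final: prev: {
  clamav = prev.clamav.overrideAttrs (old: rec {
    version = "1.0.3";
    src = prev.fetchurl {
      # Assumed upstream tarball URL pattern.
      url = "https://www.clamav.net/downloads/production/clamav-${version}.tar.gz";
      # Placeholder: lib.fakeHash makes the first build fail and print the
      # real hash in its "got:" line; paste that value here.
      hash = prev.lib.fakeHash;
    };
  });

  redis = prev.redis.overrideAttrs (old: rec {
    version = "7.0.13";
    src = prev.fetchurl {
      # Assumed upstream tarball URL pattern.
      url = "https://download.redis.io/releases/redis-${version}.tar.gz";
      hash = prev.lib.fakeHash; # placeholder, see comment above
    };
  });
}
```

After `nixos-rebuild switch`, `clamscan --version` and `redis-server --version` should report the overridden versions; if a patch in the 23.05 package no longer applies to the new source, the build will fail at the patch phase and the overlay also needs to drop or replace that patch.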

The general take is that version updates (whether security driven or not) are always welcome on nixpkgs master. For the stable branch we usually try to keep versions and just pull in patches.

Security is taken seriously and you can reach the relevant people here:

There is an interesting discussion around the time it takes to deliver security updates in Timely updates for NixOS