I’ve been working on setting up a mail server using NixOS 23.05 and I have functionality close to where I want it. I decided to analyze a few of the included packages for any security issues and I found a number of problems (at least based on version numbers).
I have manually updated my nix files using overlays to upgrade clamav, redis and rspamd (although I think that’s just bug fixes) to the most current upstream release. I’m not much of a Git/GitHub user, but if I were to somehow submit these changes to nixpkgs, would they be accepted? I’m wondering if security issues are always patched, or if there needs to be a specific CVSS score that would be required, etc…?
Clamav: Version 1.0.1 is in 23.05, with 1.0.3 being the stable 1.x series available upstream. Version 1.0.1 is vulnerable to CVE-2023-20197, CVE-2023-20212 and an issue with the included version of unrar.
Redis: Version 7.0.12 is in 23.05, with 7.0.13 being the stable 7.x series available upstream. Version 7.0.12 is vulnerable to CVE-2023-41053.
Glibc: Version 2.37-8 is in 23.05 and is vulnerable to CVE-2023-4911. Although I do see that there is a patch submitted for that.
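For readers who want to see what the overlay approach described above looks like in practice, here is an added example of a `configuration.nix` fragment that bumps clamav to 1.0.3 and redis to 7.0.13 with `overrideAttrs`. It is not the original poster's code and not from nixpkgs; the tarball URL patterns are assumed to match what the 23.05 derivations use, and `lib.fakeHash` is a deliberate placeholder that must be replaced with the real `sha256-…` value that `nixos-rebuild` reports on the first (failing) build.

```nix
# Added example: pin clamav and redis to newer upstream releases via an overlay.
# Assumptions: the upstream tarball URLs below match the 23.05 derivations, and
# lib.fakeHash is replaced with the real hash that the first build prints.
{ config, pkgs, lib, ... }:

{
  nixpkgs.overlays = [
    (final: prev: {
      clamav = prev.clamav.overrideAttrs (old: rec {
        version = "1.0.3";
        src = prev.fetchurl {
          url = "https://www.clamav.net/downloads/production/clamav-${version}.tar.gz";
          # Placeholder: Nix refuses to build until this is the real hash,
          # which also guards against a tampered upstream tarball.
          hash = lib.fakeHash;
        };
      });

      redis = prev.redis.overrideAttrs (old: rec {
        version = "7.0.13";
        src = prev.fetchurl {
          url = "https://download.redis.io/releases/redis-${version}.tar.gz";
          hash = lib.fakeHash;  # same placeholder rule as above
        };
      });
    })
  ];
}
```

Two practical notes. First, confirm the override actually took effect before trusting it: `nix-instantiate --eval -E '(import <nixpkgs> {}).clamav.version'` should print the new version, and after `nixos-rebuild switch` the running service should report it too (`clamscan --version`, `redis-server --version`). Second, this pattern is only cheap for leaf packages; overriding glibc the same way forces a rebuild of essentially the whole closure, so for a glibc CVE it is usually better to wait for the nixpkgs patch to land in the release channel than to carry a local overlay.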