
openssl_1_1 is going to be marked as insecure/dropped

Open jtojnar opened this issue 2 years ago • 9 comments

Similar to #78, we might need to backport OpenSSL 3 compatibility patches (if possible).

Upstream issue: https://github.com/NixOS/nixpkgs/issues/210452

jtojnar, May 12 '23 17:05

It's marked as insecure now. Drop pending, but probably still a few months ahead.

ajs124, May 19 '23 15:05

How are we going to tackle this thing in here?

drupol, Jun 04 '23 19:06

In the short term, overriding the meta is probably the easiest.

jtojnar, Jun 04 '23 19:06

And marking ~~the package as insecure~~ adding meta.knownVulnerabilities? If yes, which vulnerability?

drupol, Jun 04 '23 19:06

I'm also interested in a resolution to this.

aanderse, Jun 04 '23 19:06

> And marking ~~the package as insecure~~ adding meta.knownVulnerabilities? If yes, which vulnerability?

Nixpkgs does that. So we would need to do the opposite – removing meta.knownVulnerabilities.

jtojnar, Jun 04 '23 19:06

Oooh. Ok.

drupol, Jun 04 '23 19:06

Your eyes here: https://github.com/fossar/nix-phps/pull/237

drupol, Jun 04 '23 19:06

We still need to deal with this once the package is removed. Ideally, we would patch PHP to use OpenSSL 3.

jtojnar, Jun 05 '23 15:06