Re: [SONAME BUMP] capnproto 0.10.2

2022-12-02 Thread Fabio Valentini
On Fri, Dec 2, 2022 at 4:13 PM Neal Gompa  wrote:
>
> On Fri, Dec 2, 2022 at 10:07 AM Fabio Valentini  wrote:
> >
> > On Thu, Dec 1, 2022 at 7:57 PM Neal Gompa  wrote:
> > >
> > > Help would very much be appreciated, I'm currently underwater with other work.
> >
> > I've prepared PRs with the version bumps for the different branches,
> > including lists of packages that need to be rebuilt:
> >
> > - rawhide: https://src.fedoraproject.org/rpms/capnproto/pull-request/1
> > - f37: https://src.fedoraproject.org/rpms/capnproto/pull-request/2
> > - f36: https://src.fedoraproject.org/rpms/capnproto/pull-request/3
> > - epel9: https://src.fedoraproject.org/rpms/capnproto/pull-request/4
> > - epel8: https://src.fedoraproject.org/rpms/capnproto/pull-request/5
> >
> > The version of capnproto in epel7 (v0.5 branch) no longer seems to be
> > supported by upstream.
> > If you think the changes and list of dependent packages look good, I
> > can get builds started.
>
> These all look great, and I've given thumbs for all of them. Go for it!

All builds were successful, and updates have been filed:

Rawhide: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ef11bad952
F37: https://bodhi.fedoraproject.org/updates/FEDORA-2022-18023b665f
F36: https://bodhi.fedoraproject.org/updates/FEDORA-2022-5d37367673
EPEL9: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-4b56675171
EPEL8: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-8108a34445

Let me know if there are any problems.

Fabio
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-02 Thread Neal Gompa
On Fri, Dec 2, 2022 at 10:07 AM Fabio Valentini  wrote:
>
> On Thu, Dec 1, 2022 at 7:57 PM Neal Gompa  wrote:
> >
> > Help would very much be appreciated, I'm currently underwater with other work.
>
> I've prepared PRs with the version bumps for the different branches,
> including lists of packages that need to be rebuilt:
>
> - rawhide: https://src.fedoraproject.org/rpms/capnproto/pull-request/1
> - f37: https://src.fedoraproject.org/rpms/capnproto/pull-request/2
> - f36: https://src.fedoraproject.org/rpms/capnproto/pull-request/3
> - epel9: https://src.fedoraproject.org/rpms/capnproto/pull-request/4
> - epel8: https://src.fedoraproject.org/rpms/capnproto/pull-request/5
>
> The version of capnproto in epel7 (v0.5 branch) no longer seems to be
> supported by upstream.
> If you think the changes and list of dependent packages look good, I
> can get builds started.

These all look great, and I've given thumbs for all of them. Go for it!


-- 
真実はいつも一つ!/ Always, there's only one truth!


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-02 Thread Fabio Valentini
On Thu, Dec 1, 2022 at 7:57 PM Neal Gompa  wrote:
>
> Help would very much be appreciated, I'm currently underwater with other work.

I've prepared PRs with the version bumps for the different branches,
including lists of packages that need to be rebuilt:

- rawhide: https://src.fedoraproject.org/rpms/capnproto/pull-request/1
- f37: https://src.fedoraproject.org/rpms/capnproto/pull-request/2
- f36: https://src.fedoraproject.org/rpms/capnproto/pull-request/3
- epel9: https://src.fedoraproject.org/rpms/capnproto/pull-request/4
- epel8: https://src.fedoraproject.org/rpms/capnproto/pull-request/5

The version of capnproto in epel7 (v0.5 branch) no longer seems to be
supported by upstream.
If you think the changes and list of dependent packages look good, I
can get builds started.

Fabio


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-01 Thread Neal Gompa
On Thu, Dec 1, 2022 at 2:59 PM Fabio Valentini  wrote:
>
> On Thu, Dec 1, 2022 at 7:57 PM Neal Gompa  wrote:
> >
> > > If you need help with any of the rebuilds, feel free to ping me.
> > > I'm currently handling the same CVE for the capnp Rust crate (where
> > > thankfully only one application needs to be rebuilt).
> > >
> >
> > Help would very much be appreciated, I'm currently underwater with other work.
>
> Sure. I'll look into it tomorrow, it's already getting late here.
> I can prepare the Fedora updates, but I don't know how to handle EPEL
> updates that change SONAME.
>
> So ... let this serve as notice that we'll likely update capnproto to
> version 0.10.3 / 0.9.2 / 0.7.1 whatever version fixes that CVE for the
> currently packaged branch, and will need to rebuild dependent
> packages, as well (to fix the CVE *and* for the SONAME bump).
>

You handle it the same way you do for Fedora, just send an email to
the epel-announce@ mailing list so everyone knows it's happening.



-- 
真実はいつも一つ!/ Always, there's only one truth!


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-01 Thread Fabio Valentini
On Thu, Dec 1, 2022 at 7:57 PM Neal Gompa  wrote:
>
> > If you need help with any of the rebuilds, feel free to ping me.
> > I'm currently handling the same CVE for the capnp Rust crate (where
> > thankfully only one application needs to be rebuilt).
> >
>
> Help would very much be appreciated, I'm currently underwater with other work.

Sure. I'll look into it tomorrow, it's already getting late here.
I can prepare the Fedora updates, but I don't know how to handle EPEL
updates that change SONAME.

So ... let this serve as notice that we'll likely update capnproto to
version 0.10.3 / 0.9.2 / 0.7.1 whatever version fixes that CVE for the
currently packaged branch, and will need to rebuild dependent
packages, as well (to fix the CVE *and* for the SONAME bump).

Fabio


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-01 Thread Neal Gompa
On Thu, Dec 1, 2022 at 12:50 PM Fabio Valentini  wrote:
>
> On Tue, Nov 29, 2022 at 10:17 PM Neal Gompa  wrote:
> >
> > On Tue, Nov 29, 2022 at 9:25 AM Neal Gompa  wrote:
> > >
> > > Hey all,
> > >
> > > capnproto 0.10.2 is being upgraded in Rawhide. As part of this, I'll
> > > be rebuilding its reverse dependencies:
> > >
> > > * fastnetmon
> > > * librime
> > > * rr
> > > * sonic-visualiser
> > >
> > > I'm taking care of all of this in a side-tag and will merge them into
> > > Rawhide once everything is done.
> > >
> >
> > This is now done: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7c8341e00e
>
> Done just in time for a CVE to be filed against capnproto < 0.10.3 :D
>
> All currently available versions in Fedora and EPEL 7 (?), 8, and 9
> are vulnerable to CVE-2022-46149, according to the upstream advisory:
> https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
>
> And according to upstream, dependent packages will need to be rebuilt
> too, because the affected capnproto code is inlined into binaries ...
> Looking at what we currently have in Fedora, Rawhide and EPEL 9 will
> need to be updated to v0.10.3, and f37 and f36 will need to be updated
> to v0.9.2, and EPEL 8 will need to be updated to v0.7.1. Not sure
> about EPEL 7, the version there is ancient, and the v0.5 branch is not
> mentioned in the advisory.

Actually, what's sort of crap is that reverse dependencies always have
to be rebuilt because upstream uses the full version in the soname. It
makes upgrading this library a pain.

>
> If you need help with any of the rebuilds, feel free to ping me.
> I'm currently handling the same CVE for the capnp Rust crate (where
> thankfully only one application needs to be rebuilt).
>

Help would very much be appreciated, I'm currently underwater with other work.


-- 
真実はいつも一つ!/ Always, there's only one truth!


Re: [SONAME BUMP] capnproto 0.10.2

2022-12-01 Thread Fabio Valentini
On Tue, Nov 29, 2022 at 10:17 PM Neal Gompa  wrote:
>
> On Tue, Nov 29, 2022 at 9:25 AM Neal Gompa  wrote:
> >
> > Hey all,
> >
> > capnproto 0.10.2 is being upgraded in Rawhide. As part of this, I'll
> > be rebuilding its reverse dependencies:
> >
> > * fastnetmon
> > * librime
> > * rr
> > * sonic-visualiser
> >
> > I'm taking care of all of this in a side-tag and will merge them into
> > Rawhide once everything is done.
> >
>
> This is now done: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7c8341e00e

Done just in time for a CVE to be filed against capnproto < 0.10.3 :D

All currently available versions in Fedora and EPEL 7 (?), 8, and 9
are vulnerable to CVE-2022-46149, according to the upstream advisory:
https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx

And according to upstream, dependent packages will need to be rebuilt
too, because the affected capnproto code is inlined into binaries ...
Looking at what we currently have in Fedora, Rawhide and EPEL 9 will
need to be updated to v0.10.3, and f37 and f36 will need to be updated
to v0.9.2, and EPEL 8 will need to be updated to v0.7.1. Not sure
about EPEL 7, the version there is ancient, and the v0.5 branch is not
mentioned in the advisory.

If you need help with any of the rebuilds, feel free to ping me.
I'm currently handling the same CVE for the capnp Rust crate (where
thankfully only one application needs to be rebuilt).

Fabio
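
A defender-side check for the rebuild requirement described in this message, as an added example that is not part of the original thread: it reads the DT_NEEDED entries from `readelf -d` output and flags binaries linked against a capnproto release older than the fixed version for its series (0.10.3 / 0.9.2 / 0.7.1, as listed above). It assumes the soname embeds the full release version (e.g. `libcapnp-0.10.2.so`), as noted elsewhere in the thread; the binary paths and the sample `readelf` text are constructed.

```python
import re

# Fixed release per series for CVE-2022-46149, as listed in the thread.
FIXED = {(0, 10): (0, 10, 3), (0, 9): (0, 9, 2), (0, 7): (0, 7, 1)}

# One `readelf -d` line: 0x0000000000000001 (NEEDED)  Shared library: [libfoo.so.1]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
# Assumption: capnproto sonames embed the full version, e.g. libcapnp-rpc-0.10.2.so
SONAME_RE = re.compile(r"lib(?:capnp|kj)[a-z-]*?-(\d+)\.(\d+)\.(\d+)\.so")


def linked_versions(readelf_dynamic):
    """Return the set of capnproto versions named in DT_NEEDED entries."""
    versions = set()
    for soname in NEEDED_RE.findall(readelf_dynamic):
        m = SONAME_RE.fullmatch(soname)
        if m:
            versions.add(tuple(int(part) for part in m.groups()))
    return versions


def verdict(version):
    """'rebuild' if older than the fix for its series, 'ok' if not, else 'unknown'."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # series with no fixed release named in the thread (e.g. 0.5)
    return "rebuild" if version < fixed else "ok"


def audit(binaries):
    """Map each capnproto-linked binary to its worst verdict; others are omitted."""
    rank = {"ok": 0, "unknown": 1, "rebuild": 2}
    report = {}
    for path, dynamic in binaries.items():
        verdicts = [verdict(v) for v in linked_versions(dynamic)]
        if verdicts:
            report[path] = max(verdicts, key=rank.get)
    return report


# Constructed sample input: hypothetical binaries with trimmed `readelf -d` output.
SAMPLE = {
    "/usr/bin/app-a": " 0x0000000000000001 (NEEDED)  Shared library: [libcapnp-0.10.2.so]\n"
                      " 0x0000000000000001 (NEEDED)  Shared library: [libkj-0.10.2.so]\n",
    "/usr/bin/app-b": " 0x0000000000000001 (NEEDED)  Shared library: [libcapnp-rpc-0.10.3.so]\n",
    "/usr/bin/app-c": " 0x0000000000000001 (NEEDED)  Shared library: [libkj-async-0.5.3.so]\n",
    "/usr/bin/app-d": " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
}

if __name__ == "__main__":
    for path, result in audit(SAMPLE).items():
        print(f"{path}: {result}")
```

The linked soname is used here as evidence of which capnproto headers were inlined at build time, which assumes the headers and the library came from the same package build.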


Re: [SONAME BUMP] capnproto 0.10.2

2022-11-29 Thread Neal Gompa
On Tue, Nov 29, 2022 at 9:25 AM Neal Gompa  wrote:
>
> Hey all,
>
> capnproto 0.10.2 is being upgraded in Rawhide. As part of this, I'll
> be rebuilding its reverse dependencies:
>
> * fastnetmon
> * librime
> * rr
> * sonic-visualiser
>
> I'm taking care of all of this in a side-tag and will merge them into
> Rawhide once everything is done.
>

This is now done: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7c8341e00e



-- 
真実はいつも一つ!/ Always, there's only one truth!