diff options
| author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2005-03-07T16·26+0000 |
|---|---|---|
| committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2005-03-07T16·26+0000 |
| commit | 97c93526da4dfba1b92a11fb8522c07456d9e1ec (patch) | |
| tree | 70dddcc70c7f305d0c738ca6564c97969fdda164 /blacklisting/blacklist.xml | |
| parent | bfbc55cbc6b72aa14805131553c6b2547d3b6ee7 (diff) | |
* In the checker, do traversals of the dependency graph explicitly. A
conditional expression in the blacklist can specify when to
continue/stop a traversal. For example, in
<condition>
<within>
<traverse>
<not><hasAttr name='outputHash' value='.+' /></not>
</traverse>
<hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
</within>
</condition>
we traverse the dependency graph, not following the dependencies of
`fetchurl' derivations (as indicated by the presence of an
`outputHash' attribute - this is a bit ugly). The resulting set of
paths is scanned for a fetch of a file with the given hash, in this
case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The
intent is that a dependency on zlib is not a problem if it is in a
`fetchurl' derivation, since that's build-time only. (Other
build-time uses of zlib *might* be a problem, e.g., static linking.)
Diffstat (limited to 'blacklisting/blacklist.xml')
| -rw-r--r-- | blacklisting/blacklist.xml | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/blacklisting/blacklist.xml b/blacklisting/blacklist.xml index aec9113262a4..9c3339597148 100644 --- a/blacklisting/blacklist.xml +++ b/blacklisting/blacklist.xml @@ -1,32 +1,28 @@ <blacklist> -<!-- <item id='openssl-0.9.7d-obsolete'> <condition> - <containsSource - hash="sha256:1xf1749gdfw9f50mxa5rsnmwiwrb5mi0kg4siw8a73jykdp2i6ii" - origin="openssl-0.9.7d.tar.gz" /> + <within> + <traverse><true /></traverse> + <hasAttr name='outputHash' value='1b49e90fc8a75c3a507c0a624529aca5' /> + </within> </condition> <reason> Race condition in CRL checking code. Upgrade to 0.9.7e. </reason> <severity class="all" level="low" /> </item> ---> <item id='zlib-1.2.1-security' type='security'> <condition> - <containsSource - hash="sha256:1xf1749gdfw9f50mxa5rsnmwiwrb5mi0kg4siw8a73jykdp2i6ii" - origin="openssl-0.9.7d.tar.gz" /> -<!-- <within> + <within> <traverse> - <not><hasName name='*.tar.*' /></not> + <not><hasAttr name='outputHash' value='.+' /></not> </traverse> - <hasAttr name='md5' value='ef1cb003448b4a53517b8f25adb12452' /> - </within> --> + <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> + </within> </condition> <reason> Zlib 1.2.1 is vulnerable to a denial-of-service condition. See |