Skip to content

[staging-25.11] python3Packages.pyopenssl: backport 26.0 security fixes#510573

Merged
mweinelt merged 1 commit into
NixOS:staging-25.11from
mweinelt:nixos-25.11-pyopenssl-26.0-fixes
Apr 16, 2026
Merged

[staging-25.11] python3Packages.pyopenssl: backport 26.0 security fixes#510573
mweinelt merged 1 commit into
NixOS:staging-25.11from
mweinelt:nixos-25.11-pyopenssl-26.0-fixes

Conversation

@mweinelt

Copy link
Copy Markdown
Member

Fixes: CVE-2026-27459, CVE-2026-27448

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Apr 16, 2026
@mweinelt mweinelt changed the title python3Packages.pyopenssl: backport 26.0 security fixes [staging-25.11] python3Packages.pyopenssl: backport 26.0 security fixes Apr 16, 2026
@mweinelt mweinelt enabled auto-merge April 16, 2026 12:25

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Please follow the backporting guidelines and cherry-pick with the -x flag.
This requires changes to the unstable master and staging branches first, before backporting them.

Occasionally, commits are not cherry-picked at all, for example when updating minor versions of packages which have already advanced to the next major on unstable.
These commits can optionally be marked with a Not-cherry-picked-because: <reason> footer.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Couldn't locate the cherry-picked commit's hash in the commit message of b03b950.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@mweinelt mweinelt mentioned this pull request Apr 16, 2026
3 tasks
@mweinelt mweinelt added this pull request to the merge queue Apr 16, 2026
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 6.topic: python Python is a high-level, general-purpose programming language. 4.workflow: backport This targets a stable branch labels Apr 16, 2026
Merged via the queue into NixOS:staging-25.11 with commit 785f55f Apr 16, 2026
34 checks passed
@mweinelt mweinelt deleted the nixos-25.11-pyopenssl-26.0-fixes branch April 16, 2026 12:40
@vcunat

vcunat commented May 5, 2026

Copy link
Copy Markdown
Member

ceph uses version 23.1.1 where these patches don't apply. I avoided them in 1100ff6 but who knows about the security implications.

/cc ceph.meta.maintainers: @adevress @alexanderkjeldaas @johanot @krav @nh2 @benaryorg and the staging-next-25.11 PR #507470

@benaryorg

Copy link
Copy Markdown
Contributor

ceph uses version 23.1.1 where these patches don't apply

According to OpenCVE CVE-2026-27459 applies to >= 22.0.0, < 26.0.0 and CVE-2026-27448 to >= 0.14.0, < 26.0.0 so this might actually be an issue.

26.05 will ship Ceph Tentacle which is back to using the regular nixpkgs versions for all things Python with no vendoring, so this is an issue specifically for 25.11 and the time it remains supported, but nonetheless an issue.
I'll have a go at backporting them, will report back later today.

@benaryorg

Copy link
Copy Markdown
Contributor

The probability that Ceph actually uses those callbacks is low (though I haven't checked), but actually backporting is more or less trivial.
The changes are very localized and the brunt of the merge conflict comes from the Changelog which we can just not pull in.

Attached is a cherry-pick of the 57f09bb and d41a814 commits onto the 23.1.x branch (which is equivalent to the 23.1.1 tag)
I've tested none of it so far, and it may be woefully superfluous, but actually backporting was easy enough, so vendoring these patches until 25.11 runs out of support may be the path of least resistance.

Feel free to pick this up here, otherwise I'll see if I get around to opening a proper PR tomorrow.

@benaryorg benaryorg mentioned this pull request May 23, 2026
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 4.workflow: backport This targets a stable branch 6.topic: python Python is a high-level, general-purpose programming language. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants