Skip to content

ceph: pyopenssl CVE fixes#523433

Merged
vcunat merged 1 commit into
NixOS:release-25.11from
benaryorg:25-11-ceph-pyopenssl-cves
May 27, 2026
Merged

ceph: pyopenssl CVE fixes#523433
vcunat merged 1 commit into
NixOS:release-25.11from
benaryorg:25-11-ceph-pyopenssl-cves

Conversation

@benaryorg

@benaryorg benaryorg commented May 23, 2026

Copy link
Copy Markdown
Contributor

Belated fixes for some CVEs for the vendored pyopenssl.
The Ceph source code directly is very unlikely to use (and in particular misuse) the affected parts of the API.
Both set_cookie_generate_callback and set_tlsext_servername_callback have no actual occurrences in the tarball, so any use would be limited to dependencies, which would be hard to track.
The major merge conflicts for backporting have been changes to the changlog which I've simply cut from the diff altogether.
Contained should be the fixes and the tests only.

Since this version of Ceph is phased out with the ongoing release of 26.05, moving to the new release and thus Ceph Tentacle is the recommended approach anyway, this is sort of a stopgap measure.


Above is the commit message verbatim.

Links:

Directly against release-25.11 because this is just for 25.11.

Things done

Footnotes

  1. Commits only tested on top of nixos-25.11, since release-25.11 requires recompiling the Linux kernel and a bunch of other stuff atm and it's already unreasonably hot in this room.

  2. The commits that were cherry-picked for creating the patch themselves declare their AI affiliation, while the process of cherry-picking and everything surrounding it was done without any AI involvement whatsoever.

@nixpkgs-commit-check nixpkgs-commit-check Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Important

5115479 is not a cherry-pick, because: only applicable to 25.11. Please review this commit manually.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@benaryorg benaryorg requested review from nh2 and vcunat May 23, 2026 18:24
@benaryorg

Copy link
Copy Markdown
Contributor Author

Error: The process '/usr/bin/git' failed with exit code 128

I'll just ignore those GH Action failures then I guess.

@nixpkgs-ci nixpkgs-ci Bot requested review from adevress, johanot and krav May 23, 2026 18:28
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 4.workflow: backport This targets a stable branch labels May 23, 2026

@nh2 nh2 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff looks good to me

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". labels May 23, 2026
Belated fixes for some CVEs for the vendored pyopenssl.
The Ceph source code directly is very unlikely to use (and in particular misuse) the affected parts of the API.
Both `set_cookie_generate_callback` and `set_tlsext_servername_callback` have no actual occurrences in the tarball, so any use would be limited to dependencies, which would be hard to track.
The major merge conflicts for backporting have been changes to the changlog which I've simply cut from the diff altogether.
Contained should be the fixes and the tests only.

Since this version of Ceph is phased out with the ongoing release of 26.05, moving to the new release and thus Ceph Tentacle is the recommended approach anyway, this is sort of a stopgap measure.

Not-cherry-picked-because: only applicable to 25.11

Signed-off-by: benaryorg <binary@benary.org>
@benaryorg benaryorg force-pushed the 25-11-ceph-pyopenssl-cves branch from 14481a0 to 5115479 Compare May 24, 2026 00:02
@benaryorg

Copy link
Copy Markdown
Contributor Author

Made the bots marginally more happy, the diff is a noop.

@vcunat vcunat enabled auto-merge May 27, 2026 10:20
@vcunat vcunat added this pull request to the merge queue May 27, 2026
Merged via the queue into NixOS:release-25.11 with commit e19a38a May 27, 2026
31 of 33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". 4.workflow: backport This targets a stable branch 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants