lix/blacklisting/blacklist.xml

<blacklist>


<item id='openssl-0.9.7d-obsolete'>
  <condition>
    <within>
      <traverse><true /></traverse>
      <hasAttr name='outputHash' value='1b49e90fc8a75c3a507c0a624529aca5' />
    </within>
  </condition>
  <reason>
    Race condition in CRL checking code.  Upgrade to 0.9.7e.
  </reason>
  <severity class="all" level="low" />
</item>


<item id='zlib-1.2.1-security' type='security'>
  <condition>
    <within>
      <traverse>
        <not><hasAttr name='outputHash' value='.+' /></not>
      </traverse>
      <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
    </within>
  </condition>
  <reason>
    Zlib 1.2.1 is vulnerable to a denial-of-service condition.  See
    http://www.kb.cert.org/vuls/id/238678.  Upgrade to 1.2.2.
  </reason>
  <severity class="server" level="critical" />
  <severity class="client" level="medium" />
</item>


<!--
<item id='libpng-1.2.7-crash'>
  <condition>
    <containsName name="libpng" comparison="lte" version="1.2.7" />
  </condition>
  <reason>
    libpng 1.2.7 is vulnerable to a crash bug.  See
    http://www.libpng.org/pub/png/libpng.html.  Upgrade to 1.2.8.
  </reason>
  <severity class="client" level="low" />
</item>
-->


<!--
<item id='subversion-without-zlib' type='improvement'>

  <condition>
    <withinOutputClosure>
      <not>
        <containsName name='zlib' />
      </not>
    </withinOutputClosure>
  </condition>

  <reason>
    Subversion can be compiled with Zlib compression support, which is a good thing.
  </reason>

</item>
-->

</blacklist>
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`<blacklist>`

* Use XML::LibXML. 2005-03-07 14:54:52 +00:00
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`<item id='openssl-0.9.7d-obsolete'>`
			`<condition>`
* In the checker, do traversals of the dependency graph explicitly. A conditional expression in the blacklist can specify when to continue/stop a traversal. For example, in <condition> <within> <traverse> <not><hasAttr name='outputHash' value='.+' /></not> </traverse> <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> </within> </condition> we traverse the dependency graph, not following the dependencies of `fetchurl' derivations (as indicated by the presence of an `outputHash' attribute - this is a bit ugly). The resulting set of paths is scanned for a fetch of a file with the given hash, in this case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The intent is that a dependency on zlib is not a problem if it is in a `fetchurl' derivation, since that's build-time only. (Other build-time uses of zlib might be a problem, e.g., static linking.) 2005-03-07 16:26:05 +00:00			`<within>`
			`<traverse><true /></traverse>`
			`<hasAttr name='outputHash' value='1b49e90fc8a75c3a507c0a624529aca5' />`
			`</within>`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`</condition>`
			`<reason>`
			`Race condition in CRL checking code. Upgrade to 0.9.7e.`
			`</reason>`
			`<severity class="all" level="low" />`
			`</item>`


* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`<item id='zlib-1.2.1-security' type='security'>`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`<condition>`
* In the checker, do traversals of the dependency graph explicitly. A conditional expression in the blacklist can specify when to continue/stop a traversal. For example, in <condition> <within> <traverse> <not><hasAttr name='outputHash' value='.+' /></not> </traverse> <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> </within> </condition> we traverse the dependency graph, not following the dependencies of `fetchurl' derivations (as indicated by the presence of an `outputHash' attribute - this is a bit ugly). The resulting set of paths is scanned for a fetch of a file with the given hash, in this case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The intent is that a dependency on zlib is not a problem if it is in a `fetchurl' derivation, since that's build-time only. (Other build-time uses of zlib might be a problem, e.g., static linking.) 2005-03-07 16:26:05 +00:00			`<within>`
* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`<traverse>`
* In the checker, do traversals of the dependency graph explicitly. A conditional expression in the blacklist can specify when to continue/stop a traversal. For example, in <condition> <within> <traverse> <not><hasAttr name='outputHash' value='.+' /></not> </traverse> <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> </within> </condition> we traverse the dependency graph, not following the dependencies of `fetchurl' derivations (as indicated by the presence of an `outputHash' attribute - this is a bit ugly). The resulting set of paths is scanned for a fetch of a file with the given hash, in this case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The intent is that a dependency on zlib is not a problem if it is in a `fetchurl' derivation, since that's build-time only. (Other build-time uses of zlib might be a problem, e.g., static linking.) 2005-03-07 16:26:05 +00:00			`<not><hasAttr name='outputHash' value='.+' /></not>`
* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`</traverse>`
* In the checker, do traversals of the dependency graph explicitly. A conditional expression in the blacklist can specify when to continue/stop a traversal. For example, in <condition> <within> <traverse> <not><hasAttr name='outputHash' value='.+' /></not> </traverse> <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> </within> </condition> we traverse the dependency graph, not following the dependencies of `fetchurl' derivations (as indicated by the presence of an `outputHash' attribute - this is a bit ugly). The resulting set of paths is scanned for a fetch of a file with the given hash, in this case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The intent is that a dependency on zlib is not a problem if it is in a `fetchurl' derivation, since that's build-time only. (Other build-time uses of zlib might be a problem, e.g., static linking.) 2005-03-07 16:26:05 +00:00			`<hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />`
			`</within>`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`</condition>`
			`<reason>`
			`Zlib 1.2.1 is vulnerable to a denial-of-service condition. See`
			`http://www.kb.cert.org/vuls/id/238678. Upgrade to 1.2.2.`
			`</reason>`
			`<severity class="server" level="critical" />`
			`<severity class="client" level="medium" />`
			`</item>`


* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`<!--`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00			`<item id='libpng-1.2.7-crash'>`
			`<condition>`
			`<containsName name="libpng" comparison="lte" version="1.2.7" />`
			`</condition>`
			`<reason>`
			`libpng 1.2.7 is vulnerable to a crash bug. See`
			`http://www.libpng.org/pub/png/libpng.html. Upgrade to 1.2.8.`
			`</reason>`
			`<severity class="client" level="low" />`
			`</item>`
* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`-->`


			`<!--`
			`<item id='subversion-without-zlib' type='improvement'>`

			`<condition>`
			`<withinOutputClosure>`
			`<not>`
			`<containsName name='zlib' />`
			`</not>`
			`</withinOutputClosure>`
			`</condition>`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00
* Use XML::LibXML. 2005-03-07 14:54:52 +00:00			`<reason>`
			`Subversion can be compiled with Zlib compression support, which is a good thing.`
			`</reason>`

			`</item>`
			`-->`
* Concept for a simple blacklist. 2005-03-02 15:57:35 +00:00
			`</blacklist>`