zotero: mark as insecure (CVE-2023-5217) #262808
Conversation
Zotero 6 is based on Firefox 60 and has not patched this vulnerability. The next version is based on Firefox 102 (ESR) and has patched this, but is is still in beta. See also NixOS#258048.
mweinelt
added
backport release-23.05
1.severity: security
|
Successfully created backport PR for |
|
Git push to origin failed for release-23.05 with exitcode 1 |
1 similar comment
|
Git push to origin failed for release-23.05 with exitcode 1 |
|
Should we open a ticket against upstream? Where did you see what firefox version Zotero is based on? |
|
I mentioned how I got the Firefox version in this comment in the CVE-tracking issue. It's been raised in the Zotero dev mailing list before. I just posted a response to the mailing list conversation, but it is now awaiting approval. |
|
Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated... |
|
@camillemndn If nixpkgs would accept a binary build of Zotero based off of FF 102, it would be silly not to accept a source build based off the same. |
I agree, maybe you can reopen #227053 when Zotero 7 is stable. I closed it for now. |
Description of changes
Zotero 6 is based on Firefox 60 and has not patched this vulnerability. The next version is based on Firefox 102 (ESR) and has patched this, but is is still in beta.
See also #258048.
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)