+24
-4
pkgs/by-name/cu/curlMinimal/package.nix
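--- a/pkgs/by-name/cu/curlMinimal/package.nix
+++ b/pkgs/by-name/cu/curlMinimal/package.nix
@@ -103,10 +103,30 @@
 hash = "sha256-Sgk5eaPC0C3i+8AFSaMncQB/LngDLG+qXs0vep4VICU=";
 };
 
-patches = [
-# Backport of https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
-./0001-http2-fix-stream-window-size-after-unpausing.patch
-];
+patches =
+[
+# Backport of https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
+./0001-http2-fix-stream-window-size-after-unpausing.patch
+]
+++ lib.optionals wolfsslSupport [
+(fetchpatch {
+# https://curl.se/docs/CVE-2025-4947.html backported to 8.13. Remove when version is bumped to 8.14.
+# Note that this works since fetchpatch uses curl, but does not use WolfSSL.
+name = "curl-CVE-2025-4947.patch";
+url = "https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125.diff";
+hash = "sha256-z4IYAkg/RylTs1m8tbwI2tVqTCHkIpmkzdFBcRBJmH4=";
+
+# All the test patches fail to apply (seemingly, they were added for 8.14)
+includes = [ "lib/vquic/vquic-tls.c" ];
+})
+(fetchpatch {
+# https://curl.se/docs/CVE-2025-5025.html backported to 8.13. Remove when version is bumped to 8.14.
+# Note that this works since fetchpatch uses curl, but does not use WolfSSL.
+name = "curl-CVE-2025-5025.patch";
+url = "https://github.com/curl/curl/commit/e1f65937a96a451292e92313396.diff";
+hash = "sha256-9k05eDGUA7XT+H4p8H8v0lYXC4cW7W2uvO+z4gLapX4=";
+})
+];
 
 # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
 # necessary for FreeBSD code path in configure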
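Review bot: The `includes = [ "lib/vquic/vquic-tls.c" ];` filter on the CVE-2025-4947 fetchpatch keeps only that one file, so any other non-test hunk in the upstream commit would be dropped silently and the build would still succeed with a partial fix. If the intent is only to skip the test changes that do not apply to 8.13, an exclusion such as `excludes = [ "tests/*" ];` says that directly and keeps every source change; otherwise a comment confirming that the upstream fix touches no other source file would help. Both `url` values also use shortened commit ids; the fixed `hash` pins the content, but the full 40-character id (`.../commit/<full-commit-id>.diff`) keeps the reference unambiguous for anyone auditing the backport. The "Remove when version is bumped to 8.14" reminder is not enforced by anything visible in this hunk, so the patches could outlive the bump unnoticed when `wolfsslSupport` is off in the default build.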