commits
(cherry picked from commit 11238ffbe1d1102c6519c4852ab61352d3d36f31)
Signed-off-by: Domen Kožar <domen@dev.si>
(cherry picked from commit e6114781b0fad5345a2430fac3587d618273bda2)
Signed-off-by: Domen Kožar <domen@dev.si>
[...]
make modules -C /nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/build EXTRA_CFLAGS=-Werror-implicit-function-declaration M=/tmp/nix-build-spl-kernel-2017-11-16-4.14.9.drv-0/source/build
/nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/source/Makefile:939: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". Stop.
This patch introduces kernel.moduleBuildDependencies to avoid the logic "stdenv.lib.optional (stdenv.lib.versionAtLeast kernel.version "4.14") libelf" in multiple places.
[dezgeg did some minor tweaks on top]
(cherry picked from commit e06dbe4f5b51850746ef2c363be8326a1a3e84bf)
(cherry picked from commit 5e2d96deb331b19fc1b69146c88a8128e8b6e466)
(cherry picked from commit 7726b4602709bbda969c021c56873a6eeebe97b2)
Fixes CVE-2017-7862.
(cherry picked from commit 25515ce9280dcb90cffc3fbd15e4ab2ac8ec0e38)
Reverse the PartOf dependency between network-setup and network-addresses-*
This was joint work of: @nh2, @domenkozar, @fpletz, @aszlig and @basvandijk
at the NixCon 2017 hackathon.
(cherry picked from commit 0a5ecde8085122835a9c8ffa2025e8ccb49ddb14)
(cherry picked from commit f41f5a8f77a09f9629b86d88f6a6b514e416d155)
(cherry picked from commit 3975f267abc305d4a197fe96c0cf5f49cbfc6d7d)
(cherry picked from commit ecdf4f1c51c0b1093b06c17fce29f6778ee6934f)
Fixes CVE-2017-13089, CVE-2017-13090.
(cherry picked from commit 3e29dd00fc43f585995dc470e7bb9717f6d9f46e)
(cherry picked from commit dc240d20696aeb26198aa744bc99cde5bc5cf69b)
They're relatively simple patches, used by Debian.
(cherry picked from commit 9bd930560292209b569158a0a591b59108dd4dd9)
(cherry picked from commit 4b756e48738dc0775dacb6b97280a17799d66147)
(cherry picked from commit bb493911516b812d5e03567836fb049c2ee02608)
(cherry picked from commit 6af0de6478a7028b6fd73fbd44cacf0c13c7be99)
Security update, see https://irssi.org/security/irssi_sa_2017_10.txt.
(cherry picked from commit c81563771985a19f9c44bca267b66374fba1b11f)
(cherry picked from commit a060b850f68906e8a5928aa24398a5d4ec76361f)
(cherry picked from commit 628c039326bd1f8e8a8009c0ea74cb99c3d82e3a)
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
(cherry picked from commit ea50efcc67cfa6c8331b54ff33ab791dacd52fe4)
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
(cherry picked from commit 629965a53251afa23a60c08c16000b732374b9f9)
"batch" is a shell script so invoking it via setuid wrapper never worked
anyway. (The kernel drops perms on executables with shebang.) A previous
nixpkgs commit made "batch" invoke the NixOS setuid "at" wrapper to gain
needed privileges.
Thanks to @yesbox for noticing.
(cherry picked from commit 497108b4568d01cefee6acdf92b738ee80e22023)
(cherry picked from commit 943730ff9b6b05c61ef75d7e2f3fae17d4cbdf4f)
(Fix trivial conflict in nixos/release.nix.)
Fixes https://github.com/NixOS/nixpkgs/issues/12392
(cherry picked from commit 38e6ae8e440d3c1eb53c7f2bae9dedd2fdf9a5bb)
(cherry picked from commit 514593ea31d7e67e8efa2f2ff26c9569d508a5ef)
CVE-2017-{12176,12177,12178,12183}
(cherry picked from commit 2baf618c3ee503b20fd55f0ba92b325a976de730)
CVE-2013-1988, CVE-2017-{13720,13722}
(cherry picked from commit 6328c76e7785791c0397f43eaace1f85cbf33164)
(cherry picked from commit 94fa59228a68b4bb4cb4074f46b91921eabdc5ed)
(cherry picked from commit 034c168aa29fa95c323125d970d4018d25ac7eee)
It fixes some reverse dependencies and it's very unlikely to worsen
something.
The output of ./configure shows all modules/plugins, both enabled and
disabled. With this info we can finally build the _complete_ list of
modules. We were missing these:
mod_authn_gssapi
mod_authn_ldap
mod_geoip
(I hit this as I was building lighttpd with ldap support and the NixOS
module said ldap was unsupported, due to these missing entries in
allKnownModules.)
(cherry picked from commit d26f8b5e00b4a436ec8f9b7fb1b55a0dbda440c5)
* mod_dirlisting is auto-loaded by lighttpd and should not be explicitly
loaded in the configuration file.
* The rest comes from looking at "ls -1 $lighttpd/lib/*.so" when
lighttpd is built with "enableMagnet" and "enableMysql".
(cherry picked from commit b339e6e13fb0869f5ac5ba13e8c38ab535549231)
(cherry picked from commit da93e6e6789dc52e24571179726813ca9d4eed61)
(cherry picked from commit 1afd97aa8f5893b92be5861d11b31c3ba9581f34)
otherwise fcronsighup is not found.
Setting PATH to /run/current-system/sw/bin does not seem to be used by the service file anyway.
(cherry picked from commit e34e28e573568a0cad99d3e6aec3f78408d9cdbc)
CVE-2017-{13721,13723}
https://lists.x.org/archives/xorg-announce/2017-October/002808.html
(cherry picked from commits 07efaaa722a8bf288 and 35b4c8be511d6f)
For multiple CVEs:
- CVE-2017-0898
- CVE-2017-10784
- CVE-2017-14033
- CVE-2017-14064
See https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
(cherry picked from commit 547fba51407afed4c3885cd935cf23702e386be8)
(cherry picked from commit ec2c46923078ceda67f944ae09bcb4d435d45ce5)
It needs rustc-1.17, and I don't see how to port it ATM. /cc #30143
... to avoid mass rebuilds for now. (Bumped in parent merge.)
(cherry picked from commit a7159d3cdae0fc8a38b2a3a24b0fc240ebf85d9b)
(cherry picked from commit 84952fc2920e0b490ddbea483b7ab7e3e25db929)
(cherry picked from commit 6ef6484dd645a7d1d6b1d3d993988ba5833a5701)
(cherry picked from commit c06a10e05fedcd49c4b2f88a435e9aad64395d0a)
https://curl.haxx.se/docs/adv_20171004.html
(cherry picked from commit a98b96824db90446895c7cbf2c4931ef9ad9cb68)
(cherry picked from commit 135a841d9124f0c27750ee909d02a84bff23b44e)
Fixes CVE-2017-14061, CVE-2017-14062.
(cherry picked from commit 1ff1c6ac4a4c8bc7f237bc14d5ff2ca336f3f610)
See http://lists.gnu.org/archive/html/info-gnu/2017-07/msg00008.html
for release information
(cherry picked from commit e420be7ab5febf16a6e5612b0ce31b37d9587b98)
(cherry picked from commit b88296818de1f96745d529317c6047f651bade5b)
See https://lists.gnu.org/archive/html/info-gnu/2017-04/msg00011.html
for release information
(cherry picked from commit b8ee0d54aa11e9f23d4c7858b990374012ad2b2e)
See http://lists.gnu.org/archive/html/info-gnu/2017-04/msg00010.html
for release information. With this release the numbering scheme changed.
(cherry picked from commit 0c318375c8c89ef890c73e288ec5e384a57176b0)
(cherry picked from commit 9fc7f918eee2c8a145a5cbfab7bda03e6296c659)
(cherry picked from commit ed71a3a6785a9901e59bda5118e1f9a1fa341acc)
(cherry picked from commit ad2ae842bb452785247ba3801bd8d33b685205c6)
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494,
CVE-2017-14495, CVE-2017-14496.
(cherry picked from commit 2f188ff37f9a43985e351d6a1edb570031c44518)
(cherry picked from commit bc3ee6bfd47a3bab4c9491da51c550f4ec49106d)