commits
If our old Nix can’t evaluate the Nixpkgs channel, try the fallback
from the new channel /first/. That way we can upgrade Nix to a newer
version and support breaking changes to Nix (like seen in the upgrade
to Nix 2.0).
This change should be backported to older NixOS versions!
(cherry picked from commit 475c8aa018bbdd99e7e9d693c7207cdccdcde7b3)
Security update for git on 17.09: 2.15.0 -> 2.15.2
This update fixes CVE-2018-10857 and CVE-2018-10859.
/cc #41748.
(cherry picked from commit 7ccece3227f1e8d97777b928a3ae241d8d752402)
Get libtiff on the same patch level as Debian. The imported patch file
contains:
CVE-2017-9935
CVE-2017-11613
CVE-2017-17095
CVE-2017-18013
CVE-2018-5784
CVE-2018-7456
Re #41750
(cherry picked from commit 16ee92eba9ed6306d573bdb310d19cf87f4a5066)
(cherry picked from commit 95aa3f4cc69c35c3c37ace4634df69e472749448)
(cherry picked from commit 219b1c1e1bfbf2ec56584c2e6fd7c1fb937d253a)
(cherry picked from commit a90294afe4da78a3a2ed1ac836ff72b9db4da9bd)
(cherry picked from commit 6cd06ae05b1f9abee685db5e6c6135934178d86a)
(cherry picked from commit e9e823c178d70b8562094ee07786e7483952919b)
(cherry picked from commit 627444cfc2354d79ade0a59b55e8182729e51e16)
The use of this function is disallowed in nixpkgs, and purely there for
the convenience of downstream users. This improves closure size without
any loss of functionality.
Do not kill udev during boot 17.09
(cherry picked from commit b15da3e3308d37b0c976ea809e3f4d07d7fdd6ad)
(cherry picked from commit 2b499afa63f01473a19c7166c1f3750fa45a1bab)
(cherry picked from commit b4c12eef3078e5f6a8df24a96ba71beac58ff52d)
On nixpkgs master/staging we have 2.32 - that includes this patch.
https://nvd.nist.gov/vuln/detail/CVE-2018-7738 claims 2.32-rc1 fixes
this and upstream master hasn't changed umount completion except for
this patch, so it has to be it. /cc #38994.
(cherry picked from commit 7979cb54e653aadb5b88198a7874976be0cf7388)
[release-17.09] slurm: Fix CVE-2018-7033
[17.09] quassel: 0.12.4 fix RCE & DOS
It was found that Quassel could be remotely crashed and had an
unauthenticated RCE vulnerability. The public announcement can be found
on the oss-sec archive [1]. The added patches are supposed to fix both issues.
[1] http://seclists.org/oss-sec/2018/q2/77
(cherry picked from commit 8ae91ea6a3d01afd49025cfd12f5e9ea53f2fdfb)
(cherry picked from commit 3a47c7e8f67c6ece266f570d6db9598856512ede)
libjpeg: 1.5.2 -> 1.5.3
Semi-automatic update generated by https://github.com/ryantm/nix-update tools. These checks were done:
- built on NixOS
- Warning: no binary found that responded to help or version flags. (This warning appears even if the package isn't expected to have binaries.)
- found 5.0.3 with grep in /nix/store/g5hcg35wmg25sgfjp7mvi4cx3shldbxd-libXfixes-5.0.3
- directory tree listing: https://gist.github.com/7398ada0908969ebbd1e7e629a1e0ef7
(cherry picked from commit 0e443ceb9e815fda4a580a484ea0b2627ee78509)
Only fixes CVE-2016-7944; /cc #38994.
(cherry picked from commit ce86b8f1b431c635eb1facc5d8b6954dc0ef5b7d)
(cherry picked from commit 19bc90f91111f9d02e5e68fcdb4135913b9569eb)
0.4.2 fixes the following CVEs:
CVE-2017-11661
CVE-2017-11662
CVE-2017-11663
CVE-2017-11664
Fixes #33877.
(cherry picked from commit b13230ce24848d5b8bd54d7aaaecbd1c3316742b)
[17.09] chromium: build with gcc7
flashplayer: 29.0.0.113 -> 29.0.0.140 [Critical security fixes]
(cherry picked from commit 896cc0847a30015e59dec8b968e9d024df66db36)
(cherry picked from commit 6ce61b12cd531768071c7fbf9a6a52bc79ec7f9f)
This makes the startup wrapper work as intended instead of
re-downgrading Dropbox after each time it updates itself.
(cherry picked from commit 7a9784c571a89455c88c7d79bab87b6d704944ae)
(krunner-pass): init at 1.3.0 on 17.09
cc https://github.com/NixOS/nix/issues/1951
(cherry picked from commit 7dafa09ed93e8fb932870d839b0668c9ed1c92ee)
r17.09: aws-auth: unstable-2017-07-24 -> unstable-2018-04-04
also re-enable for continuity on stable branch. this (perhaps final) release
should at least *work* with the rest of release-17.09 but will probably
see no further development and should remain "dropped" in master.
This is a maintenance bump of the golang 1.9 version.
Within the updates are a few bug fixes including an (extended?)
fix for CVE-2018-7187 [1].
The complete changelog is available at the golang GitHub project [2].
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187
[2] https://github.com/golang/go/issues?q=milestone%3AGo1.9.5
(cherry picked from commit e9f74b91d6f0d6997ee25cae6d100e6ba4b3a6eb)
(cherry picked from commit cac2a6596cbade2cb4b12d4b8f337dfa8d73f48f)
I can't reproduce the problem on an idle machine where it finishes in
112.954s, so let's hope this works.
https://hydra.nixos.org/build/68236758
(cherry picked from commit 8f0508ebc1f3a872ca8accfb26f10ebd49a0d4a1)
(cherry picked from commit f7dd6951aaa26087c8fd9f01bbe21f7c1254117b)
Argh, debugging NixOS tests takes forever…
veracrypt: 1.21 -> 1.22
(cherry picked from commit cace5017cb6f9347ac42613c122ea03277af23e5)
(cherry picked from commit f4b9da7c6a0f623e2e7175dbdecf5dc61da97639)
(cherry picked from commit 1784c7727a87d9b1bc2a2576c98d43113effdbd8)
[17.09] firefox{,-bin,-esr} updates for MFSA2018-10
[17.09] openssl{,1_1_0} update (1.0.2o, 1.1.0h)
This passes the correct compilation flags to the builder so we pick up
the path to sqlite, and (despite the fact that it's a development
version), also updates to version 1.55_07 to fix
https://github.com/DBD-SQLite/DBD-SQLite/issues/28
(cherry picked from commit 73a7d67795654d35647d217d6d1d3cb0f9cf0899)
Fixes MFSA2018-10 [1].
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
(cherry picked from commit 24a2c3fe58d712617eff1dd6aa078ba0a26e3127)
Fixes MFSA2018-10 [1].
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
(cherry picked from commit 6abbe39551bba6a0b201e313bda291b0ce33f95c)
Announcement can be found at [1].
[1] https://www.openssl.org/news/secadv/20180327.txt
(cherry picked from commit 4bf9b4a328e2f8e34be4da1732206a85a2900855)