NixOS · Mar 8, 2021 · Mar 15, 2021 · Mar 15, 2021 · Mar 20, 2021 · Mar 20, 2021
diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix
@@ -45,11 +45,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "glib";
-  version = "2.64.5";
+  version = "2.64.6";
 
   src = fetchurl {
     url = "mirror://gnome/sources/glib/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "04fczq693wivkqd2qxvvi3sncqgznsvzfiiwsll1rbayf795pgcw";
+    sha256 = "1wakp3zl9hs7p86br415qhrq6dnnmjmfcvq18vq72k0nf1xf0vn3";
   };
 
   patches = optionals stdenv.isDarwin [

diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
@@ -8,7 +8,7 @@
 
 assert guileBindings -> guile != null;
 let
-  version = "3.6.15";
+  version = "3.7.1";
 
   # XXX: Gnulib's `test-select' fails on FreeBSD:
   # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
@@ -23,8 +23,8 @@ stdenv.mkDerivation {
   inherit version;
 
   src = fetchurl {
-    url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
-    sha256 = "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f";
+    url = "mirror://gnupg/gnutls/v3.7/gnutls-${version}.tar.xz";
+    sha256 = "0vxcbig87sdc73h58pmcpbi4al1zgcxid1jn67mhcpna7sbdfxrp";
   };
 
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
@@ -42,9 +42,7 @@ stdenv.mkDerivation {
   #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
   #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
   # Change p11-kit test to use pkg-config to find p11-kit
-  postPatch = lib.optionalString (lib.versionAtLeast version "3.4") ''
-    sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' -i tests/cert-tests/name-constraints
-  '' + lib.optionalString (lib.versionAtLeast version "3.6") ''
+  postPatch = lib.optionalString (lib.versionAtLeast version "3.6") ''
     sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
     sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
     sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh

diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
@@ -1,5 +1,6 @@
 { stdenv
 , fetchurl
+, fetchpatch
 
 , pkgconfig
 
@@ -19,6 +20,32 @@ stdenv.mkDerivation rec {
 
   outputs = [ "bin" "dev" "out" "man" "doc" ];
 
+  patches = [
+    # https://gitlab.com/libtiff/libtiff/-/merge_requests/160
+    (fetchpatch {
+      name = "CVE-2020-35523.1.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/712fe9f5b9795c5a3e80f38db90dad11e6a8bb6a.patch";
+      sha256 = "1h4jrilnhc50qzjxljcm0471i4inwr790b1dzdf6qvwf7fqi6wky";
+    })
+    (fetchpatch {
+      name = "CVE-2020-35523.2.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2.patch";
+      sha256 = "01rzwf5xk5mf3j362g74h9qc45cnmqr0c14w5xj3p8mk160cd74q";
+    })
+    # https://gitlab.com/libtiff/libtiff/-/merge_requests/159
+    (fetchpatch {
+      name = "CVE-2020-35524.1.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330.patch";
+      sha256 = "1lac51lsvap6wzdg1rssnq2adrpxd3bqrsdm40qd88mpa0g3rsfb";
+    })
+    (fetchpatch {
+      name = "CVE-2020-35524.2.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2.patch";
+      sha256 = "0v559fpsgnmhzgjhsp7fkm3hwrfjv2042lrczd32c0yb9jbrqxvi";
+    })
+
+  ];
+
   nativeBuildInputs = [ pkgconfig ];
 
   propagatedBuildInputs = [ zlib libjpeg xz ]; #TODO: opengl support (bogus configure detection)

diff --git a/pkgs/development/libraries/nettle/default.nix b/pkgs/development/libraries/nettle/default.nix
@@ -1,10 +1,10 @@
 { callPackage, fetchurl, ... } @ args:
 
 callPackage ./generic.nix (args // rec {
-  version = "3.6";
+  version = "3.7.2";
 
   src = fetchurl {
     url = "mirror://gnu/nettle/nettle-${version}.tar.gz";
-    sha256 = "1wg3sprl0bzy49cmbwwm91vw67hk1x5i3ksdygsciyxz587hsk6j";
+    sha256 = "0qpi1qp3bcvqdsaxy2pzg530db95x8qjahkynxgwvr6dy5760ald";
   };
 })
diff --git a/pkgs/development/libraries/nettle/generic.nix b/pkgs/development/libraries/nettle/generic.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation ({
   nativeBuildInputs = [ gnum4 ];
   propagatedBuildInputs = [ gmp ];
 
-  configureFlags = [ "--enable-fat" ]; # runtime selection of HW-accelerated code
+  configureFlags = [ "--enable-fat" ]; # runtime selection of HW-accelerated code; it's default since 3.7
 
   doCheck = (stdenv.hostPlatform.system != "i686-cygwin" && !stdenv.isDarwin);
 

diff --git a/pkgs/development/libraries/popt/default.nix b/pkgs/development/libraries/popt/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "popt";
-  version = "1.16";
+  version = "1.18";
 
   src = fetchurl {
     url = "mirror://debian/pool/main/p/popt/popt_${version}.orig.tar.gz";
-    sha256 = "1j2c61nn2n351nhj4d25mnf3vpiddcykq005w2h6kw79dwlysa77";
+    sha256 = "1lf5zlj5rbg6s4bww7hbhpca97prgprnarx978vcwa0bl81vqnai";
   };
 
   patches = stdenv.lib.optionals stdenv.isCygwin [

diff --git a/pkgs/development/python-modules/django/2_2.nix b/pkgs/development/python-modules/django/2_2.nix
@@ -6,13 +6,13 @@
 
 buildPythonPackage rec {
   pname = "Django";
-  version = "2.2.18";
+  version = "2.2.19";
 
   disabled = !isPy3k;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1d0b91343i9n0qz8xia1fbm4s3q8wi98nyc9a3acncm0w3sr9jf9";
+    sha256 = "0hysjf8bz4g8xrn2cdx6pmawimpyr6ag2fg3jxsnc1byr3g3bhih";
   };
 
   patches = stdenv.lib.optional withGdal

diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix
@@ -0,0 +1,116 @@
+{ pname
+, version
+, extraDesc ? ""
+, src
+, extraPatches ? []
+, extraNativeBuildInputs ? []
+, extraMeta ? {}
+}:
+
+{ lib, stdenv
+, fetchurl
+, fetchpatch
+, zlib
+, openssl
+, libedit
+, pkg-config
+, pam
+, etcDir ? null
+, withKerberos ? true
+, kerberos
+, libfido2
+, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
+, linkOpenssl ? true
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  inherit pname version src;
+
+  patches = [
+    ./locale_archive.patch
+
+    # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+    ./dont_create_privsep_path.patch
+  ] ++ extraPatches;
+
+  postPatch =
+    # On Hydra this makes installation fail (sometimes?),
+    # and nix store doesn't allow such fancy permission bits anyway.
+    ''
+      substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
+    '';
+
+  nativeBuildInputs = [ pkg-config ]
+    ++ optional withKerberos kerberos.dev
+    ++ extraNativeBuildInputs;
+  buildInputs = [ zlib openssl libedit ]
+    ++ optional withFIDO libfido2
+    ++ optional withKerberos kerberos
+    ++ optional stdenv.isLinux pam;
+
+  preConfigure = ''
+    # Setting LD causes `configure' and `make' to disagree about which linker
+    # to use: `configure' wants `gcc', but `make' wants `ld'.
+    unset LD
+  ''
+  # Upstream build system does not support static build, so we fall back
+  # on fragile patching of configure script.
+  #
+  # libedit is found by pkg-config, but without --static flag, required
+  # to get also transitive dependencies for static linkage, hence sed
+  # expression.
+  #
+  # Kerberos can be found either by krb5-config or by fall-back shell
+  # code in openssh's configure.ac. Neither of them support static
+  # build, but patching code for krb5-config is simpler, so to get it
+  # into PATH, kerberos.dev is added into buildInputs.
+  + optionalString stdenv.hostPlatform.isStatic ''
+    sed -i "s,PKGCONFIG --libs,PKGCONFIG --libs --static,g" configure
+    sed -i 's#KRB5CONF --libs`#KRB5CONF --libs` -lkrb5support -lkeyutils#g' configure
+    sed -i 's#KRB5CONF --libs gssapi`#KRB5CONF --libs gssapi` -lkrb5support -lkeyutils#g' configure
+  '';
+
+  # I set --disable-strip because later we strip anyway. And it fails to strip
+  # properly when cross building.
+  configureFlags = [
+    "--sbindir=\${out}/bin"
+    "--localstatedir=/var"
+    "--with-pid-dir=/run"
+    "--with-mantype=man"
+    "--with-libedit=yes"
+    "--disable-strip"
+    (if stdenv.isLinux then "--with-pam" else "--without-pam")
+  ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
+    ++ optional withFIDO "--with-security-key-builtin=yes"
+    ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}")
+    ++ optional stdenv.isDarwin "--disable-libutil"
+    ++ optional (!linkOpenssl) "--without-openssl";
+
+  buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
+
+  enableParallelBuilding = true;
+
+  hardeningEnable = [ "pie" ];
+
+  postInstall = ''
+    # Install ssh-copy-id, it's very useful.
+    cp contrib/ssh-copy-id $out/bin/
+    chmod +x $out/bin/ssh-copy-id
+    cp contrib/ssh-copy-id.1 $out/share/man/man1/
+  '';
+
+  installTargets = [ "install-nokeys" ];
+  installFlags = [
+    "sysconfdir=\${out}/etc/ssh"
+  ];
+
+  meta = {
+    description = "An implementation of the SSH protocol${extraDesc}";
+    homepage = "https://www.openssh.com/";
+    changelog = "https://www.openssh.com/releasenotes.html";
+    license = licenses.bsd2;
+    platforms = platforms.unix ++ platforms.windows;
+    maintainers = with maintainers; [ eelco aneeshusa ];
+  } // extraMeta;
+}