This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: a7ceb2536ab1
head repository: NixOS/nixpkgs-channels
compare: 511766df7a36
  • 4 commits
  • 2 files changed
  • 3 contributors

Commits on Apr 29, 2020

  1. coturn: apply patch for CVE-2020-6061/6062

    Fixes: CVE-2020-6061, CVE-2020-6062
    
    An exploitable heap overflow vulnerability exists in the way CoTURN
    4.5.1.1 web server parses POST requests. A specially crafted HTTP
    POST request can lead to information leaks and other misbehavior.
    An attacker needs to send an HTTPS request to trigger this vulnerability.
    
    An exploitable denial-of-service vulnerability exists in the way
    CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
    HTTP POST request can lead to server crash and denial of service.
    An attacker needs to send an HTTP request to trigger this vulnerability.
    
    (cherry picked from commit 704a018)
    mweinelt committed Apr 29, 2020

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    ac3ed15
  2. Merge pull request #86271 from mweinelt/19.09/coturn/CVE-2020-6061+6062

    [19.09] coturn: apply patch for CVE-2020-6061/6062
    rasendubi authored Apr 29, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    1d06d40
  3. monotone: openssl in botan is not needed, so drop to avoid old openssl

    (cherry picked from commit 4644776)
    7c6f434c committed Apr 29, 2020
    e27493e
  4. Merge pull request #86340 from 7c6f434c/monotone-no-botan-openssl-19.09

    monotone: openssl in botan is not needed, so drop to avoid old openssl
    7c6f434c authored Apr 29, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    511766d
Showing with 10 additions and 2 deletions.
  1. +9 −2 pkgs/servers/coturn/default.nix
  2. +1 −0 pkgs/top-level/all-packages.nix
11 changes: 9 additions & 2 deletions pkgs/servers/coturn/default.nix
@@ -1,4 +1,4 @@
{ stdenv, fetchFromGitHub, openssl, libevent }:
{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:

stdenv.mkDerivation rec {
pname = "coturn";
@@ -13,7 +13,14 @@ stdenv.mkDerivation rec {

buildInputs = [ openssl libevent ];

patches = [ ./pure-configure.patch ];
patches = [
./pure-configure.patch
(fetchpatch {
name = "CVE-2020-6061+6062.patch";
url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
})
];

meta = with stdenv.lib; {
homepage = https://coturn.net/;
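
Review bot: the `fetchpatch` entry in `patches` has no comment saying when it can be dropped, and its URL points at Debian's packaging of 4.5.1.1-1.2 rather than at an upstream commit. Add a short comment above it naming the upstream fix or the release that contains it, so that the next version bump removes the patch instead of carrying it forward or failing at apply time. The fixed `sha256` is the right safeguard here: the build fails if the content served from that URL ever differs.
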
1 change: 1 addition & 0 deletions pkgs/top-level/all-packages.nix
@@ -19437,6 +19437,7 @@ in

monotone = callPackage ../applications/version-management/monotone {
lua = lua5;
botan = botan.override (x: { openssl = null; });
};

inherit (ocaml-ng.ocamlPackages_4_01_0) monotoneViz;
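
Review bot: the `botan = botan.override (x: { openssl = null; });` line carries no comment explaining why OpenSSL is set to null; the reason exists only in the commit message. Add a one-line comment above it stating that monotone does not need botan's OpenSSL support and that the override avoids pulling in the old OpenSSL, and confirm that the botan expression accepts `openssl = null` cleanly, since that cannot be seen from this hunk.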