This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: 3b9b10e49bec
head repository: NixOS/nixpkgs-channels
compare: 107ffbb22ad7
  • 13 commits
  • 8 files changed
  • 5 contributors

Commits on Jan 30, 2020

  1. cpio: 2.12 -> 2.13

    lsix authored and wamserma committed Jan 30, 2020
    16ff9f6 View commit details

Commits on Feb 10, 2020

  1. Merge #79740: libssh2: patch CVE-2019-17498 (into staging)

    (cherry picked from commit 4ff2a16)
    vcunat committed Feb 10, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    d9f1f8c View commit details

Commits on Mar 12, 2020

  1. Copy the full SHA
    8d27ad5 View commit details

Commits on Mar 15, 2020

  1. Copy the full SHA
    c26a26d View commit details
  2. Merge branch 'staging-19.09' into release-19.09

    (Older version finished on Hydra.)
    vcunat committed Mar 15, 2020
    021b296 View commit details
  3. Merge branch 'staging-19.09' into release-19.09

    (Older version finished on Hydra.)
    vcunat committed Mar 15, 2020
    686362c View commit details
  4. Copy the full SHA
    0c2b734 View commit details
  5. libssh: 0.8.7 -> 0.8.8

    mmilata authored and vcunat committed Mar 15, 2020
    45f415a View commit details
  6. Copy the full SHA
    cdd33cb View commit details
  7. samba4: patch all remaining security issues

    https://www.samba.org/samba/history/security.html
    Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux
    vcunat committed Mar 15, 2020
    7d27cc8 View commit details

Commits on Mar 16, 2020

  1. python3Packages.signedjson: 1.0.0 -> 1.1.0

    (cherry picked from commit 500375e)
    Ma27 committed Mar 16, 2020
    a9d4746 View commit details
  2. matrix-synapse: 1.9.1 -> 1.11.1

    Contains only the version update from 8be61f7,
    the module-changes are not needed on 19.09 since the database is always
    configured properly here.
    Ma27 committed Mar 16, 2020
    dce33f1 View commit details
  3. Merge branch 'staging-19.09' into release-19.09

    x86_64-linux rebuilds have finished, so let's merge
    to get the security fixes early.
    vcunat committed Mar 16, 2020
    107ffbb View commit details
8 changes: 5 additions & 3 deletions pkgs/development/libraries/libssh/default.nix
@@ -1,11 +1,12 @@
{ stdenv, fetchurl, pkgconfig, cmake, zlib, openssl, libsodium }:

stdenv.mkDerivation rec {
name = "libssh-0.8.7";
pname = "libssh";
version = "0.8.8";

src = fetchurl {
url = "https://www.libssh.org/files/0.8/${name}.tar.xz";
sha256 = "14nmwfnnrhkwcfk5hn7azl905ivbh4wllmsbw5abd80b5yi4qc23";
url = "https://www.libssh.org/files/0.8/${pname}-${version}.tar.xz";
sha256 = "1qk5bm9r6199jbfk54f8w24vkl52051g8s3kmq4z2kdc6vbpy4jb";
};

postPatch = ''
@@ -22,6 +23,7 @@ stdenv.mkDerivation rec {

meta = with stdenv.lib; {
description = "SSH client library";
homepage = "https://libssh.org";
license = licenses.lgpl2Plus;
maintainers = with maintainers; [ sander ];
platforms = platforms.all;
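--- a/pkgs/development/libraries/libssh2/default.nix
+++ b/pkgs/development/libraries/libssh2/default.nix
@@ -14,6 +14,15 @@ stdenv.mkDerivation rec {
 buildInputs = [ openssl zlib ]
 ++ stdenv.lib.optional stdenv.hostPlatform.isMinGW windows.mingw_w64;
 
+patches = [
+# not able to use fetchpatch here: infinite recursion
+(fetchurl {
+name = "CVE-2019-17498.patch";
+url = "https://github.com/libssh2/libssh2/pull/402.patch";
+sha256 = "1n9s2mcz5dkw0xpm3c5x4hzj8bar4i6z0pr1rmqjplhfg888vdvc";
+})
+];
+
 meta = with stdenv.lib; {
 description = "A client-side C library implementing the SSH2 protocol";
 homepage = https://www.libssh2.org;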
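Review bot: The `url` in the added `patches` entry points at a pull-request patch (`pull/402.patch`), which GitHub regenerates from the PR's current commits, so the content behind it can change after this hash was recorded. Because `sha256` is pinned, a changed download fails the build instead of letting unreviewed code in, but the derivation then stops being reproducible, and plain `fetchurl` does not normalize GitHub's patch output the way `fetchpatch` does. Since the comment says `fetchpatch` cannot be used here, pinning to the merged commit is the more stable form: `url = "https://github.com/libssh2/libssh2/commit/<merged-commit-sha>.patch";` (placeholder; take the id from the upstream fix and refresh the hash). The rest of the derivation lies outside this hunk.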
7 changes: 4 additions & 3 deletions pkgs/development/python-modules/signedjson/default.nix
@@ -4,19 +4,20 @@
, canonicaljson
, unpaddedbase64
, pynacl
, typing-extensions
}:

buildPythonPackage rec {
pname = "signedjson";
version = "1.0.0";
version = "1.1.0";

src = fetchgit {
url = "https://github.com/matrix-org/python-signedjson.git";
rev = "refs/tags/v${version}";
sha256 = "0b8xxhc3npd4567kqapfp4gs7m0h057xam3an7424az262ind82n";
sha256 = "18s388hm3babnvakbbgfqk0jzq25nnznvhygywd3azp9b4yzmd5c";
};

propagatedBuildInputs = [ canonicaljson unpaddedbase64 pynacl ];
propagatedBuildInputs = [ canonicaljson unpaddedbase64 pynacl typing-extensions ];

meta = with stdenv.lib; {
homepage = https://pypi.org/project/signedjson/;
4 changes: 2 additions & 2 deletions pkgs/servers/matrix-synapse/default.nix
@@ -23,11 +23,11 @@ let

in buildPythonApplication rec {
pname = "matrix-synapse";
version = "1.9.1";
version = "1.11.1";

src = fetchPypi {
inherit pname version;
sha256 = "13csf18dchm75vw251a7h57diag94vw6rhg8kkkbpi35cibn0cz2";
sha256 = "0xd4bxsmk67r6pfj5lh0hn36r8z51mxsl39fjfrfdidvl1qqbxnk";
};

patches = [
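--- a/pkgs/servers/samba/4.x.nix
+++ b/pkgs/servers/samba/4.x.nix
@@ -34,6 +34,11 @@ stdenv.mkDerivation rec {
 ./patch-source3__libads__kerberos_keytab.c.patch
 ./4.x-no-persistent-install-dynconfig.patch
 ./4.x-fix-makeflags-parsing.patch
+(fetchurl {
+name = "CVE-2019-14902+CVE-2019-14907+CVE-2019-19344.patch";
+url = "https://www.samba.org/samba/ftp/patches/security/samba-4.10.11-security-2020-01-21.patch";
+sha256 = "1mglfzyb6wv85rrlspqa0hlga1c9f3v123j2dvywrsp3waxhb651";
+})
 ];
 
 nativeBuildInputs = optionals stdenv.isDarwin [ rpcgen fixDarwinDylibNames ];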
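Review bot: Nothing next to the added `fetchurl` entry says which Samba version the patch applies to or when it can be dropped; the file name in the `url` says 4.10.11, and the derivation's `version` is outside this hunk. A comment such as `# upstream security patch of 2020-01-21, made against 4.10.11; remove on the next version bump` above the entry would keep the patch from being carried forward by accident, or from failing to apply after an update. The download is over HTTPS and hash-pinned, so the fetch itself needs no change.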
29 changes: 0 additions & 29 deletions pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch

This file was deleted.

20 changes: 3 additions & 17 deletions pkgs/tools/archivers/cpio/default.nix
@@ -1,30 +1,16 @@
{ stdenv, fetchurl, fetchpatch }:
{ stdenv, fetchurl }:

let
version = "2.12";
version = "2.13";
name = "cpio-${version}";
in stdenv.mkDerivation {
inherit name;

src = fetchurl {
url = "mirror://gnu/cpio/${name}.tar.bz2";
sha256 = "0vi9q475h1rki53100zml75vxsykzyhrn70hidy41s5c2rc8r6bh";
sha256 = "0vbgnhkawdllgnkdn6zn1f56fczwk0518krakz2qbwhxmv2vvdga";
};

patches = [
(fetchpatch {
name = "CVE-2015-1197-cpio-2.12.patch";
url = "https://gist.github.com/nckx/70b0bfa80ddfb86c2967/"
+ "raw/e9b40d4d4b701f584f826775b75beb10751dc884/"
+ "CVE-2015-1197-cpio-2.12.patch";
sha256 = "0ph43m4lavwkc4gnl5h9p3da4kb1pnhwk5l2qsky70dqri8pcr8v";
})

# Report: http://www.openwall.com/lists/oss-security/2016/01/19/4
# Patch from https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
./CVE-2016-2037-out-of-bounds-write.patch
];

preConfigure = if stdenv.isCygwin then ''
sed -i gnu/fpending.h -e 's,include <stdio_ext.h>,,'
'' else null;
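Review bot: The `patches` list that disappears from this section carried the fixes for CVE-2015-1197 and CVE-2016-2037, and nothing in the remaining lines or in the commit title `cpio: 2.12 -> 2.13` states that 2.13 includes them. That is presumably why they are dropped, but it should be confirmed against the upstream release notes and recorded, for example with `# CVE-2015-1197 and CVE-2016-2037 patches dropped: fixed upstream in 2.13 (confirm against NEWS)` above `src`. Without that record a later reader cannot tell a deliberate removal from a lost fix.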
14 changes: 3 additions & 11 deletions pkgs/tools/compression/lz4/default.nix
@@ -4,23 +4,15 @@

stdenv.mkDerivation rec {
pname = "lz4";
version = "1.9.1";
version = "1.9.2";

src = fetchFromGitHub {
sha256 = "1l1caxrik1hqs40vj3bpv1pikw6b74cfazv5c0v6g48zpcbmshl0";
sha256 = "0lpaypmk70ag2ks3kf2dl4ac3ba40n5kc1ainkp9wfjawz76mh61";
rev = "v${version}";
repo = pname;
owner = pname;
};

patches = [
# Fix detection of Darwin
(fetchpatch {
url = "https://github.com/lz4/lz4/commit/024216ef7394b6411eeaa5b52d0cec9953a44249.patch";
sha256 = "0j0j2pr6pkplxf083hlwl5q4cfp86q3wd8mc64bcfcr7ysc5pzl3";
})
];

# TODO(@Ericson2314): Separate binaries and libraries
outputs = [ "out" "dev" ];

@@ -65,7 +57,7 @@ stdenv.mkDerivation rec {
multiple GB/s per core, typically reaching RAM speed limits on
multi-core systems.
'';
homepage = https://lz4.github.io/lz4/;
homepage = "https://lz4.github.io/lz4/";
license = with licenses; [ bsd2 gpl2Plus ];
platforms = platforms.all;
};