Skip to content
This repository was archived by the owner on Apr 12, 2021. It is now read-only.
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: a8e307e93c36
Choose a base ref
...
head repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: be81cfd9f878
Choose a head ref
  • 5 commits
  • 3 files changed
  • 3 contributors

Commits on Jul 21, 2018

  1. Merge pull request #43811 from taku0/oraclejdk-8u181 

    oraclejdk: 10.0.1 -> 10.0.2 [Critical security fixes]

(cherry picked from commit defa760)
    @srhb
    srhb committed Jul 21, 2018
    Copy the full SHA
    79e6571 View commit details

Commits on Oct 6, 2018

  1. ghostscript: 9.24 -> 9.25 (#47948) 

    Highlights in this release include:

This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the recent 9.24 release.

CVE-2018-16802
CVE-2018-17183

Note: The ps2epsi utility does not, and cannot call Ghostscript with the -dSAFER command line option. It should never be called with input from untrusted sources.

Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
PLEASE NOTE: We strongly urge users to upgrade to this latest release to avoid these issues.

As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out specification files.

IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all be been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).

The usual round of bug fixes, compatibility changes, and incremental improvements.

(cherry picked from commit 5b77b0d2f1eda9a42fe188eafb499230741e7925)
(cherry picked from commit dbcbf7c)
    @flokli @xeji
    flokli authored and xeji committed Oct 6, 2018

    Verified

    This commit was signed with the committer’s verified signature.
    delroth Pierre Bourdon
    GPG key ID: 6FB80DCD84DA0F1C
    Verified
    Learn about vigilant mode
    Copy the full SHA
    54a2076 View commit details

  2. Merge pull request #43842 from srhb/jdk-backport 

    Backport of #43811 jdk updates (help needed)
    @andir
    andir authored Oct 6, 2018

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    bfa517d View commit details

  3. oraclejdk8psu: mark as insecure 

    This is a sort port of 4d6f880 (#43811). The mentioned issues are not
being fixed in the release. The CPU release should be used instead.

Since someone might still need the PSU version it will just be marked as
insecure allowing the user to whitelist it, if required.
    @andir
    andir committed Oct 6, 2018

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    3b23342 View commit details

  4. Merge pull request #47959 from andir/18.03/oraclejdk 

    [18.03] oraclejdk8psu: mark as insecure
    @andir
    andir authored Oct 6, 2018
    Copy the full SHA
    be81cfd View commit details
Showing with 37 additions and 19 deletions.
  1. +4 −4 pkgs/development/compilers/oraclejdk/jdk10-linux.nix
  2. +31 −12 pkgs/development/compilers/oraclejdk/jdk8psu-linux.nix
  3. +2 −3 pkgs/misc/ghostscript/default.nix
8 changes: 4 additions & 4 deletions pkgs/development/compilers/oraclejdk/jdk10-linux.nix
View file
Original file line number Diff line number Diff line change
@@ -29,7 +29,7 @@ assert stdenv.system == "x86_64-linux";
assert swingSupport -> xorg != null;

let
version = "10.0.1";
version = "10.0.2";

downloadUrlBase = http://www.oracle.com/technetwork/java/javase/downloads;

@@ -52,19 +52,19 @@ let result = stdenv.mkDerivation rec {
requireFile {
name = "jdk-${version}_linux-x64_bin.tar.gz";
url = "${downloadUrlBase}/jdk10-downloads-4416644.html";
sha256 = "1975s6cn2lxb8jmxp236afvq6hhxqrx5jix8aqm46f5gwr2xd3mf";
sha256 = "0arpzac64apji1s8d0gzizkvrjz0fbhz7l34af1j0365ac6w4cv6";
}
else if packageType == "JRE" then
requireFile {
name = "jre-${version}_linux-x64_bin.tar.gz";
url = "${downloadUrlBase}/jre10-downloads-4417026.html";
sha256 = "11pb8cwzmalc6ax735m84g13jh1mrfc8g84b5qypnmqjjdv6fpiq";
sha256 = "0pc4a0a3fl6874vfaflf6jvpm9da647vp41pj0hihkspjyjhjabx";
}
else if packageType == "ServerJRE" then
requireFile {
name = "serverjre-${version}_linux-x64_bin.tar.gz";
url = "${downloadUrlBase}/sjre10-downloads-4417025.html";
sha256 = "0hvfqgr22sq9zyqc496vqgg5ail189h3a4pazp39i8n86brd48lw";
sha256 = "0hbcb4c6ncy0sbz02gyygyqcwkz0xpv4fwrx4sripia6vph9592c";
}
else abort "unknown package Type ${packageType}";

43 changes: 31 additions & 12 deletions pkgs/development/compilers/oraclejdk/jdk8psu-linux.nix
View file
Original file line number Diff line number Diff line change
@@ -1,12 +1,31 @@
import ./jdk-linux-base.nix {
productVersion = "8";
patchVersion = "172";
downloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html;
sha256.i686-linux = "0csskx8xis0dr1948j76fgrwwsj4gzdbjqfi7if4v4j62b9i0hqa";
sha256.x86_64-linux = "0inkx73rwv7cvn9lqcr3hmnm0sr89h1fh29yamikb4dn02a0p818";
sha256.armv7l-linux = "1576cb0rlc42dsnmh388gy1wjas7ac6g135s8h74x8sm4b56qpln";
sha256.aarch64-linux = "0zpkmq8zxmpifawj611fg67srki63haz02rm6xwfc5qm2lxx5g6s";
jceName = "jce_policy-8.zip";
jceDownloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html;
sha256JCE = "0n8b6b8qmwb14lllk2lk1q1ahd3za9fnjigz5xn65mpg48whl0pk";
}
{ callPackage, ... }@_args:
let
drv = import ./jdk-linux-base.nix {
productVersion = "8";
patchVersion = "172";
downloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html;
sha256.i686-linux = "0csskx8xis0dr1948j76fgrwwsj4gzdbjqfi7if4v4j62b9i0hqa";
sha256.x86_64-linux = "0inkx73rwv7cvn9lqcr3hmnm0sr89h1fh29yamikb4dn02a0p818";
sha256.armv7l-linux = "1576cb0rlc42dsnmh388gy1wjas7ac6g135s8h74x8sm4b56qpln";
sha256.aarch64-linux = "0zpkmq8zxmpifawj611fg67srki63haz02rm6xwfc5qm2lxx5g6s";
jceName = "jce_policy-8.zip";
jceDownloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html;
sha256JCE = "0n8b6b8qmwb14lllk2lk1q1ahd3za9fnjigz5xn65mpg48whl0pk";
};
args = removeAttrs _args ["callPackage"];
in
(callPackage drv args).overrideAttrs (attrs: {
meta = attrs.meta // {
knownVulnerabilities = [
# Issues from the latest CPU update that affect this PSU version
# https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA
"CVE-2018-2938"
"CVE-2018-2964"
"CVE-2018-2941"
"CVE-2018-2942"
"CVE-2018-2973"
"CVE-2018-2940"
"CVE-2018-2952"
];
};
})
5 changes: 2 additions & 3 deletions pkgs/misc/ghostscript/default.nix
View file
Original file line number Diff line number Diff line change
@@ -9,9 +9,8 @@ assert x11Support -> xlibsWrapper != null;
assert cupsSupport -> cups != null;
let
version = "9.${ver_min}";
ver_min = "24";
# ghostscript*.tar.xz in https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9xx/SHA512SUMS
sha512 = "dcbeeb5d3dd5ccaf949dc4be68363c50b1d35e647be4790a50b1bbf5f259f1d9181f705be27bfca708c4d270f945ff4b24e3db10b57800c1ee0ea7a40931c547";
ver_min = "25";
sha512 = "18pcqzva7pq2a9mmqf9pq8x4winb6qmzni49vq2qx50k60rwyv1kdmixik3ym2bpj5p1j8g0vb47w7w2cf4lba5q583ylpd8rshn73s";

fonts = stdenv.mkDerivation {
name = "ghostscript-fonts";