From c57281c274df6bc5bfc86313fb072b58e115ebe0 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sun, 4 Jul 2021 13:52:49 +0200
Subject: [PATCH 1/6] trafficserver: 9.0.1 -> 9.0.2

Fixes CVE-2021-32566 and CVE-2021-32567.

(cherry picked from commit d41e86c67ff65b898be3952bf66f803a121cd083)
---
 nixos/tests/trafficserver.nix | 1 +
 pkgs/servers/http/trafficserver/default.nix | 11 ++---------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/nixos/tests/trafficserver.nix b/nixos/tests/trafficserver.nix
index 3979a1b4a48..983ded4f172 100644
--- a/nixos/tests/trafficserver.nix
+++ b/nixos/tests/trafficserver.nix
@@ -104,6 +104,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 ats.wait_for_open_port(80)
 httpbin.wait_for_unit("httpbin")
 httpbin.wait_for_open_port(80)
+ client.wait_for_unit("network-online.target")
 with subtest("Traffic Server is running"):
 out = ats.succeed("traffic_ctl server status")
diff --git a/pkgs/servers/http/trafficserver/default.nix b/pkgs/servers/http/trafficserver/default.nix
index 4a7f9854d18..e7ce72e086e 100644
--- a/pkgs/servers/http/trafficserver/default.nix
+++ b/pkgs/servers/http/trafficserver/default.nix
@@ -49,11 +49,11 @@ stdenv.mkDerivation rec {
 pname = "trafficserver";
- version = "9.0.1";
+ version = "9.0.2";
 src = fetchurl {
 url = "mirror://apache/trafficserver/trafficserver-${version}.tar.bz2";
- sha256 = "1q164pvfmbqh3gzy3bqy96lwd0fdbhz78r06pd92p7rmkqwx005z";
+ sha256 = "0r05iqmnnjq259nsibncgfrfsr0l4h3hsafizvgfl9zgmrkm6izz";
 };
 patches = [ 
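Review bot: The new `client.wait_for_unit("network-online.target")` sits among the ats/httpbin readiness waits with nothing saying what it guards, so a later reader cannot tell whether it is load-bearing or can be removed. Add a why-comment on that line, e.g. `# requests issued from client below raced the VM's network coming up` (confirm that this was the observed failure mode). Also worth confirming that something on the client VM actually pulls in `network-online.target`: `wait_for_unit` returns only once the unit is active, so an unreferenced target would presumably make the test block until the driver timeout instead of failing fast. The enclosing testScript starts and ends outside the hunk.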
@@ -63,13 +63,6 @@ stdenv.mkDerivation rec {
 url = "https://github.com/apache/trafficserver/commit/19d3af481cf74c91fbf713fc9d2f8b138ed5fbaf.diff";
 sha256 = "0z1ikgpp00rzrrcqh97931586yn9wbksgai9xlkcjd5cg8gq0150";
 })
-
- # Fixes a bug in tspush which pushes incorrect contents to cache
- # https://github.com/apache/trafficserver/pull/7696
- (fetchpatch {
- url = "https://github.com/apache/trafficserver/commit/b08215272872f452787915cd3a8e0b0ea0b88385.diff";
- sha256 = "0axk8x1xvd8wvpgcxgyqqg7kgxyxwfgwmisq3xnk1da0cqv9cx9f";
- })
 ];
 # NOTE: The upstream README indicates that flex is needed for some features,

From 04644c993de859e0ef5766253d5cbd79a6d509f7 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Thu, 15 Jul 2021 18:51:53 +0200
Subject: [PATCH 2/6] fig2dev: apply patch for CVE-2021-3561

(cherry picked from commit 57aff6b0ae29df302511c60d979dfe8349bd8a92)
---
 pkgs/applications/graphics/fig2dev/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkgs/applications/graphics/fig2dev/default.nix b/pkgs/applications/graphics/fig2dev/default.nix
index c7484f4cbfe..31d14185dcd 100644
--- a/pkgs/applications/graphics/fig2dev/default.nix
+++ b/pkgs/applications/graphics/fig2dev/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchurl
+, fetchpatch
 , ghostscript
 , libpng
 , makeWrapper
@@ -20,6 +21,15 @@ stdenv.mkDerivation rec {
 sha256 = "1bm75lf9j54qpbjx8hzp6ixaayp1x9w4v3yxl6vxyw8g5m4sqdk3";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2021-3561.patch";
+ # Using Debian patch since it is not possible to download it directly from Sourceforge
+ url = "https://sources.debian.org/data/main/f/fig2dev/1:3.2.8-3/debian/patches/33_sanitize-color.patch";
+ sha256 = "1bppr3li03nj4qjibnddr2f38mpk55pcn5z6k98pf00gabq33fgs";
+ })
+ ];
+
 nativeBuildInputs = [ makeWrapper ];
 buildInputs = [ libpng ];

From 70ff5095e857d9d3b8c11df13a02cadcc8659973 Mon Sep 17 00:00:00 2001 
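Review bot: The commit message names only the two CVEs, yet this hunk also drops the tspush patch (apache/trafficserver#7696) without stating that 9.0.2 already contains that fix, which is presumably the reason for the removal. Add one sentence to the commit message saying the patch is included upstream in 9.0.2 so the removal is traceable, and confirm that the remaining 19d3af481 fetchpatch still applies cleanly to 9.0.2 rather than with fuzz. The patches list starts before this hunk.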
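Review bot: The comment above the Debian URL explains why Sourceforge is not used but not which upstream change the patch mirrors, so nobody can tell when a future fig2dev release makes it redundant. Extend it with the upstream reference, e.g. `# Upstream fix: <UPSTREAM-FIG2DEV-COMMIT-OR-BUG-ID>; drop once a release includes it`. Setting `name = "CVE-2021-3561.patch"` explicitly is good here, since the Debian filename `33_sanitize-color.patch` says nothing about the CVE. The stdenv.mkDerivation block starts before this hunk and ends after it.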
From: Maximilian Bosch
Date: Fri, 16 Jul 2021 11:07:46 +0200
Subject: [PATCH 3/6] gitea: 1.14.4 -> 1.14.5

ChangeLog: https://github.com/go-gitea/gitea/releases/tag/v1.14.5

(cherry picked from commit a8e46cd7dc1d7fdd3a09e4d07aa634f9f2f65bff)
---
 pkgs/applications/version-management/gitea/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
index 258e81acedf..bd61d984c62 100644
--- a/pkgs/applications/version-management/gitea/default.nix
+++ b/pkgs/applications/version-management/gitea/default.nix
@@ -16,12 +16,12 @@ with lib; buildGoPackage rec {
 pname = "gitea";
- version = "1.14.4";
+ version = "1.14.5";
 # not fetching directly from the git repo, because that lacks several vendor files for the web UI
 src = fetchurl {
 url = "https://github.com/go-gitea/gitea/releases/download/v${version}/gitea-src-${version}.tar.gz";
- sha256 = "sha256-sl/Vml8QmwZEAd2PIYWQcP7s6NYeomGJQGKhRiddtoo=";
+ sha256 = "sha256-8nwLVpe/5IjXJqO179lN80B/3WGUL3LKM8OWdh/bYOE=";
 };
 unpackPhase = ''

From 61ed04ae69cef94e2932666d7388060b3d879dfc Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Wed, 2 Jun 2021 16:54:27 +0200
Subject: [PATCH 4/6] python2Packages.convertdate: fix hash

This derivation was introduced in commit e1d60a05af55daadaeaf85d14869459b9b8c9635 with version 2.2.2 but the sha256 hash in that commit actually corresponded to version 2.2.1, as you can see below:

$ nix-prefetch-github --rev "v2.2.1" fitnr convertdate | jq '.sha256'
"1xgi7x9b9kxm0q51bqnmwdm5lp8vwhx5yk4d1b23r37spz9dbhw5"

(cherry picked from commit 3e84c7ea0d3872e660ba0f3a8c2a0971e7df5dd6)
---
 pkgs/development/python-modules/convertdate/2.2.x.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/python-modules/convertdate/2.2.x.nix b/pkgs/development/python-modules/convertdate/2.2.x.nix
index d67f4c5a344..1145a61ca4f 100644 
--- a/pkgs/development/python-modules/convertdate/2.2.x.nix
+++ b/pkgs/development/python-modules/convertdate/2.2.x.nix
@@ -15,7 +15,7 @@ buildPythonPackage rec {
 owner = "fitnr";
 repo = pname;
 rev = "v${version}";
- sha256 = "1xgi7x9b9kxm0q51bqnmwdm5lp8vwhx5yk4d1b23r37spz9dbhw5";
+ sha256 = "07x1j6jgkmrzdpv2lhpp4n16621mpmlylvwdwsggdjivhzvc3x9q";
 };
 propagatedBuildInputs = [

From b840bd41db6b2ca3990144c928476866b556a057 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sat, 17 Jul 2021 10:33:10 +0200
Subject: [PATCH 5/6] openresty: 1.19.3.1 -> 1.19.3.2

Fixes CVE-2021-23017.

https://openresty.org/en/ann-1019003002.html

(cherry picked from commit 2dbdca1aa4ce10d3de8e40dcdeed6df6bde4175c)
---
 pkgs/servers/http/openresty/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/http/openresty/default.nix b/pkgs/servers/http/openresty/default.nix
index 96451764990..71490b34280 100644
--- a/pkgs/servers/http/openresty/default.nix
+++ b/pkgs/servers/http/openresty/default.nix
@@ -9,11 +9,11 @@ callPackage ../nginx/generic.nix args rec {
 pname = "openresty";
 nginxVersion = "1.19.3";
- version = "${nginxVersion}.1";
+ version = "${nginxVersion}.2";
 src = fetchurl {
 url = "https://openresty.org/download/openresty-${version}.tar.gz";
- sha256 = "0p9xn0xgbk6nmjfb25a3d6bwxm8q23igkixqma5fpygla6fcsvzk";
+ sha256 = "1fav3qykckqcyw9ksi8s61prpwab44zbcvj95rwfpfqgk5jffh6f";
 };
 # generic.nix applies fixPatch on top of every patch defined there. This
@@ -44,7 +44,7 @@ callPackage ../nginx/generic.nix args rec {
 meta = {
 description = "A fast web application server built on Nginx";
- homepage = "http://openresty.org";
+ homepage = "https://openresty.org";
 license = lib.licenses.bsd2;
 platforms = lib.platforms.all;
 maintainers = with lib.maintainers; [ thoughtpolice lblasc emily ];

From 01e9acfe66c488146a069e2835fbb431815be1e3 Mon Sep 17 00:00:00 2001 
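Review bot: The commit message proves that the old hash belonged to v2.2.1 but shows no matching prefetch for v2.2.2, so the new `sha256 = "07x1j6jgkmrzdpv2lhpp4n16621mpmlylvwdwsggdjivhzvc3x9q";` is taken on trust, and this fixed-output hash is the only integrity check on the fetched source. A maintainer should re-run `nix-prefetch-github --rev "v2.2.2" fitnr convertdate | jq '.sha256'` and confirm it prints that value before merging, and ideally paste that output into the message the same way the v2.2.1 run is shown. The fetchFromGitHub block starts before this hunk.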
From: Thomas Gerbet
Date: Sat, 17 Jul 2021 10:42:04 +0200
Subject: [PATCH 6/6] putty: 0.74 -> 0.75

Fixes CVE-2021-36367.

(cherry picked from commit 2931283a42b800a10088738261ea422a69499c8e)
---
 pkgs/applications/networking/remote/putty/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/networking/remote/putty/default.nix b/pkgs/applications/networking/remote/putty/default.nix
index e7544258acf..aab30c24e20 100644
--- a/pkgs/applications/networking/remote/putty/default.nix
+++ b/pkgs/applications/networking/remote/putty/default.nix
@@ -3,7 +3,7 @@
 }:
 stdenv.mkDerivation rec {
- version = "0.74";
+ version = "0.75";
 pname = "putty";
 src = fetchurl {
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 "https://the.earth.li/~sgtatham/putty/${version}/${pname}-${version}.tar.gz"
 "ftp://ftp.wayne.edu/putty/putty-website-mirror/${version}/${pname}-${version}.tar.gz"
 ];
- sha256 = "0zc43g8ycyf712cdrja4k8ih5s3agw1k0nq0jkifdn8xwn4d7mfx";
+ sha256 = "1xgrr1fbirw79zafspg2b6crzfmlfw910y79md4r7gnxgq1kn5yk";
 };
 # glib-2.62 deprecations