From b35b0a5f041cc00e2d38980166e1325585b90e0f Mon Sep 17 00:00:00 2001
From: oxalica
Date: Sun, 30 May 2021 22:59:40 +0800
Subject: [PATCH 01/17] kbd: patch paths to decompressors

(cherry picked from commit 449132738dc3128f664772f571ae2f39a17b39ab)
---
 pkgs/os-specific/linux/kbd/default.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index 467de4b029a..f362745e8d1 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -8,6 +8,10 @@
 , check
 , pam
 , coreutils
+, gzip
+, bzip2
+, xz
+, zstd
 }:
 
 stdenv.mkDerivation rec {
@@ -38,6 +42,13 @@ stdenv.mkDerivation rec {
 mv fgGIod/trf{,-fgGIod}.map
 mv colemak/{en-latin9,colemak}.map
 popd
+
+ # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+ substituteInPlace src/libkbdfile/kbdfile.c \
+ --replace 'gzip ' '${gzip}/bin/gzip ' \
+ --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+ --replace 'xz ' '${xz.bin}/bin/xz ' \
+ --replace 'zstd ' '${zstd.bin}/bin/zstd '
 '';
 
 postInstall = ''
From a9f685005e0aa72b1587dc24a0726087036a2a36 Mon Sep 17 00:00:00 2001
From: oxalica
Date: Mon, 31 May 2021 02:37:14 +0800
Subject: [PATCH 02/17] nixos/tests/kbd-setfont-decompress: init

(cherry picked from commit 7fb927c9e54170c43e2579d1f0f20efd719ca7e8)
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/kbd-setfont-decompress.nix | 21 +++++++++++++++++++++
 pkgs/os-specific/linux/kbd/default.nix | 4 +++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 nixos/tests/kbd-setfont-decompress.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e3f92ce451c..1b8bf7a7b70 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
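Review bot: The new substituteInPlace call has no check that any of its four `--replace` patterns actually matched, so if a later kbd release changes how kbdfile.c spells the decompressor commands the substitution silently becomes a no-op and setfont goes back to resolving `gzip`/`bzip2`/`xz`/`zstd` through PATH, which is precisely what this hunk sets out to remove. A build-time assertion right after the call would fail loudly instead, e.g. `grep -q '${gzip}/bin/gzip ' src/libkbdfile/kbdfile.c`. The trailing-space matching noted in the comment is sound for the `".xz"` case, but it is worth adding to that comment that the test which exercises these paths lives in nixos/tests, since nothing in this file verifies the result. The shell-string attribute these lines belong to opens before the hunk.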
@@ -200,6 +200,7 @@ in
 jitsi-meet = handleTest ./jitsi-meet.nix {};
 k3s = handleTest ./k3s.nix {};
 kafka = handleTest ./kafka.nix {};
+ kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {};
 keepalived = handleTest ./keepalived.nix {};
 keepassxc = handleTest ./keepassxc.nix {};
 kerberos = handleTest ./kerberos/default.nix {};
diff --git a/nixos/tests/kbd-setfont-decompress.nix b/nixos/tests/kbd-setfont-decompress.nix
new file mode 100644
index 00000000000..c3a495afac8
--- /dev/null
+++ b/nixos/tests/kbd-setfont-decompress.nix
@@ -0,0 +1,21 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+{
+ name = "kbd-setfont-decompress";
+
+ meta.maintainers = with lib.maintainers; [ oxalica ];
+
+ machine = { ... }: {};
+
+ testScript = ''
+ machine.succeed("gzip -cd ${pkgs.terminus_font}/share/consolefonts/ter-v16b.psf.gz >font.psf")
+ machine.succeed("gzip font.psf.gz")
+ machine.succeed("bzip2 font.psf.bz2")
+ machine.succeed("xz font.psf.xz")
+ machine.succeed("zstd font.psf.zst")
+ # setfont returns 0 even on error.
+ assert machine.succeed("PATH= ${pkgs.kbd}/bin/setfont font.psf.gz 2>&1") == ""
+ assert machine.succeed("PATH= ${pkgs.kbd}/bin/setfont font.psf.bz2 2>&1") == ""
+ assert machine.succeed("PATH= ${pkgs.kbd}/bin/setfont font.psf.xz 2>&1") == ""
+ assert machine.succeed("PATH= ${pkgs.kbd}/bin/setfont font.psf.zst 2>&1") == ""
+ '';
+})
diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index f362745e8d1..c7a59e59cab 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -61,7 +61,9 @@ stdenv.mkDerivation rec {
 buildInputs = [ check pam ];
 nativeBuildInputs = [ autoreconfHook pkg-config flex ];
 
- passthru.tests = nixosTests.keymap;
+ passthru.tests = {
+ inherit (nixosTests) keymap kbd-setfont-decompress;
+ };
 
 meta = with lib; {
 homepage = "https://kbd-project.org/";
From 7f0f0b2807a73b5e65baf0c8d4bd0937984ac230 Mon Sep 17 00:00:00 2001
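Review bot: As printed, the four compression steps `machine.succeed("gzip font.psf.gz")`, `bzip2 font.psf.bz2`, `xz font.psf.xz` and `zstd font.psf.zst` operate on files that do not exist yet — only `font.psf` has been written by the preceding line — so they would fail before any setfont assertion runs. This looks like the shell redirections (`<font.psf >font.psf.gz` and so on) were stripped when the patch was rendered, since `>font.psf` survived on the line above; it should be confirmed against the original commit, and if the lines really are as shown each must read from font.psf and write the compressed name. The `PATH=` prefix on the setfont calls is what gives the test its value: with an empty PATH the decompressors can only be found through the absolute store paths patched into kbdfile.c, so a regression to PATH lookup surfaces as non-empty output even though, as the comment says, setfont exits 0 on error.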
From: Konstantin Alekseev
Date: Mon, 24 May 2021 12:46:46 +0300
Subject: [PATCH 03/17] sqlite: 3.35.2 -> 3.35.5

(cherry picked from commit 3c1bcd240bb437680b69775d5c324449a02dd135)
---
 pkgs/development/libraries/sqlite/default.nix | 9 +++++++--
 pkgs/development/libraries/sqlite/tools.nix | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 50b52b905a9..e2331d89751 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -12,12 +12,12 @@ in
 
 stdenv.mkDerivation rec {
 pname = "sqlite";
- version = "3.35.2";
+ version = "3.35.5";
 
 # NB! Make sure to update ./tools.nix src (in the same directory).
 src = fetchurl {
 url = "https://sqlite.org/2021/sqlite-autoconf-${archiveVersion version}.tar.gz";
- sha256 = "1bfczv5006ycwr1vw7xbq7cmys0jvfr8awmx7wi1b40zyj0yss8j";
+ sha256 = "9StypcMZw+UW7XqS4SMTmm6Hrwii3EPXdXck9hMubbA=";
 };
 
 outputs = [ "bin" "dev" "out" ];
@@ -25,6 +25,11 @@ stdenv.mkDerivation rec {
 buildInputs = [ zlib ]
 ++ optionals interactive [ readline ncurses ];
 
+ # required for aarch64 but applied for all arches for simplicity
+ preConfigure = ''
+ patchShebangs configure
+ '';
+
 configureFlags = [ "--enable-threadsafe" ] ++ optional interactive "--enable-readline";
 
 NIX_CFLAGS_COMPILE = toString [
diff --git a/pkgs/development/libraries/sqlite/tools.nix b/pkgs/development/libraries/sqlite/tools.nix
index 45bcda727ed..298e87516fe 100644
--- a/pkgs/development/libraries/sqlite/tools.nix
+++ b/pkgs/development/libraries/sqlite/tools.nix
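Review bot: The new `sha256 = "9StypcMZw+UW7XqS4SMTmm6Hrwii3EPXdXck9hMubbA=";` for `sqlite-autoconf-${archiveVersion version}.tar.gz` is byte-for-byte the value the tools.nix hunk of this same commit sets for `sqlite-src-${archiveVersion version}.zip`; two different archives cannot share a SHA-256, so at least one of the two fetchurl hashes is wrong and that fixed-output derivation will fail with a hash mismatch the first time it is built. Both archives should be re-fetched and each hash recorded on its own — the `# NB! Make sure to update ./tools.nix src` comment in this hunk asks for the tools hash to be updated, not copied. The `assert version == sqlite.version` in tools.nix only ties the version strings together and does nothing for the hash.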
@@ -4,11 +4,11 @@ let
 archiveVersion = import ./archive-version.nix lib;
 mkTool = { pname, makeTarget, description, homepage }: stdenv.mkDerivation rec {
 inherit pname;
- version = "3.35.2";
+ version = "3.35.5";
 
 src = assert version == sqlite.version; fetchurl {
 url = "https://sqlite.org/2021/sqlite-src-${archiveVersion version}.zip";
- sha256 = "00w7qggrdxpcrs4rfpqkjhcghi8pcx6zzjim9wlz6vsrxlr9dwva";
+ sha256 = "9StypcMZw+UW7XqS4SMTmm6Hrwii3EPXdXck9hMubbA=";
 };
 
 nativeBuildInputs = [ unzip ];
From 1e0edddaff2c76f7fb5919f638f50adbed0523d9 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 30 May 2021 18:12:53 +0100
Subject: [PATCH 04/17] curl: add patches for CVE-2021-22897, CVE-2021-22898 & CVE-2021-22901

(cherry picked from commit 742c60f6f839e23822d29b668071baa653253656)
---
 .../networking/curl/CVE-2021-22897.patch | 64 +++
 .../networking/curl/CVE-2021-22898.patch | 25 +
 .../networking/curl/CVE-2021-22901.patch | 437 ++++++++++++++++++
 pkgs/tools/networking/curl/default.nix | 6 +
 4 files changed, 532 insertions(+)
 create mode 100644 pkgs/tools/networking/curl/CVE-2021-22897.patch
 create mode 100644 pkgs/tools/networking/curl/CVE-2021-22898.patch
 create mode 100644 pkgs/tools/networking/curl/CVE-2021-22901.patch

diff --git a/pkgs/tools/networking/curl/CVE-2021-22897.patch b/pkgs/tools/networking/curl/CVE-2021-22897.patch
new file mode 100644
index 00000000000..a4888879503
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2021-22897.patch
@@ -0,0 +1,64 @@
+From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 23 Apr 2021 10:54:10 +0200
+Subject: [PATCH] schannel: don't use static to store selected ciphers
+
+CVE-2021-22897
+
+Bug: https://curl.se/docs/CVE-2021-22897.html
+---
+ lib/vtls/schannel.c | 9 +++++----
+ lib/vtls/schannel.h | 3 +++
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 8c25ac5dd5a5..dba7072273a9 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -328,12 +328,12 @@ get_alg_id_by_name(char *name)
+ }
+
+ static CURLcode
+-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
++ int *algIds)
+ {
+ char *startCur = ciphers;
+ int algCount = 0;
+- static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/
+- while(startCur && (0 != *startCur) && (algCount < 45)) {
++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) {
+ long alg = strtol(startCur, 0, 0);
+ if(!alg)
+ alg = get_alg_id_by_name(startCur);
+@@ -593,7 +593,8 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ }
+
+ if(SSL_CONN_CONFIG(cipher_list)) {
+- result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list));
++ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list),
++ BACKEND->algIds);
+ if(CURLE_OK != result) {
+ failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
+ return result;
+diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
+index 2952caa1a5a1..77853aa30f96 100644
+--- a/lib/vtls/schannel.h
++++ b/lib/vtls/schannel.h
+@@ -71,6 +71,8 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data,
+ #endif
+ #endif
+
++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */
++
+ struct Curl_schannel_cred {
+ CredHandle cred_handle;
+ TimeStamp time_stamp;
+@@ -102,6 +104,7 @@ struct ssl_backend_data {
+ #ifdef HAS_MANUAL_VERIFY_API
+ bool use_manual_cred_validation; /* true if manual cred validation is used */
+ #endif
++ ALG_ID algIds[NUMOF_CIPHERS];
+ };
+ #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
+
diff --git a/pkgs/tools/networking/curl/CVE-2021-22898.patch b/pkgs/tools/networking/curl/CVE-2021-22898.patch
new file mode 100644
index 00000000000..ea4d2cb37e8
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2021-22898.patch
@@ -0,0 +1,25 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
diff --git a/pkgs/tools/networking/curl/CVE-2021-22901.patch b/pkgs/tools/networking/curl/CVE-2021-22901.patch
new file mode 100644
index 00000000000..6bd70aa41b1
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2021-22901.patch
@@ -0,0 +1,437 @@ +Based on upstream 7f4a9a9b2a49547eae24d2e19bc5c346e9026479, modified by ris to +apply without 0c55fbab45bedb761766109d41c3da49c4bc66c6 + +diff --git a/lib/multi.c b/lib/multi.c +index 54365f399e9b..1b3e261c682a 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -878,8 +878,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) + void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; +- if(conn) ++ if(conn) { + Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); ++ Curl_ssl_detach_conn(data, conn); ++ } + data->conn = NULL; + } + +@@ -896,6 +898,7 @@ void Curl_attach_connnection(struct Curl_easy *data, + data->conn = conn; + Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, + &data->conn_queue); ++ Curl_ssl_associate_conn(data, conn); + } + + static int waitconnect_getsock(struct connectdata *conn, +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index c648f624579b..ca953769d1ba 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1304,7 +1304,9 @@ const struct Curl_ssl Curl_ssl_gskit = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GSKIT */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index a10c0dbcca05..ecde5c44deeb 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1656,7 +1656,9 @@ const struct Curl_ssl Curl_ssl_gnutls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- gtls_sha256sum /* sha256sum */ ++ gtls_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GNUTLS */ +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 
ca77de58667c..3a0be0f04b4f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -1093,7 +1093,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- mbedtls_sha256sum /* sha256sum */ ++ mbedtls_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_MBEDTLS */ +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index f16c77c27fe0..bf8600d3230b 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -666,7 +666,9 @@ const struct Curl_ssl Curl_ssl_mesalink = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 2aa4bdaa134f..1582b1e580a9 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2465,7 +2465,9 @@ const struct Curl_ssl Curl_ssl_nss = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + nss_false_start, /* false_start */ +- nss_sha256sum /* sha256sum */ ++ nss_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_NSS */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1521600dd5f6..ebd7abc3b4ac 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -240,6 +240,10 @@ struct ssl_backend_data { + #endif + }; + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ + /* + * Number of bytes to read from the random number seed file. 
This must be + * a finite value (because some entropy "files" like /dev/urandom have +@@ -2581,6 +2585,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + ctx_option_t ctx_options = 0; ++ void *ssl_sessionid = NULL; + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + bool sni; +@@ -3225,46 +3230,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + } + #endif + +- /* Check if there's a cached ID we can/should use here! */ +- if(SSL_SET_OPTION(primary.sessionid)) { +- void *ssl_sessionid = NULL; +- int data_idx = ossl_get_ssl_data_index(); +- int connectdata_idx = ossl_get_ssl_conn_index(); +- int sockindex_idx = ossl_get_ssl_sockindex_index(); +- int proxy_idx = ossl_get_proxy_index(); +- +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && +- proxy_idx >= 0) { +- /* Store the data needed for the "new session" callback. +- * The sockindex is stored as a pointer to an array element. */ +- SSL_set_ex_data(backend->handle, data_idx, data); +- SSL_set_ex_data(backend->handle, connectdata_idx, conn); +- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +-#ifndef CURL_DISABLE_PROXY +- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: +- NULL); +-#else +- SSL_set_ex_data(backend->handle, proxy_idx, NULL); +-#endif +- +- } ++ ossl_associate_connection(data, conn, sockindex); + +- Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, +- &ssl_sessionid, NULL, sockindex)) { +- /* we got a session id, use it! 
*/ +- if(!SSL_set_session(backend->handle, ssl_sessionid)) { +- Curl_ssl_sessionid_unlock(data); +- failf(data, "SSL: SSL_set_session failed: %s", +- ossl_strerror(ERR_get_error(), error_buffer, +- sizeof(error_buffer))); +- return CURLE_SSL_CONNECT_ERROR; +- } +- /* Informational message */ +- infof(data, "SSL re-using session ID\n"); ++ Curl_ssl_sessionid_lock(data); ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { ++ /* we got a session id, use it! */ ++ if(!SSL_set_session(backend->handle, ssl_sessionid)) { ++ Curl_ssl_sessionid_unlock(data); ++ failf(data, "SSL: SSL_set_session failed: %s", ++ ossl_strerror(ERR_get_error(), error_buffer, ++ sizeof(error_buffer))); ++ return CURLE_SSL_CONNECT_ERROR; + } +- Curl_ssl_sessionid_unlock(data); ++ /* Informational message */ ++ infof(data, "SSL re-using session ID\n"); + } ++ Curl_ssl_sessionid_unlock(data); + + #ifndef CURL_DISABLE_PROXY + if(conn->proxy_ssl[sockindex].use) { +@@ -4498,6 +4480,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, + (void *)backend->ctx : (void *)backend->handle; + } + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex) ++{ ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Store the data needed for the "new session" callback. ++ * The sockindex is stored as a pointer to an array element. 
*/ ++ SSL_set_ex_data(backend->handle, data_idx, data); ++ SSL_set_ex_data(backend->handle, connectdata_idx, conn); ++ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ } ++ } ++} ++ ++/* ++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after ++ * the handshake. If the transfer that sets up the callback gets killed before ++ * this callback arrives, we must make sure to properly clear the data to ++ * avoid UAF problems. A future optimization could be to instead store another ++ * transfer that might still be using the same connection. ++ */ ++ ++static void ossl_disassociate_connection(struct Curl_easy *data, ++ int sockindex) ++{ ++ struct connectdata *conn = data->conn; ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ bool isproxy = FALSE; ++ bool incache; ++ void *old_ssl_sessionid = NULL; ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Invalidate the session cache entry, if any */ ++ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; ++ ++ /* Disable references to data in "new session" callback to avoid ++ * accessing a stale pointer. 
*/ ++ SSL_set_ex_data(backend->handle, data_idx, NULL); ++ SSL_set_ex_data(backend->handle, connectdata_idx, NULL); ++ SSL_set_ex_data(backend->handle, sockindex_idx, NULL); ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++ } ++ ++ Curl_ssl_sessionid_lock(data); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); ++ if(incache) ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); ++ Curl_ssl_sessionid_unlock(data); ++ } ++} ++ + const struct Curl_ssl Curl_ssl_openssl = { + { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ + +@@ -4533,10 +4599,12 @@ const struct Curl_ssl Curl_ssl_openssl = { + ossl_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +- ossl_sha256sum /* sha256sum */ ++ ossl_sha256sum, /* sha256sum */ + #else +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ + #endif ++ ossl_associate_connection, /* associate_connection */ ++ ossl_disassociate_connection /* disassociate_connection */ + }; + + #endif /* USE_OPENSSL */ +diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c +index 9dfbd2c3c4c2..161f3bf51d75 100644 +--- a/lib/vtls/rustls.c ++++ b/lib/vtls/rustls.c +@@ -604,7 +604,9 @@ const struct Curl_ssl Curl_ssl_rustls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_RUSTLS */ +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index dba7072273a9..2bcf11db2576 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -329,7 +329,7 @@ get_alg_id_by_name(char *name) + + static CURLcode + set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, +- int *algIds) ++ ALG_ID *algIds) + { + char *startCur = ciphers; + int algCount = 0; +@@ -2433,7 +2433,9 
@@ const struct Curl_ssl Curl_ssl_schannel = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- schannel_sha256sum /* sha256sum */ ++ schannel_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_SCHANNEL */ +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 4276b89cfb3a..8b1e84ed7715 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -3453,6 +3453,8 @@ const struct Curl_ssl Curl_ssl_sectransp = { + Curl_none_engines_list, /* engines_list */ + sectransp_false_start, /* false_start */ + sectransp_sha256sum /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #ifdef __clang__ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index d63fd5c76386..65f4f773dd63 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -586,6 +586,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + return CURLE_OK; + } + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->associate_connection) { ++ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); ++ } ++} ++ ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->disassociate_connection) { ++ Curl_ssl->disassociate_connection(data, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); ++ } ++} + + void Curl_ssl_close_all(struct Curl_easy *data) + { +@@ -1214,7 +1233,9 @@ static const struct Curl_ssl Curl_ssl_multi = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* 
sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + const struct Curl_ssl *Curl_ssl = +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index a22d526ca810..7f93e7aedb21 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -84,6 +84,11 @@ struct Curl_ssl { + bool (*false_start)(void); + CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, + unsigned char *sha256sum, size_t sha256sumlen); ++ ++ void (*associate_connection)(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ void (*disassociate_connection)(struct Curl_easy *data, int sockindex); + }; + + #ifdef USE_SSL +@@ -283,6 +288,11 @@ bool Curl_ssl_cert_status_request(void); + + bool Curl_ssl_false_start(void); + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++ + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ + + #else /* if not USE_SSL */ +@@ -309,6 +319,8 @@ bool Curl_ssl_false_start(void); + #define Curl_ssl_cert_status_request() FALSE + #define Curl_ssl_false_start() FALSE + #define Curl_ssl_tls13_ciphersuites() FALSE ++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt ++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt + #endif + + #endif /* HEADER_CURL_VTLS_H */ +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index 02fcd236697e..60e27e366252 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -1125,7 +1125,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- wolfssl_sha256sum /* sha256sum */ ++ wolfssl_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif 
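Review bot: In the lib/vtls/sectransp.c part of this patch the existing initializer line `sectransp_sha256sum /* sha256sum */` is kept as unchanged context with no trailing comma, while `NULL, /* associate_connection */` and `NULL /* disassociate_connection */` are appended after it, so the `Curl_ssl_sectransp` aggregate no longer parses and curl cannot compile with the SecureTransport backend once this patch is applied. Every other backend touched here (gskit, gtls, mbedtls, nss, openssl, rustls, schannel, wolfssl and the `Curl_ssl_multi` table in vtls.c) turns its sha256sum line into a `-`/`+` pair that adds the comma; sectransp needs the same treatment: `-  sectransp_sha256sum /* sha256sum */` replaced by `+  sectransp_sha256sum, /* sha256sum */`. The header of the file says it was hand-adjusted to apply without an earlier upstream commit, so the omission may come from that rebase; whether any nixpkgs build of curl selects SecureTransport is not visible in this series, so a Linux/OpenSSL CI run would not catch the breakage.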
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 05b91bfba05..984a6ecaaef 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -52,6 +52,12 @@ stdenv.mkDerivation rec {
 sha256 = "1scmfrp0c27pkd7yva9k50miprjpsyfbb33apx72qc9igm6ii3ks";
 };
 
+ patches = [
+ ./CVE-2021-22897.patch
+ ./CVE-2021-22898.patch
+ ./CVE-2021-22901.patch
+ ];
+
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 
 separateDebugInfo = stdenv.isLinux;
From ffcb3c66fafa1cbbf04ea56a310a5a53ee559bd0 Mon Sep 17 00:00:00 2001
From: ajs124
Date: Tue, 1 Jun 2021 23:11:58 +0200
Subject: [PATCH 05/17] cacert: 3.63 -> 3.66

mozilla says this is CA version 2.50, up from 2.48 in nss 3.63

(cherry picked from commit e579e93b6517c29af8b84641d2ec16a064d34c8b)
---
 pkgs/data/misc/cacert/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 17bb30a54b8..b4a8ebc4ef2 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -10,7 +10,7 @@ with lib;
 
 let
- version = "3.63";
+ version = "3.66";
 underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
 in
 
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
 src = fetchurl {
 url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz";
- sha256 = "0892xbjcaw6g4rd2rs4qa37nbda248cjrgxa4faaw0licbpjyb8q";
+ sha256 = "1jfdnh5l4k57r2vb07s06hqi7m2qzk0d9x25lsdsrw3cflx9x9w9";
 };
 
 certdata2pem = fetchurl {
From e2960f429bb5e8b14f34bf0cb057e7294bc59f2f Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Sun, 30 May 2021 16:54:09 +0200
Subject: [PATCH 06/17] cacerts: Make updater script aware of the nss_latest attribute

Usually, on the stable channel, we have a nss_latest attribute that is more up to date than the nss attribute (which is usually frozen during branch-off and only receives security updates). Cacerts are a sensitive matter and should be updated more frequently than the stable NSS package, if required. By making the update script aware of the nss_latest attribute we can prefer that when it exists. By having this change in the unstable branch of Nixpgks we can carry it from release to release without requiring more churn from those doing the stable release maintenance.

(cherry picked from commit 4e318bcca19e7972d1fa8b15c4eadf85e3d5a6a1)
---
 pkgs/data/misc/cacert/update.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
index 7bf3d46cb02..1c286dc6206 100755
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@@ -12,6 +12,14 @@
 #
 # As of this writing there are a few magnitudes more packages depending on
 # cacert than on nss.
+#
+# If the current nixpkgs revision contains the attribute `nss_latest` that will
+# be used instead of `nss`. This is done to help the stable branch maintenance
+# where (usually) after branch-off during the first Firefox upgrade that
+# requries a new NSS version that attribute is introduced.
+# By having this change in the unstable branch we can safely carry it from
+# release to release without requiring more backport churn on those doing the
+# stable maintenance.
 
 set -ex
@@ -20,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
From 781ccf32d0105bca2244849f4a00823cbc511be1 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 2 Jun 2021 15:23:05 +0200
Subject: [PATCH 07/17] python3Packages.django: 2.2.22 -> 2.2.24

https://docs.djangoproject.com/en/dev/releases/2.2.24/
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

Fixes: CVE-2021-33203, CVE-2021-33571

(cherry picked from commit 6c7db95feac1200c98614b5a5cd1a84d40252e70)
---
 pkgs/development/python-modules/django/2.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/django/2.nix b/pkgs/development/python-modules/django/2.nix
index e0d3cd12f8f..67946ab0d72 100644
--- a/pkgs/development/python-modules/django/2.nix
+++ b/pkgs/development/python-modules/django/2.nix
@@ -6,13 +6,13 @@ buildPythonPackage rec {
 pname = "Django";
- version = "2.2.22";
+ version = "2.2.24";
 
 disabled = !isPy3k;
 
 src = fetchPypi {
 inherit pname version;
- sha256 = "db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060";
+ sha256 = "1dvx3x85lggm91x7mpvaf9nmpxyz7r97pbpnmr2k1qfy0c7gyf9k";
 };
 
 patches = lib.optional withGdal
From db7ab2c8d20319e0c915c80600a1c26734895176 Mon Sep 17 00:00:00 2001
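Review bot: The new `pkgs.nss_latest or pkgs.nss` fallback picks the NSS source silently: even with `set -ex` from the previous hunk, the echoed command shows only the Nix expression, so the log never records whether the regenerated CA bundle came from `nss_latest` or from the frozen `nss`, which is exactly the provenance question someone auditing a stable release's certdata will ask. Printing the chosen version next to PATCHED_PATH would make the decision visible, e.g. `nix-instantiate --eval -E "with import $BASEDIR {}; (pkgs.nss_latest or pkgs.nss).version"`. The comment block added in the preceding hunk also misspells `requries`.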
From: Martin Weinelt
Date: Wed, 2 Jun 2021 15:24:18 +0200
Subject: [PATCH 08/17] python3Packages.django_3: 3.2.2 -> 3.2.4

https://docs.djangoproject.com/en/dev/releases/3.2.4/
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

Fixes: CVE-2021-33203, CVE-2021-33571

(cherry picked from commit 794c6633b6396a0a3c2a5d54c52e629403f0672e)
---
 pkgs/development/python-modules/django/3.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/django/3.nix b/pkgs/development/python-modules/django/3.nix
index 321582946b3..ae6187e207e 100644
--- a/pkgs/development/python-modules/django/3.nix
+++ b/pkgs/development/python-modules/django/3.nix
@@ -13,13 +13,13 @@ buildPythonPackage rec {
 pname = "Django";
- version = "3.2.2";
+ version = "3.2.4";
 
 disabled = pythonOlder "3.7";
 
 src = fetchPypi {
 inherit pname version;
- sha256 = "0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d";
+ sha256 = "15pjwyvrx4n8gi8n51b14wp54bg4jqapr25p52597zn6ikdxijb6";
 };
 
 patches = lib.optional withGdal
From 99995bc9308507bb5443cc703b067083199f216b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 5 Jun 2021 07:34:46 +0200
Subject: [PATCH 09/17] zstd.patches: clean up

This was discussed on PR #125185.
---
 pkgs/tools/compression/zstd/default.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pkgs/tools/compression/zstd/default.nix b/pkgs/tools/compression/zstd/default.nix
index 2740ebde5bd..9c42e4f6d27 100644
--- a/pkgs/tools/compression/zstd/default.nix
+++ b/pkgs/tools/compression/zstd/default.nix
@@ -24,12 +24,13 @@ stdenv.mkDerivation rec {
 # This patches makes sure we do not attempt to use the MD5 implementation
 # of the host platform when running the tests
 ./playtests-darwin.patch
- ] ++ lib.optional stdenv.is32bit
- (fetchpatch { # https://github.com/facebook/zstd/pull/2606
+ # https://github.com/facebook/zstd/pull/2606
+ (fetchpatch {
 name = "test-memory-usage.diff";
- url = "https://github.com/facebook/zstd/commit/6f40571a.diff";
+ url = "https://github.com/facebook/zstd/commit/6f40571ae2feb8bfa0a56f9871b6ee3084085fc2.diff";
 sha256 = "1484k5b99wplv9vjvvxjn88l13hlay6bynhq3zh1nd34whyi1kd0";
- });
+ })
+ ];
 postPatch = lib.optionalString (!static) ''
From 894d6ab2deb3427f49c86815b093b20fdeb10fbf Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 5 Jun 2021 04:50:31 +0200
Subject: [PATCH 10/17] postgresql_13: 13.2 -> 13.3

Fixes: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
(cherry picked from commit 3318a937ef800d2ba7818dc50be01bc4319dc0ad)
---
 pkgs/servers/sql/postgresql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 63446a684b2..426ff820408 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -233,9 +233,9 @@ in self: {
 };
 postgresql_13 = self.callPackage generic {
- version = "13.2";
+ version = "13.3";
 psqlSchema = "13";
- sha256 = "1z5d847jnajcfr3wa6jn52a8xjhamvwzmz18xlm5nvxqip8grmsz";
+ sha256 = "18dliq7h2l8irffhyyhdmfwx3si515q6gds3cxdjb9n7m17lbn9w";
 this = self.postgresql_13;
 thisAttr = "postgresql_13";
 inherit self;
From 942a01e232a6be883a4455ace52228ff3f53d2f8 Mon Sep 17 00:00:00 2001
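Review bot: The comment left above `(fetchpatch {` is now only a PR link, so a reader has to leave the file to learn what the patch does and why it moved from `lib.optional stdenv.is32bit` to being applied on every platform; the patch's `name` suggests it concerns test-suite memory usage. Suggest replacing that line with `# Reduce test-suite memory usage (https://github.com/facebook/zstd/pull/2606); applied on all platforms, see nixpkgs PR #125185`. Pinning the full 40-character commit hash in `url` is the right call: an abbreviated hash can become ambiguous over time, and a redirected target would then only surface as a sha256 mismatch. The `patches` list starts above this hunk and the derivation continues below it.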
From: Martin Weinelt
Date: Sat, 5 Jun 2021 04:54:33 +0200
Subject: [PATCH 11/17] postgresql_12: 12.6 -> 12.7

Fixes: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
(cherry picked from commit b786157de875702c9a40b0945597ba25e83d918c)
---
 pkgs/servers/sql/postgresql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 426ff820408..70d272cc554 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -224,9 +224,9 @@ in self: {
 };
 postgresql_12 = self.callPackage generic {
- version = "12.6";
+ version = "12.7";
 psqlSchema = "12";
- sha256 = "028asz92mi3706zabfs8w9z03mzyx62d1l71qy9zdwfabj6xjzfz";
+ sha256 = "15frsmsl1n2i4p76ji0wng4lvnlzw6f01br4cs5xr3n88wgp9444";
 this = self.postgresql_12;
 thisAttr = "postgresql_12";
 inherit self;
From 8d97696b861f88eb1932d81adcc92f5ebc488e2d Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 5 Jun 2021 04:54:53 +0200
Subject: [PATCH 12/17] postgresql_11: 11.11 -> 11.12

Fixes: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
(cherry picked from commit daedf20fa605c859a3c4b4c60d1ad0ba88261d4e)
---
 pkgs/servers/sql/postgresql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 70d272cc554..9f7646cdda3 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -215,9 +215,9 @@ in self: {
 };
 postgresql_11 = self.callPackage generic {
- version = "11.11";
+ version = "11.12";
 psqlSchema = "11.1"; # should be 11, but changing it is invasive
- sha256 = "0v0qk298nxmpzpgsxcsxma328hdkyzd7fwjs0zsn6zavl5zpnq20";
+ sha256 = "016bacpmqxc676ipzc1l8zv1jj44mjz7dv7jhqazg3ibdfqxiyc7";
 this = self.postgresql_11;
 thisAttr = "postgresql_11";
 inherit self;
From 731e67c87146fdf826bee1a2fc14d2853f8b9888 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 5 Jun 2021 04:55:13 +0200
Subject: [PATCH 13/17] postgresql_10: 10.16 -> 10.17

Fixes: CVE-2021-32027, CVE-2021-32028
(cherry picked from commit 376197bc5e9501febea4b6ab46b8073374d52c08)
---
 pkgs/servers/sql/postgresql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 9f7646cdda3..1f6d59a5b3e 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -205,9 +205,9 @@ in self: {
 };
 postgresql_10 = self.callPackage generic {
- version = "10.16";
+ version = "10.17";
 psqlSchema = "10.0"; # should be 10, but changing it is invasive
- sha256 = "1cvv8qw0gkkczqhiwx6ns7w88dwkvdz4cvb2d4ff14363f5p2p53";
+ sha256 = "0v5jahkqm6gkq67s4bac3h7297bscn2ab6y128idi73cc1qq1wjs";
 this = self.postgresql_10;
 thisAttr = "postgresql_10";
 inherit self;
From 4a7770bfd62539cd15570a765496c96210246007 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 5 Jun 2021 04:55:36 +0200
Subject: [PATCH 14/17] postgresql_9_6: 9.6.21 -> 9.6.22

Fixes: CVE-2021-32027, CVE-2021-32028
(cherry picked from commit 062e1e595fe8bde889c73c2954fb2c5617dcf42c)
---
 pkgs/servers/sql/postgresql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 1f6d59a5b3e..6ab4ecbec4b 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -196,9 +196,9 @@ let
 in self: {
 postgresql_9_6 = self.callPackage generic {
- version = "9.6.21";
+ version = "9.6.22";
 psqlSchema = "9.6";
- sha256 = "0d0ngpadf1i7c0i2psaxcbmiwx8334ibcsn283n9fp4853pyl3wk";
+ sha256 = "0c19kzrj5ib5ygmavf5d6qvxdwrxzzz6jz1r2dl5b815208cscix";
 this = self.postgresql_9_6;
 thisAttr = "postgresql_9_6";
 inherit self;
From 4af78d9ddb1e229694a5b80da8248c96dfbe549f Mon Sep 17 00:00:00 2001
From: Fabian Affolter
Date: Fri, 4 Jun 2021 10:54:31 +0200
Subject: [PATCH 15/17] python3Packages.certifi: 2020.12.5 -> 2021.05.30

(cherry picked from commit 32e061be5275054fa6cc227d0ebaf76fd0288e02)
---
 pkgs/development/python-modules/certifi/default.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/development/python-modules/certifi/default.nix b/pkgs/development/python-modules/certifi/default.nix
index eac32816cac..7ca69acb88d 100644
--- a/pkgs/development/python-modules/certifi/default.nix
+++ b/pkgs/development/python-modules/certifi/default.nix
@@ -5,21 +5,21 @@
 buildPythonPackage rec {
 pname = "certifi";
- version = "2020.12.5";
+ version = "2021.5.30";
 src = fetchPypi {
 inherit pname version;
- sha256 = "177mdbw0livdjvp17sz6wsfrc32838m9y59v871gpgv2888raj8s";
+ sha256 = "sha256-K792/UMpYBOLPvbdo93gVE8ny/hUbEWOYLrzcZF7qe4=";
 };
 pythonImportsCheck = [ "certifi" ];
 dontUseSetuptoolsCheck = true;
- meta = {
+ meta = with lib; {
 homepage = "https://certifi.io/";
 description = "Python package for providing Mozilla's CA Bundle";
- license = lib.licenses.isc;
- maintainers = with lib.maintainers; [ koral ];
+ license = licenses.isc;
+ maintainers = with maintainers; [ koral ];
 };
 }
From d607e3143ff1314468c2f4afc9f46d7ea6ece7cf Mon Sep 17 00:00:00 2001
From: Fabian Affolter
Date: Fri, 4 Jun 2021 10:57:32 +0200
Subject: [PATCH 16/17] python3Packages.certifi: enable tests

(cherry picked from commit 19f90b99e7451160d3a13a404d5a8194ef60a27a)
---
 .../python-modules/certifi/default.nix | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/pkgs/development/python-modules/certifi/default.nix b/pkgs/development/python-modules/certifi/default.nix
index 7ca69acb88d..d0ae968b0be 100644
--- a/pkgs/development/python-modules/certifi/default.nix
+++ b/pkgs/development/python-modules/certifi/default.nix
@@ -1,20 +1,25 @@
 { lib
-, fetchPypi
 , buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
 }:
 buildPythonPackage rec {
 pname = "certifi";
- version = "2021.5.30";
+ version = "2021.05.30";
- src = fetchPypi {
- inherit pname version;
- sha256 = "sha256-K792/UMpYBOLPvbdo93gVE8ny/hUbEWOYLrzcZF7qe4=";
+ src = fetchFromGitHub {
+ owner = pname;
+ repo = "python-certifi";
+ rev = version;
+ sha256 = "1i4ljsc47iac6kl1w4w6x0qia08s9z394z9lbyzc05pm7y8a3cmj";
 };
- pythonImportsCheck = [ "certifi" ];
+ checkInputs = [
+ pytestCheckHook
+ ];
- dontUseSetuptoolsCheck = true;
+ pythonImportsCheck = [ "certifi" ];
 meta = with lib; {
 homepage = "https://certifi.io/";
From 403fb2db479bed6dc8028bca4580f6265ed05763 Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Mon, 7 Jun 2021 08:34:38 +0200
Subject: [PATCH 17/17] nixos/gnome: fix option label

It is no longer GNOME 3.
(cherry picked from commit 99fcca7b6bc850e1c1c47e9fbad41fc3264170f6)
---
 nixos/modules/services/x11/desktop-managers/gnome.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix
index bacada9cbe7..bf7fa08cea7 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome.nix
@@ -174,7 +174,7 @@ in
 enable = mkOption {
 type = types.bool;
 default = false;
- description = "Enable Gnome 3 desktop manager.";
+ description = "Enable GNOME desktop manager.";
 };
 sessionPath = mkOption {
@@ -259,7 +259,7 @@ in
 (mkIf (cfg.enable || flashbackEnabled) {
 # Seed our configuration into nixos-generate-config
 system.nixos-generate-config.desktopConfiguration = [''
- # Enable the GNOME 3 Desktop Environment.
+ # Enable the GNOME Desktop Environment.
 services.xserver.displayManager.gdm.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
 ''];
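Review bot: `rev = version` now resolves through an upstream git tag that the project can re-point, and the `version` string changes to the zero-padded tag form `2021.05.30` while the preceding commit used the PyPI form `2021.5.30`, so the next updater is likely to "correct" it back and break the fetch. The `sha256` pin turns a moved tag into a hard build failure rather than a silent content change, which is acceptable for a package that ships a CA bundle, but the tag format deserves a comment, e.g. `# rev follows upstream's zero-padded tags (2021.05.30), not the PyPI-normalised version` above `src`. Enabling the upstream test suite via `pytestCheckHook` is welcome; whether those tests exercise the bundle contents or only importability is not visible here. The derivation's `meta` block continues past the end of this hunk.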