| author | Vladimír Čunát <v@cunat.cz> | 2022-05-10 11:14:51 +0200 |
|---|---|---|
| committer | Vladimír Čunát <v@cunat.cz> | 2022-05-10 11:14:51 +0200 |
| commit | b50627e93a40a334f499a51c62ac6ac0f38cc78d (patch) | |
| tree | ccd19973c839de59a8277fa6cc3b36b55b938fa3 | |
| parent | Merge pull request #171948 from NixOS/backport-171918-to-release-21.11 (diff) | |
| parent | Merge release-21.11 into staging-next-21.11 (diff) | |
| download | nixpkgs-b50627e93a40a334f499a51c62ac6ac0f38cc78d.tar.gz | |
Merge #171795: staging-next-21.11: iteration 13 - 2022-05-06
| -rw-r--r-- | pkgs/data/misc/cacert/default.nix | 4 | ||||
| -rw-r--r-- | pkgs/development/libraries/libxml2/default.nix | 20 | ||||
| -rw-r--r-- | pkgs/development/libraries/openssl/default.nix | 4 |
3 files changed, 24 insertions, 4 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 4e9925147a35..2e09cad2fbf3 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -20,7 +20,7 @@ let
 blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
- srcVersion = "3.74";
+ srcVersion = "3.77";
 version = if nssOverride != null then nssOverride.version else srcVersion;
 meta = with lib; {
 homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -35,7 +35,7 @@ let
 src = if nssOverride != null then nssOverride.src else fetchurl {
 url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
- sha256 = "0mnhdkm4galhpvfz4rv0918jwmjlwkvcvb1f5va8f3zlz48qi4l8";
+ sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
 };
 dontBuild = true;
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index bc11c9cfea1f..17ae7514a2b4 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -35,6 +35,26 @@ stdenv.mkDerivation rec {
 url = "https://gitlab.gnome.org/GNOME/libxml2/commit/85b1792e37b131e7a51af98a37f92472e8de5f3f.patch";
 sha256 = "epqlNs2S0Zczox3KyCB6R2aJKh87lXydlZ0x6tLHweE=";
 })
+
+ # Fix [CVE-2022-23308] Use-after-free of ID and IDREF attributes
+ # See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.13
+ # TODO: Remove once this package is >= v2.9.13
+ (fetchpatch {
+ name = "libxml2-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attributes.patch";
+ url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e.patch";
+ sha256 = "1rwb2xbvddkqgigdq9vjzqqaj6hhrhzk8m6hkcicqrc4ik9d636r";
+ })
+
+ # Fix [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
+ # See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14
+ # Page https://nvd.nist.gov/vuln/detail/CVE-2022-29824 links the fix commits for
+ # `libxml2` master and the 2.9.14 backport we use here.
+ # TODO: Remove once this package is >= v2.9.14
+ (fetchpatch {
+ name = "libxml2-CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch";
+ url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab.patch";
+ sha256 = "1kyzxh8fp5sfyqi9zghd7c2d32ld0mvp8hrk55mnvkg7aq42j0nz";
+ })
 ];
 outputs = [ "bin" "dev" "out" "man" "doc" ]
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index d0bf9e5c8f5b..24c8ed71d4bb 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -190,8 +190,8 @@ in {
 };
 openssl_1_1 = common rec {
- version = "1.1.1n";
- sha256 = "sha256-QNzrUaT2pSdb3g5r8g70uRv8Mu1XwFUuLo4VRjNysXo=";
+ version = "1.1.1o";
+ sha256 = "sha256-k4SisFcN2ANYhBRkZ3EV33he25QccSEfdQdtcv5rQ48=";
 patches = [
 ./1.1/nix-ssl-cert-file.patch |
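Review bot: The comment above the CVE-2022-29824 `fetchpatch` says the 2.9.14 backport is used, but nothing in the hunk lets a reader check that commit `2554a2408e09f13652049e5ffb0d26196b02ebab` is the backport rather than the master-branch fix that the same NVD page links. A master-branch patch can apply with offsets to an older tree and still leave a code path unpatched, so after confirming it I would record the branch next to the URL, e.g. `# Commit is from the upstream stable branch (2.9.14 backport), not master`. The two new hashes are also written in base32 while the neighbouring entry in this list uses base64; using one encoding throughout makes the pinned hashes easier to compare in review. The enclosing list opens above the hunk, so the declared package version that the two TODO lines depend on is not visible here.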
