authorVladimír Čunát <v@cunat.cz>2024-07-09 16:26:38 +0200
committerVladimír Čunát <v@cunat.cz>2024-07-09 16:26:38 +0200
commit205fd4226592cc83fd4c0885a3e4c9c400efabb5 (patch)
tree914931b17da02877a482e45e3310d767bc2c2433
parentpython3Packages.clustershell: remove blocking test (diff)
parentMerge branch 'release-23.11' into staging-next-23.11 (diff)
downloadnixpkgs-origin/nixos-23.11-small.tar.gz
Merge #325769: staging-next-23.11 iteration 10origin/release-23.11origin/nixos-23.11-smallorigin/nixos-23.11
...into release-23.11 A bit late roundup of what's been staged during June. Most likely we'll only ever make binaries for *-linux. (darwin people hopefully use the darwin channel, so they'll get the older binaries)
-rw-r--r--pkgs/build-support/setup-hooks/strip.sh16
-rw-r--r--pkgs/data/misc/cacert/default.nix4
-rw-r--r--pkgs/development/compilers/go/1.21.nix4
-rw-r--r--pkgs/development/haskell-modules/configuration-common.nix8
-rw-r--r--pkgs/development/libraries/libndp/default.nix11
-rw-r--r--pkgs/development/libraries/openssl/default.nix8
-rw-r--r--pkgs/development/python-modules/torch/default.nix18
-rw-r--r--pkgs/development/tools/documentation/doxygen/default.nix9
-rw-r--r--pkgs/misc/ghostscript/default.nix21
9 files changed, 82 insertions, 17 deletions
diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh
index ce41e6ea0562..49a350af1fa5 100644
--- a/pkgs/build-support/setup-hooks/strip.sh
+++ b/pkgs/build-support/setup-hooks/strip.sh
@@ -74,13 +74,17 @@ stripDirs() {
echo "stripping (with command $cmd and flags $stripFlags) in $paths"
local striperr
striperr="$(mktemp --tmpdir="$TMPDIR" 'striperr.XXXXXX')"
- # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh.
- find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -print0 |
- # Make sure we process files under symlinks only once. Otherwise
- # 'strip` can corrupt files when writes to them in parallel:
- # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039
- xargs -r -0 -n1 -- realpath -z | sort -u -z |
+ # Make sure we process files only once. `strip`ping the same file through different
+ # links in parallel can corrupt it:
+ # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039
+ # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh.
+ # Print out each file's device and inode (which will be the same if two files are hardlinked
+ # or are the same file found through different symlinks), followed by its path...
+ find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -printf '%D-%i,%p\0' |
+ # ... sort/uniq by device/inode, then cut them out and keep the path, ...
+ sort -t, -k1,1 -u -z | cut -d, -f2- -z |
+ # and finally strip each unique path in parallel.
xargs -r -0 -n1 -P "$NIX_BUILD_CORES" -- $cmd $stripFlags 2>"$striperr" || exit_code=$?
# xargs exits with status code 123 if some but not all of the
# processes fail. We don't care if some of the files couldn't
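Review bot: The `cut -d, -f2- -z` stage relies on `-f2-` rather than `-f2` to keep paths that themselves contain commas, and none of the added comments say so. A later simplification to `-f2` would silently truncate such paths, and `strip` would be handed a wrong or non-existent file name. I would add `# -f2- keeps the whole path even if it contains commas; only the first comma separates the dev-inode key` above the `sort`/`cut` line. The `-printf` format is a GNU find extension, which may deserve a word as well. `stripDirs` starts before and continues after this hunk.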
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 4b103f7f3289..517e1d87273b 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -20,7 +20,7 @@ let
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
- srcVersion = "3.98";
+ srcVersion = "3.101";
version = if nssOverride != null then nssOverride.version else srcVersion;
meta = with lib; {
homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -37,7 +37,7 @@ let
owner = "nss-dev";
repo = "nss";
rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM";
- hash = "sha256-0p1HzspxyzhzX46O7ax8tmYiaFEBeqEqEvman4NIiQc=";
+ hash = "sha256-lO+81zYBBFwqcjh4cd/fpiznHZ9rTJpfDW/yF8phYts=";
};
dontBuild = true;
diff --git a/pkgs/development/compilers/go/1.21.nix b/pkgs/development/compilers/go/1.21.nix
index 55ce65ba1a7c..38a169758ab6 100644
--- a/pkgs/development/compilers/go/1.21.nix
+++ b/pkgs/development/compilers/go/1.21.nix
@@ -46,11 +46,11 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "go";
- version = "1.21.10";
+ version = "1.21.11";
src = fetchurl {
url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz";
- hash = "sha256-kA4K/okAwe5lqKjE8MWjygLc+FwdHLE6ZSviLCE5k5Q=";
+ hash = "sha256-Qq7pvytpVsdaetaqPwpRtYIf/qxX9aLnM6LW6uHm2dI=";
};
strictDeps = true;
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 6cc22008ab8b..2ef46e1200bf 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -1894,7 +1894,13 @@ self: super: {
install -Dm 555 '${self.pandoc}'/share/man/man1/* -t "$out"/share/man/man1/
'' + (old.postInstall or "");
}) (super.pandoc-cli.overrideScope pandoc-cli-overlay);
- pandoc_3_1_9 = doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay);
+ pandoc_3_1_9 = appendPatches [
+ (fetchpatch {
+ name = "drop-usage-known-bad-actor-cdn.patch";
+ url = "https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092.patch";
+ hash = "sha256-2ffdL2dS/hHWBjJcIHbae5OdL/VKlHNKUMDHRy3hqvc=";
+ })
+ ] (doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay));
pandoc-lua-engine = super.pandoc-lua-engine.overrideScope pandoc-cli-overlay;
})
pandoc-cli
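Review bot: The patch name `drop-usage-known-bad-actor-cdn.patch` does not say which CDN is meant, so a reader has to open the upstream commit to learn what is being removed. The doxygen patch in this same commit puts the host in its file name. I would either rename this one the same way or add a comment above the `fetchpatch`, e.g. `# removes the reference to <CDN host>; drop together with pandoc_3_1_9`. Only `pandoc_3_1_9` is patched here; whether the default `pandoc` in this set already contains the upstream commit is not visible from the hunk and is worth confirming.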
diff --git a/pkgs/development/libraries/libndp/default.nix b/pkgs/development/libraries/libndp/default.nix
index 6109c48b036e..0a8984dc90aa 100644
--- a/pkgs/development/libraries/libndp/default.nix
+++ b/pkgs/development/libraries/libndp/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook }:
stdenv.mkDerivation rec {
pname = "libndp";
@@ -9,6 +9,15 @@ stdenv.mkDerivation rec {
sha256 = "sha256-iP+2buLrUn8Ub1wC9cy8OLqX0rDVfrRr+6SIghqwwCs=";
};
+ patches = [
+ (fetchpatch {
+ # https://github.com/jpirko/libndp/issues/26
+ name = "CVE-2024-5564.patch";
+ url = "https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch";
+ hash = "sha256-O7AHjCqic7iUfMbKYLGgBAU+wdR9/MDWxBWJw+CFn/c=";
+ })
+ ];
+
nativeBuildInputs = [ autoreconfHook ];
meta = with lib; {
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 2c4c8dd562b8..32d02767705a 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -257,8 +257,8 @@ in {
};
openssl_3 = common {
- version = "3.0.13";
- hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
+ version = "3.0.14";
+ hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o=";
patches = [
./3.0/nix-ssl-cert-file.patch
@@ -280,8 +280,8 @@ in {
};
openssl_3_1 = common {
- version = "3.1.5";
- hash = "sha256-auAVRn2r8EabE5rakzGTJ74kuYJR/67O2gIhhI3AkmI=";
+ version = "3.1.6";
+ hash = "sha256-XSvkA2tHjvPLCoVMqbNTByw6DibYpW+PCrn7btMtONc=";
patches = [
./3.0/nix-ssl-cert-file.patch
diff --git a/pkgs/development/python-modules/torch/default.nix b/pkgs/development/python-modules/torch/default.nix
index 70b71c8cdf88..36b1ada5ae30 100644
--- a/pkgs/development/python-modules/torch/default.nix
+++ b/pkgs/development/python-modules/torch/default.nix
@@ -145,7 +145,23 @@ in buildPythonPackage rec {
hash = "sha256-xUj77yKz3IQ3gd/G32pI4OhL3LoN1zS7eFg0/0nZp5I=";
};
- patches = lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [
+ patches = [
+ (fetchpatch {
+ name = "CVE-2024-31580.patch";
+ url = "https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.patch";
+ hash = "sha256-UR9PesE+t7ekVh4cJlrCgFULLFgqZjWhgr3jFP+vuEQ=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-31583.patch";
+ url = "https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2.patch";
+ hash = "sha256-TtiB9d8VQ5dXXOHyq4N45uFW5csmxHsF6naPH4IrKlc=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-31584.patch";
+ url = "https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6.patch";
+ hash = "sha256-4IsdRfL0B+Rown4xqra8taqqOXf8NKCtSN9sPrOPQV8=";
+ })
+ ] ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [
# pthreadpool added support for Grand Central Dispatch in April
# 2020. However, this relies on functionality (DISPATCH_APPLY_AUTO)
# that is available starting with macOS 10.13. However, our current
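Review bot: The three CVE patches added to `patches` carry only a CVE id in `name`, with no comment linking the upstream issue or advisory. The libndp patch in this same commit does better, with `# https://github.com/jpirko/libndp/issues/26` above it. A one-line comment per entry, such as `# <upstream issue or advisory URL>; drop once version contains this commit`, would let the next version bump confirm that each patch is obsolete rather than guess. The same applies to the four ghostscript patches in pkgs/misc/ghostscript/default.nix. The hunk ends inside the Darwin-only list, so the rest of `patches` is not visible here.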
diff --git a/pkgs/development/tools/documentation/doxygen/default.nix b/pkgs/development/tools/documentation/doxygen/default.nix
index d735637cb53d..5b026cda2cfc 100644
--- a/pkgs/development/tools/documentation/doxygen/default.nix
+++ b/pkgs/development/tools/documentation/doxygen/default.nix
@@ -2,6 +2,7 @@
, stdenv
, cmake
, fetchFromGitHub
+, fetchpatch
, python3
, flex
, bison
@@ -22,6 +23,14 @@ stdenv.mkDerivation rec {
sha256 = "sha256-ezeMQk+Vyi9qNsYwbaRRruaIYGY8stFf71W7GonXqco=";
};
+ patches = [
+ (fetchpatch {
+ name = "drop-usage-bad-actor-polyfill.io.patch";
+ url = "https://github.com/doxygen/doxygen/commit/41e3eeed6d7c34d14f072cbfea5fe418fc65a760.patch";
+ hash = "sha256-vtuVO6v2Hccm2W+Ilv3a2kmBMrRyYLCYVWLyZKx0s7s=";
+ })
+ ];
+
nativeBuildInputs = [
cmake
python3
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index daf7758b1184..a561dbfe5310 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -2,6 +2,7 @@
, stdenv
, lib
, fetchurl
+, fetchpatch
, pkg-config
, zlib
, expat
@@ -71,6 +72,26 @@ stdenv.mkDerivation rec {
patches = [
./urw-font-files.patch
./doc-no-ref.diff
+ (fetchpatch {
+ name = "CVE-2024-33870.patch";
+ url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=79aef19c685984dc3da2dc090450407d9fbcff80";
+ hash = "sha256-EZOtKbAkNujqAPoD1yWTggXYTdLPPR9uC898JByQwVs=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-33869.part-1.patch";
+ url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43";
+ hash = "sha256-ob2c4aawUxJcsLdhHX9/7CDNnnxO8k1LTqfar5Bgdo8=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-33869.part-2.patch";
+ url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4";
+ hash = "sha256-2Kx57WJvALpEjR8+uTbF3CBvO/9Ujl652L4Kf+mNRWo=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-33871.patch";
+ url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908";
+ hash = "sha256-a5+WY63lmu++cc8BGREWlIY4S1LEvWqeqTTfBnEY+YM=";
+ })
];
outputs = [ "out" "man" "doc" ];