| Commit message (Expand) | Author | Age | Files | Lines |
| * | buildFHSEnv: disable security features by default•••The implicit contract of buildFHSUserEnv was that it allows one to run
software built for a typical GNU/Linux distribution (not NixOS) without
patching it (patchelf, autoPatchelfHook, etc.). Note that this does not
inherently imply running untrusted programs.
buildFHSUserEnv was implemented by using chroot and assembling a
standard-compliant FHS environment in the new root. As expected, this
did not provide any kind of isolation between the system and the
programs.
However, when it was later reimplemented using bubblewrap
(PR #225748), which *is* a security tool, several isolation features
involving detached Linux namespaces were turned on by default.
This decision has introduced a number of breakages that are very
difficult to debug and trace back to this change.
For example: `unshareIPC` breaks software audio mixing in programs using
ALSA (dmix) and `unsharePID` breaks gdb.
Since:
1. the security features were enabled without any clear threat model;
2. `buildFHSEnvBubblewrap` is supposed to be a drop-in replacement of
`buildFHSEnvChrootenv` (see the release notes for NixOS 23.05);
3. the change is breaking in several common cases (security does not
come for free);
4. the contract was not changed, or at least communicated in a clear
way to the users;
all security features should be turned off by default.
P.S. It would be useful to create a variant of buildFHSEnv that does
provide some isolation. This could unshare some namespaces and mount
only limited parts of the filesystem.
Note that buildFHSEnv mounts every directory in / under the new root, so
again, very little is gained by unsharing alone.
(cherry picked from commit c945723356c17f0570217dedefac645721d6fb70)
origin/backport-253982-to-release-23.05 | rnhmjoj | 2023-10-22 | 1 | -5/+5 |
| * | Merge pull request #262639 from NixOS/backport-262627-to-release-23.05•••[Backport release-23.05] firefox-{beta,devedition}-unwrapped: 119.0b4 -> 119.0b9 | Martin Weinelt | 2023-10-22 | 1 | -4/+4 |
| | * | firefox-devedition-unwrapped: 119.0b4 -> 119.0b9•••(cherry picked from commit 3c76fece1dc2e55e42f6d11b33121bf667972bf4)
| Martin Weinelt | 2023-10-22 | 1 | -2/+2 |
| | * | firefox-beta-unwrapped: 119.0b4 -> 119.0b9•••(cherry picked from commit 7aa1e5d83241aca86b124d4dbe1818765c574e0c)
| Martin Weinelt | 2023-10-22 | 1 | -2/+2 |
| * | | nixos/lighttpd: add reload support•••Allow reloading the webserver, which is useful when e.g. there are new
certificates available that we want lighttpd to use, but don't want to
completely shut down the server.
(cherry picked from commit d0e68ffb33fe4e89c7fb9263dcc800f5747e9bf6)
| Bjørn Forsman | 2023-10-22 | 2 | -0/+2 |
| * | | lighttpd: re-enable remaining disabled tests•••All tests work now.
(cherry picked from commit 409b6b8e0770a887d4695546306e252122fe10b8)
| Bjørn Forsman | 2023-10-22 | 1 | -6/+0 |
| * | | lighttpd: 1.4.71 -> 1.4.72•••The patch to disable legacy crypt tests (which were broken for us) isn't
needed anymore, so remove it.
(cherry picked from commit 87a6be96195c269c533c965b0bc2ce6c5a66ee51)
| Bjørn Forsman | 2023-10-22 | 2 | -42/+2 |
| * | | samba: 4.17.10 -> 4.17.12•••https://lists.samba.org/archive/samba-announce/2023/000651.html
Fixes CVE-2023-3961
Fixes CVE-2023-4091
Fixes CVE-2023-4154
Fixes CVE-2023-42669
Fixes CVE-2023-42670
| Yaya | 2023-10-22 | 1 | -2/+2 |
| * | Merge pull request #262556 from NixOS/backport-260555-to-release-23.05•••[Backport release-23.05] electron_{22,24}-bin: Mark EOL | Weijia Wang | 2023-10-22 | 1 | -1/+1 |
| | * | electron-{22,24}-bin: Mark EOL•••These have been EOL since 2023-10-10
https://endoflife.date/electron
Co-authored-by: Yureka <yuka@yuka.dev>
(cherry picked from commit 204fb0e622f6c10ce8ab4dacf6cc973e85e3e85b)
| Yaya | 2023-10-21 | 1 | -1/+1 |
| * | | libspf2: 2.2.12 -> 2.2.13 and make deps strict•••(cherry picked from commit 52574a4db602be666482bcf5f6827405f38df060)
| Janne Heß | 2023-10-21 | 1 | -13/+5 |
| * | | erofs-utils.meta.homepage: init•••(cherry picked from commit 77b6649ac311818131c9546c8c982479a7f0fd0b)
| Alyssa Ross | 2023-10-21 | 1 | -0/+1 |
| * | | Merge pull request #262512 from NixOS/backport-262108-to-release-23.05•••[Backport release-23.05] brave: 1.59.117 -> 1.59.120 | Nick Cao | 2023-10-21 | 1 | -2/+2 |
| | * | brave: 1.59.117 -> 1.59.120•••https://community.brave.com/t/release-channel-1-59-120/511540
(cherry picked from commit 2ab715d5aa725a19592471b0e26a0cd44cc54d46)
origin/backport-262108-to-release-23.05 | Sean Buckley | 2023-10-21 | 1 | -2/+2 |
| * | | pulsar: mark vulnerable to multiple CVEs•••(cherry picked from commit d0339309ec65aa842532e18def5f4ee679876413)
| Mikael Fangel | 2023-10-21 | 1 | -0/+9 |
| * | | Merge pull request #262528 from NixOS/backport-260160-to-release-23.05•••[Backport release-23.05] signal-desktop: 6.32.0 -> 6.34.1, signal-desktop-beta: 6.33.0-beta.1 -> 6.35.0-beta.2 | Mauricio Collares | 2023-10-21 | 1 | -4/+4 |
| | * | | signal-desktop: 6.32.0 -> 6.34.1, signal-desktop-beta: 6.33.0-beta.1 -> 6.35....•••(cherry picked from commit 9bcbf00cc94fe3ab5c7aff6f05e0c533a7ffaf30)
| Eduardo Quiros | 2023-10-21 | 1 | -4/+4 |
| * | | Merge pull request #261847 from NixOS/backport-261725-to-release-23.05•••[Backport release-23.05] roundcube: 1.6.3 -> 1.6.4 | Thomas Gerbet | 2023-10-21 | 1 | -2/+2 |
| | * | | roundcube: 1.6.3 -> 1.6.4•••ChangeLog: https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
(cherry picked from commit 51eaa6521c808f4588dbbee0cbccaba0a3d4a2eb)
| Maximilian Bosch | 2023-10-18 | 1 | -2/+2 |
| * | | | Merge pull request #261929 from NixOS/backport-261876-to-release-23.05•••[Backport release-23.05] losslesscut-bin: 3.55.2 -> 3.58.0 | Thomas Gerbet | 2023-10-21 | 1 | -5/+5 |
| | * | | losslesscut-bin: 3.55.2 -> 3.58.0•••Provide Electron update against CVE-2023-4863 and CVE-2023-5129
(cherry picked from commit f4e599a7756807c8a23d96fb383c5b803fcc6f2a)
| Yueh-Shun Li | 2023-10-18 | 1 | -5/+5 |
| * | | | Merge pull request #261243 from JulienMalka/backport-260183•••[23.05] uptime-kuma: 1.21.3 -> 1.23.3 | Thomas Gerbet | 2023-10-21 | 1 | -9/+4 |
| | * | | | uptime-kuma: 1.21.3 -> 1.23.3 | Julien Malka | 2023-10-15 | 1 | -9/+4 |
| * | | | | Merge pull request #262385 from NixOS/backport-262075-to-release-23.05•••[Backport release-23.05] apacheHttpd: 2.4.57 -> 2.4.58 | Aaron Andersen | 2023-10-20 | 1 | -2/+2 |
| | * | | | | apacheHttpd: 2.4.57 -> 2.4.58•••(cherry picked from commit f2254da826b962e2478cdb875d5fcb867ab93cb3)
| Ivan Kozik | 2023-10-20 | 1 | -2/+2 |
| * | | | | | Merge pull request #262353 from NixOS/backport-262253-to-release-23.05 | Artturi | 2023-10-21 | 2 | -1/+2 |
| | * | | | | | fetchdocker: fix missing lib•••(cherry picked from commit 4b0c26515326d30faeefa7f4de5d82e21f235429)
| Artturin | 2023-10-20 | 2 | -1/+2 |
| * | | | | | | Merge pull request #262294 from markuskowa/upd-slurm-23.05•••[23.05] slurm: 23.02.3.1 -> 23.02.6.1 | markuskowa | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | slurm: 23.02.5.1 -> 23.02.6.1•••(cherry picked from commit ee87e374c7a299e6356cbd404254fd03c39f36fb)
| Markus Kowalewski | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | slurm: 23.02.4 -> 23.02.5•••Bugfix release, see:
https://github.com/SchedMD/slurm/blob/cf1f82a65003f5f9bf0213ac024797b01779cf70/NEWS
(cherry picked from commit c5269e80aa05cc35bcd07267a3b28650c5dd5230)
| Tobias Poschwatta | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | slurm: 23.02.3.1 -> 23.02.4.1•••(cherry picked from commit 933880f90414bad30cd2c06907d1dae49140ce13)
| Markus Kowalewski | 2023-10-20 | 1 | -2/+2 |
| * | | | | | | Merge #261766: thunderbird*: 115.3.1 -> 115.3.2•••...into release-23.05
| Vladimír Čunát | 2023-10-20 | 2 | -267/+267 |
| | * | | | | | | thunderbird-bin: 115.3.1 -> 115.3.2•••https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes/
(cherry picked from commit 5db529bb169af78f07bc2610c6c07891b27226a3)
| Vladimír Čunát | 2023-10-18 | 1 | -265/+265 |
| | * | | | | | | thunderbird: 115.3.1 -> 115.3.2•••https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes/
(cherry picked from commit 12376a0e832220d3557bb50f129eb450d9358e66)
| Vladimír Čunát | 2023-10-18 | 1 | -2/+2 |
| * | | | | | | | Merge pull request #262316 from emilylange/backport-262147-to-release-23.05•••[Backport release-23.05] {ungoogled-,}chromium: 118.0.5993.70 -> 118.0.5993.88, fix update.py | Emily | 2023-10-20 | 3 | -36/+59 |
| | * | | | | | | | ungoogled-chromium: 118.0.5993.70-1 -> 118.0.5993.88-1•••https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_17.html
This update includes 1 security fix.
(cherry picked from commit 658e9ad1ae0034c1ddf3fa74db18ebddabe82370)
| emilylange | 2023-10-20 | 1 | -5/+5 |
| | * | | | | | | | chromium: 118.0.5993.70 -> 118.0.5993.88•••https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_17.html
This update includes 1 security fix.
(cherry picked from commit b1b715ec69756098a428ed1f1f3ca28a45343a3b)
| emilylange | 2023-10-20 | 1 | -3/+3 |
| | * | | | | | | | chromium: fix update.py script•••This is needed as we very recently started re-compressing the upstream
`tar.xz` to stay under the closure size limit of hydra.nixos.org.
(cherry picked from commit 5766d04f9662b948abadf2b6e589c0e9e1079681)
| emilylange | 2023-10-20 | 2 | -28/+51 |
| * | | | | | | | | Merge pull request #262342 from vcunat/p/python3-saml-23.05•••python3.pkgs.python3-saml: fix more expired tests | Martin Weinelt | 2023-10-20 | 2 | -31/+12 |
| | * | | | | | | | python3.pkgs.python3-saml: fix more expired tests•••Upstream has now fixed the tests we were previously disabling
ourselves, but in the meantime yet another test has started failing.
(cherry picked from commit 55ebc46e4b962ad2ec56f6be3a306575dddd40a9)
| Alyssa Ross | 2023-10-20 | 2 | -31/+12 |
| * | | | | | | | Merge pull request #262322 from NixOS/backport-262018-to-release-23.05•••[Backport release-23.05] bitcoin: 25.0 -> 25.1 | Pavol Rusnak | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | | bitcoin: 25.0 -> 25.1•••(cherry picked from commit 53793ca0aecf67164c630ca34dbfde552a8ab085)
| fanquake | 2023-10-20 | 1 | -2/+2 |
| * | | | | | | Merge pull request #262258 from NixOS/backport-262234-to-release-23.05•••[Backport release-23.05] nixVersions.nix_2_15: 2.15.2 -> 2.15.3 | Cole Mickens | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | | nixVersions.nix_2_15: 2.15.2 -> 2.15.3•••(cherry picked from commit 5001944ed7a4c764fe131cda6e57de48f70f8d68)
| Cole Mickens | 2023-10-20 | 1 | -2/+2 |
| * | | | | | | Merge pull request #262259 from NixOS/backport-262236-to-release-23.05•••[Backport release-23.05] nixVersions.nix_2_16: 2.16.1 -> 2.16.2 | Cole Mickens | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | nixVersions.nix_2_16: 2.16.1 -> 2.16.2•••(cherry picked from commit f423b624bd8713160bede555202a842db60b0818)
| Cole Mickens | 2023-10-20 | 1 | -2/+2 |
| * | | | | | Merge pull request #262209 from NixOS/backport-262154-to-release-23.05•••[Backport release-23.05] Kernel updates for 2023-20-10 | K900 | 2023-10-20 | 2 | -11/+11 |
| | * | | | | | linux/hardened/patches/6.1: 6.1.57-hardened1 -> 6.1.58-hardened1•••(cherry picked from commit 056ec2e654b9636c74ff8b21c262a653a9ad7916)
origin/backport-262154-to-release-23.05 | K900 | 2023-10-20 | 1 | -5/+5 |
| | * | | | | | linux_5_15: 5.15.135 -> 5.15.136•••(cherry picked from commit d6c3cb9c91571735084694a4ac6785089e28570c)
| K900 | 2023-10-20 | 1 | -2/+2 |
| | * | | | | | linux_6_1: 6.1.58 -> 6.1.59•••(cherry picked from commit 4966c65d6d7f7c4815e370a0f6679c2c030fb48c)
| K900 | 2023-10-20 | 1 | -2/+2 |