summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #98645 from raboof/rename-guide-to-nixpkgs-manual-19.09origin/nixpkgs-19.09-darwinorigin/nixos-19.09-smallorigin/nixos-19.09Rok Garbas2020-09-241-1/+1
|\ | | | | doc: rename guide to 'Nixpkgs Manual'
| * doc: rename guide to 'Nixpkgs Manual'Arnout Engelen2020-09-241-1/+1
|/ | | | | For consistency with 'NixOS Manual' and 'Nix Manual', to better match what it's often called in practice, and to match its URL and HTML title.
* Merge pull request #91009 from erictapen/19.09-libexif-0.6.22Florian Klink2020-06-191-35/+14
|\ | | | | [19.09] libexif: 0.6.21 -> 0.6.22 for security fixes
| * libexif: 0.6.21 -> 0.6.22Justin Humm2020-06-181-35/+14
|/ | | | | | | | Also: - build from git - enable cross compilation (cherry picked from commit e761cfe50ac6a9204af703e2bb91e89ba521db02)
* Merge pull request #88436 from mweinelt/19.09/dovecotJörg Thalheim2020-06-121-4/+5
|\
| * dovecot: v2.3.10 → v2.3.10.1Martin Weinelt2020-05-201-3/+4
| | | | | | | | | | Fixes: CVE-2020-10957, CVE-2020-10958, CVE-2020-10967 (cherry picked from commit 6cf48856d23260e34d7c9b278ad6a2ea7ddeb318)
| * dovecot: 2.3.9.3 -> 2.3.10R. RyanTM2020-05-201-3/+3
| | | | | | | | (cherry picked from commit 8d08f4536828387c6a2ba03cb4a0c23637e83774)
* | gnutls: 3.6.13 -> 3.6.14Cole Helbling2020-06-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | Fixes CVE-2020-13777 [1]. Changes: https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html [1] https://nvd.nist.gov/vuln/detail/CVE-2020-13777 (cherry picked from commit 1dba11754189f8, PR #89884) 19.09 isn't really supported anymore, but this CVE seems very important.
* | Merge pull request #86994 from toonn/release-19.09Florian Klink2020-06-061-4/+4
|\ \ | | | | | | wire-desktop: linux 3.17.2924 -> 3.18.2925, mac 3.17.3666 -> 3.18.3728
| * | wire-desktop: mac 3.17.3666 -> 3.18.3728toonn2020-06-021-2/+2
| | | | | | | | | | | | (cherry picked from commit 9535a4370b08175947ea06871c3f548dbb6aa94b)
| * | wire-desktop: linux 3.17.2924 -> 3.18.2925toonn2020-06-021-2/+2
| | | | | | | | | | | | (cherry picked from commit 3e2b6b99bff59aac7e2c961802583d350106192e)
* | | Merge #89474: thunderbird*: 68.8.0 -> 68.9.0 (security)Vladimír Čunát2020-06-062-247/+247
|/ / | | | | | | (cherry picked from commit 5a8cdcc278ee032b15b9ef415995131d2fae543c)
* | ip2unix: 2.1.2 -> 2.1.3aszlig2020-06-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upstream fixes: - Pass linker version script to the linker instead of the compiler. - Compile with `-fPIC` again (regression from version 2.1.2). - Out of bounds array access in `globpath`. - Handling of `epoll_ctl` calls (they're now replayed after replacing socket). - GCC 10 build errors and Clang warnings. While most of these fixes are more relevant for other distros, the linker script fix is actually a regression existing since a long time (version 1.x) and caused libip2unix to expose way too many symbols. Built and tested on i686-linux and x86_64-linux. Signed-off-by: aszlig <aszlig@nix.build> (cherry picked from commit 67325b12c641378d622051b73ada8ae808ba318d)
* | ip2unix: 2.1.1 -> 2.1.2aszlig2020-06-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | This fixes the issues with glibc 2.30, which were caused because glibc no longer allows to dlopen/LD_PRELOAD a PIE executable. So this release is essentially just a hotfix release which addresses this issue by splitting the executable and library. Signed-off-by: aszlig <aszlig@nix.build> Reported-by: @zimbatm (cherry picked from commit b51d39fbe44fc5c7c6fdb934c6e7de82127adfdf)
* | ffmpeg_2_8: 2.8.15 -> 2.8.16zowoq2020-05-311-2/+2
| | | | | | | | (cherry picked from commit cfaa8035d721dc526d4d719a506de15771add05d)
* | ffmpeg-full: 4.2.2 -> 4.2.3zowoq2020-05-311-3/+3
| | | | | | | | (cherry picked from commit f7c914e96e2f356110c99199e23590b9315cacf3)
* | ffmpeg_4: 4.2.2 -> 4.2.3zowoq2020-05-311-2/+2
| | | | | | | | (cherry picked from commit 0e384147f97fb4d7058dd9029dcec3dc79e6a0cb)
* | pdns-recursor: 4.2.0 -> 4.2.2 (security)Vladimír Čunát2020-05-231-2/+2
| | | | | | | | | | | | | | | | https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/ $ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux NixPkgs master is on 4.3.x already; /cc that PR #88159 (cherry picked from commit 1a029774275d24991d161a68678c758a0d80452e)
* | bind: 9.14.9 -> 9.14.12 (security, PR #88159)Vladimír Čunát2020-05-231-2/+2
|/ | | | | | | | https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/ $ nix build -f nixos/release.nix tests.bind.x86_64-linux (cherry picked from commit 13c485d63da8c7fa6a705dc0f4bbd42313beee6c) In BIND case these are quite severe DoS risks, so let me backport to 19.09.
* Merge pull request #88368 from primeos/chromium-eolLinus Heckemann2020-05-203-1/+20
|\ | | | | [19.09] chromium: Mark as insecure
| * chromium: Mark as insecureMichael Weiss2020-05-203-1/+20
|/ | | | | | | | | | | | | Since M81 won't receive any updates anymore and there are known vulnerabilities we should mark it as insecure so that users are aware of the risks. Updating Chromium to M83 is unfortunately too challenging for 19.09, but as of today we've already covered the one month period of security updates for "oldstable" and both 20.03 and nixos-unstable contain recent versions (i.e. users should either update to the current stable release or install Chromium from a different channel). nixos-unstable PR for M83: #88206
* Merge pull request #87772 from andir/19.09/firefoxAndreas Rammhold2020-05-141-3/+8
|\ | | | | [19.09] firefox: Add patch to fix AES GCM IV bit size
| * firefox: 76.0 -> 76.0.1Andreas Rammhold2020-05-141-2/+2
| | | | | | | | (cherry picked from commit b70435e43c540527e7650b652a5ec2690b2fc89b)
| * firefox: Add patch to fix AES GCM IV bit sizeaszlig2020-05-141-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Regression introduced by bce5268a216924820a486d09bc3aec7e8d6b8fa7. The bit size of the initialisation vector for AES GCM has been introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the ulIvBits field. Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it gets initialised to zero, which in turn causes IV generation to fail. I found out about this because WebRTC stopped working after updating to NSS 3.52 and so I started bisecting. Since there wasn't an obvious error in Firefox hinting towards NSS but instead just the video stream ended up as a "null" stream, I didn't suspect the NSS update to be the culprit at first. So I verified a few times and then also started bisecting the actual commit in NSS that caused the issue. This turned out to be the problematic change: https://phabricator.services.mozilla.com/D63241 > One notable change was caused by an inconsistancy between the spec and > the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra > field in the header that was not in the spec. OASIS considers the > header file to be normative, so PKCS#11 v3.0 resolved the issue in > favor of the header file definition. Since the test I've used[1] was a bit flaky, I still didn't believe the result of the bisect to be accurate, but after running the test several times leading same results I dug through the above change line by line to get more clues. It fortunately didn't take that long to stumble upon the ulIvBits change (which is actually documented in the NSS 3.52 release notes[4], but I managed to blatantly ignore it for some reason) and started checking the Firefox source tree for changes regarding that field. Initialisation of that new field has been introduced[2] in preparation for the 76 release, but subsequently got reverted[3] prior to the release, because Firefox 76 is expected to be shipped with NSS 3.51, which didn't have the ulIvBits field. The patch I'm adding here is just a reintroduction of that change, because we're using NSS 3.52. Not initialising that field will break WebRTC and WebCrypto, which I think the former seems to gain in popularity these days ;-) Tested the change against the mentioned VM test[1] and also by testing manually using Jitsi Meet and Nextcloud Talk. [1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk [2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1 [3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee [4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes Signed-off-by: aszlig <aszlig@nix.build> (cherry picked from commit 8fb49973ce4b5d8555d10ade3c27ea35fb5bdb4c & moved to packages.nix)
* | monero: fix rcp.restricted optionVojtěch Káně2020-05-111-1/+1
| | | | | | | | | | | | | | According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api the correct option is restricted-rpc, not restrict-rpc. (cherry picked from commit e7ab236cab9dd6e74526bee282caa001a3374c37)
* | Merge #87066: thunderbird*: 68.7.0 -> 68.8.0 (security)Vladimír Čunát2020-05-102-247/+247
|/ | | | | | | https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/ (cherry picked from commit 10134fc30160b0459e1e5043bed6ca671188fd4a) Re-tested both briefly on 19.09.
* Merge pull request #87078 from primeos/chromium-backportMichael Weiss2020-05-061-9/+9
|\ | | | | chromium: 81.0.4044.129 -> 81.0.4044.138
| * chromium: 81.0.4044.129 -> 81.0.4044.138Michael Weiss2020-05-061-9/+9
|/ | | | | | | | | https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop.html This update includes 3 security fixes. CVEs: CVE-2020-6831 CVE-2020-6464 (cherry picked from commit dec3d5f39f67dbb6254d139521005a0d5d306605)
* Merge pull request #86811 from andir/19.09/firefox76Andreas Rammhold2020-05-056-397/+424
|\ | | | | [19.09] firefox: 75.0 -> 76.0
| * firefox-esr-68: 68.7.0esr -> 68.8.0esrAndreas Rammhold2020-05-041-2/+2
| | | | | | | | (cherry picked from commit f3cc8dc6fa253c585c24410ef4bb3f13fe13802c)
| * firefox-bin: 75.0 -> 76.0Andreas Rammhold2020-05-041-385/+385
| | | | | | | | (cherry picked from commit 3911336cc64828e1d2638c4e3fa437b888b0d238)
| * firefox: 75.0 -> 76.0Andreas Rammhold2020-05-042-3/+26
| | | | | | | | (cherry picked from commit 324e40f0f4a80f63d9c84e117f2dbb3ce2113f26)
| * nss_3_52: 3.51 -> 3.52Andreas Rammhold2020-05-043-7/+11
|/
* Merge pull request #86651 from Flakebi/salt-19.09Benjamin Hipple2020-05-031-8/+25
|\ | | | | [19.09] salt: 2019.2.0 -> 2019.2.4
| * salt: 2019.2.0 -> 2019.2.4Flakebi2020-05-031-8/+25
|/ | | | Fixes CVE-2020-11651 and CVE-2020-11652
* Merge pull request #86461 from talyz/19.09-gitlab-12.8.10Florian Klink2020-05-014-10/+10
|\ | | | | [19.09] gitlab: 12.8.9 -> 12.8.10
| * gitlab: 12.8.9 -> 12.8.10Florian Klink2020-05-011-4/+4
| | | | | | | | (cherry picked from commit fdd0d0de1f0cc35937296ccee4bc6c99f63f657b)
| * gitaly: 12.8.9 -> 12.8.10Florian Klink2020-05-013-6/+6
|/ | | | (cherry picked from commit 9eb6dc762f67d09e4598ee2e35070821590e68dc)
* Merge pull request #86297 from primeos/chromium-backportMichael Weiss2020-04-301-9/+9
|\ | | | | [19.09] chromium: 81.0.4044.122 -> 81.0.4044.129 (backport)
| * chromium: 81.0.4044.122 -> 81.0.4044.129Michael Weiss2020-04-291-9/+9
| | | | | | | | | | | | | | | | | | https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html This update includes 2 security fixes. CVEs: CVE-2020-6462 CVE-2020-6461 (cherry picked from commit db4aece8849ddd9ea466a7a91cea3c2f875a15f8)
* | roundcube: 1.3.10 -> 1.3.11Maximilian Bosch2020-04-291-2/+2
| | | | | | | | | | | | https://github.com/roundcube/roundcubemail/releases/tag/1.3.11 This contains some important security fixes, hence the package-bump.
* | Merge pull request #86340 from 7c6f434c/monotone-no-botan-openssl-19.09Michael Raskin2020-04-291-0/+1
|\ \ | | | | | | monotone: openssl in botan is not needed, so drop to avoid old openssl
| * | monotone: openssl in botan is not needed, so drop to avoid old opensslMichael Raskin2020-04-291-0/+1
|/ / | | | | | | (cherry picked from commit 4644776b2e95027eba4a7f3c4e1a9fd08a12e2f6)
* | Merge pull request #86271 from mweinelt/19.09/coturn/CVE-2020-6061+6062Alexey Shmalko2020-04-291-2/+9
|\ \ | |/ |/| [19.09] coturn: apply patch for CVE-2020-6061/6062
| * coturn: apply patch for CVE-2020-6061/6062Martin Weinelt2020-04-291-2/+9
|/ | | | | | | | | | | | | | | | Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018aaea16e044c1adf33accce6be2884911d)
* gitlab: update.py: invoke bundle lock manuallyMichael Fellinger2020-04-281-1/+3
| | | | | | | `bundix -l` doesn't work, as it treats bundler's warning about upgrading the lockfile version as an error, so invoke `bundle lock` manually. (cherry picked from commit 4c26ab4198b083f0647f1c0e64f985e211beff8f)
* gitaly: 12.8.8 -> 12.8.9Florian Klink2020-04-281-2/+2
| | | | (cherry picked from commit c86c77be0cf45023586e7252bfb05238ae6d38db)
* gitlab-workhorse: 8.21.1 -> 8.21.2Florian Klink2020-04-281-2/+2
| | | | (cherry picked from commit f7ddd30bef15238d6d9a12f48408d38571944d85)
* gitlab: support passing --rev to the `update-all` scriptFlorian Klink2020-04-281-3/+4
| | | | | | | | | | | | | While it's already possible to invoke `update-data` with the `--rev` argument, one still needs to run all later phases manually. Fix this, by having `update-all` also accept a `--rev` argument, and pass it down to `update-data`. Also, make the help text a bit more usable, by suggesting the usual versioning scheme used these times. (cherry picked from commit 191c2c67a409ae8cf3d3bee7811a7b10397efe81)
* gitlab: 12.8.8 -> 12.8.9Florian Klink2020-04-284-22/+22
| | | | | | | | See https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ for details. (cherry picked from commit d1902923fae5e0056ef69de5e6cf52b1573de225)
generated by cgit v1.2.3 (git 2.52.0) at 2026-01-17 05:24:12 +0000