10 files changed, 158 insertions, 55 deletions
diff --git a/pkgs/tools/filesystems/bees/default.nix b/pkgs/tools/filesystems/bees/default.nix
index fd1166e1a301c..1dbb62ccb1b23 100644
--- a/pkgs/tools/filesystems/bees/default.nix
+++ b/pkgs/tools/filesystems/bees/default.nix
@@ -14,13 +14,13 @@ let
 
   bees = stdenv.mkDerivation rec {
     pname = "bees";
-    version = "0.9.3";
+    version = "0.10";
 
     src = fetchFromGitHub {
       owner = "Zygo";
       repo = "bees";
       rev = "v${version}";
-      sha256 = "sha256-krG8TzfOz3m7h3GfkBU+NJz7EdlXiWOOXY8bQRq9z4Q=";
+      hash = "sha256-f3P3BEd8uO6QOZ1/2hBzdcuOSggYvHxW3g9pGftKO8g=";
     };
 
     buildInputs = [
diff --git a/pkgs/tools/filesystems/btrfs-progs/default.nix b/pkgs/tools/filesystems/btrfs-progs/default.nix
index dc9f8a0a27d6f..ef3ba227ea6bb 100644
--- a/pkgs/tools/filesystems/btrfs-progs/default.nix
+++ b/pkgs/tools/filesystems/btrfs-progs/default.nix
@@ -10,11 +10,11 @@
 
 stdenv.mkDerivation rec {
   pname = "btrfs-progs";
-  version = "6.6.3";
+  version = "6.7";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/people/kdave/btrfs-progs/btrfs-progs-v${version}.tar.xz";
-    hash = "sha256-9BzlP2Zz/1Ue5KP+fclgHloN3mttCRd9H6ticYq8bZo=";
+    hash = "sha256-wn91UYW58tqzH0LoowPTa+0qPzNBzG117migplCiR2c=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/tools/filesystems/ceph/default.nix b/pkgs/tools/filesystems/ceph/default.nix
index f38cd4be880c0..fa87a6abfe754 100644
--- a/pkgs/tools/filesystems/ceph/default.nix
+++ b/pkgs/tools/filesystems/ceph/default.nix
@@ -50,6 +50,9 @@
 , zlib
 , zstd
 
+# Dependencies of overridden Python dependencies, hopefully we can remove these soon.
+, rustPlatform
+
 # Optional Dependencies
 , curl ? null
 , expat ? null
@@ -166,7 +169,67 @@ let
 
   # Watch out for python <> boost compatibility
   python = python310.override {
-    packageOverrides = self: super: {
+    packageOverrides = self: super: let cryptographyOverrideVersion = "40.0.1"; in {
+      # Ceph does not support `cryptography` > 40 yet:
+      # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
+      # * Upstream issue: https://tracker.ceph.com/issues/63529
+      #   > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
+      #
+      # We pin the older `cryptography` 40 here;
+      # this also forces us to pin an older `pyopenssl` because the current one
+      # is not compatible with older `cryptography`, see:
+      #     https://github.com/pyca/pyopenssl/blob/d9752e44127ba36041b045417af8a0bf16ec4f1e/CHANGELOG.rst#2320-2023-05-30
+      cryptography = super.cryptography.overridePythonAttrs (old: rec {
+        version = cryptographyOverrideVersion;
+
+        src = fetchPypi {
+          inherit (old) pname;
+          version = cryptographyOverrideVersion;
+          hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
+        };
+
+        cargoDeps = rustPlatform.fetchCargoTarball {
+          inherit src;
+          sourceRoot = let cargoRoot = "src/rust"; in "${old.pname}-${cryptographyOverrideVersion}/${cargoRoot}";
+          name = "${old.pname}-${cryptographyOverrideVersion}";
+          hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
+        };
+
+        patches = (old.patches or []) ++ [
+          # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
+          # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
+          ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
+        ];
+
+        # Tests would require overriding `cryptography-vectors`, which is not currently
+        # possible/desired, see: https://github.com/NixOS/nixpkgs/pull/281858#pullrequestreview-1841421866
+        doCheck = false;
+      });
+
+      # This is the most recent version of `pyopenssl` that's still compatible with `cryptography` 40.
+      # See https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
+      pyopenssl = super.pyopenssl.overridePythonAttrs (old: rec {
+        version = "23.1.1";
+        src = fetchPypi {
+          pname = "pyOpenSSL";
+          inherit version;
+          hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
+        };
+      });
+
+      # Ceph does not support `kubernetes` >= 19, see:
+      #     https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1900324090
+      kubernetes = super.kubernetes.overridePythonAttrs (old: rec {
+        version = "18.20.0";
+        src = fetchFromGitHub {
+          owner = "kubernetes-client";
+          repo = "python";
+          rev = "v${version}";
+          sha256 = "1sawp62j7h0yksmg9jlv4ik9b9i1a1w9syywc9mv8x89wibf5ql1";
+          fetchSubmodules = true;
+        };
+      });
+
     };
   };
 
diff --git a/pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch b/pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
new file mode 100644
index 0000000000000..7ca05cf7450f8
--- /dev/null
+++ b/pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
@@ -0,0 +1,44 @@
+commit 08dbad8552ecca85d3e38072f94eb864b143d218
+Author: Niklas Hambüchen <mail@nh2.me>
+Date:   Mon Jan 22 12:52:06 2024 +0000
+
+    Cherry-pick fix for CVE-2023-49083
+    
+    Cherry-Picked-From: f09c261ca10a31fe41b1262306db7f8f1da0e48a
+    Cherry-Picked-By: Niklas Hambüchen <mail@nh2.me>
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index a3fe1bce4..58e7207c4 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2383,9 +2383,12 @@ class Backend:
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
++        certs: list[x509.Certificate] = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 4e61c5ef5..d8170bfb9 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+                 mode="rb",
+             )
+ 
++    def test_load_pkcs7_empty_certificates(self, backend):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
diff --git a/pkgs/tools/filesystems/convoy/default.nix b/pkgs/tools/filesystems/convoy/default.nix
deleted file mode 100644
index 774568fdde17a..0000000000000
--- a/pkgs/tools/filesystems/convoy/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-# This file was generated by go2nix.
-{ lib, buildGoPackage, fetchFromGitHub, lvm2 }:
-
-buildGoPackage rec {
-  pname = "convoy";
-  version = "0.5.2";
-
-  goPackagePath = "github.com/rancher/convoy";
-
-  src = fetchFromGitHub {
-    rev = "v${version}";
-    owner = "rancher";
-    repo = "convoy";
-    sha256 = "09nygrxd5hril4xcfsvgjg74xxhhimznqq4sdk0f360c5ra0dbhj";
-  };
-
-  buildInputs = [lvm2];
-
-  meta = with lib; {
-    homepage = "https://github.com/rancher/convoy";
-    description = "A Docker volume plugin, managing persistent container volumes";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ offline ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/tools/filesystems/garage/default.nix b/pkgs/tools/filesystems/garage/default.nix
index 894840d2dd04f..e34822845b406 100644
--- a/pkgs/tools/filesystems/garage/default.nix
+++ b/pkgs/tools/filesystems/garage/default.nix
@@ -24,6 +24,12 @@ let
       inherit sha256;
     };
 
+    postPatch = ''
+      # Starting in 0.9.x series, Garage is using mold in local development
+      # and this leaks in this packaging, we remove it to use the default linker.
+      rm .cargo/config.toml || true
+    '';
+
     inherit cargoSha256;
 
     nativeBuildInputs = [ protobuf pkg-config ];
@@ -68,6 +74,7 @@ let
 
     meta = {
       description = "S3-compatible object store for small self-hosted geo-distributed deployments";
+      changelog = "https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v${version}";
       homepage = "https://garagehq.deuxfleurs.fr";
       license = lib.licenses.agpl3Only;
       maintainers = with lib.maintainers; [ nickcao _0x4A6F teutat3s raitobezarius ];
@@ -82,28 +89,22 @@ rec {
   # we have to keep all the numbers in the version to handle major/minor/patch level.
   # for <1.0.
 
-  garage_0_8_4 = generic {
-    version = "0.8.4";
-    sha256 = "sha256-YgMw41ofM59h7OnHK1H8+Se5mZEdYypPIdkqbyX9qfs=";
-    cargoSha256 = "sha256-dEtksOVqy5wAPoqCuXJj3c4TB6UbR8PTaB70fbL6iR8=";
+  garage_0_8_5 = generic {
+    version = "0.8.5";
+    sha256 = "sha256-YRxkjETSmI1dcHP9qTPLcOMqXx9B2uplVR3bBjJWn3I=";
+    cargoSha256 = "sha256-VOcymlvqqQRdT1MFzRcMuD+Xo3fc3XTuRA12tW7ZjdI=";
+    broken = stdenv.isDarwin;
   };
 
-  garage_0_8 = garage_0_8_4;
-
-  garage_0_9_0 = (generic {
-    version = "0.9.0";
-    sha256 = "sha256-Bw7ohMAfnbkhl43k8KxYu2OJd5689PqDS0vAcgU09W8=";
-    cargoSha256 = "sha256-JqCt/8p24suQMRzEyTE2OkbzZCGUDLuGq32kCq3eZ7o=";
-  }).overrideAttrs (oldAttrs: {
-    patches = oldAttrs.patches or [ ] ++ [
-      (fetchpatch {
-        url = "https://git.deuxfleurs.fr/Deuxfleurs/garage/commit/c7f5dcd953ff1fdfa002a8bccfb43eafcc6fddd4.patch";
-        sha256 = "sha256-q7E6gtPjnj5O/K837LMP6LPEFcgdkifxRFrYzBuqkk0=";
-      })
-    ];
-  });
+  garage_0_8 = garage_0_8_5;
+
+  garage_0_9_1 = generic {
+    version = "0.9.1";
+    sha256 = "sha256-AXLaifVmZU4j5D/wKn/0TzhjHZBzZW1+tMyhsAo2eBU=";
+    cargoSha256 = "sha256-4/+OsM73TroBB1TGqare2xASO5KhqVyNkkss0Y0JZXg=";
+  };
 
-  garage_0_9 = garage_0_9_0;
+  garage_0_9 = garage_0_9_1;
 
   garage = garage_0_9;
 }
diff --git a/pkgs/tools/filesystems/gcsfuse/default.nix b/pkgs/tools/filesystems/gcsfuse/default.nix
index 500d5cb1f1f52..145fddb9222b5 100644
--- a/pkgs/tools/filesystems/gcsfuse/default.nix
+++ b/pkgs/tools/filesystems/gcsfuse/default.nix
@@ -5,13 +5,13 @@
 
 buildGoModule rec {
   pname = "gcsfuse";
-  version = "1.4.0";
+  version = "1.4.1";
 
   src = fetchFromGitHub {
     owner = "googlecloudplatform";
     repo = "gcsfuse";
     rev = "v${version}";
-    hash = "sha256-IrLbKBCguj2B1PvtUwCaPP+4NoLbJZRtcsNGMDDC8b8=";
+    hash = "sha256-xQWkrFuMvwloDjnIU2T1Fmfpc/2w3ISbyDhFmN/ETFA=";
   };
 
   vendorHash = "sha256-cIOjgoS3cW6GA697K0Loi76ed64Ev2jZbuOIPNRM1HU=";
diff --git a/pkgs/tools/filesystems/mergerfs/default.nix b/pkgs/tools/filesystems/mergerfs/default.nix
index 46c62b7ae4b07..699330fc70a8e 100644
--- a/pkgs/tools/filesystems/mergerfs/default.nix
+++ b/pkgs/tools/filesystems/mergerfs/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "mergerfs";
-  version = "2.38.0";
+  version = "2.38.1";
 
   src = fetchFromGitHub {
     owner = "trapexit";
     repo = pname;
     rev = version;
-    sha256 = "sha256-eENtsN9OqPpUQM+O8tPTBzDk26/F/zc2hZ4ZiXiDp2I=";
+    sha256 = "sha256-nPL+/tR09fPyeJtvUobwe38+yitwvQtLA+fxI5VPtyM=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/tools/filesystems/stratis-cli/default.nix b/pkgs/tools/filesystems/stratis-cli/default.nix
index 3a1838ef303eb..4c27b888bbaab 100644
--- a/pkgs/tools/filesystems/stratis-cli/default.nix
+++ b/pkgs/tools/filesystems/stratis-cli/default.nix
@@ -7,7 +7,7 @@
 python3Packages.buildPythonApplication rec {
   pname = "stratis-cli";
   version = "3.6.0";
-  format = "pyproject";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "stratis-storage";
@@ -16,6 +16,10 @@ python3Packages.buildPythonApplication rec {
     hash = "sha256-mLmjMofdr0U+Bfnkde7lJqPXkd1ICPYdlcsOm2nOcQA=";
   };
 
+  nativeBuildInputs = with python3Packages; [
+    setuptools
+  ];
+
   propagatedBuildInputs = with python3Packages; [
     dbus-client-gen
     dbus-python-client-gen
diff --git a/pkgs/tools/filesystems/stratisd/default.nix b/pkgs/tools/filesystems/stratisd/default.nix
index cd6ee0884637d..84a066e838e50 100644
--- a/pkgs/tools/filesystems/stratisd/default.nix
+++ b/pkgs/tools/filesystems/stratisd/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , rustPlatform
 , cargo
 , rustc
@@ -43,6 +44,22 @@ stdenv.mkDerivation rec {
     };
   };
 
+  patches = [
+    # Can be removed with the next release after v. 3.6.3
+    (fetchpatch {
+      name = "remove-unused-imports.patch";
+      url = "https://github.com/stratis-storage/stratisd/commit/78440de6e6ed8eab5ddd25dbdfb7804d0698f2a2.patch";
+      hash = "sha256-RW2nyAWaoIbqrgbhCApQsMXkJWtWoOWL3VO7fIImJgY=";
+    })
+
+    # Can be removed with the next release after v. 3.6.3
+    (fetchpatch {
+      name = "flag-import-not-used-in-build-as-test-only.patch";
+      url = "https://github.com/stratis-storage/stratisd/commit/0d1c67f71338d0ee6c1e6aa06f7fd6264ce9a4c5.patch";
+      hash = "sha256-6Nb8izUqYUirjy0dTFhITxoM/AKoChoc0w6Qm9K6+7I=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace udev/61-stratisd.rules \
       --replace stratis-base32-decode "$out/lib/udev/stratis-base32-decode" \