| Age | Commit message (Collapse) | Author |
|---|
|
|
|
We can use use `stdenv.hostPlatform.isStatic` instead, and move the
logic per package. The least opionated benefit of this is that it makes
it much easier to replace packages with modified ones, as there is no
longer any issue of overlay order.
CC @FRidh @matthewbauer
|
|
Fixes: CVE-2020-1971
Closes: #106218
|
|
This reverts commit c778945806b44d46ec16bc4302e7e7163e6bab97.
I believe this is exactly what brings the staging branch into
the right shape after the last merge from master (through staging-next);
otherwise part of staging changes would be lost
(due to being already reachable from master but reverted).
|
|
I'm sorry; I didn't notice it contained staging commits.
This reverts commit 17f5305b6c20df795c365368d2d868266519599e, reversing
changes made to a8a018ddc0a8b5c3d4fa94c94b672c37356bc075.
|
|
|
|
This adds a warning to the top of each “boot” package that reads:
Note: this package is used for bootstrapping fetchurl, and thus cannot
use fetchpatch! All mutable patches (generated by GitHub or cgit) that
are needed here should be included directly in Nixpkgs as files.
This makes it clear to maintainer that they may need to treat this
package a little differently than others. Importantly, we can’t use
fetchpatch here due to using <nix/fetchurl.nix>. To avoid having stale
hashes, we need to include patches that are subject to changing
overtime (for instance, gitweb’s patches contain a version number at
the bottom).
|
|
Fixes: CVE-2020-1967
Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================
Severity: High
Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.
OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This
issue did not affect OpenSSL versions prior to 1.1.1d.
Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g
This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
- -fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.
|
|
|
|
|
|
|
|
|
|
https://github.com/pyca/pyopenssl/issues/899#issuecomment-607709065
The tests in python3.pkgs.pyopenssl succeed!
Fixing this problem we experienced is listed as the only major change:
https://www.openssl.org/news/openssl-1.1.1-notes.html
|
|
fetchpatch can't be used here and fetchurl from GitHub
like in PR #82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.
(cherry picked from commit 2071e3be28ee0d6ec46056352c88b88f5c0d7f60)
|
|
|
|
|
|
No vulnerabilities are know so far (to me), but still I'd go this way.
Especially for 20.03 it seems better to deprecate it before official
release happens.
Current casualties:
$ ./maintainers/scripts/rebuild-amount.sh --print HEAD HEAD^
Estimating rebuild amount by counting changed Hydra jobs.
87 x86_64-darwin
161 x86_64-linux
|
|
Thanks to python3Minimal. This reverts part of c2038483f #79738.
|
|
It's certainly better to have those two caveats than not evaluate.
Both seem rather niche. Unfortunately I failed to find a better way.
I started testing builds of several cross variants; all seem OK.
|
|
* pkgsStatic: make OpenSSL 1.1 compile
|
|
fixes #77779
|
|
|
|
Fixes #77266: CVE-2019-1551
https://www.openssl.org/news/secadv/20191206.txt
(cherry picked from commit 961d0cf9f5f5e762eacb1ceda10d45cd35a81662)
Oops - I realized too late that the rebuild amount is minimal,
so why not have it immediately in master.
|
|
fix openssl for cross compilation
|
|
unbreaks pkgsi686Linux.openssl_1_0_2
|
|
|
|
|
|
|
|
This reverts commit f8a8fc6c7c079de430fa528f688ddac781bcef16.
|
|
This reverts commit 41af38f3728bd64b80721c44ed1fb019978cbc1b, reversing
changes made to f0fec244ca380b9d3e617ee7b419c59758c8b0f1.
Let's delay this. We have some serious regressions.
|
|
|
|
(cherry picked from commit 76d54c72acaaa32e2c1f8b13002f0ceac3b7b06f)
|
|
(cherry picked from commit aa6327c29c2de41a61db5aef8444385c531d4cc2)
|
|
|
|
|
|
|
|
|
|
treewide replacement of
stdenv.mkDerivation rec {
name = "*-${version}";
version = "*";
to pname
|
|
* treewide: remove unused variables
* making ofborg happy
|
|
This reverts commit aae4c114a4f8e722ed221d47ecbb6a391682bca9.
|
|
https://mta.openssl.org/pipermail/openssl-announce/2019-May/000153.html
|
|
https://mta.openssl.org/pipermail/openssl-announce/2019-May/000151.html
|
|
Closes https://github.com/NixOS/nixpkgs/pull/61827.
Fixes https://github.com/NixOS/nixpkgs/issues/60107.
|
|
|
|
|
|
Fixes https://github.com/NixOS/nixpkgs/issues/54437
|
|
This prevents cluttering up openssl_1_1.out with many megabytes of
documentation.
Fixes #51659
|
|
|
|
Fixes issue #50921. Build result was depending on build perl instead of
host perl which broke cross compilation.
|
|
|
