forked from NixOS/nixpkgs
upgrade-2020-05-17-d858110e35b #331
Open
nixos-auto-pr wants to merge 332 commits into nixos-19.09 from upgrade-2020-05-17-d858110e35b
This bumps to the latest state of the systemd 242 stable, published at https://github.com/systemd/systemd-stable/tree/v243-stable. Should cover CVE-2020-1712.

Git Log:
f8dd0f2f15 (tag: v243.7, systemd-stable/v243-stable) Revert "Support Plugable UD-PRO8 dock"
1a5428c2ab hibernate-resume-generator: wait "infinitely" for the resume device
eb3148c468 (tag: v243.6) hwdb: update to v245-rc1
f14fa558ae Fix typo in function name
fb21e13e8e polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
2e504c92d1 sd-bus: introduce API for re-enqueuing incoming messages
4d80c8f158 polkit: use structured initialization
54791aff01 polkit: on async pk requests, re-validate action/details
81532beddc polkit: reuse some common bus message appending code
4441844d58 bus-polkit: rename return error parameter to ret_error
31a1d569db shared: split out polkit stuff from bus-util.c → bus-polkit.c
560eb5babf test: adapt to the new capsh format
275b266bde meson: update efi path detection to gnu-efi-3.0.11
9239154545 presets: "disable" all passive targets by default
a827c41851 shared/sysctl-util: normalize repeated slashes or dots to a single value
fb1bfd6804 dhcp6: do not use T1 and T2 longer than one provided by the lease
ca43a515c6 network: fix implicit type conversion warning by GCC-10
421eca7edf bootspec: parse random-seed-mode line in loader.conf
34e21fc6de sd-boot: fix typo
df7b3a05c9 test: Synchronize journal before reading from it
9326efee71 sd-bus: fix introspection bug in signal parameter names
7bbdc56aaf efi: fix build.
486f8ca365 generator: order growfs for the root fs after systemd-remount-fs
56d442e29d loginctl: use /org/freedesktop/login1/session/auto when "lock-session" is called without argument
6ed1152282 Documentation update for x-systemd.{before,after}
dba3efa34a man: fix typo in systemd.netdev Xfrm example
6f9a8621d8 timesyncd: log louder when we refuse a server due to root distance
0637255d3b resolved: drop DNSSEC root key that is not valid anymore
9a135baa40 journal: don't use startswith() on something that is not a NUL-terminated string
1ff3972a0f test: add test for systemd/systemd#14560
cac79b606b core: make sure StandardInput=file: doesn't get dup'ed to stdout/stderr by default
906ba9a67d pkgconf: add full generator paths
01b93e2c68 tree-wide: we forgot to destroy some bus errors
5c9455657e mount: make checks on perpetual mount units more lax
28c58beca1 core: never allow perpetual units to be masked
d3b044b3e7 typo: "May modify to" -> "May modify"
fd378d3d3c sysctl: downgrade message when we have no permission
db4fbf5c61 Clarify journald.conf MaxLevelStore documentation
c8365f71c0 logind: refuse overriding idle hint on tty sessions
cd91f567b6 cgroup: update only siblings that got realized once
c672dcd212 mount: mark an existing "mounting" unit from /proc/self/mountinfo as "just_mounted"
a592a40564 journalctl: Correctly handle combination of --reverse and --lines (fixes NixOS#1596)
0aa144ab1d journalctl: Correctly handle --show-cursor in combination with --until or --since and --reverse
3b803a5e66 core: fix re-realization of cgroup siblings
7549dd40fc core: propagate service state to socket in more load states
af6df343b2 man: describe "symlink" and "systemctl link" explicitly in UNIT FILE LOAD PATH
a3c1ce25a7 core: be more restrictive on the dependency types we allow to be created transiently
2b9ec8384c udev: don't import parent ID_FS_ data on partitions
ecd95c507c man: fix option name
0d4f06156b Support Plugable UD-PRO8 dock
7fba869abd gpt-auto: don't assume XBOOTLDR is vfat
494c281b67 man: fix documentation of IBM VIO device naming
7271fb056a man: slightly extend documentation on difference between ID_NET_NAME_ONBOARD and ID_NET_LABEL_ONBOARD
852ae28e68 boot: fix osrel parser
2613200370 udev: do not use exact match of file permission
46477397c1 network: lower the log-level of harmless message
7163b1fe86 hwdb: ignore keys added in kernel 5.5
92f90837dc systemctl: skip non-existent units in the 'cat' verb
a67227cc99 systemd.exec: document the file system for EnvironmentFile paths
cfb4c0aca5 systemd-analyze: fixed typo in documentation
017fddd998 test-condition: fix group check condition
9d5e3cb774 umount: show correct error message
252f1a5277 Revert "Drop dbus activation stub service"
20bbfac95e man: add section about user manager units
c93ef60212 man: add remote-*.targets to the bootup sequence
55e0f99689 time-util: also use 32bit hack on EOVERFLOW
7afe2ecb02 [man] note which UID ranges will get user journals
a43b67a4c9 [man] fix URL
dedb26a8d6 analyze: badness if neither of RootImage and RootDirectory exists
714c93862a initrd: make udev cleanup service confict trigger and settle too
8932407ae1 man: we support growing xfs too these days
19af11dc07 time-util: deal with systems where userspace has 64bit time_t but kernel does not
c90229d81d [import] fix stdin/stdout pipe behavior in import/export tar/raw
39910328da cryptsetup-generator: unconfuse writing of the device timeout
fc5e6c87a4 shared/install: log syntax error for invalid DefaultInstance=
409c94a407 shared/install: provide a nicer error message for invalid WantedBy=/Required= values
70e8c1978a seccomp: real syscall numbers are >= 0
a0a1977d9a seccomp: more comprehensive protection against libseccomp's __NR_xyz namespace invasion
7f936c60d5 network: set ipv6 mtu after link-up or device mtu change
b59d88cc62 man: fix typo in net-naming-scheme man page
c5e5ac0958 man: fix typos (NixOS#14304)
9a2f26564d ipv4ll: do not reset conflict counter on restart
bc9e1ebfdd Fix typo (duplicate "or")
c6cb71b7e7 network: if /sys is rw, then udev should be around
67dcdfd956 nspawn: do not fail if udev is not running
a7938a1bc6 Create parent directories when creating systemd-private subdirs
53aa44f873 network: do not return error but return UINT64_MAX if speed meter is disabled
65abf12674 core: swap priority can be negative
b1cf452ff5 systemctl: enhance message about kexec missing kernel
07a0e5b425 man: use mkswap@ instead of makeswap@
57dc017c6b journald: don't ask for the machine ID if we don't need it
ac392a57c0 journalctl: pager_close() calls fflush(stdout) anyway as first thing
ee7dfadc82 journald: remove unused field
471073f1b5 journalctl: return EOPNOTSUPP if pcre is not enabled
002ededb61 man: drop reference to machined, add one for journald instead
fd3bd4be3b pid1: make TimeoutAbortSec settable for transient units
eb2ef4d664 pid1: fix setting of DefaultTimeoutAbortSec
1d75e29b23 shared/ask-password-api: modify keyctl break value
a16b1ee7e5 cryptsetup: reduce the chance that we will be OOM killed
4836fb010a core: write out correct field name when creating transient service units
3e2c547f6d udevd: don't use monitor after manager_exit()
d42f7d45a8 Revert "udevd: fix crash when workers time out after exit is signal caught"
c9a287eee8 man/systemd.link: Add missing verb *be*
a67a3ae04b man: document all pager variables for systemctl and systemd
3a8fce3f38 core.timer: fix "systemd-analyze dump" and docs syntax inconsistencies wrt OnTimezoneChange=
fdffd284b6 core/service: downgrade "scheduling restart" message to debug
733e7f19d3 travis: add missing closing quote sign
0d7b7817fc systemd-tmpfiles: don't install timer when service isn't installed either
0e7f83cd2b pam_systemd: prolong method call timeout when allocating session

(cherry picked from commit 53488b2)
or vgo2nix might not be able to resolve some dependencies. (cherry picked from commit d2061f0)
(cherry picked from commit 281bd03)
[19.09] gitlab 12.8.5 -> 12.8.6
[19.09] systemd: 243.3 -> 243.7
(cherry picked from commit 243cd9f)
(cherry picked from commit 8330317)
cherry-picked 4665c94 Closes NixOS#81868
(cherry picked from commit 773462c)
(cherry picked from commit 41d8bb1)
(Older version finished on Hydra.)
(Older version finished on Hydra.)
Fixes CVE-2019-14889, issue NixOS#77264. Release notes: https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/ (cherry picked from commit 7ef8a42)
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2 (cherry picked from commit 18ac6ba)
https://www.samba.org/samba/history/security.html Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux
(cherry picked from commit 500375e)
Contains only the version update from 8be61f7, the module-changes are not needed on 19.09 since the database is always configured properly here.
x86_64-linux rebuilds have finished, so let's merge to get the security fixes early.
(cherry picked from commit 291c735) /cc roundup NixOS#79725
includes fix for nC-SA-2020-015. See nextcloud/server#19976, the SA currently has a typo - addressed in nextcloud/security-advisories#21.
[19.09] nextcloud: 16.0.8 -> 16.0.9
…9.09 [19.09] Use qt5's mkDerivation in packages that otherwise crash
Kyndig on IRC noticed that building `ninja` from source would fail due to a patch 404'ing (because the repo appears to no longer exist). Fetch from upstream instead. (cherry picked from commit 91d4e9a) cc NixOS#85742
'toString false' results in an empty string, which, in this context, is a syntax error. Use boolToString instead. Fixes NixOS#86160 (cherry picked from commit c0a838d)
nixos/gitlab: Fix services.gitlab.enableStartTLSAuto
See https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ for details. (cherry picked from commit d190292)
While it's already possible to invoke `update-data` with the `--rev` argument, one still needs to run all later phases manually. Fix this, by having `update-all` also accept a `--rev` argument, and pass it down to `update-data`. Also, make the help text a bit more usable, by suggesting the usual versioning scheme used these times. (cherry picked from commit 191c2c6)
(cherry picked from commit f7ddd30)
(cherry picked from commit c86c77b)
`bundix -l` doesn't work, as it treats bundler's warning about upgrading the lockfile version as an error, so invoke `bundle lock` manually. (cherry picked from commit 4c26ab4)
https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html This update includes 2 security fixes. CVEs: CVE-2020-6462 CVE-2020-6461 (cherry picked from commit db4aece)
Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018)
…+6062 [19.09] coturn: apply patch for CVE-2020-6061/6062
(cherry picked from commit 4644776)
…l-19.09 monotone: openssl in botan is not needed, so drop to avoid old openssl
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11 This contains some important security fixes, hence the package-bump.
[19.09] chromium: 81.0.4044.122 -> 81.0.4044.129 (backport)
(cherry picked from commit 9eb6dc7)
(cherry picked from commit fdd0d0d)
[19.09] gitlab: 12.8.9 -> 12.8.10
[19.09] salt: 2019.2.0 -> 2019.2.4
(cherry picked from commit 324e40f)
(cherry picked from commit 3911336)
(cherry picked from commit f3cc8dc)
[19.09] firefox: 75.0 -> 76.0
https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop.html This update includes 3 security fixes. CVEs: CVE-2020-6831 CVE-2020-6464 (cherry picked from commit dec3d5f)
chromium: 81.0.4044.129 -> 81.0.4044.138
https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/ (cherry picked from commit 10134fc) Re-tested both briefly on 19.09.
According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api the correct option is restricted-rpc, not restrict-rpc. (cherry picked from commit e7ab236)
Automatic pull request
Update progress