This bumps to the latest state of the systemd 242 stable, published at
https://github.com/systemd/systemd-stable/tree/v243-stable.

Should cover CVE-2020-1712.

Git Log:

f8dd0f2f15 (tag: v243.7, systemd-stable/v243-stable) Revert "Support Plugable UD-PRO8 dock"
1a5428c2ab hibernate-resume-generator: wait "infinitely" for the resume device
eb3148c468 (tag: v243.6) hwdb: update to v245-rc1
f14fa558ae Fix typo in function name
fb21e13e8e polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
2e504c92d1 sd-bus: introduce API for re-enqueuing incoming messages
4d80c8f158 polkit: use structured initialization
54791aff01 polkit: on async pk requests, re-validate action/details
81532beddc polkit: reuse some common bus message appending code
4441844d58 bus-polkit: rename return error parameter to ret_error
31a1d569db shared: split out polkit stuff from bus-util.c → bus-polkit.c
560eb5babf test: adapt to the new capsh format
275b266bde meson: update efi path detection to gnu-efi-3.0.11
9239154545 presets: "disable" all passive targets by default
a827c41851 shared/sysctl-util: normalize repeated slashes or dots to a single value
fb1bfd6804 dhcp6: do not use T1 and T2 longer than one provided by the lease
ca43a515c6 network: fix implicit type conversion warning by GCC-10
421eca7edf bootspec: parse random-seed-mode line in loader.conf
34e21fc6de sd-boot: fix typo
df7b3a05c9 test: Synchronize journal before reading from it
9326efee71 sd-bus: fix introspection bug in signal parameter names
7bbdc56aaf efi: fix build.
486f8ca365 generator: order growfs for the root fs after systemd-remount-fs
56d442e29d loginctl: use /org/freedesktop/login1/session/auto when "lock-session" is called without argument
6ed1152282 Documentation update for x-systemd.{before,after}
dba3efa34a man: fix typo in systemd.netdev Xfrm example
6f9a8621d8 timesyncd: log louder when we refuse a server due to root distance
0637255d3b resolved: drop DNSSEC root key that is not valid anymore
9a135baa40 journal: don't use startswith() on something that is not a NUL-terminated string
1ff3972a0f test: add test for systemd/systemd#14560
cac79b606b core: make sure StandardInput=file: doesn't get dup'ed to stdout/stderr by default
906ba9a67d pkgconf: add full generator paths
01b93e2c68 tree-wide: we forgot to destroy some bus errors
5c9455657e mount: make checks on perpetual mount units more lax
28c58beca1 core: never allow perpetual units to be masked
d3b044b3e7 typo: "May modify to" -> "May modify"
fd378d3d3c sysctl: downgrade message when we have no permission
db4fbf5c61 Clarify journald.conf MaxLevelStore documentation
c8365f71c0 logind: refuse overriding idle hint on tty sessions
cd91f567b6 cgroup: update only siblings that got realized once
c672dcd212 mount: mark an existing "mounting" unit from /proc/self/mountinfo as "just_mounted"
a592a40564 journalctl: Correctly handle combination of --reverse and --lines (fixes NixOS#1596)
0aa144ab1d journalctl: Correctly handle --show-cursor in combination with --until or --since and --reverse
3b803a5e66 core: fix re-realization of cgroup siblings
7549dd40fc core: propagate service state to socket in more load states
af6df343b2 man: describe "symlink" and "systemctl link" explicitly in UNIT FILE LOAD PATH
a3c1ce25a7 core: be more restrictive on the dependency types we allow to be created transiently
2b9ec8384c udev: don't import parent ID_FS_ data on partitions
ecd95c507c man: fix option name
0d4f06156b Support Plugable UD-PRO8 dock
7fba869abd gpt-auto: don't assume XBOOTLDR is vfat
494c281b67 man: fix documentation of IBM VIO device naming
7271fb056a man: slightly extend documentation on difference between ID_NET_NAME_ONBOARD and ID_NET_LABEL_ONBOARD
852ae28e68 boot: fix osrel parser
2613200370 udev: do not use exact match of file permission
46477397c1 network: lower the log-level of harmless message
7163b1fe86 hwdb: ignore keys added in kernel 5.5
92f90837dc systemctl: skip non-existent units in the 'cat' verb
a67227cc99 systemd.exec: document the file system for EnvironmentFile paths
cfb4c0aca5 systemd-analyze: fixed typo in documentation
017fddd998 test-condition: fix group check condition
9d5e3cb774 umount: show correct error message
252f1a5277 Revert "Drop dbus activation stub service"
20bbfac95e man: add section about user manager units
c93ef60212 man: add remote-*.targets to the bootup sequence
55e0f99689 time-util: also use 32bit hack on EOVERFLOW
7afe2ecb02 [man] note which UID ranges will get user journals
a43b67a4c9 [man] fix URL
dedb26a8d6 analyze: badness if neither of RootImage and RootDirectory exists
714c93862a initrd: make udev cleanup service confict trigger and settle too
8932407ae1 man: we support growing xfs too these days
19af11dc07 time-util: deal with systems where userspace has 64bit time_t but kernel does not
c90229d81d [import] fix stdin/stdout pipe behavior in import/export tar/raw
39910328da cryptsetup-generator: unconfuse writing of the device timeout
fc5e6c87a4 shared/install: log syntax error for invalid DefaultInstance=
409c94a407 shared/install: provide a nicer error message for invalid WantedBy=/Required= values
70e8c1978a seccomp: real syscall numbers are >= 0
a0a1977d9a seccomp: more comprehensive protection against libseccomp's __NR_xyz namespace invasion
7f936c60d5 network: set ipv6 mtu after link-up or device mtu change
b59d88cc62 man: fix typo in net-naming-scheme man page
c5e5ac0958 man: fix typos (NixOS#14304)
9a2f26564d ipv4ll: do not reset conflict counter on restart
bc9e1ebfdd Fix typo (duplicate "or")
c6cb71b7e7 network: if /sys is rw, then udev should be around
67dcdfd956 nspawn: do not fail if udev is not running
a7938a1bc6 Create parent directories when creating systemd-private subdirs
53aa44f873 network: do not return error but return UINT64_MAX if speed meter is disabled
65abf12674 core: swap priority can be negative
b1cf452ff5 systemctl: enhance message about kexec missing kernel
07a0e5b425 man: use mkswap@ instead of makeswap@
57dc017c6b journald: don't ask for the machine ID if we don't need it
ac392a57c0 journalctl: pager_close() calls fflush(stdout) anyway as first thing
ee7dfadc82 journald: remove unused field
471073f1b5 journalctl: return EOPNOTSUPP if pcre is not enabled
002ededb61 man: drop reference to machined, add one for journald instead
fd3bd4be3b pid1: make TimeoutAbortSec settable for transient units
eb2ef4d664 pid1: fix setting of DefaultTimeoutAbortSec
1d75e29b23 shared/ask-password-api: modify keyctl break value
a16b1ee7e5 cryptsetup: reduce the chance that we will be OOM killed
4836fb010a core: write out correct field name when creating transient service units
3e2c547f6d udevd: don't use monitor after manager_exit()
d42f7d45a8 Revert "udevd: fix crash when workers time out after exit is signal caught"
c9a287eee8 man/systemd.link: Add missing verb *be*
a67a3ae04b man: document all pager variables for systemctl and systemd
3a8fce3f38 core.timer: fix "systemd-analyze dump" and docs syntax inconsistencies wrt OnTimezoneChange=
fdffd284b6 core/service: downgrade "scheduling restart" message to debug
733e7f19d3 travis: add missing closing quote sign
0d7b7817fc systemd-tmpfiles: don't install timer when service isn't installed either
0e7f83cd2b pam_systemd: prolong method call timeout when allocating session

(cherry picked from commit 53488b2)

This test fails due to OOM on the VM. Setting the memory of the VM to
1024 lets the test succeed.

Cc: @flokli
(cherry picked from commit 534f133)

or vgo2nix might not be able to resolve some dependencies.

(cherry picked from commit d2061f0)

https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/
(cherry picked from commit ab3b836)

(cherry picked from commit 281bd03)

[19.09] gitlab 12.8.5 -> 12.8.6

[19.09] systemd: 243.3 -> 243.7

(cherry picked from commit 243cd9f)

(cherry picked from commit 8330317)

cherry-picked 4665c94

Closes NixOS#81868

(cherry picked from commit 773462c)

(cherry picked from commit 41d8bb1)

fix CVE-2019-14866, backport

(Older version finished on Hydra.)

(Older version finished on Hydra.)

Fixes CVE-2019-14889, issue NixOS#77264.
Release notes: https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/

(cherry picked from commit 7ef8a42)

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543
Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2

(cherry picked from commit 18ac6ba)

https://www.samba.org/samba/history/security.html
Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux

(cherry picked from commit 500375e)

Contains only the version update from 8be61f7,
the module-changes are not needed on 19.09 since the database is always
configured properly here.

x86_64-linux rebuilds have finished, so let's merge
to get the security fixes early.

(cherry picked from commit 291c735)
/cc roundup NixOS#79725

includes fix for nC-SA-2020-015.

See nextcloud/server#19976, the SA currently
has a typo - adressed in
nextcloud/security-advisories#21.

[19.09] nextcloud: 16.0.8 -> 16.0.9

The substitition in smtpd/parse.y isn't necessary anymore.
The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define,
which will be set properly by the build system.

(cherry picked from commit 9658850)

Fixes critical vulnerability:
  https://www.mail-archive.com/[email protected]/msg04850.html

(cherry picked from commit 7b9bd59)

(cherry picked from commit 77da495)

Release notes aren't available at this time [1] it is likely to be
related to a recent mail to oss-security (either [2] or [3]).

[1] https://www.mail-archive.com/[email protected]/msg04888.html
[2] https://www.openwall.com/lists/oss-security/2020/02/24/5
[3] https://www.openwall.com/lists/oss-security/2020/02/24/4

(cherry picked from commit 09725e5)

This reverts commit 4f69f2c.

We backported the latest opensmtpd version.

This reverts commit f5c74e6.

Already included in the opensmtpd version.

build fails against our local libressl version

opensmtpd: 6.4.2p1 -> 6.6.4p1 [backport 19.09]

a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)

Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the
checksum database of the main module's go.sum.

We already use the default behavior when building `go-modules`, but Go
tries to consult the checksum database again when building the module,
and fails because since it requires `cacert` and `git` which are not
propagated when building the package.

(cherry picked from commit c5733e7)

Signed-off-by: Martin Baillie <[email protected]>
(cherry picked from commit 6e055c9)

Fixes a severe bug with subnet routing.

Signed-off-by: David Anderson <[email protected]>
(cherry picked from commit f61f686)

[19.09] openssl: 1.1.1d -> 1.1.1e

keep brave up-to-date

(cherry picked from commit 418e3e4)
Reason: Browsers should be kept up-to-date for security reasons

…_1.4.96

[19 09] brave 1.4.95 to 1.5.112

(cherry picked from commit 09f55f8)

https://lists.zx2c4.com/pipermail/wireguard/2020-March/005188.html
(cherry picked from commit e758e95)

This reverts commit 41f1484.

openssl 1.1.1e introduces breaking changes in its EOF handling.

https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html

This update includes 13 security fixes.

CVEs:
CVE-2020-6422 CVE-2020-6424 CVE-2020-6425 CVE-2020-6426 CVE-2020-6427
CVE-2020-6428 CVE-2020-6429 CVE-2019-20503 CVE-2020-6449

Note: The release of version 81 is currently on pause:
https://chromereleases.googleblog.com/2020/03/upcoming-chrome-and-chrome-os-releases.html
(cherry picked from commit fe60ff7)

https://lists.zx2c4.com/pipermail/wireguard/2020-March/005191.html
(cherry picked from commit 19ceeb6)

[19.09] chromium: 80.0.3987.132 -> 80.0.3987.149 (backport)

Changelog: https://github.com/nodejs/node/releases/tag/v12.15.0

Changelog: https://github.com/nodejs/node/releases/tag/v12.16.0

Changelog: https://github.com/nodejs/node/releases/tag/v12.16.1

fetchpatch can't be used here and fetchurl from GitHub
like in PR NixOS#82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.

This fixes the regressed python3Packages.pyopenssl build
and should unblock both channels.

(cherry picked from commit 913e6b5)

(cherry picked from commit bf453da)

(cherry picked from commit 9e98d47)

@Frostman is not in maintainers-list.nix on 19.09.
This fails the build of the `channel` and `tarball` jobs on the small
jobset.

Follow-up of NixOS#83102

[19.09 unblock] grafana: Drop Frostman from maintainers

(cherry picked from commit f9fcf29)

The tag points to the same commit hash, so the binary
is unchanged.

Signed-off-by: David Anderson <[email protected]>
(cherry picked from commit 3fa813e)

Tailscale does not support Go 1.12.

Signed-off-by: David Anderson <[email protected]>

Moved from nixos-homepage.

(cherry picked from commit d6ec410)

(cherry picked from commit 4052f9b)

(cherry picked from commit e51c7f6)

Some changes were made after final review of the package. There was a
missing runtime dependency that was discovered after merge of the
backport

(cherry picked from commit 9fe4a63)
Reason: The dependency can make the package work or not

https://about.gitlab.com/releases/2020/03/16/gitlab-12-8-7-released/
(cherry picked from commit 3a173c1)

….2.0-with_fix

[19.09] protonvpn ng 2.2.0 to 2.2.2

(cherry picked from commit 5c47359)

[19.09] signal-desktop: 1.32.1 -> 1.32.2 (backport)

(cherry picked from commit 0e5d457)

With quotes it doesn't match the Wire's screen, causing the window to not be grouped under its icon in Gnome.

(cherry picked from commit da587da)

(cherry picked from commit 38aa1ca)

[19.09] signal-desktop: 1.32.2 -> 1.32.3 (backport)

(cherry picked from commit 8ab04fd)

(cherry picked from commit 425efa5)

tailscale: init at 0.97-0 [backport 19.09]

While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.

Recently, @devhell has reported a bug with a nginx location directive
like this:

  location ~^/\~([a-z0-9_]+)(/.*)?$" {
    alias /home/$1/public_html$2;
  }

While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:

  *2 http script copy: "/home/"
  *2 http script capture: "foo"
  *2 http script copy: "/public_html/"
  *2 http script capture: "bar.txt"

In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:

  lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)

During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.

Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.

However since we're using the unaltered root from the config we have
another issue, consider this root:

  /nix/store/...-abcde/$1

Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.

While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.

I added a small NixOS VM test, which uses the example above as a
regression test.

It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:

NixOS#66532

However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.

[1]: NixOS#48337

Signed-off-by: aszlig <[email protected]>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: NixOS#80671
Fixes: NixOS#66532
(cherry picked from commit e1d63ad)

It seems the quoting breaks it just like in da587da

(cherry picked from commit e50bb280cbf5339ed671b0a7208e6aba4002c713)
(cherry picked from commit f8ccef5)

…-bin_release-19.09

[19.09] tor-browser-bundle-bin: 9.0.5 -> 9.0.7