forked from NixOS/nixpkgs
upgrade-2020-05-25-2efedf8fc74 #339
Open: nixos-auto-pr wants to merge 337 commits into nixos-19.09 from upgrade-2020-05-25-2efedf8fc74
Conversation
(cherry picked from commit 281bd03)
[19.09] gitlab 12.8.5 -> 12.8.6
[19.09] systemd: 243.3 -> 243.7
(cherry picked from commit 243cd9f)
(cherry picked from commit 8330317)
cherry-picked 4665c94 Closes NixOS#81868
(cherry picked from commit 773462c)
(cherry picked from commit 41d8bb1)
(Older version finished on Hydra.)
(Older version finished on Hydra.)
Fixes CVE-2019-14889, issue NixOS#77264. Release notes: https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/ (cherry picked from commit 7ef8a42)
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2 (cherry picked from commit 18ac6ba)
https://www.samba.org/samba/history/security.html Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux
(cherry picked from commit 500375e)
Contains only the version update from 8be61f7, the module-changes are not needed on 19.09 since the database is always configured properly here.
x86_64-linux rebuilds have finished, so let's merge to get the security fixes early.
(cherry picked from commit 291c735) /cc roundup NixOS#79725
includes fix for nC-SA-2020-015. See nextcloud/server#19976, the SA currently has a typo - addressed in nextcloud/security-advisories#21.
[19.09] nextcloud: 16.0.8 -> 16.0.9
The substitution in smtpd/parse.y isn't necessary anymore. The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define, which will be set properly by the build system. (cherry picked from commit 9658850)
Fixes critical vulnerability: https://www.mail-archive.com/[email protected]/msg04850.html (cherry picked from commit 7b9bd59)
(cherry picked from commit 77da495)
Release notes aren't available at this time [1] it is likely to be related to a recent mail to oss-security (either [2] or [3]). [1] https://www.mail-archive.com/[email protected]/msg04888.html [2] https://www.openwall.com/lists/oss-security/2020/02/24/5 [3] https://www.openwall.com/lists/oss-security/2020/02/24/4 (cherry picked from commit 09725e5)
While it's already possible to invoke `update-data` with the `--rev` argument, one still needs to run all later phases manually. Fix this, by having `update-all` also accept a `--rev` argument, and pass it down to `update-data`. Also, make the help text a bit more usable, by suggesting the usual versioning scheme used these times. (cherry picked from commit 191c2c6)
(cherry picked from commit f7ddd30)
(cherry picked from commit c86c77b)
`bundix -l` doesn't work, as it treats bundler's warning about upgrading the lockfile version as an error, so invoke `bundle lock` manually. (cherry picked from commit 4c26ab4)
https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html This update includes 2 security fixes. CVEs: CVE-2020-6462 CVE-2020-6461 (cherry picked from commit db4aece)
Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018)
…+6062 [19.09] coturn: apply patch for CVE-2020-6061/6062
(cherry picked from commit 4644776)
…l-19.09 monotone: openssl in botan is not needed, so drop to avoid old openssl
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11 This contains some important security fixes, hence the package-bump.
[19.09] chromium: 81.0.4044.122 -> 81.0.4044.129 (backport)
(cherry picked from commit 9eb6dc7)
(cherry picked from commit fdd0d0d)
[19.09] gitlab: 12.8.9 -> 12.8.10
[19.09] salt: 2019.2.0 -> 2019.2.4
(cherry picked from commit 324e40f)
(cherry picked from commit 3911336)
(cherry picked from commit f3cc8dc)
[19.09] firefox: 75.0 -> 76.0
https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop.html This update includes 3 security fixes. CVEs: CVE-2020-6831 CVE-2020-6464 (cherry picked from commit dec3d5f)
chromium: 81.0.4044.129 -> 81.0.4044.138
https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/ (cherry picked from commit 10134fc) Re-tested both briefly on 19.09.
According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api the correct option is restricted-rpc, not restrict-rpc. (cherry picked from commit e7ab236)
Regression introduced by bce5268.

The bit size of the initialisation vector for AES GCM has been introduced in NSS version 3.52 in the CK_GCM_PARAMS struct via the ulIvBits field. Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it gets initialised to zero, which in turn causes IV generation to fail.

I found out about this because WebRTC stopped working after updating to NSS 3.52 and so I started bisecting. Since there wasn't an obvious error in Firefox hinting towards NSS but instead just the video stream ended up as a "null" stream, I didn't suspect the NSS update to be the culprit at first. So I verified a few times and then also started bisecting the actual commit in NSS that caused the issue.

This turned out to be the problematic change: https://phabricator.services.mozilla.com/D63241

> One notable change was caused by an inconsistency between the spec and the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS#11 v3.0 resolved the issue in favor of the header file definition.

Since the test I've used[1] was a bit flaky, I still didn't believe the result of the bisect to be accurate, but after running the test several times leading to the same results I dug through the above change line by line to get more clues.

It fortunately didn't take that long to stumble upon the ulIvBits change (which is actually documented in the NSS 3.52 release notes[4], but I managed to blatantly ignore it for some reason) and started checking the Firefox source tree for changes regarding that field.

Initialisation of that new field has been introduced[2] in preparation for the 76 release, but subsequently got reverted[3] prior to the release, because Firefox 76 is expected to be shipped with NSS 3.51, which didn't have the ulIvBits field.

The patch I'm adding here is just a reintroduction of that change, because we're using NSS 3.52.

Not initialising that field will break WebRTC and WebCrypto, which I think the former seems to gain in popularity these days ;-)

Tested the change against the mentioned VM test[1] and also by testing manually using Jitsi Meet and Nextcloud Talk.

[1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
[2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
[3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
[4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes

Signed-off-by: aszlig <[email protected]>
(cherry picked from commit 8fb4997 & moved to packages.nix)
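The ulIvBits regression described in the commit message above, as an added C example that is not part of the nixpkgs change, the NSS code or the Firefox patch: it mirrors the PKCS#11 v3.0 CK_GCM_PARAMS layout locally so it compiles without the NSS headers (the field names and order are taken from the public header and are an assumption here), places a zero-initialised fill that leaves ulIvBits at 0 beside one that derives it from ulIvLen, and adds a consistency check that rejects the former before the parameters reach the token rather than letting the failure surface later as a "null" media stream. The IV and AAD bytes are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Local mirror of the CK_GCM_PARAMS layout from PKCS#11 v3.0 (the layout NSS
 * 3.52 switched to), defined here so the example builds without NSS headers.
 * Assumption: field names and order follow the public pkcs11t.h. */
typedef unsigned char CK_BYTE;
typedef CK_BYTE *CK_BYTE_PTR;
typedef unsigned long CK_ULONG;

typedef struct CK_GCM_PARAMS {
    CK_BYTE_PTR pIv;
    CK_ULONG ulIvLen;   /* IV length in bytes; pre-3.52 callers set only this */
    CK_ULONG ulIvBits;  /* IV length in bits; new with the v3.0 layout */
    CK_BYTE_PTR pAAD;
    CK_ULONG ulAADLen;
    CK_ULONG ulTagBits;
} CK_GCM_PARAMS;

/* Pre-3.52 style fill: zero the struct and set the fields that existed in the
 * old layout. Against the new header ulIvBits stays 0, which is the regression
 * the commit message describes. */
static void fill_gcm_params_legacy(CK_GCM_PARAMS *p, CK_BYTE_PTR iv, CK_ULONG iv_len,
                                   CK_BYTE_PTR aad, CK_ULONG aad_len, CK_ULONG tag_bits)
{
    memset(p, 0, sizeof *p);
    p->pIv = iv;
    p->ulIvLen = iv_len;
    p->pAAD = aad;
    p->ulAADLen = aad_len;
    p->ulTagBits = tag_bits;
}

/* Fixed fill: the same, plus ulIvBits derived from the byte length so the two
 * IV size fields cannot disagree. */
static void fill_gcm_params_fixed(CK_GCM_PARAMS *p, CK_BYTE_PTR iv, CK_ULONG iv_len,
                                  CK_BYTE_PTR aad, CK_ULONG aad_len, CK_ULONG tag_bits)
{
    fill_gcm_params_legacy(p, iv, iv_len, aad, aad_len, tag_bits);
    p->ulIvBits = iv_len * 8;
}

/* Check to run before handing the params to the token: returns 1 when an IV is
 * present and its bit and byte lengths agree, 0 otherwise. A zeroed ulIvBits
 * fails here instead of failing silently inside IV generation. */
static int gcm_params_consistent(const CK_GCM_PARAMS *p)
{
    if (p == NULL || p->pIv == NULL || p->ulIvLen == 0)
        return 0;
    if (p->ulIvBits != p->ulIvLen * 8)
        return 0;
    return 1;
}

/* Constructed sample data: a 96-bit IV (the usual GCM nonce size) and some AAD. */
static CK_BYTE sample_iv[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
static CK_BYTE sample_aad[4] = {0xde, 0xad, 0xbe, 0xef};

/* Verdict for a legacy-style fill: 0, because ulIvBits was left at zero. */
static int legacy_fill_verdict(void)
{
    CK_GCM_PARAMS p;
    fill_gcm_params_legacy(&p, sample_iv, sizeof sample_iv, sample_aad, sizeof sample_aad, 128);
    return gcm_params_consistent(&p);
}

/* Verdict for the fixed fill: 1. */
static int fixed_fill_verdict(void)
{
    CK_GCM_PARAMS p;
    fill_gcm_params_fixed(&p, sample_iv, sizeof sample_iv, sample_aad, sizeof sample_aad, 128);
    return gcm_params_consistent(&p);
}

/* ulIvBits after the fixed fill: 96 for a 12-byte IV. */
static CK_ULONG fixed_fill_iv_bits(void)
{
    CK_GCM_PARAMS p;
    fill_gcm_params_fixed(&p, sample_iv, sizeof sample_iv, sample_aad, sizeof sample_aad, 128);
    return p.ulIvBits;
}
```

Deriving ulIvBits from ulIvLen in one place, rather than setting the two independently, is the design point: a header that gains a field will zero it under `memset`, and a check that ties the fields together turns that silent zero into an early, visible failure.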
(cherry picked from commit b70435e)
[19.09] firefox: Add patch to fix AES GCM IV bit size
Since M81 won't receive any updates anymore and there are known vulnerabilities we should mark it as insecure so that users are aware of the risks. Updating Chromium to M83 is unfortunately too challenging for 19.09, but as of today we've already covered the one month period of security updates for "oldstable" and both 20.03 and nixos-unstable contain recent versions (i.e. users should either update to the current stable release or install Chromium from a different channel). nixos-unstable PR for M83: NixOS#88206
[19.09] chromium: Mark as insecure
Automatic pull request
Update progress