Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

upgrade-2020-05-28-2efedf8fc74 #342

Open
wants to merge 337 commits into
base: nixos-19.09
Choose a base branch
from
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Mar 12, 2020

  1. Configuration menu
    Copy the full SHA
    6e67910 View commit details
    Browse the repository at this point in the history
  2. linux: 4.4.215 -> 4.4.216

    NeQuissimus committed Mar 12, 2020
    Configuration menu
    Copy the full SHA
    4f40468 View commit details
    Browse the repository at this point in the history
  3. linux: 4.9.215 -> 4.9.216

    NeQuissimus committed Mar 12, 2020
    Configuration menu
    Copy the full SHA
    d4acdf5 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    8d27ad5 View commit details
    Browse the repository at this point in the history
  5. gitaly: 12.8.5 -> 12.8.6

    (cherry picked from commit 281bd03)
    flokli committed Mar 12, 2020
    Configuration menu
    Copy the full SHA
    d4148a7 View commit details
    Browse the repository at this point in the history
  6. Merge pull request NixOS#82376 from flokli/19.09-gitlab-12.8.6

    [19.09] gitlab 12.8.5 -> 12.8.6
    flokli authored Mar 12, 2020
    Configuration menu
    Copy the full SHA
    71b727e View commit details
    Browse the repository at this point in the history
  7. Merge pull request NixOS#82354 from flokli/19.09-systemd-243.7

    [19.09] systemd: 243.3 -> 243.7
    flokli authored Mar 12, 2020
    Configuration menu
    Copy the full SHA
    68d2f83 View commit details
    Browse the repository at this point in the history

Commits on Mar 14, 2020

  1. thunderbird: 68.5.0 -> 68.6.0

    (cherry picked from commit 243cd9f)
    taku0 authored and alyssais committed Mar 14, 2020
    Configuration menu
    Copy the full SHA
    d0bdce3 View commit details
    Browse the repository at this point in the history
  2. thunderbird-bin: 68.5.0 -> 68.6.0

    (cherry picked from commit 8330317)
    taku0 authored and alyssais committed Mar 14, 2020
    Configuration menu
    Copy the full SHA
    64565f9 View commit details
    Browse the repository at this point in the history
  3. skypeforlinux: 8.51.0.92 -> 8.56.0.103

    cherry-picked 4665c94
    
    Closes NixOS#81868
    r-ryantm authored and FRidh committed Mar 14, 2020
    Configuration menu
    Copy the full SHA
    68ad45f View commit details
    Browse the repository at this point in the history
  4. openjpeg: add patch for CVE-2020-6851

    (cherry picked from commit 773462c)
    mmilata authored and alyssais committed Mar 14, 2020
    Configuration menu
    Copy the full SHA
    1524ffc View commit details
    Browse the repository at this point in the history
  5. openjpeg: add patch for CVE-2020-8112

    (cherry picked from commit 41d8bb1)
    mmilata authored and alyssais committed Mar 14, 2020
    Configuration menu
    Copy the full SHA
    3b9b10e View commit details
    Browse the repository at this point in the history

Commits on Mar 15, 2020

  1. Configuration menu
    Copy the full SHA
    c26a26d View commit details
    Browse the repository at this point in the history
  2. Merge branch 'staging-19.09' into release-19.09

    (Older version finished on Hydra.)
    vcunat committed Mar 15, 2020
    Configuration menu
    Copy the full SHA
    021b296 View commit details
    Browse the repository at this point in the history
  3. Merge branch 'staging-19.09' into release-19.09

    (Older version finished on Hydra.)
    vcunat committed Mar 15, 2020
    Configuration menu
    Copy the full SHA
    686362c View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    0c2b734 View commit details
    Browse the repository at this point in the history
  5. libssh: 0.8.7 -> 0.8.8

    mmilata authored and vcunat committed Mar 15, 2020
    Configuration menu
    Copy the full SHA
    45f415a View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    cdd33cb View commit details
    Browse the repository at this point in the history
  7. samba4: patch all remaining security issues

    https://www.samba.org/samba/history/security.html
    Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux
    vcunat committed Mar 15, 2020
    Configuration menu
    Copy the full SHA
    7d27cc8 View commit details
    Browse the repository at this point in the history

Commits on Mar 16, 2020

  1. python3Packages.signedjson: 1.0.0 -> 1.1.0

    (cherry picked from commit 500375e)
    Ma27 committed Mar 16, 2020
    Configuration menu
    Copy the full SHA
    a9d4746 View commit details
    Browse the repository at this point in the history
  2. matrix-synapse: 1.9.1 -> 1.11.1

    Contains only the version update from 8be61f7,
    the module-changes are not needed on 19.09 since the database is always
    configured properly here.
    Ma27 committed Mar 16, 2020
    Configuration menu
    Copy the full SHA
    dce33f1 View commit details
    Browse the repository at this point in the history
  3. Merge branch 'staging-19.09' into release-19.09

    x86_64-linux rebuilds have finished, so let's merge
    to get the security fixes early.
    vcunat committed Mar 16, 2020
    Configuration menu
    Copy the full SHA
    107ffbb View commit details
    Browse the repository at this point in the history
  4. libxml2: add patch for CVE-2019-20388

    (cherry picked from commit 291c735)
    /cc roundup NixOS#79725
    mmilata authored and vcunat committed Mar 16, 2020
    Configuration menu
    Copy the full SHA
    9a808dd View commit details
    Browse the repository at this point in the history
  5. nextcloud: 16.0.8 -> 16.0.9

    includes fix for nC-SA-2020-015.
    
    See nextcloud/server#19976, the SA currently
    has a typo - adressed in
    nextcloud/security-advisories#21.
    flokli committed Mar 16, 2020
    Configuration menu
    Copy the full SHA
    311c3fd View commit details
    Browse the repository at this point in the history
  6. Merge pull request NixOS#82697 from flokli/19.09-nextcloud-16.0.9

    [19.09] nextcloud: 16.0.8 -> 16.0.9
    flokli authored Mar 16, 2020
    Configuration menu
    Copy the full SHA
    8d7fd7e View commit details
    Browse the repository at this point in the history

Commits on Mar 17, 2020

  1. Configuration menu
    Copy the full SHA
    4f69f2c View commit details
    Browse the repository at this point in the history
  2. opensmtpd: 6.4.2p1 -> 6.6.1p1

    The substitition in smtpd/parse.y isn't necessary anymore.
    The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define,
    which will be set properly by the build system.
    
    (cherry picked from commit 9658850)
    flokli authored and Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    7db6a85 View commit details
    Browse the repository at this point in the history
  3. opensmtpd: 6.6.1p1 -> 6.6.2p1

    Fixes critical vulnerability:
      https://www.mail-archive.com/[email protected]/msg04850.html
    
    (cherry picked from commit 7b9bd59)
    fpletz authored and Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    3ecd571 View commit details
    Browse the repository at this point in the history
  4. opensmtpd: 6.6.2p1 -> 6.6.3p1

    (cherry picked from commit 77da495)
    r-ryantm authored and Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    7a106bd View commit details
    Browse the repository at this point in the history
  5. opensmtpd: 6.6.3p1 -> 6.6.4p1

    Release notes aren't available at this time [1] it is likely to be
    related to a recent mail to oss-security (either [2] or [3]).
    
    [1] https://www.mail-archive.com/[email protected]/msg04888.html
    [2] https://www.openwall.com/lists/oss-security/2020/02/24/5
    [3] https://www.openwall.com/lists/oss-security/2020/02/24/4
    
    (cherry picked from commit 09725e5)
    andir authored and Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    521c676 View commit details
    Browse the repository at this point in the history
  6. Revert "opensmtpd: mark as insecure due to CVE-2020-8794 / NixOS#80978"

    This reverts commit 4f69f2c.
    
    We backported the latest opensmtpd version.
    Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    ce282f0 View commit details
    Browse the repository at this point in the history
  7. Revert "opensmtpd: apply patch for CVE-2020-7247.patch"

    This reverts commit f5c74e6.
    
    Already included in the opensmtpd version.
    Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    fe67f42 View commit details
    Browse the repository at this point in the history
  8. opensmtpd: build against openssl

    build fails against our local libressl version
    Mic92 committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    29431a0 View commit details
    Browse the repository at this point in the history
  9. Merge pull request NixOS#82775 from Mic92/opensmtpd-backport

    opensmtpd: 6.4.2p1 -> 6.6.4p1 [backport 19.09]
    obadz authored Mar 17, 2020
    Configuration menu
    Copy the full SHA
    bf7c0f0 View commit details
    Browse the repository at this point in the history
  10. openssl: 1.1.1d -> 1.1.1e

    a "Low severity" [0] security issue:
    
    > Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
    > in exponentiation with 512-bit moduli (CVE-2019-1551)
    
    [0] https://www.openssl.org/news/vulnerabilities.html#y2019
    
    (cherry picked from commit abecf82)
    andir committed Mar 17, 2020
    Configuration menu
    Copy the full SHA
    41f1484 View commit details
    Browse the repository at this point in the history
  11. Configuration menu
    Copy the full SHA
    30fdf95 View commit details
    Browse the repository at this point in the history

Commits on Mar 18, 2020

  1. buildGoModule: disable consult the checksum database on build

    Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the
    checksum database of the main module's go.sum.
    
    We already use the default behavior when building `go-modules`, but Go
    tries to consult the checksum database again when building the module,
    and fails because since it requires `cacert` and `git` which are not
    propagated when building the package.
    
    (cherry picked from commit c5733e7)
    marsam authored and danderson committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    0e1cf19 View commit details
    Browse the repository at this point in the history
  2. tailscale: init at 0.96-33

    Signed-off-by: Martin Baillie <[email protected]>
    (cherry picked from commit 6e055c9)
    Martin Baillie authored and danderson committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    dd9a493 View commit details
    Browse the repository at this point in the history
  3. tailscale: 0.96-33 -> 0.97-0.

    Fixes a severe bug with subnet routing.
    
    Signed-off-by: David Anderson <[email protected]>
    (cherry picked from commit f61f686)
    danderson committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    65ff637 View commit details
    Browse the repository at this point in the history
  4. Merge pull request NixOS#82791 from andir/19.09/openssl

    [19.09] openssl: 1.1.1d -> 1.1.1e
    andir authored Mar 18, 2020
    Configuration menu
    Copy the full SHA
    87834cb View commit details
    Browse the repository at this point in the history
  5. Configuration menu
    Copy the full SHA
    b0055f4 View commit details
    Browse the repository at this point in the history

Commits on Mar 19, 2020

  1. brave: 1.4.96 -> 1.5.112

    keep brave up-to-date
    
    (cherry picked from commit 418e3e4)
    Reason: Browsers should be kept up-to-date for security reasons
    JeffLabonte committed Mar 19, 2020
    Configuration menu
    Copy the full SHA
    0e01f4f View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#81789 from JeffLabonte/19_09-brave_1.4.95_to…

    …_1.4.96
    
    [19 09] brave 1.4.95 to 1.5.112
    grahamc authored Mar 19, 2020
    Configuration menu
    Copy the full SHA
    8963012 View commit details
    Browse the repository at this point in the history
  3. riot-web: 1.5.10 -> 1.5.13

    (cherry picked from commit 09f55f8)
    Ma27 committed Mar 19, 2020
    Configuration menu
    Copy the full SHA
    493a837 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    5d89c0b View commit details
    Browse the repository at this point in the history
  5. Revert "openssl: 1.1.1d -> 1.1.1e"

    This reverts commit 41f1484.
    
    openssl 1.1.1e introduces breaking changes in its EOF handling.
    KamilaBorowska committed Mar 19, 2020
    Configuration menu
    Copy the full SHA
    49eed3a View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    359de6b View commit details
    Browse the repository at this point in the history

Commits on Mar 20, 2020

  1. Configuration menu
    Copy the full SHA
    490d066 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#82958 from primeos/chromium-backport

    [19.09] chromium: 80.0.3987.132 -> 80.0.3987.149 (backport)
    primeos authored Mar 20, 2020
    Configuration menu
    Copy the full SHA
    db12da3 View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    2cc4474 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    9b2a26d View commit details
    Browse the repository at this point in the history
  5. Configuration menu
    Copy the full SHA
    8e47767 View commit details
    Browse the repository at this point in the history

Commits on Mar 21, 2020

  1. openssl(_1_1): patch CVE-2019-1551

    fetchpatch can't be used here and fetchurl from GitHub
    like in PR NixOS#82928 has the risk of breaking the hash later;
    fortunately the patches aren't too large.
    vcunat committed Mar 21, 2020
    Configuration menu
    Copy the full SHA
    2071e3b View commit details
    Browse the repository at this point in the history
  2. Merge openssl(_1_1) downgrade (into release-19.09)

    This fixes the regressed python3Packages.pyopenssl build
    and should unblock both channels.
    vcunat committed Mar 21, 2020
    Configuration menu
    Copy the full SHA
    b2d71b4 View commit details
    Browse the repository at this point in the history
  3. grafana: 6.6.2 -> 6.7.0

    (cherry picked from commit 913e6b5)
    Frostman authored and Ma27 committed Mar 21, 2020
    Configuration menu
    Copy the full SHA
    36cbcdc View commit details
    Browse the repository at this point in the history
  4. grafana: 6.7.0 -> 6.7.1

    (cherry picked from commit bf453da)
    Frostman authored and Ma27 committed Mar 21, 2020
    Configuration menu
    Copy the full SHA
    c3a9111 View commit details
    Browse the repository at this point in the history
  5. grafana: add Frostman to maintainers

    (cherry picked from commit 9e98d47)
    Frostman authored and Ma27 committed Mar 21, 2020
    Configuration menu
    Copy the full SHA
    85600b7 View commit details
    Browse the repository at this point in the history

Commits on Mar 22, 2020

  1. grafana: Drop Frostman from maintainers

    @Frostman is not in maintainers-list.nix on 19.09.
    This fails the build of the `channel` and `tarball` jobs on the small
    jobset.
    
    Follow-up of NixOS#83102
    dasJ committed Mar 22, 2020
    Configuration menu
    Copy the full SHA
    4aac2c3 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#83109 from helsinki-systems/bp-drop-frostman

    [19.09 unblock] grafana: Drop Frostman from maintainers
    Ma27 authored Mar 22, 2020
    Configuration menu
    Copy the full SHA
    8b8e73a View commit details
    Browse the repository at this point in the history
  3. linux: 5.4.24 -> 5.4.25

    (cherry picked from commit f9fcf29)
    NeQuissimus committed Mar 22, 2020
    Configuration menu
    Copy the full SHA
    534e341 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    fb2dcec View commit details
    Browse the repository at this point in the history
  5. Configuration menu
    Copy the full SHA
    5801ac4 View commit details
    Browse the repository at this point in the history
  6. linux: 4.4.216 -> 4.4.217

    NeQuissimus committed Mar 22, 2020
    Configuration menu
    Copy the full SHA
    dbea1f6 View commit details
    Browse the repository at this point in the history
  7. linux: 4.9.216 -> 4.9.217

    NeQuissimus committed Mar 22, 2020
    Configuration menu
    Copy the full SHA
    7dfe28c View commit details
    Browse the repository at this point in the history
  8. linux: 5.4.25 -> 5.4.27

    NeQuissimus committed Mar 22, 2020
    Configuration menu
    Copy the full SHA
    216cd6c View commit details
    Browse the repository at this point in the history

Commits on Mar 23, 2020

  1. tailscale: switch version and git ref to use a tag.

    The tag points to the same commit hash, so the binary
    is unchanged.
    
    Signed-off-by: David Anderson <[email protected]>
    (cherry picked from commit 3fa813e)
    danderson committed Mar 23, 2020
    Configuration menu
    Copy the full SHA
    75569aa View commit details
    Browse the repository at this point in the history
  2. tailscale: build using Go 1.13 explicitly.

    Tailscale does not support Go 1.12.
    
    Signed-off-by: David Anderson <[email protected]>
    danderson committed Mar 23, 2020
    Configuration menu
    Copy the full SHA
    609a3da View commit details
    Browse the repository at this point in the history

Commits on Mar 24, 2020

  1. Add packages.json to the tarball job

    Moved from nixos-homepage.
    
    (cherry picked from commit d6ec410)
    edolstra committed Mar 24, 2020
    Configuration menu
    Copy the full SHA
    96c4045 View commit details
    Browse the repository at this point in the history
  2. Compress optionsJSON using brotli

    (cherry picked from commit 4052f9b)
    edolstra committed Mar 24, 2020
    Configuration menu
    Copy the full SHA
    0ce53c4 View commit details
    Browse the repository at this point in the history
  3. nixos/release-small.nix: Export options job

    (cherry picked from commit e51c7f6)
    edolstra committed Mar 24, 2020
    Configuration menu
    Copy the full SHA
    1a54743 View commit details
    Browse the repository at this point in the history

Commits on Mar 25, 2020

  1. protonvpn-cli-ng: 2.2.0 -> 2.2.2

    Some changes were made after final review of the package. There was a
    missing runtime dependency that was discovered after merge of the
    backport
    
    (cherry picked from commit 9fe4a63)
    Reason: The dependency can make the package work or not
    JeffLabonte committed Mar 25, 2020
    Configuration menu
    Copy the full SHA
    c0ce6d0 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    da19ebc View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    67643b0 View commit details
    Browse the repository at this point in the history
  4. linux: 5.4.27 -> 5.4.28

    NeQuissimus committed Mar 25, 2020
    Configuration menu
    Copy the full SHA
    6f11eda View commit details
    Browse the repository at this point in the history

Commits on Mar 26, 2020

  1. Merge pull request NixOS#83328 from JeffLabonte/update_protonvpn_ng_2…

    ….2.0-with_fix
    
    [19.09] protonvpn ng 2.2.0 to 2.2.2
    bhipple authored Mar 26, 2020
    Configuration menu
    Copy the full SHA
    ae48415 View commit details
    Browse the repository at this point in the history
  2. signal-desktop: 1.32.1 -> 1.32.2

    (cherry picked from commit 5c47359)
    primeos committed Mar 26, 2020
    Configuration menu
    Copy the full SHA
    d5895b9 View commit details
    Browse the repository at this point in the history
  3. Merge pull request NixOS#83417 from primeos/signal-desktop-backport

    [19.09] signal-desktop: 1.32.1 -> 1.32.2 (backport)
    primeos authored Mar 26, 2020
    Configuration menu
    Copy the full SHA
    59c3b5f View commit details
    Browse the repository at this point in the history
  4. nix-bash-completions: 0.6.7 -> 0.6.8 (NixOS#81019)

    (cherry picked from commit 0e5d457)
    hedning authored and bjornfor committed Mar 26, 2020
    Configuration menu
    Copy the full SHA
    008fc89 View commit details
    Browse the repository at this point in the history
  5. wire-desktop: Fix StartupWMClass

    With quotes it doesn't match the Wire's screen, causing the window to not be grouped under its icon in Gnome.
    
    (cherry picked from commit da587da)
    arianvp authored and worldofpeace committed Mar 26, 2020
    Configuration menu
    Copy the full SHA
    df07596 View commit details
    Browse the repository at this point in the history
  6. signal-desktop: 1.32.2 -> 1.32.3

    (cherry picked from commit 38aa1ca)
    primeos committed Mar 26, 2020
    Configuration menu
    Copy the full SHA
    a932b1c View commit details
    Browse the repository at this point in the history
  7. Merge pull request NixOS#83450 from primeos/signal-desktop-backport

    [19.09] signal-desktop: 1.32.2 -> 1.32.3 (backport)
    primeos authored Mar 26, 2020
    Configuration menu
    Copy the full SHA
    3be8b45 View commit details
    Browse the repository at this point in the history

Commits on Mar 27, 2020

  1. gitlab: 12.8.7 -> 12.8.8

    (cherry picked from commit 8ab04fd)
    flokli authored and globin committed Mar 27, 2020
    Configuration menu
    Copy the full SHA
    fbdb1ae View commit details
    Browse the repository at this point in the history
  2. matrix-synapse: 1.11.1 -> 1.12.0

    (cherry picked from commit 425efa5)
    ajs124 authored and Ma27 committed Mar 27, 2020
    Configuration menu
    Copy the full SHA
    1881b34 View commit details
    Browse the repository at this point in the history
  3. Merge pull request NixOS#82831 from danderson/tailscale-19.09

    tailscale: init at 0.97-0 [backport 19.09]
    grahamc authored Mar 27, 2020
    Configuration menu
    Copy the full SHA
    64a3ccb View commit details
    Browse the repository at this point in the history
  4. bluez: apply patches for CVE-2020-0556

    bhipple authored and jonringer committed Mar 27, 2020
    Configuration menu
    Copy the full SHA
    939178c View commit details
    Browse the repository at this point in the history

Commits on Mar 28, 2020

  1. nginx: Fix ETag patch to ignore realpath(3) error

    While our ETag patch works pretty fine if it comes to serving data off
    store paths, it unfortunately broke something that might be a bit more
    common, namely when using regexes to extract path components of
    location directives for example.
    
    Recently, @devhell has reported a bug with a nginx location directive
    like this:
    
      location ~^/\~([a-z0-9_]+)(/.*)?$" {
        alias /home/$1/public_html$2;
      }
    
    While this might look harmless at first glance, it does however cause
    issues with our ETag patch. The alias directive gets broken up by nginx
    like this:
    
      *2 http script copy: "/home/"
      *2 http script capture: "foo"
      *2 http script copy: "/public_html/"
      *2 http script capture: "bar.txt"
    
    In our patch however, we use realpath(3) to get the canonicalised path
    from ngx_http_core_loc_conf_s.root, which returns the *configured* value
    from the root or alias directive. So in the example above, realpath(3)
    boils down to the following syscalls:
    
      lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
      lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)
    
    During my review[1] of the initial patch, I didn't actually notice that
    what we're doing here is returning NGX_ERROR if the realpath(3) call
    fails, which in turn causes an HTTP 500 error.
    
    Since our patch actually made the canonicalisation (and thus additional
    syscalls) necessary, we really shouldn't introduce an additional error
    so let's - at least for now - silently skip return value if realpath(3)
    has failed.
    
    However since we're using the unaltered root from the config we have
    another issue, consider this root:
    
      /nix/store/...-abcde/$1
    
    Calling realpath(3) on this path will fail (except if there's a file
    called "$1" of course), so even this fix is not enough because it
    results in the ETag not being set to the store path hash.
    
    While this is very ugly and we should fix this very soon, it's not as
    serious as getting HTTP 500 errors for serving static files.
    
    I added a small NixOS VM test, which uses the example above as a
    regression test.
    
    It seems that my memory is failing these days, since apparently I *knew*
    about this issue since digging for existing issues in nixpkgs, I found
    this similar pull request which I even reviewed:
    
    NixOS#66532
    
    However, since the comments weren't addressed and the author hasn't
    responded to the pull request, I decided to keep this very commit and do
    a follow-up pull request.
    
    [1]: NixOS#48337
    
    Signed-off-by: aszlig <[email protected]>
    Reported-by: @devhell
    Acked-by: @7c6f434c
    Acked-by: @yorickvP
    Merges: NixOS#80671
    Fixes: NixOS#66532
    (cherry picked from commit e1d63ad)
    aszlig committed Mar 28, 2020
    Configuration menu
    Copy the full SHA
    598a9cb View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    28dd9c3 View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    95d7551 View commit details
    Browse the repository at this point in the history
  4. riot-desktop: fix StartupWMClass

    It seems the quoting breaks it just like in da587da
    
    (cherry picked from commit e50bb280cbf5339ed671b0a7208e6aba4002c713)
    (cherry picked from commit f8ccef5)
    worldofpeace committed Mar 28, 2020
    Configuration menu
    Copy the full SHA
    54e8994 View commit details
    Browse the repository at this point in the history

Commits on Mar 29, 2020

  1. Merge pull request NixOS#83602 from scaredmushroom/tor-browser-bundle…

    …-bin_release-19.09
    
    [19.09] tor-browser-bundle-bin: 9.0.5 -> 9.0.7
    Ma27 authored Mar 29, 2020
    Configuration menu
    Copy the full SHA
    ace3bb3 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    ac678d9 View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    e8f5908 View commit details
    Browse the repository at this point in the history
  4. Merge NixOS#83013: exiv2: patch CVE-2019-20421

    (cherry picked from commit 6d28c18)
    vcunat committed Mar 29, 2020
    Configuration menu
    Copy the full SHA
    1bf2637 View commit details
    Browse the repository at this point in the history
  5. brave: 1.5.112 -> 1.5.115

    Update the checkum and the version
    
    (cherry picked from commit fa5fc49)
    Reason: Browser must be kept up-to-date
    JeffLabonte authored and FRidh committed Mar 29, 2020
    Configuration menu
    Copy the full SHA
    e7ad715 View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    c7363c2 View commit details
    Browse the repository at this point in the history
  7. python3Packages.twisted: fix CVE-2020-10109

    Co-authored-by: worldofpeace <[email protected]>
    Ma27 and worldofpeace committed Mar 29, 2020
    Configuration menu
    Copy the full SHA
    2015db3 View commit details
    Browse the repository at this point in the history
  8. Configuration menu
    Copy the full SHA
    a8639df View commit details
    Browse the repository at this point in the history

Commits on Mar 30, 2020

  1. ghc-8.4.4.nix: Do not use git.haskell.org

    which was deprecated in 2018 and is now gone for good. I guess many
    won’t notice because the nix-cache kept the files around?
    
    (cherry picked from commit
    b872b8a and 29ca177)
    nomeata committed Mar 30, 2020
    Configuration menu
    Copy the full SHA
    856dbd1 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#83026 from wmertens/nodejs-backport

    Nodejs 12 backport from master
    wmertens authored Mar 30, 2020
    Configuration menu
    Copy the full SHA
    ce73818 View commit details
    Browse the repository at this point in the history
  3. mattermost-desktop: fix filechooser causing crash

    (cherry picked from commit 645a6fd)
    evils authored and veprbl committed Mar 30, 2020
    Configuration menu
    Copy the full SHA
    58dec78 View commit details
    Browse the repository at this point in the history
  4. mattermost-desktop: version 4.2.3 -> 4.3.1

    (cherry picked from commit f41b8aa)
    evils authored and veprbl committed Mar 30, 2020
    Configuration menu
    Copy the full SHA
    6d445f8 View commit details
    Browse the repository at this point in the history

Commits on Mar 31, 2020

  1. grafana: 6.7.1 -> 6.6.2

    This reverts commit 36cbcdc.
    This reverts commit c3a9111.
    
    Rationale for revert: 6.7.0-beta1 introduced a breaking change[1]
    which seems to break at least one popular grafana integration.
    
    [1] https://github.com/grafana/grafana/blob/master/CHANGELOG.md#670-beta1-2020-03-12
    Ma27 committed Mar 31, 2020
    Configuration menu
    Copy the full SHA
    85d879e View commit details
    Browse the repository at this point in the history

Commits on Apr 1, 2020

  1. Merge pull request NixOS#83516 from Ma27/synapse-19.09

    [19.09] matrix-synapse: 1.11.1 -> 1.12.0
    lheckemann authored Apr 1, 2020
    Configuration menu
    Copy the full SHA
    d011e47 View commit details
    Browse the repository at this point in the history
  2. ruby_2_5: 2.5.7 -> 2.5.8

    marsam authored and alyssais committed Apr 1, 2020
    Configuration menu
    Copy the full SHA
    6011c05 View commit details
    Browse the repository at this point in the history
  3. ruby_2_6: 2.6.5 -> 2.6.6

    marsam authored and alyssais committed Apr 1, 2020
    Configuration menu
    Copy the full SHA
    deb8fd1 View commit details
    Browse the repository at this point in the history
  4. linux: 5.4.28 -> 5.4.29

    NeQuissimus committed Apr 1, 2020
    Configuration menu
    Copy the full SHA
    926c763 View commit details
    Browse the repository at this point in the history

Commits on Apr 2, 2020

  1. chromium: fix webrtc interaction with pulseaudio

    The webrtc code suffered from a race condition when used
    with Pulseaudio. This lead to audio input breaking every
    couple of minutes during a webrtc session.
    
    (cherry picked from commit 81b18c3)
    peti authored and primeos committed Apr 2, 2020
    Configuration menu
    Copy the full SHA
    190fbfd View commit details
    Browse the repository at this point in the history
  2. chromium: I accidentally added the webrtc patch into the wrong section

    (cherry picked from commit b3c2908)
    peti authored and primeos committed Apr 2, 2020
    Configuration menu
    Copy the full SHA
    5ae092f View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    96614c2 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    c221bb2 View commit details
    Browse the repository at this point in the history
  5. linux: 5.4.29 -> 5.4.30

    NeQuissimus committed Apr 2, 2020
    Configuration menu
    Copy the full SHA
    c5ad5d0 View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    7d82b77 View commit details
    Browse the repository at this point in the history
  7. Configuration menu
    Copy the full SHA
    c95a98e View commit details
    Browse the repository at this point in the history
  8. Configuration menu
    Copy the full SHA
    0ee9cef View commit details
    Browse the repository at this point in the history

Commits on Apr 3, 2020

  1. chromium: 80.0.3987.162 -> 80.0.3987.163

    https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop.html
    
    Note: This update contains only two fixes [0]. The fix that reverts a
    feature which caused a crash spike on 80.0.3987.162 [1] seems important
    for us (though the commit doesn't provide any data on the crash spike).
    
    [0]: https://chromium.googlesource.com/chromium/src/+log/80.0.3987.162..80.0.3987.163?pretty=fuller
    [1]: https://chromium.googlesource.com/chromium/src/+/fc11c43603c05a9ef77430a6b4081a01969d2bf4
    
    (cherry picked from commit cbd13f3)
    primeos committed Apr 3, 2020
    Configuration menu
    Copy the full SHA
    1ca8a06 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#84107 from primeos/chromium-backport

    [19.09] chromium: 80.0.3987.149 -> 80.0.3987.163 (backport)
    primeos authored Apr 3, 2020
    Configuration menu
    Copy the full SHA
    6ce362a View commit details
    Browse the repository at this point in the history

Commits on Apr 4, 2020

  1. Configuration menu
    Copy the full SHA
    7a429e7 View commit details
    Browse the repository at this point in the history
  2. firefox: 74.0 -> 74.0.1

    andir committed Apr 4, 2020
    Configuration menu
    Copy the full SHA
    f7f1d53 View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    a90f68b View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    3c0b770 View commit details
    Browse the repository at this point in the history
  5. firefox-bin: 74.0 -> 74.0.1

    andir committed Apr 4, 2020
    Configuration menu
    Copy the full SHA
    ca1ee17 View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    2d0be77 View commit details
    Browse the repository at this point in the history
  7. apacheHttpd: 2.4.41 -> 2.4.43

    (cherry picked from commit f26b2af)
    r-ryantm authored and aanderse committed Apr 4, 2020
    Configuration menu
    Copy the full SHA
    b3e1b81 View commit details
    Browse the repository at this point in the history
  8. Merge pull request NixOS#84251 from andir/19.09/firefox

    [19.09] firefox{,-bin}: 74.0 -> 74.0.1, firefox-esr: 68.6.0esr  -> 68.6.1esr
    andir authored Apr 4, 2020
    Configuration menu
    Copy the full SHA
    e10c65c View commit details
    Browse the repository at this point in the history

Commits on Apr 5, 2020

  1. Merge NixOS#84273: gnutls: 3.6.11.1 -> 3.6.13 [security]

    ... into staging.  Fixes CVE-2020-11501.
    
    (cherry picked from commit f91b34e)
    These bumps combined still seem quite safe in terms of regression
    likelihood.
    vcunat committed Apr 5, 2020
    Configuration menu
    Copy the full SHA
    c1ef04e View commit details
    Browse the repository at this point in the history

Commits on Apr 6, 2020

  1. wire-desktop: mac 3.15.3621 -> 3.16.3630

    (cherry picked from commit 39c5e1c)
    toonn committed Apr 6, 2020
    Configuration menu
    Copy the full SHA
    30b05e1 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#84496 from toonn/release-19.09

    [19.09] wire-desktop: mac 3.15.3621 -> 3.16.3630
    flokli authored Apr 6, 2020
    Configuration menu
    Copy the full SHA
    f86271a View commit details
    Browse the repository at this point in the history

Commits on Apr 7, 2020

  1. brave: 1.5.115 -> 1.5.123

    Update the checksum and the version of Brave package.
    
    (cherry picked from commit 7a80ead)
    Reason: Browsers must be kept up-to-date
    JeffLabonte committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    528b5b6 View commit details
    Browse the repository at this point in the history
  2. libvpx_1_8: init at 1.8.2

    Adding this as a new attribute as software is likely going to break when
    we switch the default from the 1.7 branch to 1.8.
    
    (cherry picked from commit 1859b5a)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    832d4e9 View commit details
    Browse the repository at this point in the history
  3. firefox: prepare for version 75

    (cherry picked from commit 9de3c97)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    70bca49 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    0ffd59a View commit details
    Browse the repository at this point in the history
  5. firefox: 74.0.1 -> 75.0

    (cherry picked from commit 4a41fd7)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    5f4b02f View commit details
    Browse the repository at this point in the history
  6. firefox-esr-68: 68.6.1esr -> 68.7.0esr

    (cherry picked from commit f56ea6c)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    0280d88 View commit details
    Browse the repository at this point in the history
  7. firefox-bin: 74.0.1 -> 75.0

    (cherry picked from commit bab82e7)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    9dda51b View commit details
    Browse the repository at this point in the history
  8. firefox-beta-bin: 75.0b11 -> 76.0b1

    (cherry picked from commit 9d6a7fd)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    08a7e09 View commit details
    Browse the repository at this point in the history
  9. firefox-devedition-bin: 75.0b12 -> 76.0b1

    (cherry picked from commit 79fb589)
    andir committed Apr 7, 2020
    Configuration menu
    Copy the full SHA
    aaffe07 View commit details
    Browse the repository at this point in the history
  10. Merge pull request NixOS#84590 from andir/19.09/firefox

    [19.09] firefox: 74.0.1 -> 75.0
    andir authored Apr 7, 2020
    Configuration menu
    Copy the full SHA
    16d0add View commit details
    Browse the repository at this point in the history

Commits on Apr 8, 2020

  1. signal-desktop: 1.32.3 -> 1.33.0

    (cherry picked from commit fdedc5d)
    primeos committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    be180f6 View commit details
    Browse the repository at this point in the history
  2. chromium: Ignore unknown warning options

    This can e.g. save around 150k lines of unnecessary log messages which
    take up around 66% of the total lines (based on a log of 80.0.3987.100):
    29527 warning: unknown warning option '-Wno-bitwise-conditional-parentheses'; did you mean '-Wno-bitwise-op-parentheses'? [-Wunknown-warning-option]
    29527 warning: unknown warning option '-Wno-builtin-assume-aligned-alignment' [-Wunknown-warning-option]
    29527 warning: unknown warning option '-Wno-deprecated-copy'; did you mean '-Wno-deprecated'? [-Wunknown-warning-option]
    29527 warning: unknown warning option '-Wno-final-dtor-non-final-class'; did you mean '-Wno-abstract-final-class'? [-Wunknown-warning-option]
    29527 warning: unknown warning option '-Wno-implicit-int-float-conversion'; did you mean '-Wno-implicit-float-conversion'? [-Wunknown-warning-option]
    
    (cherry picked from commit 9f39148)
    primeos committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    82de063 View commit details
    Browse the repository at this point in the history
  3. chromiumDev: Remove a patch that is already applied

    This fixes the patch phase.
    I missed this problem in NixOS#83956.
    
    (cherry picked from commit 36c7123)
    primeos committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    631a5ef View commit details
    Browse the repository at this point in the history
  4. chromiumBeta: Fix the build

    This patch was also backported to M81 [0][1].
    
    [0]: https://chromium-review.googlesource.com/c/chromium/src/+/2091896
    [1]: chromium/chromium@bbf0fad
    
    (cherry picked from commit ff3bc51)
    primeos committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    dd0d0e6 View commit details
    Browse the repository at this point in the history
  5. Configuration menu
    Copy the full SHA
    7c60e5c View commit details
    Browse the repository at this point in the history
  6. Merge pull request NixOS#84708 from primeos/signal-desktop-backport

    [19.09] signal-desktop: 1.32.3 -> 1.33.0 (backport)
    primeos authored Apr 8, 2020
    Configuration menu
    Copy the full SHA
    35cfc19 View commit details
    Browse the repository at this point in the history
  7. linux: 5.4.30 -> 5.4.31

    NeQuissimus committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    6a8c4f7 View commit details
    Browse the repository at this point in the history
  8. Merge pull request NixOS#84709 from primeos/chromium-backport

    [19.09] chromium: 80.0.3987.163 -> 81.0.4044.92 (backport)
    primeos authored Apr 8, 2020
    Configuration menu
    Copy the full SHA
    7770f3a View commit details
    Browse the repository at this point in the history
  9. vocal: add missing glib-networking

    otherwise https is disabled
    
    (cherry picked from commit b9b8388)
    Mic92 authored and worldofpeace committed Apr 8, 2020
    Configuration menu
    Copy the full SHA
    77b9000 View commit details
    Browse the repository at this point in the history

Commits on Apr 9, 2020

  1. Merge pull request NixOS#84294 from aanderse/httpd-19.09

    apacheHttpd: 2.4.41 -> 2.4.43 [19.09]
    aanderse authored Apr 9, 2020
    Configuration menu
    Copy the full SHA
    52577ba View commit details
    Browse the repository at this point in the history
  2. linuxPackagesFor: wireguard: noop for kernel >= 5.6

    (cherry picked from commit 27ca6c2)
    
    Rationale for backport: it's explicitly supported to build a kernel with
    a custom tree. When using a 5.6 tree in a system configuration, eval
    will break since `wireguard` is still evaluated and throws an
    assertion-error on 5.6 or greater.
    d-xo authored and Ma27 committed Apr 9, 2020
    Configuration menu
    Copy the full SHA
    60c4ddb View commit details
    Browse the repository at this point in the history

Commits on Apr 10, 2020

  1. Configuration menu
    Copy the full SHA
    ebf64ea View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#84892 from andriokha/tor-browser-bundle-bin-…

    …9.0.9-release-19.09
    
    [19.09] tor-browser-bundle-bin: 9.0.7 -> 9.0.9
    joachifm authored Apr 10, 2020
    Configuration menu
    Copy the full SHA
    02f2241 View commit details
    Browse the repository at this point in the history

Commits on Apr 11, 2020

  1. Configuration menu
    Copy the full SHA
    99a27f4 View commit details
    Browse the repository at this point in the history

Commits on Apr 12, 2020

  1. Merge NixOS#83022: simutrans: 120.2.2 -> 120.4.1 (unbreak)

    (cherry picked from commit e7ca19f)
    vcunat committed Apr 12, 2020
    Configuration menu
    Copy the full SHA
    839cd8d View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#84536 from JeffLabonte/19.09-brave_1.5.115_t…

    …o_1.5.123
    
    brave: 1.5.115 -> 1.5.123
    marsam authored Apr 12, 2020
    Configuration menu
    Copy the full SHA
    5fa2612 View commit details
    Browse the repository at this point in the history

Commits on Apr 13, 2020

  1. linux: 4.4.218 -> 4.4.219

    NeQuissimus committed Apr 13, 2020
    Configuration menu
    Copy the full SHA
    f35e61d View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    f52196c View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    81ca80c View commit details
    Browse the repository at this point in the history
  4. linux: 4.9.218 -> 4.9.219

    NeQuissimus committed Apr 13, 2020
    Configuration menu
    Copy the full SHA
    fec536f View commit details
    Browse the repository at this point in the history
  5. linux: 5.4.31 -> 5.4.32

    NeQuissimus committed Apr 13, 2020
    Configuration menu
    Copy the full SHA
    ee95a68 View commit details
    Browse the repository at this point in the history

Commits on Apr 14, 2020

  1. luminance-hdr: use Qt5's mkDerivation

    (cherry picked from commit b233a19)
    dominikh authored and worldofpeace committed Apr 14, 2020
    Configuration menu
    Copy the full SHA
    f6c1d3b View commit details
    Browse the repository at this point in the history

Commits on Apr 15, 2020

  1. Merge pull request NixOS#79772 from wamserma/fix-aspell-CVEs-backport

    [19.09] aspell: 0.60.6.1 -> 0.60.8
    risicle authored Apr 15, 2020
    Configuration menu
    Copy the full SHA
    b67bc34 View commit details
    Browse the repository at this point in the history

Commits on Apr 16, 2020

  1. Configuration menu
    Copy the full SHA
    dd46307 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    4f86f06 View commit details
    Browse the repository at this point in the history
  3. [19.09] flashplayer: 32.0.0.330 -> 32.0.0.363

    (cherry picked from commit ac374d4)
    
    Backported 32.0.0.363 to release 19.09 for important bug fixes.
    
    Also needed because old upstream release is no longer available.
    taku0 authored and tollb committed Apr 16, 2020
    Configuration menu
    Copy the full SHA
    6f5b979 View commit details
    Browse the repository at this point in the history
  4. chromium: 81.0.4044.92 -> 81.0.4044.113

    https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_15.html
    
    This update includes 1 security fix.
    
    CVEs: CVE-2020-6457
    (cherry picked from commit ef2c3ab)
    primeos committed Apr 16, 2020
    Configuration menu
    Copy the full SHA
    9cb226c View commit details
    Browse the repository at this point in the history
  5. Merge pull request NixOS#85409 from tollb/flashplayer-32.0.0.363-rele…

    …ase-19.09
    
    [19.09] flashplayer: 32.0.0.330 -> 32.0.0.363
    7c6f434c authored Apr 16, 2020
    Configuration menu
    Copy the full SHA
    9eeef58 View commit details
    Browse the repository at this point in the history

Commits on Apr 17, 2020

  1. Configuration menu
    Copy the full SHA
    648a695 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#85405 from primeos/chromium-backport

    [19.09] chromium: 81.0.4044.92 -> 81.0.4044.113 (backport)
    primeos authored Apr 17, 2020
    Configuration menu
    Copy the full SHA
    27c9e08 View commit details
    Browse the repository at this point in the history
  3. linux: 4.19.115 -> 4.19.116

    (cherry picked from commit d9258d3)
    NeQuissimus committed Apr 17, 2020
    Configuration menu
    Copy the full SHA
    6c9572a View commit details
    Browse the repository at this point in the history
  4. linux: 5.4.32 -> 5.4.33

    (cherry picked from commit e341107)
    NeQuissimus committed Apr 17, 2020
    Configuration menu
    Copy the full SHA
    36586a9 View commit details
    Browse the repository at this point in the history
  5. Merge pull request NixOS#85429 from zaninime/backport-nexus

    [19.09] nexus: 3.18.1-01 -> 3.22.0-02 (backport)
    Ma27 authored Apr 17, 2020
    Configuration menu
    Copy the full SHA
    fed820b View commit details
    Browse the repository at this point in the history

Commits on Apr 18, 2020

  1. maintainers: add wamserma

    Signed-off-by: Markus S. Wamser <[email protected]>
    wamserma authored and bhipple committed Apr 18, 2020
    Configuration menu
    Copy the full SHA
    3bd563f View commit details
    Browse the repository at this point in the history

Commits on Apr 19, 2020

  1. maintainers: backport gazally

    ehmry committed Apr 19, 2020
    Configuration menu
    Copy the full SHA
    fdd75ab View commit details
    Browse the repository at this point in the history
  2. yggdrasil: backport at 0.3.10

    Backport of Yggdrasil, NixOS module, and tests.
    ehmry committed Apr 19, 2020
    Configuration menu
    Copy the full SHA
    9237a09 View commit details
    Browse the repository at this point in the history

Commits on Apr 22, 2020

  1. chromium{Beta,Dev}: M81 -> M83 -> M84

    (cherry picked from commit cb5c0a4)
    Note: Only M81 is supported on 19.09. This is mainly to cherry-pick
    stable channel updates and avoid an insecure chromiumBeta.
    primeos committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    dff7016 View commit details
    Browse the repository at this point in the history
  2. chromiumBeta: Mark as broken

    primeos committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    c0439ba View commit details
    Browse the repository at this point in the history
  3. chromium: 81.0.4044.113 -> 81.0.4044.122

    https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_21.html
    
    This update includes 8 security fixes.
    
    CVEs: CVE-2020-6459 CVE-2020-6460 CVE-2020-645
    (cherry picked from commit a2df977)
    primeos committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    e45440a View commit details
    Browse the repository at this point in the history
  4. Merge pull request NixOS#85760 from primeos/chromium-backport

    [19.09] chromium: 81.0.4044.113 -> 81.0.4044.122 (backport)
    flokli authored Apr 22, 2020
    Configuration menu
    Copy the full SHA
    5a3490d View commit details
    Browse the repository at this point in the history
  5. Configuration menu
    Copy the full SHA
    a9750db View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    cae3ac8 View commit details
    Browse the repository at this point in the history
  7. enyo-doom: use qt5's mkDerivation

    (cherry picked from commit 83102fc)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    336ef08 View commit details
    Browse the repository at this point in the history
  8. httraqt: use qt5's mkDerivation

    (cherry picked from commit b98fa7c)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    fef4a36 View commit details
    Browse the repository at this point in the history
  9. yabause: use qt5's mkDerivation

    (cherry picked from commit f9ef2c1)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    a508612 View commit details
    Browse the repository at this point in the history
  10. calaos_installer: use qt5's mkDerivation

    (cherry picked from commit 5858162)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    640e0d4 View commit details
    Browse the repository at this point in the history
  11. caneda: use qt5's mkDerivation

    (cherry picked from commit 7d1c2c0)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    afc608d View commit details
    Browse the repository at this point in the history
  12. valentina: use qt5's mkDerivation

    (cherry picked from commit 01de13a)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    52ee2d5 View commit details
    Browse the repository at this point in the history
  13. traverso: use qt5's mkDerivation

    (cherry picked from commit 461843a)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    163b434 View commit details
    Browse the repository at this point in the history
  14. swift-im: use qt5's mkDerivation

    (cherry picked from commit 86aab71)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    8f63757 View commit details
    Browse the repository at this point in the history
  15. ricochet: use qt5's mkDerivation

    (cherry picked from commit 4b7193b)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    754a796 View commit details
    Browse the repository at this point in the history
  16. qstopmotion: use qt5's mkDerivation

    (cherry picked from commit e036261)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    c988766 View commit details
    Browse the repository at this point in the history
  17. qmediathekview: use qt5's mkDerivation

    (cherry picked from commit 5f70a20)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    fa24ad0 View commit details
    Browse the repository at this point in the history
  18. qcomicbook: use qt5's mkDerivation

    (cherry picked from commit 2986699)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    9b1849a View commit details
    Browse the repository at this point in the history
  19. phototonic: use qt5's mkDerivation

    (cherry picked from commit 606a15d)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    24490a6 View commit details
    Browse the repository at this point in the history
  20. openbrf: use qt5's mkDerivation

    (cherry picked from commit 9f0dba1)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    02635e3 View commit details
    Browse the repository at this point in the history
  21. okteta: use qt5's mkDerivation

    (cherry picked from commit affebc8)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    51e4700 View commit details
    Browse the repository at this point in the history
  22. mindforger: use qt5's mkDerivation

    (cherry picked from commit 22af8e8)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    c601b3e View commit details
    Browse the repository at this point in the history
  23. dfasma: use qt5's mkDerivation

    (cherry picked from commit 21d3ce5)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    7a6c6ba View commit details
    Browse the repository at this point in the history
  24. bomi: use qt5's mkDerivation

    Wrap Qt program manually, remove makeWrapper from nativeBuildInputs.
    
    (cherry picked from commit 98f1266)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    183bb76 View commit details
    Browse the repository at this point in the history
  25. awesomebump: use qt5's mkDerivation

    Wrap Qt program manually, remove makeWrapper from nativeBuildInputs.
    
    (cherry picked from commit a0a076b)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    77e281f View commit details
    Browse the repository at this point in the history
  26. aqemu: use qt5's mkDerivation

    (cherry picked from commit 4ee9179)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    1cbdf95 View commit details
    Browse the repository at this point in the history
  27. qt-box-editor: use qt5's mkDerivation

    (cherry picked from commit cc8d121)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    ef7e187 View commit details
    Browse the repository at this point in the history
  28. rocket: use qt5's mkDerivation

    (cherry picked from commit adae9f1)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    64301c0 View commit details
    Browse the repository at this point in the history
  29. pro-office-calculator: use qt5's mkDerivation

    (cherry picked from commit ec92227)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    641f664 View commit details
    Browse the repository at this point in the history
  30. iannix: use qt5's mkDerivation

    (cherry picked from commit 9384f48)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    0dd1ea1 View commit details
    Browse the repository at this point in the history
  31. glogg: use qt5's mkDerivation

    (cherry picked from commit 7dce1c5)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    7d215ac View commit details
    Browse the repository at this point in the history
  32. firebird-emu: use qt5's mkDerivation

    (cherry picked from commit 65050cd)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    8c7b082 View commit details
    Browse the repository at this point in the history
  33. colord-kde: use qt5's mkDerivation

    (cherry picked from commit 2e8962b)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    2ebfd55 View commit details
    Browse the repository at this point in the history
  34. candle: use qt5's mkDerivation

    (cherry picked from commit 1d8ea89)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    0b8156d View commit details
    Browse the repository at this point in the history
  35. tensor: use qt5's mkDerivation

    (cherry picked from commit d5b14e5)
    mmilata committed Apr 22, 2020
    Configuration menu
    Copy the full SHA
    dacd7f3 View commit details
    Browse the repository at this point in the history
  36. Configuration menu
    Copy the full SHA
    f37435d View commit details
    Browse the repository at this point in the history

Commits on Apr 23, 2020

  1. Configuration menu
    Copy the full SHA
    04273c3 View commit details
    Browse the repository at this point in the history
  2. Merge staging-19.09 into release-19.09

    Build security updates on release branch so *-small channel is updated as soon as possible.
    FRidh committed Apr 23, 2020
    Configuration menu
    Copy the full SHA
    9642f12 View commit details
    Browse the repository at this point in the history

Commits on Apr 25, 2020

  1. Configuration menu
    Copy the full SHA
    bfee698 View commit details
    Browse the repository at this point in the history
  2. gnome3.mutter328: backports from gnome-3-28

    (cherry picked from commit d0419f9)
    worldofpeace authored and jonringer committed Apr 25, 2020
    Configuration menu
    Copy the full SHA
    c4799f0 View commit details
    Browse the repository at this point in the history
  3. hostapd: apply patch for CVE-2019-16275

    AP mode PMF disconnection protection bypass
    
    Published: September 11, 2019
    Identifiers:
    - CVE-2019-16275
    Latest version available from: https://w1.fi/security/2019-7/
    
    Vulnerability
    
    hostapd (and wpa_supplicant when controlling AP mode) did not perform
    sufficient source address validation for some received Management frames
    and this could result in ending up sending a frame that caused
    associated stations to incorrectly believe they were disconnected from
    the network even if management frame protection (also known as PMF) was
    negotiated for the association. This could be considered to be a denial
    of service vulnerability since PMF is supposed to protect from this type
    of issues. It should be noted that if PMF is not enabled, there would be
    no protocol level protection against this type of denial service
    attacks.
    
    An attacker in radio range of the access point could inject a specially
    constructed unauthenticated IEEE 802.11 frame to the access point to
    cause associated stations to be disconnected and require a reconnection
    to the network.
    
    Vulnerable versions/configurations
    
    All hostapd and wpa_supplicants versions with PMF support
    (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
    PMF being enabled (optional or required). In addition, this would be
    applicable only when using user space based MLME/SME in AP mode, i.e.,
    when hostapd (or wpa_supplicant when controlling AP mode) would process
    authentication and association management frames. This condition would
    be applicable mainly with drivers that use mac80211.
    
    Possible mitigation steps
    
    - Merge the following commit to wpa_supplicant/hostapd and rebuild:
    
      AP: Silently ignore management frame from unexpected source address
    
      This patch is available from https://w1.fi/security/2019-7/
    
    - Update to wpa_supplicant/hostapd v2.10 or newer, once available
    
    (cherry picked from commit 3e9f3a3)
    mweinelt committed Apr 25, 2020
    Configuration menu
    Copy the full SHA
    54a3772 View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    39a1ac5 View commit details
    Browse the repository at this point in the history
  5. Merge pull request NixOS#85805 from mmilata/qt5-mkDerivation-stdenv-1…

    …9.09
    
    [19.09] Use qt5's mkDerivation in packages that otherwise crash
    worldofpeace authored Apr 25, 2020
    Configuration menu
    Copy the full SHA
    e6d222f View commit details
    Browse the repository at this point in the history

Commits on Apr 26, 2020

  1. ninja: fix 404'ing patch

    Kyndig on IRC noticed that building `ninja` from source would fail due
    to a patch 404'ing (because the repo appears to no longer exist). Fetch
    from upstream instead.
    
    (cherry picked from commit 91d4e9a)
    cc NixOS#85742
    cole-h authored and veprbl committed Apr 26, 2020
    Configuration menu
    Copy the full SHA
    4a0df0c View commit details
    Browse the repository at this point in the history

Commits on Apr 28, 2020

  1. nixos/gitlab: Fix services.gitlab.enableStartTLSAuto

    'toString false' results in an empty string, which, in this context,
    is a syntax error. Use boolToString instead.
    
    Fixes NixOS#86160
    
    (cherry picked from commit c0a838d)
    talyz committed Apr 28, 2020
    Configuration menu
    Copy the full SHA
    f907dc9 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#86191 from talyz/release-19.09

    nixos/gitlab: Fix services.gitlab.enableStartTLSAuto
    talyz authored Apr 28, 2020
    Configuration menu
    Copy the full SHA
    9ffae2a View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    7b9f3c8 View commit details
    Browse the repository at this point in the history
  4. gitlab: support passing --rev to the update-all script

    While it's already possible to invoke `update-data` with the `--rev`
    argument, one still needs to run all later phases manually.
    
    Fix this, by having `update-all` also accept a `--rev` argument, and
    pass it down to `update-data`.
    
    Also, make the help text a bit more usable, by suggesting the usual
    versioning scheme used these times.
    
    (cherry picked from commit 191c2c6)
    flokli committed Apr 28, 2020
    Configuration menu
    Copy the full SHA
    57df0aa View commit details
    Browse the repository at this point in the history
  5. gitlab-workhorse: 8.21.1 -> 8.21.2

    (cherry picked from commit f7ddd30)
    flokli committed Apr 28, 2020
    Configuration menu
    Copy the full SHA
    767ca36 View commit details
    Browse the repository at this point in the history
  6. gitaly: 12.8.8 -> 12.8.9

    (cherry picked from commit c86c77b)
    flokli committed Apr 28, 2020
    Configuration menu
    Copy the full SHA
    68169a7 View commit details
    Browse the repository at this point in the history
  7. gitlab: update.py: invoke bundle lock manually

    `bundix -l` doesn't work, as it treats bundler's warning about upgrading
    the lockfile version as an error, so invoke `bundle lock` manually.
    
    (cherry picked from commit 4c26ab4)
    manveru authored and flokli committed Apr 28, 2020
    Configuration menu
    Copy the full SHA
    a7ceb25 View commit details
    Browse the repository at this point in the history

Commits on Apr 29, 2020

  1. Configuration menu
    Copy the full SHA
    4b39bb8 View commit details
    Browse the repository at this point in the history
  2. coturn: apply patch for CVE-2020-6061/6062

    Fixes: CVE-2020-6061, CVE-2020-6062
    
    An exploitable heap overflow vulnerability exists in the way CoTURN
    4.5.1.1 web server parses POST requests. A specially crafted HTTP
    POST request can lead to information leaks and other misbehavior.
    An attacker needs to send an HTTPS request to trigger this vulnerability.
    
    An exploitable denial-of-service vulnerability exists in the way
    CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
    HTTP POST request can lead to server crash and denial of service.
    An attacker needs to send an HTTP request to trigger this vulnerability.
    
    (cherry picked from commit 704a018)
    mweinelt committed Apr 29, 2020
    Configuration menu
    Copy the full SHA
    ac3ed15 View commit details
    Browse the repository at this point in the history
  3. Merge pull request NixOS#86271 from mweinelt/19.09/coturn/CVE-2020-6061

    …+6062
    
    [19.09] coturn: apply patch for CVE-2020-6061/6062
    rasendubi authored Apr 29, 2020
    Configuration menu
    Copy the full SHA
    1d06d40 View commit details
    Browse the repository at this point in the history
  4. monotone: openssl in botan is not needed, so drop to avoid old openssl

    (cherry picked from commit 4644776)
    7c6f434c committed Apr 29, 2020
    Configuration menu
    Copy the full SHA
    e27493e View commit details
    Browse the repository at this point in the history
  5. Merge pull request NixOS#86340 from 7c6f434c/monotone-no-botan-openss…

    …l-19.09
    
    monotone: openssl in botan is not needed, so drop to avoid old openssl
    7c6f434c authored Apr 29, 2020
    Configuration menu
    Copy the full SHA
    511766d View commit details
    Browse the repository at this point in the history
  6. roundcube: 1.3.10 -> 1.3.11

    https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
    
    This contains some important security fixes, hence the package-bump.
    Ma27 committed Apr 29, 2020
    Configuration menu
    Copy the full SHA
    87819f9 View commit details
    Browse the repository at this point in the history

Commits on Apr 30, 2020

  1. Merge pull request NixOS#86297 from primeos/chromium-backport

    [19.09] chromium: 81.0.4044.122 -> 81.0.4044.129 (backport)
    primeos authored Apr 30, 2020
    Configuration menu
    Copy the full SHA
    322fd89 View commit details
    Browse the repository at this point in the history

Commits on May 1, 2020

  1. gitaly: 12.8.9 -> 12.8.10

    (cherry picked from commit 9eb6dc7)
    flokli authored and talyz committed May 1, 2020
    Configuration menu
    Copy the full SHA
    24d07de View commit details
    Browse the repository at this point in the history
  2. gitlab: 12.8.9 -> 12.8.10

    (cherry picked from commit fdd0d0d)
    flokli authored and talyz committed May 1, 2020
    Configuration menu
    Copy the full SHA
    a73c7cb View commit details
    Browse the repository at this point in the history
  3. Merge pull request NixOS#86461 from talyz/19.09-gitlab-12.8.10

    [19.09] gitlab: 12.8.9 -> 12.8.10
    flokli authored May 1, 2020
    Configuration menu
    Copy the full SHA
    85f3b47 View commit details
    Browse the repository at this point in the history

Commits on May 3, 2020

  1. Configuration menu
    Copy the full SHA
    7da8a5a View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#86651 from Flakebi/salt-19.09

    [19.09] salt: 2019.2.0 -> 2019.2.4
    bhipple authored May 3, 2020
    Configuration menu
    Copy the full SHA
    4f820be View commit details
    Browse the repository at this point in the history

Commits on May 4, 2020

  1. nss_3_52: 3.51 -> 3.52

    andir committed May 4, 2020
    Configuration menu
    Copy the full SHA
    0fa8e3c View commit details
    Browse the repository at this point in the history
  2. firefox: 75.0 -> 76.0

    (cherry picked from commit 324e40f)
    andir committed May 4, 2020
    Configuration menu
    Copy the full SHA
    72212cb View commit details
    Browse the repository at this point in the history
  3. firefox-bin: 75.0 -> 76.0

    (cherry picked from commit 3911336)
    andir committed May 4, 2020
    Configuration menu
    Copy the full SHA
    26316a2 View commit details
    Browse the repository at this point in the history
  4. firefox-esr-68: 68.7.0esr -> 68.8.0esr

    (cherry picked from commit f3cc8dc)
    andir committed May 4, 2020
    Configuration menu
    Copy the full SHA
    8f570a3 View commit details
    Browse the repository at this point in the history

Commits on May 5, 2020

  1. Merge pull request NixOS#86811 from andir/19.09/firefox76

    [19.09] firefox: 75.0 -> 76.0
    andir authored May 5, 2020
    Configuration menu
    Copy the full SHA
    3f1f251 View commit details
    Browse the repository at this point in the history

Commits on May 6, 2020

  1. Configuration menu
    Copy the full SHA
    b79f64b View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#87078 from primeos/chromium-backport

    chromium: 81.0.4044.129 -> 81.0.4044.138
    primeos authored May 6, 2020
    Configuration menu
    Copy the full SHA
    278db00 View commit details
    Browse the repository at this point in the history

Commits on May 10, 2020

  1. Configuration menu
    Copy the full SHA
    5967390 View commit details
    Browse the repository at this point in the history

Commits on May 11, 2020

  1. monero: fix rcp.restricted option

    According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api
    the correct option is restricted-rpc, not restrict-rpc.
    
    (cherry picked from commit e7ab236)
    vojta001 authored and rnhmjoj committed May 11, 2020
    Configuration menu
    Copy the full SHA
    d858110 View commit details
    Browse the repository at this point in the history

Commits on May 13, 2020

  1. firefox: Add patch to fix AES GCM IV bit size

    Regression introduced by bce5268.
    
    The bit size of the initialisation vector for AES GCM has been
    introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the
    ulIvBits field.
    
    Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it
    gets initialised to zero, which in turn causes IV generation to fail.
    
    I found out about this because WebRTC stopped working after updating to
    NSS 3.52 and so I started bisecting.
    
    Since there wasn't an obvious error in Firefox hinting towards NSS but
    instead just the video stream ended up as a "null" stream, I didn't
    suspect the NSS update to be the culprit at first. So I verified a few
    times and then also started bisecting the actual commit in NSS that
    caused the issue.
    
    This turned out to be the problematic change:
    
    https://phabricator.services.mozilla.com/D63241
    
    > One notable change was caused by an inconsistancy between the spec and
    > the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra
    > field in the header that was not in the spec. OASIS considers the
    > header file to be normative, so PKCS#11 v3.0 resolved the issue in
    > favor of the header file definition.
    
    Since the test I've used[1] was a bit flaky, I still didn't believe the
    result of the bisect to be accurate, but after running the test several
    times leading same results I dug through the above change line by line
    to get more clues.
    
    It fortunately didn't take that long to stumble upon the ulIvBits change
    (which is actually documented in the NSS 3.52 release notes[4], but I
    managed to blatantly ignore it for some reason) and started checking the
    Firefox source tree for changes regarding that field.
    
    Initialisation of that new field has been introduced[2] in preparation
    for the 76 release, but subsequently got reverted[3] prior to the
    release, because Firefox 76 is expected to be shipped with NSS 3.51,
    which didn't have the ulIvBits field.
    
    The patch I'm adding here is just a reintroduction of that change,
    because we're using NSS 3.52. Not initialising that field will break
    WebRTC and WebCrypto, which I think the former seems to gain in
    popularity these days ;-)
    
    Tested the change against the mentioned VM test[1] and also by testing
    manually using Jitsi Meet and Nextcloud Talk.
    
    [1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
    [2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
    [3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
    [4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes
    
    Signed-off-by: aszlig <[email protected]>
    (cherry picked from commit 8fb4997 & moved to packages.nix)
    aszlig authored and andir committed May 13, 2020
    Configuration menu
    Copy the full SHA
    9cefaf9 View commit details
    Browse the repository at this point in the history

Commits on May 14, 2020

  1. firefox: 76.0 -> 76.0.1

    (cherry picked from commit b70435e)
    andir committed May 14, 2020
    Configuration menu
    Copy the full SHA
    810e561 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#87772 from andir/19.09/firefox

    [19.09] firefox: Add patch to fix AES GCM IV bit size
    andir authored May 14, 2020
    Configuration menu
    Copy the full SHA
    31dcaa5 View commit details
    Browse the repository at this point in the history

Commits on May 20, 2020

  1. chromium: Mark as insecure

    Since M81 won't receive any updates anymore and there are known
    vulnerabilities we should mark it as insecure so that users are aware of
    the risks.
    Updating Chromium to M83 is unfortunately too challenging for
    19.09, but as of today we've already covered the one month period of
    security updates for "oldstable" and both 20.03 and nixos-unstable
    contain recent versions (i.e. users should either update to the current
    stable release or install Chromium from a different channel).
    
    nixos-unstable PR for M83: NixOS#88206
    primeos committed May 20, 2020
    Configuration menu
    Copy the full SHA
    69e4ae5 View commit details
    Browse the repository at this point in the history
  2. Merge pull request NixOS#88368 from primeos/chromium-eol

    [19.09] chromium: Mark as insecure
    lheckemann authored May 20, 2020
    Configuration menu
    Copy the full SHA
    2efedf8 View commit details
    Browse the repository at this point in the history