upgrade-2020-06-07-0a11634a29c #352

Open
wants to merge 348 commits into
base: nixos-19.09

@nixos-auto-pr nixos-auto-pr bot commented Jun 6, 2020

Automatic pull request

Update progress

  • Merge the branch

mmilata and others added 30 commits March 14, 2020 16:57
(cherry picked from commit 41d8bb1)
(Older version finished on Hydra.)
(Older version finished on Hydra.)
https://www.samba.org/samba/history/security.html
Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux
Contains only the version update from 8be61f7,
the module-changes are not needed on 19.09 since the database is always
configured properly here.
x86_64-linux rebuilds have finished, so let's merge
to get the security fixes early.
(cherry picked from commit 291c735)
/cc roundup NixOS#79725
includes fix for nC-SA-2020-015.

See nextcloud/server#19976, the SA currently
has a typo - addressed in
nextcloud/security-advisories#21.
The substitution in smtpd/parse.y isn't necessary anymore.
The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define,
which will be set properly by the build system.

(cherry picked from commit 9658850)
(cherry picked from commit 77da495)
Release notes aren't available at this time [1] it is likely to be
related to a recent mail to oss-security (either [2] or [3]).

[1] https://www.mail-archive.com/[email protected]/msg04888.html
[2] https://www.openwall.com/lists/oss-security/2020/02/24/5
[3] https://www.openwall.com/lists/oss-security/2020/02/24/4

(cherry picked from commit 09725e5)
This reverts commit 4f69f2c.

We backported the latest opensmtpd version.
This reverts commit f5c74e6.

Already included in the opensmtpd version.
build fails against our local libressl version
opensmtpd: 6.4.2p1 -> 6.6.4p1 [backport 19.09]
a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the
checksum database of the main module's go.sum.

We already use the default behavior when building `go-modules`, but Go
tries to consult the checksum database again when building the module,
and fails because it requires `cacert` and `git` which are not
propagated when building the package.

(cherry picked from commit c5733e7)
Signed-off-by: Martin Baillie <[email protected]>
(cherry picked from commit 6e055c9)
Fixes a severe bug with subnet routing.

Signed-off-by: David Anderson <[email protected]>
(cherry picked from commit f61f686)
[19.09] openssl: 1.1.1d -> 1.1.1e
flokli and others added 30 commits May 1, 2020 13:27
(cherry picked from commit 9eb6dc7)
(cherry picked from commit fdd0d0d)
[19.09] salt: 2019.2.0 -> 2019.2.4
(cherry picked from commit 324e40f)
(cherry picked from commit 3911336)
chromium: 81.0.4044.129 -> 81.0.4044.138
According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api
the correct option is restricted-rpc, not restrict-rpc.

(cherry picked from commit e7ab236)
Regression introduced by bce5268.

The bit size of the initialisation vector for AES GCM has been
introduced in NSS version 3.52 in the CK_GCM_PARAMS struct via the
ulIvBits field.

Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it
gets initialised to zero, which in turn causes IV generation to fail.

I found out about this because WebRTC stopped working after updating to
NSS 3.52 and so I started bisecting.

Since there wasn't an obvious error in Firefox hinting towards NSS but
instead just the video stream ended up as a "null" stream, I didn't
suspect the NSS update to be the culprit at first. So I verified a few
times and then also started bisecting the actual commit in NSS that
caused the issue.

This turned out to be the problematic change:

https://phabricator.services.mozilla.com/D63241

> One notable change was caused by an inconsistency between the spec and
> the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra
> field in the header that was not in the spec. OASIS considers the
> header file to be normative, so PKCS#11 v3.0 resolved the issue in
> favor of the header file definition.

Since the test I've used[1] was a bit flaky, I still didn't believe the
result of the bisect to be accurate, but after running the test several
times leading to the same results I dug through the above change line by line
to get more clues.

It fortunately didn't take that long to stumble upon the ulIvBits change
(which is actually documented in the NSS 3.52 release notes[4], but I
managed to blatantly ignore it for some reason) and started checking the
Firefox source tree for changes regarding that field.

Initialisation of that new field has been introduced[2] in preparation
for the 76 release, but subsequently got reverted[3] prior to the
release, because Firefox 76 is expected to be shipped with NSS 3.51,
which didn't have the ulIvBits field.

The patch I'm adding here is just a reintroduction of that change,
because we're using NSS 3.52. Not initialising that field will break
WebRTC and WebCrypto, which I think the former seems to gain in
popularity these days ;-)

Tested the change against the mentioned VM test[1] and also by testing
manually using Jitsi Meet and Nextcloud Talk.

[1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
[2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
[3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
[4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes

Signed-off-by: aszlig <[email protected]>
(cherry picked from commit 8fb4997 & moved to packages.nix)
(cherry picked from commit b70435e)
[19.09] firefox: Add patch to fix AES GCM IV bit size
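
The failure mode described in the commit message above, as an added example that is not code from the commit, NSS or Firefox. The two struct typedefs mirror the CK_GCM_PARAMS layouts named in the quoted change; `gcm_params_ok`, the caller functions and `sample_iv` are hypothetical names, and the check only models a consumer that refuses a zero IV bit size.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char CK_BYTE;
typedef unsigned long CK_ULONG;

/* CK_GCM_PARAMS as written in the PKCS#11 v2.40 spec text: no ulIvBits. */
typedef struct {
    CK_BYTE *pIv;  CK_ULONG ulIvLen;
    CK_BYTE *pAAD; CK_ULONG ulAADLen;
    CK_ULONG ulTagBits;
} gcm_params_v240_spec;

/* CK_GCM_PARAMS as in the v2.40 header and PKCS#11 v3.0: ulIvBits added. */
typedef struct {
    CK_BYTE *pIv;  CK_ULONG ulIvLen;  CK_ULONG ulIvBits;
    CK_BYTE *pAAD; CK_ULONG ulAADLen;
    CK_ULONG ulTagBits;
} gcm_params_v30;

static CK_BYTE sample_iv[12];  /* constructed 96-bit IV, all zero */

/* Hypothetical consumer check (an assumption, not NSS code): reject an IV
 * bit size of zero or one larger than the supplied buffer. */
int gcm_params_ok(const gcm_params_v30 *p) {
    if (p->pIv == NULL || p->ulIvLen == 0) return 0;
    if (p->ulIvBits == 0 || p->ulIvBits > p->ulIvLen * 8) return 0;
    return 1;
}

/* Caller written against the old layout: zeroes the struct and fills the
 * fields it knows about, so ulIvBits stays 0. */
int legacy_caller_accepted(void) {
    gcm_params_v30 p;
    memset(&p, 0, sizeof p);
    p.pIv = sample_iv; p.ulIvLen = sizeof sample_iv; p.ulTagBits = 128;
    return gcm_params_ok(&p);
}

/* Same caller with the new field initialised from the IV length. */
int fixed_caller_accepted(void) {
    gcm_params_v30 p;
    memset(&p, 0, sizeof p);
    p.pIv = sample_iv; p.ulIvLen = sizeof sample_iv; p.ulTagBits = 128;
    p.ulIvBits = p.ulIvLen * 8;
    return gcm_params_ok(&p);
}

int main(void) {
    printf("legacy caller accepted: %d\n", legacy_caller_accepted());
    printf("fixed caller accepted:  %d\n", fixed_caller_accepted());
    return 0;
}
```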
Since M81 won't receive any updates anymore and there are known
vulnerabilities we should mark it as insecure so that users are aware of
the risks.
Updating Chromium to M83 is unfortunately too challenging for
19.09, but as of today we've already covered the one month period of
security updates for "oldstable" and both 20.03 and nixos-unstable
contain recent versions (i.e. users should either update to the current
stable release or install Chromium from a different channel).

nixos-unstable PR for M83: NixOS#88206
[19.09] chromium: Mark as insecure
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/
$ nix build -f nixos/release.nix tests.bind.x86_64-linux

(cherry picked from commit 13c485d)
In BIND case these are quite severe DoS risks, so let me backport to 19.09.
https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/
$ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux
NixPkgs master is on 4.3.x already; /cc that PR NixOS#88159

(cherry picked from commit 1a02977)
(cherry picked from commit 0e38414)
(cherry picked from commit f7c914e)
(cherry picked from commit cfaa803)
This fixes the issues with glibc 2.30, which were caused because glibc
no longer allows dlopen/LD_PRELOAD of a PIE executable.

So this release is essentially just a hotfix release which addresses
this issue by splitting the executable and library.

Signed-off-by: aszlig <[email protected]>
Reported-by: @zimbatm
(cherry picked from commit b51d39f)
Upstream fixes:

  - Pass linker version script to the linker instead of the compiler.
  - Compile with `-fPIC` again (regression from version 2.1.2).
  - Out of bounds array access in `globpath`.
  - Handling of `epoll_ctl` calls (they're now replayed after replacing
    socket).
  - GCC 10 build errors and Clang warnings.

While most of these fixes are more relevant for other distros, the
linker script fix is actually a regression that has existed for a long time
(version 1.x) and caused libip2unix to expose way too many symbols.

Built and tested on i686-linux and x86_64-linux.

Signed-off-by: aszlig <[email protected]>
(cherry picked from commit 67325b1)
wire-desktop: linux 3.17.2924 -> 3.18.2925, mac 3.17.3666 -> 3.18.3728