From b0f1fea52fefd053ecf942296936606303eb3898 Mon Sep 17 00:00:00 2001 From: Red Davies Date: Tue, 24 Nov 2020 20:42:29 -0500 Subject: [PATCH 01/17] cassandra_2_1: 2.1.20 -> 2.1.22 Reason: Fixes CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability Description: It is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely. 2.1.x users should upgrade to 2.1.22 --- pkgs/servers/nosql/cassandra/2.1.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/nosql/cassandra/2.1.nix b/pkgs/servers/nosql/cassandra/2.1.nix index d73e242a9422..76c1130c469f 100644 --- a/pkgs/servers/nosql/cassandra/2.1.nix +++ b/pkgs/servers/nosql/cassandra/2.1.nix @@ -1,6 +1,6 @@ { callPackage, ... } @ args: callPackage ./generic.nix (args // { - version = "2.1.20"; - sha256 = "0ik7a4jg3s3xnyrj1sa0rvbh066fv1y2202l7cv6nbca72pgyl6a"; + version = "2.1.22"; + sha256 = "1wk57dz0kmc6d5y8d8dkx269lzh3ark3751z734gxncwdlclcyz3"; }) From ee1b13dd13ef956b01a290f4da2b13e37830cd25 Mon Sep 17 00:00:00 2001 
From: Red Davies Date: Tue, 24 Nov 2020 20:58:37 -0500 Subject: [PATCH 02/17] cassandra_2_2: 2.2.14 -> 2.2.19 Reason: Fixes CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability Description: It is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely. 2.2.x users should upgrade to 2.2.18 --- pkgs/servers/nosql/cassandra/2.2.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/nosql/cassandra/2.2.nix b/pkgs/servers/nosql/cassandra/2.2.nix index f9966b1ccd5b..919fb44ee2e7 100644 --- a/pkgs/servers/nosql/cassandra/2.2.nix +++ b/pkgs/servers/nosql/cassandra/2.2.nix @@ -1,6 +1,6 @@ { callPackage, ... } @ args: callPackage ./generic.nix (args // { - version = "2.2.14"; - sha256 = "1b2x3q1ach44qg07sh8wr7d8a10n36w5522drd3p35djbiwa3d9q"; + version = "2.2.19"; + sha256 = "1f8axpxxpmzlb22k3lqsnw3096qjp6xd36brvq5xbdk698jw15jl"; }) From 1416482f638471162e7ef40b7d269de1af82066f Mon Sep 17 00:00:00 2001 From: squalus Date: Mon, 7 Dec 2020 22:37:09 +0000 Subject: [PATCH 03/17] ungoogled-chromium: 86.0.4240.183-1 -> 87.0.4280.88-1 based on chromium master@68d1006c --- .../browsers/ungoogled-chromium/browser.nix | 1 - .../browsers/ungoogled-chromium/common.nix | 25 +++------- .../browsers/ungoogled-chromium/default.nix | 6 +-- .../ungoogled-chromium/ungoogled-src.nix | 6 +-- .../browsers/ungoogled-chromium/update.py | 16 ++++++ .../ungoogled-chromium/upstream-info.json | 49 ++++++++++--------- 6 files changed, 53 insertions(+), 50 deletions(-) 
diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix index c5cbee196521..c23a8cead3a7 100644 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix @@ -82,6 +82,5 @@ mkChromiumDerivation (base: rec { platforms = platforms.linux; hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else []; timeout = 172800; # 48 hours (increased from the Hydra default of 10h) - broken = channel == "dev"; # Blocked on https://bugs.chromium.org/p/chromium/issues/detail?id=1141896 }; }) diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix index 2accb1a7ab21..17814c26caa4 100644 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix @@ -18,20 +18,14 @@ , ffmpeg, libxslt, libxml2, at-spi2-core , jre8 , pipewire_0_2 +, libva # optional dependencies , libgcrypt ? null # gnomeSupport || cupsSupport -, libva ? null # useVaapi , libdrm ? null, wayland ? null, mesa ? null, libxkbcommon ? null # useOzone # package customization -, useOzone ? false -, useVaapi ? !(useOzone || stdenv.isAarch64) # Built if supported, but disabled in the wrapper -# VA-API TODOs: -# - Ozone: M81 fails to build due to "ozone_platform_gbm = false" -# - Possible solutions: Write a patch to fix the build (wrong gn dependencies) -# or build with minigbm -# - AArch64: Causes serious regressions (https://github.com/NixOS/nixpkgs/pull/85253#issuecomment-614405879) +, useOzone ? true , gnomeSupport ? false, gnome ? null , gnomeKeyringSupport ? false, libgnome-keyring3 ? null , proprietaryCodecs ? true 
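Review bot: With `useOzone ? true` now the default in common.nix, the Ozone inputs listed just above it (`libdrm ? null, wayland ? null, mesa ? null, libxkbcommon ? null # useOzone`) still default to `null` under the "optional dependencies" heading. A caller that does not supply them would only find out when a later use such as `"${wayland}/bin/wayland-scanner"` is evaluated, unless `callPackage` fills them in. Either drop the `? null` defaults for these four, as this hunk already does for `libva`, or add a guard such as `assert useOzone -> wayland != null;`. The argument list starts and ends outside the hunk, so something not visible here may already cover this.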
@@ -148,8 +142,8 @@ let pciutils protobuf speechd libXdamage at-spi2-core jre pipewire_0_2 - ] ++ optional useVaapi libva - ++ optional gnomeKeyringSupport libgnome-keyring3 + libva + ] ++ optional gnomeKeyringSupport libgnome-keyring3 ++ optionals gnomeSupport [ gnome.GConf libgcrypt ] ++ optionals cupsSupport [ libgcrypt cups ] ++ optional pulseSupport libpulseaudio @@ -159,9 +153,6 @@ let ./patches/no-build-timestamps.patch # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed) ./patches/widevine-79.patch # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags # ++ optional (versionRange "68" "72") ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) - ] ++ optionals (useVaapi && versionRange "86" "87") [ - # Check for enable-accelerated-video-decode on Linux: - (githubPatch "54deb9811ca9bd2327def5c05ba6987b8c7a0897" "11jvxjlkzz1hm0pvfyr88j7z3zbwzplyl5idkx92l2lzv4459c8d") ]; postPatch = '' @@ -234,9 +225,8 @@ let custom_toolchain = "//build/toolchain/linux/unbundle:default"; host_toolchain = "//build/toolchain/linux/unbundle:default"; is_official_build = true; - is_debug = false; - proprietary_codecs = false; + use_vaapi = !stdenv.isAarch64; # TODO: Remove once M88 is released use_sysroot = false; use_gnome_keyring = gnomeKeyringSupport; use_gio = gnomeSupport; @@ -252,7 +242,6 @@ let rtc_use_pipewire = true; treat_warnings_as_errors = false; - is_clang = stdenv.cc.isClang; clang_use_chrome_plugins = false; blink_symbol_level = 0; symbol_level = 0; @@ -270,14 +259,11 @@ let proprietary_codecs = true; enable_hangout_services_extension = true; ffmpeg_branding = "Chrome"; - } // optionalAttrs useVaapi { - use_vaapi = true; } // optionalAttrs pulseSupport { use_pulseaudio = true; link_pulseaudio = true; } // optionalAttrs useOzone { use_ozone = true; - ozone_platform_gbm = false; use_xkbcommon = true; use_glib = true; use_gtk = true; 
@@ -286,6 +272,7 @@ let use_system_libdrm = true; system_wayland_scanner_path = "${wayland}/bin/wayland-scanner"; } // optionalAttrs ungoogled { + chrome_pgo_phase = 0; enable_hangout_services_extension = false; enable_js_type_check = false; enable_mdns = false; diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix index b02c91c6e230..b75d271ace55 100644 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix @@ -16,7 +16,6 @@ , enableWideVine ? false , enableVaapi ? false # Disabled by default due to unofficial support , ungoogled ? true -, useOzone ? false , cupsSupport ? true , pulseSupport ? config.pulseaudio or stdenv.isLinux , commandLineArgs ? "" @@ -35,7 +34,7 @@ let mkChromiumDerivation = callPackage ./common.nix ({ inherit channel gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs - cupsSupport pulseSupport useOzone; + cupsSupport pulseSupport; inherit ungoogled; gnChromium = gn.overrideAttrs (oldAttrs: { inherit (upstream-info.deps.gn) version; @@ -43,9 +42,6 @@ let inherit (upstream-info.deps.gn) url rev sha256; }; }); - } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "87") { - useOzone = true; # YAY: https://chromium-review.googlesource.com/c/chromium/src/+/2382834 \o/ - useVaapi = !stdenv.isAarch64; # TODO: Might be best to not set use_vaapi anymore (default is fine) }); browser = callPackage ./browser.nix { inherit channel enableWideVine; }; diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix index 73c9796aaa96..26f2f730a41d 100644 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix 
@@ -1,6 +1,6 @@ { - "86.0.4240.183" = { - rev = "86.0.4240.183-1"; - sha256 = "0528l2wr5bpl1cwsxzl5zxz1gw91kffkh5j1kzmc5n7m4mscqxyc"; + "87.0.4280.88" = { + rev = "87.0.4280.88-1"; + sha256 = "0w2137w8hfcgl6f938hqnb4ffp33v5r8vdzxrvs814w7dszkiqgg"; }; } diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/update.py b/pkgs/applications/networking/browsers/ungoogled-chromium/update.py index b404ca555bff..9e1f0aec598d 100755 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/update.py +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/update.py @@ -38,6 +38,20 @@ def get_file_revision(revision, file_path): with urlopen(url) as http_response: return http_response.read() +def get_matching_chromedriver(version): + # See https://chromedriver.chromium.org/downloads/version-selection + build = re.sub('.[0-9]+$', '', version) + chromedriver_version_url = f'https://chromedriver.storage.googleapis.com/LATEST_RELEASE_{build}' + with urlopen(chromedriver_version_url) as http_response: + chromedriver_version = http_response.read().decode() + def get_chromedriver_url(system): + return f'https://chromedriver.storage.googleapis.com/{chromedriver_version}/chromedriver_{system}.zip' + return { + 'version': chromedriver_version, + 'sha256_linux': nix_prefetch_url(get_chromedriver_url('linux64')), + 'sha256_darwin': nix_prefetch_url(get_chromedriver_url('mac64')) + } + def get_channel_dependencies(channel): deps = get_file_revision(channel['version'], 'DEPS') gn_pattern = b"'gn_version': 'git_revision:([0-9a-f]{40})'" @@ -85,6 +99,8 @@ with urlopen(HISTORY_URL) as resp: continue channel['deps'] = get_channel_dependencies(channel) + if channel_name == 'stable': + channel['chromedriver'] = get_matching_chromedriver(channel['version']) channels[channel_name] = channel 
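Review bot: In `get_matching_chromedriver` the pattern given to `re.sub` leaves the dot unescaped, so `'.[0-9]+$'` removes any character followed by digits rather than the last dotted component; it should be `build = re.sub(r'\.[0-9]+$', '', version)`. The body returned for `LATEST_RELEASE_{build}` is decoded and interpolated straight into the download URL and then written into `upstream-info.json`. It would be safer to strip it and reject anything that is not a dotted version first, for example `if not re.fullmatch(r'[0-9]+(\.[0-9]+){3}', chromedriver_version): raise ValueError(chromedriver_version)`. The two `sha256_*` values are presumably whatever `nix_prefetch_url` computed at update time, so they pin the archive for later builds but do not authenticate it, and a one-line comment saying so would help whoever reviews the regenerated JSON.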
diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json b/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json index 565f884c5102..6343dd4b2468 100644 --- a/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json @@ -1,21 +1,8 @@ { "stable": { - "version": "86.0.4240.183", - "sha256": "1g39i82js7fm4fqb8i66d6xs0kzqjxzi4vzvvwz5y9rkbikcc4ma", - "sha256bin64": "1r0dxqsx6j19hgwr3v2sdlb2vd7gb961c4wba4ymd8wy8j8pzly9", - "deps": { - "gn": { - "version": "2020-08-07", - "url": "https://gn.googlesource.com/gn", - "rev": "e327ffdc503815916db2543ec000226a8df45163", - "sha256": "0kvlfj3www84zp1vmxh76x8fdjm9hyk8lkh2vdsidafpmm75fphr" - } - } - }, - "beta": { - "version": "87.0.4280.40", - "sha256": "07xh76fl257np68way6i5rf64qbvirkfddy7m5gvqb0fzcqd7dp3", - "sha256bin64": "1b2z0aqlh28pqrk6dmabxp1d4mvp9iyfmi4kqmns4cdpg0qgaf41", + "version": "87.0.4280.88", + "sha256": "1h09g9b2zxad85vd146ymvg3w2kpngpi78yig3dn1vrmhwr4aiiy", + "sha256bin64": "0n3fm6wf8zfkv135d50xl8xxrnng3q55vyxkck1da8jyvh18bijb", "deps": { "gn": { "version": "2020-09-09", 
@@ -23,18 +10,36 @@ "rev": "e002e68a48d1c82648eadde2f6aafa20d08c36f2", "sha256": "0x4c7amxwzxs39grqs3dnnz0531mpf1p75niq7zhinyfqm86i4dk" } + }, + "chromedriver": { + "version": "87.0.4280.88", + "sha256_linux": "141mr2jiy3nslwd3s43m4i6plkv9wv5fgi78cn7mz0ac9x6fpcgx", + "sha256_darwin": "048hsqp6575r980m769lzznvxypmfcwn89f1d3ik751ymzmb5r78" + } + }, + "beta": { + "version": "88.0.4324.27", + "sha256": "0mciiyh3sn2zrl8g6znylc2pm9sb0wzsclgavf7mmlknri5sjblc", + "sha256bin64": "0qf2j1j3p94s724rwh8fydpjn88cs9yxxhjf5axvqwi7q3h35cfx", + "deps": { + "gn": { + "version": "2020-11-05", + "url": "https://gn.googlesource.com/gn", + "rev": "53d92014bf94c3893886470a1c7c1289f8818db0", + "sha256": "1xcm07qjk6m2czi150fiqqxql067i832adck6zxrishm70c9jbr9" + } } }, "dev": { - "version": "88.0.4300.0", - "sha256": "00cfs2rp4h8ybn2snr1d8ygg635hx7q5gv2aqriy1j6f8a1pgh1b", - "sha256bin64": "110r1m14h91212nx6pfhn8wkics7wlwx1608l5cqsxxcpvpzl3pv", + "version": "89.0.4343.0", + "sha256": "0jmc1l0lysl5zax98fjhzsfq3c1sqh3n3xscidafflx362wcfpwa", + "sha256bin64": "1v6xik8kf531y0g5xj0c8szjmak0qvh77kwkw7p7hqxqmnwwp06d", "deps": { "gn": { - "version": "2020-09-09", + "version": "2020-11-05", "url": "https://gn.googlesource.com/gn", - "rev": "e002e68a48d1c82648eadde2f6aafa20d08c36f2", - "sha256": "0x4c7amxwzxs39grqs3dnnz0531mpf1p75niq7zhinyfqm86i4dk" + "rev": "53d92014bf94c3893886470a1c7c1289f8818db0", + "sha256": "1xcm07qjk6m2czi150fiqqxql067i832adck6zxrishm70c9jbr9" } } } From f162839a1eda1a79df211c56660faf051d9511b9 Mon Sep 17 00:00:00 2001 From: Jonathan Ringer Date: Tue, 8 Dec 2020 18:04:49 -0800 Subject: [PATCH 04/17] steam: fix electron launchers --- pkgs/games/steam/fhsenv.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/games/steam/fhsenv.nix b/pkgs/games/steam/fhsenv.nix index ecd318e64c66..34b2fe198539 100644 --- a/pkgs/games/steam/fhsenv.nix +++ b/pkgs/games/steam/fhsenv.nix 
@@ -35,6 +35,10 @@ let # Steam VR procps usbutils + + # electron based launchers need newer versions of these libraries than what runtime provides + mesa + sqlite ] ++ lib.optional withJava jdk8 # TODO: upgrade https://github.com/NixOS/nixpkgs/pull/89731 ++ lib.optional withPrimus primus ++ extraPkgs pkgs; @@ -175,7 +179,6 @@ in buildFHSUserEnv rec { libidn tbb wayland - mesa libxkbcommon # Other things from runtime From 6c52434eb0015ec5ab17adca2a08b4acbfb88e68 Mon Sep 17 00:00:00 2001 From: Jonathan Ringer Date: Tue, 8 Dec 2020 18:20:44 -0800 Subject: [PATCH 05/17] buildFHSUserEnvBubblewrap: expand unshare options --- .../build-fhs-userenv-bubblewrap/default.nix | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix index 3a3c9e932fdb..b40569a479bc 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix @@ -1,20 +1,27 @@ -{ callPackage, runCommandLocal, writeShellScriptBin, stdenv, coreutils, bubblewrap }: - -let buildFHSEnv = callPackage ./env.nix { }; in +{ lib, callPackage, runCommandLocal, writeShellScriptBin, stdenv, coreutils, bubblewrap }: args @ { - name, - runScript ? "bash", - extraInstallCommands ? "", - meta ? {}, - passthru ? {}, - ... + name +, runScript ? "bash" +, extraInstallCommands ? "" +, meta ? {} +, passthru ? {} +, unshareUser ? true +, unshareIpc ? true +, unsharePid ? true +, unshareNet ? false +, unshareUts ? true +, unshareCgroup ? true +, ... }: with builtins; let + buildFHSEnv = callPackage ./env.nix { }; + env = buildFHSEnv (removeAttrs args [ "runScript" "extraInstallCommands" "meta" "passthru" + "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc" ]); chrootenv = callPackage ./chrootenv {}; 
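Review bot: The six new `unshare*` arguments of buildFHSUserEnvBubblewrap are sandbox boundaries, but nothing in the argument list says what turning one off exposes. A short comment above them would help, for example `# Namespace isolation passed to bwrap; setting one to false shares that host namespace with the sandboxed program.` followed by `# unshareNet defaults to false to keep the previous --share-net behaviour.` The function body continues outside this hunk.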
@@ -92,8 +99,12 @@ let --dev-bind /dev /dev --proc /proc --chdir "$(pwd)" - --unshare-all - --share-net + ${lib.optionalString unshareUser "--unshare-user"} + ${lib.optionalString unshareIpc "--unshare-ipc"} + ${lib.optionalString unsharePid "--unshare-pid"} + ${lib.optionalString unshareNet "--unshare-net"} + ${lib.optionalString unshareUts "--unshare-uts"} + ${lib.optionalString unshareCgroup "--unshare-cgroup"} --die-with-parent --ro-bind /nix /nix ${etcBindFlags} From 2831a66be623796185ccadcacda16eb5bcd2dc8e Mon Sep 17 00:00:00 2001 From: Jonathan Ringer Date: Tue, 8 Dec 2020 18:42:56 -0800 Subject: [PATCH 06/17] steam: share ipc, fix some gui launchers --- pkgs/games/steam/fhsenv.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/games/steam/fhsenv.nix b/pkgs/games/steam/fhsenv.nix index 34b2fe198539..d3d5b3a2271e 100644 --- a/pkgs/games/steam/fhsenv.nix +++ b/pkgs/games/steam/fhsenv.nix @@ -268,6 +268,10 @@ in buildFHSUserEnv rec { broken = nativeOnly; }; + # allows for some gui applications to share IPC + # this fixes certain issues where they don't render correctly + unshareIpc = false; + passthru.run = buildFHSUserEnv { name = "steam-run"; From db6c4b1bec15f5b7e5f5293e9221f4d0ada957ea Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Wed, 9 Dec 2020 12:26:31 +0100 Subject: [PATCH 07/17] element-desktop: 1.7.14 -> 1.7.15 ChangeLog: https://github.com/vector-im/element-desktop/releases/tag/v1.7.15 --- .../element/element-desktop-package.json | 8 ++++---- .../instant-messengers/element/element-desktop.nix | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/element/element-desktop-package.json b/pkgs/applications/networking/instant-messengers/element/element-desktop-package.json index f2d882ad75e4..2bc223d5c618 100644 --- a/pkgs/applications/networking/instant-messengers/element/element-desktop-package.json 
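Review bot: Replacing `--unshare-all --share-net` with explicit flags changes behaviour on hosts without user or cgroup namespaces. According to the bwrap man page, `--unshare-all` expands to `--unshare-user-try` and `--unshare-cgroup-try`, while the new defaults emit `--unshare-user` and `--unshare-cgroup`, which make bwrap exit when the namespace cannot be created. If the hard failure is intended, because it avoids silently running with less isolation, say so in a comment next to these lines. If compatibility is the goal, use the `-try` forms, e.g. `${lib.optionalString unshareCgroup "--unshare-cgroup-try"}`. The surrounding script starts and ends outside the hunk.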
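Review bot: `unshareIpc = false;` in steam/fhsenv.nix shares the host IPC namespace (System V IPC objects and POSIX message queues) with everything launched from Steam, and the added comment does not mention that trade-off or which launchers need it. I would reword it along the lines of `# Share the host IPC namespace: some GUI launchers render incorrectly without it (presumably they rely on SysV shared memory). This lowers isolation for every program started from Steam.` The `passthru.run` (steam-run) definition that follows continues outside the hunk, so whether it needs or receives the same setting cannot be checked from here.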
+++ b/pkgs/applications/networking/instant-messengers/element/element-desktop-package.json @@ -2,12 +2,12 @@ "name": "element-desktop", "productName": "Element", "main": "src/electron-main.js", - "version": "1.7.14", + "version": "1.7.15", "description": "A feature-rich client for Matrix.org", "author": "Element", "repository": { "type": "git", - "url": "https://github.com/vector-im/riot-desktop" + "url": "https://github.com/vector-im/element-desktop" }, "license": "Apache-2.0", "files": [], @@ -21,7 +21,7 @@ "build32": "electron-builder --ia32", "build64": "electron-builder --x64", "build": "electron-builder", - "docker:setup": "docker build -t riot-desktop-dockerbuild dockerbuild", + "docker:setup": "docker build -t element-desktop-dockerbuild dockerbuild", "docker:build:native": "scripts/in-docker.sh yarn run hak", "docker:build": "scripts/in-docker.sh yarn run build", "docker:install": "scripts/in-docker.sh yarn install", @@ -62,7 +62,7 @@ }, "build": { "appId": "im.riot.app", - "electronVersion": "10.1.3", + "electronVersion": "10.1.6", "files": [ "package.json", { diff --git a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix index 9a3dab920f40..d5dac9655ef4 100644 --- a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix +++ b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix @@ -8,12 +8,12 @@ let executableName = "element-desktop"; - version = "1.7.14"; + version = "1.7.15"; src = fetchFromGitHub { owner = "vector-im"; - repo = "riot-desktop"; + repo = "element-desktop"; rev = "v${version}"; - sha256 = "04zqvj7n803dwp4jkhiihhynp82birb14vamm6ys39a0zgs91cnv"; + sha256 = "sha256-7kWf8MXSB4/sX1bjMsfkzgzElS/AYu5VHAKGcqgvH54="; }; electron = electron_9; From 0d5608d9b5e407c72708f3c7a8dd739bbf45a5fe Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Wed, 9 Dec 2020 12:27:03 +0100 Subject: [PATCH 08/17] element-web: 1.7.14 -> 1.7.15 ChangeLog: https://github.com/vector-im/element-web/releases/tag/v1.7.15 Also had to replace `riot` with `element` in the download URL now as the artifacts were renamed in this release. --- .../networking/instant-messengers/element/element-web.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/element/element-web.nix b/pkgs/applications/networking/instant-messengers/element/element-web.nix index 46ac18af9ee5..44233d464758 100644 --- a/pkgs/applications/networking/instant-messengers/element/element-web.nix +++ b/pkgs/applications/networking/instant-messengers/element/element-web.nix @@ -12,11 +12,11 @@ let in stdenv.mkDerivation rec { pname = "element-web"; - version = "1.7.14"; + version = "1.7.15"; src = fetchurl { - url = "https://github.com/vector-im/riot-web/releases/download/v${version}/riot-v${version}.tar.gz"; - sha256 = "1wyk1si0dmlcskf25zmbijpz6505yzjxa7pvd3g2k9kxc49vi20j"; + url = "https://github.com/vector-im/element-web/releases/download/v${version}/element-v${version}.tar.gz"; + sha256 = "sha256-ZSi0OLA5dyPXn1NlZkkhCmWhrSryfyj/O6Ux1lO12ns="; }; installPhase = '' From 917cac46631803099c9ff414ac77964eee615365 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Wed, 9 Dec 2020 12:27:43 +0100 Subject: [PATCH 09/17] matrix-synapse: 1.23.0 -> 1.24.0 ChangeLog: https://github.com/matrix-org/synapse/releases/tag/v1.24.0 This release contains two security advisories: * CVE-2020-26257[1]: possible DDoS in the federation API. * CVE-2020-1971[2]: to be fixed in #106362[3]. [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971 [3] https://github.com/NixOS/nixpkgs/pull/106362 --- pkgs/servers/matrix-synapse/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/servers/matrix-synapse/default.nix b/pkgs/servers/matrix-synapse/default.nix index e6266268a935..39e1952e1e83 100644 --- a/pkgs/servers/matrix-synapse/default.nix +++ b/pkgs/servers/matrix-synapse/default.nix @@ -10,11 +10,11 @@ let in buildPythonApplication rec { pname = "matrix-synapse"; - version = "1.23.0"; + version = "1.24.0"; src = fetchPypi { inherit pname version; - sha256 = "18an6nvxq2g21rq5ph3xlnkl75dmilcrz4ykdydz37hs09z6q1al"; + sha256 = "sha256-yxcdFd7iVXbDIUx1lW73FKLy+BZfSspz60LKw7BCtl4="; }; patches = [ From 02b7ec6a942712db129d112d17da874b33061f5c Mon Sep 17 00:00:00 2001 From: 0x4A6F <0x4A6F@users.noreply.github.com> Date: Wed, 9 Dec 2020 11:53:39 +0000 Subject: [PATCH 10/17] routinator: 0.8.1 -> 0.8.2 --- pkgs/servers/routinator/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/servers/routinator/default.nix b/pkgs/servers/routinator/default.nix index a1de033af468..7cb28c49a50e 100644 --- a/pkgs/servers/routinator/default.nix +++ b/pkgs/servers/routinator/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "routinator"; - version = "0.8.1"; + version = "0.8.2"; src = fetchFromGitHub { owner = "NLnetLabs"; repo = pname; rev = "v${version}"; - sha256 = "sha256-yH43FPeMohN6zpzEcLpbFBvO8Wz4IjuWRmsE19C7NIA="; + sha256 = "sha256-rxCgW4cuYNSJ9P+cBYWAYJsghz2bp9mpAh6AuwLoV5o="; }; - cargoSha256 = "14cbkvcvbjgc308lh1yj0715rnl035r5qwvfsip17xk5j3y8w1xr"; + cargoSha256 = "0fcp4b2b0mjddj4blr20gvp1ih3ldzzr04rm1m06i8d2lnl68i79"; meta = with stdenv.lib; { description = "An RPKI Validator written in Rust"; From b8c49dd5b151da375ef1f4d513e496db5fe8dd89 Mon Sep 17 00:00:00 2001 From: 06kellyjac Date: Wed, 9 Dec 2020 12:14:35 +0000 Subject: [PATCH 11/17] open-policy-agent: 0.25.1 -> 0.25.2 --- pkgs/development/tools/open-policy-agent/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/development/tools/open-policy-agent/default.nix b/pkgs/development/tools/open-policy-agent/default.nix index 6b765162320c..98e966cbf537 100644 --- a/pkgs/development/tools/open-policy-agent/default.nix +++ b/pkgs/development/tools/open-policy-agent/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "open-policy-agent"; - version = "0.25.1"; + version = "0.25.2"; src = fetchFromGitHub { owner = "open-policy-agent"; repo = "opa"; rev = "v${version}"; - sha256 = "1vwyp46lxjar7wl4qjj1mlii4c1vm65kwgmnf1kkwh8i4c202zkx"; + sha256 = "0y4jd1dpq7cy9nfacpf5jbh705gmky44j78q32kq5v566lzrsvvp"; }; vendorSha256 = null; From dfc4b9d107c7df7aa66ed5d8b578f9575b5b721e Mon Sep 17 00:00:00 2001 From: Eduard-Mihai Burtescu Date: Wed, 9 Dec 2020 12:49:11 +0000 Subject: [PATCH 12/17] rustup: 1.22.1 -> 1.23.1 --- pkgs/development/tools/rust/rustup/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/tools/rust/rustup/default.nix b/pkgs/development/tools/rust/rustup/default.nix index e5ef80b87ee4..f846ed5f02e1 100644 --- a/pkgs/development/tools/rust/rustup/default.nix +++ b/pkgs/development/tools/rust/rustup/default.nix @@ -10,16 +10,16 @@ in rustPlatform.buildRustPackage rec { pname = "rustup"; - version = "1.22.1"; + version = "1.23.1"; src = fetchFromGitHub { owner = "rust-lang"; repo = "rustup"; rev = version; - sha256 = "0nf42pkyn87y0n93vd63bihx74h4bpisv74aqldg3vcav2iv35s1"; + sha256 = "1i3ipkq6j47bf9dh9j3axzj6z443jm4j651g38cxyrrx8b2s15x0"; }; - cargoSha256 = "0ghjrx7y25s6rjp06h0iyv4195x7daj57bqza01i1j4hm5nkhqhi"; + cargoSha256 = "1zkrrg5m0j9rk65g51v2zh404529p9z84qqb7bfyjmgiqlnh48ig"; nativeBuildInputs = [ makeWrapper pkgconfig ]; From e9158eca70ae59e73fae23be5d13d3fa0cfc78b4 Mon Sep 17 00:00:00 2001 
From: Emery Hemingway Date: Wed, 9 Dec 2020 13:39:15 +0100 Subject: [PATCH 13/17] fetchfirefoxaddon: support for SRI hashes --- pkgs/build-support/fetchfirefoxaddon/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/fetchfirefoxaddon/default.nix b/pkgs/build-support/fetchfirefoxaddon/default.nix index 3426743b2cf1..4b7c68484d2e 100644 --- a/pkgs/build-support/fetchfirefoxaddon/default.nix +++ b/pkgs/build-support/fetchfirefoxaddon/default.nix @@ -5,6 +5,7 @@ , sha1 ? "" , sha256 ? "" , sha512 ? "" +, hash ? "" }: stdenv.mkDerivation rec { @@ -30,7 +31,7 @@ stdenv.mkDerivation rec { ''; src = fetchurl { url = url; - inherit md5 sha1 sha256 sha512; + inherit md5 sha1 sha256 sha512 hash; }; nativeBuildInputs = [ coreutils unzip zip jq ]; } From c5f714710c9214d66f604fa4e98341e94e10a70f Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Wed, 9 Dec 2020 14:47:30 +0100 Subject: [PATCH 14/17] alephone: 20150620 -> 1.3.1 --- pkgs/games/alephone/default.nix | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/pkgs/games/alephone/default.nix b/pkgs/games/alephone/default.nix index 879571df7a13..8dfef420a8d8 100644 --- a/pkgs/games/alephone/default.nix +++ b/pkgs/games/alephone/default.nix 
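Review bot: In fetchfirefoxaddon the new `hash` argument is forwarded to `fetchurl` next to `md5` and `sha1`, and all five default to `""`, so nothing at this level tells callers which one to use or that one is required. A comment on the argument would help, e.g. `# SRI hash of the downloaded .xpi ("sha256-<base64>"); prefer this or sha256/sha512 over md5/sha1.` Judging by `unzip`, `zip` and `jq` in `nativeBuildInputs`, the derivation seems to repack the add-on, so the hash covers the download rather than the installed output; that is worth stating too. The build command lies outside these hunks, so the repacking is inferred.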
@@ -1,17 +1,18 @@ -{ stdenv, fetchurl, boost, curl, ffmpeg, icoutils, libmad, libogg, libpng -, libsndfile, libvorbis, lua, pkgconfig, SDL, SDL_image, SDL_net, SDL_ttf, smpeg -, speex, zziplib, zlib, makeWrapper, makeDesktopItem, unzip, alephone }: +{ stdenv, fetchurl, boost, curl, ffmpeg, icoutils, libGLU, libmad, libogg +, libpng, libsndfile, libvorbis, lua, pkgconfig, SDL2, SDL2_image, SDL2_net +, SDL2_ttf, smpeg, speex, zziplib, zlib, makeWrapper, makeDesktopItem, unzip +, alephone }: let self = stdenv.mkDerivation rec { outputs = [ "out" "icons" ]; pname = "alephone"; - version = "20150620"; + version = "1.3.1"; src = fetchurl { - url = - "https://github.com/Aleph-One-Marathon/alephone/releases/download/release-${version}/AlephOne-${version}.tar.bz2"; - sha256 = "0cz18fa3gx8mz5j09ywz8gq0r4q082kh6l9pbpwn8qjanzgn1wy0"; + url = let date = "20200904"; + in "https://github.com/Aleph-One-Marathon/alephone/releases/download/release-${date}/AlephOne-${date}.tar.bz2"; + sha256 = "13ck3mp9qd5pkiq6zwvr744bwvmnqkgj5vpf325sz1mcvnv7l8lh"; }; nativeBuildInputs = [ pkgconfig icoutils ]; @@ -20,16 +21,17 @@ let boost curl ffmpeg + libGLU libmad libsndfile libogg libpng libvorbis lua - SDL - SDL_image - SDL_net - SDL_ttf + SDL2 + SDL2_image + SDL2_net + SDL2_ttf smpeg speex zziplib From 253de1fcdb3b82a74a0bf128a7ae2a7b2fed0932 Mon Sep 17 00:00:00 2001 From: "R. RyanTM" Date: Wed, 9 Dec 2020 13:21:07 +0000 Subject: [PATCH 15/17] alephone-infinity: 20190331 -> 20200904 --- pkgs/games/alephone/infinity/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/games/alephone/infinity/default.nix b/pkgs/games/alephone/infinity/default.nix index fc3500d0eb94..5db83c579e4e 100644 --- a/pkgs/games/alephone/infinity/default.nix +++ b/pkgs/games/alephone/infinity/default.nix 
@@ -3,13 +3,13 @@ alephone.makeWrapper rec { pname = "marathon-infinity"; desktopName = "Marathon-Infinity"; - version = "20190331"; + version = "20200904"; icon = alephone.icons + "/marathon-infinity.png"; zip = fetchurl { url = "https://github.com/Aleph-One-Marathon/alephone/releases/download/release-${version}/MarathonInfinity-${version}-Data.zip"; - sha256 = "03vn91arnsm71dakbfzrdfwpwh5vkwildl7i16xqi1apinmvvh86"; + sha256 = "1n2zfiqjbakkk9dpnzfndqyvq3aml2kjrr2b1wm8g1n44nbc8clq"; }; meta = { From 092b294f1e2d91acbd31d82c001838e16b57552d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20de=20Kok?= Date: Wed, 9 Dec 2020 11:16:26 +0100 Subject: [PATCH 16/17] python3Packages.thinc: 7.4.3 -> 7.4.4 --- pkgs/development/python-modules/thinc/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/thinc/default.nix b/pkgs/development/python-modules/thinc/default.nix index 6e0fbcce37a6..f63b181a8a81 100644 --- a/pkgs/development/python-modules/thinc/default.nix +++ b/pkgs/development/python-modules/thinc/default.nix @@ -23,11 +23,11 @@ buildPythonPackage rec { pname = "thinc"; - version = "7.4.3"; + version = "7.4.4"; src = fetchPypi { inherit pname version; - sha256 = "c98491b083165f48bda95f5533f7d9dbd3980d32ad621bfe579ff08ef625a4d3"; + sha256 = "08cf5cf7d70135db931c9f9d6f3b1844c53046c88f6072675fc164884f44c9e2"; }; buildInputs = lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ From 4f76b26033c57a98a62345e467687d423790e879 Mon Sep 17 00:00:00 2001 From: "R. RyanTM" Date: Wed, 9 Dec 2020 09:43:54 -0800 Subject: [PATCH 17/17] intel-media-driver: 20.4.2 -> 20.4.3 (#106407) --- pkgs/development/libraries/intel-media-driver/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/intel-media-driver/default.nix b/pkgs/development/libraries/intel-media-driver/default.nix index 43dbe6765699..ada25e10d503 100644 
--- a/pkgs/development/libraries/intel-media-driver/default.nix +++ b/pkgs/development/libraries/intel-media-driver/default.nix @@ -5,13 +5,13 @@ stdenv.mkDerivation rec { pname = "intel-media-driver"; - version = "20.4.2"; + version = "20.4.3"; src = fetchFromGitHub { owner = "intel"; repo = "media-driver"; rev = "intel-media-${version}"; - sha256 = "1nz0f2chfm3rr8aggb7md0cmikwpd9159ql1rc59208nvl2fshrb"; + sha256 = "04a0hcw9f8fr96xpc1inc19mncssqzxmjba9cdvvh71n8j7n3yyw"; }; cmakeFlags = [