Commit Graph

109503 Commits

Author SHA1 Message Date
Franz Pletz
196bf8b0c7 Merge pull request #26750 from mayflower/fix/stack-clash-hardening
Mitigate Stack Clash
2017-06-22 01:53:14 +02:00
Franz Pletz
5e2df7039d
libmicrohttpd: 0.9.53 -> 0.9.55 2017-06-22 01:34:18 +02:00
Franz Pletz
0977c17f83
sqlite3: 3.19.2 -> 3.19.3 2017-06-22 01:33:55 +02:00
mimadrid
4d93d257f7 sqlite3: 3.17.0 -> 3.19.2 2017-06-22 01:24:31 +02:00
Franz Pletz
2296bf394e
glibc: patch CVE-2017-1000366 (stack clash) 2017-06-22 00:44:35 +02:00
Franz Pletz
aab71b31d5
linux: patch CVE-2017-1000364 (stack clash) 2017-06-22 00:44:28 +02:00
Franz Pletz
16aa92305b
exim: patch CVE-2017-1000369 (stack clash) 2017-06-22 00:44:05 +02:00
Franz Pletz
6a850d2b11
coreutils: fix tests depending on setuid/setgid bits 2017-06-22 00:41:53 +02:00
Franz Pletz
4150f5e8ba
cc-wrapper: add stackcheck hardening (stack clash)
This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.

See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a
noop there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks but it is still better than
keeping it disabled.
2017-06-22 00:41:53 +02:00
Franz Pletz
6338c50a84
Merge branch 'master' into staging 2017-06-22 00:41:25 +02:00
Franz Pletz
29a485a8cd
libev: 4.22 -> 4.24 2017-06-22 00:38:44 +02:00
Franz Pletz
5389caab83
utillinux: 2.29.2 -> 2.30 2017-06-22 00:38:44 +02:00
Franz Pletz
dd3f2e648a
linux_hardened_copperhead: init at 4.11.6.c 2017-06-21 23:49:00 +02:00
Franz Pletz
febe37a24a
webkitgtk: 2.16.3 -> 2.16.4 for multiple CVEs
Fixes:

  * CVE-2017-2538
  * CVE-2017-2424

See https://webkitgtk.org/security/WSA-2017-0005.html
2017-06-21 23:49:00 +02:00
Daiderd Jordan
7469eb9fed
stress: enable on darwin 2017-06-21 23:26:43 +02:00
Graham Christensen
dd265313e7 Merge pull request #26736 from grahamc/improve-nixos-test-debug
Improve nixos test debug
2017-06-21 17:26:18 -04:00
Michael Raskin
bc47794ab5 quicklispPackages: update
Escape things by default in derivation names (i.e. digit cannot be the
first character etc.)

Update Quicklisp (tracking upstream); list new missing dependencies

Add some minimal README about ql-to-nix
2017-06-21 22:17:48 +02:00
Jörg Thalheim
e89e96a755 linux_4_11: renable CONFIG_UPROBE_EVENTS
CONFIG_UPROBE_EVENT was renamed to CONFIG_UPROBE_EVENTS.
2017-06-21 17:16:46 +01:00
Domen Kožar
7bd918b364
hydra-evaluator: depend on jq 2017-06-21 15:35:07 +02:00
Domen Kožar
be4a4ef701
hydra: 2017-04-26 -> 2017-06-21 2017-06-21 15:30:02 +02:00
Franz Pletz
cfdb9769ce
unrar: 5.4.5 -> 5.5.5 (security)
Fixes arbitrary memory write.

See https://bugs.chromium.org/p/project-zero/issues/detail?id=1286
2017-06-21 14:38:26 +02:00
Domen Kožar
f237eeb6a8
moreutils: address comment on 14a320ace8 2017-06-21 13:44:17 +02:00
Franz Pletz
5521b542a2
openvpn: 2.4.2 -> 2.4.3
See https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

Fixed:

  * CVE-2017-7508
  * CVE-2017-7520
  * CVE-2017-7521
  * CVE-2017-7512
  * CVE-2017-7522
2017-06-21 13:36:10 +02:00
Tim Steinbach
f1ea37c1b4 Merge pull request #26735 from NeQuissimus/minikube_0_19_1
minikube: 0.19.0 -> 0.19.1
2017-06-21 07:31:29 -04:00
Jörg Thalheim
d3ceaccb42 nerdtree-git-plugin: init at 2017-03-12 2017-06-21 10:23:21 +01:00
Jörg Thalheim
a3f054d8ad
dino: 2017-06-13 -> 2017-06-21 2017-06-21 09:42:46 +01:00
Peter Hoeg
b8297ff08a bundler: 1.15.0 -> 1.15.1 2017-06-21 15:29:05 +08:00
Frederik Rietdijk
0d20c7e2f5 python.pkgs: several maintenance bumps 2017-06-21 09:03:40 +02:00
Daiderd Jordan
031d26eb24 Merge pull request #26709 from robx/fix-python-protobuf-v2
python-modules/protobuf: fix darwin build by passing C++ includes exp…
2017-06-21 08:52:13 +02:00
Michael Raskin
bb65640784 Merge pull request #26728 from MP2E/wine-staging-update
wineStaging, wineUnstable: 2.7 -> 2.10
2017-06-21 08:09:07 +02:00
Graham Christensen
3f40fcabbf
nixos tests: waitForWindow: output a list of windows we see prior to the final check
machine: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'
    machine: exit status 0
    machine: Last chance to match /(?^:dfiirst configuration)/ on the the window list, which currently contains:
    machine: [i3 con] container around 0xf8a5f0, i3: first configuration, [i3 con] floatingcon around 0xf8c260, [i3 con] container around 0xf8a380, i3bar for output Virtual-1, [i3 con] bottom dockarea Virtual-1, [i3 con] workspace 1, [i3 con] content Virtual-1, [i3 con] top dockarea Virtual-1, [i3 con] output Virtual-1, [i3 con] workspace __i3_scratch, [i3 con] content __i3, [i3 con] pseudo-output __i3, i3
2017-06-20 21:16:35 -04:00
Graham Christensen
1b833015b7
nixos tests: waitForText: output the detected screen content prior to the last attempt
machine: Last chance to match /(?^:BALICE)/ on the screen, which currently contains:
    machine: performing optical character recognition
    machine: sending monitor command: screendump /tmp/nix-build-vm-test-run-sddm.drv-0/ocrin.ppm
    machine: Session Layout

    O O

    0 1 : 0 9

    Wednesday, June 21, 2017

    |_ I

    Select your user and enter password
2017-06-20 21:10:34 -04:00
Graham Christensen
348785eec0
nixos tests: waitUntilTTYMatches: Log TTY contents on last try
If the test has not passed yet, on the last attempt it now outputs:

    machine: Last chance to match /logine: / on TTY2, which currently contains:
    machine: running command: fold -w$(stty -F /dev/tty2 size | awk '{print $2}') /dev/vcs2
    machine: exit status 0
    machine:

    <<< Welcome to NixOS 17.09.git.a804ef4 (x86_64) - tty2 >>>

    machine login:

to help debug the problem. Notice the "logine" typo in my check.
2017-06-20 20:57:39 -04:00
Graham Christensen
56435c1404
nixos tests: retry: Count down to 0, and pass remaining attempts to the sub
Allows test functions to output diagnostic information on failure.
2017-06-20 20:54:33 -04:00
Tim Steinbach
fdc7cf8238
minikube: 0.19.0 -> 0.19.1 2017-06-20 19:32:29 -04:00
Michael Weiss
d04286be34 quiterss: 0.18.5 -> 0.18.6 2017-06-20 23:31:02 +02:00
Pascal Wittmann
065bb61330
moreutils: fix darwin build 2017-06-20 22:39:51 +02:00
Volth
8fe525b6c7 mtr: do not do 'setcap' on installPhase, it would fail anyway 2017-06-20 22:22:29 +02:00
Shea Levy
a21ddfb158 pythonPackages.bcdoc: Disable tests 2017-06-20 16:08:47 -04:00
Isaac Shapira
6fd606bdf3 awscli: 1.11.95 -> 1.11.105 2017-06-20 14:00:14 -06:00
Cray Elliott
922d706e81 wineStaging: 2.7 -> 2.10
wineUnstable: 2.7 -> 2.10
2017-06-20 11:23:37 -07:00
Domen Kožar
14a320ace8
moreutils: fix build on darwin 2017-06-20 16:42:49 +02:00
Pascal Wittmann
613dd68ab6 Merge pull request #26725 from schneefux/pkg.wallabag
wallabag: 2.2.2 -> 2.2.3
2017-06-20 15:31:24 +02:00
Domen Kožar
53c5b9163e
vulnix: fix eval 2017-06-20 14:12:56 +02:00
Domen Kožar
843b3faa18
Revert "cli53: 0.4.4 -> 0.8.8"
This reverts commit c25b145815.
2017-06-20 14:04:14 +02:00
Domen Kožar
8ae8e51dc3
Revert "fix eval"
This reverts commit 650f64c779.
2017-06-20 14:03:57 +02:00
Domen Kožar
650f64c779
fix eval 2017-06-20 14:01:53 +02:00
schneefux
c02e26f8a0
wallabag: 2.2.2 -> 2.2.3 2017-06-20 13:30:38 +02:00
Robin Gloster
908157c6c5
prometheus-blackbox-exporter: 0.4.0 -> 0.5.0 2017-06-20 12:04:55 +02:00
Jörg Thalheim
b6bacc4bb2 llvmPackage_{3.4,3.5,3.7,3.8,3.9}: fix output of llvm-config
llvm-config is a tool to output compile and linker flags, when compiling against llvm.

The tool however outputs static library names despite libllvm is build
as shared library on nixos. This was fixed for llvm 3.4, 3.5 and 3.7.

For llvm 3.8 and 3.9 it printed the library extension twice (.so.so).
This was fixed in 4.0 and the patch is backported to 3.8 and 3.9 in
this pull request.

```
$ for i in 34 35 37 38 39; do echo "\nllvm-$i"; nix-shell -p llvmPackages_$i.llvm --run 'llvm-config --libnames'; done

llvm-34
libLLVMInstrumentation.so libLLVMIRReader.so libLLVMAsmParser.so
...

llvm-35
libLLVMLTO.so libLLVMObjCARCOpts.so libLLVMLinker.so libLLVMipo.so
...

llvm-37
libLLVMLTO.so libLLVMObjCARCOpts.so libLLVMLinker.so libLLVMBitWriter.so
...

llvm-38
libLLVM-3.8.1.so

llvm-39
libLLVM-3.9.so
```

fixes #26713
2017-06-20 10:22:06 +01:00