Commit Graph

349 Commits

Author SHA1 Message Date
Vladimír Čunát
0c4852c7bc
Merge #179333: openssl_3_0: fix apparent x86_64 AVX512 RCE 2022-06-28 01:01:42 +02:00
Martin Weinelt
62b05d9742 Merge remote-tracking branch 'origin/master' into staging-next 2022-06-27 23:50:37 +02:00
Alyssa Ross
fd6a8fb894
openssl_3: rename from openssl_3_0
With their new versioning scheme, OpenSSL have committed[1] to API and
ABI compatibility for the whole 3.x.x release series, so we shouldn't
be overly specific in our attribute name.

[1]: https://www.openssl.org/blog/blog/2018/11/28/version/
2022-06-27 13:35:16 +00:00
Alyssa Ross
c59d1ebd6e
openssl_3_0: fix apparent x86_64 AVX512 RCE
Has been applied upstream.  No CVE.
2022-06-27 13:14:30 +00:00
Martin Weinelt
deb8ef1162 openssl_3_0: 3.0.3 -> 3.0.4
Fixes additional sanitization issues in the c_rehash script.

https://mta.openssl.org/pipermail/openssl-announce/2022-June/000227.html

Fixes: CVE-2022-2068
2022-06-21 18:02:47 +02:00
Martin Weinelt
0c21382922 openssl_1_1: 1.1.1o -> 1.1.1p
Fixes additional sanitization issues in the c_rehash script.

https://mta.openssl.org/pipermail/openssl-announce/2022-June/000226.html

Fixes: CVE-2022-2068
2022-06-21 18:02:47 +02:00
Jörg Thalheim
cc60c24909
openssl: disable ct feature in static mode (#173288)
For static binaries to be relocatable, they can't depend on data files.

Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 11:42:46 +02:00
github-actions[bot]
16684f8bd3
Merge master into staging-next 2022-05-04 12:01:10 +00:00
Martin Weinelt
c62eceb91e
openssl_3_0: 3.0.2 -> 3.0.3
- The c_rehash script allows command injection (CVE-2022-1292)
- OCSP_basic_verify may incorrectly verify the response signing
  certificate (CVE-2022-1343)
- Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
- Resource leakage when decoding certificates and keys (CVE-2022-1473)

https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html

Fixes: CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473
2022-05-04 07:17:01 +02:00
Martin Weinelt
a7be3b2607
openssl_1_1: 1.1.1n -> 1.1.1o
Fixes command injection in the c_rehash script, which at the same time
is also considered obsolete and should be replaced by openssl rehash.

https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html

Fixes: CVE-2022-1292
2022-05-03 18:05:18 +02:00
sternenseemann
a985b2bd99
Merge pull request #165746 from a-m-joseph/openssl-fix-mips64-abi-detection-when-not-cross-compiling
openssl: fix mips64 abi detection when not cross compiling
2022-04-11 22:41:29 +02:00
Adam Joseph
77d6781cdc openssl: specify the ABI explicitly on mips64
When *not* cross-compiling, OpenSSL will not attempt to detect the
host ABI.  For mips64, the OpenSSL authors have chosen to assume that
the n32 ABI is used.

Since nixpkgs knows the correct ABI based on stdenv.hostPlatform,
let's pass this information to OpenSSL explicitly.

At the moment (bootstrappable) nixpkgs on mips64 can only be used with
the n64 ABI due to the fact that boost-context (required by nix) does
not support the n32 ABI.  Without this commit the openssl expression
can be cross-compiled to a mips64 host, but a mips64 host cannot
self-compile the expression due to OpenSSL's incorrect assumption.

https://github.com/NixOS/nixpkgs/pull/165746#pullrequestreview-924423243
2022-04-11 11:23:19 -07:00
ajs124
49c51cdd51 openssl_1_0_2: drop 2022-04-04 15:37:05 +01:00
ajs124
0fae27376d cipherscan: drop 2022-04-04 15:10:43 +01:00
Martin Weinelt
72bb369245
openssl_1_1: 1.1.1m -> 1.1.1n
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1n/CHANGES#L10

Fixes: CVE-2022-0778
2022-03-15 16:39:33 +01:00
Martin Weinelt
384a708e6d
openssl_3_0: 3.0.1 -> 3.0.2
https://github.com/openssl/openssl/blob/openssl-3.0.2/CHANGES.md#changes-between-301-and-302-15-mar-2022

Fixes: CVE-2022-0778
2022-03-15 16:38:56 +01:00
Tom McLaughlin
d01b2cc71b
openssl: remove assert restricting withPerl=false (#156949) 2022-01-27 00:41:18 -05:00
taku0
7ab79bff9f openssl: remove with lib
See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-20 09:19:19 -08:00
taku0
4a7fa6456d openssl_1_1: fix build on Darwin
See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279118
2022-01-20 09:19:19 -08:00
Dmitry Kalinkin
2ddda43924
Merge branch 'staging' into staging-next
Conflicts:
	pkgs/os-specific/linux/kernel/common-config.nix
2021-12-25 17:16:26 -05:00
7c6f434c
b0f154fd44
Merge pull request #147027 from Izorkin/update-nginx-ktls
nginxMainline: enable ktls support
2021-12-24 10:23:17 +00:00
Martin Weinelt
8cd976ffdb
Merge pull request #150733 from mweinelt/openssl 2021-12-21 03:33:37 +01:00
Martin Weinelt
29f216c48a
openssl_1_1: 1.1.1l -> 1.1.1m 2021-12-18 15:39:12 +01:00
Martin Weinelt
35a11522ba openssl_3_0: 3.0.0 -> 3.0.1 2021-12-15 10:56:04 +01:00
Izorkin
9419b653ba
openssl 3.0.0: enable ktls support 2021-11-27 09:39:56 +03:00
Janne Heß
83ab81ae89
Merge pull request #137004 from baloo/baloo/openssl/3.0.0-init
openssl3: init at 3.0.0
2021-11-05 13:02:47 +01:00
Zhaofeng Li
42dcdc2c3a openssl: Fix build configuration for riscv64-linux
Without this patch, OpenSSL would use the suboptimal linux-generic32
config when building natively on riscv64.
2021-10-15 15:53:41 -07:00
Peter Simons
476635afe1 Drop myself from meta.maintainers for most packages.
I'd like to reduce the number of Github notifications and
review requests I receive.
2021-10-14 11:01:27 +02:00
Arthur Gautier
613a0bffcd openssl: openssl3 is published under Apache License v2.0
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-14 00:04:27 +00:00
Arthur Gautier
0db4ebbf1f openssl3: disable build-time feature detection
This enables KTLS support on linux.

Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-07 23:21:54 +00:00
Arthur Gautier
7f25b31f07 openssl3: init at 3.0.0
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-07 23:13:46 +00:00
Martin Weinelt
3d245b3a37 Revert "Revert "openssl: 1.1.1k -> 1.1.1l" (#135999)"
This reverts commit b2b0115e70.
2021-08-28 16:58:44 +02:00
Dmitry Kalinkin
b2b0115e70
Revert "openssl: 1.1.1k -> 1.1.1l" (#135999) 2021-08-27 23:36:39 -04:00
Martin Weinelt
174868d4fa
openssl: 1.1.1k -> 1.1.1l 2021-08-28 02:21:11 +02:00
Lisa Ugray
0a44a61f39
openssl-1.0.2u: Add patch for darwin64-arm64
openssl-1.0.2u doesn't have build flags for Apple's new arm chips
2021-08-10 19:34:31 -04:00
Jan Tojnar
e3dfa79441
Merge branch 'staging-next' into staging
Regenerated pkgs/servers/x11/xorg/default.nix to resolve the conflict.
2021-06-16 19:59:05 +02:00
Alyssa Ross
502de3c377
openssl: fix Darwin cross infinite recursion
stdenv depends on openssl, and isGNU depends on stdenv.

Thanks-to: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>
Fixes: https://github.com/NixOS/nixpkgs/issues/126829
2021-06-14 15:41:13 +00:00
Alyssa Ross
b0b5ef7286 stdenv: introduce dontAddStaticConfigureFlags
With removeUnknownConfigureFlags, it's impossible to express a package
that needs --enable-static, but will not accept --disable-shared,
without overriding the result of removeUnknownConfigureFlags _again_
in pkgs/top-level/static.nix.

It would be much better (and more in line with the rest of Nixpkgs) if
we encoded changes needed for static builds in package definitions
themselves, rather than in an ever-expanding list in static.nix.  This
is especially true when doing it in static.nix is going to require
multiple overrides to express what could be expressed with stdenv
options.

So as a step in that direction, and to fix the problem described
above, here I replace removeUnknownConfigureFlags with a new stdenv
option, dontAddStaticConfigureFlags.  With this mechanism, a package
that needs one but not both of the flags just needs to set
dontAddStaticConfigureFlags and then set up configureFlags manually
based on stdenv.hostPlatform.isStatic.
2021-06-11 14:16:05 -07:00
Andrew Childs
529346745c openssl: Apple Silicon support 2021-05-17 00:26:59 +09:00
github-actions[bot]
92003c2ff7
Merge staging-next into staging 2021-04-27 06:05:54 +00:00
brano543
dc9694c78e openssl: correct cross compile for mingw 2021-04-26 18:51:10 +00:00
Jonathan Ringer
9d8c015cb3
[staging] openssl: fix bin installation for static builds (#119825)
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-20 23:49:39 +02:00
Alyssa Ross
29058f9a43 openssl: add BSD support 2021-04-19 10:35:28 +00:00
Alyssa Ross
71326310d8 openssl: remove redundant platform check
This is already covered by the x86_64-linux check above.
2021-04-19 10:35:28 +00:00
github-actions[bot]
7c9222212f
Merge master into staging-next 2021-03-25 18:14:01 +00:00
Martin Weinelt
f69bf8fd28
openssl: 1.1.1j -> 1.1.1k 2021-03-25 14:46:34 +01:00
Andrew Childs
ef24a2815e openssl: cross compilation without host perl
The perl reference is in the interpreter line for c_rehash, so fix
that while we're here.
2021-03-13 17:46:32 +01:00
Martin Weinelt
ff613e296e
openssl: 1.1.1i -> 1.1.1j
https://www.openssl.org/news/secadv/20210216.txt

Fixes: CVE-2021-23839, CVE-2021-23840, CVE-2021-23841
2021-02-17 23:59:20 +01:00
Ben Siraphob
66e44425c6 pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 19:11:02 -08:00
John Ericson
f52263ced0 treewide: Start to break up static overlay
We can use use `stdenv.hostPlatform.isStatic` instead, and move the
logic per package. The least opionated benefit of this is that it makes
it much easier to replace packages with modified ones, as there is no
longer any issue of overlay order.

CC @FRidh @matthewbauer
2021-01-03 19:18:16 +00:00