Commit Graph

658 Commits

Author SHA1 Message Date
Graham Christensen
4e6c7faf36
xen: patch for many XSAs
- XSA-190
 - XSA-191
 - XSA-192
 - XSA-193
 - XSA-195
 - XSA-196
 - XSA-198
 - XSA-200
 - XSA_202
 - XSA-204
2016-12-21 14:37:47 -05:00
Daiderd Jordan
49e3190efa
Revert "xhyve: update and fix to use our Hypervisor framework"
This reverts commit f3b65f67d9.
2016-12-20 13:02:27 +01:00
Eelco Dolstra
8a0843c3c4
qemu-kvm: Mark the version for tests
(cherry picked from commit d58a4ec1ba77e390c53c09ba6198b78f8568d495)
2016-12-20 10:52:46 +01:00
Dan Peebles
f3b65f67d9 xhyve: update and fix to use our Hypervisor framework 2016-12-19 19:47:24 -05:00
aszlig
c5e5dccd13
Merge pull request #21201 (VirtualBox 5.1.10)
This brings VirtualBox to the latest upstream version, which also fixes
building the modules against kernel 4.9.0.

Tested against all the the "virtualbox" subtests on x86_64-linux.
2016-12-17 15:46:06 +01:00
Tim Steinbach
a5a98290b7
docker: 1.12.3 -> 1.12.5 2016-12-16 08:57:08 -05:00
aszlig
38ea64e867
qemu_test: Make chown() calls to the store a no-op
The "misc" NixOS test is using Nix to query the store and it tries to
change the ownership of it while doing so.

This fails if Nix is not in a seccomp-sandboxed userid namespace, so
let's make chown() a no-op when applied to store paths.

Fixes the misc test (and possibly future tests) on older Nix versions.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-12-16 13:06:25 +01:00
Eelco Dolstra
705829b29a Merge pull request #20500 from aszlig/qemu-patched-for-nixos-tests
nixos/tests: Use a patched QEMU for testing
2016-12-15 12:38:29 +01:00
Peter Hoeg
bea3209d5f virtualbox: 5.1.8 -> 5.1.10 2016-12-15 16:20:33 +08:00
Tim Steinbach
4f0592680c
rkt: 1.20.0 -> 1.21.0 2016-12-11 21:10:28 -05:00
Graham Christensen
a2d6e8a2eb
xen: Fix patch hashes
I had used nix-prefetch-url, where fetchpatch doesn't support it.
2016-12-09 07:22:35 -05:00
Graham Christensen
86da9839b1
xen: Patch for CVE-2016-9385, CVE-2016-9377, and CVE-2016-9378 2016-12-07 20:16:05 -05:00
Tuomas Tynkkynen
8a4d6516ee Merge remote-tracking branch 'upstream/staging' into master 2016-11-30 00:34:23 +02:00
Tim Steinbach
e24df8ea69 rkt: 1.19.0 -> 1.20.0 (#20697) 2016-11-26 17:18:00 +00:00
Vladimír Čunát
925b335607
Merge branch 'master' into staging 2016-11-26 11:27:09 +01:00
Frederik Rietdijk
97259c811e qemu: use python2 2016-11-24 22:28:03 +01:00
Franz Pletz
336bacfa1d
qemu: add patch to fix CVE-2016-7907
cc #20647
2016-11-23 23:23:49 -05:00
Bjørn Forsman
bbe5f99e0b qemu: add curl to buildInputs
Enables support for accessing files over HTTP:

  qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly

Increases the closures size from 445 to 447 MiB.
2016-11-23 17:44:02 +01:00
Vladimír Čunát
b69f568f4c
Merge branch 'staging'
Hydra rebuild looks fine; only a few Darwin jobs is queued:
http://hydra.nixos.org/eval/1304891?compare=1304807
2016-11-19 04:35:51 +01:00
Franz Pletz
f4a318b528
qemu: add patches for CVE-2016-7994 & CVE-2016-8668 2016-11-17 22:00:44 +01:00
aszlig
6cfb3b6364
nixos/tests: Use a patched QEMU for testing
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.

Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.

This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.

So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.

In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).

Tested against the "misc" and "printing" tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-17 17:16:16 +01:00
Vladimír Čunát
b5e89fe9bf
Merge branch 'master' into staging 2016-11-15 00:20:19 +01:00
Justin Bedo
04121437be
singularity: init 2.2 2016-11-15 09:11:53 +11:00
Frederik Rietdijk
84e9328028 virtualbox: python is always needed
even when not building bindings.
2016-11-14 19:09:25 +01:00
Tim Steinbach
ecd1a53df6
rkt: 1.18.0 -> 1.19.0 2016-11-10 21:06:20 -05:00
Tobias Geerinckx-Rice
583af41f3c
remotebox: 2.1 -> 2.2 2016-11-09 02:24:46 +01:00
Frederik Rietdijk
a18ac150a3 virtinst: use python2 2016-11-08 22:48:55 +01:00
Frederik Rietdijk
95c54db397 virtualbox: use python2
and remove python buildInput. Python should only be added when
`pythonBindings` is true.
2016-11-08 22:48:54 +01:00
Tim Steinbach
1ae2f86a32
rkt: 1.17.0 -> 1.18.0 2016-11-05 22:27:42 -04:00
Tobias Geerinckx-Rice
c4f41a0a61
remotebox: 2.0 -> 2.1 2016-11-05 18:44:10 +01:00
Franz Pletz
25c01931bb
qemu: add patches to fix lots of CVEs
Patches from Debian and upstream git repo.

Fixes:

 * CVE-2016-6836
 * CVE-2016-7155
 * CVE-2016-7156
 * CVE-2016-7157
 * CVE-2016-7421
 * CVE-2016-7422
 * CVE-2016-7423
 * CVE-2016-7466
 * CVE-2016-8909
 * CVE-2016-8910
 * CVE-2016-9102
 * CVE-2016-9103
 * CVE-2016-9104
 * CVE-2016-9105
 * CVE-2016-9106

cc #20078
2016-11-03 02:45:16 +01:00
Tim Steinbach
282532e702
docker: 1.12.2 -> 1.12.3 2016-10-27 12:46:04 -04:00
Graham Christensen
69e8bac9cd
virtualbox: 5.1.6 -> 5.1.8 for many CVEs:
From LWN:
From the NVD entries:

CVE-2016-5501: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core, a different
vulnerability than CVE-2016-5538.

CVE-2016-5538: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core, a different
vulnerability than CVE-2016-5501.

CVE-2016-5605: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.1.4 in Oracle Virtualization allows remote
attackers to affect confidentiality and integrity via vectors related
to VRDE.

CVE-2016-5608: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect availability via vectors
related to Core, a different vulnerability than CVE-2016-5613.

CVE-2016-5610: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core.

CVE-2016-5611: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality via
vectors related to Core.

CVE-2016-5613: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect availability via vectors
related to Core, a different vulnerability than CVE-2016-5608.
2016-10-26 22:18:00 -04:00
Frederik Rietdijk
7077a270bf Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-26 13:06:43 +02:00
Tuomas Tynkkynen
c78ccb92ec cbfstool: git-2015-07-09 -> 4.5
Fixes build.
2016-10-22 21:07:33 +03:00
Frederik Rietdijk
e56832d730 Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-22 17:23:24 +02:00
Frederik Rietdijk
bd12c10993 openstack: use python2 2016-10-22 16:47:22 +02:00
Frederik Rietdijk
4833f8bada xen: use python2 2016-10-22 16:47:21 +02:00
Jörg Thalheim
a3f38b9adc
rancher-compose: set version during build 2016-10-22 14:40:30 +02:00
Vladimír Čunát
4d5b893002 Merge #19081: gnome-3.22
Also master commits are brought in.
2016-10-20 23:04:10 +02:00
Derek Gonyeo
a0295e21c5 rkt: libsystemd fix (#19658)
As of systemd 231, the LD_LIBRARY_PATH fix applied in the installPhase of rkt's
build was no longer valid, causing rkt to fail to work. This patch changes the
path to point to the new location of libsystemd, which is in ${systemd.lib}.
2016-10-18 20:00:44 +02:00
Jörg Thalheim
dab4f0a720 Merge pull request #19506 from Mic92/rancher-compose
rancher-compose: init at 0.10.0
2016-10-15 22:11:19 +02:00
Jörg Thalheim
d60b74e7db
rancher-compose: init at 0.10.0 2016-10-15 22:06:33 +02:00
Graham Christensen
9b99c9a296 Merge pull request #19570 from NeQuissimus/rkt_1_17_0
rkt: 1.15.0 -> 1.17.0
2016-10-15 07:09:48 -04:00
Tim Steinbach
bb02cf71ef
rkt: 1.15.0 -> 1.17.0 2016-10-14 23:00:54 -04:00
Tim Steinbach
1a23e336a5
docker: 1.12.1 -> 1.12.2 2016-10-14 22:47:18 -04:00
Graham Christensen
4e89b237bc
xen: 4.5.2 -> 4.5.5, drop old versions 2016-10-14 17:09:18 -04:00
Vladimír Čunát
6eeea6effd Python: more evaluation fixups. 2016-10-14 00:03:12 +02:00
Robin Gloster
9838b80e91 docker-distribution: init at 2.5.1 2016-10-12 14:05:09 +02:00
Graham Christensen
86c9b471a6
openstack-neutron: mark as broken
https://github.com/NixOS/nixpkgs/issues/18856
2016-09-28 08:57:26 -04:00