The rtl8821ce repository was updated to address for ABI changes to
Linux but our package was too far behind, resulting in breakages
as reported in #88068Fixes: #88068
We need to keep the passthru.filesInstalledToEtc and passthru.defaultBlacklistedPlugins in sync with the package contents so let's add a test to enforce that.
changes:
- aa0cb635f1 (tag: v245.6) network: L2TP fix crash
- 9774347b57 Fix typo.
- 2cac801f0f stat-util: trivial empty_or_null() tweaks
- b054e69bf9 Check ambient set against bounding set prior to applying ambient set
- bed695375a udev: when the BSD lock on a block device is taken, don't complain
- 66fcfdfde7 core: add forgotten return in error path
- 05dd19fad3 shared/efi-loader: remove check that uses absolute tick value
- 753a71ad1d gpt: include homed GPT partition type in well-known partition table
- 3668722049 units: don't set PrivateNetwork= in systemd-homed.service
- 2bca2d77d3 resolved-dns-query: remove dns_query_candidate_is_routable
- a3f6020432 sd-network: fix inverted error message
- a7a9fe3c93 network: allow empty assignment to PreferredLifetime=
- 8df6fc1241 Update resolvectl zsh completion
- c1a83277d0 shared: treat generator units as vendor units
- 1f382d818d tree-wide: fix bad errno checks
- 667c207683 bus-message: immediately reject messages with invalid type
- 116a8eadb6 bus-message: fix negative offset with ~empty message
- 4d5779d886 load-fragment: fix a typo
- c8b6de003a NEWS: retroactively document Family=
- cf6b8e6ec5 man: fix dir name in sysctl.d(5)
- 6d009b7a25 journalctl,elsewhere: make sure --file=foo fails with sane error msg if foo is not readable
- cf786ef164 makefs: log about OOM condition
- 0b1839822f blockdev: propagate one more unexpected error
- d78ce949d0 repart: don't insist on coming up on partition label ourselves
- 9e1363fcc6 journal: fix dropping first record during upload to remote journal
- 50cb4e418d meson: initialize time-epoch to reproducible builds compatible value
- 76abe079b7 limit-util: quieten a very common debug message that is misleading
- b3e484a3b1 shared: fix integer overflow in calendarspec
- 0c29eea969 repart: suppress complaints about lack of BLKRRPART when operating on regular file
- 3db52f5ed8 repart: explain when we exit early and don't do a thing
- d99cba3aaa mount: introduce mount_is_nofail() helper
- 7bc4bcea15 mount: default startup dependencies and default network ones are orthogonal
- 7fe617fa53 mount: introduce mount_add_default_ordering_dependencies()
- e1c091b6d4 automount: fix handling of default dependencies for automount units
- ae05a137c9 mount: let pid1 alone handle the default dependencies for mount units
- f1fb197176 mount: mount unit activated by automount unit should be only ordered against the automount unit
- c9bcc69703 generator: don't generate device dependencies for extrinsic mounts
- ebac09ea0a fstab-util: introduce fstab_is_extrinsic()
- a20e4ea0ed device: drop refuse_after
- 2799fffac1 man: drop some left-over mentions of StandardOutput=syslog
- 144aff9c3b sd-netlink: remove unused RTNL_WQUEUE_MAX define
- 34ca8df8e1 test: Add return 0 to main() function (even it is not strictly necessary)
- 6e03f328a9 network: 'cur' variable cannot be null, so simplify code
- 8d0c97f6ca tree-wide: Initialize _cleanup_ variables if needed
- 4f174e49ae netlink: Fix assert condition on n_containers
- 3905ce532c journald: Increase stdout buffer size sooner, when almost full
- 5a37eb7c61 core: don't bind varlink socket if running in test mode
- 33fff72ce6 pam_systemd: also print debug lines when ending a session
- ba9af79ccb pam_systemd_home: use correct macro for converting ptr to fd
- 6199235489 Fix misuse of PAM_PROMPT_ECHO_OFF in systemd-homed
- c180a2c452 shared/ethtool-util: hush gcc warnings about array bounds
- 1addba4aac core: fix compilation with gcc -O3
- 9c46b97161 random-util: use ERRNO_IS_NOT_SUPPORTED() macro
- d85f9093d2 tmpfiles: clarify that "!" lines are filtered before collisions are checked
- 2fac966a5c man: mention the exclamation mark and minus sign literally, to make things searchable
- 4f61be3373 man: clarify that exit status name mappings are unaffected by SuccessExitStatus=
- b747d74a41 seccomp-util: add new syscalls from kernel 5.6 to syscall filter table
- c30d8caf8b tree-wide: Replace assert() by assert_se() when there is side effect
- b6e8e3be7e networkctl: use uint64_t for link speed throughout
- be66ce6089 tree-wide: use CMSG_SPACE() (and not CMSG_LEN()) to allocate control buffers
- 1cb197798a man: suffix pam options with "=" where arg is required too
- a5fe01d3da test: Use assert_se() where variables are only checked by assert
- 6960efd198 tree-wide: Fix, replace assert() by assert_se() when there is side effect
- 93c1b03074 tree-wide: Mark as _unused_ variables that are only used in assert()
- c7679d7a9f tree-wide: Workaround -Wnonnull GCC bug
- 073b257fd7 man: bring example PAM snippet of pam_systemd and pam_systemd_home back in sync
- 855291a81c man: highlight relevant lines in pam_systemd_home.so example PAM snippet
- f89ad7c0fd login: include pam_systemd_home.so in the default PAM snippet we ship for user@.service
- 9357f9466f test: Skip test-boot-timestamps on permission denied
- cad4ebe14e sysusers: be extra careful when locking accounts
- 551e6f233a shared/install: print name of offending file in error
- c6a2e51232 systemctl: fix --root support in querying presets
- 6f1eedbfdd systemctl: fix hint when 'systemctl help' is given
- 925521df7c shared/unit-file: fix resolution of absoulute symlinks with --root
- 756ba362e8 man: mention that ProtectSystem= also takes care of /efi
- 4f77cf43b5 man: systemd.service: systemd-analyze exit-codes -> exit-status
- 7c6ea7a053 man: expand on the star…end/repetition time expressions
- e06b940792 calendarspec: be more graceful with two kinds of calendar expressions
- f3dd0b476d calendarspec: minor simplification
- 3581c16d56 shutdown: fix spacing in shutdown error message
- 9556255349 nspawn: mount custom paths before writing to /etc
- 37447b7e78 repart: fix partition maximum size segfault
- 7f231ba503 link: Add units and fix typo in (Rx|Tx)BufferSize= manpage. Clean up the implementation slightly
- e75d2cdb0b main: bump RLIMIT_MEMLOCK by physical RAM size
- e16b9a1e31 nspawn: be more careful with creating/chowning directories to overmount
- 765d184a69 homectl: say "home area" in more places
- c11bff4fa7 userdbctl: make --help fit in 80 columns
- 0e56c2ef3f shell-completion/zsh: update systemd-analyze completions
- 2bb580f994 zsh: fix disable/enable completion
- 607a19a309 cgroup-util: check for SYSFS_MAGIC when detecting cgroup format
- ddb3c38efc stat-util: no need to open a file to check fs type
- bd8842304c sysusers,tmpfiles: always mention error when failing to replace specifiers
- bdea9b65d2 sysusers: add accidentally forgotten 'return'
- 17b059774d man: document binfmt's new --unregister switch
- 560380d8ec binfmt: also unregister binfmt entries from unit
- 80835d9c51 binfmt: modernize code a bit
- a1745741b8 shutdown: unregister all binfmt_misc entries before entering shutdown loop
- b637445950 shared: add common helper for unregistering all binfmt entries
- 0215625e99 home: fix strv NUL termination
- 038988baa1 networkd: don't do lldp rx nor tx on bond devices
- 9512d576d9 sd-bus: Fix typo in sd_bus_message_append_array docs
- 63cef71dd0 shared: add NULL callback check in one more place
- 6b91ca22a2 core: fix unused variable warning when !HAVE_SECCOMP
- f7c1c79c57 udev: prepare memory for extra NUL termination for NULSTR
- 69e0ef0d99 tree-wide: use recvmsg_safe() at various places
- cd0a84d4e9 socket-util: add recvmsg_safe() wrapper that handles MSG_CTRUNC
- 2bb48c704b sd-bus: work around ubsan warning
- c147bba1fb shared: Don't try calling NULL callback in bus_wait_for_units_clear
- f907491463 run: don't wait for start job to complete when running interactively anyway
- d3d1550a5d man: Fix typo "multiplied with" -> "multiplied by"
- ae5a9f27c5 core: make sure we don't get confused when setting TERM for a tty fd
- a07d3eaf76 man: document that VirtualEthernetExtra= has nothing to do with Bridge=
- 35fe81078e core: add debug log when a job in the activation queue is not runnable
- a0cd882be8 core: add log_get_max_level check optimization in log_unit_full
- 2a6ad1093c util: return the correct correct wd from inotify helpers
- 9ec244c5c1 core: minor error code handling fixes
- a799283c91 man: document how to get the boot menu with zero time-out
- 7263e86c8d resolved: return org.freedesktop.resolve1.DnsError.NXDOMAIN on LLMNR resolution failure
- 6eab4c2b3e man: use manpages.ubuntu.com for resolvconf(8) link
- 75ccec5cde man: add a note that resolvconf updates /etc/resolv.conf in specific circumstances
- 3e3a31743a resolvectl: fix indentation of hexdump'ed packets
- 6576058fab journald: add configuration option for enabling/disabling audit during journald startup
- 52c5909f15 man/systemd-service: clarify env variable expansion
- ac08df59c0 resolved: fix typo in an unused function and add comment
After making `ffmpeg` point to the latest `ffmpeg_4`, all packages that
used `ffmpeg` without requiring a specific version now use ffmpeg_3
explicitly so they shouldn't change.
Changes:
- Copied linux-5.7.nix from linux-5.6.nix
- Add linux_5_7 and linuxPackages_5_7
- Update linux_latest to 5.7
Note:
The kernel patch 'kernelPatches.export_kernel_fpu_functions."5.3"' is
still applied as I copied the list from linux_5_7 (vs. linux_testing).
This patch is probably still required for the ZFS performance.
This was very similar to the Mesa issues fixed in
62e6d73a09: the user-written code is
looking up an unprefixed binutils program.
[I think we should have a way in Meson of specifying a program prefix in
the cross / native files, as a fallback for any program that isn't
explicitly specified. This could both be availible for user written
rules, and help with the default rules.]
Fixes https://github.com/NixOS/mobile-nixos/issues/161
We actually don't need to `strip` using `install`. Stripping is already
part of the fixup. This ends up being a fix we can apply universally,
but works around an issue where `install` doesn't know about the
prefixed `strip` binary.
"As usual lots of small fixes, across many utilities. Several qdisc now
have more parameters available. Devlink get most of the fixes." [0]
File changes (additions/removals):
+share/bash-completion/completions/devlink
+share/man/man8/devlink-dpipe.8.gz
+share/man/man8/tc-ct.8.gz
[0]: https://marc.info/?l=linux-netdev&m=159115579900638
The paths in the generated `systemd.pc` were flipped, fix this:
`systemdsystemunitpath`: `/nix/var/nix/profiles/default/lib/systemd/{user => system}`
`systemduserunitpath`: `/nix/var/nix/profiles/default/lib/systemd/{system => user}`
The paths actually used in the code (further below in that patch) were
correct, so keep them there.
Fixes#59473.
The multipath-tools makefiles use GZIP as a variable name but this is
also the name of the environment variable gzip uses to get its default
options.
Normally, this wouldn't get into the environment but nixpkgs exports
GZIP=-n in a setup hook. This in turn causes make to export its own
value for this variable. gzip objects to having -c in the environment
variable and aborts, causing the build to fail.
The fwupd service was failing on aarch64 with:
fwupd: Failed to load engine: Failed to load remotes: failed to load /etc/fwupd/remotes.d/dell-esrt.conf: No such file or directory
The /etc/fwupd/remotes.d/dell-esrt.conf symlink existed but it pointed to a non-existent file.
https://github.com/rhboot/fwupdate
This project is no longer supported.
All code has been merged directly into the fwupd project.
Please switch to that.
This config value ensures that when booting through e.g. UEFI, the
existing framebuffer contents stay put until the first character is
printed. As the default NixOS stage-1 immediately outputs a welcome
message on init, this does not impact it, but it will allow for a cleaner boot when
configured as such.
I hate the thing too even though I made it, and rather just get rid of
it. But we can't do that yet. In the meantime, this brings us more
inline with autoconf and will make it slightly easier for me to write a
pkg-config wrapper, which we need.
@the-kenny did a good job in the past and is set as maintainer in many package,
however since 2017-2018 he stopped contributing. To create less confusion
in pull requests when people try to request his feedback, I removed him as
maintainer from all packages.
The nss update is needed for security update of firefox.
For linux platforms only about 1k aarch64 rebuilds are missing;
the diff on Hydra looks OK. Darwin needs 20k more rebuilds,
but I don't think we want to wait for that.
vcunat tried tests.boot.biosCdrom.i686-linux - after small local
modification to make that attribute even exist. Installed file list
also looks fine in comparison with state before the breaking change;
hopefully it will work just fine.
Linux provides some tools to interact with the gpiochip interface (which
replaces the deprecated sysfs GPIO interface). Expose these as a
package.
The tool has not changed much recently, so there is no need to package a
version for each kernel.
It seems nix is much more permissive in applying patches than git am.
These patches were regenerated by running
`git am path/to/nixpkgs/pkgs/os-specific/linux/systemd/*.patch`,
and manually running `patch -p1 < path/to/nixpkgs/pkgs/os-specific/linux/systemd/*N.patch`
where necessary.
utillinux depends on systemd because:
* uuidd supports socket activation
* lslogins can show recent journal entries
* fstrim comes with a service file (and we use this in NixOS)
* logger can write journal entries
(See https://www.openembedded.org/pipermail/openembedded-core/2015-February/102069.html)
systemd doesn't depend on utillinux but on utillinuxMinimal which is a
version of utillinux without these features to avoid cyclic
dependencies.
With this change, the linux kernel (of which i don't fully understand
why it would depend on util-linux in the first place, but this was added in
https://github.com/NixOS/nixpkgs/pull/32137/files without too much
explanation) depends on the minimal version of util-linux too.
This makes it that every time we change build flags in systemd
the linux kernel doesn't have to wastefully rebuild.
AP mode PMF disconnection protection bypass
Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/
Vulnerability
hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issues. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial service
attacks.
An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.
Vulnerable versions/configurations
All hostapd and wpa_supplicants versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.
Possible mitigation steps
- Merge the following commit to wpa_supplicant/hostapd and rebuild:
AP: Silently ignore management frame from unexpected source address
This patch is available from https://w1.fi/security/2019-7/
- Update to wpa_supplicant/hostapd v2.10 or newer, once available
This will avoid breaking the build whenever a non-major kernel update
happens. In the update script, we map each kernel version to the latest
patch for the latest kernel version less than or equal to what we
have packaged.