Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[pull] frq-nixos-19.09 from NixOS:nixos-19.09 #216

Open
wants to merge 452 commits into
base: frq-nixos-19.09
Choose a base branch
from

Conversation

pull[bot]
Copy link

@pull pull bot commented Feb 22, 2020

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull bot added ⤵️ pull merge-conflict Resolve conflicts manually labels Feb 22, 2020
Ma27 and others added 28 commits March 16, 2020 11:53
Contains only the version update from 8be61f7,
the module-changes are not needed on 19.09 since the database is always
configured properly here.
x86_64-linux rebuilds have finished, so let's merge
to get the security fixes early.
(cherry picked from commit 291c735)
/cc roundup #79725
includes fix for nC-SA-2020-015.

See nextcloud/server#19976, the SA currently
has a typo - adressed in
nextcloud/security-advisories#21.
[19.09] nextcloud: 16.0.8 -> 16.0.9
The substitition in smtpd/parse.y isn't necessary anymore.
The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define,
which will be set properly by the build system.

(cherry picked from commit 9658850)
(cherry picked from commit 77da495)
Release notes aren't available at this time [1] it is likely to be
related to a recent mail to oss-security (either [2] or [3]).

[1] https://www.mail-archive.com/[email protected]/msg04888.html
[2] https://www.openwall.com/lists/oss-security/2020/02/24/5
[3] https://www.openwall.com/lists/oss-security/2020/02/24/4

(cherry picked from commit 09725e5)
This reverts commit 4f69f2c.

We backported the latest opensmtpd version.
This reverts commit f5c74e6.

Already included in the opensmtpd version.
build fails against our local libressl version
opensmtpd: 6.4.2p1 -> 6.6.4p1 [backport 19.09]
a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the
checksum database of the main module's go.sum.

We already use the default behavior when building `go-modules`, but Go
tries to consult the checksum database again when building the module,
and fails because since it requires `cacert` and `git` which are not
propagated when building the package.

(cherry picked from commit c5733e7)
Signed-off-by: Martin Baillie <[email protected]>
(cherry picked from commit 6e055c9)
Fixes a severe bug with subnet routing.

Signed-off-by: David Anderson <[email protected]>
(cherry picked from commit f61f686)
[19.09] openssl: 1.1.1d -> 1.1.1e
keep brave up-to-date

(cherry picked from commit 418e3e4)
Reason: Browsers should be kept up-to-date for security reasons
(cherry picked from commit 09f55f8)
This reverts commit 41f1484.

openssl 1.1.1e introduces breaking changes in its EOF handling.
andir and others added 30 commits May 4, 2020 19:40
chromium: 81.0.4044.129 -> 81.0.4044.138
According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api
the correct option is restricted-rpc, not restrict-rpc.

(cherry picked from commit e7ab236)
Regression introduced by bce5268.

The bit size of the initialisation vector for AES GCM has been
introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the
ulIvBits field.

Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it
gets initialised to zero, which in turn causes IV generation to fail.

I found out about this because WebRTC stopped working after updating to
NSS 3.52 and so I started bisecting.

Since there wasn't an obvious error in Firefox hinting towards NSS but
instead just the video stream ended up as a "null" stream, I didn't
suspect the NSS update to be the culprit at first. So I verified a few
times and then also started bisecting the actual commit in NSS that
caused the issue.

This turned out to be the problematic change:

https://phabricator.services.mozilla.com/D63241

> One notable change was caused by an inconsistancy between the spec and
> the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra
> field in the header that was not in the spec. OASIS considers the
> header file to be normative, so PKCS#11 v3.0 resolved the issue in
> favor of the header file definition.

Since the test I've used[1] was a bit flaky, I still didn't believe the
result of the bisect to be accurate, but after running the test several
times leading same results I dug through the above change line by line
to get more clues.

It fortunately didn't take that long to stumble upon the ulIvBits change
(which is actually documented in the NSS 3.52 release notes[4], but I
managed to blatantly ignore it for some reason) and started checking the
Firefox source tree for changes regarding that field.

Initialisation of that new field has been introduced[2] in preparation
for the 76 release, but subsequently got reverted[3] prior to the
release, because Firefox 76 is expected to be shipped with NSS 3.51,
which didn't have the ulIvBits field.

The patch I'm adding here is just a reintroduction of that change,
because we're using NSS 3.52. Not initialising that field will break
WebRTC and WebCrypto, which I think the former seems to gain in
popularity these days ;-)

Tested the change against the mentioned VM test[1] and also by testing
manually using Jitsi Meet and Nextcloud Talk.

[1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
[2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
[3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
[4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes

Signed-off-by: aszlig <[email protected]>
(cherry picked from commit 8fb4997 & moved to packages.nix)
(cherry picked from commit b70435e)
[19.09] firefox: Add patch to fix AES GCM IV bit size
Since M81 won't receive any updates anymore and there are known
vulnerabilities we should mark it as insecure so that users are aware of
the risks.
Updating Chromium to M83 is unfortunately too challenging for
19.09, but as of today we've already covered the one month period of
security updates for "oldstable" and both 20.03 and nixos-unstable
contain recent versions (i.e. users should either update to the current
stable release or install Chromium from a different channel).

nixos-unstable PR for M83: #88206
[19.09] chromium: Mark as insecure
(cherry picked from commit 8d08f45)
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/
$ nix build -f nixos/release.nix tests.bind.x86_64-linux

(cherry picked from commit 13c485d)
In BIND case these are quite severe DoS risks, so let me backport to 19.09.
https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/
$ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux
NixPkgs master is on 4.3.x already; /cc that PR #88159

(cherry picked from commit 1a02977)
(cherry picked from commit 0e38414)
(cherry picked from commit f7c914e)
(cherry picked from commit cfaa803)
This fixes the issues with glibc 2.30, which were caused because glibc
no longer allows to dlopen/LD_PRELOAD a PIE executable.

So this release is essentially just a hotfix release which addresses
this issue by splitting the executable and library.

Signed-off-by: aszlig <[email protected]>
Reported-by: @zimbatm
(cherry picked from commit b51d39f)
Upstream fixes:

  - Pass linker version script to the linker instead of the compiler.
  - Compile with `-fPIC` again (regression from version 2.1.2).
  - Out of bounds array access in `globpath`.
  - Handling of `epoll_ctl` calls (they're now replayed after replacing
    socket).
  - GCC 10 build errors and Clang warnings.

While most of these fixes are more relevant for other distros, the
linker script fix is actually a regression existing since a long time
(version 1.x) and caused libip2unix to expose way too many symbols.

Built and tested on i686-linux and x86_64-linux.

Signed-off-by: aszlig <[email protected]>
(cherry picked from commit 67325b1)
wire-desktop: linux 3.17.2924 -> 3.18.2925, mac 3.17.3666 -> 3.18.3728
Fixes CVE-2020-13777 [1].

Changes: https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-13777

(cherry picked from commit 1dba117, PR #89884)
19.09 isn't really supported anymore, but this CVE seems very important.
Also:
- build from git
- enable cross compilation

(cherry picked from commit e761cfe)
[19.09] libexif: 0.6.21 -> 0.6.22 for security fixes
For consistency with 'NixOS Manual' and 'Nix Manual', to better match what it's
often called in practice, and to match its URL and HTML title.
…19.09

doc: rename guide to 'Nixpkgs Manual'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
⤵️ pull merge-conflict Resolve conflicts manually
Projects
None yet
Development

Successfully merging this pull request may close these issues.