mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
Merge staging-next into staging
This commit is contained in:
commit
dd91387877
10 changed files with 69 additions and 14 deletions
|
|
@ -249,6 +249,8 @@
|
|||
|
||||
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
|
||||
|
||||
- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
|
||||
|
||||
- `coreth` has been removed, as upstream has moved it into `avalanchego`.
|
||||
|
||||
- `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
|
||||
|
|
|
|||
|
|
@ -141,7 +141,6 @@ in
|
|||
systemd.packages = [ cfg.package ];
|
||||
services.dbus.packages = [ cfg.package ];
|
||||
services.udev.packages = [ cfg.package ];
|
||||
services.supergfxd.enable = lib.mkDefault true;
|
||||
};
|
||||
|
||||
meta.maintainers = pkgs.asusctl.meta.maintainers;
|
||||
|
|
|
|||
|
|
@ -155,8 +155,12 @@ in
|
|||
|
||||
wideArea = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Whether to enable wide-area service discovery.";
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable wide-area service discovery.
|
||||
|
||||
It is recommended to keep this options disabled as it exposes the system to `CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`.
|
||||
'';
|
||||
};
|
||||
|
||||
reflector = lib.mkOption {
|
||||
|
|
@ -279,6 +283,10 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
warnings = [
|
||||
(lib.mkIf cfg.wideArea "Enabling `services.avahi.wideArea` exposes this system to `CVE-2024-52615`.")
|
||||
];
|
||||
|
||||
users.users.avahi = {
|
||||
description = "avahi-daemon privilege separation user";
|
||||
home = "/var/empty";
|
||||
|
|
|
|||
|
|
@ -200,8 +200,8 @@ rec {
|
|||
mkTerraform = attrs: pluggable (generic attrs);
|
||||
|
||||
terraform_1 = mkTerraform {
|
||||
version = "1.15.0";
|
||||
hash = "sha256-cKgZFCPLusXXSjcff/PmKGIdSm3wRY1DpduXBRrgcDc=";
|
||||
version = "1.15.2";
|
||||
hash = "sha256-jwmyZJHGfi2oO8FBebPKBQdXt61w02H6zbbqSXxMhMM=";
|
||||
vendorHash = "sha256-Gv6V5aXqTuQoG1StbD/7Ln2QrLpMsW6fbUJUkyZMkvk=";
|
||||
patches = [ ./provider-path-0_15.patch ];
|
||||
passthru = {
|
||||
|
|
|
|||
|
|
@ -140,6 +140,44 @@ stdenv.mkDerivation rec {
|
|||
url = "https://github.com/avahi/avahi/commit/366e3798bdbd6b7bf24e59379f4a9a51af575ce9.patch";
|
||||
hash = "sha256-9AdhtzrimmcpMmeyiFcjmDfG5nqr/S8cxWTaM1mzCWA=";
|
||||
})
|
||||
# https://github.com/avahi/avahi/pull/662 merged 2025-06-19
|
||||
# NOTE: CVE-2024-52615 is mitigated by the default NixOS configuration.
|
||||
# NOTE: CVE-2025-59529 is introduced by 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942.
|
||||
/*
|
||||
(fetchpatch {
|
||||
name = "CVE-2024-52615.patch"; # AKA GHSA-x6vp-f33h-h32g
|
||||
url = "https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942.patch";
|
||||
hash = "sha256-rW6jmKg9oH44rRZow0zE4z6lfTlD8wpFUC8DaI/gruA=";
|
||||
})
|
||||
*/
|
||||
# https://github.com/avahi/avahi/pull/806 merged 2025-12-17
|
||||
(fetchpatch {
|
||||
name = "CVE-2025-68276.patch"; # AKA GHSA-mhf3-865v-g5rc
|
||||
url = "https://github.com/avahi/avahi/commit/0c013e2e819be3bda74cecf48b5f64956cf8a760.patch";
|
||||
hash = "sha256-kNOwl2DC2FR7CFvPQBBEYaSUSbFnR/ETH9JNGMwzzLE=";
|
||||
})
|
||||
(fetchpatch {
|
||||
name = "CVE-2025-68468.patch"; # AKA GHSA-cp79-r4x9-vf52
|
||||
url = "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a.patch";
|
||||
hash = "sha256-HkbKSN2LYqPfVnij1/n6ToN4vKugex3ZPxjHz6pN8eA=";
|
||||
})
|
||||
(fetchpatch {
|
||||
name = "CVE-2025-68471.patch"; # AKA GHSA-56rf-42xr-qmmg
|
||||
url = "https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1.patch";
|
||||
hash = "sha256-V0OiC0UkZXhUnOUcrPZ+Xvph7MJMQ9DEXgVafoshSi4=";
|
||||
})
|
||||
(fetchpatch {
|
||||
name = "CVE-2026-24401.patch"; # AKA GHSA-h4vp-5m8j-f6w3
|
||||
url = "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524.patch";
|
||||
hash = "sha256-Iq7ghHS8gTJ5OeD6Bemis+wPJzKXb2P44qbtTaAaWZI=";
|
||||
})
|
||||
# https://github.com/avahi/avahi/pull/891 merged 2026-04-01
|
||||
(fetchpatch {
|
||||
name = "CVE-2026-34933.patch"; # AKA GHSA-w65r-6gxh-vhvc
|
||||
url = "https://github.com/avahi/avahi/compare/0ccadca425af151ebb67f276e5cc88e50266a8e6%5E%5E...0ccadca425af151ebb67f276e5cc88e50266a8e6.patch";
|
||||
hash = "sha256-yi40iuQmTAW+nLsOIJhh7kg4vG/lqT/PCaSEBPfF2mw=";
|
||||
})
|
||||
|
||||
];
|
||||
|
||||
depsBuildBuild = [
|
||||
|
|
@ -243,5 +281,10 @@ stdenv.mkDerivation rec {
|
|||
DNS") and DNS-SD (for "DNS-Based Service Discovery")
|
||||
protocols.
|
||||
'';
|
||||
|
||||
knownVulnerabilities = [
|
||||
# NOTE: CVE-2024-52615 mitigated by the default NixOS configuration.
|
||||
# "CVE-2024-52615: Avahi Wide-Area DNS Uses Constant Source Port"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,13 +7,13 @@
|
|||
|
||||
buildGoModule (finalAttrs: {
|
||||
pname = "grpc-health-probe";
|
||||
version = "0.4.48";
|
||||
version = "0.4.49";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "grpc-ecosystem";
|
||||
repo = "grpc-health-probe";
|
||||
rev = "v${finalAttrs.version}";
|
||||
hash = "sha256-W5B14om0oAKEm8XP5vYJzHv2Mplfv+2VapsvOnS0wTY=";
|
||||
hash = "sha256-JH4Km8nlUffkga7oKgXXwqRYm/8oG9giLCFn1BZ1eVY=";
|
||||
};
|
||||
|
||||
tags = [
|
||||
|
|
@ -25,7 +25,7 @@ buildGoModule (finalAttrs: {
|
|||
"-X main.versionTag=${finalAttrs.version}"
|
||||
];
|
||||
|
||||
vendorHash = "sha256-3Ucro8FHOiSFHqGB2jwLshhzbkRdkZnJJFbNyuDX2QY=";
|
||||
vendorHash = "sha256-97OFqr93G/6F58nF1riGFbCOtORPojMMU4IX9ivjSxg=";
|
||||
|
||||
nativeInstallCheckInputs = [
|
||||
versionCheckHook
|
||||
|
|
|
|||
|
|
@ -22,10 +22,13 @@
|
|||
xcbuild,
|
||||
zip,
|
||||
|
||||
electron,
|
||||
electron_39,
|
||||
git,
|
||||
}:
|
||||
|
||||
let
|
||||
electron = electron_39;
|
||||
in
|
||||
stdenv.mkDerivation (finalAttrs: {
|
||||
pname = "logseq";
|
||||
version = "0.10.15";
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ let
|
|||
in
|
||||
python3Packages.buildPythonApplication (finalAttrs: {
|
||||
pname = "mistral-vibe";
|
||||
version = "2.9.4";
|
||||
version = "2.9.5";
|
||||
pyproject = true;
|
||||
__structuredAttrs = true;
|
||||
|
||||
|
|
@ -45,7 +45,7 @@ python3Packages.buildPythonApplication (finalAttrs: {
|
|||
owner = "mistralai";
|
||||
repo = "mistral-vibe";
|
||||
tag = "v${finalAttrs.version}";
|
||||
hash = "sha256-TOA1ybK41f3+/I5gCaPlAd3yo9N399l6JumWnATbS00=";
|
||||
hash = "sha256-NiW4VZyQerFhDEDXOOTNzOpsPnZvoyxJWMfg9hHJJ8c=";
|
||||
};
|
||||
|
||||
build-system = with python3Packages; [
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
setuptools,
|
||||
}:
|
||||
let
|
||||
version = "0.5.12";
|
||||
version = "0.5.13";
|
||||
in
|
||||
buildPythonPackage {
|
||||
pname = "pdf2docx";
|
||||
|
|
@ -26,7 +26,7 @@ buildPythonPackage {
|
|||
owner = "ArtifexSoftware";
|
||||
repo = "pdf2docx";
|
||||
tag = "v${version}";
|
||||
hash = "sha256-fn5MnuLCmqjl99Xvs9THwerkIyUeXwPQmn+znvWtgUE=";
|
||||
hash = "sha256-GZ7aUTSGSly21lMiUOXc6Y8h9WY2zQQxF5M11PwTtCA=";
|
||||
};
|
||||
|
||||
build-system = [
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@
|
|||
}:
|
||||
buildPythonPackage (finalAttrs: {
|
||||
pname = "pgmpy";
|
||||
version = "1.1.0";
|
||||
version = "1.1.2";
|
||||
pyproject = true;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue