From f386db92db039d62a2c111b46953a15c143701e8 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Tue, 7 Apr 2026 18:05:06 -0400 Subject: [PATCH 01/14] avahi: Add disabled patch for CVE-2024-52615 The CVE-2024-52615 fix introduces another security issue, CVE-2025-59529. Instead CVE-2024-52615 will be mitigated via system configuration. --- pkgs/by-name/av/avahi/package.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/by-name/av/avahi/package.nix b/pkgs/by-name/av/avahi/package.nix index 09b9a602af55..630a4f398315 100644 --- a/pkgs/by-name/av/avahi/package.nix +++ b/pkgs/by-name/av/avahi/package.nix @@ -140,6 +140,16 @@ stdenv.mkDerivation rec { url = "https://github.com/avahi/avahi/commit/366e3798bdbd6b7bf24e59379f4a9a51af575ce9.patch"; hash = "sha256-9AdhtzrimmcpMmeyiFcjmDfG5nqr/S8cxWTaM1mzCWA="; }) + # https://github.com/avahi/avahi/pull/662 merged 2025-06-19 + # NOTE: CVE-2024-52615 is mitigated by the default NixOS configuration. + # NOTE: CVE-2025-59529 is introduced by 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942. + /* + (fetchpatch { + name = "CVE-2024-52615.patch"; # AKA GHSA-x6vp-f33h-h32g + url = "https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942.patch"; + hash = "sha256-rW6jmKg9oH44rRZow0zE4z6lfTlD8wpFUC8DaI/gruA="; + }) + */ ]; depsBuildBuild = [ From 10557b50b5e7d25289dbbbeea8ee6bab9acc2c3f Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Wed, 8 Apr 2026 10:09:37 -0400 Subject: [PATCH 02/14] avahi: Add commented-out `knownVulnerabilities` for CVE-2024-52615 It would be better if there was a way to mark those mitigated issues in a way that can be machine-consumed, without causing the package to be marked insecure. In actuality, the `insecure` bit for this particular vulnerability would dpeend on the daemon configuration. The package itself cannot depend on the system configuration. A warning could be added to the NixOS module when the mitigation is disabled. --- pkgs/by-name/av/avahi/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/av/avahi/package.nix b/pkgs/by-name/av/avahi/package.nix index 630a4f398315..a7eb3b7b0bb6 100644 --- a/pkgs/by-name/av/avahi/package.nix +++ b/pkgs/by-name/av/avahi/package.nix @@ -251,5 +251,10 @@ stdenv.mkDerivation rec { DNS") and DNS-SD (for "DNS-Based Service Discovery") protocols. ''; + + knownVulnerabilities = [ + # NOTE: CVE-2024-52615 mitigated by the default NixOS configuration. + # "CVE-2024-52615: Avahi Wide-Area DNS Uses Constant Source Port" + ]; }; } From 284f3600c416f97156f2ccee83dd008ef8616bbb Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Tue, 7 Apr 2026 18:08:55 -0400 Subject: [PATCH 03/14] avahi: Handle 5 security findings - CVE-2025-68276 / GHSA-mhf3-865v-g5rc - CVE-2025-68468 / GHSA-cp79-r4x9-vf52 - CVE-2025-68471 / GHSA-56rf-42xr-qmmg - CVE-2026-24401 / GHSA-h4vp-5m8j-f6w3 - CVE-2026-34933 / GHSA-w65r-6gxh-vhvc --- pkgs/by-name/av/avahi/package.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/pkgs/by-name/av/avahi/package.nix b/pkgs/by-name/av/avahi/package.nix index a7eb3b7b0bb6..94da6c3c0d0c 100644 --- a/pkgs/by-name/av/avahi/package.nix +++ b/pkgs/by-name/av/avahi/package.nix @@ -150,6 +150,34 @@ stdenv.mkDerivation rec { hash = "sha256-rW6jmKg9oH44rRZow0zE4z6lfTlD8wpFUC8DaI/gruA="; }) */ + # https://github.com/avahi/avahi/pull/806 merged 2025-12-17 + (fetchpatch { + name = "CVE-2025-68276.patch"; # AKA GHSA-mhf3-865v-g5rc + url = "https://github.com/avahi/avahi/commit/0c013e2e819be3bda74cecf48b5f64956cf8a760.patch"; + hash = "sha256-kNOwl2DC2FR7CFvPQBBEYaSUSbFnR/ETH9JNGMwzzLE="; + }) + (fetchpatch { + name = "CVE-2025-68468.patch"; # AKA GHSA-cp79-r4x9-vf52 + url = "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a.patch"; + hash = "sha256-HkbKSN2LYqPfVnij1/n6ToN4vKugex3ZPxjHz6pN8eA="; + }) + (fetchpatch { + name = "CVE-2025-68471.patch"; # AKA GHSA-56rf-42xr-qmmg + url = "https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1.patch"; + hash = "sha256-V0OiC0UkZXhUnOUcrPZ+Xvph7MJMQ9DEXgVafoshSi4="; + }) + (fetchpatch { + name = "CVE-2026-24401.patch"; # AKA GHSA-h4vp-5m8j-f6w3 + url = "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524.patch"; + hash = "sha256-Iq7ghHS8gTJ5OeD6Bemis+wPJzKXb2P44qbtTaAaWZI="; + }) + # https://github.com/avahi/avahi/pull/891 merged 2026-04-01 + (fetchpatch { + name = "CVE-2026-34933.patch"; # AKA GHSA-w65r-6gxh-vhvc + url = "https://github.com/avahi/avahi/compare/0ccadca425af151ebb67f276e5cc88e50266a8e6%5E%5E...0ccadca425af151ebb67f276e5cc88e50266a8e6.patch"; + hash = "sha256-yi40iuQmTAW+nLsOIJhh7kg4vG/lqT/PCaSEBPfF2mw="; + }) + ]; depsBuildBuild = [ From 8074d489442e74f748847aadefa7de5e5ee440ea Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Tue, 7 Apr 2026 18:06:09 -0400 Subject: [PATCH 04/14] nixos/avahi: Disable wideArea by default (CVE-2024-52615) This mitigates: - CVE-2024-52615 / GHSA-x6vp-f33h-h32g - CVE-2025-59529 / GHSA-73wf-3xmj-x82q (by not fixing CVE-2024-52615) --- nixos/modules/services/networking/avahi-daemon.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 28efc39f8bce..55a90649ba43 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -155,8 +155,12 @@ in wideArea = lib.mkOption { type = lib.types.bool; - default = true; - description = "Whether to enable wide-area service discovery."; + default = false; + description = '' + Whether to enable wide-area service discovery. + + This is currently disabled by default as a mitigation for `CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`. + ''; }; reflector = lib.mkOption { From f715bbf5a4de2c4c1914548a657894f57a0a6881 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Tue, 7 Apr 2026 18:08:08 -0400 Subject: [PATCH 05/14] nixos/avahi: Warn when susceptible to CVE-2024-52615 --- nixos/modules/services/networking/avahi-daemon.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 55a90649ba43..b01b4b3b0eb8 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -283,6 +283,10 @@ in }; config = lib.mkIf cfg.enable { + warnings = [ + (lib.mkIf cfg.wideArea "Enabling `services.avahi.wideArea` exposes this system to `CVE-2024-52615`.") + ]; + users.users.avahi = { description = "avahi-daemon privilege separation user"; home = "/var/empty"; From 48f7a8d223320079073352f1d6f7c2f50d8322bc Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Thu, 9 Apr 2026 16:03:54 -0400 Subject: [PATCH 06/14] doc/release-notes: Document breaking change from avahi mitigation --- doc/release-notes/rl-2605.section.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/release-notes/rl-2605.section.md b/doc/release-notes/rl-2605.section.md index 32ef54ff4771..3b38a35f49bf 100644 --- a/doc/release-notes/rl-2605.section.md +++ b/doc/release-notes/rl-2605.section.md @@ -202,6 +202,8 @@ - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now. +- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g). + - `coreth` has been removed, as upstream has moved it into `avalanchego`. - `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream. From 45b3decff22b506cb166090db69ec9547302f1e8 Mon Sep 17 00:00:00 2001 From: TomaSajt <62384384+TomaSajt@users.noreply.github.com> Date: Fri, 1 May 2026 17:27:09 +0200 Subject: [PATCH 07/14] logseq: pin electron to electron_39 to fix plugin loading --- pkgs/by-name/lo/logseq/package.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/lo/logseq/package.nix b/pkgs/by-name/lo/logseq/package.nix index abb736643a60..b00e0193c009 100644 --- a/pkgs/by-name/lo/logseq/package.nix +++ b/pkgs/by-name/lo/logseq/package.nix @@ -22,10 +22,13 @@ xcbuild, zip, - electron, + electron_39, git, }: +let + electron = electron_39; +in stdenv.mkDerivation (finalAttrs: { pname = "logseq"; version = "0.10.15"; From 713a8161c76db02a12809490b8e30bcad074bcbe Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 7 May 2026 20:45:15 +0000 Subject: [PATCH 08/14] grpc-health-probe: 0.4.48 -> 0.4.49 --- pkgs/by-name/gr/grpc-health-probe/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/gr/grpc-health-probe/package.nix b/pkgs/by-name/gr/grpc-health-probe/package.nix index e229df63da30..58f26a4cff3c 100644 --- a/pkgs/by-name/gr/grpc-health-probe/package.nix +++ b/pkgs/by-name/gr/grpc-health-probe/package.nix @@ -7,13 +7,13 @@ buildGoModule (finalAttrs: { pname = "grpc-health-probe"; - version = "0.4.48"; + version = "0.4.49"; src = fetchFromGitHub { owner = "grpc-ecosystem"; repo = "grpc-health-probe"; rev = "v${finalAttrs.version}"; - hash = "sha256-W5B14om0oAKEm8XP5vYJzHv2Mplfv+2VapsvOnS0wTY="; + hash = "sha256-JH4Km8nlUffkga7oKgXXwqRYm/8oG9giLCFn1BZ1eVY="; }; tags = [ @@ -25,7 +25,7 @@ buildGoModule (finalAttrs: { "-X main.versionTag=${finalAttrs.version}" ]; - vendorHash = "sha256-3Ucro8FHOiSFHqGB2jwLshhzbkRdkZnJJFbNyuDX2QY="; + vendorHash = "sha256-97OFqr93G/6F58nF1riGFbCOtORPojMMU4IX9ivjSxg="; nativeInstallCheckInputs = [ versionCheckHook From 57f5a3c42879dc99464f91df820e35a43974e1ce Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 8 May 2026 03:15:37 +0000 Subject: [PATCH 09/14] python3Packages.pgmpy: 1.1.0 -> 1.1.2 --- pkgs/development/python-modules/pgmpy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/pgmpy/default.nix b/pkgs/development/python-modules/pgmpy/default.nix index 295c936b3d5f..cd30e613f033 100644 --- a/pkgs/development/python-modules/pgmpy/default.nix +++ b/pkgs/development/python-modules/pgmpy/default.nix @@ -28,7 +28,7 @@ }: buildPythonPackage (finalAttrs: { pname = "pgmpy"; - version = "1.1.0"; + version = "1.1.2"; pyproject = true; src = fetchFromGitHub { From 6c3facbe56de25fd2ed205c766cad1fc46f1ae65 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 8 May 2026 05:44:52 +0000 Subject: [PATCH 10/14] mistral-vibe: 2.9.4 -> 2.9.5 --- pkgs/by-name/mi/mistral-vibe/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mi/mistral-vibe/package.nix b/pkgs/by-name/mi/mistral-vibe/package.nix index 240d729627f1..184f4f0f0ab6 100644 --- a/pkgs/by-name/mi/mistral-vibe/package.nix +++ b/pkgs/by-name/mi/mistral-vibe/package.nix @@ -37,7 +37,7 @@ let in python3Packages.buildPythonApplication (finalAttrs: { pname = "mistral-vibe"; - version = "2.9.4"; + version = "2.9.5"; pyproject = true; __structuredAttrs = true; @@ -45,7 +45,7 @@ python3Packages.buildPythonApplication (finalAttrs: { owner = "mistralai"; repo = "mistral-vibe"; tag = "v${finalAttrs.version}"; - hash = "sha256-TOA1ybK41f3+/I5gCaPlAd3yo9N399l6JumWnATbS00="; + hash = "sha256-NiW4VZyQerFhDEDXOOTNzOpsPnZvoyxJWMfg9hHJJ8c="; }; build-system = with python3Packages; [ From 5fd5dc531da64b1b8c9d4a9baa3cfe40b446dbaa Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 8 May 2026 08:01:17 +0000 Subject: [PATCH 11/14] python3Packages.pdf2docx: 0.5.12 -> 0.5.13 --- pkgs/development/python-modules/pdf2docx/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pdf2docx/default.nix b/pkgs/development/python-modules/pdf2docx/default.nix index 8b9b88b5fe0a..e8b4390fcdb2 100644 --- a/pkgs/development/python-modules/pdf2docx/default.nix +++ b/pkgs/development/python-modules/pdf2docx/default.nix @@ -15,7 +15,7 @@ setuptools, }: let - version = "0.5.12"; + version = "0.5.13"; in buildPythonPackage { pname = "pdf2docx"; @@ -26,7 +26,7 @@ buildPythonPackage { owner = "ArtifexSoftware"; repo = "pdf2docx"; tag = "v${version}"; - hash = "sha256-fn5MnuLCmqjl99Xvs9THwerkIyUeXwPQmn+znvWtgUE="; + hash = "sha256-GZ7aUTSGSly21lMiUOXc6Y8h9WY2zQQxF5M11PwTtCA="; }; build-system = [ From f32fd3c0cf6f34c74814b8d2a996ee56a8508798 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 8 May 2026 08:22:27 +0000 Subject: [PATCH 12/14] terraform: 1.15.0 -> 1.15.2 --- pkgs/applications/networking/cluster/terraform/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform/default.nix b/pkgs/applications/networking/cluster/terraform/default.nix index 3b1614ecc892..e0a9677bce88 100644 --- a/pkgs/applications/networking/cluster/terraform/default.nix +++ b/pkgs/applications/networking/cluster/terraform/default.nix @@ -200,8 +200,8 @@ rec { mkTerraform = attrs: pluggable (generic attrs); terraform_1 = mkTerraform { - version = "1.15.0"; - hash = "sha256-cKgZFCPLusXXSjcff/PmKGIdSm3wRY1DpduXBRrgcDc="; + version = "1.15.2"; + hash = "sha256-jwmyZJHGfi2oO8FBebPKBQdXt61w02H6zbbqSXxMhMM="; vendorHash = "sha256-Gv6V5aXqTuQoG1StbD/7Ln2QrLpMsW6fbUJUkyZMkvk="; patches = [ ./provider-path-0_15.patch ]; passthru = { From bb8790440be627cac7315daed8dca4970f0cd997 Mon Sep 17 00:00:00 2001 From: luytan Date: Fri, 8 May 2026 10:10:20 +0200 Subject: [PATCH 13/14] asusd: remove default supergfxctl --- nixos/modules/services/hardware/asusd.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/hardware/asusd.nix b/nixos/modules/services/hardware/asusd.nix index 440f32c2b669..4956c86a1602 100644 --- a/nixos/modules/services/hardware/asusd.nix +++ b/nixos/modules/services/hardware/asusd.nix @@ -141,7 +141,6 @@ in systemd.packages = [ cfg.package ]; services.dbus.packages = [ cfg.package ]; services.udev.packages = [ cfg.package ]; - services.supergfxd.enable = lib.mkDefault true; }; meta.maintainers = pkgs.asusctl.meta.maintainers; From a466737f299ca031f0a64f75d256483d057f8452 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 8 May 2026 10:40:18 +0200 Subject: [PATCH 14/14] nixos/avahi: improve option description a bit Co-authored-by: Sandro --- nixos/modules/services/networking/avahi-daemon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index b01b4b3b0eb8..6ff86daf6a9e 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -159,7 +159,7 @@ in description = '' Whether to enable wide-area service discovery. - This is currently disabled by default as a mitigation for `CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`. + It is recommended to keep this options disabled as it exposes the system to `CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`. ''; };