diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 6fd4a6641cec5..d489c23c6b8d0 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -30,7 +30,7 @@ let ])); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.90"; + srcVersion = "3.92"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -45,7 +45,7 @@ let src = if nssOverride != null then nssOverride.src else fetchurl { url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz"; - hash = "sha256-ms1lNMQdjq0Z/Kb8s//+0vnwnEN8PXn+5qTuZoqqk7Y="; + hash = "sha256-PbGS1uiCA5rwKufq8yF+0RS7etg0FMZGdyq4Ah4kolQ="; }; dontBuild = true; diff --git a/pkgs/development/compilers/go/1.20.nix b/pkgs/development/compilers/go/1.20.nix index 18fa8db98792e..bd226f32157a9 100644 --- a/pkgs/development/compilers/go/1.20.nix +++ b/pkgs/development/compilers/go/1.20.nix @@ -46,11 +46,11 @@ let in stdenv.mkDerivation rec { pname = "go"; - version = "1.20.6"; + version = "1.20.7"; src = fetchurl { url = "https://go.dev/dl/go${version}.src.tar.gz"; - hash = "sha256-Yu5bxvtVuLro9wXgy434bWRTYmtOz5MnnihnCS4Lf3A="; + hash = "sha256-LF7pyeweczsNu8K9/tP2IwblHYFyvzj09OVCsnUg9Zc="; }; strictDeps = true; diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 88115f61c151a..b969bdff25f74 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -107,13 +107,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-bad"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-6q9TIkVl6qvVBco5xtV2lxm0V5XPUyzhzrYOGy6+maw="; + hash = "sha256-5k51za/X/y/H/DToVbBrHj7SJ8wG+jeNF7vNdngMM4w="; }; patches = [ diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix index 399a7f4c01398..9c3884fc0d9e3 100644 --- a/pkgs/development/libraries/gstreamer/base/default.nix +++ b/pkgs/development/libraries/gstreamer/base/default.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gst-plugins-base"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "out" "dev" ]; @@ -53,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-KSQk6C3qFwUoxCtFb2KolTK8q8BQjxkuNGcvuG9o5bg="; + hash = "sha256-7dQzi0XCapryjA01qrlkoCTDiEum9SDYQo3wQhLIyTo="; }; strictDeps = true; diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix index 1478e96120fc7..1a52a8ed42b54 100644 --- a/pkgs/development/libraries/gstreamer/core/default.nix +++ b/pkgs/development/libraries/gstreamer/core/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gstreamer"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "bin" @@ -36,7 +36,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-EcsEmLwWuT2LmdIvdfgpuNCr/YJUhAshIGGNtVMtxlU="; + hash = "sha256-RAjXkw84GAnoWReswZcS8XMmG6hb3yDFVnsqIbEZO2E="; }; depsBuildBuild = [ diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix index b194d6e827533..6fcf867f05eaf 100644 --- a/pkgs/development/libraries/gstreamer/devtools/default.nix +++ b/pkgs/development/libraries/gstreamer/devtools/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "gst-devtools"; - version = "1.22.4"; + version = "1.22.5"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-TFIFPOjB33L9gXIen1PeOxRu3PLeKPYHvnBbzkz5CdE="; + hash = "sha256-Kt0VGapu6wHVRMuUKTaI7jvCB59rymB1v1wj0AoJIb4="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix index cc1244b1ecaea..a5926a776e30a 100644 --- a/pkgs/development/libraries/gstreamer/ges/default.nix +++ b/pkgs/development/libraries/gstreamer/ges/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "gst-editing-services"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-RThGz6RxoMHIAUVRvUhPvPM08ORDBZIxevuyN3Xmm9I="; + hash = "sha256-vM3TvWHYaCmxbODiBtthsz95SsF5JCP558xl110aMbU="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix index bd1a2af0769b5..dd956277be4d9 100644 --- a/pkgs/development/libraries/gstreamer/good/default.nix +++ b/pkgs/development/libraries/gstreamer/good/default.nix @@ -1,5 +1,6 @@ { lib, stdenv , fetchurl +, fetchpatch , meson , nasm , ninja @@ -52,15 +53,26 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch64); stdenv.mkDerivation rec { pname = "gst-plugins-good"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-1xIMEUap1yPVPVv+gHTaJXWoHwWYQ4dSk385u3yDO2o="; + hash = "sha256-tnsxMTpUxpKbgpadQdPP3y9Y21c/tfSR5rul2ErqB3g="; }; + # TODO: Patch is conditional to spare rebuilds during the current staging-next cycle and should be removed during the next bump + patches = lib.optionals qt5Support [ + # Needed until https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5083 is merged and released + (fetchpatch { + name = "gst-plugins-good-fix-qt5-without-viv-fb.patch"; + url = "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/03d8ef0b7c6e70eb936de0514831c1aafc763dcf.diff"; + hash = "sha256-17XU/W/TMPg5669O1EBXByAN/VwFu/0idTg5ze3M/D4="; + stripLen = 2; + }) + ]; + strictDeps = true; depsBuildBuild = [ pkg-config ]; diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix index c2fee6d1ea6b1..2309e8717e2b2 100644 --- a/pkgs/development/libraries/gstreamer/libav/default.nix +++ b/pkgs/development/libraries/gstreamer/libav/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "gst-libav"; - version = "1.22.4"; + version = "1.22.5"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-mnUbx0Dedo55HDepXwqSTGpB0S/X839UzmpOg0vhItM="; + hash = "sha256-hYPwwfT8sB7tEfoePCESZUOovXOe1Pwdsx91alqwHZo="; }; outputs = [ "out" "dev" ]; diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix index 6cafa2b6daeb2..4344a0f124cf1 100644 --- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix +++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { pname = "gst-rtsp-server"; - version = "1.22.4"; + version = "1.22.5"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-RmZhLXqZxg3NbwvbobenTSVioFAbKj4FdvCRa/HYgRs="; + hash = "sha256-80PrVJZOvU2MBxvl7srVhvKP6wFW4DbgaxSNDn/rscA="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix index e4fa679d9d24e..2392d7f341d73 100644 --- a/pkgs/development/libraries/gstreamer/ugly/default.nix +++ b/pkgs/development/libraries/gstreamer/ugly/default.nix @@ -26,13 +26,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-ugly"; - version = "1.22.4"; + version = "1.22.5"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-/7Rh/abAbTFsS+VoJjLMiQFFTtcrEJix4CIbxV5nPNc="; + hash = "sha256-JoBHOyGBWPGEZ8rD4cUCkbf/TgcQ3TUKWeqsvCnAmlQ="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix index 16ea4a303d9d2..2b32be937fd55 100644 --- a/pkgs/development/libraries/gstreamer/vaapi/default.nix +++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix @@ -24,11 +24,11 @@ stdenv.mkDerivation rec { pname = "gstreamer-vaapi"; - version = "1.22.4"; + version = "1.22.5"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-lnuONT2C0AgaaNxTY5sl2ftMqJv6HgYUA+DNfSNYW6Y="; + hash = "sha256-qaVQJnyVhN8OjHBDTTBHbo/QAYtzPBwe4z3q9CK9sks="; }; outputs = [ diff --git a/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch b/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch deleted file mode 100644 index d1622977b64dc..0000000000000 --- a/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 4 Jul 2023 17:30:35 +0200 -Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode - -The AES-SIV mode allows for multiple associated data items -authenticated separately with any of these being 0 length. - -The provided implementation ignores such empty associated data -which is incorrect in regards to the RFC 5297 and is also -a security issue because such empty associated data then become -unauthenticated if an application expects to authenticate them. - -Fixes CVE-2023-2975 - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21384) - -(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) ---- - .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++------- - 1 file changed, 11 insertions(+), 7 deletions(-) - -diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c -index 45010b90db2a..b396c8651a32 100644 ---- a/providers/implementations/ciphers/cipher_aes_siv.c -+++ b/providers/implementations/ciphers/cipher_aes_siv.c -@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, - if (!ossl_prov_is_running()) - return 0; - -- if (inl == 0) { -- *outl = 0; -- return 1; -- } -+ /* Ignore just empty encryption/decryption call and not AAD. */ -+ if (out != NULL) { -+ if (inl == 0) { -+ if (outl != NULL) -+ *outl = 0; -+ return 1; -+ } - -- if (outsize < inl) { -- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -- return 0; -+ if (outsize < inl) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -+ return 0; -+ } - } - - if (ctx->hw->cipher(ctx, out, in, inl) <= 0) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index c65ee5f25f7e6..6102a58b24038 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -242,8 +242,8 @@ in { }; openssl_3 = common { - version = "3.0.9"; - sha256 = "sha256-6xqwR4FHQ2D3fDGKuJ2MWgOrw45j1lpgPKu/GwCh3JA="; + version = "3.0.10"; + sha256 = "sha256-F2HU9bE6ECi5tvPUuOF/6wztyTcPav5h1xk9LNzoMyM="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -251,9 +251,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - # https://www.openssl.org/news/secadv/20230714.txt - ./3.0/CVE-2023-2975.patch - (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix index 9814e11ff7e54..efa4fba8513a6 100644 --- a/pkgs/development/python-modules/gst-python/default.nix +++ b/pkgs/development/python-modules/gst-python/default.nix @@ -14,7 +14,7 @@ buildPythonPackage rec { pname = "gst-python"; - version = "1.22.4"; + version = "1.22.5"; format = "other"; @@ -22,7 +22,7 @@ buildPythonPackage rec { src = fetchurl { url = "${meta.homepage}/src/gst-python/${pname}-${version}.tar.xz"; - hash = "sha256-4TAtzA8kUbZDgNzA3TuCc1eV6JUdyBLZONi6kfOIFj4="; + hash = "sha256-vwUjJBXPYBgUKuUd07iXu3NDJoe1zheGv0btximM5bA="; }; # Python 2.x is not supported. diff --git a/pkgs/development/python-modules/oscrypto/default.nix b/pkgs/development/python-modules/oscrypto/default.nix index 3f368ba7f1abe..92edbdf84eb9e 100644 --- a/pkgs/development/python-modules/oscrypto/default.nix +++ b/pkgs/development/python-modules/oscrypto/default.nix @@ -22,6 +22,10 @@ buildPythonPackage rec { hash = "sha256-CmDypmlc/kb6ONCUggjT1Iqd29xNSLRaGh5Hz36dvOw="; }; + patches = [ + ./support-openssl-3.0.10.patch + ]; + postPatch = '' for file in oscrypto/_openssl/_lib{crypto,ssl}_c{ffi,types}.py; do substituteInPlace $file \ diff --git a/pkgs/development/python-modules/oscrypto/support-openssl-3.0.10.patch b/pkgs/development/python-modules/oscrypto/support-openssl-3.0.10.patch new file mode 100644 index 0000000000000..585eb64eaa473 --- /dev/null +++ b/pkgs/development/python-modules/oscrypto/support-openssl-3.0.10.patch @@ -0,0 +1,11 @@ +https://github.com/wbond/oscrypto/issues/75 +--- a/oscrypto/_openssl/_libcrypto_cffi.py ++++ b/oscrypto/_openssl/_libcrypto_cffi.py +@@ -37,1 +37,1 @@ +-version_match = re.search('\\b(\\d\\.\\d\\.\\d[a-z]*)\\b', version_string) ++version_match = re.search('\\b(\\d\\.\\d\\.\\d+[a-z]*)\\b', version_string) +--- a/oscrypto/_openssl/_libcrypto_ctypes.py ++++ b/oscrypto/_openssl/_libcrypto_ctypes.py +@@ -40,1 +40,1 @@ +-version_match = re.search('\\b(\\d\\.\\d\\.\\d[a-z]*)\\b', version_string) ++version_match = re.search('\\b(\\d\\.\\d\\.\\d+[a-z]*)\\b', version_string) diff --git a/pkgs/misc/jackaudio/default.nix b/pkgs/misc/jackaudio/default.nix index 536c654f0be7f..1f91ff32d2772 100644 --- a/pkgs/misc/jackaudio/default.nix +++ b/pkgs/misc/jackaudio/default.nix @@ -1,5 +1,5 @@ { lib, stdenv, fetchFromGitHub, pkg-config, python3Packages, makeWrapper -, bash, libsamplerate, libsndfile, readline, eigen, celt +, libsamplerate, libsndfile, readline, eigen, celt , wafHook # Darwin Dependencies , aften, AudioUnit, CoreAudio, libobjc, Accelerate @@ -44,9 +44,8 @@ stdenv.mkDerivation (finalAttrs: { aften AudioUnit CoreAudio Accelerate libobjc ]; - prePatch = '' - substituteInPlace svnversion_regenerate.sh \ - --replace /bin/bash ${bash}/bin/bash + postPatch = '' + patchShebangs --build svnversion_regenerate.sh ''; dontAddWafCrossFlags = true;