Fixes CVE-2018-10933:
libssh versions 0.6 and above have an authentication bypass
vulnerability in the server code. By presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication, the attacker could successfully authenticate
without any credentials.
Source:
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
(cherry picked from commit eca462813d7586063deb5c9989ae9bcef29f9495)
This release adds support for building with cmake!
So switch to that eagerly instead of fighting with bam.
(if nothing else cmake is the devil we know...)
Also:
* fixup 'DATA_DIR' so programs can find resources
(without need for wrappers)
* install readme+license as previously done ("docs")
* don't install tools since not built or installed by default
* esp since doesn't appear to have non-adhoc method for installation
* other distros don't seem to include
(cherry picked from commit 18258bae34ad16e808a2f5447962008d082fd19f)
Fixes CVE-2018-18541.
Semi-automatic update. These checks were done:
- built on NixOS
- Warning: no binary found that responded to help or version flags. (This warning appears even if the package isn't expected to have binaries.)
- found 1.4.15 with grep in /nix/store/7nifpbj16dlhljb2jwbwxyv4wx1zwa1y-mosquitto-1.4.15
- found 1.4.15 in filename of file in /nix/store/7nifpbj16dlhljb2jwbwxyv4wx1zwa1y-mosquitto-1.4.15
(cherry picked from commit a28a2e382970fb94a4e07b09946aafe799b5f391)
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- libfuse no longer segfaults when fuse_interrupted() is called outside
the event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Fixed rename deadlock on FreeBSD.
(cherry picked from commit ec1082c58fec2f0739855d4dc01df6fdd335e0a3)
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Added a test of seekdir to test_syscalls.
- Fixed readdir bug when non-zero offsets are given to filler and the
filesystem client, after reading a whole directory, re-reads it from a
non-zero offset, e.g. by calling seekdir followed by readdir.
(cherry picked from commit 46cd782b43416969b1f11232ecf5b80e798a92a2)
Stop using bin/mount.fuse from fuse3 for fuse2 (mount.fuse from fuse3
isn't guaranteed to remain backwards compatible).
(cherry picked from commit c00b5bf6a2ec642c7088c22f825d56629ebbba5e)
[18.03] Backport Signal-Desktop
Reason: Signal-Desktop displayed the following message: "This version of
Signal Desktop has expired. Please upgrade to the latest version to
continue messaging." (see #48436).
Skipped 1.15.1 due to upstream issues (see GitHub), 1.15.2 and 1.15.3
should be fine (at least there are fewer issues).
(cherry picked from commit c7e04336a71df05d3c761782fbb8439462c133b0)
Thought this could be useful for others as well. Unfortunately it will
also override the UI language.
Example usage:
    environment.systemPackages = with pkgs; [
      (signal-desktop.override {
        spellcheckerLanguage = "de_DE";
      })
    ];
(cherry picked from commit 9ef1406a9918f3414d081563ba34084c5e187a58)