This update bumps the package to the latest stable version containing a
few security fixes:
- CVE-2018-12386: Type confusion in JavaScript
A vulnerability in register allocation in JavaScript can lead to type
confusion, allowing for an arbitrary read and write. This leads to
remote code execution inside the sandboxed content process when
triggered.
- CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines
Array.prototype.push with multiple arguments that results in the stack
pointer being off by 8 bytes after a bailout. This leaks a memory
address to the calling function which can be used as part of an
exploit inside the sandboxed content process.
Source: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/
(cherry picked from commit e7785f1148a8d9535b320eef4aa2d8cd8b64c400)
This update bumps the package to the latest stable version containing a
few security fixes:
- CVE-2018-12386: Type confusion in JavaScript
A vulnerability in register allocation in JavaScript can lead to type
confusion, allowing for an arbitrary read and write. This leads to
remote code execution inside the sandboxed content process when
triggered.
- CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines
Array.prototype.push with multiple arguments that results in the stack
pointer being off by 8 bytes after a bailout. This leaks a memory
address to the calling function which can be used as part of an
exploit inside the sandboxed content process.
Source: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/
(cherry picked from commit 64d02660cb832ceaf1e3fe88c9c3e9a27609cbd4)
darwin.security_tool is currently broken in Mojave. See issue #45042
for more info. Our security_tool stuff comes from 10.9 so I suspect
that it needs an update.
Here I am putting in a hack to get things working again. This uses the
system provided security binary at /usr/bin/security to avoid the
issue in Haskell’s x509-system package. Unfortunately, this will break
with the sandbox. I am also working on a proper fix, but this requires
updating lots of Apple stuff (and also copumpkin’s new CF). You can
follow the progress on this branch:
https://github.com/matthewbauer/nixpkgs/tree/xcode-security
This commit should be backported to release-18.03 and release-18.09.
/cc @copumpkin @lnl7 @pikajude
PHP tries to discover the mysql default socket path during configure
phase by probing the file system:
cf3b852109/ext/mysqli/config.m4 (L4)
This obviously fails to discover /run/mysqld/mysqld.sock, which is being
used (hardcoded) across all MySQL flavours.
This leads to PHP having no mysql socket path set for the mysql[i]
extensions, and `/tmp/mysql.sock` set for pdo_mysql,
meaning one currently has to manually configure and set it in php.ini.
Luckily, PHP supports setting that path via
`--with-mysql-sock=/run/mysqld/mysqld.sock` during configure phase,
so let's do this as soon as one of the three modules is enabled.
(cherry picked from commit baa04e4204b80225c5086611f305a0c412dc9967)
A lot of the functionality of the z3 library depends on it being able to
find the z3 executable on $PATH. Hard-coding it here means it will never
be unable to find it and z3 doesn't need to pollute $PATH.
(cherry picked from commit c8598daad4dee3d15e312608b56ce50532830c90)
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/bitcoin/versions.
These checks were done:
- built on NixOS
- /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/bitcoind passed the binary check.
- /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/bitcoin-cli passed the binary check.
- /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/bitcoin-tx passed the binary check.
- /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/test_bitcoin passed the binary check.
- /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/bench_bitcoin passed the binary check.
- Warning: no invocation of /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/bitcoin-qt had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1/bin/test_bitcoin-qt had a zero exit code or showed the expected version
- 5 of 7 passed binary check by having a zero exit code.
- 0 of 7 passed binary check by having the new version present in output.
- found 0.16.1 with grep in /nix/store/5fjv944ikyak1s83624ay8i9h4gbs2c0-bitcoin-0.16.1
- directory tree listing: https://gist.github.com/a5e5d745910497ae913d4577342deba5
- du listing: https://gist.github.com/5f62bec50f6ab977a25c8ee0f118cb10
(cherry picked from commit 77f3ac7b7638b33ab198330eaabbd6e0a2e751a9)
This is only a minor bugfix release and updates the fallback CA root
certificates. For NixOS this is usually not required as the probe paths
will match there, but for non-NixOS users it might be helpful.
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit 48d1c50f7ab8da79b24e567e546e876dd602c106)
Reason: This might be relevant for NixOps users on Mac OS X and the
update won't break anything that wasn't broken before.