From 50b920e62d134f9405def9204a7e3442ee89e495 Mon Sep 17 00:00:00 2001 From: Simon Hauser Date: Fri, 25 Oct 2024 08:32:53 +0200 Subject: [PATCH 01/34] python312Packages.werkzeug: 3.0.4 -> 3.0.6 Changelog: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-5 https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6 (cherry picked from commit 0b96d8b9a46a67429bdd757b99431f0378691632) --- pkgs/development/python-modules/werkzeug/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/werkzeug/default.nix b/pkgs/development/python-modules/werkzeug/default.nix index dbd79284dd6f4..5fcf13a5e2d15 100644 --- a/pkgs/development/python-modules/werkzeug/default.nix +++ b/pkgs/development/python-modules/werkzeug/default.nix @@ -29,14 +29,14 @@ buildPythonPackage rec { pname = "werkzeug"; - version = "3.0.4"; + version = "3.0.6"; pyproject = true; disabled = pythonOlder "3.8"; src = fetchPypi { inherit pname version; - hash = "sha256-NPI3FQayUN9NT4S/57CSHkdiUldiu9k2YUkJ/iXNcwY="; + hash = "sha256-qN1Z1N4oynBHGjTLp5vtX37y4Danazqwg1R0JG60H40="; }; build-system = [ flit-core ]; From f6eb2463c5d6f86bca9e199f18604a4bd6319a3a Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 7 Nov 2024 07:02:24 +0000 Subject: [PATCH 02/34] expat: 2.6.3 -> 2.6.4 Changes: https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes (cherry picked from commit cb37e29e3c52e3473770cadb1a241cb190b908e9) --- pkgs/development/libraries/expat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix index be4083e042765..dd6290dbddda8 100644 --- a/pkgs/development/libraries/expat/default.nix +++ b/pkgs/development/libraries/expat/default.nix 
@@ -16,7 +16,7 @@ # files. let - version = "2.6.3"; + version = "2.6.4"; tag = "R_${lib.replaceStrings ["."] ["_"] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-J02yVKaXm95arUBHY6cElWlA5GWEPyqb2e168i4sDvw="; + hash = "sha256-ppVina4EcFWzfVCg/0d20dRdCkyELPTM7hWEQfVf9+4="; }; strictDeps = true; From 229a8f75f509bc4095da85782086aa391bfc9de9 Mon Sep 17 00:00:00 2001 From: Tobias Mayer Date: Thu, 14 Nov 2024 09:30:39 +0100 Subject: [PATCH 03/34] ghostscript: fix installCheck on aarch64-darwin --- pkgs/misc/ghostscript/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix index 51fa6cda5dee9..85c814cd9ba21 100644 --- a/pkgs/misc/ghostscript/default.nix +++ b/pkgs/misc/ghostscript/default.nix @@ -149,6 +149,10 @@ stdenv.mkDerivation rec { # validate dynamic linkage doInstallCheck = true; + preInstallCheck = if stdenv.hostPlatform.isDarwin then '' + DYLD_LIBRARY_PATH=$out/lib + export DYLD_LIBRARY_PATH + '' else null; installCheckPhase = '' runHook preInstallCheck From ba7ccafdbcd182d4d63fa54487cafd8b937c3665 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 16 Nov 2024 14:34:47 +0100 Subject: [PATCH 04/34] Reapply "postgresql_15: 15.8 -> 15.9" This reverts commit e13094a6f5a13eaf47d853c8d579d7cc3850ae90. --- pkgs/servers/sql/postgresql/15.nix | 4 ++-- pkgs/servers/sql/postgresql/generic.nix | 7 ------- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/pkgs/servers/sql/postgresql/15.nix b/pkgs/servers/sql/postgresql/15.nix index 63f4928401ac6..8d484a97ec1c8 100644 --- a/pkgs/servers/sql/postgresql/15.nix +++ b/pkgs/servers/sql/postgresql/15.nix 
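Review bot: Exporting `DYLD_LIBRARY_PATH=$out/lib` in the new `preInstallCheck` weakens the check that the comment above `doInstallCheck` describes as "validate dynamic linkage". With the library directory forced through the environment, the installed binaries can presumably load libgs on Darwin even when the install names recorded in them do not resolve, so the check no longer proves what users get at runtime. Correcting the recorded install names keeps the check meaningful, and PATCH 07/34 in this series appears to take that route. If the override stays, `preInstallCheck = lib.optionalString stdenv.hostPlatform.isDarwin ''…'';` matches the `lib.optionalString` style used elsewhere in this file better than `if … then … else null`. The body of `installCheckPhase` lies outside the hunk.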
@@ -1,4 +1,4 @@ import ./generic.nix { - version = "15.8"; - hash = "sha256-RANRX5pp7rPv68mPMLjGlhIr/fiV6Ss7I/W452nty2o="; + version = "15.9"; + hash = "sha256-dPLUVlA18M9ynssFmUn6rxECy9k3WbNZgi+Y+CGYx4M="; } diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix index e2cfda935a7fb..3ecf3e505728a 100644 --- a/pkgs/servers/sql/postgresql/generic.nix +++ b/pkgs/servers/sql/postgresql/generic.nix @@ -119,13 +119,6 @@ let src = ./patches/locale-binary-path.patch; locale = "${if stdenv.isDarwin then darwin.adv_cmds else lib.getBin stdenv.cc.libc}/bin/locale"; }) - ] ++ lib.optionals (atLeast "15" && olderThan "16") [ - # TODO: Remove this with the next set of minor releases - (fetchpatch ({ - url = "https://github.com/postgres/postgres/commit/b27622c90869aab63cfe22159a459c57768b0fa4.patch"; - hash = "sha256-7G+BkJULhyx6nlMEjClcr2PJg6awgymZHr2JgGhXanA="; - excludes = [ "doc/*" ]; - })) ] ++ lib.optionals stdenv'.hostPlatform.isMusl ( # Using fetchurl instead of fetchpatch on purpose: https://github.com/NixOS/nixpkgs/issues/240141 map fetchurl (lib.attrValues muslPatches) From 58afec363052b2565d8d7651919ec1e402290f2a Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 3 Oct 2024 21:53:17 +0200 Subject: [PATCH 05/34] nodejs_20: 20.17.0 -> 20.18.0 (cherry picked from commit 0789f53499110776ec56bd980c429b88d332dc7e) --- pkgs/development/web/nodejs/v20.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/nodejs/v20.nix b/pkgs/development/web/nodejs/v20.nix index 84b39868e611e..8d7731403367c 100644 --- a/pkgs/development/web/nodejs/v20.nix +++ b/pkgs/development/web/nodejs/v20.nix 
@@ -12,8 +12,8 @@ let in buildNodejs { inherit enableNpm; - version = "20.17.0"; - sha256 = "9abf03ac23362c60387ebb633a516303637145cb3c177be3348b16880fd8b28c"; + version = "20.18.0"; + sha256 = "7d9433e91fd88d82ba8de86e711ec41907638e227993d22e95126b02f6cd714a"; patches = [ ./disable-darwin-v8-system-instrumentation-node19.patch ./bypass-darwin-xcrun-node16.patch From 4eb946891176429af57927a6024c8d0381e1b850 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Wed, 20 Nov 2024 18:37:03 +0100 Subject: [PATCH 06/34] nodejs_20: 20.18.0 -> 20.18.1 (cherry picked from commit c91f75a39c419da555b55212d0c0a1053caf0cde) --- pkgs/development/web/nodejs/v20.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/nodejs/v20.nix b/pkgs/development/web/nodejs/v20.nix index 8d7731403367c..22aac85d0efc1 100644 --- a/pkgs/development/web/nodejs/v20.nix +++ b/pkgs/development/web/nodejs/v20.nix @@ -12,8 +12,8 @@ let in buildNodejs { inherit enableNpm; - version = "20.18.0"; - sha256 = "7d9433e91fd88d82ba8de86e711ec41907638e227993d22e95126b02f6cd714a"; + version = "20.18.1"; + sha256 = "91df43f8ab6c3f7be81522d73313dbdd5634bbca228ef0e6d9369fe0ab8cccd0"; patches = [ ./disable-darwin-v8-system-instrumentation-node19.patch ./bypass-darwin-xcrun-node16.patch From 8b3d3d5854495297ee537e505bab522c21e0762f Mon Sep 17 00:00:00 2001 
From: Carlo Cabrera Date: Fri, 22 Nov 2024 14:39:21 +0800 Subject: [PATCH 07/34] ghostscript: fix install names on Darwin Fixes #355377. This should avoid the need to mess around with `install_name_tool` entirely. This mirrors what is done by Homebrew[^1] and MacPorts[^2]. This should also make the changes in #355853 and #357951 unnecessary. [^1]: https://github.com/Homebrew/homebrew-core/blob/5ca4f8ce766c69d49321fb7da1d297b8232f40cf/Formula/g/ghostscript.rb#L76 [^2]: https://github.com/macports/macports-ports/blob/d8a05520fa6a81fa5b0365068590aff184976b69/print/ghostscript/Portfile#L114 --- pkgs/misc/ghostscript/default.nix | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix index 85c814cd9ba21..d47a2b8768b10 100644 --- a/pkgs/misc/ghostscript/default.nix +++ b/pkgs/misc/ghostscript/default.nix @@ -104,6 +104,8 @@ stdenv.mkDerivation rec { sed "s@^ZLIBDIR=.*@ZLIBDIR=${zlib.dev}/include@" -i configure.ac autoconf + '' + lib.optionalString stdenv.hostPlatform.isDarwin '' + export DARWIN_LDFLAGS_SO_PREFIX=$out/lib/ ''; configureFlags = [ @@ -140,19 +142,8 @@ stdenv.mkDerivation rec { done ''; - # dynamic library name only contains maj.min, eg. '9.53' - dylib_version = lib.versions.majorMinor version; - preFixup = lib.optionalString stdenv.isDarwin '' - install_name_tool -change libgs.dylib.$dylib_version $out/lib/libgs.dylib.$dylib_version $out/bin/gs - install_name_tool -change libgs.dylib.$dylib_version $out/lib/libgs.dylib.$dylib_version $out/bin/gsx - ''; - # validate dynamic linkage doInstallCheck = true; - preInstallCheck = if stdenv.hostPlatform.isDarwin then '' - DYLD_LIBRARY_PATH=$out/lib - export DYLD_LIBRARY_PATH - '' else null; installCheckPhase = '' runHook preInstallCheck From d81904f21553228fe803af05a12d772a20ca1117 Mon Sep 17 00:00:00 2001 
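Review bot: The added `export DARWIN_LDFLAGS_SO_PREFIX=$out/lib/` in the first hunk has no comment, so the derivation no longer says how the Darwin install names are made absolute now that the `install_name_tool` block is gone. I would put a shell comment directly above it inside the string, e.g. `# Darwin: have the build record $out/lib/ as the install-name prefix of libgs, so no install_name_tool fix-up is needed (#355377)`. How ghostscript's build consumes the variable is not visible here, so the wording should be checked against its makefiles. The string this line is appended to starts outside the hunk.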
From: Martin Weinelt Date: Thu, 21 Nov 2024 21:39:59 +0100 Subject: [PATCH 08/34] cacert: 3.104 -> 3.107 https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/WH8hT2HA7RM (cherry picked from commit 34887f20f659bf5cd3ab182179a739ba32ba048a) --- pkgs/data/misc/cacert/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 35a628d1f6035..3096adf627411 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.104"; + srcVersion = "3.107"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-TEGEKocapU5OTqx69n8nrn/X3SZr49d1alHM73UnDJw="; + hash = "sha256-c6ks/pBvZHipNkmBy784s96zMYP+D9q3VlVrPVSohLw="; }; dontBuild = true; From ff3ffad6a83a3217f27f506f63bc021300c9a04c Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Fri, 22 Nov 2024 18:45:24 +0100 Subject: [PATCH 09/34] postgresql_13: 13.17 -> 13.18 Release notes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ (cherry picked from commit 41dcc3c9746d282181c08b7531ff486b5fbe13f2) --- pkgs/servers/sql/postgresql/13.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/sql/postgresql/13.nix b/pkgs/servers/sql/postgresql/13.nix index 46dadcab65408..0219da508d093 100644 --- a/pkgs/servers/sql/postgresql/13.nix +++ b/pkgs/servers/sql/postgresql/13.nix 
@@ -1,6 +1,6 @@ import ./generic.nix { - version = "13.17"; - hash = "sha256-AisKbnvDdKd37s4zcIiV17YMrgfUkrKGspaknXOV14s="; + version = "13.18"; + hash = "sha256-zuqSq+4qjBlAjSeLaN5qeLa9PbtPotZT+nynRdZmqrE="; muslPatches = { disable-test-collate-icu-utf8 = { url = "https://git.alpinelinux.org/aports/plain/main/postgresql13/disable-test-collate.icu.utf8.patch?id=69faa146ec9fff3b981511068f17f9e629d4688b"; From cc42ae0328e7ec37f95721ab85033e1c45c57f70 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Fri, 22 Nov 2024 18:45:41 +0100 Subject: [PATCH 10/34] postgresql_14: 14.14 -> 14.15 Release notes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ (cherry picked from commit 3aa011583b3e362b63f468da2f54953fa289f8c7) --- pkgs/servers/sql/postgresql/14.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/sql/postgresql/14.nix b/pkgs/servers/sql/postgresql/14.nix index f2b5449d99c5f..500de98086833 100644 --- a/pkgs/servers/sql/postgresql/14.nix +++ b/pkgs/servers/sql/postgresql/14.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "14.14"; - hash = "sha256-hHJ/vM29Hv4B2N5kvBszCV23c60kV8787cLYJY68CdY="; + version = "14.15"; + hash = "sha256-AuiR4xS06e4ky9eAKNq3xz+cG6PjCDW8vvcf4iBAH8U="; muslPatches = { disable-test-collate-icu-utf8 = { url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/disable-test-collate.icu.utf8.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7"; From 78cc55c521752c1dc1e76e068a7f638c5d2efe9a Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Fri, 22 Nov 2024 18:45:58 +0100 Subject: [PATCH 11/34] postgresql_15: 15.9 -> 15.10 Release notes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ (cherry picked from commit 256921e7d3f563376e3eaf44328a65a67181e988) --- pkgs/servers/sql/postgresql/15.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/servers/sql/postgresql/15.nix b/pkgs/servers/sql/postgresql/15.nix index 8d484a97ec1c8..a65def57b1ca9 100644 --- a/pkgs/servers/sql/postgresql/15.nix +++ b/pkgs/servers/sql/postgresql/15.nix @@ -1,4 +1,4 @@ import ./generic.nix { - version = "15.9"; - hash = "sha256-dPLUVlA18M9ynssFmUn6rxECy9k3WbNZgi+Y+CGYx4M="; + version = "15.10"; + hash = "sha256-VavnONRB8OWGWLPsb4gJenE7XjtzE59iMNe1xMOJ5XM="; } From 46221d92084f766205db79cbdea945cca5e62b87 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Fri, 22 Nov 2024 18:46:26 +0100 Subject: [PATCH 12/34] postgresql_16: 16.5 -> 16.6 Release notes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ (cherry picked from commit f4ef8018ac170ca6dad34b354bfcd5ab91037a7d) --- pkgs/servers/sql/postgresql/16.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/sql/postgresql/16.nix b/pkgs/servers/sql/postgresql/16.nix index c02f02fc832e2..2b6e248625bd5 100644 --- a/pkgs/servers/sql/postgresql/16.nix +++ b/pkgs/servers/sql/postgresql/16.nix @@ -1,4 +1,4 @@ import ./generic.nix { - version = "16.5"; - hash = "sha256-psu7cDf5jLivp9OXC3xIBAzwKxFeOSU6DAN6i7jnePA="; + version = "16.6"; + hash = "sha256-Izac2szUUnCsXcww+p2iBdW+M/pQXh8XoEGNLK7KR3s="; } From 0db9d7919c44c09bd658f0906b60081c32595670 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 23 Nov 2024 13:07:51 +0100 Subject: [PATCH 13/34] postgresql_12: 12.21 -> 12.22 Release notes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ --- pkgs/servers/sql/postgresql/12.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/sql/postgresql/12.nix b/pkgs/servers/sql/postgresql/12.nix index ebd358dc01a1d..1b572a8e7ef92 100644 --- a/pkgs/servers/sql/postgresql/12.nix +++ b/pkgs/servers/sql/postgresql/12.nix 
@@ -1,4 +1,4 @@ import ./generic.nix { - version = "12.21"; - hash = "sha256-bHEVUKwcx4KIZeWCPZ9Ffjva1vQyAXcWn5DkGb4MJ/I="; + version = "12.22"; + hash = "sha256-jfPAR0eCWJ08bzdLUTOxvRTRaAhu28E8bnLmfdRSejs="; } From 49dd96c247ebc737635890e26f3ef240424e5620 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 27 Nov 2024 04:43:05 +0100 Subject: [PATCH 14/34] openldap: 2.6.8 -> 2.6.9 (cherry picked from commit 12c819e43f6a6136f5625b76735fe095c66dd982) --- pkgs/development/libraries/openldap/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix index aa91622264fe0..c232c9f0ed987 100644 --- a/pkgs/development/libraries/openldap/default.nix +++ b/pkgs/development/libraries/openldap/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "openldap"; - version = "2.6.8"; + version = "2.6.9"; src = fetchurl { url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${pname}-${version}.tgz"; - hash = "sha256-SJaTI+lOO+OwPGoTKULcun741UXyrTVAFwkBn2lsPE4="; + hash = "sha256-LLfcc+nINA3/DZk1f7qleKvzDMZhnwUhlyxVVoHmsv8="; }; # TODO: separate "out" and "bin" From 9c2f1dd1c3c730089b9ce1e439b82f69356c4a7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 2 Dec 2024 16:37:19 +0100 Subject: [PATCH 15/34] libxml2: 2.12.7 -> 2.12.9 In particular, this fixes CVE-2024-40896: https://gitlab.gnome.org/GNOME/libxml2/-/issues/761#note_2176469 NixPkgs 24.11+ has newer libxml2 branches. /cc PR #342895 --- pkgs/development/libraries/libxml2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index d2e614b331a1a..40dab693b1a7f 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix 
@@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: rec { pname = "libxml2"; - version = "2.12.7"; + version = "2.12.9"; outputs = [ "bin" "dev" "out" "doc" ] ++ lib.optional pythonSupport "py" @@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: rec { src = fetchurl { url = "mirror://gnome/sources/libxml2/${lib.versions.majorMinor version}/libxml2-${version}.tar.xz"; - hash = "sha256-JK54/xNjqXPm2L66lBp5RdoqwFbhm1OVautpJ/1s+1Y="; + hash = "sha256-WZEttTarVqOZZInqApl2jHvP/lcWnwI15/liqR9INZA="; }; strictDeps = true; From 61f406acd6713990e069198c89aba82c68b9f9ab Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sun, 1 Dec 2024 22:08:25 +0100 Subject: [PATCH 16/34] libsoup: apply patches for CVE-2024-52532, CVE-2024-52531 and CVE-2024-52530 (cherry picked from commit fc064c62cab15594b99cb395edb87928b1b4fbd8) --- .../development/libraries/libsoup/default.nix | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pkgs/development/libraries/libsoup/default.nix b/pkgs/development/libraries/libsoup/default.nix index e92c59bc2f2c0..7ca5721c90c47 100644 --- a/pkgs/development/libraries/libsoup/default.nix +++ b/pkgs/development/libraries/libsoup/default.nix @@ -1,6 +1,7 @@ { stdenv , lib , fetchurl +, fetchpatch , glib , libxml2 , meson 
@@ -29,6 +30,34 @@ stdenv.mkDerivation rec { sha256 = "sha256-5Ld8Qc/EyMWgNfzcMgx7xs+3XvfFoDQVPfFBP6HZLxM="; }; + patches = [ + (fetchpatch { + name = "CVE-2024-52530.patch"; + url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b.patch"; + hash = "sha256-WRLiW2B/xxr3hW0nmeRNrXtZL44S0nTptPRdTqBV8Iw="; + }) + (fetchpatch { + name = "CVE-2024-52531_1.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=4ce2f2dc8ba0c458edce0f039a087fb3ac57787e"; + hash = "sha256-wg1qz8xHcnTiinBTF0ECMkrsD8W6M4IbiKGgbJ1gp9o="; + }) + (fetchpatch { + name = "CVE-2024-52531_2.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=5866d63aed3500700c5f1d2868ff689bb2ba8b82"; + hash = "sha256-e/VXtKX+agCw+ESGbgQ83NaVNbB3jLTxL7+VgNGbZ7U="; + }) + (fetchpatch { + name = "CVE-2024-52532_1.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=98e096a0d2142e3c63de2cca7d4023f9c52ed2c6"; + hash = "sha256-h7k+HpcKlsVYlAONxTOiupMhsMkf2v246ouxLejurcY="; + }) + (fetchpatch { + name = "CVE-2024-52532_2.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=030e72420e8271299c324273f393d92f6d4bb53e"; + hash = "sha256-0BEJpEKgjmKACf53lHMglxhmevKsSXR4ejEoTtr4wII="; + }) + ]; + depsBuildBuild = [ pkg-config ]; From 3bfb930381b648594f4eca70ccfe4a80a55078d6 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 2 Oct 2024 02:51:07 +0200 Subject: [PATCH 17/34] python312: 3.12.6 -> 3.12.7 https://docs.python.org/release/3.12.7/whatsnew/changelog.html (cherry picked from commit 48d0511af5e4977cb912ecddb79787582994b907) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 867093563b209..489ca4b37af9f 100644 --- a/pkgs/development/interpreters/python/default.nix 
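Review bot: The new `patches` list records no provenance for the four backports that do not come from upstream, which makes them harder to audit than the first entry. `CVE-2024-52530.patch` is fetched from the GNOME libsoup repository, while the `CVE-2024-52531_*` and `CVE-2024-52532_*` entries are fetched from Ubuntu's `libsoup2.4` packaging on git.launchpad.net. Only the URLs reveal that split, and nothing maps each backport to the upstream commit it derives from. I would add a comment above those entries, e.g. `# Backports from Ubuntu's libsoup2.4 packaging; upstream fixes: <upstream-commit-url>`, so a later reviewer can compare them with upstream and know when a version bump makes them redundant. The pinned `hash` values already guard against the content changing behind those URLs, so this concerns reviewability rather than integrity. The derivation body continues outside the hunk.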
+++ b/pkgs/development/interpreters/python/default.nix @@ -79,10 +79,10 @@ in { sourceVersion = { major = "3"; minor = "12"; - patch = "6"; + patch = "7"; suffix = ""; }; - hash = "sha256-GZllgpjPL7g33/7Y/zwDPvDJjvIM9zxdX2a+1auJaXw="; + hash = "sha256-JIh7kuKv1KKsYCQZrUtZY3L2esmwdxkPRZq6OQ+vVVA="; inherit (darwin) configd; inherit passthruFun; }; From 700098e0fabacd6603580116b06dfcbaf4e315fb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 4 Dec 2024 03:27:23 +0100 Subject: [PATCH 18/34] python313: 3.13.0 -> 3.13.1 https://docs.python.org/release/3.13.1/whatsnew/changelog.html (cherry picked from commit 1ec7e4eb52f097eaf65e4c6c94bd7fdced865944) --- pkgs/development/interpreters/python/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 489ca4b37af9f..f6976dacc0302 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -92,13 +92,14 @@ in { sourceVersion = { major = "3"; minor = "13"; - patch = "0"; + patch = "1"; suffix = ""; }; - hash = "sha256-CG3liC48sxDU3KSEV1IuLkgBjs1D2pzfgn9qB1nvsH0="; + hash = "sha256-nPlCe+6eIkLjh33Q9rZBwYU8pGHznWUDziYKWcgL8Nk="; inherit (darwin) configd; inherit passthruFun; }; + # Minimal versions of Python (built without optional dependencies) python3Minimal = (callPackage ./cpython ({ self = __splicedPackages.python3Minimal; From b458fe47dbcb3c40ec0887a311ac14fc22af7c99 Mon Sep 17 00:00:00 2001 
From: Martin Weinelt Date: Fri, 6 Dec 2024 19:10:36 +0100 Subject: [PATCH 19/34] python312: fix memory exhaustion vulnerability in asyncio.protocols https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/ Fixes:CVE-2024-12254 (cherry picked from commit 861d0835305e5c15194c4c999c7365b443989b8a) --- .../python/cpython/3.12/CVE-2024-12254.patch | 45 +++++++++++++++++++ .../interpreters/python/cpython/default.nix | 2 + 2 files changed, 47 insertions(+) create mode 100644 pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch diff --git a/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch b/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch new file mode 100644 index 0000000000000..1a19a41d8d4ab --- /dev/null +++ b/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch 
@@ -0,0 +1,45 @@ +From e991ac8f2037d78140e417cc9a9486223eb3e786 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 22:33:03 -0600 +Subject: [PATCH] gh-127655: Ensure `_SelectorSocketTransport.writelines` + pauses the protocol if needed (#127656) + +Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed. + +Co-authored-by: Kumar Aditya + +diff --git a/Lib/asyncio/selector_events.py b/Lib/asyncio/selector_events.py +index f94bf10b4225e7..f1ab9b12d69a5d 100644 +--- a/Lib/asyncio/selector_events.py ++++ b/Lib/asyncio/selector_events.py +@@ -1175,6 +1175,7 @@ def writelines(self, list_of_data): + # If the entire buffer couldn't be written, register a write handler + if self._buffer: + self._loop._add_writer(self._sock_fd, self._write_ready) ++ self._maybe_pause_protocol() + + def can_write_eof(self): + return True +diff --git a/Lib/test/test_asyncio/test_selector_events.py b/Lib/test/test_asyncio/test_selector_events.py +index aaeda33dd0c677..efca30f37414f9 100644 +--- a/Lib/test/test_asyncio/test_selector_events.py ++++ b/Lib/test/test_asyncio/test_selector_events.py +@@ -805,6 +805,18 @@ def test_writelines_send_partial(self): + self.assertTrue(self.sock.send.called) + self.assertTrue(self.loop.writers) + ++ def test_writelines_pauses_protocol(self): ++ data = memoryview(b'data') ++ self.sock.send.return_value = 2 ++ self.sock.send.fileno.return_value = 7 ++ ++ transport = self.socket_transport() ++ transport._high_water = 1 ++ transport.writelines([data]) ++ self.assertTrue(self.protocol.pause_writing.called) ++ self.assertTrue(self.sock.send.called) ++ self.assertTrue(self.loop.writers) ++ + @unittest.skipUnless(selector_events._HAS_SENDMSG, 'no sendmsg') + def test_write_sendmsg_full(self): + data = memoryview(b'data') diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 9244e2a2838ef..d14551cf5be44 100644 
--- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -345,6 +345,8 @@ in with passthru; stdenv.mkDerivation (finalAttrs: { ] ++ optionals (pythonOlder "3.12") [ # https://github.com/python/cpython/issues/90656 ./loongarch-support.patch + ] ++ optionals (pythonAtLeast "3.12") [ + ./3.12/CVE-2024-12254.patch ] ++ optionals (pythonAtLeast "3.11" && pythonOlder "3.13") [ # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch From 788522d9a8e48ae74fb581c5ee1c284974d71e15 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Mon, 4 Nov 2024 06:47:34 +0000 Subject: [PATCH 20/34] mpg123: 1.32.8 -> 1.32.9 Changes: https://www.mpg123.de/#2024-11-02 (cherry picked from commit 87ba2ce02b0182c9571e448badef96301512a170) --- pkgs/applications/audio/mpg123/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/audio/mpg123/default.nix b/pkgs/applications/audio/mpg123/default.nix index 1d4c619fb3491..5a90ea44a14c5 100644 --- a/pkgs/applications/audio/mpg123/default.nix +++ b/pkgs/applications/audio/mpg123/default.nix @@ -23,11 +23,11 @@ assert withConplay -> !libOnly; stdenv.mkDerivation rec { pname = "${lib.optionalString libOnly "lib"}mpg123"; - version = "1.32.8"; + version = "1.32.9"; src = fetchurl { url = "mirror://sourceforge/mpg123/mpg123-${version}.tar.bz2"; - hash = "sha256-/u4TdMeVQODkBd8LxF/eIK1nARQlw2GidZ4hRolKJ6c="; + hash = "sha256-A7YeQATpYLrPKs2toD7ZTTduaqsnpgFEe9SQjYQHspE="; }; outputs = [ From 3675c7f82ca821db2a33eb8739b03ec3da1dc4ad Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:49:17 +0100 Subject: [PATCH 21/34] gst_all_1.gstreamer: 1.24.3 -> 1.24.7 (cherry picked from commit 2f7222d34d9bd99616cc4ab190475e31e59ff4db) --- pkgs/development/libraries/gstreamer/core/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
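Review bot: The new `optionals (pythonAtLeast "3.12")` guard in `cpython/default.nix` has no upper bound, so `./3.12/CVE-2024-12254.patch` is applied to every interpreter from 3.12 onward. That is broader than the commit subject, which names only python312, and than the `3.12/` directory the file sits in. Whether the 3.13.1 release pinned elsewhere in this series already contains the fix cannot be told from this page. If the wide range is intended, a comment should say so and record when to drop the patch, e.g. `# CVE-2024-12254 (gh-127655): asyncio writelines() memory exhaustion; remove once all pinned releases >= 3.12 include the fix`. The `patches` list this entry extends starts and ends outside the hunk.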
diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix index 3136b6f886755..b43ca9bf774e9 100644 --- a/pkgs/development/libraries/gstreamer/core/default.nix +++ b/pkgs/development/libraries/gstreamer/core/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gstreamer"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "bin" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-EiXvSjKfrhytxexyfaskmtVn6AcoeUk1Yc65HtNKpBQ="; + hash = "sha256-wOdbEkxSu3oMPc23NLKtJg6nKGqHRc8upinUyEnmqVg="; }; depsBuildBuild = [ From 875a593e3faca922cf0486f9bd170fa104ddca20 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:49:27 +0100 Subject: [PATCH 22/34] gst_all_1.gst-plugins-base: 1.24.3 -> 1.24.7 (cherry picked from commit 830fd9c48bf4a5fc00e8fbdf940730998c41d5af) --- pkgs/development/libraries/gstreamer/base/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix index f48fe22f50001..1cb841f69ef60 100644 --- a/pkgs/development/libraries/gstreamer/base/default.nix +++ b/pkgs/development/libraries/gstreamer/base/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gst-plugins-base"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "out" "dev" ]; @@ -54,7 +54,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-8QlDl+qnky8G5X67sHWqM6osduS3VjChawLI1K9Ggy4="; + hash = "sha256-FSjRdGo5Mpn1rBfr8ToypmAgLx4p0KhSoiUPagWaL9o="; }; strictDeps = true; From d12e76d071b7937fc374a33c58a8a5b4197208b7 Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 2 Sep 2024 16:49:36 +0100 Subject: [PATCH 23/34] gst_all_1.gst-plugins-good: 1.24.3 -> 1.24.7 (cherry picked from commit 4f18a0a9feae87fda6035b127579075608d9eadb) --- pkgs/development/libraries/gstreamer/good/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix index bd301e7b45c22..3f50c5f1d944d 100644 --- a/pkgs/development/libraries/gstreamer/good/default.nix +++ b/pkgs/development/libraries/gstreamer/good/default.nix @@ -58,13 +58,13 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch32); stdenv.mkDerivation rec { pname = "gst-plugins-good"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-FQ+RTmHcBWALaLiMoQPHzCJxMBWOOJ6p6hWfQFCi67A="; + hash = "sha256-dZrLEebeg3P/jLteerjrmjhjG+gc8kIgJnsAHrVVk8E="; }; patches = [ From d967143a050283222cf2cfe3c5458f0059b0cc79 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:49:46 +0100 Subject: [PATCH 24/34] gst_all_1.gst-plugins-bad: 1.24.3 -> 1.24.7 (cherry picked from commit 376d22b787a4c0593d363fa0ab9488120809598a) --- pkgs/development/libraries/gstreamer/bad/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 91639c441b481..4ec3c898314a8 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix 
@@ -112,13 +112,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-bad"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-6Q8mx9ycdvSqWZt1jP1tjBDWoLnLJluiw8m984iFWPg="; + hash = "sha256-ddUT/AumNfsfOXhtiQtz+6xfS8iP858qn/YvS49CjyI="; }; patches = [ From 63c4cc1015c8b55f83468fe55d4da848c5970630 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:49:55 +0100 Subject: [PATCH 25/34] gst_all_1.gst-plugins-ugly: 1.24.3 -> 1.24.7 (cherry picked from commit 12eaa68d405a8bdedc1833d20dec9514492682cd) --- pkgs/development/libraries/gstreamer/ugly/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix index 0b39bad01020b..1aa0657a3b178 100644 --- a/pkgs/development/libraries/gstreamer/ugly/default.nix +++ b/pkgs/development/libraries/gstreamer/ugly/default.nix @@ -25,13 +25,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-ugly"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-TJUTQcTGSGMLb+EjTsET2B3S0khSm/K1R44K0HfIDtM="; + hash = "sha256-PclU/FP+GIg2cDIqHCFePGUpA24KabMPZHgc1AwmhZM="; }; nativeBuildInputs = [ From 3d98b74b9745fd9e1145d750c8e4d6147f5b78cd Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:50:07 +0100 Subject: [PATCH 26/34] gst_all_1.gst-libav: 1.24.3 -> 1.24.7 (cherry picked from commit d8e8d2560e1a870f3fae85eea5855728e66c1619) --- pkgs/development/libraries/gstreamer/libav/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix index 872627009e215..8cd77a19725cb 100644 
--- a/pkgs/development/libraries/gstreamer/libav/default.nix +++ b/pkgs/development/libraries/gstreamer/libav/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "gst-libav"; - version = "1.24.3"; + version = "1.24.7"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-2cWxUkaKRcH6g1FBBCIJCnGScHrXTS4aQ2f1JU4YjZE="; + hash = "sha256-w+QXm6GDwtMQHt+H/3DdB+cox2al/uNObs3tdspYAt8="; }; outputs = [ "out" "dev" ]; From 4913960fff07974d2aae4364262f15d2a2945b22 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:50:17 +0100 Subject: [PATCH 27/34] gst_all_1.gst-vaapi: 1.24.3 -> 1.24.7 (cherry picked from commit e21f9ba00e7d37e74bf2a89bc0f4fa1799ae7c9d) --- pkgs/development/libraries/gstreamer/vaapi/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix index cdad2eaf232d9..bdbc511b86e3a 100644 --- a/pkgs/development/libraries/gstreamer/vaapi/default.nix +++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix @@ -24,11 +24,11 @@ stdenv.mkDerivation rec { pname = "gstreamer-vaapi"; - version = "1.24.3"; + version = "1.24.7"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-hF8u/g3KjasjTd6PsJHaLNBqnSpoNCK1bctoiVT5Bw4="; + hash = "sha256-OqXtnX9LWny2DYsDcNmD1ZOV3lRu52cEQBGA/Q/V7oY="; }; outputs = [ From 0b0f8a80bbf18672c354bcb1bf4934dd6ad8e4c0 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:50:25 +0100 Subject: [PATCH 28/34] gst_all_1.gst-rtsp-server: 1.24.3 -> 1.24.7 (cherry picked from commit 3f2e9f2ee84030cce0e5a82524b0c59f5c336db6) --- pkgs/development/libraries/gstreamer/rtsp-server/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix index db56d895f7876..15c41f0de697c 100644 --- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix +++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { pname = "gst-rtsp-server"; - version = "1.24.3"; + version = "1.24.7"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-YmKOzKeLj1tRxZpNYCxl6SBf/FDDyDzWH6sfY0i2NWU="; + hash = "sha256-2ceOXNC+rTC/XnSvgOQefVAGGUYX/b9EuIvibla76Pk="; }; outputs = [ From 7d4886bffc213279ad01d1692a34c665a323f1f8 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:50:34 +0100 Subject: [PATCH 29/34] gst_all_1.gst-devtools: 1.24.3 -> 1.24.7 (cherry picked from commit aa1c0501b91f2e93d332f56c71092bc1ffbe7f87) --- pkgs/development/libraries/gstreamer/devtools/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix index 44a79bb2c998d..82e5c7d48ea2d 100644 --- a/pkgs/development/libraries/gstreamer/devtools/default.nix +++ b/pkgs/development/libraries/gstreamer/devtools/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "gst-devtools"; - version = "1.24.3"; + version = "1.24.7"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-uREUov2Vj0Ks9EEYbofivsk1OO81qfgkgREZc2D/sjc="; + hash = "sha256-56p6I/pYfVjcWnu1Hvta159vKkxZh1ZMZvYztbvTixc="; }; outputs = [ From f6c39e9c270ba945dc3578ad3e602d2568470bb0 Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 2 Sep 2024 16:50:44 +0100 Subject: [PATCH 30/34] gst_all_1.gst-editing-services: 1.24.3 -> 1.24.7 (cherry picked from commit afacb0789d35e2ef591bf5e48b5164c6f704df28) --- pkgs/development/libraries/gstreamer/ges/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix index 79ece373b57d0..f715afa66f075 100644 --- a/pkgs/development/libraries/gstreamer/ges/default.nix +++ b/pkgs/development/libraries/gstreamer/ges/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "gst-editing-services"; - version = "1.24.3"; + version = "1.24.7"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-z3QyFWiLATkFzSyff+3aIeLTTIRDQJkMbqJdEKA3KT8="; + hash = "sha256-sjzDEqI/q3F+S2A/ByvkIJhPucndIHfiBraqmxHfKdg="; }; nativeBuildInputs = [ From 63a44b94c0bb90cc8668b357524b025e1c5d79f8 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 16:50:54 +0100 Subject: [PATCH 31/34] python3Packages.gst-python: 1.24.3 -> 1.24.7 (cherry picked from commit c129df75b68338d3b3b3b0892d5d78133ed850a4) --- pkgs/development/python-modules/gst-python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix index f2cc5a2edfac1..cfa05acb076ef 100644 --- a/pkgs/development/python-modules/gst-python/default.nix +++ b/pkgs/development/python-modules/gst-python/default.nix @@ -15,7 +15,7 @@ buildPythonPackage rec { pname = "gst-python"; - version = "1.24.3"; + version = "1.24.7"; format = "other"; 
@@ -26,7 +26,7 @@ buildPythonPackage rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/gst-python/${pname}-${version}.tar.xz"; - hash = "sha256-7Ns+K6lOosgrk6jHFdWn4E+XJqiDjAprF2lJKP0ehZU="; + hash = "sha256-bD7gKyDICobiQkWwYQLa4A4BdobydAdib0TcA6w8pTo="; }; # Python 2.x is not supported. From 20b409608ae56709feb634f3dd2c2a0a1834db93 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 2 Sep 2024 19:41:24 +0100 Subject: [PATCH 32/34] gst_all_1.gst-plugins-bad: add patch for macOS < 12 SDK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This now references `kVTVideoDecoderReferenceMissingErr`, which was added in the macOS 12 SDK. Unfortunately, our 12.3 SDK doesn’t work to build this package currently. This should hopefully be fixed after the SDK rework. (cherry picked from commit 69b18ff3ea8b8df4b85b0ce58ff2ce26f0e38163) --- .../gstreamer/bad/darwin-old-sdk-fix.patch | 49 +++++++++++++++++++ .../libraries/gstreamer/bad/default.nix | 5 ++ 2 files changed, 54 insertions(+) create mode 100644 pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch diff --git a/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch b/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch new file mode 100644 index 0000000000000..b525eaa7d55b8 --- /dev/null +++ b/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch 
@@ -0,0 +1,49 @@
+From 816f2ccad16413a4961a0001fc02d8874d4fde47 Mon Sep 17 00:00:00 2001
+From: Alessandro Bono
+Date: Wed, 10 Jul 2024 15:33:34 +0200
+Subject: [PATCH] vtdec: Use kVTVideoDecoderReferenceMissingErr only when
+ defined
+
+The enum value is declared present since macOS 10.8+[1]. Howerver,
+the compilation now fails with the 10.15 SDK:
+```
+../sys/applemedia/vtdec.c:1219:12: error: use of undeclared identifier 'kVTVideoDecoderReferenceMissingErr'; did you mean 'kVTVideoDecoderMalfunctionErr'?
+ case kVTVideoDecoderReferenceMissingErr:
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ kVTVideoDecoderMalfunctionErr
+/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/Frameworks/VideoToolbox.framework/Headers/VTErrors.h:40:2: note: 'kVTVideoDecoderMalfunctionErr' declared here
+ kVTVideoDecoderMalfunctionErr = -12911, // c.f. -8960
+ ^
+1 error generated.
+```
+
+Put the enum usage under #ifdef. When missing, the behavior will be
+the same as before commit a5c437c6430cdce603e46e09400beb4c5b9f5374.
+
+[1] https://developer.apple.com/documentation/videotoolbox/kvtvideodecoderreferencemissingerr?language=objc
+---
+ sys/applemedia/vtdec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sys/applemedia/vtdec.c b/sys/applemedia/vtdec.c
+index 57fcbf9928a5..517c15365b52 100644
+--- a/sys/applemedia/vtdec.c
++++ b/sys/applemedia/vtdec.c
+@@ -1216,12 +1216,14 @@ gst_vtdec_session_output_callback (void *decompression_output_ref_con,
+
+ if (status != noErr) {
+ switch (status) {
++#ifdef kVTVideoDecoderReferenceMissingErr
+ case kVTVideoDecoderReferenceMissingErr:
+ /* ReferenceMissingErr is not critical, when it occurs the frame
+ * usually has the kVTDecodeInfo_FrameDropped flag set. Log only for debugging purposes.
*/ + GST_DEBUG_OBJECT (vtdec, "ReferenceMissingErr when decoding frame %d", + frame->decode_frame_number); + break; ++#endif + #ifndef HAVE_IOS + case codecBadDataErr: /* SW decoder on macOS uses a different code from the hardware one... */ + #endif +-- +GitLab + diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 4ec3c898314a8..46fc02a7b3581 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -127,6 +127,11 @@ stdenv.mkDerivation rec { src = ./fix-paths.patch; inherit (addOpenGLRunpath) driverLink; }) + + # vtdec: Use kVTVideoDecoderReferenceMissingErr only when defined + # + # TODO: Remove this when the build with the newer SDK works. + ./darwin-old-sdk-fix.patch ]; nativeBuildInputs = [ From b9067b763e5f461d46c3c6726fb8502d2778e9a9 Mon Sep 17 00:00:00 2001 From: Reno Dakota Date: Sat, 14 Dec 2024 08:54:55 +0000 Subject: [PATCH 33/34] gst_all_1.*: 1.24.7 -> 1.24.10 https://discourse.gstreamer.org/t/gstreamer-1-24-10-stable-bug-fix-release/3683 (cherry picked from commit 5af5812fd49d93e1bca04333dd1afb250a321eb6) --- pkgs/development/libraries/gstreamer/bad/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/base/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/core/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/devtools/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/ges/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/good/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/libav/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/rtsp-server/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/ugly/default.nix | 4 ++-- pkgs/development/libraries/gstreamer/vaapi/default.nix | 4 ++-- pkgs/development/python-modules/gst-python/default.nix | 4 ++-- 11 files changed, 22 insertions(+), 22 deletions(-) 
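Review bot: The comment added above `./darwin-old-sdk-fix.patch` does not say where the vendored patch comes from, and the guard it introduces probably disables the `case` on every SDK, not only on old ones. The patch's own message calls `kVTVideoDecoderReferenceMissingErr` an enum value, and `#ifdef` only sees preprocessor macros, so unless the SDK headers also define a macro of that name the branch is compiled out everywhere and the status is left to the rest of the switch, which is not visible here. I would record both in the comment, for example `# Upstream gst-plugins-bad commit 816f2ccad16413a4961a0001fc02d8874d4fde47; the #ifdef tests an enumerator, so the case is likely dropped on all SDKs.` The `patches = [` list opens above the hunk, so whether the other entries carry provenance comments cannot be checked from here.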
diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 46fc02a7b3581..02543b993edec 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -112,13 +112,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-bad"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-ddUT/AumNfsfOXhtiQtz+6xfS8iP858qn/YvS49CjyI="; + hash = "sha256-FwfjEDlQybrtNkqK8roEldaxE/zTbhBi3aX1grj4kE0="; }; patches = [ diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix index 1cb841f69ef60..f0543fb85cb37 100644 --- a/pkgs/development/libraries/gstreamer/base/default.nix +++ b/pkgs/development/libraries/gstreamer/base/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gst-plugins-base"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "out" "dev" ]; @@ -54,7 +54,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-FSjRdGo5Mpn1rBfr8ToypmAgLx4p0KhSoiUPagWaL9o="; + hash = "sha256-69V7G+kkxuJPMn3VW6udj7quvl4dyPynhBgqsrEtI+s="; }; strictDeps = true; diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix index b43ca9bf774e9..368755237e17f 100644 --- a/pkgs/development/libraries/gstreamer/core/default.nix +++ b/pkgs/development/libraries/gstreamer/core/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gstreamer"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "bin" 
@@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-wOdbEkxSu3oMPc23NLKtJg6nKGqHRc8upinUyEnmqVg="; + hash = "sha256-n8RbGjMuj4EvCelcKBzXWWn20WgtBiqBXbDnvAR1GP0="; }; depsBuildBuild = [ diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix index 82e5c7d48ea2d..9c431dc51d0f0 100644 --- a/pkgs/development/libraries/gstreamer/devtools/default.nix +++ b/pkgs/development/libraries/gstreamer/devtools/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "gst-devtools"; - version = "1.24.7"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-56p6I/pYfVjcWnu1Hvta159vKkxZh1ZMZvYztbvTixc="; + hash = "sha256-KYNTcUiwqNUrrSo/TJ3MqAj9WqEvzO4lrMSkJ38HgOw="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix index f715afa66f075..1e7bdb1d611a8 100644 --- a/pkgs/development/libraries/gstreamer/ges/default.nix +++ b/pkgs/development/libraries/gstreamer/ges/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "gst-editing-services"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-sjzDEqI/q3F+S2A/ByvkIJhPucndIHfiBraqmxHfKdg="; + hash = "sha256-bwCxG05eNMKjLWTfUh3Kd1GdYm/MXjhjwCGL0SNn4XQ="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix index 3f50c5f1d944d..7273b38eec1d1 100644 --- a/pkgs/development/libraries/gstreamer/good/default.nix +++ b/pkgs/development/libraries/gstreamer/good/default.nix 
@@ -58,13 +58,13 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch32); stdenv.mkDerivation rec { pname = "gst-plugins-good"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-dZrLEebeg3P/jLteerjrmjhjG+gc8kIgJnsAHrVVk8E="; + hash = "sha256-/OdI+mbXqO4fsmFInlnQHj+nh2I9bVw1BoQW/nzQrLM="; }; patches = [ diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix index 8cd77a19725cb..4721f5e894aad 100644 --- a/pkgs/development/libraries/gstreamer/libav/default.nix +++ b/pkgs/development/libraries/gstreamer/libav/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "gst-libav"; - version = "1.24.7"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-w+QXm6GDwtMQHt+H/3DdB+cox2al/uNObs3tdspYAt8="; + hash = "sha256-TPLi2CBOVLqK+VGai5t/+m6VGnCHr6Df6DwSXUm7tfs="; }; outputs = [ "out" "dev" ]; diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix index 15c41f0de697c..3967ad1696523 100644 --- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix +++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { pname = "gst-rtsp-server"; - version = "1.24.7"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-2ceOXNC+rTC/XnSvgOQefVAGGUYX/b9EuIvibla76Pk="; + hash = "sha256-2yHf3Xvy5xhWTVVzeK2lNYtBHv4qPonp8Ph6dFN+Ktw="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix index 1aa0657a3b178..781ef18724010 100644 
--- a/pkgs/development/libraries/gstreamer/ugly/default.nix +++ b/pkgs/development/libraries/gstreamer/ugly/default.nix @@ -25,13 +25,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-ugly"; - version = "1.24.7"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-PclU/FP+GIg2cDIqHCFePGUpA24KabMPZHgc1AwmhZM="; + hash = "sha256-nfb9haclYkHvuyX4SzN1deOzRSZvXas4STceRpR3nxg="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix index bdbc511b86e3a..fc23aaa23998d 100644 --- a/pkgs/development/libraries/gstreamer/vaapi/default.nix +++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix @@ -24,11 +24,11 @@ stdenv.mkDerivation rec { pname = "gstreamer-vaapi"; - version = "1.24.7"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-OqXtnX9LWny2DYsDcNmD1ZOV3lRu52cEQBGA/Q/V7oY="; + hash = "sha256-IVk9veXGvNz+mRld7748P02gHLhfjsEKrpQ4h9Odikw="; }; outputs = [ diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix index cfa05acb076ef..a5fd895521d62 100644 --- a/pkgs/development/python-modules/gst-python/default.nix +++ b/pkgs/development/python-modules/gst-python/default.nix @@ -15,7 +15,7 @@ buildPythonPackage rec { pname = "gst-python"; - version = "1.24.7"; + version = "1.24.10"; format = "other"; @@ -26,7 +26,7 @@ buildPythonPackage rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/gst-python/${pname}-${version}.tar.xz"; - hash = "sha256-bD7gKyDICobiQkWwYQLa4A4BdobydAdib0TcA6w8pTo="; + hash = "sha256-E1vPi28UaLwx5WYECf6O04EJ8B3sRHQ1FKovprOGMwk"; }; # Python 2.x is not supported. From cca4f8e59e9479ced4f02f33530be367220d5826 Mon Sep 17 00:00:00 2001 
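Review bot: The new gst-python `hash` in the second hunk of `python-modules/gst-python/default.nix` is written without the trailing `=` that every other SRI hash in this series carries. A padded base64 SHA-256 digest is 44 characters ending in `=`, while `sha256-E1vPi28UaLwx5WYECf6O04EJ8B3sRHQ1FKovprOGMwk` has 43, which suggests the value was truncated when it was copied. Nix may still accept the unpadded form, but a source pin that differs in shape from its siblings is harder to audit, so I would re-run the prefetch and commit the canonical value, presumably `hash = "sha256-E1vPi28UaLwx5WYECf6O04EJ8B3sRHQ1FKovprOGMwk=";` if the digest itself is unchanged.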
From: Martin Weinelt Date: Sun, 22 Dec 2024 18:09:58 +0100 Subject: [PATCH 34/34] python312Packages.jinja2: 3.1.4 -> 3.1.5 https://github.com/pallets/jinja/releases/tag/3.1.5 https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699 Fixes: CVE-2024-56326, CVE-2024-56201 (cherry picked from commit 143eb2efc7b644bc8d / PR #367410) --- .../python-modules/jinja2/default.nix | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/pkgs/development/python-modules/jinja2/default.nix b/pkgs/development/python-modules/jinja2/default.nix index ba8f7048c5b6b..c8ceb94da0d9f 100644 --- a/pkgs/development/python-modules/jinja2/default.nix +++ b/pkgs/development/python-modules/jinja2/default.nix @@ -20,19 +20,29 @@ buildPythonPackage rec { pname = "jinja2"; - version = "3.1.4"; + version = "3.1.5"; pyproject = true; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-Sjruesu+cwOu3o6WSNE7i/iKQpKCqmEiqZPwrIAMs2k="; + hash = "sha256-j+//jcMDTie7gNZ8Zx64qbxCTA70wIJu2/8wTM7/Q7s="; }; - nativeBuildInputs = [ flit-core ]; + postPatch = '' + # Do not test with trio, it increases jinja2's dependency closure by a lot + # and everyone consuming these dependencies cannot rely on sphinxHook, + # because sphinx itself depends on jinja2. + substituteInPlace tests/test_async{,_filters}.py \ + --replace-fail "import trio" "" \ + --replace-fail ", trio.run" "" \ + --replace-fail ", \"trio\"" "" + ''; - propagatedBuildInputs = [ markupsafe ]; + build-system = [ flit-core ]; + + dependencies = [ markupsafe ]; passthru.optional-dependencies = { i18n = [ babel ];