From 2e4e6618cb8695b42c8cc63d0facb4b8f459017b Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Wed, 27 Mar 2024 21:20:42 +0100
Subject: [PATCH 1/2] curl: 8.6.0 -> 8.7.1

Fixes CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004.

Changes: https://curl.se/changes.html#8_7_1
---
 pkgs/tools/networking/curl/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index c2438f1b5777..deaede8f9602 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -49,14 +49,14 @@ assert !((lib.count (x: x) [ gnutlsSupport opensslSupport wolfsslSupport rustlsS
 stdenv.mkDerivation (finalAttrs: {
 pname = "curl";
- version = "8.6.0";
+ version = "8.7.1";
 src = fetchurl {
 urls = [
 "https://curl.haxx.se/download/curl-${finalAttrs.version}.tar.xz"
 "https://github.com/curl/curl/releases/download/curl-${builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version}/curl-${finalAttrs.version}.tar.xz"
 ];
- hash = "sha256-PM1V2Rr5UWU534BiX4GMc03G8uz5utozx2dl6ZEh2xU=";
+ hash = "sha256-b+oqrGpGEPvQQAr7C83b5yWKZMY/H2jlhV68DGWXEM0=";
 };
 postPatch = ''
@@ -196,6 +196,7 @@ stdenv.mkDerivation (finalAttrs: {
 # nginx-http3 = useThisCurl nixosTests.nginx-http3;
 nginx-http3 = nixosTests.nginx-http3;
 pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
+ } // lib.optionalAttrs (stdenv.hostPlatform.system != "x86_64-darwin") {
 static = pkgsStatic.curl;
 } // lib.optionalAttrs (!stdenv.isDarwin) {
 fetchpatch = tests.fetchpatch.simple.override { fetchpatch = (fetchpatch.override { fetchurl = useThisCurl fetchurl; }) // { version = 1; }; };
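Review bot: The added `} // lib.optionalAttrs (stdenv.hostPlatform.system != "x86_64-darwin") {` wrapper that skips the `static` test carries no comment, and the commit message mentions only the version bump and the CVE fixes, so a reader cannot tell why x86_64-darwin is excluded here. It appears to pair with the `meta.broken` change later in this same patch, which marks static x86_64-darwin builds broken and would make `pkgsStatic.curl` an unbuildable test. Suggest a comment on the added line: `# pkgsStatic.curl is marked broken on x86_64-darwin (see meta.broken below)`. The enclosing `passthru.tests` attribute set starts before this hunk.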
@@ -210,7 +211,7 @@ stdenv.mkDerivation (finalAttrs: {
 maintainers = with maintainers; [ lovek323 ];
 platforms = platforms.all;
 # Fails to link against static brotli or gss
- broken = stdenv.hostPlatform.isStatic && (brotliSupport || gssSupport);
+ broken = stdenv.hostPlatform.isStatic && (brotliSupport || gssSupport || stdenv.hostPlatform.system == "x86_64-darwin");
 pkgConfigModules = [ "libcurl" ];
 mainProgram = "curl";
 };

From 6ea5b5f2c55759ed8df79931912c8a01d86cbc5c Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sun, 7 Apr 2024 18:06:10 +0200
Subject: [PATCH 2/2] rustls-ffi: temporarily drop passthru.tests.curl

It currently does not build but the situation is being handled upstream.
---
 pkgs/development/libraries/rustls-ffi/default.nix | 3 ++-
 pkgs/tools/networking/curl/default.nix | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/rustls-ffi/default.nix b/pkgs/development/libraries/rustls-ffi/default.nix
index 46c16c9cc437..380405217e3d 100644
--- a/pkgs/development/libraries/rustls-ffi/default.nix
+++ b/pkgs/development/libraries/rustls-ffi/default.nix
@@ -28,7 +28,8 @@ rustPlatform.buildRustPackage rec {
 passthru.tests = {
 apacheHttpd = apacheHttpd.override { modTlsSupport = true; };
- curl = curl.override { opensslSupport = false; rustlsSupport = true; };
+ # Currently broken notably because of https://github.com/curl/curl/issues/13248
+ # curl = curl.override { opensslSupport = false; rustlsSupport = true; };
 };
 meta = with lib; {
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index deaede8f9602..6559a5cf4ecb 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
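Review bot: The comment `# Fails to link against static brotli or gss` above the changed `broken` line is now stale, because the new condition also marks every static x86_64-darwin build broken regardless of brotli or gss support. Suggest `# Fails to link against static brotli or gss; static x86_64-darwin builds are also marked broken`. The same untouched comment is carried forward by the second patch's hunk `@@ -211,7 +211,7 @@` in this file, which widens the expression again. The enclosing `meta` attribute set starts before this hunk.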
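Review bot: Commenting out the `curl` entry removes an in-tree build of curl with `rustlsSupport = true`, so the rustls TLS backend loses that build coverage, and the added comment names the upstream issue but not the condition under which the test should come back. Since the second patch's curl hunk also marks `rustlsSupport` builds broken, re-enabling this line alone would not be enough. Suggest extending the added comment: `# TODO: re-enable once https://github.com/curl/curl/issues/13248 is resolved and curl's meta.broken no longer includes rustlsSupport`.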
@@ -211,7 +211,7 @@ stdenv.mkDerivation (finalAttrs: {
 maintainers = with maintainers; [ lovek323 ];
 platforms = platforms.all;
 # Fails to link against static brotli or gss
- broken = stdenv.hostPlatform.isStatic && (brotliSupport || gssSupport || stdenv.hostPlatform.system == "x86_64-darwin");
+ broken = (stdenv.hostPlatform.isStatic && (brotliSupport || gssSupport || stdenv.hostPlatform.system == "x86_64-darwin")) || rustlsSupport;
 pkgConfigModules = [ "libcurl" ];
 mainProgram = "curl";
 };
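Review bot: The `|| rustlsSupport` disjunct added to `broken` is a different failure from the static-link case, yet it sits under the unchanged `# Fails to link against static brotli or gss` comment, and the commit message describes the change only as dropping a passthru test. Suggest breaking the expression across lines so the new term carries its own reason, e.g. `# rustls backend currently does not build, see https://github.com/curl/curl/issues/13248` on the line above `|| rustlsSupport;`, keeping the static-link comment attached to the parenthesised first term. The enclosing `meta` attribute set starts before this hunk.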