From 64d3ca21d0a1f4daf1df5480077dafff5249c09a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Thu, 5 Feb 2026 13:21:38 +0100 Subject: [PATCH 01/96] python3Packages.superqt: move pyqt5 to optional deps (cherry picked from commit b2d704c63ec86bbff91696d5187646dd22d0a3c5) --- pkgs/development/python-modules/superqt/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/superqt/default.nix b/pkgs/development/python-modules/superqt/default.nix index aa0109a6b3b2d..35eac4d6118d1 100644 --- a/pkgs/development/python-modules/superqt/default.nix +++ b/pkgs/development/python-modules/superqt/default.nix @@ -37,7 +37,6 @@ buildPythonPackage rec { dependencies = [ pygments - pyqt5 qtpy typing-extensions ]; @@ -47,6 +46,7 @@ buildPythonPackage rec { pyside2 = [ pyside2 ]; pyside6 = [ pyside6 ]; pyqt6 = [ pyqt6 ]; + pyqt5 = [ pyqt5 ]; }; nativeCheckInputs = [ pytestCheckHook ]; From 3fa281cbb2c6cf528f2c24c1cedb25a26b71f324 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 7 Feb 2026 11:42:09 +0100 Subject: [PATCH 02/96] python3Packages.qtconsole: move to qt6 (cherry picked from commit 4b7b68576065f31e88385d87aabb70058cfcaec3) --- pkgs/development/python-modules/qtconsole/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/qtconsole/default.nix b/pkgs/development/python-modules/qtconsole/default.nix index a6382daba3789..e3d92b9de64aa 100644 --- a/pkgs/development/python-modules/qtconsole/default.nix +++ b/pkgs/development/python-modules/qtconsole/default.nix @@ -11,7 +11,7 @@ jupyter-core, jupyter-client, pygments, - pyqt5, + pyqt6, qtpy, traitlets, @@ -38,7 +38,7 @@ buildPythonPackage rec { jupyter-core jupyter-client pygments - pyqt5 + pyqt6 qtpy traitlets ]; From 28daf4681581b1e602591043280c26d2512b996f Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 7 Feb 2026 11:43:36 +0100 Subject: [PATCH 03/96] python3Packages.qtawesome: move to qt6 (cherry picked from commit 276400de414f947b746a58d163d9daf20b2adb0b) --- pkgs/development/python-modules/qtawesome/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/qtawesome/default.nix b/pkgs/development/python-modules/qtawesome/default.nix index f80fe3f9868e6..9b860a5bc5ca6 100644 --- a/pkgs/development/python-modules/qtawesome/default.nix +++ b/pkgs/development/python-modules/qtawesome/default.nix @@ -2,7 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, - pyqt5, + pyqt6, pytestCheckHook, pythonOlder, qtpy, @@ -23,7 +23,7 @@ buildPythonPackage rec { }; propagatedBuildInputs = [ - pyqt5 + pyqt6 qtpy ]; From 730c539ca1db285a9f9095d814f00ae8905a1d46 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 7 Feb 2026 11:43:58 +0100 Subject: [PATCH 04/96] spyder: move to qt6 (cherry picked from commit 5fafdd05ab640b29959d96c4863bb95696388c0c) --- .../python-modules/spyder/default.nix | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/pkgs/development/python-modules/spyder/default.nix b/pkgs/development/python-modules/spyder/default.nix index 34b1a155ab715..901e81578c395 100644 --- a/pkgs/development/python-modules/spyder/default.nix +++ b/pkgs/development/python-modules/spyder/default.nix @@ -4,7 +4,7 @@ fetchPypi, # nativeBuildInputs - pyqtwebengine, + pyqt6-webengine, # build-system setuptools, @@ -36,6 +36,7 @@ pylint-venv, pyls-spyder, pyopengl, + pyqt6, python-lsp-black, python-lsp-ruff, python-lsp-server, @@ -55,6 +56,7 @@ three-merge, watchdog, yarl, + qt6, }: buildPythonPackage rec { @@ -69,7 +71,7 @@ buildPythonPackage rec { patches = [ ./dont-clear-pythonpath.patch ]; - nativeBuildInputs = [ pyqtwebengine.wrapQtAppsHook ]; + nativeBuildInputs = [ qt6.wrapQtAppsHook ]; build-system = [ setuptools ]; @@ -78,6 +80,11 @@ buildPythonPackage rec { "python-lsp-server" ]; + buildInputs = [ + qt6.qtbase + qt6.qtwayland + ]; + dependencies = [ aiohttp asyncssh @@ -105,7 +112,7 @@ buildPythonPackage rec { pylint-venv pyls-spyder pyopengl - pyqtwebengine + pyqt6-webengine python-lsp-black python-lsp-ruff python-lsp-server @@ -125,12 +132,15 @@ buildPythonPackage rec { three-merge watchdog yarl + pyqt6 ] ++ python-lsp-server.optional-dependencies.all; # There is no test for spyder doCheck = false; + env.SPYDER_QT_BINDING = "pyqt6"; + postInstall = '' # Add Python libs to env so Spyder subprocesses # created to run compute kernels don't fail with ImportErrors From d0618a00c724cf32c1450a949f708dc65264cb15 Mon Sep 17 00:00:00 2001 From: Justin Chen <42143810+StarryReverie@users.noreply.github.com> Date: Sun, 14 Dec 2025 10:58:26 +0800 Subject: [PATCH 05/96] fmt: 12.0.0 -> 12.1.0 Changelog: https://github.com/fmtlib/fmt/releases/tag/12.1.0 Closes #465179 (cherry picked from commit c0d952e0dbf38c6e286c64644c2daf6bb8175f53) --- pkgs/development/libraries/fmt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/fmt/default.nix b/pkgs/development/libraries/fmt/default.nix index 281acff35b354..3b9a89e670f42 100644 --- a/pkgs/development/libraries/fmt/default.nix +++ b/pkgs/development/libraries/fmt/default.nix @@ -99,7 +99,7 @@ in }; fmt_12 = generic { - version = "12.0.0"; - hash = "sha256-AZDmIeU1HbadC+K0TIAGogvVnxt0oE9U6ocpawIgl6g="; + version = "12.1.0"; + hash = "sha256-ZmI1Dv0ZabPlxa02OpERI47jp7zFfjpeWCy1WyuPYZ0="; }; } From b2d2ab4f43a1b90316bba92ea0ba10841b19af2e Mon Sep 17 00:00:00 2001 From: Ryan Omasta Date: Wed, 25 Mar 2026 01:14:07 -0600 Subject: [PATCH 06/96] python3Packages.pygments: patch CVE-2026-4539 (cherry picked from commit 4b94324556a0d802ad3316b936547dfed4842896) --- .../pygments/CVE-2026-4539.patch | 34 +++++++++++++++++++ .../python-modules/pygments/default.nix | 6 ++++ 2 files changed, 40 insertions(+) create mode 100644 pkgs/development/python-modules/pygments/CVE-2026-4539.patch diff --git a/pkgs/development/python-modules/pygments/CVE-2026-4539.patch b/pkgs/development/python-modules/pygments/CVE-2026-4539.patch new file mode 100644 index 0000000000000..5bd27874c8ad1 --- /dev/null +++ b/pkgs/development/python-modules/pygments/CVE-2026-4539.patch @@ -0,0 +1,34 @@ +From 2be805d86471efb8efd51886d4d11a33fa22a928 Mon Sep 17 00:00:00 2001 +From: "zam." +Date: Wed, 25 Mar 2026 11:47:14 +0700 +Subject: [PATCH] fix(lexers): prevent ReDoS in archetype lexer GUID and ID + patterns + +--- + pygments/lexers/archetype.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py +index 5b3eb21ae7..977b02f751 100644 +--- a/pygments/lexers/archetype.py ++++ b/pygments/lexers/archetype.py +@@ -35,8 +35,8 @@ class AtomsLexer(RegexLexer): + (r'([ \t]*)(--.*)$', bygroups(Whitespace, Comment)), + ], + 'archetype_id': [ +- (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}' +- r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', ++ (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}' ++ r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', + bygroups(Whitespace, Name.Decorator)), + ], + 'date_constraints': [ +@@ -293,7 +293,7 @@ class AdlLexer(AtomsLexer): + # numbers and version ids + (r'\d+(\.\d+)*', Literal), + # Guids +- (r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}', Literal), ++ (r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}', Literal), + (r'\w+', Name.Class), + (r'"', String, 'string'), + (r'=', Operator), diff --git a/pkgs/development/python-modules/pygments/default.nix b/pkgs/development/python-modules/pygments/default.nix index 7966f6ebd742d..69e42e3aec4f1 100644 --- a/pkgs/development/python-modules/pygments/default.nix +++ b/pkgs/development/python-modules/pygments/default.nix @@ -23,6 +23,12 @@ let hash = "sha256-Y2yyR3zsf4lSU2lwvFM7xDdDVC9wOSrgJjdGAK3VuIc="; }; + patches = [ + # https://github.com/NixOS/nixpkgs/issues/502540 + # https://github.com/pygments/pygments/issues/3058 + ./CVE-2026-4539.patch + ]; + nativeBuildInputs = [ hatchling ]; # circular dependencies if enabled by default From 6aea74e291bef1787ac976ee84b54bbeb72a866d Mon Sep 17 00:00:00 2001 From: Oliver Schmidt Date: Mon, 23 Feb 2026 17:13:40 +0100 Subject: [PATCH 07/96] nixos/grub: re-install grub on package change Trigger re-installation of grub files when the store path of the grub package changes. This is consistent with how side-effects are executed in other parts of NixOS, e.g. systemd service management, and ensures that the actually running grub stays in sync with the grub package in the Nix store that is part of the system closure. In particular, this causes security patches or dependency changes to be taken into effect without the need to bump the package version. Impact: This change causes a re-installation of grub for all systems, due to the lack of a persisted grub store path in existing state files. Background: So far we only re-installed grub outside of the store when its its version, the package name, or some flags changed. This leads to the various security patches only fixing new installations of grub and not existing ones. This has been like this for over a decade, but it remains unclear why the implementation decision had been to be overly cautious with modifying boot loader side effects. Fixes #486315 PL-135147 (cherry picked from commit 41997d49dae6aec5b29a14b6e9b850835f52d911) --- .../system/boot/loader/grub/install-grub.pl | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index f5ae844da21f9..f61c91f02db8e 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -685,12 +685,14 @@ sub getEfiTarget { efi => '$', devices => '$', efiMountPoint => '$', + grub => '$', + grubEfi => '$', extraGrubInstallArgs => '@', }); # If you add something to the state file, only add it to the end # because it is read line-by-line. sub readGrubState { - my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", extraGrubInstallArgs => () ); + my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", grub => "", grubEfi => "", extraGrubInstallArgs => () ); open my $fh, "<", "$bootPath/grub/state" or return $defaultGrubState; local $/ = "\n"; my $name = <$fh>; @@ -721,8 +723,10 @@ sub readGrubState { } my %jsonState = %{decode_json($jsonStateLine)}; my @extraGrubInstallArgs = exists($jsonState{'extraGrubInstallArgs'}) ? @{$jsonState{'extraGrubInstallArgs'}} : (); + my $grubValue = exists($jsonState{'grub'}) ? $jsonState{'grub'} : ""; + my $grubEfiValue = exists($jsonState{'grubEfi'}) ? $jsonState{'grubEfi'} : ""; close $fh; - my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs ); + my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs, grub => $grubValue, grubEfi => $grubEfiValue ); return $grubState } @@ -734,15 +738,16 @@ sub readGrubState { my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference()); my $extraGrubInstallArgsDiffer = scalar (List::Compare->new( '-u', '-a', \@extraGrubInstallArgs, \@prevExtraGrubInstallArgs)->get_symmetric_difference()); -my $nameDiffer = get("fullName") ne $prevGrubState->name; -my $versionDiffer = get("fullVersion") ne $prevGrubState->version; my $efiDiffer = $efiTarget ne $prevGrubState->efi; my $efiMountPointDiffer = $efiSysMountPoint ne $prevGrubState->efiMountPoint; +# re-installing grub once the package store path changes is necessary, because +# introducing patches or adjusting builds does not always bump the version number +my $grubStorePathsDiffer = ($grub ne $prevGrubState->grub) || ($grubEfi ne $prevGrubState->grubEfi); if (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1") { warn "NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER"; $ENV{'NIXOS_INSTALL_BOOTLOADER'} = "1"; } -my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1"); +my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $efiDiffer || $efiMountPointDiffer || $grubStorePathsDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1"); # install a symlink so that grub can detect the boot drive my $tmpDir = File::Temp::tempdir(CLEANUP => 1) or die "Failed to create temporary space: $!"; @@ -795,7 +800,9 @@ sub readGrubState { print $fh join( ",", @deviceTargets ), "\n" or die; print $fh $efiSysMountPoint, "\n" or die; my %jsonState = ( - extraGrubInstallArgs => \@extraGrubInstallArgs + extraGrubInstallArgs => \@extraGrubInstallArgs, + grub => $grub, + grubEfi => $grubEfi ); my $jsonStateLine = encode_json(\%jsonState); print $fh $jsonStateLine, "\n" or die; From 0f1815594e9984cd6961b54c7a03ec81a1f5a4e7 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Sat, 28 Mar 2026 09:10:29 +0100 Subject: [PATCH 08/96] mbedtls: build with -fzero-init-padding-bits=unions This fixes a test failure that shows up for us with musl on x86_64, but it's doing the wrong thing on all architectures and upstream doesn't seem in a hurry to fix the test[1]. It's also not clear to me that they have a robust way to even identify these widespread issues to apply the workarounds, so let's err on the safe side and make the compiler work in the way the codebase has been written to expect. (Upstream does not set this flag because they don't want to rely on non-standard compiler options[2].) Link: https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/585 [1] Link: https://github.com/Mbed-TLS/mbedtls/issues/9885#issuecomment-2736295388 [2] (cherry picked from commit c46c3a5098abf54095b29e5ab77be1b88680c82b) --- pkgs/development/libraries/mbedtls/generic.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix index df19340cf0d83..2a7f436e9c67b 100644 --- a/pkgs/development/libraries/mbedtls/generic.nix +++ b/pkgs/development/libraries/mbedtls/generic.nix @@ -54,6 +54,23 @@ stdenv.mkDerivation rec { # the repository and do not need to be regenerated. See: # https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0 below "Requirement changes". "-DGEN_FILES=off" + ] + ++ lib.optionals stdenv.cc.isGNU [ + # mbedtls widely uses a pattern of starting unions with an + # unsigned int dummy member, and then initializing those unions to + # { 0 }. The problem with this is that it only initializes that + # first union member, so in the common case where the non-dummy + # members are larger than the dummy member, they will only be + # partially initialized since GCC 15[1]. Upstream has added + # ad-hoc memset calls to mitigate this issue, but initializers are + # also still widely used. To avoid the risk of using + # uninitialized memory, force the compiler to zero all bits of + # unions, not just the first element, until upstream has a + # systemic fix in place[2]. + # + # [1]: https://gcc.gnu.org/gcc-15/changes.html + # [2]: https://github.com/Mbed-TLS/mbedtls/issues/9885 + "-DCMAKE_C_FLAGS=-fzero-init-padding-bits=unions" ]; doCheck = true; From da357dcf55f5027c19da282391be40b2c0f8a7d3 Mon Sep 17 00:00:00 2001 From: Bobby Rong Date: Tue, 9 Dec 2025 23:14:24 +0800 Subject: [PATCH 09/96] spidermonkey_140: 140.5.0 -> 140.6.0 https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_6_0esr_RELEASE/js/src/build https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_6_0esr_RELEASE/build (cherry picked from commit 67c58b954466f721057012658e9cbe94c62ec8da) --- pkgs/development/interpreters/spidermonkey/140.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/spidermonkey/140.nix b/pkgs/development/interpreters/spidermonkey/140.nix index 862aa494d2404..8187047403b70 100644 --- a/pkgs/development/interpreters/spidermonkey/140.nix +++ b/pkgs/development/interpreters/spidermonkey/140.nix @@ -1,4 +1,4 @@ import ./common.nix { - version = "140.5.0"; - hash = "sha512-QSI2oly+oXG9W9U15Fw7pAlXqU4fjdOrdCQeCqHEB1/LjTlLlhlZnWDOPkVj5xLIJfqL7EQXlPIpNWgC9ysoYQ=="; + version = "140.6.0"; + hash = "sha512-7WZle9Sy2UeRiSJh18DA2VC09jDRKrKKd32TOTQnRRqaoSXloB7hXyrA/zeNC+B0oIWD3P/TVgkRK6Tm+a2nmA=="; } From 18b81be062d3930dd7501e58fd0b39f9350f8137 Mon Sep 17 00:00:00 2001 From: Bobby Rong Date: Mon, 19 Jan 2026 23:43:49 +0800 Subject: [PATCH 10/96] spidermonkey_140: 140.6.0 -> 140.7.0 https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_7_0esr_RELEASE/js/src/build https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_7_0esr_RELEASE/build (cherry picked from commit 4c0589f267b804683d9638daa92694b043493bff) --- pkgs/development/interpreters/spidermonkey/140.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/spidermonkey/140.nix b/pkgs/development/interpreters/spidermonkey/140.nix index 8187047403b70..cdba5d1e78eda 100644 --- a/pkgs/development/interpreters/spidermonkey/140.nix +++ b/pkgs/development/interpreters/spidermonkey/140.nix @@ -1,4 +1,4 @@ import ./common.nix { - version = "140.6.0"; - hash = "sha512-7WZle9Sy2UeRiSJh18DA2VC09jDRKrKKd32TOTQnRRqaoSXloB7hXyrA/zeNC+B0oIWD3P/TVgkRK6Tm+a2nmA=="; + version = "140.7.0"; + hash = "sha512-d4Gx4gMTDBzfKgwuywWpz6gkx11Gfn+sp4tmvVVoyCEyQRKuy3dIg9n0R69/pK3jZIj/EBclWvVRDI9kGZDkcg=="; } From 54869c87a5b66ec04ec05e7025461e50d626cb0e Mon Sep 17 00:00:00 2001 From: Bobby Rong Date: Wed, 18 Feb 2026 10:57:30 +0800 Subject: [PATCH 11/96] spidermonkey_140: 140.7.0 -> 140.7.1 https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_7_1esr_RELEASE/js/src/build https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_7_1esr_RELEASE/build (cherry picked from commit 5d61458fc2d9d3a17c7ca10169d5c25335a2dd1b) --- pkgs/development/interpreters/spidermonkey/140.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/spidermonkey/140.nix b/pkgs/development/interpreters/spidermonkey/140.nix index cdba5d1e78eda..f3ea1a1c1dd78 100644 --- a/pkgs/development/interpreters/spidermonkey/140.nix +++ b/pkgs/development/interpreters/spidermonkey/140.nix @@ -1,4 +1,4 @@ import ./common.nix { - version = "140.7.0"; - hash = "sha512-d4Gx4gMTDBzfKgwuywWpz6gkx11Gfn+sp4tmvVVoyCEyQRKuy3dIg9n0R69/pK3jZIj/EBclWvVRDI9kGZDkcg=="; + version = "140.7.1"; + hash = "sha512-fYZ/o8nJSQP2WDvnWtSqjZGPmPdMmcZhWg5AyvIcVFowFJEVIUh2aT7xdYoyDr3M7wF8SENlwZXlWZjM4IhmPA=="; } From 9b8a404e431d265014830f3fa6f74a0888c46547 Mon Sep 17 00:00:00 2001 From: whispers Date: Sat, 28 Mar 2026 15:23:05 -0400 Subject: [PATCH 12/96] spidermonkey_140: 140.7.1 -> 140.9.0 https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_9_0esr_RELEASE/js/src/build https://github.com/mozilla-firefox/firefox/commits/FIREFOX_140_9_0esr_RELEASE/build (cherry picked from commit 34562875e7b8eb2cc1a9941e044d5a4b337322fa) --- pkgs/development/interpreters/spidermonkey/140.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/spidermonkey/140.nix b/pkgs/development/interpreters/spidermonkey/140.nix index f3ea1a1c1dd78..f66957465bf98 100644 --- a/pkgs/development/interpreters/spidermonkey/140.nix +++ b/pkgs/development/interpreters/spidermonkey/140.nix @@ -1,4 +1,4 @@ import ./common.nix { - version = "140.7.1"; - hash = "sha512-fYZ/o8nJSQP2WDvnWtSqjZGPmPdMmcZhWg5AyvIcVFowFJEVIUh2aT7xdYoyDr3M7wF8SENlwZXlWZjM4IhmPA=="; + version = "140.9.0"; + hash = "sha512-vAP9KnPQCoi9Cjye6u/mGP+zQib7e8L6xKAiRv8p/gOEI793U4Jz7m+sJfsePk+pi7UiAmrjQnoK1fQdLsa6mA=="; } From a0c618ce3f112952d729ff8cd7954cf423cf8628 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 22 Mar 2026 06:15:38 +0000 Subject: [PATCH 13/96] libde265: 1.0.16 -> 1.0.18 Changes: https://github.com/strukturag/libde265/compare/v1.0.16...v1.0.18 (cherry picked from commit d7018b1d3a396fdb17284d1d4df3613abfc8e3cd) --- pkgs/by-name/li/libde265/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index a9c4b5d9dacd2..51e24c6ed5ac2 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.16"; + version = "1.0.18"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-4Y7tuVeDLoONU6/R/47QhGtzBiM9mtl4O++CN+KCUn4="; + hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; }; nativeBuildInputs = [ From 6321d656d5cbfa094f3f7b06a17736553d347861 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Tue, 31 Mar 2026 20:57:00 +0200 Subject: [PATCH 14/96] glibc: 2.40-218 -> 2.40-224 25.11 variant of #502536. --- .../libraries/glibc/2.40-master.patch | 769 ++++++++++++++++++ pkgs/development/libraries/glibc/common.nix | 4 +- 2 files changed, 771 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/glibc/2.40-master.patch b/pkgs/development/libraries/glibc/2.40-master.patch index 664c2935d536f..6a7fe260cf8ca 100644 --- a/pkgs/development/libraries/glibc/2.40-master.patch +++ b/pkgs/development/libraries/glibc/2.40-master.patch @@ -57195,3 +57195,772 @@ index a7362ef31b..4cd2364519 100644 } if ((flags & WRDE_APPEND) == 0) + +commit 3978f880413cb508ecc0c5d372479083fdf664cc +Author: Yury Khrustalev +Date: Thu Nov 6 12:57:58 2025 +0000 + + posix: Fix invalid flags test for p{write,read}v2 + + Two tests fail from time to time when a new flag is added for the + p{write,read}v2 functions in a new Linux kernel: + + - misc/tst-preadvwritev2 + - misc/tst-preadvwritev64v2 + + This disrupts when testing Glibc on a system with a newer kernel + and it seems we can try improve testing for invalid flags setting + all the bits that are not supposed to be supported (rather than + setting only the next unsupported bit). + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit 58a31b4316f1f687184eb147ffa1c676bc6a190e) + +diff --git a/misc/tst-preadvwritev2-common.c b/misc/tst-preadvwritev2-common.c +index 8e04ff7282..23ddf2e8b9 100644 +--- a/misc/tst-preadvwritev2-common.c ++++ b/misc/tst-preadvwritev2-common.c +@@ -106,9 +106,8 @@ do_test_with_invalid_iov (void) + static void + do_test_with_invalid_flags (void) + { +- /* Set the next bit from the mask of all supported flags. */ +- int invalid_flag = RWF_SUPPORTED != 0 ? __builtin_clz (RWF_SUPPORTED) : 2; +- invalid_flag = 0x1 << ((sizeof (int) * CHAR_BIT) - invalid_flag); ++ /* Set all the bits that are not used by the supported flags. */ ++ int invalid_flag = ~RWF_SUPPORTED; + + char buf[32]; + const struct iovec vec = { .iov_base = buf, .iov_len = sizeof (buf) }; + +commit b5f5f1f3d27d792c05f91dba8e815f2abb895a30 +Author: Florian Weimer +Date: Fri Nov 28 11:46:09 2025 +0100 + + iconvdata: Fix invalid pointer arithmetic in ANSI_X3.110 module + + The expression inptr + 1 can technically be invalid: if inptr == inend, + inptr may point one element past the end of an array. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit e98bd0c54d5e296ad1be91b6fe35260c6b87e733) + +diff --git a/iconvdata/ansi_x3.110.c b/iconvdata/ansi_x3.110.c +index 869cdf6540..44bd12a863 100644 +--- a/iconvdata/ansi_x3.110.c ++++ b/iconvdata/ansi_x3.110.c +@@ -407,7 +407,7 @@ static const char from_ucs4[][2] = + is also available. */ \ + uint32_t ch2; \ + \ +- if (inptr + 1 >= inend) \ ++ if (inend - inptr <= 1) \ + { \ + /* The second character is not available. */ \ + result = __GCONV_INCOMPLETE_INPUT; \ + +commit d951a94c7da83c5e37489d3daf5bbbf0b0c0d19a +Author: Florian Weimer +Date: Mon Jan 26 17:12:37 2026 +0100 + + posix: Run tst-wordexp-reuse-mem test + + The test was not properly scheduled for execution with a Makefile + dependency. + + Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset + wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814"). + + (cherry picked from commit bed2db02f3183e93f21d506786c5f884a1dec9e7) + +diff --git a/posix/Makefile b/posix/Makefile +index 0cd5572297..1a0e150d99 100644 +--- a/posix/Makefile ++++ b/posix/Makefile +@@ -492,7 +492,7 @@ tests-special += \ + $(objpfx)tst-pcre-mem.out \ + $(objpfx)tst-rxspencer-no-utf8-mem.out \ + $(objpfx)tst-vfork3-mem.out \ +- $(objpfx)tst-wordexp-reuse.out \ ++ $(objpfx)tst-wordexp-reuse-mem.out \ + # tests-special + endif + endif + +commit acf870165a07fb229e10e53b1fd53520e8c0cf9d +Author: Carlos O'Donell +Date: Fri Mar 20 16:43:33 2026 -0400 + + resolv: Count records correctly (CVE-2026-4437) + + The answer section boundary was previously ignored, and the code in + getanswer_ptr would iterate past the last resource record, but not + beyond the end of the returned data. This could lead to subsequent data + being interpreted as answer records, thus violating the DNS + specification. Such resource records could be maliciously crafted and + hidden from other tooling, but processed by the glibc stub resolver and + acted upon by the application. While we trust the data returned by the + configured recursive resolvers, we should not trust its format and + should validate it as required. It is a security issue to incorrectly + process the DNS protocol. + + A regression test is added for response section crossing. + + No regressions on x86_64-linux-gnu. + + Reviewed-by: Collin Funk + (cherry picked from commit 9f5f18aab40ec6b61fa49a007615e6077e9a979b) + +diff --git a/resolv/Makefile b/resolv/Makefile +index abff7fc007..7d2aa9b542 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -98,6 +98,7 @@ tests += \ + tst-resolv-basic \ + tst-resolv-binary \ + tst-resolv-byaddr \ ++ tst-resolv-dns-section \ + tst-resolv-edns \ + tst-resolv-invalid-cname \ + tst-resolv-network \ +@@ -109,6 +110,7 @@ tests += \ + tst-resolv-semi-failure \ + tst-resolv-short-response \ + tst-resolv-trailing \ ++ # tests + + # This test calls __res_context_send directly, which is not exported + # from libresolv. +@@ -286,6 +288,8 @@ $(objpfx)tst-resolv-aliases: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-binary: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-byaddr: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-dns-section: $(objpfx)libresolv.so \ ++ $(shared-thread-library) + $(objpfx)tst-resolv-edns: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-res_init: $(objpfx)libresolv.so +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 95a7b3f0e5..74a7c08d0f 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -820,7 +820,7 @@ getanswer_ptr (unsigned char *packet, size_t packetlen, + /* expected_name may be updated to point into this buffer. */ + unsigned char name_buffer[NS_MAXCDNAME]; + +- while (ancount > 0) ++ for (; ancount > 0; --ancount) + { + struct ns_rr_wire rr; + if (!__ns_rr_cursor_next (&c, &rr)) +diff --git a/resolv/tst-resolv-dns-section.c b/resolv/tst-resolv-dns-section.c +new file mode 100644 +index 0000000000..1171baef51 +--- /dev/null ++++ b/resolv/tst-resolv-dns-section.c +@@ -0,0 +1,162 @@ ++/* Test handling of invalid section transitions (bug 34014). ++ Copyright (C) 2022-2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Name of test, and the second section type. */ ++struct item { ++ const char *test; ++ int ns_section; ++}; ++ ++static const struct item test_items[] = ++ { ++ { "Test crossing from ns_s_an to ns_s_ar.", ns_s_ar }, ++ { "Test crossing from ns_s_an to ns_s_an.", ns_s_ns }, ++ ++ { NULL, 0 }, ++ }; ++ ++/* The response is designed to contain the following: ++ - An Answer section with one T_PTR record that is skipped. ++ - A second section with a semantically invalid T_PTR record. ++ The original defect is that the response parsing would cross ++ section boundaries and handle the additional section T_PTR ++ as if it were an answer. A conforming implementation would ++ stop as soon as it reaches the end of the section. */ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ TEST_COMPARE (qclass, C_IN); ++ ++ /* We only test PTR. */ ++ TEST_COMPARE (qtype, T_PTR); ++ ++ unsigned int count; ++ char *tail = NULL; ++ ++ if (strstr (qname, "in-addr.arpa") != NULL ++ && sscanf (qname, "%u.%ms", &count, &tail) == 2) ++ TEST_COMPARE_STRING (tail, "0.168.192.in-addr.arpa"); ++ else if (sscanf (qname, "%x.%ms", &count, &tail) == 2) ++ { ++ TEST_COMPARE_STRING (tail, "\ ++0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"); ++ } ++ else ++ FAIL_EXIT1 ("invalid QNAME: %s\n", qname); ++ free (tail); ++ ++ /* We have a bounded number of possible tests. */ ++ TEST_VERIFY (count >= 0); ++ TEST_VERIFY (count <= 15); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ resolv_response_section (b, ns_s_an); ++ ++ /* Actual answer record, but the wrong name (skipped). */ ++ resolv_response_open_record (b, "1.0.0.10.in-addr.arpa", qclass, qtype, 60); ++ ++ /* Record the answer. */ ++ resolv_response_add_name (b, "test.ptr.example.net"); ++ resolv_response_close_record (b); ++ ++ /* Add a second section to test section boundary crossing. */ ++ resolv_response_section (b, test_items[count].ns_section); ++ /* Semantically incorrect, but hide a T_PTR entry. */ ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ resolv_response_add_name (b, "wrong.ptr.example.net"); ++ resolv_response_close_record (b); ++} ++ ++ ++/* Perform one check using a reverse lookup. */ ++static void ++check_reverse (int af, int count) ++{ ++ TEST_VERIFY (af == AF_INET || af == AF_INET6); ++ TEST_VERIFY (count < array_length (test_items)); ++ ++ char addr[sizeof (struct in6_addr)] = { 0 }; ++ socklen_t addrlen; ++ if (af == AF_INET) ++ { ++ addr[0] = (char) 192; ++ addr[1] = (char) 168; ++ addr[2] = (char) 0; ++ addr[3] = (char) count; ++ addrlen = 4; ++ } ++ else ++ { ++ addr[0] = 0x20; ++ addr[1] = 0x01; ++ addr[2] = 0x0d; ++ addr[3] = 0xb8; ++ addr[4] = addr[5] = addr[6] = addr[7] = 0x0; ++ addr[8] = addr[9] = addr[10] = addr[11] = 0x0; ++ addr[12] = 0x0; ++ addr[13] = 0x0; ++ addr[14] = 0x0; ++ addr[15] = count; ++ addrlen = 16; ++ } ++ ++ h_errno = 0; ++ struct hostent *answer = gethostbyaddr (addr, addrlen, af); ++ TEST_VERIFY (answer == NULL); ++ TEST_VERIFY (h_errno == NO_RECOVERY); ++ if (answer != NULL) ++ printf ("error: unexpected success: %s\n", ++ support_format_hostent (answer)); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ for (int i = 0; test_items[i].test != NULL; i++) ++ { ++ check_reverse (AF_INET, i); ++ check_reverse (AF_INET6, i); ++ } ++ ++ resolv_test_end (obj); ++ ++ return 0; ++} ++ ++#include + +commit df2bb178a5a6119bcf9775d8c16961bfc5042dc1 +Author: Carlos O'Donell +Date: Fri Mar 20 17:14:33 2026 -0400 + + resolv: Check hostname for validity (CVE-2026-4438) + + The processed hostname in getanswer_ptr should be correctly checked to + avoid invalid characters from being allowed, including shell + metacharacters. It is a security issue to fail to check the returned + hostname for validity. + + A regression test is added for invalid metacharacters and other cases + of invalid or valid characters. + + No regressions on x86_64-linux-gnu. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit e10977481f4db4b2a3ce34fa4c3a1e26651ae312) + +diff --git a/resolv/Makefile b/resolv/Makefile +index 7d2aa9b542..20ffa9b5c8 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -101,6 +101,7 @@ tests += \ + tst-resolv-dns-section \ + tst-resolv-edns \ + tst-resolv-invalid-cname \ ++ tst-resolv-invalid-ptr \ + tst-resolv-network \ + tst-resolv-noaaaa \ + tst-resolv-noaaaa-vc \ +@@ -299,6 +300,8 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) ++$(objpfx)tst-resolv-invalid-ptr: $(objpfx)libresolv.so \ ++ $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 74a7c08d0f..b8f5d61b2a 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -866,7 +866,7 @@ getanswer_ptr (unsigned char *packet, size_t packetlen, + char hname[MAXHOSTNAMELEN + 1]; + if (__ns_name_unpack (c.begin, c.end, rr.rdata, + name_buffer, sizeof (name_buffer)) < 0 +- || !__res_binary_hnok (expected_name) ++ || !__res_binary_hnok (name_buffer) + || __ns_name_ntop (name_buffer, hname, sizeof (hname)) < 0) + { + *h_errnop = NO_RECOVERY; +diff --git a/resolv/tst-resolv-invalid-ptr.c b/resolv/tst-resolv-invalid-ptr.c +new file mode 100644 +index 0000000000..0c802ab967 +--- /dev/null ++++ b/resolv/tst-resolv-invalid-ptr.c +@@ -0,0 +1,255 @@ ++/* Test handling of invalid T_PTR results (bug 34015). ++ Copyright (C) 2022-2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Name of test, the answer, the expected error return, and if we ++ expect the call to fail. */ ++struct item { ++ const char *test; ++ const char *answer; ++ int expected; ++ bool fail; ++}; ++ ++static const struct item test_items[] = ++ { ++ /* Test for invalid characters. */ ++ { "Invalid use of \"|\"", ++ "test.|.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"&\"", ++ "test.&.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \";\"", ++ "test.;.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"<\"", ++ "test.<.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \">\"", ++ "test.>.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"(\"", ++ "test.(.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \")\"", ++ "test.).ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"$\"", ++ "test.$.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"`\"", ++ "test.`.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\\"", ++ "test.\\.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\'\"", ++ "test.'.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\"\"", ++ "test.\".ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \" \"", ++ "test. .ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\t\"", ++ "test.\t.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\n\"", ++ "test.\n.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\r\"", ++ "test.\r.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"*\"", ++ "test.*.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"?\"", ++ "test.?.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"[\"", ++ "test.[.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"]\"", ++ "test.].ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \",\"", ++ "test.,.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"~\"", ++ "test.~.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \":\"", ++ "test.:.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"!\"", ++ "test.!.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"@\"", ++ "test.@.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"#\"", ++ "test.#.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"%\"", ++ "test.%%.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"^\"", ++ "test.^.ptr.example", NO_RECOVERY, true }, ++ ++ /* Test for invalid UTF-8 characters (2-byte, 4-byte, 6-byte). */ ++ { "Invalid use of UTF-8 (2-byte, U+00C0-U+00C2)", ++ "ÁÂÃ.test.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of UTF-8 (4-byte, U+0750-U+0752)", ++ "ݐݑݒ.test.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of UTF-8 (6-byte, U+0904-U+0906)", ++ "ऄअआ.test.ptr.example", NO_RECOVERY, true }, ++ ++ /* Test for "-" which may be valid depending on position. */ ++ { "Invalid leading \"-\"", ++ "-test.ptr.example", NO_RECOVERY, true }, ++ { "Valid trailing \"-\"", ++ "test-.ptr.example", 0, false }, ++ { "Valid mid-label use of \"-\"", ++ "te-st.ptr.example", 0, false }, ++ ++ /* Test for "_" which is always valid in any position. */ ++ { "Valid leading use of \"_\"", ++ "_test.ptr.example", 0, false }, ++ { "Valid mid-label use of \"_\"", ++ "te_st.ptr.example", 0, false }, ++ { "Valid trailing use of \"_\"", ++ "test_.ptr.example", 0, false }, ++ ++ /* Sanity test the broader set [A-Za-z0-9_-] of valid characters. */ ++ { "Valid \"[A-Z]\"", ++ "test.ABCDEFGHIJKLMNOPQRSTUVWXYZ.ptr.example", 0, false }, ++ { "Valid \"[a-z]\"", ++ "test.abcdefghijklmnopqrstuvwxyz.ptr.example", 0, false }, ++ { "Valid \"[0-9]\"", ++ "test.0123456789.ptr.example", 0, false }, ++ { "Valid mixed use of \"[A-Za-z0-9_-]\"", ++ "test.012abcABZ_-.ptr.example", 0, false }, ++ }; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ TEST_COMPARE (qclass, C_IN); ++ ++ /* We only test PTR. */ ++ TEST_COMPARE (qtype, T_PTR); ++ ++ unsigned int count, count1; ++ char *tail = NULL; ++ ++ /* The test implementation can handle up to 255 tests. */ ++ if (strstr (qname, "in-addr.arpa") != NULL ++ && sscanf (qname, "%u.%ms", &count, &tail) == 2) ++ TEST_COMPARE_STRING (tail, "0.168.192.in-addr.arpa"); ++ else if (sscanf (qname, "%x.%x.%ms", &count, &count1, &tail) == 3) ++ { ++ TEST_COMPARE_STRING (tail, "\ ++0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"); ++ count |= count1 << 4; ++ } ++ else ++ FAIL_EXIT1 ("invalid QNAME: %s\n", qname); ++ free (tail); ++ ++ /* Cross check. Count has a fixed bound (soft limit). */ ++ TEST_VERIFY (count >= 0 && count <= 255); ++ ++ /* We have a fixed number of tests (hard limit). */ ++ TEST_VERIFY_EXIT (count < array_length (test_items)); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ resolv_response_section (b, ns_s_an); ++ ++ /* Actual answer record. */ ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ ++ /* Record the answer. */ ++ resolv_response_add_name (b, test_items[count].answer); ++ resolv_response_close_record (b); ++} ++ ++/* Perform one check using a reverse lookup. */ ++static void ++check_reverse (int af, int count) ++{ ++ TEST_VERIFY (af == AF_INET || af == AF_INET6); ++ TEST_VERIFY_EXIT (count < array_length (test_items)); ++ ++ /* Generate an address to query for each test. */ ++ char addr[sizeof (struct in6_addr)] = { 0 }; ++ socklen_t addrlen; ++ if (af == AF_INET) ++ { ++ addr[0] = (char) 192; ++ addr[1] = (char) 168; ++ addr[2] = (char) 0; ++ addr[3] = (char) count; ++ addrlen = 4; ++ } ++ else ++ { ++ addr[0] = 0x20; ++ addr[1] = 0x01; ++ addr[2] = 0x0d; ++ addr[3] = 0xb8; ++ addr[4] = addr[5] = addr[6] = addr[7] = 0x0; ++ addr[8] = addr[9] = addr[10] = addr[11] = 0x0; ++ addr[12] = 0x0; ++ addr[13] = 0x0; ++ addr[14] = 0x0; ++ addr[15] = (char) count; ++ addrlen = 16; ++ } ++ ++ h_errno = 0; ++ struct hostent *answer = gethostbyaddr (addr, addrlen, af); ++ ++ /* Verify h_errno is as expected. */ ++ TEST_COMPARE (h_errno, test_items[count].expected); ++ if (h_errno != test_items[count].expected) ++ /* And print more information if it's not. */ ++ printf ("INFO: %s\n", test_items[count].test); ++ ++ if (test_items[count].fail) ++ { ++ /* We expected a failure so verify answer is NULL. */ ++ TEST_VERIFY (answer == NULL); ++ /* If it's not NULL we should print out what we received. */ ++ if (answer != NULL) ++ printf ("error: unexpected success: %s\n", ++ support_format_hostent (answer)); ++ } ++ else ++ /* We don't expect a failure so answer must be valid. */ ++ TEST_COMPARE_STRING (answer->h_name, test_items[count].answer); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ for (int i = 0; i < array_length (test_items); i++) ++ { ++ check_reverse (AF_INET, i); ++ check_reverse (AF_INET6, i); ++ } ++ resolv_test_end (obj); ++ ++ return 0; ++} ++ ++#include + +commit 573a7e46ecb32e2669cd83245f72697eabd7a7e8 +Author: Xi Ruoyao +Date: Tue Feb 3 16:20:12 2026 +0800 + + elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso + + The initialization process of libc.so calls mmap() several times and the + kernel may lay the maps into the gap. If all pages in the gap are + occupied, the test would not be able to find the gap with mmap() and the + test would fail. + + The failure reproduces most frequently on LoongArch because with the + commonly used page size (16 KiB) the gap only contains 4 pages and the + probability they are all occupied is not near to zero. + + With the changes in the patch, a test run may output: + + info: ld.so link map is not contiguous + info: object "/dev/zero" found at 0x7ffff1fe0000 - 0x7ffff1fe4000 + info: anonymous mapping found at 0x7ffff1fe4000 - 0x7ffff1fec000 + + Also take the chance to fix a mistake in the "object found at" message + which has puzzled me during the initial debug session. + + Signed-off-by: Xi Ruoyao + Reviewed-by: Adhemerval Zanella + (cherry picked from commit aed8390a6a22e5751fc12704c0c5f2a8271fc286) + +diff --git a/elf/tst-link-map-contiguous-ldso.c b/elf/tst-link-map-contiguous-ldso.c +index 04de808bb2..f0e26682f2 100644 +--- a/elf/tst-link-map-contiguous-ldso.c ++++ b/elf/tst-link-map-contiguous-ldso.c +@@ -18,15 +18,73 @@ + + #include + #include ++#include + #include + #include + #include + #include ++#include + #include + #include ++#include + #include + #include + ++/* Slow path in case we cannot find a gap with mmap (when the runtime has ++ mapped all the pages in the gap for some reason). */ ++static bool ++find_gap_with_proc_self_map (const struct link_map *l) ++{ ++ int pagesize = getpagesize (); ++ ++ support_need_proc ("Reads /proc/self/maps to find gap in ld.so mapping"); ++ ++ /* Parse /proc/self/maps and find all the mappings in the ld.so range ++ but not from ld.so. */ ++ FILE *f = xfopen ("/proc/self/maps", "r"); ++ char *line = NULL, *path_ldso = NULL; ++ size_t len; ++ bool found = false; ++ while (xgetline (&line, &len, f)) ++ { ++ uintptr_t from, to; ++ char *path = NULL; ++ int r = sscanf (line, "%" SCNxPTR "-%" SCNxPTR "%*s%*s%*s%*s%ms", ++ &from, &to, &path); ++ ++ TEST_VERIFY (r == 2 || r == 3); ++ TEST_COMPARE (from % pagesize, 0); ++ TEST_COMPARE (to % pagesize, 0); ++ ++ if (path_ldso == NULL && l->l_map_start == from) ++ { ++ TEST_COMPARE (r, 3); ++ path_ldso = path; ++ continue; ++ } ++ ++ if (from > l->l_map_start && to < l->l_map_end ++ && (r == 2 || (path_ldso != NULL && strcmp (path, path_ldso)))) ++ { ++ if (r == 2) ++ printf ("info: anonymous mapping found at 0x%" PRIxPTR " - 0x%" ++ PRIxPTR "\n", from, to); ++ else ++ printf ("info: object \"%s\" found at 0x%" PRIxPTR " - 0x%" ++ PRIxPTR "\n", path, from, to); ++ ++ found = true; ++ } ++ ++ free (path); ++ } ++ ++ free (path_ldso); ++ free (line); ++ xfclose (f); ++ return found; ++} ++ + static int + do_test (void) + { +@@ -64,16 +122,18 @@ do_test (void) + if ((void *) dlfo.dlfo_link_map != (void *) l) + { + printf ("info: object \"%s\" found at %p\n", +- dlfo.dlfo_link_map->l_name, ptr); ++ dlfo.dlfo_link_map->l_name, expected); + gap_found = true; + } + } + else + TEST_COMPARE (dlfo_ret, -1); ++ + xmunmap (ptr, 1); + addr += pagesize; + } +- if (!gap_found) ++ ++ if (!gap_found && !find_gap_with_proc_self_map (l)) + FAIL ("no ld.so gap found"); + } + else diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 858806671d3c3..e2740967c19f8 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -50,7 +50,7 @@ let version = "2.40"; - patchSuffix = "-218"; + patchSuffix = "-224"; sha256 = "sha256-GaiQF16SY9dI9ieZPeb0sa+c0h4D8IDkv7Oh+sECBaI="; in @@ -68,7 +68,7 @@ stdenv.mkDerivation ( /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.40-218-g9fe8576664 + glibc-2.40-224-g573a7e46ec $ git show --minimal --reverse glibc-2.40.. ':!ADVISORIES' > 2.40-master.patch To compare the archive contents zdiff can be used. From 88492b73a86b27d4b7d2b59cc5d5716255a82f81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 1 Apr 2026 19:20:15 +0200 Subject: [PATCH 15/96] libpng: 1.6.55 -> 1.6.56 https://github.com/pnggroup/libpng/blob/v1.6.56/ANNOUNCE https://seclists.org/oss-sec/2026/q1/387 Fixes: CVE-2026-33416 CVE-2026-33636 (cherry picked from commit 313251a2f74818c8dc660e10704192e8a8346eac) --- pkgs/development/libraries/libpng/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index 074a520d8acb0..97c5d9d9ade91 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -10,21 +10,21 @@ assert zlib != null; let - patchVersion = "1.6.54"; + patchVersion = "1.6.56"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-Vjj8RQDq9IRXtNfJ5VP9gqsB13MEpwB32DNoQp1E8bQ="; + hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; }; whenPatched = lib.optionalString apngSupport; in stdenv.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.55"; + version = "1.6.56"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0="; + hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" From 1ef14cb759f46d2450c8b92c6a3e5333d3c98c36 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 28 Mar 2026 18:20:55 +0000 Subject: [PATCH 16/96] wolfSSL: correct `meta.license` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upstream switched from `GPL-2.0-or-later` to `GPL-3.0-or-later` in a CVE‐fixing patch release: * * I’ll omit my opinion on the wisdom of that decision. (cherry picked from commit 5c6ab576b399cfe5abfbd8a593a0dee55d8086bf) --- pkgs/by-name/wo/wolfssl/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/wo/wolfssl/package.nix b/pkgs/by-name/wo/wolfssl/package.nix index e904c4dfefcca..2e6a0adb0951c 100644 --- a/pkgs/by-name/wo/wolfssl/package.nix +++ b/pkgs/by-name/wo/wolfssl/package.nix @@ -114,7 +114,7 @@ stdenv.mkDerivation (finalAttrs: { homepage = "https://www.wolfssl.com/"; changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable"; platforms = lib.platforms.all; - license = lib.licenses.gpl2Plus; + license = lib.licenses.gpl3Plus; maintainers = with lib.maintainers; [ fab vifino From cf32fb023d805d886fe9fc15045fe33967a81ab0 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 28 Mar 2026 18:20:55 +0000 Subject: [PATCH 17/96] vde2: correct `meta.license` (cherry picked from commit 12a57e93e221311b572a4c54dc19db5a2166f411) --- pkgs/by-name/vd/vde2/package.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/vd/vde2/package.nix b/pkgs/by-name/vd/vde2/package.nix index 15b9a19618499..467a5aa8765c4 100644 --- a/pkgs/by-name/vd/vde2/package.nix +++ b/pkgs/by-name/vd/vde2/package.nix @@ -41,6 +41,12 @@ stdenv.mkDerivation rec { homepage = "https://github.com/virtualsquare/vde-2"; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; platforms = lib.platforms.unix; - license = lib.licenses.gpl2Plus; + license = [ + # Effectively `lib.licenses.gpl2Only`, but file headers differ. + lib.licenses.gpl2Plus + lib.licenses.gpl2Only + # libvdeplug and code copied from glibc. + lib.licenses.lgpl21Plus + ]; }; } From adac477495ee63e1208df5fc268b787a3b74cf80 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 28 Mar 2026 18:37:30 +0000 Subject: [PATCH 18/96] vde2: make Musl patch unconditional (cherry picked from commit 217a550db5db52f46ca3ca4d664785430eb43b9e) --- pkgs/by-name/vd/vde2/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/vd/vde2/package.nix b/pkgs/by-name/vd/vde2/package.nix index 467a5aa8765c4..7f25ae2669866 100644 --- a/pkgs/by-name/vd/vde2/package.nix +++ b/pkgs/by-name/vd/vde2/package.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "sha256-Yf6QB7j5lYld2XtqhYspK4037lTtimoFc7nCavCP+mU="; }; - patches = lib.optionals stdenv.hostPlatform.isMusl [ + patches = [ (fetchpatch { url = "https://git.alpinelinux.org/aports/plain/main/vde2/musl-build-fix.patch?id=ddee2f86a48e087867d4a2c12849b2e3baccc238"; sha256 = "0b5382v541bkxhqylilcy34bh83ag96g71f39m070jzvi84kx8af"; From ec783677b65ad5ef965a74cb2f44f04bc3c69eaa Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 28 Mar 2026 18:20:55 +0000 Subject: [PATCH 19/96] vde2: remove obsolete Darwin workaround (cherry picked from commit 42c772cf00d3b5064336427973a61f4cb68acde6) --- pkgs/by-name/vd/vde2/package.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/by-name/vd/vde2/package.nix b/pkgs/by-name/vd/vde2/package.nix index 7f25ae2669866..663f4e9547eaf 100644 --- a/pkgs/by-name/vd/vde2/package.nix +++ b/pkgs/by-name/vd/vde2/package.nix @@ -26,10 +26,6 @@ stdenv.mkDerivation rec { }) ]; - preConfigure = lib.optionalString (lib.versionAtLeast stdenv.hostPlatform.darwinMinVersion "11") '' - MACOSX_DEPLOYMENT_TARGET=10.16 - ''; - nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ From 16c17bea63a1696bd9e1ca977f7ed8df570855a2 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 28 Mar 2026 18:20:55 +0000 Subject: [PATCH 20/96] vde2: switch to Mbed TLS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since wolfSSL ≥ 5.8.2 is `GPL-3.0-or-later` and VDEv2 is `GPL-2.0-only`, it’s a licence violation to redistribute binaries combining them. Thankfully, upstream has added support for Mbed TLS, though not yet cut a stable release with it. Backport the patch and switch to it. This also avoids pulling wolfSSL unnecessarily into the QEMU closure, which already contains Mbed TLS. It also conveniently fixes the build on Darwin. (cherry picked from commit 3d669a98fb8b35ae8ac4bcdd8c66c4ab0e9cd257) --- pkgs/by-name/vd/vde2/package.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/vd/vde2/package.nix b/pkgs/by-name/vd/vde2/package.nix index 663f4e9547eaf..e085c22f4029c 100644 --- a/pkgs/by-name/vd/vde2/package.nix +++ b/pkgs/by-name/vd/vde2/package.nix @@ -5,7 +5,7 @@ fetchpatch, autoreconfHook, libpcap, - wolfssl, + mbedtls, }: stdenv.mkDerivation rec { @@ -20,6 +20,13 @@ stdenv.mkDerivation rec { }; patches = [ + # See: + (fetchpatch { + name = "vde2-backport-mbedtls-support.patch"; + url = "https://github.com/virtualsquare/vde-2/commit/e3f701978a0a20e56cd9829353d110d4ddcedd90.patch"; + hash = "sha256-cq3yrA3w/K6J+RtwYX9AcG/nfctlAkc3aYJZpJxJXTQ="; + }) + (fetchpatch { url = "https://git.alpinelinux.org/aports/plain/main/vde2/musl-build-fix.patch?id=ddee2f86a48e087867d4a2c12849b2e3baccc238"; sha256 = "0b5382v541bkxhqylilcy34bh83ag96g71f39m070jzvi84kx8af"; @@ -30,7 +37,11 @@ stdenv.mkDerivation rec { buildInputs = [ libpcap - wolfssl + mbedtls + ]; + + configureFlags = [ + "--with-crypt=mbedtls" ]; meta = { From a5274883dcd2504aa0cca03d4481ccb65fc8a6a0 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 17 Dec 2025 16:21:06 +0000 Subject: [PATCH 21/96] mupdf: 1.26.10 -> 1.27.0 (cherry picked from commit 7a51cbe02659107f5be09ebcc27e3ebc821cb0b7) --- pkgs/by-name/mu/mupdf/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index cd1bea612afa1..71232eec36edb 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -65,12 +65,12 @@ let }); in stdenv.mkDerivation rec { - version = "1.26.10"; + version = "1.27.0"; pname = "mupdf"; src = fetchurl { url = "https://mupdf.com/downloads/archive/${pname}-${version}-source.tar.gz"; - hash = "sha256-FlPzW9j72XDwVSPv3H+G5B6XKOJWSjKVKW4Dz1mlFDc="; + hash = "sha256-riRCQW3kmRgtN6UmxvorrMejvtWoiNETygSERITf58Y="; }; patches = [ From a4388d143a50ef474c4546eb0408b6147736a46d Mon Sep 17 00:00:00 2001 From: Dmitry Kalinkin Date: Sun, 25 Jan 2026 18:05:06 -0500 Subject: [PATCH 22/96] mupdf: remove patches that made it into the release (cherry picked from commit 82c8e216dae90f635b71a0d0cbe55300c40f431d) --- pkgs/by-name/mu/mupdf/package.nix | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index 71232eec36edb..0de0e0de9d41b 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -80,19 +80,6 @@ stdenv.mkDerivation rec { # Upstream C++ wrap script only defines fixed-sized integers on macOS but # this is required on aarch64-linux too. ./fix-cpp-build.patch - ] - # fix compatibility with Clang >= 20 - ++ lib.optionals enableCxx [ - (fetchpatch { - name = "scripts-wrap-parse.py-get_args-improve-caching-of-re.patch"; - url = "https://github.com/ArtifexSoftware/mupdf/commit/559e45ac8c134712cd8eaee01536ea3841e3a449.patch"; - hash = "sha256-gI3hzrNo6jj9eqQ9E/BJ3jxXi/sl1C5WRyYlkG3Gkfg="; - }) - (fetchpatch { - name = "scripts-wrap-parse.py-get_args-fix-for-libclang-20.patch"; - url = "https://github.com/ArtifexSoftware/mupdf/commit/4bbf411898341d3ba30f521a6c137a788793cd45.patch"; - hash = "sha256-cxKNziAGjpDwEw/9ZQHslMeJbiqYo80899BDkUOIX8g="; - }) ]; postPatch = '' From 0a672a5b3c5b95aa6a3a3ccc3335a522c3525798 Mon Sep 17 00:00:00 2001 From: ghpzin Date: Tue, 7 Oct 2025 14:26:14 +0300 Subject: [PATCH 23/96] mupdf: fix build of vendored freeglut with gcc15 - add patch from `freeglut` upstream to vendored fork version: https://www.github.com/freeglut/freeglut/pull/187 Fixes build failure with gcc15: ``` /build/source/src/x11/fg_init_x11.c:348:6: error: conflicting types for 'fgPlatformDestroyContext'; have 'void(SFG_PlatformDisplay, struct __GLXcontextRec *)' {aka 'void(struct tagSFG_PlatformDisplay, struct __GLXcontextRec *)'} 348 | void fgPlatformDestroyContext ( SFG_PlatformDisplay pDisplay, SFG_WindowContextType MContext ) | ^~~~~~~~~~~~~~~~~~~~~~~~ In file included from /build/source/src/x11/fg_init_x11.c:34: /build/source/src/egl/fg_init_egl.h:31:13: note: previous declaration of 'fgPlatformDestroyContext' with type 'void(void)' 31 | extern void fgPlatformDestroyContext(); | ^~~~~~~~~~~~~~~~~~~~~~~~ ``` (cherry picked from commit d933df8d01ddf3c6fdccd17039ec105fcfbd176d) --- pkgs/by-name/mu/mupdf/package.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index 0de0e0de9d41b..8c0df93dd0084 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -55,7 +55,15 @@ let hash = "sha256-0fuE0lm9rlAaok2Qe0V1uUrgP4AjMWgp3eTbw8G6PMM="; }; - patches = [ ]; + patches = [ + # Fix build with gcc15 + # https://github.com/freeglut/freeglut/pull/187 + (fetchpatch { + name = "freeglut-fix-fgPlatformDestroyContext-prototype-for-C23.patch"; + url = "https://github.com/freeglut/freeglut/commit/800772e993a3ceffa01ccf3fca449d3279cde338.patch"; + hash = "sha256-agXw3JHq81tx5514kkorvuU5mX4E3AV930hy1OJl4L0="; + }) + ]; # cmake 4 compatibility, upstream is dead postPatch = '' From 672d37ea2b50b3330ecb08c93740c1662d70bc70 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 4 Apr 2026 08:27:33 +0200 Subject: [PATCH 24/96] mupdf: 1.27.0 -> 1.27.2 Fix #505601, CVE-2026-3308. (cherry picked from commit 422838552733b01a0c63c6ec06d76a103b8d4fb1) --- pkgs/by-name/mu/mupdf/package.nix | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index 8c0df93dd0084..8d8408044af95 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -51,20 +51,10 @@ let src = fetchFromGitHub { owner = "ArtifexSoftware"; repo = "thirdparty-freeglut"; - rev = "13ae6aa2c2f9a7b4266fc2e6116c876237f40477"; - hash = "sha256-0fuE0lm9rlAaok2Qe0V1uUrgP4AjMWgp3eTbw8G6PMM="; + rev = "d5e2256d571b3ef66fb60716c99e35e9d3e570a2"; + hash = "sha256-yVnVFh2KMpkRB0Emr1iiUwg8ZcPn/k4fnBtBsnv6jX0="; }; - patches = [ - # Fix build with gcc15 - # https://github.com/freeglut/freeglut/pull/187 - (fetchpatch { - name = "freeglut-fix-fgPlatformDestroyContext-prototype-for-C23.patch"; - url = "https://github.com/freeglut/freeglut/commit/800772e993a3ceffa01ccf3fca449d3279cde338.patch"; - hash = "sha256-agXw3JHq81tx5514kkorvuU5mX4E3AV930hy1OJl4L0="; - }) - ]; - # cmake 4 compatibility, upstream is dead postPatch = '' substituteInPlace CMakeLists.txt \ @@ -73,12 +63,12 @@ let }); in stdenv.mkDerivation rec { - version = "1.27.0"; + version = "1.27.2"; pname = "mupdf"; src = fetchurl { url = "https://mupdf.com/downloads/archive/${pname}-${version}-source.tar.gz"; - hash = "sha256-riRCQW3kmRgtN6UmxvorrMejvtWoiNETygSERITf58Y="; + hash = "sha256-VThnsTUwPcTCWrZ8XyNNjpAKDjbmboSE2ZrcBf4ehzc="; }; patches = [ From a762af95d997eaa49c7301a15c66be134b1df0c5 Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Fri, 27 Mar 2026 23:39:09 -0400 Subject: [PATCH 25/96] python3Packages.cryptography{,.vectors}: 46.0.5 -> 46.0.6 Changelog: https://cryptography.io/en/latest/changelog/#v46-0-6 (cherry picked from commit 8dbeb30f305eddd96da8a42a7615fb136b3b4a1b) --- pkgs/development/python-modules/cryptography/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index eef08b32b5461..e990f1e6a1b8a 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.5"; + version = "46.0.6"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,7 +31,7 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-jzdkAVMnKr0z1MBUgs6xjLnTZrqNOBwq3w56JDwgFgk="; + hash = "sha256-b6wQnPEf18ViqQVch+Jg1w0Cn372QKxLknD9rL4JjxY="; }; cargoDeps = rustPlatform.fetchCargoVendor { From d9aedfa58cde4be0ca3f4affcfc654d069ba337d Mon Sep 17 00:00:00 2001 From: Luna Simons Date: Mon, 30 Mar 2026 16:31:37 +0200 Subject: [PATCH 26/96] nghttp2: 1.67.1 -> 1.68.1 (cherry picked from commit e881fb4d865e41071a39310cd9bb9822e6b0574e) --- pkgs/by-name/ng/nghttp2/package.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ng/nghttp2/package.nix b/pkgs/by-name/ng/nghttp2/package.nix index a3a62ffa0e5c4..d82a8bc6ce4be 100644 --- a/pkgs/by-name/ng/nghttp2/package.nix +++ b/pkgs/by-name/ng/nghttp2/package.nix @@ -22,7 +22,6 @@ jemalloc, enablePython ? false, python3, - ncurses, # Unit tests ; we have to set TZDIR, which is a GNUism. enableTests ? stdenv.hostPlatform.isGnu, @@ -45,11 +44,11 @@ assert enableJemalloc -> enableApp; stdenv.mkDerivation rec { pname = "nghttp2"; - version = "1.67.1"; + version = "1.68.1"; src = fetchurl { url = "https://github.com/nghttp2/nghttp2/releases/download/v${version}/nghttp2-${version}.tar.bz2"; - hash = "sha256-37cg1CQ6eVBYn6JjI3i+te6a1ELpS3lLO44soowdfio="; + hash = "sha256-t2G1PLZJFmV+qEQ3lz1Qj9Z16Wuy/rlZOh5D0ZWavpU="; }; outputs = [ From 0886c155087aa8dfbe7ebd596f010a83d4ac31c7 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sat, 21 Mar 2026 12:32:45 +0000 Subject: [PATCH 27/96] dash: 0.5.13.1 -> 0.5.13.2 (cherry picked from commit 805e277b0b0addc9b3d04a185932a799f694448a) --- pkgs/by-name/da/dash/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/da/dash/package.nix b/pkgs/by-name/da/dash/package.nix index 030968dbc9040..6235e5193f8a1 100644 --- a/pkgs/by-name/da/dash/package.nix +++ b/pkgs/by-name/da/dash/package.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "dash"; - version = "0.5.13.1"; + version = "0.5.13.2"; src = fetchurl { url = "http://gondor.apana.org.au/~herbert/dash/files/dash-${finalAttrs.version}.tar.gz"; - hash = "sha256-2ScbzgnBJ9mGbiXAEVgt3HWrmIlYoEvE2FU6O48w43A="; + hash = "sha256-5xNoJrHu1s4xk+iv+i9wsbK5Fo3ZH/p9209G6eYgVP4="; }; strictDeps = true; From 26637846bdf12ef48f5602e9711b6053b626fd4b Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 3 Apr 2026 00:49:07 +0000 Subject: [PATCH 28/96] cryptsetup: 2.8.4 -> 2.8.6 (cherry picked from commit 95e5f7bf974226564675449beb009d3ffa00ff15) --- pkgs/by-name/cr/cryptsetup/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index 79a0af738ce08..0e1f0cf718807 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.4"; + version = "2.8.6"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM="; + hash = "sha256-gAQmX9mTiF0I97Yz2+BWhR3hohAwdhOk693HQ/zO/lo="; }; patches = [ From 7773e8a80c3aa32aa3db20039a514c158f468644 Mon Sep 17 00:00:00 2001 From: Alexander Bantyev Date: Thu, 11 Dec 2025 10:11:37 +0100 Subject: [PATCH 29/96] util-linux: add in-tree comments for patches Adds in-tree comments for all patches, to better comply with the style guide. (cherry picked from commit 9754f5e62e2f9f990f3564f48918e0f2989f7976) --- pkgs/by-name/ut/util-linux/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index 0b1cb579bfd34..0cb22af94bd61 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -48,7 +48,12 @@ stdenv.mkDerivation (finalAttrs: { }; patches = [ + # Search $PATH for the shutdown binary instead of hard-coding /sbin/shutdown, + # which isn't valid on NixOS (and a compatibility link on most other modern + # distros anyway). ./rtcwake-search-PATH-for-shutdown.patch + # bits: only build when cpu_set_t is available + # Otherwise, the build fails on macOS (fetchurl { name = "bits-only-build-when-cpu_set_t-is-available.patch"; url = "https://lore.kernel.org/util-linux/20250501075806.88759-1-hi@alyssa.is/raw"; From 13735ecad18d5d4989c06ad1733a7ff501fd6b6b Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Sat, 28 Feb 2026 15:20:44 -0800 Subject: [PATCH 30/96] util-linux: Ensure that liblastlog is linked with libpam If we don't add this, we don't actually link with PAM; compare the before and after of `lib/security/pam_lastlog2.so`. ``` Dynamic section at offset 0x2ce8 contains 31 entries: Tag Type Name/Value 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] ``` ``` Dynamic section at offset 0x2cd8 contains 32 entries: Tag Type Name/Value 0x0000000000000001 (NEEDED) Shared library: [libpam.so.0] 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] ``` This causes issues like https://github.com/NixOS/nixpkgs/issues/493934 where the library has trouble linking with PAM symbols because it is not linked. (cherry picked from commit 71feb7ecf25178c749e027ecee64d32b4e20eb85) --- pkgs/by-name/ut/util-linux/package.nix | 9 +++- ...m_lastlog2-add-lpam-to-Makemodule.am.patch | 52 +++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index 0cb22af94bd61..12571c909baaf 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -35,6 +35,9 @@ nixosTests, }: +# lastlog requires PAM, or else it's broken. +assert withLastlog -> pamSupport; + let isMinimal = cryptsetupSupport == false && !nlsSupport && !ncursesSupport && !systemdSupport; in @@ -52,6 +55,11 @@ stdenv.mkDerivation (finalAttrs: { # which isn't valid on NixOS (and a compatibility link on most other modern # distros anyway). ./rtcwake-search-PATH-for-shutdown.patch + + # pam_lastlog2: link with libpam + # see https://github.com/NixOS/nixpkgs/issues/493934 + ./pam_lastlog2-add-lpam-to-Makemodule.am.patch + # bits: only build when cpu_set_t is available # Otherwise, the build fails on macOS (fetchurl { @@ -202,7 +210,6 @@ stdenv.mkDerivation (finalAttrs: { moveToOutput "bin/lastlog2" "$lastlog" ln -svf "$lastlog/bin/"* $bin/bin/ - '' + lib.optionalString (withLastlog && systemdSupport) '' moveToOutput "lib/systemd/system/lastlog2-import.service" "$lastlog" diff --git a/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch b/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch new file mode 100644 index 0000000000000..3ffb12387bb69 --- /dev/null +++ b/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch @@ -0,0 +1,52 @@ +From c8e620c6bcd044786c59f822810fc973090dbfa2 Mon Sep 17 00:00:00 2001 +From: Morgan Jones +Date: Mon, 2 Mar 2026 11:03:39 -0800 +Subject: [PATCH] pam_lastlog2: add -lpam to Makemodule.am + +If we don't add this, we don't actually link with PAM; compare the +before and after of `lib/security/pam_lastlog2.so`. + +``` +Dynamic section at offset 0x2ce8 contains 31 entries: + Tag Type Name/Value + 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] + 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] + 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] + 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] +``` + +``` +Dynamic section at offset 0x2cd8 contains 32 entries: + Tag Type Name/Value + 0x0000000000000001 (NEEDED) Shared library: [libpam.so.0] + 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] + 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] + 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] + 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] +``` + +This causes issues like https://github.com/NixOS/nixpkgs/issues/493934 +where the library has trouble linking with PAM symbols because it is not +linked. + +Signed-off-by: Morgan Jones +--- + pam_lastlog2/src/Makemodule.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pam_lastlog2/src/Makemodule.am b/pam_lastlog2/src/Makemodule.am +index 40d597c58..629930853 100644 +--- a/pam_lastlog2/src/Makemodule.am ++++ b/pam_lastlog2/src/Makemodule.am +@@ -13,7 +13,7 @@ pam_lastlog2_la_CFLAGS = \ + + pam_lastlog2_la_LIBADD = liblastlog2.la + +-pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -module -avoid-version -shared ++pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -lpam -module -avoid-version -shared + if HAVE_VSCRIPT + pam_lastlog2_la_LDFLAGS += $(VSCRIPT_LDFLAGS),$(top_srcdir)/pam_lastlog2/src/pam_lastlog2.sym + endif +-- +2.50.1 + From bf28042b7252e5c7197866a73806447eb3d6c093 Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Sun, 5 Apr 2026 17:09:48 -0700 Subject: [PATCH 31/96] util-linux: 2.41.3 -> 2.41.4 Pick up the patch from #507036. (cherry picked from commit 9cb7c50195654b80ea09a225a7c246f146462fca) --- pkgs/by-name/ut/util-linux/package.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index 12571c909baaf..2b49ddc54ff20 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -43,11 +43,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "util-linux" + lib.optionalString isMinimal "-minimal"; - version = "2.41.3"; + version = "2.41.4"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor finalAttrs.version}/util-linux-${finalAttrs.version}.tar.xz"; - hash = "sha256-MzDYc/D861VguJp9wU5PMoi72IDpaQPtm1DsK1eZ5Ys="; + hash = "sha256-qMITzAYEiGJgKkKy0pmzQAAfbQXEQHtUnz4DUh34Nog="; }; patches = [ @@ -60,12 +60,10 @@ stdenv.mkDerivation (finalAttrs: { # see https://github.com/NixOS/nixpkgs/issues/493934 ./pam_lastlog2-add-lpam-to-Makemodule.am.patch - # bits: only build when cpu_set_t is available - # Otherwise, the build fails on macOS (fetchurl { - name = "bits-only-build-when-cpu_set_t-is-available.patch"; - url = "https://lore.kernel.org/util-linux/20250501075806.88759-1-hi@alyssa.is/raw"; - hash = "sha256-G7Cdv8636wJEjgt9am7PaDI8bpSF8sO9bFWEIiAL25A="; + name = "CVE-2026-3184.patch"; + url = "https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984.patch"; + hash = "sha256-bCITNB/k3CPcAYK4BXYFr1RWOsQ09PpgQw16SDZJES4="; }) ]; From d1aa7217f1c9441805ed770f8d58016cf3f194a7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 6 Apr 2026 17:40:05 +0200 Subject: [PATCH 32/96] python3Packages.requests: 2.32.5 -> 2.33.1 https://github.com/psf/requests/blob/v2.33.1/HISTORY.md Fixes: CVE-2026-25645 (cherry picked from commit f274c14a242e549f51866d5c2721dbd13f9660f3) --- pkgs/development/python-modules/requests/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/requests/default.nix b/pkgs/development/python-modules/requests/default.nix index c669a2591d7f8..e3fe547cd6c95 100644 --- a/pkgs/development/python-modules/requests/default.nix +++ b/pkgs/development/python-modules/requests/default.nix @@ -18,7 +18,7 @@ buildPythonPackage rec { pname = "requests"; - version = "2.32.5"; + version = "2.33.1"; pyproject = true; disabled = pythonOlder "3.9"; @@ -29,7 +29,7 @@ buildPythonPackage rec { owner = "psf"; repo = "requests"; tag = "v${version}"; - hash = "sha256-cEBalMFoYFaGG8M48k+OEBvzLegzrTNP1NxH2ljP6qg="; + hash = "sha256-cQnCTMmpdkvWwt7RFAIhAfmhVwGVn0Y8Z5Tr6lzDmS8="; }; build-system = [ setuptools ]; From d7515a3c672c2c184b13772cd383331dddb8508b Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 7 Apr 2026 01:35:26 +0200 Subject: [PATCH 33/96] nixos/modules: import intel-npu module This was missed twice during review. (cherry picked from commit e6fbe2b798b3711e4fedbd7c3c6293aa6aac1270) --- nixos/modules/module-list.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index db665792f4dac..c44ee5511b441 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -61,6 +61,7 @@ ./hardware/cpu/amd-ryzen-smu.nix ./hardware/cpu/amd-sev.nix ./hardware/cpu/intel-microcode.nix + ./hardware/cpu/intel-npu.nix ./hardware/cpu/intel-sgx.nix ./hardware/cpu/x86-msr.nix ./hardware/decklink.nix From 0536b27dd97b7a82830de99a9930080e527af37a Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 7 Apr 2026 01:36:04 +0200 Subject: [PATCH 34/96] nixos/nixos-generate-config: drop intel-npu import Loading modules at config gen time is wrong. This should only happen for profiles and the options should be available all the time instead. (cherry picked from commit 44cdcdf7aa52a4a71eaaae0bc215a71a4f297e18) --- nixos/modules/installer/tools/nixos-generate-config.pl | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index bbd0a093b998d..5eb43ecd33007 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -211,7 +211,6 @@ sub pciCheck { ($device eq "0xfd3e" || $device eq "0x7d1d" || $device eq "0xad1d" || $device eq "0x643e" || $device eq "0xb03e")) { - push @imports, "(modulesPath + \"/hardware/cpu/intel-npu.nix\")"; push @attrs, "hardware.cpu.intel.npu.enable = true;"; } From 4bbe228c9b9a8d02af62ddd586fe5fc238ddfad7 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Tue, 31 Mar 2026 06:24:07 +0100 Subject: [PATCH 35/96] libopenmpt: 0.8.5 -> 0.8.6 Changes: https://lib.openmpt.org/libopenmpt/2026/03/24/security-updates-0.8.6-0.7.19-0.6.28-0.5.42-0.4.54/ (cherry picked from commit c4fbdb63edb66f1ea0548686bcc6090d023a0849) --- pkgs/by-name/li/libopenmpt/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libopenmpt/package.nix b/pkgs/by-name/li/libopenmpt/package.nix index 2bef845c342ad..6aa838d55fa3b 100644 --- a/pkgs/by-name/li/libopenmpt/package.nix +++ b/pkgs/by-name/li/libopenmpt/package.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { pname = "libopenmpt"; - version = "0.8.5"; + version = "0.8.6"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; - hash = "sha256-9oCuq7P4TDcWna2H8V7YPymm67x/aJ+RLU2r7P8OMyQ="; + hash = "sha256-yqL6lZ44n0N02eLfOvXGM0UsEt2ARCy6LonLf/K5PFs="; }; enableParallelBuilding = true; From 2881509af001995a851ea469389576a8a219849c Mon Sep 17 00:00:00 2001 From: emilylange Date: Sat, 4 Apr 2026 05:06:44 +0200 Subject: [PATCH 36/96] systemd: fix `/etc/localtime` symlink This is essentially a revert of e8a805af1005ffeb98d4376dd2cbb9b9a809ab3b in favor of a proper fix because unlike first assumed, this affects not just systemd internally, but virtually any program that uses icu::TimeZone to read the system's time zone. And while we could patch icu, I believe this will take far too long and we arguably don't know who else depends on the same assumption icu made. All I know is every chromium-based browser[^0], including electron, calls icu::TimeZone::detectHostTimeZone(), which returns the special time zone Etc/Unknown instead of the configured one when using timedated, either directly via timedatectl set-timezone or via D-Bus. The reason for this is icu::TimeZone assumes[^1] every valid /etc/localtime symlink includes /zoneinfo/ before the zoneinfo (olson) timezone id. This is a pretty decent guess and also applied to NixOS since ever, up until we bumped systemd to v258 in 1c5d47dd782dd7e63d16978d4bc0c6065361bcd8, which included an upstream change that made the symlink relative. The issue is, a relative /etc/localtime symlink in other distros results in e.g. ../usr/share/zoneinfo/UTC, not zoneinfo/UTC. For NixOS, however, we patch systemd to use /etc/zoneinfo instead of /usr/share/zoneinfo. zoneinfo/UTC breaks the assumption icu::TimeZone makes, because zoneinfo/ is not /zoneinfo/. We could try to trick it by needlessly making the relative symlink ./zoneinfo/ instead, but this is both more fragile and makes the patch significantly larger. And as stated above already, we simply don't know who else makes similar assumptions. So to fix this for good, we force the symlink to be absolute, just like we had it prior to systemd v258. Note that we could also simply unconditionally set ~~~nix { systemd.services."systemd-timedated".environment.SYSTEMD_ETC_LOCALTIME = "/etc/localtime"; } ~~~ to make the symlink absolute. But I'd argue this would cause this edge-case to slowly slide into obscurity, almost asking for it to resurface in the future eventually. [0]: https://source.chromium.org/chromium/chromium/src/+/refs/tags/146.0.7680.177:services/device/time_zone_monitor/time_zone_monitor.cc;l=57-59;bpv=0 [1]: https://github.com/unicode-org/icu/blob/release-78.3/icu4c/source/common/putil.cpp#L686-L695 (cherry picked from commit 2fb95a568c107c7074f2d4ed25e63b6deaa496d2) --- ...e-usr-share-zoneinfo-to-etc-zoneinfo.patch | 37 +++++++++++++------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch index 254a63c1a1072..8168a7d755708 100644 --- a/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch +++ b/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch @@ -5,12 +5,12 @@ Subject: [PATCH] Change /usr/share/zoneinfo to /etc/zoneinfo NixOS uses this path. --- - man/localtime.xml | 4 ++-- - src/basic/time-util.c | 8 ++++---- - src/firstboot/firstboot.c | 9 +++------ - src/nspawn/nspawn.c | 4 ++-- - src/timedate/timedated.c | 8 ++++---- - 5 files changed, 15 insertions(+), 18 deletions(-) + man/localtime.xml | 4 ++-- + src/basic/time-util.c | 8 ++++---- + src/firstboot/firstboot.c | 9 +++------ + src/nspawn/nspawn.c | 4 ++-- + src/timedate/timedated.c | 15 +++++++++------ + 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/man/localtime.xml b/man/localtime.xml index 3a13e04a27..4fd58068a1 100644 @@ -35,7 +35,7 @@ index 3a13e04a27..4fd58068a1 100644 Etc/UTC. The resulting link should lead to the corresponding binary diff --git a/src/basic/time-util.c b/src/basic/time-util.c -index 55931a2546..2e00bd7539 100644 +index 5dd00af952..b97a41f6ac 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -1410,7 +1410,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) { @@ -70,7 +70,7 @@ index 55931a2546..2e00bd7539 100644 return r; /* Return EINVAL if not a symlink */ - const char *e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/"); -+ const char *e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/", "zoneinfo/"); ++ const char *e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/"); if (!e) return -EINVAL; if (!timezone_is_valid(e, LOG_DEBUG)) @@ -103,7 +103,7 @@ index 5ed6d3a9d2..f922d91a9d 100644 return log_error_errno(r, "Failed to create /etc/localtime symlink: %m"); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 480a9c55c6..02c9ae6608 100644 +index a0052c1c88..cd4a48c9ef 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1821,8 +1821,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid @@ -112,13 +112,13 @@ index 480a9c55c6..02c9ae6608 100644 path, - "../usr/share/zoneinfo/", - "/usr/share/zoneinfo/"); -+ "../etc/zoneinfo/", "zoneinfo/", ++ "../etc/zoneinfo/", + "/etc/zoneinfo/"); } static bool etc_writable(void) { diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c -index 57f3413dc6..6a456fe601 100644 +index 1455830cba..6849ada033 100644 --- a/src/timedate/timedated.c +++ b/src/timedate/timedated.c @@ -266,7 +266,7 @@ static int context_read_data(Context *c) { @@ -139,7 +139,7 @@ index 57f3413dc6..6a456fe601 100644 if (unlink(etc_localtime()) < 0 && errno != ENOENT) return -errno; -@@ -298,9 +298,9 @@ static int context_write_data_timezone(Context *c) { +@@ -300,17 +300,20 @@ static int context_write_data_timezone(Context *c) { return 0; } @@ -151,3 +151,16 @@ index 57f3413dc6..6a456fe601 100644 if (!p) return -ENOMEM; + source = p; + } + +- return symlinkat_atomic_full(source, AT_FDCWD, etc_localtime(), +- !secure_getenv("SYSTEMD_ETC_LOCALTIME")); ++ /* With zoneinfo being at /etc/zoneinfo instead of /usr/share/zoneinfo on NixOS, and etc_localtime() left untouched ++ * at /etc/localtime, a relative symlink would look like zoneinfo/UTC instead of ../usr/share/zoneinfo/UTC. This is ++ * an issue because not just systemd itself (src/basic/time-util.c @@ get_timezone), but also others like icu::TimeZone ++ * reject such symlinks. Forcing the symlink to be absolute (/etc/zoneinfo/UTC) takes care of at least both of them. */ ++ return symlinkat_atomic_full(source, AT_FDCWD, etc_localtime(), /* flags */ 0); + } + + static const char* etc_adjtime(void) { From e618a6056b2412c77e860b2315ee3e9b2c073cec Mon Sep 17 00:00:00 2001 From: emilylange Date: Sat, 4 Apr 2026 05:07:59 +0200 Subject: [PATCH 37/96] nixos/tests/timezone: extend to test systemd `/etc/timezone` regression This should help to catch the regression described in 2fb95a568c107c7074f2d4ed25e63b6deaa496d2 if it ever does end up resurfacing. Please see that commit for more details on this. The tl;dr is: At the very least systemd and icu::TimeZone both make assumptions about how the /etc/localtime symlink they read should look like. In one of our systemd patches, we broke this for both itself and icu::TimeZone. And while we could extend our systemd patch, we cannot as easily patch icu and we don't know who else makes similar assumptions. (cherry picked from commit 4268e25679f320d9434d0bdec0d2d49719c09c5c) --- nixos/tests/timezone.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nixos/tests/timezone.nix b/nixos/tests/timezone.nix index b5d2f6779338f..938c6bed95342 100644 --- a/nixos/tests/timezone.nix +++ b/nixos/tests/timezone.nix @@ -44,6 +44,18 @@ print(date_result) assert date_result == "1970-01-01 09:00:00\n", "Timezone was not adjusted" + # Stop systemd-timedated.service to clear /etc/localtime read cache + node_nulltz.systemctl("stop systemd-timedated.service") + timedatectl_result = node_nulltz.succeed("timedatectl status") + print(timedatectl_result) + assert "Asia/Tokyo" in timedatectl_result, "'timedatectl status' output is missing 'Asia/Tokyo'" + + with subtest("imperative - Ensure /etc/localtime symlink includes '/zoneinfo/' like icu expects"): + # https://github.com/unicode-org/icu/blob/release-78.3/icu4c/source/common/putil.cpp#L686-L695 + readlink_result = node_nulltz.succeed("readlink --no-newline /etc/localtime") + print(readlink_result) + assert "/zoneinfo/" in readlink_result, f"/etc/localtime symlink is missing '/zoneinfo/': {readlink_result}" + with subtest("imperative - Ensure timezone adjustment persists across reboot"): # Adjustment should persist across a reboot node_nulltz.shutdown() From 633c8f09316943ffd7b2f6845f09e433ee9cfd94 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 7 Apr 2026 21:51:46 +0200 Subject: [PATCH 38/96] python3Packages.django_4: 4.2.29 -> 4.2.30 https://docs.djangoproject.com/en/4.2/releases/4.2.30/ https://www.djangoproject.com/weblog/2026/apr/07/security-releases/ Fixes: CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, CVE-2026-33034 --- pkgs/development/python-modules/django/4.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 598dfcfb70568..33a4ff509e2a6 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -45,7 +45,7 @@ buildPythonPackage rec { pname = "django"; - version = "4.2.29"; + version = "4.2.30"; pyproject = true; disabled = pythonOlder "3.8"; @@ -54,7 +54,7 @@ buildPythonPackage rec { owner = "django"; repo = "django"; tag = version; - hash = "sha256-30OcLxtACSxLJ1jT+k7fmM8CyMyleXSPc+l7/3JZKzI="; + hash = "sha256-LbB5eiKy8chxLLe7Cz0qkN0Iv7CGYAvESnF8V84eCcU="; }; patches = [ From 96cf2753e26a07047ae1111d9ddfea6820acca3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 29 Mar 2026 08:48:48 -0700 Subject: [PATCH 39/96] python3Packages.aiohttp: 3.13.3 -> 3.13.4 Diff: https://github.com/aio-libs/aiohttp/compare/v3.13.3...v3.13.4 Changelog: https://docs.aiohttp.org/en/v3.13.4/changes.html (cherry picked from commit 7f37355e7c0c5df5892c51b5e4d700c07f9c4f16) --- pkgs/development/python-modules/aiohttp/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/aiohttp/default.nix b/pkgs/development/python-modules/aiohttp/default.nix index a3beffd1a863d..35d70f9198479 100644 --- a/pkgs/development/python-modules/aiohttp/default.nix +++ b/pkgs/development/python-modules/aiohttp/default.nix @@ -51,14 +51,14 @@ buildPythonPackage rec { pname = "aiohttp"; - version = "3.13.3"; + version = "3.13.4"; pyproject = true; src = fetchFromGitHub { owner = "aio-libs"; repo = "aiohttp"; tag = "v${version}"; - hash = "sha256-V+digrfigdA3hwd2xW47BACh3r07j6pGE8WFAGivZnA="; + hash = "sha256-/MpN8Lvdm6ZN18eLip0YXHEFzJqRsWWyx1HHfqTmjqA="; }; postPatch = '' From 1d24d12ccd8ef37e46c5ee45e3964550f2180ddb Mon Sep 17 00:00:00 2001 From: Fovir Date: Tue, 31 Mar 2026 12:37:46 +0800 Subject: [PATCH 40/96] vim: 9.2.0106 -> 9.2.0272 fix the [CVE vulnerability](https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh) (cherry picked from commit 03a67f01c5b24cf51891f9b8548e88fae5b70a81) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index f5f18a30568e4..b72a14971cbe0 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.2148"; + version = "9.2.0272"; outputs = [ "out" @@ -11,7 +11,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-4ZEbfpffPp6kqSQRp7NFioWGRdG+JsVf7unU0Hqn/Xk="; + hash = "sha256-9y+dZYbwuIzgseXdg/k8fqZ5JiohgOiK00evMwF9HOM="; }; enableParallelBuilding = true; From ee856b932115ca33b246962d5330904060816945 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 9 Apr 2026 13:58:38 +0200 Subject: [PATCH 41/96] python3Packages.cryptography: 46.0.6 -> 46.0.7 Changelog: https://cryptography.io/en/latest/changelog/#v46-0-7 CVE: CVE-2026-39892 (https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq) (cherry picked from commit 3620884cac636750716fff98bd0347e683f39d14) --- pkgs/development/python-modules/cryptography/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index e990f1e6a1b8a..388b9bc8c276c 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.6"; + version = "46.0.7"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,7 +31,7 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-b6wQnPEf18ViqQVch+Jg1w0Cn372QKxLknD9rL4JjxY="; + hash = "sha256-xMe+gQl4/CfoT+H21ltbo+aPILoRYCAlylsqnB7Ms8s="; }; cargoDeps = rustPlatform.fetchCargoVendor { From fe3afaa4213dd2652cf0d920318f19e8cdd81348 Mon Sep 17 00:00:00 2001 From: Tom Herbers Date: Fri, 10 Apr 2026 00:24:40 +0200 Subject: [PATCH 42/96] go_1_25: 1.25.8 -> 1.25.9 Changelog: https://go.dev/doc/devel/release#go1.25.minor (cherry picked from commit f8d24454ca5b834f76b40747ba2f730004ef3d31) --- pkgs/development/compilers/go/1.25.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.25.nix b/pkgs/development/compilers/go/1.25.nix index 3fdeb90035932..ed7f243279a1c 100644 --- a/pkgs/development/compilers/go/1.25.nix +++ b/pkgs/development/compilers/go/1.25.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.25.8"; + version = "1.25.9"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-6YjUokRqx/4/baoImljpk2pSo4E1Wt7ByJgyMKjWxZ4="; + hash = "sha256-DsnvjrzqCXqsN97K6fCachi0Uc2Wvn1u1RPY5Lz5Cc8="; }; strictDeps = true; From b518c99fbbacc3154b91f3ef4a7850222a3df51e Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 10 Dec 2025 22:51:09 +0000 Subject: [PATCH 43/96] libjpeg8: 3.1.2 -> 3.1.3 (cherry picked from commit f5fb6e4cc7d64debda5cf214a37391c1f0e41db1) --- pkgs/by-name/li/libjpeg_turbo/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libjpeg_turbo/package.nix b/pkgs/by-name/li/libjpeg_turbo/package.nix index e30ee22edbd5e..deeed0c7d87da 100644 --- a/pkgs/by-name/li/libjpeg_turbo/package.nix +++ b/pkgs/by-name/li/libjpeg_turbo/package.nix @@ -32,13 +32,13 @@ assert !(enableJpeg7 && enableJpeg8); # pick only one or none, not both stdenv.mkDerivation (finalAttrs: { pname = "libjpeg-turbo"; - version = "3.1.2"; + version = "3.1.3"; src = fetchFromGitHub { owner = "libjpeg-turbo"; repo = "libjpeg-turbo"; tag = finalAttrs.version; - hash = "sha256-tmeWLJxieV42f9ljSpKJoLER4QOYQLsLFC7jW54YZAk="; + hash = "sha256-jcdoCJlsDEr87i5MN4I6zARZVUxQfzdM0Ltg3IyrNRg="; }; patches = From de7f0c031c81dcf72edcf6943728696970934869 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Fri, 19 Dec 2025 06:17:22 +0000 Subject: [PATCH 44/96] xz: 5.8.1 -> 5.8.2 Changes: https://github.com/tukaani-project/xz/releases/tag/v5.8.2 (cherry picked from commit c539824a2e56612fced7d56c4cdb1c681cddfaff) --- pkgs/tools/compression/xz/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 89869d29fc996..756d8f6677a0a 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "xz"; - version = "5.8.1"; + version = "5.8.2"; src = fetchurl { url = with finalAttrs; "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.xz"; - hash = "sha256-C1T3nfhZElBN4LFK7Hlx4/lkSRrxgS2DRHAFgHUTzZ4="; + hash = "sha256-iQlm7D9dXMFRB3h54VfAWTUApSL0E6xQuibSKpoUUhQ="; }; strictDeps = true; From 11dc9c6f3fe8a38fb5a58a3b20d77be7fa91dc20 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 26 Mar 2026 22:13:35 +0000 Subject: [PATCH 45/96] libjpeg8: 3.1.3 -> 3.1.4 (cherry picked from commit 41ff810d2421b01d32f113ce1b970d66616f7493) --- pkgs/by-name/li/libjpeg_turbo/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libjpeg_turbo/package.nix b/pkgs/by-name/li/libjpeg_turbo/package.nix index deeed0c7d87da..5156d1f87d5c6 100644 --- a/pkgs/by-name/li/libjpeg_turbo/package.nix +++ b/pkgs/by-name/li/libjpeg_turbo/package.nix @@ -32,13 +32,13 @@ assert !(enableJpeg7 && enableJpeg8); # pick only one or none, not both stdenv.mkDerivation (finalAttrs: { pname = "libjpeg-turbo"; - version = "3.1.3"; + version = "3.1.4"; src = fetchFromGitHub { owner = "libjpeg-turbo"; repo = "libjpeg-turbo"; tag = finalAttrs.version; - hash = "sha256-jcdoCJlsDEr87i5MN4I6zARZVUxQfzdM0Ltg3IyrNRg="; + hash = "sha256-mxmJejgUqS6OC0U0gHsHHe74X0MTVBY5OCbqxIyWa3Q="; }; patches = From 7b87ff0f32ddd0880014a139acac33b20eefd6e7 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Wed, 1 Apr 2026 21:18:41 +0100 Subject: [PATCH 46/96] xz: 5.8.2 -> 5.8.3 Changes: https://github.com/tukaani-project/xz/releases/tag/v5.8.3 (cherry picked from commit 4c12e84d3f3f12456f9b51ed1d1ab5234cb484fd) --- pkgs/tools/compression/xz/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 756d8f6677a0a..a0e1e67a577cd 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "xz"; - version = "5.8.2"; + version = "5.8.3"; src = fetchurl { url = with finalAttrs; "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.xz"; - hash = "sha256-iQlm7D9dXMFRB3h54VfAWTUApSL0E6xQuibSKpoUUhQ="; + hash = "sha256-//H/zysNqE0wihTeUToaoj1OmqNGTRfmS5cUv90Lv7Y="; }; strictDeps = true; From e233c13cf710bc3449a6597418adff383a7ce637 Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 8 Apr 2026 17:24:41 +0200 Subject: [PATCH 47/96] openssl_3: 3.0.19 -> 3.0.20 (cherry picked from commit 782609f5f75089d8f6e47f105fcb71b8a935412d) --- pkgs/development/libraries/openssl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 460dc0af9cb94..f94a8d064e030 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -426,8 +426,8 @@ in }; openssl_3 = common { - version = "3.0.19"; - hash = "sha256-+lpBQ7iq4YvlPvLzyvKaLgdHQwuLx00y2IM1uUq2MHI="; + version = "3.0.20"; + hash = "sha256-yAoB38cOzk3CEWiTLDdzkELUBNRszIGlmG3XUxTs2m8="; patches = [ # Support for NIX_SSL_CERT_FILE, motivation: From 69058a711f5acdeb159e819b4a45a7a0573ad994 Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 8 Apr 2026 17:25:24 +0200 Subject: [PATCH 48/96] openssl_3_6: 3.6.1 -> 3.6.2 (cherry picked from commit 8390a9a137608411c0e3921235f12af37c9819ec) --- pkgs/development/libraries/openssl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index f94a8d064e030..c99c63800c8d2 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -452,8 +452,8 @@ in }; openssl_3_6 = common { - version = "3.6.1"; - hash = "sha256-sb/tzVson/Iq7ofJ1gD1FXZ+v0X3cWjLbWTyMfUYqC4="; + version = "3.6.2"; + hash = "sha256-qvUaH+BkOE+BHa6utOxNznNA7IvYkwJ+7mdq8x6DoE8="; patches = [ # Support for NIX_SSL_CERT_FILE, motivation: From 8128d184ca923c86ec1d453149cf8b16018faf7b Mon Sep 17 00:00:00 2001 From: Markus Theil Date: Thu, 9 Apr 2026 22:22:30 +0200 Subject: [PATCH 49/96] openssl: cleanup already upstreamed patches Signed-off-by: Markus Theil (cherry picked from commit f61a00a7530a0aad1fe8f71a22a2f20967d42407) --- .../openssl/3.6/mingw-define-netreset.patch | 30 ------------------- .../development/libraries/openssl/default.nix | 3 -- 2 files changed, 33 deletions(-) delete mode 100644 pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch diff --git a/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch b/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch deleted file mode 100644 index 6da9be22ff727..0000000000000 --- a/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3d04d5b678c2f95975d1639dc21398b79308af54 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alexander=20Hansen=20F=C3=A6r=C3=B8y?= -Date: Wed, 28 Jan 2026 17:55:02 +0100 -Subject: [PATCH] Explicitly define `SIO_UDP_NETRESET` for MinGW builds. - -This patch explicitly defines the value `SIO_UDP_NETRESET` according to -both what Windows and ReactOS does. - -Fixes: #29818. ---- - ssl/quic/quic_reactor.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c -index a754f285bbe2b..d8ac969d02a69 100644 ---- a/ssl/quic/quic_reactor.c -+++ b/ssl/quic/quic_reactor.c -@@ -76,6 +76,12 @@ void ossl_quic_reactor_cleanup(QUIC_REACTOR *rtor) - } - - #if defined(OPENSSL_SYS_WINDOWS) -+ -+/* Work around for MinGW builds. */ -+#if defined(__MINGW32__) && !defined(SIO_UDP_NETRESET) -+# define SIO_UDP_NETRESET _WSAIOW(IOC_VENDOR, 15) -+#endif -+ - /* - * On Windows recvfrom() may return WSAECONNRESET when destination port - * used in preceding call to sendto() is no longer reachable. The reset diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index c99c63800c8d2..9de9e1cab2ae5 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -471,9 +471,6 @@ in else ./3.6/use-etc-ssl-certs.patch ) - ] - ++ lib.optionals stdenv.hostPlatform.isMinGW [ - ./3.6/mingw-define-netreset.patch ]; withDocs = true; From 3ef7f58f9040a2e6ee918f02cbbd041e5253688d Mon Sep 17 00:00:00 2001 From: Adrian Pistol Date: Fri, 10 Apr 2026 20:27:26 +0200 Subject: [PATCH 50/96] wolfssl: 5.9.0 -> 5.9.1 (cherry picked from commit 3040774c2f99756cc03c28dd78bbcb2bbd4e73f9) --- pkgs/by-name/wo/wolfssl/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/wo/wolfssl/package.nix b/pkgs/by-name/wo/wolfssl/package.nix index 8418be4e39d4a..9712703a5935f 100644 --- a/pkgs/by-name/wo/wolfssl/package.nix +++ b/pkgs/by-name/wo/wolfssl/package.nix @@ -17,13 +17,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "wolfssl-${variant}"; - version = "5.9.0"; + version = "5.9.1"; src = fetchFromGitHub { owner = "wolfSSL"; repo = "wolfssl"; tag = "v${finalAttrs.version}-stable"; - hash = "sha256-Ov59Zt0UskADQThdzr9wni2junSpy3jiABWpiGr8xtg="; + hash = "sha256-FyEb94hsO2BaTEi1CJRfCsUiT1xyWCzu7Uys81g2CBE="; }; postPatch = '' From 72fd9c167c694817798d04cf1ac6ce5713532a5d Mon Sep 17 00:00:00 2001 From: Kajus Naujokaitis Date: Wed, 11 Feb 2026 16:30:07 +0200 Subject: [PATCH 51/96] xdg-user-dirs: re-enable xdg autostart (cherry picked from commit d605abb1c380fcd0b004f8df2767500a35bb3259) --- pkgs/by-name/xd/xdg-user-dirs/package.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/by-name/xd/xdg-user-dirs/package.nix b/pkgs/by-name/xd/xdg-user-dirs/package.nix index c0423a044442b..772c5873fa044 100644 --- a/pkgs/by-name/xd/xdg-user-dirs/package.nix +++ b/pkgs/by-name/xd/xdg-user-dirs/package.nix @@ -46,6 +46,10 @@ stdenv.mkDerivation (finalAttrs: { substituteInPlace "$out/lib/systemd/user/xdg-user-dirs.service" \ --replace-fail "/usr/bin/xdg-user-dirs-update" "$out/bin/xdg-user-dirs-update" + + # Autostart, because the installed service is never explicitly enabled in NixOS + substituteInPlace "$out/etc/xdg/autostart/xdg-user-dirs.desktop" \ + --replace-fail "X-systemd-skip=true" "X-systemd-skip=false" ''; meta = { From bdcd56c3d695a19326f3a9374f77ad2ba9b9fa9c Mon Sep 17 00:00:00 2001 From: Raphael Robatsch Date: Mon, 13 Apr 2026 21:08:21 +0200 Subject: [PATCH 52/96] mbedtls: Skip -fzero-init-padding-bits on GCC 14 This flag is only supported since GCC 15, using it on earlier versions causes a compiler error. The flag restores the behaviour of earlier GCC versions when zero initializing the first member of an union. Therefore, GCC 14 and older already compile mbedtls the intended way. Link: https://github.com/NixOS/nixpkgs/pull/504318 Link: https://trofi.github.io/posts/328-c-union-init-and-gcc-15.html --- pkgs/development/libraries/mbedtls/generic.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix index 2a7f436e9c67b..05e42594795a3 100644 --- a/pkgs/development/libraries/mbedtls/generic.nix +++ b/pkgs/development/libraries/mbedtls/generic.nix @@ -55,7 +55,7 @@ stdenv.mkDerivation rec { # https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0 below "Requirement changes". "-DGEN_FILES=off" ] - ++ lib.optionals stdenv.cc.isGNU [ + ++ lib.optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "15.0") [ # mbedtls widely uses a pattern of starting unions with an # unsigned int dummy member, and then initializing those unions to # { 0 }. The problem with this is that it only initializes that From 449e7da763b163a893d7cbeafe9c0ec36a4c9e2f Mon Sep 17 00:00:00 2001 From: karimKandil0 Date: Sat, 11 Apr 2026 17:21:36 +0200 Subject: [PATCH 53/96] coreutils: skip flaky du tests tests/du/deref.sh and tests/du/inacc-dir.sh can fail depending on filesystem behavior due to non-deterministic disk usage. Other du tests are already skipped in nixpkgs, so extend the skip list accordingly. Fixes #508849 (cherry picked from commit 827a794ce4c87ac6dea043fd5ec5dd32e5331ed6) --- pkgs/tools/misc/coreutils/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index dd6cfcdb68d07..4018d96b386b6 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -115,6 +115,10 @@ stdenv.mkDerivation rec { # intermittent failures on builders, unknown reason sed '2i echo Skipping du basic test && exit 77' -i ./tests/du/basic.sh + # flaky on some filesystems due to non-deterministic disk usage + sed '2i echo Skipping du deref test && exit 77' -i ./tests/du/deref.sh + sed '2i echo Skipping du inacc-dir test && exit 77' -i ./tests/du/inacc-dir.sh + # fails when syscalls related to acl not being available, e.g. in sandboxed environment sed '2i echo Skipping ls -al with acl test && exit 77' -i ./tests/ls/acl.sh '' From 0138ac0e182a26cc47ef8fb3f4483ba4054af7bc Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Tue, 14 Apr 2026 14:58:15 +0200 Subject: [PATCH 54/96] imagemagick: 7.1.2-18 -> 7.1.2-19 changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.2-18...7.1.2-19 (cherry picked from commit 6089739e94edade5b533754902b006318e05c4ec) --- pkgs/applications/graphics/ImageMagick/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 804d858bf078e..8114fac32fe78 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix @@ -85,13 +85,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-18"; + version = "7.1.2-19"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-bt8PlCeEWaRsdMe/FP4HSgmzi1OATjH2Kx233OgleyI="; + hash = "sha256-4uASM+GRTe0ES6FdshUMMkVof4IlLV+CMm2l+v5qZN0="; }; outputs = [ From 0b72895d01294a292140cd18120ef1024c79f744 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Na=C3=AFm=20Camille=20Favier?= Date: Tue, 14 Apr 2026 17:34:59 +0200 Subject: [PATCH 55/96] jq: apply CVE patches Apply upstream patches for CVE-2026-32316, CVE-2026-33947, CVE-2026-33948, CVE-2026-39979, and CVE-2026-40164. (cherry picked from commit be36545b301bb7e4e0f46dd949db092a30a963d2) --- pkgs/by-name/jq/jq/CVE-2026-32316.patch | 49 ++++++++++++++ pkgs/by-name/jq/jq/CVE-2026-33947.patch | 66 +++++++++++++++++++ pkgs/by-name/jq/jq/CVE-2026-33948.patch | 45 +++++++++++++ pkgs/by-name/jq/jq/CVE-2026-39979.patch | 27 ++++++++ pkgs/by-name/jq/jq/CVE-2026-40164.patch | 87 +++++++++++++++++++++++++ pkgs/by-name/jq/jq/package.nix | 5 ++ 6 files changed, 279 insertions(+) create mode 100644 pkgs/by-name/jq/jq/CVE-2026-32316.patch create mode 100644 pkgs/by-name/jq/jq/CVE-2026-33947.patch create mode 100644 pkgs/by-name/jq/jq/CVE-2026-33948.patch create mode 100644 pkgs/by-name/jq/jq/CVE-2026-39979.patch create mode 100644 pkgs/by-name/jq/jq/CVE-2026-40164.patch diff --git a/pkgs/by-name/jq/jq/CVE-2026-32316.patch b/pkgs/by-name/jq/jq/CVE-2026-32316.patch new file mode 100644 index 0000000000000..29d08c9adcd79 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-32316.patch @@ -0,0 +1,49 @@ +From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Thu, 12 Mar 2026 20:28:43 +0900 +Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and + `jvp_string_copy_replace_bad` + +In `jvp_string_append`, the allocation size `(currlen + len) * 2` could +overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small +allocation followed by a large `memcpy`. + +In `jvp_string_copy_replace_bad`, the output buffer size calculation +`length * 3 + 1` could overflow `uint32_t`, again resulting in a small +allocation followed by a large write. + +Add overflow checks to both functions to return an error for strings +that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. +--- + src/jv.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 722a539391..2a62b48419 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) { + const char* end = data + length; + const char* i = data; + +- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ uint64_t maxlength = (uint64_t)length * 3 + 1; ++ if (maxlength >= INT_MAX) { ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } ++ + jvp_string* s = jvp_string_alloc(maxlength); + char* out = s->data; + int c = 0; +@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) { + static jv jvp_string_append(jv string, const char* data, uint32_t len) { + jvp_string* s = jvp_string_ptr(string); + uint32_t currlen = jvp_string_length(s); ++ if ((uint64_t)currlen + len >= INT_MAX) { ++ jv_free(string); ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } + + if (jvp_refcnt_unshared(string.u.ptr) && + jvp_string_remaining_space(s) >= len) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33947.patch b/pkgs/by-name/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000000..9f31fd82b0574 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-33947.patch @@ -0,0 +1,66 @@ +From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:23:40 +0900 +Subject: [PATCH] Limit path depth to prevent stack overflow + +Deeply nested path arrays can cause unbounded recursion in +`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to +stack overflow. Add a depth limit of 10000 to match the +existing `tojson` depth limit. This fixes CVE-2026-33947. +--- + src/jv_aux.c | 21 +++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/jv_aux.c b/src/jv_aux.c +index 018f380b10..fd5ff96684 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) { + return t; + } + ++#ifndef MAX_PATH_DEPTH ++#define MAX_PATH_DEPTH (10000) ++#endif ++ + jv jv_setpath(jv root, jv path, jv value) { + if (jv_get_kind(path) != JV_KIND_ARRAY) { + jv_free(value); +@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(value); ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)){ + jv_free(value); + jv_free(path); +@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)) { + jv_free(path); + return root; +@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) { + jv_free(elem); + return err; + } ++ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { ++ jv_free(object); ++ jv_free(paths); ++ jv_free(elem); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + jv_free(elem); + } + if (jv_array_length(jv_copy(paths)) == 0) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33948.patch b/pkgs/by-name/jq/jq/CVE-2026-33948.patch new file mode 100644 index 0000000000000..5b6497e1469df --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-33948.patch @@ -0,0 +1,45 @@ +From 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:46:11 +0900 +Subject: [PATCH] Fix NUL truncation in the JSON parser + +This fixes CVE-2026-33948. +--- + src/util.c | 8 +------- + tests/shtest | 6 ++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index fdfdb96d88..80d65fc808 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -312,13 +312,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { + if (p != NULL) + state->current_line++; + +- if (p == NULL && state->parser != NULL) { +- /* +- * There should be no NULs in JSON texts (but JSON text +- * sequences are another story). +- */ +- state->buf_valid_len = strlen(state->buf); +- } else if (p == NULL && feof(state->current_input)) { ++ if (p == NULL && feof(state->current_input)) { + size_t i; + + /* +diff --git a/tests/shtest b/tests/shtest +index cb88745277..370f7b7c69 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -880,4 +880,10 @@ $JQ -nf $d/prog.jq 2> $d/out && { + } + diff $d/out $d/expected + ++# CVE-2026-33948: No NUL truncation in the JSON parser ++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then ++ printf 'Error expected but jq exited successfully\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/pkgs/by-name/jq/jq/CVE-2026-39979.patch b/pkgs/by-name/jq/jq/CVE-2026-39979.patch new file mode 100644 index 0000000000000..cc0c3d17f77f6 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-39979.patch @@ -0,0 +1,27 @@ +From 2f09060afab23fe9390cce7cb860b10416e1bf5f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:04:52 +0900 +Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized() + +This fixes CVE-2026-39979. + +Co-authored-by: Mattias Wadman +--- + src/jv_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index aa2054cc09..56847b5eaa 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -893,8 +893,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff --git a/pkgs/by-name/jq/jq/CVE-2026-40164.patch b/pkgs/by-name/jq/jq/CVE-2026-40164.patch new file mode 100644 index 0000000000000..483316f64b4bb --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-40164.patch @@ -0,0 +1,87 @@ +From 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:53:26 +0900 +Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks + +The hash function used a fixed seed, allowing attackers to craft colliding keys +and cause O(n^2) object parsing performance. Initialize the seed from a random +source at process startup to prevent the attack. This fixes CVE-2026-40164. + +Co-authored-by: Asaf Meizner +--- + configure.ac | 2 ++ + src/jv.c | 34 ++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5dac42655a..f7067a4341 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) + + dnl Figure out if we have the pthread functions we actually need + AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) +diff --git a/src/jv.c b/src/jv.c +index 2a62b48419..607ac174f7 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -40,6 +40,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -1206,7 +1210,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -1225,7 +1255,7 @@ static uint32_t jvp_string_hash(jv jstr) { + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff --git a/pkgs/by-name/jq/jq/package.nix b/pkgs/by-name/jq/jq/package.nix index b2a0941a79fe4..31633d27ba033 100644 --- a/pkgs/by-name/jq/jq/package.nix +++ b/pkgs/by-name/jq/jq/package.nix @@ -32,6 +32,11 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./musl.patch + ./CVE-2026-32316.patch + ./CVE-2026-33947.patch + ./CVE-2026-33948.patch + ./CVE-2026-39979.patch + ./CVE-2026-40164.patch ] ++ lib.optionals stdenv.hostPlatform.is32bit [ # needed because epoch conversion test here is right at the end of 32 bit integer space From 267afd619efc138ac230b285ae924faec4b9bb43 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Thu, 16 Apr 2026 10:07:39 +0200 Subject: [PATCH 56/96] python3Packages.pillow: apply patch for CVE-2026-40192 https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j Fixes https://github.com/NixOS/nixpkgs/issues/510505 Not-cherry-picked-because: 12.2.0 release notes mentions API changes and the patch applies cleanly --- pkgs/development/python-modules/pillow/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix index bc4007bd63c9b..94debf52dc9d3 100644 --- a/pkgs/development/python-modules/pillow/default.nix +++ b/pkgs/development/python-modules/pillow/default.nix @@ -4,6 +4,7 @@ buildPythonPackage, pythonOlder, fetchFromGitHub, + fetchpatch, # build-system setuptools, @@ -54,6 +55,15 @@ buildPythonPackage rec { hash = "sha256-NlmNabyoHiakwvomjivTA7N304ovNCMDSaBLSmcmZ7w="; }; + patches = [ + (fetchpatch { + # https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j + name = "CVE-2026-40192.patch"; + url = "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628.patch"; + hash = "sha256-7Hh72WoD7Iy/aB1J7w5X6ge3wx4lPWAQrOR6luO0FOg="; + }) + ]; + build-system = [ setuptools pybind11 From b03b950370fae8294dbdbbf5c851b59362e4abb8 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 16 Apr 2026 14:24:41 +0200 Subject: [PATCH 57/96] python3Packages.pyopenssl: backport 26.0 security fixes Fixes: CVE-2026-27459, CVE-2026-27448 --- .../python-modules/pyopenssl/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pkgs/development/python-modules/pyopenssl/default.nix b/pkgs/development/python-modules/pyopenssl/default.nix index 4d1273ad71fd0..4c61fa9bc75a6 100644 --- a/pkgs/development/python-modules/pyopenssl/default.nix +++ b/pkgs/development/python-modules/pyopenssl/default.nix @@ -3,6 +3,7 @@ stdenv, buildPythonPackage, fetchFromGitHub, + fetchpatch, openssl, setuptools, cryptography, @@ -26,6 +27,21 @@ buildPythonPackage rec { hash = "sha256-QF511MVyjfddmkTd2H7RNJeoWs+e0me4i55YGP4t910="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-27459.patch"; + url = "https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408.patch"; + excludes = [ "CHANGELOG.rst" ]; + hash = "sha256-pj1T6E8+wbLGeu9BinX95XUayn1CAm31QlvrNocKdDc="; + }) + (fetchpatch { + name = "CVE-2026-27448.patch"; + url = "https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0.patch"; + excludes = [ "CHANGELOG.rst" ]; + hash = "sha256-tpFgG92PxeAr2aN1NalqcV5CCPt8SJe68VacEXSFMUw="; + }) + ]; + outputs = [ "out" "dev" From 8a97e77d1b0e86e0c825ce44348090d568c62d14 Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Sun, 5 Apr 2026 20:23:16 -0700 Subject: [PATCH 58/96] openssh: 10.2p1 -> 10.3p1 (cherry picked from commit 625b04014302131fed8732b0f6b2fcc441bb9991) --- pkgs/tools/networking/openssh/common.nix | 3 ++- pkgs/tools/networking/openssh/default.nix | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix index bafb82fa50909..68cc990af7a9a 100644 --- a/pkgs/tools/networking/openssh/common.nix +++ b/pkgs/tools/networking/openssh/common.nix @@ -71,7 +71,8 @@ stdenv.mkDerivation (finalAttrs: { # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch - + ] + ++ lib.optionals (lib.versionOlder finalAttrs.version "10.3") [ # See discussion in https://github.com/NixOS/nixpkgs/issues/466049 and # https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/23 (fetchpatch { diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 6e95321b3de1a..72a1e8d5c1594 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -14,11 +14,11 @@ in { openssh = common rec { pname = "openssh"; - version = "10.2p1"; + version = "10.3p1"; src = fetchurl { url = urlFor version; - hash = "sha256-zMQsBBmTeVkmP6Hb0W2vwYxWuYTANWLSk3zlamD3mLI="; + hash = "sha256-VmgqNruS3PS08Bb9jsjnQFm3mo3iXBXWcNcx59GORfQ="; }; extraPatches = [ From 4484a4feed6d950525fd90b70a87c0e29aa95e15 Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Sun, 5 Apr 2026 20:30:43 -0700 Subject: [PATCH 59/96] openssh_gssapi: update patch to latest (cherry picked from commit aa13fbfb81d1819c2665f7c20bd0574c5f2795a1) --- pkgs/tools/networking/openssh/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 72a1e8d5c1594..35ece9ce73963 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -95,8 +95,8 @@ in (fetchpatch { name = "openssh-gssapi.patch"; - url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.1p1-1/debian/patches/gssapi.patch"; - hash = "sha256-/wJ3AA+RscHjFRSeL0LENviKlCglpOi7HNuCxidpQV8="; + url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.2p1-6/debian/patches/gssapi.patch"; + hash = "sha256-mYrJJrE6l0r/VYLWlOTGkKLzj9Dj4wOLgJyW/NLGaeo="; }) ]; From c2d363f2f2f453c9f85c2cb40d1e1319ff288fa9 Mon Sep 17 00:00:00 2001 From: Matteo Pacini Date: Wed, 15 Apr 2026 21:38:18 +0100 Subject: [PATCH 60/96] aws-c-event-stream: 0.5.7 -> 0.7.0, fix CVE-2026-5190 (cherry picked from commit a053d33da81c9ac93afc1644be1b3b7cb6b2f6bb) --- pkgs/by-name/aw/aws-c-event-stream/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/aw/aws-c-event-stream/package.nix b/pkgs/by-name/aw/aws-c-event-stream/package.nix index 7d61c6a35e310..ef411f92124b7 100644 --- a/pkgs/by-name/aw/aws-c-event-stream/package.nix +++ b/pkgs/by-name/aw/aws-c-event-stream/package.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation rec { pname = "aws-c-event-stream"; # nixpkgs-update: no auto update - version = "0.5.7"; + version = "0.7.0"; src = fetchFromGitHub { owner = "awslabs"; repo = "aws-c-event-stream"; - rev = "v${version}"; - hash = "sha256-JvjUrIj1bh5WZEzkauLSLIolxrT8CKIMjO7p1c35XZI="; + tag = "v${version}"; + hash = "sha256-jMtLJjKC7TuNZ0c0Nc3+KRh226RBl0omkiKNXXBltoc="; }; nativeBuildInputs = [ cmake ]; From 39417f53bde41e6f094f7b79ac024d7108486b37 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 17 Apr 2026 00:53:45 +0200 Subject: [PATCH 61/96] cacert: 3.121 -> 3.123 (cherry picked from commit b7996f9430ef97b868ff8baf5afe8a9a9ee5f12b) --- pkgs/by-name/ca/cacert/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index 61c9fcded8c6b..31e0ebd808882 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -20,7 +20,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - version = "3.121"; + version = "3.123"; meta = { homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; @@ -48,7 +48,7 @@ stdenv.mkDerivation { "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" ]; - hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM="; + hash = "sha256-dxMO+RITdyhEVh+9OqMdQTslwqx/V2/qO8O7/375NIk="; }; unpackPhase = '' From c614c66d3017614b305844b845ebd2cf42ced150 Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 7 Apr 2026 00:01:29 +0200 Subject: [PATCH 62/96] nixos/systemd: fix modprobe Upstream systemd changed how modprobe is discovered. It is now searched for on path. Thus, add the kmod package to the ExecSearchPath of the modprobe@.service. (cherry picked from commit d36077c0b686c91cea9d20edd58da632d4f28318) --- nixos/modules/system/boot/systemd.nix | 4 ++++ nixos/tests/systemd-misc.nix | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 3c827c3d6627c..7ee68146c650c 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -741,6 +741,10 @@ in path = [ pkgs.util-linux ]; overrideStrategy = "asDropin"; }; + systemd.services."modprobe@" = { + restartIfChanged = false; + serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.kmod ]; + }; systemd.services.systemd-random-seed.restartIfChanged = false; systemd.services.systemd-remount-fs.restartIfChanged = false; systemd.services.systemd-update-utmp.restartIfChanged = false; diff --git a/nixos/tests/systemd-misc.nix b/nixos/tests/systemd-misc.nix index 2623f78add63b..30f9fe720059f 100644 --- a/nixos/tests/systemd-misc.nix +++ b/nixos/tests/systemd-misc.nix @@ -60,5 +60,10 @@ in machine.succeed("systemctl status example.service | grep 'Active: active'") machine.succeed("systemctl show --property TasksMax --value user-1000.slice | grep 100") + + with subtest("modprobe@ services work"): + modprobe_service_status = machine.succeed("systemctl show --property ExecMainStatus modprobe@configfs.service") + print(modprobe_service_status) + t.assertEqual("ExecMainStatus=0\n", modprobe_service_status) ''; } From 07fddb4762c1b41af488f70748623b23f655504e Mon Sep 17 00:00:00 2001 From: "Adam C. Stephens" Date: Fri, 3 Apr 2026 16:39:01 -0400 Subject: [PATCH 63/96] mimir: 3.0.4 -> 3.0.5 Changelog: https://github.com/grafana/mimir/releases/tag/mimir-3.0.5 (cherry picked from commit 0e449a7cb1d1670c84dac72969a9d971231686a9) --- pkgs/by-name/mi/mimir/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index 55267f83054f1..34ac678352203 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.4"; + version = "3.0.5"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-AVH2hY9BhQ6R8WCw6DcdkUSBzm5cTWyBL1pbqnRMVdE="; + hash = "sha256-C7vfJrcFin4zv/wO9IWIzUPtjiOAoOEWcniCTNm1eRs="; }; vendorHash = null; @@ -39,7 +39,7 @@ buildGoModule (finalAttrs: { updateScript = nix-update-script { extraArgs = [ "--version-regex" - "mimir-([0-9.]+)" + "mimir-(3\.[0-9.]+)" ]; }; tests = { From 9fb93890048d1a84fa3df67d59fe42ae9f8989ad Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Sat, 4 Apr 2026 15:57:34 -0400 Subject: [PATCH 64/96] mimir: fix escape (cherry picked from commit 1940674cb414fbda5b742906b40c0cd17f9d99b6) --- pkgs/by-name/mi/mimir/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index 34ac678352203..2b1fe31974d0f 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -39,7 +39,7 @@ buildGoModule (finalAttrs: { updateScript = nix-update-script { extraArgs = [ "--version-regex" - "mimir-(3\.[0-9.]+)" + "mimir-(3\\.[0-9.]+)" ]; }; tests = { From 6feb5735c96d084de64fc1b81f03a9ab81db2607 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 21 Apr 2026 05:11:27 +0000 Subject: [PATCH 65/96] mimir: 3.0.5 -> 3.0.6 (cherry picked from commit 767836426aef3f85424179fbb0a432ac09fdad9b) --- pkgs/by-name/mi/mimir/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index 2b1fe31974d0f..ba5e0d5907ffa 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.5"; + version = "3.0.6"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-C7vfJrcFin4zv/wO9IWIzUPtjiOAoOEWcniCTNm1eRs="; + hash = "sha256-rz1Wzsnxt8eGf0rkI8pvhpft+EhTUsdFK4s+9QVn7dg="; }; vendorHash = null; From a3cc5d38c8701b1eb7b8a90242908fae2460a2bd Mon Sep 17 00:00:00 2001 From: Marcel Date: Thu, 16 Apr 2026 12:27:18 +0200 Subject: [PATCH 66/96] nodejs_{20,22}: disable broken openssl tests (cherry picked from commit f5248024d1a33a17fb381e9afb019b0189b2737c) --- pkgs/development/web/nodejs/nodejs.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index d11aafdb1713d..772aa6c816010 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -430,6 +430,12 @@ let ++ lib.optional ( majorVersion == "22" && stdenv.buildPlatform.isDarwin ) "test/sequential/test-http-server-request-timeouts-mixed.js" + # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 + # OpenSSL reports different errors + # https://github.com/nodejs/node/pull/62629 + # patch does not apply + ++ lib.optional (!lib.versionAtLeast version "24") "test-tls-junk-server" + ++ lib.optional (majorVersion == "22") "test-tls-alert-handling" ) }" ]; From 6df8b971dd4ee39a3da70eb7218f7401fb779a0d Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sun, 12 Apr 2026 23:46:03 +0200 Subject: [PATCH 67/96] systemd: 258.5 -> 258.7 Fixes https://github.com/NixOS/nixpkgs/issues/508870 / CVE-2026-40225 Not-cherry-picked-because: unstable is using 260 --- pkgs/os-specific/linux/systemd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index acb4c053438cf..ba7fdacb2fe6f 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -207,13 +207,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "258.5"; + version = "258.7"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-3xz8q0R0gMAwRDV2QmYO0r/0Fw+9LOyR3O3XuMrTpgY="; + hash = "sha256-ehxf7szijCJGZ1lqZsvoDrahGp8P3IgWH6mUJ2Yx9S0="; }; # On major changes, or when otherwise required, you *must* : From ad206845cc359efc1eef48f36ad29ddefe01ab87 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Thu, 23 Apr 2026 18:14:37 +0200 Subject: [PATCH 68/96] libgudev: disable test-gudevdevice Works around https://gitlab.gnome.org/GNOME/libgudev/-/issues/10 This is (partial) backport of e01ab042879d3baf93072080a3339e6b2aa8213f Not-cherry-picked-because: 258.7 is a backported version of 259.5 --- pkgs/by-name/li/libgudev/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/li/libgudev/package.nix b/pkgs/by-name/li/libgudev/package.nix index 1db56931abc0c..5a673586c4832 100644 --- a/pkgs/by-name/li/libgudev/package.nix +++ b/pkgs/by-name/li/libgudev/package.nix @@ -74,6 +74,11 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "tests" finalAttrs.finalPackage.doCheck) ]; + # https://gitlab.gnome.org/GNOME/libgudev/-/issues/10 + preCheck = '' + mesonCheckFlagsArray=( $(meson test --list | grep -v test-gudevdevice) ) + ''; + passthru = { updateScript = gnome.updateScript { packageName = "libgudev"; From 95908e6fc2f720a1897d6f1fdcb40d4cddcc2554 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 24 Apr 2026 01:12:04 +0200 Subject: [PATCH 69/96] nss: 3.112.3 -> 3.112.5 https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_3_112_5.rst (cherry picked from commit 9a5093062002a795ebde4b306e10617a9cc40814) --- pkgs/development/libraries/nss/esr.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/nss/esr.nix b/pkgs/development/libraries/nss/esr.nix index 6e835d0dc71fb..b2f2f54591b3d 100644 --- a/pkgs/development/libraries/nss/esr.nix +++ b/pkgs/development/libraries/nss/esr.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "3.112.3"; - hash = "sha256-1gOfP3HM1irGuJ+ln6n1toJC46+K5Z7pGm26vSryU7M="; + version = "3.112.5"; + hash = "sha256-+u29CbE5IyapF5w4IeBXDiiNK7usVn30C08G5FWVC88="; filename = "esr.nix"; versionRegex = "NSS_(3)_(112)(?:_(\\d+))?_RTM"; } From 653402a327680a4271a85dd5b98e732660c10247 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 23 Nov 2025 07:40:19 +0000 Subject: [PATCH 70/96] nghttp3: 1.12.0 -> 1.13.0 (cherry picked from commit 49b9b8c0b5e5bcc698ffef5ea22f83c259fdb39a) --- pkgs/by-name/ng/nghttp3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ng/nghttp3/package.nix b/pkgs/by-name/ng/nghttp3/package.nix index cff35f454d3a4..3885fc9b8ab7c 100644 --- a/pkgs/by-name/ng/nghttp3/package.nix +++ b/pkgs/by-name/ng/nghttp3/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "nghttp3"; - version = "1.12.0"; + version = "1.13.0"; src = fetchurl { url = "https://github.com/ngtcp2/nghttp3/releases/download/v${finalAttrs.version}/nghttp3-${finalAttrs.version}.tar.bz2"; - hash = "sha256-KFl4NTevIT1npc5Cd923nIlBrUXtv6XM3VLZz0/6Qi0="; + hash = "sha256-hl22uuyA5zo7cXIJVgajvK85I0iQbhBBGtaQb6SfRy4="; }; outputs = [ From 54f8a254bf9bc7067e92099ae1683af256fc5a73 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 27 Nov 2025 17:55:35 +0000 Subject: [PATCH 71/96] ngtcp2: 1.17.0 -> 1.18.0 (cherry picked from commit bbd09b2b5d68a90a3a58ea771affacbef837124a) --- pkgs/development/libraries/ngtcp2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index cef563d99f7af..d5adaf38f7971 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -14,11 +14,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ngtcp2"; - version = "1.17.0"; + version = "1.18.0"; src = fetchurl { url = "https://github.com/ngtcp2/ngtcp2/releases/download/v${finalAttrs.version}/ngtcp2-${finalAttrs.version}.tar.bz2"; - hash = "sha256-j8hYGdFp5il4pODbNlVILOdJUafqsMdmc3tXoxQY2mE="; + hash = "sha256-E7r7bFCdv2pw2WBaLIkuE/WuuTZnOZWHeKhXvHDOH6c="; }; outputs = [ From 37fe379ae38132aee6bb21e82daf2f13d4084590 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Wed, 3 Dec 2025 21:27:32 +0000 Subject: [PATCH 72/96] nghttp3: 1.13.0 -> 1.13.1 Changes: https://github.com/ngtcp2/nghttp3/releases/tag/v1.13.1 (cherry picked from commit 138a3a85e0b08a75c49668ba6d5bf493bf4bb833) --- pkgs/by-name/ng/nghttp3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ng/nghttp3/package.nix b/pkgs/by-name/ng/nghttp3/package.nix index 3885fc9b8ab7c..410708dbb7f01 100644 --- a/pkgs/by-name/ng/nghttp3/package.nix +++ b/pkgs/by-name/ng/nghttp3/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "nghttp3"; - version = "1.13.0"; + version = "1.13.1"; src = fetchurl { url = "https://github.com/ngtcp2/nghttp3/releases/download/v${finalAttrs.version}/nghttp3-${finalAttrs.version}.tar.bz2"; - hash = "sha256-hl22uuyA5zo7cXIJVgajvK85I0iQbhBBGtaQb6SfRy4="; + hash = "sha256-8lH+Vm4oIdz9BChVN15QsevqxfHKeUjQDiFWPFgiHiA="; }; outputs = [ From aa687c1922e6b28ee8daf527bf11d6473115fc0c Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 11 Jan 2026 06:56:11 +0000 Subject: [PATCH 73/96] ngtcp2: 1.18.0 -> 1.19.0 (cherry picked from commit 24bc54120f0ac9ffd81254f9f1b40cdd431f7fb5) --- pkgs/development/libraries/ngtcp2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index d5adaf38f7971..c200ed90b8b60 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -14,11 +14,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ngtcp2"; - version = "1.18.0"; + version = "1.19.0"; src = fetchurl { url = "https://github.com/ngtcp2/ngtcp2/releases/download/v${finalAttrs.version}/ngtcp2-${finalAttrs.version}.tar.bz2"; - hash = "sha256-E7r7bFCdv2pw2WBaLIkuE/WuuTZnOZWHeKhXvHDOH6c="; + hash = "sha256-snZBbT1cChV4En+8Q2qXLRD0vK66g6aj2ukbQcxRqTI="; }; outputs = [ From 3a1b0c750d7df9dd664d0627eb36b07be1ffcefe Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sat, 27 Dec 2025 12:57:57 +0000 Subject: [PATCH 74/96] nghttp3: 1.13.1 -> 1.14.0 Changes: https://github.com/ngtcp2/nghttp3/releases/tag/v1.14.0 (cherry picked from commit 809fe74f4e6d3d7e1092eb21bd8049b0fdd7ad38) --- pkgs/by-name/ng/nghttp3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ng/nghttp3/package.nix b/pkgs/by-name/ng/nghttp3/package.nix index 410708dbb7f01..5741d2dd8cc5b 100644 --- a/pkgs/by-name/ng/nghttp3/package.nix +++ b/pkgs/by-name/ng/nghttp3/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "nghttp3"; - version = "1.13.1"; + version = "1.14.0"; src = fetchurl { url = "https://github.com/ngtcp2/nghttp3/releases/download/v${finalAttrs.version}/nghttp3-${finalAttrs.version}.tar.bz2"; - hash = "sha256-8lH+Vm4oIdz9BChVN15QsevqxfHKeUjQDiFWPFgiHiA="; + hash = "sha256-JUi0zz3Bl6hB30/rBv1jfRlx4dahu+ES3KLsYYqz6UU="; }; outputs = [ From 4b51ce38b699b9712e4f0187af94801864359865 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sat, 4 Apr 2026 19:40:30 +0000 Subject: [PATCH 75/96] ngtcp2: 1.19.0 -> 1.22.0 (cherry picked from commit 60ecbe49a28a0ce65391e62de1f7c8bf4643bc1b) --- pkgs/development/libraries/ngtcp2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index c200ed90b8b60..9d6ae5fdb680a 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -14,11 +14,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ngtcp2"; - version = "1.19.0"; + version = "1.22.0"; src = fetchurl { url = "https://github.com/ngtcp2/ngtcp2/releases/download/v${finalAttrs.version}/ngtcp2-${finalAttrs.version}.tar.bz2"; - hash = "sha256-snZBbT1cChV4En+8Q2qXLRD0vK66g6aj2ukbQcxRqTI="; + hash = "sha256-P+q2i4PqGpbXur+mxvYYaYmJ2+HAm9dglpuCJ429GGM="; }; outputs = [ From 5589935f7898bf2201a29c43f65ef49fd76f5504 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Mon, 23 Feb 2026 21:16:10 +0000 Subject: [PATCH 76/96] nghttp3: 1.14.0 -> 1.15.0 (cherry picked from commit b40cd566cca356792ae2b274dd9f13a8eb31c4f9) --- pkgs/by-name/ng/nghttp3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ng/nghttp3/package.nix b/pkgs/by-name/ng/nghttp3/package.nix index 5741d2dd8cc5b..d4dfa3d20d705 100644 --- a/pkgs/by-name/ng/nghttp3/package.nix +++ b/pkgs/by-name/ng/nghttp3/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "nghttp3"; - version = "1.14.0"; + version = "1.15.0"; src = fetchurl { url = "https://github.com/ngtcp2/nghttp3/releases/download/v${finalAttrs.version}/nghttp3-${finalAttrs.version}.tar.bz2"; - hash = "sha256-JUi0zz3Bl6hB30/rBv1jfRlx4dahu+ES3KLsYYqz6UU="; + hash = "sha256-xsSRpSgEgUCY5EZjDm78RZr8DT2nlS/+bL3As/mbK2I="; }; outputs = [ From 23b1b7afe6c71ec6af68f1bea5eaa1da33f3533f Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Fri, 17 Apr 2026 22:57:09 +0200 Subject: [PATCH 77/96] ngtcp2: 1.22.0 -> 1.22.1 changelog: https://github.com/ngtcp2/ngtcp2/releases/tag/v1.22.1 diff: https://github.com/ngtcp2/ngtcp2/compare/v1.22.0...v1.22.1 (cherry picked from commit 9da46051aff0118c570b7e56d1b6f6b67fc0f656) --- pkgs/development/libraries/ngtcp2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index 9d6ae5fdb680a..0a660f088d68f 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -14,11 +14,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ngtcp2"; - version = "1.22.0"; + version = "1.22.1"; src = fetchurl { url = "https://github.com/ngtcp2/ngtcp2/releases/download/v${finalAttrs.version}/ngtcp2-${finalAttrs.version}.tar.bz2"; - hash = "sha256-P+q2i4PqGpbXur+mxvYYaYmJ2+HAm9dglpuCJ429GGM="; + hash = "sha256-hzVHltWssZvzEMt3vgS9IgDDImWmvnyUuGMeJsjpPKQ="; }; outputs = [ From 597459f0696d3ffba617ed6895f0dadb7f399801 Mon Sep 17 00:00:00 2001 From: whispers Date: Mon, 13 Apr 2026 14:38:07 -0400 Subject: [PATCH 78/96] libarchive: 3.8.6 -> 3.8.7 Release: https://github.com/libarchive/libarchive/releases/tag/v3.8.7 Diff: https://github.com/libarchive/libarchive/compare/v3.8.6...v3.8.7 (cherry picked from commit b16ab340aad52c31249edc718d7417928f90f5ab) --- pkgs/by-name/li/libarchive/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libarchive/package.nix b/pkgs/by-name/li/libarchive/package.nix index 0c9dfead431d1..3b847df96d82b 100644 --- a/pkgs/by-name/li/libarchive/package.nix +++ b/pkgs/by-name/li/libarchive/package.nix @@ -31,13 +31,13 @@ assert xarSupport -> libxml2 != null; stdenv.mkDerivation (finalAttrs: { pname = "libarchive"; - version = "3.8.6"; + version = "3.8.7"; src = fetchFromGitHub { owner = "libarchive"; repo = "libarchive"; rev = "v${finalAttrs.version}"; - hash = "sha256-XNFw0h++7B3ODnEi50zd7q/j1bYQzL1IKB2q3p4IzB4="; + hash = "sha256-LpD+lE+0PZi/3nYDVPXhBQL9A7mvqelOzRLskVtg9Y0="; }; outputs = [ From ff86ebff2cbeaa5225f629be605a9f5b944be47e Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Thu, 23 Apr 2026 18:46:42 +0100 Subject: [PATCH 79/96] python3Packages.python-multipart: add patches for CVE-2026-40347 (cherry picked from commit 1baec23947f334b219725da84092cabc4f3fb013) --- .../CVE-2026-40347-part-2.patch | 106 ++++++++++++++++++ .../python-multipart/default.nix | 10 ++ 2 files changed, 116 insertions(+) create mode 100644 pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch diff --git a/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch b/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch new file mode 100644 index 0000000000000..ea8e5b2e95f85 --- /dev/null +++ b/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch @@ -0,0 +1,106 @@ +Based on upstream d4452a78bbde94995dd3c0d1b4aff3610a5c472f, adjusted +to apply to 0.0.22 + +diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py +index 0f238c2..d2a597e 100644 +--- a/python_multipart/multipart.py ++++ b/python_multipart/multipart.py +@@ -1418,12 +1418,8 @@ class MultipartParser(BaseParser): + state = MultipartState.END + + elif state == MultipartState.END: +- # Don't do anything if chunk ends with CRLF. +- if c == CR and i + 1 < length and data[i + 1] == LF: +- i += 2 +- continue +- # Skip data after the last boundary. +- self.logger.warning("Skipping data after last boundary") ++ # Silently discard any epilogue data (RFC 2046 section 5.1.1 allows a CRLF and optional ++ # epilogue after the closing boundary). Django and Werkzeug do the same. + i = length + break + +diff --git a/tests/test_multipart.py b/tests/test_multipart.py +index 75982b6..3e8dd89 100644 +--- a/tests/test_multipart.py ++++ b/tests/test_multipart.py +@@ -1,6 +1,5 @@ + from __future__ import annotations + +-import logging + import os + import random + import sys +@@ -722,6 +721,14 @@ single_byte_tests = [ + "single_field_single_file", + ] + ++EPILOGUE_TEST_HEAD = ( ++ "--boundary\r\n" ++ 'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n' ++ "Content-Type: text/plain\r\n\r\n" ++ "hello\r\n" ++ "--boundary--" ++).encode("latin-1") ++ + + def split_all(val: bytes) -> Iterator[tuple[bytes, bytes]]: + """ +@@ -1266,7 +1273,7 @@ class TestFormParser(unittest.TestCase): + self.assert_file_data(files[0], b"hello") + + def test_multipart_parser_data_after_last_boundary(self) -> None: +- """This test makes sure that the parser does not handle when there is junk data after the last boundary.""" ++ """Parser must short-circuit on arbitrary epilogue data after the closing boundary (no O(N) scan).""" + num = 50_000_000 + data = ( + "--boundary\r\n" +@@ -1284,29 +1291,32 @@ class TestFormParser(unittest.TestCase): + f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary") + f.write(data.encode("latin-1")) + +- @pytest.fixture(autouse=True) +- def inject_fixtures(self, caplog: pytest.LogCaptureFixture) -> None: +- self._caplog = caplog +- +- def test_multipart_parser_data_end_with_crlf_without_warnings(self) -> None: +- """This test makes sure that the parser does not handle when the data ends with a CRLF.""" +- data = ( +- "--boundary\r\n" +- 'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n' +- "Content-Type: text/plain\r\n\r\n" +- "hello\r\n" +- "--boundary--\r\n" +- ) ++ @parametrize( ++ "chunks", ++ [ ++ [EPILOGUE_TEST_HEAD + b"\r\n"], ++ [EPILOGUE_TEST_HEAD + b"\r", b"\n"], ++ [EPILOGUE_TEST_HEAD, b"\r\n"], ++ [EPILOGUE_TEST_HEAD + b"\r\n--boundary\r\nthis is not a valid header\r\n\r\nnot a real part"], ++ ], ++ ) ++ def test_multipart_parser_ignores_epilogue(self, chunks: list[bytes]) -> None: ++ """Epilogue data after the closing boundary must be ignored. + ++ Covers both the single-chunk case and the case where trailing CRLF is split across `write()` calls. ++ The final case asserts that epilogue bytes are not parsed or validated. ++ """ + files: list[File] = [] + + def on_file(f: FileProtocol) -> None: + files.append(cast(File, f)) + + f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary") +- with self._caplog.at_level(logging.WARNING): +- f.write(data.encode("latin-1")) +- assert len(self._caplog.records) == 0 ++ for chunk in chunks: ++ f.write(chunk) ++ ++ assert len(files) == 1 ++ self.assert_file_data(files[0], b"hello") + + def test_max_size_multipart(self) -> None: + # Load test data. diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 639b696624a26..a297bbc792ecc 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,6 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, + fetchpatch, hatchling, pytestCheckHook, mock, @@ -27,6 +28,15 @@ buildPythonPackage rec { hash = "sha256-y8wLGRvc7xSmkSyK77Tl5V6mMneS+dtmqBLZOhvmRSY="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-40347-part-1.patch"; + url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; + hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; + }) + ./CVE-2026-40347-part-2.patch + ]; + build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; From fdc3ad690942ae71df83ca6b9a8d399949b333d7 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Mon, 26 Jan 2026 12:35:00 +0000 Subject: [PATCH 80/96] xorg.libXpm: 3.5.17 -> 3.5.18 (cherry picked from commit f9283d50e7513bd790a0687867658c7b02bc413e / PR #483984) The updates seem pretty minor to me: https://lists.x.org/archives/xorg/2026-January/062183.html --- pkgs/by-name/li/libxpm/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libxpm/package.nix b/pkgs/by-name/li/libxpm/package.nix index 8ffd2d3fd203b..2fa6270c21553 100644 --- a/pkgs/by-name/li/libxpm/package.nix +++ b/pkgs/by-name/li/libxpm/package.nix @@ -15,7 +15,7 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "libxpm"; - version = "3.5.17"; + version = "3.5.18"; outputs = [ "bin" @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://xorg/individual/lib/libXpm-${finalAttrs.version}.tar.xz"; - hash = "sha256-ZLMfgQGefTiMgisLKK+NUcRiK4Px8Mtvo/yV4nEibkM="; + hash = "sha256-tO15v8cYAA7e6DfVUcNShvC4RXbbDOB7u+vmCkr/oeQ="; }; strictDeps = true; From afd23a6b516bd056f28b599f4280b675a4200b3c Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Wed, 22 Apr 2026 21:20:00 +0100 Subject: [PATCH 81/96] xorg.libXpm: 3.5.18 -> 3.5.19 Changes: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/compare/libXpm-3.5.18...libXpm-3.5.19?from_project_id=724 (cherry picked from commit bdef44dfe971d60387aa20b51e56168ad05936ad / PR #512515) Fixes CVE-2026-4367 https://lists.x.org/archives/xorg-announce/2026-April/003690.html --- pkgs/by-name/li/libxpm/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libxpm/package.nix b/pkgs/by-name/li/libxpm/package.nix index 2fa6270c21553..09336f30f9300 100644 --- a/pkgs/by-name/li/libxpm/package.nix +++ b/pkgs/by-name/li/libxpm/package.nix @@ -15,7 +15,7 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "libxpm"; - version = "3.5.18"; + version = "3.5.19"; outputs = [ "bin" @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://xorg/individual/lib/libXpm-${finalAttrs.version}.tar.xz"; - hash = "sha256-tO15v8cYAA7e6DfVUcNShvC4RXbbDOB7u+vmCkr/oeQ="; + hash = "sha256-rTV21okiGjncco8ODcAsp7tqDXJMmnf9G/oemvg76QA="; }; strictDeps = true; From c8f09439b1b5f44d611eda9955cb4785e9004f58 Mon Sep 17 00:00:00 2001 From: klea Date: Tue, 14 Apr 2026 16:30:09 +0000 Subject: [PATCH 82/96] vim: 9.2.0272 -> 9.2.0340 Fixes several security issues: CVE-2026-34982 https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9 https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24 Cherry picked from commit 9ee15cb23d067993cf1c029feb9ae9a892b734c0 / PR #510019, kind of. As some people target staging* and some don't, the version updates get a bit messy sometimes. Part of the security update was in release-25.11..staging-25.11, so I'm adding the rest of the update to staging(-next)-25.11. It won't prevent anyone from bumping it directly on release-25.11, if they determine this is urgent. --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index b72a14971cbe0..e34d28ccd3028 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.2.0272"; + version = "9.2.0340"; outputs = [ "out" @@ -11,7 +11,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-9y+dZYbwuIzgseXdg/k8fqZ5JiohgOiK00evMwF9HOM="; + hash = "sha256-jCnOVIafx+0o1nlHv7QJQrmxs1IAxh9BBshDOFdZdCM="; }; enableParallelBuilding = true; From 2133e71351192669b4e4af1a4c52415a7f91a66f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Apr 2026 16:16:44 +0200 Subject: [PATCH 83/96] gdk-pixbuf: 2.44.5 -> 2.44.6 Changes: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/blob/2.44.6/NEWS (cherry-picked from commit 9b8ae1fcb2774815492e9c0d7d9d97cbfc97cb9c / PR #507383) Fixes CVE-2026-5201 https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304 --- pkgs/development/libraries/gdk-pixbuf/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index 8b782a3843049..196d9582cf809 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix +++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gdk-pixbuf"; - version = "2.44.5"; + version = "2.44.6"; outputs = [ "out" @@ -40,7 +40,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/gdk-pixbuf/${lib.versions.majorMinor finalAttrs.version}/gdk-pixbuf-${finalAttrs.version}.tar.xz"; - hash = "sha256-abk+CRObgMDuZhUD1g3rWlh0oxdytRhLnNVGKkEAq2g="; + hash = "sha256-FAwtC4mfz4U+6SsmNzydwijbzeCCCkJGaT9DKKJ0Zvo="; }; patches = [ From ce76748c2b051727f7fa964509373820a8cc1067 Mon Sep 17 00:00:00 2001 From: Bobby Rong Date: Sat, 25 Apr 2026 20:39:43 +0800 Subject: [PATCH 84/96] gdk-pixbuf: fixup after the last update https://github.com/NixOS/nixpkgs/pull/507383#issuecomment-4328244662 (cherry picked from commit 59dafcbd716f3ba6843842bb761c114069d08215) --- pkgs/development/libraries/gdk-pixbuf/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index 196d9582cf809..0a1e32428806d 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix +++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -1,6 +1,7 @@ { stdenv, fetchurl, + fetchpatch, nixosTests, fixDarwinDylibNames, meson, @@ -46,6 +47,13 @@ stdenv.mkDerivation (finalAttrs: { patches = [ # Move installed tests to a separate output ./installed-tests-path.patch + + # Fix loading of xpm module if built-in + # https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/267 + (fetchpatch { + url = "https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/62b8f9fd0bb3b862823cd34afce4b389fbd27569.patch"; + hash = "sha256-ECEIt8lq/jBtDdBetErKpap2PWGav10vqCXKCpIQSyA="; + }) ]; # gdk-pixbuf-thumbnailer is not wrapped therefore strictDeps will work @@ -83,6 +91,8 @@ stdenv.mkDerivation (finalAttrs: { ]; mesonFlags = [ + # https://gitlab.archlinux.org/archlinux/packaging/packages/gdk-pixbuf2/-/work_items/13 + "-Dlegacy_xpm=enabled" "-Dgio_sniffing=false" "-Dandroid=disabled" "-Dglycin=disabled" From 3439853cab615779aa99755ce00d1228becf1e3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Apr 2026 18:20:44 +0200 Subject: [PATCH 85/96] knot-resolver_6: 6.2.0 -> 6.3.0 https://gitlab.nic.cz/knot/knot-resolver/-/releases/v6.3.0 (cherry picked from commit 5bbf21430d51800d1a585367fbcc3af9f93695c4) --- pkgs/by-name/kn/knot-resolver_6/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/kn/knot-resolver_6/package.nix b/pkgs/by-name/kn/knot-resolver_6/package.nix index 14021cc706795..3585e918e57ef 100644 --- a/pkgs/by-name/kn/knot-resolver_6/package.nix +++ b/pkgs/by-name/kn/knot-resolver_6/package.nix @@ -36,11 +36,11 @@ let # TODO: we could cut the `let` short here, but it would de-indent everything. unwrapped = stdenv.mkDerivation (finalAttrs: { pname = "knot-resolver_6"; - version = "6.2.0"; + version = "6.3.0"; src = fetchurl { url = "https://secure.nic.cz/files/knot-resolver/knot-resolver-${finalAttrs.version}.tar.xz"; - hash = "sha256-tEYzvIQxgMC8fHfPexX+VxJDrpkrTdt0r97kz6gDcBs="; + hash = "sha256-uHMGGX90NrSQecYzNkvF33GjkyNvsl6fzn0ESAvHUY4="; }; outputs = [ From db5d76fc2961f744b2e0299a5ac979aac2ca02bf Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 3 May 2026 22:21:07 +0000 Subject: [PATCH 86/96] thunderbird-latest-unwrapped: 150.0 -> 150.0.1 (cherry picked from commit 6065124acecbb4200cccdd9d9349fe41bc87c606) --- .../networking/mailreaders/thunderbird/packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix index 0b839ab9d9fbb..6ea375646a63d 100644 --- a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix +++ b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix @@ -73,8 +73,8 @@ rec { thunderbird = thunderbird-latest; thunderbird-latest = common { - version = "150.0"; - sha512 = "6e0770de0aeabdd9372b491ae0a6d20238ff154b70982de21c73b903003398f36d8f56c679ca893a1e5646a25add9e9e126ae1b6ee1f836290104b61eb09dac1"; + version = "150.0.1"; + sha512 = "bf3d33357965cd144decef7c8865b6c18043502aea8d090d93fe29555379b924e3925d58276411f38fdcdc87b54ab3ae7d6aa6619feec9b856f8f227225cb375"; updateScript = callPackage ./update.nix { attrPath = "thunderbirdPackages.thunderbird-latest"; From 9e8379ccfde2eb23ff4ea34fc2e97159b5b985e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 25 Nov 2025 12:09:07 -0800 Subject: [PATCH 87/96] python3Packages.astropy: 7.1.0 -> 7.1.1 Diff: https://github.com/astropy/astropy/compare/v7.1.0...v7.1.1 Changelog: https://docs.astropy.org/en/v7.1.1/changelog.html --- pkgs/development/python-modules/astropy/default.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/pkgs/development/python-modules/astropy/default.nix b/pkgs/development/python-modules/astropy/default.nix index 0489821f7a82c..d07f43684f891 100644 --- a/pkgs/development/python-modules/astropy/default.nix +++ b/pkgs/development/python-modules/astropy/default.nix @@ -1,6 +1,6 @@ { lib, - fetchPypi, + fetchFromGitHub, buildPythonPackage, pythonOlder, @@ -55,14 +55,16 @@ buildPythonPackage rec { pname = "astropy"; - version = "7.1.0"; + version = "7.1.1"; pyproject = true; disabled = pythonOlder "3.11"; - src = fetchPypi { - inherit pname version; - hash = "sha256-yPJUMiKVsbjPJDA9bxVb9+/bbBKCiCuWbOMEDv+MU8U="; + src = fetchFromGitHub { + owner = "astropy"; + repo = "astropy"; + tag = "v${version}"; + hash = "sha256-cvwwTa6eJYncB2V6UCuBrQ5WRRvjgZF5/z4d7Z/uHc8="; }; env = lib.optionalAttrs stdenv.cc.isClang { @@ -159,6 +161,7 @@ buildPythonPackage rec { ''; meta = { + changelog = "https://docs.astropy.org/en/${src.tag}/changelog.html"; description = "Astronomy/Astrophysics library for Python"; homepage = "https://www.astropy.org"; license = lib.licenses.bsd3; From f1df17fe1dc363eb399881eb951c5c6056f2afd5 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 21 Jan 2026 17:32:24 +0100 Subject: [PATCH 88/96] python3Packages.astropy: fix OMP_NUM_THREADS going 0 --- pkgs/development/python-modules/astropy/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/astropy/default.nix b/pkgs/development/python-modules/astropy/default.nix index d07f43684f891..5e30833f86d14 100644 --- a/pkgs/development/python-modules/astropy/default.nix +++ b/pkgs/development/python-modules/astropy/default.nix @@ -147,6 +147,10 @@ buildPythonPackage rec { preCheck = '' export HOME="$(mktemp -d)" export OMP_NUM_THREADS=$(( $NIX_BUILD_CORES / 4 )) + if [ $OMP_NUM_THREADS -eq 0 ]; then + export OMP_NUM_THREADS=1 + fi + # See https://github.com/astropy/astropy/issues/17649 and see # --hypothesis-profile=ci pytest flag below. cp conftest.py $out/ From b21bb05b8baa045e89a48877dcddb09b73e177fb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 21 Jan 2026 18:31:47 +0100 Subject: [PATCH 89/96] python3Packages.astropy: 7.1.1 -> 7.2.0 https://docs.astropy.org/en/v7.2.0/changelog.html This commit was automatically generated using update-python-libraries. --- pkgs/development/python-modules/astropy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/astropy/default.nix b/pkgs/development/python-modules/astropy/default.nix index 5e30833f86d14..105a23588120e 100644 --- a/pkgs/development/python-modules/astropy/default.nix +++ b/pkgs/development/python-modules/astropy/default.nix @@ -55,7 +55,7 @@ buildPythonPackage rec { pname = "astropy"; - version = "7.1.1"; + version = "7.2.0"; pyproject = true; disabled = pythonOlder "3.11"; @@ -64,7 +64,7 @@ buildPythonPackage rec { owner = "astropy"; repo = "astropy"; tag = "v${version}"; - hash = "sha256-cvwwTa6eJYncB2V6UCuBrQ5WRRvjgZF5/z4d7Z/uHc8="; + hash = "sha256-U9kCzyOZcttlUP0DUGkhJVkk96sBM/Gm/s5ZPJZcEoA="; }; env = lib.optionalAttrs stdenv.cc.isClang { From b1a890ff22830570ff50d47b7dc2e811bed045ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 25 Nov 2025 12:12:47 -0800 Subject: [PATCH 90/96] python3Packages.astropy-iers-data: 0.2025.8.4.0.42.59 -> 0.2025.11.24.0.39.11 Diff: https://github.com/astropy/astropy-iers-data/compare/v0.2025.8.4.0.42.59...v0.2025.11.24.0.39.11 Changelog: https://github.com/astropy/astropy-iers-data/releases/tag/v0.2025.11.24.0.39.11 --- .../development/python-modules/astropy-iers-data/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/astropy-iers-data/default.nix b/pkgs/development/python-modules/astropy-iers-data/default.nix index c737ec1190f2a..0226f800834a7 100644 --- a/pkgs/development/python-modules/astropy-iers-data/default.nix +++ b/pkgs/development/python-modules/astropy-iers-data/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "astropy-iers-data"; - version = "0.2025.8.4.0.42.59"; + version = "0.2025.11.24.0.39.11"; pyproject = true; src = fetchFromGitHub { owner = "astropy"; repo = "astropy-iers-data"; tag = "v${version}"; - hash = "sha256-Izqm626PZzjnMNUzPW2x15ER7fn5f9+m2X434vXV/yo="; + hash = "sha256-B8568fGvS76igIlEWIbsTczQYqL0nPISM8rfUrF/DS4="; }; build-system = [ @@ -29,6 +29,7 @@ buildPythonPackage rec { doCheck = false; meta = { + changelog = "https://github.com/astropy/astropy-iers-data/releases/tag/${src.tag}"; description = "IERS data maintained by @astrofrog and astropy.utils.iers maintainers"; homepage = "https://github.com/astropy/astropy-iers-data"; license = lib.licenses.bsd3; From 2d937793875ff277730334644c239813d564191f Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 21 Jan 2026 18:31:47 +0100 Subject: [PATCH 91/96] python3Packages.astropy-iers-data: 0.2025.11.24.0.39.11 -> 0.2026.1.19.0.42.31 https://github.com/astropy/astropy-iers-data/releases/tag/v0.2026.1.19.0.42.31 This commit was automatically generated using update-python-libraries. --- pkgs/development/python-modules/astropy-iers-data/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/astropy-iers-data/default.nix b/pkgs/development/python-modules/astropy-iers-data/default.nix index 0226f800834a7..dadecba128520 100644 --- a/pkgs/development/python-modules/astropy-iers-data/default.nix +++ b/pkgs/development/python-modules/astropy-iers-data/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "astropy-iers-data"; - version = "0.2025.11.24.0.39.11"; + version = "0.2026.1.19.0.42.31"; pyproject = true; src = fetchFromGitHub { owner = "astropy"; repo = "astropy-iers-data"; tag = "v${version}"; - hash = "sha256-B8568fGvS76igIlEWIbsTczQYqL0nPISM8rfUrF/DS4="; + hash = "sha256-psxVL7375xQuo6mqh+5rvv0xEuZNUOtFco1BrPPWLtg="; }; build-system = [ From c58ace3b979ed4142225711a564ffbb8bc0c407e Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 27 Feb 2026 02:30:15 +0100 Subject: [PATCH 92/96] python3Packages.psycopg: disable slow tests They are annoying and racy with pproxy. We're running over 5k tests, this is fine. (cherry picked from commit b9c75a3094f06c8050a4532a419c3f00e907f810) I just hope that it will solve the aarch64-linux issues: https://hydra.nixos.org/build/327737600#tabs-buildsteps --- pkgs/development/python-modules/psycopg/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/python-modules/psycopg/default.nix b/pkgs/development/python-modules/psycopg/default.nix index b6558b5ff6931..406592958ddd5 100644 --- a/pkgs/development/python-modules/psycopg/default.nix +++ b/pkgs/development/python-modules/psycopg/default.nix @@ -220,6 +220,7 @@ buildPythonPackage rec { "refcount" "timing" "flakey" + "slow" ]; postCheck = '' From 4a2e83ccebdd1f9164e892adad1938a540b6a559 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 5 May 2026 08:54:20 +0200 Subject: [PATCH 93/96] mupdf: fixup build of the vendored freeglut https://hydra.nixos.org/build/327340679/nixlog/2/tail --- pkgs/by-name/mu/mupdf/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index 8d8408044af95..80c24c63290ab 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -55,6 +55,8 @@ let hash = "sha256-yVnVFh2KMpkRB0Emr1iiUwg8ZcPn/k4fnBtBsnv6jX0="; }; + patches = [ ]; # the current patches won't apply + # cmake 4 compatibility, upstream is dead postPatch = '' substituteInPlace CMakeLists.txt \ From 6ee8f6e786157347595ea8b70365afe89bbb8d5b Mon Sep 17 00:00:00 2001 From: superherointj Date: Sat, 25 Apr 2026 18:35:30 -0300 Subject: [PATCH 94/96] python3Packages.aioboto3: disable DynamoDB tests with aiobotocore 3.x DynamoDB tests fail with aiobotocore 3.x due to HTTP header issue with moto: 'Duplicate Server header found'. This is the same issue that causes aiobotocore itself to disable its DynamoDB tests. Fixes 7 test failures: - test_dynamo_resource_query - test_dynamo_resource_put - test_dynamo_resource_batch_write_flush_on_exit_context - test_dynamo_resource_batch_write_flush_amount - test_flush_doesnt_reset_item_buffer - test_dynamo_resource_property - test_dynamo_resource_waiter (cherry picked from commit bba77e69fc1642c39698af393c4e379cfe26cf8e) https://hydra.nixos.org/build/327728584/nixlog/2/tail --- pkgs/development/python-modules/aioboto3/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/development/python-modules/aioboto3/default.nix b/pkgs/development/python-modules/aioboto3/default.nix index f11a8f3088626..57358c48dd4dc 100644 --- a/pkgs/development/python-modules/aioboto3/default.nix +++ b/pkgs/development/python-modules/aioboto3/default.nix @@ -60,6 +60,17 @@ buildPythonPackage rec { disabledTests = [ "test_patches" + ] + ++ [ + # DynamoDB tests fail with aiobotocore 3.x due to HTTP header issue with moto: + # "Duplicate 'Server' header found" - same issue as aiobotocore disables + "test_dynamo_resource_query" + "test_dynamo_resource_put" + "test_dynamo_resource_batch_write_flush_on_exit_context" + "test_dynamo_resource_batch_write_flush_amount" + "test_flush_doesnt_reset_item_buffer" + "test_dynamo_resource_property" + "test_dynamo_resource_waiter" ]; pythonImportsCheck = [ "aioboto3" ]; From 1100ff65ad783a94de661f77d3d1bee92402a657 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 5 May 2026 16:23:08 +0200 Subject: [PATCH 95/96] ceph: fixup build of its pyopenssl https://hydra.nixos.org/build/327692530/nixlog/1/tail These patches were added in b03b950370fae8294dbdbbf5c851b59362e4abb8 --- pkgs/by-name/ce/ceph/package.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/ce/ceph/package.nix b/pkgs/by-name/ce/ceph/package.nix index 0da840296dec6..fa04b53e9d2d7 100644 --- a/pkgs/by-name/ce/ceph/package.nix +++ b/pkgs/by-name/ce/ceph/package.nix @@ -282,6 +282,7 @@ let inherit version; hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc="; }; + patches = []; # those two CVE patches do not apply (!) disabledTests = old.disabledTests or [ ] ++ [ "test_export_md5_digest" ]; From 9ac8a36a250fe6dec1aa2c37437800c030fa5260 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 5 May 2026 16:39:41 +0200 Subject: [PATCH 96/96] ceph: fix nixfmt --- pkgs/by-name/ce/ceph/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/ce/ceph/package.nix b/pkgs/by-name/ce/ceph/package.nix index fa04b53e9d2d7..a39b06cb62a48 100644 --- a/pkgs/by-name/ce/ceph/package.nix +++ b/pkgs/by-name/ce/ceph/package.nix @@ -282,7 +282,7 @@ let inherit version; hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc="; }; - patches = []; # those two CVE patches do not apply (!) + patches = [ ]; # those two CVE patches do not apply (!) disabledTests = old.disabledTests or [ ] ++ [ "test_export_md5_digest" ];