Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
215 commits
Select commit Hold shift + click to select a range
64d3ca2
python3Packages.superqt: move pyqt5 to optional deps
LordGrimmauld Feb 5, 2026
3fa281c
python3Packages.qtconsole: move to qt6
LordGrimmauld Feb 7, 2026
28daf46
python3Packages.qtawesome: move to qt6
LordGrimmauld Feb 7, 2026
730c539
spyder: move to qt6
LordGrimmauld Feb 7, 2026
d0618a0
fmt: 12.0.0 -> 12.1.0
StarryReverie Dec 14, 2025
6269f26
[Backport staging-25.11] Various (spyder): Move to Qt6 #500663 (#502886)
kirillrdy Mar 24, 2026
b60ec32
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 25, 2026
b2d2ab4
python3Packages.pygments: patch CVE-2026-4539
ryand56 Mar 25, 2026
11faed9
[Backport staging-25.11] python3Packages.pygments: patch CVE-2026-453…
Sigmanificient Mar 26, 2026
58a21c6
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 26, 2026
6aea74e
nixos/grub: re-install grub on package change
osnyx Feb 23, 2026
c27c455
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 27, 2026
0213e99
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 28, 2026
8bb19f2
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 29, 2026
0f18155
mbedtls: build with -fzero-init-padding-bits=unions
alyssais Mar 28, 2026
da357dc
spidermonkey_140: 140.5.0 -> 140.6.0
bobby285271 Dec 9, 2025
18b81be
spidermonkey_140: 140.6.0 -> 140.7.0
bobby285271 Jan 19, 2026
54869c8
spidermonkey_140: 140.7.0 -> 140.7.1
bobby285271 Feb 18, 2026
9b8a404
spidermonkey_140: 140.7.1 -> 140.9.0
whispersofthedawn Mar 28, 2026
c34fc8d
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 30, 2026
d5f1f58
[25.11] spidermonkey_140: 140.5.0 -> 140.9.0 (#504740)
bobby285271 Mar 30, 2026
a0c618c
libde265: 1.0.16 -> 1.0.18
trofi Mar 22, 2026
4975b63
[Backport staging-25.11] libde265: 1.0.16 -> 1.0.18 (#505141)
philiptaron Mar 31, 2026
f173420
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Mar 31, 2026
6321d65
glibc: 2.40-218 -> 2.40-224
Ma27 Mar 31, 2026
816bd76
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 1, 2026
88492b7
libpng: 1.6.55 -> 1.6.56
vcunat Apr 1, 2026
c579382
[25.11] glibc: 2.40-218 -> 2.40-224, fix CVE-2026-4437 (#505427)
Ma27 Apr 1, 2026
237ea8c
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 2, 2026
f1ef3f3
[Backport staging-25.11] mbedtls: build with -fzero-init-padding-bits…
vcunat Apr 2, 2026
5c51a61
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 3, 2026
1ef14cb
wolfSSL: correct `meta.license`
emilazy Mar 28, 2026
cf32fb0
vde2: correct `meta.license`
emilazy Mar 28, 2026
adac477
vde2: make Musl patch unconditional
emilazy Mar 28, 2026
ec78367
vde2: remove obsolete Darwin workaround
emilazy Mar 28, 2026
16c17be
vde2: switch to Mbed TLS
emilazy Mar 28, 2026
28c19ae
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 3, 2026
0eb084c
[25.11] {wolfssl,vde2}: correct `meta.license`; vde2: switch to Mbed …
emilazy Apr 4, 2026
a527488
mupdf: 1.26.10 -> 1.27.0
r-ryantm Dec 17, 2025
a4388d1
mupdf: remove patches that made it into the release
veprbl Jan 25, 2026
bd180cb
[Backport staging-25.11] mupdf: 1.26.10 -> 1.27.0 (#506701)
fpletz Apr 4, 2026
0a672a5
mupdf: fix build of vendored freeglut with gcc15
ghpzin Oct 7, 2025
cc5643f
[Backport staging-25.11] mupdf: fix build of vendored freeglut with g…
fpletz Apr 4, 2026
672d37e
mupdf: 1.27.0 -> 1.27.2
fpletz Apr 4, 2026
a762af9
python3Packages.cryptography{,.vectors}: 46.0.5 -> 46.0.6
mdaniels5757 Mar 28, 2026
a8814b7
[Backport staging-25.11] python3Packages.cryptography{,.vectors}: 46.…
mdaniels5757 Apr 4, 2026
d618b72
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 5, 2026
c5682f2
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 5, 2026
cb537d3
[Backport staging-25.11] mupdf: 1.27.0 -> 1.27.2 (#506727)
fpletz Apr 5, 2026
d9aedfa
nghttp2: 1.67.1 -> 1.68.1
bddvlpr Mar 30, 2026
0886c15
dash: 0.5.13.1 -> 0.5.13.2
r-ryantm Mar 21, 2026
d3063c5
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 6, 2026
a6c24f2
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 6, 2026
2663784
cryptsetup: 2.8.4 -> 2.8.6
r-ryantm Apr 3, 2026
7773e8a
util-linux: add in-tree comments for patches
balsoft Dec 11, 2025
13735ec
util-linux: Ensure that liblastlog is linked with libpam
numinit Feb 28, 2026
bf28042
util-linux: 2.41.3 -> 2.41.4
numinit Apr 6, 2026
358fa47
[Backport staging-25.11] cryptsetup: 2.8.4 -> 2.8.6 (#507183)
r-vdp Apr 6, 2026
d1aa721
python3Packages.requests: 2.32.5 -> 2.33.1
mweinelt Apr 6, 2026
d7515a3
nixos/modules: import intel-npu module
mweinelt Apr 6, 2026
0536b27
nixos/nixos-generate-config: drop intel-npu import
mweinelt Apr 6, 2026
f4a8b10
[Backport staging-25.11] nixos/hardware/cpu/intel/npu: import module …
mweinelt Apr 7, 2026
b9c8df6
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 7, 2026
0908f5d
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 7, 2026
4bbe228
libopenmpt: 0.8.5 -> 0.8.6
trofi Mar 31, 2026
2881509
systemd: fix `/etc/localtime` symlink
emilylange Apr 4, 2026
e618a60
nixos/tests/timezone: extend to test systemd `/etc/timezone` regression
emilylange Apr 4, 2026
633c8f0
python3Packages.django_4: 4.2.29 -> 4.2.30
mweinelt Apr 7, 2026
717f0e1
python3Packages.django_4: 4.2.29 -> 4.2.30 (#507736)
mweinelt Apr 7, 2026
96cf275
python3Packages.aiohttp: 3.13.3 -> 3.13.4
dotlambda Mar 29, 2026
00611b5
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 8, 2026
e6aa550
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 8, 2026
1d24d12
vim: 9.2.0106 -> 9.2.0272
Fovir-GitHub Mar 31, 2026
63fdadd
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 9, 2026
66880d0
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 9, 2026
bdbd1d4
[Backport staging-25.11] util-linux: 2.41.3 -> 2.41.4 (#507199)
Atemu Apr 9, 2026
ee856b9
python3Packages.cryptography: 46.0.6 -> 46.0.7
fabaff Apr 9, 2026
5617a65
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 10, 2026
4325382
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 10, 2026
d738c62
[Backport staging-25.11] vim: 9.1.2148 -> 9.2.0272 (#507980)
philiptaron Apr 10, 2026
54e23f4
[Backport staging-25.11] python3Packages.cryptography: 46.0.6 -> 46.0…
mdaniels5757 Apr 10, 2026
987ddaa
[25.11] libopenmpt: 0.8.5 -> 0.8.6 (#507604)
OPNA2608 Apr 10, 2026
c1f3965
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 11, 2026
1b127eb
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 11, 2026
fe3afaa
go_1_25: 1.25.8 -> 1.25.9
herbetom Apr 9, 2026
b518c99
libjpeg8: 3.1.2 -> 3.1.3
r-ryantm Dec 10, 2025
de7f0c0
xz: 5.8.1 -> 5.8.2
trofi Dec 19, 2025
632186c
[Backport staging-25.11] dash: 0.5.13.1 -> 0.5.13.2 (#507042)
vcunat Apr 11, 2026
03830ca
[Backport staging-25.11] libjpeg: 3.1.2 -> 3.1.3 (#508927)
vcunat Apr 11, 2026
39df345
[Backport staging-25.11] xz: 5.8.1 -> 5.8.2 (#508928)
vcunat Apr 11, 2026
11dc9c6
libjpeg8: 3.1.3 -> 3.1.4
r-ryantm Mar 26, 2026
5303469
[Backport staging-25.11] libjpeg: 3.1.3 -> 3.1.4 (#508930)
vcunat Apr 11, 2026
7b87ff0
xz: 5.8.2 -> 5.8.3
trofi Apr 1, 2026
3fce5c9
[Backport staging-25.11] xz: 5.8.2 -> 5.8.3 (#508932)
vcunat Apr 11, 2026
e22f574
[Backport staging-25.11] libpng: 1.6.55 -> 1.6.56 (#505756)
vcunat Apr 11, 2026
09c0bd2
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 12, 2026
d1703ee
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 12, 2026
e233c13
openssl_3: 3.0.19 -> 3.0.20
MarcelCoding Apr 8, 2026
69058a7
openssl_3_6: 3.6.1 -> 3.6.2
MarcelCoding Apr 8, 2026
8128d18
openssl: cleanup already upstreamed patches
thillux Apr 9, 2026
4ce6a91
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 13, 2026
8544d12
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 13, 2026
3ef7f58
wolfssl: 5.9.0 -> 5.9.1
vifino Apr 10, 2026
1447596
[Backport staging-25.11] go_1_25: 1.25.8 -> 1.25.9 (#508811)
yuyuyureka Apr 13, 2026
72fd9c1
xdg-user-dirs: re-enable xdg autostart
kajusnau Feb 11, 2026
bdcd56c
mbedtls: Skip -fzero-init-padding-bits on GCC 14
raphaelr Apr 13, 2026
449e7da
coreutils: skip flaky du tests
karimKandil0 Apr 11, 2026
1043dbe
[Backport staging-25.11] coreutils: skip flaky du tests (#509761)
mdaniels5757 Apr 13, 2026
2aa9e66
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 14, 2026
8afdf3c
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 14, 2026
1d306e1
mbedtls: Skip -fzero-init-padding-bits on GCC 14 (#509686)
SuperSandro2000 Apr 14, 2026
0138ac0
imagemagick: 7.1.2-18 -> 7.1.2-19
Hythera Apr 14, 2026
f31b6fb
[Backport staging-25.11] imagemagick: 7.1.2-18 -> 7.1.2-19 (#510076)
rhendric Apr 14, 2026
d2e7ea8
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 15, 2026
64647c1
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 15, 2026
0b72895
jq: apply CVE patches
ncfavier Apr 14, 2026
ca9cecc
[Backport staging-25.11] jq: apply CVE patches (#510395)
ncfavier Apr 15, 2026
0398980
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 16, 2026
cfee034
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 16, 2026
267afd6
python3Packages.pillow: apply patch for CVE-2026-40192
LeSuisse Apr 16, 2026
b03b950
python3Packages.pyopenssl: backport 26.0 security fixes
mweinelt Apr 16, 2026
785f55f
[staging-25.11] python3Packages.pyopenssl: backport 26.0 security fix…
mweinelt Apr 16, 2026
934c5c1
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 17, 2026
6c51487
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 17, 2026
2b4c2ce
[Backport staging-25.11] wolfssl: 5.9.0 -> 5.9.1 (#509526)
nixpkgs-ci[bot] Apr 17, 2026
6f67bd1
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 18, 2026
2af519c
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 18, 2026
26fac71
[Backport staging-25.11] python3Packages.aiohttp: 3.13.3 -> 3.13.4 (#…
dotlambda Apr 18, 2026
61ab8c7
[Backport staging-25.11] xdg-user-dirs: re-enable xdg autostart (#509…
donovanglover Apr 18, 2026
458782d
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 19, 2026
014e821
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 19, 2026
8133641
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 20, 2026
8ef388f
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 20, 2026
8a97e77
openssh: 10.2p1 -> 10.3p1
numinit Apr 6, 2026
4484a4f
openssh_gssapi: update patch to latest
numinit Apr 6, 2026
c2d363f
aws-c-event-stream: 0.5.7 -> 0.7.0, fix CVE-2026-5190
matteo-pacini Apr 15, 2026
39417f5
cacert: 3.121 -> 3.123
mweinelt Apr 16, 2026
7cb6a9b
[Backport staging-25.11] cacert: 3.121 -> 3.123 (#511831)
mweinelt Apr 20, 2026
c614c66
nixos/systemd: fix modprobe
nikstur Apr 6, 2026
bd5cb08
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 21, 2026
e8cdc5c
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 21, 2026
07fddb4
mimir: 3.0.4 -> 3.0.5
adamcstephens Apr 3, 2026
9fb9389
mimir: fix escape
mdaniels5757 Apr 4, 2026
6feb573
mimir: 3.0.5 -> 3.0.6
r-ryantm Apr 21, 2026
35a8c5f
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 22, 2026
b740ec2
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 22, 2026
807d02a
[Backport staging-25.11] nixos/systemd: fix modprobe (#511891)
arianvp Apr 22, 2026
a3cc5d3
nodejs_{20,22}: disable broken openssl tests
MarcelCoding Apr 16, 2026
b9665f6
[staging-25.11 backport] nodejs_{20,22}: disable broken openssl tests…
aduh95 Apr 22, 2026
3cddc65
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 23, 2026
74e8c24
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 23, 2026
b0ad867
[Staging 25.11] python3Packages.pillow: apply patch for CVE-2026-4019…
dotlambda Apr 23, 2026
6df8b97
systemd: 258.5 -> 258.7
LeSuisse Apr 12, 2026
ad20684
libgudev: disable test-gudevdevice
arianvp Apr 23, 2026
e3393eb
[Backport release-25.11] mimir: 3.0.4 -> 3.0.6 (#512185)
adamcstephens Apr 23, 2026
67f593d
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 24, 2026
9607573
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 24, 2026
82c1dba
[Backport staging-25.11] openssl: 3.0.19 -> 3.0.20, 3.6.1 -> 3.6.2 (#…
vcunat Apr 24, 2026
95908e6
nss: 3.112.3 -> 3.112.5
mweinelt Apr 23, 2026
653402a
nghttp3: 1.12.0 -> 1.13.0
r-ryantm Nov 23, 2025
54f8a25
ngtcp2: 1.17.0 -> 1.18.0
r-ryantm Nov 27, 2025
37fe379
nghttp3: 1.13.0 -> 1.13.1
trofi Dec 3, 2025
aa687c1
ngtcp2: 1.18.0 -> 1.19.0
r-ryantm Jan 11, 2026
3a1b0c7
nghttp3: 1.13.1 -> 1.14.0
trofi Dec 27, 2025
4b51ce3
ngtcp2: 1.19.0 -> 1.22.0
r-ryantm Apr 4, 2026
5589935
nghttp3: 1.14.0 -> 1.15.0
r-ryantm Feb 23, 2026
23b1b7a
ngtcp2: 1.22.0 -> 1.22.1
Hythera Apr 17, 2026
6b9e201
[25.11] fmt_12: 12.0.0 -> 12.1.0 (#503097)
vcunat Apr 24, 2026
d75a938
[Backport release-25.11] nixos/grub: re-install grub on package chang…
vcunat Apr 24, 2026
f3f3298
[Backport staging-25.11] nghttp2: 1.67.1 -> 1.68.1 (#507041)
vcunat Apr 24, 2026
c060711
[Backport staging-25.11] python3Packages.requests: 2.32.5 -> 2.33.1 (…
vcunat Apr 24, 2026
a4f8f5f
[Staging 25.11] systemd: 258.5 -> 258.7 (#512827)
vcunat Apr 24, 2026
0c0e2e0
[Backport staging-25.11] aws-c-event-stream: 0.5.7 -> 0.7.0, fixes CV…
vcunat Apr 24, 2026
b836bac
[Backport staging-25.11] nss: 3.112.3 -> 3.112.5 (#513044)
vcunat Apr 24, 2026
554c109
[25.11] nghttp3: 1.12.0 -> 1.15.0; ngtcp2: 1.17.0 -> 1.22.1 (#513064)
vcunat Apr 24, 2026
2c439b6
[Backport staging-25.11] openssh: 10.2p1 -> 10.3p1; update to latest …
vcunat Apr 24, 2026
c6f802e
[Backport staging-25.11] systemd: fix `/etc/localtime` symlink (#507634)
vcunat Apr 24, 2026
597459f
libarchive: 3.8.6 -> 3.8.7
whispersofthedawn Apr 13, 2026
5518e79
[Backport staging-25.11] libarchive: 3.8.6 -> 3.8.7 (#513183)
vcunat Apr 24, 2026
ab4233f
Merge branch 'staging-25.11' into staging-next-25.11
vcunat Apr 24, 2026
be8443c
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 25, 2026
32896a6
Merge staging-next-25.11 into staging-25.11
nixpkgs-ci[bot] Apr 25, 2026
ff86ebf
python3Packages.python-multipart: add patches for CVE-2026-40347
risicle Apr 23, 2026
fdc3ad6
xorg.libXpm: 3.5.17 -> 3.5.18
r-ryantm Jan 26, 2026
afd23a6
xorg.libXpm: 3.5.18 -> 3.5.19
trofi Apr 22, 2026
c8f0943
vim: 9.2.0272 -> 9.2.0340
notklea Apr 14, 2026
255e02f
[Backport staging-25.11] python3Packages.python-multipart: add patche…
vcunat Apr 25, 2026
13ca630
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 26, 2026
dd48b0f
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 27, 2026
2133e71
gdk-pixbuf: 2.44.5 -> 2.44.6
vcunat Apr 27, 2026
ce76748
gdk-pixbuf: fixup after the last update
bobby285271 Apr 25, 2026
5d1a9db
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 28, 2026
e6f2ca9
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 29, 2026
3439853
knot-resolver_6: 6.2.0 -> 6.3.0
vcunat Apr 27, 2026
ff3ce7e
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] Apr 30, 2026
0b624a2
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] May 1, 2026
c05a366
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] May 2, 2026
8de909e
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] May 3, 2026
98de0f5
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] May 4, 2026
db5d76f
thunderbird-latest-unwrapped: 150.0 -> 150.0.1
r-ryantm May 3, 2026
9e8379c
python3Packages.astropy: 7.1.0 -> 7.1.1
dotlambda Nov 25, 2025
f1df17f
python3Packages.astropy: fix OMP_NUM_THREADS going 0
mweinelt Jan 21, 2026
b21bb05
python3Packages.astropy: 7.1.1 -> 7.2.0
mweinelt Jan 21, 2026
b1a890f
python3Packages.astropy-iers-data: 0.2025.8.4.0.42.59 -> 0.2025.11.24…
dotlambda Nov 25, 2025
2d93779
python3Packages.astropy-iers-data: 0.2025.11.24.0.39.11 -> 0.2026.1.1…
mweinelt Jan 21, 2026
112e0b4
Merge release-25.11 into staging-next-25.11
vcunat May 4, 2026
79b78a2
[Backport 25.11] thunderbird-latest-unwrapped: 150.0 -> 150.0.1 (#516…
vcunat May 4, 2026
e7c34e4
[Backport 25.11] knot-resolver_6: 6.2.0 -> 6.3.0 (#514715)
vcunat May 4, 2026
c58ace3
python3Packages.psycopg: disable slow tests
mweinelt Feb 27, 2026
8cd95fa
Merge release-25.11 into staging-next-25.11
nixpkgs-ci[bot] May 5, 2026
4a2e83c
mupdf: fixup build of the vendored freeglut
vcunat May 5, 2026
6ee8f6e
python3Packages.aioboto3: disable DynamoDB tests with aiobotocore 3.x
superherointj Apr 25, 2026
1100ff6
ceph: fixup build of its pyopenssl
vcunat May 5, 2026
9ac8a36
ceph: fix nixfmt
vcunat May 5, 2026
48ecfdc
Merge release-25.11 into staging-next-25.11
vcunat May 5, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion nixos/modules/installer/tools/nixos-generate-config.pl
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,6 @@ sub pciCheck {
($device eq "0xfd3e" || $device eq "0x7d1d" || $device eq "0xad1d" ||
$device eq "0x643e" || $device eq "0xb03e"))
{
push @imports, "(modulesPath + \"/hardware/cpu/intel-npu.nix\")";
push @attrs, "hardware.cpu.intel.npu.enable = true;";
}

Expand Down
19 changes: 13 additions & 6 deletions nixos/modules/system/boot/loader/grub/install-grub.pl
Original file line number Diff line number Diff line change
Expand Up @@ -685,12 +685,14 @@ sub getEfiTarget {
efi => '$',
devices => '$',
efiMountPoint => '$',
grub => '$',
grubEfi => '$',
extraGrubInstallArgs => '@',
});
# If you add something to the state file, only add it to the end
# because it is read line-by-line.
sub readGrubState {
my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", extraGrubInstallArgs => () );
my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", grub => "", grubEfi => "", extraGrubInstallArgs => () );
open my $fh, "<", "$bootPath/grub/state" or return $defaultGrubState;
local $/ = "\n";
my $name = <$fh>;
Expand Down Expand Up @@ -721,8 +723,10 @@ sub readGrubState {
}
my %jsonState = %{decode_json($jsonStateLine)};
my @extraGrubInstallArgs = exists($jsonState{'extraGrubInstallArgs'}) ? @{$jsonState{'extraGrubInstallArgs'}} : ();
my $grubValue = exists($jsonState{'grub'}) ? $jsonState{'grub'} : "";
my $grubEfiValue = exists($jsonState{'grubEfi'}) ? $jsonState{'grubEfi'} : "";
close $fh;
my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs );
my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs, grub => $grubValue, grubEfi => $grubEfiValue );
return $grubState
}

Expand All @@ -734,15 +738,16 @@ sub readGrubState {

my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference());
my $extraGrubInstallArgsDiffer = scalar (List::Compare->new( '-u', '-a', \@extraGrubInstallArgs, \@prevExtraGrubInstallArgs)->get_symmetric_difference());
my $nameDiffer = get("fullName") ne $prevGrubState->name;
my $versionDiffer = get("fullVersion") ne $prevGrubState->version;
my $efiDiffer = $efiTarget ne $prevGrubState->efi;
my $efiMountPointDiffer = $efiSysMountPoint ne $prevGrubState->efiMountPoint;
# re-installing grub once the package store path changes is necessary, because
# introducing patches or adjusting builds does not always bump the version number
my $grubStorePathsDiffer = ($grub ne $prevGrubState->grub) || ($grubEfi ne $prevGrubState->grubEfi);
if (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1") {
warn "NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER";
$ENV{'NIXOS_INSTALL_BOOTLOADER'} = "1";
}
my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1");
my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $efiDiffer || $efiMountPointDiffer || $grubStorePathsDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1");

# install a symlink so that grub can detect the boot drive
my $tmpDir = File::Temp::tempdir(CLEANUP => 1) or die "Failed to create temporary space: $!";
Expand Down Expand Up @@ -795,7 +800,9 @@ sub readGrubState {
print $fh join( ",", @deviceTargets ), "\n" or die;
print $fh $efiSysMountPoint, "\n" or die;
my %jsonState = (
extraGrubInstallArgs => \@extraGrubInstallArgs
extraGrubInstallArgs => \@extraGrubInstallArgs,
grub => $grub,
grubEfi => $grubEfi
);
my $jsonStateLine = encode_json(\%jsonState);
print $fh $jsonStateLine, "\n" or die;
Expand Down
4 changes: 4 additions & 0 deletions nixos/modules/system/boot/systemd.nix
Original file line number Diff line number Diff line change
Expand Up @@ -741,6 +741,10 @@ in
path = [ pkgs.util-linux ];
overrideStrategy = "asDropin";
};
systemd.services."modprobe@" = {
restartIfChanged = false;
serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.kmod ];
};
systemd.services.systemd-random-seed.restartIfChanged = false;
systemd.services.systemd-remount-fs.restartIfChanged = false;
systemd.services.systemd-update-utmp.restartIfChanged = false;
Expand Down
5 changes: 5 additions & 0 deletions nixos/tests/systemd-misc.nix
Original file line number Diff line number Diff line change
Expand Up @@ -60,5 +60,10 @@ in
machine.succeed("systemctl status example.service | grep 'Active: active'")

machine.succeed("systemctl show --property TasksMax --value user-1000.slice | grep 100")

with subtest("modprobe@ services work"):
modprobe_service_status = machine.succeed("systemctl show --property ExecMainStatus modprobe@configfs.service")
print(modprobe_service_status)
t.assertEqual("ExecMainStatus=0\n", modprobe_service_status)
'';
}
12 changes: 12 additions & 0 deletions nixos/tests/timezone.nix
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,18 @@
print(date_result)
assert date_result == "1970-01-01 09:00:00\n", "Timezone was not adjusted"

# Stop systemd-timedated.service to clear /etc/localtime read cache
node_nulltz.systemctl("stop systemd-timedated.service")
timedatectl_result = node_nulltz.succeed("timedatectl status")
print(timedatectl_result)
assert "Asia/Tokyo" in timedatectl_result, "'timedatectl status' output is missing 'Asia/Tokyo'"

with subtest("imperative - Ensure /etc/localtime symlink includes '/zoneinfo/' like icu expects"):
# https://github.com/unicode-org/icu/blob/release-78.3/icu4c/source/common/putil.cpp#L686-L695
readlink_result = node_nulltz.succeed("readlink --no-newline /etc/localtime")
print(readlink_result)
assert "/zoneinfo/" in readlink_result, f"/etc/localtime symlink is missing '/zoneinfo/': {readlink_result}"

with subtest("imperative - Ensure timezone adjustment persists across reboot"):
# Adjustment should persist across a reboot
node_nulltz.shutdown()
Expand Down
4 changes: 2 additions & 2 deletions pkgs/applications/editors/vim/common.nix
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{ lib, fetchFromGitHub }:
rec {
version = "9.1.2148";
version = "9.2.0340";

outputs = [
"out"
Expand All @@ -11,7 +11,7 @@ rec {
owner = "vim";
repo = "vim";
rev = "v${version}";
hash = "sha256-4ZEbfpffPp6kqSQRp7NFioWGRdG+JsVf7unU0Hqn/Xk=";
hash = "sha256-jCnOVIafx+0o1nlHv7QJQrmxs1IAxh9BBshDOFdZdCM=";
};

enableParallelBuilding = true;
Expand Down
4 changes: 2 additions & 2 deletions pkgs/applications/graphics/ImageMagick/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -85,13 +85,13 @@ in

stdenv.mkDerivation (finalAttrs: {
pname = "imagemagick";
version = "7.1.2-18";
version = "7.1.2-19";

src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = finalAttrs.version;
hash = "sha256-bt8PlCeEWaRsdMe/FP4HSgmzi1OATjH2Kx233OgleyI=";
hash = "sha256-4uASM+GRTe0ES6FdshUMMkVof4IlLV+CMm2l+v5qZN0=";
};

outputs = [
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,8 @@ rec {
thunderbird = thunderbird-latest;

thunderbird-latest = common {
version = "150.0";
sha512 = "6e0770de0aeabdd9372b491ae0a6d20238ff154b70982de21c73b903003398f36d8f56c679ca893a1e5646a25add9e9e126ae1b6ee1f836290104b61eb09dac1";
version = "150.0.1";
sha512 = "bf3d33357965cd144decef7c8865b6c18043502aea8d090d93fe29555379b924e3925d58276411f38fdcdc87b54ab3ae7d6aa6619feec9b856f8f227225cb375";

updateScript = callPackage ./update.nix {
attrPath = "thunderbirdPackages.thunderbird-latest";
Expand Down
6 changes: 3 additions & 3 deletions pkgs/by-name/aw/aws-c-event-stream/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,13 @@
stdenv.mkDerivation rec {
pname = "aws-c-event-stream";
# nixpkgs-update: no auto update
version = "0.5.7";
version = "0.7.0";

src = fetchFromGitHub {
owner = "awslabs";
repo = "aws-c-event-stream";
rev = "v${version}";
hash = "sha256-JvjUrIj1bh5WZEzkauLSLIolxrT8CKIMjO7p1c35XZI=";
tag = "v${version}";
hash = "sha256-jMtLJjKC7TuNZ0c0Nc3+KRh226RBl0omkiKNXXBltoc=";
};

nativeBuildInputs = [ cmake ];
Expand Down
4 changes: 2 additions & 2 deletions pkgs/by-name/ca/cacert/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ let
lib.concatStringsSep "\n\n" extraCertificateStrings
);

version = "3.121";
version = "3.123";
meta = {
homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
Expand Down Expand Up @@ -48,7 +48,7 @@ stdenv.mkDerivation {
"https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
"https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
];
hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM=";
hash = "sha256-dxMO+RITdyhEVh+9OqMdQTslwqx/V2/qO8O7/375NIk=";
};

unpackPhase = ''
Expand Down
1 change: 1 addition & 0 deletions pkgs/by-name/ce/ceph/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,7 @@ let
inherit version;
hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
};
patches = [ ]; # those two CVE patches do not apply (!)
disabledTests = old.disabledTests or [ ] ++ [
"test_export_md5_digest"
];
Expand Down
4 changes: 2 additions & 2 deletions pkgs/by-name/cr/cryptsetup/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

stdenv.mkDerivation (finalAttrs: {
pname = "cryptsetup";
version = "2.8.4";
version = "2.8.6";

outputs = [
"bin"
Expand All @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
url =
"mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/"
+ "cryptsetup-${finalAttrs.version}.tar.xz";
hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM=";
hash = "sha256-gAQmX9mTiF0I97Yz2+BWhR3hohAwdhOk693HQ/zO/lo=";
};

patches = [
Expand Down
4 changes: 2 additions & 2 deletions pkgs/by-name/da/dash/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@

stdenv.mkDerivation (finalAttrs: {
pname = "dash";
version = "0.5.13.1";
version = "0.5.13.2";

src = fetchurl {
url = "http://gondor.apana.org.au/~herbert/dash/files/dash-${finalAttrs.version}.tar.gz";
hash = "sha256-2ScbzgnBJ9mGbiXAEVgt3HWrmIlYoEvE2FU6O48w43A=";
hash = "sha256-5xNoJrHu1s4xk+iv+i9wsbK5Fo3ZH/p9209G6eYgVP4=";
};

strictDeps = true;
Expand Down
49 changes: 49 additions & 0 deletions pkgs/by-name/jq/jq/CVE-2026-32316.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Thu, 12 Mar 2026 20:28:43 +0900
Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
`jvp_string_copy_replace_bad`

In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
allocation followed by a large `memcpy`.

In `jvp_string_copy_replace_bad`, the output buffer size calculation
`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
allocation followed by a large write.

Add overflow checks to both functions to return an error for strings
that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
---
src/jv.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/jv.c b/src/jv.c
index 722a539391..2a62b48419 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
const char* end = data + length;
const char* i = data;

- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ uint64_t maxlength = (uint64_t)length * 3 + 1;
+ if (maxlength >= INT_MAX) {
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }
+
jvp_string* s = jvp_string_alloc(maxlength);
char* out = s->data;
int c = 0;
@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
static jv jvp_string_append(jv string, const char* data, uint32_t len) {
jvp_string* s = jvp_string_ptr(string);
uint32_t currlen = jvp_string_length(s);
+ if ((uint64_t)currlen + len >= INT_MAX) {
+ jv_free(string);
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }

if (jvp_refcnt_unshared(string.u.ptr) &&
jvp_string_remaining_space(s) >= len) {
66 changes: 66 additions & 0 deletions pkgs/by-name/jq/jq/CVE-2026-33947.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 11:23:40 +0900
Subject: [PATCH] Limit path depth to prevent stack overflow

Deeply nested path arrays can cause unbounded recursion in
`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
stack overflow. Add a depth limit of 10000 to match the
existing `tojson` depth limit. This fixes CVE-2026-33947.
---
src/jv_aux.c | 21 +++++++++++++++++++++
2 files changed, 46 insertions(+)

diff --git a/src/jv_aux.c b/src/jv_aux.c
index 018f380b10..fd5ff96684 100644
--- a/src/jv_aux.c
+++ b/src/jv_aux.c
@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) {
return t;
}

+#ifndef MAX_PATH_DEPTH
+#define MAX_PATH_DEPTH (10000)
+#endif
+
jv jv_setpath(jv root, jv path, jv value) {
if (jv_get_kind(path) != JV_KIND_ARRAY) {
jv_free(value);
@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) {
jv_free(path);
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
}
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+ jv_free(value);
+ jv_free(root);
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
if (!jv_is_valid(root)){
jv_free(value);
jv_free(path);
@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) {
jv_free(path);
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
}
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+ jv_free(root);
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
if (!jv_is_valid(root)) {
jv_free(path);
return root;
@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) {
jv_free(elem);
return err;
}
+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
+ jv_free(object);
+ jv_free(paths);
+ jv_free(elem);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
jv_free(elem);
}
if (jv_array_length(jv_copy(paths)) == 0) {
45 changes: 45 additions & 0 deletions pkgs/by-name/jq/jq/CVE-2026-33948.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
From 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 08:46:11 +0900
Subject: [PATCH] Fix NUL truncation in the JSON parser

This fixes CVE-2026-33948.
---
src/util.c | 8 +-------
tests/shtest | 6 ++++++
2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/util.c b/src/util.c
index fdfdb96d88..80d65fc808 100644
--- a/src/util.c
+++ b/src/util.c
@@ -312,13 +312,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
if (p != NULL)
state->current_line++;

- if (p == NULL && state->parser != NULL) {
- /*
- * There should be no NULs in JSON texts (but JSON text
- * sequences are another story).
- */
- state->buf_valid_len = strlen(state->buf);
- } else if (p == NULL && feof(state->current_input)) {
+ if (p == NULL && feof(state->current_input)) {
size_t i;

/*
diff --git a/tests/shtest b/tests/shtest
index cb88745277..370f7b7c69 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -880,4 +880,10 @@ $JQ -nf $d/prog.jq 2> $d/out && {
}
diff $d/out $d/expected

+# CVE-2026-33948: No NUL truncation in the JSON parser
+if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
+ printf 'Error expected but jq exited successfully\n' 1>&2
+ exit 1
+fi
+
exit 0
Loading
Loading