3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

667 commits

Author SHA1 Message Date
Antoine Eiche 0bd3f82a67 qemu: fix the url of patch for CVE-2016-9921 and CVE-2016-9922 2017-01-20 11:02:22 +01:00
Franz Pletz 260d97ca25
runc: add patches to fix CVE-2016-9962 2017-01-11 12:11:29 +01:00
Franz Pletz 0aa4931671
runc: 2016-06-15 -> 1.0.0-rc2 2017-01-11 10:59:27 +01:00
Franz Pletz 4df30fc74f
containerd: 0.2.3 -> 0.2.5 2017-01-11 10:59:26 +01:00
Franz Pletz cb07316773
docker: 1.12.5 -> 1.12.6
Fixes CVE-2016-9962.
2017-01-11 10:59:24 +01:00
Graham Christensen f5ca9a4212
Merge branch 'roundup-15' 2016-12-28 21:04:51 -05:00
Antoine Eiche bc63738c6f
qemu: fix CVE-2016-9921 and CVE-2016-9922 2016-12-28 20:37:00 -05:00
Antoine Eiche a5dd311208
qemu: fix CVE-2016-9911 2016-12-28 20:36:53 -05:00
Michael Raskin 442623e499 qemu_28: init at 2.8.0; not updating the main Qemu expression yet because there were some claims about NixOS test fragility 2016-12-28 15:04:51 +01:00
Graham Christensen 4e6c7faf36
xen: patch for many XSAs
- XSA-190
 - XSA-191
 - XSA-192
 - XSA-193
 - XSA-195
 - XSA-196
 - XSA-198
 - XSA-200
 - XSA_202
 - XSA-204
2016-12-21 14:37:47 -05:00
Daiderd Jordan 49e3190efa
Revert "xhyve: update and fix to use our Hypervisor framework"
This reverts commit f3b65f67d9.
2016-12-20 13:02:27 +01:00
Eelco Dolstra 8a0843c3c4
qemu-kvm: Mark the version for tests
(cherry picked from commit d58a4ec1ba)
2016-12-20 10:52:46 +01:00
Dan Peebles f3b65f67d9 xhyve: update and fix to use our Hypervisor framework 2016-12-19 19:47:24 -05:00
aszlig c5e5dccd13
Merge pull request #21201 (VirtualBox 5.1.10)
This brings VirtualBox to the latest upstream version, which also fixes
building the modules against kernel 4.9.0.

Tested against all the the "virtualbox" subtests on x86_64-linux.
2016-12-17 15:46:06 +01:00
Tim Steinbach a5a98290b7
docker: 1.12.3 -> 1.12.5 2016-12-16 08:57:08 -05:00
aszlig 38ea64e867
qemu_test: Make chown() calls to the store a no-op
The "misc" NixOS test is using Nix to query the store and it tries to
change the ownership of it while doing so.

This fails if Nix is not in a seccomp-sandboxed userid namespace, so
let's make chown() a no-op when applied to store paths.

Fixes the misc test (and possibly future tests) on older Nix versions.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-12-16 13:06:25 +01:00
Eelco Dolstra 705829b29a Merge pull request #20500 from aszlig/qemu-patched-for-nixos-tests
nixos/tests: Use a patched QEMU for testing
2016-12-15 12:38:29 +01:00
Peter Hoeg bea3209d5f virtualbox: 5.1.8 -> 5.1.10 2016-12-15 16:20:33 +08:00
Tim Steinbach 4f0592680c
rkt: 1.20.0 -> 1.21.0 2016-12-11 21:10:28 -05:00
Graham Christensen a2d6e8a2eb
xen: Fix patch hashes
I had used nix-prefetch-url, where fetchpatch doesn't support it.
2016-12-09 07:22:35 -05:00
Graham Christensen 86da9839b1
xen: Patch for CVE-2016-9385, CVE-2016-9377, and CVE-2016-9378 2016-12-07 20:16:05 -05:00
Tuomas Tynkkynen 8a4d6516ee Merge remote-tracking branch 'upstream/staging' into master 2016-11-30 00:34:23 +02:00
Tim Steinbach e24df8ea69 rkt: 1.19.0 -> 1.20.0 (#20697) 2016-11-26 17:18:00 +00:00
Vladimír Čunát 925b335607
Merge branch 'master' into staging 2016-11-26 11:27:09 +01:00
Frederik Rietdijk 97259c811e qemu: use python2 2016-11-24 22:28:03 +01:00
Franz Pletz 336bacfa1d
qemu: add patch to fix CVE-2016-7907
cc #20647
2016-11-23 23:23:49 -05:00
Bjørn Forsman bbe5f99e0b qemu: add curl to buildInputs
Enables support for accessing files over HTTP:

  qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly

Increases the closures size from 445 to 447 MiB.
2016-11-23 17:44:02 +01:00
Vladimír Čunát b69f568f4c
Merge branch 'staging'
Hydra rebuild looks fine; only a few Darwin jobs is queued:
http://hydra.nixos.org/eval/1304891?compare=1304807
2016-11-19 04:35:51 +01:00
Franz Pletz f4a318b528
qemu: add patches for CVE-2016-7994 & CVE-2016-8668 2016-11-17 22:00:44 +01:00
aszlig 6cfb3b6364
nixos/tests: Use a patched QEMU for testing
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.

Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.

This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.

So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.

In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).

Tested against the "misc" and "printing" tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-17 17:16:16 +01:00
Vladimír Čunát b5e89fe9bf
Merge branch 'master' into staging 2016-11-15 00:20:19 +01:00
Justin Bedo 04121437be
singularity: init 2.2 2016-11-15 09:11:53 +11:00
Frederik Rietdijk 84e9328028 virtualbox: python is always needed
even when not building bindings.
2016-11-14 19:09:25 +01:00
Tim Steinbach ecd1a53df6
rkt: 1.18.0 -> 1.19.0 2016-11-10 21:06:20 -05:00
Tobias Geerinckx-Rice 583af41f3c
remotebox: 2.1 -> 2.2 2016-11-09 02:24:46 +01:00
Frederik Rietdijk a18ac150a3 virtinst: use python2 2016-11-08 22:48:55 +01:00
Frederik Rietdijk 95c54db397 virtualbox: use python2
and remove python buildInput. Python should only be added when
`pythonBindings` is true.
2016-11-08 22:48:54 +01:00
Tim Steinbach 1ae2f86a32
rkt: 1.17.0 -> 1.18.0 2016-11-05 22:27:42 -04:00
Tobias Geerinckx-Rice c4f41a0a61
remotebox: 2.0 -> 2.1 2016-11-05 18:44:10 +01:00
Franz Pletz 25c01931bb
qemu: add patches to fix lots of CVEs
Patches from Debian and upstream git repo.

Fixes:

 * CVE-2016-6836
 * CVE-2016-7155
 * CVE-2016-7156
 * CVE-2016-7157
 * CVE-2016-7421
 * CVE-2016-7422
 * CVE-2016-7423
 * CVE-2016-7466
 * CVE-2016-8909
 * CVE-2016-8910
 * CVE-2016-9102
 * CVE-2016-9103
 * CVE-2016-9104
 * CVE-2016-9105
 * CVE-2016-9106

cc #20078
2016-11-03 02:45:16 +01:00
Tim Steinbach 282532e702
docker: 1.12.2 -> 1.12.3 2016-10-27 12:46:04 -04:00
Graham Christensen 69e8bac9cd
virtualbox: 5.1.6 -> 5.1.8 for many CVEs:
From LWN:
From the NVD entries:

CVE-2016-5501: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core, a different
vulnerability than CVE-2016-5538.

CVE-2016-5538: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core, a different
vulnerability than CVE-2016-5501.

CVE-2016-5605: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.1.4 in Oracle Virtualization allows remote
attackers to affect confidentiality and integrity via vectors related
to VRDE.

CVE-2016-5608: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect availability via vectors
related to Core, a different vulnerability than CVE-2016-5613.

CVE-2016-5610: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality,
integrity, and availability via vectors related to Core.

CVE-2016-5611: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect confidentiality via
vectors related to Core.

CVE-2016-5613: Unspecified vulnerability in the Oracle VM VirtualBox
component before 5.0.28 and 5.1.x before 5.1.8 in Oracle
Virtualization allows local users to affect availability via vectors
related to Core, a different vulnerability than CVE-2016-5608.
2016-10-26 22:18:00 -04:00
Frederik Rietdijk 7077a270bf Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-26 13:06:43 +02:00
Tuomas Tynkkynen c78ccb92ec cbfstool: git-2015-07-09 -> 4.5
Fixes build.
2016-10-22 21:07:33 +03:00
Frederik Rietdijk e56832d730 Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-22 17:23:24 +02:00
Frederik Rietdijk bd12c10993 openstack: use python2 2016-10-22 16:47:22 +02:00
Frederik Rietdijk 4833f8bada xen: use python2 2016-10-22 16:47:21 +02:00
Jörg Thalheim a3f38b9adc
rancher-compose: set version during build 2016-10-22 14:40:30 +02:00
Vladimír Čunát 4d5b893002 Merge #19081: gnome-3.22
Also master commits are brought in.
2016-10-20 23:04:10 +02:00
Derek Gonyeo a0295e21c5 rkt: libsystemd fix (#19658)
As of systemd 231, the LD_LIBRARY_PATH fix applied in the installPhase of rkt's
build was no longer valid, causing rkt to fail to work. This patch changes the
path to point to the new location of libsystemd, which is in ${systemd.lib}.
2016-10-18 20:00:44 +02:00