summaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/curl.scm63
-rw-r--r--gnu/packages/fontutils.scm73
-rw-r--r--gnu/packages/ghostscript.scm4
-rw-r--r--gnu/packages/glib.scm40
-rw-r--r--gnu/packages/gnuzilla.scm4
-rw-r--r--gnu/packages/gtk.scm13
-rw-r--r--gnu/packages/image.scm17
-rw-r--r--gnu/packages/node.scm22
-rw-r--r--gnu/packages/openldap.scm49
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2020-15900.patch36
-rw-r--r--gnu/packages/patches/ghostscript-freetype-compat.patch35
-rw-r--r--gnu/packages/patches/libssh2-CVE-2019-17498.patch126
-rw-r--r--gnu/packages/patches/python-CVE-2020-26116.patch47
-rw-r--r--gnu/packages/python.scm1
-rw-r--r--gnu/packages/ssh.scm5
-rw-r--r--gnu/packages/tls.scm76
-rw-r--r--gnu/packages/vpn.scm4
-rw-r--r--gnu/packages/web.scm32
-rw-r--r--gnu/packages/xorg.scm20
21 files changed, 361 insertions, 312 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e649594017..5d14cbc7d3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1059,6 +1059,8 @@ dist_patch_DATA = \
%D%/packages/patches/ghc-monad-par-fix-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-html-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-latex-test.patch \
+ %D%/packages/patches/ghostscript-CVE-2020-15900.patch \
+ %D%/packages/patches/ghostscript-freetype-compat.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
@@ -1285,6 +1287,7 @@ dist_patch_DATA = \
%D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch \
%D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch \
%D%/packages/patches/libquicktime-ffmpeg.patch \
+ %D%/packages/patches/libssh2-CVE-2019-17498.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
@@ -1518,6 +1521,7 @@ dist_patch_DATA = \
%D%/packages/patches/python-3.8-fix-tests.patch \
%D%/packages/patches/python-3.9-fix-tests.patch \
%D%/packages/patches/python-CVE-2018-14647.patch \
+ %D%/packages/patches/python-CVE-2020-26116.patch \
%D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \
%D%/packages/patches/python-argcomplete-1.11.1-fish31.patch \
%D%/packages/patches/python-axolotl-AES-fix.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 33a2188d70..a09210bf04 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -2,7 +2,7 @@
;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -53,16 +53,15 @@
(define-public curl
(package
(name "curl")
- (version "7.69.1")
- (replacement curl-7.74.0)
+ (version "7.74.0")
(source (origin
- (method url-fetch)
- (uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.xz"))
- (sha256
- (base32
- "0kwxh76iq9fblk7iyv4f75bmcmasarp2bcm1mm07wyvzd7kdbiq3"))
- (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
+ (patches (search-patches "curl-use-ssl-cert-env.patch"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -126,25 +125,6 @@
(substitute* "tests/runtests.pl"
(("/bin/sh") (which "sh")))
- ;; XXX FIXME: Test #1510 seems to work on some machines and not
- ;; others, possibly based on the kernel version. It works on Guix System
- ;; on x86_64 with linux-libre-4.1, but fails on Hydra for both i686
- ;; and x86_64 with the following error:
- ;;
- ;; test 1510...[HTTP GET connection cache limit (CURLOPT_MAXCONNECTS)]
- ;;
- ;; 1510: output (log/stderr1510) FAILED:
- ;; --- log/check-expected 2015-06-27 07:45:53.166720834 +0000
- ;; +++ log/check-generated 2015-06-27 07:45:53.166720834 +0000
- ;; @@ -1,5 +1,5 @@
- ;; * Connection #0 to host server1.example.com left intact[LF]
- ;; * Connection #1 to host server2.example.com left intact[LF]
- ;; * Connection #2 to host server3.example.com left intact[LF]
- ;; -* Closing connection 0[LF]
- ;; +* Closing connection 1[LF]
- ;; * Connection #3 to host server4.example.com left intact[LF]
- (delete-file "tests/data/test1510")
-
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -171,31 +151,6 @@ tunneling, and so on.")
(name "curl-minimal")
(inputs (alist-delete "openldap" (package-inputs curl))))))
-;; Replacement package to fix multiple security vulnerabilities.
-(define curl-7.74.0
- (package
- (inherit curl)
- (version "7.74.0")
- (source (origin
- (inherit (package-source curl))
- (uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.xz"))
- (sha256
- (base32
- "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))))
- (arguments
- (substitute-keyword-arguments (package-arguments curl)
- ((#:phases phases)
- `(modify-phases ,phases
- (replace 'check
- (lambda _
- ;; Test 1510 is now disabled upstream, and the test runner
- ;; complains that it can not disable a non-existing test.
- ;; Thus, override the phase to not delete the test.
- (substitute* "tests/runtests.pl"
- (("/bin/sh") (which "sh")))
- (invoke "make" "-C" "tests" "test")))))))))
-
(define-public kurly
(package
(name "kurly")
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index ed2e960938..0181536c37 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -8,7 +8,7 @@
;;; Copyright © 2017 Nikita <nikita@n0.is>
;;; Copyright © 2017, 2018, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2020 Roel Janssen <roel@gnu.org>
;;; Copyright © 2020 Nicolas Goaziou <mail@nicolasgoaziou.fr>
@@ -73,14 +73,14 @@
(define-public freetype
(package
(name "freetype")
- (version "2.10.1")
- (replacement freetype/fixed)
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://savannah/freetype/freetype-"
- version ".tar.xz"))
- (sha256 (base32
- "0vx2dg1jh5kq34dd6ifpjywkpapp8a7p1bvyq9yq5zi1i94gmnqn"))))
+ (version "2.10.4")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "mirror://savannah/freetype/freetype-"
+ version ".tar.xz"))
+ (sha256
+ (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))
(build-system gnu-build-system)
(arguments
;; The use of "freetype-config" is deprecated, but other packages still
@@ -103,19 +103,6 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
(license license:freetype) ; some files have other licenses
(home-page "https://www.freetype.org/")))
-(define freetype/fixed
- ;; Security fix for CVE-2020-15999.
- (package
- (inherit freetype)
- (version "2.10.4")
- (source
- (origin
- (method url-fetch)
- (uri (string-append "mirror://savannah/freetype/freetype-"
- version ".tar.xz"))
- (sha256
- (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))))
-
(define-public ttfautohint
(package
(name "ttfautohint")
@@ -331,12 +318,6 @@ Font Format (WOFF).")
(define-public fontconfig
(package
(name "fontconfig")
-
- ;; This replacement is not security-related, but works around the fact
- ;; that gs-fonts are not recognized by newer versions of Pango, causing
- ;; many applications to fail to find fonts otherwise.
- (replacement fontconfig/font-dejavu)
-
(version "2.13.1")
(source (origin
(method url-fetch)
@@ -351,16 +332,19 @@ Font Format (WOFF).")
(propagated-inputs `(("expat" ,expat)
("freetype" ,freetype)
("libuuid" ,util-linux "lib")))
- (inputs `(("gs-fonts" ,gs-fonts)))
+ (inputs
+ ;; We use to use 'gs-fonts' but they are not recognized by newer versions
+ ;; of Pango, causing many applications to fail to find fonts otherwise.
+ `(("font-dejavu" ,font-dejavu)))
(native-inputs
`(("gperf" ,gperf)
("pkg-config" ,pkg-config)))
(arguments
`(#:configure-flags
(list "--with-cache-dir=/var/cache/fontconfig"
- ;; register gs-fonts as default fonts
+ ;; register the default fonts
(string-append "--with-default-fonts="
- (assoc-ref %build-inputs "gs-fonts")
+ (assoc-ref %build-inputs "font-dejavu")
"/share/fonts")
;; Register fonts from user and system profiles.
@@ -393,13 +377,6 @@ high quality, anti-aliased and subpixel rendered text on a display.")
"See COPYING in the distribution."))
(home-page "https://www.freedesktop.org/wiki/Software/fontconfig")))
-(define fontconfig/font-dejavu
- (package
- (inherit fontconfig)
- (inputs
- ;; XXX: Reuse the name to avoid having to override the configure flags.
- `(("gs-fonts" ,font-dejavu)))))
-
(define-public t1lib
(package
(name "t1lib")
@@ -575,16 +552,15 @@ using the above tables.")
(define-public libspiro
(package
(name "libspiro")
- (version "20190731")
- (replacement libspiro-20200505)
+ (version "20200505")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/fontforge/libspiro/releases"
- "/download/" version "/libspiro-" version ".tar.gz"))
+ "/download/" version "/libspiro-dist-" version ".tar.gz"))
(sha256
(base32
- "0m63x97b7aciviijprvy85gm03p2jsgslxn323zl9zn7qz6d3ir4"))))
+ "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--disable-static")))
@@ -595,19 +571,6 @@ smooth contours with constant curvature at the spline joins.")
(license license:gpl2+)
(home-page "http://libspiro.sourceforge.net/")))
-(define libspiro-20200505
- (package
- (inherit libspiro)
- (version "20200505")
- (source
- (origin
- (method url-fetch)
- (uri (string-append "https://github.com/fontforge/libspiro/releases"
- "/download/" version "/libspiro-dist-" version ".tar.gz"))
- (sha256
- (base32
- "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))))
-
(define-public libuninameslist
(package
(name "libuninameslist")
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 4d56f05cf2..03a516dc52 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -170,7 +170,9 @@ printing, and psresize, for adjusting page sizes.")
(sha256
(base32
"0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
- (patches (search-patches "ghostscript-no-header-creationdate.patch"
+ (patches (search-patches "ghostscript-freetype-compat.patch"
+ "ghostscript-CVE-2020-15900.patch"
+ "ghostscript-no-header-creationdate.patch"
"ghostscript-no-header-id.patch"
"ghostscript-no-header-uuid.patch"))
(modules '((guix build utils)))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 431111f811..9cc2b1b69e 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
@@ -91,7 +91,6 @@
(package
(name "dbus")
(version "1.12.16")
- (replacement dbus/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -100,7 +99,8 @@
(sha256
(base32
"107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl"))
- (patches (search-patches "dbus-helper-search-path.patch"))))
+ (patches (search-patches "dbus-CVE-2020-12049.patch"
+ "dbus-helper-search-path.patch"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
@@ -168,20 +168,10 @@ or through unencrypted TCP/IP suitable for use behind a firewall with
shared NFS home directories.")
(license license:gpl2+))) ; or Academic Free License 2.1
-;; Replacement package to fix CVE-2020-12049.
-(define dbus/fixed
- (package
- (inherit dbus)
- (source (origin
- (inherit (package-source dbus))
- (patches (append (search-patches "dbus-CVE-2020-12049.patch")
- (origin-patches (package-source dbus))))))))
-
(define glib
(package
(name "glib")
(version "2.62.6")
- (replacement glib-with-gio-patch)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnome/sources/"
@@ -190,7 +180,8 @@ shared NFS home directories.")
(sha256
(base32
"174bsmbmcvaw69ff9g60q5sx0fn23rkhqcwqz17h5s7sprps4kqh"))
- (patches (search-patches "glib-tests-timer.patch"))
+ (patches (search-patches "glib-appinfo-watch.patch"
+ "glib-tests-timer.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -236,6 +227,17 @@ shared NFS home directories.")
(("gio-launch-desktop")
(string-append out "/libexec/gio-launch-desktop")))
#t)))
+ ;; TODO: Remove the conditional in the next core-updates cycle.
+ ;; Needed to build glib on slower ARM nodes.
+ ,@(if (string-prefix? "arm" (%current-system))
+ `((add-after 'unpack 'increase-test-timeout
+ (lambda _
+ (substitute* "meson.build"
+ (("test_timeout = 60")
+ "test_timeout = 90")
+ (("test_timeout_slow = 120")
+ "test_timeout_slow = 180")))))
+ '())
(add-before 'build 'pre-build
(lambda* (#:key inputs outputs #:allow-other-keys)
;; For tests/gdatetime.c.
@@ -388,16 +390,6 @@ dynamic loading, and an object system.")
(home-page "https://developer.gnome.org/glib/")
(license license:lgpl2.1+)))
-(define glib-with-gio-patch
- ;; GLib with a fix for <https://bugs.gnu.org/35594>.
- ;; TODO: Fold into 'glib' above in the next rebuild cycle.
- (package
- (inherit glib)
- (source (origin
- (inherit (package-source glib))
- (patches (cons (search-patch "glib-appinfo-watch.patch")
- (origin-patches (package-source glib))))))))
-
(define-public glib-with-documentation
;; glib's doc must be built in a separate package since it requires gtk-doc,
;; which in turn depends on glib.
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 0c432f5dc1..98b77a9515 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -935,7 +935,7 @@ from forcing GEXP-PROMISE."
("llvm" ,llvm)
("clang" ,clang)
("perl" ,perl)
- ("node" ,node-10.22)
+ ("node" ,node)
("python" ,python)
("python-2" ,python-2)
("python2-pysqlite" ,python2-pysqlite)
@@ -1604,7 +1604,7 @@ standards of the IceCat project.")
("clang" ,clang)
("llvm" ,llvm)
("nasm" ,nasm)
- ("node" ,node-10.22)
+ ("node" ,node)
("perl" ,perl)
("pkg-config" ,pkg-config)
("python" ,python)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 3c930722b5..b4472a5e98 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -357,7 +357,18 @@ used throughout the world.")
(base32
"17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))
(build-system gnu-build-system)
- (arguments '())))
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-after 'configure 'disable-layout-test
+ (lambda _
+ ;; This test requires that fontconfig uses bitmap fonts
+ ;; such as "gs-fonts"; however providing such a package
+ ;; alone is not enough, as the requirement comes from
+ ;; deeper in the font stack. Since this version of Pango
+ ;; is only used for librsvg, simply disable the test.
+ (substitute* "tests/Makefile"
+ (("test-layout\\$\\(EXEEXT\\)") ""))
+ #t)))))))
(define-public pangox-compat
(package
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 979b069415..dac1d654f6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1613,15 +1613,14 @@ is hereby granted."))))
(define-public libjpeg-turbo
(package
(name "libjpeg-turbo")
- (version "2.0.4")
- (replacement libjpeg-turbo/fixed)
+ (version "2.0.5")
(source (origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/libjpeg-turbo/"
version "/libjpeg-turbo-" version ".tar.gz"))
(sha256
(base32
- "01ill8bgjyk582wipx7sh7gj2nidylpbzvwhx0wkcm6mxx3qbp9k"))))
+ "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))
(build-system cmake-build-system)
(native-inputs
`(("nasm" ,nasm)))
@@ -1671,18 +1670,6 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
license:ijg ;the libjpeg library and associated tools
license:zlib)))) ;the libjpeg-turbo SIMD extensions
-(define libjpeg-turbo/fixed
- (package
- (inherit libjpeg-turbo)
- (version "2.0.5")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
- version "/libjpeg-turbo-" version ".tar.gz"))
- (sha256
- (base32
- "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))))
-
(define-deprecated libjpeg libjpeg-turbo)
(export libjpeg)
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index f04e39bbd5..66ef4f0905 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -48,14 +48,14 @@
(define-public node
(package
(name "node")
- (version "10.20.0")
+ (version "10.22.1")
(source (origin
(method url-fetch)
(uri (string-append "https://nodejs.org/dist/v" version
"/node-v" version ".tar.xz"))
(sha256
(base32
- "0cvjwnl0wkcsyw3kannbdv01s235wrnp11n2s6swzjx95gpichfi"))
+ "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
(modules '((guix build utils)))
(snippet
`(begin
@@ -201,24 +201,6 @@ devices.")
(properties '((max-silent-time . 7200) ;2h, needed on ARM
(timeout . 21600))))) ;6h
-;; TODO: Make this the default node on core-updates. This cannot be done on
-;; master since this version of node requires a newer nghttp2 library at link
-;; time.
-(define-public node-10.22
- (package
- (inherit node)
- (version "10.22.1")
- (source (origin
- (inherit (package-source node))
- (uri (string-append "https://nodejs.org/dist/v" version
- "/node-v" version ".tar.xz"))
- (sha256
- (base32
- "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))))
- (inputs
- (alist-replace "nghttp2" (list nghttp2-1.41 "lib")
- (package-inputs node)))))
-
(define-public libnode
(package
(inherit node)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 6e863388d8..fb917882e7 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
@@ -61,25 +61,23 @@
(define-public openldap
(package
(name "openldap")
- (replacement openldap-2.4.50)
- (version "2.4.49")
+ (version "2.4.50")
(source (origin
- (method url-fetch)
-
- ;; See <http://www.openldap.org/software/download/> for a list of
- ;; mirrors.
- (uri (list (string-append
- "ftp://mirror.switch.ch/mirror/OpenLDAP/"
- "openldap-release/openldap-" version ".tgz")
- (string-append
- "https://www.openldap.org/software/download/OpenLDAP/"
- "openldap-release/openldap-" version ".tgz")
- (string-append
- "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
- "openldap-release/openldap-" version ".tgz")))
- (sha256
- (base32
- "0vp524rsngdcykf6ki7vprsyg7gj8z7hszg8xwxz50219fa1gcg3"))))
+ (method url-fetch)
+ ;; See <http://www.openldap.org/software/download/> for a list of
+ ;; mirrors.
+ (uri (list (string-append
+ "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+ "openldap-release/openldap-" version ".tgz")
+ (string-append
+ "https://www.openldap.org/software/download/OpenLDAP/"
+ "openldap-release/openldap-" version ".tgz")
+ (string-append
+ "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
+ "openldap-release/openldap-" version ".tgz")))
+ (sha256
+ (base32
+ "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))
(build-system gnu-build-system)
(inputs `(("bdb" ,bdb-5.3)
("cyrus-sasl" ,cyrus-sasl)
@@ -127,19 +125,6 @@
(license openldap2.8)
(home-page "https://www.openldap.org/")))
-(define openldap-2.4.50
- (package
- (inherit openldap)
- (version "2.4.50")
- (source (origin
- (method url-fetch)
- (uri (string-append "https://www.openldap.org/software/download/"
- "OpenLDAP/openldap-release/openldap-" version
- ".tgz"))
- (sha256
- (base32
- "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
-
(define-public nss-pam-ldapd
(package
(name "nss-pam-ldapd")
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index df217c801f..801d74627b 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -405,7 +405,7 @@ $(prefix)/etc/init.d\n")))
("glibc-utf8-locales" ,glibc-utf8-locales)))
(propagated-inputs
- `(("gnutls" ,(if (%current-target-system) gnutls/fixed gnutls))
+ `(("gnutls" ,gnutls)
;; Avahi requires "glib" which doesn't cross-compile yet.
,@(if (%current-target-system)
'()
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+ return 0;
+ found:
+ op->tas.type_attrs = op1->tas.type_attrs;
+- op->value.bytes = ptr;
+- r_set_size(op, size);
++ op->value.bytes = ptr; /* match */
++ op->tas.rsize = size; /* match */
+ push(2);
+- op[-1] = *op1;
+- r_set_size(op - 1, ptr - op[-1].value.bytes);
+- op1->value.bytes = ptr + size;
+- r_set_size(op1, count + (!forward ? (size - 1) : 0));
++ op[-1] = *op1; /* pre */
++ op[-3].value.bytes = ptr + size; /* post */
++ if (forward) {
++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
++ op[-3].tas.rsize = count; /* post */
++ } else {
++ op[-1].tas.rsize = count; /* pre */
++ op[-3].tas.rsize -= count + size; /* post */
++ }
+ make_true(op);
+ return 0;
+ }
diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch
new file mode 100644
index 0000000000..cc225b5ad6
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-freetype-compat.patch
@@ -0,0 +1,35 @@
+Fix build with FreeType 2.10.3 and newer.
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
+
+diff --git a/base/fapi_ft.c b/base/fapi_ft.c
+--- a/base/fapi_ft.c
++++ b/base/fapi_ft.c
+@@ -125,7 +125,7 @@ static void
+ delete_inc_int_info(gs_fapi_server * a_server,
+ FT_IncrementalRec * a_inc_int_info);
+
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_alloc(FT_Memory memory, long size)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size)
+ return (gs_malloc(mem, size, 1, "FF_alloc"));
+ }
+
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *)
+ return (tmp);
+ }
+
+-FT_CALLBACK_DEF(void)
++static void
+ FF_free(FT_Memory memory, void *block)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
new file mode 100644
index 0000000000..6f69e562e2
--- /dev/null
+++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
@@ -0,0 +1,126 @@
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
+
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab62944..2e01bfc5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display = data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 +
+- message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+ if(session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch
new file mode 100644
index 0000000000..dc0571e964
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2020-26116.patch
@@ -0,0 +1,47 @@
+Fix CVE-2020-26116:
+
+https://cve.circl.lu/cve/CVE-2020-26116
+https://bugs.python.org/issue39603
+
+Taken from upstream (sans test and NEWS update):
+https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+ else:
+ raise CannotSendRequest(self.__state)
+
++ self._validate_method(method)
++
+ # Save the method for use later in the response phase
+ self._method = method
+
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+ # ASCII also helps prevent CVE-2019-9740.
+ return request.encode('ascii')
+
++ def _validate_method(self, method):
++ """Validate a method name for putrequest."""
++ # prevent http header injection
++ match = _contains_disallowed_method_pchar_re.search(method)
++ if match:
++ raise ValueError(
++ f"method can't contain control characters. {method!r} "
++ f"(found at least {match.group()!r})")
++
+ def _validate_path(self, url):
+ """Validate a url for putrequest."""
+ # Prevent CVE-2019-9740.
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index fa9bf10e07..27e9b70432 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -370,6 +370,7 @@ data types.")
(uri (string-append "https://www.python.org/ftp/python/"
version "/Python-" version ".tar.xz"))
(patches (search-patches
+ "python-CVE-2020-26116.patch"
"python-3-fix-tests.patch"
"python-3.8-fix-tests.patch"
"python-3-deterministic-build-info.patch"
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 146177f7f3..0f2434d7c5 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -2,7 +2,7 @@
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2016, 2018, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
@@ -165,7 +165,8 @@ applications.")
version ".tar.gz"))
(sha256
(base32
- "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))))
+ "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
+ (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ab2a1f8628..0724d4d5be 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -164,21 +164,19 @@ living in the same process.")
(define-public gnutls
(package
(name "gnutls")
- ;; XXX Unversion openconnect's "gnutls" input when ungrafting.
- (replacement gnutls/fixed)
- (version "3.6.12")
+ (version "3.6.15")
(source (origin
- (method url-fetch)
- (uri
+ (method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
;; schism (after version 3.1.5).
- (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
- (sha256
- (base32
- "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z"))))
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"
+ "gnutls-cross.patch"))
+ (sha256
+ (base32
+ "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
(build-system gnu-build-system)
(arguments
`(#:tests? ,(not (or (%current-target-system)
@@ -228,7 +226,11 @@ living in the same process.")
"debug"
"doc")) ;4.1 MiB of man pages
(native-inputs
- `(,@(if (hurd-target?) '()
+ `(,@(if (%current-target-system) ;for cross-build
+ `(("guile" ,guile-3.0)) ;to create .go files
+ '())
+ ,@(if (hurd-target?)
+ '()
`(("net-tools" ,net-tools)))
("pkg-config" ,pkg-config)
("which" ,which)
@@ -254,27 +256,6 @@ required structures.")
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
-;; Replacement package to fix multiple security vulnerabilities.
-(define-public gnutls/fixed
- (package
- (inherit gnutls)
- (version "3.6.15")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"
- "gnutls-cross.patch"))
- (sha256
- (base32
- "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
- (native-inputs
- `(,@(if (%current-target-system) ;for cross-build
- `(("guile" ,guile-3.0)) ;to create .go files
- '())
- ,@(package-native-inputs gnutls)))))
-
(define-public gnutls/guile-2.0
;; GnuTLS for Guile 2.0.
(package/inherit gnutls
@@ -287,7 +268,7 @@ required structures.")
;; Authentication of Named Entities. This is required for GNS functionality
;; by GNUnet and gnURL. This is done in an extra package definition
;; to have the choice between GnuTLS with Dane and without Dane.
- (package/inherit gnutls/fixed
+ (package/inherit gnutls
(name "gnutls-dane")
(inputs `(("unbound" ,unbound)
,@(package-inputs gnutls)))))
@@ -306,8 +287,7 @@ required structures.")
(define-public openssl
(package
(name "openssl")
- (version "1.1.1f")
- (replacement openssl-1.1.1i)
+ (version "1.1.1i")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -317,10 +297,10 @@ required structures.")
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
"/openssl-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
- "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q"))
- (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
+ "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
@@ -439,24 +419,6 @@ required structures.")
(license license:openssl)
(home-page "https://www.openssl.org/")))
-(define openssl-1.1.1i
- (package
- (inherit openssl)
- (version "1.1.1i")
- (source (origin
- (method url-fetch)
- (uri (list (string-append "https://www.openssl.org/source/openssl-"
- version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/"
- "openssl-" version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/old/"
- (string-trim-right version char-set:letter)
- "/openssl-" version ".tar.gz")))
- (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
- (sha256
- (base32
- "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))))
-
(define-public openssl-1.0
(package
(inherit openssl)
diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index c1f0b65e84..525d1ddb3f 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -264,9 +264,7 @@ the user specifically asks to proxy, so the @dfn{VPN} interface no longer
(build-system gnu-build-system)
(propagated-inputs
`(("libxml2" ,libxml2)
- ;; XXX ‘DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.’
- ;; See <https://gitlab.com/gnutls/gnutls/-/issues/960>.
- ("gnutls" ,gnutls/fixed)
+ ("gnutls" ,gnutls)
("zlib" ,zlib)))
(inputs
`(("lz4" ,lz4)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index bd1e7eccaa..5851251c6d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -900,7 +900,6 @@ data.")
(define-public json-c
(package
- (replacement json-c/fixed)
(name "json-c")
(version "0.14")
(source (origin
@@ -910,7 +909,8 @@ data.")
version ".tar.gz"))
(sha256
(base32
- "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))))
+ "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))
+ (patches (search-patches "json-c-CVE-2020-12762.patch"))))
(build-system cmake-build-system)
(home-page "https://github.com/json-c/json-c/wiki")
(synopsis "JSON implementation in C")
@@ -921,15 +921,6 @@ parse JSON-formatted strings back into the C representation of JSON objects.
It aims to conform to RFC 7159.")
(license license:x11)))
-(define json-c/fixed
- (package
- (inherit json-c)
- (name "json-c")
- (version "0.14")
- (source (origin
- (inherit (package-source json-c))
- (patches (search-patches "json-c-CVE-2020-12762.patch"))))))
-
;; TODO: Remove these old versions when all dependents have been updated.
(define-public json-c-0.13
(package
@@ -7447,8 +7438,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
(define-public nghttp2
(package
(name "nghttp2")
- (version "1.40.0")
- (replacement nghttp2-1.41)
+ (version "1.41.0")
(source
(origin
(method url-fetch)
@@ -7457,7 +7447,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
"nghttp2-" version ".tar.xz"))
(sha256
(base32
- "0wwhwv7cvi1vxpdjwvg0kpa4jzhszclpnwrwfcw728zz53a47z09"))))
+ "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))
(build-system gnu-build-system)
(outputs (list "out"
"lib")) ; only libnghttp2
@@ -7531,20 +7521,6 @@ compressed JSON header blocks.
@end itemize\n")
(license license:expat)))
-(define-public nghttp2-1.41 ;fixes CVE-2020-11080
- (package
- (inherit nghttp2)
- (version "1.41.0")
- (source
- (origin
- (method url-fetch)
- (uri (string-append "https://github.com/nghttp2/nghttp2/"
- "releases/download/v" version "/"
- "nghttp2-" version ".tar.xz"))
- (sha256
- (base32
- "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))))
-
(define-public hpcguix-web
(let ((commit "9de63562b06b4aef3a3afe5ecb18d3c91e57ee74")
(revision "5"))
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 3a26acc802..cd3a7d3765 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -2,7 +2,7 @@
;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015, 2017, 2018, 2020 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
;;; Copyright © 2015 Cyrill Schenkel <cyrill.schenkel@gmail.com>
@@ -5473,8 +5473,7 @@ draggable titlebars and borders.")
(define-public libx11
(package
(name "libx11")
- (version "1.6.9")
- (replacement libx11/fixed)
+ (version "1.6.10")
(source
(origin
(method url-fetch)
@@ -5484,7 +5483,7 @@ draggable titlebars and borders.")
".tar.bz2"))
(sha256
(base32
- "1ldyn9c6pyx54sxzaw120n3q42rqi7b503aqmyjky6fn038fiiww"))))
+ "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;8 MiB of man pages + XML
@@ -5512,19 +5511,6 @@ draggable titlebars and borders.")
(description "Xorg Core X11 protocol client library.")
(license license:x11)))
-(define libx11/fixed ; Fixes CVE-2020-14344
- (package
- (inherit libx11)
- (version "1.6.A")
- (source
- (origin
- (method url-fetch)
- (uri (string-append
- "mirror://xorg/individual/lib/libX11-1.6.10.tar.bz2"))
- (sha256
- (base32
- "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))))
-
;; packages of height 5 in the propagated-inputs tree
(define-public libxcursor