staging-next-24.05 iteration 3 - 2024-07-30

pkgs/build-support/setup-hooks/separate-debug-info.sh

@@ -1,7 +1,7 @@
 export NIX_SET_BUILD_ID=1
 export NIX_LDFLAGS+=" --compress-debug-sections=zlib"
 export NIX_CFLAGS_COMPILE+=" -ggdb -Wa,--compress-debug-sections"
-export NIX_RUSTFLAGS+=" -g"
+export NIX_RUSTFLAGS+=" -g -C strip=none"
 
 fixupOutputHooks+=(_separateDebugInfo)
 

pkgs/by-name/me/meson/package.nix

@@ -18,13 +18,13 @@ let
 in
 python3.pkgs.buildPythonApplication rec {
   pname = "meson";
-  version = "1.4.1";
+  version = "1.4.2";
 
   src = fetchFromGitHub {
     owner = "mesonbuild";
     repo = "meson";
     rev = "refs/tags/${version}";
-    hash = "sha256-RBE4AUF5fymUA87JEDWtpUFXmVPFzdhZgDI7/kscTx4=";
+    hash = "sha256-IdhvhQHf4fEUmJo8CqvUCiyvH/55C+h+eCmOWhM/1ig=";
   };
 
   patches = [

pkgs/development/compilers/orc/default.nix

@@ -18,11 +18,11 @@
   inherit (lib) optional optionals;
 in stdenv.mkDerivation rec {
   pname = "orc";
-  version = "0.4.38";
+  version = "0.4.39";
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/orc/${pname}-${version}.tar.xz";
-    sha256 = "sha256-pVqY1HclZ6o/rtj7hNVAw9t36roW0+LhCwRPvJIoZo0=";
+    sha256 = "sha256-M+0jh/Sbgl+hucOwBy4F8lkUG4lUdK0IWuURQ9MEDMA=";
   };
 
   postPatch = lib.optionalString (stdenv.isDarwin && stdenv.isx86_64) ''

pkgs/development/haskell-modules/generic-builder.nix

@@ -226,9 +226,6 @@ let
 
   makeGhcOptions = opts: lib.concatStringsSep " " (map (opt: "--ghc-option=${opt}") opts);
 
-  crossCabalFlagsString =
-    lib.optionalString isCross (" " + lib.concatStringsSep " " crossCabalFlags);
-
   buildFlagsString = optionalString (buildFlags != []) (" " + concatStringsSep " " buildFlags);
 
   defaultConfigureFlags = [
@@ -590,7 +587,7 @@ stdenv.mkDerivation ({
         find dist/build -exec touch -d '1970-01-01T00:00:00Z' {} +
         ''
     + ''
-      ${setupCommand} build ${buildTarget}${crossCabalFlagsString}${buildFlagsString}
+      ${setupCommand} build ${buildTarget}${buildFlagsString}
       runHook postBuild
       '';
 

pkgs/development/interpreters/ruby/default.nix

@@ -307,8 +307,8 @@ in {
   };
 
   ruby_3_3 = generic {
-    version = rubyVersion "3" "3" "3" "";
-    hash = "sha256-g8BbIXfunDNbYxspuMB3tHcBZtAvpSfzqfakDRPzzOI=";
+    version = rubyVersion "3" "3" "4" "";
+    hash = "sha256-/mow+X1U4Cl2jy3fSSNpnEFs28Om6W2z4tVxbH25ajQ=";
     cargoHash = "sha256-GeelTMRFIyvz1QS2L+Q3KAnyQy7jc0ejhx3TdEFVEbk=";
   };
 

pkgs/development/libraries/gtk/3.x.nix

@@ -64,7 +64,7 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gtk+3";
-  version = "3.24.42";
+  version = "3.24.43";
 
   outputs = [ "out" "dev" ] ++ lib.optional withIntrospection "devdoc";
   outputBin = "dev";
@@ -78,7 +78,7 @@ stdenv.mkDerivation (finalAttrs: {
     inherit (finalAttrs) version;
   in fetchurl {
     url = "mirror://gnome/sources/gtk+/${lib.versions.majorMinor version}/gtk+-${version}.tar.xz";
-    sha256 = "sha256-UPifYVCS1N0Bu9dZcZ+L04Dl8Un2/XipRyXi3hEjd+I=";
+    hash = "sha256-fgTwZIUVA0uAa3SuXXdNh8/7GiqWxGjLW+R21Rvy88c=";
   };
 
   patches = [

pkgs/development/libraries/nss/esr.nix

@@ -1,4 +1,4 @@
 import ./generic.nix {
-  version = "3.90.2";
-  hash = "sha256-4r/LhKilkSeEhw/rl2IRAn5xMJ74W5ACg7fX0e4GQxA=";
+  version = "3.101.2";
+  hash = "sha256-i5K47pzQYOiD4vFHBN6VeqXEdPBOM7U1oSK0qSi2M2Y=";
 }

pkgs/development/libraries/nss/generic.nix

@@ -46,10 +46,6 @@ stdenv.mkDerivation rec {
     # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
     ./85_security_load_3.85+.patch
     ./fix-cross-compilation.patch
-  ] ++ lib.optionals (lib.versionOlder version "3.91") [
-    # https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
-    # https://phabricator.services.mozilla.com/D180068
-    ./remove-c25519-support.patch
   ];
 
   postPatch = ''

pkgs/development/python-modules/aiosmtpd/default.nix

@@ -9,11 +9,15 @@
   pythonOlder,
   setuptools,
   typing-extensions,
+
+  # for passthru.tests
+  django,
+  aiosmtplib,
 }:
 
 buildPythonPackage rec {
   pname = "aiosmtpd";
-  version = "1.4.5";
+  version = "1.4.6";
   pyproject = true;
 
   disabled = pythonOlder "3.6";
@@ -22,7 +26,7 @@ buildPythonPackage rec {
     owner = "aio-libs";
     repo = "aiosmtpd";
     rev = "refs/tags/v${version}";
-    hash = "sha256-8nQ4BVSLYgZHRGkbujy/olV/+GABlkDhe5wef3hyQpQ=";
+    hash = "sha256-Ih/xbWM9O/fFQiZezydlPlIr36fLRc2lLgdfxD5Jviw=";
   };
 
   nativeBuildInputs = [ setuptools ];
@@ -49,6 +53,10 @@ buildPythonPackage rec {
 
   pythonImportsCheck = [ "aiosmtpd" ];
 
+  passthru.tests = {
+    inherit django aiosmtplib;
+  };
+
   meta = with lib; {
     description = "Asyncio based SMTP server";
     mainProgram = "aiosmtpd";

pkgs/os-specific/linux/systemd/default.nix

@@ -179,7 +179,7 @@ assert withBootloader -> withEfi;
 let
   wantCurl = withRemote || withImportd;
   wantGcrypt = withResolved || withImportd;
-  version = "255.6";
+  version = "255.9";
 
   # Use the command below to update `releaseTimestamp` on every (major) version
   # change. More details in the commentary at mesonFlags.
@@ -197,7 +197,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    hash = "sha256-ah0678iNfy0c5NhHhjn0roY6RoM8OE0hWyEt+qEGKRQ=";
+    hash = "sha256-fnMvBYyMRQrP2x//8ntGTSwoHOtFk2TQ4S5fwcsSLDU=";
   };
 
   # On major changes, or when otherwise required, you *must* :
@@ -411,7 +411,8 @@ stdenv.mkDerivation (finalAttrs: {
   hardeningDisable = [
     # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
     "trivialautovarinit"
-  ];
+    # breaks clang -target bpf; should be fixed to filter target?
+  ] ++ (lib.optional withLibBPF "zerocallusedregs");
 
   nativeBuildInputs =
     [

pkgs/tools/networking/curl/0001-x509asn1-remove-superfluous-free.patch

@@ -0,0 +1,28 @@
+freeing stack buffer in utf8asn1str
+https://curl.se/docs/CVE-2024-6197.html
+
+From 8718ae9a4f4d4803530a3253a074021d612a85d4 Mon Sep 17 00:00:00 2001
+From: z2_ <[email protected]>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+(cherry picked from commit 3a537a4db9e65e545ec45b1b5d5575ee09a2569d)
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index da079361d..2ccf6327a 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -389,7 +389,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+         if(wc >= 0x00000800) {
+           if(wc >= 0x00010000) {
+             if(wc >= 0x00200000) {
+-              free(buf);
+               /* Invalid char. size for target encoding. */
+               return CURLE_WEIRD_SERVER_REPLY;
+             }
+-- 
+2.45.2
+

pkgs/tools/networking/curl/default.nix

@@ -59,10 +59,13 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-b+oqrGpGEPvQQAr7C83b5yWKZMY/H2jlhV68DGWXEM0=";
   };
 
-  patches = lib.optionals (lib.versionOlder finalAttrs.version "8.7.2") [
+  patches = [
     # https://github.com/curl/curl/pull/13219
     # https://github.com/newsboat/newsboat/issues/2728
     ./8.7.1-compression-fix.patch
+
+    # https://curl.se/docs/CVE-2024-6197.html
+    ./0001-x509asn1-remove-superfluous-free.patch
   ];
 
   postPatch = ''