diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix
index 499bef7e2375..55721a38cd8b 100644
--- a/pkgs/servers/sip/freeswitch/default.nix
+++ b/pkgs/servers/sip/freeswitch/default.nix
@@ -1,12 +1,28 @@
-{ fetchFromGitHub, stdenv, lib, pkg-config, autoreconfHook
-, ncurses, gnutls, readline
-, openssl, perl, sqlite, libjpeg, speex, pcre, libuuid
-, ldns, libedit, yasm, which, libsndfile, libtiff, libxcrypt
-
+{ fetchFromGitHub
+, fetchpatch
+, stdenv
+, lib
+, pkg-config
+, autoreconfHook
+, ncurses
+, gnutls
+, readline
+, openssl
+, perl
+, sqlite
+, libjpeg
+, speex
+, pcre
+, libuuid
+, ldns
+, libedit
+, yasm
+, which
+, libsndfile
+, libtiff
+, libxcrypt
 , callPackage
-
 , SystemConfiguration
-
 , modules ? null
 , nixosTests
 }:
@@ -110,6 +126,20 @@ stdenv.mkDerivation rec {
 done
 '';
 
+ ## TODO Validate with the next upstream release
+ patches = [
+ (fetchpatch {
+ name = "CVE-2023-44488.patch";
+ url = "https://github.com/signalwire/freeswitch/commit/f1fb05214e4f427dcf922f531431ab649cf0622b.patch";
+ hash = "sha256-6GMebE6O2EBx60NE2LSRVljaiLm9T4zTrkIpwGvaB08=";
+ })
+ (fetchpatch {
+ name = "CVE-2023-5217.patch";
+ url = "https://github.com/signalwire/freeswitch/commit/6f9e72c585265d8def8a613b36cd4f524c201980.patch";
+ hash = "sha256-l64mBpyq/TzRM78n73kbuD0UNsk5zIH5QNJlMKdPfr4=";
+ })
+ ];
+
 strictDeps = true;
 nativeBuildInputs = [ pkg-config autoreconfHook perl which yasm ];
 buildInputs = [
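Review bot: The `## TODO Validate with the next upstream release` comment above `patches` does not say what is to be validated or when the two `fetchpatch` entries can be removed, so a later version bump has nothing concrete to check against. Since both entries are named as CVE backports pinned to upstream commits, a comment such as `# Security backports for CVE-2023-44488 and CVE-2023-5217; remove once the packaged version contains both upstream commits.` would make the follow-up actionable. It is not visible from this hunk whether the build compiles the copy of the code these commits touch or links a system library instead; that is worth confirming, because in the latter case the patches would not change the shipped binary. The `stdenv.mkDerivation` block starts and ends outside the hunk.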