Fixes a number of CVEs:
- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
This fixes:
Traceback (most recent call last):
File "/nix/store/7f9arl3f9xyj8sm05mkanh2mlp217192-glusterfs-3.10.2/libexec/glusterfs/glusterfind/changelog.py", line 22, in <module>
import libgfchangelog
File "/nix/store/7f9arl3f9xyj8sm05mkanh2mlp217192-glusterfs-3.10.2/libexec/glusterfs/glusterfind/libgfchangelog.py", line 21, in <module>
libgfc = CDLL("libgfchangelog.so", use_errno=True, mode=RTLD_GLOBAL)
File "/nix/store/nlyr5ankhi7yvva8zndi718zj37js270-python-2.7.13-env/lib/python2.7/ctypes/__init__.py", line 362, in __init__
self._handle = _dlopen(self._name, mode)
OSError: libgfchangelog.so: cannot open shared object file: No such file or directory
Connection to 10.0.0.2 closed.
when running `glusterfind pre`.
Done by setting PYTHONPATH/LD_LIBRARY_PATH as for the other
Python scripts.
Fixes error
File "/nix/store/lxpsl84km87xpk59nai6a33ihgpfs7qr-glusterfs-3.10.2/libexec/glusterfs/glusterfind/changelog.py", line 105, in populate_pgfid_and_inodegfid
file_xattrs = xattr.list(p)
AttributeError: 'module' object has no attribute 'list'
when using `glusterfind pre`.
Set LD=$CC to fix this build error:
...
ExtUtils::Mkbootstrap::Mkbootstrap('blib/arch/auto/Boost/Geometry/Utils/Utils.bs')
ld -shared -O2 -L/nix/store/sgjc1147vi5hd57ck9xgck5xjkydg5lz-glibc-2.25/lib -fstack-protector-strong -o blib/arch/auto/Boost/Geometry/Utils/Utils.so buildtmp/Utils.o -lstdc++
buildtmp/Utils.o: In function `_GLOBAL__sub_I_Utils.c':
Utils.c:(.text.startup+0x1a): undefined reference to `__dso_handle'
/nix/store/yf4p5w2v4h4i8rja9zw1akp007av624j-binutils-2.28.1/bin/ld: buildtmp/Utils.o: relocation R_X86_64_PC32 against undefined hidden symbol `__dso_handle' can not be used when making a shared object
/nix/store/yf4p5w2v4h4i8rja9zw1akp007av624j-binutils-2.28.1/bin/ld: final link failed: Bad value
error building blib/arch/auto/Boost/Geometry/Utils/Utils.so from buildtmp/Utils.o at /nix/store/7q2hps69zkj501lsmvnd2ry95mmdbh80-perl-5.24.2/lib/perl5/5.24.2/ExtUtils/CBuilder/Base.pm line 321.
builder for ‘/nix/store/bdwqvgxlgcqsmlqfh0d74jkpw96p78kh-perl-Boost-Geometry-Utils-0.15.drv’ failed with exit code 2
error: build of ‘/nix/store/bdwqvgxlgcqsmlqfh0d74jkpw96p78kh-perl-Boost-Geometry-Utils-0.15.drv’ failed
I realize that advanced users like to configure services with Nix
attrsets, but I don't think we should remove the option to use the
(configuration) language provided by upstream.
While we tell pip not to fetch (with the `--no-index` option),
`setuptools` can do so itself. In the past we used a `distutils.cfg`
with `allow-hosts = None` to prevent setuptools from fetching itself.
This was removed when we started building wheels in
2562f94de4e4fd2ddc677187fa2e2848L69.
The `dist-utils.cfg` code was still there, and adding it to
`buildInputs` is sufficient.
Tested with python.pkgs.passlib by removing the `checkInputs` / `nose`.
Otherwise if you try to listing all available packages, you will get a
hard error on platforms not supported by this package. Consequently the
tarball job was broken.