Commit graph

205773 commits

Author SHA1 Message Date
Andreas Rammhold
b21b92947e ansible_2_6: 2.6.17 -> 2.6.20
This addresses the following security issues:

  * CVE-2019-14846 - Several Ansible plugins could disclose aws
    credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
    lookup/aws_account_attribute.py, and lookup/aws_secret.py,
    lookup/aws_ssm.py use the boto3 library from the Ansible process. The
    boto3 library logs credentials at log level DEBUG. If Ansible's
    logging was enabled (by setting LOG_PATH to a value) Ansible would set
    the global log level to DEBUG. This was inherited by boto and would
    then log boto credentials to the file specified by LOG_PATH. This did
    not affect aws ansible modules as those are executed in a separate
    process. This has been fixed by switching to log level INFO
  * Convert CLI provided passwords to text initially, to prevent unsafe
    context being lost when converting from bytes->text during post
    processing of PlayContext. This prevents CLI provided passwords from
    being incorrectly templated (CVE-2019-14856)
  * properly hide parameters marked with no_log in suboptions when
    invalid parameters are passed to the module (CVE-2019-14858)
  * resolves CVE-2019-10206, by avoiding templating passwords from
    prompt as it is probable they have special characters.
  * Handle improper variable substitution that was happening in
    safe_eval, it was always meant to just do 'type enforcement' and have
    Jinja2 deal with all variable interpolation. Also see CVE-2019-10156

Changelog: 9bdb89f740/changelogs/CHANGELOG-v2.6.rst
2019-12-15 21:25:07 +01:00
Andreas Rammhold
71cde971c7 ansible_2_8: 2.8.4 -> 2.8.7
This addresses the following security issues:

  * Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)
  * CVE-2019-14846 - Several Ansible plugins could disclose aws
    credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
    lookup/aws_account_attribute.py, and lookup/aws_secret.py,
    lookup/aws_ssm.py use the boto3 library from the Ansible process. The
    boto3 library logs credentials at log level DEBUG. If Ansible's
    logging was enabled (by setting LOG_PATH to a value) Ansible would set
    the global log level to DEBUG. This was inherited by boto and would
    then log boto credentials to the file specified by LOG_PATH. This did
    not affect aws ansible modules as those are executed in a separate
    process. This has been fixed by switching to log level INFO
  * Convert CLI provided passwords to text initially, to prevent unsafe
    context being lost when converting from bytes->text during post
    processing of PlayContext. This prevents CLI provided passwords from
    being incorrectly templated (CVE-2019-14856)
  * properly hide parameters marked with no_log in suboptions when
    invalid parameters are passed to the module (CVE-2019-14858)

Changelog: 24220a618a/changelogs/CHANGELOG-v2.8.rst
2019-12-15 21:25:02 +01:00
Andreas Rammhold
64e2791092 ansible_2_7: 2.7.11 -> 2.7.15
This fixes the following security issues:
  * Ansible: Splunk and Sumologic callback plugins leak sensitive data
    in logs (CVE-2019-14864)
  * CVE-2019-14846 - Several Ansible plugins could disclose aws
    credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
    lookup/aws_account_attribute.py, and lookup/aws_secret.py,
    lookup/aws_ssm.py use the boto3 library from the Ansible process. The
    boto3 library logs credentials at log level DEBUG. If Ansible's
    logging was enabled (by setting LOG_PATH to a value) Ansible would set
    the global log level to DEBUG. This was inherited by boto and would
    then log boto credentials to the file specified by LOG_PATH. This did
    not affect aws ansible modules as those are executed in a separate
    process. This has been fixed by switching to log level INFO
  * Convert CLI provided passwords to text initially, to prevent unsafe
    context being lost when converting from bytes->text during post
    processing of PlayContext. This prevents CLI provided passwords from
    being incorrectly templated (CVE-2019-14856)
  * properly hide parameters marked with no_log in suboptions when invalid
    parameters are passed to the module (CVE-2019-14858)
  * resolves CVE-2019-10206, by avoiding templating passwords from
    prompt as it is probable they have special characters.
  * Handle improper variable substitution that was happening in
    safe_eval, it was always meant to just do 'type enforcement' and have
    Jinja2 deal with all variable interpolation. Also see CVE-2019-10156

Changelog: 0623dedf2d/changelogs/CHANGELOG-v2.7.rst (v2-7-15)
2019-12-15 21:24:59 +01:00
Mario Rodas
6b3720b395
Merge pull request #75675 from marsam/update-git-gone
gitAndTools.git-gone: 0.1.2 -> 0.2.0
2019-12-15 15:21:19 -05:00
Mario Rodas
22a8e0eb85
Merge pull request #75398 from r-ryantm/auto-update/tpm2-tools
tpm2-tools: 4.0.1 -> 4.1
2019-12-15 15:20:48 -05:00
Nikolay Korotkiy
38294e3051
gpxlab: init at 0.7.0 2019-12-15 22:53:06 +03:00
Andreas Rammhold
5d3607b2da
spamassassin: 3.4.2 -> 3.4.3
Two security issues have been fixed in this release:
  * CVE-2019-12420 for Multipart Denial of Service Vulnerability
  * CVE-2018-11805 for nefarious CF files can be configured to
    run system commands without any output or errors.

https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
2019-12-15 20:48:56 +01:00
Graham Christensen
aa4a1b01d5
Merge pull request #75516 from ivan/chromium-79.0.3945.79
chromium: 78.0.3904.108 -> 79.0.3945.79
2019-12-15 14:48:34 -05:00
Mario Rodas
eb2d272efd
Merge pull request #75671 from clayrat/tparsec-update
idrisPackages.tparsec: 2019-06-18 -> 2019-09-19
2019-12-15 14:43:44 -05:00
Andreas Rammhold
e1699e3c71
thunderbird-bin: 68.2.2 -> 68.3.0 2019-12-15 20:37:50 +01:00
Andreas Rammhold
cd394340d8
dovecot: 2.3.8 -> 2.3.9.2
Update to latest version & updated the patch file to match with the
latest version.

Fixes the following security issue:
  * CVE-2019-19722: Mails with group addresses in From or To fields
    caused crash in push notification drivers.
2019-12-15 20:11:01 +01:00
Frederik Rietdijk
49b3d9ae62 Merge staging into staging-next 2019-12-15 18:49:26 +01:00
Frederik Rietdijk
47efb03cd3 Merge master into staging-next 2019-12-15 18:49:15 +01:00
Will Dietz
3e046ee556 gst_all_1.gstreamer: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
0de5452c84 gst_all_1.gst-vaapi: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
94dd6d0789 gst_all_1.gst-plugins-ugly: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
d12f31a0da gst_all_1.gst-plugins-base: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
800ba7974e gst_all_1.gst-libav: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
a4f6196485 gst_all_1.gst-validate: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
8040ac8b79 gst_all_1.gst-rtsp-server: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
560c4c9fdb gst_all_1.gst-plugins-good: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
6c1f9493ed gst_all_1.gst-plugins-bad: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Will Dietz
04f53c483e gst_all_1.gst-editing-services: 1.16.1 -> 1.16.2 2019-12-15 18:49:13 +01:00
Robert Scott
183ef82f98 libreswan: 3.18 -> 3.29 (security)
addressing CVE-2019-12312 & CVE-2019-10155
2019-12-15 18:48:53 +01:00
Robert Scott
d17ecebcf0 unbound: install headers etc for libevent support as postInstall step 2019-12-15 18:48:53 +01:00
Will Dietz
d67f29261d nghttp2: 1.39.2 -> 1.40.0 2019-12-15 18:45:29 +01:00
R. RyanTM
ef135db301 libuv: 1.33.1 -> 1.34.0 2019-12-15 18:45:16 +01:00
cap
2978ca2180 aircrack-ng: fixed missing dependency for airmon-ng 2019-12-15 18:38:43 +01:00
Marco A L Barbosa
5425557214 tectonic: 0.1.11 -> 0.1.12 (#75396) 2019-12-15 11:27:41 -05:00
Danylo Hlynskyi
d206f2304f
nixos containers: disable NixOS manual in container config. (#75659)
This makes ~2.5x speed up of an empty container instantiate, hence reduces
rebuild time of system with many declarative containers.

Note that this doesn't affect production systems much, because those most
likely already include `minimal.nix` profile.
2019-12-15 18:21:52 +02:00
Robert Hensing
9696d79fea
Merge pull request #75691 from thefloweringash/chromium-maintainer
chromium: add thefloweringash (myself) as maintainer
2019-12-15 16:44:57 +01:00
Frederik Rietdijk
08eaac6be3
Merge pull request #75452 from NixOS/staging-next
Staging next
2019-12-15 16:28:08 +01:00
Frederik Rietdijk
c5720f531b python.pkgs.pyopengl: fix pname of src 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
573b9ccfef python.pkgs.setuptools: 41.6.0 -> 42.0.2 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
8d1430889f python: xattr: 0.9.6 -> 0.9.7 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
757bf39a31 python: xarray: 0.14.0 -> 0.14.1 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
6817b1f835 python: wasabi: 0.4.0 -> 0.4.2 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
6aa6c8b55b python: virtualenv: 16.7.7 -> 16.7.8 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
815b98c137 python: validators: 0.14.0 -> 0.14.1 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
6b347877bd python: uamqp: 1.2.3 -> 1.2.4 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
5d95fcbd6e python: tox: 3.14.1 -> 3.14.2 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
845cecee49 python: tifffile: 2019.7.26 -> 2019.7.26.2 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
56ce4f46ac python: testfixtures: 6.10.2 -> 6.10.3 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
e2db90be3d python: statsmodels: 0.10.1 -> 0.10.2 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
935c75fda1 python: squaremap: 1.0.4 -> 1.0.5 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
7365a96639 python: sqlmap: 1.3.11 -> 1.3.12 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
ab25bcfb5d python: sentry-sdk: 0.13.2 -> 0.13.5 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
1379225ff0 python: semantic_version: 2.8.2 -> 2.8.3 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
8911e95c8c python: scipy: 1.3.2 -> 1.3.3 2019-12-15 16:23:16 +01:00
Frederik Rietdijk
ef3f0927ef python: runway-python: 0.5.3 -> 0.5.4 2019-12-15 16:23:16 +01:00