diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix index e9f1a2d4bbdf..bb8271cfb44e 100644 --- a/pkgs/development/libraries/libressl/default.nix +++ b/pkgs/development/libraries/libressl/default.nix @@ -12,7 +12,13 @@ let then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH"; - generic = { version, hash, patches ? [] }: stdenv.mkDerivation rec { + generic = + { version + , hash + , patches ? [] + , knownVulnerabilities ? [] + }: stdenv.mkDerivation rec + { pname = "libressl"; inherit version; @@ -80,6 +86,7 @@ let license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ]; platforms = platforms.all; maintainers = with maintainers; [ thoughtpolice fpletz ]; + inherit knownVulnerabilities; }; }; @@ -87,11 +94,22 @@ in { libressl_3_4 = generic { version = "3.4.3"; hash = "sha256-/4i//jVIGLPM9UXjyv5FTFAxx6dyFwdPUzJx1jw38I0="; + knownVulnerabilities = [ "Support ended 2022-10-14." ]; + patches = [ + (fetchpatch { + # https://marc.info/?l=libressl&m=167582148932407&w=2 + name = "backport-type-confusion-fix.patch"; + url = "https://raw.githubusercontent.com/libressl/portable/30dc760ed1d7c70766b135500950d8ca9d17b13a/patches/x509_genn.c.diff"; + sha256 = "sha256-N9jsOueqposDWZwaR+n/v/cHgNiZbZ644d8/wKjN2/M="; + stripLen = 2; + extraPrefix = "crypto/"; + }) + ]; }; libressl_3_5 = generic { - version = "3.5.3"; - hash = "sha256-OrXl6u9pziDGsXDuZNeFtCI19I8uYrCV/KXXtmcriyg="; + version = "3.5.4"; + hash = "sha256-A3naE0Si9xrUpOO+MO+dgu7N3Of43CrmZjGh3+FDQ6w="; patches = [ # Fix endianness detection on aarch64-darwin, issue #181187 @@ -104,7 +122,7 @@ in { }; libressl_3_6 = generic { - version = "3.6.1"; - hash = "sha256-rPrGExbpO5GcKNYtUwN8pzTehcRrTXA/Gf2Dlc8AZ3Q="; + version = "3.6.2"; + hash = "sha256-S+gP/wc3Rs9QtKjlur4nlayumMaxMqngJRm0Rd+/0DM="; }; }