Merge remote-tracking branch 'upstream/master' into hardened-stdenv

12 files changed, 65 insertions, 61 deletions

diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index eaf427d61a36..5e7010def541 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -18,11 +18,11 @@ assert scpSupport -> libssh2 != null;
 assert c-aresSupport -> c-ares != null;
 
 stdenv.mkDerivation rec {
-  name = "curl-7.50.0";
+  name = "curl-7.50.1";
 
   src = fetchurl {
     url = "http://curl.haxx.se/download/${name}.tar.bz2";
-    sha256 = "16psxjcl25i7v5x71193nkq2anm5mj8pfziq5iwxnj3znwnzx3b0";
+    sha256 = "0mjidq4q0hikhis2d35kzkhx6xfcgl875mk5ph5d98fa9kswa4iw";
   };
 
   outputs = [ "dev" "out" "bin" "man" "docdev" ];
diff --git a/pkgs/tools/networking/dibbler/default.nix b/pkgs/tools/networking/dibbler/default.nix
new file mode 100644
index 000000000000..82ef3b218d08
--- /dev/null
+++ b/pkgs/tools/networking/dibbler/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  name = "dibbler-${version}";
+  version = "1.0.1";
+
+  src = fetchurl {
+    url = "http://www.klub.com.pl/dhcpv6/dibbler/${name}.tar.gz";
+    sha256 = "18bnwkvax02scjdg5z8gvrkvy1lhssfnlpsaqb5kkh30w1vri1i7";
+  };
+
+  configureFlags = [
+    "--enable-resolvconf"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "Portable DHCPv6 implementation";
+    homepage = http://www.klub.com.pl/dhcpv6/;
+    license = licenses.gpl2;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/pkgs/tools/networking/email/default.nix b/pkgs/tools/networking/email/default.nix
index 23501c29e23f..017da63a1e92 100644
--- a/pkgs/tools/networking/email/default.nix
+++ b/pkgs/tools/networking/email/default.nix
@@ -2,11 +2,10 @@
 
 let
   eMailSrc = fetchFromGitHub {
-    #awaiting acceptance of https://github.com/deanproxy/eMail/pull/29
-    owner = "jerith666";
+    owner = "deanproxy";
     repo = "eMail";
-    rev = "d9fd259f952b573d320916ee34e807dd3dd24b1f";
-    sha256 = "0q4ly4bhlv6lrlj5kmjs491aah1afmkjyw63i9yqnz4d2k6npvl9";
+    rev = "7d23c8f508a52bd8809e2af4290417829b6bb5ae";
+    sha256 = "1cxxzhm36civ6vjdgrk7mfmlzkih44kdii6l2xgy4r434s8rzcpn";
   };
 
   srcRoot = "eMail-${eMailSrc.rev}-src";
diff --git a/pkgs/tools/networking/gandi-cli/default.nix b/pkgs/tools/networking/gandi-cli/default.nix
index 2f95123ba212..c2bf6702c5f6 100644
--- a/pkgs/tools/networking/gandi-cli/default.nix
+++ b/pkgs/tools/networking/gandi-cli/default.nix
@@ -5,10 +5,10 @@ with pythonPackages;
 buildPythonPackage rec {
   namePrefix = "";
   name = "gandi-cli-${version}";
-  version = "0.18";
+  version = "0.19";
 
   src = fetchFromGitHub {
-    sha256 = "045gnz345nfbi1g7j3gcyzrxrx3hcidaxzr05cb49rcr8nmqh1s3";
+    sha256 = "0xbf97p75zl6sjxqcgmaa4p5rax2h6ixn8srwdr4rsx2zz9dpwgp";
     rev = version;
     repo = "gandi.cli";
     owner = "Gandi";
diff --git a/pkgs/tools/networking/getmail/default.nix b/pkgs/tools/networking/getmail/default.nix
index 3eb0e9d2a90a..6f280257692c 100644
--- a/pkgs/tools/networking/getmail/default.nix
+++ b/pkgs/tools/networking/getmail/default.nix
@@ -1,13 +1,13 @@
 { stdenv, fetchurl, buildPythonApplication }:
 
 buildPythonApplication rec {
-  version = "4.49.0";
+  version = "4.50.0";
   name = "getmail-${version}";
   namePrefix = "";
 
   src = fetchurl {
     url = "http://pyropus.ca/software/getmail/old-versions/${name}.tar.gz";
-    sha256 = "1m0yzxd05fklwbmjj1n2q4sx397c1j5qi9a0r5fv3h8pplz4lv0w";
+    sha256 = "1hcb5079mkcx3gglfycrhglrgg4jsa499br50yjrh9sal6wpgg7w";
   };
 
   doCheck = false;
diff --git a/pkgs/tools/networking/libreswan/default.nix b/pkgs/tools/networking/libreswan/default.nix
index a2204f9664a1..213051bdf8db 100644
--- a/pkgs/tools/networking/libreswan/default.nix
+++ b/pkgs/tools/networking/libreswan/default.nix
@@ -6,7 +6,7 @@
 
 let
   optional = stdenv.lib.optional;
-  version = "3.17";
+  version = "3.18";
   name = "libreswan-${version}";
   binPath = stdenv.lib.makeBinPath [
     bash iproute iptables procps coreutils gnused gawk nss.tools which python
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://download.libreswan.org/${name}.tar.gz";
-    sha256 = "00qd1n6f5w4xr06yanfpnbnn7y7rq2m878ifa3hh13bdgzsqdhi8";
+    sha256 = "0zginnakxw7m79zrdvfdvliaiyg78zgqfqkks9z5d1rjj5w13xig";
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/networking/mosh/default.nix b/pkgs/tools/networking/mosh/default.nix
index 80feeafdbca4..9a7737e0195a 100644
--- a/pkgs/tools/networking/mosh/default.nix
+++ b/pkgs/tools/networking/mosh/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, zlib, boost, protobuf, ncurses, pkgconfig, IOTty
+{ stdenv, fetchurl, zlib, protobuf, ncurses, pkgconfig, IOTty
 , makeWrapper, perl, openssl, autoreconfHook, fetchpatch }:
 
 stdenv.mkDerivation rec {
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1qsb0y882yfgwnpy6f98pi5xqm6kykdsrxzvaal37hs7szjhky0s";
   };
 
-  buildInputs = [ autoreconfHook boost protobuf ncurses zlib pkgconfig IOTty makeWrapper perl openssl ];
+  buildInputs = [ autoreconfHook protobuf ncurses zlib pkgconfig IOTty makeWrapper perl openssl ];
 
   patches = [
     # remove automake detection macro patch on next release as it is already on mosh master
diff --git a/pkgs/tools/networking/network-manager/l2tp.nix b/pkgs/tools/networking/network-manager/l2tp.nix
index af3b193798f6..5e09bb7229f8 100644
--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, automake, autoconf, libtool, intltool, pkgconfig
-, networkmanager, networkmanagerapplet, ppp, xl2tpd, strongswan, libsecret
-, withGnome ? true, gnome3 }:
+, networkmanager, ppp, xl2tpd, strongswan, libsecret
+, withGnome ? true, gnome3, networkmanagerapplet }:
 
 stdenv.mkDerivation rec {
   name    = "${pname}${if withGnome then "-gnome" else ""}-${version}";
@@ -14,8 +14,8 @@ stdenv.mkDerivation rec {
     sha256 = "01f39ghc37vw4n4i7whyikgqz8vzxf41q9fsv2gfw1g501cny1j2";
   };
 
-  buildInputs = [ networkmanager ppp networkmanagerapplet libsecret ]
-    ++ stdenv.lib.optionals withGnome [ gnome3.gtk gnome3.libgnome_keyring ];
+  buildInputs = [ networkmanager ppp libsecret ]
+    ++ stdenv.lib.optionals withGnome [ gnome3.gtk gnome3.libgnome_keyring networkmanagerapplet ];
 
   nativeBuildInputs = [ automake autoconf libtool intltool pkgconfig ];
 
diff --git a/pkgs/tools/networking/offlineimap/default.nix b/pkgs/tools/networking/offlineimap/default.nix
index 42f72ef7e368..6f74df38ad0b 100644
--- a/pkgs/tools/networking/offlineimap/default.nix
+++ b/pkgs/tools/networking/offlineimap/default.nix
@@ -1,7 +1,7 @@
 { stdenv, fetchFromGitHub, pythonPackages, sqlite3 }:
 
 pythonPackages.buildPythonApplication rec {
-  version = "7.0.2";
+  version = "7.0.4";
   name = "offlineimap-${version}";
   namePrefix = "";
 
@@ -9,7 +9,7 @@ pythonPackages.buildPythonApplication rec {
     owner = "OfflineIMAP";
     repo = "offlineimap";
     rev = "v${version}";
-    sha256 = "1xwblb1nvqq6gkxjynzsw31xja07qday58x5jqak8sp3d4lqw2h2";
+    sha256 = "1ixm4qp3gljbnbi40h8n6j7c0pzk1ry8hpm4bcf7n68gc07r557n";
   };
 
   doCheck = false;
diff --git a/pkgs/tools/networking/openssh/CVE-2015-8325.patch b/pkgs/tools/networking/openssh/CVE-2015-8325.patch
deleted file mode 100644
index c752726aeae7..000000000000
--- a/pkgs/tools/networking/openssh/CVE-2015-8325.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
-
-If PAM is configured to read user-specified environment variables
-and UseLogin=yes in sshd_config, then a hostile local user may
-attack /bin/login via LD_PRELOAD or similar environment variables
-set via PAM.
-
-CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
----
- session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/session.c b/session.c
-index 4859245..4653b09 100644
---- a/session.c
-+++ b/session.c
-@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
- 	 * Pull in any environment variables that may have
- 	 * been set by PAM.
- 	 */
--	if (options.use_pam) {
-+	if (options.use_pam && !options.use_login) {
- 		char **p;
- 
- 		p = fetch_pam_child_environment();
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index a0cb0795a261..8f4c0aa54dfa 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -27,11 +27,12 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
   # Please ensure that openssh_with_kerberos still builds when
   # bumping the version here!
-  name = "openssh-7.2p2";
+  name = "openssh-${version}";
+  version = "7.3p1";
 
   src = fetchurl {
     url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7";
+    sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
   };
 
   prePatch = optionalString hpnSupport
@@ -44,7 +45,6 @@ stdenv.mkDerivation rec {
     [
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
-      ./CVE-2015-8325.patch
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch
diff --git a/pkgs/tools/networking/tlsdate/default.nix b/pkgs/tools/networking/tlsdate/default.nix
index a7721b563b3f..66ead809d0bb 100644
--- a/pkgs/tools/networking/tlsdate/default.nix
+++ b/pkgs/tools/networking/tlsdate/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit
+{ stdenv, fetchFromGitHub, fetchpatch
 , autoconf
 , automake
 , libevent
@@ -7,15 +7,25 @@
 , openssl
 }:
 
-stdenv.mkDerivation {
-  name = "tlsdate-0.0.12";
+stdenv.mkDerivation rec {
+  version = "0.0.13";
+  name = "tlsdate-${version}";
 
-  src = fetchgit {
-    url = https://github.com/ioerror/tlsdate;
-    rev = "fd04f48ed60eb773c8e34d27ef2ee12ee7559a41";
-    sha256 = "0naxlsanpgixj509z4mbzl41r2nn5wi6q2lp10a7xgcmcb4cgnbf";
+  src = fetchFromGitHub {
+    owner = "ioerror";
+    repo = "tlsdate";
+    rev = name;
+    sha256 = "0w3v63qmbhpqlxjsvf4k3zp90k6mdzi8cdpgshan9iphy1f44xgl";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "tlsdate-no_sslv3.patch";
+      url = "https://github.com/ioerror/tlsdate/commit/f9d3cba7536d1679e98172ccbddad32bc9ae490c.patch";
+      sha256 = "0prv46vxvb4paxaswmc6ix0kd5sp0552i5msdldnhg9fysbac8s0";
+    })
+  ];
+
   buildInputs = [
     autoconf
     automake
@@ -32,10 +42,10 @@ stdenv.mkDerivation {
 
   doCheck = true;
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "Secure parasitic rdate replacement";
     homepage = https://github.com/ioerror/tlsdate;
-    maintainers = [ stdenv.lib.maintainers.tv ];
-    platforms = stdenv.lib.platforms.allBut [ "darwin" ];
+    maintainers = with maintainers; [ tv fpletz ];
+    platforms = platforms.allBut [ "darwin" ];
   };
 }