Commit Graph

56 Commits

Author SHA1 Message Date
Thomas Gerbet
5f23eb96cd ntp: 4.2.8p15 -> 4.2.8p17
Fixes CVE-2023-26555, CVE-2023-26551, CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554.

Release announcement:
https://www.ntp.org/support/securitynotice/4_2_8p17-release-announcement/
https://www.ntp.org/support/securitynotice/4_2_8p16-release-announcement/
2023-07-13 23:13:09 +02:00
github-actions[bot]
fc17fe6417
Merge master into staging-next 2022-04-02 18:01:07 +00:00
Alyssa Ross
fd78240ac8
treewide: use lib.getLib for OpenSSL libraries
At some point, I'd like to make another attempt at
71f1f4884b ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07d.  One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries.  This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.

This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching.  The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.

I started by making the following global replacements:

    ${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
    ${openssl.out}/lib -> ${lib.getLib openssl}/lib

Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.

Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.

Then I manually investigated and fixed the following packages:

 - pycurl
 - citrix-workspace
 - ppp
 - wraith
 - unbound
 - gambit
 - acl2

I'm reasonably confindent in my fixes for all of them.

For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all.  Removing it doesn't make a difference to the output size, the
file list, or the closure.

I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
2022-03-30 15:10:00 +00:00
Maximilian Bosch
dbe99a0172
ntp: fix build w/glibc-2.34
Failing Hydra build: https://hydra.nixos.org/build/155170191

Patch derived from linuxfromscratch/openembedded.org[1][2].

[1] https://www.linuxfromscratch.org/blfs/view/svn/basicnet/ntp.html
[2] https://patchwork.openembedded.org/patch/180019/
2022-02-27 10:26:49 +01:00
Artturin
fd86d63e2f ntp: remove seccomp support
it causes issues and most distros dont enable it
see https://github.com/NixOS/nixpkgs/issues/140996
2021-11-01 00:44:20 +02:00
Felix Buehler
f95d9678a9 tools/networking: replace name with pname&version 2021-08-01 22:48:53 +02:00
Marc Seeger
f7cb740de8
ntp: set platforms to unix (#119644)
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-17 00:43:03 +02:00
Ben Siraphob
8c5d37129f pkgs/tools: stdenv.lib -> lib 2021-01-15 17:12:36 +07:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurances of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
R. RyanTM
95274b0b57 ntp: 4.2.8p14 -> 4.2.8p15 2020-07-05 20:27:41 +00:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
R. RyanTM
281dd8bd44 ntp: 4.2.8p13 -> 4.2.8p14 2020-03-14 16:26:40 +00:00
Austin Seipp
f0ad5ebdfb nixos/{chrony,ntpd,openntpd}: add myself as maintainer
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2019-09-12 11:45:51 -05:00
Will Dietz
d7c23cc65f ntp: 4.2.8p12 -> 4.2.8p13 (#57059)
From http://www.ntp.org/index.html:
> ntp-4.2.8p13 was released on 07 March 2019.
> It addresses 1 medium-severity security issue in ntpd, and provides 17
> other non-security fixes and 1 improvements over 4.2.8p12.
2019-03-08 23:06:29 +01:00
David Costa
6759b7900e ntp: fix ntpd shutdown by using upstream patch
After a series of amendments the seccomp.patch made ntpd work properly
but only on 32-bit systems.
This commit replaces that patch with the one submitted upstream by
cleverca22 and that fixes the issue also on 64-bit systems.

Close #38627, #45885
2018-10-31 23:01:40 +00:00
volth
a4f4886ba3
ntp: fix cross-build 2018-10-12 12:48:59 +00:00
R. RyanTM
2524ad67da ntp: 4.2.8p11 -> 4.2.8p12 (#45180)
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/ntp/versions.
2018-08-21 14:49:38 +02:00
Markus Kowalewski
6aba5e26b3
ntp: add license 2018-08-17 23:52:16 +02:00
Richard Marko
91575dd285 pps-tools: init at 1.0.2, enable for chrony, gpsd, ntp (#42889) 2018-07-04 11:28:07 +00:00
Silvan Mosberger
57bccb3cb8 treewide: http -> https sources (#42676)
* treewide: http -> https sources

This updates the source urls of all top-level packages from http to
https where possible.

* buildtorrent: fix url and tab -> spaces
2018-06-28 20:43:35 +02:00
Michael Bishop
f115afa5d5 ntp: fix a missed syscall in seccomp
ntpd uses openat to adjust the drift file, which it only does after a few hours of uptime
2018-06-11 07:40:26 -03:00
R. RyanTM
81a0a3b39c ntp: 4.2.8p10 -> 4.2.8p11 (#40661)
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.

This update was made based on information from https://repology.org/metapackage/ntp/versions.

These checks were done:

- built on NixOS
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/calc_tickadj passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-wait passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptrace passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/update-leap had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/sntp passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpd passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdate had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdc passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpq passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-keygen passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptime had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/tickadj had a zero exit code or showed the expected version
- 8 of 12 passed binary check by having a zero exit code.
- 0 of 12 passed binary check by having the new version present in output.
- found 4.2.8p11 with grep in /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11
- directory tree listing: https://gist.github.com/643849ae077bac0514537c8aa923dd6d
- du listing: https://gist.github.com/1b2abf7cee80b022945ff72be1eb7070
2018-05-18 01:08:47 +02:00
Joachim F
bb771e0405 Merge pull request #24573 from ambrop72/ntpd-fix
ntpd: Add patch to allow getpid syscall in seccomp filter.
2017-04-06 11:06:13 +01:00
Jörg Thalheim
500818b997
ntp: 4.2.8p9 -> 4.2.8p10; fix 10 medium/4 low CVEs
http://nwtime.org/network-time-foundation-publishes-ntp-4-2-8-p10/
2017-04-02 23:06:43 +02:00
Ambroz Bizjak
35e0eea053 ntpd: Allow additional syscalls in seccomp filter.
Fixes issue #21136.

The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example the
program hanged in getpid just after the filter was installed:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid()                                = ?

I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.

The fcntl and setsockopt system calls also had to be added.
2017-04-02 21:44:06 +02:00
Tuomas Tynkkynen
2d679dbe74 ntp: Don't use seccomp on non-x86
It only has the allowed system call numbers defined for i386 and x86_64
so it fails to build otherwise.
2016-11-26 20:38:17 +02:00
Franz Pletz
009e37d277
ntp: fix ntp-wait script, depends on perl 2016-11-21 23:25:21 +01:00
Franz Pletz
67fd21a170
ntp: use seccomp on linux 2016-11-21 23:11:05 +01:00
Franz Pletz
db66a95e5b
ntp: 4.2.8p8 -> 4.2.8p9
Includes fixes for 10 CVEs and contains other fixes.

See http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se.
2016-11-21 22:49:02 +01:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Franz Pletz
bdf4c0d21f ntp: 4.2.8p6 -> 4.2.8p8 (security)
Fixes CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956.
2016-07-10 10:48:11 +02:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Robin Gloster
3b4765c9e5 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-28 16:32:57 +00:00
Franz Pletz
c691b6a858 ntp: 4.2.8p4 -> 4.2.8p6 (multiple CVEs)
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
2016-02-27 16:34:02 +01:00
Robin Gloster
631c09bbe5 checksec: clean up 2016-02-26 17:26:03 +00:00
Tobias Geerinckx-Rice
32d40f0f98 Remove no longer (or never) referenced patches
55 files changed, 6041 deletions. Tested with `nix-build -A tarball`.
2016-01-24 02:02:21 +01:00
koral
f510253de3 ntp: 4.2.8p3 -> 4.2.8p4 2015-11-08 13:44:11 +00:00
Mathnerd314
43b388fbd6 ntp: 4.2.8p2 -> 4.2.8p3 2015-09-05 18:35:45 -06:00
William A. Kennington III
bcbda5d95b ntp: Refactor and add signing support 2015-04-25 21:27:53 -07:00
William A. Kennington III
458c8381e0 ntp: 4.2.8 -> 4.2.8p2 2015-04-08 14:07:26 -07:00
Eelco Dolstra
782440310d ntp: Don't depend on openssl, don't install docs 2014-12-28 19:38:45 +01:00
Vladimír Čunát
0fbc5ddadb ntp: security update, and use libcrypto
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

The package would no longer build without libcrypto,
and it wouldn't find it without pkgconfig.
I checked that Debian and Arch do use openssl as a dependency,
so it's probably not so bad a thing to have.

CC maintainer @edolstra.
2014-12-25 12:30:53 +01:00
Eelco Dolstra
d451d12128 ntp: Update to 4.2.6p5 2014-02-03 23:44:11 +01:00
Lluís Batlle i Rossell
74ef91cfae Updating ntp
svn path=/nixpkgs/trunk/; revision=30290
2011-11-07 15:07:19 +00:00
Eelco Dolstra
4e94575014 * NTP updated to 4.2.6p2.
svn path=/nixpkgs/trunk/; revision=24118
2010-10-06 16:02:44 +00:00
Lluís Batlle i Rossell
5cbd244265 Updating ntp.
svn path=/nixpkgs/trunk/; revision=18916
2009-12-12 19:48:12 +00:00
Eelco Dolstra
6556756115 * ntp 4.2.4p7.
svn path=/nixpkgs/trunk/; revision=15828
2009-06-02 19:35:26 +00:00
Eelco Dolstra
5a594ea219 * Updated ntp.
svn path=/nixpkgs/trunk/; revision=14798
2009-03-31 09:26:20 +00:00
Eelco Dolstra
0548c19dbe * NTP 4.2.4p5 (and the old url was broken).
svn path=/nixpkgs/trunk/; revision=12883
2008-09-18 21:15:14 +00:00
Eelco Dolstra
e55c2246ff * ntp 4.2.4p4.
svn path=/nixpkgs/trunk/; revision=10217
2008-01-18 13:20:04 +00:00