The envoy build often takes 7-8 hours and is among the last builds
finishing an evaluation. That is because we're scheduling it with -j2 on
a normal machine, when it has over 7000 objects to build that
parallelize very well.
I’ve had an extended absence from Nix work and no longer actively
use a bunch of packages I used to maintain, so remove myself as a
maintainer from things I can’t usefully review/test changes for
as I ease back into things. This does unfortunately leave a few
packages orphaned (`stm32loader`, `tinyprog`, `python3Packages.fx2`,
and `python3Packages.jsonmerge`).
Contains security fixes for:
- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](GHSA-vcf8-7238-v74c)
Fixes CVE-2024-32760, CVE-2024-31079, CVE-2024-35200 and CVE-2024-34161.
Changes:
```
Changes with nginx 1.27.0                                        29 May 2024

*) Security: when using HTTP/3, processing of a specially crafted QUIC
   session might cause a worker process crash, worker process memory
   disclosure on systems with MTU larger than 4096 bytes, or might have
   potential other impact (CVE-2024-32760, CVE-2024-31079,
   CVE-2024-35200, CVE-2024-34161).
   Thanks to Nils Bars of CISPA.
*) Feature: variables support in the "proxy_limit_rate",
   "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
   directives.
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
   "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
   option was used.
   Thanks to Edgar Bonet.
*) Bugfixes in HTTP/3.

Changes with nginx 1.25.5                                        16 Apr 2024

*) Feature: virtual servers in the stream module.
*) Feature: the ngx_stream_pass_module.
*) Feature: the "deferred", "accept_filter", and "setfib" parameters of
   the "listen" directive in the stream module.
*) Feature: cache line size detection for some architectures.
   Thanks to Piotr Sikora.
*) Feature: support for Homebrew on Apple Silicon.
   Thanks to Piotr Sikora.
*) Bugfix: Windows cross-compilation bugfixes and improvements.
   Thanks to Piotr Sikora.
*) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
   Thanks to Vladimir Khomutov.
```
Fixes CVE-2024-32760, CVE-2024-31079, CVE-2024-35200 and CVE-2024-34161.
Note that the `nginxQuic` derivation relies on `nginxMainline`.
Changes:
```
Changes with nginx 1.26.1                                        29 May 2024

*) Security: when using HTTP/3, processing of a specially crafted QUIC
   session might cause a worker process crash, worker process memory
   disclosure on systems with MTU larger than 4096 bytes, or might have
   potential other impact (CVE-2024-32760, CVE-2024-31079,
   CVE-2024-35200, CVE-2024-34161).
   Thanks to Nils Bars of CISPA.
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
   "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
   option was used.
   Thanks to Edgar Bonet.
*) Bugfix: in HTTP/3.
```
Reduces nginx package size from 109.88 MiB to 41.99 MiB. Reduction of -67.88 MiB.
GD (libgd.github.io) is a library for the dynamic creation of images.
Co-authored-by: @ulrikstrid