stockholm/krebs/2configs/security-workarounds.nix

{ config, lib, pkgs, ... }:
{
  # OpenSSL pre-3.0.7 vulnerabilities
  nixpkgs.overlays = [
    (self: super: {
      exim =
        super.exim.overrideAttrs (old: let
          key = if builtins.hasAttr "preBuild" old then
            "preBuild"
          else
            "configurePhase";
        in {
          buildInputs = old.buildInputs ++ [ self.gnutls ];
          ${key} = /* sh */ ''
            ${old.${key}}
            sed -Ei '
              s:^USE_OPENSSL=.*:# &:
              s:^# (USE_GNUTLS)=.*:\1=yes:
              s:^# (USE_GNUTLS_PC=.*):\1:
            ' Local/Makefile
          '';
        });
    })
  ];
  # OpenSSL pre-3.0.7 vulnerabilities
  services.nginx.package = lib.mkDefault (pkgs.nginxStable.override { openssl = pkgs.libressl; });
}
l: workaround for CVE-2021-4034 2022-01-26 11:17:04 +00:00			`{ config, lib, pkgs, ... }:`
l 2: add security-workarounds 2017-02-25 23:02:06 +00:00			`{`
security-workarounds: add comments to openSSL 3 fixes 2022-11-01 10:16:19 +00:00			`# OpenSSL pre-3.0.7 vulnerabilities`
security-workarounds: let exim run with gnutls 2022-11-01 10:09:48 +00:00			`nixpkgs.overlays = [`
			`(self: super: {`
			`exim =`
security-workarounds exim: make nixos-unstable compatible 2022-11-01 13:20:37 +00:00			`super.exim.overrideAttrs (old: let`
			`key = if builtins.hasAttr "preBuild" old then`
			`"preBuild"`
			`else`
			`"configurePhase";`
			`in {`
security-workarounds: let exim run with gnutls 2022-11-01 10:09:48 +00:00			`buildInputs = old.buildInputs ++ [ self.gnutls ];`
security-workarounds exim: make nixos-unstable compatible 2022-11-01 13:20:37 +00:00			`${key} = /* sh */ ''`
			`${old.${key}}`
security-workarounds: let exim run with gnutls 2022-11-01 10:09:48 +00:00			`sed -Ei '`
			`s:^USE_OPENSSL=.*:# &:`
			`s:^# (USE_GNUTLS)=.*:\1=yes:`
			`s:^# (USE_GNUTLS_PC=.*):\1:`
			`' Local/Makefile`
			`'';`
			`});`
			`})`
			`];`
security-workarounds: add comments to openSSL 3 fixes 2022-11-01 10:16:19 +00:00			`# OpenSSL pre-3.0.7 vulnerabilities`
security-workarounds: let nginx run with libressl 2022-11-01 10:03:24 +00:00			`services.nginx.package = lib.mkDefault (pkgs.nginxStable.override { openssl = pkgs.libressl; });`
l 2: add security-workarounds 2017-02-25 23:02:06 +00:00			`}`