about summary refs log tree commit diff
path: root/third_party/overlays
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2022-02-03T22·53+0300
committertazjin <tazjin@tvl.su>2022-02-03T23·08+0000
commit8099c11a121f47bd3a54fab7b6c53fa162c830bc (patch)
tree6fbf287d819a2722b25afd7cd3fd92f2172c6511 /third_party/overlays
parent7fcede0c5bd50f6790a99081c006134848ae0f75 (diff)
fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4 r/3757
Comments contain all the relevant info.

Change-Id: I6d4a715889b562dc79148314092f698ceefcac88
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/overlays')
-rw-r--r--third_party/overlays/strongswan-workaround.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/third_party/overlays/strongswan-workaround.nix b/third_party/overlays/strongswan-workaround.nix
new file mode 100644
index 000000000000..a5c3c26ec981
--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+  # Downgrade strongswan to 5.9.4
+  #
+  # See https://github.com/NixOS/nixpkgs/pull/156567
+  strongswan = super.strongswan.overrideAttrs (_: rec {
+    version = "5.9.4";
+
+    src = self.fetchFromGitHub {
+      owner = "strongswan";
+      repo = "strongswan";
+      rev = version;
+      sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+    };
+  });
+}