authorVincent Ambo <mail@tazj.in>2022-02-03T22·53+0300
committertazjin <tazjin@tvl.su>2022-02-03T23·08+0000
commit8099c11a121f47bd3a54fab7b6c53fa162c830bc (patch)
tree6fbf287d819a2722b25afd7cd3fd92f2172c6511 /third_party
parent7fcede0c5bd50f6790a99081c006134848ae0f75 (diff)
fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4 r/3757
Comments contain all the relevant info.

Change-Id: I6d4a715889b562dc79148314092f698ceefcac88
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party')
-rw-r--r--third_party/overlays/strongswan-workaround.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/third_party/overlays/strongswan-workaround.nix b/third_party/overlays/strongswan-workaround.nix
new file mode 100644
index 0000000000..a5c3c26ec9
--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+  # Downgrade strongswan to 5.9.4
+  #
+  # See https://github.com/NixOS/nixpkgs/pull/156567
+  strongswan = super.strongswan.overrideAttrs (_: rec {
+    version = "5.9.4";
+
+    src = self.fetchFromGitHub {
+      owner = "strongswan";
+      repo = "strongswan";
+      rev = version;
+      sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+    };
+  });
+}
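Review bot: The header comment explains why 5.9.5 fails to connect but not what the downgrade costs. Pinning `version = "5.9.4"` means every consumer of this overlay runs a strongswan that, going by the comment, predates the CVE-2021-45079 change shipped in 5.9.5. The restriction "Only intended for use by //users/tazjin/nixos/..." exists only as a comment, and nothing in the overlay enforces it. I would state the exposure and a removal condition in the header, e.g. `# NOTE: 5.9.4 lacks the CVE-2021-45079 fix from 5.9.5; drop this overlay once the affected servers are patched.` Separately, `overrideAttrs` here replaces only `version` and `src`, so any patches or build flags the upstream derivation carries for 5.9.5 are presumably still applied to the 5.9.4 tree; that is worth confirming against the nixpkgs expression.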