[25.05] backport security updates for openssl, libpng, nodejs #1117

Merged: leona-ya merged 19 commits into nixos-25.05 from PL-135137-security-updates on Jan 30, 2026

@osnyx osnyx commented Jan 28, 2026

pull in security updates for the following packages:

   "libpng": {
-    "name": "libpng-1.6.46",
+    "name": "libpng-1.6.54",
-    "version": "1.6.46"
-    "version": "1.6.54"
   },
   "nodejs": {
-    "name": "nodejs-22.20.0",
+    "name": "nodejs-22.21.1",
     "pname": "nodejs",
-    "version": "22.20.0"
+    "version": "22.21.1"
   },
   "nodejs_20": {
-    "name": "nodejs-20.19.6",
+    "name": "nodejs-20.20.0",
     "pname": "nodejs",
-    "version": "20.19.6"
+    "version": "20.20.0"
   },
   "nodejs_22": {
-    "name": "nodejs-22.20.0",
+    "name": "nodejs-22.21.1",
     "pname": "nodejs",
-    "version": "22.20.0"
+    "version": "22.21.1"
   },
   "nspr": {
     "name": "nspr-4.38",
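Review bot: in the libpng entry, the line `-    "version": "1.6.54"` carries a `-` marker although 1.6.54 is the new version named in the `+    "name": "libpng-1.6.54"` line, so the entry reads as if both version values were removed. That line should be `+    "version": "1.6.54"`. The libpng entry also shows no `"pname"` context line, unlike the nodejs entries, and this first region has no `@@` header, so it is worth checking that the excerpt was pasted completely.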
@@ -635,9 +635,9 @@
     "version": "10.0p2"
   },
   "openssl": {
-    "name": "openssl-3.4.3",
+    "name": "openssl-3.4.4",
     "pname": "openssl",
-    "version": "3.4.3"
+    "version": "3.4.4"
   },
   "openssl_1_1": {
     "name": "openssl-1.1.1w",
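Review bot: `openssl_1_1` stays at `openssl-1.1.1w` in the context lines while `openssl` moves from 3.4.3 to 3.4.4 for the same security update. The description should state whether the 1.1.1 branch is affected by the issues being backported and, if it is, how that attribute is handled, so readers do not assume every openssl attribute in this file is covered by the bump.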
@@ -645,9 +645,9 @@
     "version": "1.1.1w"
   },
   "openssl_3": {
-    "name": "openssl-3.0.18",
+    "name": "openssl-3.0.19",
     "pname": "openssl",
-    "version": "3.0.18"
+    "version": "3.0.19"
   },

@github-actions github-actions bot left a comment

The nixos-* and nixpkgs-* branches are pushed to by the channel release script and should not be merged into directly.

Please target release-25.05 instead.

@osnyx osnyx force-pushed the PL-135137-security-updates branch from 3f5ac37 to 52dcc18 Compare January 28, 2026 15:54
vcunat and others added 7 commits January 29, 2026 11:24
The second item (severity: High) has possible unauthenticated RCE:
https://www.openwall.com/lists/oss-security/2026/01/27/5
https://github.com/openssl/openssl/blob/openssl-3.0.19/CHANGES.md#openssl-30

The patches differ in whitespace only, as that's what upstream changed.

(cherry picked from commit 3fccac4)
And refresh the APNG patches, too.
https://github.com/pnggroup/libpng/blob/02f2b4f4699f0ef9111a6534f093b53732df4452/ANNOUNCE
Medium severity fixes: CVE-2026-22695 + CVE-2026-22801

(cherry picked from commit 6eb2c09,
skipping several intermediate ones)

Co-authored-by: Oliver Schmidt <os@flyingcircus.io>
(cherry picked from commit 1d83921)
(cherry picked from commit 4cc0c83)
(cherry picked from commit 50a648d)
(cherry picked from commit a297b0e)
@osnyx osnyx force-pushed the PL-135137-security-updates branch from 52dcc18 to 4636600 Compare January 29, 2026 10:26
osnyx and others added 12 commits January 29, 2026 12:40
quictls, being stuck at a state of openssl-3.3.0, was relying on patches
that were re-formatted for newer openssl releases.

quictls remains vulnerable and should be avoided, added a warning on
that.
quictls is abandoned with known vulnerabilities.

osnyx commented Jan 29, 2026

Also updates libspng and dotnet to fix builds.

@osnyx osnyx requested a review from ctheune January 29, 2026 21:30
@leona-ya leona-ya merged commit 2188d5f into nixos-25.05 Jan 30, 2026
9 of 12 checks passed
@leona-ya leona-ya deleted the PL-135137-security-updates branch January 30, 2026 09:46