From af6946fc8efc74216bd4e9d31485f117fa60ade0 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Tue, 30 Dec 2025 18:44:50 +0100
Subject: [PATCH 1/2] discourse: 3.5.2 -> 3.5.3

https://meta.discourse.org/t/release-v3-5-3-security-and-maintenance-release/392357

Fixes: CVE-2025-64528
---
 pkgs/servers/web-apps/discourse/default.nix          | 4 ++--
 pkgs/servers/web-apps/discourse/rubyEnv/Gemfile      | 1 -
 pkgs/servers/web-apps/discourse/rubyEnv/Gemfile.lock | 5 ++---
 pkgs/servers/web-apps/discourse/rubyEnv/gemset.nix   | 4 ++--
 4 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/pkgs/servers/web-apps/discourse/default.nix b/pkgs/servers/web-apps/discourse/default.nix
index d01fea8b7dde..bba4c914a951 100644
--- a/pkgs/servers/web-apps/discourse/default.nix
+++ b/pkgs/servers/web-apps/discourse/default.nix
@@ -53,13 +53,13 @@
 }:
 
 let
-  version = "3.5.2";
+  version = "3.5.3";
 
   src = fetchFromGitHub {
     owner = "discourse";
     repo = "discourse";
     rev = "v${version}";
-    sha256 = "sha256-8Uzb0cjC3PUrh6Nlu6OJ09GKD+8KZq/IUba2NXLm1JI=";
+    sha256 = "sha256-2lx6vFxio2CkMWa0vmzUGTljz1WC9OzpNgSxKjYPn8g=";
   };
 
   ruby = ruby_3_3;
diff --git a/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile b/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile
index db988be77b72..1f4e17fe1622 100644
--- a/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile
+++ b/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile
@@ -15,7 +15,6 @@ gem "activemodel", "~> 8.0.0"
 gem "activerecord", "~> 8.0.0"
 gem "activesupport", "~> 8.0.0"
 gem "railties", "~> 8.0.0"
-gem "openssl", "~> 3.3.1"
 
 gem "propshaft"
 gem "json"
diff --git a/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile.lock b/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile.lock
index a4f1addb9a51..ff122cf2b84d 100644
--- a/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile.lock
+++ b/pkgs/servers/web-apps/discourse/rubyEnv/Gemfile.lock
@@ -383,7 +383,7 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
-    openssl (3.3.2)
+    openssl (3.3.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     optimist (3.2.1)
@@ -826,7 +826,6 @@ DEPENDENCIES
   omniauth-google-oauth2
   omniauth-oauth2
   omniauth-twitter
-  openssl (~> 3.3.1)
   parallel
   parallel_tests
   pdf-reader
@@ -1079,7 +1078,7 @@ CHECKSUMS
   omniauth-oauth (1.2.1) sha256=25bf22c90234280fa825200490f03ff1ce7d76f1a4fbd6c882c6c5b169c58da8
   omniauth-oauth2 (1.7.3) sha256=3f5a8f99fa72e0f91d2abd7475ceb972a4ae67ed59e049f314c0c1bad81f4745
   omniauth-twitter (1.4.0) sha256=c5cc6c77cd767745ffa9ebbd5fbd694a3fa99d1d2d82a4d7def0bf3b6131b264
-  openssl (3.3.2) sha256=7f4e01215dc9c4be1fca71d692406be3e6340b39c1f71a47fea9c497decd0f6c
+  openssl (3.3.0) sha256=ff3a573fc97ab30f69483fddc80029f91669bf36532859bd182d1836f45aee79
   openssl-signature_algorithm (1.3.0) sha256=a3b40b5e8276162d4a6e50c7c97cdaf1446f9b2c3946a6fa2c14628e0c957e80
   optimist (3.2.1) sha256=8cf8a0fd69f3aa24ab48885d3a666717c27bc3d9edd6e976e18b9d771e72e34e
   ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
diff --git a/pkgs/servers/web-apps/discourse/rubyEnv/gemset.nix b/pkgs/servers/web-apps/discourse/rubyEnv/gemset.nix
index 5a8dea76201b..248c7b7f5dcc 100644
--- a/pkgs/servers/web-apps/discourse/rubyEnv/gemset.nix
+++ b/pkgs/servers/web-apps/discourse/rubyEnv/gemset.nix
@@ -2125,10 +2125,10 @@
     platforms = [ ];
     source = {
       remotes = [ "https://rubygems.org" ];
-      sha256 = "0v0grpg9gi59zr3imxy1745k9rp3dd095mkir8gvxi69blhh2kkz";
+      sha256 = "0ygfbbs3c61d32ymja2k6sznj5pr540cip9z91lhzcvsr4zmffpz";
       type = "gem";
     };
-    version = "3.3.2";
+    version = "3.3.0";
   };
   openssl-signature_algorithm = {
     dependencies = [ "openssl" ];

From bd5293fd0a1a8363daeea185497c649342308f38 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Tue, 30 Dec 2025 19:16:20 +0100
Subject: [PATCH 2/2] nixos/tets/discourse: update dovecot unit name

The alias for dovecot2 has been removed.
---
 nixos/tests/discourse.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/tests/discourse.nix b/nixos/tests/discourse.nix
index fdf427291497..20c1e09f10c2 100644
--- a/nixos/tests/discourse.nix
+++ b/nixos/tests/discourse.nix
@@ -188,7 +188,7 @@ in
       )
 
       client.wait_for_unit("postfix.service")
-      client.wait_for_unit("dovecot2.service")
+      client.wait_for_unit("dovecot.service")
 
       discourse.succeed(
           "sudo -u discourse discourse-rake api_key:create_master[master] >api_key",