h2o: apply patch for CVE-2025-8671

Given upstream does not make things easy to determine if there are some breaking changes or not, only the security fix is backported instead of the whole upgrade (#433400).
2026-01-11 18:32:23 +08:00 · 2025-08-23 10:31:48 +02:00
parent b1b3291469
commit b1fe6da0be
1 changed files with 11 additions and 0 deletions
--- a/pkgs/by-name/h2/h2o/package.nix
+++ b/pkgs/by-name/h2/h2o/package.nix
@@ -2,6 +2,7 @@
  lib,
  stdenv,
  fetchFromGitHub,
+  fetchpatch,
  pkg-config,
  cmake,
  makeWrapper,
@@ -32,6 +33,16 @@ stdenv.mkDerivation (finalAttrs: {
    sha256 = "sha256-sfOkyEhlLGmXjYqRoI/8pD6/NBY7q6K9y2vS7qwJmrw=";
  };

+  patches = [
+    (fetchpatch {
+      # https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
+      # https://kb.cert.org/vuls/id/767506
+      name = "CVE-2025-8671.patch";
+      url = "https://github.com/h2o/h2o/commit/579ecfaca155d1f9f12bfd0cff6086dcda4b9692.patch";
+      hash = "sha256-bNnhx5RGBw6SmKmhlACHKPsnVUPzQUqHsunPdiayzv0=";
+    })
+  ];
+
  outputs = [
    "out"
    "man"