[Backport release-24.05] traefik: 3.0.4 -> 3.1.2, fix CVE-2024-45410 (#…

…344222) I've verified that the test example provided does work on x86_64-linux as expected, and that the other NixOS traefik tests doesn't fail from this. This looks good to me, and a severity 9.3 should probably be expedited. Comparing v3.1.2 to v3.1.3 also confirms that removals made in patch make perfect sense traefik/traefik@v3.1.2...v3.1.3 The bump from v3.0 to v3.1 does require minor migrations with limited scope https://doc.traefik.io/traefik/v3.1/migration/v3/#v30-to-v31, but aside from this being fine to backport since its a security release, major version bumps have in the past also been made without reservation #307794. I think this is solid.
NixOS · Sep 28, 2024 · ebbc94a · ebbc94a
2 parents a9a9e08 + 3002cd2
commit ebbc94a
Show file tree

Hide file tree

Showing 2 changed files with 789 additions and 3 deletions.
diff --git a/pkgs/servers/traefik/default.nix b/pkgs/servers/traefik/default.nix
@@ -2,16 +2,21 @@
 
 buildGoModule rec {
   pname = "traefik";
-  version = "3.0.4";
+  version = "3.1.2";
 
   # Archive with static assets for webui
   src = fetchzip {
     url = "https://github.com/traefik/traefik/releases/download/v${version}/traefik-v${version}.src.tar.gz";
-    hash = "sha256-9dxg9UL6wkoIs2ql+pLHzd2z+w83vzXYN6zRRLtIegQ=";
+    hash = "sha256-PHS4x9RDoc2zDPS1SaYYEeZVa4SyQpvqzPT/SDo1ygg=";
     stripRoot = false;
   };
 
-  vendorHash = "sha256-4zI4OL4UlaaefxRPQoUtjyn9M8yfuYOBOyYh6vTnMJg=";
+  patches = [
+    # Rebased onto v3.1.2 from https://github.com/traefik/traefik/pull/11077
+    ./fix-CVE-2024-45410.patch
+  ];
+
+  vendorHash = "sha256-xQPDlwu/mRdyvZW0qSCA9eko9pOQAMwh2vVJWzMnyfs=";
 
   subPackages = [ "cmd/traefik" ];