Commit message | Author | Age | Files | Lines
* package/imagemagick: security bump to version 7.0.10-62 (2020.02.x)
  Peter Seiderer | 26 hours | 2 files | -3/+3

  Fixes the following security issue:

  CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero. The highest threat from this vulnerability is to system availability.

  For more details, see the bugtracker:
  https://github.com/ImageMagick/ImageMagick/issues/3077

  - bump version to 7.0.10-62
  - update license file hash (copyright year update)

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  [Peter: mention security fix]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a11b6beab99c75dc955c436cd54c0e1f581762a8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/nodejs: security bump to version v12.21.0
  Peter Korsgaard | 27 hours | 2 files | -3/+3

  Fixes the following security issues:

  CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

  Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.

  CVE-2021-22884: DNS rebinding in --inspect

  Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

  For more details, see the advisory:
  https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7cb44a20116fb95a8ef8f6406ef24c2041daa8a7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python3: security bump to version 3.8.8
  Peter Korsgaard | 41 hours | 3 files | -195/+5

  Fixes the following security issue:

  - CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
    https://bugs.python.org/issue42967

  And fixes a number of issues. For details, see the changelog:
  https://docs.python.org/release/3.8.8/whatsnew/changelog.html

  Drop the now upstreamed security patch and update the license hash for a change of copyright year:

  -2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
  +2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/fakeroot: fix glibc detection on patch for new wrappers
  Ryan Barnett | 6 days | 1 file | -0/+63

  Commit f45925a951318e9e53bead80b363e004301adc6f added the patch:

  0003-libfakeroot.c-add-wrappers-for-new-glibc-2.33-symbol.patch

  which allowed fakeroot to be compiled with GLIBC 2.33 or above. However, this introduced a bug for building with a non-GLIBC based toolchain, as a GLIBC macro - __GLIBC_PREREQ - is used on the same line as the detection of GLIBC.

  Fix this by backporting the fix to this incorrect macro from upstream commit:
  https://salsa.debian.org/clint/fakeroot/-/commit/8090dffdad8fda86dccd47ce7a7db8840bdf7d7b

  CC: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: security bump to version 9.11.28
  Peter Korsgaard | 7 days | 5 files | -99/+5

  Fixes the following security issue:

  - CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was configured, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism to use for GSSAPI authentication). This flaw could be exploited to crash named. Theoretically, it also enabled remote code execution, but achieving the latter is very difficult in real-world conditions.

  For details, see the advisory:
  https://kb.isc.org/docs/cve-2020-8625

  In addition, 9.11.26-27 fixed a number of issues, see the release notes for details:
  https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html

  Drop now upstreamed patches, update the GPG key for the 2021-2022 variant and update the COPYRIGHT hash for a change of year:

  -Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
  +Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC")

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6376decbda3b1373dfaa5a67ff5cb37f0276a7dc)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: disable backtrace support
  Peter Seiderer | 7 days | 1 file | -1/+2

  Disable backtrace support, fixes linking failure for uclibc/musl based toolchains.

  Fixes:

  - http://autobuild.buildroot.net/results/7a1a140314bc8d134f9eeb95ef2e46e7fb0ce9fd/
    .../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'
  - http://autobuild.buildroot.net/results/f0db5fe7fc6860b7270c784989c451e2e7aa2afb/
    .../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'
  - http://autobuild.buildroot.net/results/cb963298885df37f1e5c4d3ab3989773c01c54fc/
    .../arm-buildroot-linux-musleabihf/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 700674b45c86d28570ecb50d657ac7f6dfd89784)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: fix compile/linking failure
  Peter Seiderer | 7 days | 3 files | -0/+94

  Fixes:

  - http://autobuild.buildroot.net/results/966a3de94aa97fa8e9895eede29c9cbfb4bd7301
    .../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: warning: libisccfg.so.163, needed by ../../lib/bind9/.libs/libbind9.so, not found (try using -rpath or -rpath-link)
    .../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: ../../lib/bind9/.libs/libbind9.so: undefined reference to `cfg_obj_line'

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  [Peter: replace by upstream patches]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit e4af234d3caa39e34fde68a39150c7fac0363a63)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: drop unrecognized option
  Fabrice Fontaine | 7 days | 1 file | -1/+1

  Drop --enable-newstats option which is not recognized:

  Unrecognized options: --disable-gtk-doc, --disable-gtk-doc-html, --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --disable-dependency-tracking, --disable-nls, --enable-newstats

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a2be92afc28fa006f17a7a01d93f75d3611b7212)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: bump version to 9.11.25
  Bernd Kuhls | 7 days | 2 files | -3/+3

  Release notes:
  https://ftp.isc.org/isc/bind9/9.11.25/RELEASE-NOTES-bind-9.11.25.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 39b582eba40ed2919aca66b10b66dcee77ee02ca)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: fix license hash
  Fabrice Fontaine | 7 days | 1 file | -1/+1

  Commit 9679d3f0218519ea7a01f3b5fefb7f6dd23b138e forgot to update the hash of COPYRIGHT, which was updated to replace http by https:
  https://gitlab.isc.org/isc-projects/bind9/-/commit/400171aee8db87c3973987980327051a58a20a80

  Fixes:
  - http://autobuild.buildroot.org/results/db614a6fa1e17af2fa5c1d4a0d51cdf770893ca9

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ac6dbae320231a02e1b9b69c8c9250e6854aaaa9)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: bump to version 9.11.24
  Petr Vorel | 7 days | 3 files | -11/+22

  Turn 0001-cross.patch into git patch.

  Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9679d3f0218519ea7a01f3b5fefb7f6dd23b138e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/irqbalance: fix irqbalance/irqbalance-ui socket communication
  Peter Seiderer | 7 days | 1 file | -0/+105

  Add patch to fix irqbalance/irqbalance-ui socket communication by fixing uint64_t printf format usage.

  Fixes:

  $ irqbalance-ui
  Invalid data sent. Unexpected token: (null)TYPE

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  [yann.morin.1998@free.fr:
    - do an actual backport as upstream applied the patch
  ]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit f204e5874082f01170c26f4e6cddca20ad517dbd)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)
  Peter Seiderer | 7 days | 1 file | -0/+2

  - add mkdir -p /run/irqbalance to sysv startup script needed to create socket /run/irqbalance/irqbalance<pid>.sock

  Fixes:

  - Bug 13541 [1]

    daemon.warn /usr/sbin/irqbalance: Daemon couldn't be bound to the file-based socket.

  [1] https://bugs.busybox.net/show_bug.cgi?id=13541

  Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  [yann.morin.1998@free.fr: only create in start case]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 4a95f38f306411ca750a676b81326dc7ec67bcaa)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/irqbalance: fix systemd startup script (add RuntimeDirectory)
  Peter Seiderer | 7 days | 1 file | -0/+1

  - add RuntimeDirectory=irqbalance to create /run/irqbalance needed to create socket /run/irqbalance/irqbalance<pid>.sock

  Fixes:

  - Bug 13541 [1]

    /usr/sbin/irqbalance[158]: Daemon couldn't be bound to the file-based socket.

  [1] https://bugs.busybox.net/show_bug.cgi?id=13541

  Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 60518c1d7680bff5efe879ee86f48e6092239c03)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: remove Scott Fan
  Scott Fan | 7 days | 1 file | -4/+0

  Signed-off-by: Scott Fan <fancp2007@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit d1054e851cb17a73cd2a94292a8acddbf530751a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* utils/scanpypi: use python3 explicitly
  Thomas Petazzoni | 7 days | 1 file | -1/+1

  scanpypi is python3 compatible. In addition, it executes the setup.py of Python modules to extract the relevant information. Since these are more and more commonly using python3 constructs, using "python" to run scanpypi causes problems on systems that have python2 installed as python, when trying to parse setup.py scripts with python3 constructs.

  Fixes part of #13516.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit ee8b6808169e1e61b4318b44fbc706ec888c605d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-django: security bump to version 3.0.13
  Peter Korsgaard | 7 days | 2 files | -4/+4

  Fixes the following security issue:

  - CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

    Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

  For more details, see the advisory:
  https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 82abd78a01fc832f758fc2b2d7326879500fb786)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* CHANGES: correct 2020.02.11 release date (2020.02.11)
  Peter Korsgaard | 2021-02-17 | 1 file | -1/+1

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Update for 2020.02.11
  Peter Korsgaard | 2021-02-17 | 3 files | -3/+24

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: security bump to version 1.1.1j
  Peter Korsgaard | 2021-02-17 | 2 files | -3/+3

  Fixes the following security issues:

  - CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()

    The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

    The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.

  - CVE-2021-23839: Incorrect SSLv2 rollback protection

    OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further, the server will erroneously reject a connection if a normal SSLv2 connection attempt is made.

    OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version.

  - CVE-2021-23840: Integer overflow in CipherUpdate

    Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

  For more details, see the advisory:
  https://www.openssl.org/news/secadv/20210216.txt

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 4745a484a6dd72e6aa7b56952535504b8252d6a6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/tzdata: use classic 'fat' format for uClibc/glibc compatibility
  Peter Korsgaard | 2021-02-17 | 1 file | -2/+2

  Fixes:
  https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385940

  FAIL: test_run (tests.core.test_timezone.TestGlibcNonDefaultLimitedTimezone)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/builds/buildroot.org/buildroot/support/testing/tests/core/test_timezone.py", line 66, in test_run
      self.assertEqual(tz[0].strip(), "EST")
  AssertionError: '' != 'EST'

  Commit 7868289fd5348 (package/zic: bump version to 2020f) bumped the zic version to 2020f, which changed the default output format from the classic "fat" format to the new "slim" format:
  https://github.com/eggert/tz/commit/6ba6f2117b95eab345a7ed9159cef939e30c4cd3

  The slim format is unfortunately not supported by glibc < 2.28 or uClibc, so explicitly request the classic "fat" format.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 1efb7b9618f4aee4e1614b7aa942c16a1052f768)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/orc: fix powerpc build with headers < 4.11
  Fabrice Fontaine | 2021-02-17 | 1 file | -0/+70

  Autobuilder failures are raised with bootlin toolchains but it affects orc since version 0.4.30

  Fixes:
  - http://autobuild.buildroot.org/results/0821e96cba3e455edd47b87485501d892fc7ac6a

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 31c430cf5b82ab315eefdeeb105ba2ab11105917)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: drop Rahul Jain, user no longer exists
  Thomas Petazzoni | 2021-02-17 | 1 file | -4/+0

  <rahul.jain@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[185.132.180.163] said: 550 5.1.1 User Unknown (in reply to RCPT TO command)

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit be7be1a086453dd5bcae92d8c600523566947a7b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: drop Guillaume Gardet, domain no longer exists
  Thomas Petazzoni | 2021-02-17 | 1 file | -5/+0

  The oliseo.fr domain no longer responds to SMTP requests:

  smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit e79c34a5214d574558406b96601273227a1b133d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/fakeroot: add upstream patches to fix glibc 2.33 compatibility
  Jörg Krause | 2021-02-17 | 4 files | -0/+192

  Glibc 2.33 removed `_STAT_VER`. On host systems which updated to glibc 2.33, building host-fakeroot breaks:

  ```
  In file included from communicate.h:20,
                   from libfakeroot.c:60:
  libfakeroot.c: In function 'chown':
  libfakeroot.c:99:40: error: '_STAT_VER' undeclared (first use in this function)
     99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
  ```

  The issue has been discussed on some system package threads, e.g.:
  https://bugs.archlinux.org/task/69572
  https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13

  A patch set was prepared by Ilya Lipnitskiy which included two other patches not related to the glibc 2.33 compatibility and prepared as merge request for upstream:
  https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html

  Upstream accepted the merge request:
  https://salsa.debian.org/clint/fakeroot/-/merge_requests/10

  Note that this patch series only contains the necessary patches for glibc 2.33 compatibility.

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  [Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jasper: security bump version to 2.0.25
  Michael Vetter | 2021-02-17 | 2 files | -2/+2

  Changes:

  * Fix memory-related bugs in the JPEG-2000 codec resulting from attempting to decode invalid code streams. (#264, #265) This fix is associated with CVE-2021-26926 and CVE-2021-26927.
  * Fix wrong return value under some compilers (#260)
  * Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 72b801010c867b2a222603e3951a012e57a6f2c8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jasper: Bump to 2.0.24
  Michael Vetter | 2021-02-17 | 2 files | -2/+2

  Changes:

  * Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for easier access to the JasPer version.
  * Fixes stack overflow bug on Windows, where variable-length arrays are not available. (#256)

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7a5c61d59be35c059e96730cd70a92d47cb4e8e0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dnsmasq: bump version to 2.84
  Peter Seiderer | 2021-02-17 | 2 files | -2/+2

  Bugfix release, fixing a regression introduced in 2.83. For more details, see the announcement:
  http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014640.html

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 8fcdd2023ee6bc2efd96a3b43fec103f2afa0e2f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 2dada92a307382b7de4df6469734027d1c5a0f50)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/postgresql: security bump to version 12.6
  Peter Korsgaard | 2021-02-15 | 2 files | -6/+6

  Fixes the following security issue:

  - CVE-2021-3393: Partition constraint violation errors leak values of denied columns

    A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.

  For more details, see the announcement:
  https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

  Update the COPYRIGHT hash due to a copyright year bump:
  https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c09f6882d6f78bde26fcc1e1a3da11c274de596a

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xterm: security bump to version 366
  Peter Korsgaard | 2021-02-14 | 2 files | -3/+3

  Fixes the following security issue:

  CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit fd6f7061ca6ef8a2d1bfc67451ee3535c3814f00)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xterm: bump version to 363
  Bernd Kuhls | 2021-02-14 | 2 files | -2/+2

  Changelog:
  https://invisible-island.net/xterm/xterm.log.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 145e377a0af8881e93ec01929352e73b6a4459ae)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xterm: bump version to 358
  Sergio Prado | 2021-02-14 | 2 files | -3/+3

  Separate the fields in the hash file by two spaces.

  Change the hash of the license:
  - Copyright message changed from 2018,2019 to 2019,2020

  Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 650f0aa3e27e4c950fa9216d806fc39cdf11eada)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/subversion: security bump to version 1.14.1
  Peter Korsgaard | 2021-02-14 | 2 files | -3/+3

  Fixes the following security issue:

  CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn

  Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL.

  For more details, see the advisory:
  https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 4109401acdb195d16c3f32219492ed53f83206b7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/subversion: drop first patch
  Fabrice Fontaine | 2021-02-14 | 2 files | -24/+0

  First patch is not needed since version 1.8.0 and
  https://github.com/apache/subversion/commit/f071ec0c26cdf47e89fa90b31d2233ee1a2b00c2

  Indeed, as spotted by upstream when sending them this patch, the original expressions will not mangle '-mfloat-gprs=double' because the patterns contain a trailing space.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9670aa285250e1ee4fc44fa0134137961494cdeb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/subversion: bump to version 1.14.0
  Fabrice Fontaine | 2021-02-14 | 2 files | -3/+3

  https://subversion.apache.org/docs/release-notes/1.14.html

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 484412b62d938ff75f3437934c112580590acf1f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/subversion: bump to version 1.13.0
  Fabrice Fontaine | 2021-02-14 | 2 files | -5/+5

  - Update site to get latest release
  - Update indentation of hash file (two spaces)

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 85aeb5b3506e32426e75e385ce835b02c0a65be3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/kodi-inputstream-adaptive: update project URL
  Bernd Kuhls | 2021-02-14 | 2 files | -2/+2

  Reference:
  https://github.com/xbmc/repo-binary-addons/pull/143

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit fd72673d91a4b3326640bfb799d1af1926acd3ad)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sox: use old-format tarball hash
  Peter Korsgaard | 2021-02-14 | 1 file | -1/+1

  Fixes:
  http://autobuild.buildroot.net/results/8185a765ba246f51e8b24b5bf2058b25b9b0c05c/
  http://autobuild.buildroot.net/results/50fdcb3cff40249c2656caf3eb627b2e68a76a87/

  Commit 6406e08e4e25dd (package/sox: security bump to latest git commit) bumped the version of sox to a recent git hash, but added the tarball hash using the new "br1" format, which has only been added post-2020.11.

  Add the old-format hash to fix the build.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/connman: add option to enable wireguard support
  James Hilliard | 2021-02-14 | 2 files | -0/+11

  Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 2cb778612565e8395c8814a047fc58cc5d746722)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/docker-cli: bump version to 19.03.15
  Peter Korsgaard | 2021-02-11 | 2 files | -2/+2

  Bugfix release, fixing the following issue:

  - Check contexts before importing them to reduce risk of extracted files escaping context store

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/docker-engine: security bump to version 19.03.15
  Peter Korsgaard | 2021-02-11 | 2 files | -2/+2

  Fixes the following security issues:

  - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
    https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8
  - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
    https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* utils/getdeveloperlib.py: reduce Cc: list based on package infras
  Thomas Petazzoni | 2021-02-11 | 1 file | -12/+0

  When a developer has package/pkg-<infra>.mk assigned to him/her in the DEVELOPERS file, this has 3 implications:

  (1) Patches adding new packages using this infrastructure are Cc'ed to this developer. This is done by the analyze_patch() function, which matches the regexp r"^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$" in the patch, i.e where an added line contains a reference to the infra maintained by the developer.

  (2) Patches touching the package/pkg-<infra>.mk file itself are Cc'ed to this developer.

  (3) Any patch touching a package using this infra are also Cc'ed to this developer.

  Point (3) causes a significant amount of patches to be sent to developers who have package/pkg-generic.mk and package/pkg-autotools.mk assigned to them in the DEVELOPERS file. Basically, all patches touching generic or autotools packages get CC'ed to such developers, which causes a massive amount of patches to be received.

  So this patch adjusts the getdeveloperlib.py to drop point (3), but preserves point (1) and (2). Indeed, it makes sense to be Cc'ed on new package additions (to make a review that they use the package infrastructure correctly), and it makes sense to be Cc'ed on patches that touch the infrastructure code itself.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 38b0560f4ee1f113e32ce2cf59a08c37a967150d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/intel-microcode: security bump to version 20201118
  Peter Korsgaard | 2021-02-10 | 2 files | -2/+2

  Fixes the following security issues:

  - CVE-2020-8694: Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

  - CVE-2020-8695: Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

  - CVE-2020-8698: Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 9974d8836295797fdaa73f4ad61f741101b0c677)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/connman: add upstream security fixes for CVE-2021-2667{5, 6}
  Peter Korsgaard | 2021-02-10 | 3 files | -0/+309

  Fixes the following security issues:

  - CVE-2021-26675: Remote (adjacent network) code execution flaw
  - CVE-2021-26676: Remote stack information leak

  For details, see the advisory:
  https://www.openwall.com/lists/oss-security/2021/02/08/2

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit cf1dd7e007156f1995c0c1586b66bcdf8bd83655)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/connman: remove _GNU_SOURCE patch
  Petr Vorel | 2021-02-10 | 1 file | -30/+0

  Not needed any more.

  Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 14191cd119d2366cb0ecb2f8f363e500bb02cbed)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/connman: bump to 1.38
  Petr Vorel | 2021-02-10 | 2 files | -2/+2

  Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit c121114ad2844007b0dc2ea3783f2a65ad44dd7e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/connman: re-organize configure options and dependencies
  Petr Vorel | 2021-02-10 | 1 file | -16/+57

  Use style typical for Buildroot.

  Suggested-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 69aa5c5d695c64f75bd079d968a3d622f916045c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mosquitto: bump version to 1.6.13
  Peter Korsgaard | 2021-02-10 | 2 files | -3/+3

  Includes a number of bugfixes. For details, see the announcement:
  https://mosquitto.org/blog/2021/02/version-2-0-7-released/

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/rauc: bump version to 1.5.1
  Bartosz Bilas | 2021-02-10 | 3 files | -46/+3

  Removed patch applied upstream.

  Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f786969f2abdddee4f10bc5eb2475c06864535cb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 5.{4, 10}.x 4.{4, 9, 14, 19} series
  Bernd Kuhls | 2021-02-10 | 3 files | -11/+11

  Stick to 4.4.255 / 4.4.255 even though .256 is ready, as the wraparound of the minor version may cause problems:

  https://lkml.org/lkml/2021/2/5/747
  https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.256
  https://lkml.org/lkml/2021/2/5/862
  https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.256

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  [Peter: stick to 4.{4,9}.255]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b2dad74686978b2f9545295003d3eb5ffc68bb5b)
  [Peter: drop 5.10.x bump]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>