aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Update for 2016.11.32016.11.32016.11.xGravatar Peter Korsgaard2017-03-102-1/+9
| | | | Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* wireshark: security bump to version 2.2.5Gravatar Gustavo Zacarias2017-03-082-3/+3
| | | | | | | | | | | | | | | | | | | | Fixes: wnpa-sec-2017-03 - LDSS dissector crash wnpa-sec-2017-04 - RTMTP dissector infinite loop wnpa-sec-2017-05 - WSP dissector infinite loop wnpa-sec-2017-06 - STANAG 4607 file parser infinite loop wnpa-sec-2017-07 - NetScaler file parser infinite loop wnpa-sec-2017-08 - NetScaler file parser crash wnpa-sec-2017-09 - K12 file parser crash wnpa-sec-2017-10 - IAX2 dissector infinite loop wnpa-sec-2017-11 - NetScaler file parser infinite loop Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit e9e594d99add12ec2b10f79a351cdd8bae093d0e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 785d474cb4a11b50f9f8744889df10fe7f855eea) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* gnutls: security bump to version 3.5.10Gravatar Gustavo Zacarias2017-03-082-2/+2
| | | | | | | | | | | | | | | | Fixes: GNUTLS-SA-2017-3A - Addressed integer overflow resulting to invalid memory write in OpenPGP certificate parsing. GNUTLS-SA-2017-3B - Addressed crashes in OpenPGP certificate parsing, related to private key parser. No longer allow OpenPGP certificates (public keys) to contain private key sub-packets. GNUTLS-SA-2017-3C - Addressed large allocation in OpenPGP certificate parsing, that could lead in out-of-memory condition. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit 6fdb2b109bdec24ea426e0a6786ced7dbb591732) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* gnutls: bump version to 3.5.9Gravatar Peter Korsgaard2017-03-082-2/+2
| | | | | | Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 743f5076df0a852f25d55c3bcb1d3e33eec07055) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libcurl: security bump to version 7.53.0Gravatar Peter Korsgaard2017-02-262-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored >From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6): Curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error. Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Contrary to how it used to function and contrary to how this feature is documented to work. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit c5f5d9fa4e378f3b81f51284e32ee1c23ab2a575)
* dbus: security bump to version 1.10.16Gravatar Peter Korsgaard2017-02-262-2/+2
| | | | | | | | | | | | | | | >From http://www.openwall.com/lists/oss-security/2017/02/16/4 The latest dbus release 1.10.16 fixes two symlink attacks in non-production-suitable configurations. I am treating these as bugs rather than practical vulnerabilities, and very much hope neither of these is going to affect any real users, but I'm reporting them to oss-security in case there's an attack vector that I've missed. No CVEs assigned so far. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit c9556ed90f22185b3abf822f0fe07afea661938a)
* dbus: bump to version 1.10.14Gravatar Gustavo Zacarias2017-02-262-2/+2
| | | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 3229c7c12d6edee36c9fe0c8755d8bbdfc092a52) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* stunnel: fix static linkGravatar Baruch Siach2017-02-261-1/+2
| | | | | | | | | | | | | | | | | zlib is a dependency of OpenSSL. Take that into account when linking statically. Fixes: http://autobuild.buildroot.net/results/dfe/dfe7c82c7976912378e33e03ea4c677bee6a778d/ http://autobuild.buildroot.net/results/48c/48cb55428613e91abfe8e71456182082d9eabb75/ http://autobuild.buildroot.net/results/810/81029efad8b9e2f48c26a7b20f62c90844fc86df/ and many more. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit b575baeb1ad787dac1ce31343adfd6ee3415ca41) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* redis: bump to version 3.2.8Gravatar Gustavo Zacarias2017-02-162-3/+3
| | | | | | | | | | It fixes a regression in the 3.2.7 security release that can cause server deadlocks. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit f4cb8f2d4a9805ccdd084f16a25990e88da463c1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* ntfs-3g: add security fix for CVE-2017-0358Gravatar Peter Korsgaard2017-02-162-0/+2
| | | | | | | | | | | | | | | | | | | Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE does not not scrub the environment before executing modprobe to load the fuse module. This influence the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options) potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. Notice that Buildroot does NOT install netfs-3g setuid root, but custom permission tables might be used, causing it to vulnerable to the above. ntfs-3g does not seem to have a publicly available version control system and no new releases have been made, so instead grab the patch from Debian. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 6f971f354c14a8948477a0936668b8baae8ec86e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* vim: security bump to version 8.0.0329Gravatar Peter Korsgaard2017-02-162-2/+2
| | | | | | | | | | | | | | | | | Fixes: - CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened. - CVE-2017-5953: vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 0e76cde70f651b17e74681d17fb0afb16400102d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.0-P3Gravatar Peter Korsgaard2017-02-162-3/+3
| | | | | | | | | | Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash: https://kb.isc.org/article/AA-01453 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit b9141fc88b24b6e0d565f84ee768f3199f31a6cd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* quagga: security bump to version 1.1.1Gravatar Baruch Siach2017-02-162-4/+10
| | | | | | | | | | | | Fixes CVE-2017-5495: Telnet interface input buffer allocates unbounded amounts of memory, leading to DoS. Add optional dependency on protobuf-c. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit ae73226476e5ca449cf0b312aa03a18dfe31d3a9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* ntp: security bump to verserion 4.2.8p9Gravatar Adam Duskett2017-02-163-13/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This version of ntp fixes several vulnerabilities. CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 http://www.kb.cert.org/vuls/id/633847 In addition, libssl_compat.h is now included in many files, which references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h. Even if a you pass --disable-ssl as a configuration option, these files are now required. As such, I have also added openssl as a dependency, and it is now automatically selected when you select ntp. Signed-off-by: Adam Duskett <aduskett@codeblue.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit ebf6f64b76059e31a85f982cb04f80ad5982dac3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tcpdump: security bump to version 4.9.0Gravatar Baruch Siach2017-02-162-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Security fixes in this release (from the Debian changelog): + CVE-2016-7922: buffer overflow in print-ah.c:ah_print(). + CVE-2016-7923: buffer overflow in print-arp.c:arp_print(). + CVE-2016-7924: buffer overflow in print-atm.c:oam_print(). + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print(). + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print(). + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print(). + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print(). + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header(). + CVE-2016-7930: buffer overflow in print-llc.c:llc_print(). + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print(). + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum(). + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print(). + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print(). + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print(). + CVE-2016-7936: buffer overflow in print-udp.c:udp_print(). + CVE-2016-7937: buffer overflow in print-udp.c:vat_print(). + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame(). + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions. + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions. + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions. + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions. + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print(). + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print(). + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print(). + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print(). + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions. + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print(). + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print(). + CVE-2016-8575: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print(). + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print(). + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print(). + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print(). + CVE-2017-5341: buffer overflow in print-otv.c:otv_print(). + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). + CVE-2017-5482: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse(). + CVE-2017-5484: buffer overflow in print-atm.c:sig_print(). + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap(). + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print(). Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 183b443e579b31b14bd95f98ecd95b2efc0554f7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* php: security bump version to 7.1.1Gravatar Vicente Olivert Riera2017-02-093-37/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 0006-Fix-php-fpm.service.in.patch already included: https://github.com/php/php-src/commit/bb19125781c0794da9a63fee62e263ff4efff661 Fixes: CVE-2016-10158 Loading a TIFF or JPEG malicious file can lead to a Denial-of-Service attack when the EXIF header is being parsed. CVE-2016-10159 Loading a malicious phar archive can cause an extensive memory allocation, leading to a Denial-of-Service attack on 32 bit computers. CVE-2016-10160 An attacker might remotely execute arbitrary code using a malicious phar archive. This is the consequence of an off-by-one memory corruption. CVE-2016-10161 An attacker with control of the unserialize() function argument can cause an out-of-bounce read. This could lead to a Denial-of-Service attack or a remote code execution. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 34be5012149dfc74432319a7df1eb627bb50bd27)
* imagemagick: fix build of png support when jpeg support is disabledGravatar Peter Korsgaard2017-02-061-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: http://autobuild.buildroot.net/results/d20/d20eecec8e7b947759185f77a6c8e610dd7393f3/ http://autobuild.buildroot.net/results/ee1/ee15efa8ae3f95244980810155ff7ba9f885a59d/ http://autobuild.buildroot.net/results/aa8/aa80f2fd4c7dd884ea8a1b55ad15a40c7bf40501/ http://autobuild.buildroot.net/results/9aa/9aaa044f78115d7f599ea09669c0d6bface5633e/ This combination is broken since 7.0.4-6. Since commit a9e228f8ac26 (Implemented a private PNG caNv (canvas) chunk), PNGsLong gets called unconditionally, but it is only defined if JPEG support is enabled (which defines JNG_SUPPORTED), breaking the build: MagickCore/.libs/libMagickCore-7.Q16HDRI.a(MagickCore_libMagickCore_7_Q16HDRI_la-png.o): In function `WriteOnePNGImage': png.c:(.text+0x748d): undefined reference to `PNGsLong' png.c:(.text+0x74b7): undefined reference to `PNGsLong' Fix it by adding a patch unconditionally defining the helper function. Patch submitted upstream. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit c6f8088fdd56384fb9dc61ca31a0c1772acfde93)
* imagemagick: security bump to version 7.0.4-6Gravatar Vicente Olivert Riera2017-02-032-2/+2
| | | | | | | | | | | | | Fixes an use of uninitialized data issue in MAT image format that may have security impact: https://github.com/ImageMagick/ImageMagick/issues/362 [Peter: extend commit message, mention (potential) security impact] Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit e5f505efac725b7e12b22f1341ce0523df73a79f)
* imagemagick: bump version to 7.0.4-5Gravatar Vicente Olivert Riera2017-02-032-2/+2
| | | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit ad736e199cf9127688645cafc34c94a15251c623)
* imagemagick: bump version to 7.0.4-4Gravatar Vicente Olivert Riera2017-02-032-2/+2
| | | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit a89bdc363c637950fa86a015d99d90830a682dbe)
* redis: security bump to version 3.2.7Gravatar Vicente Olivert Riera2017-02-032-3/+3
| | | | | | | | | | | | | | | | | | | Release notes: https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/ From the notes: Upgrade urgency HIGH. This release fixes important security and correctness issues. It is especially important to upgrade for Redis Cluster users and for users running Redis in their laptop since a cross-scripting attack is fixed in this release. [Peter: extend description] Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit bbc042b91ef118cf2fc42b6b5558161c752ce6e8)
* redis: bump to version 3.2.6Gravatar Gustavo Zacarias2017-02-032-3/+3
| | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 4be266220ad766ef43c811b61344eb7d135af241)
* lcms2: add upstream security fix for CVE-2016-10165Gravatar Peter Korsgaard2017-01-311-0/+27
| | | | | | | | | | | | An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile. https://bugzilla.redhat.com/show_bug.cgi?id=1367357 Add upstream patch to fix it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit cd2e115a3feb501afc11d3c6ce29fd947a631cda)
* squid: security bump to version 3.5.24Gravatar Gustavo Zacarias2017-01-312-4/+4
| | | | | | | | | Fixes: * Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 545100159113c5b432511266018ab21e2dea864d)
* package/wavpack: security bump to version 5.1.0Gravatar Jörg Krause2017-01-302-2/+2
| | | | | | | | | | | | | Fixes: - CVE-2016-10169: global buffer overread in read_code / read_words.c - CVE-2016-10170: heap out of bounds read in WriteCaffHeader / caff.c - CVE-2016-10171: heap out of bounds read in unreorder_channels / wvunpack.c - CVE-2016-10172: heap oob read in read_new_config_info / open_utils.c [Peter: add CVE references] Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit dbc108d6729a082d247910d1476df358570036ab)
* package/wavpack: bump version to 5.0.0Gravatar Jörg Krause2017-01-302-2/+2
| | | | | | Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 0dbe92b0d037bdcf40edeb29534e64bfd9a8a98b)
* openssl: security bump to version 1.0.2kGravatar Gustavo Zacarias2017-01-272-3/+3
| | | | | | | | | | | Fixes: CVE-2017-3731 - Truncated packet could crash via OOB read. CVE-2017-3732 - BN_mod_exp may produce incorrect results on x86_64 CVE-2016-7055 - Montgomery multiplication may produce incorrect results Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit f9a6a2df56012b2ee6d171ca9371910c668bfa78)
* package/x11r7/xlib_libXpm: bump version to 3.5.12Gravatar Bernd Kuhls2017-01-252-3/+3
| | | | | | | | | | Fixes CVE-2016-10164: The affected code is prone to two 32 bit integer overflows while parsing extensions: the amount of extensions and their concatenated length. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit e9f66e194a43e9dac4a8c88bcb5b3253845cd805)
* Update for 2016.11.22016.11.2Gravatar Peter Korsgaard2017-01-252-1/+16
| | | | Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* wireshark: security bump to version 2.2.4Gravatar Gustavo Zacarias2017-01-252-3/+3
| | | | | | | | | | Fixes: wnpa-sec-2017-01 - The ASTERIX dissector could go into an infinite loop. wnpa-sec-2017-02 - The DHCPv6 dissector could go into a large loop. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 2515437e51036f0ad2d89ca16d07cd5b022fdbe9)
* go: security bump to version 1.7.4Gravatar Peter Korsgaard2017-01-242-2/+2
| | | | | | | | | | | | | | | | | | | On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141. Thanks to Xy Ziemba for identifying and reporting this issue. The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965. Thanks to Simon Rawet for the report. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 5c9db62171cefb125193a6f814a0046536fc76a1)
* core/br2-external: fix use of relative pathsGravatar Yann E. MORIN2017-01-231-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #9576 When the path to a br2-external tree is relative, make enters an endless recursive loop (paths elided for brevity): $ make BR2_EXTERNAL=.. foo_defconfig make[1]: stat: ../configs/../configs/../configs[...]/toto_defconfig: Filename too long make[1]: *** No rule to make target '../configs/../configs/../configs[...]/toto_defconfig', needed by '../configs/../configs/../configs[...]/toto_defconfig'. Stop. Makefile:79: recipe for target '_all' failed make: *** [_all] Error 2 It is a bit complex to understand the actual technical reason for this never-ending expansion; it seems it happens in the code generated by the percent_defconfig macro. Not sure why, though... But the root cause is the relative path. Just use absolute, canonical paths to br2-external trees. Always. [Peter: add bugzilla reference] Reported-by: outtierbert@gmail.com Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 05576fca13b129da8c7186ee2307981135d3391f)
* runc: security bump to fix CVE-2016-9962Gravatar Peter Korsgaard2017-01-232-2/+2
| | | | | | | | | | | | | RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit d6706dc430ebb1dade6f90a8d45503c23abec99d)
* runc: pass -extldflags '-static' in correct variableGravatar Fabrice Fontaine2017-01-231-1/+1
| | | | | | | | | | | | commit 9101ce5800 (runc: pass -extldflags '-static' on when BR2_STATIC_LIBS=y) contained a small copy/paste error, FLANNEL_GLDFLAGS was used instead of RUNC_GLDFLAGS. [Peter: refer to exact commit] Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit b97e3c94a9798bbd7eb08f5bd1adb0417cde1fd1)
* docker-engine: security bump to version 1.12.6Gravatar Peter Korsgaard2017-01-232-3/+3
| | | | | | | | Fixes runC privilege escalation (CVE-2016-9962). Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit 157ddf77e403c6ee00faef44fc32f8f679964204)
* docker-engine: fix docker version outputGravatar Christian Stewart2017-01-231-1/+4
| | | | | | | | | | | | | | | | | At compile-time the docker build scripts generate a version file used to build the output of the docker version command. This file is generated somewhat properly by the Buildroot build system, however the version number and commit ID are incorrectly formatted. This patch fixes the output to the correct format. This is important as some tools like WeaveWorks won't even start unless they can parse the Docker Version output correctly. [Peter: strip v from version using patsusbt] Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 0533484eb7e2ff8500406035c59d2c3c2c07dda3)
* docker-engine: bump version to v1.12.5Gravatar Christian Stewart2017-01-232-2/+2
| | | | | | Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 3eddce6ea04a752388bec22a623320290a5834b5)
* opus: security bump to 1.1.4Gravatar Peter Korsgaard2017-01-232-2/+2
| | | | | | | | | | | Fixes CVE-2017-0381: A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit f00a528ce68e24bb9f162416a5cf25bdc65fce20)
* gd: security bump to version 2.2.4Gravatar Gustavo Zacarias2017-01-202-2/+2
| | | | | | | | | | | | | | | Fixes: CVE-2016-9317 - gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. CVE-2016-6912 - double-free in gdImageWebPtr() (without CVE): Potential unsigned underflow in gd_interpolation.c DOS vulnerability in gdImageCreateFromGd2Ctx() Signed Integer Overflow gd_io.c Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 39885cc5b0c6ff175fe3a115231bc2428840e7b7)
* rabbitmq-server: security bump to version 3.6.6Gravatar Peter Korsgaard2017-01-202-2/+2
| | | | | | | | | | | | | Fixes a critical authentication vulnerability in the MQTT plugin (CVE-2016-9877): MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit a502f9acfd7ec5592d1e059e0180928b15abd59f)
* bind: security bump to version 9.11.0-P2Gravatar Peter Korsgaard2017-01-202-3/+3
| | | | | | | | | | | | | | | | | | | Bugfixes: - CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion - CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure - CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure - CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 4bab93be70ba576668a9fa19d0ff92ce2b97c905)
* php: bump version to 7.1.0 (security)Gravatar Vicente Olivert Riera2017-01-122-2/+2
| | | | | | | | | | | | | | | | Fixed CVEs: - CVE-2016-9933 (imagefilltoborder stackoverflow on truecolor images) http://bugs.php.net/72696 - CVE-2016-9934 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow) http://bugs.php.net/73331 Full ChangeLog: http://php.net/ChangeLog-7.php#7.1.0 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit e470b3fde7fe7e69fc5ec57fe8a5c8a4cd66c8cc)
* php-imagick: bump version to 3.4.3RC1Gravatar Vicente Olivert Riera2017-01-122-2/+2
| | | | | | | | | This version is marked as "stable" on php-imagick's website, plus is necessary for the upcoming php-7.1 version bump. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 0cfddd92b67dc3208e89395368972d780e4d7cc1)
* gnutls: security bump to version 3.5.8Gravatar Gustavo Zacarias2017-01-123-9/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | The 3.5.x has been promoted to stable, hence 3.4.x is deprecated and 3.3.x kept as old-stable. libdane now specifies LGPLv2.1+ so drop the README kludge (which is also gone regarding licensing). libunistring is a new dependency, even though gnutls ships a builtin version we prefer to use unbundled to avoid duplication with other users and target size growth. Fixes: GNUTLS-SA-2017-01 - It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with Proxy Certificate Information extension present could lead to a double free. GNUTLS-SA-2017-02 - It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 9b347c4acd15afd1368c2d1d24ca73557cb43ceb)
* gnutls: bump to version 3.4.17Gravatar Gustavo Zacarias2017-01-122-2/+2
| | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 455487dbd1e6d616c1d82bafd4c6be6191d0c7b2)
* imagemagick: bump version to 7.0.4-3 (security)Gravatar Vicente Olivert Riera2017-01-122-2/+2
| | | | | | | | | | Fixes CVE-2016-8707 (Fix possible buffer overflow when writing compressed TIFFS). This CVE fix is included since 7.0.3-9: http://git.imagemagick.org/repos/ImageMagick/commit/fde5f55af94f189f16958535a9c22b439d71ac93 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 68e8c3b5a69a469b6d374b53b4542284a091c9a4)
* libvncserver: security bump to version 0.9.11Gravatar Peter Korsgaard2017-01-092-2/+2
| | | | | | | | | | | | Security related fixes: - Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 (CVE-2016-9941) - Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 (CVE-2016-9942) Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 143ba54758f6edf87f15e3ab2eae68519201ca81)
* irssi: security bump to 0.8.21Gravatar Peter Korsgaard2017-01-092-2/+2
| | | | | | | | | | | | | | | | | | | | Bugfixes: - CVE-2017-5193: Correct a NULL pointer dereference in the nickcmp function found by Joseph Bisch (GL#1) - CVE-2017-5194: Correct an error when receiving invalid nick message (GL#4, #466) - CVE-2017-5195: Correct an out of bounds read in certain incomplete control codes found by Joseph Bisch (GL#2) - CVE-2017-5196: Correct an out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch (GL#3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 8528edfb3b3f6ee826c2339696c4c79c8ba5c938)
* gd: security bump to version 2.2.3Gravatar Peter Korsgaard2017-01-092-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | Security related fixes: This flaw is caused by loading data from external sources (file, custom ctx, etc) and are hard to validate before calling libgd APIs: - fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766) - bug #248, fix Out-Of-Bounds Read in read_image_tga - gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132) Using application provided parameters, in these cases invalid data causes the issues: - Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207) - fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128) - improve color check for CropThreshold The build system now enables -Wall and -Werror by default, so pass --disable-werror to disable that. Notice that this issue has been fixed upstream post-2.2.3: https://github.com/libgd/libgd/issues/339 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 81dc283a00a6c1ed73bcb273b3ab23fc37a3a267)
* musl: security bump to version 1.1.16Gravatar Gustavo Zacarias2017-01-044-69/+2
| | | | | | | | | | | | Fixes: CVE-2016-8859 - fixes a serious under-allocation bug in regexec due to integer overflow. Drop upstream patch. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 63a7277107c32349d1aadd06e9c739503f33079e)