Commit message  [Author, Age, Files, Lines]
* Update for 2017.02.11 (tag 2017.02.11, branch 2017.02.x)  [Peter Korsgaard, 2018-04-11, 2 files, -2/+22]

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* wireshark: bump version to 2.2.14 (security)  [André Hentschel, 2018-04-11, 2 files, -3/+3]

    Security fixes since 2.2.12:

    - wnpa-sec-2018-15 The MP4 dissector could crash. (Bug 13777)
    - wnpa-sec-2018-16 The ADB dissector could crash. (Bug 14460)
    - wnpa-sec-2018-17 The IEEE 802.15.4 dissector could crash. (Bug 14468)
    - wnpa-sec-2018-18 The NBAP dissector could crash. (Bug 14471)
    - wnpa-sec-2018-19 The VLAN dissector could crash. (Bug 14469)
    - wnpa-sec-2018-20 The LWAPP dissector could crash. (Bug 14467)
    - wnpa-sec-2018-23 The Kerberos dissector could crash. (Bug 14576)
    - wnpa-sec-2018-05 The IEEE 802.11 dissector could crash. Bug 14442, CVE-2018-7335
    - wnpa-sec-2018-06 Multiple dissectors could go into large infinite loops. All ASN.1 BER dissectors (Bug 14444), along with the DICOM (Bug 14411), DMP (Bug 14408), LLTD (Bug 14419), OpenFlow (Bug 14420), RELOAD (Bug 14445), RPCoRDMA (Bug 14449), RPKI-Router (Bug 14414), S7COMM (Bug 14423), SCCP (Bug 14413), Thread (Bug 14428), Thrift (Bug 14379), USB (Bug 14421), and WCCP (Bug 14412) dissectors were susceptible.
    - wnpa-sec-2018-07 The UMTS MAC dissector could crash. Bug 14339, CVE-2018-7334
    - wnpa-sec-2018-09 The FCP dissector could crash. Bug 14374, CVE-2018-7336
    - wnpa-sec-2018-10 The SIGCOMP dissector could crash. Bug 14398, CVE-2018-7320
    - wnpa-sec-2018-11 The pcapng file parser could crash. Bug 14403, CVE-2018-7420
    - wnpa-sec-2018-12 The IPMI dissector could crash. Bug 14409, CVE-2018-7417
    - wnpa-sec-2018-13 The SIGCOMP dissector could crash. Bug 14410, CVE-2018-7418
    - wnpa-sec-2018-14 The NBAP dissector could crash. Bug 14443, CVE-2018-7419

    Full release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.2.14.html

    Signed-off-by: André Hentschel <nerv@dawncrow.de>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit c5c87c2bb61efb31421b345bdbf6931b882ff6a9)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 2661d47425f866cf56617d2928b6b96566db8de4)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* python-webpy: use webpy-0.39 tag  [Peter Korsgaard, 2018-04-11, 2 files, -3/+2]

    No functional change, but upstream has now tagged the release, so use the tag instead of the sha1.

    https://github.com/webpy/webpy/issues/449

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 01320bb9ff297bac38a4c9bc32ae505ac79d600f)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* python-webpy: security bump to version 0.39  [Peter Korsgaard, 2018-04-11, 2 files, -3/+6]

    From the changelog:

    2018-02-28 0.39
    * Fixed a security issue with the form module (tx Orange Tsai)
    * Fixed a security issue with the db module (tx Adrián Brav and Orange Tsai)

    2016-07-08 0.38
    ..
    * Fixed a potential remote execution risk in `reparam` (tx Adrián Brav)

    License files are still not included on pypi, so continue to use the git repo. Upstream has unfortunately not tagged 0.39, so use the latest commit on the 0.39 branch. A request to fix this has been submitted:

    https://github.com/webpy/webpy/issues/449

    0.39 now uses setuptools, so change the _SETUP_TYPE.

    Add hashes for the license files.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit ce559162fca39c273583bea0dbed643229769d8c)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* python-webpy: needs hashlib support in python  [Peter Korsgaard, 2018-04-11, 1 file, -0/+1]

    webpy uses hashlib for session handling, so ensure it is available:

    web/session.py: import hashlib
    web/session.py: sha1 = hashlib.sha1

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 543b0d50fbbb552296749d0cf18443aacfc6e58d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* openblas: drop SSE_GENERIC target  [Peter Korsgaard, 2018-04-11, 1 file, -2/+2]

    Fixes #10856

    The SSE_GENERIC target fails to build with a "sgemm_kernel.o: No such file or directory" error. Several upstream bug reports exist for this:

    https://github.com/xianyi/OpenBLAS/issues/502
    https://github.com/xianyi/OpenBLAS/issues/685

    In both cases, upstream suggests using a different target definition instead. E.G. from issue 685:

      You may use NORTHWOOD on x86: make TARGET=NORTHWOOD that uses SSE2 instructions. It's very hard to find non-SSE2 x86 CPUs today. For x86-64 use the PRESCOTT target

    So drop the SSE_GENERIC target. The only x86_64 variants we support not covered by a more specific openblas target are the default variant, nocona and jaguar.

    Nocona was a Xeon variant of the P4 "Prescott" architecture, so use the PRESCOTT openblas target:

    https://en.wikipedia.org/wiki/Xeon#Nocona_and_Irwindale

    Jaguar is from the Bobcat family, so use the BOBCAT openblas target:

    https://en.wikipedia.org/wiki/List_of_AMD_microprocessors#Bobcat_core_architecture_(APU)

    [Peter: add Jaguar as pointed out by Arnout]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 5e6fa93483caac317ab8844feb2ae9c07078a6c8)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* opencv3: fix Python module build for Python 3.x  [Sasha Shyrokov, 2018-04-11, 1 file, -0/+1]

    When the OpenCV3 Python support is enabled with Python 3.x, it builds properly, and the resulting .so file is built for the target architecture, but its name is wrong:

    output/target/usr/lib/python3.6/site-packages/cv2.cpython-36m-x86_64-linux-gnu.so

    This prevents Python 3.x from importing the module:

    >>> import cv2
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    ModuleNotFoundError: No module named 'cv2'

    In order to fix this, we simply need to pass PKG_PYTHON_DISTUTILS_ENV in the environment. The Python module then gets named:

    output/target/usr/lib/python3.6/site-packages/cv2.cpython-36m-arm-linux-gnueabi.so

    And can be imported properly:

    >>> import cv2
    >>>

    This solution was suggested by Arnout Vandecappelle in https://stackoverflow.com/questions/49059035/buildroot-opencv3-python-package-builds-for-the-wrong-target.

    With Python 2.x, the module is named just cv2.so so this problem isn't visible. However, for consistency, we also pass PKG_PYTHON_DISTUTILS_ENV when building against Python 2.x, by putting the OPENCV3_CONF_ENV assignment inside the BR2_PACKAGE_OPENCV3_LIB_PYTHON condition, but outside the BR2_PACKAGE_PYTHON3/BR2_PACKAGE_PYTHON condition.

    Signed-off-by: Sasha Shyrokov <alexander-shyrokov@idexx.com>
    [Thomas: extend the commit log, apply the solution to Python 2.x.]
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 8ba80282c3bb580c6a45ea114e70acac98fe1690)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xterm: Avoid freetype2 path poisoning using imake  [Valentin Korenblit, 2018-04-11, 1 file, -0/+3]

    When imake is installed on the host, it tries to include freetype headers from host, so we must override ac_cv_path_IMAKE to avoid this.

    Extract from config.log:

    configure:14803: checking if we should use imake to help
    configure:14820: result: yes
    configure:14829: checking for xmkmf
    configure:14846: found /usr/bin/xmkmf
    configure:14857: result: /usr/bin/xmkmf
    configure:14920: testing Using /usr/bin/xmkmf ...
    configure:15015: testing IMAKE_CFLAGS -I. -I/usr/include/freetype2

    Signed-off-by: Valentin Korenblit <valentin.korenblit@smile.fr>
    [Thomas: pass ac_cv_path_IMAKE="" as suggested by Romain Naour.]
    Reviewed-by: Romain Naour <romain.naour@smile.fr>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 6d0316dc7b14f6cd2d44e92c6ab581a6ab385234)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 6e17a16dc728845bcfad48230b8db9c375acd31e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* openssl: security bump to version 1.0.2o  [Peter Korsgaard, 2018-04-11, 2 files, -4/+4]

    Fixes the following security issues:

    Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.

    Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)

    Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

    rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

    This issue has been reported in a previous OpenSSL security advisory and a fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was released at that time for OpenSSL 1.1.0. The fix is now available in OpenSSL 1.1.0h.

    There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

    This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

    For more details, see https://www.openssl.org/news/secadv/20180327.txt

    The copyright year changed in LICENSE, so adjust the hash to match.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 6938c219d80e2267f8e25f3fc37f955ab723cc55)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* sngrep: fix libgcrypt handling  [Peter Korsgaard, 2018-04-11, 1 file, -1/+2]

    Fixes: http://autobuild.buildroot.net/results/f1c6494133806b9fc26ae3ce9e9c6a22fa2eda6f/

    Commit 6205b75873c (sngrep: gnutls support also needs libgcrypt) ensured that --with-gnutls is only used when both gnutls and libgcrypt are enabled, but it didn't ensure libgcrypt gets built before sngrep or told the configure script where to find libgcrypt-config, breaking the build. Fix both issues.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit ae7d59eaae1c55d707b2a70437a84c280f598572)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{1, 4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -3/+3]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 9ef8f6b061b552012b767b83c7b21e5e3fb9fff7)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* xerces: add upstream security fix  [Baruch Siach, 2018-04-11, 1 file, -0/+22]

    CVE-2017-12627: dereference of a NULL pointer while processing the path to the DTD.

    xerces 3.2.1 includes this patch. But this version also added AC_RUN_IFELSE to its configure script, making cross compilation harder. Switching to cmake is also problematic since the minimum required cmake version is 3.2.0. The host dependencies check currently allows minimum cmake version 3.1.

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 142c8cc8d525f687ce199cc0163d48892e8a81f7)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit d9534c816383ac45e75ae042b7c668406d9e8b1f)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.33  [Bernd Kuhls, 2018-04-11, 2 files, -3/+4]

    Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.33

    Fixes CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301, CVE-2017-15715, CVE-2018-1312, CVE-2018-1302.

    Added license hash.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 65193bf3c93ec6922979907ce87fc82a73b25268)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump version to 2.4.29  [Bernd Kuhls, 2018-04-11, 2 files, -3/+3]

    Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 386ca343c514b4c7e30217ee688eb2d273585661)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump to version 2.4.28  [Bernd Kuhls, 2018-04-11, 3 files, -33/+3]

    Fix for CVE-2017-9798 is included in this release, so this patch is removed.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    [Update commit log: not a security bump]
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 1cff68251e6cd2fe8ed421d7b07813256342a150)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/imagemagick: security bump version to 7.0.7-27  [Bernd Kuhls, 2018-04-11, 2 files, -2/+3]

    Fixes CVE-2018-6405 (upstream Github PR 964) and many others: http://www.imagemagick.org/script/changelog.php

    Added license hash.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 31086ea1de511b57e8377d9fa6b0fe7350b1e753)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 3.2.x and 4.{14, 15}.x series  [Bernd Kuhls, 2018-04-11, 1 file, -1/+1]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit b83a4d3d69d5daa871812bd4c4803acef789e318)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tremor: security bump to fix CVE-2018-5146  [Peter Korsgaard, 2018-04-11, 2 files, -3/+6]

    Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition.

    Upstream has migrated from subversion to git, so change to git and bump the version to include the fix for CVE-2018-5146.

    While we're at it, also add a hash file.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 80266c95052024381898cada4c51d44207fddd80)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 3.2.x and 4.{1, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit cd0fd093523b558cdcf282c1d1497bc2a494f4e0)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4,9}.x series  [Peter Korsgaard, 2018-04-11, 1 file, -2/+2]

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 50cd46b39f4af495a4c9d15f0e5d3df272e33c7c)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* irssi: security bump to version 1.0.7  [Peter Korsgaard, 2018-04-11, 2 files, -2/+2]

    Fixes the following security issues:

    Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825)
    - CVE-2018-7054 [2] was assigned to this issue.

    Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch. (CWE-416, CWE-691)
    - CVE-2018-7053 [3] was assigned to this issue.

    Null pointer dereference when an “empty” nick has been observed by Irssi. Found by Joseph Bisch. (CWE-476, CWE-475)
    - CVE-2018-7050 [4] was assigned to this issue.

    When the number of windows exceeds the available space, Irssi would crash due to Null pointer dereference. Found by Joseph Bisch. (CWE-690)
    - CVE-2018-7052 [5] was assigned to this issue.

    Certain nick names could result in out of bounds access when printing theme strings. Found by Oss-Fuzz. (CWE-126)
    - CVE-2018-7051 [6] was assigned to this issue.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 181ef8a1d01ddfa2be0b59ea85eb8902b0ce12c0)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libcurl: security bump to version 7.59.0  [Baruch Siach, 2018-04-11, 2 files, -3/+3]

    CVE-2018-1000120: curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of the URL contains a "%00" sequence.
    https://curl.haxx.se/docs/adv_2018-9cd6.html

    CVE-2018-1000121: curl might dereference a near-NULL address when getting an LDAP URL.
    https://curl.haxx.se/docs/adv_2018-97a2.html

    CVE-2018-1000122: When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer.
    https://curl.haxx.se/docs/adv_2018-b047.html

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit bf3476e5b1527ac91c0a12949be7da5253ea66c1)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libpjsip: security bump to 2.7.2  [Adam Duskett, 2018-04-11, 2 files, -4/+4]

    Fixes the following vulnerabilities:

    - CVE-2018-1000098: Crash when parsing SDP with an invalid media format description
    - CVE-2018-1000099: Crash when receiving SDP with invalid fmtp attribute

    [Peter: add CVE info]
    Signed-off-by: Adam Duskett <aduskett@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit ed0d9d6f36dfc3e99ee70cc34de0c380925e871f)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* samba4: security bump to version 4.5.16  [Peter Korsgaard, 2018-04-11, 2 files, -2/+2]

    CVE-2018-1050: Vulnerability to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon.
    https://www.samba.org/samba/security/CVE-2018-1050.html

    CVE-2018-1057: Authenticated users might change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
    https://www.samba.org/samba/security/CVE-2018-1057.html

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-11, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 03b5b444f155ead9c73c2ed2596948de671c5fb9)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: Config.in: correct typo in kernel compression format help text  [Peter Korsgaard, 2018-04-11, 1 file, -1/+1]

    s/build/built/.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit d233cc72c4b901f1ea0ae4ce895ff665bd0b78d9)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* busybox: add upstream post-1.27.2 httpd fix  [Peter Korsgaard, 2018-04-10, 1 file, -0/+27]

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit ec58149009776f63767644f9a3409f420c271766)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* busybox: bump to version 1.27.2  [Adam Duskett, 2018-04-10, 2 files, -4/+4]

    Signed-off-by: Adam Duskett <aduskett@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    (cherry picked from commit 5cdb463e442d63f0ba361e7348d0ed56cb9b63d0)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* busybox: disable new TLS support  [Thomas Petazzoni, 2018-04-10, 2 files, -8/+8]

    Busybox 1.17.1 has added built-in TLS support. Unfortunately, it fails to build on i686 with gcc 4.8, with:

    networking/tls_pstm_mul_comba.c: In function 'pstm_mul_comba':
    networking/tls_pstm_mul_comba.c:82:1: error: 'asm' operand has impossible constraints
     asm( \
     ^
    networking/tls_pstm_mul_comba.c:279:4: note: in expansion of macro 'MULADD'
        MULADD(*tmpx++, *tmpy--);
        ^
    make[3]: *** [networking/tls_pstm_mul_comba.o] Error 1
    make[2]: *** [networking] Error 2

    Since TLS support is a new feature in 1.27, and wasn't present until now, let's disable it to avoid the build failure. The bug has been reported upstream at http://lists.busybox.net/pipermail/busybox/2017-July/085713.html.

    Fixes: http://autobuild.buildroot.net/results/d973f9a2fbf0f52104f4943b902183e9dbf163a7/

    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    (cherry picked from commit d5507262f37506d6b1b48eb409ed8bc3f08d3e47)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Revert "busybox: add upstream post-1.26.2 fixes"  [Peter Korsgaard, 2018-04-10, 6 files, -1194/+0]

    This reverts commit ace9345c96fe013468a7ab548b69dd1510e463c8.

    With the bump to 1.27.x, these are no longer needed.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* busybox: bump version to 1.27.1  [Adam Duskett, 2018-04-10, 4 files, -141/+217]

    In addition, update busybox-minimal.config and busybox.config by loading the config files and saving them back.

    Signed-off-by: Adam Duskett <aduskett@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    (cherry picked from commit 8cea29361770bd740b9799ac9b0b09ec131d7117)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{9, 14}.x series  [Fabio Estevam, 2018-04-10, 1 file, -1/+1]

    [Peter: drop 4.14.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 59e8b056ab1ed0e32b1913a9eee7d66a3c39ff0b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* dhcp: add upstream security fixes  [Baruch Siach, 2018-04-10, 2 files, -0/+99]

    CVE-2018-5732: The DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the dhclient AppArmor profile.

    CVE-2018-5733: The DHCP server incorrectly handled reference counting. A remote attacker could possibly use this issue to cause the DHCP server to crash, resulting in a denial of service.

    Both issues are fixed in version 4.4.1. But we are close to release, so backport the fixes instead of bumping version.

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 047cec5993223944d0765468f11aa137d3ade543)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/clamav: security bump to version 0.99.4  [Bernd Kuhls, 2018-04-10, 2 files, -2/+2]

    Fixes CVE-2012-6706, CVE-2017-6419, CVE-2017-11423, CVE-2018-1000085 & CVE-2018-0202.

    For details see upstream announcement: http://lists.clamav.net/pipermail/clamav-announce/2018/000029.html

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit d02cbe22dab7f2f0424d7a4f3274ea2459269dbe)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mosquitto: unbreak build with websockets and !libopenssl  [Peter Korsgaard, 2018-04-10, 1 file, -0/+49]

    Fixes: http://autobuild.buildroot.net/results/d69/d693f3e3f1c73ccf54ac7076623e436355a9d901/b

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 63dfbca2c3ad509504e9118a49d396210917b079)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mosquitto: security bump to version 1.4.15  [Peter Korsgaard, 2018-04-10, 2 files, -3/+3]

    Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.

    The fix addresses the problem by limiting the permissible size for CONNECT packet, and by adding a memory_limit configuration option that allows the broker to self limit the amount of memory it uses.

    The hash of new tarball is not (yet) available through download.php, so use a locally calculated hash.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit f4df4a18e5dd4702f842e61ee815f13afd93c366)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mosquitto: bump version to 1.4.14  [Peter Korsgaard, 2018-04-10, 2 files, -8/+9]

    Drop CVE 2017-9868 patch as that is now upstream.

    1.4.14 is a bugfix release, fixing significant websocket performance / correctness issues.

    Use HTTPS for the download as the server uses HSTS, thus saving a redirect.

    While we're at it, add hashes for the license files.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 1b76bf7669d6482e61a82be9cd5d3c8806dabba6)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mosquitto: clarify that patch hash is locally calculated  [Peter Korsgaard, 2018-04-10, 1 file, -0/+1]

    Commit e51d69a3b (mosquitto: specify that hash is taken from upstream) changed the .hash description header, but the upstream hash only applies to the tarball, not the patch.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 1ef8c2239339f52e35572e485db306df9012d500)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mosquitto: specify that hash is taken from upstream  [Vicente Olivert Riera, 2018-04-10, 1 file, -1/+1]

    Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    (cherry picked from commit d8dc97ee5ed10c75666e500b6752497690ea6853)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: security bump to version 2.3.4  [Bernd Kuhls, 2018-04-10, 3 files, -35/+2]

    Fixes CVE-2017-15130, CVE-2017-14461 & CVE-2017-15132:
    https://www.dovecot.org/list/dovecot-news/2018-February/000370.html

    Removed patch applied upstream:
    https://github.com/dovecot/core/commit/a008617e811673064fd657acf517dc4a12493d29

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 7c970b06ea4cfc235eefedd967551d165c1dd7ca)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-10, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit fcf28ee36115003254ec671fde3fcc219f7c0a0d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* wavpack: add upstream security fixes  [Peter Korsgaard, 2018-04-10, 3 files, -0/+228]

    Fixes the following security issues:

    CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.

    CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.

    CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 4de7e07e6efba7dae79a7f61f397864873272fd3)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* wavpack: don't download patch from Github  [Thomas Petazzoni, 2018-04-10, 3 files, -4/+70]

    Patches downloaded from Github are not stable, so bring them in the tree.

    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 0a2576d37ebb4175aea1daf3c14c947df39cdcaa)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 3.2.x series  [Bernd Kuhls, 2018-04-10, 1 file, -1/+1]

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit e8e9bb3267930fd053add7b9eef85749362a1d0a)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* check-host-tar.sh: blacklist tar 1.30+  [Peter Korsgaard, 2018-04-10, 1 file, -9/+24]

    Tar 1.30 changed the --numeric-owner output for filenames > 100 characters, leading to hash mismatches for the tar archives we create ourselves from git.

    This is really a fix for a bug in earlier tar versions regarding deterministic output, so it is unlikely to be reverted in later versions. For more details, see:

    http://lists.busybox.net/pipermail/buildroot/2018-January/211222.html

    To work around this issue, blacklist tar 1.30+ similar to how we do it for pre-1.17 versions so Buildroot falls back to building host-tar.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit b8fa273d500b44153e9939f0a100e97db2ff63ed)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* dependencies.mk: check for valid host-tar before other host dependencies  [Peter Korsgaard, 2018-04-10, 1 file, -1/+4]

    host-{cmake,lzip,xz} need host-tar to extract their source code tarball, so we need to ensure that host-tar gets added to DEPENDENCIES_HOST_PREREQ before these in case they are both needed, otherwise the tools will fail to extract.

    With the upcoming change to blacklist modern tar versions this situation is likely to trigger more often.

    The real solution to this issue is the <foo>_EXTRACT_DEPENDENCIES rework, but that series is a bit too intrusive to add this close to 2018.02, so therefore this hack.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 7c09cb82b75f30eba7a9daaae5e77a604f6e49c1)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series  [Fabio Estevam, 2018-04-10, 1 file, -2/+2]

    [Peter: drop 4.14.x / 4.15.x bump]
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 1e7ee5a686dc74f18242a9c07623cf12065505c1)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>