Commit message | Author | Age | Files | Lines
* package/iptables: bump to version 1.8.3 (tag: 2019.02.x)
  Author: Baruch Siach | Age: 3 days | Files: 7 | Lines: -256/+2

  Drop upstream patches.

  Fixes a buffer overflow issue in iptables-save parsing.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 326a9ae2e5cd1e13abd1ea3de2a17909086e221c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libgpg-error: fix build with gawk 5.0
  Author: Bernd Kuhls | Age: 5 days | Files: 2 | Lines: -0/+164

  Fixes:
  http://autobuild.buildroot.net/results/e815bed0e7b3d9cbf50ebf605666a50e7032e5a1/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  (cherry picked from commit d503003c36dc9433202b9f017ea0ea7bc8140d16)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libnss: fix build failure on aarch64_be
  Author: Giulio Benetti | Age: 5 days | Files: 1 | Lines: -0/+36

  Fixes:
  http://autobuild.buildroot.net/results/bfd29593bb6c53d3e9e2d02d2ed6bea360d99c00/

  In libnss there is a bug leading to build failure due to double declared
  functions. This is due to 2 different #ifdef statements treating the same
  function-set. Add patch to fix this by making the 2 #ifdef statements equal.

  Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 82187f94814b3b46fdc23fe6f84a5c6fae85c86d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libnss: security bump to version 3.46
  Author: Giulio Benetti | Age: 5 days | Files: 2 | Lines: -2/+2

  Fixes the following security issues:

  (3.44.1)
  CVE-2019-11729: More thorough input checking
  CVE-2019-11719: Don't unnecessarily strip leading 0's from key material
                  during PKCS11 import
  CVE-2019-11727: Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3

  Note: This version requires nspr 4.22 or newer provided by the previous
  patch.

  Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 7e509333accb638f4387f6e18e63b4d554f8b564)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libnspr: bump to version 4.22
  Author: Giulio Benetti | Age: 5 days | Files: 5 | Lines: -50/+49

  Rework all 3 patches to make them applicable to version 4.22.

  Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 385b5686a03f9abc8de3f7ad46cdfc624418df66)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libnspr: add patch for nds32 support.
  Author: Nylon Chen | Age: 5 days | Files: 1 | Lines: -0/+74

  Fixes:
  http://autobuild.buildroot.net/results/9380435440c977eeaf98a1ffa80f411f07f62482/

  Signed-off-by: Nylon Chen <nylon7@andestech.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3388027e0de83f5e2a38f5ba34fb09268bc6b7d7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: remove Kevin Joly, e-mail is bouncing
  Author: Thomas Petazzoni | Age: 5 days | Files: 1 | Lines: -3/+0

    Kevin Joly (kevin.joly@sensefly.com)<mailto:kevin.joly@sensefly.com>
    Your message couldn't be delivered to the recipient because you don't
    have permission to send to it.

  Looking at his LinkedIn profile, he left SenseFly in January 2019, which
  quite certainly explains why his @sensefly.com e-mail address is no longer
  working.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 55814b8ef9163efeecf54eb9cd0bdbf1ec3ce9ea)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* configs/aarch64_efi: fix typo AARCH64 -> ARM64
  Author: Romain Naour | Age: 5 days | Files: 1 | Lines: -1/+1

  There is no option BR2_TARGET_GRUB2_AARCH64_EFI but
  BR2_TARGET_GRUB2_ARM64_EFI in grub2 package.

  BR2_TARGET_GRUB2_ARM64_EFI was introduced by the commit [1].

  [1] 273a27804a18c5e232907d5ef6bd01957cf090d7

  Signed-off-by: Romain Naour <romain.naour@smile.fr>
  Cc: Erico Nunes <nunes.erico@gmail.com>
  Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 0525ca471160b0da8c1159c3ffbbdaeded93682f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/asterisk: security bump to version 16.5.1
  Author: Peter Korsgaard | Age: 5 days | Files: 2 | Lines: -2/+2

  Fixes the following security issues:

  AST-2019-004: Crash when negotiating for T.38 with a declined stream

  When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
  responds with a declined media stream a crash will then occur in Asterisk.

  https://downloads.asterisk.org/pub/security/AST-2019-004.pdf

  AST-2019-005: Remote Crash Vulnerability in audio transcoding

  When audio frames are given to the audio transcoding support in Asterisk
  the number of samples are examined and as part of this a message is output
  to indicate that no samples are present. A change was done to suppress
  this message for a particular scenario in which the message was not
  relevant. This change assumed that information about the origin of a frame
  will always exist when in reality it may not.

  https://downloads.asterisk.org/pub/security/AST-2019-005.pdf

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 965e26fd999edb8f14b44be54ffd872293da93c6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/asterisk: bump version to 16.5.0
  Author: Bernd Kuhls | Age: 5 days | Files: 2 | Lines: -2/+2

  Release notes:
  https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current-summary.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 45ea73584b32a2ffd21315ed14798441014ff296)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/exim: security bump to version 4.92.2
  Author: Peter Korsgaard | Age: 5 days | Files: 2 | Lines: -2/+2

  Fixes CVE-2019-15846: Local or remote attacker can execute programs with
  root privileges

  For details, see the advisory:
  https://exim.org/static/doc/security/CVE-2019-15846.txt

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit f2c8428bdeba5d395552ec8ba4daaf3a76855ef0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/e2fsprogs: bump to version 1.44.6
  Author: Peter Korsgaard | Age: 5 days | Files: 2 | Lines: -3/+3

  Fixes a number of bugs:

  - If files are created while e4defrag is running, it's quite possible for
    succeed_cnt to be larger than total_count, in which case the number of
    failures (calculated via total_count - succeed_cnt) will overflow and
    become a very large unsigned number. (Addresses Debian Bug: #888899)

  - Fix e2fsck so it can correctly handle directories > 2 GiB when the
    largedir feature is enabled.

  - Fix mke2fs's hugefile creation so that we correctly reserve enough
    metadata blocks for a given file system size. Otherwise for certain
    unfortunately sized disks/partitions, the hugefile creation would fail.
    (Addresses Google Bug: 123239032)

  - Fix the libext2fs library to be more robust against invalid block group
    descriptors to prevent e2fsprogs from crashing (or possibly being p0wned)
    by maliciously modified file systems. (Addresses Google Bugs: 119171089,
    119929050)

  - Fix mke2fs and debugfs so they can correctly copy in files > 2 GiB.

  - Fix debugfs so its stat command can correctly display directory sizes
    > 2 GiB.

  - Fix memory leaks in debugfs, mke2fs, and e2freefrag.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/cups: security bump to version 2.2.12
  Author: Fabrice Fontaine | Age: 5 days | Files: 3 | Lines: -303/+2

  - Remove fifth patch (already in version)
  - Fix CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
    (rdar://51685251)

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 44c5c95760b0beb96725ba3e0125aaf0cbc7f302)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/cups: bump to version 2.2.11 and add gzip fix
  Author: Sam Bobroff | Age: 5 days | Files: 3 | Lines: -2/+303

  This patch bumps cups to version 2.2.11 so that an upstream fix will apply
  cleanly.

  The upstream fix corrects a build failure when GZIP is set in the build
  environment, as it is for buildroot's reproducible builds, as shown below:

    gzip: /bin/gzip.gz: Permission denied
    gzip: /bin/gzip.gz: Permission denied
    Makefile:114: recipe for target 'install-data' failed

  The patch will be included upstream in version 2.2.12.

  Fixes:
  - http://autobuild.buildroot.net/results/c4e0f6a3c79c9cb083a08f811b7d4838efef50f9/

  Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 8a698b73131c05ef4647b9b04e3db79629abbd5d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/linux-headers: fix whitespace error in Config.in.host
  Author: Arnout Vandecappelle (Essensium/Mind) | Age: 2019-09-07 | Files: 1 | Lines: -1/+1

  The cherry-pick from master introduced a space-before-tab error. This is
  reported by check-package.

  Fixes:
  https://gitlab.com/buildroot.org/buildroot/-/jobs/287919259

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/dropbear: add upstream patch to fix norootlogin (-w) with pam
  Author: Peter Korsgaard | Age: 2019-09-05 | Files: 1 | Lines: -0/+35

  Fixes #12181

  The security fix for CVE-2018-15599 broke the norootlogin (-w) handling
  when pam support is enabled. Add an upstream patch to fix it.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/samba4: security bump to version 4.9.13
  Author: Peter Korsgaard | Age: 2019-09-04 | Files: 2 | Lines: -3/+3

  Release notes:
  https://www.samba.org/samba/history/samba-4.9.13.html

  Fixes CVE-2019-10197

  Combination of parameters and permissions can allow user to escape from
  the share path definition.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/unzip: add security patch from Debian
  Author: Sébastien Szymanski | Age: 2019-09-04 | Files: 2 | Lines: -16/+18

  Fix the URL and add a new patch. Quoting changelog [1]:

    unzip (6.0-25) unstable; urgency=medium

      * Apply one more patch by Mark Adler:
        - Do not raise a zip bomb alert for a misplaced central directory.
          This should allow Firefox to build again. Closes: #932404.
          Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.

     -- Santiago Vila <sanvila@debian.org>  Sat, 27 Jul 2019 18:01:36 +0200

  [1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog

  Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 8a1a7dff4f223b5f585ece8ec23929a0b7cf798c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/qemu: fixup patches after 3.1.1 bump
  Author: Peter Korsgaard | Age: 2019-09-04 | Files: 1 | Lines: -60/+0

  Fixes:
  http://autobuild.buildroot.net/results/71f/71f711d30ddc9edc8da0d1a60636e7a13b546ebe/

  Commit a0b032ad859b2e6e8cd (package/qemu: security bump to version 3.1.1)
  bumped the version but didn't update the patch subdirectory name, so the
  patches were now ignored.

  This was then backported to 2019.02.x / 2019.05.x where the sub directory
  did not exist - So the patches _WERE_ used, but failed to apply as patch
  0002 is now upstream. Fix that by removing the patch.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  [Peter: drop subdirectory]
  (cherry picked from commit c796c83037072d616a6d47a1177dd5f16a21539c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Update for 2019.02.5 (tag: 2019.02.5)
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 2 | Lines: -2/+39

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* CHANGES: Add missing issues header for 2019.02.3
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 1 | Lines: -0/+2

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-numpy: add reverse dependency on packages using python-numpy
  Author: Alexandre PAYEN | Age: 2019-09-02 | Files: 2 | Lines: -0/+8

  Since commit 1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed[1] was merged, a new
  build failure occurs when selecting packages which need python-numpy as a
  dependency.

  This fixes a build issue[2] by adding the correct reverse dependencies to
  the following packages:
  - gnuradio (for python support)
  - opencv3 (for python support)
  - piglit
  - python-matplotlib

  So: add to every listed package
  `depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)`
  and add a comment to explain what happened.

  [1] https://git.buildroot.net/buildroot/commit/?id=1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed
  [2] http://autobuild.buildroot.org/results/b76/b76b6cf9602bcf5df69a7276762eab54cf74007b

  Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
  Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
  Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Cc: Damien DUVAL <damien.duval@smile.fr>
  Cc: Romain Naour <romain.naour@smile.fr>
  Reviewed-by: Romain Naour <romain.naour@smile.fr>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7a546b87d5b8781b03f3ba5d311d61f4169ee899)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/php: security bump version to 7.3.9
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://www.php.net/archive/2019.php#2019-08-29-1

  Changelog:
  https://www.php.net/ChangeLog-7.php#7.3.9

  Fixes CVE-2019-13224 & CVE-2019-13225:
  https://bugs.mageia.org/show_bug.cgi?id=25380

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 0c5acbbcb60522303be22656a214204ba560c9f3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 3 | Lines: -10/+10

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  [Peter: drop 5.2.x bump]
  (cherry picked from commit b6255a16eefff3b79fe2ebbbc6eb54e19af163b4)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/webkitgtk: security bump to version 2.24.4
  Author: Adrian Perez de Castro | Age: 2019-09-02 | Files: 2 | Lines: -5/+5

  This is a minor release which includes fixes for CVE-2019-8644,
  CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676, CVE-2019-8678,
  CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and CVE-2019-8688.

  This release also contains many build fixes, a few media playback
  improvements, and a Web compatibility fix. For a complete list, see the
  full release notes at:

  https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html

  The detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2019-0004.html

  Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 046b09f776bcb4358ba1b19b14d1906e187daa6c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/xfont_font-util: bump version to 1.3.2
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -4/+6

  Added all hashes provided by upstream and license hash.

  Fixes a crash on 32bit archs.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 09472e11dded79c7a033bdfa07b35ec67a645ac9)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/xfont_font-util: add license hash
  Author: Adam Duskett | Age: 2019-09-02 | Files: 1 | Lines: -0/+3

  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit be110da4a7dd72ff8e8d33925e6ab73fb56ed21f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/libxcb: bump version to 1.13.1
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -6/+5

  Upstream does not provide a sha512 hash anymore.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 53e1150671d80eb6ec32117ba6edfd5e7bff5c2b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot-pigeonhole: security bump version to 0.5.7.2
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://dovecot.org/pipermail/dovecot/2019-August/116876.html

  Fixes
  * CVE-2019-11500: ManageSieve protocol parser does not properly handle NUL
    byte when scanning data in quoted strings, leading to out of bounds heap
    memory writes. Found by Nick Roessler and Rafi Rubin.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 77b2dd9a538e8686d65e843b26cb4c06e61fddb1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot-pigeonhole: bump version to 0.5.7.1
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://dovecot.org/pipermail/dovecot/2019-July/116622.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 267197f593cbe4627a1ab947832f4afabad10e46)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot-pigeonhole: bump version to 0.5.7
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://dovecot.org/pipermail/dovecot-news/2019-July/000413.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 29367651e045766545a82f197a4a7199f5dd5518)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: security bump version to 2.3.7.2
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://dovecot.org/pipermail/dovecot/2019-August/116874.html

  Fixes
  * CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
    when scanning data in quoted strings, leading to out of bounds heap
    memory writes. Found by Nick Roessler and Rafi Rubin.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 4afd405effdb56af0e09ee83ec4511deb835e630)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: bump version to 2.3.7.1
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Release notes:
  https://dovecot.org/pipermail/dovecot/2019-July/116622.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit d873c4d9abd19200bed345cd00c896669ba60beb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: bump version to 2.3.7
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -3/+3

  Switched _SITE to dovecot.org according to release notes:
  https://dovecot.org/pipermail/dovecot-news/2019-July/000412.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f24cb3414f7f84eaf565244aa889437df28eedba)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python: add upstream security fix for CVE-2019-9740
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 1 | Lines: -0/+216

  An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
  in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
  controls a url parameter, as demonstrated by the first argument to
  urllib.request.urlopen with \r\n (specifically in the query string after
  a ? character) followed by an HTTP header or a Redis command.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit e941599f69e6b50f860cb2b704a838875247a317)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/qemu: security bump to version 3.1.1
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Fixes the following security issues:

  CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP). The
  code opening files in usb_mtp_get_object and usb_mtp_get_partial_object
  and directories in usb_mtp_object_readdir doesn't consider that the
  underlying filesystem may have changed since the time lstat(2) was called
  in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with
  write access to the host filesystem shared with a guest can use this
  property to navigate the host filesystem in the context of the QEMU
  process and read any file the QEMU process has access to. Access to the
  filesystem may be local or via a network share protocol such as CIFS.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a0b032ad859b2e6e8cd5c6ba1c294526fd2bfed9)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openldap: security bump to version 2.4.48
  Author: Sørensen, Stefan | Age: 2019-09-02 | Files: 2 | Lines: -6/+6

  Security fixes:
  CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own
                  databases
  CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection

  Full changelog:
  https://www.openldap.org/lists/openldap-announce/201907/msg00001.html

  Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
  [Peter: fix sha256 hash line]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ca2dea3b7588b36b15f8057c0b6d5fb5e66c0da2)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openldap: fix static linking with atomics
  Author: Fabrice Fontaine | Age: 2019-09-02 | Files: 1 | Lines: -0/+56

  openldap uses its own libtool, static build with atomic fails with our
  patches since February 6th 2019 on:

    /bin/sh ../../libtool --mode=link /home/buildroot/autobuild/run/instance-0/output/host/bin/or1k-linux-gcc -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -static -static -o idtest idtest.o liblber.la ../../libraries/liblutil/liblutil.a -L/home/buildroot/autobuild/run/instance-0/output/host/bin/../or1k-buildroot-linux-uclibc/sysroot/usr/lib -lssl -L/home/buildroot/autobuild/run/instance-0/output/host/bin/../or1k-buildroot-linux-uclibc/sysroot/usr/lib -lz -pthread -latomic -lcrypto -lz -pthread -latomic
    /home/buildroot/autobuild/run/instance-0/output/host/bin/or1k-linux-gcc -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -static -static -o etest etest.o -pthread -pthread ./.libs/liblber.a -L/home/buildroot/autobuild/run/instance-0/output/host/bin/../or1k-buildroot-linux-uclibc/sysroot/usr/lib ../../libraries/liblutil/liblutil.a -lssl -lcrypto -lz -pthread /home/buildroot/autobuild/run/instance-0/output/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/5.4.0/../../../../or1k-buildroot-linux-uclibc/lib//libatomic.so

  To fix this error, revert the openldap commit that raises this issue

  Fixes:
  - http://autobuild.buildroot.org/results/ab4f85fd21cacfaef6b0b43a38da6a4a1d32ecb6

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 6e609d37d31a2866ad4d76e8e098941b66e81f5a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openldap: bump to version 2.4.47
  Author: Fabrice Fontaine | Age: 2019-09-02 | Files: 2 | Lines: -6/+6

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3102d7d87cd9d8a378bdc1bdadca3ae368311bf4)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/intel-microcode: security bump version to 20190618
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -3/+3

  Release notes:
  https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Reviewed-by: Carlos Santos <unixmania@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 4e5e44278a06a042a916a0363fec0a16c3998b84)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vlc: security bump version to 3.0.8
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -7/+7

  Release notes:
  https://www.videolan.org/developers/vlc-branch/NEWS

  Fixes the following security bugs:
  * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
  * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
  * Fix a read buffer overflow in the FAAD decoder
  * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437,
    CVE-2019-14438)
  * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
  * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
  * Fix a use after free in the ASF demuxer (CVE-2019-14533)
  * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
  * Fix a null dereference in the dvdnav demuxer
  * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
  * Fix a null dereference in the AVI demuxer
  * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
  * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ad9efda5789550711b6da7757478a8efae04cee1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vlc: bump version to 3.0.7.1
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -7/+7

  Fixes green-flickering bug with Windows AMD drivers:
  https://forum.videolan.org/viewtopic.php?p=492405#p492405

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 4e5b4397588e5809ca0d8a6682520044da1ab57a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libmodplug: bump version to 0.8.9
  Author: Bernd Kuhls | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Needed for security bump of vlc to 3.0.8:
  http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=48f014768dc22ecad23d0e9f53c38805a3aff832

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 661949b3f5e08aed9f0240d872bbb14d9aa12d34)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/nginx: security bump to version 1.16.1
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Fixes the following security issues:

  Security: when using HTTP/2 a client might cause excessive memory
  consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

  For details, see the advisory:
  https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 24309ef4ab7f5c9b85233ebd98ccc6657f70f271)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/nginx: bump to version 1.16.0
  Author: Adam Duskett | Age: 2019-09-02 | Files: 2 | Lines: -2/+2

  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 0574e8166e039332be8890957cb16249a7230bad)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/nginx: bump version to 1.15.12
  Author: Adam Duskett | Age: 2019-09-02 | Files: 3 | Lines: -5/+5

  The license file hash has been modified due to copyright year updates:

    - * Copyright (C) 2002-2018 Igor Sysoev
    - * Copyright (C) 2011-2018 Nginx, Inc.
    + * Copyright (C) 2002-2019 Igor Sysoev
    + * Copyright (C) 2011-2019 Nginx, Inc.

  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 05ca4c1343d4d2e2a18ad6b9e399414cd14dcb4f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/squid: remove trailing whitespace
  Author: Arnout Vandecappelle (Essensium/Mind) | Age: 2019-09-02 | Files: 1 | Lines: -1/+1

  Commit 7792c4f1bc introduced trailing whitespace. Remove it.

  Fixes:
  https://gitlab.com/buildroot.org/buildroot/-/jobs/276636839

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit ac7d6c81f40ac126c8b589fa8ff6a488d0ee972b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/squid: security bump to version 4.8
  Author: Fabrice Fontaine | Age: 2019-09-02 | Files: 3 | Lines: -5/+49

  - Add a patch to fix cross-compilation
  - Fix the following CVEs:
    - SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019, Fixed from 4.8
      Multiple Cross-Site Scripting issues in cachemgr.cgi
    - SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019, Fixed from 4.8
      Heap Overflow issue in HTTP Basic Authentication processing
    - SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019, Fixed from 4.8
      Denial of Service in HTTP Digest Authentication processing
    - SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019, Fixed from 4.8
      Denial of Service in HTTP Basic Authentication processing
    - SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019, Fixed from 4.8
      Denial of Service issue in cachemgr.cgi

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7792c4f1bc8ec0827d07dc75f60668b2ec81a785)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/squid: bump to version 4.6
  Author: Fabrice Fontaine | Age: 2019-09-02 | Files: 3 | Lines: -86/+5

  - Remove patch (already in version):
    https://github.com/squid-cache/squid/commit/c34582b9e8c40529db7eb9c490b081a37972f6d4
  - Drop autoreconf

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 46d76b3b1384d35507541e3b86c46467f0971776)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/musl: add upstream security fixes for CVE-2019-14697
  Author: Peter Korsgaard | Age: 2019-09-02 | Files: 2 | Lines: -0/+237

  Fixes CVE-2019-14697: musl libc 1.1.23 and earlier x87 float stack
  imbalance

  For more details, see the oss-security discussion:
  https://www.openwall.com/lists/oss-security/2019/08/05/6

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit da3b34bd0ae0172683cbc1bd898d6d0d295333d3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>