Commit message | Author | Date | Files | Lines
...
* package/dtv-scan-tables: switch upstream location | Yann E. MORIN | 2020-12-21 | 1 | -1/+1

  The old git tree is unreachable now, switch to using the new one.

  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit c7bd3805bded7c840731956c97233b0607a78e3f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/qt5base: fix build with TI SGX GL stack | Yann E. MORIN | 2020-12-21 | 1 | -0/+63

  qt5base FTBFS with TI SGX GL stack because it defines a type that is
  incompatible with that expected by Qt.

  Fix that by adapting a mix of upstream bug reports, upstream tentative
  patch, and various comments on various Qt forums, none of which were
  satisfying for various reasons explained in each resource:

  - https://bugreports.qt.io/browse/QTBUG-72567
  - https://codereview.qt-project.org/c/qt/qtbase/+/248270
  - https://forum.qt.io/topic/88588/qtbase-compilation-error-with-device-linux-rasp-pi3-g-qeglfskmsgbmwindow-cpp/8
  - https://forum.qt.io/topic/91596/raspberry-pi-3-compiling-qt-5-11-0-problem/6
  - https://patchwork.ozlabs.org/project/buildroot/patch/20200702201125.3639873-1-aduskett@gmail.com/#2579598

  ... which, mixed together with my little understanding of Qt, GL, and
  C++, gave a relatively simple patch that overcomes the build failure on
  TI's SGX, while at the same time keeping buildability and functionality
  on other platforms.

  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Cc: Adam Duskett <aduskett@gmail.com>
  Cc: Markus <zehnder@live.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit cf7f3112f6a4d83a3802cb5bc1abf1a048541773)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/ti-sgx-demos: use KMS-based demos | Adam Duskett | 2020-12-21 | 1 | -1/+1

  Weston does not work with the ti-sgx SDK, so switch to using the
  KMS-based demos.

  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  [yann.morin.1998@free.fr: split off into its own patch]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 29ff603f0845d505c0c331efdccf03cfccfbea42)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* configs/beaglebone_qt5: switch to using KMS instead of wayland+weston | Adam Duskett | 2020-12-21 | 3 | -5/+27

  weston does not work on the ti-sgx SDK, so switch to using KMS directly,
  and drop the wayland-related config options.

  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  [yann.morin.1998@free.fr: split into its own patch]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 8efc5dce98f9795d97b7a3452f9be4a774032379)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/ruby: add upstream security fix for CVE-2020-25613 | Peter Korsgaard | 2020-12-19 | 1 | -0/+43

  For details, see the advisory:
  https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/libressl: security bump to version 3.1.5 | Peter Korsgaard | 2020-12-13 | 2 | -2/+2

  Fixes the following security issues:

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

  https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/mbedtls: security bump to version 2.16.9 | Fabrice Fontaine | 2020-12-13 | 2 | -3/+3

  https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 455387fa3a8c075c10cd87f44e88fcbdee9fff50)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/python-pyparsing: update link to project | Marcin Niestroj | 2020-12-13 | 1 | -1/+1

  Old link no longer works, so replace that with link to GitHub.

  Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 1cec1e3f7f7a2412d2d4b29abe984d78b10cd269)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/paho-mqtt-c: bump to version 1.3.7 | Julien Grossholtz | 2020-12-13 | 2 | -2/+2

  Paho-mqtt-c maintenance release. It fixes some bugs, including client
  timeouts and a buffer overflow:
  https://github.com/eclipse/paho.mqtt.c/milestone/9?closed=1

  Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 71e0d12ed1fbc3a9c6e315d990e63a19df831f52)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/paho-mqtt-c: bump to version 1.3.6 | Fabrice Fontaine | 2020-12-13 | 2 | -3/+3

  Update LICENSE hash, EDL version has been fixed with
  https://github.com/eclipse/paho.mqtt.c/commit/34ec96cac554c4ae1527b92433730233f1bdca40

  https://github.com/eclipse/paho.mqtt.c/milestone/11?closed=1

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6eba48124efef25ffc97284d5308124bd087d865)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jasper: security bump to 2.0.23 | Michael Vetter | 2020-12-13 | 2 | -2/+2

  Changes:
  * Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit ac9f50f204899ff502e0d57ac900753beb0ee031)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jasper: fix tarball name in hash file | Fabrice Fontaine | 2020-12-13 | 1 | -2/+2

  Tarball name was not updated by commit
  0ca16ace62dc407f73ded69792dd6a9f22492a6e

  While at it, also update indentation in hash file (two spaces)

  Fixes:
  - http://autobuild.buildroot.org/results/1356d309d45b5eedeec375e2fdc0cf2ad7839a55

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 245c643fc74435e6a97d8bd502bbccb171127a72)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jasper: bump to version 2.0.22 | Michael Vetter | 2020-12-13 | 2 | -2/+2

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 0ca16ace62dc407f73ded69792dd6a9f22492a6e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jasper: bump to version 2.0.21 | Michael Vetter | 2020-12-13 | 2 | -2/+2

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3c133b50b4e584b7e04f2db450f92096b9af307a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jasper: bump to version 2.0.20 | Michael Vetter | 2020-12-13 | 2 | -2/+2

  Bump JasPer to 2.0.20

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit a108bbf38ea7d5491134d0746aa33a8f2d422eb5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/ca-certificates: bump version to 20200601 | Bernd Kuhls | 2020-12-13 | 2 | -5/+5

  Reformatted hashes.

  Updated license hash due to upstream commit:
  https://salsa.debian.org/debian/ca-certificates/-/commit/1e2be69b0823dfb56dc3981b7547afd181e066cc

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit dae31592214d14f48ec967e5b78565c5e9bdc5cd)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/libopenssl: security bump version to 1.1.1i | Bernd Kuhls | 2020-12-13 | 4 | -5/+9

  Rebased patches 0001 & 0004.

  Fixes CVE-2020-1971.

  Changelog:
  https://www.openssl.org/news/changelog.html#openssl-111

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 5cf57efbd3492bf38eaf904e99d9c7d230fede27)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/libopenssl: bump to version 1.1.1h | Peter Korsgaard | 2020-12-13 | 2 | -3/+3

  For details, see the release notes:
  https://www.openssl.org/news/openssl-1.1.1-notes.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 35fad96c2cbe0244187fea08cc7f4215b6c8559e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/flare-engine: require sdl2_image with png support | Romain Naour | 2020-12-13 | 1 | -0/+1

  flare-engine fails to start if the sdl2_image library is built without
  libpng support.

  Signed-off-by: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 6c4328a5abae7a89103e1cd399c73dba4bbac63c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/x11r7/xserver_xorg-server: bump version to 1.20.10 | Bernd Kuhls | 2020-12-13 | 10 | -236/+5

  Release notes:
  https://lists.x.org/archives/xorg-announce/2020-December/003067.html

  Remove patches which were applied upstream.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 5f6e3c0962176855715a24fc0a028ebca11ac742)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/x11vnc: fix CVE-2020-29074 | Fabrice Fontaine | 2020-12-12 | 2 | -0/+27

  scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which
  allows access by actors other than the current user.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3b6a105af87662f2ecca3fe4717fea11e267b0c8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

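The x11vnc entry above describes the bug class, not the fix. The following is an added example written for this page (it is not x11vnc's code and not the Buildroot patch): it creates a System V shared-memory segment with the permission bits x11vnc 0.9.16 used, reads the effective mode back with IPC_STAT, and contrasts it with a 0600 segment. The helper names are this example's own.

```c
/* Added example (not x11vnc's code): the permission bug class behind
 * CVE-2020-29074 in miniature. A System V shared-memory segment created
 * with IPC_CREAT|0777 is readable and writable by every local user;
 * IPC_CREAT|0600 limits it to the creating uid. */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>

/* Non-zero if any group/other permission bit is set on a segment mode. */
int shm_mode_is_shared(unsigned int mode)
{
    return (mode & 077) != 0;
}

/* Create a private segment with the requested permission bits, read the
 * effective mode back with IPC_STAT, remove the segment and return the
 * mode masked to its permission bits, or -1 if the segment could not be
 * created. shmget() does not apply the umask, so 0777 stays 0777. */
int create_and_probe_mode(size_t size, int perm)
{
    struct shmid_ds ds;
    int mode = -1;
    int id = shmget(IPC_PRIVATE, size, IPC_CREAT | perm);

    if (id < 0)
        return -1;
    if (shmctl(id, IPC_STAT, &ds) == 0)
        mode = (int)(ds.shm_perm.mode & 0777);
    shmctl(id, IPC_RMID, NULL);   /* destroyed as soon as nothing is attached */
    return mode;
}

int main(void)
{
    int wide = create_and_probe_mode(4096, 0777);   /* what x11vnc 0.9.16 did */
    int tight = create_and_probe_mode(4096, 0600);  /* least-privilege alternative */

    if (wide < 0 || tight < 0) {
        printf("shmget() unavailable in this environment\n");
        return 1;
    }
    printf("IPC_CREAT|0777 -> mode %04o, shared with other users: %s\n",
           wide, shm_mode_is_shared(wide) ? "yes" : "no");
    printf("IPC_CREAT|0600 -> mode %04o, shared with other users: %s\n",
           tight, shm_mode_is_shared(tight) ? "yes" : "no");
    return 0;
}
```

`ipcs -m` shows the same `perms` column for live segments; any value with group/other bits on a segment holding framebuffer data is the condition the CVE describes.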
* package/docker-containerd: security bump to version 1.4.3 | Peter Korsgaard | 2020-12-12 | 2 | -2/+2

  Fixes the following security issue:

  - CVE-2020-15257: Access controls for the shim’s API socket verified
    that the connecting process had an effective UID of 0, but did not
    otherwise restrict access to the abstract Unix domain socket. This
    would allow malicious containers running in the same network
    namespace as the shim, with an effective UID of 0 but otherwise
    reduced privileges, to cause new processes to be run with elevated
    privileges.

  For more details, see the advisory:
  https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 1e1d1278c7112f44ce694958047ee512f20b4360)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/docker-containerd: bump to version 1.4.1 | Christian Stewart | 2020-12-12 | 2 | -2/+2

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 87a8cbe617862747a3bd739d366154ccd30b769c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/docker-containerd: bump to version 1.4.0 | Christian Stewart | 2020-12-12 | 2 | -3/+3

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 04b2afc65bdb9c1c0c3435e08710adc7cd231016)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/netsurf: fix build with gcc 10 | Fabrice Fontaine | 2020-12-12 | 1 | -0/+37

  Fixes:
  - http://autobuild.buildroot.org/results/e81568c2b4f5ef5d055c9b94e624ba2d23f50d16

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 8137735818d19f07038ad9df1b56a5a4c97d0f52)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/netsurf: renumber patches | Fabrice Fontaine | 2020-12-12 | 2 | -0/+0

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 16bc610e51dbd6f16dc3b36be61feb721ce11262)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/libcap: fix libcap.pc | Fabrice Fontaine | 2020-12-12 | 1 | -7/+13

  libcap builds an incorrect libcap.pc because libdir is pulled from the
  host OS:

      ifndef lib
      lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
      endif

  Fix this error by passing lib=lib and prefix in
  {HOST_LIBCAP,LIBCAP}_BUILD_CMDS

  Fixes:
  - https://bugs.buildroot.org/show_bug.cgi?id=13276

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Reviewed-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 07f8ea39139299c83777a338a30cd480633d5706)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/x11r7/xserver_xorg-server: add upstream security fixes for CVE-2020-14360 / 25712 | Peter Korsgaard | 2020-12-12 | 2 | -0/+231

  Fixes the following security issues:

  * CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access
    Insufficient checks on the lengths of the XkbSetMap request can lead
    to out of bounds memory accesses in the X server.

  * CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow
    Insufficient checks on input of the XkbSetDeviceInfo request can lead
    to a buffer overflow on the heap in the X server.

  For more details, see the advisory:
  https://www.openwall.com/lists/oss-security/2020/12/01/3

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit c773336463bc605e2e5ceb8288937b7aacb26d04)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/setserial: add license hash | Bernd Kuhls | 2020-12-11 | 1 | -2/+4

  Also reformatted hash file.

  Fixes:
  http://autobuild.buildroot.net/results/d1c/d1ccecc74755155664cd17c8d33721c804a37b25/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 23d8b04295c2cd99302dbb87be7367b282a6cd83)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/privoxy: security bump to version 3.0.29 | Peter Korsgaard | 2020-12-11 | 2 | -5/+5

  From the release notes:

  - Security/Reliability:
    - Fixed memory leaks when a response is buffered and the buffer limit
      is reached or Privoxy is running out of memory.
      Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
      Sponsored by: Robert Klemme
    - Fixed a memory leak in the show-status CGI handler when no action
      files are configured. Commit c62254a686. OVE-20201118-0002.
      Sponsored by: Robert Klemme
    - Fixed a memory leak in the show-status CGI handler when no filter
      files are configured. Commit 1b1370f7a8a. OVE-20201118-0003.
      Sponsored by: Robert Klemme
    - Fixes a memory leak when client tags are active.
      Commit 245e1cf32. OVE-20201118-0004. Sponsored by: Robert Klemme
    - Fixed a memory leak if multiple filters are executed and the last
      one is skipped due to a pcre error. Commit 5cfb7bc8fe.
      OVE-20201118-0005.
    - Prevent an unlikely dereference of a NULL-pointer that could result
      in a crash if accept-intercepted-requests was enabled, Privoxy
      failed to get the request destination from the Host header and a
      memory allocation failed. Commit 7530132349. CID 267165.
      OVE-20201118-0006.
    - Fixed memory leaks in the client-tags CGI handler when client tags
      are configured and memory allocations fail. Commit cf5640eb2a.
      CID 267168. OVE-20201118-0007.
    - Fixed memory leaks in the show-status CGI handler when memory
      allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
      CID 305233. OVE-20201118-0008.

  For more details, see the announcement:
  https://www.openwall.com/lists/oss-security/2020/11/29/1

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9ef54b7d0bc7163b54f35c0ce618beb40a6ed22f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/libplist: drop duplicated COPYING hash | Fabrice Fontaine | 2020-12-11 | 1 | -1/+0

  Commit 762119b4c5489352a889c2627eb37906647c375d resulted in a
  duplicated line for COPYING hash so drop it

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 26c2db20d83d2d2800f63d97d28dc74fbe2a2625)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/lynx: fix reproducible build issues | Peter Korsgaard | 2020-12-11 | 1 | -1/+8

  Fixes (part of)
  http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

  Lynx by default contains logic to generate a "configuration info" HTML
  page, which leaks build paths, and adds the build timestamp to the
  version output. Disable both when building in reproducible mode.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 3fb7c63687ac4a2d3ef07d2aa425b1922ad69792)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/jemalloc: add jemalloc-config to _CONFIG_SCRIPTS handling | Peter Korsgaard | 2020-12-11 | 1 | -0/+1

  Fixes (part of)
  http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

  jemalloc installs a jemalloc-config script, leaking build paths and
  breaking reproducible builds (and per-package builds). Add it to
  _CONFIG_SCRIPTS so the paths get fixed up for staging and the script
  removed from target.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 288ece60bbe182a2192d5553ba15cbdeedea3ba6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/mariadb: security bump to version 10.3.27 | Peter Korsgaard | 2020-12-11 | 2 | -6/+4

  Fixes the following security issues:

  - CVE-2020-15180: during SST a joiner sends an sst method name to the
    donor. Donor then appends it to the "wsrep_sst_" string to get the
    name of the sst script to use, e.g. wsrep_sst_rsync. There is no
    validation or filtering here, so if the malicious joiner sends, for
    example, "rsync `rm -rf /`" the donor will execute that too.

  - CVE-2020-14812: Vulnerability in the MySQL Server product of Oracle
    MySQL (component: Server: Locking). Supported versions that are
    affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior.
    Easily exploitable vulnerability allows high privileged attacker with
    network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server.

  - CVE-2020-14765: Vulnerability in the MySQL Server product of Oracle
    MySQL (component: Server: FTS). Supported versions that are affected
    are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily
    exploitable vulnerability allows low privileged attacker with network
    access via multiple protocols to compromise MySQL Server. Successful
    attacks of this vulnerability can result in unauthorized ability to
    cause a hang or frequently repeatable crash (complete DOS) of MySQL
    Server.

  - CVE-2020-14776: Vulnerability in the MySQL Server product of Oracle
    MySQL (component: InnoDB). Supported versions that are affected are
    5.7.31 and prior and 8.0.21 and prior. Easily exploitable
    vulnerability allows high privileged attacker with network access via
    multiple protocols to compromise MySQL Server. Successful attacks of
    this vulnerability can result in unauthorized ability to cause a hang
    or frequently repeatable crash (complete DOS) of MySQL Server.

  - CVE-2020-14789: Vulnerability in the MySQL Server product of Oracle
    MySQL (component: Server: FTS). Supported versions that are affected
    are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable
    vulnerability allows high privileged attacker with network access via
    multiple protocols to compromise MySQL Server. Successful attacks of
    this vulnerability can result in unauthorized ability to cause a hang
    or frequently repeatable crash (complete DOS) of MySQL Server.

  - CVE-2020-28912:
    https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf
    describes a named pipe privilege vulnerability, specifically for
    MySQL, where an unprivileged user, located on the same machine as the
    server, can act as man-in-the-middle between server and client.

  Additionally, 10.3.27 fixes a regression added in 10.3.26.

  Drop weak md5/sha1 checksums.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 163334a707a0d85480019d83b23a341e470c37ce)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

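The CVE-2020-15180 description above is a textbook command-injection shape: a peer-supplied string is concatenated into a script name that is later run by a shell. The following is an added example written for this page, not MariaDB's code and not the upstream fix (which the page does not show). It builds the `wsrep_sst_<method>` name the way the entry describes, once unchecked and once behind an allow-list validator; the validator rule (1 to 32 characters from `[A-Za-z0-9_]`) is this example's own assumption about what a safe method name looks like.

```c
/* Added example (not MariaDB's code): the injection pattern described for
 * CVE-2020-15180. The donor builds a script name by appending a joiner-
 * supplied SST method to "wsrep_sst_". The validator below is an
 * illustrative assumption (identifier-only allow-list), not the upstream
 * fix; it shows where the missing check belongs. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SST_PREFIX "wsrep_sst_"

/* Unchecked version: whatever the peer sent lands in the command line.
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_sst_script_unchecked(const char *method, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, SST_PREFIX "%s", method);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Non-zero if the method name is a plain identifier: 1..32 characters,
 * each a letter, digit or underscore. Spaces, backticks, '/', '..' and
 * every other shell-significant character are rejected before the name
 * can reach a shell. */
int sst_method_is_valid(const char *method)
{
    size_t len = strlen(method);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)method[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Checked version: refuse to build a command for an invalid name.
 * Returns 0 on success, -1 on rejection or buffer overflow. */
int build_sst_script_checked(const char *method, char *out, size_t outlen)
{
    if (!sst_method_is_valid(method))
        return -1;
    return build_sst_script_unchecked(method, out, outlen);
}

int main(void)
{
    /* Constructed inputs: a legitimate method and the payload shape
     * quoted in the advisory text. Nothing here is executed. */
    const char *inputs[] = { "rsync", "rsync `rm -rf /`" };
    char cmd[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_sst_script_checked(inputs[i], cmd, sizeof cmd) == 0)
            printf("accepted: %s\n", cmd);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

The unchecked builder is kept only to show the string a shell would receive; in real code the method name should additionally be resolved against the set of scripts that actually exist on the donor rather than any identifier.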
* package/bustle: fix license | Fabrice Fontaine | 2020-12-11 | 1 | -1/+1

  bustle binaries are licensed under GPL-3.0:
  https://gitlab.freedesktop.org/bustle/bustle/-/blob/bustle-0.7.5/LICENSE

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f3ca4f10864009f3b43695366f6cd2504634d7b5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/proftpd: security bump to version 1.3.6e | Fabrice Fontaine | 2020-12-11 | 2 | -2/+2

  1.3.6e
  ---------
  + Fixed null pointer dereference in mod_sftp when using SCP incorrectly
    (Issue #1043).

  1.3.6d
  ---------
  + Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).

  1.3.6c
  ---------
  + Fixed regression in directory listing latency (Issue #863).
  + Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
    converting them to supported format.
  + Fixed use-after-free vulnerability during data transfers (Issue #903)
    [CVE-2020-9273]
  + Fixed out-of-bounds read in mod_cap by updating the bundled libcap
    (Issue #902) [CVE-2020-9272]

  http://proftpd.org/docs/RELEASE_NOTES-1.3.6e

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  [Peter: mark as security bump, add CVEs]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7ba4aa92981107462e23c4a7d2b1ef291743fe81)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/slirp: add upstream security fix for CVE-2020-29129 / CVE-2020-29130 | Peter Korsgaard | 2020-12-11 | 2 | -0/+63

  While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
  routines, ensure that pkt_len is large enough to accommodate the
  respective protocol headers, lest it should do an OOB access. Add check
  to avoid it.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 282fc60ed4bbf30f0c74fe0434053b472eca356b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

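The slirp entry above, like the XkbSetMap and XkbSetDeviceInfo entries for xorg-server earlier on this page, is the same defect: a parser trusts a caller-supplied length and reads header fields that may lie past the end of the buffer. The following is an added example written for this page, not libslirp's `arp_input` and not the upstream patch: a minimal Ethernet+IPv4 ARP parser that performs the `pkt_len` check before touching any header byte, fed a constructed 42-byte frame and a truncated copy of it. The frame bytes and helper names are this example's own.

```c
/* Added example (not libslirp's code): the length check described for
 * CVE-2020-29129/29130, on a minimal ARP-over-Ethernet parser. Every
 * header field is read only after pkt_len has been shown to cover it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN      14   /* dst MAC, src MAC, ethertype */
#define ARP_HLEN      28   /* hrd, pro, hln, pln, op, sha, spa, tha, tpa */
#define ETH_P_ARP     0x0806
#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2

/* Parse an Ethernet frame carrying ARP. Returns the ARP opcode (1 or 2),
 * or -1 if the buffer is too short for the headers or the fields are not
 * an Ethernet/IPv4 ARP message. Without the first check, a caller could
 * pass a 20-byte buffer and the arp[6]/arp[7] reads below would run past
 * its end, which is the out-of-bounds access the advisory describes. */
int arp_input(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < ETH_HLEN + ARP_HLEN)     /* the check the fix adds */
        return -1;

    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETH_P_ARP)
        return -1;

    const uint8_t *arp = pkt + ETH_HLEN;
    uint16_t hrd = (uint16_t)((arp[0] << 8) | arp[1]);   /* hardware type */
    uint16_t pro = (uint16_t)((arp[2] << 8) | arp[3]);   /* protocol type */
    if (hrd != 1 || pro != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return -1;                          /* not Ethernet/IPv4 ARP */

    int op = (arp[6] << 8) | arp[7];
    if (op != ARPOP_REQUEST && op != ARPOP_REPLY)
        return -1;
    return op;
}

/* Write a constructed ARP request (who-has 10.0.2.2, tell 10.0.2.15) into
 * buf. Returns the frame length (42) or 0 if buf is too small. */
size_t build_arp_request(uint8_t *buf, size_t buflen)
{
    static const uint8_t frame[ETH_HLEN + ARP_HLEN] = {
        0xff,0xff,0xff,0xff,0xff,0xff,  0x52,0x54,0x00,0x12,0x34,0x56,  0x08,0x06,
        0x00,0x01,  0x08,0x00,  0x06,  0x04,  0x00,0x01,
        0x52,0x54,0x00,0x12,0x34,0x56,  10,0,2,15,
        0x00,0x00,0x00,0x00,0x00,0x00,  10,0,2,2
    };
    if (buflen < sizeof frame)
        return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

int main(void)
{
    uint8_t buf[64];
    size_t len = build_arp_request(buf, sizeof buf);

    printf("full frame (%zu bytes): opcode %d\n", len, arp_input(buf, len));
    printf("truncated to 20 bytes:  opcode %d\n", arp_input(buf, 20));
    return 0;
}
```

The same discipline applies to request-length fields in X11 protocol handlers: compare the declared length against the bytes actually received before indexing into the request body.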
* package/qemu: use a system-wide slirp | Fabrice Fontaine | 2020-12-11 | 2 | -2/+5

  Use a system-wide slirp now that we switched to the up-to-date
  https://gitlab.freedesktop.org/slirp/libslirp

  qemu already depends on libglib2 so we don't need to add any new
  dependencies

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7e237b79ad138dd296477c7ed631ca83f5145fc5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/vsftpd: S70vsftpd: correct -x argument to start-stop-daemon | Peter Korsgaard | 2020-12-11 | 1 | -2/+2

  Fixes #13341

  The -x / --exec start-stop-daemon option expects the path to the
  executable, not just the name, leading to errors when running the init
  script:

      Starting vsftpd: start-stop-daemon: unable to stat //vsftpd (No such file or directory)

  Reported-by: tochansky@tochlab.net
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 405f76425d20ef2f84006f2f6db798c338691c13)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/minidlna: security bump version to 1.3.0 | Bernd Kuhls | 2020-12-11 | 4 | -187/+4

  Changelog:
  https://sourceforge.net/p/minidlna/git/ci/master/tree/NEWS

  Fixes CVE-2020-28926 & CVE-2020-12695.

  Removed patch 0001 which was applied upstream:
  https://sourceforge.net/p/minidlna/git/ci/b5e75ff7d160a02632cab416ff0af66504c7db8b/

  Removed patch 0002 which was not applied upstream, upstream applied a
  different fix for CVE-2020-12695:
  https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 30f6776c79d2e2cebd61bcef805ea4e1cfaa8055)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/php: security bump version to 7.4.13 | Bernd Kuhls | 2020-12-11 | 4 | -6/+6

  Rebased patches.

  Changelog:
  https://www.php.net/ChangeLog-7.php#7.4.13

  According to the release notes this is a "security bug fix release":
  https://news-web.php.net/php.announce/301

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 8c382620669f5cfae7c3150415a0ff01a2724726)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series | Peter Korsgaard | 2020-12-11 | 2 | -10/+10

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6ca12d89f1182b21aa922f92501cd641ab318398)
  [Peter: drop 5.9.x bump]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/thermald: fix time_t related compile failure | Peter Seiderer | 2020-12-11 | 1 | -0/+53

  Add upstream patch [1] to fix (musl) time_t related compile failure.

  Fixes:

  - https://bugs.busybox.net/show_bug.cgi?id=13336

      src/thd_trip_point.cpp: In member function ‘bool cthd_trip_point::thd_trip_point_check(int, unsigned int, int, bool*)’:
      src/thd_trip_point.cpp:250:19: error: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
        250 |    thd_log_info("Too early to act zone:%d index %d tm %ld\n",
            |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        251 |      zone_id, cdev->thd_cdev_get_index(),
        252 |      tm - cdevs[i].last_op_time);
            |      ~~~~~~~~~~~~~~~~~~~~~~~~~~
            |         |
            |         time_t {aka long long int}
      src/thermald.h:82:57: note: in definition of macro ‘thd_log_info’
         82 | #define thd_log_info(...) g_log(NULL, G_LOG_LEVEL_INFO, __VA_ARGS__)
            |                                                         ^~~~~~~~~~~
      src/thd_trip_point.cpp:250:59: note: format string is defined here
        250 |    thd_log_info("Too early to act zone:%d index %d tm %ld\n",
            |                                                       ~~^
            |                                                       |
            |                                                       long int
            |                                                       %lld

  [1] https://github.com/intel/thermal_daemon/commit/a7136682b9e6ebdb53c3c8b472bcd5039d62dc78.patch

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 1672e250106d5c9a2003f40685e57610238a732e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/openrc: add upstream security fix for CVE-2018-21269 | Heiko Thiery | 2020-12-11 | 2 | -0/+254

  Cc: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 2d38c5a4e58e6a9591e6bcd4e7febe68e915d0bb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/openrc: fix build with gcc 10 | Heiko Thiery | 2020-12-11 | 1 | -0/+52

  Fixes:
  - https://bugs.busybox.net/show_bug.cgi?id=13331

  Cc: mscdex@mscdex.net
  Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9d40f49dbba80da723268826487846930e61c64b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/cage: package does not require locale support | Paul Cercueil | 2020-12-11 | 1 | -3/+1

  Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency
  of wlroots, but wlroots does not depend on it anymore.

  Signed-off-by: Paul Cercueil <paul@crapouillou.net>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 210e9b7b245d6388097ba0dac0c51b82964d09fc)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/wlroots: package does not require locale support | Paul Cercueil | 2020-12-11 | 1 | -3/+1

  Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency
  of libinput which is selected by wlroots. However, libinput does not
  depend on BR2_ENABLE_LOCALE since commit bef6b92b67e (package/libinput:
  remove dependency on BR2_ENABLE_LOCALE).

  Signed-off-by: Paul Cercueil <paul@crapouillou.net>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ae9d6fc6f40e417c603a769ed0e23a35b7f27cb7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/xinetd: add upstream security fix for CVE-2013-4342 | Peter Korsgaard | 2020-12-11 | 2 | -0/+32

  xinetd does not enforce the user and group configuration directives for
  TCPMUX services, which causes these services to be run as root and
  makes it easier for remote attackers to gain privileges by leveraging
  another vulnerability in a service.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d5abf5ff6188593dfc701decf8d33d38a924b45b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/python-pip: needs hashlib module | Bartosz Bilas | 2020-12-11 | 1 | -0/+1

  Without hashlib module pip returns the following errors:

      # pip
      ValueError: unsupported hash type sha224
      ERROR:root:code for hash sha256 was not found.
      Traceback (most recent call last):
        File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
        File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
      ValueError: unsupported hash type sha256
      ERROR:root:code for hash sha384 was not found.
      Traceback (most recent call last):
        File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
        File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
      ValueError: unsupported hash type sha384
      ERROR:root:code for hash sha512 was not found.
      Traceback (most recent call last):
        File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
        File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
      ValueError: unsupported hash type sha512
      Traceback (most recent call last):
        File "/usr/bin/pip", line 11, in <module>
          load_entry_point('pip==20.0.2', 'console_scripts', 'pip')()
        File "/usr/lib/python2.7/site-packages/pip/_internal/cli/main.py", line 73, in main
        File "/usr/lib/python2.7/site-packages/pip/_internal/commands/__init__.py", line 96, in create_command
        File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
        File "/usr/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 24, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_internal/cli/req_command.py", line 15, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_internal/index/package_finder.py", line 21, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_internal/index/collector.py", line 12, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/__init__.py", line 43, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/__init__.py", line 7, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py", line 29, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connection.py", line 40, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/__init__.py", line 7, in <module>
        File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 8, in <module>
      ImportError: cannot import name md5

  Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d5e3e1144e2b1795ab9ca4deb9e25f6f98456232)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/ncurses: mark CVE-2019-1759{4, 5} as fixed by 20191012 patch | Peter Korsgaard | 2020-12-11 | 1 | -0/+3

  According to the NVD data, these are fixed in the 20191012 patch, so
  mark them as such.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f7fc4bf1b98a4f7a4c0ab90cd22a7b3b75a50706)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
