wireshark: bump version to 2.2.14 (security)

Security fixes since 2.2.12:
- wnpa-sec-2018-15
The MP4 dissector could crash. (Bug 13777)
- wnpa-sec-2018-16
The ADB dissector could crash. (Bug 14460)
- wnpa-sec-2018-17
The IEEE 802.15.4 dissector could crash. (Bug 14468)
- wnpa-sec-2018-18
The NBAP dissector could crash. (Bug 14471)
- wnpa-sec-2018-19
The VLAN dissector could crash. (Bug 14469)
- wnpa-sec-2018-20
The LWAPP diss...

python-webpy: use webpy-0.39 tag

No functional change, but upstream has now tagged the release, so use the
tag instead of the sha1.
https://github.com/webpy/webpy/issues/449
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 01320bb9ff297bac38a4c9bc32ae505ac79d600f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

python-webpy: security bump to version 0.39

From the changelog:
2018-02-28 0.39
* Fixed a security issue with the form module (tx Orange Tsai)
* Fixed a security issue with the db module (tx Adrián Brav and Orange Tsai)
2016-07-08 0.38
..
* Fixed a potential remote execution risk in `reparam` (tx Adrián Brav)
License files are still not included on pypi, so continue to use the git
repo. Upstream has unfortunately not tagged 0.39, so u...

python-webpy: needs hashlib support in python

webpy uses hashlib for session handling, so ensure it is available:
web/session.py: import hashlib
web/session.py: sha1 = hashlib.sha1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 543b0d50fbbb552296749d0cf18443aacfc6e58d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

openblas: drop SSE_GENERIC target

Fixes #10856
The SSE_GENERIC target fails to build with a "sgemm_kernel.o: No such file
or directory" error. Several upstream bug reports exist for this:
https://github.com/xianyi/OpenBLAS/issues/502
https://github.com/xianyi/OpenBLAS/issues/685
In both cases, upstream suggests using a different target definition
instead. E.g. from issue 685:
You may use NORTHWOOD on x86: make TARGET=NORT...

opencv3: fix Python module build for Python 3.x

When the OpenCV3 Python support is enabled with Python 3.x, it builds
properly, and the resulting .so file is built for the target
architecture, but its name is wrong:
output/target/usr/lib/python3.6/site-packages/cv2.cpython-36m-x86_64-linux-gnu.so
This prevents Python 3.x from importing the module:
>>> import cv2
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
Mo...

package/xterm: Avoid freetype2 path poisoning using imake

When imake is installed on the host, it tries to include
freetype headers from host, so we must override ac_cv_path_IMAKE
to avoid this.
Extract from config.log:
configure:14803: checking if we should use imake to help
configure:14820: result: yes
configure:14829: checking for xmkmf
configure:14846: found /usr/bin/xmkmf
configure:14857: result: /usr/bin/xmkmf
configure:14920: testing Using /u...

openssl: security bump to version 1.0.2o

Fixes the following security issues:
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
There are no such structures used within SSL/TLS th...

sngrep: fix libgcrypt handling

Fixes:
http://autobuild.buildroot.net/results/f1c6494133806b9fc26ae3ce9e9c6a22fa2eda6f/
Commit 6205b75873c (sngrep: gnutls support also needs libgcrypt) ensured
that --with-gnutls is only used when both gnutls and libgcrypt are enabled,
but it didn't ensure libgcrypt gets built before sngrep or told the
configure script where to find libgcrypt-config, breaking the build.
Fix both issues.
Sig...

xerces: add upstream security fix

CVE-2017-12627: dereference of a NULL pointer while processing the path
to the DTD.
xerces 3.2.1 includes this patch. But this version also added
AC_RUN_IFELSE to its configure script, making cross compilation harder.
Switching to cmake is also problematic since the minimum required cmake
version is 3.2.0. The host dependencies check currently allows minimum
cmake version 3.1.
Signed-off-by:...

package/apache: bump version to 2.4.29

Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 386ca343c514b4c7e30217ee688eb2d273585661)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/apache: bump to version 2.4.28

Fix for CVE-2017-9798 is included in this release, so this patch is
removed.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Update commit log: not a security bump]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1cff68251e6cd2fe8ed421d7b07813256342a150)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/imagemagick: security bump version to 7.0.7-27

Fixes CVE-2018-6405 (upstream Github PR 964) and many others:
http://www.imagemagick.org/script/changelog.php
Added license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 31086ea1de511b57e8377d9fa6b0fe7350b1e753)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

tremor: security bump to fix CVE-2018-5146

Prevent out-of-bounds write in codebook decoding.
Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.
Upstream has migrated from subversion to git, so change to git and bump the
version to include the fix for CVE-2018-5146.
While we're at it, also add a hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked fro...

irssi: security bump to version 1.0.7

Fixes the following security issues:
Use after free when server is disconnected during netsplits. Incomplete fix
of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) -
CVE-2018-7054 [2] was assigned to this issue.
Use after free when SASL messages are received in unexpected order. Found
by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to
this issue.
Null point...

libcurl: security bump to version 7.59.0

CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.
https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.
https://curl.haxx.se/docs/adv_2...

libpjsip: security bump to 2.7.2

Fixes the following vulnerabilities:
- CVE-2018-1000098: Crash when parsing SDP with an invalid media format
description
- CVE-2018-1000099: Crash when receiving SDP with invalid fmtp attribute
[Peter: add CVE info]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ed0d9d6f36dfc3e99ee70cc34de0c380925e871f)
Signe...

samba4: security bump to version 4.5.16

CVE-2018-1050: Vulnerability to a denial of service attack when the RPC
spoolss service is configured to be run as an external daemon.
https://www.samba.org/samba/security/CVE-2018-1050.html
CVE-2018-1057: Authenticated users might change any other users'
passwords, including administrative users and privileged service
accounts (eg Domain Controllers).
https://www.samba.org/samba/security/CV...

linux: Config.in: correct typo in kernel compression format help text

s/build/built/.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d233cc72c4b901f1ea0ae4ce895ff665bd0b78d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

busybox: bump to version 1.27.2

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5cdb463e442d63f0ba361e7348d0ed56cb9b63d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

busybox: disable new TLS support

Busybox 1.17.1 has added built-in TLS support. Unfortunately, it fails
to build on i686 with gcc 4.8, with:
networking/tls_pstm_mul_comba.c: In function 'pstm_mul_comba':
networking/tls_pstm_mul_comba.c:82:1: error: 'asm' operand has impossible constraints
asm( \
^
networking/tls_pstm_mul_comba.c:279:4: note: in expansion of macro 'MULADD'...

Revert "busybox: add upstream post-1.26.2 fixes"

This reverts commit ace9345c96fe013468a7ab548b69dd1510e463c8.
With the bump to 1.27.x, these are no longer needed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

busybox: bump version to 1.27.1

In addition, update busybox-minimal.config and busybox.config by loading the
config files and saving them back.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8cea29361770bd740b9799ac9b0b09ec131d7117)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

dhcp: add upstream security fixes

CVE-2018-5732: The DHCP client incorrectly handled certain malformed
responses. A remote attacker could use this issue to cause the DHCP
client to crash, resulting in a denial of service, or possibly execute
arbitrary code. In the default installation, attackers would be isolated
by the dhclient AppArmor profile.
CVE-2018-5733: The DHCP server incorrectly handled reference counting. A
remote a...

package/clamav: security bump to version 0.99.4

Fixes CVE-2012-6706, CVE-2017-6419, CVE-2017-11423, CVE-2018-1000085 &
CVE-2018-0202.
For details see upstream announcement:
http://lists.clamav.net/pipermail/clamav-announce/2018/000029.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d02cbe22dab7f2f0424d7a4f3274ea2459269dbe)
Signed-off-by: Peter Korsgaa...

mosquitto: unbreak build with websockets and !libopenssl

Fixes:
http://autobuild.buildroot.net/results/d69/d693f3e3f1c73ccf54ac7076623e436355a9d901/b
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 63dfbca2c3ad509504e9118a49d396210917b079)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

mosquitto: security bump to version 1.4.15

Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT
packet which causes large amounts of memory use in the broker. If multiple
clients do this, an out of memory situation can occur and the system may
become unresponsive or the broker will be killed by the operating system.
The fix addresses the problem by limiting the permissible size for CONNECT
packet, and by adding a me...

mosquitto: bump version to 1.4.14

Drop CVE 2017-9868 patch as that is now upstream.
1.4.14 is a bugfix release, fixing significant websocket performance /
correctness issues.
Use HTTPS for the download as the server uses HSTS, thus saving a redirect.
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b76bf7669d6482e61a82be9cd5d3c8806dabba6)
S...

mosquitto: clarify that patch hash is locally calculated

Commit e51d69a3b (mosquitto: specify that hash is taken from upstream)
changed the .hash description header, but the upstream hash only applies
to the tarball, not the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1ef8c2239339f52e35572e485db306df9012d500)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

mosquitto: specify that hash is taken from upstream

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d8dc97ee5ed10c75666e500b6752497690ea6853)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

wavpack: add upstream security fixes

Fixes the following security issues:
CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig
function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service attack or possibly have unspecified other impact
via a maliciously crafted RF64 file.
CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file
of WavPack 5.1.0 allo...

wavpack: don't download patch from Github

Patches downloaded from Github are not stable, so bring them in the
tree.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0a2576d37ebb4175aea1daf3c14c947df39cdcaa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

check-host-tar.sh: blacklist tar 1.30+

Tar 1.30 changed the --numeric-owner output for filenames > 100 characters,
leading to hash mismatches for the tar archives we create ourselves from
git. This is really a fix for a bug in earlier tar versions regarding
deterministic output, so it is unlikely to be reverted in later versions.
For more details, see:
http://lists.busybox.net/pipermail/buildroot/2018-January/211222.html
To work ...

dependencies.mk: check for valid host-tar before other host dependencies

host-{cmake,lzip,xz} need host-tar to extract their source code tarball, so
we need to ensure that host-tar gets added to DEPENDENCIES_HOST_PREREQ
before these in case they are both needed, otherwise the tools will fail to
extract.
With the upcoming change to blacklist modern tar versions this situation is
likely to trigger more often.
The real solution to this issue is the <foo>_EXTRACT_DEP...