From 408888a29b97cd6f89b528966d853f486149f6d5 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Fri, 26 Aug 2022 23:14:51 +0200 Subject: [PATCH] package/libtirpc: security bump to version 1.3.3 Fix CVE-2021-46828: In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections. https://sourceforge.net/projects/libtirpc/files/libtirpc/1.3.3/Release-1.3.3.txt/download Signed-off-by: Fabrice Fontaine Reviewed-by: Petr Vorel Signed-off-by: Yann E. MORIN --- package/libtirpc/libtirpc.hash | 4 ++-- package/libtirpc/libtirpc.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libtirpc/libtirpc.hash b/package/libtirpc/libtirpc.hash index 56c1d9de3f..1efc3e47e2 100644 --- a/package/libtirpc/libtirpc.hash +++ b/package/libtirpc/libtirpc.hash @@ -1,5 +1,5 @@ # From sourceforge's info on download page: -sha1 51d75be0e5acc094a888f40042b23e128d163cb5 libtirpc-1.3.2.tar.bz2 +sha1 6e52c39148494e4836e2d5d4f28b11ddfa65394b libtirpc-1.3.3.tar.bz2 # Locally computed -sha256 e24eb88b8ce7db3b7ca6eb80115dd1284abc5ec32a8deccfed2224fc2532b9fd libtirpc-1.3.2.tar.bz2 +sha256 6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3 libtirpc-1.3.3.tar.bz2 sha256 17cf6098f95bdbb269f0bbc68e76c88fe20487ca7ec53f454923ab4256ecd2e7 COPYING diff --git a/package/libtirpc/libtirpc.mk b/package/libtirpc/libtirpc.mk index 9d3c4b5a94..179adc97d0 100644 --- a/package/libtirpc/libtirpc.mk +++ b/package/libtirpc/libtirpc.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBTIRPC_VERSION = 1.3.2 +LIBTIRPC_VERSION = 1.3.3 LIBTIRPC_SOURCE = libtirpc-$(LIBTIRPC_VERSION).tar.bz2 LIBTIRPC_SITE = http://downloads.sourceforge.net/project/libtirpc/libtirpc/$(LIBTIRPC_VERSION) LIBTIRPC_LICENSE = BSD-3-Clause