Commit Graph

56003 Commits

Author SHA1 Message Date
Fabrice Fontaine
f0feed4e47 package/jpeg-turbo: add CPE variables
cpe:2.3🅰️libjpeg-turbo:libjpeg-turbo is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibjpeg-turbo%3Alibjpeg-turbo

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 21:37:43 +01:00
Fabrice Fontaine
fea76b1e90 package/tiff: add CPE variables
cpe:2.3🅰️libtiff:libtiff is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtiff%3Alibtiff

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 21:37:42 +01:00
Fabrice Fontaine
d94ac06d0d package/rabbitmq-c: set RABBITMQ_C_CPE_ID_VALID
cpe:2.3🅰️rabbitmq-c_project:rabbitmq-c is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arabbitmq-c_project%3Arabbitmq-c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 21:37:40 +01:00
Fabrice Fontaine
d12f7f839d package/libpam-tacplus: add CPE variables
cpe:2.3🅰️pam_tacplus_project:pam_tacplus is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apam_tacplus_project%3Apam_tacplus

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 21:37:39 +01:00
Fabrice Fontaine
bbb31dac92 package/e2fsprogs: set E2FSPROGS_CPE_ID_VALID
cpe:2.3🅰️e2fsprogs_project:e2fsprogs is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ae2fsprogs_project%3Ae2fsprogs

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 21:37:38 +01:00
Fabrice Fontaine
173eabf3b6 package/bootstrap: add BOOTSRAP_CPE_ID_VENDOR
cpe:2.3🅰️getbootstrap:bootstrap is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agetbootstrap%3Abootstrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 14:01:05 +01:00
Fabrice Fontaine
b84a4ed139 package/libsndfile: set LIBSNDFILE_CPE_ID_VALID
cpe:2.3🅰️libsndfile_project:libsndfile is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibsndfile_project%3Alibsndfile

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 14:01:04 +01:00
Fabrice Fontaine
1b0a7c6a91 package/bubblewwrap: add BUBBLEWRAP_CPE_ID_VENDOR
cpe:2.3🅰️projectatomic:bubblewrap is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aprojectatomic%3Abubblewrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 14:00:33 +01:00
Fabrice Fontaine
bc418e0174 package/rdesktop: add RDESKTOP_CPE_ID_VENDOR
cpe:2.3🅰️rdesktop:rdesktop is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ardesktop%3Ardesktop

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-02 14:00:15 +01:00
Titouan Christophe
cbd5f7e3a9 package/redis: security bump to v6.0.12
From the release notes:
(https://github.com/redis/redis/blob/6.0.12/00-RELEASENOTES)

================================================================================
Redis 6.0.11     Released Mon Feb 22 16:13:23 IST 2021
================================================================================

Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.

Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.

================================================================================
Redis 6.0.12     Released Mon Mar  1 17:29:52 IST 2021
================================================================================

Upgrade urgency: LOW, fixes a compilation issue.

Bug fixes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-02 09:34:22 +01:00
Peter Korsgaard
f6e9e22ac9 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-02 08:54:44 +01:00
Fabrice Fontaine
dd6bcc0916 package/gstreamer1/gst1-plugins-bad: add sctp option
sctp unconditionnally uses __sync_*_4 intrinsics in
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/blob/master/ext/sctp/usrsctp/usrsctplib/user_atomic.h

As a result, this will raise the following build failure with bootlin
sparc toolchain:

/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ext/sctp/usrsctp/libusrsctp-static.a(usrsctplib_user_socket.c.o): in function `usrsctp_conninput':
user_socket.c:(.text+0x3004): undefined reference to `__sync_fetch_and_add_4'

sctp uses an internal version of usrsctp (which is not available in
buildroot) and is available since version 1.15.1:
e2f06326ea

Fixes:
 - http://autobuild.buildroot.org/results/981b11ae9746d1eef40c1797398c4f6c16f005bd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 23:55:09 +01:00
Francois Perrad
9aba85e3f5 package/prosody: security bump to 0.11.8
From the release notes:
https://blog.prosody.im/prosody-0.11.8-released/

This release also fixes a security issue, where channel binding, which
connects the authentication layer (i.e.  SASL) with the security layer (i.e.
TLS) to detect man-in-the-middle attacks, could be used on connections
encrypted with TLS 1.3, despite the holy texts declaring this undefined.

https://issues.prosody.im/1542

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: mark as security bump, expand commit text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 23:21:54 +01:00
Yann E. MORIN
3673b0c7e2 configs: rename a bunch of friendlyarm boards
We have defconfigs for quite a few friendlyarm boards, but the
naming for the defconfigs for those boards is inconsistent: some
start with 'friendlyarm_' while others don't.

Although the number of boards starting with 'friendlyarm_' is
less than those which do not, we still choose to rename the
boards so all have the 'friendlyarm_' prefix.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chakra Divi <chakra@openedev.com>
Cc: Davide Viti <zinosat@gmail.com>
Cc: Marek Belisko <marek.belisko@open-nandra.com>
Cc: Suniel Mahesh <sunil@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 22:53:35 +01:00
Peter Seiderer
955d6c099b package/util-linux: disable runuser for the host build
runuser allows running commands as another user, but needs to run as
root to be able to setuid(). But Buildroot does not require running as
root, and so runuser can't be used.

Incientally, that fixes host build in case unsuitable libs are found on
the system:
    http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html

Reported-by: GA K <guyarkam@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - expand the commit log with a more fundamental explanation that
    runuser can't be used anyway
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-01 22:35:51 +01:00
Fabrice Fontaine
9598b7a00b package/tpm2-pkcs11: needs threads
tpm2-pkcs11 fails to build without threads since its addition with
commit 42db2c7236

Fixes:
 - http://autobuild.buildroot.org/results/8218776da34cc4a20663ae6737ad7727b12d8cd2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 22:34:22 +01:00
Peter Korsgaard
e276d14cd8 package/privoxy: security bump to version 3.0.32
Privoxy 3.0.32 fixes a number of security issues:

- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

for more details, see the announcement:
https://www.openwall.com/lists/oss-security/2021/02/28/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-01 22:27:32 +01:00
Fabrice Fontaine
54d4d623e6 package/ushare: bump to version 2.1
Fix SOAP action responses which are broken since the switch to latest
version of libupnp (1.14.x) in version 2.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 22:25:02 +01:00
Fabrice Fontaine
2b96966b64 package/jbig2dec: add JBIG2DEC_CPE_ID_VENDOR
cpe:2.3🅰️artifex:jbig2dec is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aartifex%3Ajbig2dec

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:59 +01:00
Fabrice Fontaine
1cc2fcee3a package/putty: add PUTTY_CPE_ID_VENDOR
cpe:2.3🅰️putty:putty is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aputty%3Aputty

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:54 +01:00
Fabrice Fontaine
85eee9c632 package/python-urllib3: add CPE variables
cpe:2.3🅰️python:urllib3 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Aurllib3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:46 +01:00
Fabrice Fontaine
e60d5bde27 package/python3: add CPE variables
cpe:2.3🅰️python:python is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Apython

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:43 +01:00
Fabrice Fontaine
0b348dd516 package/python-aiohttp-session: add CPE variables
cpe:2.3🅰️aiohttp-session_project:aiohttp-session is a valid CPE
identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaiohttp-session_project%3Aaiohttp-session

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:41 +01:00
Fabrice Fontaine
d56054b6e9 package/libbsd: add LIBBSD_CPE_ID_VENDOR
cpe:2.3🅰️freedesktop:libbsd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreedesktop%3Alibbsd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 20:18:34 +01:00
Titouan Christophe
6e6fed30fa package/mosquitto: bump to v2.0.8
Mosquitto 2.0.8 is bugfix release. See the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-8-released/

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 17:07:59 +01:00
Christian Stewart
6609cd0d88 package/openssh: security bump to version 8.4p1
Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 17:07:30 +01:00
Fabrice Fontaine
dfd44046f3 package/haproxy: bump to version 2.2.9
https://www.mail-archive.com/haproxy@formilux.org/msg39744.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-01 16:57:45 +01:00
Peter Korsgaard
4c5b27fbef Update for 2021.02-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 18:34:56 +01:00
Peter Korsgaard
0e60a9aa83 package/python-aiohttp: security bump to version 3.7.4
Fixes the following security issue:

CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async
HTTP client/server framework, is prone to an open redirect vulnerability.  A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.

For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-27 16:55:28 +01:00
Fabrice Fontaine
908d967170 package/libglib2: security bump to version 2.66.7
- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
  2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
  with a buffer of 4GB or more on a 64-bit platform, the length would be
  truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
  2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
  integer overflow on 64-bit platforms due to an implicit cast from 64
  bits to 32 bits. The overflow could potentially lead to memory
  corruption.

https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-27 16:54:50 +01:00
Fabrice Fontaine
f4f42d03d6 package/openntpd: add OPENNTPD_CPE_ID_VENDOR
cpe:2.3🅰️openntpd:openntpd is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopenntpd%3Aopenntpd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-27 16:53:46 +01:00
Peter Korsgaard
2d6a0ea93e package/openldap: add upstream security fix for CVE-2021-27212
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp.  This is related to schema_init.c and checkTime.

For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-27 09:10:45 +01:00
Peter Korsgaard
6ca1a7c277 package/screen: add security fix for CVE-2021-26937
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a
denial of service (invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8 character sequence.

For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2021/02/09/3

So far no fix has been added to upstream git, and a number of early proposed
fixes caused regressions, so pull the security fix from the screen 4.8.0-5
Debian package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-27 09:05:56 +01:00
Peter Seiderer
42c80b515a package/imagemagick: disable remaining config options (heic, jxl, openjp2)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:39:17 +01:00
Peter Seiderer
2f47cfade4 package/imagemagick: add optional libraw support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:39:09 +01:00
Peter Seiderer
d6667f3141 package/imagemagick: add optional zstd support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:38:57 +01:00
Peter Seiderer
32479efafe package/imagemagick: add optional libzip support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:38:42 +01:00
Peter Seiderer
a11b6beab9 package/imagemagick: security bump to version 7.0.10-62
Fixes the following security issue:

CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c.  This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero.  The highest threat from this vulnerability is to system
availability.

For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077

- bump version to 7.0.10-62
- update license file hash (copyright year update)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:28:41 +01:00
Markus Mayer
ba05d01476 package/readline: disable bracketed paste by default
As of readline 8.1, "bracketed paste" is enabled by default. However,
the feature causes control characters to appear in captured (telnet)
session output. This can throw off pattern matching if the output is to
be processed by scripts.

Let's keep the previous default of leaving this feature disabled and
provide a configuration option for users to enable it.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
  - explicit enable/disable
  - no indentation in conditional block
  - rewrap help text
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-26 22:42:56 +01:00
Romain Naour
8ef20378b7 package/qemu: disable tests
tests/fp/fp-bench.c use fenv.h that is not always provided
by the libc (uClibc).

To workaround this issue, add an new meson option to
disable tests while building Qemu.

Fixes:
http://autobuild.buildroot.net/results/53f5d8baa994d599b9da013ee643b82353366ec3/build-end.log

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-26 09:32:20 +01:00
Fabrice Fontaine
6e9409ea3b package/botan: avoid empty -l
Add upstream patch to fix upstream commit
af63fe89228172e5a395f7e6491fae3bfa9da4b1 which was added to buildroot in
commit d71de4143d

Fixes:
 - http://autobuild.buildroot.org/results/801007860b7787b28b2b2e3611b59350034a3694

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:58:22 +01:00
Fabrice Fontaine
1b3c8ce97f package/libuwsc: disable example
BUILD_EXAMPLE=OFF is already passed by cmake-package

Fixes:
 - http://autobuild.buildroot.org/results/f5256d5a3a86112f008506f1910d0600c491a2a0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:47:05 +01:00
Fabrice Fontaine
ceb2317a7a package/brltty: fix build with gcc < 5
Fix build of brltty in version 6.2 with gcc < 5

Fixes:
 - http://autobuild.buildroot.org/results/b758c6ffc7a14b24d5482e65ba6f90bc046ebd01

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: do an actual backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:38:16 +01:00
Fabrice Fontaine
c79f050de7 package/babeltrace2: link with libatomic if needed
Fix build of babeltrace2 in version 2.0.3 with Bootlin SPARC uclibc
toolchain added with commit 1348c569d0

Fixes:
 - http://autobuild.buildroot.org/results/31770bf70f9ce4e3be8fb310d084b214820c6829

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:27:20 +01:00
Fabrice Fontaine
51b5df23b2 package/elfutils: link with libatomic if needed
Fix build of elfutils 0.181 with Bootlin SPARC uclibc toolchain added
with commit 1348c569d0

Fixes:
 - http://autobuild.buildroot.org/results/31ce9e3861c6229a7869a15d322f5d2f5bfc6165

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:21:38 +01:00
Fabrice Fontaine
aead2e1ec2 package/intel-mediasdk: disable samples and tutorials
Disable samples and tutorials which are enabled by default and fail to
build with gcc 10 without upstream commit:
c7d40371eb

Fixes:
 - http://autobuild.buildroot.org/results/9ee28e5dc0b2ba854766d9bc82b95c28be2722d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:11:40 +01:00
Peter Korsgaard
7cb44a2011 package/nodejs: security bump to version v12.21.0
Fixes the following security issues:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors.  If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g.  a file.  If no
file descriptor limit is configured, then this lead to an excessive memory
usage and cause the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect

Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”.  When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network.  If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain.  As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 21:29:29 +01:00
Andreas Klinger
81e0421285 package/ply: build needs flex and bison
Building needs flex and bison installed on the host system.

Fixes:
http://autobuild.buildroot.net/results/7cfe75725f4746367f2870ee9545f31ba56f6ec1

Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:30:20 +01:00
Fabrice Fontaine
028aa3986d package/screen: add SCREEN_CPE_ID_VENDOR
cpe:2.3🅰️gnu:screen is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Ascreen

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:11:22 +01:00
Fabrice Fontaine
879772f8e7 package/xterm: add XTERM_CPE_ID_VENDOR
cpe:2.3🅰️invisible-island:xterm is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ainvisible-island%3Axterm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:11:11 +01:00