Commit Graph

45303 Commits

Author SHA1 Message Date
Giulio Benetti
015a96b4e0 package/libnss: security bump to version 3.47
Fixes the following security issues:
CVE-2019-11756: Remove refcounting from sftk_FreeSession

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 551d81c079)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:44:21 +01:00
Giulio Benetti
bdcc34b08e package/libnspr: bump to version 4.23
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8be14639c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:44:14 +01:00
Bernd Kuhls
f514fd353e package/libnss: bump version to 3.46.1
Release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46.1_release_notes

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0d7903b227)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:43:46 +01:00
Asaf Kahlon
39862bd5ca package/python: security bump to version 2.7.17
This release fixes CVE-2019-9740, CVE-2019-9948, CVE-2019-15903.

Adjust 0002-Fix-get_python_inc-for-cross-compilation.patch for 2.7.17.

Remove the following patches (now on upstream):
* 0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
* 0036-bpo-36216-Add-check-for-characters-in-netloc-that-no.patch
* 0037-3.7-bpo-36216-Only-print-test-messages-when-verbose-.patch
* 0038-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
* 0039-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
* 0040-2.7-bpo-36742-Fix-urlparse.urlsplit-error-message-fo.patch
* 0041-bpo-30458-Disallow-control-chars-in-http-URLs-GH-127.patch

Full release details at:
https://github.com/python/cpython/blob/v2.7.17/Misc/NEWS.d/2.7.17rc1.rst

run-tests results:
10:30:20 TestPython2                              Starting
10:30:21 TestPython2                              Building
10:37:37 TestPython2                              Building done
10:37:47 TestPython2                              Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 448.616s

OK

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7df07cb611)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:25:42 +01:00
Bernd Kuhls
c6a1ad2383 package/ghostscript: security bump version to 9.50
Fixes CVE-2019-10216:
https://security-tracker.debian.org/tracker/CVE-2019-10216

Removed patch applied upstream.

Release notes:
https://ghostscript.com/pipermail/gs-devel/2019-October/010232.html

Changelog:
https://www.ghostscript.com/doc/9.50/News.htm

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1da3fa7863)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:23:24 +01:00
Carlos Santos
2fc92d3fa2 package/libseccomp: circumvent uClibc-ng bug on x86_64
On uClibc up to at least v1.0.32, syscall() for x86_64 is defined in
libc/sysdeps/linux/x86_64/syscall.S as

syscall:
        movq %rdi, %rax         /* Syscall number -> rax.  */
        movq %rsi, %rdi         /* shift arg1 - arg5.  */
        movq %rdx, %rsi
        movq %rcx, %rdx
        movq %r8, %r10
        movq %r9, %r8
        movq 8(%rsp),%r9        /* arg6 is on the stack.  */
        syscall                 /* Do the system call.  */
        cmpq $-4095, %rax       /* Check %rax for error.  */
        jae __syscall_error     /* Branch forward if it failed.  */
        ret                     /* Return to caller.  */

And __syscall_error is defined in
libc/sysdeps/linux/x86_64/__syscall_error.c as

int __syscall_error(void) attribute_hidden;
int __syscall_error(void)
{
        register int err_no __asm__ ("%rcx");
        __asm__ ("mov %rax, %rcx\n\t"
                 "neg %rcx");
        __set_errno(err_no);
        return -1;
}

Notice that __syscall_error returns -1 as a 32-bit int in %rax, a 64-bit
register i.e. 0x00000000ffffffff (decimal 4294967295). When this value
is compared to -1 in _sys_chk_seccomp_flag_kernel() the result is false,
leading the function to always return 0.

Prevent the error by coercing the return value of syscall() to int in a
temporary variable before comparing it to -1. We could use just an (int)
cast but the variable makes the code more readable and the machine code
generated by the compiler is the same in both cases.

All other syscall() invocations were inspected and they either already
coerce the result to int or do not compare it to -1.

The same problem probably occurs on other 64-bit systems but so far only
x86_64 was tested.

A bug report is being submitted to uClibc.

Upstream status: https://github.com/seccomp/libseccomp/pull/175

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 440c7a9d9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:16:04 +01:00
Carlos Santos
fa672ffa47 package/libseccomp: bump to version 2.4.1
Fixes a BPF generation bug where the optimizer mistakenly identified
duplicate BPF code blocks.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d5787d1ab1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:15:41 +01:00
Bernd Kuhls
83e6a62dcb {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.3.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e59d65073f)
[Peter: drop 5.3.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 10:11:26 +01:00
Yann E. MORIN
e204fde85a package/unscd: bump version to 0.53
Version 0.53 has a fix for INVALIDATE and SHUTDOWN requests being
ignored.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Doug Kehn <rdkehn@yahoo.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2de1289282)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:47:38 +01:00
Paulo Matos
b931e03858 package/qemu: fix qemu 3.1.1.1 to build with glibc-2.29
These patches are already in qemu upstream under:
- 184943d827ce09375284e6fbb9fd5eeb9e369529
- 71ba74f67eaca21b0cc9d96f534ad3b9a7161400

They rename gettid() to sys_gettid() to avoid clash with glibc

Signed-off-by: Paulo Matos <pmatos@igalia.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9dcca3ae40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:39:40 +01:00
Carlos Santos
a73f23c816 package/qemu: move patch 3 to the 3.1.1.1 subdir
Required since the bump from 3.1.1.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ef6d39565)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:39:28 +01:00
Carlos Santos
e85562a8ca package/qemu: fix crash with uClibc-ng
On uClibc-ng sysconf(_SC_LEVEL1_{I,D}CACHE_LINESIZE) returns -1, which
is a valid result, meaning that the limit is indeterminate. Add a patch
that handles this situation using fallback values instead of crashing
due to an assertion failure.

Upstream status:
   https://lists.nongnu.org/archive/html/qemu-devel/2019-10/msg04115.html

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5e968678fd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:39:19 +01:00
Alexey Brodkin
f8a06f697d package/qemu: bump to hot-fix release 3.1.1.1
Fixes a couple of important things and among other things the build of
pvrdma code:

----------------------->8---------------------
  In function 'create_qp':
  hw/rdma/vmw/pvrdma_cmd.c:517:16: error: 'rc' undeclared
----------------------->8---------------------

Bumped into this build problem while building vanilla
qemu_arm_versatile_defconfig.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Alexander Dahl <post@lespocky.de>
Cc: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4bed6dbec9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:38:57 +01:00
Fabrice Fontaine
8853554bb9 package/qemu: fix build with kernel >= 5.2
Fixes:
 - http://autobuild.buildroot.org/results/9bc0ed3ce74ec5e09263f625477393d5149eb872

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 347bc0bb1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-30 09:37:49 +01:00
Peter Korsgaard
2fc977c2f9 DEVELOPERS: add Peter Korsgaard for wireguard
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e440f7d86c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 14:24:13 +01:00
James Hilliard
37cbd5315c package/intel-microcode: bump to version 20190918
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 62dbc17ef4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 11:59:36 +01:00
Baruch Siach
032d818c4c package/tcpdump: security bump to version 4.9.3
CHANGES summary:

    Fix buffer overflow/overread vulnerabilities:
      CVE-2017-16808 (AoE)
      CVE-2018-14468 (FrameRelay)
      CVE-2018-14469 (IKEv1)
      CVE-2018-14470 (BABEL)
      CVE-2018-14466 (AFS/RX)
      CVE-2018-14461 (LDP)
      CVE-2018-14462 (ICMP)
      CVE-2018-14465 (RSVP)
      CVE-2018-14881 (BGP)
      CVE-2018-14464 (LMP)
      CVE-2018-14463 (VRRP)
      CVE-2018-14467 (BGP)
      CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
      CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
      CVE-2018-14880 (OSPF6)
      CVE-2018-16451 (SMB)
      CVE-2018-14882 (RPL)
      CVE-2018-16227 (802.11)
      CVE-2018-16229 (DCCP)
      CVE-2018-16301 (was fixed in libpcap)
      CVE-2018-16230 (BGP)
      CVE-2018-16452 (SMB)
      CVE-2018-16300 (BGP)
      CVE-2018-16228 (HNCP)
      CVE-2019-15166 (LMP)
      CVE-2019-15167 (VRRP)
    Fix for cmdline argument/local issues:
      CVE-2018-14879 (tcpdump -V)

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4d17e52d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 11:52:44 +01:00
Baruch Siach
c4c53ce237 package/sudo: security bump to version 1.8.28
Fixes CVE-2019-14287: a sudo user may be able to run a command as root
when the Runas specification explicitly disallows root access as long as
the ALL keyword is listed first.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4a96d62749)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 11:49:50 +01:00
Fabrice Fontaine
90de6c5aa2 package/sudo: bump to version 1.8.27
Update hash of license file:
 - update in year
 - add arc4random.c, arc4random_uniform.c and getentropy.c license (ISC)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 276072dbd4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 11:49:43 +01:00
Pierre-Jean Texier
1ae81ba8ed package/mongoose: security bump to version 6.16
Fixes the following security vulnerability:

CVE-2019-13503: mq_parse_http in mongoose.c in Mongoose 6.15
has a heap-based buffer over-read.

See https://github.com/cesanta/mongoose/releases/tag/6.16

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit aeee0b9bd7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 11:38:48 +01:00
Bernd Kuhls
0d75c93fdb {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{2, 3}.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 32042f42cb)
[Peter: drop 5.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-29 10:20:10 +01:00
Thomas Petazzoni
87ac0a720b docs/manual: fix Config.in option that cargo packages must depend on
Back in commit 025b863e6f, the option
BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS was introduced, to
separate the option that host packages needing Rust should depend on
(BR2_PACKAGE_HOST_RUSTC_ARCH_SUPPORTS) from the option that target
packages needing Rust should depend on
(BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS).

Since the example in the manual is showing a target package, we must
use BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Sam Voss <sam.voss@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit edee45b843)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 17:38:30 +01:00
Heiko Thiery
24301c3557 utils/test-pkg: ensure to exit with an error upon failure
This commit modifies the main() function so that it returns the sum of
build and legal errors, making sure the overall test-pkg script exists
with a non-zero error code upon failure.

Signed-off-by: Heiko Thiery <heiko.thiery@kontron.com>
[Thomas: improved commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5093435f66)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 17:34:04 +01:00
Fabrice Fontaine
652f52b646 package/sdl_mixer: disable parallel build
Build sometimes fails on:
Fatal error: can't create build/load_aiff.o: No such file or directory

Fixes:
 - http://autobuild.buildroot.org/results/c800ef60d8af0cd76f2f1de9aff573120ebd8ada

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fcc22749e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 14:21:43 +01:00
Fabrice Fontaine
977593ef74 package/vtun: fix static linking with atomic
Fixes:
 - http://autobuild.buildroot.org/results/908707cdd16c5b89197c226a3e259f8943a5474e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cff14017f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 14:14:02 +01:00
Asaf Kahlon
10f0e76d33 package/python-pysnmp-apps: update license to BSD-2-Clause
The license file for this application is BSD-2-Clause and not
BSD-3-Clause as we currently state in the _LICENSE variable.

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1eb8252cce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 13:57:23 +01:00
Vivien Didelot
77719adc19 DEVELOPERS: change Ash Charles' email address
Ash is no longer working at Savoir-faire Linux. Update his email
address in the DEVELOPERS file.

Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e32e92233f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 13:50:20 +01:00
Francois Perrad
99162d55f1 package/lua-sdl2: fix install path
WITH_LUAVER must be set with a value depending of Lua interpreter,
by this way, the module is installed in the correct location

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Tested-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2d1ec39e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 10:57:06 +01:00
Thomas Petazzoni
c9a56c1cd3 DEVELOPERS: remove Morgan Delestre
Morgan's e-mail is bouncing:

"""
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  m.delestre@sinters.fr
    retry timeout exceeded
"""

And I was confirmed by CORJON Julien <CORJON.J@ecagroup.com> that
Morgan is no longer at ECA/Sinters.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6015b46865)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 10:55:37 +01:00
Thomas Petazzoni
7ec414a837 DEVELOPERS: remove Jonathan Liu
In a private e-mail answering one of our notifications about packages
being outdated, Jonathan replied:

"""
I switched from Buildroot to OpenEmbedded in 2013 so am no longer actively
involved with Buildroot.
Please unsubscribe me from outdated package notifications.
"""

So let's remove him from the DEVELOPERS file.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 175c3f8b2d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 10:54:55 +01:00
Bernd Kuhls
8ed81d55da package/libpcap: security bump version to 1.9.1
Removed patch applied upstream.

Changelog: https://www.tcpdump.org/libpcap-changes.txt

Quoting changelog:
"Five CVE-2019-15161, CVE-2019-15162, CVE-2019-15163, CVE-2019-15164,
 CVE-2019-15165
 Fixes for CVE-2018-16301, errors in pcapng reading."

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7df3dfee55)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 10:44:20 +01:00
Romain Naour
4606c0a78b DEVELOPERS: add Romain Naour for clang, clinfo, libclc and llvm packages
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7fe2e9e48b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 10:28:26 +01:00
Bernd Kuhls
69df3d8e16 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{2, 3}.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 17ec040ff5)
[Peter: drop 5.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 09:43:43 +01:00
Peter Korsgaard
a9b6cb7cca package/ruby: security bump to version 2.4.9
Fixes the following security vulnerability:

(Bundled jquery)
- CVE-2012-6708: jQuery before 1.9.0 is vulnerable to Cross-site Scripting
  (XSS) attacks.  The jQuery(strInput) function does not differentiate
  selectors from HTML in a reliable fashion.  In vulnerable versions, jQuery
  determined whether the input was HTML by looking for the '<' character
  anywhere in the string, giving attackers more flexibility when attempting
  to construct a malicious payload.  In fixed versions, jQuery only deems
  the input to be HTML if it explicitly starts with the '<' character,
  limiting exploitability only to attackers who can control the beginning of
  a string, which is far less common.

- CVE-2015-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting
  (XSS) attacks when a cross-domain Ajax request is performed without the
  dataType option, causing text/javascript responses to be executed.

https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/

- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test

https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)

https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?

https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/

- CVE-2019-16201: Regular Expression Denial of Service vulnerability of
  WEBrick's Digest access authentication

https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

2.4.9 fixes a packaging bug in 2.4.8:

https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit dc487302b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-25 23:46:46 +02:00
Ricardo Martincoski
bf01b685ce support/testing: provide entropy to lua tests
Newer versions of lua-http require entropy.
Switch to use armv5 builtin kernel that already provides entropy for all
lua tests.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/269139374
https://gitlab.com/buildroot.org/buildroot/-/jobs/269139376

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Francois Perrad <francois.perrad@gadz.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eb6b0fd87a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-16 14:09:58 +02:00
Ricardo Martincoski
e8335c0097 support/testing: provide entropy to perl tests
Newer versions of perl-io-socket-ssl require entropy.
Switch to use armv5 builtin kernel that already provides entropy for all
perl tests.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/269139402

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Francois Perrad <francois.perrad@gadz.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a565917046)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-16 14:07:04 +02:00
Ricardo Martincoski
f650b34ca4 support/testing: add builtin armv5 kernel 4.19 with entropy
More and more packages being tested by the test infra, e.g. syslog-ng,
need entropy at startup, usually reading from /dev/random.

Some test cases can also depend on a kernel version newer than the
builtin ones already provided by the test infra:
 - 3.11.0 for armv5;
 - 4.0.0 for armv7.

Add a new builtin kernel to be used by such test cases.
Add it for armv5 so most test cases that switch to use this kernel can
keep using BASIC_TOOLCHAIN_CONFIG.
Use the same kernel version and kernel config as qemu_arm_versatile plus
HW_RANDOM_VIRTIO for VirtIORNG to be usable.
Copy the actual binary file from the syslog-ng runtime test at current
master @ 29e1cb8884.

Since there is already a 'kernel-versatile' file on autobuild.buildroot.net
and we must keep it with this name for reproducibility purposes, create a
simple naming convention for newer builtin kernel images and dtb files:
kernel-<defconfig>-<kernel_series_version>
<dtb_name>-<kernel_series_version>.dtb
Pass '-device virtio-rng-pci' to qemu when this kernel is used.

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: use this new kernel instead of the old builtin/armv5 kernel]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7acb32dabb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-16 14:03:12 +02:00
Peter Korsgaard
d371c87626 package/cups-filters: fix ln -r workaround for older patch versions
Fixes:
http://autobuild.buildroot.net/results/d06/d06f908cbe80340312bdfe1b75cb577b68cd46d8/

0001-install-support-old-ln-versions-without-the-r-option.patch adds a
ln-srf script for older distributions to emulate 'ln -r', but GNU patch <
2.7 does not handle the git patch permission extensions - So ensure it is
executable.

https://savannah.gnu.org/forum/forum.php?forum_id=7361

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-05 08:02:29 +02:00
Giulio Benetti
5ef39137f1 toolchain: introduce BR2_TOOLCHAIN_HAS_GCC_BUG_68485
GCC hangs while building brotli for the Microblaze Arch:
http://autobuild.buildroot.net/results/d86/d86251974a0a348a64d9a1d1fd7d02dd4aff0792/

Originally reported for gpsd:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68485

Still not fixed. Every Microblaze Gcc version up to and including 9.1
is affected.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 42fc571bca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-04 21:02:12 +02:00
Peter Korsgaard
4564d8f397 Update for 2019.02.6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-03 17:10:38 +02:00
Peter Korsgaard
9ae7501c92 package/mongodb: security bump to version 4.0.12
Fixes the following (low severity) security vulnerabilities:

4.0.9:

- CVE-2019-2386: After user deletion in MongoDB Server the improper
  invalidation of authorization sessions allows an authenticated user's
  session to persist and become conflated with new accounts, if those
  accounts reuse the names of deleted ones
  https://jira.mongodb.org/browse/SERVER-38984

4.0.11:

- CVE-2019-2389: Incorrect scoping of kill operations in MongoDB Server's
  packaged SysV init scripts allow users with write access to the PID file
  to insert arbitrary PIDs to be killed when the root user stops the MongoDB
  process via SysV init
  https://jira.mongodb.org/browse/SERVER-40563

- CVE-2019-2390: An unprivileged user or program on Microsoft Windows which
  can create OpenSSL configuration files in a fixed location may cause
  utility programs shipped with MongoDB server versions less than 4.0.11
  https://jira.mongodb.org/browse/SERVER-42233

Plus a number of other bugfixes. For details, see the release notes:
https://docs.mongodb.com/manual/release-notes/4.0/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 165e9c163c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 21:32:01 +02:00
Bernd Kuhls
838637cc2c package/putty: security bump version to 0.73
Added upstream-provided sha1 hash.

Changelog:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 71d2911e26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 18:03:37 +02:00
Baruch Siach
4477836160 package/putty: bump to version 0.72
Drop upstream patches.

Remove autoreconf; we no longer patch configure.ac.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2047dd9d22)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 18:03:29 +02:00
Peter Korsgaard
4899b7526c {linux, linux-headers}: bump 4.19.x / 5.{2, 3}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 04e9fdb1c6)
[Peter: drop 5.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 18:01:49 +02:00
André Hentschel
adf5f6c9af DEVELOPERS: remove myself from azure-iot-sdk-c
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fbc54866a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 17:50:21 +02:00
Peter Korsgaard
442fefbacf package/go: add Debian backport of upstream security fix
Fixes the following security vulnerability:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  https://github.com/golang/go/issues/34540

Upstream has not provided a go 1.11.x release with a fix for this, so
instead include the Debian backport of the upstream security fix from:

https://sources.debian.org/src/golang-1.11/1.11.6-1+deb10u2/debian/patches/0007-Fix-CVE-2019-16276.patch/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 17:44:41 +02:00
Julien Béraud
90d8317a94 qt5base: Add patch to fix compile issue with gcc9
Fixes an issue when building Qt5 on a machine that has gcc9 as the
system compiler.

Original commit in qt5base:
a52d7861ed

Signed-off-by: Julien Beraud <julien.beraud@orolia.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: drop patch number]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-01 23:49:53 +02:00
Jagan Teki
097f80cdd7 package/swupdate: fix typo in BR2_PACKAGE_LIBCURL in the help text
Config.in documented BR2_LIBCURL for swupdate but the actual
package name is BR2_PACKAGE_LIBCURL

Fix by updating the same in Config.in

Cc: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5abe6f2bf7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-01 11:45:10 +02:00
Yegor Yefremov
58f9faa8ca configs/beaglebone_defconfig: use default console device
OMAP kernels use 8250 driver by default. Hence the name of
the console device is not /dev/ttyO0 but /dev/ttyS0.
Use /dev/console in order to handle the console independently
of the selected driver.

Tested in BeagleBone Black board.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 68b5b79b2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-01 11:44:43 +02:00
Bernd Kuhls
f1964cb01d {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 80d32c942a)
[Peter: drop 5.2.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-01 11:39:28 +02:00