pure-ftpd doesn't build with libressl 3.4.3 which doesn't include
f5674b4e23
resulting in the following build failure:
tls.c: In function 'tls_init_options':
tls.c:329:5: warning: implicit declaration of function 'SSL_CTX_set_num_tickets'; did you mean 'SSL_CTX_set_options'? [-Wimplicit-function-declaration]
SSL_CTX_set_num_tickets(tls_ctx, 0);
^~~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_options
Fixes:
- http://autobuild.buildroot.org/results/f5d36180949278510199aa499e253780558c6ffe
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By returning a failure in the event that the initial seed doesn't exist,
we'd then skip creating a new seed, which means we'd never in fact have
an initial seed, and this script is therefore useless. Fix this by
checking for the existence of the seed file first, and just returning 0
if it's not there.
Reported-by: Nicolas Cavallari <Nicolas.Cavallari@green-communications.fr>
Reported-by: Eugen Hristev <Eugen.Hristev@microchip.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
For more details, see the advisory:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
16.24.1:
CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message
The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious
remote party.
https://seclists.org/fulldisclosure/2022/Mar/0
CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
dialog set
When acting as a UAC, and when placing an outgoing call to a target that then
forks Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed.
https://seclists.org/fulldisclosure/2022/Mar/1
CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
SIP message
If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior. Note,
it’s currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out
of caution.
https://seclists.org/fulldisclosure/2022/Mar/2
16.25.2:
CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
large files
When using STIR/SHAKEN, it’s possible to download files that are not
certificates. These files could be much larger than what you would expect to
download.
https://seclists.org/fulldisclosure/2022/Apr/17
CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
Identity header
When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
interfaces such as localhost using the Identity header.
https://seclists.org/fulldisclosure/2022/Apr/18
CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection
Some databases can use backslashes to escape certain characters, such as
backticks. If input is provided to func_odbc which includes backslashes it
is possible for func_odbc to construct a broken SQL query and the SQL query
to fail.
https://seclists.org/fulldisclosure/2022/Apr/19
Update hash of sha1.c after a doxygen comment update:
37c29b6a28
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2022-1328: mutt_decode_uuencoded() can read past the of the input line
Buffer Overflow in uudecoder in Mutt affecting all versions starting from
0.94.13 before 2.2.3 allows read past end of input line
For details, see the release notes:
https://marc.info/?l=mutt-users&m=164979464612885&w=2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SPI unconditionally uses GPIOHANDLE_SET_LINE_VALUES_IOCTL which is only
available since kernel 4.8 and
d7c51b47ac
resulting in the following build failure since switch to upstream in
commit 03fa36df7e:
linuxspi.c: In function 'linuxspi_reset_mcu':
linuxspi.c:102:28: error: storage size of 'data' isn't known
struct gpiohandle_data data;
^~~~
linuxspi.c:110:32: error: 'GPIOHANDLE_SET_LINE_VALUES_IOCTL' undeclared (first use in this function)
ret = ioctl(fd_linehandle, GPIOHANDLE_SET_LINE_VALUES_IOCTL, &data);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/769021040e5e9293584734e4f461baeaa6dd91cd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
BR2_PACKAGE_WPA_SUPPLICANT_WIRED also enables the MACSEC_LINUX
driver. This driver requires libnl.
Also fix CONFIG_DRIVER_MACSEC option to enable only the generic
Linux driver and not QCA extensions.
Fixes:
http://autobuild.buildroot.net/results/2dea7dee521794b306cc610601fda322987e6cd0
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Reviewed-by: Sergey Matyukevich <geomatsi@gmail.com>
[Arnout: add Config.in comment, simplify CONFIG_ENABLE]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Update site to get latest version
- Switch to generic-package and drop patches as upstream doesn't provide
autotools support
- License is MIT since version 1.12.15
- This bump will fix the following build failure with BR2_OPTIMIZE_FAST:
src/sqlite3.c: In function 'sqlite3IsNaN':
src/sqlite3.c:21797:3: error: #error SQLite will not work correctly with the -ffast-math option of GCC.
21797 | # error SQLite will not work correctly with the -ffast-math option of GCC.
| ^~~~~
- This bump will also fix security issues by bumping sqlite to 3.36.0
- Update indentation in hash file (two spaces)
http://sqlitewrapper.kompex-online.com/index.php?content=changelog
Fixes:
- http://autobuild.buildroot.org/results/63e07345b97faa6d6239933f1790c6f2e02da77f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Internal bind libraries are not installed to target since commit
0c8dd6ebd6 resulting in the following
runtime failure:
Starting DHCP server: /usr/sbin/dhcpd: error while loading shared libraries: libirs.so.161: cannot open shared object file: No such file or directory
RANLIB must also be set to avoid the following build failure at install
step:
libtool: install: arceb-buildroot-linux-uclibc-ranlib /home/fabrice/buildroot/output/per-package/dhcp/target/usr/lib/libisccfg.a
/home/fabrice/buildroot/output/build/dhcp-4.4.3/bind/bind-9.11.36/libtool: line 1719: arceb-buildroot-linux-uclibc-ranlib: command not found
Fixes:
- No autobuilder failures (reported by Eugen.Hristev@microchip.com)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docker-proxy (libnetwork) has not added a release tag for a long time. Use
the latest master commit hash from 04 Apr 2022 instead.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-28544: SVN authz protected copyfrom paths regression
Subversion servers reveal 'copyfrom' paths that should be hidden according
to configured path-based authorization (authz) rules. When a node has
been copied from a protected location, users with access to the copy can
see the `copyfrom' path of the original. This also reveals the fact that
the node was copied. Only the 'copyfrom' path is revealed; not its
contents. Both httpd and svnserve servers are vulnerable.
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
- CVE-2022-24070: Subversion's mod_dav_svn is vulnerable to memory corruption
While looking up path-based authorization rules, mod_dav_svn servers may
attempt to use memory which has already been freed.
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
Drop no longer needed patch and autoreconf, as this is now fixed upstream:
https://svn.apache.org/viewvc?view=revision&revision=1881534
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2022-24765:
On multi-user machines, Git users might find themselves unexpectedly in
a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
for all users and another user created a repository in `/scratch/.git`.
Merely having a Git-aware prompt that runs `git status` (or `git diff`)
and navigating to a directory which is supposedly not a Git worktree, or
opening such a directory in an editor or IDE such as VS Code or Atom, will
potentially run commands defined by that other user via
`/scratch/.git/config`.
https://www.openwall.com/lists/oss-security/2022/04/12/7
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.9 (released 2022-04-12) includes security fixes to the
crypto/elliptic and encoding/pem packages, as well as bug fixes to the
linker and runtime.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Override CPPFLAGS to fix the following build failure with BR2_OPTIMIZE_0
raised since bump to version 0.14.0 in commit
cd707a9112 and
0e7b2b0300:
/home/autobuild/autobuild/instance-15/output-1/host/i686-buildroot-linux-gnu/sysroot/usr/include/features.h:412:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
configure adds -D_FORTIFY_SOURCE to CPPFLAGS if it is not already
defined. However, we don't want _FORTIFY_SOURCE to be enabled unless
it's enabled by Buildroot (for exactly the above reason). Therefore,
override CPPFLAGS in th build step to remove _FORTIFY_SOURCE again.
It should be noted that upstream already rejected a PR to remove
-Werror: https://github.com/smuellerDD/libkcapi/pull/132
Fixes:
- http://autobuild.buildroot.org/results/35141ea3046f5a4593e0b27ef92e4ace6bc0be66
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Drop patches that are now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
systemd doesn't plan to fix the following build failure with libressl
(https://github.com/systemd/systemd/issues/14928) and ED25519 support
is still not available in libressl
(https://github.com/libressl-portable/portable/issues/393 opened for
more than 3 years):
../src/home/homed-manager.c: In function ‘manager_generate_key_pair’:
../src/home/homed-manager.c:1393:35: error: ‘EVP_PKEY_ED25519’ undeclared (first use in this function); did you mean ‘EVP_PKEY_DSA1’?
1393 | ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
| ^~~~~~~~~~~~~~~~
| EVP_PKEY_DSA1
Fixes:
- http://autobuild.buildroot.org/results/47f31b36f123c4be4661f4fde2d1f7385c5d0ed5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Remove the hard coded disabling of altivec and vsx, and instead use the
BR2_POWERPC_CPU_HAS_VSX and BR2_POWERPC_CPU_HAS_ALTIVEC variables to
control the flags.
Signed-off-by: Joel Stanley <joel@jms.id.au>
[Arnout: rewrite with $(if ...) and --enable]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Set NSS_DISABLE_CRYPTO_VSX which is available since version 3.64 and
9dab43371d
to avoid the following build failure on powerpc:
cc1: warning: '-mvsx' requires hardware floating point
cc1: error: '-mno-vsx' turns off '-mcrypto'
Passing this option on non-powerpc is harmless.
Fixes:
- http://autobuild.buildroot.org/results/6bedb5b658f6c9c16c26c73a524a995e5e84fcc8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Introduced to allow VSX to be selectively enabled for packages that
support it. Initially used by libnss.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
zlib-ng's build system does not correctly detect if it supports the
Power8 feature. Force it off to fix building for configurations that
don't support the vector builtin functions.
For example, building for BR2_powerpc_601:
warning: implicit declaration of function ‘vec_xl’; did you mean
‘vec_rl’? [-Wimplicit-function-declaration]
93 | vbuf = vec_xl(0, (unsigned char *) buf);
This logic was incorrectly removed in commit 04e26cb7fe.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes:
cc1: error: ‘-fcf-protection’ is not compatible with this target
The new Ubuntu GCC packages (e.g. Ubuntu 11.2.0-7ubuntu2, 11.2.0) turn
on ‘-fcf-protection’ globally, which causes a build failure in the x86
realmode code. Turn it off explicitly on compilers that understand this
option.
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure raised since switch to meson-package in
commit 1db1322639 and
957a015157:
The following exception(s) were encountered:
Running "/home/autobuild/autobuild/instance-14/output-1/host/bin/or1k-buildroot-linux-musl-g++ --version" gave "[Errno 2] No such file or directory: '/home/autobuild/autobuild/instance-14/output-1/host/bin/or1k-buildroot-linux-musl-g++'"
Fixes:
- http://autobuild.buildroot.org/results/1d52c8100414aa384572b23006a13f9b806d2d5a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The wireplumber currently as "dbus" in its DEPENDENCIES, but it does
not select/depend on it at the Kconfig level. A simple configuration
such as:
BR2_PACKAGE_LUA=y
BR2_PACKAGE_PIPEWIRE=y
BR2_PACKAGE_WIREPLUMBER=y
Therefore fails to build with:
Makefile:576: *** dbus is in the dependency chain of wireplumber that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in. Stop.
Since dbus is actually an optional dependency of wireplumber, this
commit fixes the issue by really handling it as an optional
dependency.
Fixes: c9a3c10417 ("package/wireplumber: new package")
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Her e-mail address at Collabora is bouncing:
host bhuna.collabora.co.uk[/private/dovecot-lmtp] said: 550 5.1.1
<mylene.josserand@collabora.com> User doesn't exist: mylene.josserand@collabora.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currentlym this kernel module can be built by any architecture and this
leads to many failures. Since it's very unlikely that Mali will be part
of architectures other than AArch64 and arm let's depend on BR2_aarch64
and BR2_arm only.
Fixes:
http://autobuild.buildroot.net/results/f94885ef76865c3888d6cc52b35c93a742f92f3a
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Security vulnerabilies will be fixed by bumping internal bind from
9.11.14 to 9.11.36
- Drop patch (already in version)
- This bump will also fix the following build failure on platforms
without stdatomic lock free thanks to
261c84d91d
stats.c: In function 'setcounter':
stats.c:300:29: error: 'val' undeclared (first use in this function); did you mean 'value'?
300 | stats->counters[counter] = val;
| ^~~
| value
- Update hash of license file (ISC address updated and preamble removed:
429a56d73cee868403d0)
https://gitlab.isc.org/isc-projects/dhcp/-/blob/v4_4_3/RELNOTES
Fixes:
- http://autobuild.buildroot.org/results/e4d027b5bcda852d0b5a54035de5ed37499a4ef0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This is quite a version jump, so there are a lot of individual changes,
see: https://github.com/warmcat/libwebsockets/blob/v4.3.1/changelog
LICENSE has also changed:
- More items with license "MIT" were added:
- lib/misc/base64-decode.c
- lib/plat/windows/windows-resolv.c
- One more item with a 2-Clause BSD license was added:
- lib/misc/ieeehalfprecision.c
- Sublicense texts were copied into LICENSE
These should still be compatible with "MIT with exceptions" stated in
`libwebsockets.mk`.
Signed-off-by: Johannes Agricola <johannes.agricola@work-microwave.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Building gen tool of the internal (bundled) bind needs to be for host, not target
Switch to use internal build in commit 0c8dd6ebd6
overlooked this.
Building dns library in /home/autobuild/autobuild/instance-13/output-1/build/dhcp-4.4.2-P1/bind/bind-9.11.14/lib/dns
/bin/sh: line 1: ./gen: cannot execute binary file: Exec format error
Thus, we need to set not just CC, but also CFLAGS etc. otherwise the
target CFLAGS etc. will be inherited from top-level configure.
Fixes:
- http://autobuild.buildroot.org/results/da6fd904d1a6bae73b6ff89dd008de1f459bb7d7/
Signed-off-by: Tim Hammer <Tim.Hammer@orolia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure without NPTL raised since bump to
version 14.1 in commit c9bd029115 and
44bf3d5083:
In file included from pthread_barrier_wait.c:16:
../../src/include/port/pg_pthread.h:31:3: error: conflicting types for 'pthread_barrier_t'
31 | } pthread_barrier_t;
| ^~~~~~~~~~~~~~~~~
In file included from /home/autobuild/autobuild/instance-11/output-1/host/arc-buildroot-linux-uclibc/sysroot/usr/include/bits/uClibc_stdio.h:114,
from /home/autobuild/autobuild/instance-11/output-1/host/arc-buildroot-linux-uclibc/sysroot/usr/include/stdio.h:71,
from ../../src/include/c.h:59,
from pthread_barrier_wait.c:14:
/home/autobuild/autobuild/instance-11/output-1/host/arc-buildroot-linux-uclibc/sysroot/usr/include/bits/pthreadtypes.h:135:3: note: previous declaration of 'pthread_barrier_t' was here
135 | } pthread_barrier_t;
| ^~~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/70acbe121236ef0905c4466d4f7a0839723d2c49
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Set LSOF_AR and LSOF_CC to be able to drop first patch which is not
upstreamable: https://github.com/lsof-org/lsof/issues/197
$(TARGET_CONFIGURE_OPTS) must also be removed to avoid overriding AR
and so we can drop LSOF_CFLAGS_OVERRIDE=1 and third patch
DEBUG="$(TARGET_CFLAGS)" can also be dropped from LSOF_BUILD_CMDS as it
is already set in LSOF_CONFIGURE_CMDS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add quotes around TARGET_CC]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
- The rules for acceptance of records into the cache have been tightened to
prevent the possibility of poisoning if forwarders send records outside
the configured bailiwick. (CVE-2021-25220)
- TCP connections with keep-response-order enabled could leave the TCP
sockets in the CLOSE_WAIT state when the client did not properly shut down
the connection. (CVE-2022-0396)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with BR2_SHARED_STATIC_LIBS:
CMake Error at src/CMakeLists.txt:56 (add_library):
add_library cannot create target "belr" because another target with the
same name already exists. The existing target is a static library created
in source directory
Fixes:
- http://autobuild.buildroot.org/results/d1ef96c8f370b5a522985c37f1681dd10bbc15bb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: simplify/add comment explaining why]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
