Open-source software for volunteer computing and grid computing.
Use the idle time on your computer to cure diseases, study global
warming, discover pulsars, and do many other types of scientific
research.
https://boinc.berkeley.edu
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Bernd:
- bumped to version 7.8.3
- removed patches which where applied upstream
- added myself to DEVELOPERS as well]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Upstream socat2 branch seems to be dead. Last commit is from January
2016 . Over the last few years socat2 received only fixes cherry picked
from the master 1.x branch. Most major general purpose distros only
package socat 1.x.
Drop the threads dependency; not needed for 1.x.
Mention the OpenSSL exception in the license. Add hashes for license
files.
Correct the autoconf comment. The tarball configure script is recent
enough. But since we patch configure.in and Makefile.in we still need to
autoconf.
All patches we carry for socat2 are also needed for socat 1.x.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
glibc upstream has ruled against doing regular point-releases, but they
do have a lot of interesting and important fixes for regressions and
security.
Backporting each patch, or cherry-picking individual patches is off
limits for us, so we just switch to using the currently-latest HEAD of
the maintenance branch instead.
The version number is obtained with:
$ git describe --match 'glibc-*' --abbrev=40 origin/release/2.26/master
The alternative options were:
- download the tarball from the git tree
--> does not work; not an option
- download the 2.26 tarball, and bundle the individual patches in
Buildroot
--> maintenance of patches is a burden; not an option
- download the 2.26 tarball, maintain the list of patches to download from
the git tree
--> not an option for the same reason
So we end up just doing a git clone. The git tree is today about ten
times the size of the tarball, so a rough estimate makes it at about ten
times the download time.
Also upstream doesn't officially provide an https download location [1].
There is one but it's not reliable, sometimes the connection time out and
end-up with a corrupted git repo:
fatal: unable to access 'https://sourceware.org/git/glibc.git/': Failed to connect to sourceware.org port 443: Connection timed out
So switch to using a git mirror from github which is updated once a day [2].
This allow at the same time to clone the git repository faster.
Note: The glibc 2.26 patches are not kept for the arc toolchain since they
are fixing an issue with the new float128 support introduced in x86, x86_64
and powerpc64le.
[1] https://sourceware.org/git/?p=glibc.git;a=summary
[2] https://github.com/bminor/glibc.git
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Evgeniy Didin <didin@synopsys.com>
CC: Alexey Brodkin <abrodkin@synopsys.com>
[Romain: bump 4b692dffb95ac4812b161eb6a16113d7e824982e]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr: update comment to never decide on the mirror]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
All of the help messages come from http://www.boost.org/doc/libs/1_65_1/
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 05a2e38af2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reorganize so the optional composer option for the qt5wayland package shows up
as an indented option.
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2017-13089: The http.c:skip_short_body() function is called in some
circumstances, such as when processing redirects. When the response is sent
chunked, the chunk parser uses strtol() to read each chunk's length, but
doesn't check that the chunk length is a non-negative number. The code then
tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but
ends up passing the negative chunk length to connect.c:fd_read(). As
fd_read() takes an int argument, the high 32 bits of the chunk length are
discarded, leaving fd_read() with a completely attacker controlled length
argument.
CVE-2017-13090: The retr.c:fd_read_body() function is called when processing
OK responses. When the response is sent chunked, the chunk parser uses
strtol() to read each chunk's length, but doesn't check that the chunk
length is a non-negative number. The code then tries to read the chunk in
pieces of 8192 bytes by using the MIN() macro, but ends up passing the
negative chunk length to retr.c:fd_read(). As fd_read() takes an int
argument, the high 32 bits of the chunk length are discarded, leaving
fd_read() with a completely attacker controlled length argument. The
attacker can corrupt malloc metadata after the allocated buffer.
Drop now upstreamed patch and change to .tar.lz as .tar.xz is no longer
available.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes; mostly for crashes and rendering issues, plus
one important fix for the layout or Arabic text.
Release notes:
https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html
Even though an acconpanying security advisory has not been published
for this release, the release contains fixes for several crashes (one
of them for the decoder of the very common GIF image format), which
arguably can be considered potential security issues.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH
before 7.6 does not properly prevent write operations in readonly mode,
which allows attackers to create zero-length files.
For more details, see the release notes:
https://www.openssh.com/txt/release-7.6
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3.2.11 fixes important issues. From the release notes:
================================================================================
Redis 3.2.11 Released Thu Sep 21 15:47:53 CEST 2017
================================================================================
Upgrade urgency HIGH: Potentially critical bugs fixed.
AOF flush on SHUTDOWN did not cared to really write the AOF buffers
(not in the kernel but in the Redis process memory) to disk before exiting.
Calling SHUTDOWN during traffic resulted into not every operation to be
persisted on disk.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-2888 - An exploitable integer overflow vulnerability exists
when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can
cause an integer overflow resulting in too little memory being allocated
which can lead to a buffer overflow and potential code execution. An
attacker can provide a specially crafted image file to trigger this
vulnerability.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/d59/d5992dcc9a49ee77afaebdcc9448ac1868fa7de1/http://autobuild.buildroot.net/results/e89/e894f21ce1983ee3bd8d65a8e59e1adab9a62707/
The configure script automatically enables support for the raspberry pi
video backend if it detects the rpi-userland package. Unfortunately it
hardcodes a number of include/linker paths unsuitable for cross compilation,
breaking the build:
if test x$enable_video = xyes -a x$enable_video_rpi = xyes; then
..
RPI_CFLAGS="-I/opt/vc/include -I/opt/vc/include/interface/vcos/pthreads -I/opt/vc/include/interface/vmcs_host/linux"
RPI_LDFLAGS="-L/opt/vc/lib -lbcm_host"
fi
So explicitly disable it until the configure script is fixed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a regression introduced in 8.8.0.
See https://nodejs.org/en/blog/release/v8.8.1/
Peter: apply on top of 8.8.0, mention that it fixes regression]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <<a href="mailto:peter@korsgaard.com">peter@korsgaard.com</a>><br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump version to 2.6.0.1 and refresh patches.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
(a) When installing themes with unterminated colour formatting
sequences, Irssi may access data beyond the end of the
string. (CWE-126) Found by Hanno Böck.
CVE-2017-15228 was assigned to this issue.
(b) While waiting for the channel synchronisation, Irssi may
incorrectly fail to remove destroyed channels from the query list,
resulting in use after free conditions when updating the state
later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)
CVE-2017-15227 was assigned to this issue.
(c) Certain incorrectly formatted DCC CTCP messages could cause NULL
pointer dereference. Found by Joseph Bisch. This is a separate,
but similar issue to CVE-2017-9468. (CWE-690)
CVE-2017-15721 was assigned to this issue.
(d) Overlong nicks or targets may result in a NULL pointer dereference
while splitting the message. Found by Joseph Bisch. (CWE-690)
CVE-2017-15723 was assigned to this issue.
(e) In certain cases Irssi may fail to verify that a Safe channel ID
is long enough, causing reads beyond the end of the string. Found
by Joseph Bisch. (CWE-126)
CVE-2017-15722 was assigned to this issue.
For more details, see the advisory:
https://irssi.org/security/irssi_sa_2017_10.txt
While we're at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 20b6624f4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>