Commit Graph

47005 Commits

Author SHA1 Message Date
Bernd Kuhls
0c5acbbcb6 package/php: security bump version to 7.3.9
Release notes: https://www.php.net/archive/2019.php#2019-08-29-1
Changelog: https://www.php.net/ChangeLog-7.php#7.3.9

Fixes CVE-2019-13224 & CVE-2019-13225:
https://bugs.mageia.org/show_bug.cgi?id=25380

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 19:42:57 +02:00
Bernd Kuhls
b6255a16ee {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 19:25:28 +02:00
Adrian Perez de Castro
c38766d6a6 package/wpewebkit: security bump to version 2.24.3
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669,
CVE-2019-8673, CVE-2019-8676, CVE-2019-8678, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, and CVE-2019-8690.

This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes are available at:

  https://wpewebkit.org/release/wpewebkit-2.24.3.html

The detailed security advisory can be found at:

  https://wpewebkit.org/security/WSA-2019-0004.html

Patch "0001-Build-failure-after-r243644-in-GTK-Li.patch" is now unneeded
because it is one of the build fixes included in this release.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 16:39:32 +02:00
Adrian Perez de Castro
046b09f776 package/webkitgtk: security bump to version 2.24.4
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.

This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:

  https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html

The detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2019-0004.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 16:34:39 +02:00
Peter Korsgaard
268bdf0360 configs/roseapplepi_defconfig: use gcc 7.x
The old 3.10.x based vendor kernel does not build correctly with gcc 8.x.

While there is basic s500 support in the mainline kernel, there is not yet a
mmc driver so it isn't quite a replacement yet.

Stick to the vender kernel for now and revert back to gcc 7.x, hopefully
mainline support will be more complete once gcc 7.x gets dropped.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 21:52:01 +02:00
Bernd Kuhls
09472e11dd package/x11r7/xfont_font-util: bump version to 1.3.2
Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:44:51 +02:00
Bernd Kuhls
53e1150671 package/x11r7/libxcb: bump version to 1.13.1
Upstream does not provide a sha512 hash anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:39:54 +02:00
Peter Korsgaard
cd8ab1853d Update for 2019.08-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:02:48 +02:00
Bernd Kuhls
77b2dd9a53 package/dovecot-pigeonhole: security bump version to 0.5.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html

Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
  NUL byte when scanning data in quoted strings, leading to out of
  bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:16:42 +02:00
Bernd Kuhls
4afd405eff package/dovecot: security bump version to 2.3.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html

Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:16:34 +02:00
Peter Korsgaard
e941599f69 package/python: add upstream security fix for CVE-2019-9740
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3.  CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 15:04:22 +02:00
Peter Korsgaard
a0b032ad85 package/qemu: security bump to version 3.1.1
Fixes the following security issues:

CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP).  The
code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in
usb_mtp_object_alloc, a classical TOCTTOU problem.  An attacker with write
access to the host filesystem shared with a guest can use this property to
navigate the host filesystem in the context of the QEMU process and read any
file the QEMU process has access to.  Access to the filesystem may be local
or via a network share protocol such as CIFS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 15:04:16 +02:00
Sørensen, Stefan
ca2dea3b75 package/openldap: security bump to version 2.4.48
Security fixes:
CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases
CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection

Full changelog:
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[Peter: fix sha256 hash line]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 23:19:40 +02:00
Bernd Kuhls
4e5e44278a package/intel-microcode: security bump version to 20190618
Release notes:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 23:07:55 +02:00
Peter Korsgaard
b907d344d8 package/mpg123: security bump to version 1.25.12
>From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
  (oss-fuzz-bug 15975). The earlier fix around the same location needed
  one thought more. Actually, another though was needed, oss-fuzz-bug 16009
  documents the incomplete fix.

- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
  de-unsyncing (oss-fuzz-bug 16050).

- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
  before deciding that separate -ldl is not needed).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 22:18:05 +02:00
Bernd Kuhls
ad9efda578 package/vlc: security bump version to 3.0.8
Release notes: https://www.videolan.org/developers/vlc-branch/NEWS

Fixes the following security bugs:
 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:45 +02:00
Bernd Kuhls
661949b3f5 package/libmodplug: bump version to 0.8.9
Needed for security bump of vlc to 3.0.8:
http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=48f014768dc22ecad23d0e9f53c38805a3aff832

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:38 +02:00
Baruch Siach
2604f55093 package/strace: disable for riscv32
strace does not support riscv32 yet.

https://lists.strace.io/pipermail/strace-devel/2019-August/009068.html

Fixes:
http://autobuild.buildroot.net/results/912776cc1da1719806058516a2cc2a47c8dbad9b/

Cc: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:05 +02:00
Bernd Kuhls
e7606d31f9 package/samba4: bump version to 4.10.7
Release notes of this bugfix release:
https://www.samba.org/samba/history/samba-4.10.7.html

Removed 0005-disable_gnutls_build_fix.patch, applied upstream:
https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=8128ceceb8702e596183dd509dd6f952a2f4efc2

Renumbered remaining patches.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:50:26 +02:00
Bernd Kuhls
914ba20600 package/clamav: security bump version to 0.101.4
Fixes CVE-2019-12900 and adds an additional fix for CVE-2019-12625.

Release notes:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:49:12 +02:00
Peter Korsgaard
24309ef4ab package/nginx: security bump to version 1.16.1
Fixes the following security issues:

       Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

For details, see the advisory:
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:48:20 +02:00
Romain Naour
295307700b package/gcc: allow uclibc only for gcc or1k (5.x)
uClibc doesn't build with the upstream binutils 2.32.x and gcc or1k
port due to the following error:

LD libuClibc-1.0.31.so
/opt/openrisc--uclibc--bleeding-edge-1/lib/gcc/or1k-buildroot-linux-uclibc/9.2.0/../../../../or1k-buildroot-linux-uclibc/bin/ld:
libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol
__syscall_error

See:
https://gitlab.com/kubu93/toolchains-builder/-/jobs/270854456

This error message come from a new check in binutils 2.32.x:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f2c1801f6255a3f9f483ae2f07c7d7da0ddae4af

This issue has been reported on the uClibc-ng mailing list:
https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001885.html

Since gcc 9.1 needs binutils 2.32.x or later to build successfully for
or1k, there is no binutils version left that can build gcc 9.1 and
uClibc.

For now, disable uClibc if gcc 9.1 is used for or1k.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
[Arnout: invert the logic, like in the rest of the file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-21 23:50:33 +02:00
Romain Naour
e0ba09768e package/gcc: gcc 9.x for or1k needs binutils >= 2.32
With binutils 2.30.x or 2.31.x, the assembler doesn't
support the code generated by gcc 9.1:

Error: junk at end of line `l.movhi r17,gotoffha(.LC0)'

gotoffha is supported by binutils since version 2.32 [1].
It was added by the ork1 gcc port merged into gcc 9.x [2].

So, for or1k we can select gcc 9.x only if binutils 2.32
(or later) is selected.

Tested using qemu_or1k_defconfig and selecting musl libc,
binutils 2.32 and gcc 9.1.

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=1c4f3780f7d939402cfe555007ebff45c8e38951
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=d61fdfe71cfd42aa6454f2267a48c97820918fe3

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
[Arnout: invert the logic, like in the rest of the file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-21 23:46:10 +02:00
Pierre-Jean Texier
1e4e7db74c package/libmicrohttpd: bump to version 0.9.66
See https://lists.gnu.org/archive/html/libmicrohttpd/2019-08/msg00000.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b4da9642c5)
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-21 23:12:15 +02:00
Arnout Vandecappelle (Essensium/Mind)
ac7d6c81f4 package/squid: remove trailing whitespace
Commit 7792c4f1bc introduced trailing whitespace. Remove it.

Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/276636839

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-21 22:44:42 +02:00
Fabrice Fontaine
7792c4f1bc package/squid: security bump to version 4.8
- Add a patch to fix cross-compilation
- Fix the following CVEs:
  - SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019
    Fixed from 4.8
    Multiple Cross-Site Scripting issues in cachemgr.cgi
  - SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019
    Fixed from 4.8
    Heap Overflow issue in HTTP Basic Authentication processing
  - SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019
    Fixed from 4.8
    Denial of Service in HTTP Digest Authentication processing
  - SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019
    Fixed from 4.8
    Denial of Service in HTTP Basic Authentication processing
  - SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019
    Fixed from 4.8
    Denial of Service issue in cachemgr.cgi

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 08:29:23 +02:00
Peter Korsgaard
f3221f1abf Update for 2019.08-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 14:39:52 +02:00
Peter Korsgaard
b84261e5ca package/go: bump version to 1.12.9
For post-1.12.8 fixes. From the release notes:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:22:33 +02:00
Peter Korsgaard
da3b34bd0a package/musl: add upstream security fixes for CVE-2019-14697
Fixes CVE-2019-14697: musl libc 1.1.23 and earlier x87 float stack imbalance

For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2019/08/05/6

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:21:19 +02:00
Thomas Petazzoni
1b5f961bcb package/gstreamer1/gst1-plugins-base: fix dispmanx option
There is a typo in the handling of the
BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_DISPMANX option: we're adding
dispmax to GST1_PLUGINS_BASE_WINSYS_LIST, which causes the following
build failure:

meson.build:1:0: ERROR: Options "dispmax" are not in allowed choices: "x11, wayland, win32, cocoa, dispmanx, viv-fb, gbm, auto"

We fix this by using the proper option name, "dispmanx" instead of the
slightly incorrect "dispmax".

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:20:12 +02:00
Thomas Petazzoni
939c0187ca package/quagga: unconditionally create /etc/quagga
/etc/quagga is listed in QUAGGA_PERMISSIONS, but is only created when
some of the quagga sub-options are enabled. When none of those
sub-options are enabled, /etc/quagga is not created, causing a build
failure when the filesystem images are created:

makedevs: line 1: recursive failed for /home/thomas/projets/outputs/quagga-minimal/build/buildroot-fs/tar/target/etc/quagga: No such file or directory

Since it is too cumbersome to maintain which sub-options exactly lead
to /etc/quagga being created, simply create /etc/quagga
unconditionally. It will simply be empty when the quagga package
doesn't install anything in it.

For the record, here is the list of files installed in /etc/quagga
when all quagga sub-options are enabled:

  bgpd.conf.sample bgpd.conf.sample2 isisd.conf.sample
  ospf6d.conf.sample ospfd.conf.sample pimd.conf.sample
  ripd.conf.sample ripngd.conf.sample vtysh.conf.sample
  zebra.conf.sample

Fixes:

  http://autobuild.buildroot.net/results/cdb66589909fd3996186f7db7d1f19a3b03d58a0/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:18:57 +02:00
Fabrice Fontaine
d7926d7cb5 package/giflib: add two upstream security fixes
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
  GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
  0.49.4, has a heap-based buffer overflow because a certain
  "Private->RunningCode - 2" array index is not checked. This will lead
  to a denial of service or possibly unspecified other impact.

- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
  triggers a divide-by-zero exception in the decoder function DGifSlurp
  in dgif_lib.c if the height field of the ImageSize data structure is
  equal to zero.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 23:46:55 +02:00
Fabrice Fontaine
cc3da232e4 package/libssh2: switch site to https://www.libssh2.org/download
As spotted by Danomi during review of "libssh2: security bump to version
1.9.0" (https://patchwork.ozlabs.org/patch/1148776), it seems that
the tarball from github and libssh2.org/download are not the same. One
of the difference is that LIBSSH2_VERSION in include/libssh2.h is set to
"1.9.0_DEV" in github tarball whereas it is set to "1.9.0" in
libssh2.org/download.

So switch site to https://www.libssh2.org/download to get "official"
release

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 23:45:45 +02:00
Peter Korsgaard
a8bdbef245 CHANGES: update with recent changes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 23:34:17 +02:00
Fabrice Fontaine
eee9112ac5 package/mpd: fix build on sparc
Fixes:
 - http://autobuild.buildroot.org/results/8d757c4390facade75dd6cef808ea6ead9798c12

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 22:54:02 +02:00
Thomas Petazzoni
350cb0d32e package/mesa3d: allow VC4 driver on all ARM platforms
In commit 3e5926555b ("package/{mesa3d,
mesa3d-headers}: bump version to 17.1.2"), the dependency of VC4 on
BR2_arm was changed to BR2_ARM_CPU_HAS_NEON, which the reasoning that
upstream commit
https://cgit.freedesktop.org/mesa/mesa/commit/?h=17.1&id=4d30024238efa829cabc72c1601beeee18c3dbf2
made NEON mandatory. However, this commit (including its commit log)
clearly shows that there is compile-time detection on whether you're
using ARMv6 or ARMv7, and simply says there is no runtime detection
for that (which usually isn't very important in the context of
Buildroot). So, the VC4 driver can be used on ARMv6
RaspberryPis. Therefore, this commit reverts to the BR2_arm
dependency.

Note: while there are some ARMv7 without NEONs, all ARMv7 RaspberryPi
platforms do have NEON, so the compile-time checks done in the VC4
driver are good enough.

Fixes:

  https://bugs.busybox.net/show_bug.cgi?id=12126

Cc: Sahaj Sarup <sahajsarup@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 22:52:47 +02:00
Thomas Petazzoni
589b8cb7e2 package/pigpio: install to staging
The pigpio package installs programs and libraries to target, but does
not install the libraries and its headers to staging, while they may
be used by other packages. Let's install them, as was requested in bug

Fixes:

  https://bugs.busybox.net/show_bug.cgi?id=11741

Cc: vishalbhalani89@gmail.com
Cc: ivan.nazarenko@gmail.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 22:33:39 +02:00
Peter Korsgaard
bd30a142c8 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 22:33:15 +02:00
Thomas Petazzoni
8b7ca5169d docs/website: move sponsors of past events to "past sponsors"
In this commit, we:

 - move the sponsors of the Buildroot Meeting at ELCE 2018 to "Past
   Sponsors"

 - move Scaleway, as a sponsor of Hackathon in Paris in 2018 to "Past
   Sponsors"

 - merge the Free Electrons and Bootlin entries together in "Past
   Sponsors"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 22:27:42 +02:00
Thomas Petazzoni
0116ce93a6 docs/website: announce Smile as sponsor for the next Buildroot meeting
Smile is going to provide the meeting room for the 3 days of our
meeting on October 25-27 in Lyon, France, right before the Embedded
Linux Conference Europe.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 22:27:42 +02:00
Arnout Vandecappelle (Essensium/Mind)
539f86571f dehydrated: critical bump to 0.6.5
On July 3, 2019, Let's Encrypt deployed new ACME server software that no
longer returns the 'id' field in the account information JSON.
Dehydrated relied on this field, even though it is not specified by RFC
8555. Because of this, dehydrated can no longer create a new account on
Let's Encrypt.

This was fixed by upstream commits be13dcd and 4f358e2. But the latter
broke ACMEv1 support so was fixed again in commit f60f2f8.

Cherry-picking this correctly is tricky, so instead just bump the
version. There are quite a few non-bugfix changes that are included this
way, but it's more risky to try to cherry-pick.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-19 19:09:22 +02:00
Adrian Perez de Castro
7fdf4f389e package/wpebackend-fdo: bump to version 1.2.2
This is a bugfix release which solves an underlinking issue, which would
prevent building in some situations (for example, when --no-undefined is
passed to the linker). Release notes:

  https://wpewebkit.org/release/wpebackend-fdo-1.2.2.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 15:59:02 +02:00
Adrian Perez de Castro
2da4cf6735 package/libwpe: bump to version 1.2.1
This is a bugfix release of libwpe, which fixes an issue with memory
allocation for the pasteboard, adds some missing Unicode-to-KeySym
conversions, and fixes a build issue. Full release notes:

  https://wpewebkit.org/release/libwpe-1.2.1.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 15:56:21 +02:00
Julien Grossholtz
6f337e09a5 configs/ts7680: bump Linux to 4.9, to fix build with gcc >= 8.x
The TS-7680 defconfig does not build with gcc 8.x and 9.x because it
uses an old 3.14 kernel. Technologic Systems, the board manufacturer
recently released an updated 4.9 based kernel on a separate repository
on github.

Bump the kernel release from 3.14.28 to 4.19.186 and update the linux
defconfig name as requested in the TS-7680 documentation [1].

[1] https://wiki.embeddedarm.com/wiki/TS-7680#Linux_4.9.y

Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 15:46:18 +02:00
Baruch Siach
33accec420 package/evtest: fix build with musl libc
Add a patch adding missing limits.h header include.

Fixes:
http://autobuild.buildroot.net/results/c5f1b95741b37f6d949b3407fff901a960c6b781/
http://autobuild.buildroot.net/results/b09a6b340f0a96081a55764b5dad0c2c31240cef/
http://autobuild.buildroot.net/results/90c7a092a5492699406d3f46e0039d253146b6b7/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-19 15:41:53 +02:00
Thomas Petazzoni
f6949cacfb configs/acmesystems_{aria,arietta}*: Linux kernel needs host-openssl
Since the bump of the Linux kernel version in the acmesystems
defconfigs in the following commits:

42ea31c114 configs/acmesystems_arietta_g25: bump Linux and AT91Bootstrap versions
ab10b5b3ee configs/acmesystems_aria_g25: bump Linux and AT91Bootstrap versions

The Linux kernel configuration in use needs host-openssl to build
successfully. This commit therefore adds the necessary
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y.

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/273673074 (acmesystems_arietta_g25_128mb_defconfig)
  https://gitlab.com/buildroot.org/buildroot/-/jobs/273673072 (acmesystems_aria_g25_128mb_defconfig)
  https://gitlab.com/buildroot.org/buildroot/-/jobs/273673075 (acmesystems_arietta_g25_256mb_defconfig)
  https://gitlab.com/buildroot.org/buildroot/-/jobs/273673073 (acmesystems_aria_g25_256mb_defconfig)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-18 21:56:28 +02:00
Fabrice Fontaine
dea6f1f303 package/libssh2: security bump to version 1.9.0
Fix CVE-2019-13115: In libssh2 before 1.9.0,
kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c
has an integer overflow that could lead to an out-of-bounds read in the
way packets are read from the server. A remote attacker who compromises
a SSH server may be able to disclose sensitive information or cause a
denial of service condition on the client system when a user connects to
the server. This is related to an _libssh2_check_length mistake, and is
different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-18 00:16:03 +02:00
Romain Naour
ac9c865a10 package/openblas: fix jaguar openblas target
In commit [1] Peter said he will use BOBCAT for
jaguar cpus. But JAGUAR was used instead.

Use BOBCAT as openblas target for JAGUAR cpus since
it is not listed in openblas's target list [2].

[1] 5e6fa93483
[2] https://github.com/xianyi/OpenBLAS/blob/release-0.3.0/TargetList.txt

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-18 00:03:57 +02:00
Fabrice Fontaine
e3f169fa78 package/libss7: add -fPIC
Fixes:
 - No autobuilder failures

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-17 22:27:52 +02:00
Fabrice Fontaine
fe9e709254 package/libpri: add -fPIC
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11961

[Retrieved (and updated to keep line under 80 characters) from:
https://bugs.buildroot.org/show_bug.cgi?id=11961]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-17 22:27:47 +02:00