Fixes the following security vulnerabilities:
CVE-2024-52531: GNOME libsoup before 3.6.1 allows a buffer overflow in
applications that perform conversion to UTF-8 in
soup_header_parse_param_list_strict. Input received over the network cannot
trigger this.
https://www.cve.org/CVERecord?id=CVE-2024-52531
CVE-2024-52532: GNOME libsoup before 3.6.1 has an infinite loop and memory
consumption during the reading of certain patterns of WebSocket data from
clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
Changelog: https://gitlab.gnome.org/GNOME/libsoup/-/blob/3.6.1/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b9120736a7e1e6c6e685d70a5a93e4d861422d70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit adds a patch, which is already in Debian, fixing the build
with gcc 14.x:
/home/autobuild/autobuild/instance-7/output-1/build/host-cdrkit-1.1.11/genisoimage/genisoimage.c:1509:17: error: implicit declaration of function 'parse_checksum_algo' [-Wimplicit-function-declaration]
1509 | if (parse_checksum_algo(optarg, &checksum_algo_iso))
| ^~~~~~~~~~~~~~~~~~~
make[3]: *** [genisoimage/CMakeFiles/genisoimage.dir/build.make:76: genisoimage/CMakeFiles/genisoimage.dir/genisoimage.o] Error 1
Fixes:
http://autobuild.buildroot.net/results/a9cca8da22774ecafdbb382697aae71f78e348f4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0a0de4d86cd1fbeb5ff0439259b297756b3a5d98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 347def2fd1f062be5d335d06aaaec577c5fa1d68)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2024-53907: Potential denial-of-service in
django.utils.html.strip_tags()
The strip_tags() method and striptags template filter are subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is
subject to SQL injection if untrusted data is used as a lhs value.
Applications that use the jsonfield.has_key lookup through the __ syntax are
unaffected.
https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
CVE-2024-46901: mod_dav_svn denial-of-service via control characters in
paths
It has been discovered that the patch for CVE-2013-1968 was incomplete
and unintentionally left mod_dav_svn vulnerable to control characters
in filenames.
https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
Subversion 1.14.4 also fixed a Windows-only vulnerability:
https://subversion.apache.org/security/CVE-2024-45720-advisory.txt
For change log, see:
https://svn.apache.org/repos/asf/subversion/tags/1.14.5/CHANGES
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to change log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9975d28aa3ffbda2b727979b2e322fc8986d6d1b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://lists.gnu.org/archive/html/bug-wget/2024-11/msg00002.html
Fixes the following vulnerabilities:
- CVE-2024-38428: url.c in GNU Wget through 1.24.5 mishandles semicolons in
the userinfo subcomponent of a URI, and thus there may be insecure
behavior in which data that was supposed to be in the userinfo
subcomponent is misinterpreted to be part of the host subcomponent.
https://nvd.nist.gov/vuln/detail/CVE-2024-38428
- CVE-2024-10524: Applications that use Wget to access a remote resource
using shorthand URLs and pass arbitrary user credentials in the URL are
vulnerable. In these cases attackers can enter crafted credentials which
will cause Wget to access an arbitrary host.
https://www.openwall.com/lists/oss-security/2024/11/18/6
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 295b2c4f8ecaf0b6e03725a6c8412795e91888c8)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The nettle package is distributed on the GNU project servers. See [1]
and [2]. Buildroot has the BR2_GNU_MIRROR configuration which can
be used for that purpose. See [3].
For consistency with all other GNU packages, this commit updates
the _SITE to use BR2_GNU_MIRROR.
Note: the nettle _SITE was updated to ftp.gnu.org in commit [4].
[1] https://www.lysator.liu.se/~nisse/nettle/
[2] https://www.gnu.org/prep/ftp.html
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2024.08.2/Config.in#L286
[4] 92f0ef5eaa
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 9ccc0f5642cf173bcc8d51f778331acfea9dbde8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The freeipmi package is distributed on the GNU project servers.
See [1] and [2]. Buildroot has the BR2_GNU_MIRROR configuration
which can be used for that purpose. See [3].
For consistency with all other GNU packages, this commit updates
the _SITE to use BR2_GNU_MIRROR.
[1] https://www.gnu.org/software/freeipmi/download.html
[2] https://www.gnu.org/prep/ftp.html
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2024.08.2/Config.in#L286
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit bfa2dbc2d679b88d8166359ec916590050fb5802)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The octave package is distributed on the GNU project servers. See [1]
and [2]. Buildroot has the BR2_GNU_MIRROR configuration which can
be used for that purpose. See [3].
For consistency with all other GNU packages, this commit updates
the _SITE to use BR2_GNU_MIRROR.
[1] https://www.octave.org/download
[2] https://www.gnu.org/prep/ftp.html
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2024.08.2/Config.in#L286
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit b0a1b0bab1238271ca99d6a453101d6b128b027a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As explained on [1], the primary GNU mirrors URL is https.
This commit updates BR2_GNU_MIRROR to switch to it.
[1] https://www.gnu.org/prep/ftp.html
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 0f9da3934b9fc1425db49526ab7735a601ac1edb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The grub2 package is distributed on the GNU project servers. See [1]
and [2]. Buildroot has the BR2_GNU_MIRROR configuration which can
be used for that purpose. See [3].
For consistency with all other GNU packages, this commit updates
the _SITE to use BR2_GNU_MIRROR.
Note: Commit [4] introduced the grub2 package using BR2_GNU_MIRROR.
Commit [5] changed it to use "http://ftp.gnu.org/gnu/grub" without
providing a justification for that change.
[1] https://www.gnu.org/software/grub/grub-download.html
[2] https://www.gnu.org/prep/ftp.html
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2024.08.2/Config.in#L286
[4] c24fdb3680
[5] 5ffafd2353
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 51858c4a34f73c52ac9ff36ba7facf8a8ab9b711)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The bc package is distributed on the GNU project servers. See [1]
and [2]. Buildroot has the BR2_GNU_MIRROR configuration which can
be used for that purpose. See [3].
For consistency with all other GNU packages, this commit updates
the _SITE to use BR2_GNU_MIRROR.
As a side note, the bc package was introduced a long time ago using
BR2_GNU_MIRROR. See [4]. It was then updated to an alpha version
in [5]. When the alpha version was no longer needed, it was switched
to the main GNU download server in [6].
[1] https://www.gnu.org/software/bc/
[2] https://www.gnu.org/prep/ftp.html
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2024.08.2/Config.in#L286
[4] c95dcd4645
[5] 1faa7c344e
[6] ed7572cc7f
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 2956a3921548921adb5472e092901ff9d9861333)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the
mapped IPv4 address value for deciding properties. Properties which have
their behavior fixed are is_multicast, is_reserved, is_link_local,
is_global, and is_unspecified.
https://github.com/python/cpython/issues/122792
CVE-2024-9287, gh-124651: Properly quote template strings in venv activation
scripts.
https://github.com/python/cpython/issues/124651
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 21e5a9a96b1c25a7d3a5e92fd405afb6aafde605)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2e8cd8199c5024cf419336d509c8714cf560e8b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0c6b8c989fcca8d057f7598f28eff377a018ed2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 900bf91d104d412853ccc6970cad752c3d217699)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 34c671688741410a4eb4d83b38874dee00e9ebb9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9a46343df311961a8efb2a5e75c179eaa40b9a59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit aca49ab538f07b77aa57b9940b78239544dd256f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ee93f20f96b2f27ef4c512bf591f55ed4518b82a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 10c218ea7805c0384cf28ab95350dcc2dd821f79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a4b0ba45a27aa8af4951aa52cdc9d5df59a41338)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ba08a37af572397aef2b38de8f45381d12f7f441)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bd1f401ecda59758a1a9dea5dbcea64c487d736c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2b51fbdc6abfffa98e9dd7d410e803744c08aaa9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 86a5b45755fbd1b238426e045982d5e56ad6b9a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e2f44b50602e51a3d279dbaa465093537a313638)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d6586d37ba4a155c7325b758217b7ad3a4fd4d5f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b253ae3054b8b21238e2f57803f780e7bc04daf1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b2d2ea4300520dcf88fd3efbfcacbe228058439e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f76956eac4ad711640993e7a3e1f1e7bc33de014)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a268afeb656109c89e06f08d23d389c658b254f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Found by codespell.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fa1a6177dd092f2bc614d8f491ff6890952233eb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.22.9 (released 2024-11-06) includes fixes to the linker.
go1.22.10 (released 2024-12-03) includes fixes to the runtime and the
syscall package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.22.8 (released 2024-10-01) includes fixes to cgo, maps, and syscall.
https://go.dev/doc/devel/release#go1.22.8
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 800ec5dd7f8087622fdd5ea0294c0cfad58ebb6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/1959614f6ad63878c390a23770a6778830d6c698/
The tarball downloaded from codeberg has changed. Interestingly enough, it is
only the compression that has changed; the uncompressed data is still
identical:
mkdir s.b.o codeberg
wget -P codeberg https://codeberg.org/dnkl/foot/archive/1.16.2.tar.gz
wget -P s.b.o http://sources.buildroot.org/foot/1.16.2.tar.gz
sha256sum */*
0e02af376e5f4a96eeb90470b7ad2e79a1d660db2a7d1aa772be43c7db00e475 codeberg/1.16.2.tar.gz
8060ec28cbf6e2e3d408665330da4bc48fd094d4f1265d7c58dc75c767463c29 s.b.o/1.16.2.tar.gz
gunzip */*
sha256sum */*
7b9fad0611c75d6ba8f53d12ad1366d53c8697240031a5b27334d173b76560fe codeberg/1.16.2.tar
7b9fad0611c75d6ba8f53d12ad1366d53c8697240031a5b27334d173b76560fe s.b.o/1.16.2.tar
Looking at the autobuilder history, this seems to have changed in
January/February, e.g. on January 20th the file hash was correct:
http://autobuild.buildroot.net/results/d4b90a505a035d9bab400ed65f94571854f74f24/
But on February 14th it wasn't:
http://autobuild.buildroot.net/results/2ff85fe3fba2d36c7f0358f2ce43e703aef5f4f0/
This was unfortunately only noticed once we started doing builds without the
s.b.o fallback. To fix it, change to a git clone instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28c982b5f4ea6f4e619ab02ab62407d764f7d9f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>