Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ab6dbf1c9f)
[Peter: drop 5.11.x/5.12.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security
========
* sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
option was enabled with a set of patterns that activated logging
in code that runs in the low-privilege sandboxed sshd process, the
log messages were constructed in such a way that printf(3) format
strings could effectively be specified the low-privilege code.
An attacker who had sucessfully exploited the low-privilege
process could use this to escape OpenSSH's sandboxing and attack
the high-privilege process. Exploitation of this weakness is
highly unlikely in practice as the LogVerbose option is not
enabled by default and is typically only used for debugging. No
vulnerabilities in the low-privilege process are currently known
to exist.
https://www.openssh.com/txt/release-8.6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 12916827e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️selinuxproject:refpolicy is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aselinuxproject%3Arefpolicy
Indeed, cpe:2.3🅰️tresys:refpolicy has been deprecated since April 21th:
<cpe-item name="cpe:/a:tresys:refpolicy:2.20180701" deprecated="true" deprecation_date="2021-04-21T16:55:43.710Z">
<title xml:lang="en-US">Tresys refpolicy 2.20180701</title>
<reference href="https://github.com/TresysTechnology/refpolicy">Product</reference>
<cpe-23:cpe23-item name="cpe:2.3🅰️tresys:refpolicy:2.20180701:*:*:*:*:*:*:*">
<cpe-23:deprecated-by name="cpe:2.3🅰️selinuxproject:refpolicy:2.20180701:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bf1925cb97)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add two upstream patches fixing host gcc-11.x compile.
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13806
In file included from ../include/pthread.h:1,
from ../sysdeps/nptl/thread_db.h:25,
from ../nptl/descr.h:32,
from ../sysdeps/x86_64/nptl/tls.h:130,
from ../sysdeps/generic/libc-tsd.h:44,
from ./localeinfo.h:224,
from programs/ld-ctype.c:37:
../sysdeps/nptl/pthread.h:734:47: error: argument 1 of type ‘struct __jmp_buf_tag *’ declared as a pointer [-Werror=array-parameter=]
734 | extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
| ~~~~~~~~~~~~~~~~~~~~~~^~~~~
In file included from ../include/setjmp.h:2,
from ../nptl/descr.h:24,
from ../sysdeps/x86_64/nptl/tls.h:130,
from ../sysdeps/generic/libc-tsd.h:44,
from ./localeinfo.h:224,
from programs/ld-ctype.c:37:
../setjmp/setjmp.h:54:46: note: previously declared as an array ‘struct __jmp_buf_tag[1]’
54 | extern int __sigsetjmp (struct __jmp_buf_tag __env[1], int __savemask) __THROWNL;
| ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4174f79a57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build is broken since bump of libxml2 to version 2.9.11 in commit
a241dcec41 because libxslt calls the
following command "${XML_CONFIG} --libs print" which will return an
error code since
2a357ab99e
Fixes:
- http://autobuild.buildroot.org/results/47ceb8c24c9ead8a450b7fea3266f760d6b77b4f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7320e5dd62)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-32918: DoS via insufficient memory consumption controls
It was discovered that default settings leave Prosody susceptible to
remote unauthenticated denial-of-service (DoS) attacks via memory
exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
and recommended Lua version for Prosody 0.11.x series.
- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
consumption
It was discovered that Prosody does not disable SSL/TLS renegotiation,
even though this is not used in XMPP. A malicious client may flood a
connection with renegotiation requests to consume excessive CPU resources
on the server.
- CVE-2021-32921: Use of timing-dependent string comparison with sensitive
values
It was discovered that Prosody does not use a constant-time algorithm for
comparing certain secret strings when running under Lua 5.2 or later.
This can potentially be used in a timing attack to reveal the contents of
secret strings to an attacker.
- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
configuration
mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
the transfer of files and other data between XMPP clients.
It was discovered that the proxy65 component of Prosody allows open access
by default, even if neither of the users have an XMPP account on the local
server, allowing unrestricted use of the server’s bandwidth.
- CVE-2021-32919: Undocumented dialback-without-dialback option insecure
The undocumented option ‘dialback_without_dialback’ enabled an
experimental feature for server-to-server authentication. A flaw in this
feature meant it did not correctly authenticate remote servers, allowing a
remote server to impersonate another server when this option is enabled.
For more details, see the advisory:
https://prosody.im/security/advisory_20210512/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9c108afab8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Extend docker_compose_test() to expose /bin on the host to the container
through a volume mount and verify that /bin/busybox can be downloaded and
contains the right data.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aa31d10808)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Extend docker_test() to expose a random (8888) port to verify that doesn't
fail, and extend the docker-compose test to run the busybox httpd in the
background, expose that as port 80 and verify that /etc/resolv.conf could be
fetched by wget.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4915b692c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docker-engine 20.10.6 broke container port forwarding for hosts without IPv6
support:
docker: Error response from daemon: driver failed programming external
connectivity on endpoint naughty_moore
(038e9ed4b5ea77e1c52462d6d04ad001fbad9beb185a6511aadc217c8a271608): Error
starting userland proxy: listen tcp6 [::]:80: socket: address family not
supported by protocol.
Add a libnetwork patch from an upstream pull request to fix this, after
adjusting the patch to apply to docker-engine (which has libnetwork vendored
under vendor/github.com/docker/libnetwork):
- https://github.com/moby/libnetwork/pull/2635,
- https://github.com/moby/moby/pull/42322
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2fd33900f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-28899: Vulnerability in the
AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession,
and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession
subclasses in Networks LIVE555 Streaming Media before 2021.3.16.
http://live555.com/liveMedia/public/changelog.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ad1c7f12e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6c1151936)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenTyrian was previously managed in a Mercurial repository hosted on
Bitbucket. Mid-2020, Bitbucket shut off all its Mercurial repositories:
https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket
Since then, OpenTyrian's source code is inacessible, but we have had no
build failure associated as there is an old archive hosted on s.b.o, so
that all builds fallback to downloading that:
http://sources.buildroot.net/opentyrian/opentyrian-9c9f0ec3532b.tar.gz
However, the project has been revived (kinda) on github:
https://github.com/opentyrian/opentyrian
Git commit cf5dbeb69eebd9ef9afc4473088d9469b79589eb has been found to
be the closest, both in content and date, to the Mercuail reference
9c9f0ec3532b we were using. The only deltas are in Mercurial-specific
files:
b/.hg_archival.txt | 5 0 5 0 -----
b/.hgtags | 2 1 1 0 +-
2 files changed, 1 insertion(+), 6 deletions(-)
While at it, add a hash file.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Julien Boibessot <julien.boibessot@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 64e7c63528)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The comment dependencies need to be the inverse of the package
dependencies (fixes comment shown in menuconfig even if the package
is available).
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 03a8d70f52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update libxml2 to version 2.9.11, which incorporates all the patches
carried by Buildroot (which are hence removed), and includes fixes for
CVE-2020-7595, CVE-2019-20388, CVE-2020-24977, and CVE-2021-3541 (at
least), as per
https://gitlab.gnome.org/GNOME/libxml2/-/issues/186#note_1104945
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a241dcec41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/cf7c4f360f5464c700788cc8299fd086544c80e8/build-end.log
Older GNU make versions don't like the explicit undefine. It isn't really
needed as ifdef handles undefined and defined-to-the-empty-string the same
way, so just drop the undefine logic.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8a1301e81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
