Commit Graph

47196 Commits

Author SHA1 Message Date
Giulio Benetti
3c961b8e77 package/at: bump version
Mainly this allows to drop 3 patches because they have been upstreamed.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:41:10 +02:00
Giulio Benetti
95990d5481 DEVELOPERS: add Giulio Benetti to at package
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:40:59 +02:00
Petr Vorel
a465dd54fc package/ofono: bump to version 1.30
Removed included in 1.30, refresh patch.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:40:41 +02:00
Bernd Kuhls
53e1150671 package/x11r7/libxcb: bump version to 1.13.1
Upstream does not provide a sha512 hash anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:39:54 +02:00
Bernd Kuhls
1ca7cdc2bf package/vdr: bump version to 2.4.1
Release notes:
https://www.linuxtv.org/pipermail/vdr/2019-June/029497.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:38:40 +02:00
Bernd Kuhls
41f8c443b3 package/pngquant: bump version to 2.12.5
Upstream now provides a sha256 hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:34:46 +02:00
Bernd Kuhls
cea0941d1f package/libvpx: bump version to 1.8.1
Rebased patch.

Changelog: https://github.com/webmproject/libvpx/blob/master/CHANGELOG

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:33:30 +02:00
Peter Korsgaard
cd8ab1853d Update for 2019.08-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 23:02:48 +02:00
Bernd Kuhls
77b2dd9a53 package/dovecot-pigeonhole: security bump version to 0.5.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html

Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
  NUL byte when scanning data in quoted strings, leading to out of
  bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:16:42 +02:00
Bernd Kuhls
4afd405eff package/dovecot: security bump version to 2.3.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html

Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:16:34 +02:00
Peter Korsgaard
e941599f69 package/python: add upstream security fix for CVE-2019-9740
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3.  CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 15:04:22 +02:00
Peter Korsgaard
a0b032ad85 package/qemu: security bump to version 3.1.1
Fixes the following security issues:

CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP).  The
code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in
usb_mtp_object_alloc, a classical TOCTTOU problem.  An attacker with write
access to the host filesystem shared with a guest can use this property to
navigate the host filesystem in the context of the QEMU process and read any
file the QEMU process has access to.  Access to the filesystem may be local
or via a network share protocol such as CIFS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 15:04:16 +02:00
Bernd Kuhls
e0b0870304 package/file: bump version to 5.37
Changelog: https://github.com/file/file/blob/master/ChangeLog
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:50:51 +02:00
Bernd Kuhls
3cf36896ee package/boinc: bump version to 7.16.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:50:29 +02:00
Bernd Kuhls
45ea73584b package/asterisk: bump version to 16.5.0
Release notes:
https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current-summary.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:49:32 +02:00
Bernd Kuhls
85f4b77123 package/apr: bump version to 1.7.0
Release notes: http://www.apache.org/dist/apr/CHANGES-APR-1.7

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:43:25 +02:00
Bernd Kuhls
a5f4a45792 package/x265: bump version to 3.1.2
Release notes:
https://bitbucket.org/multicoreware/x265/src/Release_3.1/doc/reST/releasenotes.rst

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:43:17 +02:00
Bernd Kuhls
89337e4f39 package/flac: bump version to 1.3.3
Changelog: https://xiph.org/flac/changelog.html

Removed patch applied upstream, removed autoreconf:
https://git.xiph.org/?p=flac.git;a=commitdiff;h=55721556161e6ab209f940f5023bc44b4051524a

Added all hashes provided by upstream and license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:40:08 +02:00
Bernd Kuhls
a9c509934e package/gnutls: bump version to 3.6.9
Release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2019-July/004556.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:40:00 +02:00
Bernd Kuhls
92cda2a137 package/hwdata: bump version to 0.326
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:38:58 +02:00
Bernd Kuhls
fade4c28ad package/hdparm: bump version to 9.58
Release notes:
https://sourceforge.net/p/hdparm/news/2018/10/hdparm-957-is-released/
https://sourceforge.net/p/hdparm/news/2018/10/hdparm-958-is-released/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:38:38 +02:00
Bernd Kuhls
f2ffdbee2a package/wpa_supplicant: security bump version to 2.9
Fixes https://w1.fi/security/2019-6/

Removed patch applied upstream:
http://w1.fi/cgit/hostap/commit/?id=f2973fa39d6109f0f34969e91551a98dc340d537

Removed all other upstream patches which are included in this release.

Release notes:
http://lists.infradead.org/pipermail/hostap/2019-April/039979.html
http://lists.infradead.org/pipermail/hostap/2019-August/040373.html

Support for the old dbus interface was removed upstream:
http://w1.fi/cgit/hostap/commit/?id=6a8dee76d4090287c016680c009b1334e01b5fbd

Removed Config.in option, removed _NEW from remaining dbus option,
select BR2_PACKAGE_DBUS when needed and added Config.in.legacy options.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:36:42 +02:00
Bernd Kuhls
9aca253656 package/hostapd: security bump version to 2.9
Fixes https://w1.fi/security/2019-6/

Release notes:
http://lists.infradead.org/pipermail/hostap/2019-April/039979.html
http://lists.infradead.org/pipermail/hostap/2019-August/040373.html

This release includes all patches from https://w1.fi/security/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:33:15 +02:00
Fabrice Fontaine
14044441f0 package/faketime: bump to version 0.9.8
- Remove first patch (already in version)
- Remove second patch (not needed since merge of
  https://github.com/wolfcw/libfaketime/pull/161)
- Add hash for license file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:28:16 +02:00
Petr Vorel
ec29cbd2dd package/libmbim: bump to version 1.18.2
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:28:00 +02:00
Petr Vorel
a8f7e0b3e6 package/feh: bump to version 3.2.1
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:27:50 +02:00
Petr Vorel
c31258e6e7 package/links: bump to version 2.19
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:25:57 +02:00
Bernd Kuhls
04869ca17f package/libatomic_ops: bump version to 7.6.10
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:25:08 +02:00
Bernd Kuhls
ed835efe20 package/joe: bump version to 4.6
Added license hash.

Release notes:
https://sourceforge.net/p/joe-editor/mercurial/ci/default/tree/NEWS.md

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 14:24:52 +02:00
Sørensen, Stefan
ca2dea3b75 package/openldap: security bump to version 2.4.48
Security fixes:
CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases
CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection

Full changelog:
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[Peter: fix sha256 hash line]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 23:19:40 +02:00
Baruch Siach
eb3ed2af54 package/strace: fix build with v5.2 kernel headers
Add upstream patch with a workaround to incompatible change in kernel
headers.

Regenerate the v4l2_pix_fmts.h header which is pre-generated from
v4l2_pix_fmts.in in the strace tarball.

Fixes:
http://autobuild.buildroot.net/results/5494c9e21e623a9b7d87e06d86ed5e95d696c21a/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 23:14:42 +02:00
Bernd Kuhls
4e5e44278a package/intel-microcode: security bump version to 20190618
Release notes:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 23:07:55 +02:00
Peter Korsgaard
b907d344d8 package/mpg123: security bump to version 1.25.12
>From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
  (oss-fuzz-bug 15975). The earlier fix around the same location needed
  one thought more. Actually, another though was needed, oss-fuzz-bug 16009
  documents the incomplete fix.

- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
  de-unsyncing (oss-fuzz-bug 16050).

- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
  before deciding that separate -ldl is not needed).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 22:18:05 +02:00
Yann E. MORIN
20cbf17e0a support/graph-size: reorder colours assigned to sizes
Now that we can order packages from biggest to smallest, it makes sense
to assign the most aggressive colours to the biggest packages.

As such, reorder the current colours so that we have, in order:
  - red-ish
  - orange-ish
  - yellow-ish
  - purple-ish
  - eggplant-ish (is that even a colour? :-] )
  - some-indeterminate-blue-ish
  - dark-green-ish
  - light-green-ish

For the previous, smallest-first ordering, it does not matter much what
the ordering is: the actual colours are still somewhat-unpredictably
assigned to packages, depending on the cut-off limit...

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:51:47 +02:00
Yann E. MORIN
33c1ef88f8 support/graph-size: add option to sort packages in reverse size order
Currently, the packages are sorted smallest first, and biggest last
(with unknown and others second-to-last and last, resp.).

Add an option to invert the ordering (but keeping unknown and others at
their current positions).

This has the nice side effect that we can now control the colours
assigned to the biggest package(s), as the colours are cycled from the
first to the last. Currently, the biggest packages gets a redish colour,
which is appropriate, but the second gets a greenish one, which is not
as appropriate (but changing that can come later).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:50:05 +02:00
Yann E. MORIN
1dbce133db support/graph-size: add option to report size with IEC prefixes
When dealing with embedded devices, storage is more often than not some
kind of flash device, on which the memory is usually counted as powers
of 1024 instead of powers of 1000. As such, people may prefer reports
using IEC prefixes [0] instead of the SI prefixes.

Add an option to that effect.

We use argparse's ability to use custom actions [1] [2], to provide a
set of options that act on a boolean, but has a single help entry and
internally ensures consistency of the settings. We could have been using
the more conventional store_true/store_false actions instead, but that
would have meant either two help entries, one for each set of options,
and/or some logic after parse_args() to check the validity of the
settings.

[0] https://en.wikipedia.org/wiki/Binary_prefix
[1] https://docs.python.org/2/library/argparse.html#action
[2] https://docs.python.org/2/library/argparse.html#argparse.Action

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:49:22 +02:00
Yann E. MORIN
e9cdabee71 support/graph-size: add option to change percentage to group in Others
Currently, we group packages that contribute less then 1%, into the
"Other" category.

However, in some cases, there can be a lot of very comparatively small
packages, and they may not exceed this limit, and so only the "Others"
category would be displayed, which is not nice.

Conversely, if there are a lot of packages, most of which only so
slightly exceeding this limit, then we get all of them in the graph,
which is not nice either.

Add a way for the developers to pass a different cut-off limit. As for
the dependency graph which has BR2_GRAPH_DEPS_OPTS, add the environment
variable BR2_GRAPH_SIZE_OPTS to carry those extra option (in preparation
for more to come, later).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Arnout:
 - remove empty base class definition from Config;
 - use parser.error instead of ValueError for invalid argument.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:44:27 +02:00
Yann E. MORIN
3fc3c4ac99 support/graph-size: display human-readable size
Currently, we forcibly report sizes in multiple of Kilobytes. In some
big configurations, the sizes of the system as a whole, as well as that
of individual packages, may exceed megabytes, and when some artistic
assets get used, even the gigabyte may get exceed.

These big sizes are not easy to read when expressed in kilobytes.

Additionally, some very small packages might have sizes below the
kilobyte (and when we can specify the cut-off grouping size, they may
get reported), and thus the size displayed for those would be 0 kB.

Add a helper function that can format a floating-point size into a
string with all the appropriate formatting:

  - there are at least 3 meaningfull digits visible, i.e. we display
    "3.14" or "10.4" instead of just "3" or "10", but for big number we
    don't care about too many precision either, so we report "100" or
    "1000", not "100.42" or "1000.27";

  - the proper SI prefix is appended, if needed.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:15:35 +02:00
Yann E. MORIN
e8de561436 support/graph-size: report 'Unknown" after all packages, but before "Others"
Currently, the "unknown" category may be reported anywhere, so it does
not really stand out when there are a lot of packages in the graph.

Move it towards the end, but right before the "other" category, so that
it is a bit more visible. Like for Others, don't report it if its size
is zero.

Also, make it title case (i.e. "Unknown" instead of "unknown").

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:12:37 +02:00
Yann E. MORIN
c68ee73924 support/graph-size: don't report "Others" if size is zero
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:08:18 +02:00
Yann E. MORIN
a2d20ca613 support/graph-size: introduce main()
It is nicer overall to have a main() function, like all our other
scripts tend to have too.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:08:01 +02:00
Yann E. MORIN
cecaf7001f support/graph-size: fix flake8 warnings
There are three E501 warnings returned by flake8, when run locally,
because we enforce a local 80-char limit, but that are not reported by
the gitlab-ci jobs because only a 132-char limit is required there.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Reviewed-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-26 22:07:50 +02:00
Bernd Kuhls
ad9efda578 package/vlc: security bump version to 3.0.8
Release notes: https://www.videolan.org/developers/vlc-branch/NEWS

Fixes the following security bugs:
 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:45 +02:00
Bernd Kuhls
661949b3f5 package/libmodplug: bump version to 0.8.9
Needed for security bump of vlc to 3.0.8:
http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=48f014768dc22ecad23d0e9f53c38805a3aff832

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:38 +02:00
Baruch Siach
2604f55093 package/strace: disable for riscv32
strace does not support riscv32 yet.

https://lists.strace.io/pipermail/strace-devel/2019-August/009068.html

Fixes:
http://autobuild.buildroot.net/results/912776cc1da1719806058516a2cc2a47c8dbad9b/

Cc: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:51:05 +02:00
Bernd Kuhls
e7606d31f9 package/samba4: bump version to 4.10.7
Release notes of this bugfix release:
https://www.samba.org/samba/history/samba-4.10.7.html

Removed 0005-disable_gnutls_build_fix.patch, applied upstream:
https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=8128ceceb8702e596183dd509dd6f952a2f4efc2

Renumbered remaining patches.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:50:26 +02:00
Bernd Kuhls
914ba20600 package/clamav: security bump version to 0.101.4
Fixes CVE-2019-12900 and adds an additional fix for CVE-2019-12625.

Release notes:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:49:12 +02:00
Peter Korsgaard
24309ef4ab package/nginx: security bump to version 1.16.1
Fixes the following security issues:

       Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

For details, see the advisory:
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-25 08:48:20 +02:00
Arnout Vandecappelle (Essensium/Mind)
1fa9b0d267 Revert "package/util-linux: build programs and libraries in separate packages"
This commit was pushed accidentally, it was not yet ready for prime
time. A better way to implement it was proposed.

In addition, it still introduces a circular dependency: systemd ->
polkit -> libglib2 -> util-linux -> systemd

This reverts commit 335c77b667.
2019-08-23 00:29:51 +02:00
Romain Naour
295307700b package/gcc: allow uclibc only for gcc or1k (5.x)
uClibc doesn't build with the upstream binutils 2.32.x and gcc or1k
port due to the following error:

LD libuClibc-1.0.31.so
/opt/openrisc--uclibc--bleeding-edge-1/lib/gcc/or1k-buildroot-linux-uclibc/9.2.0/../../../../or1k-buildroot-linux-uclibc/bin/ld:
libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol
__syscall_error

See:
https://gitlab.com/kubu93/toolchains-builder/-/jobs/270854456

This error message come from a new check in binutils 2.32.x:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f2c1801f6255a3f9f483ae2f07c7d7da0ddae4af

This issue has been reported on the uClibc-ng mailing list:
https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001885.html

Since gcc 9.1 needs binutils 2.32.x or later to build successfully for
or1k, there is no binutils version left that can build gcc 9.1 and
uClibc.

For now, disable uClibc if gcc 9.1 is used for or1k.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
[Arnout: invert the logic, like in the rest of the file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-08-21 23:50:33 +02:00