Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Move imports from six package after the standard modules. Resolves
pylint warnings.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In some cases which seem to depend on how toolchain headers
got installed or configured we may face well-known by now failure
fixed in upstream with [1]:
------------------------------>8----------------------------
In file included from nat/linux-ptrace.c:20:
nat/linux-ptrace.h:175:22: error: expected identifier before numeric constant
# define TRAP_HWBKPT 4
^
nat/linux-ptrace.h:175:22: error: expected '}' before numeric constant
In file included from .../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/signal.h:58,
from build-gnulib/import/signal.h:52,
from .../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/sys/wait.h:36,
from ./common/gdb_wait.h:23,
from nat/linux-ptrace.c:24:
.../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/bits/siginfo-consts.h:156:1: note: to match this '{'
{
^
In file included from nat/linux-ptrace.c:20:
nat/linux-ptrace.h:175:22: error: expected unqualified-id before numeric constant
# define TRAP_HWBKPT 4
^
In file included from .../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/features.h:428,
from .../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/bits/libc-header-start.h:33,
from .../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/stdio.h:27,
from build-gnulib/import/stdio.h:43,
from ./common/common-defs.h:52,
from nat/linux-ptrace.c:19:
.../output/host/arc-buildroot-linux-gnu/sysroot/usr/include/sys/wait.h:158:1: error: expected declaration before '}' token
__END_DECLS
^~~~~~~~~~~
------------------------------>8----------------------------
Back-porting the fix for ARC now to get predictably successful results.
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=5a6c3296a7a90694ad4042f6256f3da6d4fa4ee8
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The host forces HTTPS regardless. This can be seen in the build logs:
>>> host-libopenssl 1.0.2q Downloading
URL transformed to HTTPS due to an HSTS policy
--2018-12-10 09:53:27-- https://www.openssl.org/source/openssl-1.0.2q.tar.gz
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
check-package complains with:
package/qt5/qt5virtualkeyboard/Config.in:59: help text: <tab><2 spaces><62 chars> (http://nightly.buildroot.org/#writing-rules-config-in)
So let's rewrap the Config.in help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch extends the configure checks for re-entrant resolver
functions to fix uclibc builds.
Quoting Yann:
http://lists.busybox.net/pipermail/buildroot/2017-September/203004.html
"As a final stroke of genius, asterisk checks for the re-entrant variant
of res_ninit(), and concludes that all such functions are available,
including res_nsearch(). Uclibc-ng has the former but not the latter, so
the build fails. Since there is no cache variable for that check, we
can't pre-feed that result to configure, and fixing it is a bigger
endeavour. So we make asterisk depend on glibc for now, until someone
is brave enough to fix it."
Musl builds are still broken:
output/build/asterisk-16.0.0/include/asterisk/astmm.h:165:35:
error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘->’ token
Do_not_use_calloc__use_ast_calloc->fail(a, b)
output/build/asterisk-16.0.0/include/asterisk/astmm.h:169:77:
error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘->’ token
Do_not_use_free__use_ast_free_or_ast_std_free_for_remotely_allocated_memory->fail(a)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- removed patches applied upstream, re-numbered remaining patches
- not available for static builds anymore:
8e36064109
- fixed license hashes after upstream whitespace removal
fd0ca1c3f9
- removed configure options not provided by upstream anymore
- fixed configure error, the file is included in asterisk source:
checking for bridges/bridge_softmix/include/hrirs.h... configure:
error: cannot check for file existence when cross compiling
- added "-without-pjproject-bundled" as noted in
https://wiki.asterisk.org/wiki/display/AST/New+in+15
- upstream switched from ncurses to libedit:
d6fda173a4
- added libatomic when needed
- updated core sound package
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes configure error
checking for the ability of -lsrtp2 to be linked in a shared object... yes
checking for srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80 in -lsrtp2... yes
checking for srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80 in -lsrtp2... no
checking for srtp_crypto_policy_set_aes_gcm_128_8_auth in -lsrtp2... no
checking for srtp_shutdown in -lsrtp2... yes
checking for srtp2/srtp.h... (cached) yes
configure: WARNING: ***
configure: WARNING: *** OpenSSL required when using libsrtp2, checking for libsrtp instead.
configure: WARNING: ***
using this defconfig:
BR2_PACKAGE_LIBSRTP=y
BR2_PACKAGE_ASTERISK=y
Please note that openssl support in libsrtp is not available for static
builds:
https://git.buildroot.net/buildroot/tree/package/libsrtp/libsrtp.mk#n27
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Using default value (console) works well, so there is no reason to set
tty explicitly.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Using default value (console) works well, so there is no reason to set
tty explicitly. Additionally after selecting newer kernels (tested
with 4.19 and 4.20-rc3) ttyO0 no longer works due to missing device
node.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GitLab has severe limitations imposed to triggers.
Using a variable in a regexp is not allowed:
| only:
| - /-$CI_JOB_NAME$/
| - /-\$CI_JOB_NAME$/
| - /-%CI_JOB_NAME%$/
Using the key 'variables' always leads to an AND with 'refs', so:
| only:
| refs:
| - branches
| - tags
| variables:
| - $CI_JOB_NAME == $CI_COMMIT_REF_NAME
would make the push of a tag not to trigger all jobs anymore.
Inheritance is used only for the second level of keys, so:
|.runtime_test: &runtime_test
| only:
| - tags
|tests.package.test_python_txaio.TestPythonPy2Txaio:
| <<: *runtime_test
| only:
| - /-TestPythonPy2Txaio$/
would override the entire key 'only', making the push of a tag not to
trigger all jobs anymore.
So, in order to have a trigger per job and still allow the push of a tag
to trigger all jobs (all this in a follow up patch), the regexp for each
job must be hardcoded in the .gitlab-ci.yml and also the inherited
values for key 'only' must be repeated for every job.
This is not a big issue, .gitlab-ci.yml is already automatically
generated from a template and there will be no need to hand-edit it
when jobs are added or removed.
Since the logic to generate the yaml file from the template will become
more complex, move the commands from the main Makefile to a script.
Using Python or other advanced scripting language for that script would
be the most versatile solution, but that would bring another dependency
on the host machine, pyyaml if Python is used. So every developer that
needs to run 'make .gitlab-ci.yml' and also the docker image used in the
GitLab pipelines would need to have pyyaml pre-installed.
Instead of adding the mentioned dependency, keep using a bash script.
While moving the commands to the script:
- mimic the behavior of the previous make target and fail on any
command that fails, by using 'set -e';
- break the original lines in one command per line, making the diff for
any patch to be applied to this file to look nicer;
- keep the script as simple as possible, without functions, just a
script that executes from the top to bottom;
- do not perform validations on the input parameters, any command that
fails already makes the script fail;
- do not add a usage message, the script is not intended to be called
directly.
This patch does not change functionality.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
[Thomas: make the script output on stdout rather than take the output
file name as second argument.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
At this time:
- Lua 5.3.5 will be the last one of its series.
- Lua 5.4 is upcoming (lua-5.4.0-work2 is already available).
- Lua 5.2.4 was released in 2015.
For various reasons in the Lua ecosystem, the Lua 5.1 will stay.
On BR, Lua 5.3 is the default version since 2016.02.
So, the series which could be removed is the 5.2.x.
We could wait some days for other user feedback.
Note: see discussion when 5.3.x was introduced:
http://lists.busybox.net/pipermail/buildroot/2015-January/117638.html
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
It allows controlling the keyboard using the arrow and return keys.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Enable mod_sql_sqlite as a compile time option
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add Buildroot's own .config file, as well as any package's .config file
(uclibc, linux, and busybox), for later inspection should a build fail,
notably due to changes in the kconfig-package infrastructure.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since commit 9f5b07fc64 ("configs: nexbox_a95x_defconfig: bump to
kernel 4.19.8"), the nexbox_a95x_defconfig needs host-openssl to build
the Linux kernel.
Fixes: https://gitlab.com/ymorin/buildroot/-/jobs/131924236
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Set it to NO by default and check if it is equal to NO. This is to
be more consistent with other boolean variables in Buildroot.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Handle the case where there is only one dependency described in
rebar.config, so when the line starts by '{deps' and ends by '}.'.
Before it was deleting this line but also all next lines until finding
a line that ends by '}.'.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
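
The sed behaviour behind the rebar.config fix above, as an added example that is not Buildroot's own code: a range-only deletion is compared with one that handles a single-line deps entry first. The sed expressions, function names and sample rebar.config contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the whole deps entry sits on ONE line.
sample_single() {
cat <<'EOF'
{deps, [{lager, ".*", {git, "https://example.invalid/lager.git", {tag, "3.6.0"}}}]}.
{erl_opts, [debug_info]}.
{cover_enabled, true}.
EOF
}

# Constructed sample: the deps entry spans several lines.
sample_multi() {
cat <<'EOF'
{deps, [
  {lager, ".*", {git, "https://example.invalid/lager.git", {tag, "3.6.0"}}}
]}.
{erl_opts, [debug_info]}.
EOF
}

# Range-only deletion. sed looks for the range's end pattern starting on
# the line AFTER the one that opened the range, so a one-line deps entry
# also deletes every following line up to the next line ending in '}.'.
strip_deps_range_only() {
    sed -e '/^{deps/,/}\.$/d'
}

# Handle the one-line case first: 'd' ends the cycle for that line, so
# the range expression never opens on it. Multi-line entries still fall
# through to the range.
strip_deps_fixed() {
    sed -e '/^{deps.*}\.$/d' -e '/^{deps/,/}\.$/d'
}

echo "range only, single-line deps:"
sample_single | strip_deps_range_only
echo "fixed, single-line deps:"
sample_single | strip_deps_fixed
echo "fixed, multi-line deps:"
sample_multi | strip_deps_fixed
```

With the range-only form the `{erl_opts, ...}` line disappears from the single-line sample without any error, which is why this kind of bug tends to surface only later as a changed build.
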
Since commit 38de434123 ("download: fix file:// BR2_PRIMARY_SITE
(download cache)"), the urlencode option is no longer passed to the
download backend, because we use ${backend} instead of
${backend_urlencode}.
We must get the urlencode information from backend_urlencode.
Signed-off-by: Damien Thébault <damien.thebault@vitec.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The pkgconf project now has a website at pkgconf.org, and hosts its
tarballs at https://distfiles.dereferenced.org/pkgconf/, so this
commit updates the upstream location, and uses the xz-compressed
tarball as well.
pkgconf is bumped to 1.5.3. What prompted this update is the fact that
GStreamer uses the --define-prefix option when calling pkg-config, and
this option didn't exist in pkgconf 0.9.2.
The patch 0001-Fix-all-variables-sysroot-prefix-problem.patch is
dropped, because pkgconf now behaves properly, by prefixing all paths
with the sysroot. This has been verified by testing libdir and
includedir in zlib.pc, and adding some dummy pkgdatadir, mapdir and
sdkdir variables:
$ cat staging/usr/lib/pkgconfig/zlib.pc
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
sharedlibdir=${libdir}
includedir=${prefix}/include
pkgdatadir=${prefix}/pouet
mapdir=${prefix}/this/is/map/dir
sdkdir=${prefix}/this/is/sdk/dir
[...]
$ ./host/bin/pkg-config --variable=libdir zlib
./host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib
$ ./host/bin/pkg-config --variable=includedir zlib
./host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include
$ ./host/bin/pkg-config --variable=mapdir zlib
./host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/this/is/map/dir
$ ./host/bin/pkg-config --variable=sdkdir zlib
./host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/this/is/sdk/dir
$ ./host/bin/pkg-config --variable=pkgdatadir zlib
./host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/pouet
So, the 0001-Fix-all-variables-sysroot-prefix-problem patch is no
longer necessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Jobs scheduler for managing background task (asyncio).
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Control remote side information.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security for aiohttp.web.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Server-sent events support for aiohttp.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sessions for aiohttp.web.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Retrieve a patch from upstream to include config.h otherwise build will
fail when trying to redefine strndup:
libmpd-internal.h:210:10: error: expected identifier or '(' before '__extension__'
char * strndup (const char *s, size_t n);
Indeed, without an include on config.h, HAVE_STRNDUP won't be defined.
Fixes:
- http://autobuild.buildroot.org/results/a174818fa768b029d19b033139f9c5e0aaaed149
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch refers to [1] which says "Unfortuantely, arm-gcc defaults to
generating code for armv5t." Since we always explicitly pass the target
CPU for ARM, the default CPU shouldn't matter.
As suggested by Arnout [2], a test based on qemu_arm_versatile_defconfig
has been done without this patch and there is no regression.
[1] https://sourceware.org/ml/crossgcc/2008-05/msg00009.html
[2] http://lists.busybox.net/pipermail/buildroot/2018-May/222104.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch is present in Buildroot since a long time and has been rebased on
several versions of gcc without being upstreamed. Also it only concerns
contrib/regression, which is not used at all during the build...
As suggested by Arnout [1], a test based on qemu_x86_defconfig has
been done without this patch and there is no regression.
[1] http://lists.busybox.net/pipermail/buildroot/2018-May/222104.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Linux kernel build fails with:
scripts/extract-cert.c:21:25: fatal error: openssl/bio.h: No such file or directory
#include <openssl/bio.h>
Because it needs host-openssl.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/131216892
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>