For change log, see:
https://github.com/eclipse/mosquitto/blob/v2.0.19/ChangeLog.txt
The change log mentions 2 security related fixes.
There is no allocated CVE.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd127d0c3ffc57646f4908264728da4ea074241b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a test that runs the dtc commandline tools. To test devicetree
compilation, we use an example devicetree from the dtc project. The
example source is GPL-2.0+ licensed.
Signed-off-by: Brandon Maier <brandon.maier@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 9b690341602388b54c596c4510d770f58f4ad227)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
linux-pam 1.2.0 removed the use of yywrap, so the flex dependency is not
needed now (host-flex is still needed).
Fixes: #47
Signed-off-by: Damien Thébault <damien.thebault@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 600e273487baf76d4469bca43d42bd2c4b364db8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 86bb1b236 "boot/grub2: needs host-python3" [1] introduced a
dependency on host-python3.
Since grub does not have any specific requirements on host Python
modules, or recent host Python version, this commit replaces the
host-python3 dependency with BR2_PYTHON3_HOST_DEPENDENCY. This will
skip the host-python3 compilation if a sufficient version (3.4 or
greater at the time of this commit) is already present on host. This
will save build time.
This optimization was suggested by Peter, in [2].
Note 1: this commit was checked to ensure that grub is building with
Python 3.4.
Note 2: BR2_PYTHON3_HOST_DEPENDENCY was introduced in commit b60729784
"support/dependencies: add a check for python3" [3].
[1] 86bb1b2360
[2] https://lists.buildroot.org/pipermail/buildroot/2024-September/763967.html
[3] b60729784a
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a71fda371c1785f9e4364f05ab0a632e1946c53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous repo is not available anymore.
Fixes:
https://autobuild.buildroot.org/results/8c8b073ce163131763fca978b400e596fcf39e62
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4e5fd24c8b7438672c475d0559200ff72c4b1cc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3.7.5 fixed a number of security issues:
- fix multiple vulnerabilities identified by SAST (#2251, #2256)
- cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
- lzop: prevent integer overflow (#2174)
- rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
- rar4: fix CVE-2024-26256 (#2269, CVS-2024-26256)
- rar4: fix OOB in delta and audio filter (#2148, #2149)
- rar4: fix out of boundary access with large files (#2179)
- rar4: add boundary checks to rgb filter (#2210)
- rar4: fix OOB access with unicode filenames (#2203)
- rar5: clear 'data ready' cache on window buffer reallocs (#2265)
- rpm: calculate huge header sizes correctly (#2158)
- unzip: unify EOF handling (#2175)
- util: fix out of boundary access in mktemp functions (#2160)
- uu: stop processing if lines are too long (#2168)
And 3.7.6 fixed a tar regression introduced in 3.7.5
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab3c84e5e2391a7832f6baa2f20b28661f55dd2c)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Doctoring a defconfig is tedious, and it is not easy to update a
defconfig, as it requires manual copy-pasting, adding comments and so
on...
Instead, just require defconfigs to be generated with 'savedefconfig'.
Any details can/must be provided in the commit log.
Reported-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 17bdd10cb350e9c45926c2a5a05f278d104ee4c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2024-35235: Cupsd Listen arbitrary chmod 0140777
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
https://www.openwall.com/lists/oss-security/2024/06/11/1
Drop cups hash patches which are now upstream.
Rebase remaining patches.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d835ffc524e2dab66ce1421240b9eb93c8f8f6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.python.org/downloads/release/python-31110/
Fixes CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592,
CVE-2024-8088 and CVE-2023-27043.
The fixes for bundled libexpat are irrelevant for us because external expat
is used.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version fixes an out-of-bound read in the MLSD command, so upgrading is recommended.
It also improves compatibility with various systems.
Update the COPYING hash because of a change in copyright year
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5271e90a6a2cc7633f3f917391865d2f9df54142)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also add a missing article one line above.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout: fix additional typo]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 4390361bb517db2e9764b512304f3de41458c666)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream curl commit f057de5a1a950 ("libcurl.pc: add `Requires.private`,
`Requires` for static linking") deals with proper pkg-config
configuration since version 8.9.0.
Our local libcurl.pc modification we added back in commit 61d322c3d2
(package/cURL: fix static link whith openSSL) is no longer needed.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
[yann.morin.1998@free.fr: this is not a "revert", reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a5cef5339bd26f9d161d080d352d4adfe7627434)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2023-7256: Clean up sock_initaddress() and its callers to avoid
double frees in some cases.
CVE-2024-8006: Fix pcap_findalldevs_ex() not to crash if passed a
file:// URL with a path to a directory that cannot be opened.
Changelog: bbcbc9174d/CHANGES
Signed-off-by: Akhilesh Nema <nemaakhilesh@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0982498c6735a2d90b5540370d17e48c31c962bc)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 89d39fc7a3 "initscripts: new package" moved the inittab
packaged for Busybox init from system/skeleton/etc to package/busybox.
The manual, however, still points to the old location, so let's fix it.
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 99b1685fd8db8e63c37edac4e544f62ead245b90)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6dc6a747fd44ab908f430c0895e6f6cbd03412e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7bd00d5506e8572f316a9b742b78039e0743d86b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0fa6bd5a964e8b8cd9d3728b0bb72d088d380a71)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a52fd38060f092edbb7f558217770e136899d19f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9e3fdb87f0e2a03e32c3a91875434f7b722a17d4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2e3c0ab1b7bbe8bb5a5abb493fc81e166593ac8f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9c604ef86f32ccb71e050cd92b2ab72659f9474c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0ab62e5d257bd36ca8fe5f570d18f6619fa11fbe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 064f879d960986f2e82ee0439b29cf487fcf85c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>