--disable-vt has been dropped since version 2.0.0 and
94190bf04b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 210ec9c0d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
librsvg is an optional dependency which is enabled by default since
version 8.3.0 and
153886d2eb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit adc0e0c6af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
zlib is an optional dependency which is enabled by default since version
8.4.2 and
5ab0001ec6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43a9cfd317)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
giflib is an optional dependency which is enabled by default since
version 8.3.0 and
d79407f285
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd1a3a29de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes:
* Fix potential null pointer dereference in the JP2/JPC decoder. (#269)
* Fix ignoring of JAS_STREAM_FILEOBJ_NOCLOSE at stream close time. (#286)
* Fix integral type sizing problem in JP2 codec. (#284)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7727703a8b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw
allows attackers to cause a denial of service (SEGV or buffer overflow
and application crash) or possibly have unspecified other impacts via a
crafted ELF. The highest threat from this vulnerability is to system
availability.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 92a6db4fc6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Backport an upstream patch to add support for riscv32. Although this is
a new feature (new arch support), this is an upstream commit, so we can
expect it to be available in a future release.
Fixes:
- http://autobuild.buildroot.org/results/1c399312dbec5d7a28ec90d62fdd8f47fa14ff4b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- technically, this is not a bug fix, but new arch support
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 08a0e9bd06)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/76a/76a411b78d764561457decd47b268f65059ba1b0/
Checking whether fcntl supports setting/geting hints : not found
..
Cross answers file /home/giuliobenetti/autobuild/run/instance-2/output-1/build/samba4-4.14.2/cache.txt is incomplete
Samba4 has added a check for fcntl F_{G,S}ET_RW_HINT /
F_{G,S}ET_FILE_RW_HINT handling since:
5084a69de1
Which is supported by the Linux kernel since 4.13 in commit
c75b1d9421f80f41 (fs: add fcntl() interface for setting/getting
write life time hints), so add it to the cache file.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a429233617)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix arbitrary data copied from signature header past signature
checking (CVE-2021-3421)
- Fix signature check bypass with corrupted package (CVE-2021-20271)
- Fix missing bounds checks in headerImport() and headerCheck()
(CVE-2021-20266)
- Fix missing sanity checks on header entry count and region data
overlap
- Fix access past end of header if the last entry is string type
- Fix unsafe headerCopyLoad() still used in codebase
Drop all patches (already in version)
https://rpm.org/wiki/Releases/4.16.1.3.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 768152e2a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Out-of-bound read access when parsing LLDP-MED civic address in
liblldpctl for malformed fields.
- Fix memory leak when receiving LLDPU with duplicate fields.
CVE-2020-27827.
- More memory leak fixes on duplicate TLVs in LLDP, CDP and EDP
(related to CVE-2020-27827).
https://github.com/lldpd/lldpd/blob/1.0.9/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5522b7526b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.15.11 (released 2021/04/01) includes fixes to cgo, the compiler, linker,
runtime, the go command, and the database/sql and net/http packages
https://golang.org/doc/go1.15
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
net-snmp-create-v3-user uses ps to check if snmpd is running. To know
how to invoke 'ps', the build system use 'which ps' and does other
checks for the output format of 'ps', therefore inspecting 'ps' on the
build machine instead of the target.
If the build machine runs a OS like Debian, that uses a merged-usr and a
PATH of '/usr/bin:/bin', then 'which ps' returns /usr/bin/ps, which will
not work on the target if it does not also use a merged-usr.
Hardcode 'ps' to be /bin/ps to fix this issue and to improve build
reproducibility.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 57d339f20b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
poppler is an optional dependency which is enabled by default since
version 8.3.0 and
8da4e706dd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26439a3bed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable samples which are built (but not installed) by default since at
least version 1.6.0 and
89e7a40fcc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f639e7d10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While not a requirement to run mender itself, the mender-connect package
requires this file to be installed to talk to mender.
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 948e2c3467)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current linker flag "-X main.Version=$(MENDER_VERSION)" no longer points
to the correct location, which results in "version: unknown" when runnning
"mender -version." Update the linker flag to point to the correct location.
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5f7fa8838)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently there is a mix of calls to package/mender and $(MENDER_PKGDIR) in the
mender.mk file. Standardize the calls to only $(MENDER_PKGDIR).
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e6c2e3a869)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 10:
/home/buildroot/autobuild/run/instance-1/output-1/host/bin/aarch64-none-linux-gnu-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -I/home/buildroot/autobuild/run/instance-1/output-1/build/efivar-37/src/include/ -specs=/home/buildroot/autobuild/run/instance-1/output-1/build/efivar-37/gcc.specs -L. -fPIC -Wl,-z,muldefs -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -o efivar efivar.c -lefivar -ldl
In file included from efivar.h:28,
from efivar.c:40:
In function 'text_to_guid',
inlined from 'parse_name.constprop' at efivar.c:157:8:
guid.h:106:2: error: 'strncpy' output may be truncated copying 8 bytes from a string of length 38 [-Werror=stringop-truncation]
106 | strncpy(eightbytes, text, 8);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Fixes:
- http://autobuild.buildroot.org/results/fcba72d359f4128515560e9105384cd4deff5043
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 720deac3d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
non existing tslib support has been dropped since version 2.0.14 and
4c96faee57
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 083cd205c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This minor release fixes an issue which would cause applications using
wpewebkit and webkitgtk freeze under certain conditions during normal
browsing. Release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.8.3.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b2e85cf0c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a WPA_SUPPLICANT_IGNORE_CVES entry for CVE-2021-27803 which was
fixed by commit 9ada4eb2f1, which we
have backported as
0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1a7cf592a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Current error string speaks only about "fragment" but here we also deal
with Kconfig files, so let's add "file or fragment" instead of "fragment".
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a7348f0f7d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of FRR 7.5 with lots of bug fixes:
https://github.com/FRRouting/frr/releases/tag/frr-7.5.1
Signed-off-by: Vadym Kochan <vadym.kochan@plvision.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a4a3a0295)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
crywrap has been dropped since version 3.6.12 and
c991b52231
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 580f1fccc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With that FASTD_CPE_ID expands to:
cpe:2.3🅰️fastd_project:fastd:21.0:*:*:*:*:*:*:*
That's the same as listed on
https://nvd.nist.gov/products/cpe/detail/826746
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ebe599de08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
--enable-more-warnings has been dropped since version 1.26.0 and
9f31a45d5f
Instead, a new --disable-Werror option has been added, through the use
of AX_COMPILER_FLAGS, so use that to explicitly request wrnings not be
treated as errors.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: use --disable-Werror instead of nothing]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0de1a23c75)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-25097: HTTP Request Smuggling
Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack.
For more details, see the advisory:
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7b56384603)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3119: Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer
dereferencing issue related to sqlcipher_export in crypto.c and
sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a
remote denial of service attack. For example, an SQL injection can be
used to execute the crafted SQL command sequence, which causes a
segmentation fault.
https://github.com/sqlcipher/sqlcipher/blob/v4.4.3/CHANGELOG.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f0a81de6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-28363: The urllib3 library 1.26.x before 1.26.4 for Python
omits SSL certificate validation in some cases involving HTTPS to HTTPS
proxies. The initial connection to the HTTPS proxy (if an SSLContext
isn't given via proxy_config) doesn't verify the hostname of the
certificate. This means certificates for different servers that still
validate properly with the default urllib3 SSLContext will be silently
accepted.
https://github.com/urllib3/urllib3/blob/1.26.4/CHANGES.rst
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a8c6746bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action
attribute into defs.link_attrs (in html/defs.py) for later use in input
sanitization, but does not do the same for the HTML5 formaction
attribute.
https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9d678ed1de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-27928: A remote code execution issue was discovered in
MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18,
and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep
patch through 2021-03-03 for MySQL. An untrusted search path leads to
eval injection, in which a database SUPER user can execute OS commands
after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not
affect an Oracle product.
https://mariadb.com/kb/en/mariadb-10328-release-notes/https://mariadb.com/kb/en/mariadb-10328-changelog/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f06339f3fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-07 0.9.36
* Fix sf.net issue #5 - its possible to issue a PUT request
without a CONTENT-TYPE. Assume an octet-stream in that case.
* Change the Prefix for variables to be the REQUEST_METHOD
(PUT/DELETE/GET/POST)
**** THIS IS A BREAKING CHANGE vs 0.9.33 ****
* Mitigations vs running haserl to get access to files not
available to the user.
- Fix CVE-2021-29133: Lack of verification in haserl, a component of
Alpine Linux Configuration Framework, before 0.9.36 allows local users
to read the contents of any file on the filesystem.
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 661ce9aac9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-22191: Improper URL handling in Wireshark 3.4.0 to 3.4.3
and 3.2.0 to 3.2.11 could allow remote code execution via via packet
injection or crafted capture file.
https://www.wireshark.org/security/wnpa-sec-2021-03.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 705b3dd78c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5502a889dd
("configs/beaglebone_qt5: don't use custom post-image script") removed the use
of genimage_linux41.cfg but didn't remove the file.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8c60df5a77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream has switched to requiring python3, so change the dependency to
always use host-python3.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7e0c490f45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 9783c04aaf.
This commit is actually a workaround to get Meson passing `-libstdc++`
to the C linker. The correct fix is to pass the host C++ compiler to
Meson instead of the host C compiler using the `CXX_FOR_BUILD` variable.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7205247aae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f4a61d1ae2 introduced CC_FOR_BUILD and
CXX_FOR_BUILD to avoid detecting ccache.
Both values are set to `HOSTCC`. This causes issues where C++ files are
compiled with the C compiler without passing the `stdc++` flag to the
linker, too.
Therefore, switch to pass the C++ compiler to CXX_FOR_BUILD.
Correctly fixes:
http://autobuild.buildroot.org/results/871e1362c44e5b68a149e6a5dd3caf99ea0d904a
Commit 9783c04aaf proposed a fix which in
fact is a workaround to get Meson to pass the `stdc++` flag to the C
linker.
A follow-up commit will revert this commit, as it is no longer
needed.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 00d41f58eb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
