Additional fixes for CVE-2017-9800: Malicious server can execute arbitrary
command on client and a number of crash fixes.
https://svn.apache.org/repos/asf/subversion/tags/1.9.10/CHANGES
Drop upstream SHA1 hash as that is no longer listed. Also add a hash for
the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
upmpdcli 1.4.0 uses both the `uint64_t` and `u_int64_t` type. `uintN_t` is
standard C99 type available in `<stdint.h>`, whereas `u_intN_t` is defined in
`<sys/types.h>`.
Because of the missing include of `<sys/types.h>` building upmpdcli breaks now
when building with the musl C library, which is very strict:
```
src/mediaserver/cdplugins/netfetch.h:71:5: error: ‘u_int64_t’ does not name a type
u_int64_t datacount() {
```
Add a patch from upstream which fixes the issue by replacing `u_int64_t`
with `uint64_t`.
Fixes:
http://autobuild.buildroot.net/results/f3082d2fdda8d73dbd9d3b65a08d844934066ef7
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.38
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The website for rp-pppoe moved from Roaring Penguin's main site to
a personal project page.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update URL to point at the project page vs just the GIT repository
containing the source code.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since riscv64 works with linux default defconfig, this patch drop custom config.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Tested-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In version 0.9.0 wavemon uses the GLIBC-specific extension `on_exit()`
which is not available in musl and uClibc.
According to the Linux kernel man page [1]: "Portable application should
avoid this function, and use the standard atexit(3) instead."
Add patch from upstream which is fixing this issue by dropping
`on_exit()` and using the standard `atexit()` instead. Note, that the commit
message of the upstream patch was changed to add some useful information.
[1] http://man7.org/linux/man-pages/man3/on_exit.3.html
Backported from: f6e20c9c6e9b50963caaf5483248d329473a6815
Fixes:
http://autobuild.buildroot.net/results/ae54441c65fe9a1bdcf743aa7f6a208e5545ca29http://autobuild.buildroot.net/results/40fd66e6a351a1acd537ade715ab3e993eddb1c1
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the upstream release announcement:
"""
This release makes improvements with respect to default thread stack size,
including increasing the default from 80k to 128k, increasing the default
guard size from 4k to 8k, and allowing the default to be increased via ELF
headers so that programs that need larger stacks can be build without
source-level changes, using just LDFLAGS. Insufficient stack size for AIO
threads on kernels that don't honor the constant MINSIGSTKSZ is also fixed.
The glob core has been rewritten to fix inability to see past
searchable-but-unreadable path components, and to avoid excessive stack usage
and unnecessary syscalls. The tsearch AVL tree implementation has also been
rewritten for better size and performance. The math library adds more native
single-instruction implementations for arm, s390x, powerpc, and x86_64.
Various bugs are fixed, including several possible deadlocks, one of which was
a new regression in 1.1.20.
"""
Drop upstream patch 0002 which is included in the release.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For 4.20 support.
git shortlog --invert-grep --grep travis --no-merges 143ff2b17de63ce931c4f758771969e75c09a4c7..
Roman Stratiienko (1):
mali: support building against 4.20
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to install in /sbin as expected by other applications
such as strongswan instead of /usr/sbin
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It seems tekui has parallel build issues since November 2017:
- Fatal error: can't create build/posix/directfb_lua.lo: No such file or directory
- /home/peko/autobuild/instance-3/output/host/bin/microblazeel-buildroot-linux-uclibc-ar: ../../lib/posix/libtekdebug.a: No such file or directory
- Fatal error: can't create build/posix/visual_mod.lo: No such file or directory
So disable parallel build
Fixes:
- http://autobuild.buildroot.org/results/0732568fcbaa6829154fa91c352b52f074384df0
- http://autobuild.buildroot.org/results/580593e79bc4ecdea1dc71d16607e5c88f87403c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
upmpdcli switched license from GPL-2.0+ to LGPL-2.1+, therefore update
the hash file for the license file "COPYING".
Note, that upmpdcli depends on libupnpp 0.17.0.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libupnpp 0.17.0 adds compatibility for libupnp 1.8. Therefore, we prefer
selecting libupnp 1.8 and falling back to libupnp 1.6.
Drop patch 0001, which has been merged upstream.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2018-19935: Allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via an empty string in the
message argument to the imap_mail function.
https://www.cvedetails.com/cve/CVE-2018-19935/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php moved from pcre to pcre2 since bump to version 7.3 and
a5bc5aed71
This fixes a build failure: without this change, if BR2_PACKAGE_PCRE is
set, external pcre support in php is (wrongly) enabled with
--with-pcre-regex but because pcre2 was not found, php fallbacks on
built-in pcre2 without the "SLJIT_SINGLE_THREADED hack"
Fixes:
- http://autobuild.buildroot.org/results/40ef339019203d2cc49d388e222cf17c3ca37944
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 745f884e41.
This was the wrong fix: issue is that php moves from pcre to pcre2 since
version 7.3.0 and
a5bc5aed71
This patch will always disable external pcre2 support and raise a build
failure when toolchaine does not have pthread
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default syslog-ng installs a .service that requires a config file at
/etc/default, so provide one with the default values.
It's also necessary to enable the service by means of a symlink created
at /etc/systemd/system/multi-user.target.wants.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other
products, allows remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via crafted text with
invalid Unicode sequences.
https://nvd.nist.gov/vuln/detail/CVE-2018-15120
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero error exists in the
function double64_init() in double64.c, which may lead to DoS when playing a
crafted audio file
CVE-2017-17456: The function d2alaw_array() in alaw.c of libsndfile
1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address
0x000000000000), a different vulnerability than CVE-2017-14245
CVE-2017-17457: The function d2ulaw_array() in ulaw.c of libsndfile
1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address
0x000000000000), a different vulnerability than CVE-2017-14246
CVE-2018-13139: A stack-based buffer overflow in psf_memset in common.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
audio file. The vulnerability can be triggered by the executable
sndfile-deinterleave
CVE-2018-19661: An issue was discovered in libsndfile 1.0.28. There is a
buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a
denial of service
CVE-2018-19662: An issue was discovered in libsndfile 1.0.28. There is a
buffer over-read in the function i2alaw_array in alaw.c that will lead to a
denial of service
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>