Fixes the following security issue:
CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)
Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, an async
HTTP client/server framework, is prone to an open redirect vulnerability. A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.
For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
with a buffer of 4GB or more on a 64-bit platform, the length would be
truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
integer overflow on 64-bit platforms due to an implicit cast from 64
bits to 32 bits. The overflow could potentially lead to memory
corruption.
https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp. This is related to schema_init.c and checkTime.
For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a
denial of service (invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8 character sequence.
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2021/02/09/3
So far no fix has been added to upstream git, and a number of early proposed
fixes caused regressions, so pull the security fix from the screen 4.8.0-5
Debian package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero. The highest threat from this vulnerability is to system
availability.
For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077
- bump version to 7.0.10-62
- update license file hash (copyright year update)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump the version of tar to 1.34 for host and target.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch which has been merged into mainline.
The LICENSING file identifies individual files in the tree, and some have
moved between 4.4.17 and 4.4.18 (upstream commit 3436c6a94b8d).
Fix two-spaces in hash file as well.
Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
[yann.morin.1998@free.fr:
- explain license hash change
- two-spaces in hash file
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As of readline 8.1, "bracketed paste" is enabled by default. However,
the feature causes control characters to appear in captured (telnet)
session output. This can throw off pattern matching if the output is to
be processed by scripts.
Let's keep the previous default of leaving this feature disabled and
provide a configuration option for users to enable it.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
- explicit enable/disable
- no indentation in conditional block
- rewrap help text
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
tests/fp/fp-bench.c uses fenv.h, which is not always provided
by the libc (uClibc).
To work around this issue, add a new meson option to
disable tests while building Qemu.
Fixes:
http://autobuild.buildroot.net/results/53f5d8baa994d599b9da013ee643b82353366ec3/build-end.log
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors. If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and also prevents the process from opening, e.g., a file. If no
file descriptor limit is configured, then this leads to excessive memory
usage and causes the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”. When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network. If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain. As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update COPYING hash; copyright year update:
-_Copyright (C) 1998-2020 Michal Trojnara_
+_Copyright (C) 1998-2021 Michal Trojnara_
See full changelog https://www.stunnel.org/NEWS.html
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
query args separator
https://bugs.python.org/issue42967
And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html
Drop the now upstreamed security patch and update the license hash for a
change of copyright year:
-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
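As an added illustration (not part of this commit or of CPython), the check below shows why the parse_qsl separator change matters: a component that still splits on both '&' and ';' sees parameters that an '&'-only parser does not, so a cache and an application can disagree about the same URL. The sample query strings are constructed.

```python
from urllib.parse import parse_qsl

# Constructed sample queries (not taken from the bug report). The second
# one hides a parameter behind ';' so that '&'-only and '&'/';' parsers
# disagree about which parameters are present.
SAMPLE_QUERIES = [
    "page=1&lang=en",
    "page=1;utm=x&lang=en",
]


def parse_strict(query):
    """Parse with the Python 3.9.2+ default: only '&' separates pairs."""
    return parse_qsl(query, keep_blank_values=True)


def parse_legacy(query):
    """Emulate the pre-3.9.2 behaviour, which also split on ';'.

    The old parser split on '&' and then on ';', so treating every ';'
    as '&' yields the same pairs.
    """
    return parse_qsl(query.replace(";", "&"), keep_blank_values=True)


def _by_name(pairs):
    params = {}
    for name, value in pairs:
        params.setdefault(name, []).append(value)
    return params


def ambiguous_params(query):
    """Names whose presence or value differs between the two parsers.

    A non-empty result means a cache keyed on one interpretation can
    serve a response generated from the other, which is the web cache
    poisoning scenario behind CVE-2021-23336.
    """
    strict = _by_name(parse_strict(query))
    legacy = _by_name(parse_legacy(query))
    return sorted(
        name for name in set(strict) | set(legacy)
        if strict.get(name) != legacy.get(name)
    )


if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(query, "->", ambiguous_params(query) or "consistent")
```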
Along with the version bump the following changes were
needed to get the package built:
- since 1.1.1 PyUSB supports only Python3
- change download file name to lowercase
- the package now requires setuptools and setuptools_scm
- change LICENSE checksum as the copyright year changed to 2021
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To support building in (a subset of) the linux-firmware files into the
kernel using the CONFIG_EXTRA_FIRMWARE option, we need to ensure that the
firmware files are installed before the Linux kernel is built, similar to
how it is done for intel-microcode.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>