Commit Graph

50180 Commits

Author SHA1 Message Date
Thomas De Schampheleire
509db3b88a core: fix packages-file-list.txt after an incremental build
The package instrumentation step 'step_pkg_size' is populating the files:
    output/build/packages-file-list.txt
    output/build/packages-file-list-staging.txt
    output/build/packages-file-list-host.txt
by comparing the list of files before and after installation of a package,
with some clever tricks to detect changes to existing files etc.

As an optimization, instead of gathering this list before and after each
package, where the 'after-state' of one package is the same as the
'before-state' of the next package, only the 'after-state' is used and
is shared between packages.

This works fine, except at the end of the build, as explained next.

In the target-finalize step, many files will be touched. For example, files
like /etc/hosts, /etc/os-release, but also all object files that are
stripped, and all files touched by post-build scripts or created by rootfs
overlays. This means that the 'after-state' of the last package does not
reflect the actual situation after target-finalize is run.

For a single complete build this poses no problem. But, if one incrementally
rebuilds a package after the initial build, e.g. with 'make foo-rebuild',
then all changes that happened in target-finalize at the end of the initial
build (the 'after-state' of the last package built) will be detected as
changes caused by the rebuild of package foo. As a result, all these files
will incorrectly be treated as 'owned' by package foo.

Correct this situation by capturing a new state at the end of
target-finalize, so that the 'before-state' of an incremental build will be
correct.

Note: the reasoning above talks about packages-file-list.txt and
target-finalize, but also applies to
packages-file-list-staging.txt/staging-finalize and
packages-file-list-host.txt/host-finalize.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-17 22:19:33 +01:00
Yegor Yefremov
5abe7e4ce3 support/run-tests: reorder imports
Reorder imports using the isort utility to fix a warning from pylint3:

wrong-import-order: standard import "import multiprocessing" should be
placed before "import nose2"

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-17 10:13:08 +01:00
Yann E. MORIN
7868fa78d8 package.nfs-utils: drop extra empty line
Commit 12c0f68caf (package/nfs-utils: bump version to 2.4.3) added an
extra empty line, causing check-package to whine:

    package/nfs-utils/nfs-utils.mk:27: consecutive empty lines

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-17 09:39:02 +01:00
Romain Naour
278f908d55 configs/qemu{x86, x86_64}: add a serial console
The current Buildroot defconfigs for qemu_x86 and qemu_x86_64
instantiate a console on tty1, which appears on QEMU's
graphical window. Add a console on the serial port (ttyS0) to
be used later for gitlab testing.

This change is needed since the script used for gitlab testing
needs to use a serial output with pexpect.

This change is similar to the one made for raspberrypi [1] to
handle HDMI and serial console:

This requires three changes:
 1. have two 'console=' entries in the kernel command line: tty1,
    then ttyS0;
 2. change BR2_TARGET_GENERIC_GETTY_PORT to "console", so it starts
    a getty on the last console= passed to the kernel, ttyS0;
 3. add a new getty on tty1 to the generated inittab.

Step 2 is actually obtained by removing BR2_TARGET_GENERIC_GETTY_PORT
entirely from the defconfigs, since "console" is the default value.

Step 3 requires a post-build script since the Buildroot makefiles can
configure only one console.

Note: instead of simply adding a new getty on ttyS0 (which would
work) this patch actually changes BR2_TARGET_GENERIC_GETTY_PORT to
instantiate a console on UART, then adds back tty1 via
post-build.sh. This is done only to avoid the "GENERIC_SERIAL" comment
where we instantiate a console on QEMU graphical window, then
instantiate a really-serial console on another line.

The result is these two inittab lines:

  console::respawn:/sbin/getty -L  console 0 vt100 # GENERIC_SERIAL
  tty1::respawn:/sbin/getty -L  tty1 0 vt100 # QEMU graphical window

[1] 20878a1017

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 22:24:56 +01:00
Romain Naour
722f8effec configs/qemu_pcc_mac99: build host-qemu for runtime testing
The commit [1] added host-qemu package for each qemu defconfig
for gitlab runtime testing.

[1] 29e1cb8884

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 22:23:09 +01:00
Romain Naour
a0105e95cb configs/qemu_ppc_mac99_defconfig: add usual comments for Kconfig symbols
This defconfig was generated by savedefconfig but we usually
use a manually modified defconfig to add some comments for
Kconfig symbols.

No content change intended.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 22:21:38 +01:00
Adam Duskett
350dc80dcb package/janus-gateway: bump version to 0.8.1
Other changes:
  - Update License hash which properly adds the OpenSSL exception.

Tested with Debian 8:

           br-arm-full [1/6]:   OK
br-arm-cortex-a9-glibc [2/6]:   OK
 br-arm-cortex-m4-full [3/6]:   SKIPPED
        br-x86-64-musl [4/6]:   OK
    br-arm-full-static [5/6]:   SKIPPED
          sourcery-arm [6/6]:   OK

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 22:15:59 +01:00
Adam Duskett
0ea17054ce package/qemu: Bump to version 4.2.0
Other changes:
  - Remove upstream patches
  - Update COPYING.LIB hash as upstream updated the file to match the new LGPL
    2.1 license from upstream. See:
    f0d44cc446

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Romain Naour <romain.naour@gmail.com>
[Peter: change libssh2 to libssh as pointed out by Vincent Fazio]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 20:16:13 +01:00
Giulio Benetti
12c0f68caf package/nfs-utils: bump version to 2.4.3
Bump to version 2.4.3 of nfs-utils.  All patches have been upstreamed, so
drop them all.  It now needs rpcgen built by host-nfs-utils, to do this
let's pass its path to --with-rpcgen= instead of 'internal'.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[Peter: drop AUTORECONF, explicitly depend on host-nfs-utils]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 17:34:21 +01:00
Giulio Benetti
ce084ccb76 package/minicom: bump version
For a minor fix.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 17:17:18 +01:00
Fabrice Fontaine
409921fd2e package/glslsandbox-player: remove 'v' prefix
Fixes version parsing for release-monitoring.org support

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 17:16:00 +01:00
Yegor Yefremov
ea31dc1cd4 support/run-tests: check for empty sequences in a pythonic way
According to PEP8 empty sequences should be checked as booleans.

Fixes the following PEP8 warning:
Do not use `len(SEQUENCE)` to determine if a sequence is empty

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:38:03 +01:00
Peter Korsgaard
dc43b918ec {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:27:10 +01:00
Peter Korsgaard
953538b650 linux: use correct conditional for wireguard kernel config fixup
Commit de591c5c3a (package/wireguard-linux-compat: new package) split up
the wireguard package in wireguard-tools and wireguard-linux-compat, but
forgot to update the conditional in linux.mk, so the kernel config fixups
needed for wireguard are no longer applied.

Update the conditional to use the BR2_PACKAGE_WIREGUARD_LINUX_COMPAT symbol
instead.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:27:05 +01:00
Peter Korsgaard
3db8324e7c package/wireguard-linux-compat: bump version to 0.0.20200215
Fixes a regression introduced in 0.0.20200214.  For details, see the
announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005014.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:26:58 +01:00
Fabrice Fontaine
c40501b9ce package/libgpg-error: bump to version 1.37
- Remove patch (already in version)
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:26:31 +01:00
James Hilliard
a00757f78e package/python-cython: bump to version 0.29.15
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:25:43 +01:00
James Hilliard
4f20c1c42f package/python-simplejson: bump to version 3.17.0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:23:50 +01:00
James Hilliard
fcca4ef19d package/python-pyyaml: bump to version 5.3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:23:35 +01:00
James Hilliard
6a3d6c61b3 package/python-pyopenssl: bump to version 19.1.0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:23:17 +01:00
Fabrice Fontaine
5349c37e72 package/gensio: bump to version 1.5.1
- Update indentation of hash file (2 spaces)
- This will fix a build failure without threads thanks to
  8918de5b30
  and associated upstream patch

Fixes:
 - http://autobuild.buildroot.org/results/e94d0e0b46afc1223a74bcc471909f4adef0d6f3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:22:26 +01:00
Fabrice Fontaine
cc0c9915db package/libtorrent-rasterbar: bump to version 1.2.4
Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:22:07 +01:00
James Hilliard
fe659f55ee package/python-six: bump to version 1.14.0
License hash change is due to date update.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:21:44 +01:00
James Hilliard
e57d571b71 package/python-cryptography: bump to version 2.8
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 15:21:23 +01:00
Peter Korsgaard
abafaedd05 package/wpewebkit: security bump to version 2.26.4
Fixes the following security issues:

- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
  of service.  Description: A denial of service issue was addressed with
  improved memory handling.

- CVE-2020-3864: Impact: A DOM object context may not have had a unique
  security origin.  Description: A logic issue was addressed with improved
  validation.

- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
  been considered secure.  Description: A logic issue was addressed with
  improved validation.

- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
  to universal cross site scripting.  Description: A logic issue was
  addressed with improved state management.

- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
  to arbitrary code execution.  Description: Multiple memory corruption
  issues were addressed with improved memory handling.

For more details, see the advisory:
https://wpewebkit.org/security/WSA-2020-0002.html

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 12:54:51 +01:00
Peter Korsgaard
09af6d8bfd package/wpewebkit: needs >= GCC 7
CMakeLists.txt contains a toolchain check:

if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
    if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
        message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
    endif ()
endif ()

So bump the toolchain dependency to >= GCC 7.  The check is really about >=
7.3.0, but we do not have such detailed version checks.  Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 12:54:45 +01:00
Peter Korsgaard
97ce61f633 package/webkitgtk: security bump to version 2.26.4
Fixes the following security issues:

- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
  of service.  Description: A denial of service issue was addressed with
  improved memory handling.

- CVE-2020-3864: Impact: A DOM object context may not have had a unique
  security origin.  Description: A logic issue was addressed with improved
  validation.

- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
  been considered secure.  Description: A logic issue was addressed with
  improved validation.

- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
  to universal cross site scripting.  Description: A logic issue was
  addressed with improved state management.

- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
  to arbitrary code execution.  Description: Multiple memory corruption
  issues were addressed with improved memory handling.

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0002.html

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 12:54:41 +01:00
Peter Korsgaard
ec1ff802df package/webkitgtk: needs >= GCC 7
CMakeLists.txt contains a toolchain check:

if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
    if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
        message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
    endif ()
endif ()

So bump the toolchain dependency to >= GCC 7.  The check is really about >=
7.3.0, but we do not have such detailed version checks.  Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 12:54:37 +01:00
Baruch Siach
2a057339cc package/libcurl: rename curl binary config symbol
Package optional or choice config symbols are usually prefixed with the
package config symbol name. Rename BR2_PACKAGE_CURL to
BR2_PACKAGE_LIBCURL_CURL to conform.

Update references to the old name.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 11:20:23 +01:00
Gary Bisson
8e267afcc2 package/mfgtools: fix build issue related to __time64_t
The tool fails to build on recent distros due to conflicting declaration
of __time64_t. Adding a check around the declaration to avoid
redefinition.

Patch not submitted upstream as the tool is not supported by NXP
anymore[1].

Fixes:
http://autobuild.buildroot.net/results/ca4498ad21a96ba2a38ca2467dadffdbb516355b/

[1] https://github.com/NXPmicro/mfgtools/pull/104

Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 11:17:24 +01:00
Thomas Petazzoni
ea796fc542 docs/manual: describe the new <pkg>_IGNORE_CVES variable
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 16:49:28 +01:00
Thomas Petazzoni
4a157be9ef support/scripts/pkg-stats: add support for CVE reporting
This commit extends the pkg-stats script to grab information about the
CVEs affecting the Buildroot packages.

To do so, it downloads the NVD database from
https://nvd.nist.gov/vuln/data-feeds in JSON format, and processes the
JSON file to determine which of our packages is affected by which
CVE. The information is then displayed in both the HTML output and the
JSON output of pkg-stats.

To use this feature, you have to pass the new --nvd-path option,
pointing to a writable directory where pkg-stats will store the NVD
database. If the local database is less than 24 hours old, it will not
re-download it. If it is more than 24 hours old, it will re-download
only the files that have really been updated by upstream NVD.

Packages can use the newly introduced <pkg>_IGNORE_CVES variable to
tell pkg-stats that some CVEs should be ignored: it can be because a
patch we have is fixing the CVE, or because the CVE doesn't apply in
our case.

From an implementation point of view:

 - A new class CVE implements most of the required functionalities:
   - Downloading the yearly NVD files
   - Reading and extracting relevant data from these files
   - Matching Packages against a CVE

 - The statistics are extended with the total number of CVEs, and the
   total number of packages that have at least one CVE pending.

 - The HTML output is extended with these new details. There are no
   changes to the code generating the JSON output because the existing
   code is smart enough to automatically expose the new information.

This development is a collective effort with Titouan Christophe
<titouan.christophe@railnova.eu> and Thomas De Schampheleire
<thomas.de_schampheleire@nokia.com>.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 16:49:07 +01:00
Bernd Kuhls
be7ee2a088 package/{mesa3d, mesa3d-headers}: bump version to 19.3.4
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:06:45 +01:00
Fabrice Fontaine
589849add7 package/rocksdb: add gflags optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:06:13 +01:00
Fabrice Fontaine
b56e60e583 package/mono: fix build with powerpc
Fixes:
 - http://autobuild.buildroot.org/results/fff0dd08f71facbe367d982d19158ee084ae8047

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:04:49 +01:00
Peter Korsgaard
10fe3405df package/wireguard-linux-compat: bump version to 0.0.20200214
Includes misc fixes. For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005013.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:04:02 +01:00
Peter Korsgaard
832ff93c89 package/postgresql: security bump to version 12.2
Fixes the following security issues:

- CVE-2020-1720: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
  https://www.postgresql.org/about/news/2011/

Update the license hash for a change in copyright years:
-Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:02:10 +01:00
Peter Korsgaard
d524597e53 package/screen: bump version to 4.8.0
Fixes a memory corruption issue in OSC 49 handling.  Notice that this is
only enabled if screen is built with --enable-rxvt_osc, which isn't the case
in Buildroot. From the release notes:

As last fix, fixes potential memory overwrite of quite big size (~768
bytes), and even though I'm not sure about potential exploitability of
that issue, I highly recommend everyone to upgrade as soon as possible.
This issue is present at least since v.4.2.0 (haven't checked earlier).

https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html

Upstream changed the gnu.org URLs to use HTTPS, so adjust
0005-rename-sched_h.patch to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:01:50 +01:00
Romain Naour
579f26faa5 DEVELOPERS: add Romain Naour for toolchain topic
The first time I worked on the Buildroot's toolchain infra
was to add support for the Sourcery Codebench Standard
(licenced) edition toolchain (from Mentor Graphics) for
x86 target [1]. The series was rejected though.

But the knowledge gained from this work served to refactor
the toolchain-external infra in Buildroot [2].

Nowadays, I'm using toolchains-builder project to do
some toolchain build testing to keep GNU tools up to date
in Buildroot.

[1] http://lists.busybox.net/pipermail/buildroot/2014-November/112036.html
[2] http://lists.busybox.net/pipermail/buildroot/2016-October/175433.html
[3] https://gitlab.com/kubu93/toolchains-builder/

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:00:45 +01:00
Romain Naour
8ec71b5915 DEVELOPERS: add Romain Naour for Qemu defconfigs
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:00:18 +01:00
Romain Naour
62c666a006 DEVELOPERS: add Romain Naour for test_glxinfo test
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 12:00:01 +01:00
Romain Naour
faec5c583e support/testing/glxinfo: explicitly enable GLX
Since [1], the GLX support is enabled by BR2_PACKAGE_MESA3D_OPENGL_GLX
symbol.

Since [2], only one swrast provider can be built.
Keep BR2_PACKAGE_MESA3D_DRI_DRIVER_SWRAST.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/400391349

[1] 5cb821d563
[2] 09a0a28507

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:59:13 +01:00
Gilles Talis
84140d0007 package/ncdu: bump to version 1.14.2
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:58:38 +01:00
Gilles Talis
deec444492 package/libmicrohttpd: bump to version 0.9.70
Bugfix release. For details, see the release notes:
https://lists.gnu.org/archive/html/libmicrohttpd/2020-02/msg00006.html

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:57:22 +01:00
Gilles Talis
c7faf7f996 package/libhttpparser: bump to version 2.9.3
Also dropped patch that was pushed upstream

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:53:57 +01:00
Peter Korsgaard
9b15ef3505 package/go: bump version to 1.13.8
Includes fixes to the runtime, the crypto/x509, and net/http
packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:53:19 +01:00
Peter Korsgaard
250535975d package/dovecot: security bump to version 2.3.9.3
Fixes the following security issues:

- CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and
  lmtp processes
  lib-smtp doesn't handle truncated command parameters properly, resulting
  in infinite loop taking 100% CPU for the process.  This happens for LMTP
  (where it doesn't matter so much) and also for submission-login where
  unauthenticated users can trigger it.

- CVE-2020-7957: Specially crafted mail can crash snippet generation
  Snippet generation crashes if:
  - message is large enough that message-parser returns multiple body
    blocks
  - The first block(s) don't contain the full snippet (e.g.  full of
    whitespace)
  - input ends with '>'

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:50:40 +01:00
Fabrice Fontaine
25b1dc4613 package/parted: disable on uclibc
Like postgreSQL (and imagemagick), parted does not build against uClibc
with locales enabled, due to an uClibc bug, see
http://lists.uclibc.org/pipermail/uclibc/2014-April/048326.html:

In file included from atari.c:42:
atari.c: In function 'atr_part_correct':
atari.c:221:9: error: dereferencing pointer to incomplete type 'struct __uclibc_locale_struct'
  return isalnum_l(part->id[0], atr_c_locale)
         ^~~~~~~~~

So disable parted on uclibc

Fixes:
 - http://autobuild.buildroot.org/results/992518d340a9f32a0721d6e66936850c4c3ef2e4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-14 09:13:07 +01:00
Fabrice Fontaine
a17cb3532c package/udisks: add locale dependency
Commit b5f0c6efb2 forgot to propagate new
locale dependency from parted to udisks

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-14 09:09:49 +01:00
Fabrice Fontaine
08f07b302e package/python-pyparted: add locale dependency
Commit b5f0c6efb2 forgot to propagate new
locale dependency from parted to python-pyparted

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-14 09:09:15 +01:00