Commit Graph

70393 Commits

Author SHA1 Message Date
Fabrice Fontaine
38c4aa2826 package/libpjsip: security bump to version 2.14
Fix CVE-2023-38703: PJSIP is a free and open source multimedia
communication library written in C with high level API in C, C++, Java,
C#, and Python languages. SRTP is a higher level media transport which
is stacked upon a lower level media transport such as UDP and ICE.
Currently a higher level transport is not synchronized with its lower
level transport that may introduce use-after-free issue. This
vulnerability affects applications that have SRTP capability
(`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
than UDP. This vulnerability’s impact may range from unexpected
application termination to control flow hijack/memory corruption. The
patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/releases/tag/2.14

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-02 09:40:33 +01:00
Peter Korsgaard
e6e16a6d18 DEVELOPERS: add Flávio Tapajós for rsyslog
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-02 09:37:38 +01:00
Flávio Tapajós
6358bb3a9b package/rsyslog: add libdbi-drivers optional dependency
Needed in order to use omlibdbi module

Signed-off-by: Flávio Tapajós <flavio.tapajos@newtesc.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-02 09:37:23 +01:00
Flávio Tapajós
03e66a35ea package/rsyslog: bump version to 8.2310.0
Signed-off-by: Flávio Tapajós <flavio.tapajos@newtesc.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-02 09:36:10 +01:00
Fabrice Fontaine
3d8e0a263f package/putty: fix static build
Fix the following static build failure raised since bump to version 0.78
in commit 5673ea3ce4:

In file included from /home/buildroot/autobuild/instance-0/output-1/build/putty-0.78/putty.h:8,
                 from /home/buildroot/autobuild/instance-0/output-1/build/putty-0.78/callback.c:8:
/home/buildroot/autobuild/instance-0/output-1/build/putty-0.78/unix/platform.h:11:10: fatal error: dlfcn.h: No such file or directory
   11 | #include <dlfcn.h>                     /* Dynamic library loading */
      |          ^~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/06f0b14bd0414f97b06070198e290fb3253348c5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-01 22:22:50 +01:00
Fabrice Fontaine
8b3993178d package/python-numpy: needs gcc >= 9
python-numpy needs gcc >= 8.4 since bump to version 1.25.0 in commit
ca63464e37 and
4002a7d421:

../output-1/build/host-python-numpy-1.25.0/meson.build:30:4: ERROR: Problem encountered: NumPy requires GCC >= 8.4

Fixes:
 - http://autobuild.buildroot.org/results/9ec82be71c908873112064792ace283049355031

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-01 21:21:15 +01:00
Fabrice Fontaine
89e6b474ea package/libzenoh-pico: add threads comment
Commit 3e76df02b3 forgot to add a comment
about threads dependency

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-01 21:18:45 +01:00
Fabrice Fontaine
67cb7d8d09 package/rtty: fix wolfssl build
Fix the following wolfssl build failure raised at least since bump to
version 7.4.0 in commit 6b5907bf65:

/home/autobuild/autobuild/instance-4/output-1/build/rtty-8.1.0/src/ssl/openssl.c: In function 'ssl_last_error_string':
/home/autobuild/autobuild/instance-4/output-1/build/rtty-8.1.0/src/ssl/openssl.c:143:24: error: implicit declaration of function 'ERR_peek_error_line_data'; did you mean 'wolfSSL_ERR_get_error_line_data'? [-Werror=implicit-function-declaration]
  143 |         ssl_err_code = ERR_peek_error_line_data(&file, &line, &data, &flags);
      |                        ^~~~~~~~~~~~~~~~~~~~~~~~
      |                        wolfSSL_ERR_get_error_line_data

Fixes:
 - http://autobuild.buildroot.org/results/9db9f1dcc6760de4b78771bb79f109c4efd06c36
 - http://autobuild.buildroot.org/results/16422af9469de114e552124542508c3b18ea8f19

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: don't force wolfssl-all]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 13:21:10 +01:00
José Luis Salvador Rufo
c068fc4fa0 package/zfs: bump version to 2.2.2
This release contains an important fix for a data corruption
bug. Full details are in the issue [1] and bug fix [2].

1. https://github.com/openzfs/zfs/issues/15526
2. https://github.com/openzfs/zfs/pull/15571

Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 11:31:14 +01:00
José Luis Salvador Rufo
a44d1a1252 package/zfs: bump version to 2.2.0
Removed backported patch:
- bc3f12bfac.patch

Updated ZFS test to pass this new version; drop the explicit /pool
mountpoint option to rely on the default location (which happens to be
/pool already).

Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - needed on master to further bump to a data-corruption fix
]
(cherry picked from commit d153e58d13)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 11:29:53 +01:00
Fabrice Fontaine
84b721c2bf package/xtables-addons: bump to version 3.24
This bump will fix the following build failure with kernel >= 6.2 thanks
to
51761c3fe2:

/home/buildroot/autobuild/instance-1/output-1/build/xtables-addons-3.22/extensions/xt_TARPIT.c:
In function 'xttarpit_honeypot':
/home/buildroot/autobuild/instance-1/output-1/build/xtables-addons-3.22/extensions/xt_TARPIT.c:110:26:
error: implicit declaration of function 'prandom_u32_max'; did you mean
'prandom_u32_state'? [-Werror=implicit-function-declaration]
  110 |                         (prandom_u32_max(0x20) - 0xf);
      |                          ^~~~~~~~~~~~~~~
      |                          prandom_u32_state

Fixes:
 - http://autobuild.buildroot.org/results/e8f2a0cb5b38ff98da97268c4b642554a0a732e1
 - http://autobuild.buildroot.org/results/0191ee0590c08b73f17b35a5c8521796693772b5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 11:05:38 +01:00
Fabrice Fontaine
5d4bc47149 package/xtables-addons: bump to version 3.24
This bump will fix the following build failure with kernel >= 6.2 thanks
to
51761c3fe2:

/home/buildroot/autobuild/instance-1/output-1/build/xtables-addons-3.22/extensions/xt_TARPIT.c:
In function 'xttarpit_honeypot':
/home/buildroot/autobuild/instance-1/output-1/build/xtables-addons-3.22/extensions/xt_TARPIT.c:110:26:
error: implicit declaration of function 'prandom_u32_max'; did you mean
'prandom_u32_state'? [-Werror=implicit-function-declaration]
  110 |                         (prandom_u32_max(0x20) - 0xf);
      |                          ^~~~~~~~~~~~~~~
      |                          prandom_u32_state

Fixes:
 - http://autobuild.buildroot.org/results/e8f2a0cb5b38ff98da97268c4b642554a0a732e1
 - http://autobuild.buildroot.org/results/0191ee0590c08b73f17b35a5c8521796693772b5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 11:02:27 +01:00
Fabrice Fontaine
e81dc9df53 package/xtables-addons: drop unrecognized option
--with-xtables is an unrecognized option since the addition of the
package in commit 490917387a:
a576f4d43e/configure.ac

configure: WARNING: unrecognized options: --disable-gtk-doc, --disable-gtk-doc-html, --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --enable-ipv6, --disable-nls, --with-xtables

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-01 11:01:39 +01:00
Adrian Perez de Castro
9152ef591b package/cog: bump to version 0.18.1
This is a small bugfix release which solves a build issue, a memory
leak, and fixes touch input on rotated screens with the DRM/KMS module.
Release notes:

  https://wpewebkit.org/release/cog-0.18.1.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-30 23:16:22 +01:00
Sébastien Szymanski
d590c2c939 package/libusb-compat: fix hash
Upstream re-released the v0.1.8 tarballs with autotools related stuff. [1]
That makes the hash test fail:

ERROR: while checking hashes from package/libusb-compat//libusb-compat.hash
ERROR: libusb-compat-0.1.8.tar.bz2 has wrong sha256 hash:
ERROR: expected: 698c76484f3dec1e0175067cbd1556c3021e94e7f2313ae3ea6a66d900e00827
ERROR: got     : b692dcf674c070c8c0bee3c8230ce4ee5903f926d77dc8b968a4dd1b70f9b05c
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

Update the hash and drop LIBUSB_COMPAT_AUTORECONF.

[1] https://github.com/libusb/libusb-compat-0.1/issues/28#issuecomment-1759400548

[Peter: use .tar.gz to not conflict with s.b.o]
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-30 23:14:07 +01:00
Fabrice Fontaine
5fcd48aff9 package/openfpgaloader: bump to version 0.11.0
This bump will fix the following build failure thanks to
933ed793e8:

In file included from /home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/jtag.hpp:13,
                 from /home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/device.hpp:13,
                 from /home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/efinix.hpp:11,
                 from /home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/efinix.cpp:6:
/home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/board.hpp:49:9: error: 'uint8_t' does not name a type
   49 |         uint8_t tms_pin; /*! TMS pin value */
      |         ^~~~~~~
/home/buildroot/autobuild/instance-3/output-1/build/openfpgaloader-0.10.0/src/board.hpp:12:1: note: 'uint8_t' is defined in header '<cstdint>'; did you forget to '#include <cstdint>'?
   11 | #include "cable.hpp"
  +++ |+#include <cstdint>
   12 |

https://github.com/trabucayre/openFPGALoader/releases/tag/v0.11.0

Fixes:
 - http://autobuild.buildroot.org/results/ee89dcc7430079195e2e9ff300e1320de848d3e3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-30 22:01:23 +01:00
Fabrice Fontaine
758d79faec package/imagemagick: security bump to version 7.1.1-21
Fix CVE-2023-1289, CVE-2023-2157, CVE-2023-34151, CVE-2023-34152,
CVE-2023-34153, CVE-2023-3428, CVE-2023-34474 and CVE-2023-34475

https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-30 21:45:46 +01:00
Peter Korsgaard
0ed48b952b Update for 2023.11-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 22:57:14 +01:00
Bernd Kuhls
d3eff1cd76 package/samba4: security bump version to 4.19.3
Fixes CVE-2018-14628:
https://www.samba.org/samba/security/CVE-2018-14628.html

Release notes:
https://www.samba.org/samba/history/samba-4.19.3.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 22:27:00 +01:00
Fabrice Fontaine
cb92494405 package/libgdiplus: needs C++
Unfortunately, libgdiplus unconditionally calls AC_PROG_CXX since
version 6.1 for google-based tests resulting in the following build
failure without C++ since commit
5b6dd17b86 and
4f98022306:

checking whether the C++ compiler works... no
configure: error: in `/home/thomas/autobuild/instance-3/output-1/build/libgdiplus-6.1':
configure: error: C++ compiler cannot create executables

Fixes:
 - http://autobuild.buildroot.org/results/3757921a2160ca209089a0b47414a445cc42e35e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 22:26:32 +01:00
Fabrice Fontaine
02e80e06c5 package/gsl: fix musl build on m68k
Update patch to fix the following musl build failure with m68k which is
only raised (for an unknown reason) since bump to version 2.7.1 in commit
3e48f8358e:

In file included from fp.c:6:
fp-gnum68k.c:21:10: fatal error: fpu_control.h: No such file or directory
   21 | #include <fpu_control.h>
      |          ^~~~~~~~~~~~~~~

Add also upstream link to first patch iteration which was sent in
November 2022 but didn't get any reply (like most of the other emails
sent to bug-gsl@gnu.org ...)

Fixes:
 - http://autobuild.buildroot.org/results/e59636f6ac148807c1c67f09eef0e0a9f5d52303

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 10:21:19 +01:00
Fabrice Fontaine
273b634f24 package/openrc: fix uclibc handling
Fix issues spotted by Yann E. Morin in commit
ca169d1d0a:
 - BR2_TOOLCHAIN_BUILDROOT_UCLIBC -> BR2_TOOLCHAIN_USES_UCLIBC
 - Add dependency to openrc package and not only to init system

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 10:00:43 +01:00
Fabrice Fontaine
e88823d667 package/refpolicy: fix build with smartmontools
Fix the following build failure with smartmontools raised since bump to
version 2.20231002 in commit 68de45491b:

 Compiling targeted policy.33
 env LD_LIBRARY_PATH="/home/thomas/autobuild/instance-2/output-1/host/lib:/home/thomas/autobuild/instance-2/output-1/host/usr/lib" /home/thomas/autobuild/instance-2/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
 policy/modules/services/smartmon.te:146:ERROR 'type fsadm_exec_t is not within scope' at token ';' on line 237472:
 	allow smartmon_update_drivedb_t fsadm_exec_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
 #line 146
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:80: policy.33] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/a01123de9a8c1927060e7e4748666bebfc82ea44

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 09:59:03 +01:00
Fabrice Fontaine
a82ff22698 package/qemu: fix selinux module
Fix the following refpolicy build failure raised since commit
aa8e38a516:

policy.conf:2509:ERROR 'attribute virt_ptynode is not declared' at token ';' on line 2509:
type qemu_device_t;
type qemu_devpts_t, virt_ptynode;

Fixes:
 - http://autobuild.buildroot.org/results/210db01ac72cabd42e1478900cdbfa4cf4b19bcb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 09:58:57 +01:00
Yann E. MORIN
fb72418160 package/erlang: disable for uclibc, fix glibc-build
Commit 2cfa86a54882 (package/erlang: bump version to 26.0.2) added a
patch to restore building on uClibc.

However, that patch is not upstream, and has been rejected:

    https://github.com/erlang/otp/pull/7500

    Please open a PR to https://github.com/asmjit/asmjit instead and we
    will get the fix next time we sync with upstream. We do not want
    theirs and our implementation to diverge.

Furthermore, it happens to work on uClibc, because uClibc does not
expose sys/auxv.h, but it fails to work on glibc, because the define is
not propagated to "sub-trees", and thus is never defined where it is
checked for, even when sys/auxv.h is available. This causes build
failures such as:

    asmjit/core/cpuinfo.cpp: In function ‘void asmjit::_abi_1_10::detectHWCaps(CpuInfo&, long unsigned int, const LinuxHWCapMapping*, size_t)’:
    asmjit/core/cpuinfo.cpp:840:24: error: ‘getauxval’ was not declared in this scope
      840 |   unsigned long mask = getauxval(type);
          |                        ^~~~~~~~~
    asmjit/core/cpuinfo.cpp: In function ‘void asmjit::_abi_1_10::detectARMCpu(CpuInfo&)’:
    asmjit/core/cpuinfo.cpp:972:21: error: ‘AT_HWCAP’ was not declared in this scope
      972 |   detectHWCaps(cpu, AT_HWCAP, hwCapMapping, ASMJIT_ARRAY_SIZE(hwCapMapping));
          |                     ^~~~~~~~
    asmjit/core/cpuinfo.cpp:973:21: error: ‘AT_HWCAP2’ was not declared in this scope
      973 |   detectHWCaps(cpu, AT_HWCAP2, hwCapMapping2, ASMJIT_ARRAY_SIZE(hwCapMapping2));
          |                     ^~~~~~~~~

Yet, sys/auxv.h was detected at configure time:

    checking for sys/auxv.h... yes

This defconfig is enough to reproduce the error:

    BR2_aarch64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
    BR2_PACKAGE_ERLANG=y

Since upstream refused the patch, and there is no fix that was submitted
to the actual upstream (asmjit), drop the rejected patch, and disable
for uClibc: the patch is incorrect, and we can't fix a build issue on
uClibc by introducing another on glibc.

Fixes:
    http://autobuild.buildroot.org/results/fc1/fc19bad2263bdfacea594217d5ddfde0e27895b1/
    http://autobuild.buildroot.org/results/114/11416d81d5b27fc0627b335a971154c088d5754a/

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Bernd Kuhls <bernd@kuhls.net>
Cc: Maxim Kochetkov <fido_max@inbox.ru>

Changes v1 -> v2:
  - update comment when unavailable

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 08:41:30 +01:00
Francois Perrad
127986f3ed package/perl: security bump to 5.36.2
fix CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-29 08:37:29 +01:00
Bernd Kuhls
c9222fe0fc {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 5, 6}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 23:56:50 +01:00
Fabrice Fontaine
ca169d1d0a system/Config.in: disable openrc with uclibc
openrc raises the following uclibc build failures since bump to version
0.51 in commit 730c90faa3:

../src/rc-abort/rc-abort.c: In function 'main':
../src/rc-abort/rc-abort.c:27:21: error: implicit declaration of function 'kill'; did you mean 'killpg'? [-Werror=implicit-function-declaration]
   27 |                 if (kill(pid, SIGUSR1) != 0)
      |                     ^~~~
      |                     killpg

../src/libeinfo/libeinfo.c: In function 'colour_terminal':
../src/libeinfo/libeinfo.c:319:26: error: implicit declaration of function 'fileno' [-Werror=implicit-function-declaration]
  319 |         if (f && !isatty(fileno(f)))
      |                          ^~~~~~

../src/librc/librc-misc.c: In function 'rc_getfile':
../src/librc/librc-misc.c:79:14: error: implicit declaration of function 'fileno'; did you mean 'd_fileno'? [-Werror=implicit-function-declaration]
   79 |         fd = fileno(fp);
      |              ^~~~~~
      |              d_fileno

../src/librc/librc-daemon.c: In function 'rc_service_daemons_crashed':
../src/librc/librc-daemon.c:633:37: error: implicit declaration of function 'kill'; did you mean 'killpg'? [-Werror=implicit-function-declaration]
  633 |                                 if (kill(pid, 0) == -1 && errno == ESRCH)
      |                                     ^~~~
      |                                     killpg

These build failures could be fixed by patching openrc but upstream
is not happy with this patch: https://github.com/OpenRC/openrc/pull/674.

So, as advised by Yann E. Morin, openrc is hidden away for uClibc, until
upstream has a proper fix.

Fixes:
 - http://autobuild.buildroot.org/results/494ef392a971ddb3c5c7b01e0149c6439018dbe7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 23:55:35 +01:00
Fabrice Fontaine
e5af07dce9 package/libxml2: security bump to version 2.11.6
Fix CVE-2023-45322: libxml2 through 2.11.5 has a use-after-free that can
only occur after a certain memory allocation fails. This occurs in
xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think
these issues are critical enough to warrant a CVE ID ... because an
attacker typically can't control when memory allocations fail."

https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.11.6/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:54:45 +01:00
Fabrice Fontaine
6bd302c631 package/vim: security bump to version 9.0.2136
Fix CVE-2023-46246, CVE-2023-48231, CVE-2023-48232, CVE-2023-48233,
CVE-2023-48234, CVE-2023-48235, CVE-2023-48236 and CVE-2023-48237

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:54:25 +01:00
Fabrice Fontaine
7fb3c96a7b package/squid: security bump to version 6.5
Fix CVE-2023-5824, CVE-2023-46724, CVE-2023-46846, CVE-2023-46847 and
CVE-2023-46848

https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w

https://github.com/squid-cache/squid/blob/SQUID_6_5/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:52:21 +01:00
Fabrice Fontaine
bc96e9da0d package/memcached: security bump to version 1.6.22
Fix CVE-2023-46852: In Memcached before 1.6.22, a buffer overflow exists
when processing multiget requests in proxy mode, if there are many
spaces after the "get" substring.

Fix CVE-2023-46853: In Memcached before 1.6.22, an off-by-one error
exists when processing proxy requests in proxy mode, if \n is used
instead of \r\n.

https://github.com/memcached/memcached/wiki/ReleaseNotes1622

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:51:38 +01:00
Fabrice Fontaine
d675873f4f package/vlc: security bump to version 3.0.20
Fix CVE-2023-47359: Videolan VLC prior to version 3.0.20 contains an
incorrect offset read that leads to a Heap-Based Buffer Overflow in
function GetPacket() and results in a memory corruption.

Fix CVE-2023-47360: Videolan VLC prior to version 3.0.20 contains an
Integer underflow that leads to an incorrect packet length.

https://code.videolan.org/videolan/vlc/-/blob/3.0.20/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:49:49 +01:00
Brandon Maier
8ad1a2eaa5 docs/website: fix favicon
When the favicon image was added in f26e61319f (docs/website: add
favicon.png), it was added to a different directory than where the header's
icon link points. This causes the favicon to fail to load with 404.

While we are here, remove the "shortcut" rel attribute as it is non-standard
and it's recommended not to use it[1].

[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#sect4

Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-28 21:49:36 +01:00
Fabrice Fontaine
aa0f115bf7 package/janet: needs MMU
janet unconditionally uses fork since version 1.32.0 and
4b8c1ac2d2
resulting in the following build failure since bump to version 1.32.1 in
commit c87abf01a9:

janet.c:(.text+0x19bbc): undefined reference to `fork'

Fixes:
 - http://autobuild.buildroot.org/results/f0771fc6c9905d3a6d60ce245df585b3c6096f7f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-28 17:03:41 +01:00
Fabrice Fontaine
1267a234ff package/motion: fix webp build
Fix the following build failure raised since bump of webp to version
1.3.2 in commit c88c1d3319:

/home/autobuild/autobuild/instance-9/output-1/host/lib/gcc/aarch64_be-buildroot-linux-uclibc/13.2.0/../../../../aarch64_be-buildroot-linux-uclibc/bin/ld: picture.o: undefined reference to symbol 'WebPMemoryWriterClear'
/home/autobuild/autobuild/instance-9/output-1/host/lib/gcc/aarch64_be-buildroot-linux-uclibc/13.2.0/../../../../aarch64_be-buildroot-linux-uclibc/bin/ld: /home/autobuild/autobuild/instance-9/output-1/host/aarch64_be-buildroot-linux-uclibc/sysroot/usr/lib64/libwebp.so.7: error adding symbols: DSO missing from command line

Fixes:
 - http://autobuild.buildroot.org/results/9b859a701debeaddf1f9909e16adc6811a620576

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-28 17:01:59 +01:00
Fabrice Fontaine
07dad085fa package/exfatprogs: security bump to version 1.2.2
Fix CVE-2023-45897: exfatprogs before 1.2.2 allows out-of-bounds memory
access, such as in read_file_dentry_set.

https://github.com/exfatprogs/exfatprogs/blob/1.2.2/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-28 16:59:11 +01:00
Bram Oosterhuis
9d27996289 package/rpi-firmware: bump version to 83dafbc
Version 83dafbc will match with the kernel 6.1.61

Signed-off-by: Bram Oosterhuis <dev@bybram.com>
Reviewed-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Tested-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:55:15 +01:00
Bram Oosterhuis
13ba668a2d configs/raspberrypi: bump Linux version to 6.1.61
Linux 6.1 has been marked LTS for a long time now. Time to bump
Linux for RaspberryPi's to the latest 6.1.61. Since April 2022
the RaspberryPi defconfigs have compressed kernel module enabled
by default. (see [1] and [2]).

To load compressed kernel modules kmod and xz packages are needed
because busybox doesn't support it.

For testing I used RaspberryPi 2, 3(32+64bit) and 4(32+64bit), all with mdev enabled.

[1] c45b4223a4
[2] https://github.com/raspberrypi/linux/issues/4966

Signed-off-by: Bram Oosterhuis <dev@bybram.com>
Reviewed-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Tested-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:55:08 +01:00
Peter Seiderer
fbf0a6ea42 board/raspberrypi/config_4_64bit.txt: remove testing dtoverlay entries (vc4-kms-v3d-pi4, imx219)
Remove private/testing dtoverlay entries (vc4-kms-v3d-pi4, imx219 and
commented out ov5647) wrongly introduced by commit 689b9ac439
("package/rpi-firmware: rework boot/config file handling") [1].

[1] https://git.buildroot.net/buildroot/commit/?id=689b9ac439ab7b507c8982b6102bddf59d03efbf

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:50:46 +01:00
Gaël PORTAY
5be42d8da3 board/raspberrypi: fix autoprobing of bluetooth driver
The commit 689b9ac439 (package/rpi-firmware: rework boot/config file
handling) has split in two the property:

	dtoverlay=miniuart-bt,krnbt=on

Into:

	dtoverlay=miniuart-bt
	dtoverlay=krnbt=on

The initial property contained the dtbo file miniuart-bt[1] and its
parameter krnbt=on[2][3].

The first syntax is correct while the second is not. The krnbt=on is not
a dtoverlay[4] but a dtparam[5]. Therefore the property dtparam must be
used instead.

This fixes:

	# cat /sys/firmware/devicetree/base/chosen/user-warnings
	Failed to load overlay 'krnbt=on'

[1]: https://github.com/raspberrypi/linux/blob/rpi-5.10.y/arch/arm/boot/dts/overlays/miniuart-bt-overlay.dts
[2]: https://github.com/raspberrypi/linux/blob/rpi-5.10.y/arch/arm/boot/dts/overlays/miniuart-bt-overlay.dts#L91
[3]: https://github.com/raspberrypi/linux/blob/rpi-5.10.y/arch/arm/boot/dts/overlays/README#L213-L215
[4]: https://www.raspberrypi.com/documentation/computers/config_txt.html#dtoverlay
[5]: https://www.raspberrypi.com/documentation/computers/config_txt.html#dtparam

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:39:34 +01:00
Michael Nosthoff
fc7606010e package/re2: bump to version 2023.11.01
- libabseil-cpp is now a dependency
- required c++ standard is now c++14 [0] --> requires gcc8
- drop fix for gcc <= 5 introduced in 25fd3b0a52
  (c++ >= 14 is the default for gcc >= 8)
- update gcc required for depending packages qt5webengine & grpc

[0] 7c2552dd54

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:31:42 +01:00
Baruch Siach
83b799457f package/socat: bump to version 1.8.0.0
Update README hash for changes not related to license.

Change patch 0001 to git format. socat is now hosted on git. Also,
update to apply to current version.

Add upstream status to both patches.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:10:52 +01:00
Bagas Sanjaya
9b6c2acf59 package/git: bump to version 2.43.0
Bump the package version to 2.43.0. For the full changelog, see the
release announcement at [1].

Link: https://lore.kernel.org/git/xmqqzfz8l5or.fsf@gitster.g/ [1]
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:10:45 +01:00
Alexander Egorenkov
0868e3430b package/makedumpfile: bump to version 1.7.4
Release notes:
- https://github.com/makedumpfile/makedumpfile/releases/tag/1.7.4

Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:10:38 +01:00
Alexander Egorenkov
cc363e9a93 package/multipath-tools: bump to version 0.9.7
Change log:
- https://github.com/opensvc/multipath-tools/pull/77

Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 19:10:31 +01:00
Fabrice Fontaine
3da62675d7 package/exfatprogs: add EXFATPROGS_CPE_ID_VENDOR
cpe:2.3:a:namjaejeon:exfatprogs is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/detail/F174A846-F275-4AD8-A0E3-6D0CEFDFF308

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 18:14:47 +01:00
Fabrice Fontaine
2c055121e7 package/x11r7/xwayland: add XWAYLAND_CPE_ID_VENDOR
cpe:2.3:a:x.org:xwayland is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/detail/6F35318F-48A3-45B0-B70A-F953B7B0A0E8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: s/VEBDOR/VENDOR/]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-27 18:14:26 +01:00
Maxim Kochetkov
4d549c071d package/postgresql: security bump version to 15.5
Release notes:
https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

Fixes CVE-2023-5868, CVE-2023-5869, CVE-2023-5870.

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-26 22:42:26 +01:00
Maxim Kochetkov
beafbb83ad package/timescaledb: bump version to 2.12.2
Release notes: https://github.com/timescale/timescaledb/blob/2.12.2/CHANGELOG.md

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-11-26 22:40:53 +01:00