Commit Graph

4 Commits

Author SHA1 Message Date
Fabrice Fontaine
05cc9e967c package/chartjs: add CPE variables
cpe:2.3:a:chartjs:chart.js is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Achartjs%3Achart.js

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-23 21:34:33 +01:00
Joeri Barbarien
a20a86d7f6 package/chartjs: security bump to 2.9.4
CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)

    The options parameter is not properly sanitized when it is processed.
    When the options are processed, the existing options (or the defaults
    options) are deeply merged with provided options. However, during this
    operation, the keys of the object being set are not checked, leading to
    a prototype pollution.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-19 18:56:51 +01:00
Thomas De Schampheleire
0244b11597 package/chartjs: move 'v' version prefix out of CHARTJS_VERSION
chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
detected by the CVE scripts, presumably because our version variable starts
with a 'v'.

Move that 'v' prefix out of the version variable to fix that.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-19 18:56:37 +01:00
Joeri Barbarien
7ca94a367d package/chartjs: new package
Note: even though the Chart.js developers make specific tarballs on GitHub
(i.e. not simply 'source code' tarballs), they cannot be used in Buildroot
because their names do not encode a version number, e.g. 'Chart.js.zip'.
This means that on upgrades, the same tarball name would have different
contents and thus a different hash.

Signed-off-by: Joeri Barbarien <joeri.barbarien@nokia.com>
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-15 21:38:56 +01:00