The golang infrastructure automatically expands the list of licenses
with a little blurb that the licenses for vendored dependencies might be
missing in the list.
However, when a package does not define a license, the resulting text is
sub-optimal, resulting in a manifest that contains (with a leading
comma, yes):
, vendored dependencies licenses probably not listed
In that case, pointing out that some unknown licensing terms may be part of
unknown licensing terms is superfluous.
Instead, just let the legal infra do its job, and report an "unknown"
license altogether.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 01a4614d10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The licensing terms are inherited from the target variant to the host
variant: when the host _LICENSE is empty, then the value of the target
_LICENSE is used.
However, for the cargo infra, we want to append a little blurb about
vendored dependencies. If the package is host-only, then it would
inherit the target _LICENSE, i.e. the variable without the leading
HOST_. If that is defined, this is inherited in the generic-package part
of the infra, but in the cargo infra, we saw an empty variable, and so
we would not add the vendoring blurb.
We can't move the condition appending that blurb, after we called into
the generic-package infra, otherwise in that case, we'd have the
opposite issue for packages that are both target and host packages,
where the blurb would be duplicated for host packages...
Instead, we work around the issue by duplicating the heuristic to inherit
the target value from the generic- into the cargo-package infra.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 049ea7b389)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cargo infrastructure automatically expands the list of licenses with
a little blurb that the licenses for vendored dependencies might be
missing in the list.
However, when a package does not define a license, the resulting text is
sub-optimal, resulting in a manifest that contains (with a leading
comma, yes):
, vendored dependencies licenses probably not listed
In that case, pointing out that some unknown licensing terms may be part of
unknown licensing terms is superfluous.
Instead, just let the legal infra do its job, and report an "unknown"
license altogether.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 0a8bc54e09)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
redis handling is wrong since the addition of the package in commit
736c4c1655. Indeed, freeradius-server needs hiredis, not redis.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5a8d6014c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
websocketpp had some ill-formed usage of template parameters which was
finally removed in C++20. Hence build fails when building with C++20
support enabled.
The patch is already in the develop branch but no new release was
done.
There are no autobuilder failures because websocketpp is a header-only
library, and there are no packages in Buildroot that depend on
websocketpp.
A build issue was encountered when bumping an internal project to
C++20. This issue triggered quite some bug reports in the project [0]
and there are backports to other package managers like vcpkg [1] and
conan [2].
[0] https://github.com/zaphoyd/websocketpp/pull/1060
[1] https://github.com/microsoft/vcpkg/pull/23669
[2] https://github.com/conan-io/conan-center-index/pull/15295
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
[Thomas: extend commit log with details provided by Michael.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ac1a76fcf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a yet-to-be published security issue TROVE-2023-004. From the
announcement:
https://forum.torproject.org/t/security-release-0-4-7-16-and-0-4-8-8/10064
We are releasing an emergency security release fixing a high security bug
affecting relays.
This is tracked by the TROVE-2023-004 92 for which we’ll make the ticket
public once the packages and network has started to upgrade.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3:a:northern.tech:mender is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/detail/F90CE0C3-FCE6-40AA-8C0D-EDE2C81BD67B
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f4a9cdb1f8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following (Windows-only) security issue:
CVE-2023-46695: Potential denial of service vulnerability in UsernameField
on Windows
The NFKC normalization is slow on Windows. As a consequence,
django.contrib.auth.forms.UsernameField was subject to a potential denial of
service attack via certain inputs with a very large number of Unicode
characters.
In order to avoid the vulnerability, invalid values longer than
UsernameField.max_length are no longer normalized, since they cannot pass
validation anyway.
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
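The mitigation described above, as an added illustration (not Django's own code): the expensive NFKC normalization is only run on values that could still pass the length validator. The 150-character default for max_length is assumed here, and the field class is a stand-in for django.contrib.auth.forms.UsernameField.

```python
import unicodedata

# Assumed default: Django's username field uses max_length=150.
DEFAULT_MAX_LENGTH = 150


def normalize_username_unbounded(value):
    """Pre-fix behaviour: always NFKC-normalize, however long the input.
    Cost grows with the input size, which is the DoS vector described in
    CVE-2023-46695 on platforms where NFKC is slow."""
    if value is None:
        return value
    return unicodedata.normalize("NFKC", value)


def normalize_username_bounded(value, max_length=DEFAULT_MAX_LENGTH):
    """Post-fix behaviour: a value longer than max_length can never pass
    validation, so it is returned unchanged and left for the length
    validator to reject. Only in-bounds values are normalized."""
    if value is None:
        return value
    if max_length is None or len(value) <= max_length:
        return unicodedata.normalize("NFKC", value)
    return value


def clean_username(raw, max_length=DEFAULT_MAX_LENGTH):
    """Stand-in for a form field's clean(): normalize (bounded), then
    validate the length. Returns (is_valid, cleaned_value)."""
    cleaned = normalize_username_bounded(raw, max_length)
    if cleaned is None or len(cleaned) > max_length:
        return False, cleaned
    return True, cleaned


if __name__ == "__main__":
    # Constructed inputs: a ligature that NFKC expands, and an oversized one.
    short = "\ufb01" * 3            # "ﬁ" x3, normalizes to "fi" x3
    oversized = "\ufb03" * 100_000  # far beyond max_length
    print(clean_username(short))
    print(clean_username(oversized)[0])
```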
apache uses pkgconfig to find dependencies such as lua, nghttp2, openssl
and systemd.
For openssl, pkgconfig is used since version 2.1.1 and
0d4387dedc
resulting in the following build failure since at least bump to version
2.4.54 in commit 78e5a9c40e:
ac_cv_path_PKGCONFIG=/usr/bin/pkg-config
[...]
configure:28669: checking for SSL_CTX_new
configure:28669: /home/buildroot/autobuild/instance-1/output-1/host/bin/armeb-buildroot-linux-uclibcgnueabi-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O3 -g0 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -L/home/buildroot/autobuild/instance-1/output-1/host/armeb-buildroot-linux-uclibcgnueabi/sysroot/usr/bin/../../../../armeb-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -L/usr/lib conftest.c -lssl -lcrypto -lpthread >&5
armeb-buildroot-linux-uclibcgnueabi-gcc: ERROR: unsafe header/library path used in cross-compilation: '-L/usr/lib'
Fixes:
- http://autobuild.buildroot.org/results/d85c86ee1070582014c7b29b39f9a9f356988220
- http://autobuild.buildroot.org/results/55d6bad8572138e200730d3a9f2dd1b9048fd95d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f6b53b1a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable provisioning client when building statically to avoid the
following build failure raised since bump to version LTS_01_2022_Ref01
in commit 06bb3640c1 and
1de399fd48
which enabled provisioning client by default:
/home/buildroot/autobuild/instance-3/output-1/build/azure-iot-sdk-c-LTS_01_2023_Ref02/provisioning_client/deps/utpm/src/tpm_comm_linux.c:13:10: fatal error: dlfcn.h: No such file or directory
13 | #include <dlfcn.h>
| ^~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/894188649f66d9917e1ed94989ebe307102ab28c
- http://autobuild.buildroot.org/results/735b96c842796f309c33a0545eeb2e8f8d1f75ca
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce0d4efa76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add missing BR2_OPTIMIZE_FAST dependency to BR2_PACKAGE_ZABBIX_SERVER
to avoid the following build failure raised since commit
e702a05d89:
checking for Zabbix server/proxy database selection... error
configure: error: No database selected for Zabbix server/proxy. Use --with-mysql or --with-oracle or --with-postgresql or --with-sqlite3.
Fixes:
- http://autobuild.buildroot.org/results/ab403b45761c82f49a9380564bf10d3e7ae935f2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6da2b51a66)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
TF-A prints a version string at boot which includes the version number as
specified in the Makefile and additional "build" information, specified by
the BUILD_STRING parameter:
https://trustedfirmware-a.readthedocs.io/en/v2.9/getting_started/build-options.html
BUILD_STRING: Input string for VERSION_STRING, which allows the TF-A build
to be uniquely identified. Defaults to the current git commit id.
This is implemented as:
# Default build string (git branch and commit)
ifeq (${BUILD_STRING},)
BUILD_STRING := $(shell git describe --always --dirty --tags 2> /dev/null)
endif
https://github.com/ARM-software/arm-trusted-firmware/blob/master/Makefile#L225-L228
Which is never correct in the context of Buildroot, as the TF-A build
directory is never a git repo, and git will move up the directory tree and
possibly pick up the git version of Buildroot instead.
To fix that, explicitly set BUILD_STRING to the version of the package.
Pass it before BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES so it
can still be overridden by the user if needed.
strings images/tf-a-* | egrep '^v2\.'
v2.9(debug):2023.08-859-g99d78b52a0
v2.9(debug):v2.9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5a8a7530bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3:a:xiph:opusfile is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/BB1B035B-FCF0-4854-AB18-0FD1181B0CC3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 522f25ed42)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2023-45158: An OS command injection vulnerability exists in
web2py 2.24.1 and earlier. When the product is configured to use
notifySendHandler for logging (not the default configuration), a crafted
web request may execute an arbitrary OS command on the web server using
the product.
https://jvn.jp/en/jp/JVN80476432
https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 30cb3d784c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3:a:lwp\:\:protocol\:\:https_project:lwp\:\:protocol\:\:https is a
valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/804408BE-097D-4FE3-B6DB-29324871C6B9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b32e4fa760)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 547552a9cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the generic package infrastructure removed auto derivation of
host dependencies [1] (2016.08), the host dependencies must be
explicitly set.
While adding the nettle host variant [2] the gmp dependency was not
duplicated and host-nettle was built without host-gmp (or built with
gmp installed on the build machine).
While building host-gnutls, required for building the mkeficapsule u-boot
tool, the configure script checks if Libhogweed (nettle's companion
library) is built with libgmp support.
If the internal toolchain is used, luckily host-gmp is built before
building host-nettle (and host-gnutls). But when using a prebuilt
external toolchain, the following error shows up:
Libhogweed (nettle's companion library) 3.6 was not found. Note that you must compile nettle with gmp support.
[1] 4bdb067e38
[2] dac6e30118
[3] eb24bfa808
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit db3a730e8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nettle uses m4 during its build process. Without it, the build fails
with:
m4 ./m4-utils.m4 ./asm.m4 config.m4 machine.m4 aes-decrypt-internal.asm >aes-decrypt-internal.s
/bin/sh: 1: m4: not found
For the target package this is not visible, as the existing gmp
dependency pulls in host-m4. But technically speaking, nettle needs
host-m4 directly, so it makes sense to have this dependency.
For the host package, it clearly fails to build, but probably isn't
very visible as most systems have m4 installed system-wide: this was
noticed when building inside Buildroot's minimal Docker
container. There are no recorded autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4ca1b03c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
https://github.com/OpenVPN/openvpn/blob/v2.5.9/Changes.rst
This is a small bugfix release, and the last version for 2.5.x
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This may be the last patch for OpenSSL 1.1.1 LTS; it reached
end-of-life on 2023-09-11.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Medium] A fix was added, but still under review for completeness, for a
Bleichenbacher style attack, leading to being able to decrypt a saved
TLS connection and potentially forge a signature after probing with a
large number of trial connections. This issue is around RSA decryption
and affects static RSA cipher suites on the server side, which are not
recommended to be used and are off by default. Static RSA cipher suites
were also removed from the TLS 1.3 protocol and only present in TLS 1.2
and lower. All padding versions of RSA decrypt are affected since the
code under review is outside of the padding processing. Information
about the private keys is NOT compromised in affected code. It's
recommended to disable static RSA cipher suites and update the version
of wolfSSL used if using RSA private decryption alone outside of TLS.
https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c4658ede71)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
An issue was discovered in the C AMQP client library (aka rabbitmq-c)
through 0.13.0 for RabbitMQ. Credentials can only be entered on the
command line (e.g., for amqp-publish or amqp-consume) and are thus
visible to local attackers by listing a process and its arguments.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c3fcaeaaa7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop --without-x (now unrecognized)
- Fix CVE-2023-40745: LibTIFF is vulnerable to an integer overflow. This
flaw allows remote attackers to cause a denial of service (application
crash) or possibly execute an arbitrary code via a crafted tiff image,
which triggers a heap-based buffer overflow.
- Fix CVE-2023-41175: A vulnerability was found in libtiff due to
multiple potential integer overflows in raw2tiff.c. This flaw allows
remote attackers to cause a denial of service or possibly execute an
arbitrary code via a crafted tiff image, which triggers a heap-based
buffer overflow.
https://libtiff.gitlab.io/libtiff/releases/v4.6.0.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e96b1c4b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version)
- tests can be disabled since version 1.2.3 and
e2e3d6b14e
- docs can be disabled since version 1.2.3 and
af6c10e8be
- Fix CVE-2023-46228: zchunk before 1.3.2 has multiple integer overflows
via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c,
lib/dl/multipart.c, or lib/header.c.
https://github.com/zchunk/zchunk/compare/1.2.2...1.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8716942ca6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3:a:zchunk:zchunk is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/480C0B83-3109-49EE-9E06-7866A54878CA
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3499c75ccf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 99d525028f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f2a590750f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that we have HTTPS support for sources.buildroot.net (through Let's
Encrypt / Cloudflare), it makes sense to default to it for our backup site.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 05296ced36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-riscv64-elf-toolchain package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cf2dcaa1ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-mxsldr package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fefcfddc5e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
MiniZip in zlib through 1.3 has an integer overflow and resultant
heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
filename, comment, or extra field. NOTE: MiniZip is not a supported part
of the zlib product.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de7bc4ada2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>