Commit Graph

167 Commits

Author SHA1 Message Date
Fabrice Fontaine
2ced8d5878 package/uftrace: bump to version 0.14
Add Upstream link to patch (even if it was rejected)

https://github.com/namhyung/uftrace/blob/v0.14/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-01 17:10:16 +01:00
Fabrice Fontaine
0c9dc366bf package/ace: bump to version 7.1.1
- Drop patches (already in version)
- C++14 is mandatory since version 7.1.0

https://github.com/DOCGroup/ACE_TAO/blob/ACE%2BTAO-7_1_1/ACE/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-01 12:45:11 +01:00
Adrian Perez de Castro
111986f435 package/cage: bump to version 0.1.5
Update Cage to version 0.1.5, which is a bug fix release that
supports using wlroots 0.16.x.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-01 12:25:52 +01:00
Fabrice Fontaine
8716942ca6 package/zchunk: security bump to version 1.3.2
- Drop patches (already in version)
- tests can be disabled since version 1.2.3 and
  e2e3d6b14e
- docs can be disabled since version 1.2.3 and
  af6c10e8be
- Fix CVE-2023-46228: zchunk before 1.3.2 has multiple integer overflows
  via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c,
  lib/dl/multipart.c, or lib/header.c.

https://github.com/zchunk/zchunk/compare/1.2.2...1.3.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-10-28 22:49:02 +02:00
Peter Korsgaard
bbf9a9ba7a .checkpackageignore: drop now removed network-manager patches
Commit 0455f957a3 (package/network-manager: bump to version 1.44.2)
dropped the two patches but forgot to update .checkpackageignore.

Fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-17 10:35:53 +02:00
Fabrice Fontaine
cef841bf7d package/libebml: bump to version 1.4.4
- Drop patch (already in version)
- C++14 is required since
  4159caf84c

https://github.com/Matroska-Org/libebml/blob/release-1.4.4/NEWS.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-10-10 22:47:18 +02:00
Arnout Vandecappelle
8cf183be9e .checkpackageingore: refresh
Commit 4cbc2af604 moved the nodejs patches
to the nodejs-src directory, but forgot to update .checkpackageignore
accordingly. Fix that, by running `make .checkpackageignore`.

Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-10-07 16:17:18 +02:00
Jens Maus
14c4bd7bf8 package/linux-tools: fix SysV init script
This commit fixes the S10hyperv SysV init script which expects binaries
to be locate in /sbin while they are installed in /usr/sbin. Please
note, that the systemd init scripts correctly reference them.
Furthermore, the SysV init script did not check for an actual HyperV
environment to be present, which is also corrected. In addition, this
commit also fixes check-package warnings regarding a missing DAEMON
definition.

Signed-off-by: Jens Maus <mail@jens-maus.de>
[Peter: drop from .checkpackageignore]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-01 11:47:27 +02:00
Fabrice Fontaine
d65b960859 package/powertop: bump to version 2.15
- Switch site to get latest version
- Replace patch by an upstreamable one

https://github.com/fenrus75/powertop/compare/v2.13...v2.15

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-30 19:18:30 +02:00
Fabrice Fontaine
4c32b3d9ff package/olsr: fix build with gpsd >= 3.25
Fix the following build failure with gpsd >= 3.25 raised since commit
3c7fece853:

In file included from src/configuration.h:50,
                 from src/configuration.c:46:
src/gpsdclient.h:64:8: error: redefinition of 'struct fixsource_t'
   64 | struct fixsource_t {
      |        ^~~~~~~~~~~
In file included from src/gpsdclient.h:49,
                 from src/configuration.h:50,
                 from src/configuration.c:46:
/tmp/instance-17/output-1/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/gps.h:2714:8: note: originally defined here
 2714 | struct fixsource_t
      |        ^~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/47a619686bb47debd525c92aa7e14bee5c40ca9e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-30 19:11:12 +02:00
Yann E. MORIN
540e512f9f checkpagage: drop ignore pattern fr removed pppd patches
Commit 0c15169f5a (package/pppd: bump version to 2.5.0) forgot to drop
the check-package exclusion when it dropped the patches.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-30 00:27:32 +02:00
Fabrice Fontaine
60e899bfa0 package/freeipmi: bump to version 1.6.11
Drop patch (already in version) and so also drop autoreconf

https://lists.gnu.org/archive/html/freeipmi-announce/2023-06/msg00000.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 22:49:29 +02:00
Fabrice Fontaine
e1b2cd5835 package/neon: drop patches
Patches (and so autoreconf) are not needed since bump to version 0.32.4
in commit f39ac8336e and
9924d4d315

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 22:48:37 +02:00
Fabrice Fontaine
ce17f93e82 package/suricata: security bump to version 6.0.14
- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
  adversary who controls an external source of rules), a dataset
  filename, that comes from a rule, may trigger absolute or relative
  directory traversal, and lead to write access to a local filesystem.
  This is addressed in 6.0.13 by requiring allow-absolute-filenames and
  allow-write (in the datasets rules configuration section) if an
  installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
  controls an external source of Lua rules may be able to execute Lua
  code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
  is true in the security lua configuration section.
- Drop first patch (not needed since
  c8a3aa608e)

https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 23:03:52 +02:00
Fabrice Fontaine
ede7d0bd77 package/liburcu: bump to version 0.14.0
- Drop second and third patches (already in version)
- C++ is mandatory since
  153b081a9b

https://github.com/urcu/userspace-rcu/blob/v0.14.0/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:06:24 +02:00
Fabrice Fontaine
1df2976f79 package/keepalived: bump to version 2.2.8
Drop all patches (already in version) and so drop autoreconf

https://www.keepalived.org/release-notes/Release-2.2.8.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:05:58 +02:00
Fabrice Fontaine
05fbb29322 package/unixodbc: bump to version 2.3.12
Drop patch (already in version)

https://github.com/lurcher/unixODBC/releases/tag/2.3.12

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:13:26 +02:00
Fabrice Fontaine
c11478fb27 package/brotli: bump to version 1.1.0
Drop patches (already in version)

https://github.com/google/brotli/releases/tag/v1.1.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:12:33 +02:00
Fabrice Fontaine
7aa5e8f84f package/snappy: bump to version 1.1.10
Drop patch (already in version)

https://github.com/google/snappy/blob/1.1.10/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:11:38 +02:00
Fabrice Fontaine
197d0a4cb2 package/sg3_utils: bump to version 1.48
- Drop patches (already in version) and so drop autoreconf
- Update hash of BSD_LICENSE (update in year:
  551657bfbf)

https://github.com/hreinecke/sg3_utils/blob/v1.48/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:11:04 +02:00
Fabrice Fontaine
6ce55ab0ed package/memcached: bump to version 1.6.21
- Send first patch upstream
- Drop second and third patches (already in version) and so drop
  autoreconf

https://github.com/memcached/memcached/wiki/ReleaseNotes1618
https://github.com/memcached/memcached/wiki/ReleaseNotes1619
https://github.com/memcached/memcached/wiki/ReleaseNotes1620
https://github.com/memcached/memcached/wiki/ReleaseNotes1621

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:04:40 +02:00
Fabrice Fontaine
56c7da8e08 package/xxhash: bump to version 0.8.2
- Drop all patches (already in version)
- Update hash of LICENSE file (year updated with
  f035303b8a)

https://github.com/Cyan4973/xxHash/releases/tag/v0.8.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:04:14 +02:00
Fabrice Fontaine
c76f5f24c7 package/libdnet: bump to version 1.16.4
Drop second patch (already in version)

https://github.com/ofalk/libdnet/releases/tag/libdnet-1.16.2
https://github.com/ofalk/libdnet/releases/tag/libdnet-1.16.3
https://github.com/ofalk/libdnet/releases/tag/libdnet-1.16.4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 19:46:09 +02:00
Fabrice Fontaine
2314928cf8 package/open-iscsi: bump to version 2.1.9
- Drop patch (already in version)
- Drop license comment and add REAMDE and libopeniscsiusr/COPYING as
  license files due to
  10d50ed4bc

https://github.com/open-iscsi/open-iscsi/blob/2.1.9/Changelog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-24 12:25:19 +02:00
Peter Korsgaard
7447700f05 package/libpjsip: security bump to version 2.13.1
Fixes the following security vulnerability:

- CVE-2023-27585: Heap buffer overflow when parsing DNS packet
  https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr

Drop now upstreamed security fixes for CVE-2022-23537 and CVE-2022-23547.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-24 11:01:06 +02:00
Julien Olivain
ec8a9cc518 package/tcl: fix package patch
The commit 4e365d1768 "package/tcl: bump to version 8.6.13" did NOT
refreshed the package patch, because the patch was still applying
correctly and the package was working as expected.

It was refreshed in the previous bump, in commit 9cf314745a
"package/tcl: bump to version 8.6.12". This was part of 2022.02.

Looking closer at the patch content, the -/+ lines are exactly the
same. So this patch does not change anything. Since the file was kept
and the commit log mention a patch refresh, the intent was more
likely to carry over the old patch (which was declaring all libc
functions as "unbroken".

This commit actually refreshes this patch. It was regenerated with
git format-patch. Since the patch is renamed due to git format-patch,
the .checkpackageignore is updated accordingly.

Note:
This ancient patch will be removed soon, as an upstream commit [1],
not yet in a release, cleaned up and removed those old parts.

[1] 04d66a2571

Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:49:26 +02:00
Fabrice Fontaine
d170cde027 package/netatalk: security bump to version 3.1.17
- Drop patches (already in version) and so autoreconf
- Update COPYING hash (gpl mailing address updated with
  9bd45cc06e
  6a5997fbd6)
- Fix CVE-2022-43634: This vulnerability allows remote attackers to
  execute arbitrary code on affected installations of Netatalk.
  Authentication is not required to exploit this vulnerability. The
  specific flaw exists within the dsi_writeinit function. The issue
  results from the lack of proper validation of the length of
  user-supplied data prior to copying it to a fixed-length heap-based
  buffer. An attacker can leverage this vulnerability to execute code in
  the context of root. Was ZDI-CAN-17646.
- Fix CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl
  heap-based buffer overflow resulting in code execution via a crafted
  .appl file. This provides remote root access on some platforms such as
  FreeBSD (used for TrueNAS).
- Fix CVE-2023-42464: Validate data type in dalloc_value_for_key()

https://github.com/Netatalk/netatalk/blob/netatalk-3-1-17/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:42:01 +02:00
Fabrice Fontaine
4ccfb2561f package/freerdp: security bump to version 2.11.0
- Fix CVE-2023-39350 to CVE-2023-39354, CVE-2023-39356, CVE-2023-40181,
  CVE-2023-40186, CVE-2023-40188, CVE-2023-40567, CVE-2023-40569 and
  CVE-2023-40589
- Drop fourth patch (already in version)

https://github.com/FreeRDP/FreeRDP/releases/tag/2.11.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxp4-rx7x-h2g8
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2w9f-8wg4-8jfp
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hm8c-rcjg-c8qp
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-16 00:19:58 +02:00
Fabrice Fontaine
c89d7a2daf package/libqb: security bump to version 2.0.8
- Fix CVE-2023-39976: log_blackbox.c in libqb before 2.0.8 allows a
  buffer overflow via long log messages because the header size is not
  considered.
- Drop patch (already in version) and so autoreconf

https://github.com/ClusterLabs/libqb/compare/v2.0.6...v2.0.8
https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7
https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-15 23:38:08 +02:00
Joachim Wiberg
046872a1f8 package/libteam: bump to v1.32
- Drop backported patches
 - Add necessary runner to kernel

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
[yann.morin.1998@free.fr: update .checkpackageignore]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-15 23:33:17 +02:00
Yann E. MORIN
bcee3ca6d6 support/download/git: fix shellcheck errors
The quoting around the expansion of ${relative_dir} was indeed incorrect
since it was introduced back in 8fe9894f65 (suport/download: fix git
wrapper with submodules on older git versions): it is in fact already
quoted as part of the whole sed expression.

${GIT} can contain more than one item, but we don't care about splitting
on spaces when we just print it for debug, so we can just quote it
rather than add an exception.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-14 23:02:20 +02:00
Niklas Cassel
443f7feeb6 package/elf2flt: update to version 2023.09
Several of our patches have been accepted upstream and are included in
elf2flt version 2023.09.

Patch 0001-elf2flt-handle-binutils-2.34.patch is upstream as of commit
c70b9f208979 ("elf2flt: handle binutils >= 2.34").

Patch 0002-elf2flt.ld-reinstate-32-byte-alignment-for-.data-sec.patch is
upstream as of commit 679c94adf27c ("elf2flt.ld: reinstate 32 byte
alignment for .data section").

Patch 0003-elf2flt-add-riscv-64-bits-support.patch is upstream as of
commit c5c8043c4d79 ("elf2flt: add riscv 64-bits support").

Patch 0008-riscv64-add-more-relocations-required-to-be-handled.patch was
squashed into upstream commit c5c8043c4d79 ("elf2flt: add riscv 64-bits
support") during upstreaming.

Patch 0006-xtensa-fix-text-relocations.patch is upstream as of commit
26dfb54a59c8 ("elf2flt: xtensa: fix text relocations").

Patch 0007-elf2flt-remove-use-of-BFD_VMA_FMT.patch is upstream as of
commit a36df7407d9e ("elf2flt: remove use of BFD_VMA_FMT").

Patch 0004-elf2flt-create-a-common-helper-function.patch simply added
a helper function to make the changes in the follow-up patch
0005-elf2flt-fix-fatal-error-regression-on-m68k-xtensa-ri.patch
less intrusive.

Patch 0005-elf2flt-fix-fatal-error-regression-on-m68k-xtensa-ri.patch
is no longer needed as upstream has reverted the commit that necessitated
this patch, see upstream commit 35c692ca4546 ("Revert "elf2flt: fix for
segfault on some ARM ELFs""). The problem that the reverted upstream patch
solved is now instead solved by the combination of upstream commits
7a59b265c2dc ("Revert "elf2flt: fix relocations for read-only data"") and
a934fb42cf59 ("elf2flt: force ARM.exidx section into text").

Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-14 22:32:49 +02:00
Peter Seiderer
dc4436245c package/speechd: bump version to 0.11.5
- remove 0001-add-disable-doc.patch (upstream applied, see [1])

For details see [2].

[1] 1dbc42684d
[2] https://github.com/brailcom/speechd/releases/tag/0.11.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-11 21:51:46 +02:00
Julien Olivain
01a5adfc15 package/libgpgme: bump to version 1.21.0
For change log, see [1] and [2].

This commit also drops the package patch, as an alternate upstream
commit is included in release, see [3]. Consequently, AUTORECONF = YES
is dropped as we're no longer patching the configure.ac script.

The option "--disable-cpp-test" is removed from _CONF_OPTS since it no
longer needed.

The file .checkpackageignore is also updated to reflect the patch
removal.

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=log;h=gpgme-1.21.0
[2] https://dev.gnupg.org/T6585
[3] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commitdiff;h=e2103be390764f62b21a4e5d4fa90a7b78326787

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-10 21:05:59 +02:00
Adam Duskett
c69f12d1c1 package/php-gnupg: bump version to 1.5.1
Drop upstream patch

Signed-off-by: Adam Duskett <aduskett@gmail.comm>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-08 21:47:06 +02:00
Adam Duskett
1c0ec66203 package/php-amqp: bump version to 2.0.0
Drop upstream patches

Signed-off-by: Adam Duskett <aduskett@gmail.comm>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-08 21:46:49 +02:00
Peter Korsgaard
600e36f8f2 Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-07 16:50:14 +02:00
Thomas Devoogdt
de9187eca2 package/libsrtp: bump to version 2.5.0
https://github.com/cisco/libsrtp/releases/tag/v2.5.0

See detailed change log:
https://github.com/cisco/libsrtp/blob/v2.5.0/CHANGES#L3-L43

Dropped patch wich was already upstream.

Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-02 09:44:42 +02:00
Arnout Vandecappelle
6bee7c3eb2 .checkpackageignore: correct renamed path of openjdk 17.0.8+7 patch
Commit c1038fe47c renamed the patch, but didn't update
.checkpackageignore, leading to two failures:

.checkpackageignore:1055: ignored file package/openjdk/17.0.7+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch is missing
package/openjdk/17.0.8+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

Rename the file in .checkpackageignore as well.

Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:57:01 +02:00
Thomas Petazzoni
65c99394ff boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).

So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.

It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.

This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.

All Grub test cases are working fine:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:54:23 +02:00
Bernd Kuhls
cb83990af5 package/tor: bump version to 0.4.8.4
Release notes:
https://forum.torproject.org/t/stable-release-0-4-8-4/8884

Removed all patches due to upstream commit adding compatibility with
LibreSSL 3.5:
f3dabd705f

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-25 19:11:25 +02:00
Bernd Kuhls
0a0786bc78 package/ytree: bump version to 2.05
Release notes: https://www.han.de/~werner/ytree.html

Removed patch which was applied upstream in a slightly changed way.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-25 19:08:56 +02:00
Julien Olivain
96a54b0907 package/screen: security bump to version 4.9.1
See release announce:
https://lists.gnu.org/archive/html/screen-users/2023-08/msg00000.html

Fixes:
CVE-2023-24626: https://www.cve.org/CVERecord?id=CVE-2023-24626

Note: Buildroot installs screen as setuid, so the described scenario
in CVE applies.

This commit also rebases all patches on this release. Patch were
regenerated with 'git format-patch -N', so patch file name changed in
this process. The file .checkpackageignore is also updated accordingly.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 22:34:41 +02:00
Paul Cercueil
290f3985dd package/libiio: bump to version v0.25
The changelog is available here:
https://github.com/analogdevicesinc/libiio/releases/tag/v0.25

Remove the 0001 patch as it is included in the v0.25 version.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 21:22:45 +02:00
Zoltan Gyarmati
8ed8f00319 package/libusb-compat: bump to 0.1.8
Removing upstreamed patch and force autoreconf

Signed-off-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 20:29:27 +02:00
Yann E. MORIN
2423d9f16b Release 2023.08-rc2
-----BEGIN PGP SIGNATURE-----
 
 iG8EABECADAWIQSrB9gG0s50H7iG7lCwJbqLWcNjGQUCZOKHvRIcamFjbWV0QHVj
 bGliYy5vcmcACgkQsCW6i1nDYxn1/QCg2un/vUk0HEIbpn4d1fMRZFBDSlwAmKRp
 iO+4qkBgt1h+2LxZSJmNbPY=
 =nvGJ
 -----END PGP SIGNATURE-----

Merge tag '2023.08-rc2' into next

Conflicts:
  - .checkpackageignore
  - Makefile
  - board/versal/post-image.sh
  - package/sentry-cli/0001-Disable-SSL-support-for-the-curl-module.patch
      => keep version in next

  - Config.in.legacy
      => merge, introduce legacy comment for 2023.11

  - toolchain/toolchain-external/toolchain-external-bootlin/Config.in.options
      => regenerate, drop dependency on inexistant BR2_ARCH_NEEDS_GCC_AT_LEAST_14

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-08-21 21:36:17 +02:00
Waldemar Brodkorb
2298de6853 package/file: bump version to 5.45
Patch is included upstream.
See here for Changes in 5.45:
https://mailman.astron.com/pipermail/file/2023-July/001205.html
See here for Changes in 5.44:
https://mailman.astron.com/pipermail/file/2022-December/001042.html

The hash of src/vasprintf.c, which is used as one of the license
files, has been updated due to source code changes that do not affect
the licensing terms.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 13:16:24 +02:00
Clement Ramirez
d5162e790d package/connman: security bump version to 1.42
The 1.42 version of connman comes with the following CVEs fixes :
 - CVE-2022-32292
 - CVE-2022-32293
 - CVE-2023-28488

The first two CVEs have been fixed wuth upstream patches [0] which we
carry since 2f2b4c80f4 (package/connman: fix CVE-2022-3229{2,3}), now
included in this version bump; the third CVE [2] is also fixed by this
version bump [3].

[0] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd
    https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c
    https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a

[1] 2f2b4c80f4 package/connman: fix CVE-2022-3229{2,3}

[2] https://nvd.nist.gov/vuln/detail/CVE-2023-28488

[3] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138

Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
[yann.morin.1998@free.fr:
  - squash CVE-2023-28488 backport with version bump
  - reword commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-08-20 11:05:36 +02:00
Bernd Kuhls
f6a6e3a836 package/gettext-gnu: bump to version 0.22
Release notes:
https://lists.gnu.org/archive/html/info-gnu/2020-07/msg00009.html
https://lists.gnu.org/archive/html/info-gnu/2023-06/msg00003.html

Removed patch 0001, the patched file is not present in this release.
Removed patch 0002 which was applied upstream.

Added comment to gettext-tiny.mk about version bumps.

Since upstream commit
785a89e5df
gettext-runtime is a build-dependency for gettext-tools so we are
building the complete package for the host from now on.

Doing so we can drop the _POST_INSTALL_HOOK, and we can rely of the
in-tree libtextstyle.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-08-19 20:36:02 +02:00
Waldemar Brodkorb
af48ddb139 package/xfsprogs: bump version to 6.4.0
Patch 0003-libxfs-stop-overriding-MAP_SYNC-in-publicly-exported.patch is upstreamed.

See here for changes to the previous version:
https://fossies.org/linux/xfsprogs/doc/CHANGES

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-12 21:40:39 +02:00