Commit Graph

56982 Commits

Author SHA1 Message Date
Fabrice Fontaine
52ad97d00d package/domoticz: select boost atomic
domoticz does not use Boost::atomic but cmake is so "smart" that it
(wrongly) assumes that Boost::thread depends on Boost:date_time and
Boost::atomic since boost version 1.54:

set(_Boost_THREAD_DEPENDENCIES chrono date_time atomic)

Extracted from:
 - https://gitlab.kitware.com/cmake/cmake/-/blob/master/Modules/FindBoost.cmake#L1113

As we can't patch every cmake on the field, just select boost atomic

It should be noted that build failures are only raised since commit
8a46b41b4a as this commit drop the patch
that was decreasing cmake version but also removing:

target_link_libraries(domoticz Boost::thread Boost::system)

Fixes:
 - http://autobuild.buildroot.org/results/4306c0a725ed9a34bd55550df428866db6e4f052
 - http://autobuild.buildroot.org/results/2478e7a2ec1c63dcc2b36d29a39004468b230211

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-26 21:48:44 +02:00
Fabrice Fontaine
49b6578f88 Revert "package/domoticz: drop boost date-time dependency"
This reverts commit 4b4d98e2c5 as
Boost::date_time is still used by domoticz (in pmain/Scheduler.cpp and
push/BasePush.cpp)

Fixes:
 - http://autobuild.buildroot.org/results/493a2e93fe6121f118293a268f986ee51009b7e8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-26 21:48:43 +02:00
Romain Naour
0dbf78bce1 package/localedef: bump to version 2.32-23
resync the version with glibc package.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-26 21:27:29 +02:00
Michael Walle
4f0ace6d9b configs/kontron_smarc_sal28: use kernel 5.12
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-26 21:23:25 +02:00
Michael Walle
528b310cdb {linux, linux-headers}: add version 5.12
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-26 21:18:43 +02:00
James Hilliard
a6d88d3ba5 package/pipewire: bump to version 0.3.26
Add pipewire optional dependencies/configurations.

This bump will fix a build failure with bluez plugin and gcc 10

Fixes:
 - http://autobuild.buildroot.org/results/ab2edff9ae6b67d17bee2a11098b046ad754eee1

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-26 21:17:41 +02:00
James Hilliard
c73d0e4b57 package/weston: add patch to support pipewire 0.3 API
This is required when building weston against the latest pipewire
release.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-26 21:05:20 +02:00
Bernd Kuhls
90bb7b6765 package/python-dnspython: enable host build
Needed for Samba 4.14.x:
2420b7c6d2 (bc16f0673dfbb473658dfd16961cdbf12f02ea5a_8_15)

Fixes:
http://autobuild.buildroot.net/results/7dc/7dc7e304cb4e9afb157326dd5e4ae38711e91cad/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-26 19:54:11 +02:00
Matt Weber
5793a9e7fd package/libqmi: add _CPE_ID_VENDOR
cpe:2.3🅰️libqmi_project:libqmi:* is a valid CPE identifier for this package:

 https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️libqmi_project:libqmi

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-25 22:34:00 +02:00
Fabrice Fontaine
996942710a package/pipewire: needs headers >= 3.18
v4l2 plugin needs headers >= 3.18 since
4cb90f3b86
(so since its addition to buildroot in commit
75c86f90c7) because of
V4L2_PIX_FMT_ARGB555X which is only available since
fcc0d3db28

v4l2 plugin can't be disabled until
8d71d2dab8

Fixes:
 - http://autobuild.buildroot.org/results/b887b6ccd2c22bb3214c07d1281ad486438fb58e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-25 22:02:41 +02:00
Fabrice Fontaine
b92c7a8527 package/libfreefare: drop threads dependency
This dependency should have dropped by commit
1a49188a69 which removed threads
dependency from libnfc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-25 21:30:11 +02:00
Fabrice Fontaine
75fa35e1ea package/multipath-tools: fix legal-info
Commit 55a7382564 forgot to update hash of
REAMDE.md (changes are not related to license:
021c2df40f
748d445373)

Fixes:
 - http://autobuild.buildroot.org/results/9aa925b1a3fe8f0e38bef742c42304101b89b6b2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-25 10:51:51 +02:00
Fabrice Fontaine
a8eef7d2e6 package/uboot-tools: fix build with FIT
Build with FIT is broken since bump to version 2021.04 in commit
a4c38ae470

Fake a generated/autoconf.h with just the needed stuff as suggested by
Yann E. Morin in
https://patchwork.ozlabs.org/project/buildroot/patch/20210422210559.707845-1-fontaine.fabrice@gmail.com

It seems that an empty file is enough as make options are still
interpreted

As a side-effect, drop third patch

Fixes:
 - http://autobuild.buildroot.org/results/5771a7413c98ec202c9623672787a1eee74da5e0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-25 10:42:07 +02:00
Fabrice Fontaine
3ab8aefa87 support/dependencies: set cmake version min to 3.16
domoticz requires cmake 3.16 since version 2020.2 and
275effddf0

Fixes:
 - http://autobuild.buildroot.org/results/0caec85c70341036a039dbc337ad99196b6005a9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 23:10:17 +02:00
Fabrice Fontaine
2ce62b6423 package/cmake: bump to version 3.16.9
Update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 23:10:17 +02:00
Francois Perrad
864f46ca61 package/perl-role-tiny: bump to version 2.002004
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:53 +02:00
Francois Perrad
4a76be3a1c package/perl-path-tiny: bump to version 0.118
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:51 +02:00
Francois Perrad
cd1d56bcde package/perl-net-ssh2: bump to version 0.72
diff README.pod:
-Copyright (C) 2011 - 2019 by Salvador FandiE<ntilde>o (salva@cpan.org).
+Copyright (C) 2011 - 2020 by Salvador FandiE<ntilde>o (salva@cpan.org).

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:50 +02:00
Francois Perrad
f40bd47602 package/perl-moo: bump to version 2.005004
diff LICENSE:
-This software is Copyright (c) 2020 by mst - Matt S. Trout (cpan:MSTROUT) <mst@shadowcat.co.uk>.
+This software is Copyright (c) 2021 by mst - Matt S. Trout (cpan:MSTROUT) <mst@shadowcat.co.uk>.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:48 +02:00
Francois Perrad
7545da304d package/perl-mojolicious-plugin-authentication: bump to version 1.36
diff LICENSE:
-This software is copyright (c) 2018 by Ben van Staveren.
+This software is copyright (c) 2021 by Ben van Staveren.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:47 +02:00
Francois Perrad
0c2a7ff2a9 package/perl-mojolicious: bump to version 9.17
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:46 +02:00
Francois Perrad
b3dd1034d5 package/perl-libwww-perl: bump to version 6.53
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:44 +02:00
Francois Perrad
9962e3020c package/perl-io-socket-ssl: bump to version 2.070
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:43 +02:00
Francois Perrad
db25a336cc package/perl-date-manip: bump to version 6.85
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 22:46:42 +02:00
Thomas Petazzoni
4ed540ddf5 package/numactl: make available on all architectures
Since its introduction in commit
b05e74ff92 in 2013, numactl has had an
explicit list of architectures that it supports. Interestingly, this
list does not include ARM, and now that rt-tests unconditionally needs
numactl, it meant the rt-tests package was no longer available on ARM.

Further investigation revealed that there is nothing in recent
versions of numactl that appears to be architecture-specific. It does
build with all of Buildroot toolchains currently used in the
autobuilders.

The only necessary changes are:

 * Exclude no-MMU architectures, as madvise() is used in the code
   base, and this is not available on no-MMU architectures.

 * Make sure to use -latomic when needed, as some atomic operations
   are used.

 * Backport a patch that fixes the .symver usage, which only affects
   really old gcc versions: only the old ARM Sourcery toolchain was
   affected by this. Newer gcc versions support the gcc "symver"
   attribute, so that the code that directly emits the assembly
   .symver directive is not invoked.

With these changes, numactl builds successfully on all our supported
toolchains.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 22:07:45 +02:00
Fabrice Fontaine
281b11105a package/libp11: bump to version 0.4.11
Update indentation in hash file (two spaces)

https://github.com/OpenSC/libp11/releases/tag/libp11-0.4.11

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:15:54 +02:00
Fabrice Fontaine
5c81a1a833 package/python-pytrie: bump to version 0.4.0
- python 2 support has been dropped since
  a60a601d85
- Use LICENSE instead of PKG-INFO which is available in the official
  tarball since
  1ba5d547df
- Update indentation in hash file (two spaces)

https://github.com/gsakkis/pytrie/blob/0.4.0/README.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:15:49 +02:00
Fabrice Fontaine
ee87422f97 package/python-sortedcontainers: bump to version 2.3.0
- Update indentation in hash file (two spaces)
- Update hash of LICENSE file (update in year:
  d127cdde5f)

https://github.com/grantjenks/python-sortedcontainers/blob/v2.3.0/HISTORY.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:15:16 +02:00
Fabrice Fontaine
9192f465ea package/usb_modeswitch: bump to version 2.6.1
Update indentation in hash file (two spaces)

https://www.draisberghof.de/usb_modeswitch/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:15:04 +02:00
Adam Duskett
2711944ae0 package/mender-artifact: bump version to 3.5.1
Also update various license hashes

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:14:28 +02:00
Adam Duskett
b32f95290f package/mender: bump version to 2.6.0
Also update the progressbarlicense hash due to a year bump

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:14:10 +02:00
Stephane Viau
46d2cfdf90 configs/freescale_imx8*: bump BSP components to lf-5.10.y-1.0.0
Bump ATF, U-Boot and Linux kernel to the NXP BSP 5.10.y_1.0.0 versions.

Signed-off-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:13:21 +02:00
Stephane Viau
fee1e1b85a configs/freescale_imx8m*: bump BSP components to lf-5.10.y-1.0.0
Bump ATF, U-Boot and Linux kernel to the NXP BSP 5.10.y_1.0.0 versions.

Signed-off-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:13:15 +02:00
Stephane Viau
1bc82677b6 configs/freescale_imx7dsabresd: bump BSP components to lf-5.10.y-1.0.0
Bump ATF, U-Boot and Linux kernel to the NXP BSP 5.10.y-1.0.0 versions.

Signed-off-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:13:12 +02:00
Stephane Viau
9c64575b0f configs/freescale_imx6*: bump BSP components to lf-5.10.y-1.0.0
Bump ATF, U-Boot and Linux kernel to the NXP BSP 5.10.y-1.0.0 versions.

Signed-off-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:13:09 +02:00
Sébastien Szymanski
6bfd10d6f4 package/freescale-imx/imx-sc-firmware: bump to version 1.8.0
- Same version as NXP release 5.10.9_1.0.0
- EULA/COPYING: update to LA_OPT_NXP_Software_License v19

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Tested-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:11:41 +02:00
Sébastien Szymanski
a76cd6496f package/freescale-imx/imx-seco: bump to version 3.7.5
- Same version as NXP release 5.10.9_1.0.0

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Tested-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:11:34 +02:00
Sébastien Szymanski
4bffe42d00 package/freescale-imx/imx-gpu-g2d: bump to version 6.4.3.p1.2
- Same version as NXP release 5.10.9_1.0.0
- EULA/COPYING: update to LA_OPT_NXP_Software_License v19

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:11:25 +02:00
Sébastien Szymanski
8283e838f0 package/freescale-imx/imx-gpu-viv: bump to version 6.4.3.p1.2
- Same version as NXP release 5.10.9_1.0.0
- EULA/COPYING: update to LA_OPT_NXP_Software_License v19

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:11:09 +02:00
Sébastien Szymanski
ef25382932 package/freescale-imx/firmware-imx: bump version to 8.11
- Same version as NXP release 5.10.9_1.0.0
- EULA/COPYING: update to LA_OPT_NXP_Software_License v19

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:11:00 +02:00
Sébastien Szymanski
e8a70dad10 package/freescale-imx/imx-vpu-hantro: bump version to 1.21.0
- Same version as NXP release 5.10.9_1.0.0
- EULA/COPYING: update to LA_OPT_NXP_Software_License v19

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Stephane Viau <stephane.viau@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:10:54 +02:00
Thomas Petazzoni
5e15bebd08 package/uftrace: fix build on i386
The --arch value on i386 must be "i386", and not i486, i586 or i686,
so let's have a special case for BR2_i386, and use $(BR2_ARCH) for the
other supported CPU architectures.

Fixes:

  http://autobuild.buildroot.net/results/01a28789bcec9af66137cbce5a8fda2d606de99f/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-24 18:09:55 +02:00
Sébastien Szymanski
96142a5426 package/freescale-imx/imx-vpu: fix {EULA, COPYING} file hashes
Commit a646cd27b1 (package/freescale-imx/imx-vpu: bump version to
5.4.39.3) somehow messed up when updating the hashes of the licene
files:

    >>> imx-vpu 5.4.39.3 Collecting legal info
    ERROR: EULA has wrong sha256 hash:
    ERROR: expected: a39da2e94bd8b99eaac4325633854620ea3a55145259c3a7748c610a80714cfc
    ERROR: got     : 7ffad92e72e5f6b23027e7cf93a770a4acef00a92dcf79f22701ed401c5478c0
    ERROR: Incomplete download, or man-in-the-middle (MITM) attack

    ERROR: COPYING has wrong sha256 hash:
    ERROR: expected: 69cbb76b3f10ac5a8c36f34df7bbdf50825815560c00a946fff2922365ef01a2
    ERROR: got     : 2ceab29de5ea533b86f570bcc4e9ddbfb5fe85a1da4978a8613ff3fd9bed781d
    ERROR: Incomplete download, or man-in-the-middle (MITM) attack

The most probable cause is some confusion with imx-vpu-hantro, as the
faulty hashes reported above are those found in imx-vpu-hantro.

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[yann.morin.1998@free.fr: rewrite commit log with a probably reason]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 17:59:13 +02:00
Matt Weber
9486774bbf package/tar: ignore CVE-2007-4476
https://security-tracker.debian.org/tracker/CVE-2007-4476

Currently NVD has this incorrectly tagged for all versions.
The bug trackers on different distros show it was generally
fixed in versions >= 1.16 but because the impacted source
code is in the GNU paxutils, it is hard to follow in what
cases tar has been fixed around that 1.16 version.

https://bugs.gentoo.org/196978

https://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/9336/Buffer-overflow-in-the-safer-name-suffix-function-in-GNU-tar.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:28:06 +02:00
Matt Weber
fb4402b516 package/rsyslog: ignore CVE-2015-3243
https://security-tracker.debian.org/tracker/CVE-2015-3243
 "Rsyslog uses weak permissions for generating log files."

Ignoring this CVE for Buildroot as normally there are not local
users and a build could customize the rsyslog.conf to be more
restrictive ($FileCreateMode 0640).

Example fix from Alpino Linux
 3cb5210cda

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:28:05 +02:00
Matt Weber
675769791b package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
Commit 4b21273d71 added upstream (security) patches up to 20200118
and in the commit description it outlines these CVEs were patched.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:28:04 +02:00
Matt Weber
2f6a6b8e50 package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
 "Issue only affects the "internal" TLS implementation
 (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:28:03 +02:00
Matt Weber
3d3348fd03 package/hostapd: ignore CVE-2021-30004 when using openssl
The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
 "Issue only affects the "internal" TLS implementation
 (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:28:02 +02:00
Matt Weber
120d1241d8 package/flex: ignore CVE-2019-6293
https://security-tracker.debian.org/tracker/CVE-2019-6293

https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
 "But this bug does not cause stack overflows in the generated code.
 The function and file referred to in the bug (mark_beginning_as_normal
 in nfa.c) are part of the flex code generator, not part of the
 generated code. If flex crashes before generating any code, that
 can hardly be a vulnerability. If flex does not crash, the generated
 code is fine (or perhaps subject to other unreported bugs, who knows,
 but the NFA has been generated correctly)."

Upstream has chosen to not provide a fix
 https://github.com/westes/flex/issues/414

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: use actual upstream URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:25:33 +02:00
Matt Weber
5ce1e773b9 package/cmake: ignore CVE-2016-10642
This is specific to the npm package that installs cmake, so isn't
relevant to Buildroot.
14241ed09f/meta/recipes-devtools/cmake/cmake.inc

https://nvd.nist.gov/vuln/detail/CVE-2016-10642#vulnCurrentDescriptionTitle
 "cmake installs the cmake x86 linux binaries. cmake downloads
 binary resources over HTTP, which leaves it vulnerable to
 MITM attacks. It may be possible to cause remote code
 execution (RCE) by swapping out the requested binary with
 an attacker controlled binary if the attacker is on the
 network or positioned in between the user and the remote server."

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:25:31 +02:00