gcc-8.1 for xtensa miscompiles uClibc dynamic linker due to gcc PR
target/65416. The build completes successfully, but the binary is
non-functional because the following fragment in the _dl_get_ready_to_run
in ld-uClibc.so overwrites register spill area on stack causing register
corruption in the previous call frame and a subsequent crash:
419f: f0c1b2 addi a11, a1, -16
41a2: 1ba9 s32i.n a10, a11, 4
41a4: 0bc9 s32i.n a12, a11, 0
41a6: 5127f2 l32i a15, a7, 0x144
41a9: 1765b2 s32i a11, a5, 92
41ac: 4e2782 l32i a8, a7, 0x138
41af: 146af2 s32i a15, a10, 80
41b2: 001b10 movsp a1, a11
The crash terminates the init process and causes kernel panic.
The fix prevents reordering of movsp opcode and any access to the stack
frame memory and is applicable to all existing gcc versions.
[Peter: drop gcc-8.x patch]
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 91e0fc0bf4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:
sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line
This is often for example the case on sparcv8 32 bit.
Fixes:
http://autobuild.buildroot.net/results/fd6bee70ff20bee9607a9f6f557a3a793d00cd9f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: use LIBS instead of LDFLAGS.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 265e25834f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Both plugins `geometryloaders' and `renderplugins' are available since
Qt 5.9.
Fixes:
>>> qt53d 5.6.3 Installing to target
cp -dpf /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt53D*.so.*
/home/gportay/src/buildroot/output/target/usr/lib
cp -dpfr /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/qt/plugins/geometryloaders
/home/gportay/src/buildroot/output/target/usr/lib/qt/plugins
cp: cannot stat '/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/qt/plugins/geometryloaders': No such file or directory
package/pkg-generic.mk:310: recipe for target '/home/gportay/src/buildroot/output/build/qt53d-5.6.3/.stamp_target_installed' failed
make[2]: *** [/home/gportay/src/buildroot/output/build/qt53d-5.6.3/.stamp_target_installed] Error 1
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Gaël PORTAY <<a href="mailto:gael.portay@savoirfairelinux.com" target="_blank" rel="noreferrer">gael.portay@savoirfairelinux.com</a>><br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e922bbc7ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adds WTF platform support for the 32-bits armv8-a architectures.
Fixes:
In file included from ../3rdparty/javascriptcore/JavaScriptCore/config.h:26,
from ../3rdparty/javascriptcore/JavaScriptCore/pcre/pcre_compile.cpp:44:
../3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h:370:6: error: #error "Not supported ARM architecture"
# error "Not supported ARM architecture"
^~~~~
The patch is based on two upstream fixes in WebKit[1][2].
See also commit cea7aa873a.
[1]: 313d9fc4bd
[2]: 98f0de0709
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 15706f86ba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The recent procps-ng security bump in commit 88ec06ad48 (procps-ng:
security bump to version 3.3.15) of the 2018.02.x branch, introduced use
of fopencookie() which is a GNU extension that musl version 1.1.8 does
not implement. Backporting the security fixes alone is not feasible.
Disable procps-ng for musl libc toolchains.
Propagate this dependency to procps-ng reverse dependencies that used to
allow build with musl, openvmtools and tovid.
Fixes:
http://autobuild.buildroot.net/results/eac/eac700c61e277689b46fd617b6ddcbf94b5271e5/http://autobuild.buildroot.net/results/baa/baac54b934d5ac07d3604ae3c6016595e4d7014a/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Do for elf2flt what we did for binutils: replace the hardlinks (which
break rpath handling) with copies of the individaul tools.
See previous commit (package/binutils: switch from symlinks to copies
and commit f9cffb6af4 (binutils: replace hard-links with soft-links to
fix rpath) for the complete story.
Fixes: #11031.
Reported-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Christophe Priouzeau <christophe.priouzeau@st.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b370693400)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f9cffb6af4 (binutils: replace hard-links with soft-links to fix
rpath) has a side effect that when we build for a noMMU target, elf2flt
will in turn replace some of the programs installed by binutils, with
its own wrappers.
For example, it will rename host/TUPLE/bin/ld to ld.real, and add its
own wrapper in place of the original. It does the same for
host/bin/TUPLE-ld and host/bin/TUPLE-ld.real.
However, we had already made ld a symlink to ../../bin/TUPLE-ld, so
host/TUPLE/bin/ld.real will still point to host/bin/TUPLE-ld when we
want it to point to ld.real instead...
This ultimately confuses gcc later on.
Of course, the culprit is also elf2flt, which also installs similar
hardlinks that would ultimately exhibit the same rpath issue as the
one fixed by f9cffb6af4. Note: we haven't had an issue so far with
that, because those tools installed by elf2flt only link with libz,
which is most often present on the host system. So, all seem well,
but is nonetheless broken; this will be fixed in a subsequent commit.
But back on topic. If we were to fix elf2flt with similar symlinks,
gcc still gets confused. The underlying reason for this confusion is
not entirely clear, though... It looks like something is trying to
dereference symlinks and gets confused by the result somehow...
So, in an attempt to restore some sanity in all this mess, we try to
restore the previous behaviour, we no longer use symlinks but just copy
the individual tools.
Fixes: #11031.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Christophe Priouzeau <christophe.priouzeau@st.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bb0164a8b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On older build systems with old coreutils, using relative symbolic link
(ln -r) does not work, and causes failed builds. Workaround is to use
normal symbolic link with a relative path. e.g. ../../$(BINDIR)
This fix is dependent on bumping cups-filters version to 1.20.1 because
of autotools issue with Makefile.am changes.
Fixes:
http://autobuild.buildroot.net/results/77a6369f3530a2a6a055f7fd664f1ad424274d77
Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ef60ef83c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Rename the prompt string for consistency with the package directory
name.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5da9637ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 64baf3def7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes:
================================================================================
Redis 3.2.12 Released Wed Jun 13 12:43:01 CEST 2018
================================================================================
Upgrade urgency CRITICAL:
* Multilple security issues fixed.
* Backport of an older AOF fsync=always fix. Check 4.x release notes.
* Backport of a *SCAN bug. Sometimes elements could be missing from the scan.
* Other minor things.
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
For more details about the lua related security issues, see the blog:
http://antirez.com/news/119
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3bf2745a0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
scancpan is now in utils not in supports/scripts
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4b4f77e84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10360: The do_core_note function in readelf.c in
libmagic.a in file 5.33 allows remote attackers to cause a denial of
service (out-of-bounds read and application crash) via a crafted ELF
file.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89be4c7b0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added license hashes, added optional dependency to libseccomp provided
by upstream in this version bump.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eacca09a8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12015 - In Perl through 5.26.2, the Archive::Tar module
allows remote attackers to bypass a directory-traversal protection
mechanism, and overwrite arbitrary files, via an archive file containing a
symlink and a regular file with the same name.
Patch from
ae65651eab
with path rewritten to match perl tarball.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 66760f2734)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As noted in the sourceforge page, the project is not using sourceforge
anymore. Use the gitweb summary page instead.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a74a41d834)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Apply modifications made in recent commits:
- 456ea9871e busybox: add /dev/std{in, out, err} symlinks to inittab
- 13dbe73782 busybox: reduce number of mkdir calls in inittab
- 8a89d290d4 busybox: add an inittab entry to activate swap
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a3df894e83)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is a call to swapoff in the shutdown sequence, so call "swapon -a"
on startup. As stated in the swapon man page,
All devices marked as "swap" in /etc/fstab are made available, except
for those with the "noauto" option. Devices that are already being
used as swap are silently skipped.
So even if the system has some init script to start/stop swap (e.g. from
a rootfs ovelay) calling swapon/swapoff would be harmless.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d524cc7d9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is a call to swapoff in the shutdown sequence, so call "swapon -a"
on startup. As stated in the swapon man page,
All devices marked as "swap" in /etc/fstab are made available, except
for those with the "noauto" option. Devices that are already being
used as swap are silently skipped.
So even if the system has some init script to start/stop swap (e.g. from
a rootfs ovelay) calling swapon/swapoff would be harmless.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d2a091c96b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some applications, e.g. bashs process subsitution feature, rely on the
convention of `/dev/fd` being a symbolic link to `/proc/self/fd`.
This symbolic link and his companions `/dev/std*` are created by (e)udev [1],
but not by mdev, resulting in the following error when using the following
expression:
```
bash: /dev/fd/62: No such file or directory
```
For the sake of simplicity, lets fix this by creating the symlinks in inittab.
It is only really needed if eudev isn't used, but it doesn't really hurt to
create them even if eudev will recreate them afterwards.
Note, that we do not create the symlink `/dev/core` as `/proc/kcore` is
not available on all platforms, e.g. ARM, and the feature is not much
appreciated [2].
[1] 8943501993/src/shared/dev-setup.c (L35-L40)
[2] https://lwn.net/Articles/45315/
[Peter: redirect errors to /dev/null for ro rootfs]
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6919fc5566)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some applications, e.g. bashs process subsitution feature, rely on the
convention of `/dev/fd` being a symbolic link to `/proc/self/fd`.
This symbolic link and his companions `/dev/std*` are created by (e)udev [1],
but not by mdev, resulting in the following error when using the following
expression:
```
bash: /dev/fd/62: No such file or directory
```
For the sake of simplicity, lets fix this by creating the symlinks in inittab.
It is only really needed if eudev isn't used, but it doesn't really hurt to
create them even if eudev will recreate them afterwards.
Note, that we do not create the symlink `/dev/core` as `/proc/kcore` is
not available on all platforms, e.g. ARM, and the feature is not much
appreciated [2].
[1] 8943501993/src/shared/dev-setup.c (L35-L40)
[2] https://lwn.net/Articles/45315/
[Peter: redirect output (errors) to /dev/null for ro rootfs]
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 456ea9871e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default sysvinit inittab does two separate mkdir calls to create
/dev/pts and /dev/shm. Reduce this to call mkdir only once for both
directories.
This removes id "si3" but keeps ids "si4".."si9" intact rather than
renumbering them. This would just increase the turmoil without any
practical effect.
Based on commit e9db8122fb, by Florian La Roche <F.LaRoche@pilz.de>.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dc267db6ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
triggerhappy uses pkg-config to detect the systemd library. Make sure it
uses the target pkg-config, not the host one.
Fixes build failure when the host has systemd pkg-config files:
.../host/bin/arm-linux-gcc -static th-cmd.o cmdsocket.o -lsystemd -o th-cmd
.../host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/6.4.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lsystemd
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b4a7145b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0647268416)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b78a365b56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The manual is GPL-2, and points to the COPYING file in the repository.
When we do a rendering of the manual for a specific version, that URL
is currently always poitning to the latest version of the COPYING file.
If we ever have to change the content of that file (e.g. to add a new
exception, more clarifications, a license change, or whatever), then
an old manual would point to that newer version, which would then be
incorrect.
Include the sha1 of the commit in the URL, so that the manual always
point to the tree at the time the manual was rendered, not the time
it is consulted. Contrary to the informative text above, use the full
sha1, not the shortened one.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 529219ba96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-7225 - An issue was discovered in LibVNCServer through
0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
msg.cct.length, leading to access to uninitialized and potentially sensitive
data or possibly unspecified other impact (e.g., an integer overflow) via
specially crafted VNC packets.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a4f7700f0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 1.25.4 fixes CVE-2017-9545, for details see release notes:
http://www.mpg123.org/cgi-bin/news.cgi
Added upstream hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb67c1d55b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://mariadb.com/kb/en/mariadb-10133-release-notes/
Changelog: https://mariadb.com/kb/en/mariadb-10133-changelog/
Fixes the following security vulnerabilities:
CVE-2018-2782 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2784 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2787 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server as well as unauthorized update, insert or
delete access to some of MySQL Server accessible data.
CVE-2018-2766 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2755 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Replication). Supported versions that are affected
are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks require human interaction from a person other than the
attacker and while the vulnerability is in MySQL Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of MySQL Server.
CVE-2018-2819 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and
prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2817 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2761 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Client programs). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2781 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2771 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Locking). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows high privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2813 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized read access to a subset of MySQL
Server accessible data.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5fbacdd59f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2017-5029
- Remove first patch (already in version)
- Add a dependency to host-pkgconf and remove libxml2 options: see
abf537ebb2
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eca8704dcf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Executing "/etc/init.d/S29netplug start" multiple times resulted in
multiple instances of netplugd.
Pass "-p /var/run/netplug.pid" to netplugd, so it creates the PID file
that start-stop-daemon needs to know that netplugd is already running.
Also use the pid file to stop netplugd, instead of the daemon name.
Fixes https://bugs.busybox.net/show_bug.cgi?id=10661
Reported-by: Joachim Krueger <mail2k@web.de>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c6a5bdd3e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We are working to make all sysvinit scripts conformant to a pattern and
/etc/default/ seems to be a good choice, since 34 packages already get
optional configurations from files at that directory.
netplug still installs an init script at /etc/rc.d/init.d/. This will
be fixed in a future patch that will refactor the init scripts.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4adaa581b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b77c9d265e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
