https://security-tracker.debian.org/tracker/CVE-2019-6293https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
"But this bug does not cause stack overflows in the generated code.
The function and file referred to in the bug (mark_beginning_as_normal
in nfa.c) are part of the flex code generator, not part of the
generated code. If flex crashes before generating any code, that
can hardly be a vulnerability. If flex does not crash, the generated
code is fine (or perhaps subject to other unreported bugs, who knows,
but the NFA has been generated correctly)."
Upstream has chosen to not provide a fix
https://github.com/westes/flex/issues/414
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: use actual upstream URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 120d1241d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is specific to the npm package that installs cmake, so isn't
relevant to Buildroot.
14241ed09f/meta/recipes-devtools/cmake/cmake.inchttps://nvd.nist.gov/vuln/detail/CVE-2016-10642#vulnCurrentDescriptionTitle
"cmake installs the cmake x86 linux binaries. cmake downloads
binary resources over HTTP, which leaves it vulnerable to
MITM attacks. It may be possible to cause remote code
execution (RCE) by swapping out the requested binary with
an attacker controlled binary if the attacker is on the
network or positioned in between the user and the remote server."
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5ce1e773b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode.
There was also a bug in dhcpd relating to the use of this function
per its documentation, but the bug in the library function
prevented this from causing any harm. All releases of dhcpd from
ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known
to not present issues like this.
Affects: Builds of dhcpd versions prior to version 4.4.1 when
using BIND versions 9.11.2 or later.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 23fb8dd2d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This CVE is only relevant to the configuration of a specific
RHEL release (6.x).
https://bugzilla.redhat.com/show_bug.cgi?id=1447743
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 357dd51bbd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SHOBJ_STATUS=unsupported was added in commit
4a2af11cba to work around a limitation
of the configure script that forgot to set this variable in
static-linking configurations.
It turns out that this issue has been fixed upstream as of bash 5.0:
https://git.savannah.gnu.org/cgit/bash.git/diff/configure.ac?id=d233b485e83c3a784b803fb894280773f16f2deb
(see hunk @@ -1151,6 +1179,9 @@)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 24656c23f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want bash to be installed as /bin/bash. For ages, Buildroot has
been doing this by overriding exec_prefix at install time. First of
all, it would be preferred to do this at configure time. But also,
overriding exec_prefix not only changes where "bash" goes, but also
where the pkgconfig file goes. Due to this, bash.pc goes into
/lib/pkgconfig/, and doesn't get removed by target-finalize.
Since all we want is to have 'bash' as /bin/bash, simply pass
--bindir=/bin at configure time. This allows to use the default target
installation logic for autotools-package. We keep a post-install
target hook to remove /bin/bashbug.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 73aed53c82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The server part of pupnp (libupnp) appears to be vulnerable to DNS-rebinding
attacks because it does not check the value of the `Host` header.
Fixes CVE-2021-29462
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0f23267bc2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix vulnerability to DNS-rebind attacks.
This security fix addresses the same vulnerability isue which was reported
for libupnp (which libnpupnp is derived from) in CVE-2021-29462.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit adea5b316e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From https://www.lesbonscomptes.com/upmpdcli/pages/releases.html:
2021-03-13 libnpupnp 4.1.1
* Fix HEAD requests. Samsung TVs now work with Gerbera + libnpupnp
2021-03-13 libnpupnp 4.1.0
* Send SERVER and USER-AGENT headers in misc places where mandated or useful.
* Add API for the client code to set the user-agent and server string values
* Fix building and running with --disable-ipv6
* Misc portability fixes.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e1fa1334d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix static build with uclibc which is raised since bump to version
2020-12-R3 in commit 14522a8f9d
Fixes:
- http://autobuild.buildroot.org/results/69dcb7ac99e63fca342e4d52d9311d1ee1931911
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 72bb0380da)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since version flup-1.0.3.dev20151210, flup needs Python 3. This was
apparently missed in Buildroot commit
ff0f53c04d, which bumped flup from
1.0.3.dev-20110405 to 1.0.3.dev20161029.
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1d1c092542)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a patch release that fixes some minor bugs, tidies the code for
many compiler warnings, and improves windows compatibility. Upgrading
from v2.3.1 is recommended for most people, and essential for people
using platforms experiencing bugs #214 or #207.
https://github.com/librsync/librsync/releases/tag/v2.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ab117d35a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
chardet is a mandatory runtime dependency since version 0.8.2 and
e9344a0916
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a74eaaaa9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️gnu:libtool:2.4.6:* is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️gnu:libtool
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: drop version from reference URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8c9724026c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️python:setuptools:* is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️python:setuptools
Note: 63332c33aa already added those for the python(2) variant.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
- add reference to 63332c33aa
- move up, right after license
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c819d20834)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️python:decorator:* is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️python:decorator
Note: 4783e5fd8c already added those for the python(2) variant.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
- add reference to 4783e5fd8c
- move up, right after license
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8b154320f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️popt_project:popt:* is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️popt_project:popt
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: move up, right after license]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ba18dc36a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️gnu:make:* is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3🅰️gnu:make
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: move up, right after license]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c15daccf1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release with important bugfixes:
https://github.com/timescale/timescaledb/releases/tag/2.0.2
This maintenance release contains bugfixes since the 2.0.1 release. We
deem it high priority for upgrading.
The bug fixes in this release address issues with joins, the status of
background jobs, and disabling compression. It also includes
enhancements to continuous aggregates, including improved validation
of policies and optimizations for faster refreshes when there are a
lot of invalidations.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old at91bootstrap version (1.x) uses a strange variant of the BSD
license, called "BSD Source Code Attribution" and referenced by SPDX
as BSD-Source-Code.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3887e8c095)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
- fix for memory leak in set of listen-to property
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 99362e8d17)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
where several Nettle signature verification functions (GOST DSA, EDDSA &
ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
function being called with out-of-range scalers, possibly resulting in
incorrect results. This flaw allows an attacker to force an invalid
signature, causing an assertion failure or possible validation. The
highest threat to this vulnerability is to confidentiality, integrity,
as well as system availability.
https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed653df573)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
