Various security, performance, accuracy, and stability issues have been
fixed.
https://forum.suricata.io/t/suricata-6-0-6-and-5-0-10-released
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2092909249)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixes a WebKitWebProcess leak, MPRIS/MediaSession
support, adds a missing ATSPI a11y interface, and security patches
for CVE-2022-22677 and CVE-2022-26710.
Release notes:
https://webkitgtk.org/2022/07/05/webkitgtk2.36.4-released.html
Accompanying security advisory:
https://webkitgtk.org/security/WSA-2022-0006.html
One patch is now included in the packaged release, and another with a
build fix imported, which is actually a revert of a patch that made it
into the release but can cause linking issues when using LTO.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 008ab9474e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixes a WPEWebProcess leak, MPRIS/MediaSession support,
adds a missing ATSPI a11y interface, and security patches for
CVE-2022-22677 and CVE-2022-26710.
Release notes:
https://wpewebkit.org/release/wpewebkit-2.36.4.html
Accompanying security advisory:
https://wpewebkit.org/security/WSA-2022-0006.html
One patch is not included in the packaged release, and another with a
build fix imported, which is actually a revert of a patch that made it
into the release but can cause linking issues when using LTO.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8cd727c3af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an
attacker possesses any secret-key information from a victim's keyring
and other constraints (e.g., use of GPGME) are met, allows signature
forgery via injection into the status line.
https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5a0a9227ba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5645990b88)
[Peter: drop 5.17.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bug-fix release, fixing a variety of small issues.
https://gitlab.com/muttmua/mutt/-/blob/mutt-2-2-6-rel/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14da23e861)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous location 'Libraries / Graphics' does not fit the purpose
of this package, we display it next to Pulseaudio instead.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c38ea2e43a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
AES OCB fails to encrypt some bytes (CVE-2022-2097)
===================================================
Severity: MODERATE
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9cf73b3fe1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Move kconfig comment below the "if BR2_PACKAGE_BIND...endif" block so
that the two sub-options are presented in menuconfig as subordinate to
"bind" package selection rather than equal to it as if they were
unrelated.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0d566b8cc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The help section of "BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_REDUNDANT"
refers to U-Boot configuration option "CONFIG_ENV_SIZE_REDUND" which is
removed since U-Boot v2020.01, so remove this reference.
We may replace this with a reference to "CONFIG_ENV_OFFSET_REDUND" as
another indicator that a redundant environment image should be created.
This also fixes a minor typo in the same file.
Signed-off-by: Dominik Michael Rauh <dmrauh@posteo.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c3ebeca440)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libsndfile is only used for examples and tests so disable it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eb8bef884b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5b679d7806 forgot to set
--{dis,en}able-alsa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5ef445e84f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Open-Source IPA shlibs need to be signed in order to be runnable within
the same process, otherwise they are deemed Closed-Source and run in
another process and communicate over IPC.
The shlib installed on the target should be the same as the one signed
by libcamera during package creation otherwise the signature won't match
the shlib.
Buildroot sanitizes RPATH in a post build process. meson gets rid of
rpath while installing so we don't need to do it manually.
Buildroot may strip symbols, so we need to do the same before signing.
Signing the IPA shlibs is done by the meson install target, so we need
to strip the IPA shlibs, so after the build but before the install,
which a post-build hooks fits the best.
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
[yann.morin.1998@free.fr: slight rewording of commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bba4dad9aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release addresses several security problems including CVE-2022-30595.
https://github.com/python-pillow/Pillow/releases/tag/9.1.1
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 83548c33fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The c_rehash script allows command injection (CVE-2022-2068)
============================================================
Severity: Moderate
In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were
found by code review.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the
shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
https://www.openssl.org/news/secadv/20220621.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 026f35d9e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gaël Portay is apparently no longer at Collabora:
<gael.portay@collabora.com>: host mail.collabora.co.uk[46.235.227.172] said:
550 5.1.1 <gael.portay@collabora.com>: Recipient address rejected: User
unknown in local recipient table (in reply to RCPT TO command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 91562c9045)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=14881
The package provides a library and a .pc file, so install it into staging as
well.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit faeebe0858)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-2085: A NULL pointer dereference vulnerability was found in
Ghostscript, which occurs when it tries to render a large number of bits
in memory. When allocating a buffer device, it relies on an
init_device_procs defined for the device that uses it as a prototype
that depends upon the number of bits per pixel. For bpp > 64,
mem_x_device is used and does not have an init_device_procs defined.
This flaw allows an attacker to parse a large number of bits (more than
64 bits per pixel), which triggers a NULL pointer dereference flaw,
causing an application to crash.
Drop patch (already in version)
https://www.ghostscript.com/doc/9.56.0/News.htmhttps://www.ghostscript.com/doc/9.56.1/News.htm
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit df91a970b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf46a455bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog: https://github.com/jedisct1/pure-ftpd/blob/master/ChangeLog
Updated copyright hash due to copyright year bump:
cf1a9705c6
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ad54a80465)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure without sched_yield raised since bump to
version 7.84.0 in commit b034109dd6:
In file included from easy.c:89:
easy_lock.h: In function 'curl_simple_lock_lock':
easy_lock.h:56:7: error: implicit declaration of function 'sched_yield' [-Werror=implicit-function-declaration]
56 | sched_yield();
| ^~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/fbc80a0002d640210c81a4c518856c02669059b7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a5adc9b658)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nginx has been replaced by f5 since February 2022:
<cpe-item name="cpe:/a:nginx:nginx:1.18.0" deprecated="true" deprecation_date="2022-02-22T19:26:32.967Z">
<reference href="https://nginx.org/en/CHANGES-1.18">Change Log</reference>
<cpe-23:cpe23-item name="cpe:2.3🅰️nginx:nginx:1.18.0:*:*:*:*:*:*:*">
<cpe-23:deprecated-by name="cpe:2.3🅰️f5:nginx:1.18.0:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Af5%3Anginx
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3bd30f4a13)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with musl-fts raised since bump to
version 4.4.1 in commit cc66cf922b and
e1f4c2ac91:
/home/giuliobenetti/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/powerpc-buildroot-linux-uclibc/10.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: tcpreplay-tcpreplay.o: in function `main':
tcpreplay.c:(.text.startup+0x21c): undefined reference to `fts_open'
Fixes:
- http://autobuild.buildroot.org/results/e47940b5b158395329c0132bb1bbea429c4dc249
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4138151e44)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-45386: tcpreplay 4.3.4 has a Reachable Assertion in
add_tree_ipv6() at tree.c
- Fix CVE-2021-45387: tcpreplay 4.3.4 has a Reachable Assertion in
add_tree_ipv4() at tree.c.
https://github.com/appneta/tcpreplay/blob/v4.4.1/docs/CHANGELOG
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc66cf922b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PJSIP is a free and open source multimedia communication library written
in C language implementing standard based protocols such as SIP, SDP,
RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a
stack buffer overflow vulnerability affects PJSIP users that use STUN in
their applications, either by: setting a STUN server in their
account/media config in PJSUA/PJSUA2 level, or directly using
`pjlib-util/stun_simple` API.
https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ea3831685)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following guile build failure without NPTL raised since the
addition of bdwgc in commit b0476427f6 and
7896408d41:
configure:60776: checking for GC_is_heap_ptr
configure:60776: /home/buildroot/autobuild/instance-2/output-1/host/bin/arm-buildroot-linux-uclibcgnueabi-gcc -std=gnu11 -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -g0 -DHAVE_GC_SET_FINALIZER_NOTIFIER -DHAVE_GC_GET_HEAP_USAGE_SAFE -DHAVE_GC_GET_FREE_SPACE_DIVISOR -DHAVE_GC_SET_FINALIZE_ON_DEMAND -flto -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c -L/home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -latomic_ops -lgc -lpthread -ldl -latomic -lm >&5
/home/buildroot/autobuild/instance-2/output-1/host/lib/gcc/arm-buildroot-linux-uclibcgnueabi/10.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libgc.so: undefined reference to `pthread_getattr_np'
[...]
In file included from ../libguile/alist.h:26,
from ../libguile.h:31,
from guile.c:38:
../libguile/pairs.h:205:1: error: conflicting types for 'GC_is_heap_ptr'
205 | GC_is_heap_ptr (void *ptr)
| ^~~~~~~~~~~~~~
In file included from ../libguile/bdw-gc.h:48,
from ../libguile/gc.h:142,
from ../libguile/pairs.h:26,
from ../libguile/alist.h:26,
from ../libguile.h:31,
from guile.c:38:
/home/buildroot/autobuild/instance-2/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include/gc/gc.h:551:20: note: previous declaration of 'GC_is_heap_ptr' was here
551 | GC_API int GC_CALL GC_is_heap_ptr(const void *);
| ^~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/819f231a60fc81f9a8dd07bf5411aa9d8f78c3bb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 41d60d0164)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patch which is now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 613a3ac3d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a9281777a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ceabd4846)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5b073d8bbc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 347af9f125)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patch which is now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88d70d2c2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
