The 0.10 line offers minor improvements and bug fixes.
The previous security bump from 0.9.1 to 0.9.2 fixed CVE-2022-46149,
which was also present in 0.10.2, but is fixed within 0.10.3.
Signed-off-by: Joel Carlson <JoelsonCarl@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2022-46149: Cap'n Proto is a data interchange format and remote
procedure call (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1,
0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust
implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to
out-of-bounds read due to logic error handling list-of-list. This issue
may lead someone to remotely segfault a peer by sending it a malicious
message, if the victim performs certain actions on a list-of-pointer
type. Exfiltration of memory is possible if the victim performs
additional certain actions on a list-of-pointer type. To be vulnerable,
an application must perform a specific sequence of actions, described in
the GitHub Security Advisory. The bug is present in inlined code,
therefore the fix will require rebuilding dependent applications. Cap'n
Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and
0.10.3.
https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
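
Added example (not Buildroot or Cap'n Proto code): a per-release-line check for CVE-2022-46149 built from the fixed C++ versions listed above, next to a naive single-threshold check that misses 0.10.2, the case the first commit message describes. Function names are hypothetical, and treating release lines newer than 0.10 as fixed is an assumption drawn from the "prior to ... 0.10.3" wording.

```python
import re

# First fixed C++ patch level per release line, as listed in the CVE text above.
FIXED_PATCH = {(0, 7): 1, (0, 8): 1, (0, 9): 2, (0, 10): 3}


def parse_version(version):
    """Parse 'X.Y' or 'X.Y.Z' (optional leading 'v') into an integer tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """Return True if this C++ capnproto version predates the fix on its line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        # Each maintained line received its own fix release.
        return patch < FIXED_PATCH[line]
    if line < min(FIXED_PATCH):
        # Older than 0.7: "prior to 0.7.1" and no fix release on that line.
        return True
    # Assumption: lines newer than 0.10 postdate 0.10.3 and carry the fix.
    return False


def naive_is_vulnerable(version):
    """Flawed check: one global threshold taken from the 0.9.2 security bump."""
    return parse_version(version) < (0, 9, 2)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real inventory.
    for v in ["0.6.1", "0.7.0", "0.8.1", "0.9.1", "0.9.2", "0.10.2", "0.10.3"]:
        print(f"{v:8} per-line={is_vulnerable(v)!s:5} naive={naive_is_vulnerable(v)}")
```

The 0.10.2 row is where the two checks disagree: it sorts above 0.9.2 but is still vulnerable.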
openssl is an optional dependency that is enabled by default since
version 0.7.0 and
23db5e3fd9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new version requires extra features in the toolchain and won't
build with a specific gcc bug, therefore two new toolchain options are
added as dependencies:
* !BR2_TOOLCHAIN_HAS_GCC_BUG_64735
* BR2_TOOLCHAIN_HAS_UCONTEXT
Signed-off-by: Koen Martens <gmc@sonologic.nl>
Reviewed-by: Joel Carlson <JoelsonCarl@gmail.com>
Tested-by: Joel Carlson <JoelsonCarl@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The patch against 0.6.1 has been merged upstream,
and has been removed from this package.
A small change has been made to the LICENSE file:
"Cloudflare, Inc." was added in the copyright
declaration.
Signed-off-by: Koen Martens <gmc@sonologic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On GitHub, a large number of projects name their tag vXYZ (i.e. v3.0,
v0.1, etc.). In some packages we do:
<pkg>_VERSION = v0.3
<pkg>_SITE = $(call github foo,bar,$(<pkg>_VERSION))
And in some other packages we do:
<pkg>_VERSION = 0.3
<pkg>_SITE = $(call github foo,bar,v$(<pkg>_VERSION))
I.e. in one case we consider the version to be v0.3, in the other case
we consider 0.3 to be the version.
The problem with v0.3 is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix" and using
that they drop the "v" prefix for the version.
Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org because Buildroot has 'v0.3'
and release-monitoring.org has '0.3'.
Since really the version number is 0.3, it makes sense to update our
packages to drop this 'v'.
This commit only addresses the (common) case of github packages where
the prefix is simply 'v'. Other cases will be handled by separate
commits. Also, there are a few cases that couldn't be handled
mechanically that aren't covered by this commit.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
[Arnout: don't change flatbuffers, json-for-modern-cpp, libpagekite,
python-scapy3k, softether]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Adds the capnproto package. This also builds a host variant to generate
the capnp compiler that can be used to compile message definitions into
C++ code. Includes a patch from upstream to fix an issue with uclibc.
Signed-off-by: Koen Martens <gmc@sonologic.nl>
Signed-off-by: Joel Carlson <JoelsonCarl@gmail.com>
[Thomas: only link with -latomic when BR2_TOOLCHAIN_HAS_LIBATOMIC=y.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>