Commit Graph

52613 Commits

Author SHA1 Message Date
Heiko Thiery
9ff7b61705 package/pkg-generic.mk: enable hash checks for svn tarbals
With commit 89f5e98932 support for
reproducible archives was added. Thus archives generated from svn do no
longer needs to be added to BR_NO_CHECK_HASH_FOR.

Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-25 23:20:15 +02:00
Fabrice Fontaine
18079e20a7 package/lrzip: bump to 7f3bf46203bf45ea115d8bd9f310ea219be88af4
This bump contains only one commit that fix a build failure with asm:
844b8c057c

Fixes:
 - http://autobuild.buildroot.org/results/800d8a97966ef75dbf20e85ec8a02766ba02cc76

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:55:18 +02:00
Romain Naour
58af9a70cc package/qemu: remove csky fork
We have a qemu fork for csky cpus [1] but since qemu version
bump to 4.2.0 [2] and libssh2/libssh change the csky build is
broken.

The csky fork is based on Qemu 3.0.0 but unlike autotools packages
any unknown option is handled as error.

Since we don't want to support all options from previous qemu
release and the github repository has been removed [3] and the
only remaining archive is located on http://sources.buildroot.net,
remove the qemu csky fork as suggested by [4].

[1] https://git.buildroot.net/buildroot/commit/?id=f816e5b276f1ef15840bec6667f1e8219717ab7d
[2] https://git.buildroot.net/buildroot/commit/?id=0ea17054ce7dfc54efca5634133cef786445e7b1
[3] https://github.com/c-sky/qemu
[4] http://lists.busybox.net/pipermail/buildroot/2020-May/281885.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Guo Ren <ren_guo@c-sky.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
[Peter: move patches out of 4.2.0 subdir]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:52:53 +02:00
Yann E. MORIN
90dd780391 package/wiringpi: remove
The author has completely ripped off the git tree, so the sources
are no longer available, with that message:
    "Please look for alternatives for wiringPi"

And indeed there is a better alternative, using the kernel GPIO
subsystem and drivers.

Note that queezelite looses that functionality now, but upstream
squeezelite has done changes to do without wiringpi (hint for an
upgrade?).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Hiroshi Kawashima <kei-k@ca2.so-net.ne.jp>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:48:44 +02:00
Yann E. MORIN
97551eb176 package/speexdsp+tremor: switch to new git repository
The original git server on git.xiph.org died, and the Xiph project has
now moved on to host their repositories on gitlab.comn instead.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:30:23 +02:00
Yann E. MORIN
fb57a54cf8 package: don't use BR2_KERNEL_MIRROR for git downloads
The git repositories are not served on the kernel.org CDN:

    fatal: repository 'https://cdn.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/' not found

Switch to explicitly use the git.kernel.org server.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:29:50 +02:00
Bernd Kuhls
c5e932613e package/ffmpeg: bump version to 4.2.3
Removed patch included in upstream release, reformatted hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:20:40 +02:00
Fabrice Fontaine
39bfd50410 package/wireshark: security bump to version 3.2.4
Fix CVE-2020-13164: In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and
2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in
epan/dissectors/packet-nfs.c by preventing excessive recursion, such as
for a cycle in the directory graph on a filesystem.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:19:02 +02:00
Fabrice Fontaine
2e0beffb74 package/fio: fix build on sh4
Fixes:
 - http://autobuild.buildroot.org/results/6dc82572ae1369aa5c9954b6e61777766c5aa3b4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 22:04:35 +02:00
Joachim Nilsson
de2b78143c docs/manual: new chapter on release engineering
Describe release engineering and development phases of the project.

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 21:59:21 +02:00
Yann E. MORIN
9827283641 package/ltrace: directly use s.b.o to fetch the archive
During the migration from alioth to gitlab, the git repository for ltrace
was not migrated. There is a repository on gitlab.com, owned by the debian
maintainer, but that repository does not contain the sha1 we know of:
    https://gitlab.com/cespedes/ltrace

s.b.o. is the only known location so far to host the archive, so switch
to it.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 21:58:27 +02:00
Peter Korsgaard
89a5d21627 package/bind: security bump to version 9.11.19
Fixes the following security issues:

- (9.11.18) DNS rebinding protection was ineffective when BIND 9 is
  configured as a forwarding DNS server.  Found and responsibly reported by
  Tobias Klein.  [GL #1574]

- (9.11.19) To prevent exhaustion of server resources by a maliciously
  configured domain, the number of recursive queries that can be triggered
  by a request before aborting recursion has been further limited.  Root and
  top-level domain servers are no longer exempt from the
  max-recursion-queries limit.  Fetches for missing name server address
  records are limited to 4 for any domain.  This issue was disclosed in
  CVE-2020-8616.  [GL #1388]

- (9.11.19) Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure.  This was disclosed in CVE-2020-8617.  [GL #1703]

Also update the COPYRIGHT hash for a change of copyright year and adjust the
spacing for the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 21:57:30 +02:00
Jérémy Rosen
26c32d933e packages/systemd: fix double getty on console
When selecting "console" for the automatic getty, the buildroot logic
would collide with systemd's internal console detection logic, resulting
in two getty being started on the console.

This commit fixes that by doing nothing when "console" is selected and
letting systemd-getty-generator deal with starting the proper getty.

Note that if something other than the console is selected
* Things will work properly, even if the selected terminal is also the
  console
* A getty will still be started on the console.
  This is what systemd has been doing on buildroot since the beginning. it
  could be disabled but I left it for backward compatibility

Fixes: #12361
Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-23 00:10:18 +02:00
Fabrice Fontaine
03fbb81b8b package/dovecot: security bump to version 2.3.10.1
- Fix CVE-2020-10957: In Dovecot before 2.3.10.1, unauthenticated
  sending of malformed parameters to a NOOP command causes a NULL
  Pointer Dereference and crash in submission-login, submission, or
  lmtp.
- Fix CVE-2020-10958: In Dovecot before 2.3.10.1, a crafted SMTP/LMTP
  message triggers an unauthenticated use-after-free bug in
  submission-login, submission, or lmtp, and can lead to a crash under
  circumstances involving many newlines after a command.
- Fix CVE-2020-10967: In Dovecot before 2.3.10.1, remote
  unauthenticated attackers can crash the lmtp or submission process by
  sending mail with an empty localpart.
- Drop first patch (already in version) and so autoreconf
- Update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 20:54:49 +02:00
Fabrice Fontaine
6d7df70016 package/dovecot: drop first patch
First patch is not needed since version 2.3.0 and
08259c1f20

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 20:54:23 +02:00
Bernd Kuhls
af325be5db package/kodi: bump version to 18.7-Leia
Release notes: http://www.kodi.tv/article/kodi-leia-187-release

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 14:07:08 +02:00
Stefan Ott
796cc10fa0 package/unbound: bump version to 1.10.1 for security fixes
Fixes the following security vulnerabilities:

CVE-2020-12662: Unbound can be tricked into amplifying an incoming query
  into a large number of queries directed to a target.

CVE-2020-12663: Malformed answers from upstream name servers can be used
  to make Unbound unresponsive.

Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 14:06:01 +02:00
Peter Korsgaard
497e3dff7e Update for 2020.05-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 11:53:24 +02:00
Fabrice Fontaine
cb6eb5db79 package/freerdp: security bump to version 2.1.1
>From ChangeLog:
- CVE: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
- CVE: GHSL-2020-101 OOB Read in security_fips_decrypt due to
  uninitialized value
- CVE: GHSL-2020-102 OOB Write in crypto_rsa_common
- Enforce synchronous legacy RDP encryption count (#6156)
- Fixed some leaks and crashes missed in 2.1.0
- Removed dynamic channel listener limits
- Lots of resource cleanup fixes (clang sanitizers)

https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-22 09:57:37 +02:00
Fabrice Fontaine
a00db9f808 DEVELOPERS: remove python-pycrypto
Commit 7ef76ed32f forgot to remove
python-pycrypto entry from DEVELOPERS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-21 17:05:20 +02:00
Fabrice Fontaine
bcc02f5fe5 package/libpam-tacplus: fix build when time_t is 64 bits
Fixes:
 - http://autobuild.buildroot.org/results/874433d8cb30d21332f23024081a8b6d7b3254ae

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:55:38 +02:00
Heiko Thiery
19f726b988 package/vboot-utils: fix -fno-common build failure
Added upstream patch for fixing build failure when using GCC10 as a host
compiler (-fno-common is now default).

Fixes:
http://autobuild.buildroot.net/results/aca662d9fd7052f3b361b731cd266edb3b6c41b0
http://autobuild.buildroot.net/results/6546b284cf306a2fde3c69d67daf9aacffa9e143
http://autobuild.buildroot.net/results/db20bb3c11a1a9558a5d8021015c6915f99097c8

Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:49:25 +02:00
Romain Naour
7ef76ed32f package/python-pycrypto: remove package
This package doesn't work with Python 3.8 since the code contains
time.clock() that was deprecated in Python 3.3 and removed in Python 3.8.

Instead of applying non upstream patches from Fedora [1], python-pycrypto
was replaced by python-pycryptodomex for crda and optee-os package.
Now we can remove safely this package.

[1] http://lists.busybox.net/pipermail/buildroot/2020-April/280683.html

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/498144209

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:47:29 +02:00
Romain Naour
82b7400175 boot/optee-os: replace pycrypto by pycryptodomex
>From [1] included in optee-os release 3.7.0:
"PyCryptodome is a fork of PyCrypto, which is not maintained any more
(the last release dates back to 2013 [2]). It exposes almost the same
API, but there are a few incompatibilities [3]."

pem_to_pub_c.py/sign.py scripts still use pycrypto that is replaced
by pycryptodomex. Add a patch to use pycryptodomex but don't use
upstream commit since it also switches from the algorithm
TEE_ALG_RSASSA_PKCS1_V1_5_SHA256 to TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256
when replacing pycrypto to pycryptodomex [4].

[1] 90ad245043
[2] https://pypi.org/project/pycrypto/#history
[3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html
[4] ababd72d2f

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/526035730

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:46:21 +02:00
Romain Naour
8d05237b60 package/crda: replace pycrypto by pycryptodomex
>From [1]:
"PyCryptodome is a fork of PyCrypto, which is not maintained any more
(the last release dates back to 2013 [2]). It exposes almost the same
API, but there are a few incompatibilities [3]."

[1] 90ad245043
[2] https://pypi.org/project/pycrypto/#history
[3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html

Update the patch 0001-crda-support-python-3-in-utils-key2pub.py.patch
since it add pycrypto.

>From [4]
"CRDA is no longer needed as of kernel v4.15 since commit 007f6c5e6eb45
("cfg80211: support loading regulatory database as firmware file") added
support to use the kernel's firmware request API which looks for the
firmware on /lib/firmware. Because of this CRDA is legacy software for
older kernels. It will continue to be maintained."

[4] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/tree/README?id=9856751feaf7b102547cea678a5da6c94252d83d#n8

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:45:47 +02:00
Romain Naour
3db1e5fbcb package/python-pycryptodomex: add host variant
Adding a host variant will allow to replace host-python-pycrypto by
host-python-pycryptodomex for the crda and optee-os packages.

From [1]:
"PyCryptodome is a fork of PyCrypto, which is not maintained any more
(the last release dates back to 2013 [2]). It exposes almost the same
API, but there are a few incompatibilities [3]."

[1] 90ad245043
[2] https://pypi.org/project/pycrypto/#history
[3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:44:55 +02:00
Thomas Petazzoni
4e60247be6 package/xerces: fix coding style in Config.in
We generally use on "depends on" for each toolchain option, so let's
do this as well in package/xerces/Config.in.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:42:59 +02:00
Jared Bents
850d9cbafc package/xerces: add enable network option
Update to add the option to compile xerces with network
enabled by default so it can be unselected to compile
without network support.

When network support is enabled the Network Accessor feature
will decode schema urls and if they don't appear as localhost
or local files, it will open a stream (socket) session with
the remote server. In an embedded setting having the option to
disable this allows:
 * cleaner audit logging
 * smaller security attack surface
 * less library dependencies
 * no behind the scenes failed session attempts

Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:42:42 +02:00
Bernd Kuhls
6480cf63dc package/kodi-pvr-wmc: bump version to 2.4.6-Leia
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:23 +02:00
Bernd Kuhls
64f04c35f3 package/kodi-pvr-pctv: bump version to 2.4.7-Leia
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:18 +02:00
Bernd Kuhls
ac53acc640 package/kodi-pvr-mythtv: bump version to 5.10.16-Leia
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:15 +02:00
Bernd Kuhls
678d52b099 package/kodi-pvr-filmon: bump version to 2.4.6-Leia
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:10 +02:00
Bernd Kuhls
285101c048 package/kodi-pvr-argustv: bump version to 3.5.6-Leia
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:07 +02:00
Bernd Kuhls
f1b335d439 package/kodi-inputstream-adaptive: bump version to 2.4.5
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:37:01 +02:00
James Hilliard
f953135b72 package/ser2net: bump to version 4.1.8
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:33:40 +02:00
Stephan Hoffmann
6cff754157 DEVELOPERS: add Stephan Hoffmann for libhttpserver
I added this package while working for Grandcentrix but
am willing to maintain it further.

Signed-off-by: Stephan Hoffmann <sho@relinux.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:33:00 +02:00
Stephan Hoffmann
64a2bfcf8f package/mtdev2tuio: remove package
mtdev2tuio breaks the builds every now and then and is not
maintained upstream. It does not seem to be useful any more.

Signed-off-by: Stephan Hoffmann <sho@relinux.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:20:47 +02:00
Ryan Coe
285986ae59 package/mariadb: security bump to 10.3.23
Add two spaces in hash file.

Remove patch 0002 as it has been applied upstream.

Release notes:
https://mariadb.com/kb/en/library/mariadb-10323-release-notes/

Changelog:
https://mariadb.com/kb/en/library/mariadb-10323-changelog/

Fixes the following security vulnerabilities:
CVE-2020-2752 - Vulnerability in the MySQL Client product of Oracle MySQL
(component: C API). Supported versions that are affected are 5.6.47 and
prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Client. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Client.

CVE-2020-2812 - Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: Stored Procedure). Supported versions that are affected
are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily
exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2020-2814 - Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected are 5.6.47 and
prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2020-2760 - Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected are 5.7.29 and
prior and 8.0.19 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server as well as unauthorized update, insert or
delete access to some of MySQL Server accessible data.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:20:15 +02:00
Joseph Kogut
70eab17ee2 package/python-sentry-sdk: bump to version 0.14.4
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:19:00 +02:00
Stefan Sørensen
7c16bf5449 package/libpwquality: bump version to 1.4.2
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:18:41 +02:00
Grzegorz Blach
c195b88479 package/python-redis: bump to version 3.5.2
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:17:45 +02:00
Grzegorz Blach
10b1abfcb5 package/python-crontab: bump to version 2.5.1
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:16:59 +02:00
Petr Vorel
5ebed9c966 package/feh: bump to version 3.4
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:16:42 +02:00
Fabrice Fontaine
ca0547ffea package/libexif: security bump to version 0.6.22
- Switch site to github
- Drop patches (already in version)
- Fix the following CVEs:
  - CVE-2020-13114: Time consumption DoS when parsing canon array
    markers
  - CVE-2020-13113: Potential use of uninitialized memory
  - CVE-2020-13112: Various buffer overread fixes due to integer
    overflows in maker notes
  - CVE-2020-0093: read overflow
  - CVE-2020-12767: fixed division by zero

https://github.com/libexif/libexif/releases/tag/libexif-0_6_22-release

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 21:59:51 +02:00
Thomas Petazzoni
78e7807112 package/bison: make installation relocatable
Our current host-bison installation is not relocatable, so if you
generate the SDK, and install it in a different location, bison will
no longer work with failures such as:

bison: /home/user/buildroot/output/host/share/bison/m4sugar/m4sugar.m4: cannot open: No such file or directory

This particular issue is already resolved upstream by the addition of
"relocatable" support, which we enable using --enable-relocatable.

Once this issue is fixed, a second one pops up: the path to the m4
program itself is also hardcoded. So we add a patch to fix that as
well. The patch has been submitted upstream, which have requested for
further refinements not applicable to the Buildroot context; in the
meantime, we carry that patch.

Fixes:

  https://bugs.busybox.net/show_bug.cgi?id=12656

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: add reference to the upstream submission]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 21:22:59 +02:00
Yann E. MORIN
39ae8290aa Revert "package/cracklib: add python3 support"
This reverts commit f584595424.
It in fact depends on a previous patch to python that was not applied
[0], as upstream believes it is dangerous [1], and is still debating the
proper solution [2].

[0] https://patchwork.ozlabs.org/project/buildroot/patch/20200202205306.1785085-1-fontaine.fabrice@gmail.com/
[1] https://bugs.python.org/issue39026#msg369309
[2] https://bugs.python.org/issue39026

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 21:08:11 +02:00
Fabrice Fontaine
f584595424 package/cracklib: add python3 support
python bindings supports python3 since version 2.8.19 and
219de98766

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 21:01:13 +02:00
Stefan Sørensen
42617caa72 package/p7zip: fix build with gcc 10
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 20:49:05 +02:00
Stefan Sørensen
9e9c242fb7 package/openldap: security bump to version 2.4.50
Security fixes:
 CVE-2020-12243: Fixed slapd to limit depth of nested filters

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-19 20:47:29 +02:00
Thomas Petazzoni
aa13c9667c DEVELOPERS: drop Stephan Hoffmann
His e-mail is no longer working:

<stephan.hoffmann@ext.grandcentrix.net>: host aspmx.l.google.com[74.125.133.26]
    said: 550-5.2.1 The email account that you tried to reach is disabled.
    Learn more at 550 5.2.1  https://support.google.com/mail/?p=DisabledUser
    o3si10331209wre.302 - gsmtp (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-18 09:59:24 +02:00