As described in the announcement, this fixes a security issue:
There is one security fix in this release:
- Fix for a newly discovered security issue known as the 'Terrapin'
attack, also numbered CVE-2023-48795. The issue affects widely-used
OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
cipher system, and 'encrypt-then-MAC' mode.
In order to benefit from the fix, you must be using a fixed version
of PuTTY _and_ a server with the fix, so that they can agree to
adopt a modified version of the protocol. Alternatively, you may be
able to reconfigure PuTTY to avoid selecting any of the affected
modes.
If PuTTY 0.80 connects to an SSH server without the fix, it will
warn you if the initial protocol negotiation chooses an insecure
mode to run the connection in, so that you can abandon the
connection. If it's possible to alter PuTTY's configuration to
avoid the problem, then the warning message will tell you how to do
it.
https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This runtime test verifies the existence of the tftpy module when
selected.
Signed-off-by: Colin Foster <colin.foster@in-advantage.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
RISC-V 64bit qemu virt machine support has been added in edk2
version "stable202302". See [1].
Since edk2-stable202308, introduced in buildroot in commit 5c9f310
"boot/edk2: bump to version edk2-stable202308", it is now possible
to boot the edk2 UEFI shell in qemu.
This commit adds this early RISC-V support to edk2.
The RISC-V edk2 UEFI shell can be booted in Buildroot with the
following commands:
# Build EDK2 images
cat > .config <<EOF
BR2_riscv=y
BR2_RISCV_64=y
BR2_PACKAGE_HOST_QEMU=y
BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
BR2_TARGET_EDK2=y
EOF
make olddefconfig
make
# edk2 image size should fit the 32MB of qemu pflash memories
truncate -s 32M output/images/RISCV_VIRT_CODE.fd
truncate -s 32M output/images/RISCV_VIRT_VARS.fd
# Start qemu:
output/host/usr/bin/qemu-system-riscv64 \
-M virt,pflash0=pflash0,pflash1=pflash1,acpi=off \
-nographic \
-blockdev node-name=pflash0,driver=file,read-only=on,filename=output/images/RISCV_VIRT_CODE.fd \
-blockdev node-name=pflash1,driver=file,filename=output/images/RISCV_VIRT_VARS.fd
Note: a Qemu version >= 8.0.0 is needed to properly start edk2. A qemu
version on the host system might not be sufficient. This is why the
Buildroot host-qemu is built in this config example.
[1] https://github.com/tianocore/edk2/releases/tag/edk2-stable202302
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
After 10 years we don't have to justify the fork anymore, as it has been
the new upstream for that long now.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
For release announce on mailing list, see [1].
For release general news, see [2].
This commit removes all package patches, as they are all included in
this version.
The .checkpackageignore file is updated accordingly (the entry for
patch 0001 is removed).
This commit also removes GRUB2_AVOID_AUTORECONF hooks, since patch
0001 is removed.
This commit also removes the GRUB2_IGNORE_CVES entries associated to
the removed patches. The version bump should now explicitly exclude
those CVEs. For patches 8 and 9, the upstream commit IDs were
incorrectly recorded:
- patch 8 mentioned d5caac8ab79d068ad9a41030c772d03a4d4fbd7b while
the actual commit is 5bff31cdb6b93d738f850834e6291df1d0b136fa
- patch 9 mentioned 166a4d61448f74745afe1dac2f2cfb85d04909bf while
the actual commit is 347880a13c239b4c2811c94c9a7cf78b607332e3
Finally, this commit introduces a new patch, adding a missing file in
the release tarball.
[1] https://lists.gnu.org/archive/html/grub-devel/2023-12/msg00052.html
[2] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=blob;f=NEWS;hb=refs/tags/grub-2.12
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Adds BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH for riscv32 and riscv64.
Otherwise, riscv targets fall back to the linux-generic libopenssl
configs. This exacerbates the issue partially addressed in
openssl/openssl#22871 which causes build failures.
Fixes a mispelling in upstream causing 0builds for riscv32 to fail when
linking.
Signed-off-by: Grant Nichol <me@grantnichol.com>
[yann.morin.1998@free.fr: squash the two commits together]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:
* CVE-2010-4756: The glob implementation in the GNU C Library (aka
glibc or libc6) allows remote authenticated users to cause a denial
of service (CPU and memory consumption) via crafted glob expressions
that do not match any pathnames. glibc maintainers position: "That's
standard POSIX behaviour implemented by (e)glibc. Applications using
glob need to impose limits for themselves"
* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may bypass stack guard
protection. The component is: nptl. The attack vector is: Exploit
stack buffer overflow vulnerability and use this bypass
vulnerability to bypass stack guard. NOTE: Upstream comments
indicate "this is being treated as a non-security bug and no real
threat. glibc maintainers position: "Not treated as a security issue
by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
current loaded library with malicious ELF file. The impact is: In
worst case attacker may evaluate privileges. The component is:
libld. The attack vector is: Attacker sends 2 ELF files to victim
and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
indicate "this is being treated as a non-security bug and no real
threat. glibc maintainers position: "Not treated as a security issue
by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may bypass ASLR using cache of
thread stack and heap. The component is: glibc. NOTE: Upstream
comments indicate "this is being treated as a non-security bug and
no real threat. glibc maintainers position: "Not treated as a
security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may guess the heap addresses of
pthread_created thread. The component is: glibc. NOTE: the vendor's
position is "ASLR bypass itself is not a vulnerability. Glibc
maintainers position: "Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As reported in bug 15895, the GLIBC_VERSION field having a value
looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, it
prevents the CPE/CVE matching with the NVD database to work correctly.
This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
GLIBC_VERSION, by extracting the base version.
Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
clearly been fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
of other CVEs still affecting the glibc package, but they are not
related to this
2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.
Fixes: #15895
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
According to the source file:
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Much like weston, this is a runtime dependency.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add new python-contourpy runtime dependency.
Add new python-pybind dependency.
Add new host-python-setuptools-scm build dependency.
Update setup.cfg to new mplsetup.cfg install location.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add new python-urwid-readline runtime dependency.
Add new python-packaging runtime dependency.
Remove no longer required python-setuptools runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
this file could be required by some native modules
note: compat-5.3.c is included by compat-5.3.h
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
the project has moved to the organization “Lunar Modules”,
see https://github.com/lunarmodules/
diff LICENCE:
-Copyright (c) 2015 Kepler Project.
+Copyright (C) 1994-2020 Lua.org, PUC-Rio.
+Copyright (C) 2013-2023 The Lua-Compat-5.3 authors.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
It turns out that wildcard expansion, * and ?, is not performed in
matching lists {...}, at least in the vim plugin. The spec is not clear
about that, but refer to "pattern matching through Unix shell-style
wildcards" [0].
So, let's consider that this is not supported. Expand the patterns into
one section each, rather than use a list.
[0] https://spec.editorconfig.org/
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop local patches that have been upstreamed.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Macleod Thompson <peter.macleod.thompson@gmail.com>
[Peter: fix filename in .hash file]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenSSH 9.6 was released on 2023-12-18.
This release contains fixes for a newly-discovered weakness in the
SSH transport protocol (the "Terrapin" attack), a logic error relating
to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for
programs that invoke ssh(1) with user or hostnames containing invalid
characters.
https://www.openssh.com/txt/release-9.6
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised since bump of libressl to version
3.8.2 in commit 21eca49ed5:
./keys.c:167:35: error: 'ENGINE_METHOD_ALL' undeclared (first use in this function)
167 | if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
| ^~~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/37cc05b78a7004caa1b45d896121f059a4f8ca00
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Git shortlog:
Ben Wolsieffer (3):
fork: generate stub on no-MMU systems
arm: elf-fdpic.h: avoid void pointer subtraction
libpthread/nptl: make default stack size configurable
Greg Ungerer (1):
elf: support ELF binaries in noMMU
Marcus Haehnel (3):
fnmatch: fix possible access beyond of parameter string
getaddrinfo.c: Avoid misleading indentation warning
linuxthreads: Avoid unused variable warning
Marcus Hähnel (1):
setjmp.h: Fix C++ build and avoid duplicate throw declaration
Max Filippov (1):
daemon.c: make _fork_parent static inline again
Paul Iannetta (1):
kvx: fix asm syntax
Pavel Kozlov (6):
setrlimit/getrlimit: fix prlimit64 syscall use for 32-bit CPUs
Fix -Warray-parameter warning for __sigsetjmp
prlimit: add name redirection and fix incorrect parameters to syscall
arc: add acq/rel variants for atomic cmpxchg/xchg
arc: remove read ahead in asm strcmp code for ARCHS
rlimit: fix 64-bit RLIM64_INFINITY macro
Waldemar Brodkorb (8):
aarch64: add hwcap header file
fcntl.h: declare f_owner_ex for all architectures
arm: add hwcap header file
lm32: disable ctor/dtor
aarch64: disable lazy relocations
riscv64: define __NR_riscv_flush_icache if not available
depend on __UCLIBC_HAVE_STATX__
bump version for 1.0.45 release
Yann Sionneau (9):
fstatat64: define it as a wrapper of statx if the kernel does not support fstatat64 syscall
fstat: add missing return value statement for the statx wrapping case
add support for systems without legacy setrlimit/getrlimit syscalls
fstatat: add wrapper that uses statx for non-legacy arch
kvx: add support for kv3-2 (Coolidge v2 SoC)
kvx: atomic: rework using compiler builtins
kvx: align specification of user regs
kvx: define that kvx port supports statx syscall
kvx: use a custom stat.h header
lordrasmus (8):
add vsdo support
fix file permissions
fix getauxval() on aarch64 gcc 11
vdso support missing file
c6x compile fix vdso support
gettimeofday() only include ldso.h if vdso support is activated
vdso support for x86_64
gitignore
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Release notes:
https://www.openssl.org/blog/blog/2023/11/23/OpenSSL32/
Removed patch 0001 and added no-docs configure option due to
956b4c75dc
Removed patch 0003 due to
78634e8ac2
Removed patch 0006 which is included in this release
e1b6ecbab4
Renumbered remaining patches.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
