Commit Graph

54631 Commits

Author SHA1 Message Date
Johan Oudinet
76f1573764 package/erlang-p1-yconf: bump version to 1.0.8
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:33 +01:00
Johan Oudinet
8edc25ca9b package/erlang-p1-mqtree: bump version to 1.0.10
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:33 +01:00
Johan Oudinet
add7a8aaa7 package/erlang-jiffy: bump version to 1.0.6
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:33 +01:00
Johan Oudinet
cab94833fa package/erlang-p1-xml: bump version to 1.1.44
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:33 +01:00
Johan Oudinet
b5dcddf452 package/erlang-p1-tls: bump version to 1.1.9
The license file hash has changed due to:

-Copyright 2002-2019 ProcessOne SARL
+Copyright 2002-2020 ProcessOne SARL

Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:33 +01:00
Johan Oudinet
5f47e7adb4 package/erlang-p1-zlib: bump version to 1.0.9
The license file hash has changed due to:

-Copyright 2002-2019 ProcessOne SARL
+Copyright 2002-2020 ProcessOne SARL

Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 23:24:17 +01:00
Fabrice Fontaine
07f8ea3913 package/libcap: fix libcap.pc
libcap builds an incorrect libcap.pc because libdir is pulled from the
host os:

ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif

Fix this error by passing lib=lib and prefix in
{HOST_LIBCAP,LIBCAP}_BUILD_CMDS

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=13276

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 23:01:27 +01:00
Peter Korsgaard
c773336463 package/x11r7/xserver_xorg-server: add upstream security fixes for CVE-2020-14360 / 25712
Fixes the following security issues:

* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access

  Insufficient checks on the lengths of the XkbSetMap request can lead to
  out of bounds memory accesses in the X server.

* CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow

  Insufficient checks on input of the XkbSetDeviceInfo request can lead to a
  buffer overflow on the head in the X server.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/12/01/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 23:01:09 +01:00
Bernd Kuhls
692829d967 toolchain: add upstream fix for arc gcc
Fixes:
http://autobuild.buildroot.net/results/792/792e69eefc87d28b92972c452d5e230d86d9e114/

Upstream issue:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/issues/310

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:58:41 +01:00
Bernd Kuhls
0b4c7ba01c toolchain: update option descriptions for ARC tools arc-2020.09-release
https://git.buildroot.net/buildroot/commit/?id=0791abfba0227803b19895ea22326f4e17ac93dc

bumped
* Binutils 2.34.50 with additional ARC patches
* GCC 10.0.2 with additional ARC patches
* GDB 10.0.50 with additional ARC patches

but forgot to update the version numbers stored in option descriptions.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:56:11 +01:00
Johan Oudinet
5f932efd90 package/erlang-eimp: bump version to 1.0.17
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:54:23 +01:00
Johan Oudinet
fe282f13ba package/erlang-p1-cache-tab: bump version to 1.0.25
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:54:22 +01:00
Johan Oudinet
a68e516ac5 package/erlang-p1-utils: bump version to 1.0.20
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:54:20 +01:00
Fabrice Fontaine
c194d343fb package/s390-tools: also set HAVE_LIBCURL
Set HAVE_LIBCURL when libcurl is available to enable genprotimg and
libekmfweb:
https://github.com/ibm-s390-tools/s390-tools/blob/master/README.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:52:34 +01:00
Bernd Kuhls
23d8b04295 package/setserial: add license hash
Also reformatted hash file.

Fixes:
http://autobuild.buildroot.net/results/d1c/d1ccecc74755155664cd17c8d33721c804a37b25/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:50:33 +01:00
Peter Seiderer
4146241624 package/kmsxx: bump version to 5489056 and convert to meson build
- remove 0001-fix-compiler-errors-with-gcc-10.patch
  (upstream)

- remove 0002-added-include-string-to-card.h-to-follow-gcc10-porti.patch
  (upstream)

- convert to meson

- add patch to use system fmt instead of git submodule (fixes
  configure 'ERROR: Include dir ext/fmt/include does not exist.')

- add patch to use system pybind11 instead of git submodule (fixes
  configure 'ERROR: Include dir ext/pybind11/include does not exist.')

- add patch to use python only if pykms is enabled (fixes
  configure 'ERROR: Dependency "pybind11" not found, tried pkgconfig')

- add optional libevdev dependency (needed for utils/kmstouch)

- update LICENSE file hash (replaced short copyright notice and
  link to  http://mozilla.org/MPL/2.0/ with complete license text)

- lift toolchain headers requirement to at least 4.11 (include
  linux/dma-buf.h)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:47:29 +01:00
Fabrice Fontaine
eefebfe5df package/kmsxx: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/59f70fb725c2f07e27dc818839e02f2788ee490c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:47:29 +01:00
Peter Seiderer
a110a5cf4b package/fmt: bump version to 7.1.3
For details see [1], [2], [3] and [4].

[1] https://github.com/fmtlib/fmt/releases/tag/7.1.0
[2] https://github.com/fmtlib/fmt/releases/tag/7.1.1
[3] https://github.com/fmtlib/fmt/releases/tag/7.1.2
[4] https://github.com/fmtlib/fmt/releases/tag/7.1.3

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 22:47:29 +01:00
Angelo Compagnucci
ed3062319f package/cups-filters: bump to version 1.28.4
While bumping, removing upstreamed patches. Removing also autoreconf
step cause we are not patching it anymore.
License hash is changed due to remove of notice for file
filter/sys5ippprinter.c.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 22:43:39 +01:00
Fabrice Fontaine
b5b3870c98 package/s390-tools: fix build with netsnmp
Fix the following build failure:

/bin/sh: net-snmp-config: command not found
/home/buildroot/autobuild/run/instance-2/output-1/host/lib/gcc/s390x-buildroot-linux-gnu/9.3.0/../../../../s390x-buildroot-linux-gnu/bin/ld: osasnmpd.o: in function `main':
osasnmpd.c:(.text.startup+0xcc): undefined reference to `snmp_log_perror'

Moreover, replace perl-net-snmp dependency by netsnmp as osasnmpd is an
SNMP subagent for the net-snmp package:
https://github.com/ibm-s390-tools/s390-tools/blob/master/osasnmpd/osasnmpd.8

Fixes:
 - http://autobuild.buildroot.org/results/00796f2ebd5fb0e08ac7a05a9ee566f2bc4bd1c3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:42:58 +01:00
Julien Olivain
fe0f3f08da package/linux-firmware: install Ath10k QCA9377 sdio firmware
linux-firmware version 20201022 introduced a new sdio firmware for
QCA9377 sdio devices. Install it when support is selected.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 22:41:08 +01:00
Julien Olivain
b2a0b879d5 package/linux-firmware: bump version to 20201022
This update is motivated by the inclusion SDIO firmware for QCA9377 WiFi
cards in this new version. See [1].

The license file "WHENCE" content/checksum has changed, since it's an
index of firmware provenance and their licenses, and many new firmware
files were added.

For the full linux-firmware change log, see tag 20201022 log [2].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=d7904d5b07a9e2c4cdd9f8b2c5a5faa9c6e665cf
[2] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/?h=20201022

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 22:41:08 +01:00
Julien Olivain
e68c25b227 package/linux-firmware: reformat hash file using the 2 spaces convention
For readability, this reformatting is done in a separate commit, as this
package contains many license files.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 22:41:08 +01:00
Fabrice Fontaine
ac6dbae320 package/bind: fix license hash
Commit 9679d3f021 forgot to update hash of
COPYRIGHT which was updated to replace http by https:
400171aee8

Fixes:
 - http://autobuild.buildroot.org/results/db614a6fa1e17af2fa5c1d4a0d51cdf770893ca9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:39:48 +01:00
Angelo Compagnucci
8a8a873455 package/environment-setup: add better kernel handling
Exporting ARCH and KERNELDIR makes easier to compile an external kernel
or out of tree kernel modules.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 21:52:46 +01:00
Bernd Kuhls
1e66d99610 package/{mesa3d, mesa3d-headers}: bump version to 20.2.3
Release notes of this bugfix release:
https://lists.freedesktop.org/archives/mesa-announce/2020-November/000607.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 21:45:01 +01:00
Marcus Folkesson
4e060bf6bc package/libostree: bump to version 2020.8
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-01 21:44:28 +01:00
Angelo Compagnucci
c7f98d08fc package/python-pydal: bump to version 20200910.1
While bumping updating the sha256 computation method.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 21:38:48 +01:00
Angelo Compagnucci
85d36b4cf9 package/python-can: bump to verison 3.3.4
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-01 21:38:08 +01:00
Peter Korsgaard
9ef54b7d0b package/privoxy: security bump to version 3.0.29
From the release notes:

- Security/Reliability:
  - Fixed memory leaks when a response is buffered and the buffer
    limit is reached or Privoxy is running out of memory.
    Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no action files are configured. Commit c62254a686.
    OVE-20201118-0002.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no filter files are configured. Commit 1b1370f7a8a.
    OVE-20201118-0003.
    Sponsored by: Robert Klemme
  - Fixes a memory leak when client tags are active.
    Commit 245e1cf32. OVE-20201118-0004.
    Sponsored by: Robert Klemme
  - Fixed a memory leak if multiple filters are executed
    and the last one is skipped due to a pcre error.
    Commit 5cfb7bc8fe. OVE-20201118-0005.
  - Prevent an unlikely dereference of a NULL-pointer that
    could result in a crash if accept-intercepted-requests
    was enabled, Privoxy failed to get the request destination
    from the Host header and a memory allocation failed.
    Commit 7530132349. CID 267165. OVE-20201118-0006.
  - Fixed memory leaks in the client-tags CGI handler when
    client tags are configured and memory allocations fail.
    Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
  - Fixed memory leaks in the show-status CGI handler when memory
    allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
    CID 305233. OVE-20201118-0008.

For more details, see the announcement:
https://www.openwall.com/lists/oss-security/2020/11/29/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-30 23:44:38 +01:00
Fabrice Fontaine
26c2db20d8 package/libplist: drop duplicated COPYING hash
Commit 762119b4c5 resulted in a duplicated
line for COPYING hash so drop it

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-30 23:44:03 +01:00
Peter Seiderer
376dc6c8df package/kmsxx: fix gcc-10.x compile
Backport upstream commit ([1]) adding missing string include.

Fixes:
  - http://autobuild.buildroot.net/results/53a5f023ae40db18f45ebe7578962914c2d22a44

  In file included from .../build/kmsxx-cb0786049f960f2bd383617151b01318e02e9ff9/kms++/inc/kms++/omap/omapcard.h:3,
                   from .../build/kmsxx-cb0786049f960f2bd383617151b01318e02e9ff9/kms++/src/omap/omapcard.cpp:2:
  .../build/kmsxx-cb0786049f960f2bd383617151b01318e02e9ff9/kms++/inc/kms++/card.h:17:18: error: 'string' in namespace 'std' does not name a type
     17 |  Card(const std::string& device);
        |                  ^~~~~~

[1] b53f9d383c.patch

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:21:37 +01:00
Peter Korsgaard
3fb7c63687 package/lynx: fix reproducible build issues
Fixes (part of) http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

Lynx by default contains logic to generate a "configuration info" HTML page,
which leaks build paths, and adds the build timestamp to the version output.
Disable both when building in reproducible mode.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:20:42 +01:00
Peter Korsgaard
288ece60bb package/jemalloc: add jemalloc-config to _CONFIG_SCRIPTS handling
Fixes (part of) http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

jemalloc installs a jemalloc-config script, leaking build paths and breaking
reproducible builds (and per-package builds).

Add it to _CONFIG_SCRIPTS so the paths get fixed up for staging and the
script removed from target.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:20:13 +01:00
Peter Korsgaard
163334a707 package/mariadb: security bump to version 10.3.27
Fixes the following security issues:

- CVE-2020-15180: during SST a joiner sends an sst method name to the donor.
  Donor then appends it to the "wsrep_sst_" string to get the name of the
  sst script to use, e.g.  wsrep_sst_rsync.  There is no validation or
  filtering here, so if the malicious joiner sends, for example, "rsync `rm
  -rf /`" the donor will execute that too.

- CVE-2020-14812: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: Locking).  Supported versions that are affected are
  5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior.  Easily
  exploitable vulnerability allows high privileged attacker with network
  access via multiple protocols to compromise MySQL Server.  Successful
  attacks of this vulnerability can result in unauthorized ability to cause
  a hang or frequently repeatable crash (complete DOS) of MySQL Server.

- CVE-2020-14765: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: FTS).  Supported versions that are affected are 5.6.49
  and prior, 5.7.31 and prior and 8.0.21 and prior.  Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server.  Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server.

- CVE-2020-14776: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: InnoDB).  Supported versions that are affected are 5.7.31 and
  prior and 8.0.21 and prior.  Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to
  compromise MySQL Server.  Successful attacks of this vulnerability can
  result in unauthorized ability to cause a hang or frequently repeatable
  crash (complete DOS) of MySQL Server.

- CVE-2020-14789: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: FTS).  Supported versions that are affected are 5.7.31
  and prior and 8.0.21 and prior.  Easily exploitable vulnerability allows
  high privileged attacker with network access via multiple protocols to
  compromise MySQL Server.  Successful attacks of this vulnerability can
  result in unauthorized ability to cause a hang or frequently repeatable
  crash (complete DOS) of MySQL Server.

- CVE-2020-28912:
  https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf
  describes a named pipe privilege vulnerability, specifically for MySQL,
  where an unprivileged user, located on the same machine as the server, can
  act as man-in-the-middle between server and client.

Additionally, 10.3.27 fixes a regression added in 10.3.26.

Drop weak md5/sha1 checksums.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:19:29 +01:00
Fabrice Fontaine
1782f2a425 package/gstreamer1/gst1-plugins-good: qmlgl needs gstreamer-gl-1.0
Build of qmlql fails without gstreamer-gl-1.0 since version 1.17.1 and
2ecba800bf

Fixes:
 - http://autobuild.buildroot.org/results/e1537ebac7cd70b6d868a8b7f0205ce3d8593508

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:17:39 +01:00
Fabrice Fontaine
f3ca4f1086 package/bustle: fix license
bustle binaries are licensed under GPL-3.0:
https://gitlab.freedesktop.org/bustle/bustle/-/blob/bustle-0.7.5/LICENSE

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-29 22:15:42 +01:00
Peter Korsgaard
a418d0ac51 Update for 2020.11-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 11:10:01 +01:00
Vincent Stehlé
d9144f098e configs/bananapi_m2_zero: bump Linux and U-Boot versions
Bump Linux kernel to 5.9.11 and U-Boot to 2020.10.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 10:54:30 +01:00
Vincent Stehlé
aa900caf19 configs/aarch64_efi: bump kernel version
Bump Linux kernel version to 5.9.11.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 10:53:53 +01:00
Francois Perrad
92abbd708e package/lua-lyaml: bump to version 6.2.7
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 10:52:49 +01:00
Fabrice Fontaine
7ba4aa9298 package/proftpd: security bump to version 1.3.6e
1.3.6e
---------
  + Fixed null pointer deference in mod_sftp when using SCP incorrectly
    (Issue #1043).

1.3.6d
---------
  + Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).

1.3.6c
---------
  + Fixed regression in directory listing latency (Issue #863).
  + Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
    converting them to supported format.
  + Fixed use-after-free vulnerability during data transfers (Issue #903)
    [CVE-2020-9273]
  + Fixed out-of-bounds read in mod_cap by updating the bundled libcap
    (Issue #902) [CVE-2020-9272]

http://proftpd.org/docs/RELEASE_NOTES-1.3.6e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: mark as security bump, add CVEs]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 09:24:09 +01:00
Peter Korsgaard
282fc60ed4 package/slirp: add upstream security fix for CVE-2020-29129 / CVE-2020-29130
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 08:53:57 +01:00
Peter Seiderer
840f5065b3 package/libinput: bump version to 1.16.4
For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-November/041664.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 08:52:46 +01:00
Fabrice Fontaine
79ca48c48b package/x11r7/xserver_xorg-xserver: drop obsolete patch
Drop second patch following upstream review:
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/555

Indeed, this patch has been dropped from openembedded since 2018 because
"it is forcing input to use SIGIO, despite the fact that since 2015
xserver has used an input thread.":
cde11398e6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-28 08:50:13 +01:00
Fabrice Fontaine
7e237b79ad package/qemu: use a system-wide slirp
Use a system-wide slirp now that we switched to the up to date
https://gitlab.freedesktop.org/slirp/libslirp

qemu already depends on libglib2 so we don't need to add any new
dependencies

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 18:25:49 +01:00
Peter Korsgaard
405f76425d package/vsftpd: S70vsftpd: correct -x argument to start-stop-daemon
Fixes #13341

The -x / --exec start-stop-daemon option expects the path to the executable,
not just the name, leading to errors when running the init script:

Starting vsftpd: start-stop-daemon: unable to stat //vsftpd (No such file or directory)

Reported-by: tochansky@tochlab.net
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 18:13:52 +01:00
Bernd Kuhls
30f6776c79 package/minidlna: security bump version to 1.3.0
Changelog:
https://sourceforge.net/p/minidlna/git/ci/master/tree/NEWS

Fixes CVE-2020-28926 & CVE-2020-12695.

Removed patch 0001 which was applied upstream:
b5e75ff7d1/

Removed patch 0002 which was not applied upstream, upstream applied
a different fix for CVE-2020-12695:
06ee114731/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 17:51:08 +01:00
Bernd Kuhls
8c38262066 package/php: security bump version to 7.4.13
Rebased patches.

Changelog: https://www.php.net/ChangeLog-7.php#7.4.13

According to the release notes this is a "security bug fix release":
https://news-web.php.net/php.announce/301

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 17:50:17 +01:00
Norbert Lange
f749946aa8 package/lz4: bump version to 1.9.3
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 17:48:57 +01:00