Commit Graph

54631 Commits

Author SHA1 Message Date
Fabrice Fontaine
6e85ab4449 package/radvd: bump to version 2.19
Drop patch (already in version) and so autoreconf

http://www.litech.org/radvd/CHANGES.txt:w

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:36:02 +01:00
Michael Nosthoff
548964cd99 package/{protobuf, python-protobuf}: bump to version 3.14.0
python-protobuf: drop patch 0001 as it is applied upstream

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:30:59 +01:00
Mircea GLIGA
ee64a2eaad package/mbuffer: bump to version 20200929
Signed-off-by: Mircea GLIGA <mgliga@bitdefender.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:28:18 +01:00
Aleksander Morgado
d3343d3f7a package/modem-manager: bump to version 1.14.8
There should be no longer any need for the ac_cv_prog_XSLTPROC_CHECK
hack, this release already removes xsltproc from being a build
dependency when building from dist tarballs.

https://lists.freedesktop.org/archives/modemmanager-devel/2020-November/008279.html

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:20:53 +01:00
Asaf Kahlon
74486e3ce1 package/spdlog: bump to version 1.8.1
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:19:23 +01:00
Asaf Kahlon
1931f9abf9 package/{libuv, uvw}: bump to versions 1.40.0, 2.8.0_libuv_v1.40
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:19:10 +01:00
Fabrice Fontaine
aa5a363a34 package/bctoolbox: drop GIT_EXECUTABLE
GIT_EXECUTABLE is not needed since version 4.3.0 and
a92ea8672f
6c2e02ffb1

CMake Warning:
  Manually-specified variables were not used by the project:

    BUILD_DOC
    BUILD_DOCS
    BUILD_EXAMPLE
    BUILD_EXAMPLES
    BUILD_TEST
    BUILD_TESTING
    BUILD_TESTS
    GIT_EXECUTABLE

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 20:59:34 +01:00
Fabrice Fontaine
c7a369a907 package/c-ares: security bump to version 1.17.0
- avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
  fuzzing
- Avoid theoretical buffer overflow in RC4 loop comparison
- Empty hquery->name could lead to invalid memory access
- ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
  passed in

https://c-ares.haxx.se/changelog.html#1_17_0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 20:57:50 +01:00
Peter Korsgaard
9bbb6efc81 docs/website: update for 2020.02.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 09:07:28 +01:00
Peter Korsgaard
00e80cb176 Update for 2020.02.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a4832641bc)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 09:05:20 +01:00
Peter Korsgaard
e2f77f00af docs/website: update for 2020.08.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 23:46:25 +01:00
Peter Korsgaard
3e71de9103 Update for 2020.08.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5a90d87d33)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 23:46:25 +01:00
Fabrice Fontaine
61de073194 package/qemu: fix build with 64 bits time_t
Fix build of qemu 5.0.0 and above with 64 bites time_t

Fixes:
 - http://autobuild.buildroot.org/results/efd4474fb4b6c0ce0ab3838ce130429c51e43bbb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:40:45 +01:00
Fabrice Fontaine
00e644adb1 package/harfbuzz: fix build without threads
Fixes:
 - http://autobuild.buildroot.org/results/70c98e89b1d5e5b651d1f6928dc53f465103f57a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:32:30 +01:00
Garret Kelly
1271867831 boot/uboot: fix custom repo error message
When using a custom git or mercurial repository for u-boot the error message
indicating a version had not been provided incorrectly stated that the URL was
missing. Update the error message to indicate that it's the version that's
missing.

Signed-off-by: Garret Kelly <garret.kelly@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:30:56 +01:00
Fabrice Fontaine
6fe0298eec package/numactl: needs -fPIC
This will avoid the following build failure with qemu 5.0.0 and above:

/srv/storage/autobuild/run/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-2/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib/../lib64/libnuma.a(libnuma.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC

Fixes:
 - http://autobuild.buildroot.org/results/616dff216a215dc0494c846d337e03e0795b2fb2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:29:58 +01:00
Bernd Kuhls
0901355c11 package/dovecot-pigeonhole: fix build with per-package directories
Fix wrong path in usr/lib/dovecot-config which was copied from the
dovecot staging dir.

Fixes:
http://autobuild.buildroot.net/results/5fb/5fb1cd57bc3fdf4f75019c7b25d65ef887eea539/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:20:18 +01:00
Bernd Kuhls
aaa21d40b3 package/samba4: bump version to 4.11.16
Release notes: https://www.samba.org/samba/history/samba-4.11.16.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:07:27 +01:00
Romain Naour
3b7753fb49 package/libpam-tacplus: remove duplicate LIBPAM_TACPLUS_AUTORECONF
The commit [1] added a second LIBPAM_TACPLUS_AUTORECONF
because we are now patching configure.ac.
But LIBPAM_TACPLUS_AUTORECONF was already used because the
package is fetched from github.

[1] bd85d82f61

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/849509860

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:02:53 +01:00
Baruch Siach
b8de3cb374 package/openntpd: needs host-bison
Build fails when no yacc alternative is installed.

Fixes:
http://autobuild.buildroot.net/results/1ba8e339cbb5646663d0bf4e158d89e54433b242/
http://autobuild.buildroot.net/results/a00a53d6635c64e72c50d4841658155de5380110/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 19:54:51 +01:00
Fabrice Fontaine
41236c61b1 package/xorriso: fix host option
--disable-bzip2 is not a recognized option so replace it by
--disable-libbz2 to match the target logic.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 17:16:54 +01:00
Thomas Petazzoni
4ceae1b2ed DEVELOPERS: drop Trent Piepho
We change Trent's e-mail address in commit
1c20802d4b, but it turns out the new one
also doesn't work:

<trent.piepho@synapse.com>: host
    synapse-com.mail.protection.outlook.com[104.47.57.138] said: 550 5.4.1
    Recipient address rejected: Access denied. AS(201806281)
    [DM6NAM11FT063.eop-nam11.prod.protection.outlook.com] (in reply to RCPT TO
    command)

So let's drop Trent entirely, which orphans the libp11 package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 17:15:24 +01:00
Fabrice Fontaine
8e68f00b91 package/postgresql: security bump to version 12.5
Fix the following CVEs:
- CVE-2020-25695: Multiple features escape "security restricted
  operation" sandbox
- CVE-2020-25694: Reconnection can downgrade connection security
  settings
- CVE-2020-25696: psql's \gset allows overwriting specially treated
  variables

https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 17:14:52 +01:00
Fabrice Fontaine
f1bce086f6 package/redis: security bump to version 6.0.9
This release fixes a potential heap overflow when using a heap allocator
other than jemalloc or glibc's malloc. See:
https://github.com/redis/redis/pull/7963

https://raw.githubusercontent.com/redis/redis/6.0/00-RELEASENOTES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 17:14:27 +01:00
Yann E. MORIN
c8721261c7 Revert "package/linux-backports: bump version to 5.8"
This reverts commit d2159da6a0.
which should not have been applied to master, but to next...

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-15 22:20:50 +01:00
Julien Olivain
d2159da6a0 package/linux-backports: bump version to 5.8
Attempting to compile this package with newer Kernel version (e.g. v5.4)
fails with message:

   Generating local configuration database from kernel ...Kernel version parse failed!

Upgrading the package to 5.8 fixes this issue. Anyways, v4.4 is now
rather old and beat the very purpose of having newer drivers in older
kernels.

Since backports tag v4.14-rc4-1, the requirement on minimal kernel
version changed from 3.0 to 3.10. See commit [1]. The minimal kernel
version check is changed accordingly.

License files are also updated: the linux backports package copies the
license files from the kernel version used for its generation. v5.8 is
now "GPL-2.0 WITH Linux-syscall-note". However, there is no such SPDX
identifier (contrary to what is said in the COPYING file), so we keep it
as GPL-2.0 (which also keeps it aligned to what we have in linux.mk).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/backports/backports.git/commit/?id=a0d05f9f9ca50ea8b1d60726fac6b54167257e76

Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[yann.morin.1998@free.fr: keep license as GPL-2.0, like for linux]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-15 22:14:57 +01:00
Peter Korsgaard
6a33ea03b4 Update for 2020.11-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:51:08 +01:00
Bartosz Bilas
abeebe1ea8 package/rauc: disable systemd for host build
Since there is not necessary to have support of systemd within the host
variant let's disable it unconditionally to solve the following errors:

/usr/bin/install -c -m 644 data/rauc.service '/usr/lib/systemd/system'
/usr/bin/install: cannot create regular file '/usr/lib/systemd/system/rauc.service': Permission denied
/usr/bin/install -c -m 644 data/de.pengutronix.rauc.conf 'no'
make[4]: *** [Makefile:1700: install-nodist_systemdunitDATA] Error 1
make[4]: *** Waiting for unfinished jobs....

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:30:19 +01:00
Thomas Petazzoni
8477c41244 toolchain/toolchain-external/toolchain-external-arm-arm: add dependency on NEON
While testing Buildroot on a Cortex-A5 that doesn't provide NEON, we
found out that a system generated with the ARM toolchain from Arm
didn't boot. It turns out that this ARM toolchain is built with:

  --with-arch=armv7-a --with-fpu=neon --with-float=hard --with-mode=thumb

So, it uses NEON as its FPU, which means it can only work on CPU cores
that have NEON support. This commit adds the appropriate dependency to
the toolchain-external-arm-arm package, and adjusts the Config.in help
text accordingly.

While at it, it also drops the part of the Config.in help text that
says the code is tuned for Cortex-A9, as it is not the case: it was
the case for the Linaro toolchain (built with --with-tune=cortex-a9),
but not for the ARM toolchain, for which no specific --with-tune is
passed.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:20:12 +01:00
Fabrice Fontaine
e3a663f570 package/tcpdump: fix CVE-2020-8037
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
large amount of memory.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:18:27 +01:00
Fabrice Fontaine
bd85d82f61 package/libpam-tacplus: disable -Werror
Fixes:
 - http://autobuild.buildroot.org/results/5c17226f12eba104d907693ec37fc101cc6d447f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:17:56 +01:00
Fabrice Fontaine
710d71ad4a package/mp4v2: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/4655626f1827245648a566a7223f247a130714c5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:16:40 +01:00
Romain Naour
3277694825 package/cryptsetup: really break circular dependency
The commit [1] should fix a circular dependency by
using util-linux-libs instead of util-linux if
BR2_PACKAGE_UTIL_LINUX_LIBS is set.

But util-linux is still in CRYPTSETUP_DEPENDENCIES.
Remove it to really break the circular dependency.

[1] e3c86f5c9e

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Reviewed-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-14 09:09:26 +01:00
Julien Olivain
464bb73b92 package/linux-backports: fix kernel version check
The commit 05fea6e4a6 "infra/pkg-kconfig:
do not rely on package's .config as a timestamp" broke the kernel
version check of this linux-backports package (it was no longer
executed). Since linux-4.19, the kernel's build system internally
touches its .config file, so it can no longer be used as a stamp file.
The stamp file defined in KCONFIG_STAMP_DOTCONFIG variable of
pkg-kconfig infra need to be used instead.

This commit fixes the kernel version check.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-13 22:20:23 +01:00
Baruch Siach
2310d3588c package/luajit: drop static build handling
Static build of luajit is disabled since commit b2e8f28efa
("package/luajit: disable for static build"). Remove the related
BUILDMODE handling as well.

Cc: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:14:09 +01:00
Fabrice Fontaine
7f156471ab package/quota: bump to version 4.06
- Drop patch (already in version) and so autoreconf
- Update hash of COPYING (mailing address updated:
  b6bb53e112)
- Update indentation in hash file (two spaces)

https://sourceforge.net/p/linuxquota/code/ci/v4.06/tree/Changelog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:12:03 +01:00
Fabrice Fontaine
e39b019bec package/python-thrift: bump to version 0.13.0
Updated through scanpypi

https://github.com/apache/thrift/blob/v0.13.0/CHANGES.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:09:23 +01:00
Fabrice Fontaine
f3ef4d26dc package/python-yatl: bump to version 20200711.1
https://github.com/web2py/yatl/compare/v20200430.1...master

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:09:00 +01:00
Fabrice Fontaine
75750b45ef package/sshfs: bump to version 3.7.1
Drop patch (already in version)

https://github.com/libfuse/sshfs/blob/sshfs-3.7.1/ChangeLog.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:08:26 +01:00
Romain Naour
7a5873ce5a toolchain/toolchain-buildroot: only riscv64 is supported by uClibc-ng
The commit [1] enabled riscv32 and riscv64 for uClibc-ng
internal toolchain backend but only riscv64 is curently
supported by uClibc-ng.

The initial patch [2] from Mark Corbin is only about riscv64.

Remove riscv32 from uClibc-ng supported architecture list.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981656

[1] 209a082478
[2] bd9810e176

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:05:05 +01:00
Václav Kubernát
409b292887 package/perf: if zstd is enabled, depend on it
Enables the "-z" flag.

Signed-off-by: Václav Kubernát <sir.venceslas@gmail.com>
Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:55:26 +01:00
Václav Kubernát
99facff76c package/perf: if audit is enabled, depend on it
Enables the `perf trace` command.

Signed-off-by: Václav Kubernát <sir.venceslas@gmail.com>
Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:55:21 +01:00
Fabrice Fontaine
f452490b93 package/suricata: link with libatomic if needed
Fix build of suricata 6.0.0 with mips32r6

app-layer-ftp.o: In function `FTPCheckMemcap':
app-layer-ftp.c:(.text+0x284): undefined reference to `__atomic_load_8'
app-layer-ftp.c:(.text+0x2d8): undefined reference to `__atomic_fetch_add_8'

Fixes:
 - http://autobuild.buildroot.org/results/f574005204905250702df32b61c85d427ab4feda

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:52:12 +01:00
Bartosz Bilas
fefdd0511e package/rauc: prevent occurring the error when directory exists
Add -p argument that ignore that specified directory already exists.

Fixes:
 mkdir: cannot create directory ‘/home/bartekk/buildroot-2020.11-rc1/output/target/usr/lib/systemd/system/rauc.service.d’: File exists

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:50:07 +01:00
Peter Korsgaard
7269a73102 package/go: security bump to 1.15.5
Fixes the following security issues:

- math/big: panic during recursive division of very large numbers

  A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
  ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
  large inputs.  For the panic to happen, the divisor or modulo argument
  must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
  64-bit architectures).  Multiple math/big.Rat methods are similarly affected.

  crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
  panic when provided crafted public keys and signatures.  crypto/ecdsa and
  crypto/elliptic operations may only be affected if custom CurveParams with
  unusually large field sizes (several times larger than the largest
  supported curve, P-521) are in use.  Using crypto/x509.Verify on a crafted
  X.509 certificate chain can lead to a panic, even if the certificates
  don’t chain to a trusted root.  The chain can be delivered via a
  crypto/tls connection to a client, or to a server that accepts and
  verifies client certificates.  net/http clients can be made to crash by an
  HTTPS server, while net/http servers that accept client certificates will
  recover the panic and are unaffected.

  Moreover, an application might crash invoking
  crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
  request or during a golang.org/x/crypto/otr conversation.  Parsing a
  golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
  Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
  host key, while a server could panic if either PublicKeyCallback accepts a
  malformed public key, or if IsUserAuthority accepts a certificate with a
  malformed public key.

  Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
  this.  Thanks to Rémy Oudompheng and Robert Griesemer for their help
  developing and validating the fix.

  This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.

- cmd/go: arbitrary code execution at build time through cgo

  The go command may execute arbitrary code at build time when cgo is in
  use.  This may occur when running go get on a malicious package, or any
  other command that builds untrusted code.

  This can be caused by malicious gcc flags specified via a #cgo directive,
  or by a malicious symbol name in a linked object file.

  Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
  reporting these issues.

  These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
  golang.org/issue/42556 and golang.org/issue/42559 respectively.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:48:20 +01:00
Peter Korsgaard
041cde5c26 package/wireguard-linux-compat: bump version to 1.0.20201112
Fixes a build issue with linux 5.4.76+.  For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-November/005997.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:28:18 +01:00
Peter Korsgaard
0b817d8c8e {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Including the fix for CVE-2020-8694:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:28:13 +01:00
Bernd Kuhls
345b4aa6ce package/tor: security bump version to 0.4.4.6
Release notes: https://blog.torproject.org/node/1952

Fixes TROVE-2020-005.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 11:39:06 +01:00
Romain Naour
a5fa2469e6 configs/rock64_defconfig: remove defconfig
The rock64 defconfig is currently broken [1][2] since a while due to
incompatibility between uboot-2017.09-rockchip-ayufan fork and pylibfdt.
Even with the latest uboot-2017.09-rockchip-ayufan fork version [3],
it doesn't build.

The original submitter tried the uboot upstream rock64-rk3328_defconfig
but the board doesn't boot [4].

In order to not release 2020.05 with a broken defconfig, let's remove
it. It can be re-added later once the uboot issue has been resolved.

[1] 2020.05-rc2: https://gitlab.com/buildroot.org/buildroot/-/jobs/563613273
[2] 2020.02: https://gitlab.com/buildroot.org/buildroot/-/jobs/548596102
[3] https://github.com/ayufan-rock64/linux-u-boot/releases/tag/2017.09-rockchip-ayufan-1065-g95f6152134
[4] http://lists.busybox.net/pipermail/buildroot/2020-May/282164.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Michał Łyszczek <michal.lyszczek@bofc.pl>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-12 23:11:13 +01:00
Romain Naour
b6bf8b2169 package/python-lmdb: bump to version 0.99
This version fix the runtime issue with python 3.9 since _Py_ForgetReference()
was removed from the limited C API [1].

$ python sample_python_crossbar.py
/usr/bin/python3.9: symbol '_Py_ForgetReference': can't resolve symbol

python-lmbd 0.99 contain a refactoring removing _Py_ForgetReference()
from the code.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981961
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981979

[1] https://docs.python.org/3/whatsnew/3.9.html#id3
[2] 22a3724bdc

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-12 22:32:38 +01:00