Fixes the following security issues:
(3.44.1)
CVE-2019-11729: More thorough input checking
CVE-2019-11719: Don't unnecessarily strip leading 0's from key material
during PKCS11 import
CVE-2019-11727: Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
Note:
This version requires nspr 4.22 or newer provided by the previous patch.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rework all 3 patches to make that applicable to 4.22 version.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
See http://www.lighttpd.net/2019/5/27/1.4.54/
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In order for the bitcoin version to match what is given by
release-monitoring.org, the 'v' prefix should be encoded in
BITCOIN_SITE and not BITCOIN_VERSION.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Kevin Joly (kevin.joly@sensefly.com)<mailto:kevin.joly@sensefly.com>
Your message couldn't be delivered to the recipient because you don't have permission to send to it.
Looking at his LinkedIn profile, he left SenseFly in January 2019,
which quite certainly explains why his @sensefly.com e-mail address is
no longer working.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We couldn't track down the reason why the profile sets $PAGER other
than that it has always been there.
However, it defeats pager autodetection by various tool (systemctl,
nmcli, etc.) that would otherwise prefer less to more, in case both
were available.
Let's drop it. My desktop Linux distro (Fedora) doesn't seem to set it
either and the universe doesn't seem to have collapsed yet.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There is no option BR2_TARGET_GRUB2_AARCH64_EFI but
BR2_TARGET_GRUB2_ARM64_EFI in grub2 package.
BR2_TARGET_GRUB2_ARM64_EFI was introduced by the commit [1].
[1] 273a27804a
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update hash of license file (source file has been updated)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
glibc since 2.28 dropped DES encryption routines setkey() and encrypt(),
but uclibc still provides them. So, if building with uclibc, we can
avoid using huge openssl library.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove dependencies on libraries NetworkManager no longer uses.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit aee34c479a, network-manager
was bumped to 1.20.0. As part of this bump, the libnm-util/ subfolder
was removed, and therefore libnm-util/COPYING no longer exists,
breaking the legal-info of this package.
The only remaining COPYING file is at the top-level. However, it
documents only the GPL-2.0 license, while in fact many parts of
network-manager, especially libraries, are under LGPL-2.0. This is
well explained in the CONTRIBUTING file, which states:
"""
Legal
-----
NetworkManager is partly licensed under terms of GNU Lesser General Public License
version 2 or later (LGPL-2.0+). That is for example the case for libnm.
For historical reasons, the daemon itself is licensed under terms of GNU General
Public License, version 2 or later (GPL-2.0+). See the license comment in the source
files.
Note that all new contributions to NetworkManager MUST be made under terms of
LGPL-2.0+, that is also the case for parts that are currently licensed GPL-2.0+.
The reason for that is that we might eventually relicense everything as LGPL and
new contributions already must agree with that future change.
"""
So, we keep GPL-2.0 and LGPL-2.0 as license, drop libnm-util/COPYING
from the LICENSE_FILES variable, and instead add the CONTRIBUTING
file. We also add a comment above the LICENSE variable.
Fixes:
http://autobuild.buildroot.net/results/44ce11d110a508821f76aae7ce996c1814c6a453/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gmp has optional C++ support, which is disabled by default. Let's
enabled it conditionally depending on the BR2_INSTALL_LIBSTDCPP
option.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
After hostapd update to 2.9, the patch provided no longer works,
although applies. Moreover, AP support for Realtek chips is broken
anyway in kernels > 4.9.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com>
[Thomas: add Config.in.legacy handling]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
AST-2019-004: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
responds with a declined media stream a crash will then occur in Asterisk.
https://downloads.asterisk.org/pub/security/AST-2019-004.pdf
AST-2019-005: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the
number of samples are examined and as part of this a message is output to
indicate that no samples are present. A change was done to suppress this
message for a particular scenario in which the message was not relevant. This
change assumed that information about the origin of a frame will always exist
when in reality it may not.
https://downloads.asterisk.org/pub/security/AST-2019-005.pdf
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2019-15846: Local or remote attacker can execute programs with
root privileges
For details, see the advisory:
https://exim.org/static/doc/security/CVE-2019-15846.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to https://sourceforge.net/projects/libdmtx the project was
moved to https://github.com/dmtx so update project URL in Config.in.
Updated license hash due to upstream commit
b65ff367ad
Added AUTORECONF because the github tarball does not include a
configure script.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update hash of license file (year, authors, files have been updated)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since configure is using PKG_CHECK_MODULES macro, we need to
unconditionally depends on host-pkgconf.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.samba.org/samba/history/samba-4.10.8.html
Fixes CVE-2019-10197
Combination of parameters and permissions can allow user
to escape from the share path definition.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the URL and add a new patch. Quoting changelog [1]:
unzip (6.0-25) unstable; urgency=medium
* Apply one more patch by Mark Adler:
- Do not raise a zip bomb alert for a misplaced central directory.
This should allow Firefox to build again. Closes: #932404.
Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.
-- Santiago Vila <sanvila@debian.org> Sat, 27 Jul 2019 18:01:36 +0200
[1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove --enable-cxx, this option has been removed since version 8.1 and
346a9e70c0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit a0b032ad85 (package/qemu: security bump to version 3.1.1)
bumped the version but didn't update the patch subdirectory name, so the
patches are now ignored.
Fix that by renaming the directory. Drop
0002-configure-improve-usbfs-check.patch as that is now upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
