56781 Commits

Author SHA1 Message Date
Fabrice Fontaine
9eb4f576e7 package/exiv2: fix build without SSP
Build without SSP fails since bump to version 0.27.4 in commit
bcace42942

This is due to the fact that
bbe0b70840
removed the wrong GCC_ prefix from HAS_FSTACK_PROTECTOR_STRONG variable

Fixes:
 - http://autobuild.buildroot.org/results/ae4635899124c602c70d2b342a76f95c34aa4a3d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b18d9d6191)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-04 13:04:16 +02:00
Mirza Kapetanovic
44ea3c1fff package/uboot-tools: concat files before passing to env image tool
Fix BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE so that files are actually concatenated
as described in the help text.

Signed-off-by: Mirza Kapetanovic <mirza.kapetanovic@gmail.com>
Reviewed-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8f5a017b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-04 13:01:18 +02:00
Fabrice Fontaine
0c5202ae04 package/dovecot: ignore CVE-2016-4983
CVE-2016-4983 is an issue in a postinstall script in the dovecot rpm,
which is part of the Red Hat packaging and not part of upstream dovecot

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 948e71689a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:45:06 +02:00
Fabrice Fontaine
88e7d6a6c0 package/libuci: ignore CVE-2019-15513
CVE-2019-15513 was fixed upstream in 2015 with commit
19e29ffc15dbd958e8e6a648ee0982c68353516f, which is older than the commit
we currently use in LIBUCI_VERSION.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: reword comment and commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 46273a8eb9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:42:35 +02:00
Fabrice Fontaine
8cbd691478 package/libuci: add LIBUCI_CPE_ID_VENDOR
cpe:2.3:a:openwrt:libuci is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopenwrt%3Alibuci

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9852113fcd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:41:08 +02:00
Fabrice Fontaine
46c475f3f4 package/feh: add FEH_CPE_ID_VENDOR
cpe:2.3:a:feh_project:feh is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afeh_project%3Afeh

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 74adec4f3a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:40:07 +02:00
Yann E. MORIN
b148bafd37 boot/uboot: add missing dependency to host-pkgconf
Commit 2eaa6d0f36 (boot/uboot: fix uboot building host tools on x86
architecture) added use of $(PKG_CONFIG_HOST_BINARY), but forgot to add
the corresponding build-order dependency.

Add this missing dependency now.

Additionally, the associated test had an explicit host pkgconf enabled in
its configuration. This is superfluous now that uboot properly depends
on host-pkgconf, so drop that from the test.

Note: it happened to work, because host-pkgconf, when explicitly enabled
in the configuration, and without per-package directories, would build
before uboot and thus be available. This would fail with PPD, though,
and thus would break for TLPB.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0edfec1e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:10:22 +02:00
Kory Maincent
e0b7a279bd boot/uboot: fix uboot building host tools on x86 architecture
The make all command runs the tools/makefile on the process.
This makefile uses "pkg-config" command to support static link.
The issue is the use of pkg-config configured for crosscompiling
to build binaries tools for host architecture.
To fix it, I add pkg-config environment variable to configure it for host.

Add a test to avoid future regressions on the build of U-boot.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[yann.morin.1998@free.fr:
  - fix mixed space-TAB indentation
  - fix check-package
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2eaa6d0f36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 22:10:02 +02:00
Fabrice Fontaine
d8887c5c58 package/avahi: fix CVE-2021-36217
Avahi 0.8 allows a local denial of service (NULL pointer dereference and
daemon crash) against avahi-daemon via the D-Bus interface or a "ping
.local" command.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit dd7b9fa02b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:56:39 +02:00
Fabrice Fontaine
08f9aeefe5 package/putty: fix CVE-2021-36367
PuTTY through 0.75 proceeds with establishing an SSH session even if it
has never sent a substantive authentication response. This makes it
easier for an attacker-controlled SSH server to present a later spoofed
authentication prompt (that the attacker can use to capture credential
data, and use that data for purposes that are undesired by the client
user).

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1352b59eb2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:54:01 +02:00
Peter Korsgaard
75f37e2b64 Revert "package/putty: Ignore CVE-2021-33500"
This reverts commit 01063c4291.

With putty now bumped to 0.75, this can be dropped.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:53:07 +02:00
Fabrice Fontaine
76a1d3b6e8 package/putty: fix build on uclibc
Fix build failure on uclibc raised since bump to version 0.75 in commit
d562009f7b

Fixes:
 - http://autobuild.buildroot.org/results/726f7c5ce13e78ed91e827b872e9d7ccfa13f298

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aea9376acc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:51:47 +02:00
Alexander Dahl
216902567f package/putty: bump to version 0.75
Upstream does not set -Werror in its build files anymore.  License file
just changed copyright years and holders.  PGP signatures of source
tarball and hashes were checked.

Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.75.html
Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d562009f7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:51:40 +02:00
Fabrice Fontaine
71f5e2e92f package/pcre2: add PCRE2_CPE_ID_VENDOR
cpe:2.3:a:pcre:pcre2 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apcre%3Apcre2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c9bfe7b19e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:43:47 +02:00
Fabrice Fontaine
525b98fd11 package/trinity: add TRINITY_CPE_ID_VENDOR
cpe:2.3:a:trinity_project:trinity is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atrinity_project%3Atrinity

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 60ef5ab910)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 21:39:35 +02:00
Bruno Marie
a75b0ffd89 package/mpg123: remove --disable-lfs-alias option
Commit 56b28d3ee1 (mpg123: bump to version 1.13.1) added the
--disable-lfs-alias option, without explaining why it was needed.

However, this causes undefined references for apps that want to link
against mpg123.

The help for that option is pretty explicit that this is a dangerous
option to use:

    disable alias wrappers for largefile bitness (mpg123_seek_32 or
    mpg123_seek_64 in addition to mpg123_seek, or the other way around;
    It is a mess, do not play with this!)

The default is that it is enabled, so leave it at it.

Signed-off-by: Bruno Marie <gameblabla@protonmail.com>
[yann.morin.1998@free.fr: rework commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 49e436f482)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 17:13:40 +02:00
Fabrice Fontaine
4e2ffdef88 package/libnice: add gobject-introspection optional dependency
gobject-introspection is an optional dependency which is enabled by
default since version 0.1.8 and
0388646bdb

Fixes:
 - http://autobuild.buildroot.org/results/1cba7aa233e19472a69ffc2d8f7324d363a22deb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit aade2fd293)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 17:08:16 +02:00
Fabrice Fontaine
04cd33ab53 package/keepalived: fix build with kernel >= 5.13
Fixes:
 - http://autobuild.buildroot.org/results/9a93d7d76b0a4319c29fbf7b5986bcc78539ae8b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit db67c4fcff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 17:05:23 +02:00
Fabrice Fontaine
f2263ab187 package/libtipc: renumber patches
Commit 883a33ece5 forgot to renumber
remaining patches

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bdad2d09e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:32:35 +02:00
Fabrice Fontaine
63f326f860 package/tpm2-tools: add TPM2_TOOLS_CPE_ID_VENDOR
cpe:2.3:a:tpm2-tools_project:tpm2-tools is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atpm2-tools_project%3Atpm2-tools

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7e913bf36e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:30:08 +02:00
Fabrice Fontaine
89c0282e43 package/linuxptp: add LINUXPTP_CPE_ID_VENDOR
cpe:2.3:a:linuxptp_project:linuxptp is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alinuxptp_project%3Alinuxptp

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9d3dd83058)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:28:56 +02:00
Fabrice Fontaine
14e08599bb package/suricata: security bump to version 6.0.3
Various security, performance, accuracy and stability issues have been
fixed, including a critical evasion assigned CVE-2021-35063.

https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4c429c3f8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:27:53 +02:00
Fabrice Fontaine
001dfcd898 package/libhtp: bump to version 0.5.38
https://github.com/OISF/libhtp/releases/tag/0.5.38

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 48c9adbe70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:27:41 +02:00
Fabrice Fontaine
fd1492363c package/mbedtls: security bump to version 2.16.11
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0683ab9fca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:26:47 +02:00
Heiko Thiery
0376fc9373 package/linuxptp: security bump version to 3.1.1
This fixes the following CVEs:
 - CVE-2021-3570 linuxptp: missing length check of forwarded messages
 - CVE-2021-3571 linuxptp: wrong length of one-step follow-up in transparent clock

See mailing list post for details: https://sourceforge.net/p/linuxptp/mailman/message/37315519/

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a7f3dc0a02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:25:15 +02:00
Fabrice Fontaine
f87a20a9a4 package/python-urllib3: security bump to version 1.26.6
Fix CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5.
When provided with a URL containing many @ characters in the authority
component, the authority regular expression exhibits catastrophic
backtracking, causing a denial of service if a URL were passed as a
parameter or redirected to via an HTTP redirect.

https://github.com/urllib3/urllib3/blob/1.26.6/CHANGES.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56a105f9fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:23:41 +02:00
Fabrice Fontaine
7caf738e4a package/gcr: fix introspection option
introspection option was wrongly named --with-introspection instead of
--enable-introspection since commit
d4e7c720aa:

configure: WARNING: unrecognized options: --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --enable-ipv6, --with-introspection

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a0a59c6451)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 16:19:28 +02:00
James Hilliard
6a1dc0757d package/{chrony, ntp, openntpd}: turn off DNSSEC validation
We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.

Let's break the cycle by excluding NTP hostname resolution from
validation for now.

Details:
abf4e5c1d3

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2db53caca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 11:27:08 +02:00
Giulio Benetti
4f37a85aea package/binutils: fix linker assert on OpenRisc
When building openal we were seeing the assert failure:

/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourcePausev
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourceStopv
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourceRewindv
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourcePlayv
collect2: error: ld returned 1 exit status

So add patches to fix this binutils assert link failure on OpenRisc.
It's been suggested upstream and it's pending here:
https://sourceware.org/pipermail/binutils/2021-July/117334.html

Fixes:
http://autobuild.buildroot.net/results/c96/c96f2600f227d6c76114b9fbc41f74a57e40415a/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3b3432fc0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-08-03 11:27:08 +02:00
Peter Seiderer
9c76f35500 package/util-linux: bump version to 2.36.2
For details see [1].

[1] http://lkml.iu.edu/hypermail/linux/kernel/2102.1/07236.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-31 23:59:39 +02:00
Titouan Christophe
4c35085470 package/redis: security bump to v6.0.15
From the release notes:
================================================================================
Redis 6.0.15 Released Wed Jul 21 16:32:19 IDT 2021
================================================================================

Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.

Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.

See https://github.com/redis/redis/blob/6.0.15/00-RELEASENOTES

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 18:22:36 +02:00
Francois Perrad
49cb1aa626 package/libgtk3: bump to version 3.24.29
Bugfix release. For details, see the NEWS file:
https://github.com/GNOME/gtk/blob/3.24.29/NEWS

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 767ed6b72e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 16:07:12 +02:00
Francois Perrad
5d050e12e4 package/pango: bump to version 1.48.7
Bugfix release. For details, see the NEWS file:
https://github.com/GNOME/pango/blob/1.48.7/NEWS

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 98caa3077b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 16:01:48 +02:00
Francois Perrad
99d04b1e03 package/nettle: bump to version 3.7.3
Bugfix release. From NEWS:

        This is bugfix release, fixing bugs that could make the RSA
        decryption functions crash on invalid inputs.

        Upgrading to the new version is strongly recommended. For
        applications that want to support older versions of Nettle,
        the bug can be worked around by adding a check that the RSA
        ciphertext is in the range 0 < ciphertext < n, before
        attempting to decrypt it.

https://lists.gnu.org/archive/html/info-gnu/2021-06/msg00002.html

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2e5cb51680)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:57:52 +02:00
Fabrice Fontaine
2dd012a302 package/python-django: security bump to version 3.2.5
Fix CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5
allows QuerySet.order_by SQL injection if order_by is untrusted input
from a client of a web application.

https://www.djangoproject.com/weblog/2021/jul/01/security-releases
https://docs.djangoproject.com/en/dev/releases/3.2.5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dd4e09e0e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:27:48 +02:00
Fabrice Fontaine
d9589d2842 package/nginx-modsecurity: drop unneeded select on pcre
Drop unneeded select on pcre which has been added by commit
d35873ab0c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f2629973a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:23:34 +02:00
Fabrice Fontaine
040883a651 package/libmodsecurity: fix static build
Fix the following static build failure with nginx raised since bump of
libmodsecurity to version 3.0.5 in commit
464d0be380:

/home/buildroot/autobuild/instance-2/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/instance-2/output-1/host/bin/../xtensa-buildroot-linux-uclibc/sysroot/usr/lib/libmodsecurity.a(libmodsecurity_la-transaction.o): in function `std::basic_streambuf<char, std::char_traits<char> >::sbumpc() [clone .isra.0]':
transaction.cc:(.text+0x40): undefined reference to `std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose()'

Fixes:
 - http://autobuild.buildroot.org/results/e5a9eb8448980f1c5cafe97180b7d1f48ddf02ca

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 489cbfd7df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:21:22 +02:00
Fabrice Fontaine
1d587d4789 package/libmodsecurity: security bump to version 3.0.5
Security Impacting Issues

    Handle URI received with uri-fragment
    [@martinhsv]

- Drop patches (already in version) and so drop autoreconf
- Static linking is supported since
  f76a1a667b
- Update indentation in hash file (two spaces)

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 464d0be380)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:21:14 +02:00
Fabrice Fontaine
aa6a494f2d package/libmodsecurity: drop AC_CHECK_FILE workaround
Drop AC_CHECK_FILE workaround as it is not needed since version 3.0.4:
8af8cad907

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82f5293d73)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-30 15:21:09 +02:00
Thomas Petazzoni
3906569e17 DEVELOPERS: drop Yann Cardaillac
Unfortunately, this e-mail is bouncing:

<ycardaillac@sepro-group.com>: host
    seprogroup-com01c.mail.protection.outlook.com[104.47.9.36] said: 550 5.4.1
    Recipient address rejected: Access denied. AS(201806281)
    [VE1EUR03FT036.eop-EUR03.prod.protection.outlook.com] (in reply to RCPT TO
    command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-19 09:40:37 +02:00
Thomas Petazzoni
ffff19ffb8 DEVELOPERS: drop Jan Viktorin
Unfortunately, his e-mail is bouncing:

<viktorin@rehivetech.com>: host wes1-mx2.wedos.net[46.28.106.12] said: 550
    5.2.1 <viktorin@rehivetech.com>: Recipient address rejected: mailbox
    disabled - DEBUG: acc viktorin@rehivetech.com (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-19 09:40:28 +02:00
Christophe Priouzeau
ce31bd0bfd DEVELOPERS: update Christophe Priouzeau e-mail address
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-19 09:40:24 +02:00
André Zwing
e00d7d787f DEVELOPERS: Change my name
And remove myself from freescale related parts

Signed-off-by: André Zwing <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-19 09:40:19 +02:00
Bernd Kuhls
dfa7e6141e package/libass: bump version to 0.15.1
Release notes: https://github.com/libass/libass/releases/tag/0.15.1

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e3ad72a243)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-15 08:51:16 +02:00
Fabrice Fontaine
bb9692db82 package/thrift: security bump to version 0.14.1
Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
clients could send short messages which would result in a large memory
allocation, potentially leading to denial of service.

- Disable javascript and nodejs which have been added with
  61d502075b
- Update hash of LICENSE, license for windows-specific files added:
  98854c4874

https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7ecbb956e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-15 08:47:26 +02:00
Fabrice Fontaine
a921820198 package/thrift: drop unrecognized option
WITH_QT4 has been dropped since version 0.13.0 and
1735542542

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5675f09e58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-14 23:07:51 +02:00
Herve Codina
b64055058a package/e2fsprogs: fix fsck overwrite in HOST_DIR
host-e2fsprogs package overwrites the fsck program and some
manpages previously installed by host-util-linux package.

This patch simply disables fsck in host-e2fsprogs.

host-e2fsprogs is used to build final ext{2,3,4} images.
The missing host-e2fsprogs fsck tool (filesystem integrity check
tool) in HOST_DIR should not lead to issues.

Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7b7c8cc672)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-14 22:08:49 +02:00
Fabrice Fontaine
fcc7f55a89 utils/scanpypi: search LICENSE.MD
Some packages such as python-idna have a LICENSE.md file:
https://github.com/kjd/idna/blob/master/LICENSE.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 60aa896904)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-14 10:07:53 +02:00
Adam Duskett
f3489c7adb package/python3: bump version to 3.9.6
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0f01b69885)
[Peter: drop rename as berkeleydb patch not in branch]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-14 09:24:31 +02:00
Thomas Petazzoni
56edb3b9e3 Makefile: document the <pkg>-reinstall target
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4899d9ec1b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-07-14 09:20:18 +02:00