Commit Graph

57021 Commits

Author SHA1 Message Date
Peter Korsgaard
34ff4fc32d package/xen: add upstream xsa-36{0, 4, 8} security fixes
Fixes the following security issues:

- CVE-2021-3308: IRQ vector leak on x86
  https://xenbits.xenproject.org/xsa/advisory-360.html

- CVE-2021-26933: arm: The cache may not be cleaned for newly allocated
  scrubbed pages
  https://xenbits.xenproject.org/xsa/advisory-364.html

- CVE-2021-28687: HVM soft-reset crashes toolstack
  https://xenbits.xenproject.org/xsa/advisory-368.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:38:31 +02:00
Fabrice Fontaine
ed6e6ebdf3 package/janus-gateway: bump to version 0.10.10
https://github.com/meetecho/janus-gateway/blob/v0.10.10/CHANGELOG.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:38:22 +02:00
Fabrice Fontaine
7df870920c package/python-iso8601: bump to version 0.1.14
https://github.com/micktwomey/pyiso8601/releases/tag/0.1.14

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:37:59 +02:00
Thomas Petazzoni
a490687571 boot/grub2: ignore the last 3 remaining CVEs
An analysis of the last 3 remaining CVEs that are reported to affect
the grub2 package has allowed to ensure that we can safely ignore
them:

 * CVE-2020-14372 is already fixed by a patch we have in our patch
   stack for grub2

 * CVE-2019-14865 and CVE-2020-15705 are both distro-specific and do
   not affect grub2 upstream, nor grub2 with the stack of patches we
   have in Buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:36:48 +02:00
Fabrice Fontaine
8fd514caef package/libfreeglut: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/48c11cfc19784cc9c3ba5c6ba3d91ddae192734e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:35:15 +02:00
Fabrice Fontaine
b430894d63 package/python-py: security bump to version 1.10.0
Fix CVE-2020-29651: A denial of service via regular expression in the
py.path.svnwc component of py (aka python-py) through 1.9.0 could be
used by attackers to cause a compute-time denial of service attack by
supplying malicious input to the blame functionality.

Add py/_vendored_packages/iniconfig-1.1.1.dist-info/LICENSE (MIT) which
has been added with
94cf44fd41

https://github.com/pytest-dev/py/blob/1.10.0/CHANGELOG.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:33:50 +02:00
Fabrice Fontaine
24729c8971 package/python-py: add CPE variables
cpe:2.3🅰️pytest:py is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apytest%3Apy

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:33:42 +02:00
Fabrice Fontaine
4e53f3fc63 package/python-aiohttp: add CPE variables
cpe:2.3🅰️aiohttp_project:aiohttp is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaiohttp_project%3Aaiohttp

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:31:12 +02:00
Fabrice Fontaine
c845523fe2 package/python-pip: add CPE variables
cpe:2.3🅰️pypa:pip is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apypa%3Apip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:30:26 +02:00
Fabrice Fontaine
51cb6cfad4 package/python-pillow: add CPE variables
cpe:2.3🅰️python:pillow is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Apillow

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:29:18 +02:00
Fabrice Fontaine
398c3ca43e package/python-ipython: add CPE variables
cpe:2.3🅰️ipython:ipython is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aipython%3Aipython

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:29:08 +02:00
Fabrice Fontaine
d32bf2d6eb package/python-psutil: add CPE variables
cpe:2.3🅰️psutil_project:psutil is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apsutil_project%3Apsutil

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:28:28 +02:00
Peter Korsgaard
a14ce17ca6 package/python3: security bump to version 3.9.4
Fixes the following security issues:

- bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module
  which could be abused to read arbitrary files on the disk (directory
  traversal vulnerability).  Moreover, even source code of Python modules
  can contain sensitive data like passwords.  Vulnerability reported by
  David Schwörer.

- bpo-43285: ftplib no longer trusts the IP address value returned from the
  server in response to the PASV command by default.  This prevents a
  malicious FTP server from using the response to probe IPv4 address and
  port combinations on the client network.

  Code that requires the former vulnerable behavior may set a
  trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to
  True to re-enable it.

- bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
  gc.get_referents().  Patch by Pablo Galindo.

Note: 3.9.3 was recalled due to introducing unintentional ABI
incompatibility, and fixes re-released as 3.9.4:

https://www.python.org/downloads/release/python-394/

Add host-autoreconf-archive, as it is needed for autoreconf since:
064bc07f24

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:28:12 +02:00
Fabrice Fontaine
e1cdaeb454 package/python-ecdsa: bump to version 0.16.1
Update indentation in hash file (two spaces)

https://github.com/tlsfuzzer/python-ecdsa/blob/python-ecdsa-0.16.1/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:34:10 +02:00
Fabrice Fontaine
fcba0aec7b package/python-paramiko: bump to version 2.7.2
Update indentation in hash file (two spaces)

https://github.com/paramiko/paramiko/blob/2.7.2/sites/www/changelog.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: fix LICENSE hash]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:33:19 +02:00
Fabrice Fontaine
57eaa13382 package/boinc: bump to version 7.16.16
Update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:30:12 +02:00
Fabrice Fontaine
f15bfa10ba package/ncmpc: bump to version 0.45
https://github.com/MusicPlayerDaemon/ncmpc/blob/v0.45/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:29:59 +02:00
Fabrice Fontaine
f06e88d009 package/whois: bump to version 5.5.9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:25:28 +02:00
Fabrice Fontaine
97b98d9fe8 package/python-yatl: bump to version 20210326.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:25:06 +02:00
Fabrice Fontaine
7f268154a0 package/python-jedi: bump to version 0.18.0
python 2 support has been dropped since version 0.18.0 and
d67dfba7f5

Add django-stubs license file (MIT)

https://github.com/davidhalter/jedi/blob/v0.18.0/CHANGELOG.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:22:55 +02:00
Fabrice Fontaine
cf3ce0e01f package/python-parso: bump to version 0.8.2
python 2 support has been dropped since versio 0.8.0 and
b601ade90b

https://github.com/davidhalter/parso/blob/v0.8.2/CHANGELOG.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:22:44 +02:00
Fabrice Fontaine
c1e6c33390 package/libgee: bump to version 0.20.4
https://gitlab.gnome.org/GNOME/libgee/-/blob/0.20.4/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:21:16 +02:00
Francois Perrad
2dd3a9f7cd package/enchant: bump to version 2.2.15
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:20:55 +02:00
Fabrice Fontaine
56ef730f40 package/libmaxminddb: bump to version 1.5.2
https://github.com/maxmind/libmaxminddb/blob/1.5.2/Changes.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:20:40 +02:00
Fabrice Fontaine
3962408c30 package/lcms2: bump to version 2.12
Update hash of COPYING (word wrap:
48a1b9a1ca)

https://littlecms.com/blog/2021/02/06/lcms2-2.12

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:19:56 +02:00
Fabrice Fontaine
241ab7cb3f package/scapy: add CPE variables
cpe:2.3🅰️scapy:scapy is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ascapy%3Ascapy

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:19:38 +02:00
Fabrice Fontaine
398103fbdd package/haproxy: bump to version 2.2.13
http://www.haproxy.org/download/2.2/src/CHANGELOG

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:18:16 +02:00
Fabrice Fontaine
1175f46044 package/python-networkx: add CPE variables
cpe:2.3🅰️python:networkx is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Anetworkx

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:16:44 +02:00
Fabrice Fontaine
f07f208e14 package/python-tornado: add CPE variables
cpe:2.3🅰️tornadoweb:tornado is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atornadoweb%3Atornado

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:16:23 +02:00
Fabrice Fontaine
4fcc47d5ad package/python-pyro: add CPE variables
cpe:2.3🅰️pyro_project:pyro is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apyro_project%3Apyro

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:16:08 +02:00
Fabrice Fontaine
165f60a092 package/python-jinja2: add CPE variables
cpe:2.3🅰️pocoo:jinja2 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apocoo%3Ajinja2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:15:42 +02:00
Fabrice Fontaine
497981ff34 package/janus-gateway: add CPE variables
cpe:2.3🅰️meetecho:janus is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ameetecho%3Ajanus

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:15:08 +02:00
Fabrice Fontaine
66b7d2ce1c package/python-docker: add CPE variables
cpe:2.3🅰️docker:docker-py is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adocker%3Adocker-py

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:14:13 +02:00
Fabrice Fontaine
4783e5fd8c package/python-decorator: add CPE variables
cpe:2.3🅰️python:decorator is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Adecorator

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:14:05 +02:00
Fabrice Fontaine
09bd087911 package/python-bsdiff4: add CPE variables
cpe:2.3🅰️pypi:bsdiff4 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apypi%3Absdiff4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 18:13:57 +02:00
Peter Korsgaard
6b595091c7 docs/website: update for 2020.02.12
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 14:03:54 +02:00
Peter Korsgaard
d81ac2e40f Update for 2020.02.12
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1a6bd98fa8)
[Peter: drop Makefile/Vagrantfile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 14:01:20 +02:00
Fabrice Fontaine
b3ba0f1d2f package/coreutils: fix build without threads
Build of coreutils without threads is broken since bump to version 8.32
in commit b4a0f9fb0e

Fixes:
 - http://autobuild.buildroot.org/results/8d00bdabef73daa2a1d1f4c6e183dda447a82134

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - do an actual backport of patch 0002
  - add upstream status for patch 0003
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 12:22:23 +02:00
Peter Korsgaard
cb81c441e3 docs/website: update for 2020.11.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 12:16:27 +02:00
Peter Korsgaard
20cc2c13d7 Update for 2020.11.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f748088fa6)
[Peter: drop Makefile/Vagrantfile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-05 12:13:08 +02:00
Fabrice Fontaine
f2720836b7 package/expat: bump to version 2.3.0
https://github.com/libexpat/libexpat/blob/R_2_3_0/expat/Changes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 11:50:29 +02:00
Fabrice Fontaine
f684bc46ca package/python-web2py: add CPE variables
cpe:2.3🅰️web2py:web2py is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aweb2py%3Aweb2py

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 11:41:57 +02:00
Fabrice Fontaine
558bb6c8c1 package/python-sqlalchemy: add CPE variables
cpe:2.3🅰️sqlalchemy:sqlalchemy is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Asqlalchemy%3Asqlalchemy

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 11:41:55 +02:00
Fabrice Fontaine
86db0c3bae package/python-validators: add CPE variables
cpe:2.3🅰️validators_project:validators is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Avalidators_project%3Avalidators

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 11:41:54 +02:00
Fabrice Fontaine
4dcd1dcf67 package/python-m2crypto: add CPE variables
cpe:2.3🅰️m2crypto_project:m2crypto is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Am2crypto_project%3Am2crypto

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-05 11:41:53 +02:00
Peter Korsgaard
03c2a81231 package/python-pygments: security bump to version 2.7.4
Fixes the following security issues:

- CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to
  2.7.3 may lead to denial of service when performing syntax highlighting of
  a Standard ML (SML) source file, as demonstrated by input that only
  contains the "exception" keyword

- CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse
  programming languages rely heavily on regular expressions.  Some of the
  regular expressions have exponential or cubic worst-case complexity and
  are vulnerable to ReDoS.  By crafting malicious input, an attacker can
  cause a denial of service

Python 2.x support was dropped in pygments 2.6, so adjust (reverse)
dependencies:

Version 2.6
-----------
(released March 8, 2020)

- Running Pygments on Python 2.x is no longer supported.
  (The Python 2 lexer still exists.)

Adjust the license hash for a change of copyright years:
a590ac5ea7

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-05 11:06:44 +02:00
Fabrice Fontaine
94fa503d7b package/libvips: bump to version 8.10.6
Update indentation in hash file (two spaces)

https://github.com/libvips/libvips/blob/v8.10.6/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-05 11:04:31 +02:00
Bernd Kuhls
39232a0ffb package/{bluez5_utils, bluez5_utils-headers}: bump to version 5.58
Release notes:
http://www.bluez.org/release-of-bluez-5-58-and-5-57/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-05 11:00:47 +02:00
Bernd Kuhls
9988ca9ead package/ell: bump version to 0.39
Changelog:
https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog

Needed for bluez5_utils bump to 5.58:
http://www.bluez.org/release-of-bluez-5-58-and-5-57/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-05 11:00:14 +02:00
Bernd Kuhls
d38d99c77d package/samba4: AD DC support needs ADS
Needed due to upstream commit:
607c9ab307

Fixes:
http://autobuild.buildroot.net/results/b3f/b3fe797408b9041de37433602b3a47211818e44b/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-05 10:54:46 +02:00