Fixes the following security vulnerabilities:
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) was discovered not to validate fragmentation reassembly state
properly for a case where an unexpected fragment could be received. This
could result in process termination due to NULL pointer dereference.
For details, see the advisory:
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2019-7317: png_image_free in png.c in libpng 1.6.36 has a use-after-free
because png_image_free_function is called under png_safe_execute.
Update license hash for a change in copyright year and typo fixes.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743
- CVE-2019-6467: An error in the nxdomain redirect feature can cause
BIND to exit with an INSIST assertion failure in query.c
https://kb.isc.org/docs/cve-2019-6467
- CVE-2019-6468: BIND Supported Preview Edition can exit with an
assertion failure if nxdomain-redirect is used
https://kb.isc.org/docs/cve-2019-6468
Add an upstream patch to fix building on architectures where bind does not
implement isc_atomic_*.
Upstream moved to a 2019 signing key, so update comment in .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
NetworkManager now has an internal DHCP client. Therefore, there is no
need to select either the DHCPCD or DHCP_CLIENT package to get DHCP.
Remove the forced select of one of those packages.
The internal DHCP client has become NetworkManager's preferred DHCP
client, so it seems reasonable that it effectively becomes the default,
unless DHCPCD or DHCP_CLIENT are intentionally enabled.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit bumps Linux & Linux-headers to 5.0 and U-Boot to version 2019.01
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is
enabled. This could be used rather easily to cause a DoS. Similar
crash also happens during mail delivery when using invalid UTF8 in
From or Subject header when OX push notification driver is used.
https://dovecot.org/pipermail/dovecot-news/2019-April/000406.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
- CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
certain cases where the desired set of CA certificates is different from
the OS store of CA certificates, which results in SSL connections
succeeding in situations where a verification failure is the correct
outcome. This is related to use of the ssl_context, ca_certs, or
ca_certs_dir argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LibreSSL 2.9.1 now has a test that requires libtls.a, however, when building a
shared library only build, the --disable-static flag is passed to libressl,
which prevents the building of libtls.a.
With libtls.a not being built, the following error occurs:
libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'. Stop.
There are three options to fix this:
1) Stick with autotools, and provide a patch that removes building anything in
the tests folder.
2) Pass --enable-static to LIBRESSL_CONF_OPTS
3) Change the package type to cmake, as a cmake build does not have this issue.
Changing the package type to cmake is the least impactful, it also has the added
benefit of being able to remove the 0001-remove-test-z-DESTDIR-from-ltmain.patch
file.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove upstream patch 0001-Fix-3091.patch.
Add enet, libsquish and nettle new dependencies.
Add host-pkgconf since the CMakeLists.txt now uses pkg-config
for enet.
Make sure that glew and wiiuse libraries from staging are
used instead of bundled versions.
See:
http://blog.supertuxkart.net/2019/04/supertuxkart-10-release.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
enet will be used by supertuxkart 1.0.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following ffbe46a529 ("linux: simplify
LINUX_BUILD_CMDS"), the Linux kernel build for
qemu_ppc_virtex_ml507_defconfig builds an image format that needs
mkimage.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/199339544
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following ffbe46a529 ("linux: simplify
LINUX_BUILD_CMDS"), the Linux kernel build for
qemu_ppc_mpc8544ds_defconfig builds an image format that needs
mkimage.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/199339543
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following ffbe46a529 ("linux: simplify
LINUX_BUILD_CMDS"), the Linux kernel build for
qemu_nios2_10m50_defconfig builds an image format that needs mkimage.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/199339537
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following ffbe46a529 ("linux: simplify
LINUX_BUILD_CMDS"), the Linux kernel build for beaglebone_defconfig
builds more things, including some .itb files, which require mkimage
with FIT support.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/199339433
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Switch to https://chromium.googlesource.com/libyuv/libyuv which is
the official repository and still active (updated this month).
Current site has not been updated since 2015.
- Drop second patch (already in version)
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update license hash for libv4l1-kernelcode-license.txt (Mauro Carvalho
e-mail address update).
Changelog (since 1.16.3):
- Update my e-mail on all places
- dvb-sat: rename Astra 1E to Astra 19.2 E and move it to beginning
- Qt5: test for Desktop OpenGL presence
- Qt5: fixup Qt OpenGL automake conditionals
- dvbv5-zap.c: fix compile warning
- dvbv5-tools: be sure to zero struct arguments
- dvbv5-zap: improve program exit code
- libdvbv5: leaks and double free in dvb_fe_open_fname()
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch bumps corkscrew package to version v2.0.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch bumps python-can to version 3.1.1, it removes md5 sum from
hash file because it's not present anymore on the pypi website.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
python-setuptools-scm v1.15.6 was released in 2017 and is now
obsolete. Multiple versions have been released to resolve
various issues:
https://github.com/pypa/setuptools_scm/blob/master/CHANGELOG.rst.
While at it, we add the hash for the license file.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested against systemd and glib-networking.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Thomas: use the upstream-uploaded tarball and not the github macro,
which allows to have the tarball that really matches upstream's GPG
signature]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In addition:
- Rebase both patches to work with the new version.
- Add the dependency libconfig
All tests pass:
- br-arm-full [1/6]: OK
- br-arm-cortex-a9-glibc [2/6]: OK
- br-arm-cortex-m4-full [3/6]: SKIPPED
- br-x86-64-musl [4/6]: OK
- br-arm-full-static [5/6]: SKIPPED
- sourcery-arm [6/6]: OK
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
WolfSSL 4.0.0 has been released, it includes new features and fixes. The
full changelog is available here [1].
Update the wolfssl package to stable version 4.0.0, and the
corresponding hash file.
[1] https://www.wolfssl.com/docs/wolfssl-changelog/
Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Additionally, backport an upstream patch with which valgrind can now
be compiled for MIPS32r6/MIPS64r6 and reenable valgrind for those
architectures in the Config.in file.
Moreover, remove a patch which is not needed anymore since
https://bugs.kde.org/show_bug.cgi?id=400975 has been resolved, also
making AUTORECONF = YES no longer necessary.
Signed-off-by: Stefan Maksimovic <stefan.maksimovic@rt-rk.com>
[Thomas: improve commit log, add reference to upstream commit]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
- CVE-2019-11068: libxslt through 1.1.33 allows bypass of a protection
mechanism because callers of xsltCheckRead and xsltCheckWrite permit
access even upon receiving a -1 error code. xsltCheckRead can return -1
for a crafted URL that is not actually invalid and is subsequently loaded.
Upstream bugtracker issue not yet public:
https://gitlab.gnome.org/GNOME/libxslt/issues/12
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch bumps the Linux CIP version to v4.4.176-cip31.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Suricata is a free and open source, mature, fast and robust
network threat detection engine.
The Suricata engine is capable of real time intrusion
detection (IDS), inline intrusion prevention (IPS), network
security monitoring (NSM) and offline pcap processing.
https://suricata-ids.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The autotools build system is in the process of being deprecated and
replaced with meson for weston. Because of this we need to pass the
--enable-autotools flag when running configure to enable autotools
builds.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When BR2_PACKAGE_ZLIB=y, we enable zlib support in the bind included
in dhcp, but we forget to add zlib to DHCP_DEPENDENCIES, so it doesn't
get built before dhcp, causing build failures.
Fixes:
http://autobuild.buildroot.net/results/5a33057ceaf3f53e6ba9deab3f214a4c8a644352/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When configuring qt5base, qmake is built, but it's not built in parallel
mode. This is due to MAKEFLAGS having 2 dashes on its tail, so this:
MAKEFLAGS="$(MAKEFLAGS) -j$(PARALLEL_JOBS)"
expands in this (i.e. 5 njobs):
MAKEFLAGS="--no-print-directory -- -j5"
and -j5 gets ignored due to "--" preceding -j5.
Double dashes are part of $(MAKEFLAGS) only when evaluated by shell.
Swap $(MAKEFLAGS) and -j$(PARALLEL_JOBS) to avoid having "--" before
-j$(PARALLEL_JOBS), this way -j$(PARALLEL_JOBS) won't be ignored by
./configure.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Tested-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>