This patch bumps Linux CIP RT to version 4.19.132-cip30-rt12
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c009545716)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP to version 4.19.132-cip30
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50d243cda9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The update to 2020.79 contains several other changes that may not be
appropriate for the LTS branch, hence just backport the single fix.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 812cc01f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version fixes https://github.com/ndilieto/uacme/issues/22
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5946c1fe99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version includes a new binary named "ualpn", a proxying
ACMEv2 tls-alpn-01 responder.
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fb42fd549)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 066d552499)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fix some bugs in the broker and client libraries,
as well as building with below C99 suport.
Read the whole announcement on:
https://mosquitto.org/blog/2020/05/version-1-6-8-released/
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 466bce9c9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation,
passing malformed cache keys could result in a key collision, and
potential data leakage. In order to avoid this vulnerability, key
validation is added to the memcached cache backends.
- CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
query parameters are correctly URL encoded.
For details, see the announcement:
https://docs.djangoproject.com/en/dev/releases/3.0.7/
Additionally, 3.0.5..3.0.7 contains a number of non-security related
bugfixes.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36d78abceb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
[CVE-2020-10543] Buffer overflow caused by a crafted regular
expression
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
crafted regular expression
[CVE-2020-12723] Buffer overflow caused by a crafted regular
expression
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 13ceb980a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-15049: Cache Poisoning Issue in HTTP Request processing
- Fix CVE-2020-14058: Denial of Service issue in TLS handshake
- Fix CVE-2020-14059: Denial of Service when using SMP cache
This version also fix a build failure with systemd
Fixes:
- http://autobuild.buildroot.org/results/4f586c497577d6c96289e821430fa2c2f61eda2a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b5eef337ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
systemd is an optional dependency (enabled by default) since version
4.11 and
6fa8c66435
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a70bcb531c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch adds a missing extern on the outfile
variable in genisoimage.h.
Signed-off-by: Urja Rannikko <urjaman@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d50d04729)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2020-10108
In Twisted Web through 19.10.0, there was an HTTP request splitting
vulnerability. When presented with two content-length headers, it
ignored the first header. When the second content-length value was
set to zero, the request body was interpreted as a pipelined request.
CVE-2020-10109
In Twisted Web through 19.10.0, there was an HTTP request splitting
vulnerability. When presented with a content-length and a chunked
encoding header, the content-length took precedence and the remainder
of the request body was interpreted as a pipelined request.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-14155: libpcre in PCRE before 8.44 allows an integer overflow via
a large number after a (?C substring.
Additionally:
- Update first patch
- Update hash of license file (update in year)
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a92e06c352)
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* Fix SOCKS proxy resolver sometimes not being used when resolving addresses
via Happy Eyeballs (CVE-2020-6750) (#1989)
* Fix potential relative read when calling g_printerr(), which could lead to a
denial of service from a setuid-root process being used to block access to the
TTY for another user (#1919)
* Several race condition/crash fixes (!1353, !1357)
For more details, see the NEWS file:
https://download.gnome.org/sources/glib/2.62/glib-2.62.5.news
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[Peter: describe security issues]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-41162: Audit hooks are now cleared later during finalization to avoid
missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations when Python
is embedded (CVE-2020-15523).
- bpo-41004: The __hash__() methods of ipaddress.IPv4Interface and
ipaddress.IPv6Interface incorrectly generated constant hash values of 32
and 128 respectively. This resulted in always causing hash collisions.
The fix uses hash() to generate hash values for the tuple of (address,
mask length, network address).
- bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to
guard against header injection attacks.
For more details, see the changelog:
https://docs.python.org/release/3.8.4/whatsnew/changelog.html#security
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d6ff343d67)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using ccache to build the exim package, the HOSTCC value contains
spaces, that are incorrectly interpreted by exim's Makefilei, which uses
the first word of ${CC} to test compiler options. This breaks the build
with "unrecognized option" ccache errors.
Fix that by wrapping the HOSTCC variable in double quotes, as it is done
for other variables that follow.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
[yann.morin.1998@free.fr: slight rewording of commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a9486e337a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update label as suggested by Stéphane Veyret, as -Ofast is potentially
dangerous, and may break packages.
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=13046
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3e186cee00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also separate the fields in the hash file by two spaces.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ebfb17eaf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Explicitly do not install udev rules and systemd units when installing
the host version of e2fsprogs, as we do not need those files when
calling host tools provided by e2fsprogs from Buildroot.
This fixes a weird issue I encountered: host-e2fsprogs was built and
installed without any issue when building an image from scratch. But
any attempt to rebuild host-e2fsprogs alone was failing during the
installation steps as it tried to install files to the host system.
This is because e2fsprogs' build system (autotools) is using the
prefix given at configuration time when installing its binaries,
configuration files, man pages, etc... but not when installing its
systemd units and udev rules.
The issue did not arise when building it from scratch, as
host-e2fsprogs do not have a dependency on host-udev/systemd, so its
configure script did not automatically enable udev/systemd
installation steps at first.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ea6ddd3671)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The rule to create the staging symlink has it depend on BASE_DIR, and
the symlink is created in BASE_DIR, which means that when the symlink
is created, BASE_DIR is updated, and thus made more recent than the
symlink itself.
As a consequence, every time one runs 'make', the symlink will be older
than BASE_DIR, and so will be re-created.
Ditto for the host symlink when the user has elected to have an
out-of-tree host dir.
Fix that by changing to using an order-only dependency.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d38e58d4c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and
the database/sql, net/http, and reflect packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 593254c6f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.13.13 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e31919878d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Get official tarball and its hash
- Update indentation in hash file (two spaces)
This is a fairly important release which includes performance
improvements and new major CLI features. It also fixes a few corner
cases, making it a recommended upgrade.
https://github.com/facebook/zstd/releases/tag/v1.4.5https://github.com/facebook/zstd/releases/tag/v1.4.4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 510b339818)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2020-7921: (4.0.15) Improper serialization of internal state in the
authorization subsystem in MongoDB Server's authorization subsystem
permits a user with valid credentials to bypass IP whitelisting protection
mechanisms following administrative action.
Plus a number of other bugfixes. For details, see the release notes:
https://docs.mongodb.com/manual/release-notes/4.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
oracle-mysql won't built its own bundled zlib since commit
6fed83a030 so don't unconditionally link
with zlib instead use mysql_config to retrieve cflags and libs as
suggested by Thomas Petazzoni in review of first iteration
Fixes:
- No autobuilder failures yet
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit efffb3ea45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gtkvncviewer has been added since version 0.9.13 and
2650cfc17b,
disable it as it is only an example
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c89f62cec6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop all patches (already in version)
- Fix CVE-2018-21247: An issue was discovered in LibVNCServer before
0.9.13. There is an information leak (of uninitialized memory contents)
in the libvncclient/rfbproto.c ConnectToRFBRepeater function.
- Fix CVE-2019-20839: libvncclient/sockets.c in LibVNCServer before
0.9.13 has a buffer overflow via a long socket filename.
- Fix CVE-2019-20840: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/ws_decode.c can lead to a crash because of
unaligned accesses in hybiReadAndDecode.
- Fix CVE-2020-14396: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference.
- Fix CVE-2020-14397: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference.
- Fix CVE-2020-14398: An issue was discovered in LibVNCServer before
0.9.13. An improperly closed TCP connection causes an infinite loop in
libvncclient/sockets.c.
- Fix CVE-2020-14399: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint32_t pointers in
libvncclient/rfbproto.c.
- Fix CVE-2020-14400: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint16_t pointers in
libvncserver/translate.c.
- Fix CVE-2020-14401: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/scale.c has a pixel_value integer overflow.
- Fix CVE-2020-14402: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/corre.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14403: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/hextile.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14404: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings.
- Fix CVE-2020-14405: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/rfbproto.c does not limit TextChat size.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e1b60ef181)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-14148: The Server-Server protocol implementation in
ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated
by the IRC_NJOIN() function.
- Fix a static build failure with openssl thanks to
ad86a41eee
- Update indentation in hash file (two spaces)
Fixes:
- http://autobuild.buildroot.org/results/078a7afc432786316a1d2ea03f96444ff741b942
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53f92e65ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
* CVE-2020-8619: It was possible to trigger an INSIST failure when a
zone with an interior wildcard label was queried in a certain
pattern.
Release notes:
https://ftp.isc.org/isc/bind9/cur/9.11/RELEASE-NOTES-bind-9.11.20.txt
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc7740825a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 'package/rpi-firmware: fix startup file names' ([1]) the
start and fixup file names are normalized to start.elf/fixup.dat,
adjust the rpi4 genimage config files accordingly.
Fixes:
ERROR: file(rpi-firmware/fixup4.dat): stat(.../images/rpi-firmware/fixup4.dat) failed: No such file or directory
ERROR: vfat(boot.vfat): could not setup rpi-firmware/fixup4.dat
[1] https://git.buildroot.net/buildroot/commit/?id=1bdc0334ff6273761b2e7fda730cdcc7e1f46862
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 59c3426c51)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2020-7212 (1.25.2 - 1.25.7)
The _encode_invalid_chars function does not remove duplicate percent
encodings in the _percent_encodings array, which combined with the
normalization step could take O(N^2) time to compute for a URL of
length N. This results in a marginally higher CPU consumption
compared to the potential linear time achieved by deduplicating
the _percent_encodings array.
CC: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fc57db8401)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As spotted by Thomas Petazzoni during review of
https://patchwork.ozlabs.org/project/buildroot/patch/20200713215943.2240412-1-fontaine.fabrice@gmail.com,
oracle-mysql uses its bundled version of zlib if it is not found on the
system
So explictly disable zlib if needed and add a patch fixing build
failures without it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fed83a030)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EXIV2_ENABLE_LIBXMP has been dropped since version 0.27 and
2784b1f7f7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e5310ad13e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EXIV2_ENABLE_BUILD_SAMPLES has been renamed into EXIV2_BUILD_SAMPLES
since version 0.27 and
60d436c969
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9188421331)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prior to gzip 1.10, the compression pipeline used with PCF fonts was
not reproducible due to the implicit -N/--name injecting a timestamp:
$ cat /path/to/file | gzip > /path/to/file.gz
This updates Portable Compiled Format font packages to have a host-gzip
dependency, so gzip version 1.10 or newer will reliably be used.
This change does not affect encodings, which use a seemingly
synonymous compression pipeline, but that happens to be reproducible
with gzip versions at least as old as version 1.3.13:
$ gzip < /path/to/file > /path/to/file.gz
Reported-by: Jordan Speicher <jspeicher@xes-inc.com>
Signed-off-by: Aaron Sierra <asierra@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 10082b2e43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
