Commit Graph

69545 Commits

Author SHA1 Message Date
Peter Korsgaard
cfe830c9ee package/libfastjson: security bump to version 0.99.9.1
Fixes the equivalent of CVE-2020-12762, which was a json-c vulnerability:

https://github.com/advisories/GHSA-3797-gmjf-45gm

https://github.com/rsyslog/libfastjson/pull/166

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 20:08:09 +02:00
Bernd Kuhls
e99999d7cb package/libvpx: Add upstream security patch to fix CVE-2023-5217
Fixes CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx in
Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote
attacker to potentially exploit heap corruption via a crafted HTML page.

https://www.openwall.com/lists/oss-security/2023/09/28/5

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: extend commit message, add _IGNORE_CVES]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:53:32 +02:00
Francois Perrad
236dc1015c package/mosquitto: bump to version 2.0.18
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:39:20 +02:00
Francois Perrad
c3edc92673 package/lua-messagepack: bump to version 0.5.3
diff COPYRIGHT:
    -Copyright (C) 2012-2019 Francois Perrad.
    +Copyright (C) 2012-2023 Francois Perrad.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:38:48 +02:00
Fabrice Fontaine
e4038b6af4 package/putty: fix legal info
Commit bf284bcfba forgot to update hash of
license file (year updated)

Fixes:
 - http://autobuild.buildroot.org/results/900b3fe8d4bf029c6bca6ca63c6e093e42cc1072

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:37:57 +02:00
Fabrice Fontaine
c6bf26cfb2 package/minizip-zlib: bump to version 1.3
https://github.com/madler/zlib/commits/v1.3/contrib/minizip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:37:32 +02:00
Brandon Maier
f64bdf8347 package/mtd: bump to version 2.1.6
https://lists.infradead.org/pipermail/linux-mtd/2023-August/100922.html

Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:34:22 +02:00
Fabrice Fontaine
9eff64e816 package/upx: bump to version 4.1.0
https://github.com/upx/upx/blob/v4.1.0/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 19:34:11 +02:00
Giulio Benetti
e4fcdc6801 package/mmc-utils: bump to version 2023-09-26
Fixes:
http://autobuild.buildroot.net/results/a53922c5db3e605a5e81e53c034f45017ebb7db7

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 14:22:42 +02:00
Bernd Kuhls
94b2dc586f package/samba4: bump version to 4.18.7
Release notes: https://www.samba.org/samba/history/samba-4.18.7.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 10:58:45 +02:00
Bernd Kuhls
3686d9fc17 package/php: bump version to 8.2.11
Changelog: https://www.php.net/ChangeLog-8.php#8.2.11
Release notes: https://www.php.net/releases/8_2_11.php

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 10:57:55 +02:00
Bernd Kuhls
3c7c04c46b package/sqlite: bump version to 3.43.1
Release notes: https://sqlite.org/releaselog/3_43_1.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 10:57:41 +02:00
Fabrice Fontaine
187b1f5238 package/pigz: bump to version 2.8
Update hash of README (update year and version:
fe4894f577)

https://zlib.net/pipermail/pigz-announce_zlib.net/2023-August/000018.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 10:55:17 +02:00
Fabrice Fontaine
c3becbedb0 package/nmon: bump to version 16p
Small improvements to on-screen use only. CLI -B and GUI 'B' to toggle
boxes around stats. CLI -^ and '^' to change units for Disk I/O KB/s ->
MB/s -> GB/s. This happens temporarily too if the size of the statistic
will not fit on-screen. Code changed to ensure clean compile for GCC 12
which does extra checks but got confused by some perfectly good C code!
Note: updated makefile makefile

https://nmon.sourceforge.io/pmwiki.php?n=Site.CompilingNmon

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 10:54:53 +02:00
Fabrice Fontaine
5e97bc1f05 package/stress-ng: drop LDFLAGS_EXTRA
Drop LDFLAGS_EXTRA to fix the following build failure raised since
commit 42f2518023:

/home/buildroot/autobuild/run/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/mipsel-buildroot-linux-gnu/12.3.0/../../../../mipsel-buildroot-linux-gnu/bin/ld: stress-crypt.o: in function `$L17':
stress-crypt.c:(.text+0x2dc): undefined reference to `crypt_r'

Fixes:
 - http://autobuild.buildroot.org/results/0c1d2ef59b88ebb3ae10bf8cb986280b4c1283eb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 09:52:03 +02:00
Giulio Benetti
3faf4085dc package/minicom: bump to version 2.9
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 09:47:51 +02:00
Peter Korsgaard
fc5cdeed72 board/raspberrypi: drop variant-specific genimage files
Now that we have a template generating an equivalent genimage configuration.

The generated genimage is identical to these +/- file ordering and a
trailing comma / newline that is ignored by genimage, E.G. for rpi3-64:

@@ -8,9 +8,10 @@
                        "rpi-firmware/cmdline.txt",
                        "rpi-firmware/config.txt",
                        "rpi-firmware/fixup.dat",
-                       "rpi-firmware/start.elf",
                        "rpi-firmware/overlays",
-                       "Image"
+                       "rpi-firmware/start.elf",
+                       "Image",
+
                }
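
Review bot: The generated list now ends with `"Image",` followed by an empty added line before the closing brace, so the output is only valid because genimage's parser tolerates a trailing comma and blank entry, as the message itself notes. Consider having the template emit the last entry without the trailing separator, so the result does not depend on parser leniency and can be diffed cleanly against a hand-written board configuration. The reordering of `"rpi-firmware/start.elf"` after `"rpi-firmware/overlays"` is harmless for a file list, but a sorted, deterministic order in the generator would keep the generated configuration reproducible between builds.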

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 09:12:46 +02:00
Peter Korsgaard
e37ee5acdc board/raspberrypi/post-image.sh: generate genimage config from template if not present
The rpi genimage configurations are all identical, except for the boot
partition files, which include:

- Device tree files (*.dtb)
- rpi-firmware files (rpi-firmware/*)
- Kernel image (Image/zImage)

All of these are quite simple to figure out programmatically based on the
content of BINARIES_DIR, so extend post-image.sh to fall back to generating
a genimage configuration based on genimage.cfg.in if a board specific one
does not exist.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 09:11:49 +02:00
Fabrice Fontaine
ce17f93e82 package/suricata: security bump to version 6.0.14
- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
  adversary who controls an external source of rules), a dataset
  filename, that comes from a rule, may trigger absolute or relative
  directory traversal, and lead to write access to a local filesystem.
  This is addressed in 6.0.13 by requiring allow-absolute-filenames and
  allow-write (in the datasets rules configuration section) if an
  installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
  controls an external source of Lua rules may be able to execute Lua
  code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
  is true in the security lua configuration section.
- Drop first patch (not needed since
  c8a3aa608e)

https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 23:03:52 +02:00
Fabrice Fontaine
e7988c7060 package/librsvg: security bump to version 2.50.9
Fix CVE-2023-38633: A directory traversal problem in the URL decoder of
librsvg before 2.56.3 could be used by local or remote attackers to
disclose files (on the local filesystem outside of the expected area),
as demonstrated by href=".?../../../../../../../../../../etc/passwd" in
an xi:include element.

https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 22:59:34 +02:00
Brandon Maier
0a16452704 unifdef: add target package
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Reviewed-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 22:43:13 +02:00
Brandon Maier
d8cea23ce4 unifdef: add missing license
The COPYING also contains a BSD-3-Clause license. The BSD-3-Clause
applies to "manual page unifdef.1 and the portability support code in
the FreeBSD subdirectory". The BSD-2-Clause applies to everything else.

Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Reviewed-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 22:43:06 +02:00
Bernd Kuhls
9677f3a897 package/onevpl: disable tools
The tools are not needed at runtime, as they are mostly examples, or as
testing tools, the latter having additional dependencies.

Fixes:
http://autobuild.buildroot.net/results/059/059a8581fb809488ad6fa3183874395ebf3f0926/

This package is not part of any older buildroot release, no backport
necessary.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 22:32:45 +02:00
Yann E. MORIN
d574e2a4f4 package/nodejs: fix parallel build further
Commit 84c24ab1b5 (package/nodejs: fix parallel build) made use of
BR2_JLEVEL to set the number of jobs nodejs should use instead of using
the number of CPUs (+2).

However, BR2_JLEVEL can be set to 0 by the user, to let Buildroot detect
the number of CPUs (+1), and stores it in PARALLEL_JOBS, and leaves
BR2_JLEVEL untouched, so 0.

Thus, we can end up spawning a build by passing -j0 to ninja, which it
interprets as "no -limit yolo" and does not limit the number of jobs it
spawns, which usually ends up in an OOM somewhere...

Fix this by using PARALLEL_JOBS.

Reported-by: Cédric & Co
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-28 22:05:26 +02:00
Alexander Dahl
bf284bcfba package/putty: bump version to 0.79
Bug fixes mostly.

Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:40:11 +02:00
Maxim Kochetkov
d15bc66b9a configs/visionfive2_defconfig: bump custom kernel version to 05533e9c31
Current kernel fails to build with GCC>=12:
  AS      arch/riscv/kernel/vdso/note.o
./arch/riscv/include/asm/vdso/gettimeofday.h: Assembler messages:
./arch/riscv/include/asm/vdso/gettimeofday.h:71: Error: unrecognized opcode `csrr a5,0xc01', extension `zicsr' required
./arch/riscv/include/asm/vdso/gettimeofday.h:71: Error: unrecognized opcode `csrr a5,0xc01', extension `zicsr' required

So use latest kernel from starfive repo.

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:36:53 +02:00
Fabrice Fontaine
ede7d0bd77 package/liburcu: bump to version 0.14.0
- Drop second and third patches (already in version)
- C++ is mandatory since
  153b081a9b

https://github.com/urcu/userspace-rcu/blob/v0.14.0/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:06:24 +02:00
Fabrice Fontaine
1df2976f79 package/keepalived: bump to version 2.2.8
Drop all patches (already in version) and so drop autoreconf

https://www.keepalived.org/release-notes/Release-2.2.8.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 14:05:58 +02:00
Fabrice Fontaine
799512e149 package/libyang: security bump to version 2.1.111
- Fix CVE-2023-26916: libyang from v2.0.164 to v2.1.30 was discovered to
  contain a NULL pointer dereference via the function lys_parse_mem at
  lys_parse_mem.c.
- Fix CVE-2023-26917: libyang from v2.0.164 to v2.1.30 was discovered to
  contain a NULL pointer dereference via the function
  lysp_stmt_validate_value at lys_parse_mem.c.

https://github.com/CESNET/libyang/releases/tag/v2.1.55
https://github.com/CESNET/libyang/releases/tag/v2.1.80
https://github.com/CESNET/libyang/releases/tag/v2.1.111

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:26:52 +02:00
Fabrice Fontaine
54f6e1f81f package/bind: security bump to version 9.16.44
Fix CVE-2023-3341: The code that processes control channel messages sent
to `named` calls certain functions recursively during packet parsing.
Recursion depth is only limited by the maximum accepted packet size;
depending on the environment, this may cause the packet-parsing code to
run out of available stack memory, causing `named` to terminate
unexpectedly. Since each incoming control channel message is fully
parsed before its contents are authenticated, exploiting this flaw does
not require the attacker to hold a valid RNDC key; only network access
to the control channel's configured TCP port is necessary. This issue
affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18,
9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1
through 9.18.18-S1.

https://ftp.isc.org/isc/bind9/9.16.44/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:26:19 +02:00
Fabrice Fontaine
caa0b804a8 package/minizip: bump to version 4.0.1
https://github.com/zlib-ng/minizip-ng/releases/tag/3.0.8
https://github.com/zlib-ng/minizip-ng/releases/tag/3.0.9
https://github.com/zlib-ng/minizip-ng/releases/tag/3.0.10
https://github.com/zlib-ng/minizip-ng/releases/tag/4.0.0
https://github.com/zlib-ng/minizip-ng/releases/tag/4.0.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:25:45 +02:00
Fabrice Fontaine
d821de0e46 package/libhtp: bump to version 0.5.45
https://github.com/OISF/libhtp/blob/0.5.45/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:20:47 +02:00
Fabrice Fontaine
725580a26e package/json-c: bump to version 0.17
Disable building apps thanks to variable added by
bef40a342e

https://github.com/json-c/json-c/blob/json-c-0.17-20230812/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:20:21 +02:00
Bernd Kuhls
0876080307 package/tor: bump version to 0.4.8.7
Release notes:
https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 11:20:04 +02:00
Peter Korsgaard
28a6c12646 docs/website: Update for 2023.08.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 00:25:28 +02:00
Peter Korsgaard
55fbb5519c Update for 2023.08.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9266ab06e0)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-28 00:22:36 +02:00
Fabrice Fontaine
05fbb29322 package/unixodbc: bump to version 2.3.12
Drop patch (already in version)

https://github.com/lurcher/unixODBC/releases/tag/2.3.12

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:13:26 +02:00
Fabrice Fontaine
c11478fb27 package/brotli: bump to version 1.1.0
Drop patches (already in version)

https://github.com/google/brotli/releases/tag/v1.1.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:12:33 +02:00
Fabrice Fontaine
7aa5e8f84f package/snappy: bump to version 1.1.10
Drop patch (already in version)

https://github.com/google/snappy/blob/1.1.10/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:11:38 +02:00
Fabrice Fontaine
197d0a4cb2 package/sg3_utils: bump to version 1.48
- Drop patches (already in version) and so drop autoreconf
- Update hash of BSD_LICENSE (update in year:
  551657bfbf)

https://github.com/hreinecke/sg3_utils/blob/v1.48/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:11:04 +02:00
Bernd Kuhls
c7cd67517c package/onevpl-intel-gpu: bump version to 23.3.3
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:09:43 +02:00
Bernd Kuhls
6b7f001a47 package/intel-mediadriver: bump version to 23.3.3
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:09:36 +02:00
Bernd Kuhls
ff82db21f8 package/intel-gmmlib: bump version to 22.3.12
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:09:27 +02:00
Bernd Kuhls
2a711479d3 package/linux-headers: drop 6.4.x option
The 6.4.x series is now EOL upstream, so drop the linux-headers option
and add legacy handling for it.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:06:30 +02:00
Bernd Kuhls
b5ba9f80ad linux: bump latest version to 6.5
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:06:19 +02:00
Bernd Kuhls
18d21c9cfc {toolchain, linux-headers}: add support for 6.5 headers
And add (and default to) 6.5 to linux-headers.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:06:02 +02:00
Bernd Kuhls
181cf756ca {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 4}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:05:41 +02:00
Fabrice Fontaine
6ce55ab0ed package/memcached: bump to version 1.6.21
- Send first patch upstream
- Drop second and third patches (already in version) and so drop
  autoreconf

https://github.com/memcached/memcached/wiki/ReleaseNotes1618
https://github.com/memcached/memcached/wiki/ReleaseNotes1619
https://github.com/memcached/memcached/wiki/ReleaseNotes1620
https://github.com/memcached/memcached/wiki/ReleaseNotes1621

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:04:40 +02:00
Fabrice Fontaine
56c7da8e08 package/xxhash: bump to version 0.8.2
- Drop all patches (already in version)
- Update hash of LICENSE file (year updated with
  f035303b8a)

https://github.com/Cyan4973/xxHash/releases/tag/v0.8.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:04:14 +02:00
Fabrice Fontaine
757c81f126 package/openresolv: bump to version 3.13.2
https://github.com/NetworkConfiguration/openresolv/compare/v3.12.0...v3.13.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-27 21:03:50 +02:00