Some kernel-selftests are using tput program, so make sure that
BR2_PACKAGE_NCURSES_TARGET_PROGS is selected.
[linux-4.19 selftests]$ git grep tput
[...]
futex/run.sh:tput setf 7 || tput setaf 7
futex/run.sh: tput sgr0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 633e5121f8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
syslog-ng may segfault at startup (during library initialization, before
reaching main) in newer toolchains. I have witnessed it on aarch64 (but with
32-bit arm userland) with glibc 2.28.
Problem is described in syslog-ng issue #2263 [1], which in turn leads to a
problem in 'ivykis' which is shipped with syslog-ng, see ivykis issue #15
[2].
Root cause is that 'pthread_atfork' is used by ivykis but searched by its
configure script in libpthread_nonshared only. In newer toolchains, it seems
this symbol is in libc_nonshared.
Apply a patch someone proposed via pullrequest [3] to the ivykis project,
but which is at this moment not yet merged upstream.
[1] https://github.com/balabit/syslog-ng/issues/2263
[2] https://github.com/buytenh/ivykis/issues/15
[3] https://github.com/buytenh/ivykis/pull/16
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1467eaa6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The year was updated.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf6615d801)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also remove upstream patch 0033.
Fixes the following security issues:
- bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
characters that decompose under IDNA encoding (NFKC-normalization) into
characters that affect how the URL is parsed.
- bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The
cert parser did not handle CRL distribution points with empty DP or URI
correctly. A malicious or buggy certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of
Cisco.
- bpo-35121: Don’t send cookies of domain A without Domain attribute to
domain B when domain A is a suffix match of domain B while using a
cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by
Karthikeyan Singaravelan.
For more details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-3-final
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc83b60f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-3870:
During the provision of a new Active Directory DC, some files in the private/
directory are created world-writable.
https://www.samba.org/samba/security/CVE-2019-3870.html
- CVE-2019-3880:
Authenticated users with write permission can trigger a symlink traversal to
write or detect files outside the Samba share.
https://www.samba.org/samba/security/CVE-2019-3880.html
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.9.6.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a662ae308)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-3835, CVE-2019-3838: A specially crafted PostScript file
could use these flaws to have access to the file system outside of the
constrains imposed by -dSAFER.
Drop upstream patches.
Use the make subst function to compute the download site from version.
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 10a6ea5a30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On commit 027a8b29f1 pkg-config has been
added to retrieve OpenSSL dependencies, but it's been passed `libssl`
instead of `openssl`, this makes fail some linking. Indeed we need
OpenSSL dependency, so let's use `openssl` with pkg-config.
Substitute `libssl` with `openssl`.
Fixes:
http://autobuild.buildroot.net/results/b225425ee237852bd9fee4ca0b8d24f3e37d64f9/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e38641851a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
During linking one OpenSSL dependecy is missing(-latomic) on linking
library list.
- Substitute explicit library list with `pkg-config libssl` when
BR2_PACKAGE_OPENSSL is enabled. In such way all needed libraries
will be included in linking list.
- Add also `host-pkgconf` to CIVETWEB_DEPENDENCIES if
BR2_PACKAGE_OPENSSL is enabled to make it available for previous
point.
Fixes:
http://autobuild.buildroot.net/results/b2e210bdefe84f4ec9cfda79a33d81788fb7e66c/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 027a8b29f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update patch so -latomic (provided in LIBS) is added after openssl libs
(provided in $3)
Fixes:
- http://autobuild.buildroot.org/results/4b90b7d02e354ebf3d8f95023547bf4a18e0165e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 73c04d9448)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tss2-esys.pc contains a hardcoded -lgcrypt even though the openssl crypto
backend (as in Buildroot) may be used, leading to linker errors when using
esys.
Given that tpm2-tss doesn't allow static linking, there is no need to
explicitly list the crypto library dependency.
Cherry pick an upstream patch to fix this. Notice that the upstream patch
also changes the default crypto backend to openssl. As this isn't stricly
needed (we explicitly configure for openssl) and requires autoreconv, drop
the configure.ac hunk from the patch.
https://github.com/tpm2-software/tpm2-tss/pull/1173
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55c4f7ca4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license contains the "no endorsement" clause, so it should be listed as
BSD-3-Clause:
* Neither the name of Intel Corporation nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 92c7310d5b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Host version of this package needs pkg-conf the same way as target
package: for Makefiles library dependencies retrieving.
Fixes:
http://autobuild.buildroot.net/results/8543eb3815a67747349a2e60654d19b9804a3a89/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8bd63b0b4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When static linking some dependency library can be missing
(i.e. -latomic for -lcrypto) on linking libraries list. This is
because when static linking libraries dependencies are not
transparently linked into binary.
To avoid moving libraries before/after one another or add new ones
that are not needed at all in the dynamic linking case, we use `pkg-config --libs
LIBRARY` where LIBRARY is the library we "probe" for its existence and
dependency.
In this commit, we:
- Remove 0005-fix-static-link-zlib.patch where -lcrypto and -lz were
swapped, as it is no longer needed thanks to the following point.
- Replace it with 0005-Use-pkgconf-to-get-libs-deps.patch where
-lcrypto has been substituted with `pkg-config --libs libcrypto`
- Add host-pkgconf to ANDROID_TOOLS_DEPENDENCIES
Fixes:
http://autobuild.buildroot.net/results/d3d6679cfc8afe4467368bd3d31483172c1032de/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e4f77a2e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f2431fd9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
that there is an uninitialized pointer access in gnutls versions 3.6.3 or
later which can be triggered by certain post-handshake messages
* CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
before 3.6.7. A memory corruption (double free) vulnerability in the
certificate verification API. Any client or server application that
verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:
https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html
HTTP URLs changed to HTTPS in COPYING, so update license hash.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1dd5576ccb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 426103703d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37371ff4f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Containerd is no longer maintained under the docker github project and now
has an official website, so refer to that in the help text.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 638504bcdf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Contains a number of bugfixes. For more details, see the announcement:
https://github.com/containerd/containerd/releases/tag/v1.2.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 20af865354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 905e976a6a.
With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4b13a21692)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit ce76a98902.
With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 18fb2167f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This includes an improved fix for CVE-2019-5736 without the ~10MB memory
overhead per container and with fallback code using mkostemp(3) when
O_TMPFILE isn't available.
For more details, see the announcement:
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc7
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56f495a078)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog: https://www.php.net/ChangeLog-7.php#7.3.4
Fixes these bugs, CVE-ID were not assigned yet:
Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s).
Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 614c1e2edd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Both patches are already included (a bit earlier in the file) in version
2.0.12, so drop the patches.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0fda716432)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ab5fbbd640)
[Peter: drop 5.0.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#11756
This fixes the following build error with newer binutils:
objcopy -O binary mbr.elf mbr.bin
perl /build/syslinux/src/syslinux/mbr/checksize.pl mbr.bin
mbr.bin: too big (452 > 440)
Corresponding bug reports:
- https://bugs.archlinux.org/task/60405
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906414
Strip the .note.gnu.property in the linker scripts for the MBRs.
Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0ca17cdc92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
since version 1.7, coxpcall is only required with Lua 5.1
see, https://github.com/keplerproject/wsapi/pull/41
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b7b8a7f3ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Switch site to gitlab
- Remove second patch (already in version)
- Use new --{with,without}-usb option
- Add hash for license file
- Fix CVE-2017-6318
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a911b7d229)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-5953: Buffer overflow vulnerability
For more details, see the announcement:
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00015.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d732da7a20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fakeroot by default forwards {f,l,}chown calls to libc and ignores
permission issues, which may cause issues when building in restricted
environments like user namespaces as set up with bubblewrap where a chown
call with a uid/gid not mapped in the user namespace instead returns EINVAL.
This error is not masked by fakeroot and returned to the caller, causing
failures.
There is no real reason to really perform the *chown calls in the context of
Buildroot (as the calls will likely just fail and files are not accessed
outside the fakeroot environment any way).
This forwarding can be disabled by setting the FAKEROOTDONTTRYCHOWN
environment variable, so set it when fakeroot is executed.
Reported-by: Esben Nielsen <nielsen.esben@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 655acd1df0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I left DATACOM and will unlikely have access to the hardware required to
test the package.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c45394c1b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Include upstream commit 193f1e8 "glob: Do not assume glibc glob
internals". Without this if building glibc with host-make it will fail
with a segfault in make:
>>> glibc glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 Building
PATH="/scratch/builds/host-make/host/bin:/scratch/builds/host-make/host/sbin:/home/sam/bin:/home/sam/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games" /scratch/builds/host-make/host/bin/host-make -j25 -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1/build
/scratch/builds/host-make/host/bin/host-make -r PARALLELMFLAGS="" -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 objdir=`pwd` all
Segmentation fault (core dumped)
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a07f69c817)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current address will soon become invalid so drop it before the
messages start bouncing.
Change-Id: If631cedcaaa55d927d99b18ff299324e9d439cb0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2387c9604)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Instead of stdout where it gets mixed with the normal output, confusing
software parsing the output (E.G. get-developers -e as git sendemail.ccCmd).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 83f82bd67a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tpm2-tools does not need dbus or libglib2, so remove them and the
corresponding toolchain dependencies.
The confusion may have come from the upstream travis configuration, which
also builds tpm2-abrmd (which uses dbus+libglib2).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f63a58c350)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of issues discovered post-3.1.3, including a completely
broken -T option handling. For details, see:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.1.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7a36629d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of issues discovered post-2.1.1. For details, see:
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c47079d38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2.22.7 contains a number of bugfixes. From the announcement:
- Fix rendering of glyphs in Hebrew (and possibly other languages) when
Unicode NFC normalization is used.
- Fix several crashes and race conditions.
https://webkitgtk.org/2019/03/01/webkitgtk2.22.7-released.html
Change SITE to https as the webserver uses HSTS.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d484ba63b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Contains a number of fixes for issues discovered post-2.9.8. From the
release notes:
- Fixed readdir bug when non-zero offsets are given to filler and the
filesystem client, after reading a whole directory, re-reads it from a
non-zero offset e.g. by calling seekdir followed by readdir.
https://github.com/libfuse/libfuse/releases/tag/fuse-2.9.9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6d842fea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No point in installing udev rules if nothing will use it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4cba22bbfa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes some omissions from the installation.
Install the udev rules.
Tell buildroot about the fuse device.
Apply setuid permissions on the fusermount tool.
Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea62ff85b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5. CRLF
injection is possible if the attacker controls a url parameter, as
demonstrated by the second argument to http.NewRequest with \r\n followed by
an HTTP header or a Redis command.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From NEWS:
* Changes in Wget 1.20.2
** Fixed a buffer overflow vulnerability
For more details, see the announcement:
https://lists.gnu.org/archive/html/info-gnu/2019-04/msg00000.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c21d440c8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) SECURITY: CVE-2019-0197 (cve.mitre.org)
mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
request from http/1.1 to http/2 that was not the first request on a
connection could lead to a misconfiguration and crash. Servers that
never enabled the h2 protocol or only enabled it for https: and
did not set "H2Upgrade on" are unaffected by this issue.
[Stefan Eissing]
*) SECURITY: CVE-2019-0196 (cve.mitre.org)
mod_http2: using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly. [Stefan Eissing]
*) SECURITY: CVE-2019-0211 (cve.mitre.org)
MPMs unix: Fix a local priviledge escalation vulnerability by not
maintaining each child's listener bucket number in the scoreboard,
preventing unprivileged code like scripts run by/on the server (e.g. via
mod_php) from modifying it persistently to abuse the priviledged main
process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
*) SECURITY: CVE-2019-0196 (cve.mitre.org)
mod_http2: using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly. [Stefan Eissing]
*) SECURITY: CVE-2019-0217 (cve.mitre.org)
mod_auth_digest: Fix a race condition checking user credentials which
could allow a user with valid credentials to impersonate another,
under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
*) SECURITY: CVE-2019-0215 (cve.mitre.org)
mod_ssl: Fix access control bypass for per-location/per-dir client
certificate verification in TLSv1.3.
*) SECURITY: CVE-2019-0220 (cve.mitre.org)
Merge consecutive slashes in URL's. Opt-out with
`MergeSlashes OFF`. [Eric Covener]
For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 556ad6c25b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Loop relaxation logic in xtensa gas may produce code in which LEND
register doesn't match actual zero overhead loop end. Fix relaxation
code so that it produces a literal or a pair of const16 instructions
with associated relocation record that works correctly in the presence
of other relaxations. This fixes crash in X11 server caused by window
movement.
Loop relaxation has limited of 32K range, this fix removes this
limitation.
Fixes:
http://autobuild.buildroot.net/results/e05522ce540f4ac23f9a3a8fec724694d9a23101/
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 2.32 patch]
(cherry picked from commit 197b5f9d1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
