Fix CVE-2022-24128: Timescale TimescaleDB 1.x and 2.x before 2.5.2 may
allow privilege escalation during extension installation. The
installation process uses commands such as CREATE x IF NOT EXIST that
allow an unprivileged user to precreate objects. These objects will be
used by the installer (which executes as Superuser), leading to
privilege escalation. In order to be able to take advantage of this, an
unprivileged user would need to be able to create objects in a database
and then get a Superuser to install TimescaleDB into their database. (In
the fixed versions, the installation aborts when it finds that an object
already exists.)
"This release contains bug fixes since the 2.5.1 release.
This release is high priority for upgrade. We strongly recommend that
you upgrade as soon as possible."
https://github.com/timescale/timescaledb/releases/tag/2.5.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
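An added illustration (not TimescaleDB code) of the installer behaviour the CVE text describes: `CREATE ... IF NOT EXISTS` silently keeps a pre-created object, while the fixed behaviour checks for any pre-existing object and aborts before creating anything. The catalog is a constructed dict of object name to owner standing in for catalog lookups, and the object names are placeholders.

```python
# Constructed model: catalog maps object name -> owner role, standing in
# for pg_catalog queries. Object names are placeholders, not real
# TimescaleDB objects.

class InstallAborted(Exception):
    """Raised when the fail-closed installer finds a pre-existing object."""


def install_if_not_exists(catalog, objects, installer='superuser'):
    """Pre-fix semantics: CREATE IF NOT EXISTS keeps whatever already
    exists, so an object pre-created by another role is adopted as-is
    and later used in the superuser installer's context.
    Returns {name: owner} for every object that was adopted, not created."""
    adopted = {}
    for name in objects:
        if name in catalog:
            adopted[name] = catalog[name]   # kept untouched, foreign owner
        else:
            catalog[name] = installer
    return adopted


def install_fail_closed(catalog, objects, installer='superuser'):
    """Fixed semantics: before creating anything, refuse the whole install
    if any object the extension will create already exists."""
    clashes = sorted(name for name in objects if name in catalog)
    if clashes:
        raise InstallAborted(f'pre-existing objects, aborting: {clashes}')
    for name in objects:
        catalog[name] = installer
    return len(objects)


# Placeholder object list an extension installer would create.
EXTENSION_OBJECTS = ['ext_schema.helper_fn', 'ext_schema.config_table']

if __name__ == '__main__':
    # Constructed scenario: an unprivileged role pre-created one object.
    tainted = {'ext_schema.helper_fn': 'alice'}
    print('adopted:', install_if_not_exists(dict(tainted), EXTENSION_OBJECTS))
    try:
        install_fail_closed(dict(tainted), EXTENSION_OBJECTS)
    except InstallAborted as exc:
        print('fixed installer:', exc)
```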
Release notes: https://www.samba.org/samba/history/samba-4.15.6.html
Added new answer to samba4-cache.txt needed due to upstream commit:
f7e31127e7
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SITE to https and _SOURCE to .gz because upstream does not
provide a .xz tarball anymore.
Fixes CVE-2022-0547, changelog:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure without gl raised since bump to version
6.03 in commit cbcbd66b0f:
Note: The OpenGL 3D library is not being used.
Those demos which use 3D will not be built or installed.
That is most of them.
make: *** [package/pkg-generic.mk:282: /home/peko/autobuild/instance-0/output-1/build/xscreensaver-6.03/.stamp_configured] Error 1
A patch was sent to Jamie Zawinski to fix this failure and he replied:
"Why would you do that? I pretty much consider that an unsupported
configuration, since that's more than half of the savers at this point."
I told him that some embedded devices don't have gl and he replied:
"Such as? Just about every modern "embedded device" I'm aware of is more
performant than the desktop computers on which I developed many of those
GL hacks..."
So just add a dependency on gl.
Fixes:
- http://autobuild.buildroot.org/results/b76743a48d75b5b7539712318fa0b2937a157f88
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: keep --with-gl=yes]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bump OP-TEE OS package version to OP-TEE release 3.16.0 and set
BR2_TARGET_OPTEE_OS_LATEST to select
BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY since
python-cryptography is now needed to build optee-os.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Newer version of optee-os (>= 3.16) uses python-cryptography instead of
python-pycryptodomex in python scripts. Add support to build these
newer versions by adding a new
BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY option which will
select host-python-cryptography dependency when building optee-os.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
[yann.morin.1998@free.fr:
- move the _ARCH_DEPENDS option from the main symbol to this new
symbol
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
It seems reasonable to expect that the download of the host and target
variants should usually be exactly the same and thus reuse the target
package values for the host package. This commit adds support to
inherit host _DL_SUBDIR, _DOWNLOAD_DEPENDENCIES, _DL_ENV and
_DOWNLOAD_POST_PROCESS variables from target ones. These variables can
still be overridden if necessary for the host package.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
allows a remote web server to exfiltrate media files.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when
decoding a crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
introspection needs host-doxygen and host-python-lxml since the addition
of the package in commit c9a3c10417 and
2e5b13f970
../output-1/build/wireplumber-0.4.8/docs/meson.build:14:0: ERROR: python3 is missing modules: lxml
Doxygen is required to build just the bare minimal (not the full
documentation) since
93c2e7d686
Fixes:
- http://autobuild.buildroot.org/results/24c524d86a3e2e67305f698644be9b15d4562488
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
An out-of-bounds read was found in Wavpack 5.4.0 in processing *.WAV
files. This issue is triggered in function WavpackPackSamples of file
src/pack_utils.c: the tainted variable cnt is too large, which makes the
pointer sptr read beyond the heap bound.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This has been like that for ages (probably an implicit dependency check
in older versions), but now wget has explicit flags, so let's use them.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: expand commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Disable sample and tests (which are built by default since version 2.1:
530b272350)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The check_package_get_latest_version_by_distro() function analyzes the
data returned by release-monitoring.org. For two of our
packages (bento4 and qextserialport), release-monitoring.org returns
something that is a bit odd: it returns an entry with a
"stable_versions" field that contains an empty array. Our code was
ready to have or not have a "stable_versions" entry, but when it is
present, we assumed it was not an empty array. These two packages, for
some reason, break this assumption.
In order to solve this problem, this commit is more careful, and uses
the stable_versions field only if it exists and it has at least one
entry. The code is also reworked as a sequence of "if...elif...else"
to be more readable.
This fixes the following exception when running pkg-stats on the full
package set:
Task exception was never retrieved
future: <Task finished name='Task-10772' coro=<check_package_latest_version_get() done, defined at ./support/scripts/pkg-stats:532> exception=IndexError('list index out of range')>
Traceback (most recent call last):
File "./support/scripts/pkg-stats", line 535, in check_package_latest_version_get
if await check_package_get_latest_version_by_distro(session, pkg):
File "./support/scripts/pkg-stats", line 489, in check_package_get_latest_version_by_distro
version = data['stable_versions'][0] if 'stable_versions' in data else data['version'] if 'version' in data else None
IndexError: list index out of range
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: non-sequence tests as True]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
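An added example, not the Buildroot pkg-stats script itself: the "stable_versions" handling described in the commit above, written as a standalone function beside the pre-fix one-liner it replaces. The sample entries are constructed to mimic release-monitoring.org responses, not real API output.

```python
# Constructed sample entries shaped like release-monitoring.org project
# records, covering the three cases the commit describes.
SAMPLE_ENTRIES = {
    'normal-pkg': {'stable_versions': ['2.5.2', '2.5.1'], 'version': '2.6.0-rc1'},
    'bento4': {'stable_versions': [], 'version': '1.6.0-639'},      # empty array
    'qextserialport': {'stable_versions': []},                      # empty, no fallback
}


def pick_version_old(data):
    """Pre-fix logic: trusts 'stable_versions' whenever the key exists,
    so an empty array raises IndexError."""
    return data['stable_versions'][0] if 'stable_versions' in data \
        else data['version'] if 'version' in data else None


def pick_version(data):
    """Fixed logic as an if/elif/else chain: use 'stable_versions' only
    when it is present and has at least one entry, fall back to
    'version', otherwise report no version."""
    stable = data.get('stable_versions')
    if isinstance(stable, list) and len(stable) > 0:
        return stable[0]
    elif 'version' in data:
        return data['version']
    else:
        return None


def latest_versions(entries):
    """Map package name -> chosen version for a batch of API entries."""
    return {name: pick_version(data) for name, data in entries.items()}


if __name__ == '__main__':
    for name, data in SAMPLE_ENTRIES.items():
        try:
            old = pick_version_old(data)
        except IndexError as exc:
            old = f'IndexError: {exc}'
        print(f'{name:15} old={old!r:30} new={pick_version(data)!r}')
```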
portaudio is an optional dependency (enabled by default) since the
addition of the package in commit
18a8630637
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
jack{1,2} is an optional dependency (enabled by default) since the
addition of the package in commit
18a8630637
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>