This patch adds some packages I contributed to my entry.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit db49315a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP RT to version 4.19.132-cip30-rt12
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c009545716)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP to version 4.19.132-cip30
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50d243cda9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The update to 2020.79 contains several other changes that may not be
appropriate for the LTS branch, hence just backport the single fix.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fix some bugs in the broker and client libraries,
as well as building with below C99 suport.
Read the whole announcement on:
https://mosquitto.org/blog/2020/05/version-1-6-8-released/
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 466bce9c9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation,
passing malformed cache keys could result in a key collision, and
potential data leakage. In order to avoid this vulnerability, key
validation is added to the memcached cache backends.
- CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
query parameters are correctly URL encoded.
For details, see the announcement:
https://docs.djangoproject.com/en/dev/releases/3.0.7/
Additionally, 3.0.5..3.0.7 contains a number of non-security related
bugfixes.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36d78abceb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
[CVE-2020-10543] Buffer overflow caused by a crafted regular
expression
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
crafted regular expression
[CVE-2020-12723] Buffer overflow caused by a crafted regular
expression
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 13ceb980a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-15049: Cache Poisoning Issue in HTTP Request processing
- Fix CVE-2020-14058: Denial of Service issue in TLS handshake
- Fix CVE-2020-14059: Denial of Service when using SMP cache
This version also fix a build failure with systemd
Fixes:
- http://autobuild.buildroot.org/results/4f586c497577d6c96289e821430fa2c2f61eda2a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b5eef337ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
systemd is an optional dependency (enabled by default) since version
4.11 and
6fa8c66435
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a70bcb531c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch adds a missing extern on the outfile
variable in genisoimage.h.
Signed-off-by: Urja Rannikko <urjaman@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d50d04729)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version mainly fixes build issues with more
recent kernels.
98b163a cryptlib.c: fix build on kernel v5.5+
7e72f67 enabled the support for TLS1.1 - AES128-SHA1 - AES256-SHA1
9e76506 Fix build for Linux 5.8-rc1
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 74217ada85)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-41162: Audit hooks are now cleared later during finalization to avoid
missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations when Python
is embedded (CVE-2020-15523).
- bpo-41004: The __hash__() methods of ipaddress.IPv4Interface and
ipaddress.IPv6Interface incorrectly generated constant hash values of 32
and 128 respectively. This resulted in always causing hash collisions.
The fix uses hash() to generate hash values for the tuple of (address,
mask length, network address).
- bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to
guard against header injection attacks.
For more details, see the changelog:
https://docs.python.org/release/3.8.4/whatsnew/changelog.html#security
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d6ff343d67)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For details see [1].
- drop 0001-meson.build-use-local-include-path-for-tools.patch
(upstream [2])
- drop 0003-meson.build-enable-static-library-build.patch
(upstream [3])
[1] https://lists.freedesktop.org/archives/input-tools/2020-July/001541.html
[2] fe8238a71a
[3] a9d324f82b
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6641c8a927)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using ccache to build the exim package, the HOSTCC value contains
spaces, that are incorrectly interpreted by exim's Makefilei, which uses
the first word of ${CC} to test compiler options. This breaks the build
with "unrecognized option" ccache errors.
Fix that by wrapping the HOSTCC variable in double quotes, as it is done
for other variables that follow.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
[yann.morin.1998@free.fr: slight rewording of commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a9486e337a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update label as suggested by Stéphane Veyret, as -Ofast is potentially
dangerous, and may break packages.
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=13046
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3e186cee00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also separate the fields in the hash file by two spaces.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ebfb17eaf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Explicitly do not install udev rules and systemd units when installing
the host version of e2fsprogs, as we do not need those files when
calling host tools provided by e2fsprogs from Buildroot.
This fixes a weird issue I encountered: host-e2fsprogs was built and
installed without any issue when building an image from scratch. But
any attempt to rebuild host-e2fsprogs alone was failing during the
installation steps as it tried to install files to the host system.
This is because e2fsprogs' build system (autotools) is using the
prefix given at configuration time when installing its binaries,
configuration files, man pages, etc... but not when installing its
systemd units and udev rules.
The issue did not arise when building it from scratch, as
host-e2fsprogs do not have a dependency on host-udev/systemd, so its
configure script did not automatically enable udev/systemd
installation steps at first.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ea6ddd3671)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The rule to create the staging symlink has it depend on BASE_DIR, and
the symlink is created in BASE_DIR, which means that when the symlink
is created, BASE_DIR is updated, and thus made more recent than the
symlink itself.
As a consequence, every time one runs 'make', the symlink will be older
than BASE_DIR, and so will be re-created.
Ditto for the host symlink when the user has elected to have an
out-of-tree host dir.
Fix that by changing to using an order-only dependency.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d38e58d4c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and
the database/sql, net/http, and reflect packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 593254c6f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.13.13 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e31919878d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build will fail if gobject-introspection is built before network-manager
but python-gobject is not:
configure: error: "--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)
To avoid this build failure and because we don't need documentation,
just disable introspection
Fixes:
- http://autobuild.buildroot.org/results/d3b1bc2fa7559e66465033c455176761d6e184d1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit adfb36c07d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Get official tarball and its hash
- Update indentation in hash file (two spaces)
This is a fairly important release which includes performance
improvements and new major CLI features. It also fixes a few corner
cases, making it a recommended upgrade.
https://github.com/facebook/zstd/releases/tag/v1.4.5https://github.com/facebook/zstd/releases/tag/v1.4.4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 510b339818)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following security issues:
- SERVER-45514 [FLE] Reject document validators with encryption-related
keywords if the validationAction is “warn”
- SERVER-48039 Unrecognized option: net.ssl.clusterCertificateSelector
in MongoDB v4.2
- SERVER-45803 mongodecrypt needs a ServiceContext
- SERVER-46834 Use monotonic time in UserCacheInvalidator
- SERVER-47113 LDAP connection pool acquisition state should own host
list
https://docs.mongodb.com/manual/release-notes/4.2
Also:
- Update indentation in hash file (two spaces)
- Tweak version to be "compliant" with https://release-monitoring.org
- Use official tarball
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit af45533523)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
oracle-mysql won't built its own bundled zlib since commit
6fed83a030 so don't unconditionally link
with zlib instead use mysql_config to retrieve cflags and libs as
suggested by Thomas Petazzoni in review of first iteration
Fixes:
- No autobuilder failures yet
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit efffb3ea45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gtkvncviewer has been added since version 0.9.13 and
2650cfc17b,
disable it as it is only an example
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c89f62cec6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop all patches (already in version)
- Fix CVE-2018-21247: An issue was discovered in LibVNCServer before
0.9.13. There is an information leak (of uninitialized memory contents)
in the libvncclient/rfbproto.c ConnectToRFBRepeater function.
- Fix CVE-2019-20839: libvncclient/sockets.c in LibVNCServer before
0.9.13 has a buffer overflow via a long socket filename.
- Fix CVE-2019-20840: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/ws_decode.c can lead to a crash because of
unaligned accesses in hybiReadAndDecode.
- Fix CVE-2020-14396: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference.
- Fix CVE-2020-14397: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference.
- Fix CVE-2020-14398: An issue was discovered in LibVNCServer before
0.9.13. An improperly closed TCP connection causes an infinite loop in
libvncclient/sockets.c.
- Fix CVE-2020-14399: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint32_t pointers in
libvncclient/rfbproto.c.
- Fix CVE-2020-14400: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint16_t pointers in
libvncserver/translate.c.
- Fix CVE-2020-14401: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/scale.c has a pixel_value integer overflow.
- Fix CVE-2020-14402: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/corre.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14403: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/hextile.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14404: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings.
- Fix CVE-2020-14405: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/rfbproto.c does not limit TextChat size.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e1b60ef181)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-14148: The Server-Server protocol implementation in
ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated
by the IRC_NJOIN() function.
- Fix a static build failure with openssl thanks to
ad86a41eee
- Update indentation in hash file (two spaces)
Fixes:
- http://autobuild.buildroot.org/results/078a7afc432786316a1d2ea03f96444ff741b942
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53f92e65ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
* CVE-2020-8619: It was possible to trigger an INSIST failure when a
zone with an interior wildcard label was queried in a certain
pattern.
Release notes:
https://ftp.isc.org/isc/bind9/cur/9.11/RELEASE-NOTES-bind-9.11.20.txt
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc7740825a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 'package/rpi-firmware: fix startup file names' ([1]) the
start and fixup file names are normalized to start.elf/fixup.dat,
adjust the rpi4 genimage config files accordingly.
Fixes:
ERROR: file(rpi-firmware/fixup4.dat): stat(.../images/rpi-firmware/fixup4.dat) failed: No such file or directory
ERROR: vfat(boot.vfat): could not setup rpi-firmware/fixup4.dat
[1] https://git.buildroot.net/buildroot/commit/?id=1bdc0334ff6273761b2e7fda730cdcc7e1f46862
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 59c3426c51)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2020-7212 (1.25.2 - 1.25.7)
The _encode_invalid_chars function does not remove duplicate percent
encodings in the _percent_encodings array, which combined with the
normalization step could take O(N^2) time to compute for a URL of
length N. This results in a marginally higher CPU consumption
compared to the potential linear time achieved by deduplicating
the _percent_encodings array.
CC: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fc57db8401)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As spotted by Thomas Petazzoni during review of
https://patchwork.ozlabs.org/project/buildroot/patch/20200713215943.2240412-1-fontaine.fabrice@gmail.com,
oracle-mysql uses its bundled version of zlib if it is not found on the
system
So explictly disable zlib if needed and add a patch fixing build
failures without it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fed83a030)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EXIV2_ENABLE_LIBXMP has been dropped since version 0.27 and
2784b1f7f7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e5310ad13e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EXIV2_ENABLE_BUILD_SAMPLES has been renamed into EXIV2_BUILD_SAMPLES
since version 0.27 and
60d436c969
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9188421331)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prior to gzip 1.10, the compression pipeline used with PCF fonts was
not reproducible due to the implicit -N/--name injecting a timestamp:
$ cat /path/to/file | gzip > /path/to/file.gz
This updates Portable Compiled Format font packages to have a host-gzip
dependency, so gzip version 1.10 or newer will reliably be used.
This change does not affect encodings, which use a seemingly
synonymous compression pipeline, but that happens to be reproducible
with gzip versions at least as old as version 1.3.13:
$ gzip < /path/to/file > /path/to/file.gz
Reported-by: Jordan Speicher <jspeicher@xes-inc.com>
Signed-off-by: Aaron Sierra <asierra@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 10082b2e43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, we delete /usr/share/bash-completion when bash is not enabled.
We need to delete /etc/bash_completion.d too. For example, the jo package
installs files there:
/etc/bash_completion.d/jo.bash
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 18072ecc24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some toolchains, like the Linaro gcc7 toolchains, now install libstdc++ debug
library symbols to /lib/debug, which can be as large as the library itself.
This commit removes the extra debug content if debugging is not enabled.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 04e9a1ec8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
- Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well
as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with
a NULL f_rng argument. An attacker with access to precise enough
timing and memory access information (typically an untrusted operating
system attacking a secure enclave) could fully recover the ECC private
key.
- Fix issue in Lucky 13 counter-measure that could make it ineffective
when hardware accelerators were used (using one of the
MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13
attack to be possible in those configurations, allowing an active
network attacker to recover plaintext after repeated timing
measurements under some conditions.
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
Switch to github to get latest release
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7f79bb5cfd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
