Includes a number of post-18.09.7 bugfixes and to keep in sync with the
docker-engine version.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c5568f9985)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
CVE-2019-13509: Docker Engine in debug mode may sometimes add secrets to the
debug log. This applies to a scenario where docker stack deploy is run to
redeploy a stack that includes (non external) secrets. It potentially
applies to other API users of the stack API if they resend the secret.
And a number of other non-security issues.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1d1fb619f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch used previously to support versions of ln lacking the '-r'
option generated broken links:
$ file target/usr/lib/cups/backend/driverless
target/usr/lib/cups/backend/driverless: broken symbolic link to ../../usr/lib/cups/driver/driverless
Add a squashing of two patches already applied upstream that provide a
better solution:
https://github.com/OpenPrinting/cups-filters/pull/154https://github.com/OpenPrinting/cups-filters/pull/157
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f80ec7963a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
texttotext must be linked to libiconv if !BR2_ENABLE_LOCALE so pull a
patch applied upstream that adds libiconv discovery via autoconf.
With this change, autoreconf requires the config.rpath and ABOUT-NLS
files which are not in v1.25.4. Add a pre-configure hook to fake them.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=12031
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5376b4b4e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building protobuf with optimization but not when building
with -O0. To work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we
force using -O0.
Fixes:
http://autobuild.buildroot.net/results/73dc9610a13d6e14eec58d529617210d93d5dec4/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Arnout: fix variable name]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e975f1cbef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using a newer host system cmake to build MariaDB, the following build
error occurs:
CMake Error at cmake/os/Linux.cmake:29 (STRING):
STRING sub-command REPLACE requires at least four arguments.
Call Stack (most recent call first):
CMakeLists.txt:101 (INCLUDE)
CMake Error at cmake/os/Linux.cmake:29 (STRING):
STRING sub-command REPLACE requires at least four arguments.
Call Stack (most recent call first):
CMakeLists.txt:101 (INCLUDE)
Fixes: https://bugs.busybox.net/show_bug.cgi?id=11781
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c2ff8c63da)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mariadb no longer allows the WITH_SSL=OFF configure option. It will
instead search for openssl or gnutls headers, and if missing error out
with:
CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
Could NOT find GnuTLS (missing: GNUTLS_LIBRARY GNUTLS_INCLUDE_DIR)
(Required is at least version "3.3.24")
Call Stack (most recent call first):
/usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
/usr/share/cmake/Modules/FindGnuTLS.cmake:54 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
libmariadb/CMakeLists.txt:298 (FIND_PACKAGE)
Therefore, make host-mariadb depend on host-openssl, and tell mariadb
to use the system openssl.
This was not found by autobuilders because mariadb isn't built in the
autobuilders (it's part of a choice).
Note that the target mariadb already has an unconditional dependency
on openssl.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fca2e83768)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If follow through the customize-outside-br.txt with how to add external
toolchain in br-ext tree then one thing is missing - inclusion of
*.mk file with external toolchain package description.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 392b60f176)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Remove second patch (already in version)
- Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the
other side of the key exchange had a similar bug.
- When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written as
an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit
of information on average and could cause the value to be 1 byte too
large for the output buffer.
- The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the
same blinding value was generated. This reduced the effectiveness of
the countermeasure and leaked information about the private key
through side channels. Reported by Jack Lloyd.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bab018ee8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Remove all patches except first one (already in version)
- Update first patch
- Fix CVE-2019-6471: A race condition when discarding malformed packets
can cause BIND to exit with an assertion failure
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 395ad387e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I am exclusively using my Gmail address for now on. Reflect this in
the DEVELOPERS file.
Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 916497d7d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mathieu is no longer working at Savoir-faire Linux, update his email
address in the DEVELOPERS file.
Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd7f37606d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a security issue. From the annoncement:
A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive.
If a client sends a SUBSCRIBE packet containing a topic that consists of
approximately 65400 or more '/' characters, i.e. the topic hierarchy
separator, then a stack overflow will occur.
The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions
are available at https://mosquitto.org/files/cve/2019-hier
The fix addresses the problem by restricting the allowed number of topic
hierarchy levels to 200. An alternative fix is to increase the size of the
stack by a small amount.
https://mosquitto.org/blog/2019/09/version-1-6-6-released/
Also notice that 1.6.5 silently fixed a security issue:
CVE-2019-11778
A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778
If an MQTT v5 client connects to Mosquitto, sets a last will and testament,
sets a will delay interval, sets a session expiry interval, and the will
delay interval is set longer than the session expiry interval, then a use
after free error occurs, which has the potential to cause a crash in some
situations.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c5c106e4e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This would normally be enabled by systemctl preset-all however since we
don't have a host systemctl we need to enable the service manually.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b81e00e2ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Keep listing the test infra so the developer is included in reviews, but
trim the list of tests to those the developer are most interested in.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 10acb4ff6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The JSON::PP Perl module is used at build time by the webkitgtk and
wpewebkit packages.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e0c879509d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- ECDSA remote timing attack (CVE-2019-1547)
Severity: Low
- Fork Protection (CVE-2019-1549)
Severity: Low
- Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
Severity: Low
For more details, see the advisory:
https://www.openssl.org/news/secadv/20190910.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 99a2f0dd6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In the SYSV init script allow /etc/default/vmtoolsd to override $ARGS
(if it present)
Signed-off-by: Simon Rowe <simon.rowe@citrix.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3d104ce719)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a number of issues:
- Fix v5 DISCONNECT packets with remaining length == 2 being treated as a
protocol error. Closes#1367.
- Fix support for libwebsockets 3.x (excluding 3.2.0)
- Fix slow websockets performance when sending large messages. Closes
#1390.
- Fix bridges potentially not connecting on Windows. Closes#478.
- Fix clients authorised using use_identity_as_username or
use_subject_as_username being disconnected on SIGHUP. Closes#1402.
- Improve error messages in some situations when clients disconnect.
Reduces the number of "Socket error on client X, disconnecting" messages.
- Fix Will for v5 clients not being sent if will delay interval was greater
than the session expiry interval. Closes#1401.
- Fix CRL file not being reloaded on HUP. Closes#35.
- Fix repeated "Error in poll" messages on Windows when only websockets
listeners are defined. Closes#1391.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7c4cdad1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
CVE-2019-15903: In libexpat before 2.2.8, crafted XML input could fool the
parser into changing from DTD parsing to document parsing too early; a
consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)
then resulted in a heap-based buffer over-read.
While we're at it, also change to use .tar.xz rather than the bigger
.tar.bz2.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 386794d02e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- ASN.1 BER and related dissectors crash. Bug 15870. CVE-2019-13619
https://www.wireshark.org/security/wnpa-sec-2019-20
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ba0ef5240)
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
They are required by the default udev rules.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=12141
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0aa6634318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Useful for test purposes when we want to install util-linux with a
custom TARGET_DIR, e.g.
$ make util-linux-reinstall TARGET_DIR=/tmp/util-linux
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 40af3a6661)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Create the configuration file as /etc/thttpd.conf, as expected by the
systemd unit file.
This matches other web server packages that install configuration files
at /etc/lighttpd/, /etc/apache2, etc.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 349501320b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The init script provided by thttpd is for FreeBSD. Add a custom one,
made specifically for Buildroot.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fc7488e99f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data
from a specified resource over multiple streams. They manipulate window
size and stream priority to force the server to queue the data in 1-byte
chunks. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both, potentially leading to a denial of
service.
- CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both, potentially leading to a denial of service.
- CVE-2019-9513 "Resource Loop": The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess
CPU, potentially leading to a denial of service.
- CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both,
potentially leading to a denial of service.
- CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both, potentially
leading to a denial of service.
- CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of
headers with a 0-length header name and 0-length header value, optionally
Huffman encoded into 1-byte or greater headers. Some implementations
allocate memory for these headers and keep the allocation alive until the
session dies. This can consume excess memory, potentially leading to a
denial of service.
- CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave the
TCP window closed so the peer cannot actually write (many of) the bytes on
the wire. The attacker then sends a stream of requests for a large
response object. Depending on how the servers queue the responses, this
can consume excess memory, CPU, or both, potentially leading to a denial
of service.
- CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames
with an empty payload and without the end-of-stream flag. These frames
can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU, potentially leading to a denial of service.
(Discovered by Piotr Sikora of Google)
Notice that this version bump requires nghttp2 1.39.2. It also includes an
(unconditional) embedded copy of brotli.
Update the license hash because of copyright year changes and the addition
of the MIT-style license text for large_pages and brotli.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8c3032414e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2019-9511: Data Dribble
CVE-2019-9513: Resource Loop
For details, see the advisory:
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/
Notice that libnghttp2 itself is not affected by these vulnerabilities, only
nghttpx and nghttpd (which are currently not built).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4c7e7acbe4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/a6247b95f1578fe1daec485589582310c75b5d84/
luksmeta-v9 generates man pages at build if a2x is available since:
commit 3fa51bb22350fee101fc52044949f6eb394114ae
Author: Daniel Kopeček <dkopecek@redhat.com>
Date: Fri Jul 13 01:52:45 2018 +0200
Generate manual page from source during build time
If a2x (asciidoc) is not available during configure time,
a warning will be generated and the manual page wont be
generated nor installed.
Man pages are not needed on target and the build step fails in certain
setups, so disable it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0471f650b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a potential infinite loop when handling the LUKS
header:
git shortlog v8..v9
Daniel Kopeček (2):
Use asciidoc as the manual page source format
Generate manual page from source during build time
Milan Broz (1):
Fix infinite loop when initializing trimmed LUKS header.
Nathaniel McCallum (3):
Fix invalid man page section reference
Fix typos in the man page
Release version 9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8103460aa1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nfs-utils selects rpcbind, and rpcbind unconditionally selects
libtirpc. Therefore, nfs-utils will never be used with the C library
RPC implementation: libtirpc will always be used. Consequently, all
the conditional logic to use libtirpc only if available is useless,
and we can use libtirpc unconditionally.
As an added bonus, this means that we can enable IPv6, because
libtirpc provides an IPv6-compatible RPC implementation.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=10806
Signed-off-by: Carlos Santos <unixmania@gmail.com>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 749334cb36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This includes the following changes:
94079e6 Fixed invalid UTF-8 codes in ChangeLog
1470a82 Updated service.fedora
9596c53 Updated service.fedora
b50b59b New version 1.9.5
037e059 New version 1.9.5
2681d01 Added test for /dev/random symlink
0dac21b Update to automake 1.16
638e2f0 Fixed built issue on Cygwin
083f827 minimize diff
b38def1 minimize diff
e16369d take into account review by @nbraud
6dfce53 Remove support for CPUID on ia64
fc50dda [PATCH] Output some progress during CUSUM and RANDOM EXCURSION test
be4e481 NEWS: Cleanup extraneous whitespace
0815b3c Fixup upstream changelog
6d52229 Fix type mismatch in get_poolsize
90d00f7 service.redhat: update PIDFile
16a9726 fix segv at start
ceab89a init.d/Makefile.am: add missing dependency
01e3154 Diagnostics capture mode now works correctly by referencing the right variable during rng warmup
f219358 Fix segfault on arm machines
Also add a 'v' prefix in _SITE variable.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8e1b0d8857)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
My email address will be deactivated in two weeks.
Signed-off-by: Refik Tuzakli <refik.tuzakli@savronik.com.tr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a597d3dc8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Python packages should no longer depend on BR2_PACKAGE_PYTHON in their
config file, unless they are only compatible with Python 2.
Signed-off-by: Raphaël Mélotte <raphael.melotte@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5c553ba59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
<Pranit.Sirsat@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[91.207.212.86]
said: 550 5.1.1 User Unknown (in reply to RCPT TO command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fa54d02458)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
autoreconf is not needed since bump to version 1.10.1 in
commit 3cd6faa04c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 75baf4764c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/bfd29593bb6c53d3e9e2d02d2ed6bea360d99c00/
In libnss there is a bug leading to build failure due to double declared
functions. This is due to 2 different #ifdef statements treating the
same function-set.
Add patch to fix this by making the 2 #ifdef statements equal.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 82187f9481)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
(3.44.1)
CVE-2019-11729: More thorough input checking
CVE-2019-11719: Don't unnecessarily strip leading 0's from key material
during PKCS11 import
CVE-2019-11727: Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
Note:
This version requires nspr 4.22 or newer provided by the previous patch.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7e509333ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Rework all 3 patches to make that applicable to 4.22 version.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 385b5686a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Kevin Joly (kevin.joly@sensefly.com)<mailto:kevin.joly@sensefly.com>
Your message couldn't be delivered to the recipient because you don't have permission to send to it.
Looking at his LinkedIn profile, he left SenseFly in January 2019,
which quite certainly explains why his @sensefly.com e-mail address is
no longer working.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55814b8ef9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
