Security and bug fix release with several feature additions.
https://zsh.sourceforge.io/releases.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 21531fa31a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In the case that the WOLFSSL_CALLBACKS macro is set when building
wolfSSL, there is a potential heap over-read of 5 bytes when handling
TLS 1.3 client connections. This heap over-read is limited to wolfSSL
builds explicitly setting the macro WOLFSSL_CALLBACKS; the feature does
not get turned on by any other build options. The macro
WOLFSSL_CALLBACKS is intended for debug use only, but if it is
enabled in production, users are recommended to disable
WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to
update their version of wolfSSL. CVE-2022-42905
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 18b5d6205d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following static build failure raised since bump to version
1.9.4 in commit 1f54af8c4f:
compiling dynamic library 1.9.4
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/m68k-buildroot-uclinux-uclibc/bin/ld.real: /home/giuliobenetti/autobuild/run/instance-0/output-1/host/m68k-buildroot-uclinux-uclibc/sysroot/usr/lib/crt1.o: in function `_start':
(.text+0x1c): undefined reference to `main'
Fixes:
- http://autobuild.buildroot.org/results/9187852fb7a869bf5595275d47929632659a4407
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 85c20ffa95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
LZ4 v1.9.4 is a maintenance release, featuring a substantial amount
(~350 commits) of minor fixes and improvements, making it a recommended
upgrade. The stable portion of liblz4 API is unmodified, making this
release a drop-in replacement for existing features.
- Drop patch (already in version)
- Update hash of lib/LICENSE (year updated in 87a80acbe7)
https://github.com/lz4/lz4/releases/tag/v1.9.4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f54af8c4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 7.85.0 fixes CVE-2022-35252: When curl retrieves and parses
cookies from an HTTP(S) server, it accepts cookies using control codes
(byte values below 32). When cookies that contain such control codes are
later sent back to an HTTP(S) server, it might make the server return a
400 response. Effectively allowing a "sister site" to deny service to
siblings.
Drop upstream patches and autoreconf.
Cc: Matt Weber <matthew.weber@collins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 400b63432e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0
and older releases. This issue may allow an attacker to cause a denial
of service or have other unspecified impact via control over malloc.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 810c0eecf1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patch (already in version) and thus autoreconf
https://gitlab.com/gnutls/libtasn1/-/blob/v4.19.0/NEWS
Fixes the following security issue:
- CVE-2021-46848: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one
array size check that affects asn1_encode_simple_der.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 308678e528)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2022-25308: A stack-based buffer overflow flaw was found in the
Fribidi package. This flaw allows an attacker to pass a specially crafted
file to the Fribidi application, which leads to a possible memory leak or
a denial of service.
- CVE-2022-25309: A heap-based buffer overflow flaw was found in the Fribidi
package and affects the fribidi_cap_rtl_to_unicode() function of the
fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a
specially crafted file to the Fribidi application with the '--caprtl'
option, leading to a crash and causing a denial of service.
- CVE-2022-25310: A segmentation fault (SEGV) flaw was found in the Fribidi
package and affects the fribidi_remove_bidi_marks() function of the
lib/fribidi.c file. This flaw allows an attacker to pass a specially
crafted file to Fribidi, leading to a crash and causing a denial of
service.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0f42b67077)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The libbpf build system currently uses the output of "uname -m" to
determine if the library should be installed in "lib" or
"lib64". However, uname -m returns the architecture of the build
machine, which often has nothing to do with the target CPU
architecture.
A patch has been submitted and accepted upstream to address this
issue, by using the $(CC) -dumpmachine output instead. This ensures
libbpf is installed in either "lib" or "lib64" depending on the
bitness of the target CPU architecture.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c86b69a16d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s390x doesn't support CONFIG_WIRELESS in Linux so let's disable this
package for this architecture.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e18cc291b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s390x doesn't support CONFIG_WIRELESS in Linux so let's disable this
package for this architecture.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 895692594f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s390x doesn't support CONFIG_WIRELESS in Linux so let's disable this
package for this architecture.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bff3a80402)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s390x doesn't support CONFIG_WIRELESS in Linux so let's disable this
package for this architecture.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 33400378d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s390x doesn't support CONFIG_WIRELESS in Linux so let's disable this
package for this architecture.
Fixes:
http://autobuild.buildroot.net/results/693053491ba61edcff0f75a4f30c13958e7e12ce/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 682224d6f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Expat 2.5.0 has been released earlier today. Most importantly, this
release fixes CVE-2022-43680: a heap use-after-free vulnerability after
overeager destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations, with
expected impact of denial of service or potentially arbitrary code
execution.
https://blog.hartwork.org/posts/expat-2-5-0-released
https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26ec7c4d02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.18.7 (released 2022-10-04) includes security fixes to the archive/tar,
net/http/httputil, and regexp packages, as well as bug fixes to the
compiler, the linker, and the go/types package.
go1.18.8 (released 2022-11-01) includes security fixes to the os/exec and
syscall packages, as well as bug fixes to the runtime.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4bb3730fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.18.6 includes security fixes to the net/http package, as well as bug fixes
to the compiler, the go command, the pprof command, the runtime, and the
crypto/tls, encoding/xml, and net packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d2141f65e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On machines supporting Riscv SV57 mode like Qemu, Go programs currently crash
with the following type of error:
runtime: lfstack.push invalid packing: node=0xffffff5908a940 cnt=0x1
packed=0xffff5908a9400001 -> node=0xffff5908a940
The upstream PR fixes this error, but has not yet been merged.
Upstream: https://go-review.googlesource.com/c/go/+/409055/4
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb97f4f354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.18.4 includes security fixes to the compress/gzip, encoding/gob,
encoding/xml, go/parser, io/fs, net/http, and path/filepath packages, as well as
bug fixes to the compiler, the go command, the linker, the runtime, and the
runtime/metrics package.
go1.18.5 includes security fixes to the encoding/gob and math/big packages, as
well as bug fixes to the compiler, the go command, the runtime, and the testing
package.
https://go.dev/doc/devel/release#go1.18.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 417eb476fd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.18.3 includes security fixes to the crypto/rand, crypto/tls, os/exec,
and path/filepath packages, as well as bug fixes to the compiler, and the
crypto/tls and text/template/parse packages.
https://go.dev/doc/devel/release#go1.18
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d3e3728405)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a patch to fix a build failure due to the target GOARCH being used while
bootstrapping the Go compiler with the go-bootstrap compiler.
Uses the host architecture variable instead.
This commit updates the patch with improvements from the upstream PR.
PR: https://github.com/golang/go/pull/52362
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bc3de65655)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enable the supported "riscv64" GOARCH.
Add a patch to fix a build failure due to GOARCH leaking into the calls to the
go-bootstrap compiler. Unsets the GOARCH before calling go-bootstrap.
PR: https://github.com/golang/go/pull/52362
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8a1158f89f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Includes security fixes to the syscall package, as well as bug fixes to the
compiler, runtime, the go command, and the crypto/x509, go/types,
net/http/httptest, reflect, and sync/atomic packages.
Signed-off-by: Joel Stanley <joel@jms.id.au>
[Peter: mark as security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bff7a3f1f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The latest Go release, version 1.18, is a significant release, including changes
to the language, implementation of the toolchain, runtime, and libraries.
https://go.dev/doc/go1.18
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit add69bdec2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2022-38784: Poppler prior to and including 22.08.0 contains an
integer overflow in the JBIG2 decoder
(JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a
specially crafted PDF file or JBIG2 image could lead to a crash or the
execution of arbitrary code. This is similar to the vulnerability
described by CVE-2022-38171 in Xpdf.
- Drop patch (already in version)
https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-22.10.0/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd35c0f363)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-3213: A heap buffer overflow issue was found in
ImageMagick. When an application processes a malformed TIFF file, it
could lead to undefined behavior or a crash causing a denial of
service.
https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c5b1a0b34a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure file is a shell script which searches for a predefined
python binary and then calls configure.py with that.
As we already call configure with the desired python binary we should
call configure.py directly so that the expected python binary is used
and so that the shell wrapper doesn't throw spurious interpreter
validation errors.
This also avoids spurious errors due to the configure shell wrapper
missing supported python versions, for example this fixes:
Node.js configure: Found Python 3.11.0...
Please use python3.10 or python3.9 or python3.8 or python3.7 or python3.6.
/usr/bin/python3.10 ./configure
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f073cf7547)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 1.6.38 [September 14, 2022]
Added configurations and scripts for continuous integration.
Fixed various errors in the handling of tRNS, hIST and eXIf.
Implemented many stability improvements across all platforms.
Updated the internal documentation.
Update hash of LICENSE file (year updated in 723b2d9f2e)
https://sourceforge.net/p/libpng/code/ci/v1.6.38/tree/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fa63bce3f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2022-June/007660.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fe56cf24b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 5.0.1 - 8/2/2022
- On very low speed transfers (<10Kbps) sessions would time out due to
a very large interpacket transmission interval. Fixed by putting a
lower limit on the advertised GRTT of the interpacket transmission
interval.
- Sending of ABORT messages on early shutdown would sometimes fail due
to OpenSSL cleanup functions running before application cleanup.
Changed the ordering of atexit() handlers to ensure OpenSSL cleanup
happens last.
- Fixed missing timestamp update when clients read CONG_CTRL messages
- Fix to GRTT handling on server to ensure it doesn't fall below minimum.
- Fixed bypassed checking of existing files on client for backup
- Various logging fixes
https://sourceforge.net/projects/uftp-multicast/files/Changes.txt/download
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 744607a5cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Starting with glibc 2.34, the gconv modules description has been split in
two:
- a common definition in the old location, /usr/lib/gconv/gconv-modules
- specific definitions in a subdirectory, /usr/lib/gconv/gconv-modules.d/
This is done so as to simplify the handling of glibc gconv modules, and
eventually to segregate those outside of glibc, and so that third-parties
may also provide their own gconv converters and their definitions.
And starting with that same glibc version, most of the gconv modules
definitions are moved to an extra configuration file in that
sub-directory.
It is thus no longer possible to use special code pages, like cp850,
which are very useful to access FAT-formatted devices.
Add support for this new gconv layout, while keeping support for older
glibc versions. Note that the modules themselves are not moved or
renamed, just the definition files have changed.
Instead of passing the one old gconv modules definitions file on stdin,
we pass the base directory to that file, and move into the script the
responsibility to find all the gconv definition files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9d948e1b34)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When only a subset of the glibc gconv modules are installed, we need to
generate a trimmed-down list of available modules. We currently use gawk
for that.
However, we are not using any GNU extension in that awk script, and it
happens to work as expected when using mawk (which has no GNU
extension).
Commit 11c1076db9 (toolchain: add option to copy the gconv libraries)
did not explain why it used gawk explicitly, and given the age for that
commit, we doubt we'd be able to have the involved participants recall
anything from that period...
Besides, gawk is not a requirement for Buildroot.
Switch over to using plain awk.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 822cc1ebc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
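One way to implement the trimmed-down module list that the two gconv commits above describe, as an added example that is not Buildroot's own script: it finds the definition files under a base directory for both the old single-file layout and the glibc 2.34 gconv-modules.d/ layout, then keeps only the module and alias lines needed by the installed converters, using plain awk with no GNU extensions. The function names, the `make_sample_gconv_tree` helper and the sample gconv-modules content are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not Buildroot's or glibc's code): trim a glibc
# gconv-modules description down to the converters actually installed.
set -eu

# List every gconv definition file under BASEDIR: the common
# gconv-modules file, plus gconv-modules.d/*.conf when that
# directory exists (glibc >= 2.34). Older layouts just yield one file.
gconv_definition_files() {
    basedir=$1
    [ -f "$basedir/gconv-modules" ] && echo "$basedir/gconv-modules"
    if [ -d "$basedir/gconv-modules.d" ]; then
        for f in "$basedir/gconv-modules.d"/*.conf; do
            [ -f "$f" ] && echo "$f"
        done
    fi
    return 0
}

# Print the "module" lines whose module file (field 4) is one of the
# kept names, plus every "alias" line pointing at a charset those kept
# modules convert. $1: basedir; remaining args: module names to keep.
# Plain awk only, so mawk and busybox awk work as well as gawk.
gconv_trim_modules() {
    basedir=$1; shift
    keep=$*
    gconv_definition_files "$basedir" | while read -r f; do cat "$f"; done |
    awk -v keep="$keep" '
        BEGIN { na = 0; n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        $1 == "module" && ($4 in want) { print; charset[$2] = 1; charset[$3] = 1 }
        $1 == "alias" { alias[$2] = $3; order[++na] = $2 }
        END {
            for (i = 1; i <= na; i++) {
                a = order[i]
                if (alias[a] in charset) print "alias\t" a "\t" alias[a]
            }
        }'
}

# Constructed sample tree in the glibc 2.34 layout (real files use tabs;
# spaces are equivalent for awk's default field splitting).
make_sample_gconv_tree() {
    dir=$1
    mkdir -p "$dir/gconv-modules.d"
    printf '%s\n' \
        '# from            to              module      cost' \
        'alias  ISO8859-1//     ISO-8859-1//' \
        'module ISO-8859-1//    INTERNAL        ISO8859-1   1' \
        'module INTERNAL        ISO-8859-1//    ISO8859-1   1' \
        > "$dir/gconv-modules"
    printf '%s\n' \
        'alias  CP850//         IBM850//' \
        'module IBM850//        INTERNAL        IBM850      1' \
        'module INTERNAL        IBM850//        IBM850      1' \
        'alias  CP437//         IBM437//' \
        'module IBM437//        INTERNAL        IBM437      1' \
        'module INTERNAL        IBM437//        IBM437      1' \
        > "$dir/gconv-modules.d/gconv-modules-extra.conf"
}
```

Running `gconv_trim_modules "$dir" IBM850` on the sample tree keeps the two IBM850 module lines and the CP850 alias, and drops IBM437 and ISO-8859-1 entirely.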
To generate the glibc locale data, we call into a recursive Makefile,
so as to generate locales in parallel. This is done as part of a
target-finalize hook.
However, that hook is registered after all packages have been parsed,
and as such, it may be registered after hooks defined in packages.
Furthermore, the expansion of target-finalize hooks is done in a recipe,
so it is not easy to understand whether this generates a "simple" rule
or not.
As a consequence, despite the use of $(MAKE), make may not notice that
the command is a recursive call, and will decide to close the jobserver
file-descriptors, yielding warnings like:
make[2]: warning: jobserver unavailable: using -j1. Add '+' to
parent make rule.
This causes the locale data to not be generated in parallel, which is
initially all the fuss about using a sub-makefile...
So, do as suggested, and prepend the hook with a '+', so that it is
explicit to make that it should not close its jobserver fds.
Fixes: 6fbdf51596 (Makefile: Parallelize glibc locale generation)
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Gleb Mazovetskiy <glex.spb@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4164ed24f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We use gpsd's upstream systemd service unit files, which define a
dependency on chronyd.service. And indeed, upstream chrony does
provide an example service unit file chronyd.service.
However, in Buildroot, we are not using chrony's upstream unit, we are
providing our own, much simplified as compared to upstream. We install
that unit file as chrony.service. Notice that subtle difference in the
name: upstream's is chronyd, with a trailing 'd', while ours is just
chrony, without the trailing 'd'.
As a consequence, in a Buildroot-built system, gpsd does not wait
until chrony is started, which causes all kinds of mayhem when gpsd
actually needs to talk to chrony.
We have multiple options:
1. use chrony's upstream unit file;
2. rename the chrony service file as installed by Buildroot, to match
what chrony would actually do;
3. tweak gpsd's unit file to refer to chrony.service, not
chronyd.service;
4. leverage systemd's flexibility in how units are defined, and provide
a drop-in to complement gpsd's unit to also wait for chrony.service.
For 1. it is totally unknown why we do have our unit file to begin with,
rather than use upstream's. Since upstream's is much more complex than
ours, using it might have unforeseen consequences.
Going with 2. seems the easiest at first sight, but then it would break
systems where users provide their own drop-ins for chrony, as they would
no longer match.
3. is relatively easy, but running sed is not entirely nice. Besides, it
semantically should be a post-install hook, rather than a systemd-init
command, but again that makes things a bit more ugly. Also, some people
may have their own gpsd.service in an overlay or whatever, which would
break our fixup.
Solution 4. is pretty straightforward, although it is not ideal either.
To be noted: some distributions, like Ubuntu 20.04 at least, do install
the chrony unit file as chrony.service, like Buildroot does. However,
there does not appear to be any fixup in gpsd for this discrepancy, as
their gpsd install still refers to chronyd.service. So that does not
help us decide what to do.
So, eventually, we decided to go with solution 4, which has the least
impact on the system, and keeps the status-quo for all other use-cases.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2c9ef36242)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since gpsd-3.22, the systemd service files no longer contain hard-coded
paths to /usr/local/, but use @SBINDIR@ which is replaced appropriately
at build time, and contains the correct path.
Drop the legacy fixup now.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b3b962c935)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2022-40674: bundled libexpat was upgraded from 2.4.7 to 2.4.9 which
fixes a heap use-after-free vulnerability in function doContent
- gh-97616: a fix for a possible buffer overflow in list *= int
- gh-97612: a fix for possible shell injection in the example script
get-remote-certificate.py (this issue originally had a CVE assigned to it,
which its author withdrew)
- gh-96577: a fix for a potential buffer overrun in msilib
License hash changed due to links in license text being changed from
http to https:
96f8d3619d
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 72e8471b5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>