Bugfix release with important bugfixes:
https://github.com/timescale/timescaledb/releases/tag/2.0.2
This maintenance release contains bugfixes since the 2.0.1 release. We
deem it high priority for upgrading.
The bug fixes in this release address issues with joins, the status of
background jobs, and disabling compression. It also includes
enhancements to continuous aggregates, including improved validation
of policies and optimizations for faster refreshes when there are a
lot of invalidations.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old at91bootstrap version (1.x) uses a strange variant of the BSD
license, called "BSD Source Code Attribution" and referenced by SPDX
as BSD-Source-Code.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3887e8c095)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
- fix for memory leak in set of listen-to property
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 99362e8d17)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
where several Nettle signature verification functions (GOST DSA, EDDSA &
ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
function being called with out-of-range scalers, possibly resulting in
incorrect results. This flaw allows an attacker to force an invalid
signature, causing an assertion failure or possible validation. The
highest threat to this vulnerability is to confidentiality, integrity,
as well as system availability.
https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed653df573)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docutils is not a dependency since version 1.18.0 and
dd24dd1b2e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 34764dcfac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As of v8.2008 rsyslog no longer provides a default service file, and now
suggests using the platform suggested defaults. For Buildroot, install
the Debian service file which has been added in the same version,
however is not included in the official release.
Upstream commit which adds this service file:
cfd07503ba
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4732b78221)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
boost date-time is not a dependency since version 4.9700 and
a3eacbc987
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4b4d98e2c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch not needed since commit 37f197f863
which bumped host-cmake dependency from 3.10 to 3.15
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a46b41b4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8d51ee7c79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. For details, see the changelog:
https://curl.se/changes.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cffe295259)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d06bf96097)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ijson < 2.5 (as available in Debian 10) use the slow python backend by
default instead of the most efficient one available like modern ijson
versions, significantly slowing down cve checking. E.G.:
time ./support/scripts/pkg-stats --nvd-path ~/.nvd -p avahi --html foobar.html
Goes from
174,44s user 2,11s system 99% cpu 2:58,04 total
To
93,53s user 2,00s system 98% cpu 1:36,65 total
E.G. almost 2x as fast.
As a workaround, detect when the python backend is used and try to use a
more efficient one instead. Use the yajl2_cffi backend as recommended by
upstream, as it is most likely to work, and print a warning (and continue)
if we fail to load it.
The detection is slightly complicated by the fact that ijson.backends used
to be a reference to a backend module, but is nowadays a string (without the
ijson.backends prefix).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f31227e628)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
showing "enable home daemon"
and "homed support needs a toolchain w/ threads, dynamic library, kernel headers >= 4.12"
when BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_12
introduced by fa62b5165c
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5d4dc98c58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 841c695468 (libdrm: change to meson build system) converted the
autotools --disable-manpages to the neson -Dmanpages=false. However, the
actual option is 'man-pages':
WARNING: Unknown options: "manpages"
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: tweak commit log as per Peter's review]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 56fd68b688)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enable introspection when GObject Introspection is enabled.
Signed-off-by: Einar Jon Gunnarsson <tolvupostur@gmail.com>
Acked-by: Aleksander Morgado <aleksander@aleksander.es>
[yann.morin.1998@free.fr: drop config option, rely on GOI package]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c45accd295)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add Signed-off-by and while at it, renumber it
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=13731
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 575c60ff9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
i2c-tools 4.2 contained an invalid check, leading to verbose false-positive
warning messages when the variable length ({r,w}?) option is used:
https://www.spinics.net/lists/linux-i2c/msg50032.htmlhttps://www.spinics.net/lists/linux-i2c/msg50253.html
Unfortunately upstream does not make bugfix releases, instead opting to list
such bugfixes on the wiki:
https://i2c.wiki.kernel.org/index.php/I2C_Tools
So add the patch here.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 535c65594c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-1386: Fix for UnRAR DLL load privilege escalation. Affects
0.103.1 and prior on Windows only.
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. Affects 0.103.0
and 0.103.1 only.
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash.
Affects 0.103.0 and 0.103.1 only.
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects
0.103.1 and prior.
- CVE-2021-27506: The ClamAV Engine (Version 0.103.1 and below) embedded in
Storsmshield Network Security (1.0 to 4.1.5) is subject to DoS in case of
parsing of malformed png files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7aee27c2b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-21240: httplib2 is a comprehensive HTTP client library
for Python. In httplib2 before version 0.19.0, a malicious server
which responds with long series of "\xa0" characters in the
"www-authenticate" header may cause Denial of Service (CPU burn while
parsing header) of the httplib2 client accessing said server. This is
fixed in version 0.19.0 which contains a new implementation of auth
headers parsing using the pyparsing library.
- Fix CVE-2020-11078: In httplib2 before version 0.18.0, an attacker
controlling unescaped part of uri for `httplib2.Http.request()` could
change request headers and body, send additional hidden requests to
same server. This vulnerability impacts software that uses httplib2
with uri constructed by string concatenation, as opposed to proper
urllib building with escaping. This has been fixed in 0.18.0.
- Use LICENSE file instead of PKG-INFO
- pyparsing is a runtime dependency since version 0.19.0 and
bd9ee252c8https://github.com/httplib2/httplib2/blob/v0.19.1/CHANGELOG
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2050b4869d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Notice: This fixes a security issue, but in code not used in Buildroot:
ifcfg-rh: handle "802-1x.{,phase2-}ca-path". Otherwise setting this
property silently fails and a profile might accidentally not perform
any authentication (CVE-2020-10754).
Update indentation in hash file (two spaces)
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.22.16/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: Clarify that security issue isn't applicable to Buildroot]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6db751e1e1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-35964: track_header in libavformat/vividas.c in FFmpeg 4.3.1 has
an out-of-bounds write because of incorrect extradata packing.
- CVE-2020-35965: decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an
out-of-bounds write because of errors in calculations of when to perform
memset zero operations.
Removed patch which was applied upstream:
ca55240b8c
Changelog:
http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=28d79ea1aed0a59f43ee922f5b6efa82dc7e2b18;hb=refs/heads/release/4.3
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2a3cfb2381)
[Peter: mark as security fix, extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
