An issue was discovered in the C AMQP client library (aka rabbitmq-c)
through 0.13.0 for RabbitMQ. Credentials can only be entered on the
command line (e.g., for amqp-publish or amqp-consume) and are thus
visible to local attackers by listing a process and its arguments.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Drop --without-x (now unrecognized)
- Fix CVE-2023-40745: LibTIFF is vulnerable to an integer overflow. This
flaw allows remote attackers to cause a denial of service (application
crash) or possibly execute an arbitrary code via a crafted tiff image,
which triggers a heap-based buffer overflow.
- Fix CVE-2023-41175: A vulnerability was found in libtiff due to
multiple potential integer overflows in raw2tiff.c. This flaw allows
remote attackers to cause a denial of service or possibly execute an
arbitrary code via a crafted tiff image, which triggers a heap-based
buffer overflow.
https://libtiff.gitlab.io/libtiff/releases/v4.6.0.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Drop patches (already in version)
- tests can be disabled since version 1.2.3 and
e2e3d6b14e
- docs can be disabled since version 1.2.3 and
af6c10e8be
- Fix CVE-2023-46228: zchunk before 1.3.2 has multiple integer overflows
via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c,
lib/dl/multipart.c, or lib/header.c.
https://github.com/zchunk/zchunk/compare/1.2.2...1.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix the following build failure raised since the addition of the package
in commit 0a01085abe:
CMake Error at /home/buildroot/autobuild/instance-3/output-1/host/share/cmake-3.27/Modules/CMakeTestCXXCompiler.cmake:60 (message):
The C++ compiler
"/usr/bin/c++"
is not able to compile a simple test program.
Fixes:
- http://autobuild.buildroot.org/results/4b94edf6dee03e74ff53939aa228069cc6ba4292
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: propagate to spirv-tools]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The update-bash-completion.sh issue is now fixed, so remove the workaround:
https://github.com/dfu-programmer/dfu-programmer/pull/91
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that we have HTTPS support for sources.buildroot.net (through Lets
encrypt / Cloudflare), it makes sense to default to it for our backup site.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The host-riscv64-elf-toolchain package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes: 487761a5b2 ("package/xdg-dbus-proxy: bump to version 0.1.5")
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update local patch to add missing strerror_l() to other files.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Significant update with new features & fixes.
Full release notes:
https://github.com/docker/compose/releases/tag/v2.23.0
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-mxsldr package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
MiniZip in zlib through 1.3 has an integer overflow and resultant
heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
filename, comment, or extra field. NOTE: MiniZip is not a supported part
of the zlib product.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 0b9efc991f ("linux: use BR2_MAKE") switched LINUX_MAKE to
$(BR2_MAKE) to avoid build issue with kernel version >= 6.2 and GNU
Make version < 3.82. However, the same issue is actual for kernel
modules as well.
Using $(BR2_MAKE) should guarantee a consistent behavior between
kernel and kernel-modules builds.
Signed-off-by: Alexey Romanov <avromanov@sberdevices.ru>
Signed-off-by: Sergey Bobrenok <SIBobrenok@sberdevices.ru>
[yann.morin.1998@free.fr: minor coding style]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Support for sha256 has no additional dependency, the size increase is
minimal, and sha256 is the smallest hash still not broken (md5 and sha1
are), so it makes sense to enable it unconditionally.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: make it unconditional and commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: drop option, use package as condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: drop option, use package as condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: drop option, use package as condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: drop option, use package as condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: drop option, use package as condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In commit d31db334c3 (opkg: Add gnupg signature checking support.),
the macro definition for the hook, and the hook assignment, got
separated by the then-newly introduced GPG handling.
Move the macro definition closer to the hook assignment. Since this is
a post-install hook, it is but logical that it comes further down in
the .mk file.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested in Fedora 39 and Debian 11 with:
./support/testing/run-tests tests.package.test_opkg.TestOpkg.test_run
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since the bump of tar to version 1.35 in Buildroot commit
d4d483451f ("package/tar: security bump
to version 1.35"), the build will fail on systems that are not Y2038,
such as uClibc configurations.
In order to preserve the previous behavior, pass --disable-year2038.
See the gnulib documentation for details [0]. Contrary to what the
option name might suggest, it doesn't really disable Y2038 support,
but only the check that the system is Y2038 compliant. So even with
--disable-year2038, if the system is Y2038 compliant (uses a 64-bit
arch, uses the musl C library, or uses the glibc C library with
BR2_TIME_BITS_64=y), tar will be Y2038 compliant.
[0] https://www.gnu.org/software/gnulib/manual/html_node/Avoiding-the-year-2038-problem.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested with tests.package.test_python_django.TestPythonPy3Django.test_run in
Fedora 38 and Debian 11
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This is a security release, fixing a number of important issues.
https://forum.suricata.io/t/suricata-6-0-15-released/4068/2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Buildroot commit eb60820c0a disabled
elfutils for musl toolchains in 2015. Current code builds fine with musl
so remove the exceptions.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[yann.morin.1998@free.fr:
- move all libc-related conditional blocks together
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
