Commit Graph

9 Commits

Author SHA1 Message Date
Fabrice Fontaine
ba65ca804e expat: bump to version 2.2.6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-08-29 20:57:33 +02:00
Adam Duskett
78e964bc22 expat: bump to 2.2.5
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-22 22:29:49 +01:00
Baruch Siach
bfa4428d78 expat: bump to version 2.2.4
Upstream migrated to automake for autotools: the "installlib" target
no longer exist, and we can use the standard "install" target, and
therefore drop the special INSTALL_STAGING_OPTS and
INSTALL_TARGET_OPTS variables.

Add license hash.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-06 22:42:14 +02:00
Baruch Siach
b0a7ac8873 expat: bump to version 2.2.3
Drop the XML_POOR_ENTROPY workaround. Upstream commit fd9581a34e5665
(Never require XML_POOR_ENTROPY for "./configure && make") fixes this
issue.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-08-09 23:51:21 +02:00
Baruch Siach
b3eca09500 expat: security bump to version 2.2.2
Changes (security fixes):

[MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
                 resulted in NULL dereference, previously

Drop upstream patch.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-16 23:25:54 +02:00
Peter Korsgaard
c0ad6ded01 expat: security bump to version 2.2.1
Fixes:

- CVE-2017-9233 - External entity infinite loop DoS. See:
  https://libexpat.github.io/doc/cve-2017-9233/

- CVE-2016-9063 -- Detect integer overflow

And further more:

- Fix regression from fix to CVE-2016-0718 cutting off longer tag names.

- Extend fix for CVE-2016-5300 (use getrandom() if available).

- Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
  version of SipHash).

Also add an upstream patch to fix detection of getrandom().

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-19 22:06:03 +02:00
Gustavo Zacarias
c27ecf4930 expat: security bump to version 2.2.0
Fixes:

CVE-2016-4472 - Improve insufficient fix to CVE-2015-1283 /
CVE-2015-2716 introduced with Expat 2.1.1

CVE-2016-5300 - Use more entropy for hash initialization than the
original fix to CVE-2012-0876

CVE-2012-6702 - Resolve troublesome internal call to srand that was
introduced with Expat 2.1.0 when addressing CVE-2012-0876

Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-06-23 21:11:14 +02:00
Gustavo Zacarias
63b9681d64 expat: bump to version 2.1.1
Drop 0001-fix-CVE-2015-1283.patch since it's upstream.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-14 08:48:43 +01:00
Yann E. MORIN
2ced21f8f9 package: add hashes for SourceForge-hosted packages
Since SourceForge sometimes serves us faulty tarballs, we can tons of
autobuild failures:
    http://autobuild.buildroot.org/results/9fb/9fba5bf086a4e7a29e5f7156ec43847db7aacfc4/
    http://autobuild.buildroot.org/results/6c8/6c837b244c45ac3b3a887734a371cd6d226cf216/
    ...

Fix that by adding hash files for all SourceForge-hosted packages (thos
etht did not already have it).

We normally prefer to use hashes published by upstream, but hunting them
all one by one is a tedious task, so those hashes were all locally
computed with a script that searched for SF-hosted packages, downloades
the associated tarball, computed the hash, and stored it in the
corresponding .hash file.

Also, SF publishes sha1 hashes, while I used the stronger sha256, since
sha1 is now considered to be relatively weak.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Richard Braun <rbraun@sceen.net>
Cc: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-28 22:21:16 +01:00