Commit Graph

68879 Commits

Author SHA1 Message Date
Peter Korsgaard
fbcc1bf533 docs/website: Update for 2023.02.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-31 21:30:47 +02:00
Peter Korsgaard
d283473ae4 Update for 2023.02.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b8e5b19ad)
[Peter: drop Makefile/Vagrantfile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-31 21:28:50 +02:00
Peter Korsgaard
1f137a03ea docs/website: Update for 2023.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-31 20:28:40 +02:00
Peter Korsgaard
386b72ca22 Update for 2023.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3923a4fac8)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-31 20:12:26 +02:00
Bernd Kuhls
16c3b4b92b {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 4}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-30 23:45:22 +02:00
Fabrice Fontaine
3c8d890c19 toolchain/helpers.mk: strengthen uClibc locale check
Currently, when verifying the configuration of a uClibc toolchain for
the presence of locale support, we check __UCLIBC_HAS_LOCALE__. It
turns out that we in fact also expect __UCLIBC_HAS_XLOCALE__ to be
defined, as without it locale_t is not defined, causing build failure
in some packages, such as libcpprestsdk:

In file included from /home/thomas/autobuild/instance-0/output-1/build/libcpprestsdk-2.10.18/Release/include/cpprest/json.h:18,
                 from /home/thomas/autobuild/instance-0/output-1/build/libcpprestsdk-2.10.18/Release/src/pch/stdafx.h:88,
                 from /home/thomas/autobuild/instance-0/output-1/build/libcpprestsdk-2.10.18/Release/src/http/client/http_client_msg.cpp:13:
/home/thomas/autobuild/instance-0/output-1/build/libcpprestsdk-2.10.18/Release/include/cpprest/asyncrt_utils.h:317:13: error: 'locale_t' does not name a type
  317 |     typedef locale_t xplat_locale;
      |             ^~~~~~~~

As essentially our requirement for uClibc in external toolchains is
"it should match the uClibc configuration used by Buildroot for
internal toolchains", it makes sense to verify
__UCLIBC_HAS_XLOCALE__. Note that of course checking
__UCLIBC_HAS_XLOCALE__ is sufficient, as it cannot be enabled if
__UCLIBC_HAS_LOCALE isn't.

This addresses an issue with the Synopsys ARC external toolchain,
which is built with __UCLIBC_HAS_LOCALE__, but without
__UCLIBC_HAS_XLOCALE__ causing a build failure with some
packages (such as libcpprestsdk).

Therefore, this patch also changes how the Synospys ARC external
toolchain is exposed in Buildroot: it no longer advertise locale
support.

Fixes:

  http://autobuild.buildroot.org/results/e6778e60cc1ea455f5b4511d5824f04d8040f67b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-30 23:44:24 +02:00
Daniel Lang
6fa3a239ac support/scripts/gen-missing-cpe: remove rarely used script
The intention of this script is to generate the XML that can be sent to
NVD to request a new CPE identifier.

As discussed on the mailing list [0] keeping up with version numbers of
all registered CPE ID won't work.
In addition the feed used to generated the XML files will be retired
[1]. In the future an API needs to be used for fetching the data in
connection with a local database.
All of this works against keeping this script and porting it to the new
API.
As a last blow Matthew, the original author concluded [2]:
> Makes sense to drop it.  There never got to be enough momentum in the overall
> software community to make CVE or even the new identifier really accurate.

The intention is to ignore the version part of CPE IDs in the future,
and only look at the version range specified on a CVE. Therefore, a tool
to add new CPE ID versions isn't useful to us. It might still be useful
to have a tool to create the vendor and project parts of a CPE ID.
However, the current gen-missing-cpe tool doesn't support that, and the
API is anyway going to be retired. So there is no reason at all to keep
this around.

Remove gen-missing-cpe and the cpedb module. Remove the Makefile target
to call the script.

Since the cpedb module is removed, the CPEDB_URL definition must be
moved to the place where it is still used, in pkg-stats.

[0]: https://lists.buildroot.org/pipermail/buildroot/2023-August/672620.html
[1]: https://nvd.nist.gov/General/News/change-timeline
[2]: https://lists.buildroot.org/pipermail/buildroot/2023-August/672651.html

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 22:39:23 +02:00
Daniel Lang
8997c746fa support/scripts/pkg-stats: fix typos
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 22:22:05 +02:00
Thomas Petazzoni
829610c701 package/heirloom-mailx: ignore CVE-2004-2771
The CVE-2004-2771 is already fixed by the Debian patch
0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch. The Debian patch
description is:

Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)

See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
more details.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 22:12:02 +02:00
Thomas Petazzoni
94716fdb48 package/heirloom-mailx: fix comment about ignore CVE-2014-7844
In commit
15972770cf ("package/heirloom-mailx:
security bump to version 12.5-5 from Debian"), we added CVE-2014-7844
in HEIRLOOM_MAILX_IGNORE_CVES, but with the wrong comment about it: it
is a different patch in the Debian stack of patches that fixes
it. Indeed the description of patch
0011-outof-Introduce-expandaddr-flag.patch is:

=====================================================================
Subject: [PATCH 1/4] outof: Introduce expandaddr flag

Document that address expansion is disabled unless the expandaddr
binary option is set.

This has been assigned CVE-2014-7844 for BSD mailx, but it is not
a vulnerability in Heirloom mailx because this feature was documented.
=====================================================================

See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
details.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 22:05:13 +02:00
Thomas Petazzoni
cf686670b9 package/log4cxx: ignore CVE-2023-31038
CVE-2023-31038 affects log4cxx only if ODBC is supported. While
CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
quite a huge gap to do a version bump, and the commit that fixes
CVE-2023-31038 could not be identified.

Therefore, we want to rely on the fact that our log4cxx package does
not support ODBC: there is indeed no explicit dependency on our
unixodbc package in log4cxx.mk. However, log4cxx automatically detects
if ODBC is available and if it is, it uses it.

So what we do in this commit is backport an upstream commit, which
adds explicitly options to enable/disable ODBC and ESMTP support, and
we use them to (1) always disable ODBC and (2) explicitly
enable/disable ESMTP support.

Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.

Of course, there is a potential regression for users who were relying
on the implicit unixodbc dependency, but as we could not identify the
commit fixing the CVE-2023-31038, this is the best we can do at the
moment.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 22:02:45 +02:00
Arnout Vandecappelle
6bee7c3eb2 .checkpackageignore: correct renamed path of openjdk 17.0.8+7 patch
Commit c1038fe47c renamed the patch, but didn't update
.checkpackageignore, leading to two failures:

.checkpackageignore:1055: ignored file package/openjdk/17.0.7+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch is missing
package/openjdk/17.0.8+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

Rename the file in .checkpackageignore as well.

Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:57:01 +02:00
Thomas Petazzoni
65c99394ff boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).

So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.

It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.

This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.

All Grub test cases are working fine:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:54:23 +02:00
Yann E. MORIN
60f50a5e34 package/pcm-tools: fix github-download
The pcm-tools package contains a version.h with git attributes:

    $ cat version.h
    #define PCM_VERSION " ($Format:%ci ID=%h$)"

    $ man 5 gitattributes
       Creating an archive
         export-subst
           If the attribute export-subst is set for a file then Git
           will expand several placeholders when adding this file to
           an archive. The expansion depends on the availability of
           a commit ID, i.e., if git-archive(1) has been given a tree
           instead of a commit or a tag then no replacement will be
           done. The placeholders are the same as those for the option
           --pretty=format: of git-log(1), except that they need to be
           wrapped like this: $Format:PLACEHOLDERS$ in the file. E.g.
           the string $Format:%H$ will be replaced by the commit hash.

So, the archive generated by github has changed since we updated
pcm-tools in 2021-12-08 with commit d1d93d488c (package/pcm-tools:
bump to version 202110). The downlad was still OK in 2022-01-04 [0]
but has been failing at least since 202-08-25 [1].

Since the archive is generated on the github side, there is not much we
can do to fix this up.

We switch over to using git to do the download, and we generate the
archive localy, which we know is reproducible.

We fix the version.h so that it contains the same string as the backup
tarball we host on s.b.o.

There are three other files in pcm-tools that have git attributes, to
exclude them from the generated archive, all pertaining to CI/CD stuff:
    .cirrus.yml export-ignore
    .gitlab-ci.yml export-ignore
    .travis.yml export-ignore

We don't remove them, because they have no impact on the build, and they
are anyway already present in the archive by the time we could act on it
anyway...

[0] http://autobuild.buildroot.org/results/127/1276a3d49c8848039f034e7f03632df365097e94/
[1] http://autobuild.buildroot.org/results/8bb/8bbf9c36af332bbf5e7c1abcbb594a0b231ef97e/

Reported-by: Woody Douglass <wdouglass@carnegierobotics.com>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:40:46 +02:00
Adam Duskett
c1038fe47c package/openjdk{-bin}: security bump versions to 11.0.20+8 and 17.0.8+7
Fixed the following security issues:

* CVEs
  - CVE-2023-22006
  - CVE-2023-22036
  - CVE-2023-22041
  - CVE-2023-22044
  - CVE-2023-22045
  - CVE-2023-22049
  - CVE-2023-25193
* Security fixes
  - JDK-8298676: Enhanced Look and Feel
  - JDK-8300285: Enhance TLS data handling
  - JDK-8300596: Enhance Jar Signature validation
  - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
  - JDK-8302475: Enhance HTTP client file downloading
  - JDK-8302483: Enhance ZIP performance
  - JDK-8303376: Better launching of JDI
  - JDK-8304468: Better array usages
  - JDK-8305312: Enhanced path handling
  - JDK-8308682: Enhance AES performance

For details, see the announcements:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-July/024064.html
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-July/024063.html

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:36:43 +02:00
Daniel Lang
47b79476fb package/libxcrypt: fix build with perl >= 5.38
perl 5.38 deprecated smartmatch (~~ and the given/when syntax).
Backport an upstream patch to drop uses of when.

Fixes:
- http://autobuild.buildroot.net/results/04c/04cf8d79fe8a58c3438e7be95ae781c9b2bef8a0/

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-29 23:27:58 +02:00
Peter Korsgaard
04bc804630 Update for 2023.08-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-29 15:00:27 +02:00
Waldemar Brodkorb
41280018b3 package/f2fs-tools: fix musl compile error
musl 1.2.4 removed the lseek64 function, but kept a definition of lseek64
when _LARGEFILE64_SOURCE is defined.

Add patch from upstream to kill the usage of lseek64.

There is no need to backport it to older Buildroot releases, because musl 1.2.4
is not part of any release.

Fixes:
 - http://autobuild.buildroot.net/results/17f/17f4ea7d62581cf8c574deeb98e1785220d5bd3f

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-29 12:42:03 +02:00
Bernd Kuhls
c9a4c8a056 {linux, linux-headers}: bump 6.1.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-29 10:47:55 +02:00
Bernd Kuhls
387d66dc4f package/clamav: security bump version to 1.0.3
Release notes:
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html

Fixes CVE-2023-40477:
"Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.10."

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-29 10:34:38 +02:00
James Hilliard
df6aed587f package/{rust, rust-bin}: security bump to version 1.71.1
Fixes CVE-2023-38497: Cargo not respecting umask when extracting crate
archives
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html

Link to Rust 1.71.1 announcement: https://blog.rust-lang.org/2023/08/03/Rust-1.71.1.html

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-28 08:17:46 +02:00
Romain Naour
e0166ecba0 support/misc/gitlab-ci.yml.in: retry a job only if it failed due to a runner issue
Each time a new pipeline is triggered, some jobs may fail due to
temporary issue with a Gitlab runner (network, power supply, docker or
maintainance).

Most of the problems are "runner system failure" [1] and require to
retart each failed jobs manually by maintainers to complete the
pipeline with only real failures if any.

The "retry" keyword allows to configure how many times a job is retried
if it fails. "retry:when" allows to retry a failed job only on
specific failure types like "runner_system_failure".

While at it, retry a job if it failed due to a timeout failure (this
timeout means that the job was pending for more than 24h) [2].

Such timeout failures occur on pipelines testing each Buildroot's
defconfig since there is not enough gitlab runner available to build
all of them within 24h.

Retry only jobs that are more likely to wait for a runner
(generate-gitlab-ci-yml, runtime_test_base, defconfig_base and test_pkg).

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949397 (runner system failure)
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949530 (timeout failure or the job got stuck)

https://docs.gitlab.com/ee/ci/yaml/#retrywhen

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-27 10:09:37 +02:00
Waldemar Brodkorb
5acaac7122 package/gcc: fix powerpc toolchain issues with 64-bit capable cores
Some of the powerpc CPUs supported by Buildroot are dual mode CPUs,
which means 32 Bit and 64 Bit mode is supported, and for any 64-bit
capable CPU, GCC defaults to using 64-bit, even if the toolchain tuple
starts with powerpc-* (and not powerpc64-*). This causes issues when
building toolchains with uClibc or musl.

In order to resolve this, we force GCC to understand we want to
generate 32-bit code, using the --with-cpu-32 option.

See here the gcc documentation for details about --with-cpu-32:
https://gcc.gnu.org/install/configure.html

See here for a discussion on the musl mailinglist about the error:
https://inbox.vuxu.org/musl/20220722162900.GB1320090@port70.net/

Fixes:
 - http://autobuild.buildroot.net/results/450/4509d8cfb7d99beb4ef023f170490def1d90f92c
 - http://autobuild.buildroot.net/results/654/6545a464d49f9f3c6740a5208cfad7f09ec4cb8b
 - http://autobuild.buildroot.net/results/cf8/cf866d5320b069eb1e8b4f05e8e58de0ad2ec7b5

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 21:51:26 +02:00
Bernd Kuhls
19da044715 {linux, linux-headers}: bump 5.{10, 15}.x / 6.1.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 20:07:38 +02:00
Bernd Kuhls
a26fa40853 package/python3: security bump version to 3.11.5
Added md5 hash provided by upstream.

Release notes: https://www.python.org/downloads/release/python-3115/

Fixes CVE-2023-40217.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 20:06:32 +02:00
Romain Naour
3214d9d2b8 configs/sipeed_{maixduino, maix_go}_sdcard_defconfig: fix build with binutils >= 2.38
Backport an upstream patch fixing the build with binutils >= 2.38
for riscv's for Zicsr and Zifencei.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949340
https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949329

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 20:06:04 +02:00
Romain Naour
0ee8ef970b configs/freescale_imx6qsabresd_defconfig: fix defconfig
While switching ATF to github, the BR2_TARGET_UBOOT_CUSTOM_GIT=y
symbol was not removed. Since then this defconfig fail to build
in gitlab-ci due to invalid defconfig check.

  WARN: defconfig ./configs/freescale_imx6qsabresd_defconfig can't be used:
        Missing: BR2_TARGET_UBOOT_CUSTOM_GIT=y

[1] dd42b159a5

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4889436612

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 20:06:01 +02:00
Romain Naour
01893c74eb configs/hifive_unleashed_defconfig: bump to kernel 5.10.190
We have to bump the kernel version to build with gcc >= 12 for riscv
and zicsr/zifencei extension [1] [2].

Similar to 0a4ac1e7fa.

Fixes:
./arch/riscv/include/asm/vdso/gettimeofday.h: Assembler messages:
./arch/riscv/include/asm/vdso/gettimeofday.h:71: Error: unrecognized opcode `csrr a5,0xc01', extension `zicsr' required

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7486227fa47aa84b102be18fd9985f6e8e11e756
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b077b22ea9ff698840ff9305d9382935fb41540

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 19:50:59 +02:00
Romain Naour
b6a96f8be2 configs/hifive_unleashed_defconfig: uboot needs pylibfdt
uboot needs Python libfdt to build:

  pylibfdt does not seem to be available with python3

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4839060137

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-26 19:50:56 +02:00
Peter Korsgaard
c11950fe4a package/mosquitto: bump to version 2.0.17
Bugfix release, fixing a number of regressions in 2.0.16

From the changelog
(https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt)

2.0.17 - 2023-08-22
===================

Broker:
- Fix `max_queued_messages 0` stopping clients from receiving messages.
  Closes #2879.
- Fix `max_inflight_messages` not being set correctly. Closes #2876.

Apps:
- Fix `mosquitto_passwd -U` backup file creation. Closes #2873.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-25 23:03:38 +02:00
Bernd Kuhls
47ac12bd4e {linux, linux-headers}: bump 6.{1, 4}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-25 23:03:37 +02:00
Yann E. MORIN
87bc648720 package/check: don't conflict with release archive
In commit ee93213d18 (package/check: fix compile issue due to missing
source file), we switched from using the released tarball, to using the
autogenerated tarball from github.

However, that means that the filename of the archive did not change,
while its content did change. The hash was promptly updated, but that
means that the archive we cache on s.b.o (and possibly the one users
may also already have locally) will not match the new hash (and
conversely).

So we switch to using the sha1-hash of the commit corresponding to the
tag.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-08-25 09:04:07 +02:00
Giulio Benetti
624814f4ec package/rtl8189fs: fix build with big endian
Add local patch to allow to override CFLAGS and undefine
CONFIG_LITTLE_ENDIAN by default and use the correct endianness according
to target architecture.

Fixes:
http://autobuild.buildroot.net/results/fe67db3884573ef750eda9d0dccd5f97b3ae698e

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 23:41:29 +02:00
Julien Olivain
96a54b0907 package/screen: security bump to version 4.9.1
See release announce:
https://lists.gnu.org/archive/html/screen-users/2023-08/msg00000.html

Fixes:
CVE-2023-24626: https://www.cve.org/CVERecord?id=CVE-2023-24626

Note: Buildroot installs screen as setuid, so the described scenario
in CVE applies.

This commit also rebases all patches on this release. Patch were
regenerated with 'git format-patch -N', so patch file name changed in
this process. The file .checkpackageignore is also updated accordingly.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 22:34:41 +02:00
Raphaël Mélotte
bdaade3e34 package/network-manager: remove leftover comment about headers
Commit 0a8ef2f3f7 bumped the headers
version requirements, but did not update the associated comment.

Remove the comment entirely, as it does not apply anymore.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 20:58:18 +02:00
Frank Vanbever
670329f057 package/libmodsecurity: security bump to version 3.0.10
- Fixes CVE-2023-38285 [1]
- Adapted 0001-configure.ac-drop-usage-of-git-at-configure-time.patch due to
  upstream moving to autoconf portable shell constructs.

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 20:55:47 +02:00
Waldemar Brodkorb
3f46db39e6 package/gmp: guard riscv definition
In commit 30997eaa65438a2ce726ad8a204ac5a36363f5c8 a mistake
was made. Guard the definition correctly.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 20:53:24 +02:00
Waldemar Brodkorb
9c61470c4b package/mpg123: fix linking error due to undefined symbol
This was introduced since commit
f8af24707b, which bumped mpg123 from
1.25.15 to 1.31.3.

Patch was provided by upstream:
https://sourceforge.net/p/mpg123/bugs/353/

Fixes:

  http://autobuild.buildroot.net/results/74e1522cc9328c98186ca730eeb7ce0cb5fbbcb5

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 23:39:08 +02:00
Giulio Benetti
49a37916a8 package/esp-hosted: fix build failure with missing CONFIG_SPI/MMC
Depending on the interface chosen we need to enable Linux CONFIG_SPI or
CONFIG_MMC, so let's do that according to BR2_PACKAGE_ESP_HOSTED_SPI.

Fixes:
http://autobuild.buildroot.net/results/cdf65ad07aba1d86f195576a2317c83aeb3dfce2

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 22:10:07 +02:00
Giulio Benetti
6b3d0c5adb package/ramspeed: disable package if affected from gcc bug 43744
This package is affected by gcc bug 43744 and I have not found a work
around for it(i.e. the common -O0 we use or other), so let's disable it if
gcc has such bug.

Fixes:
http://autobuild.buildroot.net/results/ab289769c5fea435934ed260d38e0a4fdd2ba72d

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 22:08:55 +02:00
Waldemar Brodkorb
5a4429a6dd package/zlib-ng: handle power9 cpu, fix compile error
Zlib-ng misdetects the powerpc cpu and the package fails to compile
for non-power9 cpu's.
Power9 support was added Upstream in commit:
02d10b252cc54159f7c33823048daec4b023fb22
So it was introduced in zlib-ng 2.1.3 and this was added to Buildroot
in commit 0df456ea6e.

So there is no need to backport it to older Buildroot releases.

Fixes:
 - http://autobuild.buildroot.net/results/a9f/a9f45486664b2d5b23a2f330a63955a06ae8189d

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 21:21:39 +02:00
Waldemar Brodkorb
6d8deb4b23 package/gmp: fix compile error for riscv
In commit 87b2a30319 gmp got updated
to 6.2.1, since then the compile error exist.

Compile error looks like this:
tmp-mul_1.s: Assembler messages:
tmp-mul_1.s:55: Error: unrecognized opcode `mul a5,a7,a3'
tmp-mul_1.s:57: Error: unrecognized opcode `mulhu a7,a7,a3'

Patch should be backported to stable branches.

Fixes:
 - http://autobuild.buildroot.net/results/2f2/2f2112bea73adbf49eabb62fe6cda6a9cd5d0567
 - http://autobuild.buildroot.net/results/566/566a4945555b781ed127997176f73b3c17ecab5d

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 20:08:02 +02:00
Bernd Kuhls
c2612d918f package/php: security bump version to 8.2.9
Changelog: https://www.php.net/ChangeLog-8.php#8.2.9
Release notes: https://www.php.net/releases/8_2_9.php

Fixes CVE-2023-3823 & CVE-2023-3824.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 00:07:28 +02:00
Bernd Kuhls
c78799639b package/clamav: security bump version to 1.0.2
Release notes: https://blog.clamav.net/2023/07/2023-08-16-releases.html

Fixes CVE-2023-20197 & CVE-2023-20212.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-22 00:05:44 +02:00
Bernd Kuhls
2235ab809f package/samba4: security bump version to 4.18.6
Release notes: https://www.samba.org/samba/history/samba-4.18.6.html

Includes a mitigation for CVE-2007-4559.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 16:06:33 +02:00
Bernd Kuhls
20c5bae6fa {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 4}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 15:54:54 +02:00
Bernd Kuhls
31ddf22ff6 package/postgresql: security bump version to 15.4
Release notes:
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

Fixes CVE-2023-39417 & CVE-2023-39418.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 15:51:39 +02:00
Clement Ramirez
db46428e0a package/cups: security bump version to 2.4.6
Fixes CVE-2023-34241 (see [0] for details)

[0] https://github.com/OpenPrinting/cups/releases/tag/v2.4.6

The number of changes between 2.4.4 and 2.4.6 is really small, and
limited to bug fixes:

9d614a4b3184205294c55355a1d2eb54d4532ccd (tag: v2.4.6) Update CHANGES.md
6f6da74ec284e28c156f0b9f62f3bd610e61aa78 Fix use-after-free in cupsdAcceptClient() (fixes CVE-2023-34241)
3f12185ca9cbb5350a6370d6046066907b8abc12 Merge pull request #735 from AtariDreams/Fixer
f5281777c80cdf820a2a71c9e7f08b91f0e11160 Fix compilation on older macOS versions
ee82c5b18409def3ec1424ce2eb343aabb0ff0d1 Merge pull request #730 from zdohnal/cupssinglefile_24x
1504527b2415a4b67b0e3e17593b053f3628746f  cups/ppd-cache.c: Put cupsSingleFile into generated PPD
3be1d5da8fe9ee13aab5ee6ecc11b2f9387821a6 Prepare files for next release
c1f54ec966ccc5d5564eed95dcb540842af7b5ca (tag: v2.4.5) cups/cups.h: Update for 2.4.5
70dba05b7511a96476ea0ef8fe1d92c6500c6e61 Finish hotfix release 2.4.5
87f5cb7d8f0da8fa2835bb0aa3ca48b5e5a66a3f Merge pull request #727 from AtariDreams/hotfix
61aa0b259183fe59124566f08ecf649bb806cd24 Regression: Certificate data is corrupted during base64 conversion
7362f41c45d834564f876ffac536f59eece843ec Prepare files for next release

Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 15:27:47 +02:00
Bernd Kuhls
b9a864d03d package/freeswitch: security bump version to 1.10.10
Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.10
"This is a major release containing critical security fixes, adding
 Debian 12 Bookworm, OpenSSL 3 and FFmpeg5 support."

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 14:47:32 +02:00
Bernd Kuhls
171977f4bf package/libks: bump version to 2.0.2
Updated license hash due to copyright year bump:
52a3f2a546

Needed for freeswitch bump to 1.10.10:
7c1faeff48

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-21 14:47:11 +02:00