Thomas De Schampheleire [Tue, 16 Feb 2021 14:20:07 +0000 (15:20 +0100)]
 
package/uboot-tools: depend on u-boot when selected
Currently, the envimage creation logic only depends on u-boot when the
user does not specify a custom envimage source via
BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE. This assumes that the
user-provided envimage source is not coming from the u-boot source
tree.
But especially given the fact that the envimage creation logic used to
be part of the u-boot package, this is a realistic scenario: users may
have provided a value of BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE
based on $(UBOOT_DIR), e.g.:
    $(UBOOT_DIR)/board/foo-vendor/bar-board/env.txt
Therefore, always add the u-boot dependency if u-boot is selected, for
either case of custom or default envimage source.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: re-organize code a bit.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Arnout Vandecappelle (Essensium/Mind) [Tue, 16 Feb 2021 20:12:33 +0000 (21:12 +0100)]
 
support/scripts/cpedb.py: remove import pickle
pickle is no longer used since 09a71e6a75636
Fixes:
support/scripts/cpedb.py:7:1: F401 'pickle' imported but unused
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Sun, 10 Jan 2021 19:06:16 +0000 (20:06 +0100)]
 
package/gstreamer1/gst1-python: needs gst1-plugins-base
gst1-plugins-base is a mandatory dependency since at least version
1.9.90 and
https://github.com/GStreamer/gst-python/commit/16f971226df1980b58ebde330123debaaf3b53d0
Fixes:
 - http://autobuild.buildroot.org/results/48b22c66c3a610d70931b9adfd6e5082bb3ff3d1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:48 +0000 (18:28 +0100)]
 
package/lcms2: disable tiff
tiff is only used by tificc sample and upstream rejected the patch to
fix the static build failure because "adding pkg-config dependency for a
sample is an overkill": https://github.com/mm2/Little-CMS/pull/244
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:47 +0000 (18:28 +0100)]
 
Revert "package/lcms2: fix static building with tiff"
This reverts commit 7e4f054d2347708c9e22fe84c1d5f374d5b343cd.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:32 +0000 (14:54 +0100)]
 
package/collectd: add 'synproxy' option
The synproxy plugin exists since 5.8.0 and is enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:31 +0000 (14:54 +0100)]
 
package/collectd: add 'logparser' option
The logparser plugin is new since 5.11.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:30 +0000 (14:54 +0100)]
 
package/collectd: add 'mdevents' option
The mdevents plugin is new since 5.12.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:28 +0000 (14:54 +0100)]
 
package/collectd: add 'infiniband' option
The infiniband plugin is new since 5.12.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 19:27:56 +0000 (20:27 +0100)]
 
package/orc: fix powerpc build with headers < 4.11
Autobuilder failures are raised with bootlin toolchains but it affects
orc since version 0.4.30
Fixes:
 - http://autobuild.buildroot.org/results/0821e96cba3e455edd47b87485501d892fc7ac6a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 11:58:01 +0000 (12:58 +0100)]
 
package/ebtables: install symlink to ebtables-legacy
Since the upgrade of ebtables from 2.0.10-4 to 2.0.11, there no longer is an
'ebtables' binary. It has been renamed to 'ebtables-legacy' and moved from
'/sbin' to '/usr/sbin'. This change is part of the upstream change to
integrate the functionality of ebtables (and arptables) in the iptables
package, using the nf_tables kernel backend [1].
Unfortunately, the renaming (and move) of the original 'ebtables' binary
breaks existing scripts that are calling 'ebtables' or '/sbin/ebtables'.
Therefore, add a symlink from the original path to 'ebtables-legacy'.
However, do not provide this symlink if BR2_PACKAGE_IPTABLES_NFTABLES is
enabled. In this case, the iptables package will build the new equivalent
of ebtables -- a symlink to ebtables-legacy would cause conflicts.
[1] https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 12:50:30 +0000 (13:50 +0100)]
 
package/tcpdump: remove duplicated binary
Since tcpdump 4.99.0, the 'tcpdump' binary is no longer installed in
/usr/sbin but in /usr/bin. This change invalidates the Buildroot hook
'TCPDUMP_REMOVE_DUPLICATED_BINARY', causing a fairly large rootfs size
increase as a result.
Update the path inside this hook.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:56 +0000 (09:07 +0100)]
 
package/mongoose: add MONGOOSE_CPE_ID_VENDOR
cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:55 +0000 (09:07 +0100)]
 
package/mongoose: security bump to version 7.1
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
  Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
  connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
  to remote OOB write attack via connection request after exhausting
  memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
  write attack via connection request after exhausting memory pool.
https://github.com/cesanta/mongoose/releases/tag/7.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:54 +0000 (09:07 +0100)]
 
package/mongoose: fix activation of openssl/mbedtls
MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85
So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Tue, 16 Feb 2021 08:44:16 +0000 (09:44 +0100)]
 
DEVELOPERS: drop Rahul Jain, user no longer exists
<rahul.jain@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[185.132.180.163]
    said: 550 5.1.1 User Unknown (in reply to RCPT TO command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Tue, 16 Feb 2021 08:30:21 +0000 (09:30 +0100)]
 
DEVELOPERS: drop Guillaume Gardet, domain no longer exists
The oliseo.fr domain no longer responds to SMTP requests:
smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Jörg Krause [Mon, 15 Feb 2021 13:47:31 +0000 (14:47 +0100)]
 
package/fakeroot: add upstream patches to fix glibc 2.33 compatibility
Glibc 2.33 removed `_STAT_VER`. On host machines, which updated to glibc
2.33, building host-fakeroot breaks:
```
In file included from communicate.h:20,
                 from libfakeroot.c:60:
libfakeroot.c: In function ‘chown’:
libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
   99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
```
The issue has been discussed on some package maintainer threads, e.g.:
https://bugs.archlinux.org/task/69572
https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13
A patch series was prepared by Ilya Lipnitskiy which included two other
patches not related to the glibc 2.33 compatibility issue and submitted as
merge request for upstream:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html
Upstream accepted the merge request:
https://salsa.debian.org/clint/fakeroot/-/merge_requests/10
Note that this patch series only contains the necessary patches for glibc
2.33 compatibility.
Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root
filesystem for an i.MX6ULL target board.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:26:36 +0000 (18:26 +0100)]
 
package/libgpg-error: fix build without threads
Fix build without threads of libgpg-error in version >= 1.40
Fixes:
 - http://autobuild.buildroot.org/results/3344c96e5627a9327b0eabe0b27f34490bbabc0d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:45:43 +0000 (18:45 +0100)]
 
package/ne10: disable unit tests and examples
Unit tests fail to build with gcc 10 on:
[100%] Linking C executable NE10_dsp_unit_test_smoke
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here
So just disable them and, while at it, also disable examples which are
also enabled by default
Fixes:
 - http://autobuild.buildroot.org/results/c658d52668825c26a15d6ac3ca538472cad5cd78
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Michael Vetter [Mon, 15 Feb 2021 10:45:28 +0000 (11:45 +0100)]
 
package/jasper: security bump version to 2.0.25
Changes:
* Fix memory-related bugs in the JPEG-2000 codec resulting from
  attempting to decode invalid code streams. (#264, #265)
  This fix is associated with CVE-2021-26926 and CVE-2021-26927.
* Fix wrong return value under some compilers (#260)
* Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sat, 13 Feb 2021 22:19:48 +0000 (23:19 +0100)]
 
support/scripts/cpedb.py: drop CPE XML database caching
Currently, the CPE XML database is parsed into a Python dict, which is
then pickled into a local file, to speed up the processing of further
invocations.
However, it turns out that since the initial implementation, we have
switched the XML parsing from the out of tree xmltodict module to the
standard ElementTree one, which has made the parsing much faster. The
pickle caching only saves 6 seconds, on something that takes more than
13 minutes total.
In addition, this pickle caching consumes a significant amount of RAM,
causing the Python process to be OOM-killed on a server with 4 GB of
RAM.
So let's just drop this caching entirely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yann E. MORIN [Sun, 14 Feb 2021 08:22:16 +0000 (09:22 +0100)]
 
package/ply: fix dependencies of comment for dependencies
Commits ca1afcb2171f (package/ply: needs headers >= 4.14) and
debe9eb13ebd (package/ply: needs dynamic library) added restrictions
on the availability of ply. The first forgot to add a comment, and
the second mis-handled the dependency on the headers version.
Indeed, we want the comment to show the requirement on the headers
version (since that is not a hardware dependency).
Fix this comment to include the headers version, and fix the condition
accordingly.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Andreas Klinger <ak@it-klinger.de>
Peter Seiderer [Wed, 10 Feb 2021 23:16:40 +0000 (00:16 +0100)]
 
package/dnsmasq: bump version to 2.84
Bugfix release, fixing a regression introduced in 2.83.  For more details,
see the announcement:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014640.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8fcdd2023ee6bc2efd96a3b43fec103f2afa0e2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Feb 2021 07:41:01 +0000 (08:41 +0100)]
 
package/mpd: fix build of GenParseName
Fix build of GenParseName which has been added in version 0.22:
https://github.com/MusicPlayerDaemon/MPD/commit/fa45a8adfa44f6bc815ae7428770112c15c76d73
Fixes:
 - http://autobuild.buildroot.org/results/871e1362c44e5b68a149e6a5dd3caf99ea0d904a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Giulio Benetti [Fri, 12 Feb 2021 22:42:38 +0000 (23:42 +0100)]
 
package/libgeos: fix build failure due to Gcc Bug 68485
Package libgeos manifests Microblaze Gcc Bug 68485 resulting in a build
failure due to an Internal Compiler Error.
As done for other packages in Buildroot work around this Gcc Bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.
Fixes:
http://autobuild.buildroot.net/results/0da/0daa6b259aea5381fad86d01e6dd026b1c8ad073/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Fri, 12 Feb 2021 21:57:24 +0000 (22:57 +0100)]
 
package/wireshark: security bump to version 3.4.3
The following vulnerabilities have been fixed:
 - wnpa-sec-2021-01 USB HID dissector memory leak. Bug 17124.
   CVE-2021-22173.
 - wnpa-sec-2021-02 USB HID dissector crash. Bug 17165. CVE-2021-22174.
https://www.wireshark.org/docs/relnotes/wireshark-3.4.3.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Sergey Matyukevich [Sat, 13 Feb 2021 18:22:30 +0000 (21:22 +0300)]
 
support/testing: TestATFAllwinner needs python3 for u-boot
New U-Boot version needs Python 3.x for pylibfdt.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385909
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 12 Feb 2021 20:00:06 +0000 (21:00 +0100)]
 
package/lcms2: fix static building with tiff
Strangely enough, we have only one build failure on the autobuilder even
if lcms2 never used pkg-config to retrieve static dependencies of tiff
(which also depends on xz since 2016)
Fixes:
 - http://autobuild.buildroot.org/results/07c5ca780bcdbfcd7cad6502345f1553ce17bdc3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Andreas Klinger [Sat, 13 Feb 2021 19:05:23 +0000 (20:05 +0100)]
 
package/ply: needs dynamic library
ply builds and installs a library. Some objects that go in that library
are tagged with a 'section' attribute (excerpt):
    __attribute__((section("providers")))
Later on, it references the bounds of that section, with the canonical
__start and __stop markers, which will eventually be created by the
linker:
    extern struct provider __start_providers;
    extern struct provider __stop_providers;
Sections only exist in an ELF file, and a static library is not an ELF.
So, when creating a static library, the markers are not created. Thus,
when linking the final executable, the link fails because of missing
symbols:
    .../powerpc-buildroot-linux-uclibc/bin/ld: ../libply/.libs/libply.a(libply_la-provider.o): in function `provider_get':
    provider.c:(.text+0xe): undefined reference to `__start_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x12): undefined reference to `__stop_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x2a): undefined reference to `__start_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x32): undefined reference to `__stop_providers'
So, conceptually, ply can not build in static-only.
Fixes:
 - http://autobuild.buildroot.net/results/3a586241d37614b644ff6c4674ae28df2b22fdf8
Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 12 Feb 2021 21:45:24 +0000 (22:45 +0100)]
 
package/fetchmail: set FETCHMAIL_CPE_ID_VENDOR
cpe:2.3:a:fetchmail:fetchmail is a valid CPE identifier for this
package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afetchmail%3Afetchmail
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Fri, 12 Feb 2021 21:39:02 +0000 (22:39 +0100)]
 
package/fail2ban: add FAIL2BAN_CPE_ID_VENDOR
cpe:2.3:a:fail2ban:fail2ban is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afail2ban%3Afail2ban
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Fri, 12 Feb 2021 21:52:35 +0000 (22:52 +0100)]
 
package/file: set FILE_CPE_ID_VALID
cpe:2.3:a:file_project:file is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afile_project%3Afile
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 12 Feb 2021 20:28:36 +0000 (21:28 +0100)]
 
package/x11vnc: set X11VNC_CPE_ID_VALID
cpe:2.3:a:x11vnc_project:x11vnc is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax11vnc_project%3Ax11vnc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 12 Feb 2021 20:06:59 +0000 (21:06 +0100)]
 
package/axel: set AXEL_CPE_ID_VALID
cpe:2.3:a:axel_project:axel is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaxel_project%3Aaxel
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Fri, 12 Feb 2021 17:34:16 +0000 (18:34 +0100)]
 
package/postgresql: security bump version to 13.2
Release notes:
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
Fixes CVE-2021-3393 & CVE-2021-20229.
Updated license hash due to copyright year bump:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c09f6882d6f78bde26fcc1e1a3da11c274de596a
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 11 Feb 2021 15:05:01 +0000 (16:05 +0100)]
 
docs/website: mention Bootlin Buildroot training courses
Our documentation page already mentions the open-source and freely
available training materials from Bootlin on Buildroot.
It turns out that we now have online training courses accessible to
public registration, which makes them accessible to a wider
audience. It probably makes sense to mention them alongside the
training materials.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Fri, 15 Jan 2021 17:01:56 +0000 (18:01 +0100)]
 
uboot: fix binman with a new dependency
since 2021.01, tools/binman is broken.
tools/binman/control.py imports pkg_resources
the module pkg_resources is supplied by setuptools,
so this new dependency is required.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 11 Feb 2021 18:09:43 +0000 (19:09 +0100)]
 
package/xterm: security bump to version 366
Fixes the following security issue:
CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a
denial of service (segmentation fault) or possibly have unspecified other
impact via a crafted UTF-8 character sequence.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 11 Feb 2021 14:18:37 +0000 (15:18 +0100)]
 
package/subversion: security bump to version 1.14.1
Fixes the following security issue:
CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion
mod_authz_svn
Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option
and a client sends a request for a non-existing repository URL.
For more details, see the advisory:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diego Hurtado de Mendoza [Wed, 10 Feb 2021 09:13:19 +0000 (10:13 +0100)]
 
package/can-utils: enable build using musl libc
From commit 20fb6d3288f3c9aac7975e505d9a25f21f64bdf9 this package was
disabled for musl because can-utils used the error() glibc extension
at that time.
Since then, can-utils fixed compilation on musl by replacing these
error() calls with err().
https://github.com/linux-can/can-utils/pull/163/commits/791b6de78673f005e9748983231f7260f6b69e99
This commit disables the musl check.
Signed-off-by: Diego Hurtado de Mendoza <diego.hdmp@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 06:46:26 +0000 (07:46 +0100)]
 
package/guile: link with libatomic if needed
Fix build of guile 3.0.4 with Bootlin SPARC uclibc toolchain added with
commit 1348c569d0cb7f67eca30f170b782aa8b51cc259
Fixes:
 - http://autobuild.buildroot.org/results/a72d8e14854f9c6c9632e856019a3eb8ec4818b6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 10 Feb 2021 17:40:23 +0000 (18:40 +0100)]
 
package/kodi: remove dependency to libsamplerate
This package is not needed anymore since 2014:
https://github.com/xbmc/xbmc/commit/e36e4f0e2a46764d0c4341a5caf50cae6f772504
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Thu, 11 Feb 2021 10:40:01 +0000 (11:40 +0100)]
 
package/protobuf: remove target version of 'protoc'
The tool 'protoc' and its associated library libprotoc.so are only
needed during development, to convert a protocol buffer definition in the
associated code for a specific code language.
Buildroot does not officially support creating a development environment on
target, so remove these files to reduce disk usage by more than 1.5 MB
(stripped, uncompressed).
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 11 Feb 2021 13:23:11 +0000 (14:23 +0100)]
 
configs/avenger96_defconfig: linux build needs host-openssl
Fixes the gitlab build:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385566/
  HOSTCC  scripts/extract-cert
scripts/extract-cert.c:21:25: fatal error: openssl/bio.h: No such file or directory
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Thu, 11 Feb 2021 19:43:56 +0000 (20:43 +0100)]
 
package/kodi-inputstream-adaptive: update project URL
Reference: https://github.com/xbmc/repo-binary-addons/pull/143
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Sat, 6 Feb 2021 10:57:35 +0000 (11:57 +0100)]
 
package/netopeer2: cleanup shm files after installation
On install step the host tool sysrepoctl is used to install some YANG
modules. Unfortunately sysrepoctl creates some files in /dev/shm folder and
does not clean up afterwards. These files can be incompatible depending on
the used sysrepo version. This causes autobuilder failures when updating
the package [1].
To make sure we can remove these leftovers of sysrepoctl we specify a
build specific SYSREPO_SHM_PREFIX. With this the files can be deleted safely
after installation is completed. This also ensures that concurrent
parallel builds will not be affected mutually.
The prefix must be unique between concurrent builds, so we use the build
directory ($(CONFIG_DIR)) to discriminate builds. It must also be unique
between top-level parallel package builds, so we also use the name of
the current package to discriminate.
Fixes:
 [1] http://autobuild.buildroot.net/results/6e559c4f98b7ed93d7b5af638264e907492a6532/
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Co-Developed-by: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - also use the package name as discriminant
  - expand commit log accordingly
  - rename the variable to start with the package name
  - explain why we clean up before as well
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Heiko Thiery [Sat, 6 Feb 2021 10:57:37 +0000 (11:57 +0100)]
 
package/netopeer2: add dependency to host-sysrepo
The sysrepoctl executable from the host-sysrepo package is used to
install YANG modules during installation. So add the dependency here.
Also make sure we use this executable by setting the make environment
variable SYSREPOCTL_EXECUTABLE. Otherwise a system wide installed
sysrepoctl would be used that is not what we want.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Christian Stewart [Wed, 10 Feb 2021 23:52:03 +0000 (15:52 -0800)]
 
package/docker-cli: bump to version 20.10.3
Client fixes:
 - Check contexts before importing them to reduce risk of extracted files escaping context store
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Christian Stewart [Wed, 10 Feb 2021 23:52:02 +0000 (15:52 -0800)]
 
package/docker-engine: security bump to version 20.10.3
Security fixes:
 - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
 - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
 - Ensure AppArmor and SELinux profiles are applied when building with BuildKit
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Christian Stewart [Wed, 10 Feb 2021 23:25:46 +0000 (15:25 -0800)]
 
package/go: bump to version 1.15.8
go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package.
https://golang.org/doc/go1.15
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Feb 2021 08:01:35 +0000 (09:01 +0100)]
 
utils/getdeveloperlib.py: reduce Cc: list based on package infras
When a developer has package/pkg-<infra>.mk assigned to him/her in the
DEVELOPERS file, this has 3 implications:
 (1) Patches adding new packages using this infrastructure are Cc'ed
     to this developer. This is done by the analyze_patch() function,
     which matches the regexp r"^\+\$\(eval
     \$\((host-)?([^-]*)-package\)\)$" in the patch, i.e where an
     added line contains a reference to the infra maintained by the
     developer.
 (2) Patches touching the package/pkg-<infra>.mk file itself are Cc'ed
     to this developer.
 (3) Any patch touching a package using this infra are also Cc'ed to
     this developer.
Point (3) causes a significant amount of patches to be sent to
developers who have package/pkg-generic.mk and
package/pkg-autotools.mk assigned to them in the DEVELOPERS
file. Basically, all patches touching generic or autotools packages
get CC'ed to such developers, which causes a massive amount of patches
to be received.
So this patch adjusts the getdeveloperlib.py to drop point (3), but
preserves point (1) and (2). Indeed, it makes sense to be Cc'ed on new
package additions (to make a review that they use the package
infrastructure correctly), and it makes sense to be Cc'ed on patches
that touch the infrastructure code itself.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Tue, 9 Feb 2021 20:39:12 +0000 (21:39 +0100)]
 
package/ngircd: add NGIRCD_CPE_ID_VENDOR
cpe:2.3:a:barton:ngircd is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Abarton%3Angircd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:58:21 +0000 (14:58 +0100)]
 
package/shadowsocks-libev: add SHADOWSOCKS_LIBEV_CPE_ID_VENDOR
cpe:2.3:a:shadowsocks:shadowsocks-libev is a valid CPE identifier for
this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ashadowsocks%3Ashadowsocks-libev
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:42:36 +0000 (21:42 +0100)]
 
package/tinydtls: add TINYDTLS_CPE_ID_VENDOR
cpe:2.3:a:eclipse:tinydtls is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aeclipse%3Atinydtls
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:45:53 +0000 (21:45 +0100)]
 
package/upx: set UPX_CPE_ID_VALID
cpe:2.3:a:upx_project:upx is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aupx_project%3Aupx
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:58:45 +0000 (21:58 +0100)]
 
package/matio: set MATIO_CPE_ID_VALID
cpe:2.3:a:matio_project:matio is a valid CPE identifier for this
package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amatio_project%3Amatio
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:28:45 +0000 (21:28 +0100)]
 
package/libvncserver: set LIBVNCSERVER_CPE_ID_VALID
cpe:2.3:a:libvncserver_project:libvncserver is a valid CPE identifier
for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibvncserver_project%3Alibvncserver
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:51:27 +0000 (21:51 +0100)]
 
package/glib-networking: add GLIB_NETWORKING_CPE_ID_VENDOR
cpe:2.3:a:gnome:glib-networking is a valid CPE identifier for this
package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Aglib-networking
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:48:27 +0000 (21:48 +0100)]
 
package/nghttp2: add NGHTTP2_CPE_ID_VENDOR
cpe:2.3:a:nghttp2:nghttp2 is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anghttp2%3Anghttp2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 9 Feb 2021 21:55:10 +0000 (22:55 +0100)]
 
Update for 2021.02-rc1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:39:13 +0000 (21:39 +0100)]
 
package/ngircd: bump to version 26.1
https://github.com/ngircd/ngircd/releases/tag/rel-26.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gwenhael Goavec-Merou [Mon, 8 Feb 2021 15:19:15 +0000 (16:19 +0100)]
 
package/gnuradio: add gr-uhd option
GNURadio has a block to use USRP, through UHD, to receive or transmit RF
signals.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gwenhael Goavec-Merou [Mon, 8 Feb 2021 15:19:14 +0000 (16:19 +0100)]
 
package/uhd: add missing support
Complete uhd package with the rest of USRP, octoclock and python support.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:07:57 +0000 (21:07 +0100)]
 
package/libostree: libfuse is optional, not mandatory
libfuse is optional since its addition in version 2016.2 with
https://github.com/ostreedev/ostree/commit/e9ccdd2d007801ef25cc7283188942d791889c27
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:09:24 +0000 (21:09 +0100)]
 
package/attr: set ATTR_CPE_ID_VALID
cpe:2.3:a:attr_project:attr is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aattr_project%3Aattr
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 9 Feb 2021 20:27:19 +0000 (21:27 +0100)]
 
package/freerdp: add FREERDP_CPE_ID_VENDOR
cpe:2.3:a:freerdp:freerdp is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreerdp%3Afreerdp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Tue, 9 Feb 2021 10:05:46 +0000 (11:05 +0100)]
 
package/waf: bump to v2.0.22
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Tue, 9 Feb 2021 16:36:40 +0000 (17:36 +0100)]
 
package/intel-microcode: security bump to version 20201118
Fixes the following security issues:
- CVE-2020-8694: Insufficient access control in the Linux kernel driver for
  some Intel(R) Processors may allow an authenticated user to potentially
  enable information disclosure via local access.
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
- CVE-2020-8695: Observable discrepancy in the RAPL interface for some
  Intel(R) Processors may allow a privileged user to potentially enable
  information disclosure via local access.
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
- CVE-2020-8698: Improper removal of sensitive information before storage or
  transfer in some Intel(R) Processors may allow an authenticated user to
  potentially enable information disclosure via local access.
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Heiko Thiery [Tue, 9 Feb 2021 07:45:24 +0000 (08:45 +0100)]
 
package/connman: bump version to 1.39
Drop patches that are upstream now and fix hash file indentation.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:10:38 +0000 (21:10 +0100)]
 
package/bison: add BISON_CPE_ID_VENDOR
cpe:2.3:a:gnu:bison is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Abison
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:05:19 +0000 (21:05 +0100)]
 
package/c-icap: set C_ICAP_CPE_ID_VALID
cpe:2.3:a:c-icap_project:c-icap is a valid CPE identifier for this
package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ac-icap_project%3Ac-icap
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pieter Ronsijn [Thu, 4 Feb 2021 21:57:22 +0000 (22:57 +0100)]
 
package/exfat(-utils): change license to GPL-2.0+
The license is specified in https://github.com/relan/exfat/blob/master/COPYING and indicates GPL-2.0+
The license changed from GPL-3.0+ to GPL-2.0+ in 2013 but was never updated in buildroot.
https://github.com/relan/exfat/commit/48573fff5d070863e3279769e8a95d5c15a5c77d
Signed-off-by: Pieter Ronsijn <pieterronsijn@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Mon, 8 Feb 2021 18:53:21 +0000 (19:53 +0100)]
 
package/fetchmail: bump version to 6.4.16
Release notes:
https://sourceforge.net/p/fetchmail/mailman/message/37215482/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:05:18 +0000 (21:05 +0100)]
 
package/c-icap: bump to version 0.5.7
https://sourceforge.net/p/c-icap/news/2020/10/the-c-icap-057-is-released
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:08:25 +0000 (21:08 +0100)]
 
package/bluez5_utils: add CPE variables
cpe:2.3:a:bluez:bluez is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Abluez%3Abluez
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: fix s/BLUEZ5_CPE/BLUEZ5_UTILS_CPE/ typo]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:06:58 +0000 (21:06 +0100)]
 
package/berkeleydb: add CPE variables
cpe:2.3:a:oracle:berkeley_db is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aoracle%3Aberkeley_db
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 13:24:11 +0000 (14:24 +0100)]
 
package/python: clarify that this refers to the deprecated 2.7 series
Python 2.7 is EOL, so people should use the python3 package instead if
possible.  Make it a bit more obvious that 'python' is not the right package
to use by explicitly mentioning that this is about python 2.7 and that it is
deprecated.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 09:39:21 +0000 (10:39 +0100)]
 
package/connman: add upstream security fixes for CVE-2021-2667{5, 6}
Fixes the following security issues:
- CVE-2021-26675: Remote (adjacent network) code execution flaw
- CVE-2021-26676: Remote stack information leak
For details, see the advisory:
https://www.openwall.com/lists/oss-security/2021/02/08/2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 21:05:36 +0000 (22:05 +0100)]
 
CHANGES: update with recent changes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:39:34 +0000 (21:39 +0100)]
 
package/at-spi2-atk: add AT_SPI2_ATK_CPE_ID_VENDOR
cpe:2.3:a:gnome:at-spi2-atk is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Aat-spi2-atk
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 7 Feb 2021 21:52:27 +0000 (22:52 +0100)]
 
configs/avenger96_defconfig: add support for Arrow Avenger96 board
Very similar to the other stm32mp157-based boards, except that we use the
multi_v7 defconfig for ease of maintenance.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Mon, 8 Feb 2021 09:04:34 +0000 (11:04 +0200)]
 
package/memtester: fix compile and link flags
The memtester build system does not use CFLAGS/LDFLAGS variables.
Everything should be written to conf-cc and conf-ld.
Use '%' as sed expression delimiter because comma might appear in
LDFLAGS.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 07:46:35 +0000 (08:46 +0100)]
 
package/x11r7/xlib_libXrandr: add CPE variables
cpe:2.3:a:x.org:libxrandr is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxrandr
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Mon, 8 Feb 2021 10:10:35 +0000 (11:10 +0100)]
 
package/connman: set CONNMAN_CPE_ID_VENDOR
cpe:2.3:a:intel:connman is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/detail/702658?namingFormat=2.3&orderBy=CPEURI&keyword=connman&status=FINAL
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Mon, 8 Feb 2021 08:04:50 +0000 (09:04 +0100)]
 
configs/kontron_smarc_sal28_defconfig: use Python 3.x for U-Boot build
New U-Boot versions need Python 3.x for pylibfdt.
Fixes:
 - https://gitlab.com/buildroot.org/buildroot/-/jobs/1006924823
Cc: Michael Walle <michael@walle.cc>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:57:37 +0000 (13:57 +0100)]
 
package/brotli: add BROTLI_CPE_ID_VENDOR
cpe:2.3:a:google:brotli is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agoogle%3Abrotli
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:27:18 +0000 (21:27 +0100)]
 
package/audiofile: drop package
The audiofile package is affected by multiple CVEs and is not maintained
anymore (no release since 2013):
  https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:audio_file_library_project:audio_file_library:0.3.6:*:*:*:*:*:*:*
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:35:15 +0000 (21:35 +0100)]
 
package/avahi: add AVAHI_CPE_ID_VENDOR
cpe:2.3:a:avahi:avahi is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aavahi%3Aavahi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:31:18 +0000 (21:31 +0100)]
 
package/augeas: add AUGEAS_CPE_ID_VENDOR
cpe:2.3:a:augeas:augeas is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaugeas%3Aaugeas
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:34:37 +0000 (14:34 +0100)]
 
package/x11r7/xlib_libXi: add CPE variables
cpe:2.3:a:x.org:libxi is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:52:26 +0000 (14:52 +0100)]
 
package/x11r7/xlib_libXvMC: add CPE variables
cpe:2.3:a:x.org:libxvmc is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxvmc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 13:16:16 +0000 (14:16 +0100)]
 
package/libsigsegv: bump version to 2.13
Removed patches applied upstream:
0001-Improve-support-for-Linux-RISC-V.patch
https://github.com/roswell/libsigsegv/commit/671b2528b55c57eda1a8fe5872ff1ef61014235f
0002-m4-stack-direction-RISC-V-stack-grows-downward.patch
https://github.com/roswell/libsigsegv/commit/fd0e3d99d109b46d73ef37f38a23076f5acd1053
0003-Improve-support-for-Linux-nds32.patch
0004-m4-stack-direction-NDS32-stack-grows-downward.patch
https://github.com/roswell/libsigsegv/commit/51a03192a3e024931309bdf11a9c055985de0ddf
Reformatted hashes.
Release notes: https://github.com/roswell/libsigsegv/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:03:28 +0000 (14:03 +0100)]
 
package/gnupg: add CPE variables
cpe:2.3:a:gnupg:gnupg is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnupg%3Agnupg
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 13:06:01 +0000 (14:06 +0100)]
 
package/libshout: bump version to 2.4.5
Added sha512 hash provided by upstream, reformatted hashes.
Changelog:
https://gitlab.xiph.org/xiph/icecast-libshout/-/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:58:18 +0000 (13:58 +0100)]
 
package/libgsm: bump version to 1.0.19
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:52:45 +0000 (13:52 +0100)]
 
package/msmtp: bump version to 1.8.14
Release notes:
https://github.com/marlam/msmtp-mirror/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:52:44 +0000 (13:52 +0100)]
 
package/libgsasl: bump version to 1.10.0
Added hashes provided by upstream, updated license hash due to various
upstream commits:
https://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=history;f=README
Release notes:
https://lists.gnu.org/archive/html/help-gsasl/2021-01/msg00007.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:43:04 +0000 (13:43 +0100)]
 
package/libgphoto2: bump version to 2.5.26
Removed md5 hash, reformatted remaining hashes.
Added optional support for libcurl available since version 2.5.24.
Release notes: https://github.com/gphoto/libgphoto2/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:39:19 +0000 (13:39 +0100)]
 
package/libraw: add LIBRAW_CPE_ID_VENDOR
cpe:2.3:a:libraw:libraw is a valid CPE identifier for this package:
  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibraw%3Alibraw
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>