Fabrice Fontaine [Mon, 8 Feb 2021 20:10:38 +0000 (21:10 +0100)]
package/bison: add BISON_CPE_ID_VENDOR
cpe:2.3:a:gnu:bison is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Abison
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:05:19 +0000 (21:05 +0100)]
package/c-icap: set C_ICAP_CPE_ID_VALID
cpe:2.3:a:c-icap_project:c-icap is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ac-icap_project%3Ac-icap
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pieter Ronsijn [Thu, 4 Feb 2021 21:57:22 +0000 (22:57 +0100)]
package/exfat(-utils): change license to GPL-2.0+
The license is specified in https://github.com/relan/exfat/blob/master/COPYING and indicates GPL-2.0+
The license changed from from GPL-3.0+ to GPL-2.0+ in 2013 but was never updated in buildroot.
https://github.com/relan/exfat/commit/
48573fff5d070863e3279769e8a95d5c15a5c77d
Signed-off-by: Pieter Ronsijn <pieterronsijn@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Mon, 8 Feb 2021 18:53:21 +0000 (19:53 +0100)]
package/fetchmail: bump version to 6.4.16
Release notes:
https://sourceforge.net/p/fetchmail/mailman/message/
37215482/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:05:18 +0000 (21:05 +0100)]
package/c-icap: bump to version 0.5.7
https://sourceforge.net/p/c-icap/news/2020/10/the-c-icap-057-is-released
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:08:25 +0000 (21:08 +0100)]
package/bluez5_utils: add CPE variables
cpe:2.3:a:bluez:bluez is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Abluez%3Abluez
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: fix s/BLUEZ5_CPE/BLUEZ5_UTILS_CPE/ typo]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 20:06:58 +0000 (21:06 +0100)]
package/berkeleydb: add CPE variables
cpe:2.3:a:oracle:berkeley_db is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aoracle%3Aberkeley_db
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 13:24:11 +0000 (14:24 +0100)]
package/python: clarify that this refers to the deprecated 2.7 series
Python 2.7 is EOL, so people should use the python3 package instead if
possible. Make it a bit more obvious that 'python' is not the right package
to use by explicitly mentioning that this is about python 2.7 and that it is
deprecated.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 09:39:21 +0000 (10:39 +0100)]
package/connman: add upstream security fixes for CVE-2021-2667{5, 6}
Fixes the following security issues:
- CVE-2021-26675: Remote (adjacent network) code execution flaw
- CVE-2021-26676: Remote stack information leak
For details, see the advisory:
https://www.openwall.com/lists/oss-security/2021/02/08/2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 8 Feb 2021 21:05:36 +0000 (22:05 +0100)]
CHANGES: update with recent changes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:39:34 +0000 (21:39 +0100)]
package/at-spi2-atk: add AT_SPI2_ATK_CPE_ID_VENDOR
cpe:2.3:a:gnome:at-spi2-atk is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Aat-spi2-atk
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 7 Feb 2021 21:52:27 +0000 (22:52 +0100)]
configs/avenger96_defconfig: add support for Arrow Avenger96 board
Very similar to the other stm32mp157-based boards, except that we use the
multi_v7 defconfig for ease of maintenance.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Mon, 8 Feb 2021 09:04:34 +0000 (11:04 +0200)]
package/memtester: fix compile and link flags
The memtester build system does not use CFLAGS/LDFLAGS variables.
Everything should be written to conf-cc and conf-ld.
Use '%' as sed expression delimiter because comma might appear in
LDFLAGS.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 8 Feb 2021 07:46:35 +0000 (08:46 +0100)]
package/x11r7/xlib_libXrandr: add CPE variables
cpe:2.3:a:x.org:libxrandr is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxrandr
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Mon, 8 Feb 2021 10:10:35 +0000 (11:10 +0100)]
package/connman: set CONNMAN_CPE_ID_VENDOR
cpe:2.3:a:intel:connman is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/702658?namingFormat=2.3&orderBy=CPEURI&keyword=connman&status=FINAL
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Mon, 8 Feb 2021 08:04:50 +0000 (09:04 +0100)]
configs/kontron_smarc_sal28_defconfig: use Python 3.x for U-Boot build
New U-Boot versions need Python 3.x for pylibfdt.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/
1006924823
Cc: Michael Walle <michael@walle.cc>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:57:37 +0000 (13:57 +0100)]
package/brotli: add BROTLI_CPE_ID_VENDOR
cpe:2.3:a:google:brotli is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agoogle%3Abrotli
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:27:18 +0000 (21:27 +0100)]
package/audiofile: drop package
The audiofile package is affected by multiple CVEs and is not maintained
anymore (no release since 2013):
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:audio_file_library_project:audio_file_library:0.3.6:*:*:*:*:*:*:*
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:35:15 +0000 (21:35 +0100)]
package/avahi: add AVAHI_CPE_ID_VENDOR
cpe:2.3:a:avahi:avahi is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aavahi%3Aavahi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 20:31:18 +0000 (21:31 +0100)]
package/augeas: add AUGEAS_CPE_ID_VENDOR
cpe:2.3:a:augeas:augeas is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaugeas%3Aaugeas
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:34:37 +0000 (14:34 +0100)]
package/x11r7/xlib_libXi: add CPE variables
cpe:2.3:a:x.org:libxi is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:52:26 +0000 (14:52 +0100)]
package/x11r7/xlib_libXvMC: add CPE variables
cpe:2.3:a:x.org:libxvmc is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxvmc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 13:16:16 +0000 (14:16 +0100)]
package/libsigsegv: bump version to 2.13
Removed patches applied upstream:
0001-Improve-support-for-Linux-RISC-V.patch
https://github.com/roswell/libsigsegv/commit/
671b2528b55c57eda1a8fe5872ff1ef61014235f
0002-m4-stack-direction-RISC-V-stack-grows-downward.patch
https://github.com/roswell/libsigsegv/commit/
fd0e3d99d109b46d73ef37f38a23076f5acd1053
0003-Improve-support-for-Linux-nds32.patch
0004-m4-stack-direction-NDS32-stack-grows-downward.patch
https://github.com/roswell/libsigsegv/commit/
51a03192a3e024931309bdf11a9c055985de0ddf
Reformatted hashes.
Release notes: https://github.com/roswell/libsigsegv/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:03:28 +0000 (14:03 +0100)]
package/gnupg: add CPE variables
cpe:2.3:a:gnupg:gnupg is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnupg%3Agnupg
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 13:06:01 +0000 (14:06 +0100)]
package/libshout: bump version to 2.4.5
Added sha512 hash provided by upstream, reformatted hashes.
Changelog:
https://gitlab.xiph.org/xiph/icecast-libshout/-/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:58:18 +0000 (13:58 +0100)]
package/libgsm: bump version to 1.0.19
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:52:45 +0000 (13:52 +0100)]
package/msmtp: bump version to 1.8.14
Release notes:
https://github.com/marlam/msmtp-mirror/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:52:44 +0000 (13:52 +0100)]
package/libgsasl: bump version to 1.10.0
Added hashes provided by upstream, updated license hash due to various
upstream commits:
https://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=history;f=README
Release notes:
https://lists.gnu.org/archive/html/help-gsasl/2021-01/msg00007.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:43:04 +0000 (13:43 +0100)]
package/libgphoto2: bump version to 2.5.26
Removed md5 hash, reformatted remaining hashes.
Added optional support for libcurl available since version 2.5.24.
Release notes: https://github.com/gphoto/libgphoto2/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:39:19 +0000 (13:39 +0100)]
package/libraw: add LIBRAW_CPE_ID_VENDOR
cpe:2.3:a:libraw:libraw is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibraw%3Alibraw
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:31:54 +0000 (13:31 +0100)]
package/memcached: add MEMCACHED_CPE_ID_VENDOR
cpe:2.3:a:memcached:memcached is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amemcached%3Amemcached
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:29:12 +0000 (13:29 +0100)]
package/libgpg-error: bump version to 1.41
Release notes:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob;f=NEWS;
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:26:55 +0000 (13:26 +0100)]
package/libass: set LIBASS_CPE_ID_VALID
cpe:2.3:a:libass_project:libass is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibass_project%3Alibass
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:17:53 +0000 (13:17 +0100)]
package/liberation: bump version to 2.1.2
Changelog:
https://github.com/liberationfonts/liberation-fonts/blob/master/ChangeLog
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:14:08 +0000 (13:14 +0100)]
package/libedit: bump version to
20191231-3.1
Reformatted hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:02:31 +0000 (13:02 +0100)]
package/ccid: bump version to 1.4.34
Release notes:
http://lists.infradead.org/pipermail/pcsclite-muscle/2021-January/001170.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 11:56:37 +0000 (12:56 +0100)]
package/pigz: bump version to 2.6
Updated license hash due to various commits bumping the version number:
https://github.com/madler/pigz/commits/master/README
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:09:31 +0000 (13:09 +0100)]
package/libdvbsi: bump version to 0.3.9
Switched _SITE to github, removed md5 hash, reformatted hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:13:02 +0000 (14:13 +0100)]
package/x11r7/xlib_libX11: add CPE variables
cpe:2.3:a:x.org:libx11 is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibx11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:45:10 +0000 (14:45 +0100)]
package/x11r7/xlib_libXrender: add CPE variables
cpe:2.3:a:x.org:libxrender is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxrender
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:47:50 +0000 (14:47 +0100)]
package/x11r7/xlib_libXv: add CPE variables
cpe:2.3:a:x.org:libxv is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax.org%3Alibxv
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 12:35:51 +0000 (13:35 +0100)]
package/cryptsetup: set CRYPTSETUP_CPE_ID_VALID
cpe:2.3:a:cryptsetup_project:cryptsetup is a valid CPE identifier for
this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acryptsetup_project%3Acryptsetup
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 7 Feb 2021 12:21:06 +0000 (13:21 +0100)]
package/libfastjson: bump version to 0.99.9
Changelog: https://github.com/rsyslog/libfastjson/blob/master/ChangeLog
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 13:07:46 +0000 (14:07 +0100)]
package/mosquitto: add MOSQUITTO_CPE_ID_VENDOR
cpe:2.3:a:eclipse:mosquitto is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aeclipse%3Amosquitto
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gilles Talis [Sun, 7 Feb 2021 10:48:36 +0000 (11:48 +0100)]
package/webp: bump to version 1.2.0
Also fixed indentation in hash file
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 10:30:56 +0000 (11:30 +0100)]
package/sox: fix static build with id3tag
This build failure is raised since bump to
7524160b29a476f7e87bc14fddf12d349f9a3c5e
Fixes:
- http://autobuild.buildroot.org/results/
73efdacf237e3d567fa66f3b3f68e624f5e35bc7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 7 Feb 2021 09:19:29 +0000 (10:19 +0100)]
package/tpm2-pkcs11: add p11-kit optional dependency
Fixes:
- http://autobuild.buildroot.org/results/
fee607da7226a92cceab2bbfd4c5d031016dfa3d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Sat, 6 Feb 2021 11:36:40 +0000 (12:36 +0100)]
package/lua-http: bump to version 0.4
diff LICENSE.md
- Copyright (c) 2015-2019 Daurnimator
+ Copyright (c) 2015-2021 Daurnimator
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 19:03:59 +0000 (20:03 +0100)]
package/libblockdev: bump version to 2.25
Release notes:
https://github.com/storaged-project/libblockdev/blob/2.x-branch/NEWS.rst
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 19:03:58 +0000 (20:03 +0100)]
package/libbytesize: bump version to 2.5
Release notes:
https://github.com/storaged-project/libbytesize/releases/tag/2.4
https://github.com/storaged-project/libbytesize/releases/tag/2.5
Removed patch which was applied upstream:
https://github.com/storaged-project/libbytesize/commit/
f2b6600f5483fc68c46d596d578be10546f5ac43
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 18:43:45 +0000 (19:43 +0100)]
package/libabseil-cpp: bump version to
20200923.3
Release notes:
https://github.com/abseil/abseil-cpp/releases/tag/
20200923.3
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:14:15 +0000 (17:14 +0100)]
package/openrc: set OPENRC_CPE_ID_VALID
cpe:2.3:a:openrc_project:openrc is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopenrc_project%3Aopenrc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:54:53 +0000 (17:54 +0100)]
package/jsoncpp: set JSONCPP_CPE_ID_VALID
cpe:2.3:a:jsoncpp_project:jsoncpp is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ajsoncpp_project%3Ajsoncpp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 15:50:11 +0000 (16:50 +0100)]
package/unbound: add UNBOUND_CPE_ID_VENDOR
cpe:2.3:a:nlnetlabs:unbound is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anlnetlabs%3Aunbound
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:04:30 +0000 (17:04 +0100)]
package/mariadb: set MARIADB_CPE_ID_VENDOR
cpe:2.3:a:mariadb:mariadb is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amariadb%3Amariadb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 15:59:52 +0000 (16:59 +0100)]
package/gnuplot: set GNUPLOT_CPE_ID_VALID
cpe:2.3:a:gnuplot_project:gnuplot is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnuplot_project%3Agnuplot
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 6 Feb 2021 08:51:02 +0000 (09:51 +0100)]
package/pkg-utils: escape \ in generated legal-info
In the output of legal-info, which is JSON-formatted, we include the
CPI_ID (when it is valid).
For xerces, the CPE_ID contains two sequences of \+ (which is exactly
what is present in the NIST DB, [0]).
However, in JSON, like in C, \ escapes the following character; only a
very limited set of characters are valid to escape: " \ / b f n r t u.
Escaping any other character is invalid. Conformant JSON parser will
choke on invalid sequences, and so does not the json python module:
File "/usr/lib/python2.7/json/decoder.py", line 380, in raw_decode
obj, end = self.scan_once(s, idx)
ValueError: Invalid \escape: line 1 column 608554 (char 608553)
We fix that be globally escaping \ in our json output, in the generic
sanitising macro.
[0] https://nvd.nist.gov/products/cpe/detail/645?namingFormat=2.3&orderBy=CPEURI&keyword=xerces&status=FINAL
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 15:43:48 +0000 (16:43 +0100)]
package/cryptopp: add CPE variables
cpe:2.3:a:cryptopp:crypto\+\+ is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Acryptopp%3Acrypto%5C%2B%5C%2B
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:11:22 +0000 (17:11 +0100)]
package/slirp: add CPE variables
cpe:2.3:a:libslirp_project:libslirp is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibslirp_project%3Alibslirp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jianhui Zhao [Sat, 6 Feb 2021 14:33:59 +0000 (22:33 +0800)]
package/rtty: bump version to 7.3.2
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:29:37 +0000 (17:29 +0100)]
package/redis: add REDIS_CPE_ID_VENDOR
cpe:2.3:a:redislabs:redis is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aredislabs%3Aredis
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 6 Feb 2021 16:31:39 +0000 (17:31 +0100)]
package/mosquitto: bump version to 2.0.7
Includes a number of bugfixes. For details, see the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-7-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 09:59:39 +0000 (10:59 +0100)]
package/python-flask-cors: bump to version 3.0.10
https://github.com/corydolphin/flask-cors/releases/tag/3.0.10
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:20:05 +0000 (17:20 +0100)]
package/libkrb5: add CPE variables
cpe:2.3:a:mit:kerberos_5 is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amit%3Akerberos_5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sat, 6 Feb 2021 20:11:19 +0000 (21:11 +0100)]
package/binutils: bump 2.36.x series to 2.36.1
Release notes:
We are very sorry to have to report that a problem was found with the
GNU Binutils 2.36 release. It turns out that it contained a small
portion of code that was not covered by an FSF copyright assignment.
So we have created a replacement release - 2.36.1 - with that code
removed.
In addition we found that a fix for a theoretical security
vulnerability[1] was itself broken and could result in the archiver
program "ar" misbehaving. So we have chosen to revert the fix from
the 2.36.1 release whilst the problem is properly resolved.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:58:07 +0000 (17:58 +0100)]
package/oniguruma: set ONIGURUMA_CPE_ID_VALID
cpe:2.3:a:oniguruma_project:oniguruma is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aoniguruma_project%3Aoniguruma
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 16:51:15 +0000 (17:51 +0100)]
package/freetype: add FREETYPE_CPE_ID_VENDOR
cpe:2.3:a:freetype:freetype is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreetype%3Afreetype
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 19:19:50 +0000 (20:19 +0100)]
package/libcoap: bump version
Reformatted hashes, updated license hash due to copyright year bump:
https://github.com/obgm/libcoap/commit/
12fd8a25f708aa45a20f61e363f127b934633668
Release notes:
https://sourceforge.net/p/libcoap/mailman/message/
36801445/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 18:54:09 +0000 (19:54 +0100)]
package/{apparmor, libapparmor}: bump version to 3.0.1
Release notes:
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1
Removed patches which were applied upstream, updated _SITE.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 19:15:25 +0000 (20:15 +0100)]
package/libcli: bump version to 1.10.4
Removed whitespace and updated project URL in Config.in.
Reformatted hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 19:07:21 +0000 (20:07 +0100)]
package/libcap: bump version to 2.48
Release notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bartosz Bilas [Sat, 6 Feb 2021 18:53:24 +0000 (19:53 +0100)]
package/rauc: package/rauc: bump version to 1.5.1
Removed patch applied upstream.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 6 Feb 2021 11:53:19 +0000 (12:53 +0100)]
{linux, linux-headers}: bump 5.{4, 10}.x 4.{4, 9, 14, 19} series
Stick to 4.4.255 / 4.4.255 even though .256 is ready, as the wraparound of
the minor version may cause problems:
https://lkml.org/lkml/2021/2/5/747
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.256
https://lkml.org/lkml/2021/2/5/862
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.256
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Peter: stick to 4.{4,9}.255]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Sat, 6 Feb 2021 18:56:40 +0000 (18:56 +0000)]
package/iputils: update path for tftpd
tftpd has been installed into /usr/sbin in
20210202
(in upstream commit
8d1420f tftpd: install into sbindir).
Thus remove hook which expected it in /usr/bin and tried to move it into
/usr/sbin.
Fixes:
- http://autobuild.buildroot.net/results/
3d142a705f07d496b1342e04094cd03ce7d92994
- http://autobuild.buildroot.net/results/
dae643b2d23d74b5f91225d00e85c350861a0e8a
- http://autobuild.buildroot.net/results/
dcfcb082bc188e7f990e280c3fd5d971f32cc048
Fixes: ea422f9950 ("package/iputils: bump version to 20210202")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Leonid Yuriev [Fri, 5 Feb 2021 21:29:49 +0000 (00:29 +0300)]
package/libmdbx: bump version to 0.9.3
Release notes: https://github.com/erthink/libmdbx/releases/tag/v0.9.3
Signed-off-by: Leonid Yuriev <leo@yuriev.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 30 Jan 2021 17:14:55 +0000 (18:14 +0100)]
package/htop: add lm-sensors optional dependency
lm-sensors is an optional dependency (enabled by default) since version
3.0.3 and
https://github.com/htop-dev/htop/commit/
1b225cd7a0af03a6349c48326118a287fc36acd0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yair Ben-Avraham [Sun, 24 Jan 2021 19:29:26 +0000 (19:29 +0000)]
package/tpm2-pkcs11: new package
A PKCS#11 interface for TPM2 hardware
Signed-off-by: Yair Ben-Avraham <yairba@protonmail.com>
[Peter: add openssl dependency, drop tpm2-tools, unconditionally pass -std=gnu99]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 6 Feb 2021 11:07:51 +0000 (12:07 +0100)]
package/tmux: bump to version 3.1c
- Drop patch (already in version)
- Update hash of COPYING (examples directory removed:
https://github.com/tmux/tmux/commit/
e722ba38e3133cb01b4cd17bf5fe7c56e42a4962)
- Update indentation in hash file (two spaces)
https://raw.githubusercontent.com/tmux/tmux/3.1c/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 11:22:44 +0000 (12:22 +0100)]
package/p11-kit: set P11_KIT_CPE_ID_VALID
cpe:2.3:a:p11-kit_project:p11-kit is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ap11-kit_project%3Ap11-kit
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 11:16:14 +0000 (12:16 +0100)]
package/nodejs: add CPE variables
cpe:2.3:a:nodejs:node.js is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anodejs%3Anode.js
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 11:07:50 +0000 (12:07 +0100)]
package/tmux: set TMUX_CPE_ID_VALID
cpe:2.3:a:tmux_project:tmux is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atmux_project%3Atmux
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 11:05:54 +0000 (12:05 +0100)]
package/asterisk: add CPE variables
cpe:2.3:a:asterisk:open_source is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aasterisk%3Aopen_source
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 10:39:27 +0000 (11:39 +0100)]
package/raptor: add CPE variables
cpe:2.3:a:librdf:raptor_rdf_syntax_library is a valid CPE identifier for
this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibrdf%3Araptor_rdf_syntax_library
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 09:56:50 +0000 (10:56 +0100)]
package/atftp: set ATFTP_CPE_ID_VALID
cpe:2.3:a:atftp_project:atftp is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aatftp_project%3Aatftp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 6 Feb 2021 09:56:49 +0000 (10:56 +0100)]
package/atftp: bump to version 0.7.4
- Drop patches (already in version) and so autoreconf
- Update indentation in hash file (two spaces)
https://sourceforge.net/p/atftp/code/ci/v0.7.4/tree/Changelog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Fri, 5 Feb 2021 13:07:56 +0000 (14:07 +0100)]
package/python3: add upstream security fix for CVE-2021-3177
Fixes the following security issue:
- CVE-2021-3177: Python 3.x through 3.9.1 has a buffer overflow in
PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
in certain Python applications that accept floating-point numbers as
untrusted input, as demonstrated by a 1e300 argument to
c_double.from_param. This occurs because sprintf is used unsafely.
For details, see the advisory:
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Sørensen [Fri, 5 Feb 2021 10:00:21 +0000 (11:00 +0100)]
package/netsnmp: bump version to 5.9
- Rebased patches 1 and 4
- Dropped upstreamed patches 5 and 6
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[yann.morin.1998@free.fr:
- update patches 1-2 with actual backports, as noticed by Stefan
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 5 Feb 2021 07:54:04 +0000 (08:54 +0100)]
package/python-bottle: add CPE variables
cpe:2.3:a:bottlepy:bottle is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Abottlepy%3Abottle
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 5 Feb 2021 18:18:30 +0000 (19:18 +0100)]
package/python-flask-cors: add CPE variables
cpe:2.3:a:flask-cors_project:flask-cors is a valid CPE identifier for
this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aflask-cors_project%3Aflask-cors
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Thu, 4 Feb 2021 19:31:11 +0000 (20:31 +0100)]
package/makedumpfile: fix build on sparc64
Fix the following build failure on sparc64:
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc64-buildroot-linux-gnu/9.3.0/../../../../sparc64-buildroot-linux-gnu/bin/ld: /tmp/ccylTux8.o: in function `find_kaslr_offsets':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/makedumpfile-1.6.8/makedumpfile.c:4017: undefined reference to `get_kaslr_offset'
Even if this build failure is only raised with version 1.6.8,
get_kaslr_offset was also undeclared on sparc64 in version 1.6.7
Fixes:
- http://autobuild.buildroot.org/results/
1421f54f7599bba62c0a4bd5c65ce21c8cc7ee1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Asaf Kahlon [Fri, 5 Feb 2021 16:36:39 +0000 (18:36 +0200)]
package/libfuse3: bump version to 3.10.2
Remove patch (already on upstream).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Sørensen [Fri, 5 Feb 2021 10:00:20 +0000 (11:00 +0100)]
package/libpwquality: bump version to 1.4.4
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Fri, 5 Feb 2021 09:01:01 +0000 (10:01 +0100)]
package/atftp: add security fix for CVE-2020-6097
Fixed the following security issue:
- CVE-2020-6097: An exploitable denial of service vulnerability exists in
the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A
specially crafted sequence of RRQ-Multicast requests trigger an assert()
call resulting in denial-of-service. An attacker can send a sequence of
malicious packets to trigger this vulnerability.
For more details, see the report:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Maxim Kochetkov [Fri, 5 Feb 2021 05:57:45 +0000 (08:57 +0300)]
package/timescaledb: bump version to 2.0.1
Release notes: https://github.com/timescale/timescaledb/releases/tag/2.0.1
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 5 Feb 2021 08:03:31 +0000 (09:03 +0100)]
package/python-django: add CPE variables
cpe:2.3:a:djangoproject:django is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adjangoproject%3Adjango
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 5 Feb 2021 07:46:26 +0000 (08:46 +0100)]
package/vala: add VALA_CPE_ID_VENDOR
cpe:2.3:a:gnome:vala is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Avala
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 5 Feb 2021 07:45:09 +0000 (08:45 +0100)]
package/cryptodev-linux: set CRYPTODEV_LINUX_CPE_ID_VENDOR
cpe:2.3:a:cryptodev-linux:cryptodev-linux is a valid CPE identifier for
this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acryptodev-linux%3Acryptodev-linux
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 5 Feb 2021 07:42:17 +0000 (08:42 +0100)]
package/libtirpc: set LIBTIRPC_CPE_ID_VALID
cpe:2.3:a:libtirpc_project:libtirpc is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtirpc_project%3Alibtirpc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 5 Feb 2021 12:13:29 +0000 (13:13 +0100)]
package/wpa_supplicant: add upstream 2020-2 security fix
Fixes the following security issue:
- wpa_supplicant P2P group information processing vulnerability (no CVE yet)
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners. The actual
parsing of that information validates field lengths appropriately, but
processing of the parsed information misses a length check when storing a
copy of the secondary device types. This can result in writing attacker
controlled data into the peer entry after the area assigned for the
secondary device type. The overflow can result in corrupting pointers
for heap allocations. This can result in an attacker within radio range
of the device running P2P discovery being able to cause unexpected
behavior, including termination of the wpa_supplicant process and
potentially arbitrary code execution.
For more details, see the advisory:
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: keep _PATCH near _VERSION and _SITE]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Tue, 2 Feb 2021 20:56:14 +0000 (21:56 +0100)]
package/xenomai: disable cobalt for armv8
When a armv8 target is used in 32bits mode, xenomai fail to detect the
ARM architecture and abord the build. (__ARM_ARCH_7A__ is not defined
for armv8 cpus).
There are no autobuilder failures for this issue since cobalt is never
selected, but the following defconfig:
BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y
This was initialy reproduced using the raspberrypi3_defconfig with
Xenomai package with cobalt selected.
In order to use Xenomai on raspberrypi3 in 32 bits mode, one has to
select BR2_cortex_a7 instead of BR2_cortex_a53 (see
a13a388dd444).
See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L52
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr:
- switch to independent conditional 'default y'
- slightly reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>