Fabrice Fontaine [Mon, 11 Jan 2021 20:15:44 +0000 (21:15 +0100)]
package/netcat: set NETCAT_CPE_ID_VALID
cpe:2.3:a:netcat_project:netcat is indeed the right CPE identifier for
this package, as can be seen from:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anetcat_project%3Anetcat
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 2 May 2020 10:06:35 +0000 (12:06 +0200)]
package/gkrellm: new package
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 10 Jan 2021 19:28:15 +0000 (20:28 +0100)]
package/frotz: needs threads
Fixes:
- http://autobuild.buildroot.org/results/
8443316d8074bf44a82ceeda4630a9acb1254947
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Geoffrey Le Gourriérec [Sun, 10 Jan 2021 20:39:10 +0000 (21:39 +0100)]
configs/qemu_*: bump kernel version to 5.4.88
Bump QEMU defconfigs to latest longterm kernel 5.4.88.
Please note that QEMU boards not based on 5.4.y were ignored:
- qemu_csky810_virt_defconfig
- qemu_csky807_virt_defconfig
- qemu_csky610_virt_defconfig
- qemu_csky860_virt_defconfig
Tests were carried out on all QEMU boards using Gitlab [1] (commit
message was slightly different, but the patch is identical)
Additional actions needed were:
- board/qemu/sh4-r2d: Remove one of the two kernel patches [2] provided
by Alan Modra fixing rodata alignment, carried here by Romain Naour [3]
to fix an issue preventing kernel from booting with binutils 2.23.
Patch is present in upstream Linux now.
[1] https://gitlab.com/clumsyape/buildroot/-/pipelines/
239483891
[2] https://www.sourceware.org/ml/binutils/2019-12/msg00112.html
[3] https://git.busybox.net/buildroot/commit/?id=
a2331c8a61bdd71c47492efc818fb0458a349219
Signed-off-by: Geoffrey Le Gourriérec <geoffrey.legourrierec@gmail.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 10 Jan 2021 19:58:51 +0000 (20:58 +0100)]
package/nano: drop unrecognized option
wordbounds option has been removed since version 4.0 and
https://git.savannah.gnu.org/cgit/nano.git/commit?id=
798695ff1ec0bec2605eb490008f2968a5e8c264
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Mon, 11 Jan 2021 17:55:20 +0000 (18:55 +0100)]
{linux, linux-headers}: bump 5.{4, 10}.x 4.{4, 9, 14, 19} series
Drop 5.9 stable (EOL).
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[Peter: add Config.in.legacy handling for 5.9]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Tue, 29 Sep 2020 19:14:43 +0000 (21:14 +0200)]
package/tar: drop specific version for host variant
Now that we can generate reproducible archives, with all known tar
versions starting with 1.27, we don't need to clamp the host-tar
version to the old 1.29, and can now bump to any later version.
Drop the host-tar version, and use the same as the target variant.
Note that we still need the _SOURCE trick, to avoid depending on tar
to extract the tar tarball...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Mon, 28 Sep 2020 21:16:50 +0000 (23:16 +0200)]
support/dependencies: drop check for maximal tar version
So far, we checked that the tar present on the host was at most tar
1.29, because tar 1.30 changed the way it generates archives.
Having a maximum tar version requirement meant that we would eventually
always have to build our own host-tar, as distributions are updating
the version they use.
But now, we have found a way to generate reproducible archives starting
with tar 1.27 onward, so we no longer need the check for a maximum tar
version, so we can drop that requirement.
Note: this is semantically a revert of
b8fa273d500b (check-host-tar.sh:
blacklist tar 1.30+), but keeping the new, mostly-linear code-path.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Mon, 28 Dec 2020 11:06:11 +0000 (12:06 +0100)]
support/download: change format of archives generated from svn
Like we recently did for git, switch the archives generated from
subversion to be reproducible whatever the tar version.
We have no in-tree users of the svn backend which also has hashes,
so no hash to update.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Wed, 23 Dec 2020 21:21:05 +0000 (22:21 +0100)]
support/download: cleanup svn backend
Commit
89f5e9893 (support/download/svn: generate reproducible svn
archives) did what it said, but can be siplified a bit.
Indeed, we are doing an svn export, so we won't have any of the .svn
directories, neither at the root of the extract, nor in any of the
sub-directories.
As such, we do not need to filter them out when we generate the list
of files to include in the archive.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Mon, 25 Mar 2019 21:48:12 +0000 (22:48 +0100)]
support/download: change format of archives generated from git
Switch to using the tarball helper, that can generate reproducible
archives whatever the tar version >= 1.27.
However, those archives are not identical to the previous ones generated
in the (now-broken) gnu format.
To avoid any clashing between old and new archives, and new and old
Buildroot versions, we need to name the new generated archives
differently from the existing ones.
So, we bump the git-specific format-version to -br1.
The %ci date has been supported by git back to 1.6.0, released August
2008); it is not strictly ISO8601, but is still accepted as a PAX date
header. The strict ISO8601 placeholder, %cI, was only introduced with
2.2.0, release in November 2014, so too recent to be widely available.
As the format and the names of the archives changes, we need to update
all the hash files with the new names and hashes.
Of all the bootloaders that have a git download method, vexpress-firmware
is the only one to have a hash. Others have no hash files, or they have
explicitly set BR_NO_CHECK_HASH_FOR.
For the packages, linux-headers is the special snowflake, as the git
download is only for custom git tree, so it is excluded from the hash
verification with BR_NO_CHECK_HASH_FOR.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
---8<------8<------8<------8<---
#!/bin/sh
# Find and download all packages using git as backend.
# Manually fix hashes for affected packages.
# Packages that only have a host variant
HOST_ONLY='imx-mkimage|mxsldr|netsurf-buildsystem|opkg-utils|prelink-cross|qoriq-rcw|vboot-utils'
# Packages that have a non-git main _SOURCE, and/or which
# have BR_NO_CHECK_HASH_FOR for the git _SOURCE
NOT_GIT='aufs|aufs-util|xenomai|linux-headers'
export BR2_DL_DIR=$(pwd)/temp-dl-dir
make defconfig
make $( git grep -l -E 'SITE_METHOD[[:space:]]*:?=[[:space:]]*git\>|_SITE[[:space:]]*:?=[[:space:]]*git:' \
boot/vexpress-firmware/ package/ \
|sed -r -e 's,.*/([^/]+)\.mk,\1,' \
|sed -r -e '/^('"${NOT_GIT}"')$/d;' \
-e 's/^('"${HOST_ONLY}"')/host-\1/;' \
-e 's/$/-legal-info/;'
)
---8<------8<------8<------8<---
Yann E. MORIN [Mon, 28 Dec 2020 16:07:04 +0000 (17:07 +0100)]
support/download: add helper to generate a reproducible archive
We currently need to generate reproducible archives in at least two
locations: the git and svn download backends. We also know of some
future potential use (e.g. the other download backends, like cvs, or
in the upcoming download post-processors for vendoring, like cargo
and go).
However, we are currently limited to a narrow range of tar versions
that we support, to create reproducible archives, because the gnu
format we use has changed with tar 1.30.
As a consequence, and as time advances, more and more distros are,
or will eventually start, shipping with tar 1.30 or later, and thus
we need to always build our on host-tar.
Now, thanks to some grunt work by Vincent, we have a set of options
that we can pass tar, to generate reproducible archives back from
tar-1.27 and up through tar-1.32, the latest released version.
However, those options are non-trivial, so we do not want to have
to repeat those (and maintain them) in multiple locations.
Introduce a helper that can generate a reproducible archive from
an input directory.
The --pax-option, to set specific PAX headers, does not accept
RFC2822 timestamps which value are too away from some fixed point
(set atcompile-time?):
tar: Time stamp is out of allowed range
However, the same timestamps passed as strict compliant ISO 8601 are
accepted, so that's what we expect as a date format.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
---8<------8<------8<------8<---
# Here is a Makefile used to test all the versions of tar, with
# different output formats and different sets of options:
# Versions prior to 1.27 do not build on recent machines, because
# 'gets()' got removed (rightfully so), so don't count them as
# candidates.
VERSIONS = 1.27 1.27.1 1.28 1.29 1.30 1.31 1.32
DATE = Thu 21 May 2020 06:44:11 PM CEST
TARS = \
$(patsubst %,test_gnu_%.tar,$(VERSIONS)) \
$(patsubst %,test_posix_%.tar,$(VERSIONS)) \
$(patsubst %,test_posix_paxoption_%.tar,$(VERSIONS))
all: $(TARS)
sha1sum $(^)
.INTERMEDIATE: test_%.tar
test_gnu_%.tar: tar.% list
./$(<) cf - -C test \
--transform="s#^\./#test-version/#" \
--numeric-owner --owner=0 --group=0 \
--mtime="$(DATE)" \
--format=gnu \
-T list \
>$(@)
test_posix_%.tar: tar.% list
./$(<) cf - -C test \
--transform="s#^\./#test-version/#" \
--numeric-owner --owner=0 --group=0 \
--mtime="$(DATE)" \
--format=posix \
-T list \
>$(@)
test_posix_paxoption_%.tar: tar.% list
./$(<) cf - -C test \
--transform="s#^\./#test-version/#" \
--numeric-owner --owner=0 --group=0 \
--mtime="$(DATE)" \
--format=posix \
--pax-option='delete=atime,delete=ctime,delete=mtime' \
--pax-option='exthdr.name=%d/PaxHeaders/%f,exthdr.mtime={$(DATE)}' \
-T list \
>$(@)
list: .FORCE
list: test
(cd test && find . -not -type d ) |LC_ALL=C sort >$(@)
LONG = L$$(for i in $$(seq 1 200); do printf 'o'; done)ng
test: .FORCE
test:
rm -rf test
mkdir -p test/bar
echo foo >test/Foo
echo bar >test/bar/Bar
ln -s bar/Bar test/buz
echo long >test/Very-$(LONG)-filename
ln test/Very-$(LONG)-filename \
test/short
.PRECIOUS: tar.%
tar.%: tar-%
cd $(<) && ./configure
$(MAKE) -C $(<)
install -m 0755 $(<)/src/tar $(@)
.PRECIOUS: tar-%
tar-%: tar-%.tar.gz
tar xzf $(<)
.PRECIOUS: tar-%.tar.gz
tar-%.tar.gz:
wget "https://ftp.gnu.org/gnu/tar/$(@)"
.FORCE:
clean:
rm -rf tar-* tar.* test_* test list
---8<------8<------8<------8<---
Yann E. MORIN [Sun, 13 Dec 2020 13:59:28 +0000 (14:59 +0100)]
core/pkg-infra: allow per site-method sub-version strings
When we want to change the format of an archive we generate (e.g. those
we generate from git trees), the hashes of those archives will change.
To avoid any issue (e.g. an older Buildroot using newer archives, or the
other way around) that would conclude that the hashes do not match, we
want to change the filenames of the generated archives whenever we
change their format.
Introduce a new internal variable, specific to each site method, that we
can set to include a "format version" for the archives generated from
that site method.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Mon, 25 Mar 2019 19:59:20 +0000 (20:59 +0100)]
core/pkg-infra: prepare for alternate default source archives
The .tar.gz default extension is historical, and we initially used
to only fetch tarballs from remote sites.
When we introduced downloads from VCS repositories, we kept that
extension, and kept compressing with gz, by lack of good reason to
switch to some other compression scheme.
However, nowadays, we will want to change the way we construct the
tarballs we generate from VCS. This will de facto change the hashes
of those tarballs.
So we will want that the archives we generate do not clash with the
existing ones, so we need another filename. Thus, we need a way to
be able to use a different extension when we generate archives from
VCS.
Use a macro as suggested by Arnout.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>
Yann E. MORIN [Sat, 9 Jan 2021 10:12:54 +0000 (11:12 +0100)]
package/libclc: switch to use the frozen, legacy mirror
The LLVM project has switched to using a monorepo to host all their
components. The separate, individual repositories have been closed
late 2020 / early 2021. The libclc repository is no longer.
Switch to using the libclc source from the llvm legacy and frozen
mirror.
Even though we could switch over to using the github helper, we just
keep using the git download method: it is a small repository, and it
will not impact people that were already using it.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Valentin Korenblit <valentinkorenblit@gmail.com>
Cc: Michael Opdenacker <michael.opdenacker@bootlin.com>
Acked-by: Romain Naour <romain.naour@gmail.com>
---
Changes v1 -> v2:
- keep everything as-is, just switch to the frozen mirror
Yann E. MORIN [Sun, 10 Jan 2021 18:19:49 +0000 (19:19 +0100)]
package/tzdata: drop obosolete, legacy zic option -y
The following commits:
-
7868289fd534 package/zic: bump version to 2020f
-
c99374ecbb5e package/tzdata: bump version to 2020f
bumped the tzdata from version 2020a to 2020f. However, in 2020b, the
zic option '-y' was removed, and so was the yearistype.sh script [0].
This now spews annoying warnings:
warning: -y ignored
Fortunately, it still consumes its argument, so the missing yearistype.sh
is simply ignored.
Drop that option.
[0] https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Bernd Kuhls [Sun, 10 Jan 2021 16:47:11 +0000 (17:47 +0100)]
package/tzdata: bump version to 2020f
Release notes:
https://mm.icann.org/pipermail/tz-announce/2020-December/000064.html
Upstream removed timezones pacificnew and systemv:
https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Sun, 10 Jan 2021 16:47:10 +0000 (17:47 +0100)]
package/zic: bump version to 2020f
Release notes:
https://mm.icann.org/pipermail/tz-announce/2020-December/000064.html
Rebased patch.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Sat, 9 Jan 2021 07:41:23 +0000 (08:41 +0100)]
package/readline: bump to version 8.1
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Sun, 10 Jan 2021 12:23:10 +0000 (13:23 +0100)]
package/busybox: fix selinux-related build error
Fixes:
http://autobuild.buildroot.net/results/b89/
b89b7d0f0601bb706e76cea31cf4e43326e5540c/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 10 Jan 2021 13:00:13 +0000 (14:00 +0100)]
package/rng-tools: bump to version 6.11
Drop patches (already in version)
https://github.com/nhorman/rng-tools/releases/tag/V6.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Michael Fischer [Fri, 8 Jan 2021 10:12:00 +0000 (11:12 +0100)]
package/sdl2: bump version to 2.0.14
patch 0001: already applied upstream
patch 0002: adapt patch to 2.0.14
Signed-off-by: Michael Fischer <mf@go-sys.de>
[yann.morin.1998@free.fr:
- renumber remaining patch
- fix space-typo in hash file
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 10 Jan 2021 08:59:51 +0000 (09:59 +0100)]
package/multipath-tools: fix license
As stated in README.md, multipath-tools is covered by several licenses
and LGPL-2.0 is "just" the default license:
- GPL-2.0+ (e.g. libmultipath/alias.c)
- GPL-3.0+ (e.g. libdmmp/libdmmp.c)
- LGPL-2.1+ (e.g. libmpathcmd/mpath_cmd.c)
So replace COPYING (which is a symlink to LICENSES/LGPL-2.0) by the
approriate license files in LICENSES directory
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: further split long lines]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yair Ben-Avraham [Sun, 10 Jan 2021 08:35:35 +0000 (08:35 +0000)]
package/casync: new package
Signed-off-by: Yair Ben-Avraham <yairba@protonmail.com>
[yann.morin.1998@free.fr:
- correctly fix build without lzma in an upstreamable fashion
- actually fix the build without udev
- depend on udev, not libudev (which does not exist)
- don't use += for the first variable assignment to _CONF_OPTS
- explicitly disable unsupported fuzz options
- add explicit optiopnal support for bash-completion
- drop useless comments about "features" and "booleans"
- fix alphabetical order in DEVELOPERS
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Thu, 7 Jan 2021 22:24:12 +0000 (23:24 +0100)]
package/nodejs: security bump to version 12.20.1
Fixes the following security issues:
- CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions
are vulnerable to a use-after-free bug in its TLS implementation. When
writing to a TLS enabled socket, node::StreamBase::Write calls
node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first
argument. If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure. This
may be exploited to corrupt memory leading to a Denial of Service or
potentially other exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of
Node.js allow two copies of a header field in a http request. For
example, two Transfer-Encoding header fields. In this case Node.js
identifies the first header field and ignores the second. This can lead
to HTTP Request Smuggling
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/
20201208.txt
Update the license hash for the addition of the (MIT licensed)
cjs-module-lexer module:
https://github.com/nodejs/node/commit/
9eb1fa19248949dfc716807b1dc97dedf36da14e
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Thu, 7 Jan 2021 16:09:16 +0000 (17:09 +0100)]
package/clinfo: bump to version 3.0.20.11.20
Update indentation of hash file (two spaces).
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 8 Jan 2021 06:53:41 +0000 (07:53 +0100)]
package/poppler: use ENABLE_GLIB
Use ENABLE_GLIB which is available since version 0.60 and
https://github.com/freedesktop/poppler/commit/
766a32ff59dadd9ae4639d8a79861a17be6aec52
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Thu, 7 Jan 2021 21:41:24 +0000 (22:41 +0100)]
DEVELOPERS: fix order
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 8 Jan 2021 18:19:53 +0000 (19:19 +0100)]
package/libiec61850: fix CVE-2020-15158
In libIEC61850 before version 1.4.3, when a message with COTP message
length field with value < 4 is received an integer underflow will happen
leading to heap buffer overflow. This can cause an application crash or
on some platforms even the execution of remote code. If your application
is used in open networks or there are untrusted nodes in the network it
is highly recommend to apply the patch. This was patched with commit
033ab5b. Users of version 1.4.x should upgrade to version 1.4.3 when
available. As a workaround changes of commit
033ab5b can be applied to
older versions.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Fri, 8 Jan 2021 19:06:03 +0000 (20:06 +0100)]
package/busybox: bump version to 1.33.0
Rebased patch 0002.
Removed patch 0003 which was applied upstream:
https://git.busybox.net/busybox/commit/?h=1_33_stable&id=
1a5d6fcbb5e606ab4acdf22afa26361a25f1d43b
Switched _SITE to https.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Huth [Thu, 30 Apr 2020 14:44:41 +0000 (16:44 +0200)]
package/frotz: new package
Frotz is an interpreter for old Infocom adventures and other Z-code
games.
Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 9 Jan 2021 12:33:37 +0000 (13:33 +0100)]
toolchain: CodeSourcery AArch64 2014.11 does not contain libatomic
Fixes build error
output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-amd-linux-gnu/4.9.1/../../../../aarch64-amd-linux-gnu/bin/ld:
cannot find -latomic
using this defconfig
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_AARCH64=y
BR2_PACKAGE_OPENSSL=y
libopenssl is only used here as an example: all packages adding -latomic
if BR2_TOOLCHAIN_HAS_LIBATOMIC=y are broken, like dav1d, ffmpeg, gnutls,
kodi and vlc.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Huth [Thu, 30 Apr 2020 06:54:45 +0000 (08:54 +0200)]
package/xorcurses: new package
XorCurses is a remake of the 8-bit game 'Xor' by Astral Software.
Your task is to roam around a series of mazes where you have to
collect all blue masks before finding the exit. You have two 'shields'
(players) and you can use either one at any time and switch between
them. While the first level is simply a matter of navigation, the
following levels introduce further objects like bombs and teleports,
which have to be used right to solve the puzzles.
Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 9 Jan 2021 13:37:08 +0000 (14:37 +0100)]
package/apcupsd: fix reverse dependency for libusb
Commit
8a26801c9f (package/libusb: needs gcc >= 4.9) added a dependency
to gcc >= 4.9 for libusb but forgot to propagate the reverse dependency
to BR2_PACKAGE_APCUPSD_USB.
Fixes:
http://autobuild.buildroot.net/results/f34/
f348fe8e5530970a14589ca878810a3bdaf98f67/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Baruch Siach [Sat, 9 Jan 2021 20:09:21 +0000 (22:09 +0200)]
configs/solidrun_clearfog_gt_8k: bump BSP components
Switch to upstream ATF of recent version to fix build with recently
updated mv-ddr. The vendor does not provide public access to newer ATF
versions anymore.
Bump U-Boot and kernel to fix dtc build on hosts with gcc 10.
Increase rootfs size. The default 60MB is not enough.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
948622614
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Sat, 9 Jan 2021 17:55:07 +0000 (18:55 +0100)]
package/bats-core: bump version to 1.2.1
For details, see the release notes:
https://github.com/bats-core/bats-core/releases/tag/v1.2.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 7 Jan 2021 21:13:34 +0000 (22:13 +0100)]
linux: indicate proper CPE prefix
The CPE type of the Linux kernel is special, it should be "o", unlike
all other packages that use "a". We therefore need to override
<pkg>_CPE_ID_PREFIX, so that the CPE ID of the linux package matches
with the CPE dictionary.
Reported-by: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Sat, 9 Jan 2021 12:18:55 +0000 (13:18 +0100)]
package/nano: bump to version 5.4
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Sat, 9 Jan 2021 12:17:19 +0000 (13:17 +0100)]
package/dbus: bump to version 1.12.20
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 8 Jan 2021 18:11:57 +0000 (19:11 +0100)]
package/p11-kit: security bump to version 0.23.22
- Fix memory-safety issues that affect the RPC protocol (CVE-2020-29361,
CVE-2020-29362 and CVE-2020-29363)
- Update indentation in hash file (two spaces)
https://github.com/p11-glue/p11-kit/blob/0.23.22/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 8 Jan 2021 17:53:00 +0000 (18:53 +0100)]
package/openvpn: set OPENVPN_CPE_ID_VENDOR
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Raphaël Mélotte [Fri, 8 Jan 2021 17:50:49 +0000 (18:50 +0100)]
package/python-s3transfer: bump to version 0.3.3
While at it, use two spaces for all the hashes.
Signed-off-by: Raphaël Mélotte <raphael.melotte@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 8 Jan 2021 17:32:59 +0000 (18:32 +0100)]
package/openjpeg: fix build with poppler
Fix build of poppler with openjpeg in version 2.4.0
Fixes:
- http://autobuild.buildroot.org/results/
e4e43519a1c70686844b08257971cc350a746636
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 8 Jan 2021 17:06:29 +0000 (18:06 +0100)]
package/multipath-tools: disable -Werror
Set the new WARNFLAGS to "" which has been added since version 0.8.5 and
https://github.com/opensvc/multipath-tools/commit/
82f1b164cb21c9632b3c73f865d97777c7a61e0d
Otherwise, -Werror will raise the following build failure:
/srv/storage/autobuild/run/instance-3/output-1/host/bin/mipsel-linux-gcc --std=gnu99 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -D_FORTIFY_SOURCE=1 -Werror -Wall -Wextra -Wformat=2 -Werror=implicit-int -Werror=implicit-function-declaration -Werror=format-security -Wno-clobbered -Wno-error=clobbered -Werror=cast-qual -Werror=discarded-qualifiers -pipe -DBIN_DIR=\"/sbin\" -DLIB_STRING=\"lib\" -DRUN_DIR=\"run\" -MMD -MP -fPIC -I.. -I../../libmultipath/nvme -Wp,-D_FORTIFY_SOURCE=2 -c -o nvme.o nvme.c
<command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
Fixes:
- http://autobuild.buildroot.org/results/
71f7661e7d26ca8608e902eee9f2a92376b00601
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tian Yuanhao [Wed, 16 Dec 2020 08:42:46 +0000 (00:42 -0800)]
package/balena-engine: new package
Signed-off-by: Tian Yuanhao <tianyuanhao@aliyun.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Romain Naour [Fri, 24 Apr 2020 17:04:35 +0000 (19:04 +0200)]
package/libiec61850: new package
Don't add mbedtls support since it require a bundled and specific
version.
Keep experimental Python binding support disabled for now.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Fri, 24 Apr 2020 11:39:28 +0000 (13:39 +0200)]
package/fluidsynth: add systemd optional dependency
systemd is an optional dependency (enabled by default) since version
2.0.5 and
https://github.com/FluidSynth/fluidsynth/commit/
099369f8b7f39afe08b6a518195948b05a937af3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Fri, 24 Apr 2020 11:39:27 +0000 (13:39 +0200)]
package/fluidsynth: add sdl2 optional dependency
sdl2 is an optional dependency (enabled by default) since version 2.1.0:
https://github.com/FluidSynth/fluidsynth/commit/
978283bbf0309191a441121b7ea867e41e329d3b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Matt Weber [Tue, 21 Apr 2020 13:08:53 +0000 (08:08 -0500)]
package/swupdate: note init script tokenizing limitation
Command line options reference:
https://sbabic.github.io/swupdate/_sources/swupdate.txt
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Wed, 22 Apr 2020 09:22:53 +0000 (11:22 +0200)]
package/luasyslog: bump to version 2.2.0 from a fork
This commit switches the luasyslog package to use a fork of the
project that has good Lua 5.3 support.
This fork has a public repository on Github
(https://github.com/ntd/luasyslog/), and is available as a Lua Rock
(https://luarocks.org/modules/ntd/luasyslog), but unfortunately the
rockspec uses a build method that is not supported by the Buildroot
luarocks infrastructure. Therefore, we used the autotools build system
provided by this fork.
Because this fork has good support for Lua 5.3, the "Lua 5.3
compatibility" patch becomes useless and can be dropped.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Konrad Schwarz [Thu, 31 Dec 2020 21:29:47 +0000 (22:29 +0100)]
package/environment-setup: fix spelling of the script file in the manual.
The manual incorrectly refers to the script file as `setup-environment';
it is actually called `environment-setup'.
Signed-off-by: Konrad Schwarz <konrad.schwarz@siemens.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Rob Mellor [Fri, 13 Nov 2020 10:10:26 +0000 (10:10 +0000)]
package/freescale-imx/firmware-imx/Config.in: install imx6q binaries for IM6UL platform
linux-*/arch/arm/boot/dts/imx6ul.dtsi
requires the install of the sdma-imx6q.bin as stated in
line 727: fsl,sdma-ram-script-name = "imx/sdma/sdma-imx6q.bin";
without the BR2_PACKAGE_FIRMWARE_IMX_SDMA_FW_NAME being set to "imx6q"
line 102 of firmware-imx.mk does not install the firmware to to target
Signed-off-by: Rob Mellor <Rob.Mellor@ultra-pals.com>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Chris Packham [Wed, 11 Nov 2020 22:41:02 +0000 (11:41 +1300)]
package/coremark-pro: new package
CoreMark-Pro is a comprehensive, advanced processor benchmark that
works with and enhances the market-proven industry-standard EEMBC
CoreMark benchmark.
https://www.eembc.org/coremark-pro/
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Chris Packham [Wed, 11 Nov 2020 22:41:01 +0000 (11:41 +1300)]
package/coremark: new package
CoreMark is a simple, yet sophisticated benchmark that is designed
specifically to test the functionality of a processor core. Running
CoreMark produces a single-number score allowing users to make quick
comparisons between processors.
https://www.eembc.org/coremark/
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Tue, 5 Jan 2021 17:17:10 +0000 (18:17 +0100)]
package/boost: drop BOOST_IGNORE_CVES
Not needed since commit
63332c33aa0771532807fd2684d4eee4eb952435
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Thu, 7 Jan 2021 21:14:55 +0000 (22:14 +0100)]
package/open62541: add patch to allow building without a C++ compiler
This patch was intended to be added in commit
b36ea68b5ad0f89ffd92cac3f91654e180683b1c ("package/open62541: new
package") but was missed, causing open62541 to not build on
configurations that lack a C++ compiler. This patch removes the need
for a C++ compiler by properly declaring the CMake project.
Fixes:
http://autobuild.buildroot.net/results/
86ca6a5a01ecfc7030c6be0da81924436b41d057/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Michael Vetter [Mon, 4 Jan 2021 09:33:45 +0000 (10:33 +0100)]
package/jasper: Bump to 2.0.24
Changes:
* Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for
easier access to the JasPer version.
* Fixes stack overflow bug on Windows, where variable-length
arrays are not available. (#256)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Thu, 7 Jan 2021 16:14:14 +0000 (17:14 +0100)]
DEVELOPERS: Add Romain Naour for qemu package
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Thu, 7 Jan 2021 18:22:21 +0000 (19:22 +0100)]
package/pkgconf: bump to version 1.6.3
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Thu, 7 Jan 2021 18:02:16 +0000 (19:02 +0100)]
DEVELOPERS: add myself for php
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Thu, 7 Jan 2021 18:02:15 +0000 (19:02 +0100)]
package/php: security bump version to 7.4.14
Fixes CVE-2020-7071: https://bugs.php.net/bug.php?id=77423
Release notes: https://news-web.php.net/php.announce/304
Changelog: https://www.php.net/ChangeLog-7.php#7.4.14
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 4 Jan 2021 17:16:24 +0000 (18:16 +0100)]
package/sigrok-cli: bump to version 0.7.1
https://sigrok.org/gitweb/?p=sigrok-cli.git;a=blob;f=NEWS;h=
614c910b791228203dd144f0c092204ba0491e8f;hb=
6bb3c3dd27c0477705a5c0684a8c3fd506a35f48
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 4 Jan 2021 17:14:19 +0000 (18:14 +0100)]
package/minizip: bump to version 2.10.6
https://github.com/nmoinvaz/minizip/releases/tag/2.10.6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Tue, 5 Jan 2021 15:47:53 +0000 (16:47 +0100)]
package/minicom: bump to version 2.8
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ryan Barnett [Tue, 5 Jan 2021 14:05:40 +0000 (08:05 -0600)]
package/c-periphery: bump to v2.3.1
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Tue, 5 Jan 2021 13:19:41 +0000 (14:19 +0100)]
package/libcap: bump to version 2.46
remove merged patch
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Tue, 5 Jan 2021 13:20:00 +0000 (14:20 +0100)]
package/libwebsockets: bump to version 4.0.21
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Tue, 5 Jan 2021 07:51:05 +0000 (08:51 +0100)]
package/libgtk3: bump to version 3.24.24
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 4 Jan 2021 17:13:40 +0000 (18:13 +0100)]
package/libgtk2: bump to version 2.24.33
Update indentation in hash file (two spaces)
https://gitlab.gnome.org/GNOME/gtk/-/blob/2.24.33/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 4 Jan 2021 17:10:42 +0000 (18:10 +0100)]
package/openjpeg: security bump to version 2.4.0
- Drop upstreamed patches
- Update indentation in hash file (two spaces)
- Fix CVE-2020-27814, CVE-2020-27823, CVE-2020-27824 and
CVE-2020-27841 to CVE-2020-27845
https://github.com/uclouvain/openjpeg/releases/v2.4.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 19:29:56 +0000 (20:29 +0100)]
package/ytree: bump version to 2.03
Changelog: https://www.han.de/~werner/ytree.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 19:27:06 +0000 (20:27 +0100)]
package/dav1d: bump version to 0.8.1
Changelog: https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 19:26:00 +0000 (20:26 +0100)]
package/x11r7/xfont_font-misc-ethiopic: bump version to 1.0.4
Added hashes provided by upstream.
Release notes:
https://lists.x.org/archives/xorg-announce/2020-August/003055.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 19:25:59 +0000 (20:25 +0100)]
package/x11r7/xfont_font-alias: bump version to 1.0.4
Added hashes provided by upstream.
Release notes:
https://lists.x.org/archives/xorg-announce/2020-August/003054.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 19:17:29 +0000 (20:17 +0100)]
package/x11r7/xapp_fonttosfnt: bump version to 1.2.1
Release notes:
https://lists.x.org/archives/xorg-announce/2020-December/003068.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 18:59:09 +0000 (19:59 +0100)]
package/libmicrohttpd: bump version to 0.9.72
Release notes:
https://lists.gnu.org/archive/html/libmicrohttpd/2020-12/msg00023.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 18:23:33 +0000 (19:23 +0100)]
package/stellarium: bump version to 0.20.4
Release notes:
http://stellarium.org/release/2020/12/28/stellarium-0.20.4.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 17:22:08 +0000 (18:22 +0100)]
package/dovecot-pigeonhole: bump version to 0.5.13
Release notes:
https://dovecot.org/pipermail/dovecot-news/2021-January/000449.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Tue, 5 Jan 2021 17:22:07 +0000 (18:22 +0100)]
package/dovecot: security bump version to 2.3.13
Updated license hash due to upstream commit:
https://github.com/dovecot/core/commit/
bf7952d33e39358a1258697505ed25c050e14bbb
Fixes the following CVEs:
CVE-2020-24386:
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
CVE-2020-25275:
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
Release notes:
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Arnout Vandecappelle (Essensium/Mind) [Tue, 5 Jan 2021 22:23:31 +0000 (23:23 +0100)]
support/scripts/pkg-stats: fix flake8 errors
support/scripts/pkg-stats:81:22: E211 whitespace before '('
support/scripts/pkg-stats:404:1: E305 expected 2 blank lines after class or function definition, found 1
support/scripts/pkg-stats:561:12: E713 test for membership should be 'not in'
support/scripts/pkg-stats:567:1: E302 expected 2 blank lines, found 1
support/scripts/pkg-stats:595:1: E302 expected 2 blank lines, found 1
support/scripts/pkg-stats:1051:1: E302 expected 2 blank lines, found 1
support/scripts/pkg-stats:1057:1: E302 expected 2 blank lines, found 1
Also fix:
support/scripts/pkg-stats:1054:5: E722 do not use bare 'except'
found by a more recent flake8 version. The exception may be either
IndexError or AttributeError, so use Exception to catch either.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Pascal de Bruijn [Thu, 23 Jan 2020 08:36:41 +0000 (09:36 +0100)]
package/nginx: use /var/cache/nginx instead of /var/tmp/nginx
move
http-client-body-temp-path
http-proxy-temp-path
http-fastcgi-temp-path
http-scgi-temp-path
http-uwsgi-temp-path
from /var/tmp/nginx to /var/cache/nginx
this allows the use of systemd constructs
LogsDirectory=nginx
CacheDirectory=nginx
to replace
ExecStartPre=/usr/bin/mkdir -p /var/log/nginx /var/tmp/nginx
as there isn't a similar construct for /var/tmp.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Yann CARDAILLAC [Thu, 16 Jan 2020 22:05:39 +0000 (23:05 +0100)]
package/open62541: new package
Signed-off-by: Yann CARDAILLAC <ycardaillac@sepro-group.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sat, 18 Jan 2020 16:36:18 +0000 (17:36 +0100)]
package/olsr: add pud plugin
pud plugin needs gpsd and has a specific license
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Hector Kesari [Tue, 21 Jan 2020 19:29:16 +0000 (13:29 -0600)]
package/perl: add option to enable threads
Add config option for Perl to enable threads usage.
Signed-off-by: Hector Kesari <hector.kesari@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Mon, 4 Jan 2021 21:04:02 +0000 (22:04 +0100)]
package/spi-tools: bump to version 0.8.6
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Mon, 4 Jan 2021 21:03:37 +0000 (22:03 +0100)]
package/pango: bump to version 1.48.0
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Mon, 4 Jan 2021 21:03:10 +0000 (22:03 +0100)]
package/lighttpd: bump to version 1.4.58
the part concerning pdf is merged upstream
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Mon, 4 Jan 2021 21:02:42 +0000 (22:02 +0100)]
package/libsecret: bump to version 0.20.4
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Mon, 4 Jan 2021 21:02:11 +0000 (22:02 +0100)]
package/harfbuzz: bump to version 2.7.4
remove merged patch
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Perrad [Mon, 4 Jan 2021 21:01:37 +0000 (22:01 +0100)]
package/dash: bump to version 0.5.11.3
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
David GOUARIN [Mon, 4 Jan 2021 16:49:54 +0000 (17:49 +0100)]
package/librelp: bump to version 1.9.0
Signed-off-by: David GOUARIN <david.gouarin@thalesgroup.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Matt Weber [Fri, 4 Dec 2020 15:46:01 +0000 (16:46 +0100)]
package: provide CPE ID details for numerous packages
This patch adds CPE ID information for a significant number of
packages.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Fri, 4 Dec 2020 15:46:00 +0000 (16:46 +0100)]
support/scripts/pkg-stats: improve rendering of CVE information
This commit improves pkg-stats to fill in pkg.status['cve'] depending
on the situation for CVEs affecting this package. They are then used
in the HTML rendering.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Fri, 4 Dec 2020 15:45:59 +0000 (16:45 +0100)]
support/scripts/pkg-stats: ignore packages with no valid infra and no version for CVE checking
Virtual packages (with in pkg-stats speak have "no valid
infrastructure") and packages that have no version specified cannot be
used for CVE checking. They trigger a bunch of warnings from the CVE
checking code, as it cannot parse their version: they don't have any
version. So instead, we simply skip those packages.
A follow-up commit will improve the reporting to be able to
distinguish those packages from packages that have seen their CVEs
checked and don't have any reported.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Fri, 4 Dec 2020 15:45:58 +0000 (16:45 +0100)]
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Gregory CLEMENT [Fri, 4 Dec 2020 15:45:57 +0000 (16:45 +0100)]
support/script/pkg-stats: show CPE ID in results
This commit improves the pkg-stats script to show the CPE ID of
packages, if available. For now, it doesn't use CPE IDs to match CVEs.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Pierre-Jean Texier [Mon, 4 Jan 2021 18:49:01 +0000 (19:49 +0100)]
package/python-modbus-tk: bump to version 1.1.2
Also Remove md5 hash
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Pierre-Jean Texier [Mon, 4 Jan 2021 18:47:19 +0000 (19:47 +0100)]
package/libarchive: bump to version 3.5.1
Libarchive 3.5.1 is a bugfix release.
Update COPYRIGHT hash due to clarification about 'archive_entry.c' source
file:
- https://github.com/libarchive/libarchive/commit/
fde4660d7bda7debe8e6c8166d49fe9fa62db61d
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Pierre-Jean Texier [Mon, 4 Jan 2021 18:46:25 +0000 (19:46 +0100)]
package/mongoose: bump to to version 7.0
Update LICENSE hash; copyright year update:
-Copyright (c) 2004-2013 Sergey Lyubka <valenok@gmail.com>
-Copyright (c) 2013-2018 Cesanta Software Limited
+Copyright (c) 2004-2013 Sergey Lyubka
+Copyright (c) 2013-2020 Cesanta Software Limited
See https://github.com/cesanta/mongoose/releases/tag/7.0
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Titouan Christophe [Mon, 4 Jan 2021 18:47:12 +0000 (19:47 +0100)]
package/waf: bump to v2.0.21
Also add a comment in waf.hash about the mechanism for LICENSE hash check
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>