buildroot.git
3 years ago package/x11r7/xlib_libXfixes: add CPE variables
Fabrice Fontaine [Fri, 14 May 2021 21:44:44 +0000 (23:44 +0200)]
package/x11r7/xlib_libXfixes: add CPE variables

cpe:2.3:a:x:libxfixes is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax%3Alibxfixes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/x11r7/xlib_libXinerama: add CPE variables
Fabrice Fontaine [Fri, 14 May 2021 21:41:11 +0000 (23:41 +0200)]
package/x11r7/xlib_libXinerama: add CPE variables

cpe:2.3:a:x:libxinerama is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax%3Alibxinerama

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/x11r7/xlib_libXfont2: add CPE variables
Fabrice Fontaine [Fri, 14 May 2021 21:35:13 +0000 (23:35 +0200)]
package/x11r7/xlib_libXfont2: add CPE variables

cpe:2.3:a:x:libxfont is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax%3Alibxfont

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/localedef: fix host gcc-11.x compile
Peter Seiderer [Fri, 14 May 2021 17:54:29 +0000 (19:54 +0200)]
package/localedef: fix host gcc-11.x compile

Add two upstream patches fixing host gcc-11.x compile.

Fixes:

  - https://bugs.busybox.net/show_bug.cgi?id=13806

  In file included from ../include/pthread.h:1,
                   from ../sysdeps/nptl/thread_db.h:25,
                   from ../nptl/descr.h:32,
                   from ../sysdeps/x86_64/nptl/tls.h:130,
                   from ../sysdeps/generic/libc-tsd.h:44,
                   from ./localeinfo.h:224,
                   from programs/ld-ctype.c:37:
  ../sysdeps/nptl/pthread.h:734:47: error: argument 1 of type ‘struct __jmp_buf_tag *’ declared as a pointer [-Werror=array-parameter=]
    734 | extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
        |                         ~~~~~~~~~~~~~~~~~~~~~~^~~~~
  In file included from ../include/setjmp.h:2,
                   from ../nptl/descr.h:24,
                   from ../sysdeps/x86_64/nptl/tls.h:130,
                   from ../sysdeps/generic/libc-tsd.h:44,
                   from ./localeinfo.h:224,
                   from programs/ld-ctype.c:37:
  ../setjmp/setjmp.h:54:46: note: previously declared as an array ‘struct __jmp_buf_tag[1]’
     54 | extern int __sigsetjmp (struct __jmp_buf_tag __env[1], int __savemask) __THROWNL;
        |                         ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/libxslt: fix build with latest libxml2
Fabrice Fontaine [Fri, 14 May 2021 20:28:38 +0000 (22:28 +0200)]
package/libxslt: fix build with latest libxml2

Build is broken since bump of libxml2 to version 2.9.11 in commit
a241dcec4188dbf30fbc8b65d7e6f2ece9da3d04 because libxslt calls the
following command "${XML_CONFIG} --libs print" which will return an
error code since
https://github.com/GNOME/libxml2/commit/2a357ab99e6f5c9196384b11cd91dd993f93014c

Fixes:
 - http://autobuild.buildroot.org/results/47ceb8c24c9ead8a450b7fea3266f760d6b77b4f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/prosody: security bump to version 0.11.9
Peter Korsgaard [Fri, 14 May 2021 09:43:09 +0000 (11:43 +0200)]
package/prosody: security bump to version 0.11.9

Fixes the following security issues:

- CVE-2021-32918: DoS via insufficient memory consumption controls

  It was discovered that default settings leave Prosody susceptible to
  remote unauthenticated denial-of-service (DoS) attacks via memory
  exhaustion when running under Lua 5.2 or Lua 5.3.  Lua 5.2 is the default
  and recommended Lua version for Prosody 0.11.x series.

- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
  consumption

  It was discovered that Prosody does not disable SSL/TLS renegotiation,
  even though this is not used in XMPP.  A malicious client may flood a
  connection with renegotiation requests to consume excessive CPU resources
  on the server.

- CVE-2021-32921: Use of timing-dependent string comparison with sensitive
  values

  It was discovered that Prosody does not use a constant-time algorithm for
  comparing certain secret strings when running under Lua 5.2 or later.
  This can potentially be used in a timing attack to reveal the contents of
  secret strings to an attacker.

- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
  configuration

  mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
  the transfer of files and other data between XMPP clients.

  It was discovered that the proxy65 component of Prosody allows open access
  by default, even if neither of the users have an XMPP account on the local
  server, allowing unrestricted use of the server’s bandwidth.

- CVE-2021-32919: Undocumented dialback-without-dialback option insecure

  The undocumented option ‘dialback_without_dialback’ enabled an
  experimental feature for server-to-server authentication.  A flaw in this
  feature meant it did not correctly authenticate remote servers, allowing a
  remote server to impersonate another server when this option is enabled.

For more details, see the advisory:
https://prosody.im/security/advisory_20210512/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago test_docker_compose.py: Test the volume mount feature
Peter Korsgaard [Thu, 13 May 2021 21:03:53 +0000 (23:03 +0200)]
test_docker_compose.py: Test the volume mount feature

Extend docker_compose_test() to expose /bin on the host to the container
through a volume mount and verify that /bin/busybox can be downloaded and
contains the right data.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago test_docker_compose.py: Test the port publish feature
Peter Korsgaard [Thu, 13 May 2021 21:03:52 +0000 (23:03 +0200)]
test_docker_compose.py: Test the port publish feature

Extend docker_test() to expose a random (8888) port to verify that it doesn't
fail, and extend the docker-compose test to run the busybox httpd in the
background, expose that as port 80 and verify that /etc/resolv.conf could be
fetched by wget.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/docker-engine: fix port forwarding for hosts without IPv6
Peter Korsgaard [Thu, 13 May 2021 21:03:51 +0000 (23:03 +0200)]
package/docker-engine: fix port forwarding for hosts without IPv6

docker-engine 20.10.6 broke container port forwarding for hosts without IPv6
support:

docker: Error response from daemon: driver failed programming external
connectivity on endpoint naughty_moore
(038e9ed4b5ea77e1c52462d6d04ad001fbad9beb185a6511aadc217c8a271608): Error
starting userland proxy: listen tcp6 [::]:80: socket: address family not
supported by protocol.

Add a libnetwork patch from an upstream pull request to fix this, after
adjusting the patch to apply to docker-engine (which has libnetwork vendored
under vendor/github.com/docker/libnetwork):

- https://github.com/moby/libnetwork/pull/2635,
- https://github.com/moby/moby/pull/42322

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/live555: security bump to version 2021.05.03
Fabrice Fontaine [Fri, 14 May 2021 20:08:26 +0000 (22:08 +0200)]
package/live555: security bump to version 2021.05.03

Fix CVE-2021-28899: Vulnerability in the
AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession,
and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession
subclasses in Networks LIVE555 Streaming Media before 2021.3.16.

http://live555.com/liveMedia/public/changelog.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/libxml2: bump to version 2.9.12
Fabrice Fontaine [Fri, 14 May 2021 19:52:34 +0000 (21:52 +0200)]
package/libxml2: bump to version 2.9.12

Brown-paper bag release:
https://github.com/GNOME/libxml2/commit/b48e77cf4f6fa0792c5f4b639707a2b0675e461b

Update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago DEVELOPERS: add package/bitcoin for Dick Olsson
Dick Olsson [Fri, 14 May 2021 12:55:21 +0000 (12:55 +0000)]
DEVELOPERS: add package/bitcoin for Dick Olsson

Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago DEVELOPERS: add myself for bitcoin
Bernd Kuhls [Fri, 14 May 2021 07:51:30 +0000 (09:51 +0200)]
DEVELOPERS: add myself for bitcoin

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/modem-manager: bump version to 1.16.4
Petr Vorel [Thu, 29 Apr 2021 19:08:20 +0000 (21:08 +0200)]
package/modem-manager: bump version to 1.16.4

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/opentyrian: switch to using github
Yann E. MORIN [Thu, 29 Apr 2021 19:53:24 +0000 (21:53 +0200)]
package/opentyrian: switch to using github

OpenTyrian was previously managed in a Mercurial repository hosted on
Bitbucket. Mid-2020, Bitbucket shut off all its Mercurial repositories:
    https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket

Since then, OpenTyrian's source code is inaccessible, but we have had no
build failure associated as there is an old archive hosted on s.b.o, so
that all builds fall back to downloading that:
    http://sources.buildroot.net/opentyrian/opentyrian-9c9f0ec3532b.tar.gz

However, the project has been revived (kinda) on github:
    https://github.com/opentyrian/opentyrian

Git commit cf5dbeb69eebd9ef9afc4473088d9469b79589eb has been found to
be the closest, both in content and date, to the Mercurial reference
9c9f0ec3532b we were using. The only deltas are in Mercurial-specific
files:

 b/.hg_archival.txt |    5     0     5     0 -----
 b/.hgtags          |    2     1     1     0 +-
 2 files changed, 1 insertion(+), 6 deletions(-)

While at it, add a hash file.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Julien Boibessot <julien.boibessot@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/postgis: fix comment dependencies (binutils-bug-21464, binutils-bug-27597)
Peter Seiderer [Sun, 2 May 2021 14:40:48 +0000 (16:40 +0200)]
package/postgis: fix comment dependencies (binutils-bug-21464, binutils-bug-27597)

The comment dependencies need to be the inverse of the package
dependencies (fixes comment shown in menuconfig even if the package
is available).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/libgeos: fix comment dependencies (binutils-bug-12464, binutils-bug-27597)
Peter Seiderer [Sun, 2 May 2021 14:40:47 +0000 (16:40 +0200)]
package/libgeos: fix comment dependencies (binutils-bug-12464, binutils-bug-27597)

The comment dependencies need to be the inverse of the package
dependencies (fixes comment shown in menuconfig even if the package
is available).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago support/testing: remove TestPythonPy2Colorzero
Romain Naour [Thu, 13 May 2021 14:37:31 +0000 (16:37 +0200)]
support/testing: remove TestPythonPy2Colorzero

The python2 support has been removed since the python-colorzero bump version to 2.0.

[1] 73bf3292e16b9419c5c88d10e9755d7208ca3623

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago support/testing: remove TestPythonPy2Gpiozero
Romain Naour [Thu, 13 May 2021 14:34:31 +0000 (16:34 +0200)]
support/testing: remove TestPythonPy2Gpiozero

The python2 support has been removed since the python-colorzero bump version to 2.0.

Remove the gpiozero test with python2

[1] 73bf3292e16b9419c5c88d10e9755d7208ca3623

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/libxml2: security bump to version 2.9.11
Adrian Perez de Castro [Thu, 13 May 2021 15:18:50 +0000 (18:18 +0300)]
package/libxml2: security bump to version 2.9.11

Update libxml2 to version 2.9.11, which incorporates all the patches
carried by Buildroot (which are hence removed), and includes fixes for
CVE-2020-7595, CVE-2019-20388, CVE-2020-24977, and CVE-2021-3541 (at
least), as per

  https://gitlab.gnome.org/GNOME/libxml2/-/issues/186#note_1104945

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/postgresql: security bump version to 13.3
Bernd Kuhls [Fri, 14 May 2021 05:59:45 +0000 (07:59 +0200)]
package/postgresql: security bump version to 13.3

Fixes CVE-2021-32027, CVE-2021-32028 & CVE-2021-32029:
https://www.postgresql.org/about/news/postgresql-133-127-1112-1017-and-9622-released-2210/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/opensbi: only check/reference COPYING.BSD when _LATEST_VERSION is used
Peter Korsgaard [Wed, 12 May 2021 08:41:03 +0000 (10:41 +0200)]
boot/opensbi: only check/reference COPYING.BSD when _LATEST_VERSION is used

With the addition of support for custom opensbi version in commit
5c7166d387b (boot/opensbi: add support for version configuration), we can no
longer be sure that the license file name / hash will be correct in all
cases, so only specify COPYING.BSD when _LATEST_VERSION is used, similar to
how we do it for the Linux kernel.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/opensbi: move patches to 0.9/ subdir to only apply when the 0.9 version is selected
Peter Korsgaard [Wed, 12 May 2021 08:41:02 +0000 (10:41 +0200)]
boot/opensbi: move patches to 0.9/ subdir to only apply when the 0.9 version is selected

With the addition of support for custom opensbi version in commit
5c7166d387b (boot/opensbi: add support for version configuration), we can no
longer be sure that the Buildroot patches can be applied - So move them to a
0.9 subdir to ensure they are only applied when the _LATEST_VERSION is used.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rt-tests: add patch to fix compatibility with make 3.81
Peter Korsgaard [Wed, 12 May 2021 07:41:04 +0000 (09:41 +0200)]
package/rt-tests: add patch to fix compatibility with make 3.81

Fixes:
http://autobuild.buildroot.net/results/cf7c4f360f5464c700788cc8299fd086544c80e8/build-end.log

Older GNU make versions don't like the explicit undefine.  It isn't really
needed as ifdef handles undefined and defined-to-the-empty-string the same
way, so just drop the undefine logic.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/bitcoin: security bump to version 0.21.1
Fabrice Fontaine [Wed, 12 May 2021 21:21:20 +0000 (23:21 +0200)]
package/bitcoin: security bump to version 0.21.1

Tag as a security bump as having an up to date bitcoin is important:
https://patchwork.ozlabs.org/project/buildroot/patch/20200202085526.35742-1-james.hilliard1@gmail.com

https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.21.1.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/vlc: security bump version to 3.0.14
Bernd Kuhls [Thu, 13 May 2021 07:04:31 +0000 (09:04 +0200)]
package/vlc: security bump version to 3.0.14

Removed patch 0002 which was applied upstream:
https://code.videolan.org/videolan/vlc/-/commit/41caaa08cde60c4fec4bf2e5f9610e2a1b9e6a23

Renumbered remaining patches.

Release notes:
https://www.videolan.org/vlc/releases/3.0.13.html
https://www.videolan.org/vlc/releases/3.0.12-update.html

Version 3.0.13 fixes VideoLAN-SB-VLC-3013:
https://www.videolan.org/security/sb-vlc3013.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago docs/website: update for 2021.02.2
Peter Korsgaard [Wed, 12 May 2021 09:39:25 +0000 (11:39 +0200)]
docs/website: update for 2021.02.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago Update for 2021.02.2
Peter Korsgaard [Wed, 12 May 2021 09:05:47 +0000 (11:05 +0200)]
Update for 2021.02.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 76b4f9e9b658d3a4a72266e4aa2e63aa7a3f54f9)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago Update for 2021.05-rc1
Peter Korsgaard [Wed, 12 May 2021 08:49:31 +0000 (10:49 +0200)]
Update for 2021.05-rc1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/opensbi: unconditionally disable SSP
Fabrice Fontaine [Sat, 8 May 2021 19:41:55 +0000 (21:41 +0200)]
boot/opensbi: unconditionally disable SSP

Fix build failure raised since commit
810ba387bec3c5b6904e8893fb4cb6f9d3717466

Fixes:
 - https://gitlab.com/kubu93/buildroot/-/jobs/1247043359

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/sysklogd: bump to version 2.2.3
Joachim Wiberg [Wed, 12 May 2021 04:24:54 +0000 (06:24 +0200)]
package/sysklogd: bump to version 2.2.3

https://github.com/troglobit/sysklogd/releases/tag/v2.2.3

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi: bump version to 19.1
Bernd Kuhls [Sun, 9 May 2021 16:43:39 +0000 (18:43 +0200)]
package/kodi: bump version to 19.1

Removed patch 0002 which was applied upstream:
https://github.com/xbmc/xbmc/commit/c9cf94d3108d742e50ea73b5553125ef5e405c73

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi-pvr-nextpvr: bump version to 8.2.3-Matrix
Bernd Kuhls [Sun, 9 May 2021 06:54:10 +0000 (08:54 +0200)]
package/kodi-pvr-nextpvr: bump version to 8.2.3-Matrix

Changelog:
https://github.com/kodi-pvr/pvr.nextpvr/blob/Matrix/pvr.nextpvr/changelog.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/luvi: bump to version 2.12.0
Jörg Krause [Tue, 11 May 2021 09:48:45 +0000 (09:48 +0000)]
package/luvi: bump to version 2.12.0

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/luv: bump to version 1.41.0-0
Jörg Krause [Tue, 11 May 2021 09:35:42 +0000 (09:35 +0000)]
package/luv: bump to version 1.41.0-0

Enable Lua 5.4 support which is fixed now.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/upmpdcli: bump to version 1.5.12
Jörg Krause [Tue, 11 May 2021 09:17:05 +0000 (09:17 +0000)]
package/upmpdcli: bump to version 1.5.12

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/php: bump version to 7.4.19
Bernd Kuhls [Tue, 11 May 2021 17:49:21 +0000 (19:49 +0200)]
package/php: bump version to 7.4.19

Changelog: https://www.php.net/ChangeLog-7.php#7.4.19

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/x11r7/xdriver_xf86-input-libinput: bump version to 1.0.1
Bernd Kuhls [Fri, 30 Apr 2021 20:55:37 +0000 (22:55 +0200)]
package/x11r7/xdriver_xf86-input-libinput: bump version to 1.0.1

Release notes:
https://lists.x.org/archives/xorg-announce/2021-April/003083.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/x11r7/xorgproto: bump version to 2021.4
Bernd Kuhls [Fri, 30 Apr 2021 20:55:36 +0000 (22:55 +0200)]
package/x11r7/xorgproto: bump version to 2021.4

Release notes:
https://lists.x.org/archives/xorg-announce/2021-April/003085.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/tor: bump version to 0.4.5.8
Bernd Kuhls [Tue, 11 May 2021 15:58:29 +0000 (17:58 +0200)]
package/tor: bump version to 0.4.5.8

Release notes: https://blog.torproject.org/node/2031

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi-pvr-iptvsimple: bump version to 7.6.4-Matrix
Bernd Kuhls [Tue, 11 May 2021 15:41:17 +0000 (17:41 +0200)]
package/kodi-pvr-iptvsimple: bump version to 7.6.4-Matrix

Changelog:
https://github.com/kodi-pvr/pvr.iptvsimple/blob/Matrix/pvr.iptvsimple/changelog.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi-inputstream-ffmpegdirect: bump version to 1.21.3-Matrix
Bernd Kuhls [Tue, 11 May 2021 15:41:16 +0000 (17:41 +0200)]
package/kodi-inputstream-ffmpegdirect: bump version to 1.21.3-Matrix

Changelog:
https://github.com/xbmc/inputstream.ffmpegdirect/blob/Matrix/inputstream.ffmpegdirect/changelog.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/python-pyjwt: Bump to version 2.1.0
Grzegorz Blach [Sun, 2 May 2021 12:56:16 +0000 (14:56 +0200)]
package/python-pyjwt: Bump to version 2.1.0

Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/log4qt: add telnet optional logging
Bartosz Bilas [Wed, 5 May 2021 19:22:10 +0000 (21:22 +0200)]
package/log4qt: add telnet optional logging

Telnet logging is an optional feature that's disabled by default.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/log4qt: link with latomic if needed
Bartosz Bilas [Wed, 5 May 2021 18:10:12 +0000 (20:10 +0200)]
package/log4qt: link with latomic if needed

Fixes:
 - http://autobuild.buildroot.net/results/fb5/fb52f5366a25230606149f44dc46f86f0273a680/

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/libcamera: bump version to 3a1f67a
Peter Seiderer [Sun, 2 May 2021 09:54:18 +0000 (11:54 +0200)]
package/libcamera: bump version to 3a1f67a

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rpi-wifi-firmware: bump version to 4c47758
Peter Seiderer [Sun, 2 May 2021 09:48:29 +0000 (11:48 +0200)]
package/rpi-wifi-firmware: bump version to 4c47758

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rpi-bt-firmware: bump version to 4c47758
Peter Seiderer [Sun, 2 May 2021 09:48:28 +0000 (11:48 +0200)]
package/rpi-bt-firmware: bump version to 4c47758

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rpi-userland: bump version to 45a0022
Peter Seiderer [Sun, 2 May 2021 09:48:27 +0000 (11:48 +0200)]
package/rpi-userland: bump version to 45a0022

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rpi-firmware: bump version to 1a46874
Peter Seiderer [Sun, 2 May 2021 09:48:26 +0000 (11:48 +0200)]
package/rpi-firmware: bump version to 1a46874

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago configs/raspberrypi*: bump kernel version to 96110e9 (5.10.33)
Peter Seiderer [Sun, 2 May 2021 09:48:25 +0000 (11:48 +0200)]
configs/raspberrypi*: bump kernel version to 96110e9 (5.10.33)

Now based on 5.10.33 (from 5.10.1).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/libinput: bump version to 1.17.2
Peter Seiderer [Fri, 30 Apr 2021 21:18:50 +0000 (23:18 +0200)]
package/libinput: bump version to 1.17.2

For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2021-April/041809.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago CHANGES: update with recent changes
Peter Korsgaard [Tue, 11 May 2021 09:32:16 +0000 (11:32 +0200)]
CHANGES: update with recent changes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/elfutils: bump to version 0.184
Fabrice Fontaine [Mon, 10 May 2021 20:51:22 +0000 (22:51 +0200)]
package/elfutils: bump to version 0.184

https://sourceware.org/pipermail/elfutils-devel/2021q2/003797.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/gerbera: bump to version 1.8.1
Fabrice Fontaine [Mon, 10 May 2021 21:23:12 +0000 (23:23 +0200)]
package/gerbera: bump to version 1.8.1

https://github.com/gerbera/gerbera/releases/tag/v1.8.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/domoticz: needs gcc >= 6
Fabrice Fontaine [Mon, 10 May 2021 20:40:13 +0000 (22:40 +0200)]
package/domoticz: needs gcc >= 6

domoticz fails to build with gcc 5 since bump to version 2021.1 in
commit 33b49c4ae33e767b86130cbc1844e2003bbe0f98 because domoticz needs
C++14 since
https://github.com/domoticz/domoticz/commit/bdf82257dc93daa78b0179a0229539553b608f6b

Fixes:
 - http://autobuild.buildroot.org/results/f4f9caa44d1836279c3806bc990a1203bf743c0d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/ruby: links with atomic if needed
Fabrice Fontaine [Mon, 10 May 2021 20:37:10 +0000 (22:37 +0200)]
package/ruby: links with atomic if needed

Build fails since bump to version 3.0.0 in commit
af5226f2fd1292a26f2dfda32f41cbbad7aa4cc because ruby needs atomic
operation support since
https://github.com/ruby/ruby/commit/6ed6b85ece8733518a7da0c3ec714f20d1102bf5

Fixes:
 - http://autobuild.buildroot.org/results/84ee5f4688be994a5440c3a61bddabee72ca3b3c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/lvm2: bump version to 2.03.12
Marcin Niestroj [Mon, 10 May 2021 09:27:26 +0000 (11:27 +0200)]
package/lvm2: bump version to 2.03.12

Downstream patches have been mainlined in commits [1] (v2.03.06) and
[2] (v2.03.12). Second patch was slightly modified, so replace
--disable-symvers with --with-symvers=no.

[1] https://github.com/lvmteam/lvm2/commit/125f27ac37bc9b93cc96f64052b9681b3d479ee1
[2] https://github.com/lvmteam/lvm2/commit/1cedbaf13778de02e38b5dc80a7af246b7ec83e5

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/lvm2: use http instead of ftp
Marcin Niestroj [Mon, 10 May 2021 09:27:25 +0000 (11:27 +0200)]
package/lvm2: use http instead of ftp

ftp links do not seem to be accessible anymore. Replace them with http.

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/Config.in: fix beaglev-ddrinit include after rename
Peter Korsgaard [Tue, 11 May 2021 07:09:07 +0000 (09:09 +0200)]
boot/Config.in: fix beaglev-ddrinit include after rename

Commit 3b551f68a55d74f (boot/beaglev-ddrlnit: rename to beaglev-ddrinit to
match renamed upstream repo) forgot to update the include in boot/Config.in,
breaking menuconfig.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago configs/acmesystems_acqua_a5_{256, 512}mb: add openssl host dependency
Edgar Bonet [Mon, 10 May 2021 14:18:34 +0000 (16:18 +0200)]
configs/acmesystems_acqua_a5_{256, 512}mb: add openssl host dependency

The Linux build needs openssl:

https://gitlab.com/buildroot.org/buildroot/-/jobs/1240157423
https://gitlab.com/buildroot.org/buildroot/-/jobs/1240157424

Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/boost: fix broken BOOST_SITE URL
Sébastien Szymanski [Mon, 10 May 2021 08:18:32 +0000 (10:18 +0200)]
package/boost: fix broken BOOST_SITE URL

Current URL returns 403 error:

--2021-05-10 10:04:12--  https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.bz2
Resolving dl.bintray.com... 18.193.131.58, 3.66.199.110
Connecting to dl.bintray.com|18.193.131.58|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-05-10 10:04:12 ERROR 403: Forbidden.

Bintray has been sunset on May 1st:
https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/

Update the URL to the new upstream location to fix this issue.

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago support/testing: add sudo package test
Arnout Vandecappelle (Essensium/Mind) [Wed, 5 May 2021 19:13:44 +0000 (21:13 +0200)]
support/testing: add sudo package test

Create a new user 'sudotest' to validate that sudo really works (i.e.
properly has setuid).

Creating the user and adding it to sudoers is done at runtime, otherwise
we'd need to add extra files to the config which complicates things a
little bit.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi-inputstream-ffmpegdirect: bump version to 1.21.2-Matrix
Bernd Kuhls [Wed, 5 May 2021 15:58:18 +0000 (17:58 +0200)]
package/kodi-inputstream-ffmpegdirect: bump version to 1.21.2-Matrix

Changelog:
https://github.com/xbmc/inputstream.ffmpegdirect/blob/Matrix/inputstream.ffmpegdirect/changelog.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/kodi-pvr-iptvsimple: bump version to 7.6.2-Matrix
Bernd Kuhls [Wed, 5 May 2021 15:58:17 +0000 (17:58 +0200)]
package/kodi-pvr-iptvsimple: bump version to 7.6.2-Matrix

Changelog:
https://github.com/kodi-pvr/pvr.iptvsimple/blob/Matrix/pvr.iptvsimple/changelog.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/beaglev-ddrlnit: rename to beaglev-ddrinit to match renamed upstream repo
Peter Korsgaard [Mon, 10 May 2021 09:06:57 +0000 (11:06 +0200)]
boot/beaglev-ddrlnit: rename to beaglev-ddrinit to match renamed upstream repo

And adjust DEVELOPERS and beaglev_defconfig to match.

The typo in the repo name has now been fixed:

https://github.com/starfive-tech/beagle_ddrinit/issues/6

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/bullet: needs dynamic library
Fabrice Fontaine [Thu, 6 May 2021 20:50:48 +0000 (22:50 +0200)]
package/bullet: needs dynamic library

Build without dlfcn.h fails because bullet3 is not disabled since
commit 5f154799b6ed772a0c028072996e110fac131508

Fixes:
 - http://autobuild.buildroot.org/results/ab2efdd1eac64474adf00d8e60b42110c6e89143

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/hwloc: bump to version 2.4.1
Fabrice Fontaine [Fri, 7 May 2021 18:30:09 +0000 (20:30 +0200)]
package/hwloc: bump to version 2.4.1

- Add ac_cv_prog_cc_c99 to avoid a build failure due to
  https://github.com/open-mpi/hwloc/commit/f2226f76e104923a76c5d09328284104abad6b01
- Update hash of COPYING, copyrights added with
  https://github.com/open-mpi/hwloc/commit/ebaa3595e2ddc6e0e94e8ea5b1472f1a21969c80
- Update indentation in hash file (two spaces)

As a side effect, this will remove numactl dependency (which raises a
build failure with sparc v8 since commit
4ed540ddf59bec4b389be44d7f42820d2466904f) thanks to:
https://github.com/open-mpi/hwloc/commit/e6a53bbf65458fd5fe4d45d5a83027b530566591

https://github.com/open-mpi/hwloc/blob/hwloc-2.4.1/NEWS

Fixes:
 - http://autobuild.buildroot.org/results/5f9394d3bab4e83edbea9bc607c3e135adfdabbc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/putty: fix build on uclibc
Fabrice Fontaine [Sun, 9 May 2021 13:34:12 +0000 (15:34 +0200)]
package/putty: fix build on uclibc

Fix build failure on uclibc raised since bump to version 0.75 in commit
d562009f7b9701cb20bc4b1d389d19f9a647cc3b

Fixes:
 - http://autobuild.buildroot.org/results/726f7c5ce13e78ed91e827b872e9d7ccfa13f298

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago boot/opensbi: bump to version 0.9
Fabrice Fontaine [Sat, 8 May 2021 19:41:54 +0000 (21:41 +0200)]
boot/opensbi: bump to version 0.9

https://github.com/riscv/opensbi/releases/tag/v0.9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago configs/wandboard: bump kernel and U-Boot versions
Vincent Stehlé [Sun, 9 May 2021 10:01:41 +0000 (12:01 +0200)]
configs/wandboard: bump kernel and U-Boot versions

- Bump kernel to version 5.12.2.
- Bump U-Boot to version 2021.04.

While at it, switch U-Boot to the Kconfig build system and add some more
comments to the defconfig.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/rust: security bump to version 1.52.0
Fabrice Fontaine [Fri, 7 May 2021 20:58:44 +0000 (22:58 +0200)]
package/rust: security bump to version 1.52.0

Fix CVE-2020-36317, CVE-2020-36318, CVE-2020-36323, CVE-2021-28877,
CVE-2021-28875, CVE-2021-28876, CVE-2021-28878 and CVE-2021-28879

https://github.com/rust-lang/rust/blob/1.52.0/RELEASES.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago configs/pandaboard: bump kernel and U-Boot versions
Vincent Stehlé [Sun, 9 May 2021 17:15:05 +0000 (19:15 +0200)]
configs/pandaboard: bump kernel and U-Boot versions

- Bump kernel to version 5.12.2.
- Bump U-Boot to version 2021.04.

While at it, enable VFPv3 with 32 registers (instead of 16) and add a few
comments to the defconfig.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago {linux, linux-headers}: bump 4.19.x / 5.{4, 10, 11, 12}.x series
Peter Korsgaard [Sat, 8 May 2021 21:07:02 +0000 (23:07 +0200)]
{linux, linux-headers}: bump 4.19.x / 5.{4, 10, 11, 12}.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/putty: bump to version 0.75
Alexander Dahl [Sat, 8 May 2021 19:53:42 +0000 (21:53 +0200)]
package/putty: bump to version 0.75

Upstream does not set -Werror in its build files anymore.  License file
just changed copyright years and holders.  PGP signatures of source
tarball and hashes were checked.

Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.75.html
Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/monkey: drop package
Fabrice Fontaine [Sat, 8 May 2021 18:44:16 +0000 (20:44 +0200)]
package/monkey: drop package

As stated in commit 26a7d912f4a44bce558ee24bbadb5d10527f68c1, upstream
is aware that the lack of release is an issue but no comments since
2018: https://github.com/monkey/monkey/issues/276

Moreover, TLS support is broken since 2016 but again upstream does not
seem to care about it: https://github.com/monkey/monkey/issues/336

So just drop monkey

Fixes:
 - http://autobuild.buildroot.org/results/0626ebab4f084d9b97d6696c7d4ebf7760d776a3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/cryptsetup: disable tmpfiles.d for host build
John Keeping [Fri, 7 May 2021 15:21:59 +0000 (16:21 +0100)]
package/cryptsetup: disable tmpfiles.d for host build

When building host-cryptsetup, if tmpfiles.d support is enabled then the
install step tries to install /usr/lib/tmpfiles.d/cryptsetup.conf
globally on the host system.

Even if the tmpfiles.d config were installed correctly in the host
directory, nothing would ever run these rules, so disable this feature
via configure.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/python-pytest: bump to version 6.2.4
Marcin Niestroj [Fri, 7 May 2021 17:43:55 +0000 (19:43 +0200)]
package/python-pytest: bump to version 6.2.4

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/haproxy: bump to version 2.2.14
Fabrice Fontaine [Sat, 8 May 2021 07:39:44 +0000 (09:39 +0200)]
package/haproxy: bump to version 2.2.14

http://www.haproxy.org/download/2.2/src/CHANGELOG

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/ruby: security bump to version 3.0.1
Fabrice Fontaine [Fri, 7 May 2021 20:21:04 +0000 (22:21 +0200)]
package/ruby: security bump to version 3.0.1

This release includes security fixes:
- CVE-2021-28965: XML round-trip vulnerability in REXML
- CVE-2021-28966: Path traversal in Tempfile on Windows

https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/xen: bump version to 4.14.2
Peter Korsgaard [Fri, 7 May 2021 07:06:14 +0000 (09:06 +0200)]
package/xen: bump version to 4.14.2

Includes a number of bugfixes and the security fixes up to 368, so drop
those.

For details, see the release notes:
https://xenproject.org/downloads/xen-project-archives/xen-project-4-14-series/xen-project-4-14-2/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/go: security bump to version 1.16.4
Peter Korsgaard [Fri, 7 May 2021 06:28:21 +0000 (08:28 +0200)]
package/go: security bump to version 1.16.4

Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  https://github.com/golang/go/issues/45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/python3: security bump to version 3.9.5
Peter Korsgaard [Fri, 7 May 2021 06:15:35 +0000 (08:15 +0200)]
package/python3: security bump to version 3.9.5

Fixes the following security issues:

- bpo-43434: Creating a sqlite3.Connection object now also produces a
  sqlite3.connect auditing event.  Previously this event was only produced
  by sqlite3.connect() calls.  Patch by Erlend E.  Aasland.

- bpo-43882: The presence of newline or tab characters in parts of a URL
  could allow some forms of attacks.
  Following the controlling specification for URLs defined by WHATWG
  urllib.parse() now removes ASCII newlines and tabs from URLs, preventing
  such attacks.

- bpo-43472: Ensures interpreter-level audit hooks receive the
  cpython.PyInterpreterState_New event when called through the
  _xxsubinterpreters module.

- bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
  address strings.  Leading zeros are ambiguous and interpreted as octal
  notation by some libraries.  For example the legacy function
  socket.inet_aton() treats leading zeros as octal notation.  glibc
  implementation of modern inet_pton() does not accept any leading zeros.
  For a while the ipaddress module used to accept ambiguous leading zeros.

- bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
  in urllib.request.AbstractBasicAuthHandler.  The ReDoS-vulnerable regex
  has quadratic worst-case complexity and it allows causing a denial of
  service when identifying crafted invalid RFCs.  This ReDoS issue is on the
  client side and needs remote attackers to control the HTTP server.

- bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
  and generator code/frame attribute access.

https://www.python.org/downloads/release/python-395/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
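
The leading-zero ambiguity described under bpo-36384 above, as an added example that is not part of the commit or of CPython: the three parsers are written here for illustration (four-part addresses only), and the sample strings are constructed.

```python
# Added illustration of bpo-36384. All parsers below are written for this
# example; none of them is CPython's or glibc's code.

SAMPLES = ["10.0.0.1", "010.0.0.1", "192.168.000.001", "08.0.0.1", "256.0.0.1"]  # constructed


def _split(text):
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated parts")
    return parts


def _decimal(part, allow_leading_zero):
    if not (part.isascii() and part.isdigit()):
        raise ValueError("not a decimal number: %r" % part)
    if not allow_leading_zero and len(part) > 1 and part[0] == "0":
        raise ValueError("leading zero: %r" % part)
    value = int(part)
    if value > 255:
        raise ValueError("octet out of range: %r" % part)
    return value


def parse_strict(text):
    """Reject any leading zero, the behaviour the commit describes after the fix."""
    return tuple(_decimal(p, allow_leading_zero=False) for p in _split(text))


def parse_lenient_decimal(text):
    """Read every part as decimal and ignore leading zeros."""
    return tuple(_decimal(p, allow_leading_zero=True) for p in _split(text))


def _legacy_part(part):
    # inet_aton-style rule: "0x" prefix means hex, a leading "0" means octal.
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits.lower()):
        raise ValueError("bad digits for base %d: %r" % (base, part))
    value = int(digits, base)
    if value > 255:
        raise ValueError("octet out of range: %r" % part)
    return value


def parse_legacy_octal(text):
    """Read each part the way the commit says legacy inet_aton() does."""
    return tuple(_legacy_part(p) for p in _split(text))


def _try(parser, text):
    try:
        return parser(text)
    except ValueError:
        return None


def classify(text):
    """Return 'canonical', 'noncanonical', 'ambiguous' or 'invalid'."""
    if _try(parse_strict, text) is not None:
        return "canonical"
    lenient = _try(parse_lenient_decimal, text)
    legacy = _try(parse_legacy_octal, text)
    if lenient is None and legacy is None:
        return "invalid"
    # Two readers that disagree (or only one accepting) means a filter and a
    # connector could act on different hosts for the same string.
    return "noncanonical" if lenient == legacy else "ambiguous"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample),
              _try(parse_lenient_decimal, sample), _try(parse_legacy_octal, sample))
```

An address check is only reliable when the component that validates the string and the component that connects to it agree on the parse; rejecting everything that is not `canonical` removes the disagreement.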
3 years ago configs/beaglev: enable building of low-level firmware
Thomas Petazzoni [Tue, 4 May 2021 20:51:38 +0000 (22:51 +0200)]
configs/beaglev: enable building of low-level firmware

This commit extends the beaglev_defconfig and its documentation to
build the low-level firmware, and to explain how to reflash it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr: use typoed-name for beaglev-ddrlnit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago boot/beaglev-secondboot: new package
Thomas Petazzoni [Tue, 4 May 2021 20:51:37 +0000 (22:51 +0200)]
boot/beaglev-secondboot: new package

This package allows building the first stage bootloader used on the
BeagleV, which is used even before the DDR initialization and
OpenSBI/U-Boot. Yes, "secondboot" is strange for what is the first
stage bootloader, but that's the upstream name.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
  - add hash file
  - commit is HEAD only right now, so don't reference HEAD
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago boot/beaglev-ddrlnit: new package
Thomas Petazzoni [Tue, 4 May 2021 20:51:36 +0000 (22:51 +0200)]
boot/beaglev-ddrlnit: new package

This commit adds a package for the DDR initialization code used on the
BeagleV platform.

The typo in the package name is upstream's typo, and we just keep it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
  - upstream name is beaglev_ddrlnit, not *init (keep their typo)
  - rename package and variables accordingly
  - the referenced commit is no longer the HEAD of said branch
  - add a hash file
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/riscv64-elf-toolchain: new package
Thomas Petazzoni [Tue, 4 May 2021 20:51:35 +0000 (22:51 +0200)]
package/riscv64-elf-toolchain: new package

This commit adds a new package for a prebuilt bare-metal toolchain for
RISC-V 64-bit. Indeed, some bootloader/firmware for the BeagleV (and
potentially later for other platforms?) do not build with a
Linux-capable toolchain.

This uses a pre-built toolchain from SiFive, precompiled for x86-64,
so all packages using this toolchain must have the appropriate
BR2_HOSTARCH dependency.

This package is modeled after package/arm-gnu-a-toolchain/, which
packages a pre-built ARM32 bare-metal toolchain.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago configs/beaglev_defconfig: new defconfig
Thomas Petazzoni [Tue, 4 May 2021 20:51:34 +0000 (22:51 +0200)]
configs/beaglev_defconfig: new defconfig

This commit introduces support for the RISC-V based BeagleV platform,
which uses a Starfive JH7100.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
[yann.morin.1998@free.fr: use:  eval $(make printvars)]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago boot/opensbi: add options to enable/disable image installation
Thomas Petazzoni [Tue, 4 May 2021 20:51:33 +0000 (22:51 +0200)]
boot/opensbi: add options to enable/disable image installation

Until now, whenever a BR2_TARGET_OPENSBI_PLAT value was specified,
opensbi.mk was assuming that both fw_jump and fw_dynamic would be
produced. However, this is not the case: the OpenSBI per-platform
config.mk can decide which image to build.

As an example, the config.mk for VIC7100-based BeagleV only enables
producing the fw_payload image.

This commit adds three options to enable the installation of images:
one for fw_jump, one for fw_dynamic, one for fw_payload.

The options for fw_jump and fw_dynamic are "default y" when
BR2_TARGET_OPENSBI_PLAT is not empty, to preserve existing behavior.

The option for fw_payload is forcefully selected when either Linux or
U-Boot are selected as payloads.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/cegui: add libfribidi optional dependency
Fabrice Fontaine [Sun, 10 May 2020 08:52:17 +0000 (10:52 +0200)]
package/cegui: add libfribidi optional dependency

libfribidi is an optional dependency (enabled by default) since version
0.8.0 and
https://github.com/cegui/cegui/commit/17974582e6b6a7d8f5853b0272433f130f82e52a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
Reviewed-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/cifs-utils: security bump to version 6.13
Fabrice Fontaine [Fri, 7 May 2021 19:39:29 +0000 (21:39 +0200)]
package/cifs-utils: security bump to version 6.13

Fix CVE-2021-20208: A flaw was found in cifs-utils in versions before
6.13. A user when mounting a krb5 CIFS file system from within a
container can use Kerberos credentials of the host. The highest threat
from this vulnerability is to data confidentiality and integrity.

https://lists.samba.org/archive/samba-technical/2021-April/136467.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/openjdk: fully switch to Github, commonalise version scheme
Yann E. MORIN [Thu, 6 May 2021 19:48:25 +0000 (21:48 +0200)]
package/openjdk: fully switch to Github, commonalise version scheme

Commit 057e27029c98 (package/openjdk{, -bin}: bump latest to version
16.0.1+9) partially switched over to using the Github repository (which
is the new official publication channel for OpenJDK).

However, only the JDK16 was switched, because of concerns about a change
in the hash of Github-generated archives for the JDK11, due to a missing
Hg-related file on Github.

But as Arnout put it:
    There's a trivial workaround: drop OPENJDK_SOURCE = .... That way,
    the tarball name becomes openjdk-... instead of jdk-... and it's a
    different file.

There is indeed no good reason to force a non-default filename for the
archive, so we do drop it.

As a consequence, we can fully switch over to Github for openjdk, using
the new version scheme. Of course the hash changes, but it is a new
file, so that's OK.

The filename for the JDK16 changes, but the content does not change, so
the hash does not change.

For consistency, the version scheme is also applied to openjdk-bin. Even
though it was already using Github, using that new version scheme also
allows to commonalise the variables too. The archives are the exact
same: no change in filename or content, so no hash to fixup.

Reported-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
cc: Adam Duskett <aduskett@gmail.com>
Tested-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/python-django: security bump to version 3.2.2
Peter Korsgaard [Thu, 6 May 2021 21:25:40 +0000 (23:25 +0200)]
package/python-django: security bump to version 3.2.2

Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release.  For
details of the changes and update instructions, see the announcement:

https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/

Fixes the following security issues:

- CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
  the SQLPanel for Django Debug Toolbar >= 0.10.0

  With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
  SQL by changing the raw_sql input of the SQL explain, analyze or select
  forms and submitting the form.  This is a high severity issue for anyone
  using the toolbar in a production environment.  Generally the Django Debug
  Toolbar team only maintains the latest version of django-debug-toolbar,
  but an exception was made because of the high severity of this issue.

  The GitHub Security Advisory can be found here:
  https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj

- CVE-2021-31542: Potential directory-traversal via uploaded files

  MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
  via uploaded files with suitably crafted file names.

  In order to mitigate this risk, stricter basename and path sanitation is
  now applied.  Specifically, empty file names and paths with dot segments
  will be rejected.

  This issue has low severity, according to the Django security policy.

- CVE-2021-32052: Header injection possibility since URLValidator accepted
  newlines in input on Python 3.9.5+

  On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs.  If you
  used values with newlines in HTTP response, you could suffer from header
  injection attacks.  Django itself wasn't vulnerable because HttpResponse
  prohibits newlines in HTTP headers.

  Moreover, the URLField form field which uses URLValidator silently removes
  newlines and tabs on Python 3.9.5+, so the possibility of newlines
  entering your data only existed if you are using this validator outside of
  the form fields.

  This issue was introduced by the bpo-43882 fix.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
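
The CVE-2021-32052 interaction described above, as an added example that is not part of the commit or of Django: a check that only looks at the parsed URL passes once the parser strips tabs and newlines, so the raw string has to be checked before it is used as a header value. The function names and the sample URL are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Characters that, per the commit text for bpo-43882, the URL parser removes.
STRIPPED = "\t\r\n"

# Constructed sample: a URL carrying CRLF followed by a second header line.
SAMPLE = "https://example.com/next\r\nX-Injected: 1"


def strip_like_parser(url):
    """Model the stripping step explicitly, so the result does not depend
    on which Python version runs this example."""
    return url.translate({ord(c): None for c in STRIPPED})


def passes_parsed_check(url):
    """Validate only the parsed form, as a validator that trusts the parser does."""
    parts = urlsplit(strip_like_parser(url))
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def is_header_safe(value):
    """Reject every ASCII control character, which covers tab, CR and LF."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def location_header(url):
    """Build a Location header line, checking the raw string first."""
    if not is_header_safe(url):
        raise ValueError("control character in URL")
    if not passes_parsed_check(url):
        raise ValueError("not an absolute http(s) URL")
    return "Location: " + url


if __name__ == "__main__":
    print("parsed-form check accepts sample:", passes_parsed_check(SAMPLE))
    print("raw-string check accepts sample: ", is_header_safe(SAMPLE))
    print(location_header("https://example.com/next"))
```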
3 years ago package/python-asgiref: bump version to 3.3.4
Peter Korsgaard [Thu, 6 May 2021 21:25:39 +0000 (23:25 +0200)]
package/python-asgiref: bump version to 3.3.4

Needed by django 3.2.x

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago package/Makefile.in: expose CONFIG_DIR to post-build/post-image scripts
Thomas Petazzoni [Tue, 4 May 2021 20:51:32 +0000 (22:51 +0200)]
package/Makefile.in: expose CONFIG_DIR to post-build/post-image scripts

Sometimes, post-build or post-image scripts need to reinvoke
Buildroot's make, for example to execute "make printvars".

However, so far post-build/image/fakeroot can't trivially run printvars
in a way that worked for both in-tree and out-of-tree builds. Indeed:

 * "make printvars" would work for in-tree builds, but not out of tree
   builds

 * "make -C ${O} printvars" would work for out-of-tree builds, but not
   in-tree builds

 * "make -C ${BR2_CONFIG%/*} printvars" works in both cases, but it is
   a bit cryptic, and two maintainers did not even immediately think of
   it

In order to solve this, this commit exposes $(CONFIG_DIR) to
post-build/image/fakeroot scripts, through the EXTRA_ENV variable.

The documentation is updated accordingly.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
  - reference BR2_CONFIG as an example
  - slightly reword the commit log accordingly
  - move the doc for CONFIG_DIR next to that of BR2_CONFIG
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago DEVELOPERS: transition rockwellcollins.com to collins.com
Matthew Weber [Thu, 6 May 2021 16:29:23 +0000 (11:29 -0500)]
DEVELOPERS: transition rockwellcollins.com to collins.com

Email addresses are all live and some of us will start contributing
with the new collins.com domain.

Signed-off-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/openjdk{, -bin}: bump latest to version 16.0.1+9
Adam Duskett [Tue, 4 May 2021 21:00:25 +0000 (14:00 -0700)]
package/openjdk{, -bin}: bump latest to version 16.0.1+9

When introducing OpenJDK to buildroot, the OpenJDK project did not put
releases on their GitHub page. Since then, the OpenJDK developers have
not only added OpenJDK releases to Github, they are starting to phase
out adding releases to their public-facing mercurial repository.

Compare the following URLs:
https://wiki.openjdk.java.net/display/JDKUpdates/JDK+14u
https://wiki.openjdk.java.net/display/JDKUpdates/JDK+15u
https://wiki.openjdk.java.net/display/JDKUpdates/JDK+16u

With JDK14, only the mercurial repository is listed. With OpenJDK15,
both the GitHub and mercurial repository are listed. Finally, with
OpenJDK16, only the GitHub repository is listed.

For consistency's sake, and for the version bump of JDK latest from 14
to 16 do the following:

  - Change the repository for OpenJDK14 to point to the official GitHub
    repository,

  - In order to simplify and reuse the GitHub URL, modify the
    OPENJDK_VERSION_MAJOR and OPENJDK_VERSION_MINOR definitions to only
    include a single number for the MAJOR definition.

  - Change openjdk-bin.mk to also use the same format as the openjdk.mk
    file

Unfortunately, we can't yet do the switch for OpenJDK11: the Github
repository is missing a Mercurial-related file, so that the archive
for OpenJDK11 11.0.11+9 would change from the one we already have on
s.b.o and that people would already have locally, and we'd have a hash
mismatch, either on master, or on all our previous releases. OpenJDK11
just got a new release mere hours ago (as of this writing), but it
hasn't yet trickled down to AdoptOpenJDK/openjdk11-binaries, so we
can't do the bump just yet...

Add a note to the OpenJDK11 case, to prepare the migration to Github
with the next version bump.

Finally, remove upstreamed patch 0001-fix-gcc-10-support.patch as it's
no longer needed.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - meld the github switch and 14->16 bump together
  - drop the github switch for 11 (because hash mismatch)
  - expand commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years ago package/coremark-pro: disable parallel build
Fabrice Fontaine [Thu, 8 Apr 2021 16:54:06 +0000 (18:54 +0200)]
package/coremark-pro: disable parallel build

Disable parallel build as it seems to be totally broken:

/bin/bash: line 0: cd: /home/buildroot/autobuild/instance-2/output-1/build/coremark-pro-1.1.2743/builds/linux64/gcc64/obj/bench/core: No such file or directory

/bin/sh: 1: cd: can't cd to /home/buildroot/autobuild/instance-1/output-1/build/coremark-pro-1.1.2743/builds/linux/gcc/obj/bench/fp/loops/SP

Fixes:
 - http://autobuild.buildroot.org/results/7ba5e209772af7037fc735ea174d3fc3eaf46f4b
 - http://autobuild.buildroot.org/results/32b51bb9eda7899b6cc331f10a860644bd6004fa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years ago package/monkey: bump to latest git commit
Fabrice Fontaine [Mon, 26 Apr 2021 21:53:58 +0000 (23:53 +0200)]
package/monkey: bump to latest git commit

This will fix a build failure with gcc 10

- Update indentation in hash file (two spaces)
- Drop INSTALL_SYSCONFDIR, INSTALL_WEBROOTDIR and WITH_SYSTEM_MALLOC
  (not available since
  https://github.com/monkey/monkey/commit/df145932e33fca0d4a1dcd9d7675f996c8e6a73b)
- Set WITHOUT_HEADERS to ON because headers are not needed and to avoid
  the following build failure:

CMake Error at include/cmake_install.cmake:46 (file):
  file INSTALL cannot find
  "/home/fabrice/buildroot/output/build/monkey-f54856ce250c4e25735434dc75717a4b7fbfc45b/include/mk_core.h":
  No such file or directory.
Call Stack (most recent call first):
  cmake_install.cmake:69 (include)

Upstream is aware that the lack of release is an issue but no comments
since 2018: https://github.com/monkey/monkey/issues/276

Fixes:
 - http://autobuild.buildroot.org/results/0b723937ca048228082d040100f6e6324ac8300b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years ago package/pipewire: needs gcc >= 5
Fabrice Fontaine [Tue, 27 Apr 2021 06:52:01 +0000 (08:52 +0200)]
package/pipewire: needs gcc >= 5

spa (i.e. plugins which can be disabled but also tools which can't be
disabled) fails to build on gcc 4.8 since bump to version 0.3.26 in
commit a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9:

In file included from ../spa/include/spa/pod/builder.h:34:0,
                 from ../spa/include/spa/param/audio/format-utils.h:34,
                 from ../spa/plugins/audioconvert/test-audioadapter.c:36:
../spa/include/spa/utils/hook.h:57:50: error: initializer element is not constant
 #define SPA_CALLBACKS_INIT(_funcs,_data) (struct spa_callbacks){ _funcs, _data, }
                                                  ^

Fixes:
 - http://autobuild.buildroot.org/results/e7a36ec7166a287667572e5140685e6371a9f107

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>