Peter Seiderer [Wed, 2 Dec 2020 18:22:15 +0000 (19:22 +0100)]
package/hdparm: bump version to 9.60
Changes according to [1] and [2]:
- decode more bits from id[69], courtesy Adrián Kálazi.
- allow passing of custom LDFLAGS from the environment.
- add new "static" target.
- fix --dco-identify max sectors, courtesy of Paul Sultana.
- get rid of leftover "unknown" variables from identify.c
- fixed return values from get_log_page_data().
- support for ioSafe Solo with jMicron bridge.
[1] https://sourceforge.net/p/hdparm/news/2020/11/hdparm-959-is-released
[2] https://sourceforge.net/p/hdparm/news/2020/11/hdparm-960-is-released
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 5 Dec 2020 08:09:53 +0000 (09:09 +0100)]
package/dav1d: bump version to 0.8.0
Release notes:
https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 5 Dec 2020 08:05:47 +0000 (09:05 +0100)]
package/pngquant: bump version to 2.13.1
Reformatted hashes.
Changelog:
https://raw.githubusercontent.com/kornelski/pngquant/master/CHANGELOG
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 5 Dec 2020 08:01:59 +0000 (09:01 +0100)]
package/utf8proc: bump version to 2.6.0
Reformatted hashes.
Release notes:
https://github.com/JuliaStrings/utf8proc/releases/tag/v2.6.0
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Sat, 5 Dec 2020 07:56:53 +0000 (08:56 +0100)]
package/pulseaudio: bump version to 14.0
Reformatted hashes, switched _SITE to https.
Release notes:
https://lists.freedesktop.org/archives/pulseaudio-discuss/2020-November/031938.html
https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:57 +0000 (07:44 +0100)]
package/perl-type-tiny: bump to version 1.012000
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:56 +0000 (07:44 +0100)]
package/perl-plack: bump to version 1.0048
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:55 +0000 (07:44 +0100)]
package/perl-package-stash: bump to version 0.39
diff LICENSE:
-This software is copyright (c) 2018 by Jesse Luehrs.
+This software is copyright (c) 2020 by Jesse Luehrs.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:54 +0000 (07:44 +0100)]
package/perl-net-dns: bump to version 1.29
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:53 +0000 (07:44 +0100)]
package/perl-moo: bump to version 2.004004
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:52 +0000 (07:44 +0100)]
package/perl-json-maybexs: bump to version 1.004003
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:51 +0000 (07:44 +0100)]
package/perl-http-entity-parser: bump to version 0.25
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:50 +0000 (07:44 +0100)]
package/perl-http-cookies: bump to version 6.09
diff LICENSE:
-This software is Copyright (c) 2002-2019 by Gisle Aas.
+This software is Copyright (c) 2002 by Gisle Aas.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:49 +0000 (07:44 +0100)]
package/perl-file-listing: bump to version 6.14
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Francois Perrad [Sat, 5 Dec 2020 06:44:48 +0000 (07:44 +0100)]
package/perl-date-manip: bump to version 6.83
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Thu, 3 Dec 2020 09:30:49 +0000 (10:30 +0100)]
Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 3 Dec 2020 07:43:41 +0000 (08:43 +0100)]
Kickoff 2021.02 cycle
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 2 Dec 2020 22:45:57 +0000 (23:45 +0100)]
docs/website/news.html: add 2020.11 announcement link
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 2 Dec 2020 22:21:32 +0000 (23:21 +0100)]
Update for 2020.11
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 2 Dec 2020 06:32:43 +0000 (07:32 +0100)]
package/gnuplot: security bump to version 5.4.1
- Fix CVE-2020-25412: com_line() in command.c in gnuplot 5.4 leads to an
out-of-bounds-write from strncpy() that may lead to arbitrary code
execution.
- Drop second patch (already in version)
- Update indentation in hash file (two spaces)
http://gnuplot.info/ReleaseNotes_5_4_1.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 1 Dec 2020 22:23:46 +0000 (23:23 +0100)]
package/docker-containerd: security bump to version 1.4.3
Fixes the following security issue:
- CVE-2020-15257: Access controls for the shim’s API socket verified that
the connecting process had an effective UID of 0, but did not otherwise
restrict access to the abstract Unix domain socket. This would allow
malicious containers running in the same network namespace as the shim,
with an effective UID of 0 but otherwise reduced privileges, to cause new
processes to be run with elevated privileges.
For more details, see the advisory:
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Waldemar Brodkorb [Mon, 23 Nov 2020 16:30:35 +0000 (17:30 +0100)]
package/mksh: update to 59c
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Seiderer [Mon, 23 Nov 2020 20:55:25 +0000 (21:55 +0100)]
package/libxkbcommon: bump version to 1.0.3
For details see [1], changelog:
- Fix (hopefully) a segfault in xkb_x11_keymap_new_from_device() in some
unclear situation (bug introduced in 1.0.2).
- Fix keymaps created with xkb_x11_keymap_new_from_device() don't have level
names (bug introduced in 0.8.0).
[1] https://lists.freedesktop.org/archives/wayland-devel/2020-November/041660.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Vincent Stehlé [Fri, 27 Nov 2020 14:40:24 +0000 (15:40 +0100)]
configs/arm_foundationv8: bump to Linux 5.9.11
- Bump to the latest kernel v5.9.11 and require openssl.
- Switch to PSCI for bringing up the secondary CPUs.
- Switch to GICv3.
- Update the instruction in the readme.txt to use the latest FVP v8
Foundation Platform 11.12 build 38, and to start 4 cores in SMP.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
James Hilliard [Tue, 24 Nov 2020 02:12:59 +0000 (19:12 -0700)]
package/python-serial: bump to version 3.5
License hash changed due to year update.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
James Hilliard [Tue, 24 Nov 2020 02:07:37 +0000 (19:07 -0700)]
package/python-serial-asyncio: bump to version 0.5
License hash changed due to year update.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
James Hilliard [Tue, 24 Nov 2020 01:59:27 +0000 (18:59 -0700)]
package/python-aiohttp-jinja2: bump to version 1.4.2
License hash changed due to formatting change.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Tue, 1 Dec 2020 20:23:00 +0000 (21:23 +0100)]
package/libuhttpd: fix static build with mbedtls and zlib
Fixes:
- http://autobuild.buildroot.org/results/
5891d12e90182460cde1ddfa0ca75e9fd55e3dff
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexander Egorenkov [Sat, 28 Nov 2020 09:50:50 +0000 (10:50 +0100)]
package/makedumpfile: bump to version 1.6.8
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sat, 28 Nov 2020 22:11:53 +0000 (23:11 +0100)]
package/rust: bump to version 1.48.0
Update indentation in hash file (two spaces)
https://github.com/rust-lang/rust/blob/master/RELEASES.md#version-1480-2020-11-19
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Tue, 1 Dec 2020 22:13:00 +0000 (23:13 +0100)]
package/netsurf: fix build with gcc 10
Fixes:
- http://autobuild.buildroot.org/results/
e81568c2b4f5ef5d055c9b94e624ba2d23f50d16
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 1 Dec 2020 22:12:59 +0000 (23:12 +0100)]
package/netsurf: renumber patches
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Johan Oudinet [Thu, 26 Nov 2020 17:43:01 +0000 (18:43 +0100)]
package/ejabberd: bump version to 20.07
- Fix the download url to reflect upstream website changes.
- Fix line numbers in patch 0001.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:43:00 +0000 (18:43 +0100)]
package/erlang-p1-xmpp: bump version to 1.4.10
upstream uses include_lib. Adapt the corresponding patch accordingly.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:59 +0000 (18:42 +0100)]
package/erlang-p1-yaml: bump version to 1.0.28
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:58 +0000 (18:42 +0100)]
package/erlang-p1-sip: bump version to 1.0.38
upstream is finally using include_lib to include libraries. Adapt the patch
accordingly.
The hash of the license file has changed, due to:
-Copyright 2002-2019 ProcessOne SARL
+Copyright 2002-2020 ProcessOne SARL
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:57 +0000 (18:42 +0100)]
package/erlang-p1-stun: bump version to 1.0.39
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:56 +0000 (18:42 +0100)]
package/erlang-p1-stringprep: bump version to 1.0.23
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:55 +0000 (18:42 +0100)]
package/erlang-p1-pkix: bump version to 1.0.6
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:54 +0000 (18:42 +0100)]
package/erlang-p1-oauth2: bump version to 0.6.7
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:53 +0000 (18:42 +0100)]
package/erlang-p1-acme: bump version to 1.0.9
The rebar.config.script file adds a dependency to base64url package. Since we remove
all rebar dependencies, add a patch to remove such dependency. Otherwise rebar would
try to download it during the build.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:52 +0000 (18:42 +0100)]
package/erlang-p1-yconf: bump version to 1.0.8
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:51 +0000 (18:42 +0100)]
package/erlang-p1-mqtree: bump version to 1.0.10
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:50 +0000 (18:42 +0100)]
package/erlang-jiffy: bump version to 1.0.6
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:49 +0000 (18:42 +0100)]
package/erlang-p1-xml: bump version to 1.1.44
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:48 +0000 (18:42 +0100)]
package/erlang-p1-tls: bump version to 1.1.9
The license file hash has changed due to:
-Copyright 2002-2019 ProcessOne SARL
+Copyright 2002-2020 ProcessOne SARL
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:47 +0000 (18:42 +0100)]
package/erlang-p1-zlib: bump version to 1.0.9
The license file hash has changed due to:
-Copyright 2002-2019 ProcessOne SARL
+Copyright 2002-2020 ProcessOne SARL
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Tue, 1 Dec 2020 19:27:03 +0000 (20:27 +0100)]
package/libcap: fix libcap.pc
libcap builds an incorrect libcap.pc because libdir is pulled from the
host os:
ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif
Fix this error by passing lib=lib and prefix in
{HOST_LIBCAP,LIBCAP}_BUILD_CMDS
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=13276
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 1 Dec 2020 17:49:03 +0000 (18:49 +0100)]
package/x11r7/xserver_xorg-server: add upstream security fixes for CVE-2020-14360 / 25712
Fixes the following security issues:
* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access
Insufficient checks on the lengths of the XkbSetMap request can lead to
out of bounds memory accesses in the X server.
* CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow
Insufficient checks on input of the XkbSetDeviceInfo request can lead to a
buffer overflow on the head in the X server.
For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/12/01/3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 28 Nov 2020 11:00:41 +0000 (12:00 +0100)]
toolchain: add upstream fix for arc gcc
Fixes:
http://autobuild.buildroot.net/results/792/
792e69eefc87d28b92972c452d5e230d86d9e114/
Upstream issue:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/issues/310
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 28 Nov 2020 11:00:40 +0000 (12:00 +0100)]
toolchain: update option descriptions for ARC tools arc-2020.09-release
https://git.buildroot.net/buildroot/commit/?id=
0791abfba0227803b19895ea22326f4e17ac93dc
bumped
* Binutils 2.34.50 with additional ARC patches
* GCC 10.0.2 with additional ARC patches
* GDB 10.0.50 with additional ARC patches
but forgot to update the version numbers stored in option descriptions.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:46 +0000 (18:42 +0100)]
package/erlang-eimp: bump version to 1.0.17
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:45 +0000 (18:42 +0100)]
package/erlang-p1-cache-tab: bump version to 1.0.25
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Thu, 26 Nov 2020 17:42:44 +0000 (18:42 +0100)]
package/erlang-p1-utils: bump version to 1.0.20
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sat, 28 Nov 2020 10:04:03 +0000 (11:04 +0100)]
package/s390-tools: also set HAVE_LIBCURL
Set HAVE_LIBCURL when libcurl is available to enable genprotimg and
libekmfweb:
https://github.com/ibm-s390-tools/s390-tools/blob/master/README.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 28 Nov 2020 09:57:25 +0000 (10:57 +0100)]
package/setserial: add license hash
Also reformatted hash file.
Fixes:
http://autobuild.buildroot.net/results/d1c/
d1ccecc74755155664cd17c8d33721c804a37b25/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Sun, 29 Nov 2020 17:56:33 +0000 (18:56 +0100)]
package/kmsxx: bump version to
5489056 and convert to meson build
- remove 0001-fix-compiler-errors-with-gcc-10.patch
(upstream)
- remove 0002-added-include-string-to-card.h-to-follow-gcc10-porti.patch
(upstream)
- convert to meson
- add patch to use system fmt instead of git submodule (fixes
configure 'ERROR: Include dir ext/fmt/include does not exist.')
- add patch to use system pybind11 instead of git submodule (fixes
configure 'ERROR: Include dir ext/pybind11/include does not exist.')
- add patch to use python only if pykms is enabled (fixes
configure 'ERROR: Dependency "pybind11" not found, tried pkgconfig')
- add optional libevdev dependency (needed for utils/kmstouch)
- update LICENSE file hash (replaced short copyright notice and
link to http://mozilla.org/MPL/2.0/ with complete license text)
- lift toolchain headers requirement to at least 4.11 (include
linux/dma-buf.h)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Wed, 18 Nov 2020 17:18:27 +0000 (18:18 +0100)]
package/kmsxx: fix build with gcc 10
Fixes:
- http://autobuild.buildroot.org/results/
59f70fb725c2f07e27dc818839e02f2788ee490c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Seiderer [Sun, 29 Nov 2020 20:58:42 +0000 (21:58 +0100)]
package/fmt: bump version to 7.1.3
For details see [1], [2], [3] and [4].
[1] https://github.com/fmtlib/fmt/releases/tag/7.1.0
[2] https://github.com/fmtlib/fmt/releases/tag/7.1.1
[3] https://github.com/fmtlib/fmt/releases/tag/7.1.2
[4] https://github.com/fmtlib/fmt/releases/tag/7.1.3
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Angelo Compagnucci [Tue, 1 Dec 2020 21:30:53 +0000 (22:30 +0100)]
package/cups-filters: bump to version 1.28.4
While bumping, removing upstreamed patches. Removing also autoreconf
step cause we are not patching it anymore.
License hash is changed due to remove of notice for file
filter/sys5ippprinter.c.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Sat, 28 Nov 2020 09:51:08 +0000 (10:51 +0100)]
package/s390-tools: fix build with netsnmp
Fix the following build failure:
/bin/sh: net-snmp-config: command not found
/home/buildroot/autobuild/run/instance-2/output-1/host/lib/gcc/s390x-buildroot-linux-gnu/9.3.0/../../../../s390x-buildroot-linux-gnu/bin/ld: osasnmpd.o: in function `main':
osasnmpd.c:(.text.startup+0xcc): undefined reference to `snmp_log_perror'
Moreover, replace perl-net-snmp dependency by netsnmp as osasnmpd is an
SNMP subagent for the net-snmp package:
https://github.com/ibm-s390-tools/s390-tools/blob/master/osasnmpd/osasnmpd.8
Fixes:
- http://autobuild.buildroot.org/results/
00796f2ebd5fb0e08ac7a05a9ee566f2bc4bd1c3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Julien Olivain [Tue, 17 Nov 2020 21:21:45 +0000 (22:21 +0100)]
package/linux-firmware: install Ath10k QCA9377 sdio firmware
linux-firmware version
20201022 introduced a new sdio firmware for
QCA9377 sdio devices. Install it when support is selected.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Julien Olivain [Tue, 17 Nov 2020 21:21:44 +0000 (22:21 +0100)]
package/linux-firmware: bump version to
20201022
This update is motivated by the inclusion SDIO firmware for QCA9377 WiFi
cards in this new version. See [1].
The license file "WHENCE" content/checksum has changed, since it's an
index of firmware provenance and their licenses, and many new firmware
files were added.
For the full linux-firmware change log, see tag
20201022 log [2].
[1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=
d7904d5b07a9e2c4cdd9f8b2c5a5faa9c6e665cf
[2] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/?h=
20201022
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Julien Olivain [Tue, 17 Nov 2020 21:21:43 +0000 (22:21 +0100)]
package/linux-firmware: reformat hash file using the 2 spaces convention
For readability, this reformatting is done in a separate commit, as this
package contains many license files.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Thu, 19 Nov 2020 22:11:40 +0000 (23:11 +0100)]
package/bind: fix license hash
Commit
9679d3f0218519ea7a01f3b5fefb7f6dd23b138e forgot to update hash of
COPYRIGHT which was updated to replace http by https:
https://gitlab.isc.org/isc-projects/bind9/-/commit/
400171aee8db87c3973987980327051a58a20a80
Fixes:
- http://autobuild.buildroot.org/results/
db614a6fa1e17af2fa5c1d4a0d51cdf770893ca9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Angelo Compagnucci [Mon, 9 Nov 2020 16:58:03 +0000 (17:58 +0100)]
package/environment-setup: add better kernel handling
Exporting ARCH and KERNELDIR makes easier to compile an external kernel
or out of tree kernel modules.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Bernd Kuhls [Mon, 30 Nov 2020 17:40:06 +0000 (18:40 +0100)]
package/{mesa3d, mesa3d-headers}: bump version to 20.2.3
Release notes of this bugfix release:
https://lists.freedesktop.org/archives/mesa-announce/2020-November/000607.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Marcus Folkesson [Tue, 1 Dec 2020 07:00:05 +0000 (08:00 +0100)]
package/libostree: bump to version 2020.8
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Angelo Compagnucci [Sun, 8 Nov 2020 17:07:18 +0000 (18:07 +0100)]
package/python-pydal: bump to version
20200910.1
While bumping updating the sha256 computation method.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Angelo Compagnucci [Sun, 8 Nov 2020 16:57:55 +0000 (17:57 +0100)]
package/python-can: bump to verison 3.3.4
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Peter Korsgaard [Mon, 30 Nov 2020 07:12:43 +0000 (08:12 +0100)]
package/privoxy: security bump to version 3.0.29
From the release notes:
- Security/Reliability:
- Fixed memory leaks when a response is buffered and the buffer
limit is reached or Privoxy is running out of memory.
Commits
bbd53f1010b and
4490d451f9b. OVE-
20201118-0001.
Sponsored by: Robert Klemme
- Fixed a memory leak in the show-status CGI handler when
no action files are configured. Commit
c62254a686.
OVE-
20201118-0002.
Sponsored by: Robert Klemme
- Fixed a memory leak in the show-status CGI handler when
no filter files are configured. Commit
1b1370f7a8a.
OVE-
20201118-0003.
Sponsored by: Robert Klemme
- Fixes a memory leak when client tags are active.
Commit
245e1cf32. OVE-
20201118-0004.
Sponsored by: Robert Klemme
- Fixed a memory leak if multiple filters are executed
and the last one is skipped due to a pcre error.
Commit
5cfb7bc8fe. OVE-
20201118-0005.
- Prevent an unlikely dereference of a NULL-pointer that
could result in a crash if accept-intercepted-requests
was enabled, Privoxy failed to get the request destination
from the Host header and a memory allocation failed.
Commit
7530132349. CID 267165. OVE-
20201118-0006.
- Fixed memory leaks in the client-tags CGI handler when
client tags are configured and memory allocations fail.
Commit
cf5640eb2a. CID 267168. OVE-
20201118-0007.
- Fixed memory leaks in the show-status CGI handler when memory
allocations fail. Commit
064eac5fd0 and commit
fdee85c0bf3.
CID 305233. OVE-
20201118-0008.
For more details, see the announcement:
https://www.openwall.com/lists/oss-security/2020/11/29/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 30 Nov 2020 06:56:31 +0000 (07:56 +0100)]
package/libplist: drop duplicated COPYING hash
Commit
762119b4c5489352a889c2627eb37906647c375d resulted in a duplicated
line for COPYING hash so drop it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Sun, 29 Nov 2020 09:38:23 +0000 (10:38 +0100)]
package/kmsxx: fix gcc-10.x compile
Backport upstream commit ([1]) adding missing string include.
Fixes:
- http://autobuild.buildroot.net/results/
53a5f023ae40db18f45ebe7578962914c2d22a44
In file included from .../build/kmsxx-
cb0786049f960f2bd383617151b01318e02e9ff9/kms++/inc/kms++/omap/omapcard.h:3,
from .../build/kmsxx-
cb0786049f960f2bd383617151b01318e02e9ff9/kms++/src/omap/omapcard.cpp:2:
.../build/kmsxx-
cb0786049f960f2bd383617151b01318e02e9ff9/kms++/inc/kms++/card.h:17:18: error: 'string' in namespace 'std' does not name a type
17 | Card(const std::string& device);
| ^~~~~~
[1] https://github.com/tomba/kmsxx/commit/
b53f9d383c9189a897c44cd88a8fc1b871fdc8a2.patch
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 29 Nov 2020 09:35:13 +0000 (10:35 +0100)]
package/lynx: fix reproducible build issues
Fixes (part of) http://autobuild.buildroot.net/results/
23fe4365ca65f37eace8265a70fbfb9723b8ee9d/
Lynx by default contains logic to generate a "configuration info" HTML page,
which leaks build paths, and adds the build timestamp to the version output.
Disable both when building in reproducible mode.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 29 Nov 2020 07:57:04 +0000 (08:57 +0100)]
package/jemalloc: add jemalloc-config to _CONFIG_SCRIPTS handling
Fixes (part of) http://autobuild.buildroot.net/results/
23fe4365ca65f37eace8265a70fbfb9723b8ee9d/
jemalloc installs a jemalloc-config script, leaking build paths and breaking
reproducible builds (and per-package builds).
Add it to _CONFIG_SCRIPTS so the paths get fixed up for staging and the
script removed from target.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 28 Nov 2020 22:41:46 +0000 (23:41 +0100)]
package/mariadb: security bump to version 10.3.27
Fixes the following security issues:
- CVE-2020-15180: during SST a joiner sends an sst method name to the donor.
Donor then appends it to the "wsrep_sst_" string to get the name of the
sst script to use, e.g. wsrep_sst_rsync. There is no validation or
filtering here, so if the malicious joiner sends, for example, "rsync `rm
-rf /`" the donor will execute that too.
- CVE-2020-14812: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: Locking). Supported versions that are affected are
5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily
exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause
a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2020-14765: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: FTS). Supported versions that are affected are 5.6.49
and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2020-14776: Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected are 5.7.31 and
prior and 8.0.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
- CVE-2020-14789: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: FTS). Supported versions that are affected are 5.7.31
and prior and 8.0.21 and prior. Easily exploitable vulnerability allows
high privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
- CVE-2020-28912:
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf
describes a named pipe privilege vulnerability, specifically for MySQL,
where an unprivileged user, located on the same machine as the server, can
act as man-in-the-middle between server and client.
Additionally, 10.3.27 fixes a regression added in 10.3.26.
Drop weak md5/sha1 checksums.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 28 Nov 2020 15:54:09 +0000 (16:54 +0100)]
package/gstreamer1/gst1-plugins-good: qmlgl needs gstreamer-gl-1.0
Build of qmlql fails without gstreamer-gl-1.0 since version 1.17.1 and
https://github.com/GStreamer/gst-plugins-good/commit/
2ecba800bfbf177bc56999dc59ecdff00cbc353c
Fixes:
- http://autobuild.buildroot.org/results/
e1537ebac7cd70b6d868a8b7f0205ce3d8593508
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 28 Nov 2020 15:00:36 +0000 (16:00 +0100)]
package/bustle: fix license
bustle binaries are licensed under GPL-3.0:
https://gitlab.freedesktop.org/bustle/bustle/-/blob/bustle-0.7.5/LICENSE
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 28 Nov 2020 10:10:01 +0000 (11:10 +0100)]
Update for 2020.11-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vincent Stehlé [Thu, 26 Nov 2020 21:59:24 +0000 (22:59 +0100)]
configs/bananapi_m2_zero: bump Linux and U-Boot versions
Bump Linux kernel to 5.9.11 and U-Boot to 2020.10.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vincent Stehlé [Fri, 27 Nov 2020 13:12:12 +0000 (14:12 +0100)]
configs/aarch64_efi: bump kernel version
Bump Linux kernel version to 5.9.11.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Sat, 28 Nov 2020 07:45:55 +0000 (08:45 +0100)]
package/lua-lyaml: bump to version 6.2.7
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 27 Nov 2020 20:11:28 +0000 (21:11 +0100)]
package/proftpd: security bump to version 1.3.6e
1.3.6e
---------
+ Fixed null pointer deference in mod_sftp when using SCP incorrectly
(Issue #1043).
1.3.6d
---------
+ Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
1.3.6c
---------
+ Fixed regression in directory listing latency (Issue #863).
+ Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
converting them to supported format.
+ Fixed use-after-free vulnerability during data transfers (Issue #903)
[CVE-2020-9273]
+ Fixed out-of-bounds read in mod_cap by updating the bundled libcap
(Issue #902) [CVE-2020-9272]
http://proftpd.org/docs/RELEASE_NOTES-1.3.6e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: mark as security bump, add CVEs]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 27 Nov 2020 17:25:15 +0000 (18:25 +0100)]
package/slirp: add upstream security fix for CVE-2020-29129 / CVE-2020-29130
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Fri, 27 Nov 2020 23:22:25 +0000 (00:22 +0100)]
package/libinput: bump version to 1.16.4
For details see [1].
[1] https://lists.freedesktop.org/archives/wayland-devel/2020-November/041664.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Thu, 26 Nov 2020 19:08:42 +0000 (20:08 +0100)]
package/x11r7/xserver_xorg-xserver: drop obsolete patch
Drop second patch following upstream review:
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/555
Indeed, this patch has been dropped from openembedded since 2018 because
"it is forcing input to use SIGIO, despite the fact that since 2015
xserver has used an input thread.":
https://github.com/openembedded/openembedded-core/commit/
cde11398e6d74ad8f27334199b4bd99cdf1f0ff7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Thu, 12 Nov 2020 22:00:59 +0000 (23:00 +0100)]
package/qemu: use a system-wide slirp
Use a system-wide slirp now that we switched to the up to date
https://gitlab.freedesktop.org/slirp/libslirp
qemu already depends on libglib2 so we don't need to add any new
dependencies
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 27 Nov 2020 17:13:52 +0000 (18:13 +0100)]
package/vsftpd: S70vsftpd: correct -x argument to start-stop-daemon
Fixes #13341
The -x / --exec start-stop-daemon option expects the path to the executable,
not just the name, leading to errors when running the init script:
Starting vsftpd: start-stop-daemon: unable to stat //vsftpd (No such file or directory)
Reported-by: tochansky@tochlab.net
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Thu, 26 Nov 2020 21:25:45 +0000 (22:25 +0100)]
package/minidlna: security bump version to 1.3.0
Changelog:
https://sourceforge.net/p/minidlna/git/ci/master/tree/NEWS
Fixes CVE-2020-28926 & CVE-2020-12695.
Removed patch 0001 which was applied upstream:
https://sourceforge.net/p/minidlna/git/ci/
b5e75ff7d160a02632cab416ff0af66504c7db8b/
Removed patch 0002 which was not applied upstream, upstream applied
a different fix for CVE-2020-12695:
https://sourceforge.net/p/minidlna/git/ci/
06ee114731612462eb1eb1266f0431ccf59269d2/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Thu, 26 Nov 2020 17:34:30 +0000 (18:34 +0100)]
package/php: security bump version to 7.4.13
Rebased patches.
Changelog: https://www.php.net/ChangeLog-7.php#7.4.13
According to the release notes this is a "security bug fix release":
https://news-web.php.net/php.announce/301
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Norbert Lange [Fri, 27 Nov 2020 10:29:47 +0000 (11:29 +0100)]
package/lz4: bump version to 1.9.3
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 27 Nov 2020 17:13:36 +0000 (18:13 +0100)]
package/linux-pam: bump to version 1.5.1
- Drop patches (already in version) and so autoreconf
- cracklib is not a dependency since
https://github.com/linux-pam/linux-pam/commit/
d702ff714c309069111899fd07c09e31c414c166
https://github.com/linux-pam/linux-pam/releases/tag/v1.5.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 24 Nov 2020 17:03:23 +0000 (18:03 +0100)]
package/efl: fix build with wepb
webpdemux support in webp is mandatory since version 1.25.0 and
https://github.com/Enlightenment/efl/commit/
df06418b6f39f3b8d73631bda33308b67736bb9d
Fixes:
- http://autobuild.buildroot.org/results/
736357e669c35bd56e818c0c7fabd1b455f40a5f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 24 Nov 2020 19:21:42 +0000 (20:21 +0100)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 4 Nov 2020 14:51:40 +0000 (15:51 +0100)]
support/testing/tests/core/test_cpeid: new test
This commit adds a number of test cases to verify that the CPE_ID_*
variables are properly handled by the generic package infrastructure
and that the "make show-info" JSON output matches what we expect.
A total of 5 different example packages are used to exercise different
scenarios of CPE_ID_* variables usage.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Wed, 4 Nov 2020 14:51:39 +0000 (15:51 +0100)]
package/pkg-utils.mk: expose CPE ID in show-info when available
This commit exposes a new per-package property in the "make show-info"
JSON output: "cpe-id", which exists when a valid CPE ID is available
for the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Wed, 4 Nov 2020 14:51:38 +0000 (15:51 +0100)]
docs/manual: document <pkg>_CPE_ID variables
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Matt Weber [Wed, 4 Nov 2020 14:51:37 +0000 (15:51 +0100)]
package/pkg-generic.mk: add CPE ID related package variables
Currently, the match between Buildroot packages and CVEs is solely
based on the package names. Unfortunately, as one can imagine, there
isn't necessarily a strict mapping between Buildroot package names,
and how software projects are referenced in the National Vulnerability
Database (NVD) which we use.
The NVD has defined the concept of CPE (Common Platform Enumeration)
identifiers, which uniquely identifies software components based on
string looking like this:
cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
In particular, this CPE identifier contains a vendor name (here
"netsurf-browser"), a product name (here "libnsbmp") and a version
(here "0.1.2").
This patch series introduces the concept of CPE ID in Buildroot, where
each package can be associated to a CPE ID. A package can define one
or several of:
- <pkg>_CPE_ID_VENDOR
- <pkg>_CPE_ID_PRODUCT
- <pkg>_CPE_ID_VERSION
- <pkg>_CPE_ID_VERSION_MINOR
- <pkg>_CPE_ID_PREFIX
If one or several of those variables are defined, then the
<pkg>_CPE_ID will be defined by the generic package infrastructure as
follows:
$(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
<pkg>_CPE_ID_* variables that are not explicitly specified by the
package will carry a default value defined by the generic package
infrastructure.
If a package is happy with the default <pkg>_CPE_ID, and therefore
does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
can set <pkg>_CPE_ID_VALID = YES.
If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
generic package infrastructure.
Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
be defined. Indeed, we want to be able to distinguish packages for
which the CPE ID information has been checked and is considered valid,
from packages for which the CPE ID information has never been
verified. For this reason, we cannot simply define a default value
for <pkg>_CPE_ID.
The <pkg>_CPE_ID_* values for the host package are inherited from the
same variables of the corresponding target package, as we normally do
for most package variables.
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Wed, 4 Nov 2020 14:51:35 +0000 (15:51 +0100)]
support/scripts/cve.py: properly match CPEs with version '*'
Currently, when the version encoded in a CPE is '-', we assume all
versions are affected, but when it's '*' with no further range
information, we assume no version is affected.
This doesn't make sense, so instead, we handle '*' and '-' in the same
way. If there's no version information available in the CVE CPE ID, we
assume all versions are affected.
This increases quite a bit the number of CVEs and package affected:
- "total-cves": 302,
- "pkg-cves": 100,
+ "total-cves": 597,
+ "pkg-cves": 135,
For example, CVE-2007-4476 has a CPE ID of:
cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*
So it should be taken into account. In this specific case, it is
combined with an AND with CPE ID
cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
we don't support this kind of matching, we'd better be on the safe
side, and report this CVE as affecting tar, do an analysis of the CVE
impact, and document it in TAR_IGNORE_CVES.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Seiderer [Mon, 23 Nov 2020 21:18:26 +0000 (22:18 +0100)]
package/thermald: fix time_t related compile failure
Add upstream patch [1] to fix (musl) time_t related compile failure.
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13336
src/thd_trip_point.cpp: In member function ‘bool cthd_trip_point::thd_trip_point_check(int, unsigned int, int, bool*)’:
src/thd_trip_point.cpp:250:19: error: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
250 | thd_log_info("Too early to act zone:%d index %d tm %ld\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
251 | zone_id, cdev->thd_cdev_get_index(),
252 | tm - cdevs[i].last_op_time);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| time_t {aka long long int}
src/thermald.h:82:57: note: in definition of macro ‘thd_log_info’
82 | #define thd_log_info(...) g_log(NULL, G_LOG_LEVEL_INFO, __VA_ARGS__)
| ^~~~~~~~~~~
src/thd_trip_point.cpp:250:59: note: format string is defined here
250 | thd_log_info("Too early to act zone:%d index %d tm %ld\n",
| ~~^
| |
| long int
| %lld
[1] https://github.com/intel/thermal_daemon/commit/
a7136682b9e6ebdb53c3c8b472bcd5039d62dc78.patch
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>