git.libre-soc.org Git - buildroot.git/log

package/rpm: add RPM_CPE_ID_VENDOR

cpe:2.3:a:rpm:rpm is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arpm%3Arpm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/live555: add CPE variables

cpe:2.3:a:live555:streaming_media is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alive555%3Astreaming_media

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/irssi: add IRSSI_CPE_ID_VENDOR

cpe:2.3:a:irssi:irssi is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Airssi%3Airssi

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/mpg123: add MPG123_CPE_ID_VENDOR

cpe:2.3:a:mpg123:mpg123 is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ampg123%3Ampg123

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libmodplug: add LIBMODPLUG_CPE_ID_VENDOR

cpe:2.3:a:konstanty_bialkowski:libmodplug is a valid CPE identifier for
this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Akonstanty_bialkowski%3Alibmodplug

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Revert "package/libopenssl: fix build on riscv32"

This reverts commit 2bb26c1a1d24cdbb946bc2a77680dbc8f9c0d537.

There was some negative feedback from Arnd Bergmann on that patch:
    https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc#commitcomment-44782859

    The patch looks wrong to me: __NR_io_pgetevents_time64 must be used
    whenever time_t is 64-bit wide on a 32-bit architecture, while
    __NR_io_getevents/__NR_io_pgetevents must be used when time_t is the
    same width as 'long'.

    Checking whether __NR_io_getevents is defined is wrong for all
    architectures other than riscv

And in light of the above, indeed the patch does not look so correct
after all.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libopenssl: fix build on riscv32

riscv32 is (surprise!) a 32-bit architecture. But it has been Y2038-safe
from its inception. As such, there are no legacy binaries that may use
the 32-bit time syscalls, and thus they are not available on riscv32.

Code that directly calls to the syscalls without using the C libraries
wrappers thus need to handle this case by themselves.

Backport a patch from the upstream openssl development branch that will
eventually be openssl 3.0, but has not yet been backported to the 1.1.1
stable branch.

Fixes:
    http://autobuild.buildroot.org/results/eb9/eb9a64d4ffae8569b5225083f282cf87ffa7c681/
    ...
    http://autobuild.buildroot.org/results/07e/07e413b24ba8adc9558c80267ce16dda339bf032/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

support/scripts/gen-bootlin-toolchains: correct xtensa-lx60 toolchain dependencies

Fixes:
http://autobuild.buildroot.net/results/011/0111c2ed54618daaeedfc66b0ea04eda00a7e855/
http://autobuild.buildroot.net/results/e53/e53e3880b63a23fa3b3e6d34664d40d5ddbdff89/
..

As listed in the br_fragment file of the toolchain, this is built for a
little-endian "custom" xtensa variant rather than the (big-endian) fsf one:

BR2_xtensa=y
BR2_XTENSA_CUSTOM=y

So update the dependencies in the script and regenerate Config.in.options /
toolchain test. Also fixup the autobuild config snippet to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/wpa_supplicant: add upstream 2021-1 security fix

Fixes the following security issue:

- wpa_supplicant P2P provision discovery processing vulnerability (no CVE
yet)

A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.

For more details, see the advisory:
https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: actually add the patch URL to the patch list]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/kismet: server needs wchar

kismet embeds its own copy of fmt since version 2019-04-R1 so add a
dependency on wchar to avoid the following build failure when building
the server:

./fmt/core.h:1245:1:
std::wstring vformat(wstring_view format_str, wformat_args args);
^~~
./fmt/core.h:1266:13: error: 'wstring' in namespace 'std' does not name a type
inline std::wstring format(wstring_view format_str, const Args & ... args) {
^~~~~~~
./fmt/core.h:1266:8: note: 'std::wstring' is defined in header '<string>'; did you forget to '#include <string>'?

Fixes:
- http://autobuild.buildroot.org/results/f19b3d080514a799a1c75b38ff5f7ae4e8d2628d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/perl: link with -lintl if needed

Link with TARGET_NLS_LIBS if needed to avoid the following build failure
with perl in version 5.32:

/home/buildroot/autobuild/instance-3/output-1/host/bin/arm-linux-gcc -lm -Wl,-E -o perl perlmain.o libperl.a -lm -lcrypt -lpthread -ldl
/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: libperl.a(locale.o): in function `S_emulate_setlocale':
/home/buildroot/autobuild/instance-3/output-1/build/perl-5.32.1/locale.c:1182: undefined reference to `libintl_textdomain'

An upstream issue has been opened in:
https://github.com/Perl/perl5/issues/18467

Fixes:
- http://autobuild.buildroot.org/results/9df8d8d28006845b4f927548f8856dfa8f79802b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

uclibc-ng-test: update to latest

Fixes:
http://autobuild.buildroot.net/results/877879987f7adea0fa239e879b056c248968b1e9
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bustle: fix static build

Commit 436cb9308a50b1007a42eb490405a3155307a771 wrongly removed --static
from pcap-config call

Fixes:
- http://autobuild.buildroot.org/results/b5d8d8d8452342373c2446613ba3051c20a97c03

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/python-pyyaml: security bump to version 5.4.1

Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary code
execution when it processes untrusted YAML files through the full_load
method or with the FullLoader loader. Applications that use the library
to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing
the python/object/new constructor. This flaw is due to an incomplete fix
for CVE-2020-1747.

Update hash of LICENSE file (update in year:
https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)

https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gnuradio: fix qtgui build when gr-analog is not set

gr-qtgui examples needs to have gr-analog enabled, without this dependency
compile crash with:

In file included from
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.cc:22:
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/build.make:67:
gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/display_qt.cc.o] Error 1
make[3]: *** Waiting for unfinished jobs....
In file included from
/somewhere/gnuradio/build/gr-qtgui/examples/c++/moc_display_qt.cpp:10:
/somewhere/gnuradio/build/gr-qtgui/examples/c++/../../../../gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

GR_ANALOG is not an explicit dependency of GR_QTGUI, so disable c++ examples if
user has not selected this option.

[backported from 7470a7a3771dd90defb826b464dfe62977cb1eb6]

Fixes:
- http://autobuild.buildroot.net/results/fde670499289f3d7d47379eebccf6e0f92c6d200/

Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/python-pyyaml: add CPE variables

cpe:2.3:a:pyyaml:pyyaml is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apyyaml%3Apyyaml

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/dovecot-pigeonhole: add CPE variables

cpe:2.3:a:dovecot:pigeonhole is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adovecot%3Apigeonhole

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/giflib: set GIFLIB_CPE_ID_VALID

cpe:2.3:a:giflib_project:giflib is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/nmap: add NMAP_CPE_ID_VENDOR

cpe:2.3:a:nmap:nmap is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anmap%3Anmap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/ruby: add RUBY_CPE_ID_VENDOR

cpe:2.3:a:ruby-lang:ruby is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aruby-lang%3Aruby

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gd: add CPE variables

cpe:2.3:a:libgd:libgd is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibgd%3Alibgd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libfribidi: add CPE variables

cpe:2.3:a:gnu:fribidi is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Afribidi

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/jpeg-turbo: add CPE variables

cpe:2.3:a:libjpeg-turbo:libjpeg-turbo is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibjpeg-turbo%3Alibjpeg-turbo

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/tiff: add CPE variables

cpe:2.3:a:libtiff:libtiff is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtiff%3Alibtiff

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/rabbitmq-c: set RABBITMQ_C_CPE_ID_VALID

cpe:2.3:a:rabbitmq-c_project:rabbitmq-c is a valid CPE identifier for
this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arabbitmq-c_project%3Arabbitmq-c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libpam-tacplus: add CPE variables

cpe:2.3:a:pam_tacplus_project:pam_tacplus is a valid CPE identifier for
this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apam_tacplus_project%3Apam_tacplus

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/e2fsprogs: set E2FSPROGS_CPE_ID_VALID

cpe:2.3:a:e2fsprogs_project:e2fsprogs is a valid CPE identifier for
this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ae2fsprogs_project%3Ae2fsprogs

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bootstrap: add BOOTSRAP_CPE_ID_VENDOR

cpe:2.3:a:getbootstrap:bootstrap is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agetbootstrap%3Abootstrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libsndfile: set LIBSNDFILE_CPE_ID_VALID

cpe:2.3:a:libsndfile_project:libsndfile is a valid CPE identifier for
this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibsndfile_project%3Alibsndfile

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bubblewwrap: add BUBBLEWRAP_CPE_ID_VENDOR

cpe:2.3:a:projectatomic:bubblewrap is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aprojectatomic%3Abubblewrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/rdesktop: add RDESKTOP_CPE_ID_VENDOR

cpe:2.3:a:rdesktop:rdesktop is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ardesktop%3Ardesktop

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/redis: security bump to v6.0.12

From the release notes:
(https://github.com/redis/redis/blob/6.0.12/00-RELEASENOTES)

================================================================================
Redis 6.0.11 Released Mon Feb 22 16:13:23 IST 2021
================================================================================

Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.

Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.

================================================================================
Redis 6.0.12 Released Mon Mar 1 17:29:52 IST 2021
================================================================================

Upgrade urgency: LOW, fixes a compilation issue.

Bug fixes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gstreamer1/gst1-plugins-bad: add sctp option

sctp unconditionnally uses __sync_*_4 intrinsics in
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/blob/master/ext/sctp/usrsctp/usrsctplib/user_atomic.h

As a result, this will raise the following build failure with bootlin
sparc toolchain:

/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ext/sctp/usrsctp/libusrsctp-static.a(usrsctplib_user_socket.c.o): in function `usrsctp_conninput':
user_socket.c:(.text+0x3004): undefined reference to `__sync_fetch_and_add_4'

sctp uses an internal version of usrsctp (which is not available in
buildroot) and is available since version 1.15.1:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/e2f06326eac7c3c7fa9c0d5baf4bf9673fc93376

Fixes:
- http://autobuild.buildroot.org/results/981b11ae9746d1eef40c1797398c4f6c16f005bd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/prosody: security bump to 0.11.8

From the release notes:
https://blog.prosody.im/prosody-0.11.8-released/

This release also fixes a security issue, where channel binding, which
connects the authentication layer (i.e. SASL) with the security layer (i.e.
TLS) to detect man-in-the-middle attacks, could be used on connections
encrypted with TLS 1.3, despite the holy texts declaring this undefined.

https://issues.prosody.im/1542

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: mark as security bump, expand commit text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

configs: rename a bunch of friendlyarm boards

We have defconfigs for quite a few friendlyarm boards, but the
naming for the defconfigs for those boards is inconsistent: some
start with 'friendlyarm_' while others don't.

Although the number of boards starting with 'friendlyarm_' is
less than those which do not, we still choose to rename the
boards so all have the 'friendlyarm_' prefix.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chakra Divi <chakra@openedev.com>
Cc: Davide Viti <zinosat@gmail.com>
Cc: Marek Belisko <marek.belisko@open-nandra.com>
Cc: Suniel Mahesh <sunil@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/util-linux: disable runuser for the host build

runuser allows running commands as another user, but needs to run as
root to be able to setuid(). But Buildroot does not require running as
root, and so runuser can't be used.

Incientally, that fixes host build in case unsuitable libs are found on
the system:
    http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html

Reported-by: GA K <guyarkam@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - expand the commit log with a more fundamental explanation that
    runuser can't be used anyway
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/tpm2-pkcs11: needs threads

tpm2-pkcs11 fails to build without threads since its addition with
commit 42db2c7236c2249ec02608ed714fa6f95e36161b

Fixes:
- http://autobuild.buildroot.org/results/8218776da34cc4a20663ae6737ad7727b12d8cd2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/privoxy: security bump to version 3.0.32

Privoxy 3.0.32 fixes a number of security issues:

- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

for more details, see the announcement:
https://www.openwall.com/lists/oss-security/2021/02/28/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/ushare: bump to version 2.1

Fix SOAP action responses which are broken since the switch to latest
version of libupnp (1.14.x) in version 2.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/jbig2dec: add JBIG2DEC_CPE_ID_VENDOR

cpe:2.3:a:artifex:jbig2dec is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aartifex%3Ajbig2dec

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/putty: add PUTTY_CPE_ID_VENDOR

cpe:2.3:a:putty:putty is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aputty%3Aputty

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-urllib3: add CPE variables

cpe:2.3:a:python:urllib3 is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Aurllib3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python3: add CPE variables

cpe:2.3:a:python:python is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Apython

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-aiohttp-session: add CPE variables

cpe:2.3:a:aiohttp-session_project:aiohttp-session is a valid CPE
identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaiohttp-session_project%3Aaiohttp-session

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libbsd: add LIBBSD_CPE_ID_VENDOR

cpe:2.3:a:freedesktop:libbsd is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreedesktop%3Alibbsd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/mosquitto: bump to v2.0.8

Mosquitto 2.0.8 is bugfix release. See the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-8-released/

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/openssh: security bump to version 8.4p1

Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/haproxy: bump to version 2.2.9

https://www.mail-archive.com/haproxy@formilux.org/msg39744.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2021.02-rc3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-aiohttp: security bump to version 3.7.4

Fixes the following security issue:

CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async
HTTP client/server framework, is prone to an open redirect vulnerability. A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.

For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libglib2: security bump to version 2.66.7

- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
  2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
  with a buffer of 4GB or more on a 64-bit platform, the length would be
  truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
  2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
  integer overflow on 64-bit platforms due to an implicit cast from 64
  bits to 32 bits. The overflow could potentially lead to memory
  corruption.

https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/openntpd: add OPENNTPD_CPE_ID_VENDOR

cpe:2.3:a:openntpd:openntpd is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopenntpd%3Aopenntpd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/openldap: add upstream security fix for CVE-2021-27212

In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp. This is related to schema_init.c and checkTime.

For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/screen: add security fix for CVE-2021-26937

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a
denial of service (invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8 character sequence.

For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2021/02/09/3

So far no fix has been added to upstream git, and a number of early proposed
fixes caused regressions, so pull the security fix from the screen 4.8.0-5
Debian package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/imagemagick: disable remaining config options (heic, jxl, openjp2)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/imagemagick: add optional libraw support

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/imagemagick: add optional zstd support

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/imagemagick: add optional libzip support

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/imagemagick: security bump to version 7.0.10-62

Fixes the following security issue:

CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero. The highest threat from this vulnerability is to system
availability.

For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077

- bump version to 7.0.10-62
- update license file hash (copyright year update)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/readline: disable bracketed paste by default

As of readline 8.1, "bracketed paste" is enabled by default. However,
the feature causes control characters to appear in captured (telnet)
session output. This can throw off pattern matching if the output is to
be processed by scripts.

Let's keep the previous default of leaving this feature disabled and
provide a configuration option for users to enable it.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
  - explicit enable/disable
  - no indentation in conditional block
  - rewrap help text
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/qemu: disable tests

tests/fp/fp-bench.c use fenv.h that is not always provided
by the libc (uClibc).

To workaround this issue, add an new meson option to
disable tests while building Qemu.

Fixes:
http://autobuild.buildroot.net/results/53f5d8baa994d599b9da013ee643b82353366ec3/build-end.log

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/botan: avoid empty -l

Add upstream patch to fix upstream commit
af63fe89228172e5a395f7e6491fae3bfa9da4b1 which was added to buildroot in
commit d71de4143d7a8554929f2a1e9731f83a4cf85fd3

Fixes:
- http://autobuild.buildroot.org/results/801007860b7787b28b2b2e3611b59350034a3694

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libuwsc: disable example

BUILD_EXAMPLE=OFF is already passed by cmake-package

Fixes:
- http://autobuild.buildroot.org/results/f5256d5a3a86112f008506f1910d0600c491a2a0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/brltty: fix build with gcc < 5

Fix build of brltty in version 6.2 with gcc < 5

Fixes:
- http://autobuild.buildroot.org/results/b758c6ffc7a14b24d5482e65ba6f90bc046ebd01

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: do an actual backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/babeltrace2: link with libatomic if needed

Fix build of babeltrace2 in version 2.0.3 with Bootlin SPARC uclibc
toolchain added with commit 1348c569d0cb7f67eca30f170b782aa8b51cc259

Fixes:
- http://autobuild.buildroot.org/results/31770bf70f9ce4e3be8fb310d084b214820c6829

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/elfutils: link with libatomic if needed

Fix build of elfutils 0.181 with Bootlin SPARC uclibc toolchain added
with commit 1348c569d0cb7f67eca30f170b782aa8b51cc259

Fixes:
- http://autobuild.buildroot.org/results/31ce9e3861c6229a7869a15d322f5d2f5bfc6165

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/intel-mediasdk: disable samples and tutorials

Disable samples and tutorials which are enabled by default and fail to
build with gcc 10 without upstream commit:
https://github.com/Intel-Media-SDK/MediaSDK/commit/c7d40371eb0c2042261fe1f91a364f69a1457235

Fixes:
- http://autobuild.buildroot.org/results/9ee28e5dc0b2ba854766d9bc82b95c28be2722d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/nodejs: security bump to version v12.21.0

Fixes the following security issues:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors.  If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g.  a file.  If no
file descriptor limit is configured, then this lead to an excessive memory
usage and cause the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect

Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”.  When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network.  If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain.  As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/ply: build needs flex and bison

Building needs flex and bison installed on the host system.

Fixes:
http://autobuild.buildroot.net/results/7cfe75725f4746367f2870ee9545f31ba56f6ec1

Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/screen: add SCREEN_CPE_ID_VENDOR

cpe:2.3:a:gnu:screen is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Ascreen

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/xterm: add XTERM_CPE_ID_VENDOR

cpe:2.3:a:invisible-island:xterm is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ainvisible-island%3Axterm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python3: security bump to version 3.9.2

Fixes the following security issue:

- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
query args separator
https://bugs.python.org/issue42967

And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html

Drop the now upstreamed security patch and update the license hash for a
change of copyright year:

-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

support/download: drop sub-second precision in tarball creation

Some download backends, like svn, will provide timestamps with a
sub-second precision, e.g.

    $ svn info --show-item last-changed-date [...]
    2021-02-19T20:22:34.889717Z

However, the PAX headers do not accept sub-second precision, leading to
failure to download from subversion:

    tar: Time stamp is out of allowed range
    tar: Exiting with failure status due to previous errors
    make[1]: *** [package/pkg-generic.mk:148: [...]/build/subversion-1886712/.stamp_downloaded] Error 1

Fix that by massaging the timestamp to drop the sub-second part. We
do that in the generic helper, rather than the svn backend, so that
all callers to the generic helper benefit from this, as this is more
an internal details of the tarball limitations, than of the backends
themselves.

Reported-by: Roosen Henri <Henri.Roosen@ginzinger.com>
Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
  - add Henri as reporter
  - move it out of the svn backend, and to the generic helper
  - reword the commit log accordingly
  - use an explicit time format rather than -Iseconds
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bind: security bump to version 9.11.28

Fixes the following security issue:

- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
  configured, a specially crafted GSS-TSIG query could cause a buffer
  overflow in the ISC implementation of SPNEGO (a protocol enabling
  negotiation of the security mechanism to use for GSSAPI authentication).
  This flaw could be exploited to crash named.  Theoretically, it also
  enabled remote code execution, but achieving the latter is very difficult
  in real-world conditions

For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625

In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html

Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:

-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/fakeroot: fix glibc detection on patch for new wrappers

Commit f45925a951318e9e53bead80b363e004301adc6f add the patch:

0003-libfakeroot.c-add-wrappers-for-new-glibc-2.33-symbol.patch

which allowed fakeroot to be compiled with GLIBC 2.33 or above.
However, this introduce a bug for building with a non-GLIBC based
toolchain as a GLIBC macro - __GLIBC_PREREQ - is used on the same line
as the detection of GLIBC.

Fix this by backporting the fix to this incorrect macro from upstream
commit:

https://salsa.debian.org/clint/fakeroot/-/commit/8090dffdad8fda86dccd47ce7a7db8840bdf7d7b

CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/unbound: bump to version 1.13.1

This release contains a number of bug fixes. There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001). Unbound control has added commands to enable and
disable rpz processing. Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing. With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.

https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.1

Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/irqbalance: fix irqbalance/irqbalance-ui socket communication

Add patch to fix irqbalance/irqbalance-ui socket communication by
fixing uint64_t printf format usage.

Fixes:

  $ irqbalance-ui
  Invalid data sent.  Unexpected token: (null)TYPE

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - do an actual backport as upstream applied the patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/open62541: fix library version definition

Manually specified version must start with letter 'v',
otherwise, the generated version macro will be zero
in the <build_dir>/src_generated/open62541/config.h file:
  #define UA_OPEN62541_VER_MAJOR 0
  #define UA_OPEN62541_VER_MINOR 0
  #define UA_OPEN62541_VER_PATCH 0

Reference from the following link:
https://open62541.org/doc/current/building.html

Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

support/scripts/boot-qemu-image.py: properly catch timeout

As reported on IRC by sephthir, the gitlab test of the defconfig
qemu_sparc_ss10_defconfig doesn't error out while the system
is not working properly.

This is because we explicitly wait for the timeout as an expected
condition, but do not check for it. Indeed, pexpect.expect() returns
the index of the matching condition in the list of expected conditions,
but we just ignore the return code, so we are not able to differentiate
between a successful login (or prompt) from a timeout.

By default, pexepect.expect() raises the pexpect.TIMEOUT exception on a
timeout, and we are already prepared to catch and handle that exception.
But because pexpect.TIMEOUT is passed as an expected condition, the
exception is not raised.

Remove pexpect.TIMEOUT from the list of expected conditions, so that the
exception is properly raised again, and so that we can catch it.

The qemu_sparc_ss10_defconfig is already fixed by
4d16e6f5324f0285f51bfbb5a3503584f3b3ad12.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)

- add mkdir -p /run/irqbalance to sysv startup script needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  daemon.warn /usr/sbin/irqbalance: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: only create in start case]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/irqbalance: fix systemd startup script (add RuntimeDirectory)

- add RuntimeDirectory=irqbalance to create /run/irqbalanace needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  /usr/sbin/irqbalance[158]: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

DEVELOPERS: remove Scott Fan

Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

utils/scanpypi: use python3 explicitly

scanpypi is python3 compatible. In addition, it executes the setup.py
of Python modules to extract the relevant information. Since these are
more and more commonly using python3 constructs, using "python" to run
scanpypi causes problems on systems that have python2 installed as
python, when trying to parse setup.py scripts with python3 constructs.

Fixes part of #13516.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/taglib: drop config options to enable MP4/ASF support

Both options where removed in git commit dd846904cbc1ef3ee628d77f0c9df88ef8967816
back in year 2011.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
[yann.morin.1998@free.fr: drop the legacy handling]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/rust: disable ninja

Ninja has recently be enabled as the default build system to build
llvm fork for rust compiler [1]. But we can still use Make if
"ninja = false" is provided in config.toml.

Ninja support can be enabled by a following patch.

[1] https://github.com/rust-lang/rust/commit/30b7dac745b1555cd96f41977f7d24435cbe7fa2

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019386205

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/cegui: use plain assignemnt for first _CONF_OPTS

Commit 689b9c1a7cf5 (package/cegui: disable xerces support) added
an unconditional assignment to _CONF_OPTS before all the conditional
ones, but used the append-assignment instead of the traditional plain
assignment.

Fix that by removing the append-assignment.

Use that opportunity to also move the first item of this multi-line
assignment, to its own line.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- reference the exact commit that introduce the issue
- also move the first item to its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/python-django: security bump to version 3.0.13

Fixes the following security issue:

- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

  Django contains a copy of urllib.parse.parse_qsl() which was added to
  backport some security fixes.  A further security fix has been issued
  recently such that parse_qsl() no longer allows using ; as a query
  parameter separator by default.  Django now includes this fix.  See
  bpo-42967 for further details.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/botan: fix build with -latomic

Static build with toolchains needing -latomic (e.g sparc) is broken
since version 2.17.0 and
https://github.com/randombit/botan/commit/88af81b88976d9a1293280f68df597220ab42767

Fixes:
- http://autobuild.buildroot.org/results/5c03ee53a34a3cdb409cffcda76e5cc2c723778b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libselinux: fix build with musl 1.2.2

Fixes:
- http://autobuild.buildroot.org/results/34b010e76d65cf1d79ef53207cbc00a86674e17a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libusb: apply upstream patch to fix descriptor parsing

v1.0.24 of libusb has a bug in the Linux backend where it fails to
enumerate any device with more than one configuration. Backport the
upstream patch which fixes this as otherwise libusb based applications
are unable to communicate with any devices advertising more than one
configuration.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

docs/website: update for 2020.02.11

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2020.02.11

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 08e03785d3812c085c438a6040ccedc3e9f5809d)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

docs/website: update for 2020.11.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2020.11.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 610e67b1fc4ac44e0c4a7ba437c917ad6d63f481)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2021.02-rc2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/perl-extutils-pkgconfig: set PATH to BR_PATH

Set PATH to BR_PATH to allow perl-extutils-pkgconfig to find pkg-config
binary

Fixes:
- http://autobuild.buildroot.org/results/d87787fbf2a8cb9bbaa3b59d1e8004ad1459536a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libopenssl: security bump to version 1.1.1j

Fixes the following security issues:

- CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()

  The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate.  However it fails to correctly
  handle any errors that may occur while parsing the issuer field (which
  might occur if the issuer field is maliciously constructed).  This may
  subsequently result in a NULL pointer deref and a crash leading to a
  potential denial of service attack.

  The function X509_issuer_and_serial_hash() is never directly called by
  OpenSSL itself so applications are only vulnerable if they use this
  function directly and they use it on certificates that may have been
  obtained from untrusted sources.

- CVE-2021-23839: Incorrect SSLv2 rollback protection

  OpenSSL 1.0.2 supports SSLv2.  If a client attempts to negotiate SSLv2
  with a server that is configured to support both SSLv2 and more recent SSL
  and TLS versions then a check is made for a version rollback attack when
  unpadding an RSA signature.  Clients that support SSL or TLS versions
  greater than SSLv2 are supposed to use a special form of padding.  A
  server that supports greater than SSLv2 is supposed to reject connection
  attempts from a client where this special form of padding is present,
  because this indicates that a version rollback has occurred (i.e.  both
  client and server support greater than SSLv2, and yet this is the version
  that is being requested).

  The implementation of this padding check inverted the logic so that the
  connection attempt is accepted if the padding is present, and rejected if
  it is absent.  This means that such as server will accept a connection if
  a version rollback attack has occurred.  Further the server will
  erroneously reject a connection if a normal SSLv2 connection attempt is
  made.

  OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable
  to this issue.  The underlying error is in the implementation of the
  RSA_padding_check_SSLv23() function.  This also affects the
  RSA_SSLV23_PADDING padding mode used by various other functions.  Although
  1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still
  exists, as does the RSA_SSLV23_PADDING padding mode.  Applications that
  directly call that function or use that padding mode will encounter this
  issue.  However since there is no support for the SSLv2 protocol in 1.1.1
  this is considered a bug and not a security issue in that version.

- CVE-2021-23840: Integer overflow in CipherUpdate

  Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
  overflow the output length argument in some cases where the input length
  is close to the maximum permissable length for an integer on the platform.
  In such cases the return value from the function call will be 1
  (indicating success), but the output length value will be negative.  This
  could cause applications to behave incorrectly or crash.

For more details, see the advisory:
https://www.openssl.org/news/secadv/20210216.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

support/scripts/pkg-stats: add ignored_cves to json output

Add the list of <pkg>_IGNORE_CVES to the json output to show that we have a
known cause (available patch or the CVE is not valid for our package
configuration) that a affected CVE is not reported.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/openblas: fix detection of gfortran compiler

The compiler detection since openblas 0.3.8 added support for gcc 10, but
this broke detection of compilers created with crosstool-ng, or other
toolchains that have a package version containing a version like x.y.z where
at least one of x, y or z have more than one digit, for example
"Crosstool-NG 1.24.0".

See the reported issue for more details [1].

Backport the upstream patch that fixes it.

[1] https://github.com/xianyi/OpenBLAS/issues/3099

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>