Peter Korsgaard [Fri, 6 Sep 2019 15:46:55 +0000 (17:46 +0200)]
package/asterisk: security bump to version 16.5.1
Fixes the following security issues:
AST-2019-004: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
responds with a declined media stream a crash will then occur in Asterisk.
https://downloads.asterisk.org/pub/security/AST-2019-004.pdf
AST-2019-005: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the
number of samples are examined and as part of this a message is output to
indicate that no samples are present. A change was done to suppress this
message for a particular scenario in which the message was not relevant. This
change assumed that information about the origin of a frame will always exist
when in reality it may not.
https://downloads.asterisk.org/pub/security/AST-2019-005.pdf
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Fri, 6 Sep 2019 12:05:00 +0000 (15:05 +0300)]
package/python-enum: bump to version 0.4.7
Also add hash for license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Fri, 6 Sep 2019 12:04:30 +0000 (15:04 +0300)]
package/monit: bump to version 5.26.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Fri, 6 Sep 2019 11:34:46 +0000 (13:34 +0200)]
package/exim: security bump to version 4.92.2
Fixes CVE-2019-15846: Local or remote attacker can execute programs with
root privileges
For details, see the advisory:
https://exim.org/static/doc/security/CVE-2019-15846.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Christopher McCrory [Fri, 30 Aug 2019 18:44:13 +0000 (11:44 -0700)]
package/e2fsprogs: bump to version 1.45.3
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sat, 31 Aug 2019 10:49:30 +0000 (12:49 +0200)]
package/libdmtx: bump version to 0.7.5
According to https://sourceforge.net/projects/libdmtx the project was
moved to https://github.com/dmtx so update project URL in Config.in.
Updated license hash due to upstream commit
https://github.com/dmtx/libdmtx/commit/
b65ff367ad90ab29568a5719b2ec07a2c2a6d8e8
Added AUTORECONF because the github tarball does not include a
configure script.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Sat, 31 Aug 2019 10:45:10 +0000 (12:45 +0200)]
package/aubio: bump to version 0.4.9
Remove upstream patch.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 30 Aug 2019 13:50:04 +0000 (15:50 +0200)]
package/wireguard: bump version to 0.0.
20190702
For details of the changes, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2019-July/004271.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 4 Sep 2019 18:40:43 +0000 (20:40 +0200)]
package/libogg: bump version to 1.3.4
Added all hashes provided by upstream.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 4 Sep 2019 18:12:21 +0000 (20:12 +0200)]
package/dav1d: disable tests and tools
Some tools need SDL2 which will break the build if SDL2 is found on host
Fixes:
- http://autobuild.buildroot.org/results/
4cea773805e62911019d0627dcdf5d17b71032b7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Tue, 3 Sep 2019 11:53:58 +0000 (13:53 +0200)]
package/less: bump to version 530
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Tue, 3 Sep 2019 11:38:37 +0000 (13:38 +0200)]
package/nano: bump to version 4.4
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Sat, 31 Aug 2019 20:03:59 +0000 (23:03 +0300)]
package/iw: bump to version 5.3
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 4 Sep 2019 17:47:47 +0000 (19:47 +0200)]
package/cups-filters: bump to version 1.25.4
Update hash of license file (year, authors, files have been updated)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pierre-Jean Texier [Wed, 4 Sep 2019 17:10:55 +0000 (19:10 +0200)]
DEVELOPERS: add Pierre-Jean Texier for tree
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pierre-Jean Texier [Wed, 4 Sep 2019 17:10:54 +0000 (19:10 +0200)]
package/tree: bump to version 1.8.0
See http://mama.indstate.edu/users/ice/tree/changes.html
Also add a hash for license file.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 4 Sep 2019 17:02:02 +0000 (19:02 +0200)]
package/cups: security bump to version 2.2.12
- Remove fifth patch (already in version)
- Fix CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
(rdar://
51685251)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sergio Prado [Wed, 4 Sep 2019 01:22:03 +0000 (22:22 -0300)]
package/wolfssl: bump to version 4.1.0
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sergio Prado [Wed, 4 Sep 2019 00:51:28 +0000 (21:51 -0300)]
package/snort: bump to version 2.9.14.1
Since configure is using PKG_CHECK_MODULES macro, we need to
unconditionally depends on host-pkgconf.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 4 Sep 2019 17:58:48 +0000 (19:58 +0200)]
package/samba4: security bump version to 4.10.8
Release notes: https://www.samba.org/samba/history/samba-4.10.8.html
Fixes CVE-2019-10197
Combination of parameters and permissions can allow user
to escape from the share path definition.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jörg Krause [Mon, 2 Sep 2019 19:34:59 +0000 (21:34 +0200)]
package/mpd: bump to version 0.21.14
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sébastien Szymanski [Tue, 3 Sep 2019 09:20:24 +0000 (11:20 +0200)]
package/unzip: add security patch from Debian
Fix the URL and add a new patch. Quoting changelog [1]:
unzip (6.0-25) unstable; urgency=medium
* Apply one more patch by Mark Adler:
- Do not raise a zip bomb alert for a misplaced central directory.
This should allow Firefox to build again. Closes: #932404.
Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.
-- Santiago Vila <sanvila@debian.org> Sat, 27 Jul 2019 18:01:36 +0200
[1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Tue, 3 Sep 2019 10:27:38 +0000 (12:27 +0200)]
DEVELOPERS: add Giulio Benetti to libnspr and libnss package
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ismael Luceno [Tue, 3 Sep 2019 19:07:03 +0000 (21:07 +0200)]
package/axel: bump to version 2.17.6
Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pierre-Jean Texier [Tue, 3 Sep 2019 20:32:48 +0000 (22:32 +0200)]
package/logrotate: bump to version 3.15.1
See https://github.com/logrotate/logrotate/releases/tag/3.15.1
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 3 Sep 2019 18:08:04 +0000 (20:08 +0200)]
package/libvips: remove unrecognized --enable-cxx
Remove --enable-cxx, this option has been removed since version 8.1 and
https://github.com/libvips/libvips/commit/
346a9e70c0b096f84127449488e7dce6968d91c7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 3 Sep 2019 17:08:36 +0000 (19:08 +0200)]
package/micropython: remove unneeded patch
Remove patch which is already in version
Fixes:
- http://autobuild.buildroot.org/results/
01da2ad39ea01c522fc5b431c4544bd91f58ac4a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 3 Sep 2019 16:57:49 +0000 (18:57 +0200)]
package/giflib: drop unneeded patches
Remove patches which are already included in version 5.2.1
Fixes:
- http://autobuild.buildroot.org/results/
a558f21cb1d9ad8618a1c64464e0cf1ccba7608b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 3 Sep 2019 14:30:58 +0000 (16:30 +0200)]
package/qemu: fixup patches after 3.1.1 bump
Commit
a0b032ad859b2e6e8cd (package/qemu: security bump to version 3.1.1)
bumped the version but didn't update the patch subdirectory name, so the
patches are now ignored.
Fix that by renaming the directory. Drop
0002-configure-improve-usbfs-check.patch as that is now upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 3 Sep 2019 13:03:02 +0000 (15:03 +0200)]
Merge branch 'next'
Peter Korsgaard [Tue, 3 Sep 2019 11:16:32 +0000 (13:16 +0200)]
docs/website: update for 2019.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 3 Sep 2019 10:37:46 +0000 (12:37 +0200)]
Update for 2019.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop Makefile changes]
(cherry picked from commit
b9e671a558f106d57ed3c7f0cd0b89359c6b1567)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 2 Sep 2019 21:02:44 +0000 (23:02 +0200)]
docs/website: update for 2019.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 2 Sep 2019 20:15:58 +0000 (22:15 +0200)]
Update for 2019.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop Makefile changes]
(cherry picked from commit
b1408d04a383eacadf1518886d216325304569ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 2 Sep 2019 20:06:43 +0000 (22:06 +0200)]
CHANGES: Add missing issues header for 2019.02.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit
96502c2a46a440926c975711110e387ff226349f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 2 Sep 2019 20:54:38 +0000 (22:54 +0200)]
Kickoff 2019.11 cycle
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 1 Sep 2019 21:35:27 +0000 (23:35 +0200)]
docs/website/news.html: add 2019.08 announcement link
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 1 Sep 2019 21:06:01 +0000 (23:06 +0200)]
Update for 2019.08
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:51 +0000 (14:00 +0200)]
configs/radxa_rock_pi4: remove defconfig
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489410
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:50 +0000 (14:00 +0200)]
configs/pine64_rockpro64: remove defconfig
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489367
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:49 +0000 (14:00 +0200)]
configs/nanopi_m4: remove defconfig
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489328
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:48 +0000 (14:00 +0200)]
configs/nanopi_neo4: remove defconfig
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489329
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:47 +0000 (14:00 +0200)]
configs/nanopc_t4: remove defconfig
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489325
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:46 +0000 (14:00 +0200)]
boot/ts4800-mrboot: remove package
Since the ts4800_defconfig has been removed, the ts4800-mrboot package
is no longer useful, therefore we drop it.
Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 29 Aug 2019 12:00:45 +0000 (14:00 +0200)]
configs/ts4800: remove defconfig
This defconfig has been failing to build since we switched the default
gcc version to gcc 8.x, as the Linux kernel version is too old and
doesn't contain the necessary fixes to build with gcc >= 8.x.
Despite several pings to the original submitter of the defconfig
(which is not listed in MAINTAINERS), no fix has been sent, so it is
time to drop this defconfig before the 2019.08 release.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
278489442
Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexandre PAYEN [Thu, 8 Aug 2019 15:19:50 +0000 (17:19 +0200)]
package/python-numpy: add reverse dependency on packages using python-numpy
Since commit
1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed[1] is merged, a
new build failure occurs when selecting packages which needs
python-numpy as dependency.
This fix a build issue[2] by adding the correct reverse dependencies
to the following packages :
- gnuradio (for python support)
- opencv3 (for python support)
- piglit
- python-matplotlib
So :
- adding to every listed packages
`depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)`
and add a comment to explain what happend.
[1] https://git.buildroot.net/buildroot/commit/?id=
1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed
[2] http://autobuild.buildroot.org/results/b76/
b76b6cf9602bcf5df69a7276762eab54cf74007b
Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Damien DUVAL <damien.duval@smile.fr>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Fri, 30 Aug 2019 17:15:19 +0000 (19:15 +0200)]
package/php: security bump version to 7.3.9
Release notes: https://www.php.net/archive/2019.php#2019-08-29-1
Changelog: https://www.php.net/ChangeLog-7.php#7.3.9
Fixes CVE-2019-13224 & CVE-2019-13225:
https://bugs.mageia.org/show_bug.cgi?id=25380
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabio Estevam [Fri, 30 Aug 2019 16:38:26 +0000 (13:38 -0300)]
configs/mx53loco: Bump U-Boot and kernel versions
Bump to U-Boot 2019.07 and kernel 5.2.9 versions.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Fri, 30 Aug 2019 17:00:53 +0000 (19:00 +0200)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adrian Perez de Castro [Fri, 30 Aug 2019 14:15:28 +0000 (17:15 +0300)]
package/wpewebkit: security bump to version 2.24.3
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669,
CVE-2019-8673, CVE-2019-8676, CVE-2019-8678, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, and CVE-2019-8690.
This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes are available at:
https://wpewebkit.org/release/wpewebkit-2.24.3.html
The detailed security advisory can be found at:
https://wpewebkit.org/security/WSA-2019-0004.html
Patch "0001-Build-failure-after-r243644-in-GTK-Li.patch" is now unneeded
because it is one of the build fixes included in this release.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adrian Perez de Castro [Fri, 30 Aug 2019 12:04:32 +0000 (15:04 +0300)]
package/webkitgtk: security bump to version 2.24.4
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.
This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:
https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html
The detailed security advisory can be found at:
https://webkitgtk.org/security/WSA-2019-0004.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Zoltan Gyarmati [Tue, 27 Aug 2019 09:16:36 +0000 (11:16 +0200)]
package/tinc: bump to 1.0.36
Update the COPYING hash, since the copyright year was updated:
-Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.
+Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.
Signed-off-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
[Thomas: update license file hash]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Neil Armstrong [Wed, 28 Aug 2019 12:40:11 +0000 (14:40 +0200)]
package/glmark2: bump to the latest version
Bump to the latest git version, containing multiple fixes and support
for render-only GPUs (lima, panfrost, ...) and missing DRM driver
names to run like meson, rockchip, sun4i-drm.
Tested on Khadas VIM2 (aarch64) and Panfrost.
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Sergio Prado [Wed, 28 Aug 2019 05:47:22 +0000 (02:47 -0300)]
package/stella: bump version to 6.0.1
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Christopher McCrory [Wed, 28 Aug 2019 22:29:33 +0000 (15:29 -0700)]
package/zic: bump to version 2019b
Changed _SITE to https.
Add hash for license file.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
[Peter: fix license hash]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Christopher McCrory [Wed, 28 Aug 2019 22:28:51 +0000 (15:28 -0700)]
package/tzdata: bump to version 2019b
Changed _SITE to https.
Add hash for license file.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
[Peter: fix LICENSE hash, only use for the host package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:12 +0000 (20:28 +0300)]
package/python-xmltodict: bump to version 0.12.0
Also add hash for license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:11 +0000 (20:28 +0300)]
package/python-xlwt: bump to version 1.3.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:10 +0000 (20:28 +0300)]
package/python-xlrd: bump to version 1.2.0
The license file was changed from xlrd/licences.py to LICENSE in the
following upstream commit:
https://github.com/python-excel/xlrd/commit/
e7bcab2f4527b5a3d5118938076571e9e7566c2b
While the formatting has changed, the contents are the same. We take
this opportunity to add the hash of the license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
[Thomas: fix license file details]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:09 +0000 (20:28 +0300)]
package/python-ptyprocess: bump to version 0.6.0
Also add hash for license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:08 +0000 (20:28 +0300)]
package/python-oauthlib: bump to version 3.1.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:07 +0000 (20:28 +0300)]
package/python-jaraco-classes: bump to version 2.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:06 +0000 (20:28 +0300)]
package/python-iptables: bump to version 0.14.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:05 +0000 (20:28 +0300)]
package/python-ipaddr: bump to version 2.2.0
Also add hash for license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:04 +0000 (20:28 +0300)]
package/python-futures: bump to version 3.3.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:03 +0000 (20:28 +0300)]
package/python-engineio: bump to version 3.9.3
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asaf Kahlon [Tue, 27 Aug 2019 17:28:02 +0000 (20:28 +0300)]
package/python-daemonize: bump to version 2.5.0
Also add hash for license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Zoltan Gyarmati [Thu, 29 Aug 2019 10:41:03 +0000 (12:41 +0200)]
package/libusb: bump to 1.0.23
Also remove obsolete patch and not calling autoreconf (as configure.ac
is not patched anymore)
Signed-off-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Wed, 28 Aug 2019 20:46:35 +0000 (22:46 +0200)]
configs/roseapplepi_defconfig: use gcc 7.x
The old 3.10.x based vendor kernel does not build correctly with gcc 8.x.
While there is basic s500 support in the mainline kernel, there is not yet a
mmc driver so it isn't quite a replacement yet.
Stick to the vender kernel for now and revert back to gcc 7.x, hopefully
mainline support will be more complete once gcc 7.x gets dropped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Wed, 28 Aug 2019 16:25:04 +0000 (18:25 +0200)]
package/network-manager: bump to version 1.20.0
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Wed, 28 Aug 2019 16:22:38 +0000 (18:22 +0200)]
package/modem-manager: bump to version 1.10.4
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:18:50 +0000 (18:18 +0200)]
package/x11r7/xfont_font-util: bump version to 1.3.2
Added all hashes provided by upstream and license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:17:58 +0000 (18:17 +0200)]
package/x11r7/xdriver_xf86-video-sis: bump version to 0.11.0
Removed all patches after they were applied upstream:
https://cgit.freedesktop.org/xorg/driver/xf86-video-sis/commit/?id=
9e42918588b65860422cb296a92ecede15db7419
https://cgit.freedesktop.org/xorg/driver/xf86-video-sis/commit/?id=
4b1356a2b7fd06e9a05d134caa4033681c939737
Added all hashes provided by upstream and license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:15:29 +0000 (18:15 +0200)]
package/x11r7/xapp_xrandr: bump version to 1.5.1
Switched _SOURCE to .xz, added all hashes provided by upstream and
license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:14:21 +0000 (18:14 +0200)]
package/x11r7/xapp_viewres: bump version to 1.0.6
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Wed, 28 Aug 2019 20:17:38 +0000 (22:17 +0200)]
package/at: bump version
Mainly this allows to drop 3 patches because they have been upstreamed.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Wed, 28 Aug 2019 17:19:23 +0000 (19:19 +0200)]
DEVELOPERS: add Giulio Benetti to at package
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Wed, 28 Aug 2019 16:54:52 +0000 (18:54 +0200)]
package/ofono: bump to version 1.30
Removed included in 1.30, refresh patch.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:35:26 +0000 (18:35 +0200)]
package/x11r7/libxcb: bump version to 1.13.1
Upstream does not provide a sha512 hash anymore.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:49:36 +0000 (18:49 +0200)]
package/vdr: bump version to 2.4.1
Release notes:
https://www.linuxtv.org/pipermail/vdr/2019-June/029497.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:38:09 +0000 (18:38 +0200)]
package/pngquant: bump version to 2.12.5
Upstream now provides a sha256 hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 16:31:53 +0000 (18:31 +0200)]
package/libvpx: bump version to 1.8.1
Rebased patch.
Changelog: https://github.com/webmproject/libvpx/blob/master/CHANGELOG
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 28 Aug 2019 21:02:48 +0000 (23:02 +0200)]
Update for 2019.08-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 14:13:15 +0000 (16:13 +0200)]
package/dovecot-pigeonhole: security bump version to 0.5.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html
Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
NUL byte when scanning data in quoted strings, leading to out of
bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Wed, 28 Aug 2019 14:13:14 +0000 (16:13 +0200)]
package/dovecot: security bump version to 2.3.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html
Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 28 Aug 2019 08:49:32 +0000 (10:49 +0200)]
package/python: add upstream security fix for CVE-2019-9740
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 28 Aug 2019 07:15:50 +0000 (09:15 +0200)]
package/qemu: security bump to version 3.1.1
Fixes the following security issues:
CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP). The
code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in
usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write
access to the host filesystem shared with a guest can use this property to
navigate the host filesystem in the context of the QEMU process and read any
file the QEMU process has access to. Access to the filesystem may be local
or via a network share protocol such as CIFS.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 17:31:44 +0000 (19:31 +0200)]
package/file: bump version to 5.37
Changelog: https://github.com/file/file/blob/master/ChangeLog
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 16:49:30 +0000 (18:49 +0200)]
package/boinc: bump version to 7.16.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 16:47:28 +0000 (18:47 +0200)]
package/asterisk: bump version to 16.5.0
Release notes:
https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current-summary.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 16:45:56 +0000 (18:45 +0200)]
package/apr: bump version to 1.7.0
Release notes: http://www.apache.org/dist/apr/CHANGES-APR-1.7
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 16:41:30 +0000 (18:41 +0200)]
package/x265: bump version to 3.1.2
Release notes:
https://bitbucket.org/multicoreware/x265/src/Release_3.1/doc/reST/releasenotes.rst
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 17:37:58 +0000 (19:37 +0200)]
package/flac: bump version to 1.3.3
Changelog: https://xiph.org/flac/changelog.html
Removed patch applied upstream, removed autoreconf:
https://git.xiph.org/?p=flac.git;a=commitdiff;h=
55721556161e6ab209f940f5023bc44b4051524a
Added all hashes provided by upstream and license hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 18:13:01 +0000 (20:13 +0200)]
package/gnutls: bump version to 3.6.9
Release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2019-July/004556.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 19:31:48 +0000 (21:31 +0200)]
package/hwdata: bump version to 0.326
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 18:20:04 +0000 (20:20 +0200)]
package/hdparm: bump version to 9.58
Release notes:
https://sourceforge.net/p/hdparm/news/2018/10/hdparm-957-is-released/
https://sourceforge.net/p/hdparm/news/2018/10/hdparm-958-is-released/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 19:28:43 +0000 (21:28 +0200)]
package/wpa_supplicant: security bump version to 2.9
Fixes https://w1.fi/security/2019-6/
Removed patch applied upstream:
http://w1.fi/cgit/hostap/commit/?id=
f2973fa39d6109f0f34969e91551a98dc340d537
Removed all other upstream patches which are included in this release.
Release notes:
http://lists.infradead.org/pipermail/hostap/2019-April/039979.html
http://lists.infradead.org/pipermail/hostap/2019-August/040373.html
Support for the old dbus interface was removed upstream:
http://w1.fi/cgit/hostap/commit/?id=
6a8dee76d4090287c016680c009b1334e01b5fbd
Removed Config.in option, removed _NEW from remaining dbus option,
select BR2_PACKAGE_DBUS when needed and added Config.in.legacy options.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 25 Aug 2019 19:28:42 +0000 (21:28 +0200)]
package/hostapd: security bump version to 2.9
Fixes https://w1.fi/security/2019-6/
Release notes:
http://lists.infradead.org/pipermail/hostap/2019-April/039979.html
http://lists.infradead.org/pipermail/hostap/2019-August/040373.html
This release includes all patches from https://w1.fi/security/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 27 Aug 2019 20:54:28 +0000 (22:54 +0200)]
package/faketime: bump to version 0.9.8
- Remove first patch (already in version)
- Remove second patch (not needed since merge of
https://github.com/wolfcw/libfaketime/pull/161)
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Petr Vorel [Tue, 27 Aug 2019 18:41:45 +0000 (20:41 +0200)]
package/libmbim: bump to version 1.18.2
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>