buildroot.git
3 years agopackage/dovecot-pigeonhole: bump version to 0.5.14
Bernd Kuhls [Fri, 5 Mar 2021 05:56:31 +0000 (06:56 +0100)]
package/dovecot-pigeonhole: bump version to 0.5.14

Release notes:
https://dovecot.org/pipermail/dovecot-news/2021-March/000456.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/dovecot: bump version to 2.3.14
Bernd Kuhls [Fri, 5 Mar 2021 05:56:30 +0000 (06:56 +0100)]
package/dovecot: bump version to 2.3.14

Release notes:
https://dovecot.org/pipermail/dovecot-news/2021-March/000455.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/dhcpcd: disable privsep on older kernels
Fabrice Fontaine [Fri, 5 Mar 2021 10:15:42 +0000 (11:15 +0100)]
package/dhcpcd: disable privsep on older kernels

Commit e5594f7239547672c08058b77f8098d2c080bebc fixed privsep for sh,
or1k, microblaze, xtensa, arc, nds32 and nios2, but failed to take into
account that the audit functionality is only available in recent kernels
on those architectures.

Pass the --disable-privsep configure option if the kernel is too old in
those architectures.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/libopenssl does not support riscv32
Yann E. MORIN [Wed, 3 Mar 2021 18:16:34 +0000 (19:16 +0100)]
package/libopenssl does not support riscv32

riscv32 is (surprise!) a 32-bit architecture. But it has been Y2038-safe
from its inception. As such, there are no legacy binaries that may use
the 32-bit time syscalls, and thus they are not available on riscv32.

Code that directly calls to the syscalls without using the C libraries
wrappers thus need to handle this case by themselves. That's what
upstream tried to do with:
    https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc

We initially carried that patch with 2bb26c1a1d24 (package/libopenssl:
fix build on riscv32).

However, as Arnd Bergmann puts it [0]:

    The patch looks wrong to me: __NR_io_pgetevents_time64 must be used
    whenever time_t is 64-bit wide on a 32-bit architecture, while
    __NR_io_getevents/__NR_io_pgetevents must be used when time_t is the
    same width as 'long'.

    Checking whether __NR_io_getevents is defined is wrong for all
    architectures other than riscv

And Arnd agrees that patch should be reverted [1] [2] (there are further
comments in that stream, that are worth reading).

As such, we've reverted 2bb26c1a1d24 with 6cfb4ad7f76a.

This means we have no working solution to enable openssl on riscv32 for
now. So, rather than fail the build, or backport a dysfunctional patch,
let's just forbid openssl on riscv32.

Drop the default from the choice selection; it was anyway superfluous:
the default of a choice, if left unspecified, is the first entry of the
choice. Also, having a default means we'd have to also propagate the
dependencies of the defaulted-to symbol, which is yet a little bit more
maintenance. Since the chances we get a third implementation of openssl
are pretty slim (very, very slim), reasoning about what is the default
is still very easy.

When propagating dependencies to tpm2-tss' users, we've tried to keep
the architecture dependency toward the top when possible, and otherwise
we've added it together with existing arch dependencies (MMU).

While at it, drop a useless redundant comment in ibm-sw-tpm2: if we
select FORCE_LIBOPENSSL, it is obvious that's because libressl is not
supported... Besides none of the other users of FORCE_LIBOPENSSL have
such a comment.

Fixes:
    http://autobuild.buildroot.org/results/eb9/eb9a64d4ffae8569b5225083f282cf87ffa7c681/
    ...
    http://autobuild.buildroot.org/results/07e/07e413b24ba8adc9558c80267ce16dda339bf032/

[0] https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc#commitcomment-44782859
[1] https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc#commitcomment-47826509
[2] https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc#commitcomment-47830530

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
3 years agopackage/dhcpcd: cherry-pick upstream arch-specific privsep fixes
Arnout Vandecappelle (Essensium/Mind) [Thu, 4 Mar 2021 20:18:15 +0000 (21:18 +0100)]
package/dhcpcd: cherry-pick upstream arch-specific privsep fixes

dhcpcd includes privsep-linux.c which contains platform-specific
definitions for the seccomp fixes. A lot of our architectures were not
supported yet in the 9.4.0 release, but are supported now thanks to
Fabrice Fontaine.

Cherry-pick those patches. All of them affect the same code, but they
are cherry-picked individually to keep the correspondence with upstream.
Slight adjustments had to be made but there were no merge conflicts.

Fixes:
 - http://autobuild.buildroot.org/results/9ed863b3ba5e6e0587a48e619395e5bdb7e9c557
 - http://autobuild.buildroot.org/results/affd2f094084c4f53a324830539d07050b83587e
 - http://autobuild.buildroot.org/results/67f39606054930d307ddd0eb7743f06316d41544

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/gnuchess: security bump to version 6.2.7
Fabrice Fontaine [Thu, 4 Mar 2021 13:08:46 +0000 (14:08 +0100)]
package/gnuchess: security bump to version 6.2.7

Fix CVE-2019-15767: In GNU Chess 6.2.5, there is a stack-based buffer
overflow in the cmd_load function in frontend/cmd.cc via a crafted chess
position in an EPD file.

Update indentation in hash file (two spaces)

https://lists.gnu.org/archive/html/info-gnu-chess/2020-04/msg00000.html
https://lists.gnu.org/archive/html/info-gnu-chess/2020-05/msg00000.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/sox: fix static build with magic
Fabrice Fontaine [Wed, 3 Mar 2021 15:58:01 +0000 (16:58 +0100)]
package/sox: fix static build with magic

This build failure is raised since bump to
7524160b29a476f7e87bc14fddf12d349f9a3c5e

Fixes:
 - http://autobuild.buildroot.org/results/d96f27cd96926060046e2e1115777f5bceda3741

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/kismet: fix build when time_t is defined as long long
Fabrice Fontaine [Thu, 4 Mar 2021 12:29:25 +0000 (13:29 +0100)]
package/kismet: fix build when time_t is defined as long long

On some platforms time_t is defined as long long. At the moment, the
compilation of sqlite3_column_as<time_t>(...) fails on these systems
because the appropriate getter is not defined

Fixes:
 - http://autobuild.buildroot.org/results/3a76afdbd8b564579bfb08a4d75b438dbd73ac2e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/libminiupnpc: add CPE variables
Fabrice Fontaine [Thu, 4 Mar 2021 11:30:39 +0000 (12:30 +0100)]
package/libminiupnpc: add CPE variables

cpe:2.3:a:miniupnp_project:miniupnpc is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aminiupnp_project%3Aminiupnpc

Split the _VERSION into the traditional major/minor separation, even
though it is not strictly speaking major/minor. This allows re-using for
the CPE versioning.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - inverse the split: rather than defining _VERSION based on the CPE
    values, split the _VERSION and use that to define the CPE variables
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/gnuchess: add CPE variables
Fabrice Fontaine [Thu, 4 Mar 2021 13:08:45 +0000 (14:08 +0100)]
package/gnuchess: add CPE variables

cpe:2.3:a:gnu:chess is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Achess

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/systemd: add SYSTEMD_CPE_ID_VENDOR
Fabrice Fontaine [Thu, 4 Mar 2021 11:28:55 +0000 (12:28 +0100)]
package/systemd: add SYSTEMD_CPE_ID_VENDOR

cpe:2.3:a:freedesktop:systemd is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreedesktop%3Asystemd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/rabbitmq-server: add CPE variables
Fabrice Fontaine [Thu, 4 Mar 2021 11:35:41 +0000 (12:35 +0100)]
package/rabbitmq-server: add CPE variables

cpe:2.3:a:pivotal_software:rabbitmq is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apivotal_software%3Arabbitmq

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/harfbuzz: set HARFBUZZ_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:34:54 +0000 (12:34 +0100)]
package/harfbuzz: set HARFBUZZ_CPE_ID_VALID

cpe:2.3:a:harfbuzz_project:harfbuzz is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aharfbuzz_project%3Aharfbuzz

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/icu: add CPE variables
Fabrice Fontaine [Thu, 4 Mar 2021 11:34:10 +0000 (12:34 +0100)]
package/icu: add CPE variables

cpe:2.3:a:icu-project:international_components_for_unicode is a valid
CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aicu-project%3Ainternational_components_for_unicode

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/heimdal: set HEIMDAL_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:26:44 +0000 (12:26 +0100)]
package/heimdal: set HEIMDAL_CPE_ID_VALID

cpe:2.3:a:heimdal_project:heimdal is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aheimdal_project%3Aheimdal

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/minicom: set MINICOM_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:31:48 +0000 (12:31 +0100)]
package/minicom: set MINICOM_CPE_ID_VALID

cpe:2.3:a:minicom_project:minicom is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aminicom_project%3Aminicom

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/rtmpdump: set RTMPDUMP_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:31:13 +0000 (12:31 +0100)]
package/rtmpdump: set RTMPDUMP_CPE_ID_VALID

cpe:2.3:a:rtmpdump_project:rtmpdump is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Artmpdump_project%3Artmpdump

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libmicrohttpd: add LIBMICROHTTPD_CPE_ID_VENDOR
Fabrice Fontaine [Thu, 4 Mar 2021 11:29:41 +0000 (12:29 +0100)]
package/libmicrohttpd: add LIBMICROHTTPD_CPE_ID_VENDOR

cpe:2.3:a:gnu:libmicrohttpd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Alibmicrohttpd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libosip2: add CPE variables
Fabrice Fontaine [Thu, 4 Mar 2021 11:27:26 +0000 (12:27 +0100)]
package/libosip2: add CPE variables

cpe:2.3:a:gnu:osip is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Aosip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/iucode-tool: set IUCODE_TOOL_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:26:11 +0000 (12:26 +0100)]
package/iucode-tool: set IUCODE_TOOL_CPE_ID_VALID

cpe:2.3:a:iucode-tool_project:iucode-tool is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aiucode-tool_project%3Aiucode-tool

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/lame: set LAME_CPE_ID_VALID
Fabrice Fontaine [Thu, 4 Mar 2021 11:25:21 +0000 (12:25 +0100)]
package/lame: set LAME_CPE_ID_VALID

cpe:2.3:a:lame_project:lame is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alame_project%3Alame

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/apr-util: add CPE variables
Fabrice Fontaine [Wed, 3 Mar 2021 15:32:03 +0000 (16:32 +0100)]
package/apr-util: add CPE variables

cpe:2.3:a:apache:portable_runtime_utility is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aapache%3Aportable_runtime_utility

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libstrophe: fix tarball hash
Fabrice Fontaine [Thu, 4 Mar 2021 11:42:02 +0000 (12:42 +0100)]
package/libstrophe: fix tarball hash

Fix hash added by commit 28c7ff0bdb602e75d2891818ff87fe7fd4ed0015:
https://patchwork.ozlabs.org/project/buildroot/patch/20210104101054.5392-1-jubalh@iodoru.org

Says Michael:

    > ERROR: libstrophe-0.10.1.tar.gz has wrong sha256 hash:
    > ERROR: expected: 4918c47029ecdea2deab4b0f9336ca4a8bb12c28b72b2cec397d98664b94c771
    > ERROR: got     : 5bf0bbc555cb6059008f1b748370d4d2ee1e1fabd3eeab68475263556405ba39
    > ERROR: Incomplete download, or man-in-the-middle (MITM) attack

    I'm sorry about that. We had some disagreement at JasPer and we removed
    an existing tag and created the same tag on a different commit. Thus
    generating a different tarball under the same tag..

    I thought I only did the buildroot update after this, but maybe I
    remember wrong.

While at it, also update indentation in hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/2f13af96eee20176ccb37ad32ec1472b4c9d6208

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: quote Michael's explanations]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/rpcbind: set RPCBIND_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 15:16:07 +0000 (16:16 +0100)]
package/rpcbind: set RPCBIND_CPE_ID_VALID

cpe:2.3:a:rpcbind_project:rpcbind is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arpcbind_project%3Arpcbind

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/transmission: add TRANSMISSION_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 15:13:15 +0000 (16:13 +0100)]
package/transmission: add TRANSMISSION_CPE_ID_VENDOR

cpe:2.3:a:transmissionbt:transmission is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atransmissionbt%3Atransmission

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/rsync: add RSYNC_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 15:02:44 +0000 (16:02 +0100)]
package/rsync: add RSYNC_CPE_ID_VENDOR

cpe:2.3:a:samba:rsync is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Asamba%3Arsync

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/librsync: set LIBRSYNC_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 15:04:43 +0000 (16:04 +0100)]
package/librsync: set LIBRSYNC_CPE_ID_VALID

cpe:2.3:a:librsync_project:librsync is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibrsync_project%3Alibrsync

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/librsvg: add LIBRSVG_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 14:57:56 +0000 (15:57 +0100)]
package/librsvg: add LIBRSVG_CPE_ID_VENDOR

cpe:2.3:a:gnome:librsvg is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Alibrsvg

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libpjsip: add CPE variables
Fabrice Fontaine [Wed, 3 Mar 2021 14:54:07 +0000 (15:54 +0100)]
package/libpjsip: add CPE variables

cpe:2.3:a:pjsip:pjsip is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apjsip%3Apjsip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libstrophe: bump to version 0.10.1
Michael Vetter [Wed, 3 Mar 2021 14:49:59 +0000 (15:49 +0100)]
package/libstrophe: bump to version 0.10.1

Changes:
* Fixed compilation error when LibreSSL is used
* Fixed crash when NULL is provided as password

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/neon: add NEON_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 14:44:25 +0000 (15:44 +0100)]
package/neon: add NEON_CPE_ID_VENDOR

cpe:2.3:a:webdav:neon is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awebdav%3Aneon

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/sdl2_image: add SDL2_IMAGE_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 14:43:44 +0000 (15:43 +0100)]
package/sdl2_image: add SDL2_IMAGE_CPE_ID_VENDOR

cpe:2.3:a:libsdl:sdl2_image is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibsdl%3Asdl2_image

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/procps-ng: set PROCPS_NG_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 14:43:13 +0000 (15:43 +0100)]
package/procps-ng: set PROCPS_NG_CPE_ID_VALID

cpe:2.3:a:procps-ng_project:procps-ng is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aprocps-ng_project%3Aprocps-ng

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libvorbis: add LIBVORBIS_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 14:42:33 +0000 (15:42 +0100)]
package/libvorbis: add LIBVORBIS_CPE_ID_VENDOR

cpe:2.3:a:xiph.org:libvorbis is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Axiph.org%3Alibvorbis

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libconfuse: set LIBCONFUSE_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 14:41:36 +0000 (15:41 +0100)]
package/libconfuse: set LIBCONFUSE_CPE_ID_VALID

cpe:2.3:a:libconfuse_project:libconfuse is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibconfuse_project%3Alibconfuse

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libsoup: add LIBSOUP_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 14:41:01 +0000 (15:41 +0100)]
package/libsoup: add LIBSOUP_CPE_ID_VENDOR

cpe:2.3:a:gnome:libsoup is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnome%3Alibsoup

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/stunnel: add STUNNEL_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:25:38 +0000 (10:25 +0100)]
package/stunnel: add STUNNEL_CPE_ID_VENDOR

cpe:2.3:a:stunnel:stunnel is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Astunnel%3Astunnel

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/sane-backends: set SANE_BACKENDS_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 09:22:35 +0000 (10:22 +0100)]
package/sane-backends: set SANE_BACKENDS_CPE_ID_VALID

cpe:2.3:a:sane-backends_project:sane-backends is a valid CPE identifier
for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Asane-backends_project%3Asane-backends

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/suricata: bump to version 6.0.2
Fabrice Fontaine [Tue, 2 Mar 2021 13:18:33 +0000 (14:18 +0100)]
package/suricata: bump to version 6.0.2

This release is a bug fix release, fixing numerous important issues:
https://suricata-ids.org/2021/03/02/suricata-6-0-2-and-5-0-6-released/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libhtp: bump to version 0.5.37
Fabrice Fontaine [Tue, 2 Mar 2021 13:18:32 +0000 (14:18 +0100)]
package/libhtp: bump to version 0.5.37

https://github.com/OISF/libhtp/releases/tag/0.5.37

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libebml: security bump to version 1.4.2
Fabrice Fontaine [Wed, 3 Mar 2021 10:10:39 +0000 (11:10 +0100)]
package/libebml: security bump to version 1.4.2

Fix CVE-2021-3405: A flaw was found in libebml before 1.4.2. A heap
overflow bug exists in the implementation of EbmlString::ReadData and
EbmlUnicodeString::ReadData in libebml.

https://github.com/Matroska-Org/libebml/blob/release-1.4.2/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/elfutils: set ELFUTILS_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 09:30:44 +0000 (10:30 +0100)]
package/elfutils: set ELFUTILS_CPE_ID_VALID

cpe:2.3:a:elfutils_project:elfutils is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aelfutils_project%3Aelfutils

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/prosody: add PROSODY_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:29:57 +0000 (10:29 +0100)]
package/prosody: add PROSODY_CPE_ID_VENDOR

cpe:2.3:a:prosody:prosody is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aprosody%3Aprosody

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/netatalk: set NETATALK_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 09:29:19 +0000 (10:29 +0100)]
package/netatalk: set NETATALK_CPE_ID_VALID

cpe:2.3:a:netatalk_project:netatalk is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anetatalk_project%3Anetatalk

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/liburiparser: add CPE variables
Fabrice Fontaine [Wed, 3 Mar 2021 09:27:49 +0000 (10:27 +0100)]
package/liburiparser: add CPE variables

cpe:2.3:a:uriparser_project:uriparser is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Auriparser_project%3Auriparser

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/pango: add PANGO_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:27:15 +0000 (10:27 +0100)]
package/pango: add PANGO_CPE_ID_VENDOR

cpe:2.3:a:pango:pango is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apango%3Apango

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/jq: set JQ_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 09:26:40 +0000 (10:26 +0100)]
package/jq: set JQ_CPE_ID_VALID

cpe:2.3:a:jq_project:jq is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ajq_project%3Ajq

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libseccomp: set LIBSECCOMP_CPE_ID_VALID
Fabrice Fontaine [Wed, 3 Mar 2021 09:26:13 +0000 (10:26 +0100)]
package/libseccomp: set LIBSECCOMP_CPE_ID_VALID

cpe:2.3:a:libseccomp_project:libseccomp is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibseccomp_project%3Alibseccomp

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/rpm: add RPM_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:25:08 +0000 (10:25 +0100)]
package/rpm: add RPM_CPE_ID_VENDOR

cpe:2.3:a:rpm:rpm is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arpm%3Arpm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/live555: add CPE variables
Fabrice Fontaine [Wed, 3 Mar 2021 09:24:28 +0000 (10:24 +0100)]
package/live555: add CPE variables

cpe:2.3:a:live555:streaming_media is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alive555%3Astreaming_media

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/irssi: add IRSSI_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:22:03 +0000 (10:22 +0100)]
package/irssi: add IRSSI_CPE_ID_VENDOR

cpe:2.3:a:irssi:irssi is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Airssi%3Airssi

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/mpg123: add MPG123_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:21:25 +0000 (10:21 +0100)]
package/mpg123: add MPG123_CPE_ID_VENDOR

cpe:2.3:a:mpg123:mpg123 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ampg123%3Ampg123

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libmodplug: add LIBMODPLUG_CPE_ID_VENDOR
Fabrice Fontaine [Wed, 3 Mar 2021 09:20:45 +0000 (10:20 +0100)]
package/libmodplug: add LIBMODPLUG_CPE_ID_VENDOR

cpe:2.3:a:konstanty_bialkowski:libmodplug is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Akonstanty_bialkowski%3Alibmodplug

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agoRevert "package/libopenssl: fix build on riscv32"
Yann E. MORIN [Wed, 3 Mar 2021 10:15:29 +0000 (11:15 +0100)]
Revert "package/libopenssl: fix build on riscv32"

This reverts commit 2bb26c1a1d24cdbb946bc2a77680dbc8f9c0d537.

There was some negative feedback from Arnd Bergmann on that patch:
    https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc#commitcomment-44782859

    The patch looks wrong to me: __NR_io_pgetevents_time64 must be used
    whenever time_t is 64-bit wide on a 32-bit architecture, while
    __NR_io_getevents/__NR_io_pgetevents must be used when time_t is the
    same width as 'long'.

    Checking whether __NR_io_getevents is defined is wrong for all
    architectures other than riscv

And in light of the above, indeed the patch does not look so correct
after all.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libopenssl: fix build on riscv32
Yann E. MORIN [Tue, 2 Mar 2021 21:51:47 +0000 (22:51 +0100)]
package/libopenssl: fix build on riscv32

riscv32 is (surprise!) a 32-bit architecture. But it has been Y2038-safe
from its inception. As such, there are no legacy binaries that may use
the 32-bit time syscalls, and thus they are not available on riscv32.

Code that directly calls to the syscalls without using the C libraries
wrappers thus need to handle this case by themselves.

Backport a patch from the upstream openssl development branch that will
eventually be openssl 3.0, but has not yet been backported to the 1.1.1
stable branch.

Fixes:
    http://autobuild.buildroot.org/results/eb9/eb9a64d4ffae8569b5225083f282cf87ffa7c681/
    ...
    http://autobuild.buildroot.org/results/07e/07e413b24ba8adc9558c80267ce16dda339bf032/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agosupport/scripts/gen-bootlin-toolchains: correct xtensa-lx60 toolchain dependencies
Peter Korsgaard [Tue, 2 Mar 2021 21:15:51 +0000 (22:15 +0100)]
support/scripts/gen-bootlin-toolchains: correct xtensa-lx60 toolchain dependencies

Fixes:
http://autobuild.buildroot.net/results/011/0111c2ed54618daaeedfc66b0ea04eda00a7e855/
http://autobuild.buildroot.net/results/e53/e53e3880b63a23fa3b3e6d34664d40d5ddbdff89/
..

As listed in the br_fragment file of the toolchain, this is built for a
little-endian "custom" xtensa variant rather than the (big-endian) fsf one:

BR2_xtensa=y
BR2_XTENSA_CUSTOM=y

So update the dependencies in the script and regenerate Config.in.options /
toolchain test.  Also fixup the autobuild config snippet to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/wpa_supplicant: add upstream 2021-1 security fix
Peter Korsgaard [Tue, 2 Mar 2021 21:59:43 +0000 (22:59 +0100)]
package/wpa_supplicant: add upstream 2021-1 security fix

Fixes the following security issue:

- wpa_supplicant P2P provision discovery processing vulnerability (no CVE
  yet)

A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.

For more details, see the advisory:
https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: actually add the patch URL to the patch list]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/kismet: server needs wchar
Fabrice Fontaine [Sun, 3 Jan 2021 14:21:01 +0000 (15:21 +0100)]
package/kismet: server needs wchar

kismet embeds its own copy of fmt since version 2019-04-R1 so add a
dependency on wchar to avoid the following build failure when building
the server:

./fmt/core.h:1245:1:
 std::wstring vformat(wstring_view format_str, wformat_args args);
 ^~~
./fmt/core.h:1266:13: error: 'wstring' in namespace 'std' does not name a type
 inline std::wstring format(wstring_view format_str, const Args & ... args) {
             ^~~~~~~
./fmt/core.h:1266:8: note: 'std::wstring' is defined in header '<string>'; did you forget to '#include <string>'?

Fixes:
 - http://autobuild.buildroot.org/results/f19b3d080514a799a1c75b38ff5f7ae4e8d2628d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/perl: link with -lintl if needed
Fabrice Fontaine [Sun, 21 Feb 2021 17:45:49 +0000 (18:45 +0100)]
package/perl: link with -lintl if needed

Link with TARGET_NLS_LIBS if needed to avoid the following build failure
with perl in version 5.32:

/home/buildroot/autobuild/instance-3/output-1/host/bin/arm-linux-gcc -lm -Wl,-E -o perl perlmain.o libperl.a  -lm -lcrypt -lpthread -ldl
/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: libperl.a(locale.o): in function `S_emulate_setlocale':
/home/buildroot/autobuild/instance-3/output-1/build/perl-5.32.1/locale.c:1182: undefined reference to `libintl_textdomain'

An upstream issue has been opened in:
https://github.com/Perl/perl5/issues/18467

Fixes:
 - http://autobuild.buildroot.org/results/9df8d8d28006845b4f927548f8856dfa8f79802b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agouclibc-ng-test: update to latest
Waldemar Brodkorb [Sat, 27 Feb 2021 18:04:40 +0000 (19:04 +0100)]
uclibc-ng-test: update to latest

Fixes:
http://autobuild.buildroot.net/results/877879987f7adea0fa239e879b056c248968b1e9
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/bustle: fix static build
Fabrice Fontaine [Mon, 4 Jan 2021 06:54:52 +0000 (07:54 +0100)]
package/bustle: fix static build

Commit 436cb9308a50b1007a42eb490405a3155307a771 wrongly removed --static
from pcap-config call

Fixes:
 - http://autobuild.buildroot.org/results/b5d8d8d8452342373c2446613ba3051c20a97c03

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/python-pyyaml: security bump to version 5.4.1
Fabrice Fontaine [Tue, 2 Mar 2021 17:25:23 +0000 (18:25 +0100)]
package/python-pyyaml: security bump to version 5.4.1

Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary code
execution when it processes untrusted YAML files through the full_load
method or with the FullLoader loader. Applications that use the library
to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing
the python/object/new constructor. This flaw is due to an incomplete fix
for CVE-2020-1747.

Update hash of LICENSE file (update in year:
https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)

https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/gnuradio: fix qtgui build when gr-analog is not set
Gwenhael Goavec-Merou [Mon, 4 Jan 2021 15:11:16 +0000 (16:11 +0100)]
package/gnuradio: fix qtgui build when gr-analog is not set

gr-qtgui examples needs to have gr-analog enabled, without this dependency
compile crash with:

In file included from
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.cc:22:
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/build.make:67:
gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/display_qt.cc.o] Error 1
make[3]: *** Waiting for unfinished jobs....
In file included from
/somewhere/gnuradio/build/gr-qtgui/examples/c++/moc_display_qt.cpp:10:
/somewhere/gnuradio/build/gr-qtgui/examples/c++/../../../../gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

GR_ANALOG is not an explicit dependency of GR_QTGUI, so disable c++ examples if
user has not selected this option.

[backported from 7470a7a3771dd90defb826b464dfe62977cb1eb6]

Fixes:
- http://autobuild.buildroot.net/results/fde670499289f3d7d47379eebccf6e0f92c6d200/

Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/python-pyyaml: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 17:25:22 +0000 (18:25 +0100)]
package/python-pyyaml: add CPE variables

cpe:2.3:a:pyyaml:pyyaml is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apyyaml%3Apyyaml

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/dovecot-pigeonhole: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 14:15:04 +0000 (15:15 +0100)]
package/dovecot-pigeonhole: add CPE variables

cpe:2.3:a:dovecot:pigeonhole is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adovecot%3Apigeonhole

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/giflib: set GIFLIB_CPE_ID_VALID
Fabrice Fontaine [Tue, 2 Mar 2021 14:09:29 +0000 (15:09 +0100)]
package/giflib: set GIFLIB_CPE_ID_VALID

cpe:2.3:a:giflib_project:giflib is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/nmap: add NMAP_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 2 Mar 2021 14:04:54 +0000 (15:04 +0100)]
package/nmap: add NMAP_CPE_ID_VENDOR

cpe:2.3:a:nmap:nmap is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anmap%3Anmap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/ruby: add RUBY_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 2 Mar 2021 14:01:07 +0000 (15:01 +0100)]
package/ruby: add RUBY_CPE_ID_VENDOR

cpe:2.3:a:ruby-lang:ruby is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aruby-lang%3Aruby

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/gd: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 13:59:09 +0000 (14:59 +0100)]
package/gd: add CPE variables

cpe:2.3:a:libgd:libgd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibgd%3Alibgd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libfribidi: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 13:50:27 +0000 (14:50 +0100)]
package/libfribidi: add CPE variables

cpe:2.3:a:gnu:fribidi is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Afribidi

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/jpeg-turbo: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 13:45:33 +0000 (14:45 +0100)]
package/jpeg-turbo: add CPE variables

cpe:2.3:a:libjpeg-turbo:libjpeg-turbo is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibjpeg-turbo%3Alibjpeg-turbo

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/tiff: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 13:41:26 +0000 (14:41 +0100)]
package/tiff: add CPE variables

cpe:2.3:a:libtiff:libtiff is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtiff%3Alibtiff

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/rabbitmq-c: set RABBITMQ_C_CPE_ID_VALID
Fabrice Fontaine [Tue, 2 Mar 2021 13:37:09 +0000 (14:37 +0100)]
package/rabbitmq-c: set RABBITMQ_C_CPE_ID_VALID

cpe:2.3:a:rabbitmq-c_project:rabbitmq-c is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Arabbitmq-c_project%3Arabbitmq-c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libpam-tacplus: add CPE variables
Fabrice Fontaine [Tue, 2 Mar 2021 13:31:08 +0000 (14:31 +0100)]
package/libpam-tacplus: add CPE variables

cpe:2.3:a:pam_tacplus_project:pam_tacplus is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apam_tacplus_project%3Apam_tacplus

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/e2fsprogs: set E2FSPROGS_CPE_ID_VALID
Fabrice Fontaine [Tue, 2 Mar 2021 13:24:56 +0000 (14:24 +0100)]
package/e2fsprogs: set E2FSPROGS_CPE_ID_VALID

cpe:2.3:a:e2fsprogs_project:e2fsprogs is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ae2fsprogs_project%3Ae2fsprogs

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/bootstrap: add BOOTSRAP_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 2 Mar 2021 09:28:10 +0000 (10:28 +0100)]
package/bootstrap: add BOOTSRAP_CPE_ID_VENDOR

cpe:2.3:a:getbootstrap:bootstrap is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agetbootstrap%3Abootstrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libsndfile: set LIBSNDFILE_CPE_ID_VALID
Fabrice Fontaine [Tue, 2 Mar 2021 09:27:35 +0000 (10:27 +0100)]
package/libsndfile: set LIBSNDFILE_CPE_ID_VALID

cpe:2.3:a:libsndfile_project:libsndfile is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibsndfile_project%3Alibsndfile

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/bubblewwrap: add BUBBLEWRAP_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 2 Mar 2021 09:26:42 +0000 (10:26 +0100)]
package/bubblewwrap: add BUBBLEWRAP_CPE_ID_VENDOR

cpe:2.3:a:projectatomic:bubblewrap is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aprojectatomic%3Abubblewrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/rdesktop: add RDESKTOP_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 2 Mar 2021 09:25:31 +0000 (10:25 +0100)]
package/rdesktop: add RDESKTOP_CPE_ID_VENDOR

cpe:2.3:a:rdesktop:rdesktop is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ardesktop%3Ardesktop

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/redis: security bump to v6.0.12
Titouan Christophe [Tue, 2 Mar 2021 08:12:41 +0000 (09:12 +0100)]
package/redis: security bump to v6.0.12

From the release notes:
(https://github.com/redis/redis/blob/6.0.12/00-RELEASENOTES)

================================================================================
Redis 6.0.11     Released Mon Feb 22 16:13:23 IST 2021
================================================================================

Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.

Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.

================================================================================
Redis 6.0.12     Released Mon Mar  1 17:29:52 IST 2021
================================================================================

Upgrade urgency: LOW, fixes a compilation issue.

Bug fixes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years ago{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x series
Peter Korsgaard [Mon, 1 Mar 2021 19:32:16 +0000 (20:32 +0100)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/gstreamer1/gst1-plugins-bad: add sctp option
Fabrice Fontaine [Sat, 27 Feb 2021 08:25:22 +0000 (09:25 +0100)]
package/gstreamer1/gst1-plugins-bad: add sctp option

sctp unconditionnally uses __sync_*_4 intrinsics in
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/blob/master/ext/sctp/usrsctp/usrsctplib/user_atomic.h

As a result, this will raise the following build failure with bootlin
sparc toolchain:

/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ext/sctp/usrsctp/libusrsctp-static.a(usrsctplib_user_socket.c.o): in function `usrsctp_conninput':
user_socket.c:(.text+0x3004): undefined reference to `__sync_fetch_and_add_4'

sctp uses an internal version of usrsctp (which is not available in
buildroot) and is available since version 1.15.1:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/e2f06326eac7c3c7fa9c0d5baf4bf9673fc93376

Fixes:
 - http://autobuild.buildroot.org/results/981b11ae9746d1eef40c1797398c4f6c16f005bd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/prosody: security bump to 0.11.8
Francois Perrad [Mon, 1 Mar 2021 12:24:35 +0000 (13:24 +0100)]
package/prosody: security bump to 0.11.8

From the release notes:
https://blog.prosody.im/prosody-0.11.8-released/

This release also fixes a security issue, where channel binding, which
connects the authentication layer (i.e.  SASL) with the security layer (i.e.
TLS) to detect man-in-the-middle attacks, could be used on connections
encrypted with TLS 1.3, despite the holy texts declaring this undefined.

https://issues.prosody.im/1542

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: mark as security bump, expand commit text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agoconfigs: rename a bunch of friendlyarm boards
Yann E. MORIN [Sun, 28 Feb 2021 21:49:39 +0000 (22:49 +0100)]
configs: rename a bunch of friendlyarm boards

We have defconfigs for quite a few friendlyarm boards, but the
naming for the defconfigs for those boards is inconsistent: some
start with 'friendlyarm_' while others don't.

Although the number of boards starting with 'friendlyarm_' is
less than those which do not, we still choose to rename the
boards so all have the 'friendlyarm_' prefix.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chakra Divi <chakra@openedev.com>
Cc: Davide Viti <zinosat@gmail.com>
Cc: Marek Belisko <marek.belisko@open-nandra.com>
Cc: Suniel Mahesh <sunil@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/util-linux: disable runuser for the host build
Peter Seiderer [Sat, 27 Feb 2021 15:54:13 +0000 (16:54 +0100)]
package/util-linux: disable runuser for the host build

runuser allows running commands as another user, but needs to run as
root to be able to setuid(). But Buildroot does not require running as
root, and so runuser can't be used.

Incientally, that fixes host build in case unsuitable libs are found on
the system:
    http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html

Reported-by: GA K <guyarkam@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - expand the commit log with a more fundamental explanation that
    runuser can't be used anyway
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/tpm2-pkcs11: needs threads
Fabrice Fontaine [Sat, 27 Feb 2021 19:26:39 +0000 (20:26 +0100)]
package/tpm2-pkcs11: needs threads

tpm2-pkcs11 fails to build without threads since its addition with
commit 42db2c7236c2249ec02608ed714fa6f95e36161b

Fixes:
 - http://autobuild.buildroot.org/results/8218776da34cc4a20663ae6737ad7727b12d8cd2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/privoxy: security bump to version 3.0.32
Peter Korsgaard [Mon, 1 Mar 2021 16:49:10 +0000 (17:49 +0100)]
package/privoxy: security bump to version 3.0.32

Privoxy 3.0.32 fixes a number of security issues:

- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

for more details, see the announcement:
https://www.openwall.com/lists/oss-security/2021/02/28/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/ushare: bump to version 2.1
Fabrice Fontaine [Mon, 22 Feb 2021 07:13:01 +0000 (08:13 +0100)]
package/ushare: bump to version 2.1

Fix SOAP action responses which are broken since the switch to latest
version of libupnp (1.14.x) in version 2.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/jbig2dec: add JBIG2DEC_CPE_ID_VENDOR
Fabrice Fontaine [Mon, 1 Mar 2021 17:48:40 +0000 (18:48 +0100)]
package/jbig2dec: add JBIG2DEC_CPE_ID_VENDOR

cpe:2.3:a:artifex:jbig2dec is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aartifex%3Ajbig2dec

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/putty: add PUTTY_CPE_ID_VENDOR
Fabrice Fontaine [Mon, 1 Mar 2021 17:42:39 +0000 (18:42 +0100)]
package/putty: add PUTTY_CPE_ID_VENDOR

cpe:2.3:a:putty:putty is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aputty%3Aputty

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/python-urllib3: add CPE variables
Fabrice Fontaine [Mon, 1 Mar 2021 17:37:01 +0000 (18:37 +0100)]
package/python-urllib3: add CPE variables

cpe:2.3:a:python:urllib3 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Aurllib3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/python3: add CPE variables
Fabrice Fontaine [Mon, 1 Mar 2021 17:27:27 +0000 (18:27 +0100)]
package/python3: add CPE variables

cpe:2.3:a:python:python is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Apython

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/python-aiohttp-session: add CPE variables
Fabrice Fontaine [Mon, 1 Mar 2021 17:22:03 +0000 (18:22 +0100)]
package/python-aiohttp-session: add CPE variables

cpe:2.3:a:aiohttp-session_project:aiohttp-session is a valid CPE
identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaiohttp-session_project%3Aaiohttp-session

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/libbsd: add LIBBSD_CPE_ID_VENDOR
Fabrice Fontaine [Mon, 1 Mar 2021 16:48:18 +0000 (17:48 +0100)]
package/libbsd: add LIBBSD_CPE_ID_VENDOR

cpe:2.3:a:freedesktop:libbsd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreedesktop%3Alibbsd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/mosquitto: bump to v2.0.8
Titouan Christophe [Mon, 1 Mar 2021 15:19:07 +0000 (16:19 +0100)]
package/mosquitto: bump to v2.0.8

Mosquitto 2.0.8 is bugfix release. See the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-8-released/

Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/openssh: security bump to version 8.4p1
Christian Stewart [Mon, 1 Mar 2021 11:59:03 +0000 (03:59 -0800)]
package/openssh: security bump to version 8.4p1

Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/haproxy: bump to version 2.2.9
Fabrice Fontaine [Sat, 27 Feb 2021 19:44:42 +0000 (20:44 +0100)]
package/haproxy: bump to version 2.2.9

https://www.mail-archive.com/haproxy@formilux.org/msg39744.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agoUpdate for 2021.02-rc3
Peter Korsgaard [Sat, 27 Feb 2021 17:34:56 +0000 (18:34 +0100)]
Update for 2021.02-rc3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/python-aiohttp: security bump to version 3.7.4
Peter Korsgaard [Sat, 27 Feb 2021 12:38:44 +0000 (13:38 +0100)]
package/python-aiohttp: security bump to version 3.7.4

Fixes the following security issue:

CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async
HTTP client/server framework, is prone to an open redirect vulnerability.  A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.

For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libglib2: security bump to version 2.66.7
Fabrice Fontaine [Sat, 27 Feb 2021 09:04:24 +0000 (10:04 +0100)]
package/libglib2: security bump to version 2.66.7

- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
  2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
  with a buffer of 4GB or more on a 64-bit platform, the length would be
  truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
  2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
  integer overflow on 64-bit platforms due to an implicit cast from 64
  bits to 32 bits. The overflow could potentially lead to memory
  corruption.

https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>