Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

glib, gnutls and libgcrypt security updates #4010

Merged
merged 26 commits into from
Oct 13, 2020
Merged

glib, gnutls and libgcrypt security updates #4010

merged 26 commits into from
Oct 13, 2020

Conversation

th0ma7
Copy link
Contributor

@th0ma7 th0ma7 commented Jun 4, 2020
edited
Loading

Motivation: While investigating issue #4006 and trying to find the root cause I ended-up updating various dependencies. In the process I noticed multiple old versions of various key libraries that needed to be updated due to multiple CVE advisories. This PR is in direct relation to #4155 where newer version addresses security issues.
Linked issues: #4006, #4008, #3998, #4155

Checklist

  • Build rule all-supported completed successfully
  • n/a Package upgrade completed successfully
  • n/a New installation of package completed successfully

IMPORTANT NOTES

GLIB

https://www.cvedetails.com/vulnerability-list/vendor_id-283/product_id-16275/version_id-260024/Gnome-Glib-2.56.1.html

  • glib update from 2.55 to 2.58 (was using an old and unstable version using odd versioning)
  • glibmm update from 2.34 to 2.58 (should always be in sync with glib in terms of versioning)
  • glib and glibmm version 2.58.x is the last version supporting autoconf/autobuild tools. Starting with version 2.60 only meson/ninja are supported

gnutls & libgcrypt

https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
https://www.cvedetails.com/vulnerability-list/vendor_id-4711/product_id-25777/Gnupg-Libgcrypt.html

  • gnutls: Update from version 3.6.8 to 3.6.15
  • libgcrypt: Update from version 1.8.5 to 1.8.6
  • libgpg-error: Update from version 1.32 to 1.39

Needed to be updated to accommodate above version updates

  • libsigc++ update from 2.4.0 to 2.10
  • libxml++ update from 2.36 to 2.40.1

Others

  • rmlint & jpcre2 are synocli-file dependencies to which trivial updates where available (relates on PR openssl: update to version 1.1.1h #4155)
    -- jpcre2 update from version 10.31.03 to 10.32.01
    -- rmlint update from 2.9 to 2.10.1
  • sslh Update from 1.19c to 1.21c
  • gnupg update from 2.1.6 to 2.2.23
  • libassuan Update from 2.2.1 to 2.5.3 (for gnupg)
  • libksba Update from version 1.3.3 to 1.4.0 (for gnupg)

@th0ma7 th0ma7 mentioned this pull request Jun 4, 2020
Closed
3 tasks
@th0ma7 th0ma7 changed the title glib & misc updates [WIP] glib & misc updates Jun 4, 2020
@th0ma7 th0ma7 self-assigned this Jun 4, 2020
@th0ma7
Copy link
Contributor Author

th0ma7 commented Jun 4, 2020

I don't know if there is interest in this; instead of loosing the work I thought I would share.

Many packages dated quite a bit or where based on unstable releases (e.g. glib) or misaligned (glibmm). Feel free to comment or disregard as you see fit.

@th0ma7 th0ma7 force-pushed the glib-misc-updates branch from c7f44b5 to af69364 Compare June 24, 2020 02:12
@th0ma7 th0ma7 force-pushed the glib-misc-updates branch from af69364 to a8120f6 Compare October 2, 2020 20:01
This was referenced Oct 5, 2020
Merged
Merged
Merged
th0ma7 added a commit to th0ma7/spksrc that referenced this pull request Oct 7, 2020
@th0ma7
libsigc++: Revert marking 88f6281 as unsupported (PR SynoCommunity#4010)
76433c7
@th0ma7 th0ma7 changed the title [WIP] glib & misc updates glib, gnutls and libgcrypt security updates Oct 9, 2020
@th0ma7 th0ma7 mentioned this pull request Oct 9, 2020
Closed
55 tasks
ymartin59
ymartin59 approved these changes Oct 12, 2020
View reviewed changes
native/glib/Makefile Outdated Show resolved Hide resolved
@th0ma7 th0ma7 force-pushed the glib-misc-updates branch 2 times, most recently from 450cc47 to 9ab8499 Compare October 12, 2020 17:08
th0ma7 added a commit to th0ma7/spksrc that referenced this pull request Oct 12, 2020
@th0ma7
libsigc++: Revert marking 88f6281 as unsupported (PR SynoCommunity#4010)
8a59dcd
@th0ma7 th0ma7 force-pushed the glib-misc-updates branch from 791dcbc to d5ce51d Compare October 13, 2020 00:19
@th0ma7
Copy link
Contributor Author

th0ma7 commented Oct 13, 2020
edited
Loading

@ymartin59 Now ready for a merge. Feel free to have another look at it before I squash & merge but should now build with no more errors (leaving github-action running to confirm).

@ymartin59 ymartin59 merged commit d6133ef into SynoCommunity:master Oct 13, 2020
@th0ma7 th0ma7 deleted the glib-misc-updates branch October 13, 2020 21:01
@th0ma7 th0ma7 mentioned this pull request Oct 23, 2020
Merged
3 tasks
@hgy59 hgy59 mentioned this pull request Oct 24, 2020
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ymartin59 ymartin59 ymartin59 approved these changes

Assignees

@th0ma7 th0ma7

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@th0ma7 @ymartin59