
Merge 2024.02.7 #57

Merged
merged 271 commits into from
Nov 5, 2024

Conversation

@sairon (Member) commented Nov 4, 2024

Package updates related to HAOS config:

  • cryptsetup
  • expat
  • gnutls
  • go
  • libcurl
  • libopenssl
  • python

tpetazzoni and others added 30 commits September 17, 2024 15:16
Now that the support for generating a fully random configuration has
been well-tested, the whole mechanism based on a toolchain CSV isn't
really useful anymore, so let's drop it to simplify the logic.

Note that the autobuilder code still uses --{,no-}toolchains-csv, so we
can't remove those or the autobuilders would fail. Once all supported
branches no longer use those arguments, we can drop them from the
autobuilder code, then ask people to update their runners, and we will
finally be able to drop those arguments. Eventually.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: keep --{,no-}toolchains-csv and explain why]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2f260084d5771728f3340ff6a86a23391133a635)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Before calling randpackageconfig/randconfig, we were pre-generating a
snippet of .config with:

 (1) minimal.config
 (2) BR2_CURL/BR2_WGET settings
 (3) some random selection of init system, debug, runtime debug, etc
 (4) enabling BR2_REPRODUCIBLE=y when diffoscope was found

Now that we only use randconfig, this whole fine-tuning is completely
irrelevant, as it gets overridden by "make randconfig".

(1) and (3) above are useless, as randconfig does all the
randomization that is needed.

However, we want to preserve (2) and (4) above, so we re-implement
those fixups, but *after* randconfig has done its job.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3d33d394c2c9659f8c487929bf45f7daf673e521)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to test that upstream sites are still working, we need to NOT
fallback to sources.buildroot.net for some builds.

As there is anyway a local cache in the autobuilder instances, we need
to do quite a lot of builds without any BR2_BACKUP_SITE configured to
have a chance to catch issues, which is why a 50% chance is used to
unset BR2_BACKUP_SITE.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit da5c25c9f91b17a3c00ff0b35164881f2d1aa425)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Right now, genrandconfig just spits out the random messages from the
different make invocations, which isn't terribly useful. Instead,
let's redirect the output of make invocations to oblivion, and add
some more high level logging.

As part of this logging, we're interested to see how many iterations
were needed to find a valid configuration, so changed the loop logic
to count from 0 to 100 instead of from 100 to 0 so that we can easily
show the iteration number.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ce3dedc26b9080399c44d86e14aa1704f7bf563a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 2f260084d577 (utils/genrandconfig: remove support for toolchain
CSV) kept the --no-toolchains-csv option, but in the rework forgot to
keep it as a bool, while argparse default is to expect a string.

Rather than re-introduce the action="store_true" which implies the
argument is a bool, explicitly make it a bool.

Fixes: 2f260084d5771728f3340ff6a86a23391133a635

Reported-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4dbb87bb6676b82f34981f6adedccfa03a9667cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tweaking this variable should allow us to get better coverage of
packages with larger dependency trees.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ea6bb507b1d3841be052525936121f7e88c43fbd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Botan commit 313e439c786d68bcf374b2cb0edfe3ffd891db94 added a
dependency to pthread.h. Add a dependency to thread support.

Fixes:
 - http://autobuild.buildroot.org/results/205/205d7505803990508bbd545393902789063ababd

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad6e6f5d598a9311fc9141e4b9b08820562d1792)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for changes:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-20-current.md

There is still an open issue reported upstream:
asterisk/asterisk#671

But it seems it is not reproducible by the asterisk developers, so
update the package so others can make use of it.

Use the external pjsip package, instead of the bundled one.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 0e6d4d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix a compile issue when libyuv and libjpeg are enabled.
Detection of the following function fails:
checking for pjsip_dlg_create_uas_and_inc_lock in -lpjsip... no

In config.log you see that libjpeg is missing.

Fixes:
 http://autobuild.buildroot.net/results/7bed9fc68fc9331ad12942c3eab9742ee8a7a4c4

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 07b7d87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following uclibc-ng build failure raised since bump to version
20.7.0 in commit 0e6d4d2 and
asterisk/asterisk@2694792:

stasis/control.c: In function 'exec_command_on_condition':
stasis/control.c:313:3: warning: implicit declaration of function 'pthread_kill'; did you mean 'pthread_yield'? [-Wimplicit-function-declaration]
  313 |   pthread_kill(control->control_thread, SIGURG);
      |   ^~~~~~~~~~~~
      |   pthread_yield
stasis/control.c:313:41: error: 'SIGURG' undeclared (first use in this function)
  313 |   pthread_kill(control->control_thread, SIGURG);
      |                                         ^~~~~~

Fixes: 0e6d4d2
 - http://autobuild.buildroot.org/results/d16e4ca4bd26234f84d17da24c04a8c19faba6c5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ebd44d7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 8f88a64 "support/scripts/apply-patches.sh: set the maximum
fuzz factor to 0" reduced the fuzz factor.

Due to this change, asterisk fails to build with output:

    Applying 0004-install-samples-need-the-data-files.patch using patch:
    patching file Makefile
    Hunk #1 FAILED at 779.
    1 out of 1 hunk FAILED -- saving rejects to file Makefile.rej

This commit rebases the package patches on the current package version.
Note: the patch 0005 is unchanged, as it is correct in its current
state.

Fixes:
- http://autobuild.buildroot.org/results/92d/92d58ecb67f11a6eb74695bc1efcc672f69a57a9

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a6fabd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for a ChangeLog:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-20-current.md

20.8.1 contains a fix for CVE-2024-35190. However, the vulnerability
was introduced in commit 68a49128253f677f9e1b235c70d2316342372f7d
between 20.7.0 and 20.8.0, and Buildroot was using 20.7.0, so we were
not affected by this vulnerability.

Patch 0005 is applied upstream.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 622957a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a23518b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for a changelog:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.9.2.md

And here for the security advisory:
GHSA-c4cg-9275-6w44

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6877647e8aff18a697d49015dd6273a9886db17e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for complete changelogs:
https://botan.randombit.net/news.html#version-3-5-0-2024-07-08
https://botan.randombit.net/news.html#version-3-4-0-2024-04-08

CVE-2024-34702: Fix a DoS caused by excessive name constraints. (GH

CVE-2024-39312: Fix a name constraint processing error, where if
permitted and excluded rules both applied to a certificate, only the
permitted rules would be checked.

The License hash changed because the year was updated from 2023 to 2024.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3ba9ac62052c99d7557adf2bbad1bab0c5577a81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
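To make the CVE-2024-39312 description above concrete, here is an added example (not Botan's code and not part of this commit) of dNSName constraint evaluation in Python: one helper models the described fault, where excluded subtrees are skipped as soon as permitted subtrees apply, beside the correct evaluation, where a name must lie inside a permitted subtree and outside every excluded one. The subtree-matching rule follows RFC 5280 section 4.2.1.10; the CA policy and host names are constructed for the demo.

```python
# Added example, not Botan's code: how X.509 name constraints (RFC 5280
# 4.2.1.10) must be evaluated for dNSName entries, and the class of bug
# CVE-2024-39312 describes, where excluded subtrees are skipped as soon as
# permitted subtrees apply. Subtree-matching rule and names are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` lies within the dNSName subtree `base`.

    Per RFC 5280, "example.com" covers itself and every subdomain; a base
    with a leading dot (".example.com") covers subdomains only.
    """
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return len(name) > len(base) and name.endswith(base)
    return name == base or name.endswith("." + base)


@dataclass
class NameConstraints:
    """dNSName subtrees from one CA certificate's NameConstraints extension."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def name_allowed_buggy(nc: NameConstraints, name: str) -> bool:
    """Faulty evaluation (models the described bug, not Botan's source):
    when permitted subtrees exist, their verdict is final and the excluded
    subtrees are never consulted."""
    if nc.permitted:
        return any(dns_in_subtree(name, p) for p in nc.permitted)
    return not any(dns_in_subtree(name, e) for e in nc.excluded)


def name_allowed(nc: NameConstraints, name: str) -> bool:
    """Correct evaluation: a name must match at least one permitted subtree
    (when any are present) AND must match no excluded subtree."""
    if nc.permitted and not any(dns_in_subtree(name, p) for p in nc.permitted):
        return False
    if any(dns_in_subtree(name, e) for e in nc.excluded):
        return False
    return True


def leaf_names_allowed(ca_constraints: list[NameConstraints],
                       leaf_names: list[str], check=name_allowed) -> bool:
    """Constraints accumulate down the chain: every dNSName in the leaf's
    subjectAltName must satisfy the constraints of every issuing CA."""
    return all(check(nc, n) for nc in ca_constraints for n in leaf_names)


if __name__ == "__main__":
    # Constructed CA policy: may issue under example.com, never for internal.*
    nc = NameConstraints(permitted=["example.com"],
                         excluded=["internal.example.com"])
    for host in ("www.example.com", "db.internal.example.com", "evil.test"):
        print(f"{host:26} buggy={name_allowed_buggy(nc, host)!s:5} "
              f"fixed={name_allowed(nc, host)}")
```

With the constructed policy, the faulty path accepts db.internal.example.com because the permitted match ends evaluation early, while the correct path rejects it.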
The "using enum" was added in gcc 11.x [0] (see also [1]).

Compile successfully tested with internal Buildroot toolchain for
sparc with gcc 12.x as gcc 11.x is not available anymore.

The autobuild failure will be avoided now and fixed with newer external
bootlin toolchains.

Fixes:
 - http://autobuild.buildroot.org/results/ab8/ab83b920156f5a1e51ef960e4007769b5c27d0a1

[0] https://gcc.gnu.org/projects/cxx-status.html#cxx20
[1] https://stackoverflow.com/questions/75018634/how-to-use-the-using-keyword-in-gcc-10-4

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 10a70b1af67cf79986c2e401f7a54aa850ea82d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable RNG support so that following build failure does not happen:
In file included from ../../../../src/libstrongswan/plugins/plugin.h:28,
                 from wolfssl_plugin.h:34,
                 from wolfssl_plugin.c:29:
wolfssl_plugin.c: In function 'get_features':
../../../../src/libstrongswan/plugins/plugin_feature.h:321:119: error: 'FEATURE_WC_RNG' undeclared (first use in this function); did you mean 'FEATURE_RNG'?
  321 | #define __PLUGIN_FEATURE_REGISTER(type, _f)                                     (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
      |                                                                                                                       ^~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:332:73: note: in expansion of macro '__PLUGIN_FEATURE_REGISTER'
  332 | #define _PLUGIN_FEATURE_REGISTER_RNG(type, f)                           __PLUGIN_FEATURE_REGISTER(type, f)
      |                                                                         ^~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:248:39: note: in expansion of macro '_PLUGIN_FEATURE_REGISTER_RNG'
  248 | #define PLUGIN_REGISTER(type, f, ...) _PLUGIN_FEATURE_REGISTER_##type(type, f, ##__VA_ARGS__)
      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~
wolfssl_plugin.c:510:17: note: in expansion of macro 'PLUGIN_REGISTER'
  510 |                 PLUGIN_REGISTER(RNG, wolfssl_rng_create),
      |                 ^~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:321:119: note: each undeclared identifier is reported only once for each function it appears in
  321 | #define __PLUGIN_FEATURE_REGISTER(type, _f)                                     (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
      |                                                                                                                       ^~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:332:73: note: in expansion of macro '__PLUGIN_FEATURE_REGISTER'
  332 | #define _PLUGIN_FEATURE_REGISTER_RNG(type, f)                           __PLUGIN_FEATURE_REGISTER(type, f)
      |                                                                         ^~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:248:39: note: in expansion of macro '_PLUGIN_FEATURE_REGISTER_RNG'
  248 | #define PLUGIN_REGISTER(type, f, ...) _PLUGIN_FEATURE_REGISTER_##type(type, f, ##__VA_ARGS__)
      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~
wolfssl_plugin.c:510:17: note: in expansion of macro 'PLUGIN_REGISTER'
  510 |                 PLUGIN_REGISTER(RNG, wolfssl_rng_create),
      |                 ^~~~~~~~~~~~~~~
make[6]: *** [Makefile:659: wolfssl_plugin.lo] Error 1

Reported Upstream:
strongswan/strongswan#2410

This build failure started with the 5.9.11 update in commit
7895966.

Fixes:

  http://autobuild.buildroot.net/results/278b3f74c48c858ae368d59069752adb69c05246

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 89d512729cfa5b2ef5c5165492789ba4441add19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old URL gives 403 forbidden.
Use a working sourceforge URL.

Fixes:

  http://autobuild.buildroot.org/results/c0c3945cade7a6d7a615ac23523c93b02dbb056f

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 77512bba98e09c7231a2629652e464dbf882fd23)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following build failure on xtensa:

Waf: Entering directory `/home/buildroot/instance-0/output-1/build/ntpsec-1.2.3/build/host'
[1/2] Processing ntpd/ntp_parser.y
[2/2] Compiling build/host/ntpd/ntp_parser.tab.c
gcc: error: unrecognized command-line option '-mlongcalls'
gcc: error: unrecognized command-line option '-mauto-litpools'

reveals that the target's CFLAGS are being used for host compilation.
The patch fixes the host compilation by correctly setting the CFLAGS to
be used.

It should be noted that the build script used by ntpsec applies CFLAGS
for host compilation and --cross-cflags for target compilation.

Fixes:
 - http://autobuild.buildroot.org/results/9321a637f2c340ce8dcb24249676bb6c44d0dfc6

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 064e4c09fa788ccf0927fcaf3987e0f0fdc08eb7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update the site path to reflect the recent organizational changes on the
chronox.de website.

Fixes:
- http://autobuild.buildroot.org/results/77243633783ac2d037d15d7e9c01384781fe700e

Signed-off-by: Tan En De <ende.tan@starfivetech.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d4d8881731ed745aff676b860a05abdff9ff1a0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As explained in:

  https://security-tracker.debian.org/tracker/CVE-2024-1048
  https://www.openwall.com/lists/oss-security/2024/02/06/3

CVE-2024-1048 is related to a tool called grub-set-bootflag which only
exists in the Redhat fork of Grub, and which we don't use in
Buildroot, so this CVE should be ignored.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2495630383c4a6659b6b91a58e4f71cdda283f2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This vulnerability is irrelevant to Buildroot, as it affects only some
downstream changes from Redhat.

See:

  https://security-tracker.debian.org/tracker/CVE-2023-4001
  https://www.openwall.com/lists/oss-security/2024/01/15/3

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e2f46ed03db7f07e62ce44f22dba0db53a5d2fd4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I lack the time (and interest) to properly keep these entries up to
date, so drop them from my section.

Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fdbab87a2b9d00743ed9fe6caa6db365d7ca326)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog: https://curl.se/changes.html#8_9_1

Fixes CVE-2024-7264.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e656625b8a68e15deb9afaeaa4d61de5171288a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
…x series

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ebef582bd28fa183818ab973b58e167c75548a07)
[Peter: drop 6.10.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
* https://sqlparse.readthedocs.io/en/latest/changes.html#release-0-5-1-jul-15-2024
* https://sqlparse.readthedocs.io/en/latest/changes.html#release-0-5-0-apr-13-2024

Version 0.5.0 fixes the following security issue [1]:
Parsing heavily nested list leads to Denial of Service

Build backend switched from flit to hatchling in [2].

[1] GHSA-2m57-hf25-phgg
[2] andialbrecht/sqlparse@326a316

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65247fcc6a12eb2443ae9861e7cd36b3881a466e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:

 http://autobuild.buildroot.org/results/92c/92c697697c07f63f0e03ceb655b5d558e85c392e

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b331217a50e975e89e28741a05d1f7b60c62496a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
- http://autobuild.buildroot.org/results/28f1e34166e836bf3b984f228bb09842840de82a

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0d23b47393e0133b76437a274f724c16a7d7e2d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:

- CVE-2024-43167: A NULL pointer dereference flaw was found in the
  ub_ctx_set_fwd function in Unbound.  This issue could allow an attacker
  who can invoke specific sequences of API calls to cause a segmentation
  fault

See announcement:
https://nlnetlabs.nl/news/2024/Aug/15/unbound-1.21.0-released/

See also change log:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0

This commit also updates the _SITE url from [1] to [2], to follow the
HTTP redirect, and the url published on the download page [3].

Finally, this commit adds a comment in the hash file that the PGP
signature was checked.

[1] https://www.unbound.net/downloads
[2] https://nlnetlabs.nl/downloads/unbound
[3] https://nlnetlabs.nl/projects/unbound/download

Signed-off-by: Julien Olivain <ju.o@free.fr>
[Peter: Mark as security bump, add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ed34c4c77b8b2a830c7a9ffb1d75c7bf1e35a7c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2024-23184 & CVE-2024-23185:
https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 786484e631d34f9630baaa74006a8398aa19ad7d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
jacmet and others added 25 commits October 12, 2024 17:00
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit d6f90873eb5d526ae07d976e0ba3063c79cdf346)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 4c5d82ea058edd74a5423f621543f9cffb162179)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 5af5c0ac0b6057d1c4fe1dc6c6ec208c4fea8a10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 930663032b94bf5a26ca5e0efc582b9ab57cc677)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also fix conjugations of verbs.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout: fix additional typos]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 3c4dd46791dfa7f599d132d2d6f00f3bf57fd081)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit b55759c516b6f18f30b9e0bd185b414c56a62df8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout: fix additional 'recommended' typo]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 74bef5945f48fea2a863a456fa21271d136ed189)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 09964bc5c0f8b329cda6383a1297029354269da9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2024-8926, CVE-2024-8927, CVE-2024-9026, and CVE-2024-8925.

Changelog: https://www.php.net/ChangeLog-8.php#8.2.24

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version fixes out-of-bounds reads in the MLSD command, so upgrading is recommended.
It also improves compatibility with various systems.

Update the COPYING hash because of a change in copyright year

Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5271e90a6a2cc7633f3f917391865d2f9df54142)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes

Fixes CVE-2024-45490, CVE-2024-45491 & CVE-2024-45492.

Follow upstream switch of project repository to github:
https://sourceforge.net/p/expat/news/2022/01/project-moved-to-github/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0509885d8dc221978fd332f9768b427ed2775942)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.python.org/downloads/release/python-31110/

Fixes CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592,
CVE-2024-8088 and CVE-2023-27043.

The fixes for bundled libexpat are irrelevant for us because external expat
is used.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
…x series

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d3a12bc6f1fc231948d1b6b154dd890bf6df4fa5)
[Peter: drop 6.10.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:

CVE-2024-35235: Cupsd Listen arbitrary chmod 0140777

GHSA-vvwp-mv6j-hw6f
https://www.openwall.com/lists/oss-security/2024/06/11/1

Drop cups hash patches which are now upstream.

Rebase remaining patches.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d835ffc524e2dab66ce1421240b9eb93c8f8f6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Doctoring a defconfig is tedious, and it is not easy to update a
defconfig, as it requires manual copy-pasting, adding comments and so
on...

Instead, just require defconfigs to be generated with 'savedefconfig'.
Any details can/must be provided in the commit log.

Reported-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 17bdd10cb350e9c45926c2a5a05f278d104ee4c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1bf483665d825007ac1a2853310841ff3d935bdc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3.7.5 fixed a number of security issues:

    fix multiple vulnerabilities identified by SAST (#2251, #2256)
    cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
    lzop: prevent integer overflow (#2174)
    rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
    rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
    rar4: fix OOB in delta and audio filter (#2148, #2149)
    rar4: fix out of boundary access with large files (#2179)
    rar4: add boundary checks to rgb filter (#2210)
    rar4: fix OOB access with unicode filenames (#2203)
    rar5: clear 'data ready' cache on window buffer reallocs (#2265)
    rpm: calculate huge header sizes correctly (#2158)
    unzip: unify EOF handling (#2175)
    util: fix out of boundary access in mktemp functions (#2160)
    uu: stop processing if lines are too long (#2168)

And 3.7.6 fixed a tar regression introduced in 3.7.5

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab3c84e5e2391a7832f6baa2f20b28661f55dd2c)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous repo is not available anymore.

Fixes:
https://autobuild.buildroot.org/results/8c8b073ce163131763fca978b400e596fcf39e62

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4e5fd24c8b7438672c475d0559200ff72c4b1cc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 86bb1b236 "boot/grub2: needs host-python3" [1] introduced a
dependency on host-python3.

Since grub does not have any specific requirements on host Python
modules, or recent host Python version, this commit replaces the
host-python3 dependency with BR2_PYTHON3_HOST_DEPENDENCY. This will
skip the host-python3 compilation if a sufficient version (3.4 or
greater at the time of this commit) is already present on host. This
will save build time.

This optimization was suggested by Peter, in [2].

Note 1: this commit was checked to ensure that grub is building with
Python 3.4.

Note 2: BR2_PYTHON3_HOST_DEPENDENCY was introduced in commit b607297
"support/dependencies: add a check for python3" [3].

[1] https://gitlab.com/buildroot.org/buildroot/-/commit/86bb1b2360bdaed069cd087541f4edad1d5ce925
[2] https://lists.buildroot.org/pipermail/buildroot/2024-September/763967.html
[3] https://gitlab.com/buildroot.org/buildroot/-/commit/b60729784ab1c2f75dca30f924f4dd3176713ae8

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a71fda371c1785f9e4364f05ab0a632e1946c53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
linux-pam 1.2.0 removed the use of yywrap, so the flex dependency is not
needed now (host-flex is still needed).

Fixes: #47
Signed-off-by: Damien Thébault <damien.thebault@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 600e273487baf76d4469bca43d42bd2c4b364db8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a test that runs the dtc commandline tools. To test devicetree
compilation, we use an example devicetree from the dtc project. The
example source is GPL-2.0+ licensed.

Signed-off-by: Brandon Maier <brandon.maier@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 9b690341602388b54c596c4510d770f58f4ad227)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For change log, see:
https://github.com/eclipse/mosquitto/blob/v2.0.19/ChangeLog.txt

The change log mentions 2 security related fixes.
There is no allocated CVE.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd127d0c3ffc57646f4908264728da4ea074241b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patch to fix build failure introduced in bump to version 8.10.0.

Fixes:
https://autobuild.buildroot.org/results/2d553687a32651f81813c82d7bbf9bb11fd3eca5/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 16ce77ad7d3a05addc1962b455242199a93f3811)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
@sairon sairon merged commit 2ffac68 into 2024.02.x-haos Nov 5, 2024
@sairon sairon deleted the merge-2024.02.7 branch November 5, 2024 07:06