- Aug 29, 2018
-
-
Peter Korsgaard authored
Signed-off-by:Peter Korsgaard <peter@korsgaard.com>
-
Adam Duskett authored
Fixes CVE-2018-10915 & CVE-2018-10925 Changelog: https://www.postgresql.org/docs/10/static/release-10-5.html Signed-off-by:
Adam Duskett <aduskett@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 81ccf146) Signed-off-by:
-
Jörg Krause authored
Add upstream patch to fix build issue detected by the Buildroot autobuilder: ``` arm-buildroot-linux-uclibcgnueabi/sysroot/usr//lib/libsoxr.a(soxr.c.o): In function `soxr_create': soxr.c:(.text+0xd4c): undefined reference to `av_get_cpu_flags' collect2: error: ld returned 1 exit status ``` A quick look at the soxr source code shows that `soxr_create()` might use `av_get_cpu_flags()` depending on the architecture. For the sake of simplicity link with `-lavutil` if it is found when using soxr. Even better, as soxr provides a pkg-config file, this should be prefered. Upstream issue: https://github.com/mikebrady/shairport-sync/issues/733 Upstream status: 5101ab2d13e2b89ea3c1276df5fb7413634eeccd Fixes: http://autobuild.buildroot.net/results/53d/53d21686780aa2485745b59e812b6280dd39f1c5 http://autobuild.buildroot.net/results/605/60576363adfca404c3a7883d5d46e8a4a9ee8171 http://autobuild.buildroot.net/results/806/806867ab1c6f42ad1b34d44844efc57272d48235 http://autobuild.buildroot.net/results/840/840810601fbb8a7957ea9dae175b959a7f9b7491 .. and more. Signed-off-by:
Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by:
-
- Aug 28, 2018
-
-
Baruch Siach authored
Fixes CVE-2018-15473: user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed. Some OpenSSH developers don't consider this a security issue: https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-August/037138.html Signed-off-by:
Baruch Siach <baruch@tkos.co.il> Signed-off-by:
-
Baruch Siach authored
Drop upstream patches, renumber the rest. Signed-off-by:
-
Julien BOIBESSOT authored
This script is useful to copy SSH keys between client and server [1] and installed on most distributions (for example on debian: [2]). [1] https://www.ssh.com/ssh/copy-id [2] https://packages.debian.org/fr/jessie/armhf/openssh-client/filelist Signed-off-by:
Julien BOIBESSOT <julien.boibessot@armadeus.com> Reviewed-by:
"Yann E. MORIN" <yann.morin.1998@free.fr> [Thomas: use full destination path.] Signed-off-by:
-
Baruch Siach authored
Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
-
Peter Korsgaard authored
Fixes: http://autobuild.buildroot.net/results/d6d/d6dc9a640aa1f6650a3e7b9397f2fe2ae3433f4d/ http://autobuild.buildroot.net/results/ab5/ab5a58ea7845f9f378454ee1aa7e872448618ba9/ ebx was recently added to the x86 inline asm MULADDC_STOP clobber list to fix #1550, but this causes the build to fail with GCC < 5 when building in PIC mode with errors like: include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’ This is because older GCC versions treated the x86 ebx register (which is used for the GOT) as a fixed reserved register when building as PIC. This is fixed by an improved register allocator in GCC 5+. From the release notes: Register allocation improvements: Reuse of the PIC hard register, instead of using a fixed register, was implemented on x86/x86-64 targets. This improves generated PIC code performance as more hard registers can be used. https://www.gnu.org/software/gcc/gcc-5/changes.html As a workaround, add a patch to detect this situation and disable the inline assembly, similar to the MULADDC_CANNOT_USE_R7 logic. Patch submitted upstream: https://github.com/ARMmbed/mbedtls/pull/1986 Signed-off-by:
-
Christopher McCrory authored
This fixes autobuild failures like http://autobuild.buildroot.net/results/3288b742cee650ee47a41c5b4d6aaef1fe67bff1 php compile breaks with: ext/mysqlnd/mysqlnd_auth.o: In function `php_mysqlnd_scramble_sha2': mysqlnd_auth.c:(.text+0x1054): undefined reference to `PHP_SHA256Init' mysqlnd_auth.c:(.text+0x1064): undefined reference to `PHP_SHA256Update' mysqlnd_auth.c:(.text+0x1070): undefined reference to `PHP_SHA256Final' mysqlnd_auth.c:(.text+0x1078): undefined reference to `PHP_SHA256Init' mysqlnd_auth.c:(.text+0x1088): undefined reference to `PHP_SHA256Update' mysqlnd_auth.c:(.text+0x1094): undefined reference to `PHP_SHA256Final' mysqlnd_auth.c:(.text+0x109c): undefined reference to `PHP_SHA256Init' mysqlnd_auth.c:(.text+0x10ac): undefined reference to `PHP_SHA256Update' mysqlnd_auth.c:(.text+0x10bc): undefined reference to `PHP_SHA256Update' mysqlnd_auth.c:(.text+0x10c8): undefined reference to `PHP_SHA256Final' It looks like the php mysqli extension needs the hash extension to work. This seems to be a php Make dependany bug. This patch works around it until the upstream maintainers can fix it. Signed-off-by:
Christopher McCrory <chrismcc@gmail.com> Signed-off-by:
-
- Aug 27, 2018
-
-
Peter Korsgaard authored
dropbear is affected by an user enumeration vulnerability similar to the recent issue in openssh (CVE-2018-15473). Add an upstream patch fixing the issue. For more details, see the discussion on the mailing list: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002110.html Signed-off-by:
-
Stefan Sørensen authored
Dropbear 2018.76 now uses the --enable-static option to indicate that a static binary should be built. This will incorrectly pick up the generic buildroot option intended for building static libraries, causing an unwanted static binary build with BR2_SHARED_STATIC_LIBS. Fix by appending an --disable-static configure flag, overriding the buildroot default. Signed-off-by:
Stefan Sørensen <stefan.sorensen@spectralink.com> Reviewed-by:
-
Stefan Sørensen authored
Dropbear 2018.76 changed the default ecdsa host key size form 521 to 256 bits, but this breaks systems with an existing 521 bit key, blocking ssh logins. Apply the upstream fix from https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900 : Only advertise a single server ecdsa key when -R (generate as required) is specified. Fixes -R now that default ecdsa key size has changed. [Peter: apply-patches.sh does not like suffix-less filename, so include patch in Buildroot] Signed-off-by:
-
Francois Perrad authored
DROPBEAR_SMALL_CODE could be only honored with bundled libtomcrypt Signed-off-by:
Francois Perrad <francois.perrad@gadz.org> Signed-off-by:
-
Thomas Petazzoni authored
By default, Dropbear's configure script enables hardening flags. Unfortunately, the check for SSP only uses AC_COMPILE_IFELSE(), and therefore doesn't properly test for the availability of libssp, visible only at link time. In addition, Buildroot passes its own hardening flags, depending on various global options. So, we simply disable hardening flags in Dropbear. This fixes a build failure with non-SSP capable toolchains happening since the bump to 2018.76. Signed-off-by:
-
Francois Perrad authored
with this new version: - "configure --enable-static" should now be used instead of "make STATIC=1" - any customised options should be put in localoptions.h Signed-off-by:
-
- Aug 26, 2018
-
-
Yann E. MORIN authored
brltty has a very inventive buildsystem, where it internall runs ./configure for the build machine In doing so, it generates a list of make variables to define what the build machine supports, like it does for the target. However, the build variables are generated with a convoluted sed script that scans the target list, and appends _FOR_BUILD to each target variables. Then, both lists are included from the Makefile, on the assumption that the build variables will not clash with the target variables. Where it gets interesting, is that that sed script considers the variables names to match '[A-Za-z][A-Za-z0-9_]*' And there we see why ATSPI2_PACKAGE does not match: it contains a digit. So, some build variables will inevitably override target ones. Fix that by simply expanding the matching regexp to allow digits in variable names. Fixes: http://autobuild.buildroot.org/results/a37/a37782b3cfc1a96cc129db8fade20a36a7b2d470/ http://autobuild.buildroot.org/results/97e/97edc6a47d2140968e84b409cdc960604e5896f2/ Signed-off-by: -
Yann E. MORIN authored
Signed-off-by:
-
Peter Korsgaard authored
Fixes the following security issues: - CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel - CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel For more info, see the advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 Signed-off-by:
-
Yann E. MORIN authored
We can't carry a mercurial patch, because the luarocks package is not organised with the same layout as the upstream package source tree is. Signed-off-by:
-
- Aug 24, 2018
-
-
Vadim Kochan authored
Replace broken http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux by https://hewlettpackard.github.io/wireless-tools . [Peter: also adjust URL in Config.in] Signed-off-by:
Vadim Kochan <vadim.kochan@petcube.com> Signed-off-by:
-
Bernd Kuhls authored
Release notes: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ Fixes CVE-2018-12115, also CVEs were fixed in included OpenSSL code which do not use for the target build. Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
-
Bernd Kuhls authored
Signed-off-by:
-
Bernd Kuhls authored
[Peter: drop 4.17.x change] Signed-off-by:
-
Bernd Kuhls authored
Fixes CVE-2018-5740: https://ftp.isc.org/isc/bind9/9.11.4-P1/CHANGES Signed-off-by:
-
Bernd Kuhls authored
Version 7.2.8 fixed CVE-2018-12882, CVE-2018-14883 & CVE-2018-14851: http://www.php.net/ChangeLog-7.php#7.2.8 Signed-off-by:
-
Ricardo Martincoski authored
Signed-off-by:
Ricardo Martincoski <ricardo.martincoski@gmail.com> Signed-off-by:
Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> (cherry picked from commit dba254cd) Signed-off-by:
-
Peter Korsgaard authored
Fixes the following security issues: CVE-2017-17405: Command injection vulnerability in Net::FTP (2.4.3): https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ CVE-2017-17742: HTTP response splitting in WEBrick (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/ CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ CVE-2018-8777: DoS by large request in WEBrick (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/ CVE-2018-8778: Buffer under-read in String#unpack (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/ CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (2.4.4): https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ Multiple vulnerabilities in RubyGems (2.4.4): https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ Signed-off-by:
-
Matt Flax authored
eigen generates a pkg-config file which has a broken prefix (@CMAKE_INSTALL_PREFIX@). This broken prefix causes an incorrect path when other packages call pkg-config --cflags eigen. This patch fixes the prefix in the generated eigen pc file, so projects which depend on this pc file can now correctly find the eigen include directory at build time. Also correct the Cflags output to use the runtime prefix instead of the build time STAGING_DIR, like we do elsewhere. [Peter: drop backslashes, tweak commit message] Signed-off-by:
Matt Flax <flatmax@flatmax.org> Signed-off-by:
-
Peter Korsgaard authored
Bump to the latest release of the 1.11.x LTS series as 1.10.x is no longer supported upstream: https://www.djangoproject.com/download/ Fixes the following security issues: - CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page (1.11.5) - CVE-2018-6188: Information leakage in AuthenticationForm (1.11.10) - CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters (1.11.11) - CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters (1.11.11) - CVE-2018-14574: Open redirect possibility in CommonMiddleware (1.11.15) Also add a hash for the license file. Signed-off-by:
-
Yann E. MORIN authored
glibc-2.28 did quite some lifting in their headers, which breaks the way some packages were detecting glibc, like gnulib. However, packages do bundle gnulib (it was meant to be bundled), and so does m4. Since m4 hasn't seen the slightest commit since 2017-01-09, it is bundling an old gnulib version, that predates glibc-2.28, and thus breaks. It also means that upstream hasn't already fixed the issue. Furthermore, as upstream is using a git submodule for gnulib, and that the paths are not the same in the release tarball (in lib/) and in the git tree (in gnulib/), we can't do a plain backport. So, we selectively backport the two patches from gnulib upstream, restricted to only the files that happen to be used in m4. Signed-off-by:
-
Baruch Siach authored
The threads dependency comment is currently shown even though the toolchain supports threads, only because kernel build is disabled. Merge the kernel and threads comments. This is similar to what we have in other packages that need the kernel. Cc: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by:
-
Peter Korsgaard authored
Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. And additionally: - libfuse no longer segfaults when fuse_interrupted() is called outside the event loop. - The fusermount binary has been hardened in several ways to reduce potential attack surface. Most importantly, mountpoints and mount options must now match a hard-coded whitelist. It is expected that this whitelist covers all regular use-cases. Signed-off-by:
-
Fabrice Fontaine authored
Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
-
Bernd Kuhls authored
Fixes CVE-2018-0732 & CVE-2018-0737: https://www.openssl.org/news/vulnerabilities.html Added upstream sha1 hash. Signed-off-by:
-
Bernd Kuhls authored
[Peter: drop 4.17.x change] Signed-off-by:
-
Thomas Petazzoni authored
Commit 62884096 ("libselinux: add patch to fix build with gcc < 4.7") introduced a patch, but its file name was incorrect, so it was never applied. In addition, the patch was generated against the Git repository of SELinux, which includes all projects, and therefore it doesn't apply to the libselinux source code extracted from the tarball: the "libselinux/" component path needs to be removed from the patch. This commit fixes both problems, which should finally and really fix: http://autobuild.buildroot.net/results/c3272566bb808e43bb77ec59cfe596f7e0fe9a64/ Signed-off-by:
-
Thomas Petazzoni authored
This commit adds a patch from Hollis Blanchard on libselinux to fix build on host machines that have gcc < 4.7. Fixes: http://autobuild.buildroot.net/results/a82bb0c0b22ff24263ad7a7d165b21c0df7b3b1d/ Signed-off-by:
-
Baruch Siach authored
The bzip.org website is down. Use the Buildroot backup download site. Remove the website link as there is no clear alternative upstream at this point. https://lwn.net/Articles/762264/ Signed-off-by:
-
Marcin Niestroj authored
When using uclibc libdevmapper.so was calling dm_task_get_info_base() function recursively, leading to segmentation fault. This was happening because uclibc linker loader just takes first existing 'dm_task_get_info' (which is 'dm_task_get_info_base') symbol in elf binary, instead of default version. Add upstreamable lvm2 patch [1], which introduces --enable-symvers[=STYLE] switch. Use that switch to disable symbol versions, as we do not plan to support binaries compiled against old libdevmapper library. Fixes bug #10781. [1] https://www.redhat.com/archives/dm-devel/2018-July/msg00187.html Signed-off-by:
Marcin Niestroj <m.niestroj@grinn-global.com> Signed-off-by:
-
Peter Korsgaard authored
Signed-off-by:
-
