- Feb 13, 2019
-
-
Peter Korsgaard authored
Signed-off-by:Peter Korsgaard <peter@korsgaard.com>
-
Gerome Burlats authored
Linux version are changed to 4.19.16 (LTS) for all qemu defconfigs, except for riscv. riscv defconfigs are left unchanged because they have a custom Linux repository causing more difficulties when upgrading to 4.19 for riscv32. And for the riscv64, it has been updated recently to Linux 4.20 by another contributor. Patch for arm-versatile-nommu is changed into a git format Add cache attributes for xtensa-lx60-nommu config because the commit https://github.com/torvalds/linux/commit/7bb516ca5424e12b42124fab2906b6da9c81ba9c added a new config variable for memory cache attribute: CONFIG_MEMMAP_CACHEATTR All these updated configs have been built successfully. Signed-off-by:
Gerome Burlats <gerome.burlats@smile.fr> Cc: Romain Naour <romain.naour@smile.fr> Signed-off-by:
Romain Naour <romain.naour@smile.fr> Signed-off-by:
-
- Feb 12, 2019
-
-
Peter Korsgaard authored
For details, see https://github.com/snyk/zip-slip-vulnerability Older python versions do not validate that the extracted files are inside the target directory. Detect and error out on evil paths before extracting .zip / .tar file. Given the scope of this (zip issue was fixed in python 2.7.4, released 2013-04-06, scanpypi is only used by a developer when adding a new python package), the security impact is fairly minimal, but it is good to get it fixed anyway. Reported-by:
Bas van Schaik <security-reports@semmle.com> Signed-off-by:
-
Christian Stewart authored
Fixes the startup warning from Docker: failed to retrieve runc version: unknown output format: runc version commit ... Introduces a patch to replace the faulty version detection logic in the Docker engine. Signed-off-by:
Christian Stewart <christian@paral.in> Signed-off-by:
-
Christian Stewart authored
Signed-off-by:
-
Christian Stewart authored
Signed-off-by:
-
Christian Stewart authored
Signed-off-by:
-
Fabrice Fontaine authored
Here is the list of the changes compared to the removed mongodb 3.3.4 version: - Remove patch (not applicable anymore) - Add patch (sent upstream) to fix openssl build with gcc 7 and -fpermissive - Remove 32 bits x86 platforms, removed since version 3.4: https://docs.mongodb.com/manual/installation/#supported-platforms - Change license: since October 2018, license is SSPL: - https://www.mongodb.com/community/licensing - https://jira.mongodb.org/browse/SERVER-38767 - gcc must be at least 5.3 so add a dependency on gcc >= 6 - Add a dependency on host-python-xxx modules: https://github.com/mongodb/mongo/blob/r4.0.6/docs/building.md - Use system versions of boost, pcre, snappy, sqlite, yaml-cpp and zlib instead of embedded mongodb ones - Add hash for license files Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Tested-by:
Adam Duskett <aduskett@gmail.com> Signed-off-by:
-
Fabrice Fontaine authored
host-python-typing is needed for mongodb 4.0.6 Signed-off-by:
-
Fabrice Fontaine authored
host-python-pyyaml is needed for mongodb 4.0.6 Signed-off-by:
-
Fabrice Fontaine authored
host-libyaml is needed for host-python-pyyaml Signed-off-by:
-
Peter Korsgaard authored
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: * Creating a new container using an attacker-controlled image. * Attaching (docker exec) into an existing container which the attacker had previous write access to. For more details, see the advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2 The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate to the reverse dependencies (containerd/docker-engine). Signed-off-by: -
Peter Korsgaard authored
runc (which is a reverse dependency of docker-engine) is about to gain a !uclibc dependency, so move to a glibc toolchain instead. There are currently no prebuilt x86_64 / core2 / glibc toolchains available, so instead use the internal toolchain backend to build one. While we are at it, drop the infra.basetest.BASIC_TOOLCHAIN_CONFIG reference, as that ARM toolchain configuration doesn't make any sense for this x86-64 based test. add docker / docker-compose tests Signed-off-by: -
Baruch Siach authored
CVE-2019-6116: Remote code execution. https://www.openwall.com/lists/oss-security/2019/01/23/5 Cc: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Baruch Siach <baruch@tkos.co.il> Signed-off-by:
-
Baruch Siach authored
CVE-2019-1000019: Crash when parsing some 7zip archives. CVE-2019-1000020: A corrupted or malicious ISO9660 image can cause read_CE() to loop forever. Signed-off-by:
-
Grégoire Delattre authored
Signed-off-by:
Grégoire Delattre <gregoire.delattre@gmail.com> Signed-off-by:
-
Matt Weber authored
v3.2.0 has a bug in the configure step which causes it to fail when being built against libressl. As libopenssl is selected as the default, the autobuilders have not uncovered this failure. The issue has been confirmed in LTS 2018.02.10 (probably broken prior to that as well) and is not related to the Openssl bump to 1.1.x. Thread with more details http://lists.busybox.net/pipermail/buildroot/2019-February/243133.html Signed-off-by:
Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by:
-
Baruch Siach authored
CVE-2018-20330: Integer overflow causing segfault occurred when attempting to load a BMP file with more than 1 billion pixels using the `tjLoadImage()` function. CVE-2018-19664: Buffer overrun occurred when attempting to decompress a specially-crafted malformed JPEG image to a 256-color BMP using djpeg. Cc: Murat Demirten <mdemirten@yh.com.tr> Signed-off-by:
-
Baruch Siach authored
CVE-2019-6109: Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. CVE-2019-6111: Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). Signed-off-by:
-
Peter Korsgaard authored
In preparation for 2019.02-rc1 Signed-off-by:
-
- Feb 11, 2019
-
-
Bernd Kuhls authored
Fixes http://autobuild.buildroot.net/results/2f8/2f89e41f79e8bec1c0561b486ae5750fc87a6320/ Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Thomas Petazzoni authored
The sg3_utils has provisions to build against librt when needed, but forgot to use that mechanism for the sg_turs program. This commit fixes that. The patch has been submitted upstream to the sg3_utils author. Fixes: http://autobuild.buildroot.net/results/67b890a41d05497820ea4f44e187257dd6818b0b/ Signed-off-by:
-
Fabrice Fontaine authored
- Add a call to PKG_CHECK_MODULES in configure.ac to get openssl libraries and its dependencies if openssl support is enabled - Add OPENSSL_LIBS to libupnp.pc.in so that applications linking with pupnp (such as mpd) will be able to retrieve openssl libraries Fixes: - http://autobuild.buildroot.org/results/a4148e516070b79816769f3443fc24d6d8192073 Signed-off-by:
-
Matt Weber authored
Fixes http://autobuild.buildroot.net/results/5e2/5e2c3178d8a6e11b1af1c37144737097730ba222/ Signed-off-by:
-
Thomas De Schampheleire authored
opentracing-cpp requires dlfcn.h from src/dynamic_load_unix.cpp. This file is compiled unconditionally. Disable opentracing-cpp on BR2_STATIC_LIBS configurations. Fixes: http://autobuild.buildroot.net/results/454173aef9ff7c808294a974088d7682cad240a8/ Signed-off-by:
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by:
-
Fabrice Fontaine authored
- Remove patch (already in version) - Use COPYING as license file as COPYING has been fixed by: https://github.com/AsteroidOS/brcm-patchram-plus/commit/95b7b6916d661a4da3f9c0adf52d5e1f4f8ab042 Signed-off-by:
-
Yann E. MORIN authored
Rather than tell check-package to ignore a false-positive issue, just avoid the issue to begin with, by using an intermediate variable to construct the list of licenses. Signed-off-by:
"Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
-
- Feb 10, 2019
-
-
Thomas Petazzoni authored
Commit 684bcc45 ("package/brcm-patchram-plus: fix build on sparc") added a patch that modifies the src/main.c file, without paying attention to the fact that this file is used as the license file for the package, and therefore the .hash had to be updated at the same time. This commit updates the license file hash as needed. There are obviously no licensing related changes in the SPARC build fixes. Fixes: http://autobuild.buildroot.net/results/083ce1c3100b10e40480e6330ce0c29dde51f5e0/ Signed-off-by:
-
Fabrice Fontaine authored
Signed-off-by:
-
Fabrice Fontaine authored
Signed-off-by:
-
Fabrice Fontaine authored
Signed-off-by:
-
Bernd Kuhls authored
Fixes http://autobuild.buildroot.net/results/77c/77cd536a0fab78eabe27e055d28db2da354008d7/ Signed-off-by:
-
Bernd Kuhls authored
Signed-off-by:
-
Bernd Kuhls authored
Removed patch 0002, applied upstream. Follow upstream switch of release tarball to bz2 and new location. Signed-off-by:
-
Chris Packham authored
gst-shark needs gstreamer to be compiled with debugging support enabled. Make this selection automatically when the gst-shark package is selected. Fixes: - http://autobuild.buildroot.net/results/09b894b0775df2dd87d8fb2d53c6a243d8668aba/ - and many more Signed-off-by:
Chris Packham <judge.packham@gmail.com> Signed-off-by:
-
Adrian Perez de Castro authored
This is a maintenance release of the current stable WebKitGTK+ version, which contains security fixes for CVE identifiers: CVE-2019-6212, CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, CVE-2019-6226, CVE-2019-6227, CVE-2019-6229, CVE-2019-6233, and CVE-2019-6234. Additionally, it contains a few minor fixes. Release notes can be found in the announcement: https://webkitgtk.org/2019/02/09/webkitgtk2.22.6-released.html More details on the issues covered by securit fixes can be found in the corresponding security advisory: https://webkitgtk.org/security/WSA-2019-0001.html Signed-off-by:
Adrian Perez de Castro <aperez@igalia.com> Signed-off-by:
-
Bernd Kuhls authored
For details see https://bugs.archlinux.org/task/61623 Signed-off-by:
-
Peter Korsgaard authored
Fixes the following security issues: CVE-2018-12551: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive. CVE-2018-12550: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive. CVE-2018-12546: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish. Add two upstream post-1.5.6 patches to fix a build error in the bridge code when ADNS is enabled and when building with older toolchains not defaulting to C99 mode. Signed-off-by: -
Bernd Kuhls authored
Rebased patch 0004. This bump fixes https://bugs.php.net/bug.php?id=77369 , status of CVE-ID: needed Signed-off-by:
-
- Feb 09, 2019
-
-
Thomas De Schampheleire authored
Xenomai has two mutually exclusive cores: - Cobalt: dual-kernel approach: patched kernel + userland - Mercury: only userland In the Cobalt core, not all architectures are supported. This is the source of the existing ARCH_SUPPORTS variable. In the Mercury core, there is no imposed architecture restriction. Rename the XENOMAI_ARCH_SUPPORTS flag to XENOMAI_COBALT_ARCH_SUPPORTS and move its check from the Xenomai package to the Cobalt core. Nevertheless, even for Mercury, there are some restrictions: - pthread_atfork is used, which requires an MMU - sync functions like __sync_sub_and_fetch and __sync_add_and_fetch are expected. As the corresponding 'linux extension' selects Xenomai, we add the MMU and sync dependencies there too. They may or may not already be covered by XENOMAI_COBALT_ARCH_SUPPORTS flag. Signed-off-by:
-
