buildroot, branch 2016.11.2

Update for 2016.11.2

2017-01-25T08:27:44+00:00

Signed-off-by: Peter Korsgaard

wireshark: security bump to version 2.2.4

2017-01-25T06:28:03+00:00

Fixes: wnpa-sec-2017-01 - The ASTERIX dissector could go into an infinite loop. wnpa-sec-2017-02 - The DHCPv6 dissector could go into a large loop. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard (cherry picked from commit 2515437e51036f0ad2d89ca16d07cd5b022fdbe9)

go: security bump to version 1.7.4

2017-01-24T11:30:34+00:00

On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141. Thanks to Xy Ziemba for identifying and reporting this issue. The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965. Thanks to Simon Rawet for the report. Signed-off-by: Peter Korsgaard (cherry picked from commit 5c9db62171cefb125193a6f814a0046536fc76a1)

core/br2-external: fix use of relative paths

2017-01-23T15:33:55+00:00

Fixes #9576 When the path to a br2-external tree is relative, make enters an endless recursive loop (paths elided for brevity): $ make BR2_EXTERNAL=.. foo_defconfig make[1]: stat: ../configs/../configs/../configs[...]/toto_defconfig: Filename too long make[1]: *** No rule to make target '../configs/../configs/../configs[...]/toto_defconfig', needed by '../configs/../configs/../configs[...]/toto_defconfig'. Stop. Makefile:79: recipe for target '_all' failed make: *** [_all] Error 2 It is a bit complex to understand the actual technical reason for this never-ending expansion; it seems it happens in the code generated by the percent_defconfig macro. Not sure why, though... But the root cause is the relative path. Just use absolute, canonical paths to br2-external trees. Always. [Peter: add bugzilla reference] Reported-by: outtierbert@gmail.com Signed-off-by: "Yann E. MORIN" Signed-off-by: Peter Korsgaard (cherry picked from commit 05576fca13b129da8c7186ee2307981135d3391f)

runc: security bump to fix CVE-2016-9962

2017-01-23T14:51:32+00:00

RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni (cherry picked from commit d6706dc430ebb1dade6f90a8d45503c23abec99d)

runc: pass -extldflags '-static' in correct variable

2017-01-23T14:51:24+00:00

commit 9101ce5800 (runc: pass -extldflags '-static' on when BR2_STATIC_LIBS=y) contained a small copy/paste error, FLANNEL_GLDFLAGS was used instead of RUNC_GLDFLAGS. [Peter: refer to exact commit] Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard (cherry picked from commit b97e3c94a9798bbd7eb08f5bd1adb0417cde1fd1)

docker-engine: security bump to version 1.12.6

2017-01-23T14:50:54+00:00

Fixes runC privilege escalation (CVE-2016-9962). Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni (cherry picked from commit 157ddf77e403c6ee00faef44fc32f8f679964204)

docker-engine: fix docker version output

2017-01-23T14:50:45+00:00

At compile-time the docker build scripts generate a version file used to build the output of the docker version command. This file is generated somewhat properly by the Buildroot build system, however the version number and commit ID are incorrectly formatted. This patch fixes the output to the correct format. This is important as some tools like WeaveWorks won't even start unless they can parse the Docker Version output correctly. [Peter: strip v from version using patsusbt] Signed-off-by: Christian Stewart Signed-off-by: Peter Korsgaard (cherry picked from commit 0533484eb7e2ff8500406035c59d2c3c2c07dda3)

docker-engine: bump version to v1.12.5

2017-01-23T14:50:15+00:00

Signed-off-by: Christian Stewart Signed-off-by: Peter Korsgaard (cherry picked from commit 3eddce6ea04a752388bec22a623320290a5834b5)

opus: security bump to 1.1.4

2017-01-23T08:06:46+00:00

Fixes CVE-2017-0381: A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni (cherry picked from commit f00a528ce68e24bb9f162416a5cf25bdc65fce20)