OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2018.02 2017-11-12T16:52:28+00:00 2017-11-12T16:52:28+00:00 Peter Korsgaard peter@korsgaard.com 2017-11-12T13:43:11+00:00 urn:sha1:f2c353054111b0398399ba1933a47d34441c875e Fixed the following security issues: CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode CVE-2017-14064: Heap exposure in generating JSON For more details, see the release notes: https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/ Drop now upstreamed rubygems patches and add hashes for the license files while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-09-09T20:44:00+00:00 Peter Korsgaard peter@korsgaard.com 2017-09-07T09:17:55+00:00 urn:sha1:0e5448af5091ee208fdd38a4e221f444085dd0c8 We unfortunately cannot use the upstream patches directly as they are not in 'patch -p1' format, so convert them and include instead. Fixes: CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. For more details, see https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-01T13:27:05+00:00 Rahul Bedarkar rahulbedarkar89@gmail.com 2017-03-30T13:43:39+00:00 urn:sha1:96e9480fbc71a39d473be5d4f73b4d15b5029a8f We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-2c is BSD-2-Clause. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-01T13:26:57+00:00 Rahul Bedarkar rahulbedarkar89@gmail.com 2017-03-30T13:43:38+00:00 urn:sha1:9f59b378a36ae81db2672b417a68c7358b41ccc3 We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-3c is BSD-3-Clause. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-03-22T22:12:29+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-03-22T15:25:40+00:00 urn:sha1:81de172d11d95a27eac5bc7ad24303cc0cff0b73 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-02-07T10:46:52+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-02-07T09:47:59+00:00 urn:sha1:99e01a35f9e6cf9d17ef65cc9c983f3b364723b7 On uClibc, finite, isinf and isnan are not directly implemented as functions. Instead math.h #define's these to __finite, __isinf and __isnan, which are real functions. This confuses the Ruby configure script which use AC_REPLACE_FUNCS to detect these, as it really checks for a function without including math.h. Because of the naming difference the checks fail, therefore the symbols HAVE_FINITE, HAVE_ISINF and HAVE_ISNAN are not defined. Ruby code relies on those symbols in order to define its own version of the finite, isinf and isnan functions. Since the symbols haven't been defined, those definitions cause conflicts with the already-existing functions. Fixes: http://autobuild.buildroot.net/results/f34/f34dc20749c6f6d12c51eddf3ee6c2ef41d7c13d/ [Peter: extend description, add comment in .mk] Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-01-13T15:19:02+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-01-09T17:14:03+00:00 urn:sha1:ca06126066b16cc65a9971e7e0f0eaeeadc37980 The problem addressed by 0001 patch has been fixed upstream and is that fix is included in this release: https://github.com/ruby/ruby/commit/aa107497cd379b713eba8cecdb9a882bb1e0dd89 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-11-21T20:14:36+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-11-21T13:43:06+00:00 urn:sha1:0085734dc92d5e9024f1b511c32c4eab536f6a73 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-11-15T21:48:46+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-11-15T15:25:48+00:00 urn:sha1:cbe981184cc1b4909b3f18d653109075d21458cb Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-09-08T20:15:15+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-09-08T18:38:57+00:00 urn:sha1:4338a319b72570e433fd7484f8a95e1e0e978941 It's been deprecated for quite some time now. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>