<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/subversion, branch 2016.05</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2016.05</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2016.05'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2016-04-28T19:14:06+00:00</updated>
<entry>
<title>subversion: security bump to version 1.9.4</title>
<updated>2016-04-28T19:14:06+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-04-28T18:28:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2cae3b0c0a4c6ed0b89ca64e9762e52831b27530'/>
<id>urn:sha1:2cae3b0c0a4c6ed0b89ca64e9762e52831b27530</id>
<content type='text'>
Fixes:
CVE-2016-2167 - svnserve/sasl may authenticate users using the wrong
realm.
CVE-2016-2168 - Remotely triggerable DoS vulnerability in mod_authz_svn
during COPY/MOVE authorization check.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/subversion: security version bump to 1.9.3</title>
<updated>2016-01-31T19:33:39+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2016-01-31T18:23:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=544949e4987c177ebcfa76244c5383a2267ac240'/>
<id>urn:sha1:544949e4987c177ebcfa76244c5383a2267ac240</id>
<content type='text'>
Release announcement:
http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/%3CCAP_GPNj_GCA869VQeJUrp5ngXsgN7pQQHSS=sqoXm8_6hHTTxg@mail.gmail.com%3E

CVE-2015-5259:
Remotely triggerable heap overflow and out-of-bounds read caused by
integer overflow in the svn:// protocol parser.
http://subversion.apache.org/security/CVE-2015-5259-advisory.txt

CVE-2015-5343:
Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn
caused by integer overflow when parsing skel-encoded request bodies.
http://subversion.apache.org/security/CVE-2015-5343-advisory.txt

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>subversion: add missing comment when building static</title>
<updated>2015-12-29T16:02:00+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-12-29T14:12:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=5dc0f6aaab8f3a845b1db08439cff27832a53930'/>
<id>urn:sha1:5dc0f6aaab8f3a845b1db08439cff27832a53930</id>
<content type='text'>
Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>subversion: bump to version 1.9.2</title>
<updated>2015-09-28T20:15:45+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2015-09-28T10:07:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=4965192f60a9d484a91787079122a7f9322a4f82'/>
<id>urn:sha1:4965192f60a9d484a91787079122a7f9322a4f82</id>
<content type='text'>
- Bump to version 1.9.2.
- Update the hash file.
- Use a tar.bz2 tarball to save space and bandwidth.
- Fix a typo in the berkeley-db configure option.
- Remove non-existent configure options: neon, gssapi and ssl.
- Remove neon dependency: it is not needed to build subversion.
- Tweak the 0001-dont-mangle-cflags.patch for the 1.9.2 version and to
  patch configure.ac instead of configure.
- Add a new 0002-disable-macos-specific-features.patch to remove a
  configure check for Mach-O (and two more) which breaks the build when
  cross-compiling.
- Enable autoreconf since we are patching the configure.ac.

Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>subversion: security bump to version 1.7.19</title>
<updated>2014-12-21T12:22:18+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2014-12-16T14:08:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=d80f5c99fdaf2ffb20e3453236b987301b277b34'/>
<id>urn:sha1:d80f5c99fdaf2ffb20e3453236b987301b277b34</id>
<content type='text'>
Fixes:
CVE-2014-3580: mod_dav_svn DoS from invalid REPORT requests.
CVE-2014-8108: mod_dav_svn DoS from use of invalid transaction names.

Also add hash file.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>Rename BR2_PREFER_STATIC_LIB to BR2_STATIC_LIBS</title>
<updated>2014-12-11T21:48:13+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2014-12-03T21:41:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=665e13c85e1fd216499cdd335a88a4d1c20f175f'/>
<id>urn:sha1:665e13c85e1fd216499cdd335a88a4d1c20f175f</id>
<content type='text'>
For a while now, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.

As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjusts the Config.in option accordingly.

This also helps prepare the addition of other options to select
shared, shared+static or just static.

Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
Reviewed-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
</content>
</entry>
<entry>
<title>subversion: ensure --disable-debug doesn't mangle CFLAGS</title>
<updated>2014-11-05T23:01:09+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2014-11-05T23:01:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=395c88051efb4b84f752be4eea1b34b13c80a1dc'/>
<id>urn:sha1:395c88051efb4b84f752be4eea1b34b13c80a1dc</id>
<content type='text'>
Fixes:
http://autobuild.buildroot.net/results/fc6/fc69a19c66462585449f7c4dad174d45a84e4947/
http://autobuild.buildroot.net/results/e04/e0471f2a9087d547840a7b18863289963e357b57/
http://autobuild.buildroot.net/results/bd8/bd8cdf976937c7b9029658871929f4be464b7a47/
http://autobuild.buildroot.net/results/652/652c3afe844e912061fbc5991e6fecad98ff6e6f/

And many more.

When --disable-debug is passed to configure, as is automatically done by the
autotools infrastructure since 822a757456e (infra: Move
--enable/--disable-debug to package/Makefile.in), the configure script will
try to strip debugging (-g) options from the C/CXXFLAGS. The logic to do so
is unfortunately buggy, so it ends up mangling options like
-mfloat-gprs=double that we use on certain PowerPC variants, breaking the
build.

Fix it by adjusting the sed regexp to be more selective in what it strips.
The package unfortunately doesn't cleanly autoreconf, so configure is
patched instead of configure.ac.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>subversion: needs sqlite and pkg-config</title>
<updated>2014-10-27T16:41:42+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2014-10-27T16:39:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=97c5d445202b082d0bb390a8c395dacb09942416'/>
<id>urn:sha1:97c5d445202b082d0bb390a8c395dacb09942416</id>
<content type='text'>
Fixes:
http://autobuild.buildroot.net/results/de2/de243c429c1e443efdbba82a860dbb7a03d5b746/
http://autobuild.buildroot.net/results/40c/40ce377893789883503deaa57912b87d2e0192e8/
http://autobuild.buildroot.net/results/134/13449cd77fbbd1c2b21d04b1fc866a086d915353/
http://autobuild.buildroot.net/results/e3f/e3fc33177eef955830a7be68e7b23503fd1d9ebe/
and others.

Also add the missing 'select' statements for apr, expat and zlib to match
the .mk file.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>packages: rename FOO_CONF_OPT into FOO_CONF_OPTS</title>
<updated>2014-10-04T16:54:16+00:00</updated>
<author>
<name>Thomas De Schampheleire</name>
<email>patrickdepinguin@gmail.com</email>
</author>
<published>2014-09-27T19:32:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=aaffd209fae91a733fe0becb72268f87bf4ea369'/>
<id>urn:sha1:aaffd209fae91a733fe0becb72268f87bf4ea369</id>
<content type='text'>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.

Sed command used:
   find * -type f | xargs sed -i 's#_CONF_OPT\&gt;#&amp;S#g'

Signed-off-by: Thomas De Schampheleire &lt;thomas.de.schampheleire@gmail.com&gt;
Reviewed-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>subversion: security bump to version 1.7.18</title>
<updated>2014-08-15T20:29:04+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2014-08-15T18:25:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=f550bea09aec9c6f0483da4d785b988bf3cf1292'/>
<id>urn:sha1:f550bea09aec9c6f0483da4d785b988bf3cf1292</id>
<content type='text'>
Fixes:

CVE-2014-0032 - mod_dav_svn is vulnerable to a remotely triggerable
segfault DoS vulnerability when SVNListParentPath is on.

CVE-2014-3522 - Serf RA layer does not correctly validate certificates
with wildcards in them for HTTPS.

CVE-2014-3528 - Credentials cached with Subversion may be sent to the
wrong server.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
