<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package, branch 2017.08.1</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.08.1</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.08.1'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-10-22T22:41:33+00:00</updated>
<entry>
<title>linux-headers: bump 4.{4, 9, 13}.x series</title>
<updated>2017-10-22T22:41:33+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2017-10-22T17:04:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e04fc15a1dc1345824986ce333348db5aef7ca7a'/>
<id>urn:sha1:e04fc15a1dc1345824986ce333348db5aef7ca7a</id>
<content type='text'>
[Peter: drop 4.13.x bump]
Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit f7479f4c818f335332fdca128d7d4f3e5e7c02ac)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>sqlite: add security patches</title>
<updated>2017-10-22T22:40:34+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-10-22T14:00:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=a820bdd0d36cbcd3277c3530ad0ecc581d1a6c70'/>
<id>urn:sha1:a820bdd0d36cbcd3277c3530ad0ecc581d1a6c70</id>
<content type='text'>
CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
remote attackers to cause a denial of service (EXC_BAD_ACCESS and
application crash) via a crafted file.

CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
tableColumnList in shell.c
because it fails to consider certain cases where
`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
initialized.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit d3c96bd5a6d3d64ab9c61104c6078b4bc89b12ec)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libffi: add patch to fix MIPS support</title>
<updated>2017-10-22T22:40:02+00:00</updated>
<author>
<name>Mauro Condarelli</name>
<email>mc5686@mclink.it</email>
</author>
<published>2017-04-21T10:33:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e27c8e67f45cbc9e853228f669ce483a83b63265'/>
<id>urn:sha1:e27c8e67f45cbc9e853228f669ce483a83b63265</id>
<content type='text'>
Building Python 3.x on MIPS with musl fails because the libffi code
uses a "#ifdef linux" test to decide if we're building on Linux or
not. When building with -std=c99, "linux" is not defined, so instead
of including &lt;asm/sgidefs.h&gt;, libffi's code tries to include
&lt;sgidefs.h&gt;, which doesn't exist on musl.

The right fix is to use __linux__, which is POSIX compliant, and
therefore defined even when -std=c99 is used.

Note that glibc and uClibc were not affected because they do provide a
&lt;sgidefs.h&gt; header in addition to the &lt;asm/sgidefs.h&gt; one.

Signed-off-by: Mauro Condarelli &lt;mc5686@mclink.it&gt;
[Thomas: reformat patch with Git, add a better commit log and description.]
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;

(cherry picked from commit 4852f05907cd365825f37c283a415a77ba1fcba9)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>xen: add upstream post-4.9.0 security fix for XSA-245</title>
<updated>2017-10-22T22:38:31+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-21T18:04:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=39948ac3ae0ef2e8dcc5e05bdfe19e96a37d866a'/>
<id>urn:sha1:39948ac3ae0ef2e8dcc5e05bdfe19e96a37d866a</id>
<content type='text'>
Fixes XA-245: ARM: Some memory not scrubbed at boot

https://xenbits.xenproject.org/xsa/advisory-245.html

Notice: Not applying XSA-237..244 as they are x86 only and have patch file
name conflicts between 2017.02.x and master.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 90b9b457ecd5e6ebea9d48f36c030b95ca67059b)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>lame: security bump to version 3.100</title>
<updated>2017-10-22T22:37:35+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-22T11:15:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=5675183a7ccab93a20172c26b33bc5a3588ca064'/>
<id>urn:sha1:5675183a7ccab93a20172c26b33bc5a3588ca064</id>
<content type='text'>
Fixes the following security issues:

CVE-2017-9410: fill_buffer_resample function in libmp3lame/util.c heap-based
buffer over-read and ap

CVE-2017-9411: fill_buffer_resample function in libmp3lame/util.c invalid
memory read and application crash

CVE-2017-9412: unpack_read_samples function in frontend/get_audio.c invalid
memory read and application crash

Drop patches now upstream or no longer needed:

0001-configure.patch: Upstream as mentioned in patch description

0002-gtk1-ac-directives.patch: Upstream as mentioned in patch
description/release notes:

Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1.
This was transplanted back from aclocal.m4 with a patch provided by Andres
Mejia. This change makes it easy to regenerate autotools' files with a simple
invocation of autoconf -vfi.

0003-msse.patch: Not needed as -march &lt;x86-variant-with-msse-support&gt;
nowadays implies -msse.

With these removed, autoreconf is no longer needed.

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit 7e3583dd558925a447eaa4367d659f39482fbbc0)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>busybox: add upstream post-1.27.2 httpd fix</title>
<updated>2017-10-22T22:36:58+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-21T17:20:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=86a7d8cb0a78d4cb3aa4e37bbe5b68107d42f212'/>
<id>urn:sha1:86a7d8cb0a78d4cb3aa4e37bbe5b68107d42f212</id>
<content type='text'>
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit ec58149009776f63767644f9a3409f420c271766)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>busybox: bump to version 1.27.2</title>
<updated>2017-10-22T22:36:50+00:00</updated>
<author>
<name>Adam Duskett</name>
<email>aduskett@gmail.com</email>
</author>
<published>2017-09-05T12:20:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c47a2495a05fee5267d8cc5f987688807fa67b4c'/>
<id>urn:sha1:c47a2495a05fee5267d8cc5f987688807fa67b4c</id>
<content type='text'>
Signed-off-by: Adam Duskett &lt;aduskett@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit 5cdb463e442d63f0ba361e7348d0ed56cb9b63d0)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>musl: add upstream security fix for CVE-2017-15650</title>
<updated>2017-10-22T22:35:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-21T19:12:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3c25932a4d1bbbcb74bb797ddd0ecf97e0e5b4ab'/>
<id>urn:sha1:3c25932a4d1bbbcb74bb797ddd0ecf97e0e5b4ab</id>
<content type='text'>
&gt;From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5

Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.

When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 209f42fd3a5f4357e22fb72f1597a6868566aabd)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/go: fix cross-compilation settings</title>
<updated>2017-10-22T22:35:28+00:00</updated>
<author>
<name>Angelo Compagnucci</name>
<email>angelo.compagnucci@gmail.com</email>
</author>
<published>2017-10-16T17:08:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1a223cda9edb19b49e1a11713d0a8f5065e53f82'/>
<id>urn:sha1:1a223cda9edb19b49e1a11713d0a8f5065e53f82</id>
<content type='text'>
This patch fixes a bug with the BR2_TOOLCHAIN_HAS_THREADS variable
handling which causes CGO_ENABLED to be always 0.

Furthermore, it fixes the cross compilation options for the go
compiler: setting CGO_ENABLED should be done only for the target
compiler not the host one.

Signed-off-by: Angelo Compagnucci &lt;angelo.compagnucci@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
Acked-by: Christian Stewart &lt;christian@paral.in&gt;
(cherry picked from commit 80ea21bc3c2147adf810731b0b242e94a3ad294e)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>webkitgtk: security bump to version 2.18.1</title>
<updated>2017-10-22T22:28:04+00:00</updated>
<author>
<name>Adrian Perez de Castro</name>
<email>aperez@igalia.com</email>
</author>
<published>2017-10-18T23:07:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e4c4cd88fab0e4f9812b0a0b879ce375d2e1db39'/>
<id>urn:sha1:e4c4cd88fab0e4f9812b0a0b879ce375d2e1db39</id>
<content type='text'>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes (many of them related to rendering, plus one
important fix for touch input) and many security fixes.

Release notes:

    https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html

Fixes CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090,
CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094,
CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099,
CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107,
CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120,
CVE-2017-7142:

    https://webkitgtk.org/security/WSA-2017-0008.html

Signed-off-by: Adrian Perez de Castro &lt;aperez@igalia.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit 6d623e72770534c8e40e5afd7aa8fb77e49d1974)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
