summaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
...
* package/bind: security bump to version 9.11.5-P4Peter Korsgaard2019-02-222-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: - named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387] - When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] - Code change #4964, intended to prevent double signatures when deleting an inactive zone DNSKEY in some situations, introduced a new problem during zone processing in which some delegation glue RRsets are incorrectly identified as needing RRSIGs, which are then created for them using the current active ZSK for the zone. In some, but not all cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but incompletely -- this can result in a broken chain, affecting validation of proof of nonexistence for records in the zone. [GL #771] - named could crash if it managed a DNSSEC security root with managed-keys and the authoritative zone rolled the key to an algorithm not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] - named leaked memory when processing a request with multiple Key Tag EDNS options present. ISC would like to thank Toshifumi Sakaguchi for bringing this to our attention. This flaw is disclosed in CVE-2018-5744. [GL #772] - Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. This flaw is disclosed in CVE-2019-6465. [GL #790] For more details, see the release notes: http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html Change the upstream URL to HTTPS as the webserver uses HSTS: >>> bind 9.11.5-P4 Downloading URL transformed to HTTPS due to an HSTS policy Update the hash of the license file to account for a change of copyright year: -Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC") Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/unzip: add security and bug fix patches from DebianBaruch Siach2019-02-222-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Debian bug #741384: Buffer overflow Debian bug #744212: Buffer overflow CVE-2014-8139: CRC32 verification heap-based overflow CVE-2014-8140: Out-of-bounds write issue in test_compr_eb() CVE-2014-8141: Out-of-bounds read issues in getZip64Data() CVE-2014-9636: Heap overflow CVE-2015-7696: Heap overflow when extracting password-protected archive CVE-2015-7697: Infinite loop when extracting password-protected archive Red Hat Bugzilla #1260944: Unsigned overflow on invalid input Debian bug #842993: Do not ignore Unix Timestamps CVE-2014-9913: Buffer overflow CVE-2016-9844: Buffer overflow in zipinfo CVE-2018-1000035: Buffer overflow in password protected ZIP archives Cc: Luca Ceresoli <luca@lucaceresoli.net> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/proftpd: prevent openssl pthread detectionMatt Weber2019-02-221-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | The proftpd configure script doesn't use pkg-config to detect openssl libraries. Instead, it just adds -lcrypto. Since openssl may be linked with pthread, it tries to detect that by calling 'openssl version -f', which gives the arguments with which openssl was compiled. Since the openssl executable used is either host-openssl or the system installed openssl, the output of 'openssl version -f' is useless in Buildroot context. If the target toolchain doesn't have threads support, it will wrongly pick up -pthread from host-openssl. Fortunately there is a simple workaround: --without-openssl-cmdline says that there is no openssl executable and skips the test, so -pthread is not added. It turns out -pthread is never needed, even in static linking cases, because openssl/libressl puts the thread support in a separate object file that only gets linked in if the program actually uses threads (which proftpd doesn't). Fixes: http://autobuild.buildroot.net/results/9c25c3cb3cf93b76c0538c5376a803641bf6575b Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> [Rewrite commit log, after additional analysis and testing] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/dtc: additional fix of include guards for older u-bootThomas De Schampheleire2019-02-211-4/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With recent dtc but old u-boot, compilation issues occur related to libfdt. These problems really are u-boot issue since it does not properly set include paths so that its own headers are included. Nevertheless, since the u-boot version is typically decided by users and stuck at some version provided by a SoC or board vendor, it is not feasible to fix those old versions. Instead, already several fixes were made in the past, in Buildroot. See commits: c7ffd8a75d5 "package/dtc: fix include guards for older kernel/u-boot" f437bf547ca "uboot: fix build for older uboot source trees" bf733342324 "uboot: fix build when libfdt-devel is installed system-wide" 0bf80e4bcd5 "uboot: ensure host includes are searched before system default includes" b15a7a62d3f "uboot: revert "uboot: use local libfdt.h"" baae5156ce3 "uboot: use local fdt headers" 3a6573ccee2 "uboot: use local libfdt.h" Commit c7ffd8a75d55e24d793106eabbb80964ab91081f fixes the problem caused by dtc having changed their include guards from _FOO_H to FOO_H (leading underscore removed). Old u-boot would still use _FOO_H, which (combined with host-dtc headers that use FOO_H) would cause the inclusion of two different copies of the same nominal include file, e.g. libfdt.h or libfdt_env.h, causing 'error: redefinition of xxx' compilation issues. The fix sets the 'new' include guard when the 'old' one is detected, preventing a second inclusion of the same nominal file. For some u-boot versions, however, this change not only needs to be made in libfdt.h and libfdt_env.h, but also in 'fdt.h'. Update the dtc patch to do just that. Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/madplay: fix static buildFabrice Fontaine2019-02-212-2/+26
| | | | | | | | | | | Add a patch to use pkg-config to find id3tag dependency (-lz) Fixes: - http://autobuild.buildroot.org/results/5e4882ddacf205a92a3ff1e79649cf16e4b6c0ae Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> [Arnout: add comment to AUTORECONF to refer to the patch] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/libid3tag: fix id3tag.pcFabrice Fontaine2019-02-211-0/+1
| | | | | | | | Add -lz to id3tag.pc, this fix is needed to be able to use pkg-config in madplay to find id3tag dependencies Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/swupdate: update license filesFabrice Fontaine2019-02-202-3/+7
| | | | | | | | | | | | | | COPYING contains only the license for GPL-2.0 so use the new license files that have been added in the Licenses directory since version 2018.03 and https://github.com/sbabic/swupdate/commit/32c1f98eaca69e362be074197f84a59d994c0876 Also update GPL-2.0+ to "GPL-2.0+ with OpenSSL exception" and add Exceptions file, see: https://github.com/sbabic/swupdate/commit/66d0dbe80f49eb49f8999c9d738579651fc38134 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/imagemagick: fixup help text layoutYann E. MORIN2019-02-201-2/+2
| | | | | Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/rabbitmq-c: needs dynamic libraryFabrice Fontaine2019-02-203-15/+9
| | | | | | | | | | | | | | | syslog-ng expects that rabbitmq-c is built with openssl support however currently we're disabling openssl on rabbitmq-c in static build. To fix this issue, add a dependency on dynamic library on rabbitmq-c and its reverse dependencies (only BR2_PACKAGE_JANUS_GATEWAY_RABBITMQ as php-amqp already depends on dynamic library) Fixes: - http://autobuild.buildroot.org/results/fce91b98fb199a26ad5f5f726c9bdec4f9d64486 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/syslog-ng: add optional rabbitmq-c dependencyFabrice Fontaine2019-02-201-2/+7
| | | | | | | | | | | | | rabbitmq-c is not an embedded submodule since version 3.16.1 and https://github.com/balabit/syslog-ng/commit/c0559593c377f04662368dbecf282d2670aad12f So enable/disable amqp depending on rabbitmq-c availability and remove uneeded -lrt from LIBS Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Reviewed-by: Chris Packham <judge.packham@gmail.com> Signed-off-by: Fabrice Fontaine &lt;<a href="mailto:fontaine.fabrice@gmail.com" target="_blank" rel="noreferrer">fontaine.fabrice@gmail.com</a>&gt;<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Looks good to me</div><div dir="auto"><br></div><div dir="auto">Reviewed-by: Chris Packham &lt;<a href="mailto:judge.packham@gmail.com">judge.packham@gmail.com</a>&gt;<br><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* systemd: Remove instance name usage in a non-template unit fileGervais, Francois2019-02-201-1/+1
| | | | | | | | | | | | | console-getty.service is not a template unit file (it doesn't have the @ specifier), so %I doesn't get properly expanded in it. Thus, getty startup will fail due to invalid options and no getty prompt is launched on the console. Fixes: No getty prompt on boot Signed-off-by: Francois Gervais <fgervais@distech-controls.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* libcurl: fix typo in configure option w/o OpenSSLTrent Piepho2019-02-201-1/+1
| | | | | | | | | | When not using OpenSSL, the correct option to configure is --without-ssl with two dashes. Fixes: b8b78e7e6a ("libcurl: Allow selection of TLS package libcurl will use") Signed-off-by: Trent Piepho <tpiepho@impinj.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/luvi: bump to version 2.9.0 to fix build with OpenSSL 1.1.1aJörg Krause2019-02-204-118/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest release that bundles lua-openssl 0.7.4 to fix compatibility with OpenSSL 1.1.1a. Drop patches 0001 and 0002 that are included in the new release. Successfully build and runtime tested on Banana Pro, note that version string for lua-openssl does not match the tag name (0.7.4): ``` luvi v2.9.0 zlib: 1.2.11 libuv: 1.25.0 ssl: OpenSSL 1.1.1a 20 Nov 2018, lua-openssl 0.7.3 ``` Fixes: http://autobuild.buildroot.net/results/e87994a3dc987f5aa101a5e721ac927e21453373 http://autobuild.buildroot.net/results/ea725ad90cfcd3c5e242268a593dcabd7297fe70 http://autobuild.buildroot.net/results/f2fb9eea0044e4a5f674742d29ea95af49cf5a45 http://autobuild.buildroot.net/results/de4daa1b930f907f06640dc98a708016217ddea5 .. and many more. Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/poco: disable build for riscvBaruch Siach2019-02-201-1/+1
| | | | | | | | | | | | | poco does not support the riscv target. Fixes: http://autobuild.buildroot.net/results/9a8/9a8213c502df53222eafc3ecd2fcfa36db20950b/ http://autobuild.buildroot.net/results/dd4/dd48cac70e8cb697b42ee51561902df81edcea40/ http://autobuild.buildroot.net/results/030/030c6cc8e2a59b015f8f3793d76234a2ef4ab772/ Cc: Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/ipmiutil: fix build with openssl 1.1.xFabrice Fontaine2019-02-201-1/+1
| | | | | | | | | | | Fixes: - http://autobuild.buildroot.org/results/1d868798c5b80d7b41123f988449ef548dd95490 This works for libressl as well, because libressl does provide EVP_CIPHER_CTX_new() which is what gets enabled by -DSSL11 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/postgresql: bump to version 11.2Peter Korsgaard2019-02-182-6/+6
| | | | | | | | | | | | | | | | | | Fixes a long standing fsync issue and a number of other bugs: https://www.postgresql.org/docs/11/release-11-2.html https://wiki.postgresql.org/wiki/Fsync_Errors The hash of the license file is only changed due to a year update: -Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group +Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: Peter Seiderer <ps.report@gmx.net> [Thomas: update commit log to explain why the license file hash has changed, as repoted by Peter Seiderer] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/log4cplus: link with libatomic when neededFabrice Fontaine2019-02-171-0/+4
| | | | | | | | | | | | | | | | On some architectures, atomic binutils are provided by the libatomic library from gcc. Linking with libatomic is therefore necessary, otherwise the build fails with: sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line This is often for example the case on sparcv8 32 bit. Fixes: - http://autobuild.buildroot.org/results/16e360cb91afff7655f459a3d1fb906ca48f8464 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/xenomai: fix build with gcc 8Fabrice Fontaine2019-02-171-0/+91
| | | | | | | | Fixes: - http://autobuild.buildroot.org/results/3a53f54476828ee878602da9adddf1e1e70f7a69 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/safeclib: fix build with gcc 7Fabrice Fontaine2019-02-171-0/+62
| | | | | | | | Fixes: - http://autobuild.buildroot.org/results/f4fe6bf54d213ca75bc1f16df61f8f92e648288e Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/mender: fix sysv startup scriptAngelo Compagnucci2019-02-151-1/+1
| | | | | | | | | | | | | Mender is a service explicitly written for systemd and so it doesn't fork on background, doesn't redirect outputs and doesn't create a pid file by itself. To make the service running correctly is therefore necessary to use the -m switch of start-stop-daemon to create the pid file and -b option to send the process to background. Logging is preserved because the service will log anyway on syslog. Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/mender: fix missing /var/libAngelo Compagnucci2019-02-151-0/+1
| | | | | | | | | | | | | | Mender needs /var/lib directory to be available: on some configurations /var/lib is not available and thus the mender package installation fails. This patch does a mkdir to ensure the /var/lib directory is always available. Fixes: http://autobuild.buildroot.net/results/d2237083a13ab7688dd2b6dc8dbcd4226ed5651a/ Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/qt5/qt5base: handle sse2/sse3/ssse3/sse4.1/sse4.2/avx/avx2 configurationPeter Seiderer2019-02-151-0/+19
| | | | | | | | | | | | The Qt configure auto detection (and announced runtime detection feature) failes (see e.g. [1]), so override the configuration with the buildroot determined settings. [1] http://lists.busybox.net/pipermail/buildroot/2019-January/241862.html Reported-by: David Picard <dplamp@gmx.com> Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/pulseaudio: fix S50pulseaudio init scriptPeter Seiderer2019-02-151-2/+9
| | | | | | | | | | | | | | | | - fix the following start warnings: W: [pulseaudio] main.c: Running in system mode, but --disallow-exit not set. W: [pulseaudio] main.c: Running in system mode, but --disallow-module-loading not set. N: [pulseaudio] main.c: Running in system mode, forcibly disabling SHM mode. N: [pulseaudio] main.c: Running in system mode, forcibly disabling exit idle time. - fix the following stop error: E: [pulseaudio] main.c: Failed to kill daemon: No such process Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/qwt: needs qt5base gui supportPeter Seiderer2019-02-151-0/+1
| | | | | | | | | | | | | | | | | | | | | | | In commit 3e99c8418af904b14b01455d68c84d7b5afd261f ("package/qwt: remove qt4 support"), the following line was incorrectly dropped: select BR2_PACKAGE_QT5BASE_GUI if BR2_PACKAGE_QT5 Due to this, qt5base can now be configured with widgets enabled but gui disabled, causing the following build issue: ERROR: Feature 'widgets' was enabled, but the pre-condition 'features.gui' failed. Re-introduce the proper select, but slightly simplified since only Qt5 is supported now. Fixes: http://autobuild.buildroot.net/results/c771c2d5aac3e21f908e5a118f3755dbc9301a47 Signed-off-by: Peter Seiderer <ps.report@gmx.net> [Thomas: rework commit log] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/libcpprestsdk: disable samplesFabrice Fontaine2019-02-151-1/+1
| | | | | Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/libv4l: bump version to 1.16.3Peter Seiderer2019-02-152-3/+3
| | | | | | | | | Changes since 1.16.2: - Makefile.am: don't use relative paths for include - keytable: do not install bpf protocols decoders with execute permission Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/madplay: add hash for license filesFabrice Fontaine2019-02-151-0/+2
| | | | | Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/madplay: needs autoreconfFabrice Fontaine2019-02-153-110/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | madplay uses a very old configure script. When the toolchain lacks C++ and the build machine lacks /lib/cpp, this old configure script fails because it can't find a C++ preprocessor that is valid: checking for arm-buildroot-linux-uclibcgnueabi-g++... no checking whether we are using the GNU C++ compiler... no checking whether no accepts -g... no checking dependency style of no... none checking how to run the C++ preprocessor... /lib/cpp configure: error: C++ preprocessor "/lib/cpp" fails sanity check See `config.log' for more details. This is yet another case that was tentatively fixed by bd39d11d2e (core/infra: fix build on toolchain without C++), further amended by 4cd1ab15886 (core: alternate solution to disable C++). However, this only works on libtool scripts that are recent enough, and thus we need to autoreconf to get it. We also need to patch configure.ac so that it does not fail on the missing, GNU-specific files: NEWS, AUTHORS, and Changelog. Finally, remove also patch on ltmain.sh and MADPLAY_LIBTOOL_PATCH=NO as autoreconf will create an up to date ltmain.sh Fixes: - http://autobuild.buildroot.org/results/fc927de0e9a42095789fb0a631d5facf14076f6e Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/python-django: security bump to version 2.1.7Peter Korsgaard2019-02-152-4/+4
| | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format() If django.utils.numberformat.format() – used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation. https://docs.djangoproject.com/en/2.1/releases/2.1.6/ 2.1.6 contained a packaging error, fixed by 2.1.7: https://docs.djangoproject.com/en/2.1/releases/2.1.7/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/libgpiod: bump version to v1.2.1Bartosz Golaszewski2019-02-152-2/+2
| | | | | | | This is a bugfix release fixing two problems with C++ bindings. Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* package/mosquitto: bump to version 1.5.7Peter Korsgaard2019-02-144-64/+2
| | | | | | | | Bugfix release, fixing a number of issues discovered post-1.5.6. Drop patches as they are now included upstream. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/qemu: fix build of host-qemu on systems with old kernel headersThomas Petazzoni2019-02-141-0/+60
| | | | | | | | | | | | | | | | | Qemu assumes that when <linux/usbdevice_fs.h> is available, it can build its USBFS code. However, some systems have <linux/usbdevice_fs.h>, but it doesn't provide all the definitions that Qemu needs, causing a build failure. In order to fix this, we introduce a Qemu patch that improves the check that determines whether USBFS support should be enabled or not. Fixes: http://autobuild.buildroot.net/results/c4af5505f80e1e6185df70d191e85d9393df5795/ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mender: change to use release archiveAngelo Compagnucci2019-02-142-2/+3
| | | | | | | | Relase archive is distributed with depencies, this prevents the go build system to download them. Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19, 20}.x seriesPeter Korsgaard2019-02-141-5/+5
| | | | Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/efivar: needs host gcc >= 4.8Thomas Petazzoni2019-02-142-4/+9
| | | | | | | | | | | | | | | | | The efivar code compiled for the host machine uses __builtin_bswap16(), which is only available starting from gcc 4.8: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52624 So let's add a dependency on host gcc >= 4.8 to efivar and its unique reverse dependency, efibootmgr. Fixes: http://autobuild.buildroot.net/results/48ba906bb6f4dc0c8af43ec11be64f7168dd62fd/ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/docker-containerd: fix typo in uclibc dependencyThomas Petazzoni2019-02-141-1/+1
| | | | | | | | | | | | | | | | Commit 6e3f7fbc072c88ab344f2ffa39e402464b566f19 ("package/runc: add upstream security fix for CVE-2019-5736") added a dependency of docker-containerd to uclibc (inherited from runc), but the depends on has a typo that makes it ineffective. Due to this, docker-containerd can still be selected in uClibc configurations, causing runc to be build, and failing to build due fexecve() being missing in uClibc. Fixes: http://autobuild.buildroot.net/results/64ecdb1e007106fdb05979b10b42b90591255504/ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docker-engine: fix runc version check warningChristian Stewart2019-02-121-0/+45
| | | | | | | | | | | | Fixes the startup warning from Docker: failed to retrieve runc version: unknown output format: runc version commit ... Introduces a patch to replace the faulty version detection logic in the Docker engine. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docker-engine: bump to v18.09.2Christian Stewart2019-02-122-2/+2
| | | | | Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docker-cli: bump to v18.09.2Christian Stewart2019-02-122-2/+2
| | | | | Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docker-containerd: bump to v1.2.3Christian Stewart2019-02-122-2/+2
| | | | | Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mongodb: new packageFabrice Fontaine2019-02-125-0/+192
| | | | | | | | | | | | | | | | | | | | | | | Here is the list of the changes compared to the removed mongodb 3.3.4 version: - Remove patch (not applicable anymore) - Add patch (sent upstream) to fix openssl build with gcc 7 and -fpermissive - Remove 32 bits x86 platforms, removed since version 3.4: https://docs.mongodb.com/manual/installation/#supported-platforms - Change license: since October 2018, license is SSPL: - https://www.mongodb.com/community/licensing - https://jira.mongodb.org/browse/SERVER-38767 - gcc must be at least 5.3 so add a dependency on gcc >= 6 - Add a dependency on host-python-xxx modules: https://github.com/mongodb/mongo/blob/r4.0.6/docs/building.md - Use system versions of boost, pcre, snappy, sqlite, yaml-cpp and zlib instead of embedded mongodb ones - Add hash for license files Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Tested-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-typing: add host variantFabrice Fontaine2019-02-121-0/+1
| | | | | | | host-python-typing is needed for mongodb 4.0.6 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-pyyaml: add host variantFabrice Fontaine2019-02-121-0/+2
| | | | | | | | host-python-pyyaml is needed for mongodb 4.0.6 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> [Peter: s/HOST_PYTHON/HOST_PYTHON_PYYAML/] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libyaml: add host variantFabrice Fontaine2019-02-121-0/+1
| | | | | | | host-libyaml is needed for host-python-pyyaml Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/runc: add upstream security fix for CVE-2019-5736Peter Korsgaard2019-02-124-6/+347
| | | | | | | | | | | | | | | | | | | | | | | The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: * Creating a new container using an attacker-controlled image. * Attaching (docker exec) into an existing container which the attacker had previous write access to. For more details, see the advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2 The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate to the reverse dependencies (containerd/docker-engine). Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ghostscript: add upstream security fixesBaruch Siach2019-02-126-0/+1715
| | | | | | | | | | CVE-2019-6116: Remote code execution. https://www.openwall.com/lists/oss-security/2019/01/23/5 Cc: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libarchive: add upstream security fixesBaruch Siach2019-02-122-0/+124
| | | | | | | | | | CVE-2019-1000019: Crash when parsing some 7zip archives. CVE-2019-1000020: A corrupted or malicious ISO9660 image can cause read_CE() to loop forever. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sqlcipher: force libopensslMatt Weber2019-02-121-0/+1
| | | | | | | | | | | | | | v3.2.0 has a bug in the configure step which causes it to fail when being built against libressl. As libopenssl is selected as the default, the autobuilders have not uncovered this failure. The issue has been confirmed in LTS 2018.02.10 (probably broken prior to that as well) and is not related to the Openssl bump to 1.1.x. Thread with more details http://lists.busybox.net/pipermail/buildroot/2019-February/243133.html Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jpeg-turbo: add upstream security fixesBaruch Siach2019-02-122-0/+90
| | | | | | | | | | | | | CVE-2018-20330: Integer overflow causing segfault occurred when attempting to load a BMP file with more than 1 billion pixels using the `tjLoadImage()` function. CVE-2018-19664: Buffer overrun occurred when attempting to decompress a specially-crafted malformed JPEG image to a 256-color BMP using djpeg. Cc: Murat Demirten <mdemirten@yh.com.tr> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* openssh: add upstream security fixesBaruch Siach2019-02-122-0/+461
| | | | | | | | | | | | | | | | | | | | CVE-2019-6109: Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. CVE-2019-6111: Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenPOWER on IntegriCloud