Fixes the following security issue for the internal TLS backend:
- CVE-2021-30004: In wpa_supplicant and hostapd 2.9, forging attacks may
occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c
and tls/x509v3.c.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a8fbe67b9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue for the internal TLS backend:
- CVE-2021-30004: In wpa_supplicant and hostapd 2.9, forging attacks may
occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c
and tls/x509v3.c.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d65586f45a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build of http::sconesite::image module was silently broken until commit
d3b818c3cf
However, sconeserver fails to build with ImageMagick because:
- it checks for ImageMagick++.pc instead of ImageMagick.pc
- it uses the transform function which has been removed from the public
API since version 7.0.1-0 and
06f590165f
As sconeserver does not seem to be maintained anymore, drop
BR2_PACKAGE_SCONESERVER_HTTP_SCONESITE_IMAGE.
Fixes:
- http://autobuild.buildroot.org/results/895ab582d1140f7677fc1c6934fa2e0c47c49f20
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: add legacy symbol. It costs us exactly nothing, and if someone
actually had that selected, they know what's going on.]
(cherry picked from commit fdb6fc2b4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Let's use the _BUG_ form for disabling this package instead of BR2_nios2
architecture as we already use it for other packages.
Propagate this dependency to postgis. Also add the missing dependency on
bug 21464 to postgis.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
- put 27597 after 21464 instead of before it;
- propagate dependency to postgis;
- mention the bugs in the comments.
]
(cherry picked from commit 72eba37e52)
[Peter: drop postgis logic, not in 2021.02.x]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since its introduction in commit
b05e74ff92 in 2013, numactl has had an
explicit list of architectures that it supports. Interestingly, this
list does not include ARM, and now that rt-tests unconditionally needs
numactl, it meant the rt-tests package was no longer available on ARM.
Further investigation revealed that there is nothing in recent
versions of numactl that appears to be architecture-specific. It does
build with all of Buildroot toolchains currently used in the
autobuilders.
The only necessary changes are:
* Exclude no-MMU architectures, as madvise() is used in the code
base, and this is not available on no-MMU architectures.
* Make sure to use -latomic when needed, as some atomic operations
are used.
* Backport a patch that fixes the .symver usage, which only affects
really old gcc versions: only the old ARM Sourcery toolchain was
affected by this. Newer gcc versions support the gcc "symver"
attribute, so that the code that directly emits the assembly
.symver directive is not invoked.
With these changes, numactl builds successfully on all our supported
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4ed540ddf5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit a646cd27b1 (package/freescale-imx/imx-vpu: bump version to
5.4.39.3) somehow messed up when updating the hashes of the license
files:
>>> imx-vpu 5.4.39.3 Collecting legal info
ERROR: EULA has wrong sha256 hash:
ERROR: expected: a39da2e94bd8b99eaac4325633854620ea3a55145259c3a7748c610a80714cfc
ERROR: got : 7ffad92e72e5f6b23027e7cf93a770a4acef00a92dcf79f22701ed401c5478c0
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
ERROR: COPYING has wrong sha256 hash:
ERROR: expected: 69cbb76b3f10ac5a8c36f34df7bbdf50825815560c00a946fff2922365ef01a2
ERROR: got : 2ceab29de5ea533b86f570bcc4e9ddbfb5fe85a1da4978a8613ff3fd9bed781d
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
The most probable cause is some confusion with imx-vpu-hantro, as the
faulty hashes reported above are those found in imx-vpu-hantro.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[yann.morin.1998@free.fr: rewrite commit log with a probable reason]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 96142a5426)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://security-tracker.debian.org/tracker/CVE-2019-6293
https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
"But this bug does not cause stack overflows in the generated code.
The function and file referred to in the bug (mark_beginning_as_normal
in nfa.c) are part of the flex code generator, not part of the
generated code. If flex crashes before generating any code, that
can hardly be a vulnerability. If flex does not crash, the generated
code is fine (or perhaps subject to other unreported bugs, who knows,
but the NFA has been generated correctly)."
Upstream has chosen to not provide a fix
https://github.com/westes/flex/issues/414
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: use actual upstream URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 120d1241d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode.
There was also a bug in dhcpd relating to the use of this function
per its documentation, but the bug in the library function
prevented this from causing any harm. All releases of dhcpd from
ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known
to not present issues like this.
Affects: Builds of dhcpd versions prior to version 4.4.1 when
using BIND versions 9.11.2 or later.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 23fb8dd2d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want bash to be installed as /bin/bash. For ages, Buildroot has
been doing this by overriding exec_prefix at install time. First of
all, it would be preferred to do this at configure time. But also,
overriding exec_prefix not only changes where "bash" goes, but also
where the pkgconfig file goes. Due to this, bash.pc goes into
/lib/pkgconfig/, and doesn't get removed by target-finalize.
Since all we want is to have 'bash' as /bin/bash, simply pass
--bindir=/bin at configure time. This allows using the default target
installation logic for autotools-package. We keep a post-install
target hook to remove /bin/bashbug.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 73aed53c82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix vulnerability to DNS-rebind attacks.
This security fix addresses the same vulnerability issue which was reported
for libupnp (which libnpupnp is derived from) in CVE-2021-29462.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit adea5b316e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From https://www.lesbonscomptes.com/upmpdcli/pages/releases.html:
2021-03-13 libnpupnp 4.1.1
* Fix HEAD requests. Samsung TVs now work with Gerbera + libnpupnp
2021-03-13 libnpupnp 4.1.0
* Send SERVER and USER-AGENT headers in misc places where mandated or useful.
* Add API for the client code to set the user-agent and server string values
* Fix building and running with --disable-ipv6
* Misc portability fixes.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e1fa1334d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>