35780 Commits

Author SHA1 Message Date
Giulio Benetti
89029b28b5 package/civetweb: fix linking failure caused by wrong argument passed to pkg-config
On commit 027a8b29f1e62d5ff5bbb15b79376614f902a680 pkg-config has been
added to retrieve OpenSSL dependencies, but it has been passed `libssl`
instead of `openssl`, which makes some linking fail. Indeed we need the
OpenSSL dependency, so let's use `openssl` with pkg-config.

Substitute `libssl` with `openssl`.

Fixes:

  http://autobuild.buildroot.net/results/b225425ee237852bd9fee4ca0b8d24f3e37d64f9/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e38641851a1bc334e6fb0a019ccf3af91098182f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:22:37 +02:00
Giulio Benetti
18f8a9d00c package/civetweb: fix link failure due to missing OpenSSL dependency
During linking one OpenSSL dependency (-latomic) is missing from the
linking library list.

- Substitute explicit library list with `pkg-config libssl` when
  BR2_PACKAGE_OPENSSL is enabled. In this way all needed libraries
  will be included in the linking list.

- Also add `host-pkgconf` to CIVETWEB_DEPENDENCIES if
  BR2_PACKAGE_OPENSSL is enabled to make it available for the previous
  point.

Fixes:

  http://autobuild.buildroot.net/results/b2e210bdefe84f4ec9cfda79a33d81788fb7e66c/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 027a8b29f1e62d5ff5bbb15b79376614f902a680)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:22:26 +02:00
Fabrice Fontaine
bc70d3b66d package/tor: fix static build with openssl and atomic
Update patch so -latomic (provided in LIBS) is added after openssl libs
(provided in $3)

Fixes:
 - http://autobuild.buildroot.org/results/4b90b7d02e354ebf3d8f95023547bf4a18e0165e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 73c04d9448f9172eb2174ed3c891ac2953eff6d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:21:35 +02:00
Peter Korsgaard
0341ab3a75 package/tpm2-tss: add upstream patch to drop hardcoded -lgcrypt from tss2-esys.pc
tss2-esys.pc contains a hardcoded -lgcrypt even though the openssl crypto
backend (as in Buildroot) may be used, leading to linker errors when using
esys.

Given that tpm2-tss doesn't allow static linking, there is no need to
explicitly list the crypto library dependency.

Cherry-pick an upstream patch to fix this.  Notice that the upstream patch
also changes the default crypto backend to openssl.  As this isn't strictly
needed (we explicitly configure for openssl) and requires autoreconf, drop
the configure.ac hunk from the patch.

https://github.com/tpm2-software/tpm2-tss/pull/1173

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55c4f7ca4b3616cbc48f464d9f803eb10f7a908d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:20:34 +02:00
Peter Korsgaard
650c2a5dcf package/tpm2-tools: license is 3c BSD, not 2c
The license contains the "no endorsement" clause, so it should be listed as
BSD-3-Clause:

  * Neither the name of Intel Corporation nor the names of its contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 92c7310d5be2956d2f609013289cc85073deac24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:19:37 +02:00
Giulio Benetti
3db5c4ebb2 package/android-tools: host-android-tools needs pkg-conf
The host version of this package needs pkg-conf the same way as the target
package: for retrieving library dependencies in Makefiles.

Fixes:

  http://autobuild.buildroot.net/results/8543eb3815a67747349a2e60654d19b9804a3a89/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8bd63b0b4a39d42ff35132a8fd18f50722bb6b1f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:18:44 +02:00
Giulio Benetti
a0260950e8 package/android-tools: fix static linking failure due to OpenSSL dependencies
When static linking, some dependency library can be missing
(i.e. -latomic for -lcrypto) from the linking libraries list. This is
because when static linking, library dependencies are not
transparently linked into the binary.

To avoid moving libraries before/after one another or adding new ones
that are not needed at all in the dynamic linking case, we use `pkg-config --libs
LIBRARY` where LIBRARY is the library we "probe" for its existence and
dependencies.

In this commit, we:

- Remove 0005-fix-static-link-zlib.patch where -lcrypto and -lz were
  swapped, as it is no longer needed thanks to the following point.

- Replace it with 0005-Use-pkgconf-to-get-libs-deps.patch where
  -lcrypto has been substituted with `pkg-config --libs libcrypto`

- Add host-pkgconf to ANDROID_TOOLS_DEPENDENCIES

Fixes:

  http://autobuild.buildroot.net/results/d3d6679cfc8afe4467368bd3d31483172c1032de/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e4f77a2e4ae42fa999be17eb48574363e0e51e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:18:35 +02:00
Sørensen, Stefan
5eee309aeb package/gnutls: security bump to 3.6.7.1
Fixes the following security issues:

 * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
   that there is an uninitialized pointer access in gnutls versions 3.6.3 or
   later which can be triggered by certain post-handshake messages

 * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
   before 3.6.7. A memory corruption (double free) vulnerability in the
   certificate verification API. Any client or server application that
   verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:

https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html

HTTP URLs changed to HTTPS in COPYING, so update license hash.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1dd5576ccb8eadeb8672c8b22df86f4f41dce1d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:16:27 +02:00
Peter Korsgaard
eef631fe89 package/docker-cli: bump to version v18.09.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 426103703df02b0038cd1524fe5edf530265f771)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:14:15 +02:00
Peter Korsgaard
55688518cb package/docker-engine: bump to version v18.09.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37371ff4f6718409ca9f23be297b8ba3974bcf2a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:14:08 +02:00
Peter Korsgaard
b642a660c5 package/docker-containerd: refer to official website
Containerd is no longer maintained under the docker github project and now
has an official website, so refer to that in the help text.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 638504bcdf98d44b09d7964ebaccb81137af1455)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:13:59 +02:00
Peter Korsgaard
e562f33a9d package/docker-containerd: bump version to v1.2.5
Contains a number of bugfixes. For more details, see the announcement:

https://github.com/containerd/containerd/releases/tag/v1.2.5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 20af865354ed4e816ddcfd617cc18f8dedb9159e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:13:38 +02:00
Peter Korsgaard
4b57a7161b Revert "runc: depend on linux headers >= 3.11 for O_TMPFILE"
This reverts commit 905e976a6af224b3ed015c46fcea2d717c155f55.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4b13a216921ca88dfdd340e5cf12df1b970a9caa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:12:07 +02:00
Peter Korsgaard
a0ab62a737 Revert "package/runc: blacklist Codesourcery ARM toolchain"
This reverts commit ce76a989022baa6395b874ed44b9246bba053f8a.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 18fb2167f7f41bd5702860d35459a0f498d941a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:09:14 +02:00
Peter Korsgaard
8c5de3f841 package/runc: bump to version 1.0.0-rc7
This includes an improved fix for CVE-2019-5736 without the ~10MB memory
overhead per container and with fallback code using mkostemp(3) when
O_TMPFILE isn't available.

For more details, see the announcement:
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc7

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56f495a07838fe898d995f572c0efac21ed61902)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:09:04 +02:00
Bernd Kuhls
e2825e92a9 package/php: security bump to version 7.3.4
Changelog: https://www.php.net/ChangeLog-7.php#7.3.4

Fixes these bugs, CVE-ID were not assigned yet:

    Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s).
    Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 614c1e2edde9378f87572412d0f86c24308d6547)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:33:22 +02:00
Fabrice Fontaine
3d1cdb23f3 package/numactl: remove unneeded patches
Both patches are already included (a bit earlier in the file) in version
2.0.12, so drop the patches.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0fda716432fb43c0d275c7194a33a20d106acdf9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:32:35 +02:00
Peter Korsgaard
a1d6549359 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.0.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ab5fbbd640a05076c0799d966f46409b70bf9b0e)
[Peter: drop 5.0.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:31:44 +02:00
Francois Perrad
ea80b3ccbc package/copas: avoid loading module coxpcall with LuaJIT
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4fdbe7f9ed765c81c7be80d2bdc38ecd87a66dd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:29:35 +02:00
Francois Perrad
f64a25a099 package/wsapi: update coxpcall dependency
Since version 1.7, coxpcall is only required with Lua 5.1.

See https://github.com/keplerproject/wsapi/pull/41

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b7b8a7f3ac2c32d6fde841795ac09b7b9f296219)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:27:34 +02:00
Fabrice Fontaine
9b7ef67df9 package/sane-backends: security bump to version 1.0.27
- Switch site to gitlab
- Remove second patch (already in version)
- Use new --{with,without}-usb option
- Add hash for license file
- Fix CVE-2017-6318

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a911b7d2297dcd22a8c0893916c79bf92290f63b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:25:13 +02:00
Peter Korsgaard
df9da3c39d package/wget: security bump to version 1.20.3
Fixes CVE-2019-5953: Buffer overflow vulnerability

For more details, see the announcement:
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00015.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d732da7a2088f375aa7fd59860589c9b81568ae5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:24:42 +02:00
Calin Crisan
23cf26dec0 Merge remote-tracking branch 'thingos/dev' into dev 2019-04-07 20:22:11 +03:00
Calin Crisan
b3b1cebc4f Raspberry Pi (all): add hashes for firmware & userland 2019-04-07 20:21:51 +03:00
Calin Crisan
14a17073b6 Merge remote-tracking branch 'thingos/dev' into dev 2019-04-06 22:21:44 +03:00
Calin Crisan
8a292fa9ab Raspberry Pi (all): update kernel, firmware & userland 2019-04-06 22:21:16 +03:00
Samuel Mendoza-Jonas
7271600bd3 package/make: include patch for gl_lstat support
Include upstream commit 193f1e8 "glob: Do not assume glibc glob
internals". Without this, building glibc with host-make fails
with a segfault in make:

>>> glibc glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 Building
PATH="/scratch/builds/host-make/host/bin:/scratch/builds/host-make/host/sbin:/home/sam/bin:/home/sam/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"  /scratch/builds/host-make/host/bin/host-make -j25  -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1/build
/scratch/builds/host-make/host/bin/host-make -r PARALLELMFLAGS="" -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 objdir=`pwd` all
Segmentation fault (core dumped)

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a07f69c81750f1196d6029dcd26521d9a9ab5306)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-06 09:14:37 +02:00
Peter Korsgaard
17e2e102dc package/tpm2-tools: drop unused dbus / libglib2 dependencies
tpm2-tools does not need dbus or libglib2, so remove them and the
corresponding toolchain dependencies.

The confusion may have come from the upstream travis configuration, which
also builds tpm2-abrmd (which uses dbus+libglib2).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f63a58c35018d55bb56900922bd81369e214e4a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:48:29 +02:00
Peter Korsgaard
c0b8ab6dae package/tpm2-tools: bump version to 3.1.4
Fixes a number of issues discovered post-3.1.3, including a completely
broken -T option handling.  For details, see:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.1.4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7a36629d6dfb03b4310ad154b003a5d07fd4b12)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:22 +02:00
Peter Korsgaard
0050961283 package/tpm2-tss: bump version to 2.1.2
Fixes a number of issues discovered post-2.1.1. For details, see:
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c47079d38a212074326570fda6c1fccad8acb07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:03 +02:00
Peter Korsgaard
2fc6b8ad5f package/webkitgtk: bump version to 2.22.7
2.22.7 contains a number of bugfixes. From the announcement:

 - Fix rendering of glyphs in Hebrew (and possibly other languages) when
   Unicode NFC normalization is used.

 - Fix several crashes and race conditions.

https://webkitgtk.org/2019/03/01/webkitgtk2.22.7-released.html

Change SITE to https as the webserver uses HSTS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d484ba63b58c01ba6d723341ab91e83aaf2632ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:45:59 +02:00
Peter Korsgaard
78c2b9252b package/libfuse: bump version to 2.9.9
Contains a number of fixes for issues discovered post-2.9.8.  From the
release notes:

- Fixed readdir bug when non-zero offsets are given to filler and the
  filesystem client, after reading a whole directory, re-reads it from a
  non-zero offset e.g.  by calling seekdir followed by readdir.

https://github.com/libfuse/libfuse/releases/tag/fuse-2.9.9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6d842fea292662ab944777d82d766e56cb8320)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:33:02 +02:00
Peter Korsgaard
d09d5a8411 package/libfuse: only install udev rules if (e)udev is enabled
No point in installing udev rules if nothing will use them.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4cba22bbfa21ac27d28cfb7e9973c2c91e30568f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:46 +02:00
Norbert Lange
4c5958664e package/libfuse: Install udev rules and set permissions
This fixes some omissions from the installation.

Install the udev rules.

Tell buildroot about the fuse device.

Apply setuid permissions on the fusermount tool.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea62ff85b59aa1ff7757787061eb451b4b4780df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:39 +02:00
Peter Korsgaard
ef4aa12229 package/go: security bump to version 1.11.6
Fixes the following security vulnerability:

CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5.  CRLF
injection is possible if the attacker controls a url parameter, as
demonstrated by the second argument to http.NewRequest with \r\n followed by
an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 21:56:19 +02:00
Peter Korsgaard
d54047a1e0 package/wget: security bump to version 1.20.2
From NEWS:

* Changes in Wget 1.20.2
** Fixed a buffer overflow vulnerability

For more details, see the announcement:
https://lists.gnu.org/archive/html/info-gnu/2019-04/msg00000.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c21d440c8a79a6af284ec5793481d1b8a0b298ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:49 +02:00
Peter Korsgaard
9f1a21a29c package/apache: security bump to version 2.4.39
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
     request from http/1.1 to http/2 that was not the first request on a
     connection could lead to a misconfiguration and crash. Servers that
     never enabled the h2 protocol or only enabled it for https: and
     did not set "H2Upgrade on" are unaffected by this issue.
     [Stefan Eissing]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparison when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
     MPMs unix: Fix a local privilege escalation vulnerability by not
     maintaining each child's listener bucket number in the scoreboard,
     preventing unprivileged code like scripts run by/on the server (e.g. via
     mod_php) from modifying it persistently to abuse the privileged main
     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparison when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
     mod_auth_digest: Fix a race condition checking user credentials which
     could allow a user with valid credentials to impersonate another,
     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.

  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
     Merge consecutive slashes in URLs. Opt-out with
     `MergeSlashes OFF`. [Eric Covener]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 556ad6c25bb574cbfe05631cceb4329d69b49cad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:16 +02:00
Max Filippov
5a40c0126c package/binutils: fix loops relaxation in xtensa gas
Loop relaxation logic in xtensa gas may produce code in which the LEND
register doesn't match the actual zero overhead loop end. Fix relaxation
code so that it produces a literal or a pair of const16 instructions
with an associated relocation record that works correctly in the presence
of other relaxations. This fixes a crash in the X11 server caused by window
movement.

Loop relaxation was limited to a 32K range; this fix removes this
limitation.

Fixes:
http://autobuild.buildroot.net/results/e05522ce540f4ac23f9a3a8fec724694d9a23101/

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 2.32 patch]
(cherry picked from commit 197b5f9d1c23237d39db146f0396b63f4e6270bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:42:41 +02:00
Fabrice Fontaine
e0f8bcf2dc package/gerbera: fix static build with openssl
Fixes:
 - http://autobuild.buildroot.org/results/10098c8972725d54b717ddc8ea41f4de5e5b066d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38730bfdf6101c1a9e8d4eef8331e12aca145ea0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:41:31 +02:00
Nityananda Padhan
3b5cb1fd42 package/libxslt: change download site to http
ftp is blocked on some (corporate) networks.

Signed-off-by: Nityananda Padhan <ntneitin@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 58ea5f583585e6ec42a3caa568f9fc931d632526)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:40:39 +02:00
Nityananda Padhan
cf94425209 package/libxml2: change download site to http
ftp is blocked on some (corporate) networks.

Signed-off-by: Nityananda Padhan <ntneitin@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 16e5ec5475fbce69ab0794589807ad7f9c1c3d5d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:40:32 +02:00
Fabrice Fontaine
f08d01ed05 package/tiff: security bump to version 4.0.10
- Drop patch (already in version)
- Add hash for license file
- Fix around 10 CVEs:
  https://www.cvedetails.com/vulnerability-list/vendor_id-2224/product_id-3881/version_id-216413/
- Add an upstream patch for CVE-2019-6128

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f0d4873b3c2cd9cd98cdf9476463ed210e3560ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:39:29 +02:00
Norbert Lange
7c4be8b34d package/pkg-generic: depend on host-{xz, lzip} only for fitting archives
Currently, host-xz and host-lzip are built as soon as the
corresponding tools are not provided by the system, independently of
whether they are really needed by the Buildroot configuration. This is
particularly annoying for host-lzip, which is only needed for very few
packages.

This commit modifies the generic package infrastructure to only add
host-lzip and host-xz as dependencies when really needed.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
[Thomas:
 - improve commit log
 - as suggested by Yann E. Morin, make the lzip case similar to the xz
   case]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 004960e967a559e59e58fbc0848212e4ebecab62)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:38:18 +02:00
Arnout Vandecappelle (Essensium/Mind)
54d556c0b7 package/gstreamer1/gst-omx: make variant mutually exclusive
Commit cc419509506 added the GST_OMX_VARIANT option which gets a default
value that gets overridden by subsequent conditions. check-package
doesn't like that, so instead make the three cases explicitly mutually
exclusive.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5b217aad9c0242209e41155280b91a8d79fee305)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:36:15 +02:00
Peter Korsgaard
5ac0076598 package/gstreamer1/gst-omx: default to pass --with-omx-target=generic
target defaults to none, which isn't a legal target:

configure: Using none as OpenMAX IL target
configure: error: invalid OpenMAX IL target, you must specify one of --with-omx-target={generic,rpi,bellagio,tizonia,zynqultrascaleplus}

Instead default to 'generic', fixing the build with e.g. nvidia-tegra23.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc419509506573ed040dd4487c2d79ae36c24b13)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:36:08 +02:00
Peter Korsgaard
200cacbf48 package/live555: security bump to version 2019.03.06
Fixes the following security issues:

- CVE-2019-6256: A Denial of Service issue was discovered in the LIVE555
  Streaming Media libraries as used in Live555 Media Server 0.93.  It can
  cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when
  RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in
  a GET request and a POST request within the same TCP session.  This occurs
  because of a call to an incorrect virtual function pointer in the
  readSocket function in GroupsockHelper.cpp.

- CVE-2019-7314: liblivemedia in Live555 before 2019.02.03 mishandles the
  termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up,
  which could lead to a Use-After-Free error that causes the RTSP server to
  crash (Segmentation fault) or possibly have unspecified other impact.

- CVE-2019-9215: In Live555 before 2019.02.27, malformed headers lead to
  invalid memory access in the parseAuthorizationHeader function.

The normal live555 web site is temporarily unavailable, so use an
alternative _SITE / drop upstream hash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed30a85e5a327dc2c0a840b3ee3ba3ad41400c9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:33:18 +02:00
Fabrice Fontaine
bc0e0efac8 package/rpm: security bump to 4.14.2.1
- Remove first and second patches (already in version)
- Remove third and fourth patches (not needed since:
  245b5a3b4b)
- Add hash for license file
- Drop autoreconf (as configure.ac is not patched anymore)
- Use new --with-crypto option
- Restrict symlink following on installation (CVE-2017-7500,
  CVE-2017-7501)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b4cc264d937a42e11f23e8a24a18d292fe7499c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:29:51 +02:00
Bernd Kuhls
9c51de0bd1 package/znc: security bump to version 1.7.3
Changelog: https://wiki.znc.in/ChangeLog/1.7.3

Fixes CVE-2019-9917:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917
- ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial
  of Service (crash) via invalid encoding.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 601d9cced09e59b386ead70e1125781d42e8bdd1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:26:38 +02:00
Fabrice Fontaine
b39d75838b package/thttpd: security bump to version 2.29
- Switch site to "real" upstream instead of debian as debian does not
  have the latest version
- Drop patch (not needed anymore as getline was renamed to my_getline)
- Add hash for license file
- Fix CVE-2013-0348 and CVE-2017-17663

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 48e6230e5fd764f301aa9509938957700799959d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:26:15 +02:00
Peter Korsgaard
1e91555584 package/dovecot: security bump to version 2.3.5.1
Fixes the following security issue:

 * CVE-2019-7524: Missing input buffer size validation leads into
   arbitrary buffer overflow when reading fts or pop3 uidl header
   from Dovecot index. Exploiting this requires direct write access to
   the index files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3c53aa8a1eeff63cfe7a5e80ad00cce503119cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:25:55 +02:00