Includes fixes:
* 3.7.14:
* CVE-2020-10735: Prevent DoS by large int<->str conversions
* CVE-2021-28861: http.server: Open Redirection if the URL path starts with //
* 3.7.16:
* CVE-2022-45061: Slow IDNA decoding with large strings
* CVE-2022-37454: Buffer overflow in the _sha3 module
* CVE-2015-20107: mailcap.findmatch: document shell command Injection danger in filename parameter
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fixes multiple CVEs. Upstream changelog is
https://ftp.isc.org/isc/bind9/9.16.37/CHANGES
CVEs fixed:
CVE-2022-3924: Fix serve-stale crash when recursive clients soft quota
is reached.
CVE-2022-3736: Handle RRSIG lookups when serve-stale is active.
CVE-2022-3094: An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
While running `make menuconfig`, it was discovered then there is a
recursive dependency like this:
tmp/.config-package.in:59138:error: recursive dependency detected!
tmp/.config-package.in:59138: symbol PACKAGE_libwebsockets-openssl is selected by PACKAGE_libwebsockets-mbedtls
tmp/.config-package.in:59122: symbol PACKAGE_libwebsockets-mbedtls depends on PACKAGE_libwebsockets-openssl
It is not possible with the recently added conflicts that two packages
(OpenSSL and full variant, which uses OpenSSL as well), which are almost the same
provides the same named package libwebsockets as their conflict - Mbed
TLS.
Fixes: 676c5c72b5 ("libwebsockets: OpenSSL
and mbedTLS variants should conflict")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit a4e8cbb89a)
They provide the same files, but they don't conflict to each other, this
means that users can install them side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 676c5c72b5)
For some time, it is not possible to install ttyd and mosquitto-ssl at the
same time, so let's solve it that libwebsockets-full provides
libwebsockets-openssl. This allows to install ttyd and mosquitto at
the same time.
Also, we need to add conflict, because we should not have installed
libwebsockets-openssl and libwebsockets-full at the same time as they
provides the same files.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 77e682a11c)
This is similar to commit f303e87a1e
("nss: update to 3.67") as there is something wrong with NSS build
system and otherwise this package fails to compile. Let's compile it
single threaded.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
- Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1
- Update the configuration file to use version 4.0 as mentioned in the
release notes to try the latest changes
Fixes: CVE-2022-38725
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 34b7af9e08)
This adds conflicts between the variants,
because they provide the same files, and it should not be
possible to install them side by side. Otherwise, it might happen that
half files would be from one variant and the other half from the
other.
Also, adds provides as if you request to install ``vim`` and
``vim-full``, then the request could be satisfied even they collide,
because ``vim-full`` provides ``vim`` package.
Signed-off-by: Karel Kočí <cynerd@email.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add commit message]
(cherry picked from commit 46c058468a)
makes LuaJit builds for mpc85xx targets with SPE ISA extension
enabled possible
Quoting inner commit message:
This allows building LuaJit for systems with Power ISA SPE
extension[^1] support by using soft float on LuaJit side.
While e500 CPU cores support SPE instruction set extension
allowing them to perform floating point arithmetic natively,
this isn't required. They can function with software floating
point to integer arithmetic translation as well,
just like FPU-less PowerPC CPUs without SPE support.
Therefore I see no need to prevent them from running LuaJit
explicitly.
[^1]: https://www.nxp.com/docs/en/reference-manual/SPEPEM.pdf
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
(cherry picked from commit a4a484fbca)
Installing the .pc files helps other programs to detect
the presence of libsasl2.
While at, reduce the glob pattern a little bit to not
include unneeded symlinks.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit c9ce769b1a)
cdn.postfix.johnriley.me serves a certificate for a different domain
name.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit d4feef97e6)
libarchive looks for ext2fs headers during configure, and if it finds
them it will expect to find them during compile, or on the rare occasion
when they aren't it will fail:
libarchive/archive_entry.c:59:55: fatal error: ext2fs/ext2_fs.h: No such file or directory
As we just need headers for some type constants, let's re-use headers
from tools/e2fsprogs package which are always available.
Reported-by: Adam Dov <adov@maxlinear.com>
Suggested-by: Paul Eggleton <paul.eggleton@linux.intel.com>
References: https://git.yoctoproject.org/poky/commit/?id=f0b9a7cf9f80be1917e45266fa201f464a28c1e5
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 797945dfaa)
The postinst script is sourced during image build, which causes the
follow failure:
/home/stijn/Development/OpenWrt/openwrt/build_dir/target-x86_64_musl/root-x86/etc/init.d/lxc-auto: line 3: /lib/functions.sh: No such file or directory
postinst script ./usr/lib/opkg/info/lxc-auto.postinst has failed with exit code 1
Sourcing /lib/functions.sh is not needed, as /etc/rc.common does so
already. Unfortunately removing that line from the init script is not
enough to fix the problem. The postinst script should also check
IPKG_INSTROOT. As these two changes are unrelated, they should go in
separate commits, and the solution to the image build problem is to
revert the commit that introduced the breakage.
This reverts commit 2cde10b950.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
otherwise, a user would have to either manually run /etc/init.d/lxc-auto
boot or reboot the system to start using lxc.
originally committed in 2cde10b950
reverted in 039912dec5
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 7da7356539)
fix ldconfig build issue. This patch is a backport from upstream:
18c9cf7d37
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
(cherry picked from commit 42c4d25455)
Commit 9bcea2de2c causes a dependency
problem with some out-of-tree packages which expect "DEPENDS:=+kmod-pcspkr".
To fix this problem, this commit restores a dependency definition to
the previous one on x86 target.
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
(cherry picked from commit 8b1216fb49)
Beep is a target-independent software that can handle buzzers controlled by kmod-gpio-beeper.
This change is useful for some non-x86 enterprise APs and development boards
that have a buzzer connected to GPIO.
Compile-tested: ath79, ELECOM WAB-I1750-PS, 3fab4ac + device support patch
Run-tested: ath79, ELECOM WAB-I1750-PS, 3fab4ac + device support patch
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
(cherry picked from commit 9bcea2de2c)
This can be finally re-reverted, so we can use version 3.1.13, which
fixes multiple security vulnerabilities, but it segfaults almost
immediately. There is currently pending pull request, which fixes this,
and multiple users confirmed that it works on different GNU/Linux distributions.
This reverts commit bfe255064e.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tianling Shen