- Fixes CVE-2023-50868 and CVE-2023-50387
- Also, the resolver has not been called 'Knot DNS Resolver' for quite
some time, so fix that, too.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
(cherry picked from commit 1131acf57f)
This is the latest version and brings compatibility with OpenSSL 3.0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 78dcc29e47)
Add a patch which removes a call in Libxml2Parser.cc to 'xmlSetFeature'.
This function belongs to the 'deprecated' API part and is not
available in OpenWrt builds.
According to my understanding, this call can be removed safely since
it disables the feature "substitute entities" which is disabled by default.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 3ec47dc85c)
Fixes vulnerabilities:
- Improper Neutralization of Special Elements (CVE-2023-42117)
- dnsdb Out-Of-Bounds Read (CVE-2023-42119)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 86ec7b19bc)
Backport PCRE2 patches from upstream and move package to PCRE2 library
as PCRE is EOL and won't receive any security update anymore.
Patches are backported with minimal change, only the Changelog change is
commented out as it would conflict and makes no sense to adapt for the
purpose of backport patches.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5b929fde5f)
In preparation to PCRE2 fixup, use autoreconf PKG_FIXUP as a better
configure system instead of configure script. This is needed to reduce
upcoming patch to migrate to PCRE2 library.
To correctly use autoreconf it's needed to declare empty
PKG_REMOVE_FILES.
zsh includes a custom macro in the default aclocal.m4.
When autoreconf PKG_FIXUP is used, if PKG_REMOVE_FILES is not defined,
it's set to remove the file aclocal.m4 by default resulting in problem
with the custom macro AC_PROG_LN.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
[ split into 2 commits, add PKG_REMOVE_FILES, reword commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit a7f837c98b)
This is a security release.
JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which
could be triggered by externally-supplied input. Found by Trend Micro.
CVE-2023-42115
JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42116
JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42114
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7c8f4a2a1c)
Move atftp to PCRE2 as PCRE is flagged as EOL and won't receive security
updates anymore.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit f81a1a1212)
Bump to release 0.8.0. Autoreconf is now needed to correctly compile the
package.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 364fe00b17)
Otherwise one cannot produce *.avi containers needed for some H.264
camera codecs.
Signed-off-by: Jan Kratochvil <jan@jankratochvil.net>
(cherry picked from commit 62f01d7b36)
This fixes compilation problems with glibc 2.36.
Full Changelog:
btrfs-progs-6.0 (2022-10-11)
-----------------------------
* fi usage: in tabular output, print total size and slack size
* mkfs:
* option -O now accepts values from -R to unify the interface (-R will
continue to work)
* zone reset and discard is done in parallel on all devices
* removed option --leafsize, deprecated long time ago
* corrupt-block: recalculate checksum when changing generation
* fixes:
* convert: fix reserved range detection and overlaps
* mkfs: fix creating files with reserved inode numbers with --rootdir
* receive: escape filenames in command attributes
* fix extent buffer leaks after transaction abort
* experimental:
* mkfs: support for block-group-tree (kernel 6.1)
* fsverity in send (protocol v3, WIP)
* btrfstune -b converts to block-group-tree
* other:
* cleanups, refactoring
* new and updated tests
* update documentation
btrfs-progs-6.0.1 (2022-11-04)
""""""""""""""""""""""""""""""
* send: minor speed up for v2 due to increased buffer size
* resize: invalid command line options fail with error code
* quota rescan:
* add long options --status and --wait
* new option to wait but don't start rescan
* qgroup show: print path by default, updated format
* qgroup: new subcommand clear-stale, remove qgroups without their subvolumes
* experimental:
* add warnings to commands that have it enabled (mkfs, image, btrfstune)
* other:
* documentation, help text, error message updates
btrfs-progs-5.19 (2022-08-16)
-----------------------------
* send: support protocol version 2
* fi show: print all missing devices
* device stats: add tabular output
* replace: add alias to device group (device replace)
* check: validate free space tree items
* fixes:
* convert: support large filesystems (block count > 32bit)
* recognize filesystems with verity enabled
* mkfs and DUP could write out of order, fix it for zoned mode
* build:
* optional support for LZO and ZSTD in receive
* compatibility with glibc 2.36 (mount.h)
* add fallbacks for new GCC builtins
* other:
* corrupt-block: target specific items, offsets
* documentation updates, new pages from wiki
* new tests
btrfs-progs-5.19.1 (2022-09-12)
"""""""""""""""""""""""""""""""
* fix memory leaks (extent buffer, path)
* check: verify block device size vs item
* rescue fix-device-size: allow to shrink device item
* receive: fix crash on wrong pointer free()
* other:
* experimental: support for block-group-tree
* documentation updates
* new tests
btrfs-progs-5.18 (2022-05-25)
-----------------------------
* fixes:
* dump-tree: don't print trailing zeros in checksums
* recognize paused balance as exclusive operation state, allow to start
device add
* convert: properly initialize target filesystem label
* mkfs: don't create free space bitmaps for empty filesystem
* restore: make lzo support build-time configurable, print supported
compression in help text
* update kernel-lib sources
* other:
* documentation updates, finish conversion to RST, CHANGES and INSTALL
could be included into RST
* fix build detection of experimental mode
* new tests
btrfs-progs-5.18.1 (2022-06-06)
"""""""""""""""""""""""""""""""
* fixes:
* convert: fix self reference of toplevel directory
* build: make kernel lib headers compatible with C++
* zoned mode: verify minimum zone size 4MiB
* libbtrfs: cleanups, merge headers and remove declarations of unexported
symbols
* other: documentation updates
btrfs-progs-5.17 (2022-04-26)
-----------------------------
* check:
* repair wrong num_devices in superblock
* recognize overly long xattr names
* fix wrong total bytes check for seed device
* auto-repair on read on RAID56
* property set: unify handling of empty value to mean default, changed meaning
for property 'compression' to allow reset to default and to set NOCOMPRESS,
since kernel 5.14
* fixes:
* dump-tree: print fs-verity items
* fix location of system chunk on zoned filesystem
* do not allow setting seeding flag on a filesystem with dirty log
* mkfs and subpage support: use sectorsize as nodesize fallback for mixed
profiles
* preparatory work for extent tree v2, global roots
* experimental feature (unstable interface, not built by default,
do not use for production)
* btrfstune: option --csum to switch checksum algorithm
* other:
* cleanups, refactoring
* update documentation build, remove asciidocs leftovers
* update fssum to consider xattrs
* add fsstress
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 99f5604905)
(cherry picked from commit 12bc0789a1)
Disable libudev to avoid dependency.
Backport patch to fix 64-bit int types under ppc64 and mips64.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 06de9e9958)
Apply preliminary hotfix for some (three?) of the 0-day
vulnerabilities reported by ZDI.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit db85d9ead6)
Move apache to PCRE2 now that PCRE is flagged EOL and won't receive any
security update.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit d14fe0c51c)
Bump apache to release 2.4.57 and refresh patch automatically.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 86f9af41c1)
Pcre (1) is unmaintained and reached its end of life in 2021.
The base system provides pcre2 exclusively since May.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
(cherry picked from commit 379946951c)
Replace my own patch with the upstream solution, which they issued
in response to my bug report.
(Two patches as they overlooked something on the first try.
Reference to https://savannah.gnu.org/bugs/index.php?63431 )
The nettle lib evaluation is now conditional to not having "--disable-ntlm".
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit fd7da3333e)
Update wget to 1.21.3
* Remove patch 100-fix-hsts-time.patch as upstream has issued
its own version on the fixes
* Add a hack (and fixup autoreconf) to fix an upstream bug that
forces the nettle library into nossl even if NTLM is disabled.
Upstream bug filed: https://savannah.gnu.org/bugs/?63431
* Remove old maintainer who has not been active
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit a694130993)
`time_t` on musl 1.2 is 64 bit, while `long` is 32 bit. We will always get zero time with the original source on mips big endian.
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
(cherry picked from commit 0907651268)
It seems like the libpcre dependency was added by mistake.
While checking in the source code of czmq (Makefile.am, CMakeLists.txt),
I see there are several dependencies, but there isn't PCRE.
Fixes: 936a48a ("czmq: add new package")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e3ab95185c)
include/libdrm/drm.h and others headers are needed to build libva.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit cb8c0ba6c0)
libreswan makefile detects macos (darwin) and changes build logic
but OpenWrt is always Linux so it is required to specify linux as
target platform.
This patch specifies Linux as a target platform.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
(cherry picked from commit 270e8eabc3)
zerotier as default has executable stack.
[ 11.343143] process '/usr/bin/zerotier-one' started with executable stack
Executable stacks are not recommended, possibly provide a threat and there
seems to be no advantage of executable stack with zerotier-one - so let's
build it without instead.
Stack is executable on x86_64, but not on all archs, such as ramips.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit 56f30520f2)