This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 2e9c1a00ea)
This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit c6f27671a3)
Contains fixes for:
* CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
accesses a memory location after the end of a buffer
* CVE-2021-41772: archive/zip Reader.Open panic via a crafted ZIP
archive containing an invalid name or an empty filename field
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 901f80aae7)
This package was updated without a hash change.
Fixes: c157522580 ("pyodbc: update to version 4.0.31")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b783386890)
Details:
- Cleaned up whitespace and removed comments (refer to official PHP documentation for that)
- Removed directives that no longer exist as of PHP 8.0.12
- Added newly existing directives commented out
- Added '~E_DEPRECATED' to 'error_reporting'
Signed-off-by: Giovanni Giacobbi <giovanni@giacobbi.net>
(cherry picked from commit f54b987c8f)
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Details:
- Cleaned up whitespace and removed comments (refer to official PHP documentation for that)
- Removed directives that no longer exist as of PHP 7.4.25
- Added '~E_DEPRECATED' to 'error_reporting'
Directives removed that no longer exist as of PHP 7.4.25:
- zend.ze1_compatibility_mode
- y2k_compliance
- register_globals
- register_long_arrays
- magic_quotes_gpc
- magic_quotes_runtime
- magic_quotes_sybase
- always_populate_raw_post_data
Signed-off-by: Giovanni Giacobbi <giovanni@giacobbi.net>
This is the latest version, which still has support for PHP 7.x.
It's an intermediate step in the transition to PHP 8.x.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 5fe58d0002)
This PR prepares PHP for a few minor changes that cause PHP builds to fail when using --enable-intl with ICU 70.1.
Change UBool to bool for equality operators in ICU >= 70.1
https://github.com/php/php-src/pull/7596
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit bc13112a7c)
This PR prepares PHP for a few minor changes that cause PHP builds to fail when using --enable-intl with ICU 70.1.
Change UBool to bool for equality operators in ICU >= 70.1
https://github.com/php/php-src/pull/7596
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 4da149b68a)
October 12th 2021 Security Releases:
HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Includes fix for CVE-2021-38297 (passing very large arguments to WASM
module functions can cause portions of the module to be overwritten).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit dd986cde7f)
Avoid parallel relinking and usage of the host perl binary by wrapping
its usage around flock calls.
Sometimes, two packages will try to relink the static host perl binary
at the same time. Neither of them will have the other's module linked
in, and one of them will unavoidably clobber the other one's binary.
This will lead to errors when a package will not be able to find a
module that was supposed to be installed.
To fix that, an exclusive flock is used when relinking, with a 900
seconds timeout to avoid locking up the build process forever.
This is not enough because the binary may be concurrently used to build
another module package; perl is used in Configure, Compile, and Install
procedures. If timing is right, a package will fail with a "permission
denied" error.
So a shared flock call is added in Configure, Compile, and Install
definitions for host and target, with a shorter, 300 seconds timeout.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 1e18c4324f)
Without -ldl linker flag .so extensions are not loaded
when glibc is used. Fix it by providing adjusted LDFLAGS
for this case.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 1bff138517)
Without -ldl linker flag .so extensions are not loaded
when glibc is used. Fix it by providing adjusted LDFLAGS
for this case.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit d153c61650)
The addressed issue is related to #6893 as its resolution
is actually causing the problem.
When changing the priority of the config file it happens
that after a sysupgrade the previous file is restored
and the new file is added, ending up in a situation
like this:
/etc/php7/15_openssl.ini
/etc/php7/20_openssl.ini
Causing a double extension=openssl.so to be parsed,
which is not appropriate and leads to error message.
The same problem might also occur for mysqli since there
was also a priority change - let's take care about this
at the same time.
The solution is to remove one of the files. Since it is
a configuration file, the user might have adjusted it, so
lets just use the previous version to replace the new
installed version.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit e51a049301)
Includes fix for CVE-2021-39293 (archive/zip: overflow in preallocation
check can cause OOM panic).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit aa96b8408f)
Refreshed patches.
And apply hack for line-endings in pep517 (from pip).
Hack comment:
# FIXME: [1] get rid of this asap; 'patch' doesn't like Windows endings, and this file is full of them...
# I actually tried this in a number of ways and the only way to fix this is to implement
# a poor-man's dos2unix using sed.
# The issue is with the pip package; it seems that it throws in some Windows line-endings
# and 'patch' won't handle them. So, we do a "dos2unix" and then patch.
# We can get rid of this once this is solved upstream and in pip:
# https://github.com/pypa/pep517/pull/130
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 26988f905f)
python3-pyinotify: initial package version 0.9.6 of pyinotify for python3
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit bcb8775e48eb8f99a76b05a8539a0140513e4158)
I tried to install matplotlib by using pip and it failed with the following output:
2021-08-18T11:52:26,171 Collecting matplotlib
2021-08-18T11:52:26,173 Created temporary directory: /tmp/pip-unpack-wuth2u0e
2021-08-18T11:52:26,565 Using cached matplotlib-3.4.3.tar.gz (37.9 MB)
2021-08-18T11:52:38,659 Added matplotlib from https://files.pythonhosted.org/packages/21/37/ 197e68df384ff694f78d687a49ad39f96c67b8d75718bc61503e1676b617/matplotlib-3.4.3.tar. gz#sha256=fc4f526dfdb31c9bd6b8ca06bf9fab663ca12f3ec9cdf4496fb44bc680140318 to build tracker '/tmp/pip- req-tracker-u30x8pht'
2021-08-18T11:52:38,660 Running setup.py (path:/tmp/pip-install-afiyiers/ matplotlib_8e717e38862f4976a3d6cb1832ba3261/setup.py) egg_info for package matplotlib
2021-08-18T11:52:38,661 Created temporary directory: /tmp/pip-pip-egg-info-kbtiezxq
2021-08-18T11:52:38,662 Running command python setup.py egg_info
2021-08-18T11:52:38,831 Traceback (most recent call last):
2021-08-18T11:52:38,832 File "<string>", line 1, in <module>
2021-08-18T11:52:38,832 File "/usr/lib/python3.9/site-packages/setuptools/__init__.py", line 8, in <module>
2021-08-18T11:52:38,833 ModuleNotFoundError: No module named '_distutils_hack'
More details about it:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968410
Once I applied the patch from the bug tracker, I got further to install
it.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit feaaacc10f)
When installing a host perl module, the host perl binary in the staging
dir is replaced by using 'cp'. However, if the binary is running in a
parallel job, cp will fail with a text file busy error. Use
$(INSTALL_BIN), which unliks the file first to avoid the error.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 19c7496648)
July 2021 Security Releases:
Use after free on close http2 on stream canceling (High) (CVE-2021-22930)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Includes fix for CVE-2021-34558 (crypto/tls: clients can panic when
provided a certificate of the wrong type for the negotiated parameters).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit c0c62227bd)
This release fixes some bugs and these vulnerabilities:
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 1b41e8f641)
I seem to forget to check/select setuptools and pip (that come bundled with
Python).
This change will do a simple 'ls' on the 2 wheel files, so that the build
fails even if just building Python.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Dropped patches:
0004-Replace-EVP_CIPHER_CTX_cleanup-with-EVP_CIPHER_CTX_r.patch
0005-Switch-get_-Update-APIs-to-get0.patch
Reworked patches:
0001-Add-new-ASN1_STRING_get0_data-API.patch
0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
These 2 require that we keep only the CUSTOMIZATIONS stuff for now. Maybe
later we can drop this.
Ran 'make package/python-cryptography/refresh'.
Added patch:
0004-disable-rust.patch
upstream did a sloppy job with the CRYPTOGRAPHY_DONT_BUILD_RUST logic; we
need to patch it, to make sure the setuptools-rust isn't installed.
We may need to carry this patch in our tree for a bit longer than upstream,
because in newer versions, CRYPTOGRAPHY_DONT_BUILD_RUST logic gets removed.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 01d1b4581e)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Python3 comes with a built-in readline module. It wasn't included up until
now; mostly because it wasn't considered.
This change introduces it as a sub-package of the main Python3 package.
readline support is included in Python.
libreadline pulls libncursesw as a package, so python3-ncurses was
updated to pull libncursesw as well.
It should be the same package; mostly done for consistency.
Resolves the issue reported here:
https://forum.openwrt.org/t/python3-repl-missing-readline/90039
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 49faf5d7ca)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
By adding these dependencies, it is much easier for users (both
applications that use Twisted and end users) to have secure
communications by default.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 8349546208)
Updating Eneas' email as requested on Github:
https://github.com/openwrt/packages/pull/15622
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 6185156e69)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
1.16.1 included fixes for:
* CVE-2021-27918 - encoding/xml: infinite loop when using
xml.NewTokenDecoder with a custom TokenReader
* CVE-2021-27919 - archive/zip: can panic when calling Reader.Open
1.16.4 included fixes for:
* CVE-2021-31525 - net/http: ReadRequest can stack overflow due to
recursion with very large headers
1.16.5 includes fixes for:
* CVE-2021-33195 - net: Lookup functions may return invalid host names
* CVE-2021-33196 - archive/zip: malformed archive may cause panic or
memory exhaustion
* CVE-2021-33197 - net/http/httputil: ReverseProxy forwards Connection
headers if first one is empty
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit fe3c49fe07)
Add --with-imagick=$(STAGING_DIR)/usr so that configure picks
MagickWand-config from there, before it finds an eventual host-installed
version.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit f434a33a13)
Refreshed Python patches.
Updated pip & setuptools version.
For pip, patch '001-pep517-pyc-fix.patch' was reworked.
Also, the current version of the bundled pip (21.1.1) no longer supports
Python2, so the 'py2.py3' suffix gets replaced with just py3.
For setuptools, there is no longer a script/module:
https://github.com/pypa/setuptools/pull/2544
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit e312275dd9)
Related to discussion:
https://github.com/openwrt/packages/pull/14060
Every once in a while a version bump will occur that requires an ABI
change. Example: Python 3.8 to 3.9. When this happens some Python packages
would need to be rebuilt. In setups where everything gets rebuilt, this
isn't a problem.
It's usually a bigger problem when needing to upgrade something via
opkg.
To accommodate for this, we add a libpython with it's own ABI_VERSION
flag. If this ABI_VERSION changes, then this should propagate forward.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 27aee1fbf0)
For some reason Python3 jumped from 3.9.2 to 3.9.4 in about a week.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 156e2e354e)
Notable Changes:
Diagnostics channel (experimental module)
UUID support in the crypto module
Experimental support for AbortController and AbortSignal
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Fixes: https://github.com/openwrt/packages/issues/15370
This is inspired from:
330bc94dcc/lang/python-greenlet/Makefile
The `PKG_USE_MIPS16:=0` is not taken into consideration when building
Python modules. That's because the sysconfig is used.
This is only an issue with greenlet (on MIPS) so far.
One option is to do `PKG_USE_MIPS16:=0` in the core Python package.
But, since we know that the `wlanslovenija` group has successfully used
greenlet on MIPS with this construct, we might as well adopt it until GCC10
becomes the main compiler.
As noted here:
https://github.com/openwrt/packages/issues/15370#issuecomment-817015484
GCC10 doesn't have this problem.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit bde027188a)
Notes:
Build is disabled for arc and mips because
greenlet isn't ported for these platforms
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry picked from commit 837f1b5924)
Psycopg is the most popular PostgreSQL adapter for the Python programming language
It's used by the python-sqlalchemy for postgresql
This package was removed by this commit for lacking python3 support:
c37b15e1c4
Version 2.8.6 used in this package now supports pyhton3
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
(cherry picked from commit 7cfb9a04af)
Fixes two CVEs:
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
April 2021 Security Releases
- OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)
- OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)
- npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)
OpenSSL-related vulnerabilities do not affect the OpenWrt package. Because OpenWrt's OpenSSL shared library has been updated.
NODEJS_ICU_SMALL is default
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
This is d4979cff0 ported to php8.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit db3389edc2)
This is d4979cff0 ported to php8.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 8c6d7dc37c)
Includes fixes for:
* CVE-2021-3177 - ctypes: Buffer overflow in PyCArg_repr
* CVE-2021-23336 - urllib parse_qsl(): Web cache poisoning - semicolon
as a query args separator
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 6d9005d5ac)