July 2021 Security Releases:
Use after free on close http2 on stream canceling (High) (CVE-2021-22930)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Also bump Cython version to 0.29.23.
And add support for OpenBLAS.
Currently optional, but will be enabled by default on some architectures
later.
Depends on PR https://github.com/openwrt/packages/pull/15685
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This version prefers charset_normalizer instead of chardet.
chardet is still usable if available.
Dropping patches for idna. Not required anymore.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Includes fix for CVE-2021-34558 (crypto/tls: clients can panic when
provided a certificate of the wrong type for the negotiated parameters).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This release fixes some bugs and these vulnerabilities:
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Python works with GNU DBM and with Berkley DBM.
Berkley DBM has been under Oracle for some time.
And it's not clear how many Python users actually use DBM.
In the packages feed, we have both libdb47 (which is now under Oracle) and
GNU DBM. The GNU DBM has a compatibility layer for Berkley DBM.
There are newer versions than libdb47, but it's probably not worth having
them yet. The libbd47 tarball is ~40+ MB. Odds are newer versions will be
bigger and more bloated.
This change merges the old `python3-gdbm` package into the `python3-dbm`
package, since they are effectively using the same underlying library now,
i.e. gdbm.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
I seem to forget to check/select setuptools and pip (that come bundled with
Python).
This change will do a simple 'ls' on the 2 wheel files, so that the build
fails even if just building Python.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Dropped patches:
0004-Replace-EVP_CIPHER_CTX_cleanup-with-EVP_CIPHER_CTX_r.patch
0005-Switch-get_-Update-APIs-to-get0.patch
Reworked patches:
0001-Add-new-ASN1_STRING_get0_data-API.patch
0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
These 2 require that we keep only the CUSTOMIZATIONS stuff for now. Maybe
later we can drop this.
Ran 'make package/python-cryptography/refresh'.
Added patch:
0004-disable-rust.patch
upstream did a sloppy job with the CRYPTOGRAPHY_DONT_BUILD_RUST logic; we
need to patch it, to make sure the setuptools-rust isn't installed.
We may need to carry this patch in our tree for a bit longer than upstream,
because in newer versions, CRYPTOGRAPHY_DONT_BUILD_RUST logic gets removed.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
By adding these dependencies, it is much easier for users (both
applications that use Twisted and end users) to have secure
communications by default.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
1.16.1 included fixes for:
* CVE-2021-27918 - encoding/xml: infinite loop when using
xml.NewTokenDecoder with a custom TokenReader
* CVE-2021-27919 - archive/zip: can panic when calling Reader.Open
1.16.4 included fixes for:
* CVE-2021-31525 - net/http: ReadRequest can stack overflow due to
recursion with very large headers
1.16.5 includes fixes for:
* CVE-2021-33195 - net: Lookup functions may return invalid host names
* CVE-2021-33196 - archive/zip: malformed archive may cause panic or
memory exhaustion
* CVE-2021-33197 - net/http/httputil: ReverseProxy forwards Connection
headers if first one is empty
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Daniel Golle