This is a security release.
Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Reverts [1] to resolve the following build error on macOS:
/Volumes/wrt3200/openwrt/staging_dir/hostpkg/usr/bin/perl installperl --destdir=/Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install
WARNING: You've never run 'make test' or some tests failed! (Installing anyway.)
/usr/bin/perl5.38.2
error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: input file: /Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install/usr/bin/perl5.38.2 is not a Mach-O file
[1] 88efce3814
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Make the python-jinja2/host target available for the build environment
to be used with e.g. the PKG_BUILD_DEPENDS list.
This is needed for an upcoming package (libcamera).
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Make the python-yaml/host target available for the build environment
to be used with e.g. the PKG_BUILD_DEPENDS list.
This is needed for an upcoming package (libcamera).
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
With the recent move to using ZSTD as the default compression format
for packaging git repo clones we must refresh all of the hashes for
the packages feed as well.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This is a security release
Notable Changes
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4
Changed to use gz according to main-snapshot
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.22.2 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the compiler, the
go command, the linker, and the encoding/gob, go/types,
net/http, and runtime/trace packages.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
Find out more:
https://github.com/golang/go/issues?q=milestone%3AGo1.22.2
Signed-off-by: Shi JiaYang <shi05275@163.com>
Relevant changes since previous 3.9.13:
- FIXED: Fix crash serializing str introduced in 3.9.11
- FIXED: Implement recursion limit of 1024 on orjson.loads()
- FIXED: Use byte-exact read on str formatting SIMD path to avoid crash
- Build now depends on Rust 1.72 or later
- Support serializing numpy.float16 (numpy.half)
- sdist uses metadata 2.3 instead of 2.1
- Improve Windows PyPI builds
Signed-off-by: Timothy M. Ace <openwrt@timothyace.com>
1. Update it to version 3.16.3
Release notes: https://github.com/LuaLanes/lanes/releases/tag/v3.16.3
2. Change to download tarball instead of checking out Git sources
In the previous commit (in the Fixes tag), it was changed to Git sources without any reason. Let's revert it back. Let's use again tagged release.
Fixes: b93e5b45b1 ("lualanes: Version bump to v3.16.2")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Go 1.22.1 contains the following security fixes:
- CVE-2024-24783:
crypto/x509: Verify panics on certificates with an unknown public key
algorithm
- CVE-2023-45290
net/http: memory exhaustion in Request.ParseMultipartForm
- CVE-2023-45289
net/http, net/http/cookiejar: incorrect forwarding of sensitive headers
and cookies on HTTP redirect
- CVE-2024-24785
html/template: errors returned from MarshalJSON methods may break
template escaping
- CVE-2024-24784
net/mail: comments in display names are incorrectly handled
https://go.dev/doc/devel/release#go1.22.1https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
Signed-off-by: Zephyr Lykos <git@mochaa.ws>
Added a third bootstrap stage since go1.22 (and onwards) requires
at least go1.20.14 to build.[1]
[1]: https://go.dev/doc/go1.22#bootstrap
Signed-off-by: Zephyr Lykos <git@mochaa.ws>
go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof packages.
go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Most packages already use https URLs and for PHP and PECL
package downloads https is working properly.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Update to v20.11.1
This is a security release.
Notable changes
* CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
* CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
* CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
* CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
* CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
* CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3
* libuv version 1.48.0
* OpenSSL version 3.0.13+quic1 (Depends on shared library provided by OpenWrt)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
