Compare commits

...

28 Commits

Author SHA1 Message Date
Peter Korsgaard cf01d69e1b Update for 2016.11.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-10 00:00:07 +01:00
Gustavo Zacarias 40185d3bff wireshark: security bump to version 2.2.5
Fixes:
wnpa-sec-2017-03 - LDSS dissector crash
wnpa-sec-2017-04 - RTMTP dissector infinite loop
wnpa-sec-2017-05 - WSP dissector infinite loop
wnpa-sec-2017-06 - STANAG 4607 file parser infinite loop
wnpa-sec-2017-07 - NetScaler file parser infinite loop
wnpa-sec-2017-08 - NetScaler file parser crash
wnpa-sec-2017-09 - K12 file parser crash
wnpa-sec-2017-10 - IAX2 dissector infinite loop
wnpa-sec-2017-11 - NetScaler file parser infinite loop

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e9e594d99a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 785d474cb4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-08 18:06:36 +01:00
Gustavo Zacarias d51608ac63 gnutls: security bump to version 3.5.10
Fixes:
GNUTLS-SA-2017-3A - Addressed integer overflow resulting to invalid
memory write in OpenPGP certificate parsing.
GNUTLS-SA-2017-3B - Addressed crashes in OpenPGP certificate parsing,
related to private key parser. No longer allow OpenPGP certificates
(public keys) to contain private key sub-packets.
GNUTLS-SA-2017-3C - Addressed large allocation in OpenPGP certificate
parsing, that could lead in out-of-memory condition.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6fdb2b109b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-08 18:05:01 +01:00
Peter Korsgaard 411067de8a gnutls: bump version to 3.5.9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 743f5076df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-08 18:04:30 +01:00
Peter Korsgaard 3abd9c659c libcurl: security bump to version 7.53.0
Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored

>From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6):

Curl and libcurl support "OCSP stapling", also known as the TLS Certificate
Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When
telling curl to use this feature, it uses that TLS extension to ask for a
fresh proof of the server's certificate's validity. If the server doesn't
support the extension, or fails to provide said proof, curl is expected to
return an error.

Due to a coding mistake, the code that checks for a test success or failure,
ends up always thinking there's valid proof, even when there is none or if the
server doesn't support the TLS extension in question. Contrary to how it used
to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes
invalid or otherwise be mislead that the server is in a better shape than it
is in reality.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c5f5d9fa4e)
2017-02-26 22:12:55 +01:00
Peter Korsgaard 17a052f38a dbus: security bump to version 1.10.16
>From http://www.openwall.com/lists/oss-security/2017/02/16/4

The latest dbus release 1.10.16 fixes two symlink attacks in
non-production-suitable configurations. I am treating these as bugs
rather than practical vulnerabilities, and very much hope neither of
these is going to affect any real users, but I'm reporting them to
oss-security in case there's an attack vector that I've missed.

No CVEs assigned so far.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c9556ed90f)
2017-02-26 22:09:47 +01:00
Gustavo Zacarias 2797084634 dbus: bump to version 1.10.14
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3229c7c12d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-26 22:09:22 +01:00
Baruch Siach cd7e3cb079 stunnel: fix static link
zlib is a dependency of OpenSSL. Take that into account when linking
statically.

Fixes:
http://autobuild.buildroot.net/results/dfe/dfe7c82c7976912378e33e03ea4c677bee6a778d/
http://autobuild.buildroot.net/results/48c/48cb55428613e91abfe8e71456182082d9eabb75/
http://autobuild.buildroot.net/results/810/81029efad8b9e2f48c26a7b20f62c90844fc86df/

and many more.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b575baeb1a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-26 22:03:40 +01:00
Gustavo Zacarias e10d8f3cf2 redis: bump to version 3.2.8
It fixes a regression in the 3.2.7 security release that can cause server
deadlocks.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f4cb8f2d4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:10:22 +01:00
Peter Korsgaard f2da4a526f ntfs-3g: add security fix for CVE-2017-0358
Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE does not not scrub the environment before
executing modprobe to load the fuse module. This influence the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options) potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid.

Notice that Buildroot does NOT install netfs-3g setuid root, but custom
permission tables might be used, causing it to vulnerable to the above.

ntfs-3g does not seem to have a publicly available version control system
and no new releases have been made, so instead grab the patch from Debian.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f971f354c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:10:12 +01:00
Peter Korsgaard 29fd237aa3 vim: security bump to version 8.0.0329
Fixes:

- CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values
  for the 'filetype', 'syntax' and 'keymap' options, which may result in the
  execution of arbitrary code if a file with a specially crafted modeline is
  opened.

- CVE-2017-5953: vim before patch 8.0.0322 does not properly validate values
  for tree length when handling a spell file, which may result in an integer
  overflow at a memory allocation site and a resultant buffer overflow.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0e76cde70f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:09:53 +01:00
Peter Korsgaard 0c2eff408c bind: security bump to version 9.11.0-P3
Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash:

https://kb.isc.org/article/AA-01453

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b9141fc88b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:09:04 +01:00
Baruch Siach 4b4b74b056 quagga: security bump to version 1.1.1
Fixes CVE-2017-5495: Telnet interface input buffer allocates unbounded amounts
of memory, leading to DoS.

Add optional dependency on protobuf-c.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ae73226476)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:08:05 +01:00
Adam Duskett 0d74852e6d ntp: security bump to verserion 4.2.8p9
This version of ntp fixes several vulnerabilities.

CVE-2016-9311
CVE-2016-9310
CVE-2016-7427
CVE-2016-7428
CVE-2016-9312
CVE-2016-7431
CVE-2016-7434
CVE-2016-7429
CVE-2016-7426
CVE-2016-7433

http://www.kb.cert.org/vuls/id/633847

In addition, libssl_compat.h is now included in many files, which
references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
Even if a you pass --disable-ssl as a configuration option, these
files are now required.

As such, I have also added openssl as a dependency, and it is now
automatically selected when you select ntp.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ebf6f64b76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:06:02 +01:00
Baruch Siach bf6a402f77 tcpdump: security bump to version 4.9.0
Security fixes in this release (from the Debian changelog):

    + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
    + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
    + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
    + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
    + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
    + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
    + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
    + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
    + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
    + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
    + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
    + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
    + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
    + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
    + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
    + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
    + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
    + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
    + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
    + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
    + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
    + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
    + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
    + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
    + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
    + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
    + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
      buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
      lightweight resolver protocol, PIM).
    + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
    + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
    + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
    + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
    + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
    + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
      OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
      print-ether.c:ether_print().
    + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
    + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
    + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
    + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 183b443e57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-16 09:05:06 +01:00
Vicente Olivert Riera cae567ffc5 php: security bump version to 7.1.1
0006-Fix-php-fpm.service.in.patch already included:
  https://github.com/php/php-src/commit/bb19125781c0794da9a63fee62e263ff4efff661

Fixes:

CVE-2016-10158

    Loading a TIFF or JPEG malicious file can lead to a Denial-of-Service
    attack when the EXIF header is being parsed.

CVE-2016-10159

    Loading a malicious phar archive can cause an extensive memory
    allocation, leading to a Denial-of-Service attack on 32 bit
    computers.

CVE-2016-10160

    An attacker might remotely execute arbitrary code using a malicious
    phar archive. This is the consequence of an off-by-one memory
    corruption.

CVE-2016-10161

    An attacker with control of the unserialize() function argument can
    cause an out-of-bounce read. This could lead to a Denial-of-Service
    attack or a remote code execution.

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 34be501214)
2017-02-09 14:43:37 +01:00
Peter Korsgaard ca84b0177e imagemagick: fix build of png support when jpeg support is disabled
Fixes:
http://autobuild.buildroot.net/results/d20/d20eecec8e7b947759185f77a6c8e610dd7393f3/
http://autobuild.buildroot.net/results/ee1/ee15efa8ae3f95244980810155ff7ba9f885a59d/
http://autobuild.buildroot.net/results/aa8/aa80f2fd4c7dd884ea8a1b55ad15a40c7bf40501/
http://autobuild.buildroot.net/results/9aa/9aaa044f78115d7f599ea09669c0d6bface5633e/

This combination is broken since 7.0.4-6.

Since commit a9e228f8ac26 (Implemented a private PNG caNv (canvas) chunk),
PNGsLong gets called unconditionally, but it is only defined if JPEG
support is enabled (which defines JNG_SUPPORTED), breaking the build:

MagickCore/.libs/libMagickCore-7.Q16HDRI.a(MagickCore_libMagickCore_7_Q16HDRI_la-png.o): In function `WriteOnePNGImage':
png.c:(.text+0x748d): undefined reference to `PNGsLong'
png.c:(.text+0x74b7): undefined reference to `PNGsLong'

Fix it by adding a patch unconditionally defining the helper function.

Patch submitted upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c6f8088fdd)
2017-02-06 22:43:01 +01:00
Vicente Olivert Riera dc7fd80cc9 imagemagick: security bump to version 7.0.4-6
Fixes an use of uninitialized data issue in MAT image format that may have
security impact:

https://github.com/ImageMagick/ImageMagick/issues/362

[Peter: extend commit message, mention (potential) security impact]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

(cherry picked from commit e5f505efac)
2017-02-03 14:25:04 +01:00
Vicente Olivert Riera 21dc9299a2 imagemagick: bump version to 7.0.4-5
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ad736e199c)
2017-02-03 14:24:55 +01:00
Vicente Olivert Riera b5c365b3c0 imagemagick: bump version to 7.0.4-4
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a89bdc363c)
2017-02-03 14:24:44 +01:00
Vicente Olivert Riera 3edd35cac8 redis: security bump to version 3.2.7
Release notes:
  https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

From the notes:
Upgrade urgency HIGH.

This release fixes important security and correctness issues.  It is
especially important to upgrade for Redis Cluster users and for users
running Redis in their laptop since a cross-scripting attack is fixed in
this release.

[Peter: extend description]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

(cherry picked from commit bbc042b91e)
2017-02-03 14:23:30 +01:00
Gustavo Zacarias 2aa63f06cf redis: bump to version 3.2.6
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4be266220a)
2017-02-03 14:23:20 +01:00
Peter Korsgaard 3a2a910b21 lcms2: add upstream security fix for CVE-2016-10165
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found,
leading to heap memory leak triggered by crafted ICC profile.

https://bugzilla.redhat.com/show_bug.cgi?id=1367357

Add upstream patch to fix it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cd2e115a3f)
2017-01-31 10:22:53 +01:00
Gustavo Zacarias 7ca8ea399f squid: security bump to version 3.5.24
Fixes:
* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5451001591)
2017-01-31 10:22:37 +01:00
Jörg Krause 2599d77cbe package/wavpack: security bump to version 5.1.0
Fixes:
 - CVE-2016-10169: global buffer overread in read_code / read_words.c
 - CVE-2016-10170: heap out of bounds read in WriteCaffHeader / caff.c
 - CVE-2016-10171: heap out of bounds read in unreorder_channels / wvunpack.c
 - CVE-2016-10172: heap oob read in read_new_config_info / open_utils.c

[Peter: add CVE references]
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dbc108d672)
2017-01-30 14:52:23 +01:00
Jörg Krause ba416e0f48 package/wavpack: bump version to 5.0.0
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0dbe92b0d0)
2017-01-30 14:50:20 +01:00
Gustavo Zacarias 841fc4f3c5 openssl: security bump to version 1.0.2k
Fixes:
CVE-2017-3731 - Truncated packet could crash via OOB read.
CVE-2017-3732 - BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 - Montgomery multiplication may produce incorrect results

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f9a6a2df56)
2017-01-27 13:16:44 +01:00
Bernd Kuhls 0d09bfa43f package/x11r7/xlib_libXpm: bump version to 3.5.12
Fixes CVE-2016-10164: The affected code is prone to two 32 bit integer
overflows while parsing extensions: the amount of extensions and their
concatenated length.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e9f66e194a)
2017-01-25 11:44:31 +01:00
41 changed files with 141 additions and 89 deletions
+8
View File
@@ -1,3 +1,11 @@
2016.11.3, Released March 9th, 2017
Important / security related fixes.
Updated/fixed packages: bind, dbus, gnutls, imagemagick,
lcms2, libcurl, ntfs-3g, ntp, openssl, php, quagga, redis,
squid, stunnel, tcpdump, vim, wavpack, wireshark, xlib_libXpm
2016.11.2, Released January 25th, 2017
Important / security related fixes.
+1 -1
View File
@@ -83,7 +83,7 @@ else # umask / $(CURDIR) / $(O)
all:
# Set and export the version string
export BR2_VERSION := 2016.11.2
export BR2_VERSION := 2016.11.3
# Save running make version since it's clobbered by the make package
RUNNING_MAKE_VERSION := $(MAKE_VERSION)
+2 -2
View File
@@ -1,2 +1,2 @@
# Verified from http://ftp.isc.org/isc/bind9/9.11.0-P2/bind-9.11.0-P2.tar.gz.sha256.asc
sha256 d651f83ce1c08c83d6ac8201685c4f2b5fdb79794f3a4f93c3948e0ef439c1e5 bind-9.11.0-P2.tar.gz
# Verified from http://ftp.isc.org/isc/bind9/9.11.0-P3/bind-9.11.0-P3.tar.gz.sha256.asc
sha256 0feee0374bcbdee73a9d4277f3c5007622279572d520d7c27a4b64015d8ca9e9 bind-9.11.0-P3.tar.gz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
BIND_VERSION = 9.11.0-P2
BIND_VERSION = 9.11.0-P3
BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
# bind does not support parallel builds.
BIND_MAKE = $(MAKE1)
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 210a79430b276eafc6406c71705e9140d25b9956d18068df98a70156dc0e475d dbus-1.10.12.tar.gz
sha256 a7b0ba6ea3e8d0e08afec5e3030d0245614268276620c536726f8fa6e5c43388 dbus-1.10.16.tar.gz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
DBUS_VERSION = 1.10.12
DBUS_VERSION = 1.10.16
DBUS_SITE = http://dbus.freedesktop.org/releases/dbus
DBUS_LICENSE = AFLv2.1 or GPLv2+ (library, tools), GPLv2+ (tools)
DBUS_LICENSE_FILES = COPYING
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 0e97f243ae72b70307d684b84c7fe679385aa7a7a0e37e5be810193dcc17d4ff gnutls-3.5.8.tar.xz
sha256 af443e86ba538d4d3e37c4732c00101a492fe4b56a55f4112ff0ab39dbe6579d gnutls-3.5.10.tar.xz
+1 -1
View File
@@ -5,7 +5,7 @@
################################################################################
GNUTLS_VERSION_MAJOR = 3.5
GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).8
GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).10
GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
GNUTLS_SITE = ftp://ftp.gnutls.org/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
GNUTLS_LICENSE = LGPLv2.1+ (core library), GPLv3+ (gnutls-openssl library)
@@ -0,0 +1,47 @@
From 5d0e9c53f49022df5154eb3c04900f48b1c6448e Mon Sep 17 00:00:00 2001
From: Peter Korsgaard <peter@korsgaard.com>
Date: Mon, 6 Feb 2017 17:39:31 +0100
Subject: [PATCH] png.c: unbreak build without JPEG support
Since commit a9e228f8ac26 (Implemented a private PNG caNv (canvas) chunk),
PNGsLong gets called unconditionally, but it is only defined if JPEG
support is enabled (which defines JNG_SUPPORTED), breaking the build:
MagickCore/.libs/libMagickCore-7.Q16HDRI.a(MagickCore_libMagickCore_7_Q16HDRI_la-png.o): In function `WriteOnePNGImage':
png.c:(.text+0x748d): undefined reference to `PNGsLong'
png.c:(.text+0x74b7): undefined reference to `PNGsLong'
For build log, see:
http://autobuild.buildroot.net/results/d20/d20eecec8e7b947759185f77a6c8e610dd7393f3/build-end.log
Fix it by unconditionally defining the helper function.
Submitted-upstream: https://github.com/ImageMagick/ImageMagick/pull/373
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
coders/png.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/coders/png.c b/coders/png.c
index aebe59281..1328b1aab 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -1229,7 +1229,6 @@ static void PNGLong(png_bytep p,png_uint_32 value)
*p++=(png_byte) (value & 0xff);
}
-#if defined(JNG_SUPPORTED)
static void PNGsLong(png_bytep p,png_int_32 value)
{
*p++=(png_byte) ((value >> 24) & 0xff);
@@ -1237,7 +1236,6 @@ static void PNGsLong(png_bytep p,png_int_32 value)
*p++=(png_byte) ((value >> 8) & 0xff);
*p++=(png_byte) (value & 0xff);
}
-#endif
static void PNGShort(png_bytep p,png_uint_16 value)
{
--
2.11.0
+1 -1
View File
@@ -1,2 +1,2 @@
# From http://www.imagemagick.org/download/releases/digest.rdf
sha256 bc09ea103a82d1c2c093889eda7e36dd0aa7aa98a06c55de4b73932838459fc4 ImageMagick-7.0.4-3.tar.xz
sha256 1ee004740b7ab47fff3c92ae4a89dcbd0181c4d5f31fcb7e3697412ea384a0da ImageMagick-7.0.4-6.tar.xz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
IMAGEMAGICK_VERSION = 7.0.4-3
IMAGEMAGICK_VERSION = 7.0.4-6
IMAGEMAGICK_SOURCE = ImageMagick-$(IMAGEMAGICK_VERSION).tar.xz
IMAGEMAGICK_SITE = http://www.imagemagick.org/download/releases
IMAGEMAGICK_LICENSE = Apache-2.0
@@ -0,0 +1,27 @@
From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
From: Marti <marti.maria@tktbrainpower.com>
Date: Mon, 15 Aug 2016 23:31:39 +0200
Subject: [PATCH] Added an extra check to MLU bounds
Thanks to Ibrahim el-sayed for spotting the bug
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/cmstypes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cmstypes.c b/src/cmstypes.c
index cb61860..c7328b9 100644
--- a/src/cmstypes.c
+++ b/src/cmstypes.c
@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
// Check for overflow
if (Offset < (SizeOfHeader + 8)) goto Error;
+ if ((Offset + Len) > SizeOfTag + 8) goto Error;
// True begin of the string
BeginOfThisString = Offset - SizeOfHeader - 8;
--
2.11.0
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 d16185a767cb2c1ba3d5b9096ec54e5ec198b213f45864a38b3bda4bbf87389b curl-7.52.1.tar.bz2
sha256 b2345a8bef87b4c229dedf637cb203b5e21db05e20277c8e1094f0d4da180801 curl-7.53.0.tar.bz2
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
LIBCURL_VERSION = 7.52.1
LIBCURL_VERSION = 7.53.0
LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
LIBCURL_SITE = https://curl.haxx.se/download
LIBCURL_DEPENDENCIES = host-pkgconf \
+1
View File
@@ -1,2 +1,3 @@
# Locally calculated
sha256 d7b72c05e4b3493e6095be789a760c9f5f2b141812d5b885f3190c98802f1ea0 ntfs-3g_ntfsprogs-2016.2.22.tgz
sha256 43deadaeade489934b0b45e2ed8aa5f853ad0364fbde7ad144211b80132ea041 0003-CVE-2017-0358.patch
+1
View File
@@ -7,6 +7,7 @@
NTFS_3G_VERSION = 2016.2.22
NTFS_3G_SOURCE = ntfs-3g_ntfsprogs-$(NTFS_3G_VERSION).tgz
NTFS_3G_SITE = http://tuxera.com/opensource
NTFS_3G_PATCH = https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch
NTFS_3G_CONF_OPTS = --disable-ldconfig
NTFS_3G_INSTALL_STAGING = YES
NTFS_3G_DEPENDENCIES = host-pkgconf
+1
View File
@@ -1,6 +1,7 @@
config BR2_PACKAGE_NTP
bool "ntp"
select BR2_PACKAGE_LIBEVENT
select BR2_PACKAGE_OPENSSL
help
Network Time Protocol suite/programs.
Provides things like ntpd, ntpdate, ntpq, etc...
+3 -3
View File
@@ -1,4 +1,4 @@
# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz.md5
md5 4a8636260435b230636f053ffd070e34 ntp-4.2.8p8.tar.gz
# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p9.tar.gz.md5
md5 857452b05f5f2e033786f77ade1974ed ntp-4.2.8p9.tar.gz
# Calculated based on the hash above
sha256 2ab3d0b5f0456e6311dda1cc27ab75da108762773a19e46abd938bd9407b97ee ntp-4.2.8p8.tar.gz
sha256 b724287778e1bac625b447327c9851eedef020517a3545625e9f652a90f30b72 ntp-4.2.8p9.tar.gz
+5 -10
View File
@@ -5,9 +5,9 @@
################################################################################
NTP_VERSION_MAJOR = 4.2
NTP_VERSION = $(NTP_VERSION_MAJOR).8p8
NTP_VERSION = $(NTP_VERSION_MAJOR).8p9
NTP_SITE = http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR)
NTP_DEPENDENCIES = host-pkgconf libevent $(if $(BR2_PACKAGE_BUSYBOX),busybox)
NTP_DEPENDENCIES = host-pkgconf libevent openssl $(if $(BR2_PACKAGE_BUSYBOX),busybox)
NTP_LICENSE = ntp license
NTP_LICENSE_FILES = COPYRIGHT
NTP_CONF_ENV = ac_cv_lib_md5_MD5Init=no
@@ -17,17 +17,12 @@ NTP_CONF_OPTS = \
--disable-tickadj \
--disable-debugging \
--with-yielding-select=yes \
--disable-local-libevent
--disable-local-libevent \
--with-crypto
# 0002-ntp-syscalls-fallback.patch
NTP_AUTORECONF = YES
ifeq ($(BR2_PACKAGE_OPENSSL),y)
NTP_CONF_OPTS += --with-crypto
NTP_DEPENDENCIES += openssl
else
NTP_CONF_OPTS += --without-crypto --disable-openssl-random
endif
ifeq ($(BR2_PACKAGE_LIBCAP),y)
NTP_CONF_OPTS += --enable-linuxcaps
NTP_DEPENDENCIES += libcap
+2 -2
View File
@@ -1,5 +1,5 @@
# From https://www.openssl.org/source/openssl-1.0.2j.tar.gz.sha256
sha256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 openssl-1.0.2j.tar.gz
# From https://www.openssl.org/source/openssl-1.0.2k.tar.gz.sha256
sha256 6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0 openssl-1.0.2k.tar.gz
# Locally computed
sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9 openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
OPENSSL_VERSION = 1.0.2j
OPENSSL_VERSION = 1.0.2k
OPENSSL_SITE = http://www.openssl.org/source
OPENSSL_LICENSE = OpenSSL or SSLeay
OPENSSL_LICENSE_FILES = LICENSE
@@ -1,35 +0,0 @@
From 1a8714d0b56e06301b3c261eaef93d897ec5d834 Mon Sep 17 00:00:00 2001
From: Floris Bos <bos@je-eigen-domein.nl>
Date: Fri, 1 May 2015 15:28:55 +0200
Subject: [PATCH] Fix php-fpm.service.in
- Expand file paths.
- Remove obsolete After=syslog.target. Syslog is socket activated nowadays.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
---
sapi/fpm/php-fpm.service.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sapi/fpm/php-fpm.service.in b/sapi/fpm/php-fpm.service.in
index a2df30e..c135f04 100644
--- a/sapi/fpm/php-fpm.service.in
+++ b/sapi/fpm/php-fpm.service.in
@@ -1,11 +1,11 @@
[Unit]
Description=The PHP FastCGI Process Manager
-After=syslog.target network.target
+After=network.target
[Service]
Type=@php_fpm_systemd@
-PIDFile=@localstatedir@/run/php-fpm.pid
-ExecStart=@sbindir@/php-fpm --nodaemonize --fpm-config @sysconfdir@/php-fpm.conf
+PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid
+ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
--
2.7.4
+1 -1
View File
@@ -1,2 +1,2 @@
# From http://php.net/downloads.php
sha256 a810b3f29c21407c24caa88f50649320d20ba6892ae1923132598b8a0ca145b6 php-7.1.0.tar.xz
sha256 b3565b0c1441064eba204821608df1ec7367abff881286898d900c2c2a5ffe70 php-7.1.1.tar.xz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
PHP_VERSION = 7.1.0
PHP_VERSION = 7.1.1
PHP_SITE = http://www.php.net/distributions
PHP_SOURCE = php-$(PHP_VERSION).tar.xz
PHP_INSTALL_STAGING = YES
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 d284af5dd875dbba90ab875d40db5d68fdc9ede17a76f2af525f85344be56767 quagga-1.0.20160315.tar.xz
sha256 b5a94e5bdad3062e04595a5692b8cc435f0a85102f75dfdca0a06d093b4ef63f quagga-1.1.1.tar.gz
+9 -3
View File
@@ -4,10 +4,9 @@
#
################################################################################
QUAGGA_VERSION = 1.0.20160315
QUAGGA_SOURCE = quagga-$(QUAGGA_VERSION).tar.xz
QUAGGA_VERSION = 1.1.1
QUAGGA_SITE = http://download.savannah.gnu.org/releases/quagga
QUAGGA_DEPENDENCIES = host-gawk
QUAGGA_DEPENDENCIES = host-gawk host-pkgconf
QUAGGA_LICENSE = GPLv2+
QUAGGA_LICENSE_FILES = COPYING
@@ -29,6 +28,13 @@ else
QUAGGA_CONF_OPTS += --disable-capabilities
endif
ifeq ($(BR2_PACKAGE_PROTOBUF_C),y)
QUAGGA_CONF_OPTS += --enable-protobuf
QUAGGA_DEPENDENCIES += protobuf-c
else
QUAGGA_CONF_OPTS += --disable-protobuf
endif
QUAGGA_CONF_OPTS += $(if $(BR2_PACKAGE_QUAGGA_ZEBRA),--enable-zebra,--disable-zebra)
QUAGGA_CONF_OPTS += $(if $(BR2_PACKAGE_QUAGGA_BGPD),--enable-bgpd,--disable-bgpd)
QUAGGA_CONF_OPTS += $(if $(BR2_PACKAGE_QUAGGA_RIPD),--enable-ripd,--disable-ripd)
+2 -2
View File
@@ -1,4 +1,4 @@
# From https://github.com/antirez/redis-hashes/blob/master/README
sha1 6f6333db6111badaa74519d743589ac4635eba7a redis-3.2.5.tar.gz
sha1 6780d1abb66f33a97aad0edbe020403d0a15b67f redis-3.2.8.tar.gz
# Calculated based on the hash above
sha256 8509ceb1efd849d6b2346a72a8e926b5a4f6ed3cc7c3cd8d9f36b2e9ba085315 redis-3.2.5.tar.gz
sha256 61b373c23d18e6cc752a69d5ab7f676c6216dc2853e46750a8c4ed791d68482c redis-3.2.8.tar.gz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
REDIS_VERSION = 3.2.5
REDIS_VERSION = 3.2.8
REDIS_SITE = http://download.redis.io/releases
REDIS_LICENSE = BSD-3c (core); MIT and BSD family licenses (Bundled components)
REDIS_LICENSE_FILES = COPYING
+3 -3
View File
@@ -1,3 +1,3 @@
# From http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.23.tar.xz.asc
md5 9b68f689e3d9578932b9c6a4041037c2 squid-3.5.23.tar.xz
sha1 33e43869d5eeb0fdfd1d625e6d6edee0617b2b22 squid-3.5.23.tar.xz
# From http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.24.tar.xz.asc
md5 3fae511e16b6379b61c011914673973d squid-3.5.24.tar.xz
sha1 f203637783301a4b86e554b6dd226de721762ae5 squid-3.5.24.tar.xz
+1 -1
View File
@@ -5,7 +5,7 @@
################################################################################
SQUID_VERSION_MAJOR = 3.5
SQUID_VERSION = $(SQUID_VERSION_MAJOR).23
SQUID_VERSION = $(SQUID_VERSION_MAJOR).24
SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz
SQUID_SITE = http://www.squid-cache.org/Versions/v3/$(SQUID_VERSION_MAJOR)
SQUID_LICENSE = GPLv2+
+2 -1
View File
@@ -11,7 +11,8 @@ STUNNEL_DEPENDENCIES = openssl
STUNNEL_CONF_OPTS = --with-ssl=$(STAGING_DIR)/usr --with-threads=fork \
--disable-libwrap
STUNNEL_CONF_ENV = \
ax_cv_check_cflags___fstack_protector=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
ax_cv_check_cflags___fstack_protector=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no) \
LIBS=$(if $(BR2_STATIC_LIBS),-lz)
STUNNEL_LICENSE = GPLv2+
STUNNEL_LICENSE_FILES = COPYING COPYRIGHT.GPL
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 20e4341ec48fcf72abcae312ea913e6ba6b958617b2f3fb496d51f0ae88d831c tcpdump-4.8.1.tar.gz
sha256 eae98121cbb1c9adbedd9a777bf2eae9fa1c1c676424a54740311c8abcee5a5e tcpdump-4.9.0.tar.gz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
TCPDUMP_VERSION = 4.8.1
TCPDUMP_VERSION = 4.9.0
TCPDUMP_SITE = http://www.tcpdump.org/release
TCPDUMP_LICENSE = BSD-3c
TCPDUMP_LICENSE_FILES = LICENSE
+1 -1
View File
@@ -1,2 +1,2 @@
# Locally computed
sha256 9b4790dafc886537096a6e1953ee0424b8c308881b97151a7bfba1f9fd14e3f9 vim-v8.0.0001.tar.gz
sha256 6fbe0ec1228f951ba598b48ac8033f41ca4934cc34689a6008685e7c26477ae2 vim-v8.0.0329.tar.gz
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
VIM_VERSION = v8.0.0001
VIM_VERSION = v8.0.0329
VIM_SITE = $(call github,vim,vim,$(VIM_VERSION))
# Win over busybox vi since vim is more feature-rich
VIM_DEPENDENCIES = \
+1 -1
View File
@@ -1,2 +1,2 @@
# locally computed hash
sha256 7d31b34166c33c3109b45c6e4579b472fd05e3ee8ec6d728352961c5cdd1d6b0 wavpack-4.75.2.tar.bz2
sha256 1939627d5358d1da62bc6158d63f7ed12905552f3a799c799ee90296a7612944 wavpack-5.1.0.tar.bz2
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
WAVPACK_VERSION = 4.75.2
WAVPACK_VERSION = 5.1.0
WAVPACK_SITE = http://www.wavpack.com
WAVPACK_SOURCE = wavpack-$(WAVPACK_VERSION).tar.bz2
WAVPACK_INSTALL_STAGING = YES
+2 -2
View File
@@ -1,2 +1,2 @@
# From: https://www.wireshark.org/download/src/all-versions/SIGNATURES-2.2.4.txt
sha256 42a7fb35eed5a32478153e24601a284bb50148b7ba919c3e8452652f4c2a3911 wireshark-2.2.4.tar.bz2
# From: https://www.wireshark.org/download/src/all-versions/SIGNATURES-2.2.5.txt
sha256 75dd88d3d6336559e5b0b72077d8a772a988197d571f00029986225fef609ac8 wireshark-2.2.5.tar.bz2
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
WIRESHARK_VERSION = 2.2.4
WIRESHARK_VERSION = 2.2.5
WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.bz2
WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
WIRESHARK_LICENSE = wireshark license
+2 -2
View File
@@ -1,2 +1,2 @@
# From http://lists.freedesktop.org/archives/xorg/2013-September/056010.html
sha256 c5bdafa51d1ae30086fac01ab83be8d47fe117b238d3437f8e965434090e041c libXpm-3.5.11.tar.bz2
# From https://lists.x.org/archives/xorg-announce/2016-December/002752.html
sha256 fd6a6de3da48de8d1bb738ab6be4ad67f7cb0986c39bd3f7d51dd24f7854bdec libXpm-3.5.12.tar.bz2
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
XLIB_LIBXPM_VERSION = 3.5.11
XLIB_LIBXPM_VERSION = 3.5.12
XLIB_LIBXPM_SOURCE = libXpm-$(XLIB_LIBXPM_VERSION).tar.bz2
XLIB_LIBXPM_SITE = http://xorg.freedesktop.org/releases/individual/lib
XLIB_LIBXPM_LICENSE = MIT