Includes fixes for:
* CVE-2021-3177 - ctypes: Buffer overflow in PyCArg_repr
* CVE-2021-23336 - urllib parse_qsl(): Web cache poisoning - semicolon
as a query args separator
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This backports fixes for security issues, including:
* CVE-2020-14422: Hash collisions in IPv4Interface and IPv6Interface
* CVE-2019-20907: Infinite loop in the tarfile module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Add -rpath linker option to host build, pointing to staging/hostpkh/lib.
It's needed to find the correct host libs during runtime, without it the
hosts libs may be used instaead, causing failures.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit 0311e58bb6)
The linker option -rpath is required to find libs in staging_dir. Now it
is included when building host modules. Without it the import test of
the _ctypes and _uuid modules would fail. The _ctypes module uses
libffi.so.6 from staging, but OpenSUSE LEAP 15 has libffi.so.7.
It will also fail on LEAP 42.x, Fedora28 and 29 and future or old
versions of Ubuntu.
Fix needed in master and 18.06 branches.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit 6ade5a1e3a)
When during the build the openssl extension is also selected, then
the mysqlnd extension depends on it, too.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 50b1cd3757)
This fixes how GOARM is selected for arm platforms, based on support for
VFP/VFPv3 rather than CPU version.
Fixes#10967.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
PHP7 fails to load xmlreader.so (php7-mod-xmlreader) module without
dom.so (php7-mod-dom) module loaded:
-snip-
PHP Warning: PHP Startup: Unable to load dynamic library 'xmlreader.so'
(tried: /usr/lib/php/xmlreader.so (Error relocating /usr/lib/php/xmlreader.so:
dom_node_class_entry: symbol not found), /usr/lib/php/xmlreader.so.so (Error
loading shared library /usr/lib/php/xmlreader.so.so: No such file or
directory)) in Unknown on line 0
^C
-snap-
However, this dependency only exists when during build also php7-mod-dom
is selected.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit b8c22fc1ec)
While at, update the SPDX license id to most recent format.
Compile and run tested on mxs platform.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 5805da860e)
This fixes CVE-2019-11042 and CVE-2019-11041.
Compile and run tested on mxs platform
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 8e419c6d4c)
All symbols on MacOS are prefixed with an underscore which
interfered with the filtering mechanism (added in perl 5.28)
for extension libraries to be linked into static perl.
Signed-off-by: Jakub Piotr Cłapa <jpc@loee.pl>
2.5.7 fixes:
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
2.5.6 fixes:
* Multiple jQuery vulnerabilities in RDoc
* About 40 bugs
Changelog: https://github.com/ruby/ruby/compare/v2_5_5...v2_5_7
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Patches already merged and so removed:
* 019-bpo-36216-Add-check-for-characters-in-netloc-that-normalize-to-separators-GH-12216.patch
* 020-bpo-36216-Only-print-test-messages-when-verbose-GH-12291.patch
* 021-2.7-bpo-35121-prefix-dot-in-domain-for-proper-subdom.patch
* 027-bpo-38243-Escape-the-server-title-of-DocXMLRPCServer.patch
* 028-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
Patches no longer necessary and so removed:
* 017_lib2to3_fix_pyc_search.patch
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 83b300aa83)
This seems to have slipped for some time. No idea if it ever worked.
It could be that this worked at some point.
In any case, the shebang is properly updated now.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit 1b96dc0171)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(bump PKG_RELEASE for python3-pip)
CVE-2013-7459 and CVE-2018-6594. Both patches taken from Fedora.
Also took the liberty to update the PKG_SOURCE_URL to a standard one.
Updated the home URL as well.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 32b23e28ad)
Currently, all files in usr/bin (presumably all Python scripts) are run
through sed to replace the shebang; sed will overwrite the file whether
or not a match is found. This causes symlinks to be overridden and made
into copies of their targets. python[3]-base and python[3]-dev are
affected by this.
This adds the --follow-symlinks flag to sed, in addition to using
$(SED), so that symlinks are not overridden.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This extends the Python[3] shebang fixup to all packages.
Only Python scripts in `/usr/bin` will be handled at the moment. Later it
may make sense to also cover executables in `/bin`, though typically Python
executables shouldn't be placed there.
Previously the shebang handling was only done for python[3]-pip &
python[3]-setuptools.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Jeffery To