A remote code execution vuln has been found in sqlite. Infos available
here:
https://blade.tencent.com/magellan/index_en.html
sqlite 3.26.0 contains the fix.
This commit also changes source URL to https. It also adds a depend on
zlib, which is now required.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:
CVE-2017-17095
CVE-2018-17101
CVE-2018-18557
The update is 100% backwards compatible, no symbol changes.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Debian uses libxml2 2.9.4 in Stretch. This adds their security related
fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release.
Fixed CVEs:
CVE-2016-4658
CVE-2016-5131
CVE-2017-0663
CVE-2017-15412
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Backport Rosen's commit in master to 17.01 to address open CVEs. This
fixes:
CVE-2017-11613
CVE-2018-5784
CVE-2018-7456
CVE-2018-8905
CVE-2018-10963
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This update includes fixes for the following CVEs:
- CVE-2018-1053
- CVE-2018-1058
- CVE-2018-10915
- CVE-2018-10925
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
If we're built with CONFIG_LIGHTTPD_SSL then mod_openssl.so should
be included into the base package. Fixes issue #5343.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
All of the bugs for which we had patches have been fixed upstream
in 1.4.46, so the patches can be dropped.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Conflicts:
net/lighttpd/Makefile
The script removes the UCI option ucitrack.@sqm[0] if present and then
returns success. If that UCI option is already absent however, the
script incorrectly returns failure, which blocks upgrade of the
luci-app-sqm package.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This fixes:
*** error: gettext infrastructure mismatch: using a Makefile.in.in from gettext version 0.18 but the autoconf macros are from gettext version 0.19
Makefile of minidlna package specifies PKG_FIXUP:=autoreconf. That
results in calling autoreconf with multiple arguments, including many -I
ones. One of autoreconf steps is calling aclocal with the same set of -I
arguments.
All of that results in:
1) aclocal using staging_dir's /usr/share/aclocal and its po.m4
2) not using minidlna's po.m4
3) not updating Makefile.in.in
If staging_dir's po.m4 has different GETTEXT_MACRO_VERSION than the
minidlna's one it'll result in a mismatch in the Makefile.in. Ideally we
should take care of regenerating Makefile.in.in but this isn't
currentlly supported. As localization isn't properly supported anyway
(no shipping .mo files) it's safe to just disable building po files.
Added patch comes from the master branch commit d5fcc972ba
("multimedia/minidlna: Update to 1.2.0").
Fixes: 7292844261 ("minidlna: backport fixes from 1.1.6 and 1.2.0 releases")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:
sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status
To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This allows prevents build error due to trust-paths not being
specified. The trust module was not being used in openwrt.
Resolves#5528
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
to be added to fix the open CVEs. There have been no API/ABI
changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
on top.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- currently zlib is never detected, although there is a dependency on
it, fix that.
- change links from http to https
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Currently alsa-lib fails to build on uClibc:
parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
Makefile:390: recipe for target 'parser.lo' failed
Fix this by adding an upstream fix as a backport.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add dependency on ca-bundle without which the HTTPS fetches fail.
Add "-x" option to force HTTP/1.1 instead of HTTP/2.0
Add a workaround for bug in libcurl <7.530 that prevents it from
working at all when built with mbedtls.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
Acked-by: Aaron Drew <aarond10@gmail.com>
A vulnerability was discovered in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
(see https://unbound.net/downloads/CVE-2017-15105.txt)
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>