Commit Graph

7253 Commits

Author SHA1 Message Date
champtar b04fe7f74b Merge pull request #7723 from micmac1/lede-17.01-sqlite3
(lede 17.01) sqlite3 security bump
2018-12-18 22:50:41 +01:00
Sebastian Kemper d309d0090c sqlite3: use dynamic linking for sqlite cli tool
Otherwise it'll carry a static copy of it's own lib.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-18 20:07:35 +01:00
Sebastian Kemper 6fdeb2df93 sqlite3: security bump
A remote code execution vuln has been found in sqlite. Infos available
here:

https://blade.tencent.com/magellan/index_en.html

sqlite 3.26.0 contains the fix.

This commit also changes source URL to https. It also adds a depend on
zlib, which is now required.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-18 20:05:18 +01:00
Hannu Nyman 94685f7a78 Merge pull request #7555 from micmac1/tiff-4010-17.01
(lede-17.01) tiff: security bump to 4.0.10
2018-12-06 10:35:45 +02:00
Sebastian Kemper c3109a2563 tiff: security bump to 4.0.10
This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:

CVE-2017-17095
CVE-2018-17101
CVE-2018-18557

The update is 100% backwards compatible, no symbol changes.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-02 11:59:16 +01:00
Hannu Nyman fe3eb92a4d Merge pull request #7165 from pacien/181009-1701-pkg-tinc
tinc: update to 1.0.35 (security update) [lede-17.01]
2018-10-10 20:28:18 +03:00
Pacien TRAN-GIRARD 578a7c506a tinc: update to 1.0.35
Critical security update for:
* CVE-2018-16737,
* CVE-2018-16738,
* CVE-2018-16758

Announcement:
https://www.tinc-vpn.org/pipermail/tinc/2018-October/005311.html

Signed-off-by: Pacien TRAN-GIRARD <pacien.trangirard@pacien.net>
2018-10-09 23:58:12 +02:00
Ted Hess 40da7ecf21 socat: Fix CRDLY, TABDLY and CSIZE shifts for PowerPC
Signed-off-by: Ted Hess <thess@kitschensync.net>
2018-08-30 15:23:57 -04:00
Michael Heimpold 1553fad25f Merge pull request #6835 from micmac1/xml2-cve-17.01
libxml2: add Debian patches to address CVEs
2018-08-21 21:11:38 +02:00
Sebastian Kemper a5bbf27e35 libxml2: add Debian patches to address CVEs
Debian uses libxml2 2.9.4 in Stretch. This adds their security related
fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release.

Fixed CVEs:

CVE-2016-4658
CVE-2016-5131
CVE-2017-0663
CVE-2017-15412
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-21 20:42:56 +02:00
Jiri Slachta 56acd578ff Merge pull request #6806 from micmac1/tiff-17.01
tiff: fix remaining CVEs
2018-08-19 19:12:40 +02:00
Sebastian Kemper 1e77dfa7b0 tiff: fix remaining CVEs
Backport Rosen's commit in master to 17.01 to address open CVEs. This
fixes:

CVE-2017-11613
CVE-2018-5784
CVE-2018-7456
CVE-2018-8905
CVE-2018-10963

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-19 11:06:00 +02:00
Dirk Brenken 6b4862d5ca Merge pull request #6783 from EricLuehrsen/unbound_1701
[lede-17.01] unbound: drop odhcpd leases with wrong field count
2018-08-18 19:53:35 +02:00
Eric Luehrsen cad5ceed6a unbound: drop odhcpd leases with wrong field count
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
(cherry pick commit: 59617f076d)
2018-08-17 23:41:16 -04:00
Daniel Golle 7dd5529bf8 Merge pull request #6760 from micmac1/postgresql-17.01
postgresql: security bump to 9.5.14 for 17.01
2018-08-15 20:08:16 +02:00
Sebastian Kemper eb5ac25380 postgresql: security bump to 9.5.14
This update includes fixes for the following CVEs:

- CVE-2018-1053
- CVE-2018-1058
- CVE-2018-10915
- CVE-2018-10925

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-15 17:28:45 +02:00
Hannu Nyman 2578f56c29 Merge pull request #6350 from EricLuehrsen/unbound_20180625_1701
[lede-17.01] unbound: limit outside script source to init funciton scope
2018-06-27 07:18:11 +03:00
Eric Luehrsen 43f14b8112 unbound: limit outside script source to init funciton scope
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2018-06-25 20:50:30 -04:00
Hannu Nyman 338690b2f7 Merge pull request #6077 from MikePetullo/lede-17.01-lighttpd
lighttpd: CONFIG_LIGHTTPD_SSL includes mod_openssl
2018-05-21 08:23:30 +03:00
Philip Prindeville b93e46562a lighttpd: CONFIG_LIGHTTPD_SSL includes mod_openssl
If we're built with CONFIG_LIGHTTPD_SSL then mod_openssl.so should
be included into the base package. Fixes issue #5343.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-05-20 14:46:26 -04:00
Hannu Nyman 08e547f943 usbip: remove upstreamed musl compatibility patch (#5983)
Remove musl compatibility patch that is now included
in the upstream Linux kernel and backported to stable kernels.

Commit in 4.4:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/tools/usb/usbip?h=linux-4.4.y&id=6638091f1b1623db8b2338ef5a5f26d9ec870444

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-04-29 22:22:03 +01:00
Hannu Nyman 89370e23df Merge pull request #5803 from VincentRiou/lighttpd_1_4_48_with_wstunnel
Lighttpd 1.4.48 with wstunnel
2018-04-25 12:26:16 +03:00
Luiz Angelo Daros de Luca e4e9360ff5 Merge pull request #5848 from luizluca/ruby-2.4.4
[17.01] ruby: bump to 2.4.4
2018-03-29 15:23:01 -03:00
Luiz Angelo Daros de Luca 09b00c08f5 ruby: bump to 2.4.4
This release includes some bug fixes and some security fixes.

* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems

There are also some bug fixes

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-03-29 11:37:25 -03:00
Hannu Nyman ccb9ca53cc Merge pull request #5839 from nxhack/lede-17_01_icu_CVE-2017-15422
icu: fix CVE-2017-15422
2018-03-27 23:26:20 +03:00
Hirokazu MORIKAWA 20984d673e icu: fix CVE-2017-15422
[lede-17.01]

Maintainer: me

Compile tested: ar71xx, mips_24kc_gcc-5.4.0_musl-1.1.16, lede-17.01 r3863-fad29d2
Run tested: NONE

Description:
CVE-2017-15422 : integer overflow in icu
https://security-tracker.debian.org/tracker/CVE-2017-15422

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2018-03-27 17:05:45 +09:00
Vincent Riou e1b36a234c lighttpd: add mod-wstunnel
Exposes the mod-wstunnel plugin which implements websocket proxying over http

Signed-off-by: Vincent Riou <vincent@invizbox.com>
2018-03-23 14:57:16 +00:00
Philip Prindeville 62b0d30aeb lighttpd: update to 1.4.48
All of the bugs for which we had patches have been fixed upstream
in 1.4.46, so the patches can be dropped.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Conflicts:
	net/lighttpd/Makefile
2018-03-23 14:18:05 +00:00
Tony Ambardar 0b748a3ac5 sqm-scripts: Fix return value bug in postrm script
The script removes the UCI option ucitrack.@sqm[0] if present and then
returns success. If that UCI option is already absent however, the
script incorrectly returns failure, which blocks upgrade of the
luci-app-sqm package.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2018-03-03 16:39:32 +01:00
Karl Palsson 96c08703f3 mosqitto: bump to 1.4.15 for CVE fixes.
See https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
for full details.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2018-03-01 11:20:03 +00:00
Rafał Miłecki 90d3ef2f76 minidlna: exclude "po" directory to fix CONFIG_BUILD_NLS=y builds
This fixes:
*** error: gettext infrastructure mismatch: using a Makefile.in.in from gettext version 0.18 but the autoconf macros are from gettext version 0.19

Makefile of minidlna package specifies PKG_FIXUP:=autoreconf. That
results in calling autoreconf with multiple arguments, including many -I
ones. One of autoreconf steps is calling aclocal with the same set of -I
arguments.

All of that results in:
1) aclocal using staging_dir's /usr/share/aclocal and its po.m4
2) not using minidlna's po.m4
3) not updating Makefile.in.in

If staging_dir's po.m4 has different GETTEXT_MACRO_VERSION than the
minidlna's one it'll result in a mismatch in the Makefile.in. Ideally we
should take care of regenerating Makefile.in.in but this isn't
currentlly supported. As localization isn't properly supported anyway
(no shipping .mo files) it's safe to just disable building po files.

Added patch comes from the master branch commit d5fcc972ba
("multimedia/minidlna: Update to 1.2.0").

Fixes: 7292844261 ("minidlna: backport fixes from 1.1.6 and 1.2.0 releases")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-02-19 12:47:31 +01:00
champtar 56331e808f Merge pull request #5492 from micmac1/fix-sqlite3-on-uclibc
sqlite3 [lede-17.01]: fix uClibc builds
2018-01-31 07:55:37 -08:00
Sebastian Kemper b8e6fc3eb7 sqlite3: fix uClibc builds
When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:

sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status

To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 20:48:45 +01:00
Nikos Mavrogiannopoulos acc974f84c p11-kit: disable trust module
This allows prevents build error due to trust-paths not being
specified. The trust module was not being used in openwrt.

Resolves #5528

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-01-30 20:36:51 +01:00
Jiri Slachta ea967b5a71 Merge pull request #5541 from micmac1/jiri-lede-17.01
libssh2, libxslt, tiff: security bumps + fix (for lede-17.01)
2018-01-30 19:57:37 +01:00
Sebastian Kemper 4e93c8bf46 tiff: version bump to address open CVEs
- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
  to be added to fix the open CVEs. There have been no API/ABI
  changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
  on top.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:17:42 +01:00
Sebastian Kemper 2847e03934 libxslt: add patches copied from Debian to fix CVEs
- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:09:51 +01:00
Sebastian Kemper 902542faa0 libssh: fix zlib detection
- currently zlib is never detected, although there is a dependency on
  it, fix that.
- change links from http to https

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:06:08 +01:00
tripolar 14f5d40714 Merge pull request #5493 from micmac1/fix-alsa-lib-on-uclibc
alsa-lib [lede-17.01]: fix build on uclibc
2018-01-27 13:24:29 +01:00
Sebastian Kemper dc7f2ccad2 alsa-lib: fix uClibc builds
Currently alsa-lib fails to build on uClibc:

parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
Makefile:390: recipe for target 'parser.lo' failed

Fix this by adding an upstream fix as a backport.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-27 11:49:02 +01:00
Hannu Nyman 19f22c9548 Merge pull request #5497 from daztucker/lede-17.01
net/https-dns-proxy: Update to 2018-01-24.
2018-01-26 16:29:20 +02:00
Darren Tucker e359065b62 net/https-dns-proxy: Update to 2018-01-24.
Add dependency on ca-bundle without which the HTTPS fetches fail.
Add "-x" option to force HTTP/1.1 instead of HTTP/2.0
Add a workaround for bug in libcurl <7.530 that prevents it from
working at all when built with mbedtls.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>
Acked-by: Aaron Drew <aarond10@gmail.com>
2018-01-25 20:05:18 +11:00
Luiz Angelo Daros de Luca 127daaef07 Merge pull request #5317 from luizluca/17.01/ruby-2.4.3
[17.01] ruby: bump to 2.4.3
2018-01-22 08:43:03 -02:00
Hannu Nyman 399e43d5dc Merge pull request #5479 from EricLuehrsen/lede-17.01-unbound-168
[lede-17.01] unbound: update to 1.6.8 for CVE-2017-15105
2018-01-20 10:03:35 +02:00
Eric Luehrsen b6cf69bca6 unbound: update to 1.6.8 for CVE-2017-15105
A vulnerability was discovered in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
(see https://unbound.net/downloads/CVE-2017-15105.txt)

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2018-01-19 21:25:14 -05:00
Hannu Nyman f09eaa4f39 Merge pull request #5477 from dibdot/travelmate-17.01
[17.01] travelmate: release 1.0.2
2018-01-19 15:10:12 +02:00
Hannu Nyman f2b1b3a048 Merge pull request #5476 from dibdot/adblock-17.01
[17.01] adblock: release 3.4.3
2018-01-19 15:10:02 +02:00
Dirk Brenken 4038c7ea6f [17.01] travelmate: release 1.0.2
* bump travelmate version in stable tree

Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-01-19 10:02:23 +01:00
Dirk Brenken 366e595d56 [17.01] adblock: release 3.4.3
* bump adblock version in stable tree

Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-01-19 09:50:39 +01:00
Yousong Zhou f5046db67e vpnc: fix using proto_add_host_dependency
Fixes #4343

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-19 11:18:10 +08:00