Commit Graph

1117 Commits

Author SHA1 Message Date
Sebastian Kemper d309d0090c sqlite3: use dynamic linking for sqlite cli tool
Otherwise it'll carry a static copy of it's own lib.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-18 20:07:35 +01:00
Sebastian Kemper 6fdeb2df93 sqlite3: security bump
A remote code execution vuln has been found in sqlite. Infos available
here:

https://blade.tencent.com/magellan/index_en.html

sqlite 3.26.0 contains the fix.

This commit also changes source URL to https. It also adds a depend on
zlib, which is now required.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-18 20:05:18 +01:00
Sebastian Kemper c3109a2563 tiff: security bump to 4.0.10
This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:

CVE-2017-17095
CVE-2018-17101
CVE-2018-18557

The update is 100% backwards compatible, no symbol changes.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-12-02 11:59:16 +01:00
Sebastian Kemper a5bbf27e35 libxml2: add Debian patches to address CVEs
Debian uses libxml2 2.9.4 in Stretch. This adds their security related
fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release.

Fixed CVEs:

CVE-2016-4658
CVE-2016-5131
CVE-2017-0663
CVE-2017-15412
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-21 20:42:56 +02:00
Sebastian Kemper 1e77dfa7b0 tiff: fix remaining CVEs
Backport Rosen's commit in master to 17.01 to address open CVEs. This
fixes:

CVE-2017-11613
CVE-2018-5784
CVE-2018-7456
CVE-2018-8905
CVE-2018-10963

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-19 11:06:00 +02:00
Sebastian Kemper eb5ac25380 postgresql: security bump to 9.5.14
This update includes fixes for the following CVEs:

- CVE-2018-1053
- CVE-2018-1058
- CVE-2018-10915
- CVE-2018-10925

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-08-15 17:28:45 +02:00
Hirokazu MORIKAWA 20984d673e icu: fix CVE-2017-15422
[lede-17.01]

Maintainer: me

Compile tested: ar71xx, mips_24kc_gcc-5.4.0_musl-1.1.16, lede-17.01 r3863-fad29d2
Run tested: NONE

Description:
CVE-2017-15422 : integer overflow in icu
https://security-tracker.debian.org/tracker/CVE-2017-15422

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2018-03-27 17:05:45 +09:00
champtar 56331e808f Merge pull request #5492 from micmac1/fix-sqlite3-on-uclibc
sqlite3 [lede-17.01]: fix uClibc builds
2018-01-31 07:55:37 -08:00
Sebastian Kemper b8e6fc3eb7 sqlite3: fix uClibc builds
When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:

sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status

To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 20:48:45 +01:00
Nikos Mavrogiannopoulos acc974f84c p11-kit: disable trust module
This allows prevents build error due to trust-paths not being
specified. The trust module was not being used in openwrt.

Resolves #5528

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-01-30 20:36:51 +01:00
Sebastian Kemper 4e93c8bf46 tiff: version bump to address open CVEs
- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
  to be added to fix the open CVEs. There have been no API/ABI
  changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
  on top.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:17:42 +01:00
Sebastian Kemper 2847e03934 libxslt: add patches copied from Debian to fix CVEs
- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:09:51 +01:00
Sebastian Kemper 902542faa0 libssh: fix zlib detection
- currently zlib is never detected, although there is a dependency on
  it, fix that.
- change links from http to https

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:06:08 +01:00
Sebastian Kemper dc7f2ccad2 alsa-lib: fix uClibc builds
Currently alsa-lib fails to build on uClibc:

parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
Makefile:390: recipe for target 'parser.lo' failed

Fix this by adding an upstream fix as a backport.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-27 11:49:02 +01:00
Daniel Golle eb3a0d828e postgresql: update to version 9.5.10
Contains fixes for
 * CVE-2017-15099
 * CVE-2017-15098
 * CVE-2017-12172
 * CVE-2017-7548
 * CVE-2017-7547
 * CVE-2017-7546
 * CVE-2017-7486
 * CVE-2017-7485
 * CVE-2017-7484

Note that some fixes apply for newly created databases only!
To mitigate CVE-2017-7486 and CVE-2017-7547 in existing databases,
a procedure described in the the release notes of PostgreSQL 9.5.8
is necessary!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-01-05 00:20:31 +01:00
Rosen Penev 81571ac0ef gnutls: Use HTTPS instead of FTP
While recently building asterisk, the make system stalled on gnutls. On my install of Ubuntu 16.04 on WSL, it seems curl can't download from ftp and doesn't even time out properly. Easiest solution is to switch the gnutls Makefile to use HTTPS instead.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-12-30 22:31:17 +01:00
Nikos Mavrogiannopoulos f2131de798 gnutls: updated to 3.5.16
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-11-04 23:41:09 +01:00
Etienne Champetier 9ce3deb840 sqlite3: update to 3.19.3
fix possible database corruption
https://www.sqlite.org/releaselog/3_19_3.html

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2017-10-25 11:36:18 -07:00
Daniel Engberg 6bca857952 libs/sqlite3: Update to 3190200
Update sqlite to 3190200
Remove obsolete tarball hash variable

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-10-25 11:36:18 -07:00
Ian Leonard 0a279576a9 sqlite: update to 3.17.0
Signed-off-by: Ian Leonard <antonlacon@gmail.com>
2017-10-25 11:36:18 -07:00
Karl Palsson 58a1a733e5 libwebsockets: add PROVIDES to both variants
Fixed recently in master as part of upgrading, but the same issue
applies to 17.01.  The two variant packages both now PROVIDE
libwebsockets, the virtual package.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2017-10-25 11:15:12 +00:00
Hirokazu MORIKAWA e967fd8ca8 icu: fix CVE-2017-14952 Double-Free Vulnerability [lede-17.01]
http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/

https://security-tracker.debian.org/tracker/CVE-2017-14952

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2017-10-24 02:34:06 -05:00
Steven Hessing 9040b270b5 noddos: new backport of noddos from master branch
Signed-off-by: Steven Hessing <steven.hessing@gmail.com>
2017-10-07 21:24:43 -07:00
Thomas Heil a6a44f91f3 pcre: Added fix for CVE-2017-11164 by adding stack recursion limit
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
2017-09-03 15:15:20 +02:00
Thomas Heil 1434dbdf55 pcre: upgrade to version 8.41
- fixes security issues

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
2017-09-03 15:15:20 +02:00
Nikos Mavrogiannopoulos e8af9ce46e gnutls: updated to 3.5.13
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-06-18 13:26:24 +02:00
Nikos Mavrogiannopoulos 4c26df19ad libtasn1: updated to 4.12
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-06-18 13:26:24 +02:00
W. Michael Petullo ca5d4b08e5 openldap: update to 2.4.45
Fixes CVE-2017-9287

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2017-06-14 18:31:29 -04:00
Hannu Nyman 14f08bc825 Merge pull request #4443 from MikePetullo/lede-17.01-libdmapsharing
libdmapsharing: update to 2.9.38
2017-06-06 09:50:51 +03:00
W. Michael Petullo 33d8f9e567 libdmapsharing: update to 2.9.38
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2017-06-05 17:28:29 -04:00
Nikos Mavrogiannopoulos 73011d3a90 gnutls: updated to 3.5.11
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-05-08 05:58:42 +02:00
Hirokazu MORIKAWA bb0828957d [lede-17.01] icu: fix CVE-2017-7867 CVE-2017-7868
icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>

icu: increase PKG_RELEASE
2017-04-19 18:12:56 +09:00
Thomas Heil 94987aaff7 [libs/pcre]: fix CVE-2017-7186
Fix CVE-2017-7186 mentioned in https://bugs.exim.org/show_bug.cgi?id=2052

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
2017-03-27 10:06:32 +02:00
Nikos Mavrogiannopoulos 01c15dc2ce gnutls: updated to 3.5.9
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 11:28:17 +01:00
Daniel Engberg 225ced086e libs/gnutls: Don't link libidn unintentionally
Fixes compilation reported by by buildbots.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit c7c951eada)
2017-02-08 10:46:57 +02:00
Ian Leonard 92541f9171 opus: update to 1.1.4
Includes fix for CVE 2017-0381.

Assume maintainership.

Signed-off-by: Ian Leonard <antonlacon@gmail.com>
2017-02-07 17:45:41 +01:00
heil 7d74e5e9d8 package: pcre bump to version 8.40
Signed-off-by: heil <heil@terminal-consulting.de>
2017-02-05 20:10:03 +01:00
Kevin Darbyshire-Bryant 2232cedc17 libidn: install libidn.pc in staging area & refresh patches
libidn.pc file was missing in package staging area causing build
failures for other packages expecting to find libidn package config
files.

refreshed patches to clear existing patch fuzz

take over maintainership

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-02-05 19:52:32 +01:00
p-wassi 0f4b5c25b8 libs/liboping: update to 1.9.0
Update liboping/oping/noping to upstream release 1.9.0
Also introduce new location of downloads and correct
the licence to LGPL-2.1+ (as seen in liboping's README)

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2017-02-05 19:36:51 +01:00
Luiz Angelo Daros de Luca 28d1e7b77b libvpx: bump to 1.6.1
v1.6.1:
- Faster VP9 encoding and decoding
- Bug Fixes

Now the ABI_VERSION is derived from PKG_VERSION

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2017-01-25 23:14:49 -02:00
Vladimir Ulrich 5cb98f890e [libs/fftw3] Updated to version 3.3.6
Signed-off-by: Vladimir Ulrich <admin@evl.su>
2017-01-16 01:19:10 +03:00
Nikos Mavrogiannopoulos 4563af5d95 gnutls: updated to 3.5.8
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-15 21:32:38 +01:00
Luka Perkov ee9b3f8e7e libuv: bump to 1.10.2
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
2017-01-15 19:30:03 +01:00
Matthias Schiffer ee211f94ec libxslt: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriate
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-14 19:01:13 +01:00
Matthias Schiffer 68699b6811 libgpg-error: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriate
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-14 19:01:11 +01:00
Ted Hess 1c2107e462 libshout: Update to 2.4.1. Create -nossl variant
Signed-off-by: Ted Hess <thess@kitschensync.net>
2017-01-13 17:01:43 -05:00
Ted Hess 867453bd52 Merge pull request #3785 from diizzyy/patch-17
libs/libstrophe: Fix source tarball filename
2017-01-13 13:37:05 -05:00
Peter Wagner e7e68c08ba glib2: add --enable-libmount=no to HOST_CONFIGURE_ARGS
Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-01-13 19:14:28 +01:00
Peter Wagner ae19abe330 glib2: update to 2.50.2
Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-01-13 09:40:56 +01:00
Matthias Schiffer 3823ef9bc4 Merge pull request #3813 from NeoRaider/hostpkg
Use STAGING_DIR_HOSTPKG where appropriate
2017-01-11 21:54:09 +01:00