A remote code execution vuln has been found in sqlite. Infos available
here:
https://blade.tencent.com/magellan/index_en.html
sqlite 3.26.0 contains the fix.
This commit also changes source URL to https. It also adds a depend on
zlib, which is now required.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:
CVE-2017-17095
CVE-2018-17101
CVE-2018-18557
The update is 100% backwards compatible, no symbol changes.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Debian uses libxml2 2.9.4 in Stretch. This adds their security related
fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release.
Fixed CVEs:
CVE-2016-4658
CVE-2016-5131
CVE-2017-0663
CVE-2017-15412
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Backport Rosen's commit in master to 17.01 to address open CVEs. This
fixes:
CVE-2017-11613
CVE-2018-5784
CVE-2018-7456
CVE-2018-8905
CVE-2018-10963
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This update includes fixes for the following CVEs:
- CVE-2018-1053
- CVE-2018-1058
- CVE-2018-10915
- CVE-2018-10925
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:
sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status
To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This allows prevents build error due to trust-paths not being
specified. The trust module was not being used in openwrt.
Resolves#5528
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
to be added to fix the open CVEs. There have been no API/ABI
changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
on top.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- currently zlib is never detected, although there is a dependency on
it, fix that.
- change links from http to https
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Currently alsa-lib fails to build on uClibc:
parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
Makefile:390: recipe for target 'parser.lo' failed
Fix this by adding an upstream fix as a backport.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Contains fixes for
* CVE-2017-15099
* CVE-2017-15098
* CVE-2017-12172
* CVE-2017-7548
* CVE-2017-7547
* CVE-2017-7546
* CVE-2017-7486
* CVE-2017-7485
* CVE-2017-7484
Note that some fixes apply for newly created databases only!
To mitigate CVE-2017-7486 and CVE-2017-7547 in existing databases,
a procedure described in the the release notes of PostgreSQL 9.5.8
is necessary!
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
While recently building asterisk, the make system stalled on gnutls. On my install of Ubuntu 16.04 on WSL, it seems curl can't download from ftp and doesn't even time out properly. Easiest solution is to switch the gnutls Makefile to use HTTPS instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixed recently in master as part of upgrading, but the same issue
applies to 17.01. The two variant packages both now PROVIDE
libwebsockets, the virtual package.
Signed-off-by: Karl Palsson <karlp@etactica.com>
libidn.pc file was missing in package staging area causing build
failures for other packages expecting to find libidn package config
files.
refreshed patches to clear existing patch fuzz
take over maintainership
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Update liboping/oping/noping to upstream release 1.9.0
Also introduce new location of downloads and correct
the licence to LGPL-2.1+ (as seen in liboping's README)
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
v1.6.1:
- Faster VP9 encoding and decoding
- Bug Fixes
Now the ABI_VERSION is derived from PKG_VERSION
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>