Merge latest upstream #81

Merged

@erickshepherdNI erickshepherdNI commented Jan 10, 2025

Merge latest from upstream. No conflicts.

AB#2951035

Testing:

  • Ran "bitbake packagefeed-ni-core"
  • Ran "bitbake packagegroup-ni-desirable"
  • Ran "bitbake package-index && bitbake nilrt-base-system-image"
  • Reimaged a cRIO with the new base image and successfully booted it

jiajia123-wind and others added 30 commits October 27, 2024 16:01
Change the SRC_URI to the correct value due to the following error:

WARNING: debootstrap-1.0.132-r0.vr2401 do_fetch: Failed to fetch URL http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.132.tar.gz, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Drop two patches which haven't been referenced by the nodejs recipe since the
20.11.0 version checkin.
  0001-build-fix-build-with-Python-3.12.patch
  0001-gyp-resolve-python-3.12-issues.patch

Signed-off-by: Jason Schonberg <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Change the SRC_URI to the correct value due to the following error:

WARNING: wireguard-tools-1.0.20210914-r0 do_fetch: Failed to fetch URL git://git.zx2c4.com/wireguard-tools;branch=master, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Change the SRC_URI to the correct value due to the following error:

WARNING: vlock-2.2.3-r0.vr2401 do_fetch: Failed to fetch URL http://distfiles.gentoo.org/distfiles/vlock-2.2.3.tar.gz, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Remove 0001-Set-use_tcl-to-be-empty-string-if-tcl-is-disabled.patch.

This patch is obsolete and not needed because the current graphviz
configure.ac has correct logic of checking use_tcl. This use_tcl
variable needs to be set when '--disable-tcl' is set, otherwise,
things will behave as if no option is supplied and the configure
process will check tcl automatically.

This patch is problematic because its logic against the current version
is wrong. The recipe has already explicitly set '--disable-tcl', so
the configure process should not do automatic checking for tcl at do_configure.

This patch fixes do_configure error when host has tcl8.6-dev installed. The
error is like below:

  QA Issue: This autoconf log indicates errors, it looked at host include and/or
  library paths while determining system capabilities.
  Rerun configure task after fixing this. [configure-unsafe]

Signed-off-by: Chen Qi <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2

Security Fix:
CVE-2024-49195

Signed-off-by: Yi Zhao <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Soumya Sambu <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Pick the same patch as Debian took for bullseye.

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Pick the same patch as Debian took for bullseye.

There is no direct backport to versions prior to 3.102 because
commit NSS_3_101_BETA2-12-g8d94c529b [1] rewrote this code.

Applied patch was proposed for old versions in [2] and already
applied in Debian bullseye.

I could not find suitable upstream status, inappropriate is the best
I could pick from offered possibilities.

[1] nss-dev/nss@8d94c52
[2] https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/t9JmsYkujWM/m/HjKuk-ngBAAJ

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Full changelog:
https://sourceforge.net/p/openipmi/news/

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Without this the native recipe cannot be built.

Signed-off-by: Justin Bronder <[email protected]>
(cherry picked from commit 4a86f8a)
Signed-off-by: Armin Kuster <[email protected]>
Null Pointer Dereference in mask_cidr6 component at cidr.c in Tcpreplay
4.4.4 allows attackers to crash the application via crafted tcprewrite
command.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-43279

Upstream patches:
appneta/tcpreplay@963842c

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
According to [1] the ESI feature implementation in squid is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).

Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.

We should not break features in LTS branch and cannot fix this problem.
So ignore this CVE based on set PACKAGECONFIG which should remove it
from reports for most users. Those who need ESI need to assess the risk
themselves.

[1] GHSA-f975-v7qw-q7hj
[2] squid-cache/squid@5eb89ef

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
OpenSSL's soversion will not change for any 3.x minor release.

https://www.openssl.org/policies/general/versioning-policy.html

Signed-off-by: Sana Kazi <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
(cherry picked from commit c3e4879)
Signed-off-by: Akash Hadke <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2024-28882: OpenVPN in a server role accepts multiple exit
notifications from authenticated clients which will extend the
validity of a closing session

References:
https://community.openvpn.net/openvpn/wiki/CVE-2024-28882

Signed-off-by: Haixiao Yan <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Fixes for uninitialized memory issues

Hunks present in card-entersafe.c and card-gids.c are refreshed based
on codebase.

Signed-off-by: Virendra Thakur <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
ChangeLog:
https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst

Security fixes:

CVE-2024-4877: Windows: harden interactive service pipe.
Security scope: a malicious process with "some" elevated privileges
(SeImpersonatePrivilege) could open the pipe a second time,
tricking openvpn GUI into providing user credentials (tokens),
getting full access to the account openvpn-gui.exe runs as.

CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them.
Security scope: a malicious openvpn peer can send garbage to openvpn log,
or cause high CPU load.

CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the
session" even when the server has been told to disconnect this client.

Signed-off-by: Haixiao Yan <[email protected]>
[Drop CVE-2024-28882 patch not yet in stable]
Signed-off-by: Armin Kuster <[email protected]>
Change the SRC_URI to the correct value due to the following error:
WARNING: xfce-dusk-gtk3-1.3-r0 do_fetch: Failed to fetch URL http://sources.openembedded.org/141404-xfce_dusk_gtk3-1_3.tar.gz;subdir=xfce-dusk-gtk3-1.3, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Change the SRC_URI to the correct value due to the following error:
WARNING: eject-2.1.5-r0.wr2401 do_fetch: Failed to fetch URL http://sources.openembedded.org/eject-2.1.5.tar.gz, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Change the SRC_URI to the correct value due to the following error:
WARNING: libdev-checklib-perl-native-1.16-r0 do_fetch: Failed to fetch URL https://cpan.metacpan.org/modules/by-module/Devel/Devel-CheckLib-1.16.tar.gz, attempting MIRRORS if available

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
ChangeLog:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_4
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_5

Security fixes:
CVE-2024-3596:
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a
local attacker who can modify any valid Response (Access-Accept,
Access-Reject, or Access-Challenge) to any other response using a
chosen-prefix collision attack against MD5 Response Authenticator
signature.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-3596
https://www.freeradius.org/security/
https://www.blastradius.fail/
https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0765db185320249ad873d95

(master rev: 28d82d1)

Signed-off-by: Yi Zhao <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Haixiao Yan <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Includes fix for CVE-2024-49767

Changelog:
==========
https://github.com/pallets/werkzeug/blob/3.0.6/CHANGES.rst

Signed-off-by: Soumya Sambu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
According to [1][2], Igor Pavlov, the author of 7-Zip, refused to
provide an advisory or any related change log entries. Have to
backport a part of ./CPP/7zip/Archive/NtfsHandler.cpp from upstream
big commit ip7z/7zip@fc66234

[1] https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
[2] https://dfir.ru/wp-content/uploads/2024/07/screenshot-2024-07-03-at-02-13-40-7-zip-_-bugs-_-2402-two-vulnerabilities-in-the-ntfs-handler.png

Signed-off-by: Hongxu Jia <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2023-52160:
The implementation of PEAP in wpa_supplicant through 2.10 allows
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-52160

Patch from:
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c

Signed-off-by: Yi Zhao <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Includes fix for CVE-2024-8925, CVE-2024-8926, CVE-2024-8927
and CVE-2024-9026

Changelog:
https://www.php.net/ChangeLog-8.php#8.2.24

Rebase 0001-ext-opcache-config.m4-enable-opcache.patch to new version

Signed-off-by: Yogita Urade <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2024-34088:
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c
in the OSPF daemon to return a NULL pointer. In cases where calling functions do not
handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-34088]

Upstream patches:
[FRRouting/frr@8c177d6]

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2024-31950:
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in
ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs
(their size is not validated).

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-31950]

Upstream patches:
[FRRouting/frr@f69d131]

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2024-31951:
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a
buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during
an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-31951]

Upstream patches:
[FRRouting/frr@5557a28]

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
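
The length validation whose absence CVE-2024-31950 and CVE-2024-31951 describe, shown as an added example: a sub-TLV walker that checks every declared length against the bytes actually remaining before reading a value. This is not FRR's code or the upstream patch; the 2-byte type / 2-byte length header with 4-byte padding, the `SUBTLV_FIXED8` type and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4u    /* assumed layout: 2-byte type + 2-byte length */
#define SUBTLV_FIXED8 1u  /* hypothetical type whose value must be 8 bytes */

enum tlv_status { TLV_OK = 0, TLV_TRUNCATED_HEADER = -1,
                  TLV_OVERRUN = -2, TLV_BAD_SIZE = -3 };

/* Read a big-endian (network order) 16-bit field. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk the sub-TLVs in buf[0..len). On success returns TLV_OK and stores
 * the number of sub-TLVs in *count; otherwise returns the status of the
 * first malformed sub-TLV without touching bytes past buf + len. */
int walk_subtlvs(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0;

    *count = 0;
    while (off < len) {
        size_t remaining = len - off;

        if (remaining < TLV_HDR_LEN)
            return TLV_TRUNCATED_HEADER;   /* not even a header left */

        uint16_t type = rd16(buf + off);
        size_t vlen = rd16(buf + off + 2);
        size_t padded = (vlen + 3u) & ~(size_t)3u;  /* 4-byte alignment */

        /* The declared length is attacker-controlled: compare it with
         * what is really left, written so the subtraction cannot wrap. */
        if (padded > remaining - TLV_HDR_LEN)
            return TLV_OVERRUN;

        /* Fixed-size types must carry exactly the expected length. */
        if (type == SUBTLV_FIXED8 && vlen != 8)
            return TLV_BAD_SIZE;

        /* The header is always consumed, so off grows by at least 4
         * even for vlen == 0 and the loop cannot stall. */
        off += TLV_HDR_LEN + padded;
        (*count)++;
    }
    return TLV_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good[] = { 0,1, 0,8, 1,2,3,4,5,6,7,8,  0,2, 0,0 };
static const uint8_t overrun[] = { 0,2, 0,0x40, 1,2,3,4 };
static const uint8_t stray[] = { 0,2, 0,0, 0,1 };
static const uint8_t short_fixed[] = { 0,1, 0,4, 1,2,3,4 };

int main(void)
{
    size_t n;
    printf("good=%d ", walk_subtlvs(good, sizeof good, &n));
    printf("overrun=%d\n", walk_subtlvs(overrun, sizeof overrun, &n));
    return 0;
}
```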
CVE-2024-31948:
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute
in a BGP UPDATE packet can cause the bgpd daemon to crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-31948]

Upstream patches:
[FRRouting/frr@ba6a8f1]
[FRRouting/frr@babb23b]

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
CVE-2024-31949:
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR
capability as a dynamic capability because malformed data results in a pointer not advancing.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-31949]

Upstream patches:
[FRRouting/frr@30a332d]

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Signed-off-by: Wang Mingyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Divya Chellam <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
yizhao1 and others added 14 commits December 15, 2024 14:00
ChangeLog:

Security fixes
==============
* (CVE-2024-31449) Lua library commands may lead to stack overflow and
  potential RCE.
* (CVE-2024-31227) Potential Denial-of-service due to malformed ACL
  selectors.
* (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern
  matching.

Bug fixes
=========
* Fixed crashes in cluster mode (#13315)

Signed-off-by: Yi Zhao <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Divya Chellam <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Backport patch with adjustments for the current version to fix
CVE-2024-7254.

Signed-off-by: Chen Qi <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Changelog:
* Compilation fixes for libxml 2.13
* Fix ABR in gsf-vba-dump.
* Teach gsf (the tool) to handle odf properties.
* Fix integer overflows affecting memory allocation.
* Add missing "DocumentStatus" ole2 property.
* Avoid some undefined C behaviour in overflow checks.

Security fixes:
CVE-2024-42415
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of v1.14.52 of the GNOME Project G Structured File
Library (libgsf). A specially crafted file can result in an integer
overflow that allows for a heap-based buffer overflow when processing
the sector allocation table. This can lead to arbitrary code execution.
An attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-36474
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of the GNOME Project G Structured File Library
(libgsf) version v1.14.52. A specially crafted file can result in an
integer overflow when processing the directory from the file that allows
for an out-of-bounds index to be used when reading and writing to an
array. This can lead to arbitrary code execution. An attacker can
provide a malicious file to trigger this vulnerability.

Reference:
[https://gitlab.gnome.org/GNOME/libgsf/-/issues/34]

(master rev: 6ed5891)

Signed-off-by: Zhang Peng <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
The SPA plugins for bluez depend on D-Bus bindings generated using
gdbus-codegen at build time. Some PACKAGECONFIG combinations appear to
pull this in accidentally. Add an explicit dependency to ensure that
it's in the sysroot when PACKAGECONFIG contains bluez5.

Signed-off-by: Ethan D. Twardy <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Backport patches [1] to fix CVE-2024-7246.

[1] https://github.com/grpc/grpc/pull/37361/files

Signed-off-by: Libo Chen <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
- Solves CVE-2024-8376
- removed 1571.patch and 2894.patch, already applied in v2.0.19

https://github.com/eclipse/mosquitto/blob/v2.0.19/ChangeLog.txt

Signed-off-by: Fabrice Aeschbacher <[email protected]>
Reviewed-by: Peter Marko <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Bruno VERNAY <[email protected]>
Signed-off-by: Hugo SIMELIERE <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Changelog:
==========
Broker:
- Fix QoS 1 / QoS 2 publish incorrectly returning "no subscribers".
  Closes #3128.
- Open files with appropriate access on Windows.
- Don't allow invalid response topic values.
- Fix some strict protocol compliance issues.

Client library:
- Fix cmake build on OS X.

Build:
- Fix build on NetBSD

Signed-off-by: Wang Mingyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Bruno VERNAY <[email protected]>
Signed-off-by: Hugo SIMELIERE <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
This ensures that we do not have to do the toggling from
releases to old-release in LTS release branches

Signed-off-by: Jiaying Song <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
configure emits its arguments into binaries via PACKAGE_CONFIGURE_INVOCATION
therefore edit the paths from this in generated config.h before it gets into
binaries.

Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
includes the CFLAGS used to build the package in
the binary via PACKAGE_CONFIGURE_INVOCATION which then includes the
absolute build path via (eg.) the -ffile-prefix-map flag.

Here we remove using variables like PACKAGE_CONFIGURE_INVOCATION in code

Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Includes fix for CVE-2024-10976, CVE-2024-10977, CVE-2024-10978
and CVE-2024-10979

Changelog:
https://www.postgresql.org/docs/release/16.5/

0003-configure.ac-bypass-autoconf-2.69-version-check.patch
Refreshed for 16.5

Signed-off-by: Yogita Urade <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Upgrade to version 6.8.6:

- Handle single number macOS deployment targets
- Support for architectures where `char` is unsigned
- Support for building from git archives
- Run the tests using the current Python version

The project has a proper pyproject.toml which declares the
setuptools.build.meta PEP-517 backend.

Fixes:
WARNING: sip-6.8.6-r0 do_check_backend: QA Issue: inherits
setuptools3 but has pyproject.toml with setuptools.build_meta,
use the correct class [pep517-backend]

The work was sponsored by GOVCERT.LU.

License-Update: Update years

Signed-off-by: Leon Anavi <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
@erickshepherdNI erickshepherdNI marked this pull request as draft January 10, 2025 20:06
@erickshepherdNI erickshepherdNI marked this pull request as ready for review January 15, 2025 21:46
@chaitu236 chaitu236 requested a review from a team January 16, 2025 18:21
@chaitu236 chaitu236 merged commit f271bcd into ni:nilrt/master/scarthgap Jan 16, 2025