- Oct 28, 2017
-
-
Peter Korsgaard authored
[Peter: drop Makefile changes] Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 05a2e38af23ecdb04f54da97f5ce2b1f7f41b842) Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Jerzy Grzegorek authored
Signed-off-by:
Jerzy Grzegorek <jerzy.m.grzegorek@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Changelog: http://www.php.net/ChangeLog-7.php#7.1.11 Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Release notes: https://www.samba.org/samba/history/samba-4.6.9.html Added license hash. Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Martin Bark authored
Signed-off-by:
Martin Bark <martin@barkynet.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Martin Bark authored
Signed-off-by:
Martin Bark <martin@barkynet.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Joshua Henderson authored
Reorganize so the optional composer option for the qt5wayland package shows up as an indented option. Signed-off-by:
Joshua Henderson <joshua.henderson@microchip.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes the following security issues:
CVE-2017-13089: The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument.
CVE-2017-13090: The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
Drop now upstreamed patch and change to .tar.lz as .tar.xz is no longer available. Also add a hash for the license file while we're at it. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
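As an added illustration of the chunk-length check these two fixes describe (this is not wget's code and not part of the commit): a chunk-size parser that rejects negative, malformed and oversized values, next to the unchecked MIN()-then-int path, which assumes the modulo-2^32 long-to-int conversion that gcc and clang perform.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hardened parse of an HTTP/1.1 chunk-size line such as "1a3f;ext=1\r\n".
 * Returns the length, or -1 if the line is not a non-negative hex number
 * that fits in the int a read routine like fd_read() takes. */
long long parse_chunk_len(const char *line)
{
    char *end;

    /* strtol() silently accepts a sign, leading whitespace and "0x";
     * none of those are valid in a chunk-size, so reject them up front. */
    if (line[0] == '-' || line[0] == '+' || isspace((unsigned char)line[0]))
        return -1;
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;

    errno = 0;
    long n = strtol(line, &end, 16);
    if (end == line)                         /* no hex digits at all */
        return -1;
    if (errno == ERANGE || n < 0 || n > INT_MAX)
        return -1;                           /* overflow, or does not fit an int */

    /* Only a chunk extension, optional whitespace or CRLF may follow. */
    switch (*end) {
    case '\0': case ';': case ' ': case '\t': case '\r': case '\n':
        return n;
    default:
        return -1;
    }
}

/* The unchecked path the commit message describes: MIN() leaves a negative
 * length untouched, and the implicit conversion to int keeps only the low
 * 32 bits (assumed modulo 2^32, as gcc and clang do), so -0xFFFFF000 turns
 * into a seemingly valid read length of 0x1000. */
int unchecked_read_len(long long chunk_len)
{
    return (int)MIN(chunk_len, 512);
}
```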
-
Bernd Kuhls authored
Release notes: https://blog.torproject.org/new-stable-tor-releases-0318-03012-02913-02816-02515 Added license hash. Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- Oct 27, 2017
-
-
Adrian Perez de Castro authored
This is a maintenance release of the current stable WebKitGTK+ version, which contains bugfixes; mostly for crashes and rendering issues, plus one important fix for the layout of Arabic text. Release notes: https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html Even though an accompanying security advisory has not been published for this release, the release contains fixes for several crashes (one of them for the decoder of the very common GIF image format), which arguably can be considered potential security issues. Signed-off-by:
Adrian Perez de Castro <aperez@igalia.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Seiderer authored
Signed-off-by:
Peter Seiderer <ps.report@gmx.net> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Jerzy Grzegorek authored
Signed-off-by:
Jerzy Grzegorek <jerzy.m.grzegorek@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yegor Yefremov authored
Remove upstreamed patch and add licence checksums. Signed-off-by:
Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yegor Yefremov authored
Add licence checksum. Signed-off-by:
Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. For more details, see the release notes: https://www.openssh.com/txt/release-7.6 Also add a hash for the license file while we're at it. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
3.2.11 fixes important issues. From the release notes:
================================================================================
Redis 3.2.11 Released Thu Sep 21 15:47:53 CEST 2017
================================================================================
Upgrade urgency HIGH: Potentially critical bugs fixed. AOF flush on SHUTDOWN did not care to really write the AOF buffers (not in the kernel but in the Redis process memory) to disk before exiting. Calling SHUTDOWN during traffic resulted in not every operation being persisted on disk.
Also add a hash for the license file while we're at it. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes CVE-2017-2888 - An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. Also add a hash for the license file while we're at it. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- Oct 26, 2017
-
-
Peter Korsgaard authored
Fixes: http://autobuild.buildroot.net/results/d59/d5992dcc9a49ee77afaebdcc9448ac1868fa7de1/ http://autobuild.buildroot.net/results/e89/e894f21ce1983ee3bd8d65a8e59e1adab9a62707/
The configure script automatically enables support for the raspberry pi video backend if it detects the rpi-userland package. Unfortunately it hardcodes a number of include/linker paths unsuitable for cross compilation, breaking the build:
if test x$enable_video = xyes -a x$enable_video_rpi = xyes; then
..
RPI_CFLAGS="-I/opt/vc/include -I/opt/vc/include/interface/vcos/pthreads -I/opt/vc/include/interface/vmcs_host/linux"
RPI_LDFLAGS="-L/opt/vc/lib -lbcm_host"
fi
So explicitly disable it until the configure script is fixed. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Martin Bark authored
Fixes a regression introduced in 8.8.0. See https://nodejs.org/en/blog/release/v8.8.1/ [Peter: apply on top of 8.8.0, mention that it fixes regression] Signed-off-by:
Martin Bark <martin@barkynet.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. For more details, see the announcement: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- Oct 25, 2017
-
-
Eric Le Bihan authored
Signed-off-by:
Eric Le Bihan <eric.le.bihan.dev@free.fr> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Eric Le Bihan authored
Signed-off-by:
Eric Le Bihan <eric.le.bihan.dev@free.fr> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Eric Le Bihan authored
Signed-off-by:
Eric Le Bihan <eric.le.bihan.dev@free.fr> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Eric Le Bihan authored
Bump version to 2.6.0.1 and refresh patches. Signed-off-by:
Eric Le Bihan <eric.le.bihan.dev@free.fr> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Adam Duskett authored
Also add hash for license file. Signed-off-by:
Adam Duskett <aduskett@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read https://curl.haxx.se/docs/adv_20171023.html Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes the following security issues:
(a) When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. (CWE-126) Found by Hanno Böck. CVE-2017-15228 was assigned to this issue.
(b) While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672) CVE-2017-15227 was assigned to this issue.
(c) Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. Found by Joseph Bisch. This is a separate, but similar issue to CVE-2017-9468. (CWE-690) CVE-2017-15721 was assigned to this issue.
(d) Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. Found by Joseph Bisch. (CWE-690) CVE-2017-15723 was assigned to this issue.
(e) In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string. Found by Joseph Bisch. (CWE-126) CVE-2017-15722 was assigned to this issue.
For more details, see the advisory: https://irssi.org/security/irssi_sa_2017_10.txt While we're at it, also add a hash for the license file. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- Oct 24, 2017
-
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29 Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- Oct 23, 2017
-
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
[Peter: drop Makefile changes] Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 20b6624f4bb84353e690d897688fd7ac12d6a881) Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Adam Duskett authored
This module requires NPTL. Without support for the module, it is built unconditionally, which was causing the following build errors: http://autobuild.buildroot.net/results/029/0298038fc126d15733d81c54e0bb7cb00be48b92/build-end.log http://autobuild.buildroot.net/results/6f3/6f3a218c47204e431100799482a3ed0ec159fa15/build-end.log http://autobuild.buildroot.net/results/63e/63e5569a90d3ace97cb6102509cbd04aeab6f5f7/build-end.log Signed-off-by:
Adam Duskett <aduskett@gmail.com> [Arnout: add empty line in Config.in, reword commit message] Signed-off-by:
Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
-
Vicente Olivert Riera authored
Passing just the endianness flag to LD is not enough. We need to pass the right emulation flag which will set everything for us, not only the endianness. Signed-off-by:
Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by:
Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
-
- Oct 22, 2017
-
-
Jörg Krause authored
Signed-off-by:
Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-