Johan Oudinet [Fri, 19 Jan 2018 16:29:31 +0000 (17:29 +0100)]
ejabberd: Bump to version 17.11
* Adapt all patches.
* Use the new configure option enable-system-deps even though there is
still a patch needed to correct includes.
* Disable graphics to not depend on X libraries. Disable also
mod_avatar from the default loaded modules, since this module
requires graphics enabled.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Zoltan Gyarmati [Mon, 29 Jan 2018 05:38:11 +0000 (06:38 +0100)]
package/pinentry: avoid building qt5 version if qt4 is enabled
BR2_PACKAGE_PINENTRY_QT5 selects BR2_PACKAGE_QT5, which can lead to Qt
version clash if otherwise Qt4 is selected as well. Make
BR2_PACKAGE_PINENTRY_QT5 depend on !BR2_PACKAGE_QT to avoid this.
James Knight [Tue, 23 Jan 2018 18:24:43 +0000 (13:24 -0500)]
libpqxx: needs at least gcc 4.8 for c++11 features
This package uses autoconf (AX_CXX_COMPILE_STDCXX_11) to validate C++11
support. The test code uses an auto static data member for validation;
however, support for this only exists in GCC 4.8+ [1]. This causes the
configuration script to generate the following errors:
```
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ accepts -g... yes
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features by default... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with -std=c++11... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with +std=c++11... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with -h std=c++11... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with -std=c++0x... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with +std=c++0x... no
checking whether .../host/bin/powerpc-ctng_e500v2-linux-gnuspe-g++ supports C++11 features with -h std=c++0x... no
```
Bumping the required GCC version of this package to at least v4.8.
Ilya Kuzmich [Tue, 9 Jan 2018 11:37:43 +0000 (14:37 +0300)]
merge_config.sh: add br2-external support
Pass BR2_EXTERNAL value via -e option.
This will prevent merge_config.sh from silently eating any symbols defined in
external trees on a clean buildroot tree invocation.
Signed-off-by: Ilya Kuzmich <ilya.kuzmich@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch is to fix the following build error:
```
weak_readline.c:30:19: fatal error: dlfcn.h: No such file or directory
#include <dlfcn.h>
^
compilation terminated.
Makefile:890: recipe for target 'weak_readline.o' failed
```
Signed-off-by: Laurent Charpentier <laurent_pubs@yahoo.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:33:10 +0000 (23:33 +0100)]
dovecot: add upstream security fix for CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes. The leak has an impact in high-performance configurations
where the same login processes are reused and can cause the process to crash
due to memory exhaustion.
For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:02:56 +0000 (23:02 +0100)]
openocd: add security fix for CVE-2018-5704
Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP
POST for sending data to 127.0.0.1 port 4444, which allows remote attackers
to conduct cross-protocol scripting attacks, and consequently execute
arbitrary commands, via a crafted web site.
For more details, see:
https://sourceforge.net/p/openocd/mailman/message/36188041/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Chris Lesiak [Tue, 23 Jan 2018 23:15:58 +0000 (17:15 -0600)]
package/systemd: Set fallback hostname
When BR2_TARGET_GENERIC_HOSTNAME is set, use the config option
--with-fallback-hostname to specify the fallback hostname to use
if none is configured in /etc/hostname. This is useful in a
pristine installation with an empty /etc.
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Chris Lesiak [Tue, 23 Jan 2018 23:13:50 +0000 (17:13 -0600)]
Makefile: Store OS release in /usr/lib/os-release
It is recommended that vendor trees store OS release information
in /usr/lib/os-release and that /etc/os-release should be a relative
symlink to /usr/lib/os-release.
Matt Weber [Wed, 24 Jan 2018 04:09:41 +0000 (22:09 -0600)]
security hardening: add RELRO, FORTIFY options
This enables a user to build a complete system using these
options. It is important to note that not all packages will
build correctly to start with.
Modeled after OpenWRT approach
https://github.com/openwrt/openwrt/blob/master/config/Config-build.in#L176
A good testing tool to check a target's elf files for compliance
to an array of hardening techniques can be found here:
https://github.com/slimm609/checksec.sh
[Peter: reword fortify help texts, glibc comment]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add license hash, install in /usr/sbin, tweak help text]
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add host-pkgconf to dependencies]
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Fri, 19 Jan 2018 13:59:29 +0000 (14:59 +0100)]
package/physfs: needs threads support
When physfs is built for a Linux system, the PHYSFS_PLATFORM_POSIX symbol
(which enables code that uses pthread_*()) must be defined, so threads support
is required. The physfs build system used by the previous version didn't
correctly set PHYSFS_PLATFORM_POSIX for systems without pthread support.
Carlos Santos [Fri, 26 Jan 2018 10:21:57 +0000 (08:21 -0200)]
hwdata: bump to version 0.308
The hwdata collection is hosted at GitHub now and provides additional
databases, besides pci.ids and usb.ids:
- Individual Address Block (IAB) and Organizationally Unique Identifier
(OUI) databases, from IEEE Registration Authority
- PNP ID database (from Microsoft)
Install only pci.ids and usb.ids by default, to keep compatibility with
previous versions.
In the future we can make other packages (pciutils, lshw) use the common
files instead of installing their own copies, thus saving some storage
space.
[Peter: drop BR2_PACKAGE_HWDATA_ANY and build time error, rework install step]
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jörg Krause [Wed, 24 Jan 2018 22:00:29 +0000 (23:00 +0100)]
swupdate: add upstream patch to fix build error
When building SWUpdate with the following defconfig:
```
CONFIG_DOWNLOAD=y
```
.. the build process breaks with:
```
corelib/channel_curl.c:27:10: fatal error: json-c/json.h: No such file or directory
#include <json-c/json.h>
```
Looking at the SWUpdate Kconfig based build system shows that `CONFIG_DOWNLOAD`
depends on `HAVE_LIBCURL`, which selects CURL, which eventually enables the
(unnecessary) build of channel_curl.o.
The upstream fixes the condition for building channel_curl.o by adding a new
hidden config option `CHANNEL_CURL`, which is only selected by the
dependent options.
Yegor Yefremov [Fri, 26 Jan 2018 12:54:06 +0000 (13:54 +0100)]
scanpypi: ignore empty elements in package requirements
Depending on how setup.py reads requirements files, empty elements can occur.
This patch takes care that such elements are ignored and don't crash
the scanpypi script.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Fri, 26 Jan 2018 00:16:52 +0000 (22:16 -0200)]
util-linux: disable useless programs in the host package
Disable all programs that depend on ncurses, as well as utilities that
are useless on the host: agetty, chfn-chsh, chmem, login, lslogins,
mesg, more, newgrp, nologin, nsenter, pg, rfkill, schedutils, setpriv,
setterm, su, sulogin, tunelp, ul, unshare, uuidd, vipw, wall, wdctl,
write, zramctl.
Also add dependency on host-zlib if host cramfs utils are to be built.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4088, CVE-2017-13885,
CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153,
CVE-2017-7153, CVE-2017-7161, and CVE-2018-4096. Additionally, it solves
a GStreamer deadlock when stopping video playback, and contains fixes
and improvements for the WebDriver implementation.
SQUID-2018:2 Due to incorrect pointer handling Squid is vulnerable to
denial of service attack when processing ESI responses or downloading
intermediate CA certificates.