1.15.1 includes a fix for CVE-2020-24553:
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type
is not specified
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Vulnerabilities fixed:
* CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
* CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Imported patches from the debian package.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[strip C library after adding it to openwrt repository]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[strip C library after adding it to openwrt repository]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
PycURL changeLog:
Version 7.43.0.6 - 2020-09-02
-----------------------------------------------------------------
This release improves SSL backend detection on various systems, adds support for libcurl’s multiple SSL backend functionality and adds support for several libcurl options.
Signed-off-by: Waldemar Konik <informatyk74@interia.pl>
Compile tested: x86_64
OpenWrt added pcre/host recently. When it is available (installed)
erlang finds staging_dir/hostpkg/include/pcre.h before it finds its own
copy and the build fails.
```
CC obj/x86_64-pc-linux-gnu/opt/smp/erl_bif_chksum.o
CC obj/x86_64-pc-linux-gnu/opt/smp/erl_bif_re.o
beam/erl_bif_re.c: In function 'erts_init_bif_re':
beam/erl_bif_re.c:96:5: error: 'erts_pcre_malloc' undeclared (first use in this function)
     erts_pcre_malloc = &erts_erts_pcre_malloc;
     ^~~~~~~~~~~~~~~~
beam/erl_bif_re.c:96:5: note: each undeclared identifier is reported only once for each function it appears in
beam/erl_bif_re.c:97:5: error: 'erts_pcre_free' undeclared (first use in this function)
     erts_pcre_free = &erts_erts_pcre_free;
     ^~~~~~~~~~~~~~
```
This adds a patch from Romain Naour and Bernd Kuhls to prevent that.
Patch snatched from buildroot [1].
[1] https://github.com/buildroot/buildroot/blob/master/package/erlang/0002-erts-emulator-reorder-inclued-headers-paths.patch
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This also removes PKG_BUILD_PARALLEL:=0 that was added for packages that
use HOST_PYTHON3_PACKAGE_BUILD_DEPENDS.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
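As an added illustration of what hash-checking mode enforces (example code written for this log, not part of the OpenWrt build system or of pip): every requirement must be pinned with `==` and carry a `--hash`, package names are compared in their normalised form (so `setuptools_scm` and `setuptools-scm` refer to the same requirements file), and an archive whose SHA256 does not match is rejected. The archive bytes and the requirements text are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Set

def canonical_name(name: str) -> str:
    """PEP 503 normalisation: setuptools_scm and setuptools-scm are one package."""
    return re.sub(r"[-_.]+", "-", name).lower()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the downloaded source tarballs pip would verify.
ARCHIVES: Dict[str, bytes] = {
    "toml": b"constructed toml-0.10.1 sdist contents",
    "setuptools-scm": b"constructed setuptools_scm-4.1.2 sdist contents",
}

# Constructed requirements file in hash-checking syntax: each line pins an
# exact version and carries at least one --hash=sha256:<hex> option.
REQUIREMENTS = "\n".join([
    "# constructed example",
    "toml==0.10.1 --hash=sha256:" + sha256_hex(ARCHIVES["toml"]),
    "setuptools_scm==4.1.2 --hash=sha256:" + sha256_hex(ARCHIVES["setuptools-scm"]),
])

PIN = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)(?P<opts>.*)$")
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_requirements(text: str) -> Dict[str, Set[str]]:
    """Map canonical package name -> allowed sha256 digests. A requirement that
    is not pinned with == or has no --hash is rejected (all-or-nothing rule)."""
    allowed: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            raise ValueError(f"requirement not pinned with ==: {line}")
        digests = set(HASH.findall(m.group("opts")))
        if not digests:
            raise ValueError(f"no --hash given for {m.group('name')}")
        allowed[canonical_name(m.group("name"))] = digests
    return allowed

def verify_archives(text: str, archives: Dict[str, bytes]) -> Dict[str, bool]:
    """Per-package verdict; a tampered or unknown archive simply fails to match."""
    allowed = parse_requirements(text)
    return {name: sha256_hex(data) in allowed.get(name, set())
            for name, data in archives.items()}
```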
This adds a config option PYTHON3_HOST_PIP_CACHE_WORLD_READABLE; if
enabled, chmod will be run after pip install to make all
files/directories in the host pip cache world-readable.
Supersedes https://github.com/openwrt/packages/pull/13012.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This includes a fix for CVE-2020-16845 (encoding/binary: ReadUvarint and
ReadVarint can read an unlimited number of bytes from invalid inputs).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fixes https://github.com/openwrt/packages/issues/13016
Patch [1] broke compilation for python-pynacl.
The fix is to patch PyNaCl to consider that
PYNACL_HAS_CRYPTO_SCALARMULT_ED25519 is always available.
[1] 3ef28a4ab0
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
upgrade npm to 6.14.6
update openssl to 1.1.1g
Vulnerabilities fixed:
* CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
* CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
* CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Also:
* Remove patches that are included in the update
* Replace the python3 dependency with a smaller list (python3-urllib is
needed because it is a dependency of python3-email)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This version includes fixes for:
* CVE-2020-15801 - Fixes python3x._pth being ignored on Windows
* CVE-2019-20907 - Avoid infinite loop when reading specially crafted
TAR files using the tarfile module
This also:
* Remove patches that are included in the update
* Add a dependency in python3-distutils for python3-email[1]
[1]: https://github.com/python/cpython/blob/v3.8.5/Lib/distutils/dist.py#L10
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This version includes fixes for:
* CVE-2020-14422: Hash collisions in IPv4Interface and IPv6Interface
* CVE-2020-15523: Python uses invalid DLL path after calling Py_SetPath
on Windows
This version also includes support for OpenSSL 1.1.x builds that use
'no-deprecated' and '--api=1.1.0'[1], and so this removes the previous
OpenSSL-related patches.
This also backports fixes for security issues, including:
* CVE-2019-20907: Infinite loop in the tarfile module
This also updates the setuptools and pip packages to 47.1.0 and 20.1.1,
respectively.
[1]: https://github.com/python/cpython/pull/20566
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds a new Makefile variable, GO_PKG_TAGS, for Go packages. When
set, the value is passed as the parameter of the -tags option for 'go
install'.
This also updates syncthing to use this variable.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This reverts commit 33525fa8d5.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add me as co-maintainer, bump PKG_RELEASE, Makefile polishing]
Log:
```
pkg_resources.DistributionNotFound: The 'ciso8601==2.1.3' distribution was not found and is required by homeassistant
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This lets the Python build process set _PYTHON_HOST_PLATFORM instead of
forcing an explicit value.
Also:
* Save the target _PYTHON_HOST_PLATFORM value during Build/InstallDev
for use when building target Python packages (in python3-package.mk).
* Use the (mostly) default PYTHON_FOR_BUILD value, instead patch
configure to remove the platform triplet from the sysconfigdata file
name.
* Remove the "CROSS_COMPILE=yes" make variable (there is no indication
that this variable is necessary).
* Force host pip to build packages from source instead of downloading
binary wheels.
Previously, host pip can download universal (platform-independent)
wheels but not platform-specific wheels, because of the custom
_PYTHON_HOST_PLATFORM value. (Packages that do not have universal
wheels would be compiled from source.)
With a correct _PYTHON_HOST_PLATFORM, host pip can install
platform-specific wheels as well. However, the pre-built shared object
(.so) files in these wheels will have the host's platform triplet in
their file names. When target Python packages are built (using the
target's _PYTHON_HOST_PLATFORM), Python will not use these shared
object files.
By forcing host pip to build packages from source, the built shared
object files will not have the platform triplet in their file names.
(Host Python has been patched to remove the platform triplet from file
names.) This allows these packages to be used when building target
Python packages.
(The net effect of this complete change is that platform-dependent
packages will continue to be compiled from source, while
platform-independent packages will now also be compiled from source.)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The main user for this package was Seafile.
In the meantime, Seafile switched to PyMySQL.
https://pypi.org/project/PyMySQL/
PyMySQL seems to be a replacement for python-mysqlclient, and while it may
not be fully compatible with the MySQL API, it may be that those APIs
wouldn't be used.
This change drops this package.
If there is enough usage/reason to bring it back, we can.
For python-mysqlclient, the tag-line/description is:
```
This is a fork of MySQLdb1.
This project adds Python 3 support and bug fixes. I hope this fork is
merged back to MySQLdb1 like distribute was merged back to setuptools.
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Bump host Cython version as well.
Add note near PKG_VERSION to remember to periodically update it.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This adds PKG_BUILD_PARALLEL:=0 to packages that depend on host Python
packages (HOST_PYTHON3_PACKAGE_BUILD_DEPENDS), because installing
packages with multiple concurrent pip processes can lead to errors or
unexpected results[1].
This also:
* Move HOST_PYTHON3_PACKAGE_BUILD_DEPENDS definitions to before
python3-package.mk is included
* Update Python folder readme to include PKG_BUILD_PARALLEL:=0
[1]: https://github.com/pypa/pip/issues/2361
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This evaluates the arguments passed to "go install" during Build/Compile
rather than when golang-package.mk is included.
This also changes build directory-related variables to be recursively
expanded, because PKG_BUILD_DIR depends on BUILD_VARIANT and so can
change during different runs of Build/Compile.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Essentially, this is a re-spin from
https://github.com/openwrt/packages/pull/9797/
But a really trimmed down version.
Only the Py3 variant is added now, which makes the Makefile really small.
Cython is needed on the host, to cythonize some files.
The package needs targets with hard-float enabled. This is because on some
soft-float targets floating-point exception constants aren't defined.
We can define some dummy values, but that ends up being a bit too much
work.
So, for that, the package depends on HAS_FPU or KERNEL_MIPS_FPU_EMULATOR.
This way, numpy should be buildable on hard-float targets, or on MIPS with
the FPU emulator compiled in.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This also removes a link to pypi.org; the previous sentence already
links to pypi.org, a second link in the same paragraph isn't necessary.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The perl Configure file was matching GCC 10 against "1*" and treating it
as GCC 1, causing ABI breakage and segfaults.
Cherry-pick the upstream patch which fixes it to check against (e.g)
"1.*" instead, which will make it work for hundreds more GCC versions
to come.
https://github.com/Perl/perl5/commit/6bd6308fcea3541
"Adapt Configure to GCC version 10"
Also includes the previous commit just adding GCC 8 and 9 to one case:
https://github.com/Perl/perl5/commit/ae195500577d707
"Add gcc-8 and gcc-9 for FORTIFY_SOURCE"
Signed-off-by: Ken Wong <xinxijishuwyq@gmail.com>
The pycrypto package is not maintained; the last stable release was in
2013.
This also updates python3-cryptodome, from conflicting with
python3-crypto, to providing python3-crypto.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This took a while to get running.
It turns out, the fix is mostly in libxslt.
lxml uses the xsltGetProfileInformation() function, which is disabled from
libxslt via --without-profiler.
This causes a runtime error, since it cannot find the symbol.
So, libxslt is also updated to re-enable the profiler.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Previously, binaries installed by Python packages will have a
non-suffixed Python 2 version and a suffixed Python 3 version, e.g. pip
and pip3. With the removal of Python 2, the non-suffixed names are no
longer taken.
This adds symlinks for the non-suffixed names linking to the suffixed
scripts (or in the case of pip, easy_install, and python-config, to the
fully-versioned scripts).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
When a Python package is installed from source (i.e. using setup.py)
into a custom location (with --home), setuptools may want to create a
site.py file in the custom location. This file is created based on the
source code of site-patch.py, a file bundled with setuptools.
Because the normal OpenWrt setuptools package does not contain Python
source code, this file is missing and the installation will end with an
error.
This copies site-patch.py to site-patch.py.txt so that it will be
included in python3-setuptools, and patches setuptools to look for this
file.
See https://github.com/openwrt/packages/issues/12223
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This is not the newest version but the last version compatible with
Django 1.11.
This also updates the jsonfield dependency to jsonfield2.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package mainly serves to support django-post-office 3.3.0, as that
version switched its dependency from jsonfield to jsonfield2 (a fork of
jsonfield).
The version packaged in this package (3.0.3) is the last version that
supports Django 1.11.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The ssl module assumes OpenSSL can load the default trust anchors (root
CA certificates).
From https://github.com/openwrt/packages/issues/12209
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds the --enable-optimizations configure option (for
profile-guided optimization) for both host and target Python, and the
--with-lto configure option (for link-time optimization) for target
Python (for non-MIPS platforms).
Currently, compiling Python with LTO leads to link errors on mips and
mipsel. (Compiling with LTO appears to succeed on mips64 but there is
only one mips64 target available for convenient testing.)
This also cleans up the host and target configure options:
* Sort options/variables
- Alphabetically
- Flags/options before child-process environment variables
- Group options by type (enable/disable/with/without)
- Static options/variables before conditional ones
* Remove the prefix/dir options, as they are the same as the defaults
set by the build system
* Remove --with-threads, as it is no longer a valid option (threads are
always enabled)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds a script that searches a Python package's source code to find
imports for separately-packaged standard library modules.
The script can be run by calling make with the configure target and
"PY3=stdlib V=s" arguments, e.g.
```
make package/python3-lxml/configure PY3=stdlib V=s
```
This also updates the readme on how to call this script, as well as more
information on Python package dependencies in general.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Because the first stage for building target Go is actually a host build,
the default platform options (GO386, GOARM, etc.) are detected from the
host. These values are written to a source file and kept when building
the second stage.
This modifies this source file to set the appropriate values for the
target platform, and reset values for other platforms to their
cross-compiling / most compatible defaults.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This moves the setting of arguments for "go install" out of the shell
script in GoPackage/Build/Compile and into make.
This also adds the -buildid link flag for reproducible builds.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The variable is a list of shell variables; the new name is more in line
with other parts of the build system (CONFIGURE_VARS, MAKE_VARS, etc.).
GoPackage/Environment is kept (for now) in case other feeds are using
it.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Since RSTRIP is defined in rules.mk as a recursively expanded variable,
there is no need to define it again after setting STRIP in
golang-package.mk.
This also adds a note to the comment for GO_PKG_LDFLAGS to say that -s
and -w flags are not necessary.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The default bootstrap Go (Go 1.4) can only be compiled on a limited
number of platforms compared to newer versions of Go.
This adds a config option to use an external bootstrap Go, e.g.
installed through the build system's package manager or downloaded from
golang.org.
See: https://github.com/openwrt/packages/issues/11731
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Java support is no longer feasible in openwrt. It's outdated, and can't
be used without classpath, which has been removed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This changes the package to download from PyPI (using pypi.mk) and
removes the incorrect PKG_CPE_ID.
The CPE id was for Debian's python-dns package which contains PyDNS
("pydns" on PyPI). This package contains "dnspython" from PyPI.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Host build was added in 2972cc98e ("Add host build") because classpath
required a host java vm. Now that classpath is gone, host build can be
removed as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>