Includes fixes for:
* CVE-2021-44716: unbounded growth of HTTP/2 header canonicalization
cache
* CVE-2021-44717: syscall.ForkExec error can close file descriptor 0
Added patches:
* 001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch:
https://github.com/golang/go/pull/49748 backported for Go 1.17,
this removes the requirement for the gold linker when building Go
programs that use Go plugins on arm/arm64
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit eac2e91a28)
There's been a bit of overlapping opinions on some of these packages.
The best thing to do here is to reduce ownership and relinquish my
control.
This patch does that.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 48ce6e48b6)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 2e9c1a00ea)
This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit c6f27671a3)
Contains fixes for:
* CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
accesses a memory location after the end of a buffer
* CVE-2021-41772: archive/zip Reader.Open panic via a crafted ZIP
archive containing an invalid name or an empty filename field
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 901f80aae7)
This package was updated without a hash change.
Fixes: c157522580 ("pyodbc: update to version 4.0.31")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b783386890)
Details:
- Cleaned up whitespace and removed comments (refer to official PHP documentation for that)
- Removed directives that no longer exist as of PHP 8.0.12
- Added newly existing directives commented out
- Added '~E_DEPRECATED' to 'error_reporting'
Signed-off-by: Giovanni Giacobbi <giovanni@giacobbi.net>
(cherry picked from commit f54b987c8f)
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Details:
- Cleaned up whitespace and removed comments (refer to official PHP documentation for that)
- Removed directives that no longer exist as of PHP 7.4.25
- Added '~E_DEPRECATED' to 'error_reporting'
Directives removed that no longer exist as of PHP 7.4.25:
- zend.ze1_compatibility_mode
- y2k_compliance
- register_globals
- register_long_arrays
- magic_quotes_gpc
- magic_quotes_runtime
- magic_quotes_sybase
- always_populate_raw_post_data
Signed-off-by: Giovanni Giacobbi <giovanni@giacobbi.net>
This is the latest version, which still has support for PHP 7.x.
It's an intermediate step in the transition to PHP 8.x.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 5fe58d0002)
This PR prepares PHP for a few minor changes that cause PHP builds to fail when using --enable-intl with ICU 70.1.
Change UBool to bool for equality operators in ICU >= 70.1
https://github.com/php/php-src/pull/7596
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit bc13112a7c)
This PR prepares PHP for a few minor changes that cause PHP builds to fail when using --enable-intl with ICU 70.1.
Change UBool to bool for equality operators in ICU >= 70.1
https://github.com/php/php-src/pull/7596
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 4da149b68a)
October 12th 2021 Security Releases:
HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Includes fix for CVE-2021-38297 (passing very large arguments to WASM
module functions can cause portions of the module to be overwritten).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit dd986cde7fba08b7c01e3c2a7e25ae612319041f)
Avoid parallel relinking and usage of the host perl binary by wrapping
its usage around flock calls.
Sometimes, two packages will try to relink the static host perl binary
at the same time. Neither of them will have the other's module linked
in, and one of them will unavoidably clobber the other one's binary.
This will lead to errors when a package will not be able to find a
module that was supposed to be installed.
To fix that, an exclusive flock is used when relinking, with a 900
seconds timeout to avoid locking up the build process forever.
This is not enough because the binary may be concurrently used to build
another module package; perl is used in Configure, Compile, and Install
procedures. If timing is right, a package will fail with a "permission
denied" error.
So a shared flock call is added in Configure, Compile, and Install
definitions for host and target, with a shorter, 300 seconds timeout.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 1e18c4324f)
Without -ldl linker flag .so extensions are not loaded
when glibc is used. Fix it by providing adjusted LDFLAGS
for this case.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 1bff138517)
