This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 2e9c1a00ea)
This fixes:
- CVE-2021-21707
Also drop upstream patch which is included in the release now.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit c6f27671a3)
Reasons to drop this package:
a) this package depends on luci-app-rosy-file-server
Unfortunately, it was marked as broken as it is unmaintained.
See: 34b682afac
b) maintainer is inactive
c) rosinson website does not seem to be working
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit f1893a426a)
Remove parsing of data which is not used within `auc`. Later iterations
may use these but they can be gradually added whenever needed.
Also remove HTTP code handling of error codes no longer used by the
backend. Early iterations of the server where infinitely complex to
figure out created images and announce them to clients but ever since
everything is stored in JSON, things got better (aka simpler).
If a package is missing on the upstream server, color it in red.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 6527d65b9b)
Currently `auc` uses the outdated /json/ path, this commit uses
/json/v1/ to be more future proof.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 69b5c28929)
* use username/group 'exim' instead of mail
* register configuration file
* make sure /usr/lib/exim/lookups exists
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 66a62e2fcf)
Ship default configuration /etc/exim/exim.conf as well as
a simple procd init script. Enable building with LMTP for better
integration with dovecot.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 31d12ead78)
Several exploitable vulnerabilities in Exim were reported to us and are
fixed.
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
The update to 4.94.2 also integrates a fix for a printf format issue
previously addressed by a local patch which is removed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit c241cb12bb)
A lot of changes since 3.3.1.
Full (long) lists of release notes between
versions are available at
https://github.com/containers/podman/releases
containers.conf updated
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit 3e5761d6cd)
Earlier versions of podman did not make use of TMPDIR when running "podman
run ...". Podman's default, /var/tmp, presents a problem to rootless
use since OpenWrt's /var/tmp does not permit writes by non-root users.
Podman 3.3.1 makes full use of TMPDIR.
This is part of an attempt to get rootless podman to work on OpenWrt.
See https://github.com/openwrt/packages/issues/15096.
See also the upstream issue at
https://github.com/containers/podman/issues/10698.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit 416eced174)
Running podman as users other than root seems to require that those
users can read /usr/share/containers/seccomp.json. This change sets the
permissions on that file to match those used on Fedora.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit a41556af4f)
Running podman as users other than root seems to require that those
users can read the configuration files in /etc/containers. This change
sets the permissions of /etc/containers and its contents to match those
used on Fedora.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit f51ef46aa6)
- Add support for AppArmor
- Gracefully stop containers and pods on shutdown
I found out that If you change location of containers to persistent storage instead of tmpfs, starting them will fail unless they have been stopped. If this is the case that reboot has occurred before pods and containers have been stopped, they cannot be started, they have to be removed and re-created. Change in initscript tries to avoid that. Even if containers are running at tmpfs, this won't hurt. Still, if something happens and system hangs/reboots/etc, script won't save you from that. It's just a attempt to make things better.
I also enabled AppArmor support for future possibilities.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit 5bb8844fe3)
Now that 'crun' has been packaged, add support for it in podman.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 954be76e6a)
bug fixes:
- Remove unreachable code path
- exit: report if the exit command was killed
- exit: fix race zombie reaper
- conn_sock: allow watchdog messages through the notify socket proxy
- seccomp: add support for seccomp notify
misc:
- Add seccomp to build dependency
included patch removes unnecessary dependency of libdl and also allows a succesfull build
disabled for arc where libseccomp does not seem to be available
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit ab08ad2ad9)
Patch fixing segfaults on nulls was removed due to patch's content being now included in conmon's source since containers/conmon@355dbf1
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit 9fdfe2e2c7)
Switched to building with meson as it works better in a parallel
context.
Small Makefile adjustments for consistency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit c8128df4e4)
cni-plugins makes use of veth, make sure kernel module is installed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 1b25b6e239)
This is a security release that fixes a single bug:
- tighten up plugin-finding logic (#811)
Users of libcni are strongly encouraged to update.
Added me to list of maintainers as requested by @dangowrt.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit ceaccc1c7a)
Also package /usr/libexec/libinput/* and /usr/share/lib/input/*.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f53cd4232a)
This package was updated without a hash change.
Fixes: c157522580 ("pyodbc: update to version 4.0.31")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b783386890)
