Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using the one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Perl threads seem to be supported and working for aarch64, and
including aarch64 here would allow packages like freeswitch-mod-perl
to become available from the standard OpwnWrt package repository for
popular routers such as the Linksys E8450 and Belkin RT3200.
Signed-off-by: Doug Thomson <dwt62f+github@gmail.com>
go1.19.4 (released 2022-12-06) includes security fixes to the net/http
and os packages, as well as bug fixes to the compiler, the runtime,
and the crypto/x509, os/exec, and sync/atomic packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Package does not currently build because of distutil dependency. Fix
this by updating to the latest version.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Also bump Cython version to 0.29.32
And yeeeey: zip -> tar.gz
And they fixed the Intel AVX extension stuff/detection.
Which is why I deferred updating it until now.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The following CVEs are fixed in this release:
* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* Insufficient fix for macOS devices on v18.5.0
* CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
* CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
* Insufficient fix on v18.5.0
* CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
* Insufficient fix on v18.5.0
* CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
* CVE-2022-35255: Weak randomness in WebCrypto keygen
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
llhttp updated to 6.0.10
llhttp is updated to 6.0.10 which includes fixes for the following vulnerabilities.
* HTTP Request Smuggling - CVE-2022-32213 bypass via obs-fold mechanic (Medium)(CVE-2022-32213 ): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
* HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215): The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
* HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)(CVE-35256): The llhttp parser in the http does not correctly handle header fields that are not terminated with CLRF. This can lead to HTTP Request Smuggling (HRS).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
