Update to v18.17.1
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases (Depends on shared library provided by OpenWrt)
  * OpenSSL security advisory 14th July.
  * OpenSSL security advisory 19th July.
  * OpenSSL security advisory 31st July
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
On host PC using GCC 13, stackctrl.c fails to compile
with the following error:
../py/stackctrl.c: In function 'mp_stack_ctrl_init':
../py/stackctrl.c:32:32: error: storing the address of
local variable 'stack_dummy'
in 'mp_state_ctx.thread.stack_top' [-Werror=dangling-pointer=]
32 | MP_STATE_THREAD(stack_top) = (char *)&stack_dummy;
../py/stackctrl.c:31:18: note: 'stack_dummy' declared here
31 | volatile int stack_dummy;
| ^~~~~~~~~~~
In file included from ../py/runtime.h:29,
from ../py/stackctrl.c:27:
../py/mpstate.h:296:23: note: 'mp_state_ctx' declared here
296 | extern mp_state_ctx_t mp_state_ctx;
| ^~~~~~~~~~~~
cc1: all warnings being treated as errors
Fixed accordingly by ignoring -dangling-pointer warning
inside mp_stack_ctrl_init function.
Signed-off-by: Jean-Paul Etienne <fractalclone@gmail.com>
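The pattern behind the error above, recording a local's address as a stack-depth marker and silencing the GCC warning for that one function only, shown as an added example. It is not the code from stackctrl.c or the patch in this commit; the `demo_*` names, the 16 KiB limit and a downward-growing stack are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for a runtime's saved stack top and stack limit. */
static char *demo_stack_top;
static size_t demo_stack_limit;

/* -Wdangling-pointer exists from GCC 12 on; other compilers skip the pragma. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdangling-pointer"
#endif
void demo_stack_init(size_t limit) {
    volatile int stack_dummy;
    /* Kept only as an address marker; it is never dereferenced after return. */
    demo_stack_top = (char *)&stack_dummy;
    demo_stack_limit = limit;
}
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#pragma GCC diagnostic pop
#endif

/* Bytes between the recorded top and the current frame (assumes the stack grows down). */
size_t demo_stack_usage(void) {
    volatile int here;
    uintptr_t top = (uintptr_t)demo_stack_top, now = (uintptr_t)&here;
    return top > now ? (size_t)(top - now) : 0;
}

/* Recurses `depth` levels; returns the depth reached, or -1 once the guard trips. */
int demo_recurse(int depth) {
    volatile char pad[256];
    pad[0] = (char)depth;
    if (demo_stack_usage() > demo_stack_limit) return -1;
    if (depth == 0) return 0;
    int r = demo_recurse(depth - 1);
    if (pad[0] != (char)depth) return -1;   /* read after the call keeps the frame live */
    return r < 0 ? -1 : r + 1;
}

int main(void) {
    demo_stack_init(16 * 1024);
    printf("depth 8 -> %d, depth 100000 -> %d\n", demo_recurse(8), demo_recurse(100000));
    return 0;
}
```

Scoping the pragma with push/pop leaves `-Werror=dangling-pointer` active for the rest of the translation unit, so a genuine escaping-local bug elsewhere still fails the build.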
Version 1.71.1 (2023-08-03)
===========================
- Fix CVE-2023-38497: Cargo did not respect the umask when extracting dependencies
- Fix bash completion for users of Rustup
- Do not show `suspicious_double_ref_op` lint when calling `borrow()`
- Fix ICE: substitute types before checking inlining compatibility
- Fix ICE: don't use `can_eq` in `derive(..)` suggestion for missing method
- Fix building Rust 1.71.0 from the source tarball
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Includes fix for CVE-2023-29409 (crypto/tls: verifying certificate
chains containing large RSA keys is slow).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This loads the module, which should return the path of the CA bundle
and verifies that the file exists.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This renames the source package to python-sqlparse to match other Python
packages.
This also updates the build dependencies; package now uses the flit-core
build backend.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
From the README:
frozenlist.FrozenList is a list-like structure which implements
collections.abc.MutableSequence. The list is mutable until
FrozenList.freeze is called, after which list modifications raise
RuntimeError.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
From the README:
A library that helps you read text from an unknown charset encoding.
Motivated by chardet, I'm trying to resolve the issue by taking a new
approach. All IANA character set names for which the Python core library
provides codecs are supported.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This renames the source package to python-pyroute2 to match other Python
packages.
This also updates/simplifies the package dependencies.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Notable Changes:
* Ada 2.0
Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.
* Web Crypto API
Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations. This further improves interoperability with other implementations of Web Crypto API.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
When user runs `make clean` command, everything in `$(STAGING_DIR)`
(where we installed rust) will be removed, but `$(BUILD_DIR_HOST)`
(where we compiled rust and stored build stage) is untouched.
So when user starts a new build after that, OpenWrt buildroot will
still consider `rust` is installed already, resulting in the build error
"cargo: command not found".
Fix this by moving to target build dir as well.
Fixes: f489e019ac ("rust: compile host package per target")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
While the compiled binaries are intended to run on the host system, the
rust/host package does include the target matching the configured
OpenWrt target.
If using (for example) ./scripts/env to switch between different
OpenWrt configurations, this will cause issues if the different
configuration is for a different target. In such a case there will be a
mismatch between the available Rust target and OpenWrt target and the
following error will be printed:
> error[E0463]: can't find crate for `core`
> note: the `XXX` target may not be installed
This fix will add the RUSTC_TARGET_ARCH as HOST_BUILD_DIR and CARGO_HOME
suffix, such that rust/host will be compiled in case an OpenWrt
configuration change causes the RUSTC_TARGET_ARCH to change.
Fixes: #21530
Signed-off-by: Orne Brocaar <info@brocaar.com>
[Applied Jeffery To's suggestion for build and install path]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Includes fix for CVE-2023-29406 (net/http: insufficient sanitization of
Host header).
This also updates the copyright information for various Go packaging
files.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Mako was removed in 60ce07b9a1d5c7a53297f177f10af68f3304be9e; at the
time we were using host pip to install host Python packages and so
having this package was not necessary.
With the move away from host pip and toward proper host packages, it
would be better to have a Mako host-only package here to support the
mesa package in the video feed.
This re-imports the package from the abandoned packages feed, updates
the makefile with current Python package conventions, and updates the
package to the latest version.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This renames the source package to python-click to match other Python
packages.
This also updates the package dependencies, licence file, package title
and description.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
- 1.0.0:
  - What's Changed:
    - Handle situations where the cwd does not exist.
    - Add python-decouple as a related project
    - Drop support for python 3.7, add python 3.12-dev
- 0.21.1:
  - Added:
    - Use Python 3.11 non-beta in CI
    - Modernize variables code
    - Modernize main.py and parser.py code
    - Improve conciseness of cli.py and init.py
    - Improve error message for get and list commands when env file
      can't be opened
    - Updated Licence to align with BSD OSI template
Signed-off-by: Javier Marcet <javier@marcet.info>
- 1.6.1
  - Fix Dispatcher keyboard interrupt. Should solve reconnect loop
    with rel
- 1.6.0
  - Fix teardown issue when ping thread is not properly ended
  - Fix double ping wait time on first ping
  - Minor typehints improvements
- 1.5.3
  - Add logic to avoid error in the case where content-length header
    does not exist, bug introduced in 1.5.2
  - Fix wsdump.py script typing, bug introduced in 1.5.2
- 1.5.2
  - Add typehints
  - Fix pytype errors
  - Fix args passed to logging function
  - Standardize PEP 3101 formatting
  - Add more verbose exception for unsuccessful handshake
Signed-off-by: Javier Marcet <javier@marcet.info>
This also removes the dependency on gnupg as there are two packages for
gpg, gnupg and gnupg2; this library should work with either one.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Update to v18.16.1
The following CVEs are fixed in this release:
* CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases (Depends on shared library provided by OpenWrt)
  * OpenSSL security advisory 28th March.
  * OpenSSL security advisory 20th April.
  * OpenSSL security advisory 30th May
* c-ares vulnerabilities: (Depends on shared library provided by OpenWrt)
  * GHSA-9g78-jv2r-p7vc
  * GHSA-8r8p-23f3-64c2
  * GHSA-54xr-f67r-4pc4
  * GHSA-x6mf-cxr9-8q6v
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
* Rename:
* Source package from python3-libsemanage to python-semanage
* Target package from python3-libsemanage to python3-semanage
* Update dependents with new target package name
* Update package title, license files, and dependencies
* Remove Build/InstallDev (files not used by any other package)
* Use Py3Package to build Python bytecode and source packages
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* Rename:
* Source package from python3-libselinux to python-selinux
* Target package from python3-libselinux to python3-selinux
* Update dependents with new target package name
* Remove patches:
* 010-setup-py-custom-cc.patch: LDSHARED is already set as part of
$(PYTHON3_VARS)
* 020-Make-use-of-variables-when-defining-libdir-and-inclu.patch: This
package doesn't install the libselinux.pc file
* Update package title and dependencies
* Remove Build/InstallDev (files not used by any other package)
* Use Py3Package to build Python bytecode and source packages
Signed-off-by: Jeffery To <jeffery.to@gmail.com>