Includes fixes for:
* CVE-2022-24675 - encoding/pem: stack overflow
* CVE-2022-28327 - crypto/elliptic: generic P-256 panic when scalar has
too many leading zeroes
This also adds -buildvcs=false to omit VCS information in Go programs.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 8c0477a895)
Fixes: 60ac7dd751 ("pulseaudio: simplify
and rework Makefile")
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 7ae66ec7ca)
The previous used domain http(s)://pulseaudio.org redirects to
https://www.freedesktop.org/wiki/Software/PulseAudio/
This change enforces to use HTTPS everywhere for homepage URLs
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 00e3918069)
It should not be possible to install pulseaudio-daemon and
pulseadio-daemon-avahi at the same time as they have the same files.
Let's avoid that situation by adding conflict.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 5a5bb15949)
There were two conffiles sections and both of them were same, but for
different variants. We can have just one conffile section and use it also
for the other variant.
The same applies for the install section for different variants.
- We have two install sections, but we call the first one with the same
files and then add something more for the second variant.
- While at it to make it easier, let's change those three rows for
copying packages into the single one to make sure that I did not miss
anything. Also, we create a directory first and then move files.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 60ac7dd751)
The full variant of mpd depends on pulseaudio-daemon, so it was not
possible to use the other pulseaudio variant with avahi.
Both pulseaudio daemons provides package pulseaudio, so users can choose
which variant suits them best.
Let's change the dependency to pulseaudio.
Fixes: #19187
Fixes: 2ed62adc59 ("mpd: enable pulseaudio in full package")
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit abe35e89f6)
opkg does not offer ssl varients:
zabbix-agentd
zabbix-sender
zabbix-get
zabbix-proxy
zabbix-server
resolve this by adding ssl varients.
Signed-off-by: Scott Roberts <ttocsr@gmail.com>
(cherry picked from commit cd48d03f01)
(cherry picked from commit e0502e477c)
Motivation of this change is that full variants provides the mini
variant and as well audio-dec package, thus you can not install both as
it fails with the following output:
Collected errors:
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58.91.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58.10.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58.45.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56.51.100
But that file is already provided by package * libffmpeg-full
* opkg_install_cmd: Cannot install package libffmpeg-audio-dec.
Let's change it to:
Installing libffmpeg-audio-dec (4.3.4-1) to root...
Collected errors:
* check_conflicts_for: The following packages conflict with libffmpeg-audio-dec:
* check_conflicts_for: libffmpeg-full *
* opkg_install_cmd: Cannot install package libffmpeg-audio-dec.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9693bd47c5)
Changes to time_t cause SIGSEGV error on 32bit system and cause ripe
atlas malfunction. (registration successful but no traffic)
Also introduce minor patch to fix some compilation warning.
While at it move PKG_RELEASE to AUTORELEASE macro.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 14c5dfe4c1)
While running `make menuconfig`, it was discovered then there is a
recursive dependency like this:
tmp/.config-package.in:59138:error: recursive dependency detected!
tmp/.config-package.in:59138: symbol PACKAGE_libwebsockets-openssl is selected by PACKAGE_libwebsockets-mbedtls
tmp/.config-package.in:59122: symbol PACKAGE_libwebsockets-mbedtls depends on PACKAGE_libwebsockets-openssl
It is not possible with the recently added conflicts that two packages
(OpenSSL and full variant, which uses OpenSSL as well), which are almost the same
provides the same named package libwebsockets as their conflict - Mbed
TLS.
Fixes: 676c5c72b5 ("libwebsockets: OpenSSL
and mbedTLS variants should conflict")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit a4e8cbb89a)
They provide the same files, but they don't conflict to each other, this
means that users can install them side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 676c5c72b5)
For some time, it is not possible to install ttyd and mosquitto-ssl at the
same time, so let's solve it that libwebsockets-full provides
libwebsockets-openssl. This allows to install ttyd and mosquitto at
the same time.
Also, we need to add conflict, because we should not have installed
libwebsockets-openssl and libwebsockets-full at the same time as they
provides the same files.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 77e682a11c)
We had been creating "rundir" but it was never used, probably leftover
from some removed function. At the same time, we were setting quite
strict rights to the socket directory (while comments sugested
otherwise).
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 8f6831b64b)
Fixes mistake in dbe79e409d, the
cloudflare PROVIDES got mixed up with digitalocean.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 001564ed83)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Remove PKG_RELEASE version bump
* ddns-scripts-services: provide ddns-scripts_service
* ddns-scripts-cloudflare: provide ddns-scripts_digitalocean.com-v2
* ddns-scripts-freedns: provide ddns-scripts_freedns_42_pl
* ddns-scripts-godaddy: provide ddns-scripts_godaddy.com-v1
* ddns-scripts-noip: provide ddns-scripts_no-ip_com
* ddns-scripts-nsupdate: provide ddns-scripts_nsupdate
* ddns-scripts-route53: provide ddns-scripts_route53-v1
* ddns-scripts-cnkuai: provide ddns-scripts_cnkuai_cn
https://github.com/openwrt/packages/pull/13509 renamed many ddns-scripts
packages, but didn't include a PROVIDES for the old package names to
make updates work well.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit dbe79e409d)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Remove PKG_RELEASE version bump
tailscale version, tailscaled -version and the web UI reported the wrong
version number which doesn't cause any issues, but it can be confusing.
This is fixed by specifying the version in go ldflags similar to how
it's done in many other go packages and the official tailscale Dockerfile.
version.Long version can not be specified in GO_PKG_LDFLAGS_X because it
contains a space and GO_PKG_LDFLAGS_X is always split at a space.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 738f44be4f)
The genhash binary is only built when IPVS is enabled, so make its
installation depend on IPVS being enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 624d2278e7)
Update to 13.8 maintainance release of the PostgreSQL 13 release.
This release contains a variety of fixes from 13.7, among also a fix
addressing CVE-2022-2625.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
**** 1.35 Oct 4, 2022
Improve SVCB error reporting.
Fix rt.cpan.org #144328
accept_reply test fails with matched consecutive "random"
generated packet->id
Fix rt.cpan.org #144299
Spelling errors.
**** 1.34 May 30, 2022
Improve robustness of EDNS option compose/decompose functions.
Simplify code in Makefile.PL.
Fix rt.cpan.org #142426
Avoid "Useless use of a constant in void context" warning.
**** 1.33 Dec 16, 2021
Fix rt.cpan.org #137768
Test t/05-SVCB.t on Perl 5.18.0 fails with deep recursion.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 93a7806578)
(cherry picked from commit b9338331be)
1.9.8: Ludovic Rousseau
11 June 2022
- Install install_spy.sh & uninstall_spy.sh scripts in docdir
- SCardTransmit(): do not fail if receive buffer is "too large"
- SCardControl(): do not fail if receive buffer is "too large"
- fix some memory leaks on shutdown
- use a better random number generator
- Some other minor improvements
1.9.7: Ludovic Rousseau
13 May 2022
- disable strict compilation by default
- fix 3 warnings
1.9.6: Ludovic Rousseau
11 May 2022
- do not fail reader removal in some specific cases (USB/Thunderbolt port)
- improve documentation regarding /etc/reader.conf.d/
- SCardGetStatusChange: speedup the case DISABLE_AUTO_POWER_ON
- configure:
. add --disable-strict option
By default the compiler arguments are now:
-Wall -Wextra -Wno-unused-parameter -Werror ${CFLAGS}
. fail if flex is not found
- fix different data races
- pcscdaemon: -v displays internal constants values:
MAX_READERNAME & PCSCLITE_MAX_READERS_CONTEXTS
- Some other minor improvements
1.9.5: Ludovic Rousseau 4 December 2021
- pcscd: autoexit even if no client connects
- Fix variable substitution in systemd units
- fix potential race conditions with powerState handling
- Add and use tag TAG_IFD_DEVICE_REMOVED
- UnitaryTests: port code to Python 3
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 5c22f49175)
(cherry picked from commit db667b5b0f)
pcsc-lite: update to verion 1.9.9
1.9.9: Ludovic Rousseau
11 September 2022
- SCardEstablishContext() may return SCARD_W_SECURITY_VIOLATION if refused by Polkit
- Fix SCardReleaseContext() failure on orphan handles
- Fix SCardDisconnect() on orphan handle
- pcsc-spy: log the pioSendPci & pioRecvPci SCardTransmit() parameters
- Improve the log from pcscd: log the return code in text instead of hex
- Some other minor improvements
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit a8698d5ede)
Version 2.03.15 - 07th February 2022
====================================
Remove service based autoactivation. global/event_activation = 0 is NOOP.
Improve support for metadata profiles for --type writecache.
Use cache or active DM device when available with new kernels.
Introduce function to utilize UUIDs from DM_DEVICE_LIST.
Increase some hash table size to better support large device sets.
Version 2.03.16 - 18th May 2022
===============================
Fix segfault when handling selection with historical LVs.
Add support --vdosettings with lvcreate, lvconvert, lvchange.
Filtering multipath devices respects blacklist setting from multipath
configuration.
lvmdevices support for removing by device id using --deviceidtype and
--deldev.
Display writecache block size with lvs -o writecache_block_size.
Improve cachesettings description in man lvmcache.
Fix lossing of delete message on thin-pool extension.
Mostly bug fixes and minor improvements.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 63408123df)
(cherry picked from commit 4e70f5caef)
The new version includes all previously locally backported patches.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 669e4a9542)
This release includes a fix for CVE-2022-1215, a format string
vulnerabilty in the evdev device handling. For details, see
https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Peter Hutterer (2):
evdev: strip the device name of format directives
libinput 1.19.4
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 23638c7ffb)
(cherry picked from commit b95dbe4187)
Noteworthy changes in version 1.17.0 (2022-02-07)
-------------------------------------------------
* New context flag "key-origin". [#5733]
* New context flag "import-filter". [#5739]
* New export mode to export secret subkeys. [#5757]
* Detect errors during the export of secret keys. [#5766]
* New function gpgme_op_receive_keys to import keys from a keyserver
without first running a key listing. [#5808]
* Detect bad passphrase error in certificate import. [T5713]
* Allow setting --key-origin when importing keys. [T5733]
* Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
"pinentry", and "socketdir" in gpgme_get_dirinfo. [T5727,T5613]
* Under Unix use poll(2) instead of select(2), when available.
[T2385]
* Do not use --flat_namespace when linking for macOS. [T5610]
* Fix results returned by gpgme_data_* functions. [T5481]
* Support closefrom also for glibc. [rM4b64774b6d]
* cpp,qt: Add support for export of secret keys and secret subkeys.
[#5757]
* cpp,qt: Support for adding existing subkeys to other keys. [#5770]
* qt: Extend ChangeExpiryJob to change expiration of primary key
and of subkeys at the same time. [#4717]
* qt: Expect UTF-8 on stderr on Windows. [rM8fe1546282]
* qt: Allow retrieving the default value of a config entry. [T5515]
Noteworthy changes in version 1.17.1 (2022-03-06)
-------------------------------------------------
* qt: Fix a bug in the ABI compatibility of 1.17.0. [T5834]
Noteworthy changes in version 1.18.0 (2022-08-10)
-------------------------------------------------
* New keylist mode to force refresh via external methods. [T5951]
* The keylist operations now create an import result to report the
result of the locate keylist modes. [T5951]
* core: Return BAD_PASSPHRASE error code on symmetric decryption
failure. [T5939]
* cpp, qt: Do not export internal symbols anymore. [T5906]
* cpp, qt: Support revocation of own OpenPGP keys. [T5904]
* qt: The file name of (signed and) encrypted data can now be set. [T6056]
* cpp, qt: Support setting the primary user ID. [T5938]
* python: Fix segv(NULL) when inspecting contect after exeception. [T6060]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d7799595bd)
(cherry picked from commit 00bfb4f151)
This backports a patch from upstream gpgme to fix compilation with glibc 2.34.
It fixes the following build problem:
posix-io.c: In function '_gpgme_io_spawn':
posix-io.c:577:23: error: void value not ignored as it ought to be
577 | while ((i = closefrom (fd)) && errno == EINTR)
| ^
make[5]: *** [Makefile:947: posix-io.lo] Error 1
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit dafb96c148)
Exim version 4.96
-----------------
JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
after reception to before a subsequent reception. This should
mean slightly faster delivery, and also confirmation of reception
to senders.
JH/02 Move from using the pcre library to pcre2. The former is no longer
being developed or supported (by the original developer).
JH/03 Constification work in the filters module required a major version
bump for the local-scan API. Specifically, the "headers_charset"
global which is visible via the API is now const and may therefore
not be modified by local-scan code.
JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for
sendfile() didi not account for the way the ClamAV driver code called it.
JH/05 Bug 2819: speed up command-line messages being read in. Previously a
time check was being done for every character; replace that with one
per buffer.
JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL. Previously the string
sent was prefixed with a length byte.
JH/07 Change the SMTP feature name for pipelining connect to be compliant with
RFC 5321. Previously Dovecot (at least) would log errors during
submission.
JH/08 Remove stripping of the binaries from the FreeBSD build. This was added
in 4.61 without a reason logged. Binaries will be bigger, which might
matter on diskspace-constrained systems, but debug is easier.
JH/09 Fix macro-definition during "-be" expansion testing. The move to
write-protected store for macros had not accounted for these runtime
additions; fix by removing this protection for "-be" mode.
JH/10 Convert all uses of select() to poll(). FreeBSD 12.2 was found to be
handing out large-numbered file descriptors, violating the usual Unix
assumption (and required by Posix) that the lowest possible number will be
allocated by the kernel when a new one is needed. In the daemon, and any
child procesees, values higher than 1024 (being bigger than FD_SETSIZE)
are not useable for FD_SET() [and hence select()] and overwrite the stack.
Assorted crashes happen.
JH/11 Fix use of $sender_host_name in daemon process. When used in certain
main-section options or in a connect ACL, the value from the first ever
connection was never replaced for subsequent connections. Found by
Wakko Warner.
JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux,
though only once PCRE2 was introduced: the memory accounting used under
debug offset allocations by an int, giving a hard trap in early startup.
Change to using a size_t. Debug and fix by John Paul Adrian Glaubitz.
JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
with underbars is given. The write-protection of configuration introduced
in 4.95 trapped when normalisation was applied to an option not needing
expansion action.
JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
JH/15 Fix a resource leak in *BSD. An off-by-one error resulted in the daemon
failing to close the certificates directory, every hour or any time it
was touched.
JH/16 Debugging initiated by an ACL control now continues through into routing
and transport processes. Previously debugging stopped any time Exim
re-execs, or for processing a queued message.
JH/17 The "expand" debug selector now gives more detail, specifically on the
result of expansion operators and items.
JH/18 Bug 2751: Fix include_directory in redirect routers. Previously a
bad comparison between the option value and the name of the file to
be included was done, and a mismatch was wrongly identified.
4.88 to 4.95 are affected.
JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn.
JH/20 When built with NDBM for hints DB's check for nonexistence of a name
supplied as the db file-pair basename. Previously, if a directory
path was given, for example via the autoreply "once" option, the DB
file.pag and file.dir files would be created in that directory's
parent.
JH/21 Remove the "allow_insecure_tainted_data" main config option and the
"taint" log_selector. These were previously deprecated.
JH/22 Fix static address-list lookups to properly return the matched item.
Previously only the domain part was returned.
JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously
the call into OpenSSL to send a TLS Close was being repeated; this
resulted in the library waiting for the peer's Close. If that was never
sent we waited forever. Fix by tracking send calls.
JH/24 The ${run} expansion item now expands its command string elements after
splitting. Previously it was before; the new ordering makes handling
zero-length arguments simpler. The old ordering can be obtained by
appending a new option "preexpand", after a comma, to the "run".
JH/25 Taint-check exec arguments for transport-initiated external processes.
Previously, tainted values could be used. This affects "pipe", "lmtp" and
"queryprogram" transport, transport-filter, and ETRN commands.
The ${run} expansion is also affected: in "preexpand" mode no part of
the command line may be tainted, in default mode the executable name
may not be tainted.
JH/26 Fix CHUNKING on a continued-transport. Previously the usabliility of
the the facility was not passed across execs, and only the first message
passed over a connection could use BDAT; any further ones using DATA.
JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
uses $sending_ip_address and an interface is specified.
Previously any use of the local address in the EHLO name disabled
PIPECONNECT, the common case being to use the rDNS of it.
JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
resumption. Previously verify failed because no certificate status is
passed on the wire for the restarted session. Fix by using the recorded
ocsp status of the stored session for the new connection.
JH/29 TLS resumption: the key for session lookup in the client now includes
more info that a server could potentially use in configuring a TLS
session, avoiding oferring mismatching sessions to such a server.
Previously only the server IP was used.
JH/30 Fix string_copyn() for limit greater than actual string length.
Previously the copied amount was the limit, which could result in a
overlapping memcpy for newly allocated destination soon after a
source string shorter than the limit. Found/investigated by KM.
JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
close; it may be needed for a subsequent connection. This caused a
SEGV on primary-MX defer. Found/investigated by Gedalya & Andreas.
JH/32 Fix CHUNKING for a second message on a connection when the first was
rejected. Previously we did not reset the chunking-offered state, and
erroneously rejected the BDAT command. Investigation help from
Jesse Hathaway.
JH/33 Fis ${srs_encode ...} to handle an empty sender address, now returning
an empty address. Previously the expansion returned an error.
HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending
proxy. Previously these were misparsed, leading to paniclog entries.
Also contains commit 51be321b27 "Fix PAM auth. Bug 2813" addressing
CVE-2022-37451.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f2763b95af)
