2.5.5: Bug fix for a deadlock in multi-thread/multi-process (using Process.fork) applications, like for example Puma
2.5.4: Fixes multiple vulnerabilities:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
When the server hostname resolved to both IPv4 and IPv6 addresses,
connecting would fail with nothing in syslog. This corrects that oversight.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
(cherry picked from ca56324 and PKG_MIRROR_HASH removal from 494ce71)
Revert the addition of build dependency in commit 2d1694ff7
to a non-existent host build of zlib.
The host build of zlib was removed already in April 2018 by
8dcd941d8b (diff-1ed408c61d79f9c6c5d197333e94ce8d)
which made zlib a build tool defined in /tools
The newly introduced build dependency causes always a warning like:
WARNING: Makefile 'package/feeds/packages/postgresql/Makefile'
has a build dependency on 'zlib/host', which does not exist
Not sure what was the error that 2d1694ff7 tried to fix,
but reference to a non-existent host build is not the solution.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit d8e61d49da)
spotted on buildbot trying postgresql/host build:
configure: error: zlib library not found
Fix this by adding zlib/host to HOST_BUILD_DEPENDS.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry-picked from commit 2d1694ff7c)
cherry-pick and squash commits from master for GNUnet
04eb431cb libgabe: add package
7831fb63b libgabe: update to shared library version
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
cherry-pick commit 4c5d25458 libpbc: add new package
from master as GNUnet started to depend on libgabe which depends on
libpbc.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
revert 7b2bf511c gnunet: Specify libmicrohttpd-ssl dependency
which was accidentally merged from master while the rename of the
libmicrohttpd* packages has happened only on master.
Revert it for openwrt-18.06.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Backport and squash the following commits from master:
43ec390bd postgresql: security bump to 9.6.10
845aab78a postgresql: Update to 9.6.11
fe6597dd7 postgresql: update to version 9.6.12
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Backport and squash the following commits from master:
853e9d1c3 libextractor: Update to 1.7
1a23de5db libextractor: update to version 1.8
a50f26941 libextractor: fix PKG_HASH
6709d9b82 libextractor: update to version 1.9
Backport and squash the following commits from master:
af06f6fd5 gnurl: update to version 7.61.1
7cdbb7569 gnurl: build without libpsl
d34eda733 gnurl: update to version 7.63.0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is a minor bugfix release. Full changelog available at:
https://mosquitto.org/blog/2019/02/version-1-5-7-released/
Most relevant to OpenWrt are probably:
* fixing persistent store bloat
* fix sorting of included config files
* fix errors related to per_listener_settings
Signed-off-by: Karl Palsson <karlp@etactica.com>
Link to Python bug:
https://bugs.python.org/issue34656
Upstream commit:
71a9c65e74
OpenWrt 18.06 contains version Python 3.6.5, which doesn't contain this
fix.
Python 2.7 is not affected.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This is a bugfix and security release.
CVE-2018-12551: If Mosquitto is configured to use a password file for
authentication, any malformed data in the password file will be
treated as valid. This typically means that the malformed data becomes
a username and no password. If this occurs, clients can circumvent
authentication and get access to the broker by using the malformed
username. In particular, a blank line will be treated as a valid empty
username. Other security measures are unaffected.
=> Users who have only used the mosquitto_passwd utility to create and
modify their password files are unaffected by this vulnerability.
CVE-2018-12550: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined,
which means that no topic access is denied. Although denying access to
all topics is not a useful configuration, this behaviour is unexpected
and could lead to access being incorrectly granted in some
circumstances.
CVE-2018-12546. If a client publishes a retained message to a topic
that they have access to, and then their access to that topic is
revoked, the retained message will still be delivered to future
subscribers. This behaviour may be undesirable in some applications,
so a configuration option `check_retain_source` has been introduced to
enforce checking of the retained message source on publish.
Plus the following bugfixes:
* wills not sent to websocket clients
* spaces now allowed in bridge usernames
* durable clients not receiving offline messages with
per_listener_settings==true
* compilation with openssl without deprecated apis
* TLS working over SOCKS
* better comment handling in config files
Full changelog available at: https://github.com/eclipse/mosquitto/blob/fixes/ChangeLog.txt#L1
Signed-off-by: Karl Palsson <karlp@etactica.com>
Upstream Release Notes:
- MDEV-17475: Maximum value of table_definition_cache is now 2097152
- MDEV-13671: InnoDB should use case-insensitive column name comparisons
like the rest of the server
- ALTER TABLE fixes: MDEV-17230, MDEV-16499, MDEV-17904, MDEV-17833,
MDEV-17470, MDEV-18237, MDEV-18016
- Improvements to InnoDB page checksum, recovery, and Mariabackup:
MDEV-17957, MDEV-12112, MDEV-18025, MDEV-18279, MDEV-18183
- Galera
- MDEV-15740: Galera durability fix
- New configuration variable wsrep_certification_rules, used for
controlling whether to use new/optimized
(--wsrep_certification_rules=optimized) certification rules or the
old/classic ones (--wsrep_certification_rules=strict). Setting the
variable to strict can cause more certification failures.
- Fixes for the following security vulnerabilities:
- CVE-2019-2537
- CVE-2019-2529
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This upstream release adds support for trust_anchors_backoff_time
configuration parameter. UCI support has been added for this.
This commit also includes a number of clean-ups:
o change START=50 to START=30 in init file
Starting earlier in the boot means less chance of missing interface
trigger events. See: https://github.com/openwrt/packages/pull/4675
o remove unused variables from init file
o separate local declarations and assignments in init file
o add defensive quoting in init file
o use default values for procd respawn in init file
o make use of {} in variables consistent in init file
o remove unused variable from init file
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
I am no longer able to support maintaining the stubby daemon for openwrt. I suggest Jonathan Underwood <jonathan.underwood@gmail.com> as a replacement.
This commit brings UCI support to the stubby package.
o All options are documented in the README.md file.
o The README.md file has been re-written to include a short usage
manual.
o The default configuration now includes more Cloudflare addresses.
o The stubby service is (re)started using procd triggers from a
specified interface with a configurable time delay.
o Round robin use of upstream resolvers is now activated by
default.
o Client privacy is now activated by default.
o Options are added for specifying the log level of the daemon and
command line options passed to the stubby command.
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
Remove the limit setting core="unlimited", since this shouldn't be needed
in production use (i.e. non-debug) and on an embedded platform, which is
why it's rarely used by any existing packages.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks,
as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific
SHA256 certificate hash are taken from Cloudflare's DoT configuration guide
published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/.
Note that the certificate is valid to March 25th 2020, 13:00 CET, which
provides ample time for issuance of a backup pin to support future key
rollover.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
