[pull] main-19.07 from openwrt:openwrt-19.07 #23

* update 'check' function Signed-off-by: Stan Grishin <[email protected]> (cherry picked from commit d11f310)

[19.07] simple-adblock: update to 1.8.8-1

While a pinned/working version of setuptools-scm is installed (by python-zipp) by the time this package is compiled, pinning the version in this package is still the correct thing to do. Signed-off-by: Jeffery To <[email protected]>

Signed-off-by: Jeffery To <[email protected]>

* there are reports that newer versions don't work on 19.07.x * revert to older README to describe this older version Signed-off-by: Stan Grishin <[email protected]> (cherry picked from commit 7bb2ccd)

[19.07] vpn-policy-routing: downgrade to 0.2.1-13

…cies-openwrt-19.07 [openwrt-19.07] python-packages: Fix host package build dependencies

Signed-off-by: Olivier Poitrey <[email protected]>

- Remove patch, which is part of this release, it was backported from upstream Signed-off-by: Josef Schlehofer <[email protected]>

Recently, silicondust (developers of hdhomerun) did some cleanup and removed old versions for hdhomerun library. ``` WGET http://download.silicondust.com/hdhomerun/libhdhomerun_20150826.tgz http://download.silicondust.com/hdhomerun/libhdhomerun_20150826.tgz: 2021-10-26 05:15:14 ERROR 404: Not Found. ``` And because of that, it is not possible to compile tvheadend, it ends with following error: ``` In file included from src/input/mpegts/tvhdhomerun/tvhdhomerun.c:25:0: src/input/mpegts/tvhdhomerun/tvhdhomerun_private.h:27:10: fatal error: libhdhomerun/hdhomerun.h: No such file or directory #include <libhdhomerun/hdhomerun.h> ^~~~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. ``` Let's fix it by updating libdhdhomerun to newer version. Signed-off-by: Josef Schlehofer <[email protected]>

The following CVEs are addressed: * CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This effectively disables the lame server cache, as it could previously be abused by an attacker to significantly degrade resolver performance. Signed-off-by: Noah Meyerhans <[email protected]>

Fixes: CVE-2020-13904 CVE-2020-2044 CVE-2020-20453 CVE-2020-22015 CVE-2020-22019 CVE-2020-22033 CVE-2020-22021 CVE-2020-22037 CVE-2020-35965 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291 Refresh patches Signed-off-by: Josef Schlehofer <[email protected]>

Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit d8e88ef)

Details: - Cleaned up whitespace and removed comments (refer to official PHP documentation for that) - Removed directives that no longer exist as of PHP 7.2.34 - Added '~E_DEPRECATED' to 'error_reporting' Directives removed that no longer exist as of PHP 7.2.34: - zend.ze1_compatibility_mode - y2k_compliance - register_globals - register_long_arrays - magic_quotes_gpc - magic_quotes_runtime - magic_quotes_sybase - always_populate_raw_post_data Signed-off-by: Giovanni Giacobbi <[email protected]>

[19.07] php7: Update and clean up distributed php7.ini

Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit f7717bd)

[19.07] cyrus-sasl: patch CVE-2019-19906

Changelog: https://downloads.isc.org/isc/bind9/9.16.23/RELEASE-NOTES-bind-9.16.23.html Signed-off-by: Josef Schlehofer <[email protected]>

Signed-off-by: Martin Pecka <[email protected]>

CVE-2021-30535 : Double free in ICU https://nvd.nist.gov/vuln/detail/CVE-2021-30535 https://security-tracker.debian.org/tracker/CVE-2021-30535 ICU-21587 : Fix memory bug w/ baseName unicode-org/icu#1698 Signed-off-by: Hirokazu MORIKAWA <[email protected]>

ddns-scripts: Fix wrong whitespace in preinst and postinst scripts

@Version

Also bump the version in syslog-ng config file. Removes this warning: Nov 16 14:19:41 turris syslog-ng[15159]: WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 3.35 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @Version header at the top of the configuration file; config-version='3.33' Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 2d2fd36)

Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 18261fc)

Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking). I've just taken patch from the advisory[1] and rebased it onto 1.15.0 version. 1. https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch Fixes: CVE-2021-3672 Signed-off-by: Petr Štetiar <[email protected]>

Patch 001-configure_fixes does not apply anymore. Other patches were refreshed. Signed-off-by: Josef Schlehofer <[email protected]>

Changelog: https://marlam.de/msmtp/news/msmtp-1-8-19/ Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 173faad)

[19.07] postgresql: security update to version 11.14

[19.07] libs/c-ares: fix domain hijacking CVE-2021-3672

Update nano editor to version 6.0 Version 6.0 enable toggling the display of the line numbers with the shortcut key M-N (Alt-n). Also the cmdline option "-l" works. Remove earlier patch regarding that. Signed-off-by: Hannu Nyman <[email protected]> (backported from commits 0571f54, 9023845 and ae7f62d)

The postrm script was missing shebang. Postrm scripts are packaged and executed directly and not sourced by default script (as in case of prerm and postinst). Also move some indents around to not confuse reader. The section in postinst was indented to same level as grep "condition" but is on same level as initial grep (not part of that "condition"). Signed-off-by: Karel Kočí <[email protected]> (cherry picked from commit d2d193d)

Signed-off-by: Karel Kočí <[email protected]> (cherry picked from commit c09d604)

Fixes Makefile warnings: WARNING: skipping X -- package has no install section Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 5a7148d)

treewide: add missing BUILDONLY

Update havged to version 1.9.17. Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit e065ccd) (Autorelease removed)

Fixes (see [1] for details): CVE-2021-33193 CVE-2021-41524 CVE-2021-41773 CVE-2021-42013 [1] https://httpd.apache.org/security/vulnerabilities_24.html Signed-off-by: Sebastian Kemper <[email protected]> (cherry picked from commit da4b1ca)

The current init script is using the deprecated -nd flag. This updates netdata to be started with -D. Signed-off-by: James White <[email protected]> (cherry picked from commit cf9d5a8)

Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 8c77bcc)

Signed-off-by: Stijn Tintel <[email protected]> (cherry picked from commit 7e50722)

This helps to compile domoticz on arc target. Signed-off-by: Josef Schlehofer <[email protected]>

The previous one was wrong, and it did not work. It could be checked inside compiled package in control.tar.gz that there was missing ``conffiles`` file with content `/etc/config/tvheadend` It is also possible to verify that the config is not overwritten on the router by running ``opkg install tvheadend --force-reinstall`` Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 752d1ff)

Several Makefile rearrangements for consistency between packages. Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 73d29b9)

Signed-off-by: Sergio E. Nemirowski <[email protected]> (cherry picked from commit 838306c)

Signed-off-by: Vieno Hakkerinen <[email protected]> (cherry picked from commit bc50029)

Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 68a3a06)

Remove paxctl stuff. pax is not packaged in OpenWrt. Add reload support. Install lua cfg file as 644. It's needed to be readable as prosody user Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit eb46e23)

Fixes CVEs: - CVE-2022-0217 - CVE-2021-37601 - CVE-2021-32918 - CVE-2021-32920 - CVE-2021-32921 - CVE-2021-32917 - CVE-2021-32919 Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit dcedbe8)

Signed-off-by: Josef Schlehofer <[email protected]>

Nano is by default built as "tiny" with most features disabled. That is suitable for basic tasks in routers with small flash. Add a new nano-plus variant that enables selected additional features in the build config: * multiple files (multibuffer) * Unicode/utf8 * justify * .nanorc support * help * also some key bindings get enabled as "tiny" configure option is removed. Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit 85cb71d)

nss: backport patch for CVE-2021-43527

The runtime testing always ran on master branch aka snapshots since the branch wasn't passed over to the container execution! Signed-off-by: Paul Spooren <[email protected]> (cherry picked from commit f535d77)

Signed-off-by: Josef Schlehofer <[email protected]>

bind: update to version 9.16.25

* fixes CVE-2021-41817 and CVE-2021-41819 Signed-off-by: Michal Vasilek <[email protected]>

Update nano to version 6.1. Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit 717efb8) [removed aurorelease]

Update nano to 6.2. Remove inactive second maintainer. Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit a3f14c5) [removed AUTORELEASE]

The FreeBSD project stopped publishing HTTP date headers and seeks to limit further resource taxing by distributed htpdate clients using the www.freebsd.org host as default time source. Fixes: #17924 Reported-by: Allan Jude <[email protected]> Signed-off-by: Jo-Philipp Wich <[email protected]> (cherry picked from commit e871318)

Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit c69160e)

* import patches for CVEs from alpine 3.13 CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-23852, CVE-2022-23990 CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315 Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit 584c0c4)

- Bump version in config file Release notes: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.36.1 Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 110d46e)

Fixes security issues: * CVE-2022-0396 -- A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer() to be called recursively, which in turn left TCP connections hanging in the CLOSE_WAIT state blocking indefinitely when out-of-order processing was disabled. * CVE-2021-25220 -- The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. Signed-off-by: Noah Meyerhans <[email protected]>

Includes fixes for: * Windows builds updated to bzip2 1.0.8 to mitigate CVE-2016-3189 and CVE-2019-12900 * CVE-2022-26488: Escalation of privilege via Windows Installer Signed-off-by: Jeffery To <[email protected]>

[openwrt-19.07] python3: Update to 3.7.13, refresh patches

Remove upstreamed patches. Added patch to fix compilation. Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 68b5a71)

Upstream was sloppy when cutting the release. Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit df20377)

dnslog feature has been removed since v1.4. Signed-off-by: Sungbo Eo <[email protected]> (cherry picked from commit 95954b8)

- add missing configs to PKG_CONFIG_DEPENDS and sort it - remove redundant INSTALL_DIR Signed-off-by: Sungbo Eo <[email protected]> (cherry picked from commit 2c71fb2)

If miniportal option is enabled, some haserl scripts are provided which present a simple login web page. To make it functional haserl is required. Signed-off-by: Sungbo Eo <[email protected]> (cherry picked from commit 5320888)

Please update to this latest release as soon as possible as this releases fixes the following major security issues: CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194. For a summary of news and a detailed list of changes see the ReleaseNotes[1]. [1]: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html Signed-off-by: Daniel Golle <[email protected]> (cherry picked from commit 951ef67)

Provide a new variant, nano-full, that enables almost all functionality of nano. Only libmagic file type detection has been left out. Ship with a minimal /etc/nanorc that the user can modify. nanorc documentation at https://www.nano-editor.org/dist/latest/nanorc.5.html Provide color highlighting for the uci config files. Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit 6a51794)

- Fixes CVE-2020-15803, CVE-2021-27927 - SourceForge does not provide tarball for version 4.0.37 and it was necessary to use Zabbix CDN to download it. Signed-off-by: Josef Schlehofer <[email protected]>

BUILDONLY was disabling SANE backends (drivers) build. Closes #14484 Signed-off-by: Luiz Angelo Daros de Luca <[email protected]> (cherry picked from commit bf4340e)

Fixes from 2.6.9: - CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods - CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse Fixes from 2.6.10: - CVE-2022-28739: Buffer overrun in String-to-Float conversion After this release, Ruby 2.6 reaches EOL. Signed-off-by: Luiz Angelo Daros de Luca <[email protected]>

Changelog: https://downloads.isc.org/isc/bind9/9.16.28/RELEASE-NOTES-bind-9.16.28.html Signed-off-by: Josef Schlehofer <[email protected]>

This fixes CVE-2022-24884. Also update the package URL to match the source repository. Signed-off-by: Matthias Schiffer <[email protected]> (cherry picked from commit de5671e)

Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit fbe3079)

Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit ef29bf0)

* fixes CVE-2022-1552 Signed-off-by: Michal Vasilek <[email protected]>

otherwise, a user would have to either manually run /etc/init.d/lxc-auto boot or reboot the system to start using lxc. Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit 2cde10b)

We received a report from Turris user on Turris support department that netatalk version 3.1.13 does not work properly. Process afpd says: INTERNAL ERROR Signal 11 because of that Apple Time Machine does not work as it should This was already reported to netatalk by different people on various GNU/Linux distributions like CentOS, AlmaLinux [1] [2] netatalk developer states [3]: ``` Generally, at this point I can only advice to stop using Netatalk. There are more pending CVEs that I currently don't have the bandwidth to work on. ``` [1] https://sourceforge.net/p/netatalk/bugs/669/ [2] https://sourceforge.net/p/netatalk/bugs/670/ [3] https://sourceforge.net/p/netatalk/mailman/message/37638871/ This reverts commit 165c562. Signed-off-by: Josef Schlehofer <[email protected]>

Signed-off-by: Federico Capoano <[email protected]>

* follow upstream ressources to github * rename /usr/sbin/munin-node to /usr/sbin/muninlite (following the chane of upstream) * change plugin directory from /usr/sbin/munin-node-plugin.d/ to /etc/munin/plugins (compatible to upstream / munin-node) * all patches (except one OpenWrt-specific patch) were merged upstream Signed-off-by: Lars Kruse <[email protected]>

Signed-off-by: Lars Kruse <[email protected]>

Since muninlite 2.0 the unpatched upstream also uses /proc/sys/kernel/hostname. Thus the patch is not necessary anymore. Signed-off-by: Lars Kruse <[email protected]>

Signed-off-by: Francois Dechery <[email protected]>

Signed-off-by: Lars Kruse <[email protected]>

Signed-off-by: Kim B. Heino <[email protected]>

Signed-off-by: Lars Kruse <[email protected]>

libxml2 seems to be required only during build, hence no need to depend on it in run-time. Signed-off-by: Daniel Golle <[email protected]> (cherry picked from commit 1f3585a)

Signed-off-by: Michael Heimpold <[email protected]> (cherry picked from commit 10e867d) [remove no longer needed CVE-2019-19956 patch (fixed in libxml2 2.9.10)] Signed-off-by: Šimon Bořek <[email protected]>

Signed-off-by: Michael Heimpold <[email protected]> (cherry picked from commit 6b932d3) Signed-off-by: Šimon Bořek <[email protected]>

This fixes CVE-2022-23308. Also switch to GNOME as download source and xz tarball. Signed-off-by: Michael Heimpold <[email protected]> (cherry picked from commit 81fd836) Signed-off-by: Šimon Bořek <[email protected]>

This fixes CVE-2022-29824. Signed-off-by: Michael Heimpold <[email protected]> (cherry picked from commit c12e1cf) Signed-off-by: Šimon Bořek <[email protected]>

libxml2: backport 2.9.14 version bump

This can be finally re-reverted, so we can use version 3.1.13, which fixes multiple security vulnerabilities, but it segfaults almost immediately. There is currently pending pull request, which fixes this, and multiple users confirmed that it works on different GNU/Linux distributions. This reverts commit bfe2550. Signed-off-by: Josef Schlehofer <[email protected]>

This commit backports pending PR, which solves segfaults: - Netatalk/netatalk#174 To fix issues with segfaults described here: - #18571 - Netatalk/netatalk#175 Signed-off-by: Šimon Bořek <[email protected]> (cherry picked from commit ab76857)

[19.07] netatalk: re-introduce 3.1.13 and backport pending fixes

Signed-off-by: Yanase Yuki <[email protected]> (cherry picked from commit ac52356)

Beep is a target-independent software that can handle buzzers controlled by kmod-gpio-beeper. This change is useful for some non-x86 enterprise APs and development boards that have a buzzer connected to GPIO. Compile-tested: ath79, ELECOM WAB-I1750-PS, 3fab4ac + device support patch Run-tested: ath79, ELECOM WAB-I1750-PS, 3fab4ac + device support patch Signed-off-by: Yanase Yuki <[email protected]> (cherry picked from commit 9bcea2d)

Commit 9bcea2d causes a dependency problem with some out-of-tree packages which expect "DEPENDS:=+kmod-pcspkr". To fix this problem, this commit restores a dependency definition to the previous one on x86 target. Signed-off-by: Yanase Yuki <[email protected]> (cherry picked from commit 8b1216f)

1. Changed Git repository, which is used for Fedora packaging johnath/beep#11 (comment) Fixed CVEs: CVE-2018-0492 - https://nvd.nist.gov/vuln/detail/CVE-2018-0492 CVE-2018-1000532 - https://nvd.nist.gov/vuln/detail/CVE-2018-1000532 2. Fixed SPDX License Identifier 3. Add patch to comment out -D_FORTIFY_SOURCE Otherwise, it can not be built by default. Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 6488eaf)

Signed-off-by: W. Michael Petullo <[email protected]> (cherry picked from commit bab2f02)

fix ldconfig build issue. This patch is a backport from upstream: LuaJIT/LuaJIT@18c9cf7 Signed-off-by: Sergey V. Lobanov <[email protected]> (cherry picked from commit 42c4d25)

Signed-off-by: Rosen Penev <[email protected]> (cherry picked from commit 24c0007)

Signed-off-by: Michal Vasilek <[email protected]>

Signed-off-by: Josef Schlehofer <[email protected]>

otherwise, a user would have to either manually run /etc/init.d/lxc-auto boot or reboot the system to start using lxc. originally committed in 2cde10b reverted in 039912d Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit 7da7356)

The postinst script is sourced during image build, which causes the follow failure: /home/stijn/Development/OpenWrt/openwrt/build_dir/target-x86_64_musl/root-x86/etc/init.d/lxc-auto: line 3: /lib/functions.sh: No such file or directory postinst script ./usr/lib/opkg/info/lxc-auto.postinst has failed with exit code 1 Sourcing /lib/functions.sh is not needed, as /etc/rc.common does so already. Unfortunately removing that line from the init script is not enough to fix the problem. The postinst script should also check IPKG_INSTROOT. As these two changes are unrelated, they should go in separate commits, and the solution to the image build problem is to revert the commit that introduced the breakage. This reverts commit 2cde10b. Signed-off-by: Stijn Tintel <[email protected]>

- Changelog: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.37.1 - Bump config version Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit ae7aefe)

Signed-off-by: Federico Capoano <[email protected]> (cherry picked from commit 0419a79)

[19.07] openwisp-config: update to 1.0.1

Update haveged to version 1.9.18 Signed-off-by: Hannu Nyman <[email protected]> (cherry picked from commit 8579494)

Signed-off-by: Federico Capoano <[email protected]> (cherry picked from commit 0419a79)

[19.07] openwisp-monitoring: added 0.1.1

libarchive looks for ext2fs headers during configure, and if it finds them it will expect to find them during compile, or on the rare occasion when they aren't it will fail: libarchive/archive_entry.c:59:55: fatal error: ext2fs/ext2_fs.h: No such file or directory As we just need headers for some type constants, let's re-use headers from tools/e2fsprogs package which are always available. Reported-by: Adam Dov <[email protected]> Suggested-by: Paul Eggleton <[email protected]> References: https://git.yoctoproject.org/poky/commit/?id=f0b9a7cf9f80be1917e45266fa201f464a28c1e5 Signed-off-by: Petr Štetiar <[email protected]> (cherry picked from commit 797945d)

cdn.postfix.johnriley.me serves a certificate for a different domain name. Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit d4feef9)

Installing the .pc files helps other programs to detect the presence of libsasl2. While at, reduce the glob pattern a little bit to not include unneeded symlinks. Signed-off-by: Michael Heimpold <[email protected]> (cherry picked from commit c9ce769)

Release notes: https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/notes.html Signed-off-by: Josef Schlehofer <[email protected]>

makes LuaJit builds for mpc85xx targets with SPE ISA extension enabled possible Quoting inner commit message: This allows building LuaJit for systems with Power ISA SPE extension[^1] support by using soft float on LuaJit side. While e500 CPU cores support SPE instruction set extension allowing them to perform floating point arithmetic natively, this isn't required. They can function with software floating point to integer arithmetic translation as well, just like FPU-less PowerPC CPUs without SPE support. Therefore I see no need to prevent them from running LuaJit explicitly. [^1]: https://www.nxp.com/docs/en/reference-manual/SPEPEM.pdf Signed-off-by: Pali Rohár <[email protected]> Signed-off-by: Šimon Bořek <[email protected]> (cherry picked from commit a4a484f)

901b0f0 main: fix two one-byte overreads in header_value() Signed-off-by: Jo-Philipp Wich <[email protected]> (cherry picked from commit 443c6c1)

This adds conflicts between the variants, because they provide the same files, and it should not be possible to install them side by side. Otherwise, it might happen that half files would be from one variant and the other half from the other. Also, adds provides as if you request to install ``vim`` and ``vim-full``, then the request could be satisfied even they collide, because ``vim-full`` provides ``vim`` package. Signed-off-by: Karel Kočí <[email protected]> Signed-off-by: Josef Schlehofer <[email protected]> [add commit message] (cherry picked from commit 46c0584)

* refresh patches Signed-off-by: Michal Vasilek <[email protected]> (cherry picked from commit 81e0fcb)

Signed-off-by: Jan Hak <[email protected]> (cherry picked from commit 7aee9d1)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit 2d2f1e5)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit 175087b)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit 60a80b3)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit 2a56e47)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit 4de863e)

Signed-off-by: Jan Hák <[email protected]> (cherry picked from commit f30da8c)

Signed-off-by: Jan Hak <[email protected]> (cherry picked from commit b0870d7)

Signed-off-by: Jan Hak <[email protected]> (cherry picked from commit 0b8f3ea)

- Release notes: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1 - Update the configuration file to use version 4.0 as mentioned in the release notes to try the latest changes Fixes: CVE-2022-38725 Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 34b7af9)

Changelog: https://downloads.isc.org/isc/bind9/9.16.33/RELEASE-NOTES-bind-9.16.33.html Fixes: - multiple CVEs (CVE-2022-2795, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178) Signed-off-by: Josef Schlehofer <[email protected]>

This is similar to commit f303e87 ("nss: update to 3.67") as there is something wrong with NSS build system and otherwise this package fails to compile. Let's compile it single threaded. Signed-off-by: Josef Schlehofer <[email protected]>

For some time, it is not possible to install ttyd and mosquitto-ssl at the same time, so let's solve it that libwebsockets-full provides libwebsockets-openssl. This allows to install ttyd and mosquitto at the same time. Also, we need to add conflict, because we should not have installed libwebsockets-openssl and libwebsockets-full at the same time as they provides the same files. Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 77e682a)

They provide the same files, but they don't conflict to each other, this means that users can install them side by side. Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 676c5c7)

While running `make menuconfig`, it was discovered then there is a recursive dependency like this: tmp/.config-package.in:59138:error: recursive dependency detected! tmp/.config-package.in:59138: symbol PACKAGE_libwebsockets-openssl is selected by PACKAGE_libwebsockets-mbedtls tmp/.config-package.in:59122: symbol PACKAGE_libwebsockets-mbedtls depends on PACKAGE_libwebsockets-openssl It is not possible with the recently added conflicts that two packages (OpenSSL and full variant, which uses OpenSSL as well), which are almost the same provides the same named package libwebsockets as their conflict - Mbed TLS. Fixes: 676c5c7 ("libwebsockets: OpenSSL and mbedTLS variants should conflict") Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit a4e8cbb)

Fixes multiple CVEs. Upstream changelog is https://ftp.isc.org/isc/bind9/9.16.37/CHANGES CVEs fixed: CVE-2022-3924: Fix serve-stale crash when recursive clients soft quota is reached. CVE-2022-3736: Handle RRSIG lookups when serve-stale is active. CVE-2022-3094: An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. Signed-off-by: Noah Meyerhans <[email protected]>

Includes fixes: * 3.7.14: * CVE-2020-10735: Prevent DoS by large int<->str conversions * CVE-2021-28861: http.server: Open Redirection if the URL path starts with // * 3.7.16: * CVE-2022-45061: Slow IDNA decoding with large strings * CVE-2022-37454: Buffer overflow in the _sha3 module * CVE-2015-20107: mailcap.findmatch: document shell command Injection danger in filename parameter Signed-off-by: Jeffery To <[email protected]>

[openwrt-19.07] python3: Update to 3.7.16, refresh patches

This includes an updated patch for pip, as the bundled pip was also updated with this release. Signed-off-by: Jeffery To <[email protected]>

[openwrt-19.07] python3: Update to 3.7.17

[pull] main-19.07 from openwrt:openwrt-19.07 #23

Are you sure you want to change the base?

[pull] main-19.07 from openwrt:openwrt-19.07 #23

Commits on Oct 15, 2021

Commits on Oct 16, 2021

Commits on Oct 17, 2021

Commits on Oct 18, 2021

Commits on Oct 22, 2021

Commits on Oct 25, 2021

Commits on Oct 28, 2021

Commits on Oct 29, 2021

Commits on Oct 30, 2021

Commits on Oct 31, 2021

Commits on Nov 11, 2021

Commits on Nov 12, 2021

Commits on Nov 13, 2021

Commits on Nov 14, 2021

Commits on Nov 18, 2021

Commits on Nov 26, 2021

Commits on Nov 29, 2021

Commits on Nov 30, 2021

Commits on Dec 2, 2021

Commits on Dec 4, 2021

Commits on Dec 12, 2021

Commits on Dec 16, 2021

Commits on Dec 17, 2021

Commits on Jan 2, 2022

Commits on Jan 3, 2022

Commits on Jan 9, 2022

Commits on Jan 13, 2022

Commits on Jan 19, 2022

Commits on Jan 25, 2022

Commits on Jan 30, 2022

Commits on Jan 31, 2022

Commits on Feb 1, 2022

Commits on Feb 2, 2022

Commits on Feb 6, 2022

Commits on Feb 9, 2022

Commits on Feb 22, 2022

Commits on Feb 23, 2022

Commits on Feb 24, 2022

Commits on Mar 12, 2022

Commits on Mar 18, 2022

Commits on Mar 21, 2022

Commits on Mar 23, 2022

Commits on Mar 24, 2022

Commits on Apr 16, 2022

Commits on Apr 22, 2022

Commits on Apr 23, 2022

Commits on Apr 24, 2022

Commits on May 5, 2022

Commits on May 6, 2022

Commits on May 15, 2022

Commits on May 20, 2022

Commits on Jun 1, 2022

Commits on Jun 2, 2022

Commits on Jun 6, 2022

Commits on Jun 8, 2022

Commits on Jun 10, 2022

Commits on Jun 22, 2022

Commits on Jun 23, 2022

Commits on Jun 24, 2022

Commits on Jun 25, 2022

Commits on Jun 30, 2022

Commits on Jul 1, 2022

Commits on Jul 4, 2022

Commits on Jul 13, 2022

Commits on Jul 17, 2022

Commits on Jul 18, 2022

Commits on Aug 2, 2022

Commits on Aug 6, 2022

Commits on Aug 10, 2022

Commits on Aug 24, 2022

Commits on Sep 7, 2022

Commits on Sep 8, 2022

Commits on Sep 25, 2022

Commits on Sep 26, 2022

Commits on Oct 25, 2022

Commits on Oct 27, 2022

Commits on Jan 29, 2023