2.6.5 fixes:
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
2.6.4 fixes:
* Multiple jQuery vulnerabilities in RDoc
Sebastian Kemper [Sat, 26 Oct 2019 13:01:23 +0000 (15:01 +0200)]
modemmanager: fix compilation
MM has a problem with cross-compiling. It needs to run some
tools during compilation (glib-mkenums & gdbus-codegen) but uses
pkg-config to detect them. But like this it finds the wrong tools, the
ones in $(STAGING_DIR). The correct tools are in
$(STAGING_DIR_HOSTPKG)/bin.
As a workaround this commit patches configure.ac so the correct tools
are used, the ones from glib2/host. The latter is also added to
PKG_BUILD_DEPENDS to reflect this.
libxslt/host is also added to PKG_BUILD_DEPENDS and the related
RequireCommand call is removed. This is OK to do since we have
libxslt/host available since a few days ago.
Sebastian Kemper [Sun, 27 Oct 2019 09:06:35 +0000 (10:06 +0100)]
libxml2: install xml2-config with host triplet
Currently only xml2-config is installed, for both the normal libxml2
package as well as the host package. The problem with that is that due
to multilib considerations the build host may have xml2-config installed
with a host triplet prefix, like x86_64-pc-linux-gnu-xml2-config (and
xml2-config as a symbolic link to it). Gentoo for instance sets it up
like this.
Packages may actually search for a prefixed xml2-config before searching
for xml2-config. An example would be Asterisk:
checking for x86_64-pc-linux-gnu-xml2-config... /usr/bin/x86_64-pc-linux-gnu-xml2-config
This then introduces wrong information into the build, for instance
bad includes:
This commit addresses this by installing xml2-config with a suitable
prefix and creating a symbolic link xml2-config. This is done for both
the host package and the normal package. The latter also needs this fix
because the target may use the same triplet as the host system (for
instance x86_64 cross-compiling for x86_64).
William Fleurant [Sat, 26 Oct 2019 17:41:13 +0000 (13:41 -0400)]
yggdrasil: uci firewall Section name and cover both IP versions
- rename the section instance to yggdrasil (feat. request)
- allow zone to cover both ip4 and ip6 fam
Sebastian Kemper [Sat, 26 Oct 2019 12:47:52 +0000 (14:47 +0200)]
libxslt/host: depend on libxml2/host
The host build requires libxml2-dev. This commit adds the dependency for
libxml2/host, as the host system may not have it installed. This also
avoids using the host's xml2-config (in /usr/bin for instance) while
linking to libraries in staging_dir/hostpkg.
After many failed attempts at upgrading Django to 2.2.6, the solution seems
to be to split a `python-django1` package that works with Python2 and
upgrade `python3-django` to the latest 2.2[.6] LTS release.
This also means that all Python2 Django packages will be stuck & based on
Django 1.11[.24] LTS release. But, it's currently the sanest approach I
could find to be able to perform an upgrade of Django to 2.2, and not break
Seafile.
Upgrading Seafile is also pretty difficult, as their Python3 support is not
yet finished & released. And in the meantime, we want to allow people to
use newer Django versions.
Upstream release message:
"Letsencrypt CA recent changed the CDN provider, which resulted in hanging issues.
Any downstream package should update.
This is important."
Sebastian Kemper [Tue, 22 Oct 2019 21:58:12 +0000 (23:58 +0200)]
libxml2/host: revert xml2-config prefix fix
Commit 218f0229a4594b32d9db6ad0678cdce7e2663e27 added a workaround for a
problem. The host compile overwrote xml2-config in
"$(STAGING_DIR)/host/bin". The workaround fixed the issue for regular
target packages. But it didn't leave a proper xml2-config script for
host packages.
Times have changed. Host packages are now installed in
"$(STAGING_DIR_HOSTPKG). So there is no longer any danger of the host
package overwriting the xml2-config script for target packages. So
revert the mentioned commit, leaving us with two proper xml2-config
scripts, one for target package builds and one for host package builds.
Jeffery To [Mon, 21 Oct 2019 12:31:34 +0000 (20:31 +0800)]
python,python3: Add PYPI_SOURCE_NAME to pypi.mk
This adds a new (optional) variable, PYPI_SOURCE_NAME, to pypi.mk.
For some PyPi packages (e.g. aiohttp_cors, click, django-compressor),
the name of the package and the source tarball name are slightly
different (usually by capitalisation or hyphen/underscore change).
This new variable is to make this difference explicit. PYPI_NAME is
meant for the "official" package name, whereas PYPI_SOURCE_NAME is meant
for the source tarball name.
This required a bit work to get working, compared to other versions. So,
some things have changed a bit more significantly.
Some highlights:
* there is no longer a pgen executable, seems this is now part of
libpython; let's see what this means for us in the future
* blake2 hash (from OpenSSL) detection needs some fixing; will upstream
added patch 002-fix-blake2-detection.patch
* removed all bpo patches; those should be fixed in upstream
* some needed to be manually re-applied as stuff changed:
- 001-enable-zlib.patch - file changed
- 004-do-not-write-bytes-codes.patch - file changed
- 015-abort-on-failed-modules.patch - variable was renamed
cross_compiling -> CROSS_COMPILING
* 017_lib2to3_fix_pyc_search.patch - the code changed, it does not seem to
have the original problem with respect to file-extension, as there
does not seem to be any special extension logic anymore there
* 006-remove-multi-arch-and-local-paths.patch - dropped patch; I can't
remember the full-details of this issue; it was something with
Debian/Ubuntu's multi-arch stuff; it was probably added maybe due to
some overzealous (on my part) thingy caused by some weird reports,
that I could never solve; let's have this patch dropped and see
* make package/python3/refresh to reduce fuzz for the rest