PHP_NEW_EXTENSION(fileinfo, fileinfo.c $libmagic_sources, $ext_shared,,-I@ext_srcdir@/libmagic)
--- a/ext/opcache/config.m4
+++ b/ext/opcache/config.m4
-@@ -261,7 +261,11 @@ AC_TRY_RUN([
- ], [
- flock_type=linux
- AC_DEFINE([HAVE_FLOCK_LINUX], [], [Struct flock is Linux-type])
--], [])
-+], [
-+ dnl cross-compiling; assume Linux
-+ flock_type=linux
-+ AC_DEFINE([HAVE_FLOCK_LINUX], [], [Struct flock is Linux-type])
-+])
- fi
+@@ -232,6 +232,10 @@ int main() {
+ flock_type=unknown
+ AC_MSG_CHECKING(for struct flock layout)
++dnl cross-compiling for Linux
++flock_type=linux
++AC_DEFINE([HAVE_FLOCK_LINUX], [], [Struct flock is Linux-type])
++
if test "$flock_type" = "unknown"; then
+ AC_TRY_RUN([
+ #include <fcntl.h>
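Review bot: The rewritten patch assigns `flock_type=linux` and the `HAVE_FLOCK_LINUX` define unconditionally right after `AC_MSG_CHECKING`, so the `if test "$flock_type" = "unknown"` test and the `AC_TRY_RUN` probe under it can no longer run; the previous form only assumed Linux in `AC_TRY_RUN`'s cross-compiling action and left native builds to the probe. That is harmless for a build that always cross-compiles for a Linux target, but the comment `dnl cross-compiling for Linux` now understates what the hunk does. `dnl always cross-compiling for a Linux target: skip the runtime probe and hard-code the Linux struct flock layout` would describe it. The configure block continues outside the hunk.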
include $(TOPDIR)/rules.mk
PKG_NAME:=python-cryptography
-PKG_VERSION:=2.4.2
+PKG_VERSION:=2.5
PKG_RELEASE:=1
PKG_SOURCE:=cryptography-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= https://files.pythonhosted.org/packages/source/c/cryptography
-PKG_HASH:=05a6052c6a9f17ff78ba78f8e6eb1d777d25db3b763343a1ae89a7a8670386dd
+PKG_HASH:=4946b67235b9d2ea7d31307be9d5ad5959d6c4a8f98f900157b47abddf698401
PKG_LICENSE:=Apache-2.0 BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD
+++ /dev/null
-From e7a6229b332969d621aaf25f3fc5cdd99e3c9072 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Sun, 18 Nov 2018 18:04:01 -0800
-Subject: [PATCH] Adjust DTLS check (#4593)
-
-OpenSSL defines these even with OPENSSL_NO_DTLS.
----
- src/_cffi_src/openssl/ssl.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
-index c921dbee..f0b8939c 100644
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -709,7 +709,7 @@ static const long TLS_ST_BEFORE = 0;
- static const long TLS_ST_OK = 0;
- #endif
-
--#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
- static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
- const SSL_METHOD *(*DTLS_method)(void) = NULL;
- const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
include $(TOPDIR)/rules.mk
PKG_NAME:=python-lxml
-PKG_VERSION:=4.3.0
+PKG_VERSION:=4.3.1
PKG_RELEASE:=1
PKG_SOURCE:=lxml-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/l/lxml
-PKG_HASH:=d1e111b3ab98613115a208c1017f266478b0ab224a67bc8eac670fa0bad7d488
+PKG_HASH:=da5e7e941d6e71c9c9a717c93725cda0708c2474f532e3680ac5e39ec57d224d
PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)-lxml-$(PKG_VERSION)
PKG_UNPACK=$(HOST_TAR) -C $(PKG_BUILD_DIR) --strip-components=1 -xzf $(DL_DIR)/$(PKG_SOURCE)
)
}
+delete_empty_dirs() {
+ local dst_dir="$1"
+ if [ -d "$dst_dir/usr" ] ; then
+ for _ in $(seq 1 10) ; do
+ find "$dst_dir/usr" -empty -type d -exec rmdir {} \; || continue
+ break
+ done
+ rmdir "$dst_dir/usr" || true
+ fi
+}
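Review bot: The ten-iteration retry loop in `delete_empty_dirs` compensates for `find` walking top-down: an empty directory is removed by `-exec rmdir` and, as far as I can tell, `find` then errors trying to descend into it, while a parent that only became empty is not seen until the next pass. `find "$dst_dir/usr" -depth -type d -empty -exec rmdir {} \;` visits children before parents and removes the whole empty subtree, including `$dst_dir/usr` itself when it ends up empty, in a single pass, making the loop and the trailing `rmdir "$dst_dir/usr" || true` unnecessary. If the loop is kept, a comment such as `# find removes top-down, so repeat until no newly-emptied parent is left` would explain the bound of 10.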
+
ver="$1"
src_dir="$2"
dst_dir="$3"
mode="$5"
filespec="$6"
+find "$src_dir" -name "*\.exe" -exec rm -f {} \;
+
process_filespec "$src_dir" "$dst_dir" "$filespec" || {
echo "process filespec error-ed"
exit 1
}
+usr_bin_dir="$dst_dir/usr/bin"
+
+if [ -d "$usr_bin_dir" ] ; then
+ sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i $usr_bin_dir/*
+fi
+
if [ "$mode" == "sources" ] ; then
# Copy only python source files
- find $dst_dir -not -type d -not -name "*\.py" | xargs rm -f
+ find "$dst_dir" -not -type d -not -name "*\.py" -exec rm -f {} \;
- # Delete empty folders (if the case)
- if [ -d "$dst_dir/usr" ] ; then
- find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
- rmdir --ignore-fail-on-non-empty $dst_dir/usr
- fi
+ delete_empty_dirs "$dst_dir"
exit 0
fi
# So, we just stuck to un-optimized byte-codes,
# which is still way better/faster than running
# Python sources all the time.
-$python -m compileall $legacy -d '/' $dst_dir || {
+$python -m compileall $legacy -d '/' "$dst_dir" || {
echo "python -m compileall err-ed"
exit 1
}
# Delete source files and pyc [ un-optimized bytecode files ]
# We may want to make this optimization thing configurable later, but not sure atm
-find $dst_dir -type f -name "*\.py" | xargs rm -f
+find "$dst_dir" -type f -name "*\.py" -exec rm -f {} \;
-# Delete empty folders (if the case)
-if [ -d "$dst_dir/usr" ] ; then
- find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
- rmdir --ignore-fail-on-non-empty $dst_dir/usr
-fi
+delete_empty_dirs "$dst_dir"
exit 0
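Review bot: The glob in `sed ... -i $usr_bin_dir/*` is unquoted, so if `usr/bin` exists but is empty the literal `*` is passed and `sed` fails on a missing file, and a path containing whitespace would be word-split; `for f in "$usr_bin_dir"/*; do [ -f "$f" ] && sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i "$f"; done` handles both. It is also worth a comment that the rewrite now touches every file installed under `usr/bin`, not just the pip/setuptools scripts the removed Makefile `sed` lines targeted; the `1!b` address restricts the substitution to a first line starting with `#!` and containing `python`. Whether the script runs under `set -e` is not visible here, so a failing `sed` may currently either abort the install or be silently ignored.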
define Package/$(1)/install
$(call PyPackage/$(1)/install,$$(1))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
$(SHELL) $(python_mk_path)python-package-install.sh "2" \
"$(PKG_INSTALL_DIR)" "$$(1)" \
"$(HOST_PYTHON_BIN)" "$$(2)" \
cd $(PKG_BUILD_DIR)/$(strip $(1)), \
./setup.py $(2), \
$(3))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
endef
PYTHON_PKG_SETUP_ARGS:=--single-version-externally-managed
include $(TOPDIR)/rules.mk
PKG_NAME:=python-pyasn1-modules
-PKG_VERSION:=0.2.3
+PKG_VERSION:=0.2.4
PKG_RELEASE:=1
PKG_SOURCE:=pyasn1-modules-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/pyasn1-modules
-PKG_HASH:=d14fcb29dabecba3d7b360bf72327c26c385248a5d603cf6be5f566ce999b261
+PKG_HASH:=a52090e8c5841ebbf08ae455146792d9ef3e8445b21055d3a3b7ed9c712b7c7c
PKG_LICENSE:=BSD-2-Clause
PKG_LICENSE_FILES:=LICENSE.txt
include $(TOPDIR)/rules.mk
PKG_NAME:=python-pyopenssl
-PKG_VERSION:=18.0.0
+PKG_VERSION:=19.0.0
PKG_RELEASE:=1
PKG_SOURCE:=pyOpenSSL-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://pypi.io/packages/source/p/pyOpenSSL
-PKG_HASH:=6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580
+PKG_HASH:=aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_NAME:=python
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)
define PyPackage/python-pip/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
$(CP) $(PKG_BUILD_DIR)/install-pip/bin/* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON_VERSION)/site-packages/pip \
define PyPackage/python-setuptools/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
$(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON_VERSION)/site-packages/pkg_resources \
--- /dev/null
+From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 15 Jan 2019 15:11:52 -0800
+Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
+
+Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
+distribution points with empty DP or URI correctly. A malicious or buggy
+certificate can result into segfault.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue35746
+(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+---
+ Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
+ Lib/test/test_ssl.py | 22 +++++++++++++++++++
+ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
+ Modules/_ssl.c | 4 ++++
+ 4 files changed, 51 insertions(+)
+ create mode 100644 Lib/test/talos-2019-0758.pem
+ create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+
+diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
+new file mode 100644
+index 0000000000..13b95a77fd
+--- /dev/null
++++ b/Lib/test/talos-2019-0758.pem
+@@ -0,0 +1,22 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index e476031702..9240184d98 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem")
+ BADKEY = data_file("badkey.pem")
+ NOKIACERT = data_file("nokia.pem")
+ NULLBYTECERT = data_file("nullbytecert.pem")
++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
+
+ DHFILE = data_file("ffdh3072.pem")
+ BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding())
+@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase):
+ self.assertEqual(p['crlDistributionPoints'],
+ ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
+
++ def test_parse_cert_CVE_2019_5010(self):
++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
++ if support.verbose:
++ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
++ self.assertEqual(
++ p,
++ {
++ 'issuer': (
++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
++ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
++ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
++ 'serialNumber': '02',
++ 'subject': ((('countryName', 'UK'),),
++ (('commonName',
++ 'codenomicon-vm-2.test.lal.cisco.com'),)),
++ 'subjectAltName': (
++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
++ 'version': 3
++ }
++ )
++
+ def test_parse_cert_CVE_2013_4238(self):
+ p = ssl._ssl._test_decode_cert(NULLBYTECERT)
+ if support.verbose:
+diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+new file mode 100644
+index 0000000000..dffe347eec
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+@@ -0,0 +1,3 @@
++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
++not handle CRL distribution points with empty DP or URI correctly. A
++malicious or buggy certificate can result into segfault.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index a96c419260..19bb1207b4 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) {
+ STACK_OF(GENERAL_NAME) *gns;
+
+ dp = sk_DIST_POINT_value(dps, i);
++ if (dp->distpoint == NULL) {
++ /* Ignore empty DP value, CVE-2019-5010 */
++ continue;
++ }
+ gns = dp->distpoint->name.fullname;
+
+ for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
+--
+2.17.1
+
define Package/$(1)/install
$(call Py3Package/$(1)/install,$$(1))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
$(SHELL) $(python3_mk_path)python-package-install.sh "3" \
"$(PKG_INSTALL_DIR)" "$$(1)" \
"$(HOST_PYTHON3_BIN)" "$$(2)" \
cd $(PKG_BUILD_DIR)/$(strip $(1)), \
./setup.py $(2), \
$(3))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
endef
PYTHON3_PKG_SETUP_ARGS:=--single-version-externally-managed
PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
PKG_NAME:=python3
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
define Package/python3-pip/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
$(CP) $(PKG_BUILD_DIR)/install-pip/bin/pip3* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip-$(PYTHON3_PIP_VERSION).dist-info \
$(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/
- find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
+ for _ in \$(seq 1 10) ; do \
+ find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
+ break ; \
+ done
endef
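Review bot: `\$(seq 1 10)` on the new `for` line is expanded by make, not the shell: make has no backslash escape for `$`, so `$(seq 1 10)` is read as a reference to an (empty) variable named `seq 1 10` and the shell receives `for _ in \ ; do`, which runs the body exactly once and never retries. It should be `$$(seq 1 10)`, as in `for _ in $$(seq 1 10) ; do \`; the python3-setuptools hunk below has the same line. The retry appears to exist because `find ... -name __pycache__ -exec rm -rf {} \;` removes a directory and then tries to descend into it, exiting non-zero; `find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -prune -exec rm -rf {} \;` avoids that in one pass and makes the loop unnecessary. Separately, the removed shebang `sed` is now handled by python-package-install.sh on `$dst_dir/usr/bin`, which only applies if `Package/python3-pip/install` is still invoked through the Py3Package wrapper that calls that script — worth confirming, since this define is named `Package/...` rather than `Py3Package/...` like the setuptools one.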
$(eval $(call Py3BasePackage,python3-pip, \
define Py3Package/python3-setuptools/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
$(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/easy_install-* $(1)/usr/bin
$(LN) easy_install-$(PYTHON3_VERSION) $(1)/usr/bin/easy_install-3
$(CP) \
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/setuptools-$(PYTHON3_SETUPTOOLS_VERSION).dist-info \
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/easy_install.py \
$(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
+ for _ in \$(seq 1 10) ; do \
+ find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
+ break ; \
+ done
endef
$(eval $(call Py3BasePackage,python3-setuptools, \
--- /dev/null
+From be5de958e9052e322b0087c6dba81cdad0c3e031 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 15 Jan 2019 15:03:36 -0800
+Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
+
+Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
+distribution points with empty DP or URI correctly. A malicious or buggy
+certificate can result into segfault.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue35746
+(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+---
+ Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
+ Lib/test/test_ssl.py | 22 +++++++++++++++++++
+ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
+ Modules/_ssl.c | 4 ++++
+ 4 files changed, 51 insertions(+)
+ create mode 100644 Lib/test/talos-2019-0758.pem
+ create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+
+diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
+new file mode 100644
+index 0000000000..13b95a77fd
+--- /dev/null
++++ b/Lib/test/talos-2019-0758.pem
+@@ -0,0 +1,22 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index f1b9565c8d..b6794ce3a8 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem")
+ BADKEY = data_file("badkey.pem")
+ NOKIACERT = data_file("nokia.pem")
+ NULLBYTECERT = data_file("nullbytecert.pem")
++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
+
+ DHFILE = data_file("ffdh3072.pem")
+ BYTES_DHFILE = os.fsencode(DHFILE)
+@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase):
+ self.assertEqual(p['crlDistributionPoints'],
+ ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
+
++ def test_parse_cert_CVE_2019_5010(self):
++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
++ if support.verbose:
++ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
++ self.assertEqual(
++ p,
++ {
++ 'issuer': (
++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
++ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
++ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
++ 'serialNumber': '02',
++ 'subject': ((('countryName', 'UK'),),
++ (('commonName',
++ 'codenomicon-vm-2.test.lal.cisco.com'),)),
++ 'subjectAltName': (
++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
++ 'version': 3
++ }
++ )
++
+ def test_parse_cert_CVE_2013_4238(self):
+ p = ssl._ssl._test_decode_cert(NULLBYTECERT)
+ if support.verbose:
+diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+new file mode 100644
+index 0000000000..dffe347eec
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+@@ -0,0 +1,3 @@
++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
++not handle CRL distribution points with empty DP or URI correctly. A
++malicious or buggy certificate can result into segfault.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 9894ad821d..9baec8a9bc 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) {
+ STACK_OF(GENERAL_NAME) *gns;
+
+ dp = sk_DIST_POINT_value(dps, i);
++ if (dp->distpoint == NULL) {
++ /* Ignore empty DP value, CVE-2019-5010 */
++ continue;
++ }
+ gns = dp->distpoint->name.fullname;
+
+ for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
+--
+2.17.1
+
--- /dev/null
+Backported to 2.5.3
+
+From 74f94b3e6ebf15b76f3b357e754095412b006e94 Mon Sep 17 00:00:00 2001
+From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Fri, 8 Feb 2019 07:22:55 +0000
+Subject: [PATCH] configure.ac: check finite,isinf,isnan as macros first
+
+[ruby-core:91487] [Bug #15595]
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67036 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ aclocal.m4 | 1 +
+ configure.ac | 13 ++++---------
+ tool/m4/ruby_replace_funcs.m4 | 13 +++++++++++++
+ 3 files changed, 18 insertions(+), 9 deletions(-)
+ create mode 100644 tool/m4/ruby_replace_funcs.m4
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1189,9 +1189,6 @@ main()
+ ac_cv_func_fsync=yes
+ ac_cv_func_seekdir=yes
+ ac_cv_func_telldir=yes
+- ac_cv_func_isinf=yes
+- ac_cv_func_isnan=yes
+- ac_cv_func_finite=yes
+ ac_cv_func_lchown=yes
+ ac_cv_func_link=yes
+ ac_cv_func_readlink=yes
+@@ -1239,9 +1236,6 @@ main()
+ [netbsd*], [ LIBS="-lm $LIBS"
+ ],
+ [dragonfly*], [ LIBS="-lm $LIBS"
+- # isinf() and isnan() are macros on DragonFly.
+- ac_cv_func_isinf=yes
+- ac_cv_func_isnan=yes
+ ],
+ [aix*],[ LIBS="-lm $LIBS"
+ ac_cv_func_round=no
+@@ -2212,11 +2206,8 @@ AC_REPLACE_FUNCS(dup2)
+ AC_REPLACE_FUNCS(erf)
+ AC_REPLACE_FUNCS(explicit_bzero)
+ AC_REPLACE_FUNCS(ffs)
+-AC_REPLACE_FUNCS(finite)
+ AC_REPLACE_FUNCS(flock)
+ AC_REPLACE_FUNCS(hypot)
+-AC_REPLACE_FUNCS(isinf)
+-AC_REPLACE_FUNCS(isnan)
+ AC_REPLACE_FUNCS(lgamma_r)
+ AC_REPLACE_FUNCS(memmove)
+ AC_REPLACE_FUNCS(nextafter)
+@@ -2228,6 +2219,10 @@ AC_REPLACE_FUNCS(strlcpy)
+ AC_REPLACE_FUNCS(strstr)
+ AC_REPLACE_FUNCS(tgamma)
+
++RUBY_REPLACE_FUNC([finite], [@%:@include <math.h>])
++RUBY_REPLACE_FUNC([isinf], [@%:@include <math.h>])
++RUBY_REPLACE_FUNC([isnan], [@%:@include <math.h>])
++
+ # for missing/setproctitle.c
+ AS_CASE(["$target_os"],
+ [aix* | k*bsd*-gnu | kopensolaris*-gnu | linux* | darwin*], [AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)],
+--- /dev/null
++++ b/tool/m4/ruby_replace_funcs.m4
+@@ -0,0 +1,13 @@
++# -*- Autoconf -*-
++dnl RUBY_REPLACE_FUNC [func] [included]
++AC_DEFUN([RUBY_REPLACE_FUNC], [dnl
++ AC_CHECK_DECL([$1],dnl
++ [AC_DEFINE(AS_TR_CPP(HAVE_[$1]))],dnl
++ [AC_REPLACE_FUNCS($1)],dnl
++ [$2])dnl
++])
++
++dnl RUBY_REPLACE_FUNCS [funcs] [included]
++AC_DEFUN([RUBY_REPLACE_FUNCS] [dnl
++ m4_map_args_w([$1], [RUBY_REPLACE_FUNC(], [), [$2]])dnl
++])
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -44,3 +44,17 @@ AC_DEFUN([AC_MSG_RESULT], [dnl
+ { _AS_ECHO_LOG([result: $1])
+ COLORIZE_RESULT([$1]); dnl
+ }])
++
++# -*- Autoconf -*-
++dnl RUBY_REPLACE_FUNC [func] [included]
++AC_DEFUN([RUBY_REPLACE_FUNC], [dnl
++ AC_CHECK_DECL([$1],dnl
++ [AC_DEFINE(AS_TR_CPP(HAVE_[$1]))],dnl
++ [AC_REPLACE_FUNCS($1)],dnl
++ [$2])dnl
++])
++
++dnl RUBY_REPLACE_FUNCS [funcs] [included]
++AC_DEFUN([RUBY_REPLACE_FUNCS] [dnl
++ m4_map_args_w([$1], [RUBY_REPLACE_FUNC(], [), [$2]])dnl
++])
include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.8.17
-PKG_RELEASE:=2
+PKG_VERSION:=1.8.19
+PKG_RELEASE:=1
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=7b789b177875afdd5ddeff058e7efde73aa895dc2dcf728b464358635ae3948e
+PKG_HASH:=64f5fbfd4e09ffeaf26cb6667398ba780704a14e96e60000caa8bf69962ba734
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0
#!/bin/bash
CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
-BASE_TAG=v1.8.17
+BASE_TAG=v1.8.19
TMP_REPODIR=tmprepo
PATCHESDIR=patches
+++ /dev/null
-commit 6648ff0cccee04a6a0c0e64050151b5d6c5bac51
-Author: Jarno Huuskonen <jarno.huuskonen@uef.fi>
-Date: Fri Jan 4 14:05:02 2019 +0200
-
- DOC: http-request cache-use / http-response cache-store expects cache name
-
- Adds missing cache name option to http-request cache-use and
- http-response cache-store documentation.
-
- Also adds optional if/unless condition to
- 10.2.2. Proxy section: http-request cache-use / http-response cache-store
-
- (cherry picked from commit 251a6b72a8b6f0a4b167f6a2960e422d682aed80)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 5376f6af9239fdf8a79b6c912387de12e3c9d6cd)
- [wla: no http-request/response section in 1.8]
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 4f999e25..712e56e2 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -17157,13 +17157,13 @@ max-age <seconds>
- 10.2.2. Proxy section
- ---------------------
-
--http-request cache-use <name>
-+http-request cache-use <name> [ { if | unless } <condition> ]
- Try to deliver a cached object from the cache <name>. This directive is also
- mandatory to store the cache as it calculates the cache hash. If you want to
- use a condition for both storage and delivering that's a good idea to put it
- after this one.
-
--http-response cache-store <name>
-+http-response cache-store <name> [ { if | unless } <condition> ]
- Store an http-response within the cache. The storage of the response headers
- is done at this step, which means you can use others http-response actions
- to modify headers before or after the storage of the response. This action
--- /dev/null
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -39,6 +39,7 @@
+ #include <netdb.h>
+ #include <netinet/tcp.h>
+
++#include <openssl/bn.h>
+ #include <openssl/crypto.h>
+ #include <openssl/ssl.h>
+ #include <openssl/x509.h>
+@@ -60,6 +61,17 @@
+ #include <openssl/async.h>
+ #endif
+
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#define OpenSSL_version(x) SSLeay_version(x)
++#define OpenSSL_version_num SSLeay
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_getm_notBefore X509_get_notBefore
++#define X509_getm_notAfter X509_get_notAfter
++#endif
++
+ #include <import/lru.h>
+ #include <import/xxhash.h>
+
+@@ -217,7 +229,7 @@ static struct {
+ .capture_cipherlist = 0,
+ };
+
+-#ifdef USE_THREAD
++#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+
+ static HA_RWLOCK_T *ssl_rwlocks;
+
+@@ -1716,8 +1728,8 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
+ ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
+
+ /* Set duration for the certificate */
+- if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
+- !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
++ if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
++ !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
+ goto mkcert_error;
+
+ /* set public key in the certificate */
+@@ -6299,7 +6311,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
+ goto out;
+
+ smp_trash = get_trash_chunk();
+- if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
++ if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
+ goto out;
+
+ smp->data.u.str = *smp_trash;
+@@ -6399,7 +6411,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
+ goto out;
+
+ smp_trash = get_trash_chunk();
+- if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
++ if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
+ goto out;
+
+ smp->data.u.str = *smp_trash;
+@@ -8976,10 +8988,12 @@ static void __ssl_sock_init(void)
+ #endif
+
+ xprt_register(XPRT_SSL, &ssl_sock);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
++#endif
+ cm = SSL_COMP_get_compression_methods();
+ sk_SSL_COMP_zero(cm);
+-#ifdef USE_THREAD
++#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ ssl_locking_init();
+ #endif
+ #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+@@ -9008,8 +9022,8 @@ static void __ssl_sock_init(void)
+ #else /* OPENSSL_IS_BORINGSSL */
+ OPENSSL_VERSION_TEXT
+ "\nRunning on OpenSSL version : %s%s",
+- SSLeay_version(SSLEAY_VERSION),
+- ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS DIFFER!)" : "");
++ OpenSSL_version(OPENSSL_VERSION),
++ ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
+ #endif
+ memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+@@ -9100,12 +9114,14 @@ static void __ssl_sock_deinit(void)
+ }
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_remove_state(0);
+ ERR_free_strings();
+
+ EVP_cleanup();
++#endif
+
+-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
++#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_cleanup_all_ex_data();
+ #endif
+ }
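Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guards — around the `X509_getm_*` defines, `SSL_library_init()`, `ssl_locking_init()`, the `ERR_remove_state`/`ERR_free_strings`/`EVP_cleanup` block and `CRYPTO_cleanup_all_ex_data()` — test only the version number, whereas the existing check in this file at `OPENSSL_VERSION_NUMBER >= 0x1000200fL && ... !defined LIBRESSL_VERSION_NUMBER` also distinguishes LibreSSL. LibreSSL defines `OPENSSL_VERSION_NUMBER` as 0x20000000L, so under it every one of these pre-1.1 branches is compiled out, which is only correct if the LibreSSL release in use provides the 1.1-style API and auto-initialisation; if the feed ever builds haproxy against LibreSSL this needs confirming. Folding the condition into one macro (a constructed name, e.g. `#define SSL_PRE_1_1 (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))`, adjusted to whatever LibreSSL handling is decided) would keep the six guards consistent. The patched functions begin and end outside the hunks.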
+++ /dev/null
-commit a64e5574e40e3e0819c82e35a7e3d2fa65febc73
-Author: Willy Tarreau <w@1wt.eu>
-Date: Fri Jan 11 19:38:25 2019 +0100
-
- BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
-
- The cache uses the first 32 bits of the uri's hash as the key to reference
- the object in the cache. It makes a special case of the value zero to mean
- that the object is not in the cache anymore. The problem is that when an
- object hashes as zero, it's still inserted but the eb32_delete() call is
- skipped, resulting in the object still being chained in the memory area
- while the block has been reclaimed and used for something else. Then when
- objects which were chained below it (techically any object since zero is
- at the root) are deleted, the walk through the upper object may encounter
- corrupted values where valid pointers were expected.
-
- But while this should only happen statically once on 4 billion, the problem
- gets worse when the cache-use conditions don't match the cache-store ones,
- because cache-store runs with an uninitialized key, which can create objects
- that will never be found by the lookup code, or worse, entries with a zero
- key preventing eviction of the tree node and resulting in a crash. It's easy
- to accidently end up on such a config because the request rules generally
- can't be used to decide on the response :
-
- http-request cache-use cache if { path_beg /images }
- http-response cache-store cache
-
- In this test, mixing traffic with /images/$RANDOM and /foo/$RANDOM will
- result in random keys being inserted, some of them possibly being zero,
- and crashes will quickly happen.
-
- The fix consists in 1) always initializing the transaction's cache_hash
- to zero, and 2) never storing a response for which the hash has not been
- calculated, as indicated by the value zero.
-
- It is worth noting that objects hashing as value zero will never be cached,
- but given that there's only one chance among 4 billion that this happens,
- this is totally harmless.
-
- This fix must be backported to 1.9 and 1.8.
-
- (cherry picked from commit c9036c00044a8d81561113886ecec9a9ce71bd3b)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 5a6279fcc16da479304bcabc1705e8653f274337)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/cache.c b/src/cache.c
-index 667cede3..3d8ed241 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -400,7 +400,7 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
- struct cache *cache = (struct cache *)rule->arg.act.p[0];
- struct shared_context *shctx = shctx_ptr(cache);
- struct cache_entry *object;
--
-+ unsigned int key = *(unsigned int *)txn->cache_hash;
-
- /* Don't cache if the response came from a cache */
- if ((obj_type(s->target) == OBJ_TYPE_APPLET) &&
-@@ -420,6 +420,10 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
- if (txn->meth != HTTP_METH_GET)
- goto out;
-
-+ /* cache key was not computed */
-+ if (!key)
-+ goto out;
-+
- /* cache only 200 status code */
- if (txn->status != 200)
- goto out;
-@@ -478,7 +482,7 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
-
- cache_ctx->first_block = first;
-
-- object->eb.key = (*(unsigned int *)&txn->cache_hash);
-+ object->eb.key = key;
- memcpy(object->hash, txn->cache_hash, sizeof(object->hash));
- /* Insert the node later on caching success */
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 7e4a8351..29a1083a 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -8210,6 +8210,7 @@ void http_init_txn(struct stream *s)
-
- txn->flags = 0;
- txn->status = -1;
-+ *(unsigned int *)txn->cache_hash = 0;
-
- txn->cookie_first_date = 0;
- txn->cookie_last_date = 0;
+++ /dev/null
-commit 9f01534cd68de78c74b50d7b8def07a72c2a3b49
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Wed Jan 2 18:46:41 2019 +0100
-
- BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
-
- When using early data, disable the OpenSSL anti-replay protection, and set
- the max amount of early data we're ready to accept, based on the size of
- buffers, or early data won't work with the released OpenSSL 1.1.1.
-
- This should be backported to 1.8.
-
- (cherry picked from commit 51088ce68fee0bae52118d6823873417046f9efe)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 6703b633078b6bae12395ee3e310427b37965d68)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 24ccc4b1..11655533 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -3821,6 +3821,10 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
- SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
- #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-+ if (bind_conf->ssl_conf.early_data) {
-+ SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
-+ SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
-+ }
- SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
- #else
+++ /dev/null
-commit aca7e5aed7e036489ccc83d925103e94653b8670
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue Jan 8 15:35:32 2019 +0100
-
- DOC: Be a bit more explicit about allow-0rtt security implications.
-
- Document a bit better than allow-0rtt can trivially be used for replay attacks,
- and so should only be used when it's safe to replay a request.
-
- This should probably be backported to 1.8 and 1.9.
-
- (cherry picked from commit 69752964944ef9c8dc03477ee95bc7d149a72089)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit bb0df71201ad5b2d0cec514773d244275e5240df)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 712e56e2..72b769a4 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -10483,7 +10483,10 @@ accept-proxy
-
- allow-0rtt
- Allow receiving early data when using TLSv1.3. This is disabled by default,
-- due to security considerations.
-+ due to security considerations. Because it is vulnerable to replay attacks,
-+ you should only allow if for requests that are safe to replay, ie requests
-+ that are idempotent. You can use the "wait-for-handshake" action for any
-+ request that wouldn't be safe with early data.
-
- alpn <protocols>
- This enables the TLS ALPN extension and advertises the specified protocol
+++ /dev/null
-commit 30cd01cbfd40201f3abe246216a85c69352aa79c
-Author: Emeric Brun <ebrun@haproxy.com>
-Date: Thu Jan 10 10:51:13 2019 +0100
-
- BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
-
- This patch fixes missing allocation checks loading tls key file
- and avoid memory leak in some error cases.
-
- This patch should be backport on branches 1.9 and 1.8
-
- (cherry picked from commit 09852f70e0ed0f23cf9287b1ce55bb6a60112f32)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit a1dc55a63cfbc8f440b72b6def3957bf1fad12b2)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 11655533..7884c411 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -7627,15 +7627,36 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
- }
-
- keys_ref = malloc(sizeof(*keys_ref));
-+ if (!keys_ref) {
-+ if (err)
-+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
-+ return ERR_ALERT | ERR_FATAL;
-+ }
-+
- keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
-+ if (!keys_ref->tlskeys) {
-+ free(keys_ref);
-+ if (err)
-+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
-+ return ERR_ALERT | ERR_FATAL;
-+ }
-
- if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
-+ free(keys_ref->tlskeys);
-+ free(keys_ref);
- if (err)
- memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
- return ERR_ALERT | ERR_FATAL;
- }
-
- keys_ref->filename = strdup(args[cur_arg + 1]);
-+ if (!keys_ref->filename) {
-+ free(keys_ref->tlskeys);
-+ free(keys_ref);
-+ if (err)
-+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
-+ return ERR_ALERT | ERR_FATAL;
-+ }
-
- while (fgets(thisline, sizeof(thisline), f) != NULL) {
- int len = strlen(thisline);
-@@ -7647,6 +7668,9 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
- thisline[--len] = 0;
-
- if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
-+ free(keys_ref->filename);
-+ free(keys_ref->tlskeys);
-+ free(keys_ref);
- if (err)
- memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
- fclose(f);
-@@ -7656,6 +7680,9 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
- }
-
- if (i < TLS_TICKETS_NO) {
-+ free(keys_ref->filename);
-+ free(keys_ref->tlskeys);
-+ free(keys_ref);
- if (err)
- memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
- fclose(f);
+++ /dev/null
-commit 98f9549fa466e3b73a04f17dbc05fd88427c72f4
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Jan 14 15:17:46 2019 +0100
-
- BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
-
- At a few places in the code we used to rely on this variable to guess
- what LB algo was in place. This is wrong because if the defaults section
- presets "balance url_param foo" and a backend uses "balance roundrobin",
- these locations will still see this url_param_name set and consider it.
- The harm is limited, as this only causes the beginning of the request
- body to be buffered. And in general this is a bad practice which prevents
- us from cleaning the lbprm stuff. Let's explicitly check the LB algo
- instead.
-
- This may be backported to all currently maintained versions.
-
- (cherry picked from commit 089eaa0ba73913187e93d52c3ea34faa01fd8f9c)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 70d1744bb41daab4110071e4855504b6dc47bda9)
- [wla: no htx in 1.8]
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 29a1083a..5dc562ff 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3935,7 +3935,8 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
- * that parameter. This will be done in another analyser.
- */
- if (!(s->flags & (SF_ASSIGNED|SF_DIRECT)) &&
-- s->txn->meth == HTTP_METH_POST && s->be->url_param_name != NULL &&
-+ s->txn->meth == HTTP_METH_POST &&
-+ (s->be->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_PH &&
- (msg->flags & (HTTP_MSGF_CNT_LEN|HTTP_MSGF_TE_CHNK))) {
- channel_dont_connect(req);
- req->analysers |= AN_REQ_HTTP_BODY;
+++ /dev/null
-commit a5027f804144536f79829443b33e6c19c32b690a
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Jan 14 16:29:52 2019 +0100
-
- BUG/MINOR: backend: balance uri specific options were lost across defaults
-
- The "balance uri" options "whole", "len" and "depth" were not properly
- inherited from the defaults sections. In addition, "whole" and "len"
- were not even reset when parsing "uri", meaning that 2 subsequent
- "balance uri" statements would not have the expected effect as the
- options from the first one would remain for the second one.
-
- This may be backported to all maintained versions.
-
- (cherry picked from commit 602a499da5e81d6b4cfe8410f0fc6d53c1e06745)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit f00758fde5961e3bebc508852faeee4d9d80b0e0)
- [wla: cfg_parse_listen() is still in cfgparse.c in 1.8]
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/backend.c b/src/backend.c
-index 87327f19..4c4044a6 100644
---- a/src/backend.c
-+++ b/src/backend.c
-@@ -1516,6 +1516,8 @@ int backend_parse_balance(const char **args, char **err, struct proxy *curproxy)
- curproxy->lbprm.algo |= BE_LB_ALGO_UH;
-
- curproxy->uri_whole = 0;
-+ curproxy->uri_len_limit = 0;
-+ curproxy->uri_dirs_depth1 = 0;
-
- while (*args[arg]) {
- if (!strcmp(args[arg], "len")) {
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 94f29637..91bb802e 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -2844,7 +2844,10 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
-
- if (defproxy.url_param_name)
- curproxy->url_param_name = strdup(defproxy.url_param_name);
-- curproxy->url_param_len = defproxy.url_param_len;
-+ curproxy->url_param_len = defproxy.url_param_len;
-+ curproxy->uri_whole = defproxy.uri_whole;
-+ curproxy->uri_len_limit = defproxy.uri_len_limit;
-+ curproxy->uri_dirs_depth1 = defproxy.uri_dirs_depth1;
-
- if (defproxy.hh_name)
- curproxy->hh_name = strdup(defproxy.hh_name);
+++ /dev/null
-commit 7c6a6149a91d2e240a5a63f981c5d07d681df725
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Jan 14 17:07:39 2019 +0100
-
- BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
-
- There are a few instances where the lookup algo is tested against
- BE_LB_LKUP_CHTREE using a binary "AND" operation while this macro
- is a value among a set, and not a bit. The test happens to work
- because the value is exactly 4 and no bit overlaps with the other
- possible values but this is a latent bug waiting for a new LB algo
- to appear to strike. At the moment the only other algo sharing a bit
- with it is the "first" algo which is never supported in the same code
- places.
-
- This fix should be backported to maintained versions for safety if it
- passes easily, otherwise it's not important as it will not fix any
- visible issue.
-
- (cherry picked from commit 6c30be52da3d949a8dd6fb5e2de7319c031e656e)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 48147c424680b7e887fb176662d58d87baa16098)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/backend.c b/src/backend.c
-index 4c4044a6..0cf14cfd 100644
---- a/src/backend.c
-+++ b/src/backend.c
-@@ -183,7 +183,7 @@ static struct server *get_server_sh(struct proxy *px, const char *addr, int len,
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- h = full_hash(h);
- hash_done:
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, h, avoid);
- else
- return map_get_server_hash(px, h);
-@@ -236,7 +236,7 @@ static struct server *get_server_uh(struct proxy *px, char *uri, int uri_len, co
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- hash = full_hash(hash);
- hash_done:
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, hash, avoid);
- else
- return map_get_server_hash(px, hash);
-@@ -293,7 +293,7 @@ static struct server *get_server_ph(struct proxy *px, const char *uri, int uri_l
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- hash = full_hash(hash);
-
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, hash, avoid);
- else
- return map_get_server_hash(px, hash);
-@@ -367,7 +367,7 @@ static struct server *get_server_ph_post(struct stream *s, const struct server *
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- hash = full_hash(hash);
-
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, hash, avoid);
- else
- return map_get_server_hash(px, hash);
-@@ -463,7 +463,7 @@ static struct server *get_server_hh(struct stream *s, const struct server *avoid
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- hash = full_hash(hash);
- hash_done:
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, hash, avoid);
- else
- return map_get_server_hash(px, hash);
-@@ -507,7 +507,7 @@ static struct server *get_server_rch(struct stream *s, const struct server *avoi
- if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
- hash = full_hash(hash);
- hash_done:
-- if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- return chash_get_server_hash(px, hash, avoid);
- else
- return map_get_server_hash(px, hash);
-@@ -615,7 +615,7 @@ int assign_server(struct stream *s)
- case BE_LB_LKUP_CHTREE:
- case BE_LB_LKUP_MAP:
- if ((s->be->lbprm.algo & BE_LB_KIND) == BE_LB_KIND_RR) {
-- if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((s->be->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- srv = chash_get_next_server(s->be, prev_srv);
- else
- srv = map_get_server_rr(s->be, prev_srv);
-@@ -691,7 +691,7 @@ int assign_server(struct stream *s)
- * back to round robin on the map.
- */
- if (!srv) {
-- if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
-+ if ((s->be->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
- srv = chash_get_next_server(s->be, prev_srv);
- else
- srv = map_get_server_rr(s->be, prev_srv);
+++ /dev/null
-commit 93b3994091b5bd17b43c9d91ecae470d33157e25
-Author: Tim Duesterhus <tim@bastelstu.be>
-Date: Fri Jan 4 00:11:59 2019 +0100
-
- BUG/MINOR: stick_table: Prevent conn_cur from underflowing
-
- When using the peers feature a race condition could prevent
- a connection from being properly counted. When this connection
- exits it is being "uncounted" nonetheless, leading to a possible
- underflow (-1) of the conn_curr stick table entry in the following
- scenario :
-
- - Connect to peer A (A=1, B=0)
- - Peer A sends 1 to B (A=1, B=1)
- - Kill connection to A (A=0, B=1)
- - Connect to peer B (A=0, B=2)
- - Peer A sends 0 to B (A=0, B=0)
- - Peer B sends 0/2 to A (A=?, B=0)
- - Kill connection to B (A=?, B=-1)
- - Peer B sends -1 to A (A=-1, B=-1)
-
- This fix may be backported to all supported branches.
-
- (cherry picked from commit 8b87c01c4d59247d9fb51a38cd12d5d94324b6a4)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 4ceecc8a4ee6f46f20c7729056e14af5a8757121)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/include/proto/session.h b/include/proto/session.h
-index f48c0d4f..7265f5a7 100644
---- a/include/proto/session.h
-+++ b/include/proto/session.h
-@@ -59,7 +59,8 @@ static inline void session_store_counters(struct session *sess)
- if (ptr) {
- HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
-
-- stktable_data_cast(ptr, conn_cur)--;
-+ if (stktable_data_cast(ptr, conn_cur) > 0)
-+ stktable_data_cast(ptr, conn_cur)--;
-
- HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
-
-diff --git a/include/proto/stream.h b/include/proto/stream.h
-index 8521957e..c9bcac37 100644
---- a/include/proto/stream.h
-+++ b/include/proto/stream.h
-@@ -104,7 +104,8 @@ static inline void stream_store_counters(struct stream *s)
- if (ptr) {
- HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
-
-- stktable_data_cast(ptr, conn_cur)--;
-+ if (stktable_data_cast(ptr, conn_cur) > 0)
-+ stktable_data_cast(ptr, conn_cur)--;
-
- HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
-
-@@ -142,7 +143,8 @@ static inline void stream_stop_content_counters(struct stream *s)
- if (ptr) {
- HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
-
-- stktable_data_cast(ptr, conn_cur)--;
-+ if (stktable_data_cast(ptr, conn_cur) > 0)
-+ stktable_data_cast(ptr, conn_cur)--;
-
- HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
-
+++ /dev/null
-commit 1c95076d881b7508a8d0819b1cfd642e364b255c
-Author: Jérôme Magnin <jmagnin@haproxy.com>
-Date: Sun Jan 20 11:27:40 2019 +0100
-
- BUG/MINOR: server: don't always trust srv_check_health when loading a server state
-
- When we load health values from a server state file, make sure what we assign
- to srv->check.health actually matches the state we restore.
-
- This should be backported as far as 1.6.
-
- (cherry picked from commit f57afa453a685cfd92b7a27ef6e6035cb384ff57)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 75455a0b78ce4ac723698df26c014b38467843b1)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/server.c b/src/server.c
-index a86db3db..28414780 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -2843,16 +2843,37 @@ static void srv_update_state(struct server *srv, int version, char **params)
- HA_SPIN_LOCK(SERVER_LOCK, &srv->lock);
- /* recover operational state and apply it to this server
- * and all servers tracking this one */
-+ srv->check.health = srv_check_health;
- switch (srv_op_state) {
- case SRV_ST_STOPPED:
- srv->check.health = 0;
- srv_set_stopped(srv, "changed from server-state after a reload", NULL);
- break;
- case SRV_ST_STARTING:
-+ /* If rise == 1 there is no STARTING state, let's switch to
-+ * RUNNING
-+ */
-+ if (srv->check.rise == 1) {
-+ srv->check.health = srv->check.rise + srv->check.fall - 1;
-+ srv_set_running(srv, "", NULL);
-+ break;
-+ }
-+ if (srv->check.health < 1 || srv->check.health >= srv->check.rise)
-+ srv->check.health = srv->check.rise - 1;
- srv->next_state = srv_op_state;
- break;
- case SRV_ST_STOPPING:
-- srv->check.health = srv->check.rise + srv->check.fall - 1;
-+ /* If fall == 1 there is no STOPPING state, let's switch to
-+ * STOPPED
-+ */
-+ if (srv->check.fall == 1) {
-+ srv->check.health = 0;
-+ srv_set_stopped(srv, "changed from server-state after a reload", NULL);
-+ break;
-+ }
-+ if (srv->check.health < srv->check.rise ||
-+ srv->check.health > srv->check.rise + srv->check.fall - 2)
-+ srv->check.health = srv->check.rise;
- srv_set_stopping(srv, "changed from server-state after a reload", NULL);
- break;
- case SRV_ST_RUNNING:
-@@ -2906,7 +2927,6 @@ static void srv_update_state(struct server *srv, int version, char **params)
- srv->last_change = date.tv_sec - srv_last_time_change;
- srv->check.status = srv_check_status;
- srv->check.result = srv_check_result;
-- srv->check.health = srv_check_health;
-
- /* Only case we want to apply is removing ENABLED flag which could have been
- * done by the "disable health" command over the stats socket
+++ /dev/null
-commit 7a74ffef9f356304b46ab862858cead85d451b5f
-Author: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon Jan 21 14:15:50 2019 +0100
-
- BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
-
- With tcp-check, the result of the check is set by the function tcpcheck_main()
- from the I/O layer. So it is important to wake up the check task to handle the
- result and finish the check. Otherwise, we will wait the task timeout to handle
- the result of a tcp-check, delaying the next check by as much.
-
- This patch also fixes a problem about email alerts reported by PiBa-NL (Pieter)
- on the ML [1] on all versions since the 1.6. So this patch must be backported
- from 1.9 to 1.6.
-
- [1] https://www.mail-archive.com/haproxy@formilux.org/msg32190.html
-
- (cherry picked from commit 774c486cece942570b6a9d16afe236a16ee12079)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 3722dfbbfadf8f83f82feb3e67fbe482a5c94840)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/checks.c b/src/checks.c
-index 74958b2d..e04f1146 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1403,12 +1403,13 @@ static int wake_srv_chk(struct conn_stream *cs)
- }
-
- if (check->result != CHK_RES_UNKNOWN) {
-- /* We're here because nobody wants to handle the error, so we
-- * sure want to abort the hard way.
-- */
-+ /* Check complete or aborted. If connection not yet closed do it
-+ * now and wake the check task up to be sure the result is
-+ * handled ASAP. */
- conn_sock_drain(conn);
- cs_close(cs);
- ret = -1;
-+ task_wakeup(check->task, TASK_WOKEN_IO);
- }
-
- HA_SPIN_UNLOCK(SERVER_LOCK, &check->server->lock);
+++ /dev/null
-commit b68a427a236e7b9b0cf8b1c4a5360d960cdf9458
-Author: Dirkjan Bussink <d.bussink@gmail.com>
-Date: Mon Jan 21 09:35:03 2019 -0800
-
- BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
-
- In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback
- that is used to verify renegotiation is disabled. This means that these
- KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is
- available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS
- 1.2 and earlier negotiation.
-
- So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having
- a manual check, trust OpenSSL and disable the check. This means that TLS
- 1.3 KeyUpdate messages will work properly.
-
- Reported-By: Adam Langley <agl@imperialviolet.org>
- (cherry picked from commit 526894ff3925d272c13e57926aa6b5d9d8ed5ee3)
- [wt: gh issue #24; Needs to be backported till 1.8]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 062c5a190d50c4aa9c5bde88c8c5c85c5f15fc7b)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 7884c411..7736c324 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -1406,6 +1406,10 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
- BIO *write_bio;
- (void)ret; /* shut gcc stupid warning */
-
-+#ifndef SSL_OP_NO_RENEGOTIATION
-+ /* Please note that BoringSSL defines this macro to zero so don't
-+ * change this to #if and do not assign a default value to this macro!
-+ */
- if (where & SSL_CB_HANDSHAKE_START) {
- /* Disable renegotiation (CVE-2009-3555) */
- if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) {
-@@ -1413,6 +1417,7 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
- conn->err_code = CO_ER_SSL_RENEG;
- }
- }
-+#endif
-
- if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
- if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
-@@ -3806,6 +3811,11 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
- options |= SSL_OP_NO_TICKET;
- if (bind_conf->ssl_options & BC_SSL_O_PREF_CLIE_CIPH)
- options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
-+
-+#ifdef SSL_OP_NO_RENEGOTIATION
-+ options |= SSL_OP_NO_RENEGOTIATION;
-+#endif
-+
- SSL_CTX_set_options(ctx, options);
-
- #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+++ /dev/null
-commit 2e405726a0c6be6617905522bde9038f75e623c4
-Author: Willy Tarreau <w@1wt.eu>
-Date: Wed Jan 23 10:02:15 2019 +0100
-
- DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
-
- On rare occasions the logs may report inverted src/dst when using
- conntrack with this sysctl. Add a mention for it in the doc. More
- info here :
-
- https://www.spinics.net/lists/netdev/msg544878.html
-
- (cherry picked from commit 64ded3db2c686bad582cf9bb9fcabf21cb4becb7)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
- (cherry picked from commit 037f9ac4a2cc4b344859af1cff7b30d5ecabe9e0)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 72b769a4..bc8ae4f8 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -13822,7 +13822,12 @@ dst : ip
- which is the address the client connected to. It can be useful when running
- in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
- On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
-- RFC 4291.
-+ RFC 4291. When the incoming connection passed through address translation or
-+ redirection involving connection tracking, the original destination address
-+ before the redirection will be reported. On Linux systems, the source and
-+ destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
-+ is set, because a late response may reopen a timed out connection and switch
-+ what is believed to be the source and the destination.
-
- dst_conn : integer
- Returns an integer value corresponding to the number of currently established
-@@ -14127,7 +14132,13 @@ src : ip
- behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
- directive is used, it can be the address of a client behind another
- PROXY-protocol compatible component for all rule sets except
-- "tcp-request connection" which sees the real address.
-+ "tcp-request connection" which sees the real address. When the incoming
-+ connection passed through address translation or redirection involving
-+ connection tracking, the original destination address before the redirection
-+ will be reported. On Linux systems, the source and destination may seldom
-+ appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
-+ response may reopen a timed out connection and switch what is believed to be
-+ the source and the destination.
-
- Example:
- # add an HTTP header in requests with the originating address' country
+++ /dev/null
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -39,6 +39,7 @@
- #include <netdb.h>
- #include <netinet/tcp.h>
-
-+#include <openssl/bn.h>
- #include <openssl/crypto.h>
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
-@@ -60,6 +61,17 @@
- #include <openssl/async.h>
- #endif
-
-+#ifndef OPENSSL_VERSION
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#define OpenSSL_version(x) SSLeay_version(x)
-+#define OpenSSL_version_num SSLeay
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define X509_getm_notBefore X509_get_notBefore
-+#define X509_getm_notAfter X509_get_notAfter
-+#endif
-+
- #include <import/lru.h>
- #include <import/xxhash.h>
-
-@@ -217,7 +229,7 @@ static struct {
- .capture_cipherlist = 0,
- };
-
--#ifdef USE_THREAD
-+#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
-
- static HA_RWLOCK_T *ssl_rwlocks;
-
-@@ -1716,8 +1728,8 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
- ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
-
- /* Set duration for the certificate */
-- if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
-- !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
-+ if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
-+ !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
- goto mkcert_error;
-
- /* set public key in the certificate */
-@@ -6299,7 +6311,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
- goto out;
-
- smp_trash = get_trash_chunk();
-- if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
-+ if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
- goto out;
-
- smp->data.u.str = *smp_trash;
-@@ -6399,7 +6411,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
- goto out;
-
- smp_trash = get_trash_chunk();
-- if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
-+ if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
- goto out;
-
- smp->data.u.str = *smp_trash;
-@@ -8976,10 +8988,12 @@ static void __ssl_sock_init(void)
- #endif
-
- xprt_register(XPRT_SSL, &ssl_sock);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_library_init();
-+#endif
- cm = SSL_COMP_get_compression_methods();
- sk_SSL_COMP_zero(cm);
--#ifdef USE_THREAD
-+#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
- ssl_locking_init();
- #endif
- #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-@@ -9008,8 +9022,8 @@ static void __ssl_sock_init(void)
- #else /* OPENSSL_IS_BORINGSSL */
- OPENSSL_VERSION_TEXT
- "\nRunning on OpenSSL version : %s%s",
-- SSLeay_version(SSLEAY_VERSION),
-- ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS DIFFER!)" : "");
-+ OpenSSL_version(OPENSSL_VERSION),
-+ ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
- #endif
- memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
- #if OPENSSL_VERSION_NUMBER < 0x00907000L
-@@ -9100,12 +9114,14 @@ static void __ssl_sock_deinit(void)
- }
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- ERR_remove_state(0);
- ERR_free_strings();
-
- EVP_cleanup();
-+#endif
-
--#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-+#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_cleanup_all_ex_data();
- #endif
- }
PKG_NAME:=iotivity
PKG_VERSION:=1.2.1
-PKG_RELEASE=1
+PKG_RELEASE:=2
PKG_SOURCE:=${PKG_NAME}-${PKG_VERSION}.tar.gz
PKG_SOURCE_URL:=http://mirrors.kernel.org/${PKG_NAME}/${PKG_VERSION}/
--- /dev/null
+From 26c2798188497da22e0a70efebc47991dd755db2 Mon Sep 17 00:00:00 2001
+From: Philippe Coval <philippe.coval@osg.samsung.com>
+Date: Wed, 28 Jun 2017 04:54:05 +0200
+Subject: [PATCH] resource: Include functional header for g++-7.1.0
+
+It was tested on yocto poky master on iotivity-1.2.1 (and later):
+
+ resource/include/OCUtilities.h: \
+ In function 'OCStackResult OC::nil_guard(PtrT&&, FnT&&, ParamTs&& ...)':
+ resource/include/OCUtilities.h:85:21: \
+ error: 'bind' is not a member of 'std'
+ return std::bind(fn, p, std::ref(params)...)();
+
+ resource/include/OCApi.h: At global scope:
+ resource/include/OCApi.h:362:18: \
+ error: 'function' in namespace 'std' does not name a template type
+ typedef std::function<void(std::shared_ptr<OCResource>)> FindCallback;
+
+Change-Id: Ie1cab497c33fde394f77490a1d636eb36a563396
+Origin: https://gerrit.iotivity.org/gerrit/#/c/21069/
+Signed-off-by: Philippe Coval <philippe.coval@osg.samsung.com>
+Reviewed-on: https://gerrit.iotivity.org/gerrit/21067
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+Tested-by: jenkins-iotivity <jenkins@iotivity.org>
+---
+ resource/include/OCApi.h | 2 --
+ resource/include/OCUtilities.h | 1 +
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/resource/include/OCApi.h b/resource/include/OCApi.h
+index 4e14f29cc..af9721554 100644
+--- a/resource/include/OCApi.h
++++ b/resource/include/OCApi.h
+@@ -27,9 +27,7 @@
+ #include <map>
+ #include <memory>
+ #include <iterator>
+-#if defined(_MSC_VER)
+ #include <functional>
+-#endif
+
+ #include "octypes.h"
+ #include "OCHeaderOption.h"
+diff --git a/resource/include/OCUtilities.h b/resource/include/OCUtilities.h
+index 85039d0c1..f1c93045f 100644
+--- a/resource/include/OCUtilities.h
++++ b/resource/include/OCUtilities.h
+@@ -26,6 +26,7 @@
+ #include <memory>
+ #include <utility>
+ #include <exception>
++#include <functional>
+
+ #include <OCException.h>
+ #include <StringConstants.h>
+--
+2.17.1
+
include $(TOPDIR)/rules.mk
PKG_NAME:=irssi
-PKG_VERSION:=1.1.2
+PKG_VERSION:=1.2.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://github.com/irssi/irssi/releases/download/1.1.2/
-PKG_HASH:=5ccc2b89a394e91bea0aa83a951c3b1d471c76da87b4169ec435530a31bf9732
+PKG_SOURCE_URL:=https://github.com/irssi/irssi/releases/download/1.2.0/
+PKG_HASH:=1643fca1d8b35e5a5d7b715c9c889e1e9cdb7e578e06487901ea959e6ab3ebe5
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
PKG_NAME:=openssh
PKG_VERSION:=7.9p1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
--- /dev/null
+From 11b88754cadcad0ba79b4ffcc127223248dccb54 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: upstream: Sanitize scp filenames via snmprintf. To do this we move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too. bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+
+CVE-2019-6109
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
+Bug-Debian: https://bugs.debian.org/793412
+Last-Update: 2019-02-08
+
+Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
+---
+ atomicio.c | 20 ++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++---------------------------
+ progressmeter.h | 3 ++-
+ scp.c | 1 +
+ sftp-client.c | 16 ++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06f5..d91bd7621 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ res = (f) (fd, iov, iovcnt);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52e4..add462dde 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -31,6 +31,7 @@
+
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+
+ static double start; /* start progress */
+ static double last_update; /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ static int win_size; /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+
+ /* units for format_size */
+ static const char unit[] = " KMGT";
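Review bot: `alarm_fired` is the only variable in this block without a trailing comment, and its lifecycle (set in the handler, consumed and cleared by refresh_progress_meter) is not obvious from the declaration. I would document it like its siblings: `static volatile sig_atomic_t alarm_fired; /* set by sig_alarm(), cleared by refresh_progress_meter() */`.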
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+ off_t bytes_left;
+ int cur_speed;
+ int hours, minutes, seconds;
+- int i, len;
+ int file_len;
+
++ if ((!alarm_fired && !win_resized) || !can_output())
++ return;
++ alarm_fired = 0;
++
++ if (win_resized) {
++ setscreensize();
++ win_resized = 0;
++ }
++
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+ now = monotime_double();
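Review bot: refresh_progress_meter's new early return changes its contract — it is now meant to be called from ordinary code on every I/O callback and draws only when a SIGALRM or SIGWINCH has been flagged — but nothing in the hunk says so. I would put a comment above the guard: `/* Called from the I/O callbacks, not from signal context; redraw only when sig_alarm() or sig_winch() has flagged a pending update. */`. The read of `alarm_fired` and the store that clears it are not atomic with respect to the handler, so an alarm landing between them is dropped; that only postpones the next redraw by one interval, so noting it in the same comment seems adequate. The function's signature and the rest of its body are outside the hunk.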
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+
+ /* filename */
+ buf[0] = '\0';
+- file_len = win_size - 35;
++ file_len = win_size - 36;
+ if (file_len > 0) {
+- len = snprintf(buf, file_len + 1, "\r%s", file);
+- if (len < 0)
+- len = 0;
+- if (len >= file_len + 1)
+- len = file_len;
+- for (i = len; i < file_len; i++)
+- buf[i] = ' ';
+- buf[file_len] = '\0';
++ buf[0] = '\r';
++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++ file_len * -1, file);
+ }
+
+ /* percent of transfer done */
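Review bot: The snmprintf call has a stray space before the comma in `sizeof(buf)-1 ,` and spells the negative width as `file_len * -1`; I would write `snmprintf(buf + 1, sizeof(buf) - 1, &file_len, "%*s", -file_len, file);`. The switch from snprintf to snmprintf is the substantive part of this hunk and deserves a why-comment, since `file` presumably originates from the remote side; until someone checks utf8.c I would phrase it as `/* snmprintf (utf8.h) measures width in display columns and sanitizes non-printable characters — TODO confirm */`. refresh_progress_meter starts and ends outside this hunk.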
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+- int save_errno;
+-
+- save_errno = errno;
+-
+- if (win_resized) {
+- setscreensize();
+- win_resized = 0;
+- }
+- if (can_output())
+- refresh_progress_meter();
+-
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
++ alarm_fired = 1;
+ alarm(UPDATE_INTERVAL);
+- errno = save_errno;
+ }
+
+ void
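Review bot: sig_alarm drops the errno save/restore that update_progress_meter had, yet still calls `signal()` and `alarm()` from handler context; if either sets errno, the interrupted `read`/`write` in atomicio sees a value other than EINTR and the transfer fails instead of retrying. I would keep the first and last lines of the old handler: `int save_errno = errno;` before `signal(SIGALRM, sig_alarm);` and `errno = save_errno;` after `alarm(UPDATE_INTERVAL);`. The sig_winch hunk further down gains the same `signal()` call and needs the same guard.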
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- if (can_output())
+- refresh_progress_meter();
++ refresh_progress_meter();
+
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+ alarm(UPDATE_INTERVAL);
+ }
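Review bot: The unconditional `refresh_progress_meter()` call here no longer draws anything on the first call, because the guard added to refresh_progress_meter returns early while `alarm_fired` and `win_resized` are both still zero; unless something earlier in start_progress_meter (outside the hunk) sets one of them, the meter first appears only after the first UPDATE_INTERVAL alarm, whereas the old code drew immediately when output was possible. The cheapest fix is `alarm_fired = 1; /* force the initial draw */` on the line before the call. Adding a `force` parameter to refresh_progress_meter would be cleaner but touches the header and every caller.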
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++ signal(SIGWINCH, sig_winch);
+ win_resized = 1;
+ }
+
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dca6..8f6678060 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,4 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
++void refresh_progress_meter(void);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 7163d33dc..80308573c 100644
+--- a/scp.c
++++ b/scp.c
+@@ -593,6 +593,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
++ refresh_progress_meter();
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
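Review bot: scpio now runs the progress refresh before the bandwidth limiter and is also reached with `s == 0` from the new EINTR path in atomicio, so `*cnt += 0` and `bandwidth_limit(&bwlimit, 0)` must both be harmless — the first plainly is, the second I cannot confirm from here. A comment would save the next reader the trace: `/* Also called with s == 0 after EINTR (see atomicio.c); refresh first so the meter updates even while rate limiting sleeps. */`. The sftpio hunk in sftp-client.c below has the same zero-byte path.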
+diff --git a/sftp-client.c b/sftp-client.c
+index 4986d6d8d..2bc698f86 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- bandwidth_limit(bwlimit, amount);
++ refresh_progress_meter();
++ if (bwlimit != NULL)
++ bandwidth_limit(bwlimit, amount);
+ return 0;
+ }
+
+@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+ iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+ iov[1].iov_len = sshbuf_len(m);
+
+- if (atomiciov6(writev, conn->fd_out, iov, 2,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+ sshbuf_len(m) + sizeof(mlen))
+ fatal("Couldn't send packet: %s", strerror(errno));
+
+@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, 4,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+ if (errno == EPIPE || errno == ECONNRESET)
+ fatal("Connection closed");
+ else
+@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, msg_len,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+ != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
--- /dev/null
+From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+CVE-2019-6111
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
+Last-Update: 2019-02-08
+
+Patch-Name: check-filenames-in-scp-client.patch
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b2d..397e77091 100644
+--- a/scp.1
++++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
++.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 1971c80cd..035037bcc 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -383,14 +384,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+ #define CMDNEEDS 64
+ char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
+
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -429,8 +430,9 @@ main(int argc, char **argv)
+ addargs(&args, "-oRemoteCommand=none");
+ addargs(&args, "-oRequestTTY=no");
+
+- fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++ fflag = Tflag = tflag = 0;
++ while ((ch = getopt(argc, argv,
++ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -509,9 +511,13 @@ main(int argc, char **argv)
+ setmode(0, O_BINARY);
+ #endif
+ break;
++ case 'T':
++ Tflag = 1;
++ break;
+ default:
+ usage();
+ }
++ }
+ argc -= optind;
+ argv += optind;
+
+@@ -542,7 +548,7 @@ main(int argc, char **argv)
+ }
+ if (tflag) {
+ /* Receive data. */
+- sink(argc, argv);
++ sink(argc, argv, NULL);
+ exit(errs != 0);
+ }
+ if (argc < 2)
+@@ -800,7 +806,7 @@ tolocal(int argc, char **argv)
+ continue;
+ }
+ free(bp);
+- sink(1, argv + argc - 1);
++ sink(1, argv + argc - 1, src);
+ (void) close(remin);
+ remin = remout = -1;
+ }
+@@ -976,7 +982,7 @@ rsource(char *name, struct stat *statp)
+ (sizeof(type) != 4 && sizeof(type) != 8))
+
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ static BUF buffer;
+ struct stat stb;
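Review bot: sink gains a third parameter that nothing documents; a reader has to reach the restriction block further down to learn that `src` is the requested remote source path used to filter incoming filenames. I would add above the definition: `/* src: remote source as given on the command line (used to restrict the filenames the server may send), or NULL when no restriction applies. */`, and the same sentence at the prototype in the earlier hunk. Exactly what tolocal passes as `src` is outside this diff, so the wording should be checked against it.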
+@@ -992,6 +998,7 @@ sink(int argc, char **argv)
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -1016,6 +1023,17 @@ sink(int argc, char **argv)
+ (void) atomicio(vwrite, remout, "", 1);
+ if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ targisdir = 1;
++ if (src != NULL && !iamrecursive && !Tflag) {
++ /*
++ * Prepare to try to restrict incoming filenames to match
++ * the requested destination file glob.
++ */
++ if ((src_copy = strdup(src)) == NULL)
++ fatal("strdup failed");
++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++ *restrict_pattern++ = '\0';
++ }
++ }
+ for (first = 1;; first = 0) {
+ cp = buf;
+ if (atomicio(read, remin, cp, 1) != 1)
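Review bot: `restrict_pattern` is only set when `src_copy` contains a '/', so a source spec without a directory component — if `src` can be a bare pattern, which depends on tolocal's derivation outside this diff — leaves it NULL and the new fnmatch check is never applied, which is precisely the case the commit message says it protects. An `else restrict_pattern = src_copy;` after the strrchr branch closes that gap. Separately, `src_copy` is never freed on any path visible here; since sink runs once per source argument, `free(src_copy)` belongs at the function's exit points, which lie outside this hunk. sink's body continues past the hunk.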
+@@ -1120,6 +1138,9 @@ sink(int argc, char **argv)
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
++ if (restrict_pattern != NULL &&
++ fnmatch(restrict_pattern, cp, 0) != 0)
++ SCREWUP("filename does not match request");
+ if (targisdir) {
+ static char *namebuf;
+ static size_t cursize;
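Review bot: `fnmatch(restrict_pattern, cp, 0)` passes no flags, so `*` and `?` also match a leading '.', i.e. a request for `*` accepts dotfiles that the user's shell would typically not have expanded. That is a defensible policy choice — the commit message already accepts divergence from shell rules — but it should be stated at the call, e.g. `/* flags 0: deliberately looser than the shell (a leading '.' is not special); FNM_PERIOD would tighten this, -T disables the check */`. Reporting the mismatch through SCREWUP aborts the whole transfer as a protocol error, which is the right failure mode for an untrusted peer. sink continues outside the hunk.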
+@@ -1157,7 +1178,7 @@ sink(int argc, char **argv)
+ goto bad;
+ }
+ vect[0] = xstrdup(np);
+- sink(1, vect);
++ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+ if (utimes(vect[0], tv) < 0)
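Review bot: The `src` forwarded to the recursive sink call is, as far as the diff shows, never used for restriction: the restriction block earlier in sink is skipped when `iamrecursive` is set, and this call site appears to be the directory-entry branch that only runs in recursive mode (its start is outside the hunk). The check therefore covers only non-recursive copies, which the new scp.1 text does not say. Passing `src` is harmless, but a comment here — `/* src is unused in recursive mode: filename restriction only applies to non-recursive copies */` — or a sentence in scp.1 would keep readers from assuming `-r` transfers are checked.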
#
PKG_NAME:=shadowsocks-libev
PKG_VERSION:=3.2.3
-PKG_RELEASE:=3
+PKG_RELEASE:=6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
local args
[ -x "$bin" ] || return 1
+ "$bin" -f
+ "$bin" -6 -f
+
config_get cfgtype "$cfg" TYPE
[ "$cfgtype" = ss_rules ] || return 1
eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
validate_ss_rules_section "$cfg" || return 1
- [ "$disabled" = 0 ] || return 1
+ [ "$disabled" = 0 ] || return 0
eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
}
if [ "$1" = "-6" ]; then
- if ! ip6tables -t nat -L -n >/dev/null; then
- __errmsg "Skipping ipv6. Please install ip6tables-mod-nat"
+ if ! ip6tables -t nat -L -n &>/dev/null; then
+ __errmsg "Skipping ipv6. Requires ip6tables-mod-nat"
exit 1
fi
o_use_ipv6=1; shift
:ss_rules_local_out -
-I OUTPUT 1 -p tcp -j ss_rules_local_out
-A ss_rules_local_out -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
- -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+ -A ss_rules_local_out $o_ipt_extra -j $local_target
COMMIT
EOF
}
:ss_rules_forward -
$(ss_rules_iptchains_mkprerules "$proto")
-A ss_rules_pre_src -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
- -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
+ -A ss_rules_pre_src $o_ipt_extra -j ss_rules_src
-A ss_rules_src -m set --match-set ss_rules${o_af}_src_bypass src -j RETURN
-A ss_rules_src -m set --match-set ss_rules${o_af}_src_forward src -j ss_rules_forward
-A ss_rules_src -m set --match-set ss_rules${o_af}_src_checkdst src -j ss_rules_dst
- -A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+ -A ss_rules_src -j $src_default_target
-A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_bypass dst -j RETURN
-A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward dst -j ss_rules_forward
$recentrst_addset_rules
- -A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+ -A ss_rules_dst -j $dst_default_target
$forward_rules
COMMIT
$recentrst_mangle_rules
include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
-PKG_VERSION:=1.8.3
-PKG_RELEASE:=2
+PKG_VERSION:=1.9.0
+PKG_RELEASE:=1
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_HASH:=2b692b8311edfad41e7d0380aac34576060d4176add81dc5db419c79b2a4cecc
+PKG_HASH:=415af94b8392bc6b2c52e44ac8f17935cc6ddf2cc81edfb47c5be4ad205ab917
PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf
+++ /dev/null
-From 023411f97505c8c7e375112ad853b6a40ef848a6 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 12 Dec 2018 16:03:05 +0000
-Subject: [PATCH] - Fix for crash in dns64 module if response is null.
-
-git-svn-id: file:///svn/unbound/trunk@5025 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- dns64/dns64.c | 1 +
- doc/Changelog | 3 +++
- 2 files changed, 4 insertions(+)
-
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index 77e68900..f2834da2 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -628,6 +628,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
-
- /* Store the response in cache. */
- if ( (!iq || !iq->started_no_cache_store) &&
-+ qstate->return_msg && qstate->return_msg->rep &&
- !dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
- 0, 0, 0, NULL, qstate->query_flags))
- log_err("out of memory");
-Index: daemon/daemon.c
-===================================================================
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -769,7 +769,7 @@ daemon_delete(struct daemon* daemon)
- # endif
- # ifdef HAVE_OPENSSL_CONFIG
- EVP_cleanup();
--# if OPENSSL_VERSION_NUMBER < 0x10100000
-+# if (OPENSSL_VERSION_NUMBER < 0x10100000) || !defined(OPENSSL_NO_ENGINE)
- ENGINE_cleanup();
- # endif
- CONF_modules_free();
-Index: util/net_help.c
-===================================================================
--- a/util/net_help.c
+++ b/util/net_help.c
-@@ -1006,10 +1006,10 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
+@@ -1049,10 +1049,10 @@ void* outgoing_ssl_fd(void* sslctx, int
static lock_basic_type *ub_openssl_locks = NULL;
-
+
/** callback that gets thread id for openssl */
-static unsigned long
-ub_crypto_id_cb(void)
- return (unsigned long)log_thread_get();
+ CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
}
-
+
static void
-@@ -1035,7 +1035,7 @@ int ub_openssl_lock_init(void)
+@@ -1078,7 +1078,7 @@ int ub_openssl_lock_init(void)
for(i=0; i<CRYPTO_num_locks(); i++) {
lock_basic_init(&ub_openssl_locks[i]);
}
CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
#endif /* OPENSSL_THREADS */
return 1;
-@@ -1047,7 +1047,7 @@ void ub_openssl_lock_delete(void)
+@@ -1090,7 +1090,7 @@ void ub_openssl_lock_delete(void)
int i;
if(!ub_openssl_locks)
return;
--- /dev/null
+Index: daemon/remote.c
+===================================================================
+--- a/daemon/remote.c (revision 5105)
++++ b/daemon/remote.c (working copy)
+@@ -1987,7 +1987,7 @@
+ return NULL;
+ }
+ } else {
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ if(auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", todo);
+Index: iterator/iter_fwd.c
+===================================================================
+--- a/iterator/iter_fwd.c (revision 5105)
++++ b/iterator/iter_fwd.c (working copy)
+@@ -239,7 +239,7 @@
+ s->name, p->str);
+ return 0;
+ }
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ if(tls_auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", p->str);
+Index: iterator/iter_hints.c
+===================================================================
+--- a/iterator/iter_hints.c (revision 5105)
++++ b/iterator/iter_hints.c (working copy)
+@@ -252,7 +252,7 @@
+ s->name, p->str);
+ return 0;
+ }
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ if(auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", p->str);
include $(TOPDIR)/rules.mk
PKG_NAME:=uwsgi-cgi
-PKG_VERSION:=2.0.17.1
-PKG_RELEASE:=5
+PKG_VERSION:=2.0.18
+PKG_RELEASE:=1
-PKG_SOURCE_URL=https://codeload.github.com/unbit/uwsgi/tar.gz/$(PKG_VERSION)?
+PKG_SOURCE_URL= \
+ https://projects.unbit.it/downloads \
+ https://codeload.github.com/unbit/uwsgi/tar.gz/$(PKG_VERSION)?
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=d2318235c74665a60021a4fc7770e9c2756f9fc07de7b8c22805efe85b5ab277
+PKG_HASH:=4972ac538800fb2d421027f49b4a1869b66048839507ccf0aa2fda792d99f583
PKG_BUILD_DIR:=$(BUILD_DIR)/uwsgi-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0-or-later
CATEGORY:=Network
SUBMENU:=Web Servers/Proxies
TITLE:=The uWSGI server
- URL:=http://unbit.com/
+ URL:=https://projects.unbit.it/uwsgi
DEPENDS:=+libcap +jansson +libuuid
endef
CATEGORY:=Network
SUBMENU:=Web Servers/Proxies
TITLE:=Support files for LuCI on Nginx
- URL:=http://unbit.com/
DEPENDS:=+uwsgi-cgi
endef
PKG_NAME:=bluez
PKG_VERSION:=5.50
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@KERNEL/linux/bluetooth/
define Package/bluez-utils/install
$(INSTALL_DIR) $(1)/usr/bin
- $(CP) $(PKG_BUILD_DIR)/tools/bdaddr $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/bccmd $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/bluemoon $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/btattach $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/btmon $(1)/usr/bin/
- $(CP) $(PKG_BUILD_DIR)/tools/btmgmt $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/ciptool $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/hciattach $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/hciconfig $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/hcidump $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/hcitool $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/hex2hcd $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/l2ping $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/l2test $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/mpris-proxy $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/rctest $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/rfcomm $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/sdptool $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/bdaddr $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/bccmd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/bluemoon $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/btattach $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/btmon $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/btmgmt $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ciptool $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/hciattach $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/hciconfig $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/hcidump $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/hcitool $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/hex2hcd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/l2ping $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/l2test $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mpris-proxy $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/rctest $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/rfcomm $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sdptool $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/attrib/gatttool $(1)/usr/bin/
endef
define Package/bluez-daemon/install
$(INSTALL_DIR) $(1)/usr/bin
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/bluetooth/bluetoothd $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/bin/bluetoothctl $(1)/usr/bin/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/bluetooth/obexd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/bluetooth/bluetoothd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/bluetoothctl $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/bluetooth/obexd $(1)/usr/bin/
$(INSTALL_DIR) $(1)/etc/dbus-1/system.d/
$(INSTALL_DATA) $(PKG_BUILD_DIR)/src/bluetooth.conf $(1)/etc/dbus-1/system.d/bluetooth.conf
$(INSTALL_DIR) $(1)/etc/bluetooth
include $(TOPDIR)/rules.mk
PKG_NAME:=mariadb
-PKG_VERSION:=10.2.21
+PKG_VERSION:=10.2.22
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
https://ftp.yz.yamagata-u.ac.jp/pub/dbms/mariadb/$(PKG_NAME)-$(PKG_VERSION)/source \
https://downloads.mariadb.org/interstitial/$(PKG_NAME)-$(PKG_VERSION)/source
-PKG_HASH:=637f0808b65ec06902897a2f885a60377828d019d35802402dca541f8113536c
+PKG_HASH:=42f4c54c29b7c196bd105bbf4d2ea721f869b14cb7ba436c3566e6dd2760614c
PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
PKG_LICENSE:=GPL-2.0 LGPL-2.1
PKG_LICENSE_FILES:=COPYING libmariadb/COPYING.LIB
MARIADB_COMMON_DEPENDS := \
$(ICONV_DEPENDS) \
- +libatomic \
+libopenssl \
- +libstdcpp \
+zlib
+MARIADB_COMMON_DEPENDS_EXE := \
+ $(MARIADB_COMMON_DEPENDS) \
+ +libatomic \
+ +libstdcpp
+
# Pass CPPFLAGS in the CFLAGS as otherwise the build system will
# ignore them.
TARGET_CFLAGS+=$(TARGET_CPPFLAGS)
$(call Package/mariadb/Default)
TITLE:=MariaDB database client base
DEPENDS:=mariadb-common \
- $(MARIADB_COMMON_DEPENDS) \
+ $(MARIADB_COMMON_DEPENDS_EXE) \
+libedit
endef
define Package/mariadb-server-base
$(call Package/mariadb/Default)
DEPENDS:=mariadb-common \
- $(MARIADB_COMMON_DEPENDS) \
+ $(MARIADB_COMMON_DEPENDS_EXE) \
+!arc:libaio \
+liblzma \
+libpcre \
--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
-@@ -388,7 +388,7 @@ fi
+@@ -399,7 +399,7 @@ fi
# Try to determine the hostname
+++ /dev/null
---- a/libmariadb/libmariadb/secure/openssl.c
-+++ b/libmariadb/libmariadb/secure/openssl.c
-@@ -419,8 +419,10 @@ void ma_tls_end()
- if (mariadb_deinitialize_ssl)
- {
- #ifndef HAVE_OPENSSL_1_1_API
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
- ERR_remove_state(0);
-+#else
-+ ERR_remove_thread_state(NULL);
- #endif
- EVP_cleanup();
- CRYPTO_cleanup_all_ex_data();
PKG_NAME:=rtl-ais
PKG_VERSION:=0.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/dgiardini/rtl-ais/tar.gz/v$(PKG_VERSION)?
PROG=/usr/bin/rtl_ais
validate_rtl_ais_section() {
- uci_validate_section "rtl_ais" "rtl_ais" "$1" \
+ uci_load_validate "rtl_ais" "rtl_ais" "$1" "$2" \
'enabled:bool' \
'ppm:range(-100,100):0'
}
load_rtl_ais() {
local cfg="$1"
- local enabled ppm
- validate_rtl_ais_section "$cfg" || { echo "validation failed"; return 1; }
+ [ "$2" = 0 ] || { echo "validation failed"; return 1; }
[ "$enabled" = "1" ] || return 1
- procd_open_instance
- procd_set_param command "$PROG" -p "$ppm"
+ procd_open_instance
+ procd_set_param command "$PROG" -p "$ppm"
procd_set_param stdout 1
procd_set_param stderr 1
- procd_set_param respawn
- procd_close_instance
+ procd_set_param respawn
+ procd_close_instance
}
start_service() {
config_load "rtl_ais"
- config_foreach load_rtl_ais "rtl_ais"
+ config_foreach validate_rtl_ais_section "rtl_ais" load_rtl_ais
}
service_triggers() {
PKG_NAME:=xz
PKG_VERSION:=5.2.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=@SF/lzmautils
PKG_HASH:=3313fd2a95f43d88e44264e6b015e7d03053e681860b0d5d3f9baca79c57b7bf
+PKG_MAINTAINER:=
PKG_LICENSE:=Public-Domain LGPL-2.1+ GPL-2.0+ GPL-3.0+
PKG_LICENSE_FILES:=COPYING
-PKG_MAINTAINER:=Nicolas Thill <nico@openwrt.org>
+PKG_CPE_ID:=cpe:/a:tukaani:xz
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
$$(eval $$(call BuildPackage,$(1)))
endef
+TARGET_LDFLAGS += -Wl,--gc-sections -flto
CONFIGURE_ARGS += \
--enable-small \
--enable-assume-ram=4 \
--disable-assembler \
+ --disable-debug \
+ --disable-doc \
+ --disable-rpath \
+ --disable-symbol-versions \
--disable-werror \
-
-# API uses "restrict" keyword introduced in C99 standard
-TARGET_CFLAGS += \
- -std=c99 \
+ --with-pic
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include