python-paho-mqtt is licensed under EPL-2.0, not EPL-1.0, since version
1.6.0 and fabe7500fb
While at it, add LICENSE.txt to PKG_LICENSE_FILES
Fixes: 784f2a519b (python-paho-mqtt: bump to version 1.6.1)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 3380427f29)
This is a security release.
Notable Changes
CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.12 (2024-07-02) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/x509, net/http, net/netip, and os packages.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Currently, armv5 and armv6 targets are both using armv6 rustc.
Without this patch, rust programs in armv5 targets throw an illegal
instruction error.
Signed-off-by: Lu jicong <jiconglu58@gmail.com>
(cherry picked from commit 84464a656c)
If the download directory is on another filesystem (NFS), then the
current implementation of bootstrapping rust fails, because the 'syscall'
(rename) does not work across a filesystem boundary.
This change was already merged upstream to the github main rust repository.
rust-lang/rust#124975
The patch has been rebased so that it can be applied correctly.
No functional change.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 6b6c74dca8)
- Switch back to .gz tarball
- Replace local bootstrap cache hack with upstreamed option
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c1b3e0440f)
go1.21.11 (released 2024-06-04) includes
security fixes to the archive/zip and net/netip packages,
as well as bug fixes to the compiler,
the go command, the runtime, and the os package.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
The 3.2.3 release includes many bug-fixes. This release also includes
the update of uri.gem to 0.12.2 which contains the security fix.
- CVE-2023-36617: ReDoS vulnerability in URI
See: https://www.ruby-lang.org/en/news/2024/01/18/ruby-3-2-3-released/
The 3.2.4 release includes security fixes. Please check the topics below
for details.
- CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
- CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
- CVE-2024-27280: Buffer overread vulnerability in StringIO
See: https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Notable changes
This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
A fix has also been included for compiling Node.js from source with newer versions of Clang.
The list of keys used to sign releases has been synchronized with the current list from the main branch.
Updated dependencies
* acorn updated to 8.11.3.
* acorn-walk updated to 8.3.2.
* ada updated to 2.7.8.
* c-ares updated to 1.28.1.
* corepack updated to 0.28.0.
* nghttp2 updated to 1.61.0.
* ngtcp2 updated to 1.3.0.
* npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
* simdutf updated to 5.2.4.
* zlib updated to 1.3.0.1-motley-7d77fb7.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.10 (released 2024-05-07) includes security fixes to the go
command, as well as bug fixes to the net/http package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This is a security release.
Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1. Update it to version 3.16.3
Release notes: https://github.com/LuaLanes/lanes/releases/tag/v3.16.3
2. Change to download tarball instead of checking out Git sources
In the previous commit (in the Fixes tag), it was changed to Git sources without any reason. Let's revert it back. Let's use the tagged release again.
Fixes: b93e5b45b1 ("lualanes: Version bump to v3.16.2")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 8b7040b6de)
Update the PKG_VERSION and PKG_SOURCE_VERSION to pull version 3.16.2
from upstream. The upstream version includes fixes for the
`pthread_yield: symbol not found` issue.
Removed patches 100-musl-compat.patch and 200-fix-redef-error.patch
as fixes were implemented upstream.
Build tested on aarch64, arm_cortex_a15/a9, i386, mips[el]_24kc,
powerpc_464fp/8548, riscv64, x86_64. Confirmed on x86_64.
Signed-off-by: Mark Baker <mark@vpost.net>
(cherry picked from commit 08e51ab50a)
Notable Changes
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4
Changed to use gz according to main-snapshot
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.8 (released 2024-03-05) includes security fixes to the crypto/x509,
html/template, net/http, net/http/cookiejar, and net/mail packages,
as well as bug fixes to the go command and the runtime.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof packages.
go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 34867e83ca)
Update to v18.19.1
This is a security release.
Notable changes
* CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities - (High)
* CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
* CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3
* npm version 10.2.4
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
b3b0cc8 version 0.2.2
85515cd roidmi: initial support for NEX2 Pro
62addc2 isort imports
8695649 README: update other govee to govee_ht
33f6ade ruuvitag: remove device class for counter
2099607 Rename key govee->govee_ht
12acacd codestyle updates
dbba43d ruuvitag: drop redundant import
84878e0 base: add and use HumidityTemperatureSensor
e9f0046 xiaomi_lywsd03_atc: make send_custom a class variable
2f4809a base: use lowercase for instance variable
5b1af17 govee: add manufacturer
7891691 ruuvitag: add manufacturer
cfd799b ruuvitag: remove inheritance from SubscribeAndSetDataMixin
7be28a1 codestyle updates
bffcf5e Add Govee H5074 temperature/humidity sensor support (#77)
Signed-off-by: Quintin Hill <stuff@quintin.me.uk>
(cherry picked from commit 268ed6d347)
Dependency introduced by 21094e67cf and 3c1fac9773
(And only for python versions below 3.12.)
Fixes: 64fa106 (python3-bleak: bump version to 0.21.1)
Signed-off-by: Quintin Hill <stuff@quintin.me.uk>
(cherry picked from commit fcb02c264b)
Users might configure their own env variables on the host, and sometimes
it can lead to build failure or unexpected behavior.
Fixes: #22889
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 9f01010958)
Includes fix for CVE-2023-39326 (net/http: limit chunked data overhead).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit b8254cdac4)