This release includes security fixes. Please check the topics below for
details.
- CVE-2023-28755: ReDoS vulnerability in URI
- CVE-2023-28756: ReDoS vulnerability in Time
This release also includes some bug fixes. See
https://github.com/ruby/ruby/releases/tag/v3_0_6 for further details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The initial package submission was missing
some required and optional dependencies
due to lack of testing on a system without any python
related packages pre-installed.
Some optional but highly recommended dependencies
were discovered with the stdlib module as described in:
392a68e247/lang/python/README.md
Fixes #20441
Signed-off-by: Julien Malik <julien.malik@paraiso.me>
(cherry picked from commit 1f25be97b6)
Description:
Update to v16.20.0
Fixed a bug with system-icu.
Fixed a bug when selecting arm-fpu for vfpv3-d16.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Includes fix for CVE-2023-2453 (crypto/elliptic: specific unreduced
P-256 scalars produce incorrect results).
This also includes makefile updates for Go 1.19.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 8677ed11e3)
go1.19.6 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the go command, the linker, the runtime,
and the crypto/x509, net/http, and time packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 0cdd7b8c0e)
Thursday February 16 2023 Security Releases
Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
* CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in the February 2023 Security Releases blog post.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 6cd5a2c57f)
Refresh patches.
Bump setuptools to 65.5.0
Bump pip to 22.3.1
Removed patch: patches-pip/001-pep517-pyc-fix.patch
No longer needed as per:
fa4b2efbab
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Package does not currently build because of distutil dependency. Fix
this by updating to the latest version.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 4a16e5eb8c)
[do not use AUTORELEASE]
The old 2.python-requests.org URL is not reachable on modern browsers,
and is not the current canonical URL for the project. Update to the
current best URL for the project.
Signed-off-by: Karl Palsson <karlp@etactica.com>
(cherry picked from commit 4969de2bdf)
Go1.19.5 (released 2023-01-10) includes fixes to the compiler,
the linker, and the crypto/x509, net/http, sync/atomic,
and syscall packages.
Removed upstreamed patch.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 5a25a731c6)
go1.19.4 (released 2022-12-06) includes security fixes to the net/http
and os packages, as well as bug fixes to the compiler, the runtime,
and the crypto/x509, os/exec, and sync/atomic packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 6a0ee524b1)
Perl threads seem to be supported and working for aarch64, and
including aarch64 here would allow packages like freeswitch-mod-perl
to become available from the standard OpenWrt package repository for
popular routers such as the Linksys E8450 and Belkin RT3200.
Signed-off-by: Doug Thomson <dwt62f+github@gmail.com>
(cherry picked from commit 6db2fe93cd)