Fixes podman build breakage which was caused by podman depending on
netavark, which in turn depends on rust-iptables.
rust-iptables requires rust 1.85.0 since commit 75825cd
75825cd9c1
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
(cherry picked from commit c675028528)
[refresh patches]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
ack would always set a return code of 1 if -c was used. Now it properly
returns 1 if no files match, and 0 if any files match.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b6b9cd38fa)
Notable Changes
CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
- Automatically refresh one patch
- Other patch is unchanged
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
(cherry picked from commit 541060ee56)
go1.21.13 (released 2024-08-06) includes fixes to the go command,
the covdata command, and the bytes package.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
python-paho-mqtt is licensed under EPL-2.0, not EPL-1.0, since version
1.6.0 and
fabe7500fb
While at it, add LICENSE.txt to PKG_LICENSE_FILES
Fixes: 784f2a519b (python-paho-mqtt: bump to version 1.6.1)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 3380427f29)
This is a security release.
Notable Changes
CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.12 (2024-07-02) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/x509, net/http, net/netip, and os packages.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Currently, armv5 and armv6 targets are both using armv6 rustc.
Without this patch, rust programs in armv5 targets throw illegal instruction
error.
Signed-off-by: Lu jicong <jiconglu58@gmail.com>
(cherry picked from commit 84464a656c)
If the download directory is on another filesystem (NFS), then the
current implementation of bootstrapping rust fails. Because the 'syscall'
(rename) does not work on crossing filesystem boundary.
This chnage was already merged upstream to the github main rust repository.
rust-lang/rust#124975
The patch has been rebased so that it can be applied correctly.
No functional change.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 6b6c74dca8)
- Switch back to .gz tarball
- Replace local bootstrap cache hack with upstreamed option
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c1b3e0440f)
go1.21.11 (released 2024-06-04) includes
security fixes to the archive/zip and net/netip packages,
as well as bug fixes to the compiler,
the go command, the runtime, and the os package.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
The 3.2.3 release includes many bug-fixes. This release also includes
the update of uri.gem to 0.12.2 which contains the security fix.
- CVE-2023-36617: ReDoS vulnerability in URI
See: https://www.ruby-lang.org/en/news/2024/01/18/ruby-3-2-3-released/
The 3.2.4 release includes security fixes. Please check the topics below
for details.
- CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
- CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
- CVE-2024-27280: Buffer overread vulnerability in StringIO
See: https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Notable changes
This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
A fix has also been included for compiling Node.js from source with newer versions of Clang.
The list of keys used to sign releases has been synchronized with the current list from the main branch.
Updated dependencies
* acorn updated to 8.11.3.
* acorn-walk updated to 8.3.2.
* ada updated to 2.7.8.
* c-ares updated to 1.28.1.
* corepack updated to 0.28.0.
* nghttp2 updated to 1.61.0.
* ngtcp2 updated to 1.3.0.
* npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
* simdutf updated to 5.2.4.
* zlib updated to 1.3.0.1-motley-7d77fb7.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.10 (released 2024-05-07) includes security fixes to the go
command, as well as bug fixes to the net/http package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This is a security release.
Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1. Update it to version 3.16.3
Release notes: https://github.com/LuaLanes/lanes/releases/tag/v3.16.3
2. Change to download tarball instead of checking out Git sources
In the previous commit (in the Fixes tag), it was changed to Git sources without any reason. Let's revert it back. Let's use again tagged release.
Fixes: b93e5b45b1 ("lualanes: Version bump to v3.16.2")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 8b7040b6de)
Update the PKG_VERSION and PKG_SOURCE_VERSION to pull version 3.16.2
from upstream. The upstream version includes fixes for the
`pthread_yield: symbol not found` issue.
Removed patches 100-musl-compat.patch and 200-fix-redef-error.patch
as fixes were implemented upstream.
Build tested on aarch64, arm_cortex_a15/a9, i386, mips[el]_24kc,
powerpc_464fp/8548, riscv64, x86_64. Confirmed on x86_64.
Signed-off-by: Mark Baker <mark@vpost.net>
(cherry picked from commit 08e51ab50a)
Notable Changes
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4
Changed to use gz according to main-snapshot
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
