domoticz will fail to build with python and older cmake
Indeed, find_package(PythonLibs 3.4) will not recognize python 3.7 until
cmake 3.7 and the following commit:
c31573b964
To fix this, add a call to find_package(PythonInterp). Indeed, if
FindPythonInterp has already found the major and minor version, that
version will be inserted between the user supplied versions and the
stock version list since cmake in version 3.1 and
3816cd2dc7
Fixes:
- http://autobuild.buildroot.org/results/8e82501a7b49da628ec026132ffca44c0c813040
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7367a8cd59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
For more information, see the changelog:
https://www.openssl.org/news/cl102.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3301b6e1b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PLATFORM is an environment variable used by xfsprogs' configure script
to determine the platform for which the applications are being built. If
we set some incorrect/unsupported value through e.g: export, this will
be picked up by xfsprogs' configure script and used as-is and assigned
to PKG_PLATFORM, which will lead to build failures.
If PLATFORM was empty/unset, then uname on the host building xfsprogs
gets used to determine the build platform, which again could be
incorrect if we e.g: built xfsprogs on a Darwin system.
Since we are obviously building for Linux, let's just make sure we
define it that way which solves both issues.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 257a2118be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
- CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.8.7.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tests are enabled if gperf and zlib are found and they fail on:
/home/buildroot/autobuild/run/instance-0/output/build/msgpack-2.1.5/include/msgpack/v1/object.hpp:652:34:
error: 'void* memcpy(void*, const void*, size_t)' copying an object of non-trivial type 'struct msgpack::v2::object' from an array of 'const msgpack_object' {aka 'const struct msgpack_object'} [-Werror=class-memaccess]
std::memcpy(&o, &v, sizeof(v));
So disable them.
Fixes:
- http://autobuild.buildroot.org/results/7d7aa9723f02f9bc78dbf6248674be4d402199bf
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d2d75e07db)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libid3tag uses a very old configure script.
When the toolchain lacks C++ and the build machine lacks /lib/cpp, this
old configure script fails because it can't find a C++ preprocessor that
is valid:
checking for arm-buildroot-linux-uclibcgnueabi-g++... no
checking whether we are using the GNU C++ compiler... no
checking whether no accepts -g... no
checking dependency style of no... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.
This is yet another case that was tentatively fixed by bd39d11d2e
(core/infra: fix build on toolchain without C++), further amended by
4cd1ab1588 (core: alternate solution to disable C++).
However, this only works on libtool scripts that are recent enough, and
thus we need to autoreconf to get it.
We also need to patch configure.ac so that it does not fail on the
missing, GNU-specific files: NEWS, AUTHORS, and Changelog.
Fixes:
http://autobuild.buildroot.org/results/ac3/ac3870208aab6001db6b790b6c5dde64d08f7669/http://autobuild.buildroot.org/results/cc1/cc18397f38dfd4f1e6605f7a6f58edab49b396ac/
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 43274dd3e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The build of U-Boot on Microchip (formerly Atmel) platforms currently
fails to build with an Assertion Error in dtc. This happens since we
bumped dtc from 1.4.4 to 1.4.7, as a regression was introduced in dtc
1.4.6, and fixed post-1.4.7. This commit backports the upstream commit
to resolve this Assertion Error.
The build error was:
dtc: livetree.c:438: propval_cell: Assertion `prop->val.len == sizeof(cell_t)' failed.
dtc: livetree.c:438: propval_cell: Assertion `prop->val.len == sizeof(cell_t)' failed.
Aborted (core dumped)
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/124434438
(and numerous other similar build failures)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ea7c5aad0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When c7ffd8a75d ("package/dtc: fix
include guards for older kernel/u-boot") introduced a new patch to the
dtc package, it used the 0001 number, which was already used by
another patch. Let's fix that.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f2922d9765)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4345, CVE-2018-4372,
CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,
CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, and CVE-2018-4416.
Additionally, it fixes a few build failures, and a crash when using
certain version of Cairo.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/11/21/webkitgtk2.22.4-released.html
More details on the issues covered by security fixes can be found
in the corresponding security advisory:
https://webkitgtk.org/security/WSA-2018-0008.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a827a17dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build of package will sometime fails because of the following issue:
install-static target has two dependencies: dispatcher-static and
install-common
Because dispatcher-static is not a file but only a target, it will
always be called to build usb_modeswitch_dispatcher.
So, even if install-common depends on usb_modeswitch_dispatcher, in some
rare cases, install-static won't be able to install
usb_modeswitch_dispatcher because it is being rebuild by
dispatcher-static
To fix this issue, disable parallel build
Fixes:
- http://autobuild.buildroot.org/results/8297be35725b816ff5afaf909605ceb41223efb6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a554109af8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Graphviz' dot utility does not like nodes which names does not start
with an ^[[:alpha:]], i.e. 18xx-ti-utils would cause grievance:
Warning: syntax ambiguity - badly delimited number '18x' in line 4 [...]/graph-depends.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '18x' in line 5 [...]/graph-depends.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '18x' in line 6 [...]/graph-depends.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '18x' in line 7 [...]/graph-depends.dot splits into two tokens
Prefix nodes with an underscore to fix that.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 020206ca57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Checking for the existence of the dtc binary built by the
non-dependent dtc package may cause instable behaviour when giving more
freedom on the order of how the packages are built (parallelization).
In addidion, when moving to per-package host/target method, the check
would always trigger in the isolated host, leading to linux-dtc always
being installed as dtc.
This in turn may lead to undesired overwriting of the real host-dtc binary
when finally assembling the global host dir.
Thus rework the linux-dtc install condition to be defined by configuration
rather than compile time order.
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 860906ee05)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old 3.4 Linux kernel used by this defconfig doesn't build with gcc 7.x:
include/linux/compiler-gcc.h:106:1: fatal error: linux/compiler-gcc7.h: No such file or directory
So let's use gcc 6.x for the time being.
Long term, we should use a newer or different kernel source for this
defconfig, or get rid of the defconfig entirely if there's no updated
kernel with a fix.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/123771091
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 88928bbd6e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The U-Boot part of the defconfig was not specifying explicitly any
U-Boot version. Since commit 21e3ae8a18
("boot/uboot: default to kconfig buildsystem for latest version"), we
default to using the kconfig build system when the default U-Boot
version is used. Following this change, the apf27 defconfig therefore
started using kconfig, for which the BR2_TARGET_UBOOT_BOARDNAME
Config.in option is not used. Due to this, the build fails with:
boot/uboot/uboot.mk:411: *** No board defconfig name specified, check your BR2_TARGET_UBOOT_BOARD_DEFCONFIG setting. Stop.
Indeed, when Kconfig is used, the board defconfig must be specified
with BR2_TARGET_UBOOT_BOARD_DEFCONFIG.
As part of fixing this, we also set a fixed U-Boot version for this
defconfig, like we do in all other defconfigs.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/123771003
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8aaee72a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since version v239, systemd-nspawn unconditioanlly uses prlimit(2),
which is not implemented in uClibc-ng. systemd-nspawn can not be
disabled.
This makes systemd glibc-only again.
After a bit of discussion with upstream (om IRC), it looks very
improbable that they accept a patch making systemd-nspawn optional.
They would probably consider a patch that provides that syscall wrapper
if it is missing, though, but that's less trivial...
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0d61846b5f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, tar will not include any extended attribute (xattr) when
creating archives, and thus will not store capabilties either (as they
are stored in the xattr 'security.capability').
Using option --xattrs is enough to create a tarball with all the xattrs
attached to a file. However, extracting all xattrs from a tarball
requires that --xattrs-include='*' be used. This is not symetric (but on
purpose, as per the documentation), and so is confusing to some.
So, we use --xattrs-include='*' to create the archive, so as to be
explicit that we want all xattrs to be stored.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6d688e2132)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since 4adaa581b2, S29netplug looks for
/etc/default/network instead of /etc/sysconfig/network. When this
file exists but does not define $NETWORKING, the script fails on line
29 with something like:
/etc/init.d/S29netplug: 29: [: =: unexpected operator
Fix quoting so this error no longer happens.
Signed-off-by: Thomas Claveirole <thomas.claveirole@green-communications.fr>
[Thomas: keep double quotes around "no", keep curly braces when
referencing the variable.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5682ba9363)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The commands like "make show-build-order" or "make
<package>-show-build-order" show the build order and then print
"make[1]: Nothing to be done for 'show-build-order'" to stdout. It
pollutes output. Technically this message is true but it's not true
for user because he gets an information.
The <package>-show-build-order targets use $(info) for package name
printing. The make utility doesn't consider the internal directive as
a command so it think that it's "Nothing to be done". The patch adds
the empty command to <package>-show-build-order to inform make utility
that taget makes some real actions.
Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: invert $(info) and @:, as suggested by Yann.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 75c81a12f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit e7af4033c3 ("rpm: use the new
gettext logic") introduced a really nasty bug: by adding
$(TARGET_NLS_DEPENDENCIES) to RPM_DEPENDENCIES, it completely
overwrote the existing value of RPM_DEPENDENCIES, entirely masking all
mandatory RPM dependencies.
rpm is fairly towards the end of the alphabet, and most other
mandatory dependencies (berkeleydb, host-pkgconf, file and popt)
appear earlier by alphabetic ordering. Only zlib was afterwards, but
since file depends on zlib, it was always built before. This probably
explains why our autobuilders haven't encountered a single build
failure.
However, a simple "make rpm" clearly exhibits the failure, and
obviously the upcoming per-package folder mechanism makes such bugs
even more obvious.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 36385f87f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When $(TOPDIR)/dl is a symlink, checking out git submodules can fail,
as reported by Michael in #11086.
To reproduce a similarly-related mis-behaviour:
$ mkdir -p foo/bar foo/buz
$ cd foo/bar
$ ln -s ../buz meh
$ cd meh
$ cd ../../foo
The last command should not succeed, because, relative to meh, there is
no ../../foo directory; we would expect it to be ../../../foo, instead.
But since meh is a symlink to a directory, then a relative path from that
symlink is interpreted as relative to the derefrenced directory, i.e.
from buz in this case.
But where this gets even weirder, is that, if the last command is
replaced by:
$ cd ../../../foo
then it still works, too.
And that is the root of Michael's issue: the dl directory in Buildroot's
TOPDIR is a symlink to a similarly-named directory one directory higher,
which then confuses relative paths, which gets especially and noticeably
bad for git submodules.
Avoid this strangeness, and just use so-called "physical" path, i.e. a
path where all symlinks to directories have been dereferenced.
Fixes: #11086
Reported-by: Michael Nosthoff <posted@heine.so>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Michael Nosthoff <posted@heine.so>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 632e164a19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The command "make show-build-order" doesn't show dependencies of rootfs-common target.
This patch adds $(ROOTFS_COMMON_DEPENDENCIES) to PACKAGES variable.
Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 305e4487e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When adding the custom BR2_WGET value in the configuration,
genrandconfig forgets to add a newline. Due to this, the next option
that is added is printed on the same line as BR2_WGET="", which causes
it to be ignored.
Due to this, in all builds, the line right after BR2_WGET was
ignored. It could have been BR2_ENABLE_DEBUG, BR2_INIT_BUSYBOX,
BR2_INIT_SYSTEMD, BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV,
BR2_STATIC_LIBS or BR2_PACKAGE_PYTHON_PY_ONLY depending on the
randomization.
Fix that by adding a proper newline at the end of the BR2_WGET option.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3eb49f59d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure.ac script uses PKG_CHECK_MODULES(), and we autoreconf
the package, so host-pkgconf should be listed in the dependencies.
This issue is seen either with per-package folders, or by doing a
clean build with just "make openocd":
>>> openocd 0.10.0 Configuring
>>> openocd 0.10.0 Autoreconfiguring
[...]
configure.ac:12: error: possibly undefined macro: AC_MSG_WARN
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:201: error: possibly undefined macro: AC_DEFINE
configure.ac:582: error: possibly undefined macro: AC_MSG_NOTICE
Even if the message seems unrelated, it's really the lack of pkg.m4
from host-pkgconf that causes the issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 915c136c5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When /etc/selinux/semanage.conf does not exist, libsemanage tries to
overwrite it. For the target package, it works fine because $(DESTDIR)
is taken into account.
However, for the host package, $(DESTDIR) is empty, and the location
used for /etc/selinux/semanage.conf is not affected by $(PREFIX). This
causes host-libsemanage to try to install /etc/selinux/semanage.conf,
which obviously fails with:
test -f /etc/selinux/semanage.conf || install -m 644 -D semanage.conf /etc/selinux/semanage.conf
install: cannot create directory '/etc/selinux': Permission denied
To fix this, this commit passes DEFAULT_SEMANAGE_CONF_LOCATION in the
make options when building/installing host-libsemanage, providing a
path to semanage.conf that Buildroot can write to.
Fixes:
http://autobuild.buildroot.net/results/cd27e3c66274622d0c3dd5a601a36efb1bc45011/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4c9c70453c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The xlib_libfontenc configure.ac uses PKG_CHECK_MODULES(), but the
Buildroot package does not have a dependency on host-pkgconf. This
causes a build failure with per-package host/target folders, or if one
builds just with "make xlib_libfontenc", which is why it was never
detected by the autobuilders.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7b1238055c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16062: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils
before 2018-08-18 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted file.
CVE-2018-16402: libelf/elf_end.c in elfutils 0.173 allows remote attackers
to cause a denial of service (double free and application crash) or possibly
have unspecified other impact because it tries to decompress twice.
CVE-2018-16403: libdw in elfutils 0.173 checks the end of the attributes
list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr
in dwarf_hasattr.c, leading to a heap-based buffer over-read and an
application crash.
For more details, see the announcement:
https://sourceware.org/ml/elfutils-devel/2018-q3/msg00116.html
0.172 and 0.173 also included fixes for crashes and hangs found by afl-fuzz
(no CVEs assigned):
https://sourceware.org/ml/elfutils-devel/2018-q2/msg00272.htmlhttps://sourceware.org/ml/elfutils-devel/2018-q2/msg00209.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6a74acb6fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the advisory:
Due to incorrect input handling, Squid is vulnerable to a
Cross-Site Scripting vulnerability when generating HTTPS response
messages about TLS errors.
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
Add the patch from the 3.5 branch fixing this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
