Additional fixes for CVE-2017-9800: Malicious server can execute arbitrary
command on client and a number of crash fixes.
https://svn.apache.org/repos/asf/subversion/tags/1.9.10/CHANGES
Drop upstream SHA1 hash as that is no longer listed. Also add a hash for
the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The check-package script when ran gives warnings on ordering issues
on all of these Config files. This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter s in the package directory.
The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Also add a sha256 hash since upstream only provides one weak hash.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-2167 - svnserve/sasl may authenticate users using the wrong
realm.
CVE-2016-2168 - Remotely triggerable DoS vulnerability in mod_authz_svn
during COPY/MOVE authorization check.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Bump to version 1.9.2.
- Update the hash file.
- Use a tar.bz2 tarball to save space and bandwidth.
- Fix a typo in the berkeley-db configure option.
- Remove non-existent configure options: neon, gssapi and ssl.
- Remove neon dependency: is not needed to build subversion.
- Tweak the 0001-dont-mangle-cflags.patch for the 1.9.2 version and to
patch configure.ac instead of configure.
- Add a new 0002-disable-macos-specific-features.patch to remove a
configure check for Mach-O (and two more) which breaks the build when
cross-compiling.
- Enable autoreconf since we are patching the configure.ac.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-3580: mod_dav_svn DoS from invalid REPORT requests.
CVE-2014-8108: mod_dav_svn DoS from use of invalid transaction names.
Also add hash file.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-0032 - mod_dav_svn is vunerable to a remotely triggerable
segfault DoS vulnerability when SVNListParentPath is on.
CVE-2014-3522 - Serf RA layer does not correctly validate certificates
with wildcards in them for HTTPS.
CVE-2014-3528 - Credentials cached with Subversion may be sent to the
wrong server.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Apache licenses are referred to in a variety of ways; standardise these,
choosing a form which does not contain whitespace.
Signed-off-by: Simon Dawson <spdawson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Uses fork() in apr_proc_fork() which is used by almost all the packages
that use apr (log4cxx, subversion).
apr-util doesn't use fork or apr_proc_fork but it's of no use alone.
[Peter: also hide log4cxx comment if !BR2_USE_MMU]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
