aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--community/ceph/30-32bit_fix.patch.noauto2
-rw-r--r--community/ceph/APKBUILD8
-rw-r--r--community/fio/APKBUILD6
-rw-r--r--community/firefox-esr/APKBUILD38
-rw-r--r--community/go/APKBUILD16
-rw-r--r--community/ifstate/APKBUILD8
-rw-r--r--community/jool-modules-lts/APKBUILD2
-rw-r--r--community/jool-modules-rpi/APKBUILD2
-rw-r--r--community/marble/APKBUILD2
-rw-r--r--community/mozjs78/APKBUILD11
-rw-r--r--community/nextcloud/APKBUILD17
-rw-r--r--community/php7/APKBUILD10
-rw-r--r--community/php8/APKBUILD10
-rw-r--r--community/plasma-workspace/APKBUILD2
-rw-r--r--community/py3-pyroute2/001-ipset-content.patch11
-rw-r--r--community/py3-pyroute2/APKBUILD11
-rw-r--r--community/rtl8821ce-lts/APKBUILD2
-rw-r--r--community/rtpengine-lts/APKBUILD2
-rw-r--r--community/stellarium/APKBUILD2
-rw-r--r--community/stunnel/APKBUILD8
-rw-r--r--community/swaylock/APKBUILD17
-rw-r--r--community/swaylock/fix-version.patch11
-rw-r--r--community/swaylock/ungit-version.patch21
-rw-r--r--community/tinc-pre/APKBUILD17
-rw-r--r--community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch70
-rw-r--r--community/wofi/APKBUILD7
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/apache2/APKBUILD18
-rw-r--r--main/apk-tools/APKBUILD4
-rw-r--r--main/asterisk/APKBUILD12
-rw-r--r--main/asterisk/CVE-2021-32558.patch126
-rw-r--r--main/bind/APKBUILD12
-rw-r--r--main/bind/bind-9.16.20-map-format-fix.patch8
-rw-r--r--main/c-ares/APKBUILD12
-rw-r--r--main/curl/APKBUILD8
-rw-r--r--main/dahdi-linux-lts/APKBUILD2
-rw-r--r--main/gd/APKBUILD27
-rw-r--r--main/gd/CVE-2021-38115.patch26
-rw-r--r--main/gd/CVE-2021-40145.patch124
-rw-r--r--main/geoip/APKBUILD11
-rwxr-xr-xmain/geoip/geoip.cron7
-rw-r--r--main/ghostscript/APKBUILD12
-rw-r--r--main/ghostscript/CVE-2021-3781.patch232
-rw-r--r--main/gnupg/APKBUILD10
-rw-r--r--main/gpsd/APKBUILD (renamed from community/gpsd/APKBUILD)31
-rw-r--r--main/gpsd/gpsd.confd (renamed from community/gpsd/gpsd.confd)0
-rw-r--r--main/gpsd/gpsd.initd (renamed from community/gpsd/gpsd.initd)0
-rw-r--r--main/gpsd/timepps.h (renamed from community/gpsd/timepps.h)0
-rw-r--r--main/grep/APKBUILD8
-rw-r--r--main/haproxy/APKBUILD7
-rw-r--r--main/libgcrypt/APKBUILD9
-rw-r--r--main/libgcrypt/CVE-2021-40528.patch51
-rw-r--r--main/libspf2/APKBUILD14
-rw-r--r--main/libspf2/CVE-2021-20314.patch22
-rw-r--r--main/linux-lts/APKBUILD28
-rw-r--r--main/linux-lts/config-lts.aarch6425
-rw-r--r--main/linux-lts/config-lts.armv711
-rw-r--r--main/linux-lts/config-lts.mips646
-rw-r--r--main/linux-lts/config-lts.ppc64le6
-rw-r--r--main/linux-lts/config-lts.s390x6
-rw-r--r--main/linux-lts/config-lts.x869
-rw-r--r--main/linux-lts/config-lts.x86_6410
-rw-r--r--main/linux-lts/config-virt.aarch6424
-rw-r--r--main/linux-lts/config-virt.armv78
-rw-r--r--main/linux-lts/config-virt.ppc64le8
-rw-r--r--main/linux-lts/config-virt.x867
-rw-r--r--main/linux-lts/config-virt.x86_647
-rw-r--r--main/linux-rpi/APKBUILD6
-rw-r--r--main/mariadb/APKBUILD7
-rw-r--r--main/mosquitto/APKBUILD12
-rw-r--r--main/mosquitto/CVE-2021-34432.patch61
-rw-r--r--main/nettle/APKBUILD8
-rw-r--r--main/nodejs/APKBUILD19
-rw-r--r--main/nodejs/fix-build-with-system-c-ares.patch535
-rw-r--r--main/openssh/APKBUILD18
-rw-r--r--main/openssh/CVE-2021-41617.patch25
-rw-r--r--main/openssh/ssh-copy-id.patch30
-rw-r--r--main/openssl/APKBUILD11
-rw-r--r--main/perl-net-cidr-lite/APKBUILD16
-rw-r--r--main/pgpool/APKBUILD5
-rw-r--r--main/postgresql/APKBUILD10
-rw-r--r--main/redis/APKBUILD13
-rw-r--r--main/ruby/APKBUILD13
-rw-r--r--main/sofia-sip/APKBUILD6
-rw-r--r--main/squashfs-tools/APKBUILD16
-rw-r--r--main/squid/APKBUILD12
-rw-r--r--main/squid/CVE-2021-28116.patch424
-rw-r--r--main/tzdata/APKBUILD12
-rw-r--r--main/unbound/APKBUILD6
-rw-r--r--main/vim/APKBUILD12
-rw-r--r--main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch83
-rw-r--r--main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch58
-rw-r--r--main/xen/APKBUILD50
-rw-r--r--main/xen/stubdom-hack.patch11
-rw-r--r--main/xen/tpm-version.patch31
-rw-r--r--main/xen/xsa360-4.14.patch97
-rw-r--r--main/xen/xsa364.patch69
-rw-r--r--main/xen/xsa373-4.14-1.patch120
-rw-r--r--main/xen/xsa373-4.14-2.patch102
-rw-r--r--main/xen/xsa373-4.14-3.patch163
-rw-r--r--main/xen/xsa373-4.14-4.patch81
-rw-r--r--main/xen/xsa373-4.14-5.patch143
-rw-r--r--main/xen/xsa375.patch50
-rw-r--r--main/xen/xsa377.patch27
-rw-r--r--main/xtables-addons-lts/APKBUILD2
-rw-r--r--main/zfs-lts/APKBUILD2
-rw-r--r--main/zfs-rpi/APKBUILD2
107 files changed, 2243 insertions, 1388 deletions
diff --git a/community/ceph/30-32bit_fix.patch.noauto b/community/ceph/30-32bit_fix.patch.noauto
index 818504c970..dfa6a7ef6e 100644
--- a/community/ceph/30-32bit_fix.patch.noauto
+++ b/community/ceph/30-32bit_fix.patch.noauto
@@ -52,7 +52,7 @@ diff -uNr ceph-15.2.4/src/client/Client.h ceph-15.2.4-arm32_fix/src/client/Clien
@@ -1179,7 +1179,7 @@
int _lookup_parent(Inode *in, const UserPerm& perms, Inode **parent=NULL);
int _lookup_name(Inode *in, Inode *parent, const UserPerm& perms);
- int _lookup_ino(inodeno_t ino, const UserPerm& perms, Inode **inode=NULL);
+ int _lookup_vino(vinodeno_t ino, const UserPerm& perms, Inode **inode=NULL);
- bool _ll_forget(Inode *in, uint64_t count);
+ bool _ll_forget(Inode *in, size_t count);
diff --git a/community/ceph/APKBUILD b/community/ceph/APKBUILD
index 32f1b558d3..a7905e140e 100644
--- a/community/ceph/APKBUILD
+++ b/community/ceph/APKBUILD
@@ -3,8 +3,8 @@
# Contributor: Duncan Bellamy <dunk@denkimushi.com>
# Maintainer: Duncan Bellamy <dunk@denkimushi.com>
pkgname=ceph
-pkgver=15.2.13
-pkgrel=1
+pkgver=15.2.14
+pkgrel=0
pkgdesc="Ceph is a distributed object store and file system"
pkgusers="ceph"
pkggroups="ceph"
@@ -545,12 +545,12 @@ _pkg() {
}
sha512sums="
-bde28c331c489db0845959f65c425146c317466a7793f56a83e2827dec35b8cd6f600bf9056151c1e6926cc0155deebbc8681c240ac9f37ad876b9a6afae96da ceph_15.2.13.orig.tar.gz
+eacc4dea0d8dfe2753aff78d89324d81c5634a784313c3da8ded778e2734958c216f8c705b25f070d7ba66b559424ad3c47cb68852f66f8c9c83a83ca78ad5a5 ceph_15.2.14.orig.tar.gz
110bdbcb40216c7ed155a8d23020784741b4992d895f4f04a146d275506e4e68053854d3b063b41e9c9b3e3e4f95b6b90602f92c185c853c0d8f47ad0c6b7121 ceph.confd
ce5f162501f6b67fe254546dddf880d1a5b1d1a0fa69e0b1918de17e8da45c5c6124512b8cbd98b76f29d931403de0d11c5ffd330ed8ee1f4dc75bb04baecae3 ceph.initd
c608f11cf358d76daf5281467a4ea941a81474fbe7f5faa41f7f4d0abaf9136a01576bbb1ab24bdd7bc91a49f66bd7f0a84717de5ec27250d74dd1e47e3b5dd3 10-musl-fixes.patch
427ab410aeb02d49c5caa8ff68c7b8df325229823d625b7069cd48c66dd9e129e742270850fb2be2238eb6fa12b8256845b4d94426ca96b2a9187b2726e78423 20-pci.patch
-29161e75e7bff5a1394c5eb27e0fd5dc8044d2e144e311accbac5257bb4aa7ebf8f58293e98de8cbbd629923301b24bdaff165fa4027a79538b4e8e9c2c7c2ed 30-32bit_fix.patch.noauto
+68660da5df1fe290f88707feb3781b5ccb5310fa248fd8b7c5075811b3ad4620bcc0aaed8cde857ff63695160172a4bfb668efc8b0fa55745fb8301168c6fe66 30-32bit_fix.patch.noauto
f974ab36cd6fa49c1d4613203a4f2152723e4952a185dfb6349bc4ca8ee1a7a9d0477bea136c54248271de30a4e584734ba41e8ec41bf274b04074622888ae39 31-32bit_fix_tests.patch.noauto
62ef2e7e10978e9e0eef4a094bc63d9890f0d7e71eba0f0e15baede0597ea179a77924f6dbd4d4a9c9b151c9ae934f4c10d7f2a17ee960b017f942ec57c7af35 34-fix_cpu_detection.patch
8a3e902309238ae6917b4c5fe9fa371dad3ba8e01848f462a9b67ad8d69b8370a8957f6c88462a7016319fd323eb6d6c31415734db56485a8a8b279d2705aff5 35-fix_ErasureCodeShec.patch
diff --git a/community/fio/APKBUILD b/community/fio/APKBUILD
index 9a04c1be27..01d0c89f15 100644
--- a/community/fio/APKBUILD
+++ b/community/fio/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: wener <wenermail@gmail.com>
pkgname=fio
pkgver=3.25
-pkgrel=0
+pkgrel=1
pkgdesc="Flexible I/O Tester"
url="https://github.com/axboe/fio"
arch="all"
@@ -18,7 +18,9 @@ case "$CARCH" in
esac
build() {
- ./configure --prefix=/usr
+ ./configure \
+ --prefix=/usr \
+ --disable-native
make T_TEST_PROGS=
}
diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index 112943b2f9..b35c21034e 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=firefox-esr
-pkgver=78.11.0
+pkgver=78.14.0
# Date of release, YY-MM-DD for metainfo file (see package())
-_releasedate=2021-06-01
+_releasedate=2021-09-07
pkgrel=0
pkgdesc="Firefox web browser - Extended Support Release"
url="https://www.mozilla.org/en-US/firefox/organizations/"
@@ -86,6 +86,20 @@ _mozappdir=/usr/lib/firefox
ldpath="$_mozappdir"
# secfixes:
+# 78.14.0-r0:
+# - CVE-2021-38492
+# - CVE-2021-38493
+# 78.13.0-r0:
+# - CVE-2021-29980
+# - CVE-2021-29984
+# - CVE-2021-29985
+# - CVE-2021-29986
+# - CVE-2021-29988
+# - CVE-2021-29989
+# 78.12.0-r0:
+# - CVE-2021-29970
+# - CVE-2021-29976
+# - CVE-2021-30547
# 78.11.0-r0:
# - CVE-2021-29967
# 78.10.0-r0:
@@ -453,7 +467,25 @@ npapi() {
}
sha512sums="
-d02fc2eda587155b1c54ca12a6c5cde220a29f41f154f1c9b71ae8f966d8cc9439201a5b241e03fc0795b74e2479f7aa5d6b69f70b7639432e5382f321f7a6f4 firefox-78.11.0esr.source.tar.xz
+5d5e4b1197f87b458a8ab14a62701fa0f3071e9facbb4fba71a64ef69abf31edbb4c5efa6c20198de573216543b5289270b5929c6e917f01bb165ce8c139c1ac firefox-78.14.0esr.source.tar.xz
+0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h
+2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch
+4510fb92653d0fdcfbc6d30e18087c0d22d4acd5eb53be7d0a333abe087a9e0bf9e58e56bafe96e1e1b28ebd1fd33b8926dbb70c221007e335b33d1468755c66 fix-tools.patch
+a4a3e062661bda64d502d426c480ac9645345860118de9df9ffe6e0597738c70c11e5cdef2d4fd12c5e2ee30a09310159230524655a419a4f7e4eeeb0f3c06b0 mallinfo.patch
+454ea3263cabce099accbdc47aaf83be26a19f8b5a4568c01a7ef0384601cf8315efd86cd917f9c8bf419c2c845db89a905f3ff9a8eb0c8e41042e93aa96a85c disable-moz-stackwalk.patch
+089c97e6011e86a9b9d9e7b0c8ba3af0519d1ce4e2b1e9ab7719762d6968388bfa47dad3bf23a6d41c3d66fdcc6c15e2c926e3ff9500bfd4fbf1b53e6d19dc57 fix-rust-target.patch
+d35cacb9ede80e6bfbef0709823e536dddfb1c02d776275b0b7adb5969e9927d8c6117df96873569c3f3db0a18ee5db24f8086a9311a05077892be43a3dd8d79 fix-webrtc-glibcisms.patch
+60845dcb034b2c4459c30f7d5f25c8176cf42df794e2cc0e86c3e2abb6541c24b962f3a16ca70a288d4d6f377b68d00b2904b22463108559612053d835d9bff1 fd6847c9416f9eebde636e21d794d25d1be8791d.patch
+4e584621145cf8add069c6dac18e805b3274a1ee402d84e924df2341f7d3c5be261a93ef51283bacbd606f47fbdc628c4323ecc31efc5b403b8d224b18dc278f allow-custom-rust-vendor.patch
+f3b7c3e804ce04731012a46cb9e9a6b0769e3772aef9c0a4a8c7520b030fdf6cd703d5e9ff49275f14b7d738fe82a0a4fde3bc3219dff7225d5db0e274987454 firefox.desktop
+5dcb6288d0444a8a471d669bbaf61cdb1433663eff38b72ee5e980843f5fc07d0d60c91627a2c1159215d0ad77ae3f115dcc5fdfe87e64ca704b641aceaa44ed firefox-safe.desktop
+bb75b2abda86e455d81571052a2cfec5a9d858ffa91c50a7217b4b6c02cbfc0400e9114a27bd54ce78d7d3a44e9b03927cf0317654d98c0f39d26c63c9670117 remove-faulty-libvpx-check.patch
+f963fcdba7307a0b1712dfb95ceba4ab49f449f60e550bb69d15d50272e6df9add90862251ee561e4ea5fd171a2703552ffa7aade92996f5f0b3e577f1544a6d disable-neon-in-aom.patch
+4911ddb41bef8d9f6d6200159cde465627e940fe1c09099be55769d21a5a52a3f737e1bf803daa96126c035b091aea880fbc5d2e6cf5da96ddd17322461a72d6 sandbox-fork.patch
+db26757b2ebf9f567962e32294b4ae48b3a5d0378a7589dfe650fe3a179ff58befbab5082981c68e1c25fb9e56b2db1e4e510d4bca17c3e3aedbf9a2f21806eb sandbox-sched_setscheduler.patch
+"
+sha512sums="
+5d5e4b1197f87b458a8ab14a62701fa0f3071e9facbb4fba71a64ef69abf31edbb4c5efa6c20198de573216543b5289270b5929c6e917f01bb165ce8c139c1ac firefox-78.14.0esr.source.tar.xz
0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h
2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch
4510fb92653d0fdcfbc6d30e18087c0d22d4acd5eb53be7d0a333abe087a9e0bf9e58e56bafe96e1e1b28ebd1fd33b8926dbb70c221007e335b33d1468755c66 fix-tools.patch
diff --git a/community/go/APKBUILD b/community/go/APKBUILD
index 3daeff7aa0..e2a7eb7dd4 100644
--- a/community/go/APKBUILD
+++ b/community/go/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=go
# go binaries are statically linked, security updates require rebuilds
-pkgver=1.15.12
+pkgver=1.15.15
pkgrel=0
pkgdesc="Go programming language compiler"
url="https://golang.org/"
@@ -24,6 +24,15 @@ case "$CARCH" in
esac
# secfixes:
+# 1.15.15-r0:
+# - CVE-2021-36221
+# 1.15.14-r0:
+# - CVE-2021-34558
+# 1.15.13-r0:
+# - CVE-2021-33195
+# - CVE-2021-33196
+# - CVE-2021-33197
+# - CVE-2021-33198
# 1.15.12-r0:
# - CVE-2021-31525
# 1.15.10-r0:
@@ -167,3 +176,8 @@ ab4aa83d8a9bf10bbb93ad029095b47c6eea7d5532703d84449884039116e07897871649feb1df81
c20c126ce12f9a5190784f2a772a47658f375e44fb67884a0450ec3bbd0db61a978388b4c862bd80234e579bab58fd55b6306f3953acda11fd58603799b2e3b3 fix-setrlimit-hang.patch
6017caacf77c2911e9e882878fdaa2ed066b76b7e97b2ad776bc33d96b21cabc802966473946642c86a8f985c69adcc5e7ea61684f6d0dbacd468a6aad687229 allow-unshare-to-return-enosys.patch
"
+sha512sums="bf8a6f669d024ce77271fbc8dc1d7a727c4da85c70cad00d0baaef157e7c5d7879ea9ae71cdb04e55f9c07f5ae76655264ca8a159c971eab1cf8a8861b74e69b go1.15.15.src.tar.gz
+988a436727aefc5124702bd70cb01bb457a921affcdd03e17f78937685482e899080d95baf125e054d1f634dae5c747d05a3662f1f4f462b87965b06270c788f disable-flaky-sync-test.patch
+ab4aa83d8a9bf10bbb93ad029095b47c6eea7d5532703d84449884039116e07897871649feb1df8128f10257cbdb5d7eb03820ab0f1a3f60315e195302f6e516 disable-flaky-gc-test.patch
+c20c126ce12f9a5190784f2a772a47658f375e44fb67884a0450ec3bbd0db61a978388b4c862bd80234e579bab58fd55b6306f3953acda11fd58603799b2e3b3 fix-setrlimit-hang.patch
+6017caacf77c2911e9e882878fdaa2ed066b76b7e97b2ad776bc33d96b21cabc802966473946642c86a8f985c69adcc5e7ea61684f6d0dbacd468a6aad687229 allow-unshare-to-return-enosys.patch"
diff --git a/community/ifstate/APKBUILD b/community/ifstate/APKBUILD
index a6cd93f843..9eac111214 100644
--- a/community/ifstate/APKBUILD
+++ b/community/ifstate/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Thomas Liske <thomas@fiasko-nw.net>
pkgname=ifstate
-pkgver=1.5.2
+pkgver=1.5.6
pkgrel=0
pkgdesc="Manage host interface settings in a declarative manner"
url="https://ifstate.net/"
@@ -25,6 +25,8 @@ package() {
install -Dm755 "$srcdir"/ifstate.initd "$pkgdir"/etc/init.d/ifstate
}
-sha512sums="ca6533f2fbe1bedce7fa1ba4dfa4da8d55ac4e9966516f4b008f672d98bb34bd4f4e87dfcd7bcd1930686d693d998ae5d34ae46aa200be46c9638738cf98e4c0 ifstate-1.5.2.tar.gz
+sha512sums="
+457b00b2599c024866a7bcbd6811157dfe935d16387e529097edbfd52ffe0a79e973dadcfa4bd2bdf707e2fd9a6d6f1f917dcb4b8fb8bba3f377ea92d2fed458 ifstate-1.5.6.tar.gz
dfc31dc7452c63ec18d368803ffb3bef1cd96d98345d0c5ef1baeb8b2819130b504d3e6e82d99ee86fa18d4576b7927d0b80d6d79f9f20e388e07faa09a87285 ifstate.conf
-e583c764c65dbf00ce6a4269cef5d8a78c2ec47851671cc25bbebd2d6095c42f0a10eccfd021728e05b3b67d8b950f9e4359da63226da551b8dc5ebd5d8aa0ef ifstate.initd"
+e583c764c65dbf00ce6a4269cef5d8a78c2ec47851671cc25bbebd2d6095c42f0a10eccfd021728e05b3b67d8b950f9e4359da63226da551b8dc5ebd5d8aa0ef ifstate.initd
+"
diff --git a/community/jool-modules-lts/APKBUILD b/community/jool-modules-lts/APKBUILD
index 3914476030..16ab91e8e2 100644
--- a/community/jool-modules-lts/APKBUILD
+++ b/community/jool-modules-lts/APKBUILD
@@ -21,7 +21,7 @@ fi
# Kernel version
# Keep in sync with main/linux-lts!
_kpkg=linux-$_flavor
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/jool-modules-rpi/APKBUILD b/community/jool-modules-rpi/APKBUILD
index a06b4266e7..61ef51ebfe 100644
--- a/community/jool-modules-rpi/APKBUILD
+++ b/community/jool-modules-rpi/APKBUILD
@@ -21,7 +21,7 @@ fi
# Kernel version
# Keep in sync with main/linux-rpi!
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/marble/APKBUILD b/community/marble/APKBUILD
index 3fcda12d5c..9e55e8c764 100644
--- a/community/marble/APKBUILD
+++ b/community/marble/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=marble
pkgver=20.12.3
-pkgrel=0
+pkgrel=1
pkgdesc="A Virtual Globe and World Atlas that you can use to learn more about Earth"
# mips, ppc64le and s390x blocked by qt5-qtwebengine
# armhf blocked by qt5-qtdeclarative
diff --git a/community/mozjs78/APKBUILD b/community/mozjs78/APKBUILD
index d4df64f266..da4818fadd 100644
--- a/community/mozjs78/APKBUILD
+++ b/community/mozjs78/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=mozjs78
-pkgver=78.12.0
+pkgver=78.15.0
pkgrel=0
pkgdesc="Standalone Mozilla JavaScript engine"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey"
@@ -40,6 +40,13 @@ builddir="$srcdir"/firefox-$pkgver
_builddir="$builddir/js/src"
# secfixes:
+# 78.15.0-r0:
+# - CVE-2021-38500
+# 78.14.0-r0:
+# - CVE-2021-38493
+# 78.13.0-r0:
+# - CVE-2021-29984
+# - CVE-2021-29989
# 78.12.0-r0:
# - CVE-2021-29976
# - CVE-2021-29967
@@ -124,7 +131,7 @@ package() {
}
sha512sums="
-646eb803e0d0e541773e3111708c7eaa85e784e4bae6e4a77dcecdc617ee29e2e349c9ef16ae7e663311734dd7491aebd904359124dda62672dbc18bfb608f0a firefox-78.12.0esr.source.tar.xz
+ac3de735b246ce4f0e1619cd2664321ffa374240ce6843e785d79a350dc30c967996bbcc5e3b301cb3d822ca981cbea116758fc4122f1738d75ddfd1165b6378 firefox-78.15.0esr.source.tar.xz
f7e5bee97cfa495d491dac4b8b98e5d3081346d920700e8bb6d077543e18245e5c82201a9981036ec0bf16d9fbdd42fd76e8cf6d90bb811e7338261204020149 0001-silence-sandbox-violations.patch
4f2cb93f91e798218d83cb3ac4c60b61a3658c5b269bfe250f4c4875aedaacbd77598d8d20e3a868626e49988b2073a2404e37d6918b11def774c25db68dd08d disable-jslint.patch
60845dcb034b2c4459c30f7d5f25c8176cf42df794e2cc0e86c3e2abb6541c24b962f3a16ca70a288d4d6f377b68d00b2904b22463108559612053d835d9bff1 fd6847c9416f9eebde636e21d794d25d1be8791d.patch
diff --git a/community/nextcloud/APKBUILD b/community/nextcloud/APKBUILD
index 903899b5f9..52b54cd967 100644
--- a/community/nextcloud/APKBUILD
+++ b/community/nextcloud/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nextcloud
-pkgver=20.0.11
+pkgver=20.0.13
pkgrel=0
pkgdesc="A safe home for all your data"
url="http://nextcloud.com"
@@ -246,7 +246,7 @@ _package_app() {
}
sha512sums="
-7490191ca05a9fffce49e6c4076a188d03c4a8223283b8966e637eadd0ad74b51340e0508aa29454e4e7f06693cf179d71d73754724ecaa975c2470abdbe2ff7 nextcloud-20.0.10.zip
+0082757bd98e746b088eba77cba8815e87f7273142ccb364b85cbd3aca734f246ffd78644c5735630f72dd2f9d2a1ca1d67d7c2a5371c9327cf94fed1145403e nextcloud-20.0.13.zip
aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
2d03b90c1e2f3d96001f31f1bbf902e4c411c8de7dc5a4f956fa8297533324cb12092d3ad2198f2e02ff4835dc22febee2d49e449b003caef5b990d9dcff1e70 nextcloud-app-encryption-info-add-mcrypt.patch
aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
@@ -260,16 +260,3 @@ edb699ea6127b231793254115b334006c2d50a0d2ecc846188c3521ddffc3c0e19c5e2944f03cae8
ee9073a6df4286cba2d1d855cf40863968f20677729b2c7848ab50a70d4915b8e84c957a850a03a707231256c11312e5792e7817dd50afbf73efe767fef2112d fpm-pool.conf
959852e34f010e635470829d66713f3e22c47717ec2c6487759eed2b6aeff9fd1421fe0271d494a02781bd1c98beb2823583623ee2cf03057cd5db794627d6c2 occ
"
-sha512sums="1373e3491d6f5a0d3c7cffdc9794e3972f6bf067ac622be07da966dd31e7905486d5725594dab7e404ff82c1d3af60f3b230259bbaf488bf60b604375c11c993 nextcloud-20.0.11.zip
-aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
-2d03b90c1e2f3d96001f31f1bbf902e4c411c8de7dc5a4f956fa8297533324cb12092d3ad2198f2e02ff4835dc22febee2d49e449b003caef5b990d9dcff1e70 nextcloud-app-encryption-info-add-mcrypt.patch
-aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
-d2100a837fef1eeae5f706650ab4c985d9e00f61efa5526ef76c7c1f5811c3906eb6c3c13c151eff9677a0c303faab64411a5a84d6792728bc520d2c618d7d5b disable-integrity-check-as-default.patch
-3fc3e06580a619d81b12f448976ffac34f0bb80fc73e9443fa213a73f160ba4b9bd14a26c134258ee12c04d8e103b46f4de10d7b11e4544a328878e57d436055 iconv-ascii-translit-not-supported.patch
-df1a16414a278c205876ec86c210a02a9009954e2d4f9033ff3c9b76c371e2764ef3587db5a4b8f76302655c6c8688c8729d1685279a77d279d3839cc359fbcd use-external-docs-if-local-not-avail.patch
-5f73cd9399fa484ef15bd47e803c93381deffbc7699eceadbb5c27e43b20156806d74e5021a64d28f0165ef87b519e962780651711a37bceb9f0b04455dfdce1 nextcloud-config.php
-7388458a9e8b7afd3d3269718306410ffa59c3c23da4bef367a4d7f6d2570136fae9dd421b19c1441e7ffb15a5405e18bb5da67b1a15f9f45e8b98d3fda532ba nextcloud.logrotate
-dcc57735d7d4af4a7ebbdd1186d301e51d2ae4675022aea6bf1111222dfa188a3a490ebd6e7c8a7ac30046cb7d93f81cec72a51acbc60d0c10b7fb64630c637a nextcloud.confd
-edb699ea6127b231793254115b334006c2d50a0d2ecc846188c3521ddffc3c0e19c5e2944f03cae81e6c645c859258380691081b1c522a22d40939b31db36e8a nextcloud.cron
-ee9073a6df4286cba2d1d855cf40863968f20677729b2c7848ab50a70d4915b8e84c957a850a03a707231256c11312e5792e7817dd50afbf73efe767fef2112d fpm-pool.conf
-959852e34f010e635470829d66713f3e22c47717ec2c6487759eed2b6aeff9fd1421fe0271d494a02781bd1c98beb2823583623ee2cf03057cd5db794627d6c2 occ"
diff --git a/community/php7/APKBUILD b/community/php7/APKBUILD
index e8075bc8f2..ea81ac853a 100644
--- a/community/php7/APKBUILD
+++ b/community/php7/APKBUILD
@@ -25,7 +25,7 @@
pkgname=php7
_pkgreal=php
-pkgver=7.4.21
+pkgver=7.4.24
pkgrel=0
_apiver=20190902
_suffix=${pkgname#php}
@@ -174,6 +174,8 @@ done
subpackages="$subpackages $pkgname-common::noarch"
# secfixes:
+# 7.4.24-r0:
+# - CVE-2021-21706
# 7.4.21-r0:
# - CVE-2021-21705
# 7.4.15-r0:
@@ -679,7 +681,8 @@ _mv() {
mv "$@"
}
-sha512sums="778ddbfe614fdc6a00bc82c61f4c636bdbe815ce3398415a29bd24a2fd4ca2113b3b804303585d8830242e04b0c202bbc7c725a46c9bad79b070a0e896e5e681 php-7.4.21.tar.xz
+sha512sums="
+30dd0a83d6184791f4cff3edcffeb05470de8f98ddadba3c11544449bf500280ff2048a8ca8588b35d0622dcbbf16f55ea297f51d469ae137048cab2d40da9cd php-7.4.24.tar.xz
1c708de82d1086f272f484faf6cf6d087af7c31750cc2550b0b94ed723961b363f28a947b015b2dfc0765caea185a75f5d2c2f2b099c948b65c290924f606e4f php7-fpm.initd
cacce7bf789467ff40647b7319e3760c6c587218720538516e8d400baa75651f72165c4e28056cd0c1dc89efecb4d00d0d7823bed80b29136262c825ce816691 php7-fpm.logrotate
274bd7b0b2b7002fa84c779640af37b59258bb37b05cb7dd5c89452977d71807f628d91b523b5039608376d1f760f3425d165242ca75ee5129b2730e71c4e198 php7-module.conf
@@ -689,4 +692,5 @@ ebf571c5e595221b9944d7e840807ebb68c1be38bf117186e19a3bd1070310ece5918bcaa5f94167
965b52893affb666af64e00d09e0208dcd41b17ce2864cf05616c6d05a05c0121694c0b209d403b8c0c55d18e6f1528c4aba1a4fcdce7b282a13304d12cd0f9d sharedir.patch
16399fbf6a966f9beffe00f659f9551ef8e52285bca116da5bd5b15ec99a2b0bd5fa03be0faa6c893802aa44c100d634083343a9ac0cd2467812865df66dd572 php7-fpm-version-suffix.patch
3bfeea79f9acfaa7be5bab85cd3d02713abb569e54024a22bb2c747c06d97f83ac2c63dcd75c7c409426ac03f8bc2ccc01bcd66bc39a767930d32542349123f9 fix-tests-devserver.patch
-7c8c3cac9efce81d525cb5a70e1402e393881b83ef4c7b5d39d3565803d21cd283daf3d74e9a8b059ecac66cf339756acc63608ffcb83d960dba86583bd45108 enchant-2.patch"
+7c8c3cac9efce81d525cb5a70e1402e393881b83ef4c7b5d39d3565803d21cd283daf3d74e9a8b059ecac66cf339756acc63608ffcb83d960dba86583bd45108 enchant-2.patch
+"
diff --git a/community/php8/APKBUILD b/community/php8/APKBUILD
index 5bf4977457..3ba058d3c3 100644
--- a/community/php8/APKBUILD
+++ b/community/php8/APKBUILD
@@ -25,7 +25,7 @@
pkgname=php8
_pkgreal=php
-pkgver=8.0.8
+pkgver=8.0.11
pkgrel=0
_apiver=20200930
_suffix=${pkgname#php}
@@ -172,6 +172,8 @@ done
subpackages="$subpackages $pkgname-common::noarch"
# secfixes:
+# 8.0.11-r0:
+# - CVE-2021-21706
# 8.0.8-r0:
# - CVE-2021-21705
# 8.0.2-r0:
@@ -611,7 +613,8 @@ _mv() {
mv "$@"
}
-sha512sums="1f8b94083b64705e24365af57169f8ff08115f31a7471238d9ed7a24b692e46c789f3fc00ff2bef2205243b9cd9c4736831e995a004afc7fc4127f3b74932428 php-8.0.8.tar.xz
+sha512sums="
+2d346959b2691ea0d5334dc9cad225b7a65ec53d6a6493f3b95c4819a0c088bec36aa1bf4ab3c8044a631bcfefb689d85463ff2259d42000e65dac30badcc59d php-8.0.11.tar.xz
8a9a63cddfd9bdde23db85a7be0711e14688bab35b580abd0184d370c54de80b72cbdeb369570cd23927154984f024eaad5d222d53d9e19130fb2e8758dd4540 php8-fpm.initd
cd3a96d3febde3b6657ed80ff58945641443e84e5e0fd3d9df29e640e9549bc452a3412f1999fa02ae1ee2b64c08040998fa75805f67e0252741c376e26e1c3c php8-fpm.logrotate
95f536addfbb28fbca8b14da46d95a3595369d6e98d345f55f0fda1b12bdefd1579a27505424e7d1088a987d330798253cec9bd42b544bb567189cba746217c7 php8-module.conf
@@ -620,4 +623,5 @@ ec206639d076ddac6c2d1db697a5428ed3be979157db39417af7fbe6ab837e8dc00315ae0e55aea4
79f919ca110530cac2f1ed1e7a86e2c396c25022f00501b520b6bd2efa8eefd962df4ad25235b8a37d8a30d67d257baaf9dfb4041891206a5b15a9c895f1797d includedir.patch
b5d7e87df4f45171a185aec1d4cf96157b3c6b9ea9625237e31b0756220a12a64c260cc20c38bfb0146f11fca25c9c25be1981a922ecb14de5cc2965d29d8fe3 sharedir.patch
f634ac591576dff87487d239578420364edb56e977535c4a5ab799d360a799179edf1e7e6a4e6b6e5b4f58e267dbf913ed77bde140ad8425e6df4093bfa69e70 php8-fpm-version-suffix.patch
-1b64a7cef9e81387f955cb60ffa4e3d2277b4f6072e9328d779c0d447c202c8ee9dff0d8d8c34abc82c150311f51c4e9316a3b72a383ca6c9a6e683bc5b349a0 fix-tests-devserver.patch"
+1b64a7cef9e81387f955cb60ffa4e3d2277b4f6072e9328d779c0d447c202c8ee9dff0d8d8c34abc82c150311f51c4e9316a3b72a383ca6c9a6e683bc5b349a0 fix-tests-devserver.patch
+"
diff --git a/community/plasma-workspace/APKBUILD b/community/plasma-workspace/APKBUILD
index 480009dbb1..29fa0c88b3 100644
--- a/community/plasma-workspace/APKBUILD
+++ b/community/plasma-workspace/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=plasma-workspace
pkgver=5.20.5
-pkgrel=1
+pkgrel=2
pkgdesc="KDE Plasma Workspace"
# armhf blocked by kirigami2
# s390x blocked by kactivitymanagerd
diff --git a/community/py3-pyroute2/001-ipset-content.patch b/community/py3-pyroute2/001-ipset-content.patch
new file mode 100644
index 0000000000..b74ad3f988
--- /dev/null
+++ b/community/py3-pyroute2/001-ipset-content.patch
@@ -0,0 +1,11 @@
+--- a/pyroute2/wiset.py.orig 2021-05-12 23:14:00.000000000 +0200
++++ b/pyroute2/wiset.py 2021-08-13 19:12:57.590768736 +0200
+@@ -251,6 +251,8 @@
+ proto = IP_PROTOCOLS.get(proto, str(proto)).lower()
+ key += '{proto}:'.format(proto=proto)
+ key += str(entry.get_attr("IPSET_ATTR_PORT_FROM"))
++ elif parse_type == "mac":
++ key += entry.get_attr("IPSET_ATTR_ETHER")
+ key += ","
+
+ key = key.strip(",")
diff --git a/community/py3-pyroute2/APKBUILD b/community/py3-pyroute2/APKBUILD
index 5064ffc1dc..0a55da2f74 100644
--- a/community/py3-pyroute2/APKBUILD
+++ b/community/py3-pyroute2/APKBUILD
@@ -2,13 +2,15 @@
pkgname=py3-pyroute2
_pkgname=pyroute2
pkgver=0.5.19
-pkgrel=0
+pkgrel=1
pkgdesc="Python Netlink library"
url="https://github.com/svinota/pyroute2"
arch="noarch"
license="GPL-2.0-or-later OR Apache-2.0"
makedepends="py3-setuptools py3-pytest"
-source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ 001-ipset-content.patch
+ "
builddir="$srcdir/$_pkgname-$pkgver"
build() {
@@ -26,4 +28,7 @@ package() {
rm -rf "${pkgdir:?}/usr/bin"
}
-sha512sums="bd60e2adf59b8438ff4f6abf2d41cf18eb60dcef3072577648488db45ffe89bd9c7207c4eccc38eb9256533ea2950e7f20b82ae4940b1207ba71d0f261e83f6d pyroute2-0.5.19.tar.gz"
+sha512sums="
+bd60e2adf59b8438ff4f6abf2d41cf18eb60dcef3072577648488db45ffe89bd9c7207c4eccc38eb9256533ea2950e7f20b82ae4940b1207ba71d0f261e83f6d pyroute2-0.5.19.tar.gz
+1e38436bf3e2670dd8fd47128d739b4c83d4fc087ba3fb75fac0205754a1c7ae8a5c2996cecfccf80111581ea6656ffefa02e053835dd2e33737748532365be8 001-ipset-content.patch
+"
diff --git a/community/rtl8821ce-lts/APKBUILD b/community/rtl8821ce-lts/APKBUILD
index a111e3efc7..c21e408e73 100644
--- a/community/rtl8821ce-lts/APKBUILD
+++ b/community/rtl8821ce-lts/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kevin Daudt <kdaudt@alpinelinux.org>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_flavor="$FLAVOR"
[ -z "$_flavor" ] && _flavor=lts
diff --git a/community/rtpengine-lts/APKBUILD b/community/rtpengine-lts/APKBUILD
index eecbc51630..f20d9a3b46 100644
--- a/community/rtpengine-lts/APKBUILD
+++ b/community/rtpengine-lts/APKBUILD
@@ -5,7 +5,7 @@ _ver=9.0.1.10
_rel=0
# kernel version
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/stellarium/APKBUILD b/community/stellarium/APKBUILD
index afe3c60767..0444fc07e9 100644
--- a/community/stellarium/APKBUILD
+++ b/community/stellarium/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=stellarium
pkgver=0.20.4
-pkgrel=0
+pkgrel=1
pkgdesc="A stellarium with great graphics and a nice database of sky-objects"
url="http://stellarium.org/"
arch="all !mips !mips64 !armhf" # Limited by qt5-qtmultimedia-dev
diff --git a/community/stunnel/APKBUILD b/community/stunnel/APKBUILD
index bca05d9320..8b8bbb92cc 100644
--- a/community/stunnel/APKBUILD
+++ b/community/stunnel/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=stunnel
-pkgver=5.57
+pkgver=5.60
pkgrel=0
pkgdesc="SSL encryption wrapper between network client and server"
url="https://www.stunnel.org"
@@ -44,6 +44,8 @@ package() {
"$pkgdir"/usr/share/doc/$pkgname/examples/
}
-sha512sums="de5feec6c2c01a6aba2c3b9b9356a8b115ba67c194b6459927870c4a5e37f8a57ac74129f223671586393539d789c868bc8f794331c7e4af058e540123b409e9 stunnel-5.57.tar.gz
+sha512sums="
+4ad0423a7e52c0db8746caf4b64ff69abe1f5c880417779d9933597d7ca86f240b64b578dc3e625fba04bbbddad7aa056dd62d2ecdf6d6a842ffa228bace705e stunnel-5.60.tar.gz
51d56a6c0d961f6de5cd2ef07a1cfdb19fb1b74300da9c340899daa919bd9b2c0bfff472f03746df0dd1aa6098c79035921ca36108ca0b93693377f1ac1c7fb4 stunnel.initd
-a72bfddeb74787d58c9fd24782d86c0498ce3530a43fbdd4ec4c4b57baa6257b6ef21005aca274b22c4a22cdbbbcee63dd3d841f458af248db9c69e8d59fa56f stunnel.conf"
+a72bfddeb74787d58c9fd24782d86c0498ce3530a43fbdd4ec4c4b57baa6257b6ef21005aca274b22c4a22cdbbbcee63dd3d841f458af248db9c69e8d59fa56f stunnel.conf
+"
diff --git a/community/swaylock/APKBUILD b/community/swaylock/APKBUILD
index 8a833f2ee1..7b12f9ffe5 100644
--- a/community/swaylock/APKBUILD
+++ b/community/swaylock/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=swaylock
pkgver=1.5
-pkgrel=4
+pkgrel=5
pkgdesc="Screen locker for Wayland"
url="https://swaywm.org"
arch="all"
@@ -24,7 +24,12 @@ subpackages="
$pkgname-fish-completion
$pkgname-zsh-completion
"
-source="$pkgname-$pkgver.tar.gz::https://github.com/swaywm/swaylock/archive/$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/swaywm/swaylock/archive/$pkgver.tar.gz
+ $pkgname-call-fclose-vice-free.patch::https://github.com/swaywm/swaylock/commit/366db56553ee02334871756ab19c72d2171ad364.patch
+ $pkgname-fix-potential-use-after-free.patch::https://github.com/swaywm/swaylock/commit/235b925df7e1bb82d98f1ac8c02e8f85d0a54ee9.patch
+ ungit-version.patch
+ fix-version.patch
+ "
prepare() {
default_prepare
@@ -57,4 +62,10 @@ package() {
mv "$pkgdir"/usr/share/fish/vendor_completions.d "$pkgdir"/usr/share/fish/completions
}
-sha512sums="16dd9b912ca702849290cf18d91ffbd64a70118cc284982a84b567c4974fd4590b12707c0aae1fcda7ccd1caa7880f342c633b9345bd795c36702916696d1f67 swaylock-1.5.tar.gz"
+sha512sums="
+16dd9b912ca702849290cf18d91ffbd64a70118cc284982a84b567c4974fd4590b12707c0aae1fcda7ccd1caa7880f342c633b9345bd795c36702916696d1f67 swaylock-1.5.tar.gz
+c306fa82587a82e698ddc5046ad74e95acff1064b488ec6cd3449a16ca0c879fdf990d940cdbb6ab48cedad3bb28a9a9cf34d75733ed66fe07f2c03eb4e2e0c6 swaylock-call-fclose-vice-free.patch
+fdf99132c12af93c9545344b5b892ba7b1491cd021d565aeb4b02a13f01433c71abd5df442e193497f8fd4c3a2aa97e6e2fed9feb265367d5aed68b1746585fa swaylock-fix-potential-use-after-free.patch
+9919bb17e2cf2c8dc4fbac3ba91434f775574caca345026bd8f56e6e9caeff85fa5ad86a9485b103da9be7e393734c37c20c32141cd42cc7f479273ca2147f6b ungit-version.patch
+3e9316339d6a255662ed7b59e8405885e25bddf95f064f8a0042baaec661affe6588c59cd6d0e0ab44a06bc322b910c61aed86c13189874b98cc978ec446993f fix-version.patch
+"
diff --git a/community/swaylock/fix-version.patch b/community/swaylock/fix-version.patch
new file mode 100644
index 0000000000..a9f6a448c6
--- /dev/null
+++ b/community/swaylock/fix-version.patch
@@ -0,0 +1,11 @@
+--- a/meson.build
++++ b/meson.build
+@@ -1,7 +1,7 @@
+ project(
+ 'swaylock',
+ 'c',
+- version: '1.4',
++ version: '1.5',
+ license: 'MIT',
+ meson_version: '>=0.48.0',
+ default_options: [
diff --git a/community/swaylock/ungit-version.patch b/community/swaylock/ungit-version.patch
new file mode 100644
index 0000000000..fe542d8be5
--- /dev/null
+++ b/community/swaylock/ungit-version.patch
@@ -0,0 +1,21 @@
+--- a/meson.build
++++ b/meson.build
+@@ -46,18 +46,10 @@
+ crypt = cc.find_library('crypt', required: not libpam.found())
+ math = cc.find_library('m')
+
+-git = find_program('git', required: false)
+ scdoc = find_program('scdoc', required: get_option('man-pages'))
+ wayland_scanner = find_program('wayland-scanner')
+
+ version = '"@0@"'.format(meson.project_version())
+-if git.found()
+- git_commit_hash = run_command([git.path(), 'describe', '--always', '--tags'])
+- git_branch = run_command([git.path(), 'rev-parse', '--abbrev-ref', 'HEAD'])
+- if git_commit_hash.returncode() == 0 and git_branch.returncode() == 0
+- version = '"@0@ (" __DATE__ ", branch \'@1@\')"'.format(git_commit_hash.stdout().strip(), git_branch.stdout().strip())
+- endif
+-endif
+ add_project_arguments('-DSWAYLOCK_VERSION=@0@'.format(version), language: 'c')
+
+ wl_protocol_dir = wayland_protos.get_pkgconfig_variable('pkgdatadir')
diff --git a/community/tinc-pre/APKBUILD b/community/tinc-pre/APKBUILD
index dfe9cc04a7..19534490f4 100644
--- a/community/tinc-pre/APKBUILD
+++ b/community/tinc-pre/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
-# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
+# Maintainer: wener <wenermail@gmail.com>
pkgname=tinc-pre
-_distver="1.1pre17"
+_distver="1.1pre18"
pkgver=${_distver/pre/.}
-pkgrel=3
+pkgrel=0
pkgdesc="Virtual Private Network (VPN) daemon (pre-release)"
url="https://tinc-vpn.org/"
# s390x: tests hang
@@ -14,10 +14,8 @@ makedepends="linux-headers ncurses-dev readline-dev
zlib-dev lzo-dev openssl-dev texinfo
automake autoconf libtool bash"
subpackages="$pkgname-doc"
-# TODO remove prevent-large-amounts-of-UDP-probes.patch on next release
-source="http://tinc-vpn.org/packages/tinc-$_distver.tar.gz
+source="https://tinc-vpn.org/packages/tinc-$_distver.tar.gz
tinc-1.1-fix-paths.patch
- prevent-large-amounts-of-UDP-probes.patch
$pkgname.initd
$pkgname.confd
$pkgname.networks
@@ -65,9 +63,10 @@ package() {
"$pkgdir"/etc/conf.d/tinc.networks
}
-sha512sums="b966dbfa522e12ff6766c4deb54a9da29cddc15c3a1df0f0e084df27ee5f1421ffbebc0e29472b1bcd79ea8b41f8c0ef904172e333dcba0b85bafe4654a63b30 tinc-1.1pre17.tar.gz
+sha512sums="
+d8b03c78fd579df58d4c8a03f5d2241d2c95edb660ce9aa34441f6e75df09e3fff7524215c7c4b3622311e80f5bb452a6ac1205f3fd13424d56135f70b973183 tinc-1.1pre18.tar.gz
bb6f9a1fedf6ffab21f6bfa65c8d977b24453a5d667229eec995b979bbe8dcdaa0617f076a3d9081c4580068b385f7595b80856d5abcf9c928b866eb9c6f4910 tinc-1.1-fix-paths.patch
-ce2ff7c57798bfb85f6b382552e31cd1f79ddcc3a1ecc6b823b51103a480d7ccf43475d0e4511b0aa48f4f1515d0e544a1af65a170caf3b6aacc084b391a4855 prevent-large-amounts-of-UDP-probes.patch
59811c3e5241d08ebdfbd539556b7cee0dfaab89727ad503512c98f1a696fae143ecdf2682a652c5d71d077ed254ffe2e1c442b1c305c7e7ea94d9af9a1d385e tinc-pre.initd
f8d9354af5ebc07420ced98059262751bffef434b61c6333964338f327e2ac01ae676e375954efa794a1bccf8b939c78387b9fb7261f675f1237b0d946b529c9 tinc-pre.confd
-f7cb459c170898e51176bd92c642335386db90b7bca2abb3f6eb2514546efbd74e5fd2c8845060111dd48a0dd2cc1890717a03315c9b86185047c259cdc27135 tinc-pre.networks"
+f7cb459c170898e51176bd92c642335386db90b7bca2abb3f6eb2514546efbd74e5fd2c8845060111dd48a0dd2cc1890717a03315c9b86185047c259cdc27135 tinc-pre.networks
+"
diff --git a/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch b/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch
deleted file mode 100644
index 6701b2a919..0000000000
--- a/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Upstream: Yes, merged
-Reason: Prevent large amounts of UDP probes being sent consecutively
-Url: http://git.tinc-vpn.org/git/browse?p=tinc;a=commit;h=2b0aeec02d64bb4724da9ff1dbc19b7d35d7c904
-
-From 017a7fb57655d9b1d706ee78f7e3d0000411b883 Mon Sep 17 00:00:00 2001
-From: Guus Sliepen <guus@tinc-vpn.org>
-Date: Tue, 18 Dec 2018 17:44:08 +0100
-Subject: [PATCH] Prevent large amounts of UDP probes being sent consecutively.
-
-We cannot reset udp_ping_sent to zero when we receive a valid reply to
-an UDP probe, because that would cause a new one to be sent immediately
-in try_udp(). Instead, add a bit to node_status_t to keep track of whether we
-have a UDP probe that's waiting for a reply.
-
-Thanks to Ronny Nilsson for spotting the source of the problem.
----
- src/net_packet.c | 7 ++++---
- src/node.h | 3 ++-
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/net_packet.c b/src/net_packet.c
-index 5a856429..31c66d32 100644
---- a/src/net_packet.c
-+++ b/src/net_packet.c
-@@ -152,11 +152,12 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
- len = ntohs(len16);
- }
-
-- if(n->udp_ping_sent.tv_sec != 0) { // a probe in flight
-+ if(n->status.ping_sent) { // a probe in flight
- gettimeofday(&now, NULL);
- struct timeval rtt;
- timersub(&now, &n->udp_ping_sent, &rtt);
- n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
-+ n->status.ping_sent = false;
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
- } else {
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
-@@ -175,8 +176,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
- reset_address_cache(n->address_cache, &n->address);
- }
-
-- // Reset the UDP ping timer. (no probe in flight)
-- n->udp_ping_sent.tv_sec = 0;
-+ // Reset the UDP ping timer.
-
- if(udp_discovery) {
- timeout_del(&n->udp_ping_timeout);
-@@ -1132,6 +1132,7 @@ static void try_udp(node_t *n) {
- if(ping_tx_elapsed.tv_sec >= interval) {
- gettimeofday(&now, NULL);
- n->udp_ping_sent = now; // a probe in flight
-+ n->status.ping_sent = true;
- send_udp_probe_packet(n, MIN_PROBE_SIZE);
-
- if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
-diff --git a/src/node.h b/src/node.h
-index 3daffd4a..1b33789e 100644
---- a/src/node.h
-+++ b/src/node.h
-@@ -41,7 +41,8 @@ typedef struct node_status_t {
- unsigned int udppacket: 1; /* 1 if the most recently received packet was UDP */
- unsigned int validkey_in: 1; /* 1 if we have sent a valid key to him */
- unsigned int has_address: 1; /* 1 if we know an external address for this node */
-- unsigned int unused: 20;
-+ unsigned int ping_sent: 1; /* 1 if we sent a UDP probe but haven't received the reply yet */
-+ unsigned int unused: 19;
- } node_status_t;
-
- typedef struct node_t {
diff --git a/community/wofi/APKBUILD b/community/wofi/APKBUILD
index 7ec44fdf28..87316a0446 100644
--- a/community/wofi/APKBUILD
+++ b/community/wofi/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Galen Abell <galen@galenabell.com>
# Maintainer: Galen Abell <galen@galenabell.com>
pkgname=wofi
-pkgver=1.2.3
+pkgver=1.2.4
pkgrel=0
pkgdesc="A launcher/menu program for wlroots based wayland compositors."
url="https://hg.sr.ht/~scoopta/wofi"
@@ -9,7 +9,7 @@ arch="all"
license="GPL-3.0-only"
makedepends="wayland-dev gtk+3.0-dev meson"
options="!check" # no tests
-subpackages="$pkgname-doc"
+subpackages="$pkgname-doc $pkgname-dev"
source="$pkgname-v$pkgver.tar.gz::https://hg.sr.ht/~scoopta/wofi/archive/v$pkgver.tar.gz"
builddir="$srcdir/$pkgname-v$pkgver"
@@ -21,4 +21,5 @@ build() {
package() {
DESTDIR="$pkgdir" meson install --no-rebuild -C build
}
-sha512sums="613df12ff3da401d8ca661937cb7a8403ef23ceec328cf45e91b9da8ff6e64f4f669e7052b71c30f4560c975937c18d8912ee55a60bd32ace7498357ab0a8d5a wofi-v1.2.3.tar.gz"
+
+sha512sums="6ae4b05a8521b8953f2603fe22876ecc55744a10ff510f5275c74a00ebe8ce04694a87b92534b1022a00c935c44d3603a415fca7eb46e28a7319be6e8a561698 wofi-v1.2.4.tar.gz"
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index c73a28fb16..852f74b19f 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.13.5
+pkgver=3.13.6
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index dde873aec7..4b6dc0e204 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.48
+pkgver=2.4.51
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -27,7 +27,7 @@ subpackages="$pkgname-ctl
$pkgname-ssl
$pkgname-utils
$pkgname-webdav"
-source="https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
+source="https://dlcdn.apache.org/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
apache2.confd
apache2.logrotate
apache2.initd
@@ -51,6 +51,17 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.51-r0:
+# - CVE-2021-42013
+# 2.4.50-r0:
+# - CVE-2021-41524
+# - CVE-2021-41773
+# 2.4.49-r0:
+# - CVE-2021-40438
+# - CVE-2021-39275
+# - CVE-2021-36160
+# - CVE-2021-34798
+# - CVE-2021-33193
# 2.4.48-r0:
# - CVE-2019-17657
# - CVE-2020-13938
@@ -366,8 +377,9 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
+
sha512sums="
-6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724 httpd-2.4.48.tar.bz2
+9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66 httpd-2.4.51.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index 63660ecf8b..34f9b8b6ba 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.12.6
+pkgver=2.12.7
pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
arch="all"
@@ -86,6 +86,6 @@ luaapk() {
}
sha512sums="
-ebdda710ed11ef404cf0e68a3842fcb7f12b329e870f1341039b3f1a0de12dfcad31228f59bc291e0542f1c1cf4e587e1613478f0d0fd930900bb689fbf52251 apk-tools-v2.12.6.tar.gz
+1297bb969a4d27164b38e64f4d2c00b00758d8d83c7ba658eeddccdd549dc6ba8f26a60a9e71c88f4bca87b2746a8fb4b7bb41e0096cf459e1b841203f903681 apk-tools-v2.12.7.tar.gz
102e6d01a984fb7a84c9432f797e4d8d2c90e9570dd26208b8485569ab471ea88a2cc81eabd3b3f7e4c9685a37afc458dec172a65b03c19c78a7efb598c54f45 _apk
"
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 6585907cba..f5f4d4dbb3 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
pkgver=18.2.1
-pkgrel=1
+pkgrel=2
pkgdesc="Modular Open Source PBX System"
pkgusers="asterisk"
pkggroups="asterisk"
@@ -33,11 +33,14 @@ source="$_download/asterisk-$pkgver.tar.gz
20-musl-astmm-fix.patch
30-asterisk-mariadb.patch
40-asterisk-cdefs.patch
+ CVE-2021-32558.patch
asterisk.initd
asterisk.confd
asterisk.logrotate"
# secfixes:
+# 18.2.1-r2:
+# - CVE-2021-32558
# 18.2.1-r0:
# - CVE-2021-26712
# - CVE-2021-26713
@@ -188,12 +191,15 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9 asterisk-18.2.1.tar.gz
+sha512sums="
+9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9 asterisk-18.2.1.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
771237ba6d42ab62d914f2702234b23fd0bc8c22f2aa33b0e745c9170163c8046f6d48ecb299faab3d6fb397f1aa046421083c3cc88510c9779861c522f357dd 10-musl-mutex-init.patch
0fae11b42894ab3d405bc50e9275b9084712b482fbf9b4259ea938667fc5cbe413655f3ff83da0f607151bb2b6e49c2f741b5ada6944dbb478f076ef8d86380a 20-musl-astmm-fix.patch
a43239189a1170d23d8f99d7658d8e064d4cc8149dd92d68e80d7af7a8fe181e0b111860ab13f12a91172c1e7f370c1a86679081b9ced98f4932fdfc64f04a49 30-asterisk-mariadb.patch
ba33f11169284f190b7dabab1da7d2751cb65d7976408db635a892fa17d7552e1660350017e7aada3464ecc7d9d6e99d6ad76d66c0036de062a386cffbc948e6 40-asterisk-cdefs.patch
+87df7c97c0963f41a6d61ed80c7b9996d7f38fa39bbca50c3157f4bb68146e1c977459dfdff734395aca4fd9d801c15d6c996bfabdd81be16b96f3bbe92ff480 CVE-2021-32558.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
-7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
+7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate
+"
diff --git a/main/asterisk/CVE-2021-32558.patch b/main/asterisk/CVE-2021-32558.patch
new file mode 100644
index 0000000000..522d8d6f4f
--- /dev/null
+++ b/main/asterisk/CVE-2021-32558.patch
@@ -0,0 +1,126 @@
+From 852a8780cb45db0dca7c18b364cb0485a1e09840 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@sangoma.com>
+Date: Mon, 10 May 2021 17:59:00 -0500
+Subject: [PATCH] AST-2021-008 - chan_iax2: remote crash on unsupported media format
+
+If chan_iax2 received a packet with an unsupported media format, for
+example vp9, then it would set the frame's format to NULL. This could
+then result in a crash later when an attempt was made to access the
+format.
+
+This patch makes it so chan_iax2 now ignores/drops frames received
+with unsupported media format types.
+
+ASTERISK-29392 #close
+
+Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
+---
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 4122c04..c57434b 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -4132,6 +4132,7 @@
+ long ms;
+ long next;
+ struct timeval now = ast_tvnow();
++ struct ast_format *voicefmt;
+
+ /* Make sure we have a valid private structure before going on */
+ ast_mutex_lock(&iaxsl[callno]);
+@@ -4151,10 +4152,9 @@
+
+ ms = ast_tvdiff_ms(now, pvt->rxcore);
+
+- if(ms >= (next = jb_next(pvt->jb))) {
+- struct ast_format *voicefmt;
+- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+- ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
++ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
++ if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
++ ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
+ switch(ret) {
+ case JB_OK:
+ fr = frame.data;
+@@ -4182,7 +4182,7 @@
+ pvt = iaxs[callno];
+ }
+ }
+- break;
++ break;
+ case JB_DROP:
+ iax2_frame_free(frame.data);
+ break;
+@@ -6451,8 +6451,14 @@
+ f->frametype = fh->type;
+ if (f->frametype == AST_FRAME_VIDEO) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else if (f->frametype == AST_FRAME_VOICE) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else {
+ f->subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -9929,8 +9935,8 @@
+ } else if (iaxs[fr->callno]->voiceformat == 0) {
+ ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+- } else {
+- f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
++ } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
++ iaxs[fr->callno]->voiceformat))) {
+ f.datalen = len;
+ if (f.datalen >= 0) {
+ if (f.datalen)
+@@ -10173,11 +10179,17 @@
+ f.frametype = fh->type;
+ if (f.frametype == AST_FRAME_VIDEO) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ if ((fh->csub >> 6) & 0x1) {
+ f.subclass.frame_ending = 1;
+ }
+ } else if (f.frametype == AST_FRAME_VOICE) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ } else {
+ f.subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -11795,6 +11807,11 @@
+ f.subclass.frame_ending = 1;
+ }
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
+ } else {
+ ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
+ iax2_vnak(fr->callno);
+@@ -11816,9 +11833,14 @@
+ } else {
+ /* A mini frame */
+ f.frametype = AST_FRAME_VOICE;
+- if (iaxs[fr->callno]->voiceformat > 0)
++ if (iaxs[fr->callno]->voiceformat > 0) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+- else {
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
++ } else {
+ ast_debug(1, "Received mini frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+ ast_variables_destroy(ies.vars);
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 1cded17a4f..b1550e5cd8 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,7 +5,7 @@
# Contributor: ungleich <alpinelinux@ungleich.ch>
# Maintainer:
pkgname=bind
-pkgver=9.16.15
+pkgver=9.16.20
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
@@ -57,9 +57,12 @@ source="
named.conf.recursive
127.zone
localhost.zone
+ bind-9.16.20-map-format-fix.patch
"
# secfixes:
+# 9.16.20-r0:
+# - CVE-2021-25218
# 9.16.15-r0:
# - CVE-2021-25214
# - CVE-2021-25215
@@ -269,7 +272,8 @@ _gpgfingerprints="
BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
"
-sha512sums="30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033 bind-9.16.15.tar.xz
+sha512sums="
+bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190502de7139f85d8b080b3b8ee968811a8df78e5761781525d bind-9.16.20.tar.xz
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
53db80f7ee4902f42fb1d0bc959242bcb6f20d95256bda99ce2c206af8b4703c7f72bb26d026c633f70451b84a37c3946b210951e34dd5d6620b181cd0183de4 named.initd
@@ -277,4 +281,6 @@ sha512sums="30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917
d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
-340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone"
+340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
+d9224712ee2c6f6d0ff483ed253497548935fe35f45e5bdf26c9bd25c6234adde00727df7eb49fbfbfb34aad9d9fa0f112e900804794ad90a5cd8a64e9db61c6 bind-9.16.20-map-format-fix.patch
+"
diff --git a/main/bind/bind-9.16.20-map-format-fix.patch b/main/bind/bind-9.16.20-map-format-fix.patch
new file mode 100644
index 0000000000..f6e3c9b378
--- /dev/null
+++ b/main/bind/bind-9.16.20-map-format-fix.patch
@@ -0,0 +1,8 @@
+--- a/lib/dns/mapapi
++++ b/lib/dns/mapapi
+@@ -13,4 +13,4 @@
+ # Whenever releasing a new major release of BIND9, set this value
+ # back to 1.0 when releasing the first alpha. Map files are *never*
+ # compatible across major releases.
+-MAPAPI=2.0
++MAPAPI=3.0
diff --git a/main/c-ares/APKBUILD b/main/c-ares/APKBUILD
index 8b0d659a63..5977622f51 100644
--- a/main/c-ares/APKBUILD
+++ b/main/c-ares/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=c-ares
-pkgver=1.17.1
-pkgrel=1
+pkgver=1.17.2
+pkgrel=0
pkgdesc="An asynchronously DNS/names resolver library"
url="https://c-ares.haxx.se/"
arch="all"
@@ -11,6 +11,10 @@ license="MIT"
subpackages="$pkgname-doc $pkgname-static $pkgname-dev"
source="https://c-ares.haxx.se/download/c-ares-$pkgver.tar.gz"
+# secfixes:
+# 1.17.2-r0:
+# - CVE-2021-3672
+
build() {
./configure \
--build=$CBUILD \
@@ -36,4 +40,6 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="b11887bcc9274d368088e1a8b6aca62414f20675cf0bc58e948f54fa04c327c39dd23cefe7509eec6397db14b550a3f6b77f5c18b3d735b3eef48ce2da1dcd00 c-ares-1.17.1.tar.gz"
+sha512sums="
+f625e0ef8508af6475d3e83b51ab29be8a4878e2a87e7f518bea046b76a74bfde7043ca6ec2a9e714c898ab9e5d4a5a678c3347a9f9eb68980438f7ca8ae3fc8 c-ares-1.17.2.tar.gz
+"
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 5976f05ee0..bb23e53483 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
-pkgver=7.78.0
+pkgver=7.79.1
pkgrel=0
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
@@ -19,6 +19,10 @@ source="https://curl.se/download/curl-$pkgver.tar.xz"
options="net" # Required for running tests
# secfixes:
+# 7.79.0-r0:
+# - CVE-2021-22945
+# - CVE-2021-22946
+# - CVE-2021-22947
# 7.78.0-r0:
# - CVE-2021-22922
# - CVE-2021-22923
@@ -154,5 +158,5 @@ static() {
}
sha512sums="
-f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a curl-7.78.0.tar.xz
+1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz
"
diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD
index 6817d0f15c..75850e5c53 100644
--- a/main/dahdi-linux-lts/APKBUILD
+++ b/main/dahdi-linux-lts/APKBUILD
@@ -9,7 +9,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index b5e4f903d1..88444f78b9 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -1,24 +1,37 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=gd
-pkgver=2.3.0
-pkgrel=2
+pkgver=2.3.2
+pkgrel=1
_pkgreal=lib$pkgname
pkgdesc="Library for the dynamic creation of images by programmers"
url="https://libgd.github.io/"
arch="all"
license="custom"
-makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev"
+makedepends="
+ libjpeg-turbo-dev
+ libpng-dev
+ libwebp-dev
+ freetype-dev
+ zlib-dev
+ "
subpackages="$pkgname-dev $_pkgreal:libs"
-source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz"
+source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz
+ CVE-2021-38115.patch
+ CVE-2021-40145.patch
+ "
builddir="$srcdir/$_pkgreal-$pkgver"
# https://github.com/libgd/libgd/issues/359
options="!check"
# secfixes:
+# 2.3.0-r1:
+# - CVE-2021-38115
+# - CVE-2021-40145
# 2.3.0-r0:
# - CVE-2019-11038
# - CVE-2018-14553
+# - CVE-2017-6363
# 2.2.5-r2:
# - CVE-2018-5711
# - CVE-2019-6977
@@ -54,4 +67,8 @@ dev() {
mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin/
}
-sha512sums="5b201d22560e147a3d5471010b898ad0268c3a2453b870d1267b6ba92e540cf9f75099336c1ab08217e41827ac86fe04525726bf29ad117e5dcbaef9a8d0622a libgd-2.3.0.tar.xz"
+sha512sums="
+a31c6dbb64e7b725b63f3b400f7bebc289e2d776bdca0595af23006841660dc93a56c2247b98f8a584438a826f9e9ff0bea17d0b3900e48e281580b1308794d2 libgd-2.3.2.tar.xz
+cf455c3487dd3ef074abb0d89c2763e5652b11273a63eb050212dbed911e6fe9b65bf26c2de8ac9dc32d8225c096389075f518296280c3109c19612daafdb043 CVE-2021-38115.patch
+778ec72d6bcccd5fac032bb165f198cd588bc59e8358cb0933fe2e7e688416d693c517b0c2afd1c3b682619404a94bb4f0babbdf895774e83c869a34f191f84a CVE-2021-40145.patch
+"
diff --git a/main/gd/CVE-2021-38115.patch b/main/gd/CVE-2021-38115.patch
new file mode 100644
index 0000000000..94083594e0
--- /dev/null
+++ b/main/gd/CVE-2021-38115.patch
@@ -0,0 +1,26 @@
+From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 10:07:13 +0430
+Subject: [PATCH] fix read out-of-bands in reading tga header file
+
+---
+ src/gd_tga.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index cae9428da..286febb28 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ return -1;
+ }
+
+- gdGetBuf(tga->ident, tga->identsize, ctx);
++
++ if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
++ gd_error("fail to read header ident");
++ return -1;
++ }
+ }
+
+ return 1;
diff --git a/main/gd/CVE-2021-40145.patch b/main/gd/CVE-2021-40145.patch
new file mode 100644
index 0000000000..3f6b855eb2
--- /dev/null
+++ b/main/gd/CVE-2021-40145.patch
@@ -0,0 +1,124 @@
+From e95059590fadaabd9aadc0c0489804d75a3c5d52 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 18:52:50 +0430
+Subject: [PATCH 1/3] gdImageGd2Ptr memory leak
+
+---
+ src/gd_gd2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 760e85b9f..84ec53375 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+-/*
++
/*
+ * gd_gd2.c
+ *
+ * Implements the I/O and support for the GD2 format.
+@@ -910,9 +910,11 @@ _gd2PutHeader (gdImagePtr im, gdIOCtx * out, int cs, int fmt, int cx, int cy)
+
+ }
+
+-static void
++/* returns 0 on success, 1 on failure */
++static int
+ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ {
++ int ret = 0;
+ int ncx, ncy, cx, cy;
+ int x, y, ylo, yhi, xlo, xhi;
+ int chunkLen;
+@@ -974,10 +976,12 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ /* */
+ chunkData = gdCalloc (cs * bytesPerPixel * cs, 1);
+ if (!chunkData) {
++ ret = 1;
+ goto fail;
+ }
+ compData = gdCalloc (compMax, 1);
+ if (!compData) {
++ ret = 1;
+ goto fail;
+ }
+
+@@ -992,6 +996,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+
+ chunkIdx = gdCalloc (idxSize * sizeof (t_chunk_info), 1);
+ if (!chunkIdx) {
++ ret = 1;
+ goto fail;
+ }
+ };
+@@ -1107,6 +1112,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ }
+ GD2_DBG (printf ("Done\n"));
+
++ return ret;
++
+ }
+
+ /*
+@@ -1128,8 +1135,11 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ if (out == NULL) return NULL;
+- _gdImageGd2 (im, out, cs, fmt);
+- rv = gdDPExtractData (out, size);
++ if (_gdImageGd2(im, out, cs, fmt)) {
++ rv = NULL;
++ } else {
++ rv = gdDPExtractData(out, size);
++ }
+ out->gd_free (out);
+ return rv;
+ }
+
+From e8eeb8dde5bc4c9d4e7ae1ab43d9fd1780ceb792 Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 11:46:07 +0430
+Subject: [PATCH 2/3] trigger the github actions
+
+---
+ src/gd_gd2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 84ec53375..097c93d0d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1135,11 +1135,13 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ if (out == NULL) return NULL;
++
+ if (_gdImageGd2(im, out, cs, fmt)) {
+ rv = NULL;
+ } else {
+ rv = gdDPExtractData(out, size);
+ }
++
+ out->gd_free (out);
+ return rv;
+ }
+
+From a1d4caace613d31209b42d22d9f7ebe37c381f9a Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 12:02:23 +0430
+Subject: [PATCH 3/3] remove non-printable bytes
+
+---
+ src/gd_gd2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 097c93d0d..5c57d44a6 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+-
/*
++/*
+ * gd_gd2.c
+ *
+ * Implements the I/O and support for the GD2 format.
diff --git a/main/geoip/APKBUILD b/main/geoip/APKBUILD
index dcde2c3a59..245a56315e 100644
--- a/main/geoip/APKBUILD
+++ b/main/geoip/APKBUILD
@@ -2,15 +2,14 @@
pkgname="geoip"
_pkgname="GeoIP"
pkgver=1.6.12
-pkgrel=1
+pkgrel=2
pkgdesc="Lookup countries by IP addresses"
url="http://www.maxmind.com/app/ip-location"
arch="all"
license="GPL"
makedepends="zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/maxmind/geoip-api-c/releases/download/v$pkgver/$_pkgname-$pkgver.tar.gz
- geoip.cron"
+source="https://github.com/maxmind/geoip-api-c/releases/download/v$pkgver/$_pkgname-$pkgver.tar.gz"
builddir="$srcdir"/$_pkgname-$pkgver
build() {
@@ -29,7 +28,6 @@ package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
mkdir -p "$pkgdir"/usr/share/GeoIP
- install -m755 -D ../../geoip.cron "$pkgdir"/etc/periodic/monthly/geoip
}
check() {
@@ -37,5 +35,6 @@ check() {
make check
}
-sha512sums="a1c8120692a7ba6de5836550917f86f4797dd236a8b7d71b6f92b5389e4b071d89e57036654f5de1d4b762730a2a5c331c31414eab0c889c9befaa097941fee7 GeoIP-1.6.12.tar.gz
-910b1efc93898416057aa7fc1a3f57d35f354973656ed40fbe266c737c4b4aa37f28b42e4163ed850a454c999bc880c27d863a04a14328b7b7e65348a85dd7d3 geoip.cron"
+sha512sums="
+a1c8120692a7ba6de5836550917f86f4797dd236a8b7d71b6f92b5389e4b071d89e57036654f5de1d4b762730a2a5c331c31414eab0c889c9befaa097941fee7 GeoIP-1.6.12.tar.gz
+"
diff --git a/main/geoip/geoip.cron b/main/geoip/geoip.cron
deleted file mode 100755
index 8d74aff5cf..0000000000
--- a/main/geoip/geoip.cron
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz -O /tmp/GeoIP.dat.gz && gunzip /tmp/GeoIP.dat.gz && mv /tmp/GeoIP.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz -O /tmp/GeoIPv6.dat.gz && gunzip /tmp/GeoIPv6.dat.gz && mv /tmp/GeoIPv6.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -O /tmp/GeoLiteCity.dat.gz && gunzip /tmp/GeoLiteCity.dat.gz && mv /tmp/GeoLiteCity.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz -O /tmp/GeoLiteCityv6.dat.gz && gunzip /tmp/GeoLiteCityv6.dat.gz && mv /tmp/GeoLiteCityv6.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz -O /tmp/GeoIPASNum.dat.gz && gunzip /tmp/GeoIPASNum.dat.gz && mv /tmp/GeoIPASNum.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz -O /tmp/GeoIPASNumv6.dat.gz && gunzip /tmp/GeoIPASNumv6.dat.gz && mv /tmp/GeoIPASNumv6.dat /usr/share/GeoIP
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 22f173a3e9..95587fb82d 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.53.3
-pkgrel=0
+pkgrel=1
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -13,12 +13,15 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev expat-dev
cups-dev libtool jbig2dec-dev openjpeg-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostscript-$pkgver.tar.gz
+ CVE-2021-3781.patch
ghostscript-system-zlib.patch
fix-sprintf.patch
freetype.patch
"
# secfixes:
+# 9.53.3-r1:
+# - CVE-2021-3781
# 9.51-r0:
# - CVE-2020-16287
# - CVE-2020-16288
@@ -155,7 +158,10 @@ gtk() {
mv "$pkgdir"/usr/bin/gsx "$subpkgdir"/usr/bin/
}
-sha512sums="c142ef9d83896aa8fd18c8e412220fe8f4950614be00d327d27ab051fe85e16524bf2ee00f46c2aca7a352ce47bc3acf2c4de0f7bbea7e4c55474b8af6cdc0a6 ghostscript-9.53.3.tar.gz
+sha512sums="
+c142ef9d83896aa8fd18c8e412220fe8f4950614be00d327d27ab051fe85e16524bf2ee00f46c2aca7a352ce47bc3acf2c4de0f7bbea7e4c55474b8af6cdc0a6 ghostscript-9.53.3.tar.gz
+26a625518b18433309ccf404cbe90e2240a75091ae8c38d197d5dce5e1ac7e3df73be83683b64de2d38f429ffa45cb3eda9ecf9388e40094a1ca84328457a8f4 CVE-2021-3781.patch
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
-16735f13caf20ea56a057f4a94556d3e2191c2db28caab0757f36d12261065a494a053d17fb8a734573709c023955daa18c4e45c319355673ec4e6b7d823cf80 freetype.patch"
+16735f13caf20ea56a057f4a94556d3e2191c2db28caab0757f36d12261065a494a053d17fb8a734573709c023955daa18c4e45c319355673ec4e6b7d823cf80 freetype.patch
+"
diff --git a/main/ghostscript/CVE-2021-3781.patch b/main/ghostscript/CVE-2021-3781.patch
new file mode 100644
index 0000000000..5c0f6bcb4e
--- /dev/null
+++ b/main/ghostscript/CVE-2021-3781.patch
@@ -0,0 +1,232 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+
+for the "%pipe%", %handle%" and %printer% io devices.
+
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+
+Addresses CVE-2021-3781
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
++++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ /* The pipe device can be reached in two ways, explicltly with %pipe%
++ or implicitly with "|", so we have to check for both
++ */
++ char f[gp_file_name_sizeof];
++ const char *pipestr = "|";
++ const size_t pipestrlen = strlen(pipestr);
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
++ int code1;
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ code1 = gp_validate_path(mem, f, access);
++
++ memcpy(f, pipestr, pipestrlen);
++ memcpy(f + pipestrlen, fname, nlen + 1);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+ return gs_error_invalidfileaccess;
+
+ /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
++++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ long hfile; /* Correct for Win32, may be wrong for Win64 */
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ char f[gp_file_name_sizeof];
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, f, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
++++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(pname, iodev->dname, preflen);
++ memcpy(pname + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, pname, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
++++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ FILE ** pfile, char *rfname, uint rnamelen)
+ {
+ os2_printer_t *pr = (os2_printer_t *)iodev->state;
+- char driver_name[256];
++ char driver_name[gp_file_name_sizeof];
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const int size_t = strlen(fname);
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(driver_name, iodev->dname, preflen);
++ memcpy(driver_name + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, driver_name, access) != 0)
++ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+ /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+ rewrite_percent_specifiers(f);
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_add_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_add_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_add_control_path(mem, gs_permit_file_control, fp);
++
++ code = gs_add_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_add_control_path(mem, gs_permit_file_writing, fp);
++ return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_remove_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
++ rewrite_percent_specifiers(f);
++
++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
++ return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+--
+2.17.1
+
diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD
index 73651cfa67..1142f0067c 100644
--- a/main/gnupg/APKBUILD
+++ b/main/gnupg/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnupg
-pkgver=2.2.27
+pkgver=2.2.31
_ver=${pkgver/_beta/-beta}
pkgrel=0
pkgdesc="GNU Privacy Guard 2 - a PGP replacement tool"
@@ -21,7 +21,7 @@ source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2
install="$pkgname-scdaemon.pre-install"
# secfixes:
-# 2.2.13-r0:
+# 2.2.23-r0:
# - CVE-2020-25125
# 2.2.18-r0:
# - CVE-2019-14855
@@ -74,7 +74,9 @@ scdaemon() {
mv "$pkgdir/usr/libexec/scdaemon" "$subpkgdir/usr/libexec/"
}
-sha512sums="cf336962116c9c08ac80b1299654b94948033ef51d6d5e7f54c2f07bbf7d92c7b0bddb606ceee2cdd837063f519b8d59af5a82816b840a0fc47d90c07b0e95ab gnupg-2.2.27.tar.bz2
+sha512sums="
+2f6fa200e08d6b8993b482e5825bea6083afc8686c4e1ae80386b36ae49e1c2d73066c508edaa359a7794cb26ba7a00f81555a906fa422d1117e41415cfa2fea gnupg-2.2.31.tar.bz2
c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch
-4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules"
+4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules
+"
diff --git a/community/gpsd/APKBUILD b/main/gpsd/APKBUILD
index db0ef9107e..8554e6a750 100644
--- a/community/gpsd/APKBUILD
+++ b/main/gpsd/APKBUILD
@@ -1,17 +1,25 @@
# Contributor: Nathan Angelacos <nangel@alpinelinux.org>
# Maintainer: Nathan Angelacos <nangel@alpinelinux.org>
+
+# gpsd is commonly used with NTP servers to provide a stable clock,
+# please do not move to community.
+
pkgname=gpsd
-pkgver=3.21
+pkgver=3.23
pkgrel=0
pkgdesc="GPS daemon"
-arch=all
+arch="all"
url="http://catb.org/gpsd/"
license="BSD-2-Clause"
-makedepends="scons python3-dev libcap-dev ncurses-dev"
-subpackages="$pkgname-dev $pkgname-doc py3-$pkgname:_py $pkgname-clients:_clients"
+makedepends="scons asciidoctor python3-dev libcap-dev ncurses-dev"
+subpackages="
+ $pkgname-dev
+ $pkgname-doc
+ py3-$pkgname:_py:noarch
+ $pkgname-clients:_clients
+ $pkgname-openrc"
source="https://download-mirror.savannah.gnu.org/releases/gpsd/gpsd-$pkgver.tar.gz
timepps.h
- gpsd-use-local-timepps-header.patch
gpsd.initd
gpsd.confd"
@@ -32,10 +40,11 @@ prepare() {
}
build() {
- CPPFLAGS="$CPPFLAGS -I. -DHAVE_SYS_TIMEPPS_H"
+ CPPFLAGS="$CPPFLAGS -I$builddir -DHAVE_SYS_TIMEPPS_H"
scons -j${JOBS:-1} \
prefix=/usr \
target_python=python3 \
+ python_shebang=/usr/bin/python3 \
dbus_export=no \
systemd=no
}
@@ -46,9 +55,6 @@ check() {
package() {
DESTDIR="$pkgdir" scons install
- # fix python interpreter path
- sed -e "s,#!/usr/bin/\(python[23]\?\|env \+python[23]\?\),#!/usr/bin/python3},g" -i \
- gegps gpscat gpsfake xgps xgpsspeed gpsprof gps/*.py
install -m755 -D "$srcdir"/gpsd.initd "$pkgdir"/etc/init.d/gpsd
install -m644 -D "$srcdir"/gpsd.confd "$pkgdir"/etc/conf.d/gpsd
}
@@ -75,8 +81,9 @@ _clients() {
mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin
}
-sha512sums="7fbff3698a44ef24ce4631f1d0c5192b70c2e47f28e61372d8d0c437a6b4aeee459b08dcd69d9dc02bbda7b56949fd01ac57460fb922b5f807455f4ab3e91f2d gpsd-3.21.tar.gz
+sha512sums="
+967cc9801271418023630df02b457b76108968992151f6e80b569e99b856bd79cc3d0369d2088f3bc609b2ab22b29dba87639bf466bf262ab80b2b3f04055f8b gpsd-3.23.tar.gz
eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h
-b692c9fc77a9db3fc621693d3b9e3ef9bc2efbbc7b01651168d7b928d29d48a489b8859930bad01b6021e211372e069a726b78dd5938385ed4ae0153b38f4170 gpsd-use-local-timepps-header.patch
51319247eb78c3021d3eb897cb5d6026cc09d46a532a245a835459ed525947ffb6239f08126dd7e344de52e3b0387226bce060191ec3f14f99fc9f255d96f8ea gpsd.initd
-75dbfe39eb900cc9587dd70794ee77ae2230765bbede47760ca227145aa3f2290b6995335ffcfeae6cd86f56b01ca87367548f4fbcf810aff1bc012b7416deef gpsd.confd"
+75dbfe39eb900cc9587dd70794ee77ae2230765bbede47760ca227145aa3f2290b6995335ffcfeae6cd86f56b01ca87367548f4fbcf810aff1bc012b7416deef gpsd.confd
+"
diff --git a/community/gpsd/gpsd.confd b/main/gpsd/gpsd.confd
index 0f52aa9b5e..0f52aa9b5e 100644
--- a/community/gpsd/gpsd.confd
+++ b/main/gpsd/gpsd.confd
diff --git a/community/gpsd/gpsd.initd b/main/gpsd/gpsd.initd
index d2a30071a2..d2a30071a2 100644
--- a/community/gpsd/gpsd.initd
+++ b/main/gpsd/gpsd.initd
diff --git a/community/gpsd/timepps.h b/main/gpsd/timepps.h
index 8c3bd835d6..8c3bd835d6 100644
--- a/community/gpsd/timepps.h
+++ b/main/gpsd/timepps.h
diff --git a/main/grep/APKBUILD b/main/grep/APKBUILD
index ab0a5ee44e..d60a66f98c 100644
--- a/main/grep/APKBUILD
+++ b/main/grep/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=grep
-pkgver=3.6
+pkgver=3.7
pkgrel=0
pkgdesc="Searches input files for lines containing a match to a specified pattern"
url="https://www.gnu.org/software/grep/grep.html"
@@ -45,5 +45,7 @@ package() {
rmdir -p "$pkgdir"/usr/lib 2>/dev/null || true
}
-sha512sums="8934544a19ded61344d83ff2cab501e86f17f8ae338892e0c36c2d2d8e63c76817840a0071ef5e3fcbca9115eba8a1aae0e4c46b024e75cd9a2e3bd05f933d90 grep-3.6.tar.xz
-9ba6b01c0c74933299afb469dadd2ea0c7e24befa34c691671a576063e32a1f0c735541e5e2bb0073d8afd814790909f7f895827aa8a2fbacdfcae380a7bcb11 fix-tests.patch"
+sha512sums="
+e9e45dcd40af8367f819f2b93c5e1b4e98a251a9aa251841fa67a875380fae52cfa27c68c6dbdd6a4dde1b1017ee0f6b9833ef6dd6e419d32d71b6df5e972b82 grep-3.7.tar.xz
+9ba6b01c0c74933299afb469dadd2ea0c7e24befa34c691671a576063e32a1f0c735541e5e2bb0073d8afd814790909f7f895827aa8a2fbacdfcae380a7bcb11 fix-tests.patch
+"
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index cd3b9e540a..7c73e016e6 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -4,7 +4,7 @@
pkgname=haproxy
# NOTE: Upgrade only to LTS versions announced on upstream site url!
# Using LTS versions is easier to keep it in good shape for stable releases
-pkgver=2.2.15
+pkgver=2.2.17
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -36,8 +36,7 @@ build() {
USE_NS=1 \
LUA_LIB=/usr/lib/lua$_luaver \
LUA_INC=/usr/include/lua$_luaver \
- EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" \
- CFLAGS="$CFLAGS"
+ EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"
}
check() {
@@ -58,7 +57,7 @@ package() {
}
sha512sums="
-ef77cb2201ea61e7ac085acca8db6e9ee43ce1db2e8c5366d49cad9ace654eb81809a70f96b20a6f6f549061f8a73012ad1805a009c3e1c6fa5cd195af795012 haproxy-2.2.15.tar.gz
+174197e1e0915a6ae6062b9a070f16102ac7f3429f991f36cdb2e2cce587bd26059bd1dc71a368f904bcdecd292ab5926715160400ae96d498d902aac356864f haproxy-2.2.17.tar.gz
4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
"
diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index e578b56927..7aabd83c2b 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgcrypt
pkgver=1.8.8
-pkgrel=0
+pkgrel=1
pkgdesc="general purpose crypto library based on the code used in GnuPG"
url="https://www.gnupg.org/"
arch="all"
@@ -9,9 +9,13 @@ license="LGPL-2.1-or-later"
depends_dev="libgpg-error-dev"
makedepends="$depends_dev texinfo"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
-source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-$pkgver.tar.bz2"
+source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-$pkgver.tar.bz2
+ CVE-2021-40528.patch
+ "
# secfixes:
+# 1.8.8-r1:
+# - CVE-2021-40528
# 1.8.8-r0:
# - CVE-2021-33560
# 1.8.5-r0:
@@ -65,4 +69,5 @@ static() {
sha512sums="
9861f3b5da3cb013eb79efbf2859864f8c2c11b41484b051c981c45cc0bf1569202838226da10ebddeb7a7b7f39ebd3a95f107b9bf6f908074ccc9a51ea94db8 libgcrypt-1.8.8.tar.bz2
+1af48fddb687aa68ff6db9e1c69d6870fbed2dc1e523d0174f6636f92d8b9a918c86a9e26696ca21ee9a3cb5ba38bb21009618343feb8a8fdaa753245113c0e3 CVE-2021-40528.patch
"
diff --git a/main/libgcrypt/CVE-2021-40528.patch b/main/libgcrypt/CVE-2021-40528.patch
new file mode 100644
index 0000000000..52a376f327
--- /dev/null
+++ b/main/libgcrypt/CVE-2021-40528.patch
@@ -0,0 +1,51 @@
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index ae7a631..eead450 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -510,8 +510,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+- gcry_mpi_t t1, t2, r;
++ gcry_mpi_t t1, t2, r, r1, h;
+ unsigned int nbits = mpi_get_nbits (skey->p);
++ gcry_mpi_t x_blind;
+
+ mpi_normalize (a);
+ mpi_normalize (b);
+@@ -522,20 +523,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+
+ t2 = mpi_snew (nbits);
+ r = mpi_new (nbits);
++ r1 = mpi_new (nbits);
++ h = mpi_new (nbits);
++ x_blind = mpi_snew (nbits);
+
+ /* We need a random number of about the prime size. The random
+ number merely needs to be unpredictable; thus we use level 0. */
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+
++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++ mpi_set_highbit (r1, nbits - 1);
++ mpi_sub_ui (h, skey->p, 1);
++ mpi_mul (x_blind, h, r1);
++ mpi_add (x_blind, skey->x, x_blind);
++
+ /* t1 = r^x mod p */
+- mpi_powm (t1, r, skey->x, skey->p);
++ mpi_powm (t1, r, x_blind, skey->p);
+ /* t2 = (a * r)^-x mod p */
+ mpi_mulm (t2, a, r, skey->p);
+- mpi_powm (t2, t2, skey->x, skey->p);
++ mpi_powm (t2, t2, x_blind, skey->p);
+ mpi_invm (t2, t2, skey->p);
+ /* t1 = (t1 * t2) mod p*/
+ mpi_mulm (t1, t1, t2, skey->p);
+
++ mpi_free (x_blind);
++ mpi_free (h);
++ mpi_free (r1);
+ mpi_free (r);
+ mpi_free (t2);
+
diff --git a/main/libspf2/APKBUILD b/main/libspf2/APKBUILD
index 80843440bf..5739e5ebd6 100644
--- a/main/libspf2/APKBUILD
+++ b/main/libspf2/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libspf2
pkgver=1.2.10
-pkgrel=4
+pkgrel=5
pkgdesc="Sender Policy Framework library, a part of the SPF/SRS protocol pair."
url="https://wiki.gnome.org/Projects/Libsecret"
arch="all"
@@ -16,8 +16,13 @@ source="http://www.libspf2.org/spf/$pkgname-$pkgver.tar.gz
netdb_success.patch
musl-res_close.patch
fix-gcc-variadic-macros.patch
+ CVE-2021-20314.patch
"
+# secfixes:
+# 1.2.10-r5:
+# - CVE-2021-20314
+
prepare() {
cd "$builddir"
update_config_sub
@@ -53,9 +58,12 @@ tools() {
rm -fr "$pkgdir"/usr/bin
}
-sha512sums="162ce382628c6fcadac3e11f5a12442db622bb23f7ec503e16f5ba7fc88afdd777bce6b093c12a58210355985fd11b74b140f08fab347334d82d953dd183b130 libspf2-1.2.10.tar.gz
+sha512sums="
+162ce382628c6fcadac3e11f5a12442db622bb23f7ec503e16f5ba7fc88afdd777bce6b093c12a58210355985fd11b74b140f08fab347334d82d953dd183b130 libspf2-1.2.10.tar.gz
3b9bff9b5a5b95f6722f86a43373b0c84cbb79a4509cf0c73486612c0a1b33587bb0b42966b0d2e3a317e4d7a730091fa444bd1258afd06bb3553c4a96d3ee34 00001.patch
18ddfe106b652e2fb9e36a9f1743fc7cecf38530da65a06ac892b60d2c430aaad657f5653495950d4af4b9833826366b79e629937498e5ce7f6af716303221c4 00002.patch
033dd1e959004f7a1026fb1de73813e934560101e04897297e468918ee28e4d7d0f271d6f05d984db22dd43e097f6aa133df18d11419b085d89db89b120750c9 netdb_success.patch
4fb8a28a667d8fe54a48fa89230446b758c6d532866ee26e8b9ef3032f6e0993ec19a2cc2fb265d18d259e35de6fe66183763bbc69c424de70ad8fe0dbcf7a2f musl-res_close.patch
-2face288cfb2cbcfced0f6d47f905b9efdccf696de780892c4e36b134bb4dbe77416b42f42f8ccb16da47551d800fe037899324dec33e140fb8cea0f201abd74 fix-gcc-variadic-macros.patch"
+2face288cfb2cbcfced0f6d47f905b9efdccf696de780892c4e36b134bb4dbe77416b42f42f8ccb16da47551d800fe037899324dec33e140fb8cea0f201abd74 fix-gcc-variadic-macros.patch
+809c9a001b21831a6840359bea3f4e302e1589a5e77bceff85dd63d631ac25ce217ba11446d537d044a1e87481323940da25e6159ad19dd62fcb0803bcd2dcf6 CVE-2021-20314.patch
+"
diff --git a/main/libspf2/CVE-2021-20314.patch b/main/libspf2/CVE-2021-20314.patch
new file mode 100644
index 0000000000..412d5f322a
--- /dev/null
+++ b/main/libspf2/CVE-2021-20314.patch
@@ -0,0 +1,22 @@
+From c37b7c13c30e225183899364b9f2efdfa85552ef Mon Sep 17 00:00:00 2001
+From: Shevek <shevek@anarres.org>
+Date: Sat, 5 Jun 2021 21:39:04 -0700
+Subject: [PATCH] spf_compile.c: Correct size of ds_avail.
+
+---
+ src/libspf2/spf_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index ff02f87..b08ffe2 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -455,7 +455,7 @@ SPF_c_parse_var(SPF_response_t *spf_response, SPF_data_var_t *data,
+ /* Magic numbers for x/Nc in gdb. */ \
+ data->ds.__unused0 = 0xba; data->ds.__unused1 = 0xbe; \
+ dst = SPF_data_str( data ); \
+- ds_avail = _avail; \
++ ds_avail = _avail - sizeof(SPF_data_t); \
+ ds_len = 0; \
+ } while(0)
+
diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD
index 375d10d9ea..cdc6379ce8 100644
--- a/main/linux-lts/APKBUILD
+++ b/main/linux-lts/APKBUILD
@@ -2,7 +2,7 @@
_flavor=lts
pkgname=linux-${_flavor}
-pkgver=5.10.38
+pkgver=5.10.61
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -235,16 +235,16 @@ d19365fe94431008768c96a2c88955652f70b6df6677457ee55ee95246a64fdd2c6fed9b3bef37c2
ca5aafac37e0b5f3fcbaf801e12f98beb58ffaf1d8c88f76caff22b059831869b4094e7fdcb6d6860422d6b2d036e072caff460e1feb84bd04d10740ad56265b 0007-pci-hotplug-declare-IDT-bridge-as-hotpluggabl-bridge.patch
cbe85cf34e8420c91d2276c2d2aa0ab5023af68e57a1fa613f073f16a76766c67f585eda71c28f232bd0625e0dc8275a9eddc95f49409205dc0dbcc28c9fac1c 0008-pci-spr2803-quirk-to-fix-class-ID.patch
16b2d5b0255b37075ba894fc797673d633395907ce0b93400c5a8bd05b512b5cd040b91000fa41f9240d42afc664a69206597d1e3f754a1aa64b9be21a67f5c6 ampere-mt-jade.patch
-39daef6a804030cef728b2825b5979eeba46755f32de15c89544c11e4809bf23d018357bc50c654b5e8f013e9f34ea3bd078d23ce9feb790975775f0ac669591 config-lts.aarch64
-8c9746919125ed22f29c6f29923fad1b35e75636ac2f0d64889bbe7a9a2efe3292529703916cbe82b43fc9336b93b66b7ade98ed029d105f0a8c891f2667ce39 config-lts.armv7
-f9a26097e89763e0de0c2b27a3c603c029f645170227086ce5c5fb91812a97a81f4baea8513f625845e5140581a35f2708d85502162d3fec187e34032662bf86 config-lts.x86
-66bbcbeb44e3ffd2b1d062a416e3a68f798dd1d45003cd6a9279ede8486a344240107e868844fa9e1a2a6012861cb0ed94ac43b88b2dd246c74d287fa9720185 config-lts.x86_64
-2af054e26f338fb5634aff4e51a3435a5545a2caaf8db1f982d8a619bc3ba644180c53d04bdbf157eae316e089f54101fc753f899d44ae55d13e79194e87ccb0 config-lts.ppc64le
-be3a2394dd157444c51caf28bb507dda4c655568218cb378fd99348711933af4f844b12a56b1e2d2f6963e0dd02152d18a9c937bf748a6ea9b62d39b3ecbc397 config-lts.s390x
-958516966bd172dc293a08bfea4da2c9bc0064c8b5ce7f9790c7afe83497b57013d56df422c7aec1cb618b04a5bd6be29f3046eb366db99b0eae3c2e8db1d730 config-lts.mips64
-d161d930d556b9f83aba1975800b2afb794b015187b8222d8a2e05c9eea191f615da52fde1e330a67f1b0a7822a4e33553c5cee982dab907472490fca257cfc2 config-virt.aarch64
-6fd9c2e7949ff278d21ea7feecf7da65eeb01b901f79a5e0e548e63bc5f1a8915f1b22ec7acc7a050abda1d7059302e3a93dd35b9d139cb8382352f5bc42e8d2 config-virt.armv7
-018cfa22e53690b8649f646659dfa2108650acc476057cfb20f023c8332765407d42f543a2ff841035f678da6605e0e7f8e1c383edb508693d9a23de0e214b56 config-virt.ppc64le
-00e8f614094d0f9a5270cdbedccda3dd55cc03f3045e9c0b1a6d5de91595cc204a960a57cd274da7c3708521b1dedcfa333f81ecf23198fb29165247aad74b24 config-virt.x86
-105d8f70e497f9ccb66533ddea7e591a3a2cbbe9ae3f73e168b03e783efb07ddb085af8904d7a83404bf90c3c55d5b45b557f99ef906afbff286df19df311519 config-virt.x86_64
-3829c94628b30d2bf76c667f7be1331c07f4a0aec1949f5299d65935429eafda1d2fc317ff582baeb7a5e7b3af5a3d80823616d1b77819aec9e88850c32f01eb patch-5.10.38.xz"
+89934520a6acb51b20f403cdf0531c54c9bd96ea51ae71597bd7bbb230d0e4cc4e213e6f4abdbdac70770f9d571e6dab18f15a7d205fccc2b0e01a29539f397f config-lts.aarch64
+7586c2c14e3e5d1733ba6b10f9e505884e69ebd73f5660a83d6e0a229067be10bd74fdd3c39f3e86a6d370713e3c515023a98a590804f46092ff8ae7c069b657 config-lts.armv7
+2e1191008bb2e73af4863152cdcd28f8b5ad7e8c383712de32c389b8b34e8cb5453a1875999e035e17e6adc3620372716e0dad2d89f63d4a7f9d4a4c1563f311 config-lts.x86
+7054e12a504ba4104ae64f15b1751630ca865ab0501f57338d672c7265eee742c691ab6f5cfb8ca2f8b4646017ad40ec4ab4af317ea0af030847662bab654db3 config-lts.x86_64
+9f35e146fd04ac383306eef06214da9991dc452f941b53acc6d8922452fbbb432098a0b1eb65a206a69b84f26e1dc21dc6542f74f7f472714e9a9fc50807f6a6 config-lts.ppc64le
+2ff28ec6132d54a843a8d83d48d6264622ccaf0bf5b8dfba052328c7370b177bb89a74bcc4c1fbde13a5966dbc76e563b7568747d3319a329f399e45aa73ce3b config-lts.s390x
+c3f71766203e547c0bc4390de0389b6593c6cce2a36618a9c683af2cf09e0ec10dec288c0e6bd58eab0c0e1b1d0afceb13c7d8a7a1ef68a5689955a714654567 config-lts.mips64
+a351ed481a3d8346811869fd72ea62541d4e7a5019154022061c9c90765fe33d73ea1c8981acda6d19f57aa796b8450bb0379c2357fd708bc9a97522e428279c config-virt.aarch64
+59d622fc8425995da40bc600fe0013c4e1fabd4d5ffff03de075d798e11d575fc061ce602ec2950f4aacae00b4f61a3195152d3bdf015d7d511609ec451b91d6 config-virt.armv7
+c666e9c8e2b9981cd5bba8196610c4ec364e512935d6f094e41b27189f23568f749562e146b67c8f06f196e235c428f11c5ee78ab5af5e0c42cfdad081b26267 config-virt.ppc64le
+dbfec3bbdd6a2920ffeb677d672dc85f0bc7b76a4a10eca5c092799b22cf887c441ee5db314f65e1634ec9f6a625a99bf289864989172d0cbb8f2a8042d3cb9e config-virt.x86
+4816b2fb44164a6823fc4554b228ac42ae864f535f0976a71c63ae1d12fbfddda90f2519258b44fdbdea56faeee7a63a1c79797ea4b3fc8f50d7971471635cee config-virt.x86_64
+13397d1b126dccbac00fc05a2fbd6af316a0fdea86f7f4ed3c447dbecfa20fce9f30b1fa2fdbb1c570ab7ea514f2f02691844231c0d2e318aea26a72b4c75b93 patch-5.10.61.xz"
diff --git a/main/linux-lts/config-lts.aarch64 b/main/linux-lts/config-lts.aarch64
index 9d2121a02f..dc9f07cad9 100644
--- a/main/linux-lts/config-lts.aarch64
+++ b/main/linux-lts/config-lts.aarch64
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.27 Kernel Configuration
+# Linux/arm64 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -281,6 +281,7 @@ CONFIG_FIX_EARLYCON_MEM=y
CONFIG_PGTABLE_LEVELS=4
CONFIG_ARCH_SUPPORTS_UPROBES=y
CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_BROKEN_GAS_INST=y
#
# Platform selection
@@ -427,8 +428,6 @@ CONFIG_CP15_BARRIER_EMULATION=y
#
CONFIG_ARM64_HW_AFDBM=y
CONFIG_ARM64_PAN=y
-CONFIG_AS_HAS_LSE_ATOMICS=y
-CONFIG_ARM64_LSE_ATOMICS=y
CONFIG_ARM64_USE_LSE_ATOMICS=y
CONFIG_ARM64_VHE=y
# end of ARMv8.1 architectural features
@@ -445,10 +444,6 @@ CONFIG_ARM64_CNP=y
#
# ARMv8.3 architectural features
#
-CONFIG_ARM64_PTR_AUTH=y
-CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y
-CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y
-CONFIG_AS_HAS_PAC=y
CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
# end of ARMv8.3 architectural features
@@ -456,20 +451,14 @@ CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
# ARMv8.4 architectural features
#
CONFIG_ARM64_AMU_EXTN=y
-CONFIG_AS_HAS_ARMV8_4=y
-CONFIG_ARM64_TLB_RANGE=y
# end of ARMv8.4 architectural features
#
# ARMv8.5 architectural features
#
CONFIG_ARM64_BTI=y
-CONFIG_ARM64_BTI_KERNEL=y
-CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y
CONFIG_ARM64_E0PD=y
CONFIG_ARCH_RANDOM=y
-CONFIG_ARM64_AS_HAS_MTE=y
-CONFIG_ARM64_MTE=y
# end of ARMv8.5 architectural features
CONFIG_ARM64_SVE=y
@@ -477,8 +466,6 @@ CONFIG_ARM64_MODULE_PLTS=y
# CONFIG_ARM64_PSEUDO_NMI is not set
CONFIG_RELOCATABLE=y
# CONFIG_RANDOMIZE_BASE is not set
-CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
-CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -1013,7 +1000,6 @@ CONFIG_GENERIC_EARLY_IOREMAP=y
CONFIG_ARCH_HAS_PTE_DEVMAP=y
CONFIG_HMM_MIRROR=y
CONFIG_FRAME_VECTOR=y
-CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
# CONFIG_PERCPU_STATS is not set
# CONFIG_GUP_BENCHMARK is not set
# CONFIG_READ_ONLY_THP_FOR_FS is not set
@@ -4436,6 +4422,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
# CONFIG_CHARGER_BD99954 is not set
@@ -8055,7 +8042,6 @@ CONFIG_HID_SENSOR_ACCEL_3D=m
# CONFIG_AD7923 is not set
# CONFIG_AD7949 is not set
# CONFIG_AD799X is not set
-# CONFIG_AD9467 is not set
# CONFIG_ADI_AXI_ADC is not set
# CONFIG_AXP20X_ADC is not set
# CONFIG_AXP288_ADC is not set
@@ -8505,8 +8491,6 @@ CONFIG_MST_IRQ=y
CONFIG_ARCH_HAS_RESET_CONTROLLER=y
CONFIG_RESET_CONTROLLER=y
CONFIG_RESET_BERLIN=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
CONFIG_RESET_QCOM_AOSS=y
# CONFIG_RESET_QCOM_PDC is not set
CONFIG_RESET_RASPBERRYPI=m
@@ -8901,7 +8885,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
diff --git a/main/linux-lts/config-lts.armv7 b/main/linux-lts/config-lts.armv7
index 349a19b8fb..7f995d6650 100644
--- a/main/linux-lts/config-lts.armv7
+++ b/main/linux-lts/config-lts.armv7
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.27 Kernel Configuration
+# Linux/arm 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
@@ -715,6 +715,7 @@ CONFIG_ARCH_HIBERNATION_POSSIBLE=y
#
# Firmware Drivers
#
+# CONFIG_ARM_SCMI_PROTOCOL is not set
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
@@ -2093,6 +2094,7 @@ CONFIG_NVME_MULTIPATH=y
CONFIG_NVME_HWMON=y
CONFIG_NVME_FABRICS=m
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
CONFIG_NVME_TARGET=m
# CONFIG_NVME_TARGET_PASSTHRU is not set
CONFIG_NVME_TARGET_LOOP=m
@@ -3590,6 +3592,7 @@ CONFIG_AXP20X_POWER=m
# CONFIG_CHARGER_SMB347 is not set
CONFIG_CHARGER_TPS65217=m
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
# CONFIG_CHARGER_BD99954 is not set
@@ -6682,7 +6685,6 @@ CONFIG_IIO_KFIFO_BUF=m
# CONFIG_AD7923 is not set
# CONFIG_AD7949 is not set
# CONFIG_AD799X is not set
-# CONFIG_AD9467 is not set
# CONFIG_ADI_AXI_ADC is not set
CONFIG_AXP20X_ADC=m
# CONFIG_AXP288_ADC is not set
@@ -7110,9 +7112,7 @@ CONFIG_EXYNOS_IRQ_COMBINER=y
# CONFIG_IPACK_BUS is not set
CONFIG_ARCH_HAS_RESET_CONTROLLER=y
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
CONFIG_RESET_IMX7=y
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
CONFIG_RESET_SIMPLE=y
@@ -7448,7 +7448,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
CONFIG_UFS_FS=m
CONFIG_UFS_FS_WRITE=y
diff --git a/main/linux-lts/config-lts.mips64 b/main/linux-lts/config-lts.mips64
index f32811ae69..752c6940f5 100644
--- a/main/linux-lts/config-lts.mips64
+++ b/main/linux-lts/config-lts.mips64
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/mips 5.10.27 Kernel Configuration
+# Linux/mips 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -604,6 +604,7 @@ CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
CONFIG_QUEUED_SPINLOCKS=y
CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
CONFIG_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y
CONFIG_FREEZER=y
#
@@ -1399,6 +1400,7 @@ CONFIG_BLK_DEV_RBD=m
#
# CONFIG_BLK_DEV_NVME is not set
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
# end of NVME Support
#
diff --git a/main/linux-lts/config-lts.ppc64le b/main/linux-lts/config-lts.ppc64le
index fa7def0f51..27feb876ce 100644
--- a/main/linux-lts/config-lts.ppc64le
+++ b/main/linux-lts/config-lts.ppc64le
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.27 Kernel Configuration
+# Linux/powerpc 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -2539,6 +2539,7 @@ CONFIG_POWER_SUPPLY_HWMON=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=y
# CONFIG_HWMON_DEBUG_CHIP is not set
@@ -4028,7 +4029,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_RAM is not set
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
diff --git a/main/linux-lts/config-lts.s390x b/main/linux-lts/config-lts.s390x
index 04da4c0c3d..e80306c09d 100644
--- a/main/linux-lts/config-lts.s390x
+++ b/main/linux-lts/config-lts.s390x
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/s390 5.10.27 Kernel Configuration
+# Linux/s390 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -379,6 +379,7 @@ CONFIG_UPROBES=y
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
CONFIG_ARCH_USE_BUILTIN_BSWAP=y
CONFIG_KRETPROBES=y
+CONFIG_HAVE_IOREMAP_PROT=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
@@ -418,6 +419,7 @@ CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_HAVE_ARCH_SOFT_DIRTY=y
CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
CONFIG_HAVE_RELIABLE_STACKTRACE=y
CONFIG_CLONE_BACKWARDS2=y
diff --git a/main/linux-lts/config-lts.x86 b/main/linux-lts/config-lts.x86
index 65b2b8f7e0..983cdccde0 100644
--- a/main/linux-lts/config-lts.x86
+++ b/main/linux-lts/config-lts.x86
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.27 Kernel Configuration
+# Linux/x86 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
@@ -4209,6 +4209,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -6984,7 +6985,6 @@ CONFIG_DMA_ACPI=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_PCH_DMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
CONFIG_QCOM_HIDMA_MGMT=m
# CONFIG_QCOM_HIDMA is not set
CONFIG_DW_DMAC_CORE=m
@@ -7490,7 +7490,6 @@ CONFIG_HID_SENSOR_ACCEL_3D=m
# CONFIG_AD7923 is not set
# CONFIG_AD7949 is not set
# CONFIG_AD799X is not set
-# CONFIG_AD9467 is not set
# CONFIG_CC10001_ADC is not set
# CONFIG_HI8435 is not set
# CONFIG_HX711 is not set
@@ -7887,7 +7886,6 @@ CONFIG_PWM_PCA9685=m
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
# CONFIG_RESET_TI_SYSCON is not set
#
@@ -8183,7 +8181,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
diff --git a/main/linux-lts/config-lts.x86_64 b/main/linux-lts/config-lts.x86_64
index b36b72da1d..0f9a14248e 100644
--- a/main/linux-lts/config-lts.x86_64
+++ b/main/linux-lts/config-lts.x86_64
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.27 Kernel Configuration
+# Linux/x86_64 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -322,7 +322,6 @@ CONFIG_RETPOLINE=y
CONFIG_X86_EXTENDED_PLATFORM=y
# CONFIG_X86_NUMACHIP is not set
# CONFIG_X86_VSMP is not set
-# CONFIG_X86_UV is not set
# CONFIG_X86_GOLDFISH is not set
# CONFIG_X86_INTEL_MID is not set
CONFIG_X86_INTEL_LPSS=y
@@ -4320,6 +4319,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -7122,7 +7122,6 @@ CONFIG_INTEL_IDMA64=m
# CONFIG_INTEL_IDXD is not set
CONFIG_INTEL_IOATDMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
CONFIG_QCOM_HIDMA_MGMT=m
# CONFIG_QCOM_HIDMA is not set
CONFIG_DW_DMAC_CORE=m
@@ -7680,7 +7679,6 @@ CONFIG_HID_SENSOR_ACCEL_3D=m
# CONFIG_AD7923 is not set
# CONFIG_AD7949 is not set
# CONFIG_AD799X is not set
-# CONFIG_AD9467 is not set
# CONFIG_CC10001_ADC is not set
# CONFIG_HI8435 is not set
# CONFIG_HX711 is not set
@@ -8080,7 +8078,6 @@ CONFIG_PWM_PCA9685=m
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
# CONFIG_RESET_TI_SYSCON is not set
#
@@ -8392,7 +8389,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
diff --git a/main/linux-lts/config-virt.aarch64 b/main/linux-lts/config-virt.aarch64
index 934b6250c6..83ac3ffe32 100644
--- a/main/linux-lts/config-virt.aarch64
+++ b/main/linux-lts/config-virt.aarch64
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.27 Kernel Configuration
+# Linux/arm64 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -274,6 +274,7 @@ CONFIG_FIX_EARLYCON_MEM=y
CONFIG_PGTABLE_LEVELS=4
CONFIG_ARCH_SUPPORTS_UPROBES=y
CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_BROKEN_GAS_INST=y
#
# Platform selection
@@ -418,8 +419,6 @@ CONFIG_CP15_BARRIER_EMULATION=y
#
CONFIG_ARM64_HW_AFDBM=y
CONFIG_ARM64_PAN=y
-CONFIG_AS_HAS_LSE_ATOMICS=y
-CONFIG_ARM64_LSE_ATOMICS=y
CONFIG_ARM64_USE_LSE_ATOMICS=y
CONFIG_ARM64_VHE=y
# end of ARMv8.1 architectural features
@@ -436,10 +435,6 @@ CONFIG_ARM64_CNP=y
#
# ARMv8.3 architectural features
#
-CONFIG_ARM64_PTR_AUTH=y
-CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y
-CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y
-CONFIG_AS_HAS_PAC=y
CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
# end of ARMv8.3 architectural features
@@ -447,20 +442,14 @@ CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
# ARMv8.4 architectural features
#
CONFIG_ARM64_AMU_EXTN=y
-CONFIG_AS_HAS_ARMV8_4=y
-CONFIG_ARM64_TLB_RANGE=y
# end of ARMv8.4 architectural features
#
# ARMv8.5 architectural features
#
CONFIG_ARM64_BTI=y
-CONFIG_ARM64_BTI_KERNEL=y
-CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y
CONFIG_ARM64_E0PD=y
CONFIG_ARCH_RANDOM=y
-CONFIG_ARM64_AS_HAS_MTE=y
-CONFIG_ARM64_MTE=y
# end of ARMv8.5 architectural features
CONFIG_ARM64_SVE=y
@@ -468,8 +457,6 @@ CONFIG_ARM64_MODULE_PLTS=y
# CONFIG_ARM64_PSEUDO_NMI is not set
CONFIG_RELOCATABLE=y
# CONFIG_RANDOMIZE_BASE is not set
-CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
-CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -984,7 +971,6 @@ CONFIG_GENERIC_EARLY_IOREMAP=y
# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
# CONFIG_IDLE_PAGE_TRACKING is not set
CONFIG_ARCH_HAS_PTE_DEVMAP=y
-CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
# CONFIG_PERCPU_STATS is not set
# CONFIG_GUP_BENCHMARK is not set
# CONFIG_READ_ONLY_THP_FOR_FS is not set
@@ -2970,6 +2956,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -4076,8 +4063,6 @@ CONFIG_PARTITION_PERCPU=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
# CONFIG_RESET_TI_SYSCON is not set
@@ -4384,7 +4369,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
diff --git a/main/linux-lts/config-virt.armv7 b/main/linux-lts/config-virt.armv7
index a0f1178afa..78b577091a 100644
--- a/main/linux-lts/config-virt.armv7
+++ b/main/linux-lts/config-virt.armv7
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.27 Kernel Configuration
+# Linux/arm 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
@@ -2804,6 +2804,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -3893,8 +3894,6 @@ CONFIG_ALPINE_MSI=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
# CONFIG_RESET_TI_SYSCON is not set
@@ -4179,7 +4178,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
diff --git a/main/linux-lts/config-virt.ppc64le b/main/linux-lts/config-virt.ppc64le
index d9cd7a39ef..c2cad0fbd9 100644
--- a/main/linux-lts/config-virt.ppc64le
+++ b/main/linux-lts/config-virt.ppc64le
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.27 Kernel Configuration
+# Linux/powerpc 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -2644,6 +2644,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -3603,8 +3604,6 @@ CONFIG_IRQCHIP=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_TI_SYSCON is not set
#
@@ -3877,7 +3876,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
diff --git a/main/linux-lts/config-virt.x86 b/main/linux-lts/config-virt.x86
index ed0ecdec3c..26f4636f00 100644
--- a/main/linux-lts/config-virt.x86
+++ b/main/linux-lts/config-virt.x86
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.27 Kernel Configuration
+# Linux/x86 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
@@ -2650,6 +2650,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
@@ -3495,7 +3496,6 @@ CONFIG_DMA_ACPI=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_PCH_DMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
# CONFIG_QCOM_HIDMA_MGMT is not set
CONFIG_QCOM_HIDMA=m
# CONFIG_DW_DMAC is not set
@@ -3935,7 +3935,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
diff --git a/main/linux-lts/config-virt.x86_64 b/main/linux-lts/config-virt.x86_64
index 7c869467e2..dc191e3e58 100644
--- a/main/linux-lts/config-virt.x86_64
+++ b/main/linux-lts/config-virt.x86_64
@@ -1,11 +1,11 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.27 Kernel Configuration
+# Linux/x86_64 5.10.61 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=100201
-CONFIG_LD_VERSION=235010000
+CONFIG_LD_VERSION=235020000
CONFIG_CLANG_VERSION=0
CONFIG_LLD_VERSION=0
CONFIG_CC_CAN_LINK=y
@@ -2728,6 +2728,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
@@ -3575,7 +3576,6 @@ CONFIG_DMA_ACPI=y
# CONFIG_INTEL_IDXD is not set
CONFIG_INTEL_IOATDMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
# CONFIG_QCOM_HIDMA_MGMT is not set
CONFIG_QCOM_HIDMA=m
# CONFIG_DW_DMAC is not set
@@ -4062,7 +4062,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
diff --git a/main/linux-rpi/APKBUILD b/main/linux-rpi/APKBUILD
index d5cd5e7be5..75ac8d8b48 100644
--- a/main/linux-rpi/APKBUILD
+++ b/main/linux-rpi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=linux-rpi
-pkgver=5.10.36
+pkgver=5.10.61
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -303,8 +303,8 @@ _dev() {
}
sha512sums="95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e linux-5.10.tar.xz
-badb51b4b3a163d67df9d7c77218b46ac69d8445eaa20db28529eb6594d525f14a27e87c4a174b96bed2b17f901928a15b6f982f00d5423c3719b9b49f2d6173 patch-5.10.36.xz
-fa520ea620a2ce6cc6701878d692abd558be160c46500559c76f4935389c3f80906481a6fb2b62bf2ec5486ee6ce6c760dc6c5fb253e8225ed2dcdedfeecfdf4 rpi-5.10.36-alpine.patch
+13397d1b126dccbac00fc05a2fbd6af316a0fdea86f7f4ed3c447dbecfa20fce9f30b1fa2fdbb1c570ab7ea514f2f02691844231c0d2e318aea26a72b4c75b93 patch-5.10.61.xz
+f75f1c25f70d2e2a7cd2ac8cf05f6589ff54543318debe8d7d7ddccd2cbaf5f1d512398be46cad0f4d4c64caf178d8e317f3f53565bc0a0566cd87151c2ba4f9 rpi-5.10.61-alpine.patch
13612ed26f486a4053dc61a1d376cccf21b57f96e9359d3f3b1897458fb96dde24dfcd32f15eeec2a60e5246044d67df2d84b215b2dbb082495b08e872c735c9 config-changes-rpi.armhf
13612ed26f486a4053dc61a1d376cccf21b57f96e9359d3f3b1897458fb96dde24dfcd32f15eeec2a60e5246044d67df2d84b215b2dbb082495b08e872c735c9 config-changes-rpi.armv7
13612ed26f486a4053dc61a1d376cccf21b57f96e9359d3f3b1897458fb96dde24dfcd32f15eeec2a60e5246044d67df2d84b215b2dbb082495b08e872c735c9 config-changes-rpi.aarch64
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index 492ca79c67..6225400bfc 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.5.11
+pkgver=10.5.12
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -45,6 +45,9 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad
"
# secfixes:
+# 10.5.12-r0:
+# - CVE-2021-2372
+# - CVE-2021-2389
# 10.5.10-r0:
# - CVE-2021-2154
# - CVE-2021-2166
@@ -456,7 +459,7 @@ _plugin_rocksdb() {
}
sha512sums="
-5ccb3f3d7cedf5ff79dd8d9304f0b7f3eb99a5558b446d1baf24cabe20c709360e2c99a737024793918fd6c23fc5a9bb83ffddfb5549310774d07294a3bbddf4 mariadb-10.5.11.tar.gz
+c732c2033304f273900b3dcf21936e28aebb147316fcabc7efdc43b75bc47c198daacfaaae082b997d4e695139d2aeaa2619bd29935f1b6f0aa25b9b9cde9ae5 mariadb-10.5.12.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
b15d5cbe4e1547ad18cd1ce5a2d5a75d8dd8e017ca725154abdf28d3d1cae8403e0c3e93745441872f72e1ba9f2fef587f596231a231e374bd5a61ba3d8945ea ppc-remove-glibc-dep.patch
598490b4bb45c9f7be46086d25c2b6c601d417c45f11aa519c2290065e7d6e98a7519f9860b823e67a8fd3e6ce3b4728af73ec3a2c66eec32b42fd4ad7cc07f7 disable-failing-test.patch
diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index bb5aecadfd..2c98f73fe3 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.6.12
-pkgrel=2
+pkgrel=3
pkgdesc="An open source MQTT broker"
url="https://mosquitto.org/"
arch="all"
@@ -19,9 +19,12 @@ source="http://mosquitto.org/files/source/mosquitto-$pkgver.tar.gz
disable-ci-tests.patch
mosquitto.initd
mosquitto.confd
+ CVE-2021-34432.patch
"
# secfixes:
+# 1.6.12-r3:
+# - CVE-2021-34432
# 1.6.7-r0:
# - CVE-2019-11779
# 1.5.6-r0:
@@ -90,8 +93,11 @@ clients() {
mv "$pkgdir"/usr/bin/mosquitto_[ps]ub "$subpkgdir"/usr/bin/
}
-sha512sums="68cd2e4aa14254c0332ad78eac1f885e0e4e9f2332540d3778b8c7df096db7618b8467b5bb25f70ddc3306d01dd36eb9a9e2bf2738da77e196c7a1ccaed869d2 mosquitto-1.6.12.tar.gz
+sha512sums="
+68cd2e4aa14254c0332ad78eac1f885e0e4e9f2332540d3778b8c7df096db7618b8467b5bb25f70ddc3306d01dd36eb9a9e2bf2738da77e196c7a1ccaed869d2 mosquitto-1.6.12.tar.gz
fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch
21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch
a527813957b6f2d7afdb7269bade61d99b3023a147861b38902971929ff342a7c8c276bdb808fcfe7e48fa3e5c7521a16d777e5a3313256b8bf1e759cec5b7b0 mosquitto.initd
-678a8aaefb9181f5f4998304046e5a8737049f90cf6bbbfd5fd4549592728afe77cb536547b39ad1598d53fe0b7c03e1506b2683e7b936712b9fad4a317f4b43 mosquitto.confd"
+678a8aaefb9181f5f4998304046e5a8737049f90cf6bbbfd5fd4549592728afe77cb536547b39ad1598d53fe0b7c03e1506b2683e7b936712b9fad4a317f4b43 mosquitto.confd
+5dfd7ac9a49284a08e75f36cea6ea7b5ed6126e5afb43ba4ecfe8efe38ddf6b15f52b1b1eff0b8901f065f0773595ed8f66757b70e12283a7d1a2e876b39f092 CVE-2021-34432.patch
+"
diff --git a/main/mosquitto/CVE-2021-34432.patch b/main/mosquitto/CVE-2021-34432.patch
new file mode 100644
index 0000000000..14037ba13c
--- /dev/null
+++ b/main/mosquitto/CVE-2021-34432.patch
@@ -0,0 +1,61 @@
+From 9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6 Mon Sep 17 00:00:00 2001
+From: "Roger A. Light" <roger@atchoo.org>
+Date: Tue, 9 Feb 2021 14:09:53 +0000
+Subject: [PATCH] Fix mosquitto_{pub|sub}_topic_check() function returns.
+
+The would not return MOSQ_ERR_INVAL on topic == NULL.
+---
+ lib/util_topic.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/lib/util_topic.c b/lib/util_topic.c
+index fc24f0d1cb..62b531127c 100644
+--- a/lib/util_topic.c
++++ b/lib/util_topic.c
+@@ -54,6 +54,11 @@ int mosquitto_pub_topic_check(const char *str)
+ #ifdef WITH_BROKER
+ int hier_count = 0;
+ #endif
++
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
+ while(str && str[0]){
+ if(str[0] == '+' || str[0] == '#'){
+ return MOSQ_ERR_INVAL;
+@@ -81,7 +86,9 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+' || str[i] == '#'){
+@@ -115,7 +122,11 @@ int mosquitto_sub_topic_check(const char *str)
+ int hier_count = 0;
+ #endif
+
+- while(str && str[0]){
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
++ while(str[0]){
+ if(str[0] == '+'){
+ if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
+ return MOSQ_ERR_INVAL;
+@@ -150,7 +161,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+'){
diff --git a/main/nettle/APKBUILD b/main/nettle/APKBUILD
index d98d0deff4..9908ba0ecd 100644
--- a/main/nettle/APKBUILD
+++ b/main/nettle/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Fabian Affolter <fabian@affolter-engineering.ch>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=nettle
-pkgver=3.7.2
+pkgver=3.7.3
pkgrel=0
pkgdesc="A low-level cryptographic library"
url="https://www.lysator.liu.se/~nisse/nettle/"
@@ -14,6 +14,8 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-utils"
source="https://ftp.gnu.org/gnu/nettle/nettle-$pkgver.tar.gz"
# secfixes:
+# 3.7.3-r0:
+# - CVE-2021-3580
# 3.7.2-r0:
# - CVE-2021-20305
@@ -51,4 +53,6 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="5f6edcc24ff620885b24394b31e55b494418c35dd63e6ece222ddabc58e793c44a82155051cc5759896ed5f014a8efd547f0aef6736a131e41651c5cab7c7211 nettle-3.7.2.tar.gz"
+sha512sums="
+9901eba305421adff6d551ac7f478dff3f68a339d444c776724ab0b977fe6be792b1d2950c8705acbe76bd924fd6d898a65eded546777884be3b436d0e052437 nettle-3.7.3.tar.gz
+"
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index b4778eb6f9..3d8c17d662 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,19 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 14.18.1-r0:
+# - CVE-2021-22959
+# - CVE-2021-22960
+# 14.17.6-r0:
+# - CVE-2021-37701
+# - CVE-2021-37712
+# - CVE-2021-37713
+# - CVE-2021-39134
+# - CVE-2021-39135
+# 14.17.5-r0:
+# - CVE-2021-3672
+# - CVE-2021-22931
+# - CVE-2021-22939
# 14.17.4-r0:
# - CVE-2021-22930
# 14.17.3-r0:
@@ -73,7 +86,7 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=14.17.4
+pkgver=14.18.1
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
@@ -96,6 +109,7 @@ replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
disable-running-gyp-on-shared-deps.patch
link-with-libatomic-on-mips32.patch
+ fix-build-with-system-c-ares.patch
"
builddir="$srcdir/node-v$pkgver"
@@ -188,7 +202,8 @@ npm() {
}
sha512sums="
-c6b574e5a3ee3329cc069bd1d556076e2002ba29ea3788aaa09fb669be13588adf783a2f179d0fcd8b17513979f39078d0a403b56f61fb9022652c2c3dcdbbd8 node-v14.17.4.tar.gz
+f9455ff65a57772e242343e2c1113e769c2ab8123e8a4fd6bd65525f4401d5f35e0bc73981db4f76af4f8da4e14a389fd41d2eca97cde6f0dfed5ed7a6ec532c node-v14.18.1.tar.gz
dbe8167b61518f8f59176759d69834d57bf3e6a5a5fd3dfc2359cafe0325da08b27f8220d278ed77f50c9f63a03313eabbbb0eaca3e592e5bb4e0d5be0ced373 disable-running-gyp-on-shared-deps.patch
44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch
+30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch
"
diff --git a/main/nodejs/fix-build-with-system-c-ares.patch b/main/nodejs/fix-build-with-system-c-ares.patch
new file mode 100644
index 0000000000..8121891d04
--- /dev/null
+++ b/main/nodejs/fix-build-with-system-c-ares.patch
@@ -0,0 +1,535 @@
+From aff98a5667c22794e2eaf658f6dfbee54cdd4a3b Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Thu, 12 Aug 2021 02:44:43 +0800
+Subject: [PATCH 1/2] deps: fix building with system c-ares on Linux
+Patch-Source: https://github.com/nodejs/node/pull/39739
+
+The change in #39724 breaks building with system c-ares
+(`--shared-cares`):
+```
+In file included from ../src/cares_wrap.cc:25:
+../src/cares_wrap.h:25:11: fatal error: ares_nameser.h: No such file or
+directory
+ 25 | # include <ares_nameser.h>
+ | ^~~~~~~~~~~~~~~~
+```
+
+Since `ares_nameser.h` isn't available with a default system c-ares
+installation, let's copy it as our private header here.
+
+Tested to build fine on Arch Linux with shared c-ares.
+---
+ src/ares_nameser.h | 482 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 482 insertions(+)
+ create mode 100644 src/ares_nameser.h
+
+diff --git a/src/ares_nameser.h b/src/ares_nameser.h
+new file mode 100644
+index 000000000000..5270e5a3a6a0
+--- /dev/null
++++ b/src/ares_nameser.h
+@@ -0,0 +1,482 @@
++
++#ifndef ARES_NAMESER_H
++#define ARES_NAMESER_H
++
++#ifdef HAVE_ARPA_NAMESER_H
++# include <arpa/nameser.h>
++#endif
++#ifdef HAVE_ARPA_NAMESER_COMPAT_H
++# include <arpa/nameser_compat.h>
++#endif
++
++/* ============================================================================
++ * arpa/nameser.h may or may not provide ALL of the below defines, so check
++ * each one individually and set if not
++ * ============================================================================
++ */
++
++#ifndef NS_PACKETSZ
++# define NS_PACKETSZ 512 /* maximum packet size */
++#endif
++
++#ifndef NS_MAXDNAME
++# define NS_MAXDNAME 256 /* maximum domain name */
++#endif
++
++#ifndef NS_MAXCDNAME
++# define NS_MAXCDNAME 255 /* maximum compressed domain name */
++#endif
++
++#ifndef NS_MAXLABEL
++# define NS_MAXLABEL 63
++#endif
++
++#ifndef NS_HFIXEDSZ
++# define NS_HFIXEDSZ 12 /* #/bytes of fixed data in header */
++#endif
++
++#ifndef NS_QFIXEDSZ
++# define NS_QFIXEDSZ 4 /* #/bytes of fixed data in query */
++#endif
++
++#ifndef NS_RRFIXEDSZ
++# define NS_RRFIXEDSZ 10 /* #/bytes of fixed data in r record */
++#endif
++
++#ifndef NS_INT16SZ
++# define NS_INT16SZ 2
++#endif
++
++#ifndef NS_INADDRSZ
++# define NS_INADDRSZ 4
++#endif
++
++#ifndef NS_IN6ADDRSZ
++# define NS_IN6ADDRSZ 16
++#endif
++
++#ifndef NS_CMPRSFLGS
++# define NS_CMPRSFLGS 0xc0 /* Flag bits indicating name compression. */
++#endif
++
++#ifndef NS_DEFAULTPORT
++# define NS_DEFAULTPORT 53 /* For both TCP and UDP. */
++#endif
++
++/* ============================================================================
++ * arpa/nameser.h should provide these enumerations always, so if not found,
++ * provide them
++ * ============================================================================
++ */
++#ifndef HAVE_ARPA_NAMESER_H
++
++typedef enum __ns_class {
++ ns_c_invalid = 0, /* Cookie. */
++ ns_c_in = 1, /* Internet. */
++ ns_c_2 = 2, /* unallocated/unsupported. */
++ ns_c_chaos = 3, /* MIT Chaos-net. */
++ ns_c_hs = 4, /* MIT Hesiod. */
++ /* Query class values which do not appear in resource records */
++ ns_c_none = 254, /* for prereq. sections in update requests */
++ ns_c_any = 255, /* Wildcard match. */
++ ns_c_max = 65536
++} ns_class;
++
++typedef enum __ns_type {
++ ns_t_invalid = 0, /* Cookie. */
++ ns_t_a = 1, /* Host address. */
++ ns_t_ns = 2, /* Authoritative server. */
++ ns_t_md = 3, /* Mail destination. */
++ ns_t_mf = 4, /* Mail forwarder. */
++ ns_t_cname = 5, /* Canonical name. */
++ ns_t_soa = 6, /* Start of authority zone. */
++ ns_t_mb = 7, /* Mailbox domain name. */
++ ns_t_mg = 8, /* Mail group member. */
++ ns_t_mr = 9, /* Mail rename name. */
++ ns_t_null = 10, /* Null resource record. */
++ ns_t_wks = 11, /* Well known service. */
++ ns_t_ptr = 12, /* Domain name pointer. */
++ ns_t_hinfo = 13, /* Host information. */
++ ns_t_minfo = 14, /* Mailbox information. */
++ ns_t_mx = 15, /* Mail routing information. */
++ ns_t_txt = 16, /* Text strings. */
++ ns_t_rp = 17, /* Responsible person. */
++ ns_t_afsdb = 18, /* AFS cell database. */
++ ns_t_x25 = 19, /* X_25 calling address. */
++ ns_t_isdn = 20, /* ISDN calling address. */
++ ns_t_rt = 21, /* Router. */
++ ns_t_nsap = 22, /* NSAP address. */
++ ns_t_nsap_ptr = 23, /* Reverse NSAP lookup (deprecated). */
++ ns_t_sig = 24, /* Security signature. */
++ ns_t_key = 25, /* Security key. */
++ ns_t_px = 26, /* X.400 mail mapping. */
++ ns_t_gpos = 27, /* Geographical position (withdrawn). */
++ ns_t_aaaa = 28, /* Ip6 Address. */
++ ns_t_loc = 29, /* Location Information. */
++ ns_t_nxt = 30, /* Next domain (security). */
++ ns_t_eid = 31, /* Endpoint identifier. */
++ ns_t_nimloc = 32, /* Nimrod Locator. */
++ ns_t_srv = 33, /* Server Selection. */
++ ns_t_atma = 34, /* ATM Address */
++ ns_t_naptr = 35, /* Naming Authority PoinTeR */
++ ns_t_kx = 36, /* Key Exchange */
++ ns_t_cert = 37, /* Certification record */
++ ns_t_a6 = 38, /* IPv6 address (deprecates AAAA) */
++ ns_t_dname = 39, /* Non-terminal DNAME (for IPv6) */
++ ns_t_sink = 40, /* Kitchen sink (experimentatl) */
++ ns_t_opt = 41, /* EDNS0 option (meta-RR) */
++ ns_t_apl = 42, /* Address prefix list (RFC3123) */
++ ns_t_ds = 43, /* Delegation Signer (RFC4034) */
++ ns_t_sshfp = 44, /* SSH Key Fingerprint (RFC4255) */
++ ns_t_rrsig = 46, /* Resource Record Signature (RFC4034) */
++ ns_t_nsec = 47, /* Next Secure (RFC4034) */
++ ns_t_dnskey = 48, /* DNS Public Key (RFC4034) */
++ ns_t_tkey = 249, /* Transaction key */
++ ns_t_tsig = 250, /* Transaction signature. */
++ ns_t_ixfr = 251, /* Incremental zone transfer. */
++ ns_t_axfr = 252, /* Transfer zone of authority. */
++ ns_t_mailb = 253, /* Transfer mailbox records. */
++ ns_t_maila = 254, /* Transfer mail agent records. */
++ ns_t_any = 255, /* Wildcard match. */
++ ns_t_zxfr = 256, /* BIND-specific, nonstandard. */
++ ns_t_caa = 257, /* Certification Authority Authorization. */
++ ns_t_max = 65536
++} ns_type;
++
++typedef enum __ns_opcode {
++ ns_o_query = 0, /* Standard query. */
++ ns_o_iquery = 1, /* Inverse query (deprecated/unsupported). */
++ ns_o_status = 2, /* Name server status query (unsupported). */
++ /* Opcode 3 is undefined/reserved. */
++ ns_o_notify = 4, /* Zone change notification. */
++ ns_o_update = 5, /* Zone update message. */
++ ns_o_max = 6
++} ns_opcode;
++
++typedef enum __ns_rcode {
++ ns_r_noerror = 0, /* No error occurred. */
++ ns_r_formerr = 1, /* Format error. */
++ ns_r_servfail = 2, /* Server failure. */
++ ns_r_nxdomain = 3, /* Name error. */
++ ns_r_notimpl = 4, /* Unimplemented. */
++ ns_r_refused = 5, /* Operation refused. */
++ /* these are for BIND_UPDATE */
++ ns_r_yxdomain = 6, /* Name exists */
++ ns_r_yxrrset = 7, /* RRset exists */
++ ns_r_nxrrset = 8, /* RRset does not exist */
++ ns_r_notauth = 9, /* Not authoritative for zone */
++ ns_r_notzone = 10, /* Zone of record different from zone section */
++ ns_r_max = 11,
++ /* The following are TSIG extended errors */
++ ns_r_badsig = 16,
++ ns_r_badkey = 17,
++ ns_r_badtime = 18
++} ns_rcode;
++
++#endif /* HAVE_ARPA_NAMESER_H */
++
++
++/* ============================================================================
++ * arpa/nameser_compat.h typically sets these. However on some systems
++ * arpa/nameser.h does, but may not set all of them. Lets conditionally
++ * define each
++ * ============================================================================
++ */
++
++#ifndef PACKETSZ
++# define PACKETSZ NS_PACKETSZ
++#endif
++
++#ifndef MAXDNAME
++# define MAXDNAME NS_MAXDNAME
++#endif
++
++#ifndef MAXCDNAME
++# define MAXCDNAME NS_MAXCDNAME
++#endif
++
++#ifndef MAXLABEL
++# define MAXLABEL NS_MAXLABEL
++#endif
++
++#ifndef HFIXEDSZ
++# define HFIXEDSZ NS_HFIXEDSZ
++#endif
++
++#ifndef QFIXEDSZ
++# define QFIXEDSZ NS_QFIXEDSZ
++#endif
++
++#ifndef RRFIXEDSZ
++# define RRFIXEDSZ NS_RRFIXEDSZ
++#endif
++
++#ifndef INDIR_MASK
++# define INDIR_MASK NS_CMPRSFLGS
++#endif
++
++#ifndef NAMESERVER_PORT
++# define NAMESERVER_PORT NS_DEFAULTPORT
++#endif
++
++
++/* opcodes */
++#ifndef O_QUERY
++# define O_QUERY 0 /* ns_o_query */
++#endif
++#ifndef O_IQUERY
++# define O_IQUERY 1 /* ns_o_iquery */
++#endif
++#ifndef O_STATUS
++# define O_STATUS 2 /* ns_o_status */
++#endif
++#ifndef O_NOTIFY
++# define O_NOTIFY 4 /* ns_o_notify */
++#endif
++#ifndef O_UPDATE
++# define O_UPDATE 5 /* ns_o_update */
++#endif
++
++
++/* response codes */
++#ifndef SERVFAIL
++# define SERVFAIL ns_r_servfail
++#endif
++#ifndef NOTIMP
++# define NOTIMP ns_r_notimpl
++#endif
++#ifndef REFUSED
++# define REFUSED ns_r_refused
++#endif
++#if defined(_WIN32) && !defined(HAVE_ARPA_NAMESER_COMPAT_H) && defined(NOERROR)
++# undef NOERROR /* it seems this is already defined in winerror.h */
++#endif
++#ifndef NOERROR
++# define NOERROR ns_r_noerror
++#endif
++#ifndef FORMERR
++# define FORMERR ns_r_formerr
++#endif
++#ifndef NXDOMAIN
++# define NXDOMAIN ns_r_nxdomain
++#endif
++/* Non-standard response codes, use numeric values */
++#ifndef YXDOMAIN
++# define YXDOMAIN 6 /* ns_r_yxdomain */
++#endif
++#ifndef YXRRSET
++# define YXRRSET 7 /* ns_r_yxrrset */
++#endif
++#ifndef NXRRSET
++# define NXRRSET 8 /* ns_r_nxrrset */
++#endif
++#ifndef NOTAUTH
++# define NOTAUTH 9 /* ns_r_notauth */
++#endif
++#ifndef NOTZONE
++# define NOTZONE 10 /* ns_r_notzone */
++#endif
++#ifndef TSIG_BADSIG
++# define TSIG_BADSIG 16 /* ns_r_badsig */
++#endif
++#ifndef TSIG_BADKEY
++# define TSIG_BADKEY 17 /* ns_r_badkey */
++#endif
++#ifndef TSIG_BADTIME
++# define TSIG_BADTIME 18 /* ns_r_badtime */
++#endif
++
++
++/* classes */
++#ifndef C_IN
++# define C_IN 1 /* ns_c_in */
++#endif
++#ifndef C_CHAOS
++# define C_CHAOS 3 /* ns_c_chaos */
++#endif
++#ifndef C_HS
++# define C_HS 4 /* ns_c_hs */
++#endif
++#ifndef C_NONE
++# define C_NONE 254 /* ns_c_none */
++#endif
++#ifndef C_ANY
++# define C_ANY 255 /* ns_c_any */
++#endif
++
++
++/* types */
++#ifndef T_A
++# define T_A 1 /* ns_t_a */
++#endif
++#ifndef T_NS
++# define T_NS 2 /* ns_t_ns */
++#endif
++#ifndef T_MD
++# define T_MD 3 /* ns_t_md */
++#endif
++#ifndef T_MF
++# define T_MF 4 /* ns_t_mf */
++#endif
++#ifndef T_CNAME
++# define T_CNAME 5 /* ns_t_cname */
++#endif
++#ifndef T_SOA
++# define T_SOA 6 /* ns_t_soa */
++#endif
++#ifndef T_MB
++# define T_MB 7 /* ns_t_mb */
++#endif
++#ifndef T_MG
++# define T_MG 8 /* ns_t_mg */
++#endif
++#ifndef T_MR
++# define T_MR 9 /* ns_t_mr */
++#endif
++#ifndef T_NULL
++# define T_NULL 10 /* ns_t_null */
++#endif
++#ifndef T_WKS
++# define T_WKS 11 /* ns_t_wks */
++#endif
++#ifndef T_PTR
++# define T_PTR 12 /* ns_t_ptr */
++#endif
++#ifndef T_HINFO
++# define T_HINFO 13 /* ns_t_hinfo */
++#endif
++#ifndef T_MINFO
++# define T_MINFO 14 /* ns_t_minfo */
++#endif
++#ifndef T_MX
++# define T_MX 15 /* ns_t_mx */
++#endif
++#ifndef T_TXT
++# define T_TXT 16 /* ns_t_txt */
++#endif
++#ifndef T_RP
++# define T_RP 17 /* ns_t_rp */
++#endif
++#ifndef T_AFSDB
++# define T_AFSDB 18 /* ns_t_afsdb */
++#endif
++#ifndef T_X25
++# define T_X25 19 /* ns_t_x25 */
++#endif
++#ifndef T_ISDN
++# define T_ISDN 20 /* ns_t_isdn */
++#endif
++#ifndef T_RT
++# define T_RT 21 /* ns_t_rt */
++#endif
++#ifndef T_NSAP
++# define T_NSAP 22 /* ns_t_nsap */
++#endif
++#ifndef T_NSAP_PTR
++# define T_NSAP_PTR 23 /* ns_t_nsap_ptr */
++#endif
++#ifndef T_SIG
++# define T_SIG 24 /* ns_t_sig */
++#endif
++#ifndef T_KEY
++# define T_KEY 25 /* ns_t_key */
++#endif
++#ifndef T_PX
++# define T_PX 26 /* ns_t_px */
++#endif
++#ifndef T_GPOS
++# define T_GPOS 27 /* ns_t_gpos */
++#endif
++#ifndef T_AAAA
++# define T_AAAA 28 /* ns_t_aaaa */
++#endif
++#ifndef T_LOC
++# define T_LOC 29 /* ns_t_loc */
++#endif
++#ifndef T_NXT
++# define T_NXT 30 /* ns_t_nxt */
++#endif
++#ifndef T_EID
++# define T_EID 31 /* ns_t_eid */
++#endif
++#ifndef T_NIMLOC
++# define T_NIMLOC 32 /* ns_t_nimloc */
++#endif
++#ifndef T_SRV
++# define T_SRV 33 /* ns_t_srv */
++#endif
++#ifndef T_ATMA
++# define T_ATMA 34 /* ns_t_atma */
++#endif
++#ifndef T_NAPTR
++# define T_NAPTR 35 /* ns_t_naptr */
++#endif
++#ifndef T_KX
++# define T_KX 36 /* ns_t_kx */
++#endif
++#ifndef T_CERT
++# define T_CERT 37 /* ns_t_cert */
++#endif
++#ifndef T_A6
++# define T_A6 38 /* ns_t_a6 */
++#endif
++#ifndef T_DNAME
++# define T_DNAME 39 /* ns_t_dname */
++#endif
++#ifndef T_SINK
++# define T_SINK 40 /* ns_t_sink */
++#endif
++#ifndef T_OPT
++# define T_OPT 41 /* ns_t_opt */
++#endif
++#ifndef T_APL
++# define T_APL 42 /* ns_t_apl */
++#endif
++#ifndef T_DS
++# define T_DS 43 /* ns_t_ds */
++#endif
++#ifndef T_SSHFP
++# define T_SSHFP 44 /* ns_t_sshfp */
++#endif
++#ifndef T_RRSIG
++# define T_RRSIG 46 /* ns_t_rrsig */
++#endif
++#ifndef T_NSEC
++# define T_NSEC 47 /* ns_t_nsec */
++#endif
++#ifndef T_DNSKEY
++# define T_DNSKEY 48 /* ns_t_dnskey */
++#endif
++#ifndef T_TKEY
++# define T_TKEY 249 /* ns_t_tkey */
++#endif
++#ifndef T_TSIG
++# define T_TSIG 250 /* ns_t_tsig */
++#endif
++#ifndef T_IXFR
++# define T_IXFR 251 /* ns_t_ixfr */
++#endif
++#ifndef T_AXFR
++# define T_AXFR 252 /* ns_t_axfr */
++#endif
++#ifndef T_MAILB
++# define T_MAILB 253 /* ns_t_mailb */
++#endif
++#ifndef T_MAILA
++# define T_MAILA 254 /* ns_t_maila */
++#endif
++#ifndef T_ANY
++# define T_ANY 255 /* ns_t_any */
++#endif
++#ifndef T_ZXFR
++# define T_ZXFR 256 /* ns_t_zxfr */
++#endif
++#ifndef T_CAA
++# define T_CAA 257 /* ns_t_caa */
++#endif
++#ifndef T_MAX
++# define T_MAX 65536 /* ns_t_max */
++#endif
++
++
++#endif /* ARES_NAMESER_H */
+
+From db4643979ee676b3a3d6cdf2fb597d399cf8013f Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Fri, 13 Aug 2021 00:01:59 +0800
+Subject: [PATCH 2/2] build: ignore cpplint for third-party ares_nameser.h
+
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index ec4c774748cd..c418995c53c1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1289,6 +1289,7 @@ jslint-ci: lint-js-ci
+ LINT_CPP_ADDON_DOC_FILES_GLOB = test/addons/??_*/*.cc test/addons/??_*/*.h
+ LINT_CPP_ADDON_DOC_FILES = $(wildcard $(LINT_CPP_ADDON_DOC_FILES_GLOB))
+ LINT_CPP_EXCLUDE ?=
++LINT_CPP_EXCLUDE += src/ares_nameser.h
+ LINT_CPP_EXCLUDE += src/node_root_certs.h
+ LINT_CPP_EXCLUDE += $(LINT_CPP_ADDON_DOC_FILES)
+ LINT_CPP_EXCLUDE += $(wildcard test/js-native-api/??_*/*.cc test/js-native-api/??_*/*.h test/node-api/??_*/*.cc test/node-api/??_*/*.h)
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 4663f4011d..83fe663712 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=8.4_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
@@ -35,13 +35,18 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
sftp-interactive.patch
disable-forwarding-by-default.patch
fix-verify-dns-segfault.patch
- https://github.com/openssh/openssh-portable/commit/d9e727dcc04a52caaac87543ea1d230e9e6b5604.patch
+ ssh-copy-id.patch
+
CVE-2021-28041.patch
+ CVE-2021-41617.patch
+
sshd.initd
sshd.confd
"
# secfixes:
+# 8.4_p1-r4:
+# - CVE-2021-41617
# 8.4_p1-r1:
# - CVE-2021-28041
# 8.4_p1-r0:
@@ -212,12 +217,15 @@ _pkg_flavour() {
done
}
-sha512sums="d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce openssh-8.4p1.tar.gz
+sha512sums="
+d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce openssh-8.4p1.tar.gz
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
-711f564b4bc5b156b699795230b9909c979407517daabc2304975dfea4838fdd426bff7d424254d4a7f9162205f3d8931bd5e25d4006bfbe670a900e2bd05967 d9e727dcc04a52caaac87543ea1d230e9e6b5604.patch
+711f564b4bc5b156b699795230b9909c979407517daabc2304975dfea4838fdd426bff7d424254d4a7f9162205f3d8931bd5e25d4006bfbe670a900e2bd05967 ssh-copy-id.patch
927863c0778d4933d90d5cbd97ba2d6f6deb3c44def522bfb764103e72320512d91a4d4f21ae46b46e72c5fd379d523511f3827b7b0834862483eb3796916bf9 CVE-2021-28041.patch
+25f73470597d2281ab4f13e992b5d56630c12c6f0b65507ebfa60b31003c828e8098012d2561f23f99858e430af67b178df0e94e0116a02e559e427cc287899f CVE-2021-41617.patch
8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8 sshd.initd
-ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"
+ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd
+"
diff --git a/main/openssh/CVE-2021-41617.patch b/main/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..ec9b8392b4
--- /dev/null
+++ b/main/openssh/CVE-2021-41617.patch
@@ -0,0 +1,25 @@
+diff --git a/auth.c b/auth.c
+index b8d1040d..0134d694 100644
+--- a/auth.c
++++ b/auth.c
+@@ -56,6 +56,7 @@
+ # include <paths.h>
+ #endif
+ #include <pwd.h>
++#include <grp.h>
+ #ifdef HAVE_LOGIN_H
+ #include <login.h>
+ #endif
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
diff --git a/main/openssh/ssh-copy-id.patch b/main/openssh/ssh-copy-id.patch
new file mode 100644
index 0000000000..d16b43c7bc
--- /dev/null
+++ b/main/openssh/ssh-copy-id.patch
@@ -0,0 +1,30 @@
+From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f942..a769077172 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+ # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+ # the cat adds the keys we're getting via STDIN
+ # and if available restorecon is used to restore the SELinux context
+- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
++ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ cd;
+ umask 077;
+ mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ restorecon -F .ssh ${AUTH_KEY_FILE};
+ fi
+ EOF
++ )
+
+ # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+ printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 2794204af7..211971e7fc 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1k
+pkgver=1.1.1l
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -19,6 +19,9 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.1l-r0:
+# - CVE-2021-3711
+# - CVE-2021-3712
# 1.1.1k-r0:
# - CVE-2021-3449
# - CVE-2021-3450
@@ -121,6 +124,8 @@ _libssl() {
done
}
-sha512sums="73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 openssl-1.1.1k.tar.gz
+sha512sums="
+d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0 openssl-1.1.1l.tar.gz
43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
-e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch"
+e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
+"
diff --git a/main/perl-net-cidr-lite/APKBUILD b/main/perl-net-cidr-lite/APKBUILD
index dd24238069..fcd6a6fb3a 100644
--- a/main/perl-net-cidr-lite/APKBUILD
+++ b/main/perl-net-cidr-lite/APKBUILD
@@ -2,19 +2,17 @@
# Maintainer: Matt Smith <mcs@darkregion.net>
pkgname=perl-net-cidr-lite
_realname=Net-CIDR-Lite
-pkgver=0.21
-pkgrel=6
+pkgver=0.22
+pkgrel=0
pkgdesc="Perl extension for merging IPv4 or IPv6 CIDR addresses"
-url="http://search.cpan.org/~dougw/Net-CIDR-Lite-0.21/"
+url="https://metacpan.org/release/Net-CIDR-Lite/"
arch="noarch"
license="Artistic-Perl-1.0 GPL+"
depends="perl"
-makedepends="perl-dev"
-install=
subpackages="$pkgname-doc"
-source="https://cpan.metacpan.org/authors/id/D/DO/DOUGW/$_realname-$pkgver.tar.gz"
-
+source="https://cpan.metacpan.org/authors/id/S/ST/STIGTSP/Net-CIDR-Lite-$pkgver.tar.gz"
builddir="$srcdir/$_realname-$pkgver"
+
build() {
cd "$builddir"
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
@@ -33,4 +31,6 @@ package() {
find "$pkgdir" -name perllocal.pod -delete
}
-sha512sums="c8a5b00a26fb823e637825eac72ca7002f401a1a623d8b77b694848975124f24fba86830df8d41f6bdba4d2e2f0f93b2b155ac1511b607efa67942189614dc7c Net-CIDR-Lite-0.21.tar.gz"
+sha512sums="
+5d89c0b6d950e5cb4c7eb9639829d76a67373865f5582f61d3e384636b176ac08335a9210d05a53c54105fecfb8ec98ae115cba3d181aed3032370d50f3aec9f Net-CIDR-Lite-0.22.tar.gz
+"
diff --git a/main/pgpool/APKBUILD b/main/pgpool/APKBUILD
index c3eddcbaf6..c8755778fd 100644
--- a/main/pgpool/APKBUILD
+++ b/main/pgpool/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=pgpool
_pkgname="$pkgname-II"
-pkgver=4.2.2
+pkgver=4.2.4
pkgrel=0
pkgdesc="A connection pooling/replication server for PostgreSQL"
url="https://www.pgpool.net/"
@@ -71,7 +71,8 @@ doc() {
done
}
-sha512sums="a147c810cc691fb27b823a813cbd2eaad66822c7c9f5c0f829cc70d4ac65911bbe827640f2dbd8060913276ed97340b52167e4332e9cdf013b6c9bc144c7b5d8 pgpool-4.2.2.tar.gz
+sha512sums="
+984ac302e2cbf5ee8ebda94450feaae3e640c71a40c0077b92dce7b45174a272e7d69b49efeb2419cc8b224fd635a08ca74e263e791e05b36fa3be44af419152 pgpool-4.2.4.tar.gz
71b8239b1b29e2c4a8312b300122ced1452bbe60fc7937e80172c7c5e3d6be71e5aee58f6d3d687b0e35df6ccdc27125a12ae9098f7c2d07e76b8103abca3556 pgpool.initd
0e40a681b068ce5c7f03c342c1217b170601a507cacdf120b9a308df65f2065e6085b292a393802d1955079f7ec434a412e6d871f688ad83bc33fa34aca37cfe pgpool.confd
c9aa2ea9484ed29cb57cdff4004fa9dd4780d73c69db3378effb2e0ecd3ae178771c6a847a28e1a9cc6492ada4321584afb92c9b592119fb11898b42191f22b1 pgpool.logrotated
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index db5ae265b2..6a1d8c0914 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=13.3
+pkgver=13.4
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -35,6 +35,8 @@ source="https://ftp.postgresql.org/pub/source/v$pkgver/postgresql-$pkgver.tar.bz
"
# secfixes:
+# 13.4-r0:
+# - CVE-2021-3677
# 13.3-r0:
# - CVE-2021-32027
# - CVE-2021-32028
@@ -268,7 +270,8 @@ _run_tests() {
}
}
-sha512sums="1560cc766982a9ea9d33c77835b20e33e11b03acb77fc75d905c565883935a7dbcd27b9b2ab6a0ecdb815261f7c259865cb3dac85c10a3181c3fcaeb4d28bf60 postgresql-13.3.tar.bz2
+sha512sums="
+f1faf676ffdcee3e7f2c3b78f4badf44770d6be58090036d119d8fb0688e2b9f9159dd44fe850c179b8e23f256942c05edb8fcc385f0e852d16b37eace785b5a postgresql-13.4.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
27e00b58fe5c3899c66fc0dde51846c14701bcfedd132b106d676783ba603e8cbdc6e620f29b52dc892bdaa9302052788cf5e575a1659f61c017a12e0d2ee4d0 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
@@ -279,4 +282,5 @@ c4179fcd8b71791cdc41ea7b622cf82e9bd42ac1de66999234b98a83c0c508c79c492a9301274fe8
a6d9cba5c7270484b3a22083b2b37742faefb01b6643040050c92235840c601b2e206ebda32804937b729c6cf42c79a558b921900e52fc420df2a03b5f29e1f7 postgresql.confd
f5a1cba051e7d846c2d16703514601cb25729ed96b677c9bd0c199d64552120a8b14b238af01917fdb87106681e12dee6fff7447558155ba273e4f96be5e2892 pg-restore.initd
c14a5684e914abb3b0ee71bbf15eed71a9264deacaa404a6e3af6bfc330d93e7598624d0ed11a94263106cc660f7f54c8ff57e759033cf606a795f69ff6c1c7c pg-restore.confd
-5c9bfd9e295dcf678298bf0aa974347a7c311d6e7c2aa76a6920fcb751d01fd1ab77abbec11f3c672f927ad9deaa88e04e370c0b5cd1b60087554c474b748731 pltcl_create_tables.sql"
+5c9bfd9e295dcf678298bf0aa974347a7c311d6e7c2aa76a6920fcb751d01fd1ab77abbec11f3c672f927ad9deaa88e04e370c0b5cd1b60087554c474b748731 pltcl_create_tables.sql
+"
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index 76c2e98396..c6bda867e6 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=6.0.15
+pkgver=6.0.16
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -26,6 +26,15 @@ source="https://download.redis.io/releases/redis-$pkgver.tar.gz
"
# secfixes:
+# 6.0.16-r0:
+# - CVE-2021-32626
+# - CVE-2021-32627
+# - CVE-2021-32628
+# - CVE-2021-32672
+# - CVE-2021-32675
+# - CVE-2021-32687
+# - CVE-2021-32762
+# - CVE-2021-41099
# 6.0.13-r0:
# - CVE-2021-32761
# 6.0.14-r0:
@@ -91,7 +100,7 @@ package() {
}
sha512sums="
-e7ba123798a11e1c68dd6d3ebb0586bed4f2bb33755871f1577f7e0229f826b468c2130c31bcc85a64ce7ff54e280df0a7c60e0882f3ed2a11d43e7819fe8b9e redis-6.0.15.tar.gz
+83bb72448f9943e3d015cb4d961eb2eae21602ef1f90ca52ca8ab7c6918b0ab979db9f61f3981df27b2286894f4864f4588c3a52fa988e30e9419b0967998845 redis-6.0.16.tar.gz
006716439828981ab56bd8837e67d0a99a775e07a80a761903fa762c91571f5e5ffc1a99f0b518a944cbd8635609952ded838f342d5563345199f8e6e6579efd makefile-dont-duplicate-binary.patch
05a35246ee5136f10f1873eb91a267cf31d206d298ff8ac105efc501bbab7f44b50d4e4d92874701c81e105bd72a0ac73f5e810610de8e3769544e7c36a23748 redis.conf.patch
a5dc411c2bd7edf61400e29accb375275dd888fda72a8f7e3889be475010c695a22f536be818ef9441e47285c00b451966db924362a7f56806586078c9e3ff8c sentinel.conf.patch
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index 73863ac42c..d53e7fa841 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -3,6 +3,10 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.7.4-r0:
+# - CVE-2021-31799
+# - CVE-2021-31810
+# - CVE-2021-32066
# 2.7.3-r0:
# - CVE-2021-28965
# - CVE-2021-28966
@@ -39,7 +43,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.7.3
+pkgver=2.7.4
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -342,8 +346,9 @@ _mvgem() {
done
}
-
-sha512sums="1d036d08016351e8f9e7506a6abaf490fe226cf2ff9c2f9df582b57bff22a960dbaf271a8a167ac09f864613b9b8b14191bb79f8a6900ad5ca24131ecf571d54 ruby-2.7.3.tar.gz
+sha512sums="
+a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a ruby-2.7.4.tar.gz
a142199140fa711a64717429e9069fd2082319abaf4b129f561db374b3bc16e2a90cc4c849b5d28334505d1c71fed242aef3c44d983da3513d239dcb778673a5 rubygems-avoid-platform-specific-gems.patch
43c1fc80f0dcb4f24d891478889808583da90dc9e0df74c3b1cf41253c13a0d416d2b7ae17e7d53ac1238340a845b088f0fe20324a79905cc6b950b3dcfa4ac6 test_insns-lower-recursion-depth.patch
-3ffc034c01110ee5531265333ca5ee8d61d08131843fe3004c5b34c88c9c1b32cb4ed89574f393177c8bd526e9c15da61ab344f93adf07b9148c561ee19e2eb5 fix-get_main_stack.patch"
+3ffc034c01110ee5531265333ca5ee8d61d08131843fe3004c5b34c88c9c1b32cb4ed89574f393177c8bd526e9c15da61ab344f93adf07b9148c561ee19e2eb5 fix-get_main_stack.patch
+"
diff --git a/main/sofia-sip/APKBUILD b/main/sofia-sip/APKBUILD
index 0b5b241daf..5a02015bed 100644
--- a/main/sofia-sip/APKBUILD
+++ b/main/sofia-sip/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=sofia-sip
-pkgver=1.13.2
+pkgver=1.13.4
pkgrel=0
pkgdesc="RFC3261 compliant SIP User-Agent library"
url="https://github.com/freeswitch/sofia-sip"
@@ -41,4 +41,6 @@ doc() {
default_doc
make doxygen
}
-sha512sums="55d1f9d3310685047f4464d382d190f58b101c99c8ff1f648af76cae16016924a8b0165a734ad2e61108e553e83080f3b7677f5cccf21b28885e4bf74a58adb9 sofia-sip-1.13.2.tar.gz"
+sha512sums="
+bec89cedcb0c259b9a938f35cbf1bd4192f64805df7eef864b2efce63f07ba40b26fbaa74ff8028ebb11c500630913888f67e0123082974edbf1af17d4d78a72 sofia-sip-1.13.4.tar.gz
+"
diff --git a/main/squashfs-tools/APKBUILD b/main/squashfs-tools/APKBUILD
index d5b429c1ad..2f8e18c1af 100644
--- a/main/squashfs-tools/APKBUILD
+++ b/main/squashfs-tools/APKBUILD
@@ -1,20 +1,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squashfs-tools
-pkgver=4.4
-pkgrel=1
+pkgver=4.5
+pkgrel=0
pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux"
url="https://github.com/plougher/squashfs-tools"
arch="all"
license="GPL-2.0-or-later"
+options="!check" # no testsuite
makedepends="zlib-dev xz-dev lzo-dev lz4-dev attr-dev zstd-dev"
source="$pkgname-$pkgver.tar.gz::https://github.com/plougher/squashfs-tools/archive/$pkgver.tar.gz
fix-compat.patch
- gcc-10.patch
"
builddir="$srcdir/$pkgname-$pkgver/$pkgname"
+# secfixes:
+# 4.5-r0:
+# - CVE-2021-40153
+
build() {
- CFLAGS="$CFLAGS -std=gnu89" \
make XZ_SUPPORT=1 LZO_SUPPORT=1 LZ4_SUPPORT=1 ZSTD_SUPPORT=1
}
@@ -23,6 +26,7 @@ package() {
cp -a mksquashfs unsquashfs "$pkgdir"/sbin
}
-sha512sums="133ce437fb8c929933d52cff710b61dd9181f6f8be58250b0d6a59a7bb79a2b350f68f456b06a0e17c469409a71272d586802d570248273ddcd5dad088c00308 squashfs-tools-4.4.tar.gz
+sha512sums="
+e00610487d24eed9e5dadcf84014a3d7faa9815d8ce00fd4660e6c8ce394dccf185ed9f387f4fa1313b9812fe770f802bdcbaef87887f2bcefacf234594a72e0 squashfs-tools-4.5.tar.gz
656242ec396d95a5e1029b60299bc91be7266ceedb50978c09a82ad80b32881576909dbd4e1e889abc3fa8c361da5ca9978ce6c319f40f5145bb532acb6c881d fix-compat.patch
-f7d263801bc74876d8805f61a6ff940fc400af957d041a8798a88a3736713091c8077324aff691fc093dd57771d55826da461c4633bf097eaaa88ebe905b109a gcc-10.patch"
+"
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 7f81264951..9ba693df4d 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=5.0.6
-pkgrel=0
+pkgrel=1
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -18,6 +18,7 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt
lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"
langdir="/usr/share/squid/errors"
source="http://www.squid-cache.org/Versions/v${pkgver%%.*}/squid-$pkgver.tar.xz
+ CVE-2021-28116.patch
$pkgname.initd
$pkgname.confd
@@ -27,6 +28,8 @@ pkgusers="squid"
pkggroups="squid"
# secfixes:
+# 5.0.6-r1:
+# - CVE-2021-28116
# 5.0.6-r0:
# - CVE-2021-28651
# - CVE-2021-28652
@@ -120,7 +123,10 @@ squid_kerb_auth() {
install -d "$subpkgdir"/usr/lib/squid
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
-sha512sums="97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e squid-5.0.6.tar.xz
+sha512sums="
+97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e squid-5.0.6.tar.xz
+60440e80e62609584bb5c0eba314fa5e5d68add39fd4d4e3899f3a268552f2dfd31da616b5b1820a1c7096382b82fbc01dc9dc92107feed6cd4b0df40c3c43bd CVE-2021-28116.patch
8320820c02c824ed96065e0b66cabdd80b11c23e911880a42f5bd7e3f6e7a5c1c6def910a1843cca810c62a7dc8ccdb9ae82c0cf52bf08259c3b50058232132d squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
-89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
+89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate
+"
diff --git a/main/squid/CVE-2021-28116.patch b/main/squid/CVE-2021-28116.patch
new file mode 100644
index 0000000000..487c9d6a26
--- /dev/null
+++ b/main/squid/CVE-2021-28116.patch
@@ -0,0 +1,424 @@
+commit 7a73a54cefff6bb83c03de219a73276e42d183d0
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date: 2021-09-24 21:53:11 +0000
+
+ WCCP: Validate packets better (#899)
+
+ Update WCCP to support exception based error handling for
+ parsing and processing we are moving Squid to for protocol
+ handling.
+
+ Update the main WCCPv2 parsing checks to throw meaningful
+ exceptions when detected.
+
+diff --git a/src/wccp2.cc b/src/wccp2.cc
+index 5a4ad1844..9dad77817 100644
+--- a/src/wccp2.cc
++++ b/src/wccp2.cc
+@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void)
+ * Functions for handling the requests.
+ */
+
++/// Checks that the given area section ends inside the given (whole) area.
++/// \param error the message to throw when the section does not fit
++static void
++CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error)
++{
++ assert(sectionStart);
++ assert(wholeStart);
++
++ const auto wholeEnd = static_cast<const char*>(wholeStart) + wholeSize;
++ assert(sectionStart >= wholeStart && "we never go backwards");
++ assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)");
++ static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers");
++ // subtraction safe due to the three assertions above
++ const auto remainderDiff = wholeEnd - static_cast<const char*>(sectionStart);
++
++ // casting safe due to the assertions above (and size_t definition)
++ assert(remainderDiff >= 0);
++ const auto remainderSize = static_cast<size_t>(remainderDiff);
++
++ if (sectionLength <= remainderSize)
++ return;
++
++ throw TextException(error, Here());
++}
++
++/// Checks that the area contains at least dataLength bytes after the header.
++/// The size of the field header itself is not included in dataLength.
++/// \returns the total field size -- the field header and field data combined
++template<class FieldHeader>
++static size_t
++CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error)
++{
++ assert(header);
++ const auto dataStart = reinterpret_cast<const char*>(header) + sizeof(header);
++ CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error);
++ return sizeof(header) + dataLength; // no overflow after CheckSectionLength()
++}
++
++/// Positions the given field at a given start within a given packet area.
++/// The Field type determines the correct field size (used for bounds checking).
++/// \param field the field pointer the function should set
++/// \param areaStart the start of a packet (sub)structure containing the field
++/// \param areaSize the size of the packet (sub)structure starting at areaStart
++/// \param fieldStart the start of a field within the given area
++/// \param error the message to throw when the field does not fit the area
++template<class Field>
++static void
++SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error)
++{
++ CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error);
++ field = static_cast<Field*>(const_cast<void*>(fieldStart));
++}
++
+ /*
+ * Accept the UDP packet
+ */
+@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *)
+
+ /* These structs form the parts of the packet */
+
+- struct wccp2_item_header_t *header = NULL;
+-
+ struct wccp2_security_none_t *security_info = NULL;
+
+ struct wccp2_service_info_t *service_info = NULL;
+@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *)
+ struct wccp2_cache_identity_info_t *cache_identity = NULL;
+
+ struct wccp2_capability_info_header_t *router_capability_header = NULL;
++ char *router_capability_data_start = nullptr;
+
+ struct wccp2_capability_element_t *router_capability_element;
+
+ struct sockaddr_in from;
+
+ struct in_addr cache_address;
+- int len, found;
+- short int data_length, offset;
+ uint32_t tmp;
+ char *ptr;
+ int num_caches;
+@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *)
+ Ip::Address from_tmp;
+ from_tmp.setIPv4();
+
+- len = comm_udp_recvfrom(sock,
+- &wccp2_i_see_you,
+- WCCP_RESPONSE_SIZE,
+- 0,
+- from_tmp);
++ const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp);
+
+- if (len < 0)
++ if (lenOrError < 0)
+ return;
++ const auto len = static_cast<size_t>(lenOrError);
+
+- if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION)
+- return;
+-
+- if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU)
+- return;
++ try {
++ // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages.
++ const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data);
++ Must3(len >= message_header_size, "incomplete WCCP message header", Here());
++ Must3(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported", Here());
++ Must3(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported", Here());
+
+ // XXX: drop conversion boundary
+ from_tmp.getSockAddr(from);
+@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *)
+ debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << ".");
+
+ /* Record the total data length */
+- data_length = ntohs(wccp2_i_see_you.length);
++ const auto data_length = ntohs(wccp2_i_see_you.length);
++ Must3(data_length <= len - message_header_size,
++ "malformed packet claiming it's bigger than received data", Here());
+
+- offset = 0;
+-
+- if (data_length > len) {
+- debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data");
+- return;
+- }
++ size_t offset = 0;
+
+ /* Go through the data structure */
+- while (data_length > offset) {
++ while (offset + sizeof(struct wccp2_item_header_t) <= data_length) {
+
+ char *data = wccp2_i_see_you.data;
+
+- header = (struct wccp2_item_header_t *) &data[offset];
++ const auto itemHeader = reinterpret_cast<const wccp2_item_header_t*>(&data[offset]);
++ const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length),
++ data, data_length, "truncated record");
++ // XXX: Check "The specified length must be a multiple of 4 octets"
++ // requirement to avoid unaligned memory reads after the first item.
+
+- switch (ntohs(header->type)) {
++ switch (ntohs(itemHeader->type)) {
+
+ case WCCP2_SECURITY_INFO:
+-
+- if (security_info != NULL) {
+- debugs(80, DBG_IMPORTANT, "Duplicate security definition");
+- return;
+- }
+-
+- security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset];
++ Must3(!security_info, "duplicate security definition", Here());
++ SetField(security_info, itemHeader, itemHeader, itemSize,
++ "security definition truncated");
+ break;
+
+ case WCCP2_SERVICE_INFO:
+-
+- if (service_info != NULL) {
+- debugs(80, DBG_IMPORTANT, "Duplicate service_info definition");
+- return;
+- }
+-
+- service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset];
++ Must3(!service_info, "duplicate service_info definition", Here());
++ SetField(service_info, itemHeader, itemHeader, itemSize,
++ "service_info definition truncated");
+ break;
+
+ case WCCP2_ROUTER_ID_INFO:
+-
+- if (router_identity_info != NULL) {
+- debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition");
+- return;
+- }
+-
+- router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset];
++ Must3(!router_identity_info, "duplicate router_identity_info definition", Here());
++ SetField(router_identity_info, itemHeader, itemHeader, itemSize,
++ "router_identity_info definition truncated");
+ break;
+
+ case WCCP2_RTR_VIEW_INFO:
+-
+- if (router_view_header != NULL) {
+- debugs(80, DBG_IMPORTANT, "Duplicate router_view definition");
+- return;
+- }
+-
+- router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset];
++ Must3(!router_view_header, "duplicate router_view definition", Here());
++ SetField(router_view_header, itemHeader, itemHeader, itemSize,
++ "router_view definition truncated");
+ break;
+
+- case WCCP2_CAPABILITY_INFO:
+-
+- if (router_capability_header != NULL) {
+- debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition");
+- return;
+- }
++ case WCCP2_CAPABILITY_INFO: {
++ Must3(!router_capability_header, "duplicate router_capability definition", Here());
++ SetField(router_capability_header, itemHeader, itemHeader, itemSize,
++ "router_capability definition truncated");
+
+- router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset];
++ CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length),
++ itemHeader, itemSize, "capability info truncated");
++ router_capability_data_start = reinterpret_cast<char*>(router_capability_header) +
++ sizeof(*router_capability_header);
+ break;
++ }
+
+ /* Nothing to do for the types below */
+
+@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *)
+ break;
+
+ default:
+- debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ").");
++ debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ").");
+ }
+
+- offset += sizeof(struct wccp2_item_header_t);
+- offset += ntohs(header->length);
+-
+- if (offset > data_length) {
+- debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet");
+- return;
+- }
++ offset += itemSize;
++ assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) established that");
+ }
+
+- if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) {
+- debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet");
+- return;
+- }
++ Must3(security_info, "packet missing security definition", Here());
++ Must3(service_info, "packet missing service_info definition", Here());
++ Must3(router_identity_info, "packet missing router_identity_info definition", Here());
++ Must3(router_view_header, "packet missing router_view definition", Here());
+
+ debugs(80, 5, "Complete packet received");
+
+@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *)
+ break;
+ }
+
+- if (router_list_ptr->next == NULL) {
+- debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router");
+- return;
+- }
++ Must3(router_list_ptr->next, "packet received from unknown router", Here());
+
+ /* Set the router id */
+ router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address;
+@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *)
+ }
+ } else {
+
+- char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t);
+-
+- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header));
+-
+- while ((char *) router_capability_element <= end) {
++ const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length);
++ assert(router_capability_data_start);
++ const auto router_capability_data_end = router_capability_data_start +
++ router_capability_data_length;
++ for (auto router_capability_data_current = router_capability_data_start;
++ router_capability_data_current < router_capability_data_end;) {
++
++ SetField(router_capability_element, router_capability_data_current,
++ router_capability_data_start, router_capability_data_length,
++ "capability element header truncated");
++ const auto elementSize = CheckFieldDataLength(
++ router_capability_element, ntohs(router_capability_element->capability_length),
++ router_capability_data_start, router_capability_data_length,
++ "capability element truncated");
+
+ switch (ntohs(router_capability_element->capability_type)) {
+
+@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *)
+ debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ").");
+ }
+
+- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length));
++ router_capability_data_current += elementSize;
+ }
+ }
+
+@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *)
+ num_caches = 0;
+
+ /* Check to see if we're the master cache and update the cache list */
+- found = 0;
++ bool found = false;
+ service_list_ptr->lowest_ip = 1;
+ cache_list_ptr = &router_list_ptr->cache_list_head;
+
+ /* to find the list of caches, we start at the end of the router view header */
+
+ ptr = (char *) (router_view_header) + sizeof(struct router_view_t);
++ const auto router_view_size = sizeof(struct router_view_t) +
++ ntohs(router_view_header->header.length);
+
+ /* Then we read the number of routers */
+- memcpy(&tmp, ptr, sizeof(tmp));
++ const uint32_t *routerCountRaw = nullptr;
++ SetField(routerCountRaw, ptr, router_view_header, router_view_size,
++ "malformed packet (truncated router view info w/o number of routers)");
+
+ /* skip the number plus all the ip's */
+-
+- ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr));
++ ptr += sizeof(*routerCountRaw);
++ const auto ipCount = ntohl(*routerCountRaw);
++ const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below
++ Must3(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count", Here());
++ CheckSectionLength(ptr, ipsSize, router_view_header, router_view_size, "invalid IP address count");
++ ptr += ipsSize;
+
+ /* Then read the number of caches */
+- memcpy(&tmp, ptr, sizeof(tmp));
++ const uint32_t *cacheCountRaw = nullptr;
++ SetField(cacheCountRaw, ptr, router_view_header, router_view_size,
++ "malformed packet (truncated router view info w/o cache count)");
++ memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount
+ ptr += sizeof(tmp);
+
+ if (ntohl(tmp) != 0) {
+@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *)
+
+ case WCCP2_ASSIGNMENT_METHOD_HASH:
+
+- cache_identity = (struct wccp2_cache_identity_info_t *) ptr;
++ SetField(cache_identity, ptr, router_view_header, router_view_size,
++ "malformed packet (truncated router view info cache w/o assignment hash)");
+
+ ptr += sizeof(struct wccp2_cache_identity_info_t);
+
+@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *)
+
+ case WCCP2_ASSIGNMENT_METHOD_MASK:
+
+- cache_mask_info = (struct cache_mask_info_t *) ptr;
++ SetField(cache_mask_info, ptr, router_view_header, router_view_size,
++ "malformed packet (truncated router view info cache w/o assignment mask)");
+
+ /* The mask assignment has an undocumented variable length entry here */
+
+ if (ntohl(cache_mask_info->num1) == 3) {
+
+- cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr;
++ SetField(cache_mask_identity, ptr, router_view_header, router_view_size,
++ "malformed packet (truncated router view info cache w/o assignment mask identity)");
+
+ ptr += sizeof(struct wccp2_cache_mask_identity_info_t);
+
+@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *)
+ debugs (80, 5, "checking cache list: (" << std::hex << cache_address.s_addr << ":" << router_list_ptr->local_ip.s_addr << ")");
+
+ /* Check to see if it's the master, or us */
+-
+- if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) {
+- found = 1;
+- }
++ found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr);
+
+ if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) {
+ service_list_ptr->lowest_ip = 0;
+@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *)
+ cache_list_ptr->next = NULL;
+
+ service_list_ptr->lowest_ip = 1;
+- found = 1;
++ found = true;
+ num_caches = 1;
+ }
+
+@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *)
+
+ router_list_ptr->num_caches = htonl(num_caches);
+
+- if ((found == 1) && (service_list_ptr->lowest_ip == 1)) {
++ if (found && (service_list_ptr->lowest_ip == 1)) {
+ if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) {
+ debugs(80, 4, "Change detected - queueing up new assignment");
+ router_list_ptr->member_change = ntohl(router_view_header->change_number);
+@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *)
+ eventDelete(wccp2AssignBuckets, NULL);
+ debugs(80, 5, "I am not the lowest ip cache - not assigning buckets");
+ }
++
++ } catch (...) {
++ debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException);
++ }
+ }
+
+ static void
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index e2b48d56b7..b208b78ea4 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2021a
-_tzcodever=2021a
+pkgver=2021d
+_tzcodever=2021d
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -50,8 +50,10 @@ package() {
"$pkgdir"/usr/bin/posixtz
}
-sha512sums="bf1d53bcbfecd3b09d57a9e6d3cb49b5dc5f8e1b6674b67e7f974e1a268c2aaf13ca89a7ef12f49d0665aff782bd72685e00c22a41ca88a028da0429f972fd45 tzcode2021a.tar.gz
-7cdd762ec90ce12a30fa36b1d66d1ea82d9fa21e514e2b9c7fcbe2541514ee0fadf30843ff352c65512fb270857b51d1517b45e1232b89c6f954ba9ff1833bb3 tzdata2021a.tar.gz
+sha512sums="
+dbd7e3df02a11676600aa7efa14592feb2ac9ab5807b0d395e0c29ff1ed4a31580120287df9fe0c65a78162157dcd31d9fbe90a2a93bfd891d59ae3668a3adda tzcode2021d.tar.gz
+e25e85679256cfa57072cc8902aad1ca1df5ddc4a06844ca38bd57c8b5ad386e38303654dc85525f4fb470a924db4deb3576827a14d3ff87f4a1c679414b95c9 tzdata2021d.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
-fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch"
+fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch
+"
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index 0da2183cbb..e96dac3ec1 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,8 +3,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=unbound
-pkgver=1.13.0
-pkgrel=3
+pkgver=1.13.2
+pkgrel=0
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
@@ -112,7 +112,7 @@ migrate() {
"$subpkgdir"/usr/bin/migrate-dnscache-to-unbound
}
-sha512sums="d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 unbound-1.13.0.tar.gz
+sha512sums="1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a unbound-1.13.2.tar.gz
10e76b0c0e256cf81d55a6f089644693feb94bd2470730bcbcedb5f340397d2316f3a9ee57adc3d5e84e83cc26109c8cb48f6e2e3bfdbd186e40071b7b4284f1 conf.patch
0a5c7b8f2b8c79c5384bce05962c8f8f5f31ce3aeb967b0e897361a24ea7065eb4e7c28ff3acfb0fb0d46be966d4e526e64b231f49b589ec63f576c25433bb59 migrate-dnscache-to-unbound
c8e29190a7ab2803bb528fcc008d9788c1d46ca96abd7273023778068156aa65330a99af76a755929d24dfa936a3900bd400368ddf7b89fb3bcef29dbaa32683 unbound.initd
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index 75e6bf68e2..3760c45e95 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
-pkgver=8.2.2320
+pkgver=8.2.3437
pkgrel=0
pkgdesc="Improved vi-style text editor"
url="https://www.vim.org/"
@@ -18,6 +18,10 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/vim/vim/archive/v$pkgver.tar
"
# secfixes:
+# 8.2.3437-r0:
+# - CVE-2021-3770
+# - CVE-2021-3778
+# - CVE-2021-3796
# 8.1.1365-r0:
# - CVE-2019-12735
# 8.0.1521-r0:
@@ -128,5 +132,7 @@ xxd() {
"$subpkgdir/usr/bin/"
}
-sha512sums="e107ff0c010314d69e4a9809a9e97caf8ad4a72e337b1cf1c68bb14cd97508ccf135d7ab6a661a45f7d50862f4d77026be92ccb76c33b40f9b163c4f8cac9c2d vim-8.2.2320.tar.gz
-d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc"
+sha512sums="
+7f6fc24f8f4a4fa01d20702684cc09aa5c3b51cdc2c96f3afcb484bc60874fab5dcafc33a9daa5ff25f7ae7b90ba0b124a7667d33d9fa5d9553a11be9a1ee069 vim-8.2.3437.tar.gz
+d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
+"
diff --git a/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch b/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
deleted file mode 100644
index a5289a821a..0000000000
--- a/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From f98c20aaaf909be04ada5cb6cb88c14b9bc75e15 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Mon, 17 May 2021 17:47:13 +0100
-Subject: [PATCH 1/2] xen/arm: Create dom0less domUs earlier
-
-In a follow-up patch we will need to unallocate the boot modules
-before heap_init_late() is called.
-
-The modules will contain the domUs kernel and initramfs. Therefore Xen
-will need to create extra domUs (used by dom0less) before heap_init_late().
-
-This has two consequences on dom0less:
- 1) Domains will not be unpaused as soon as they are created but
- once all have been created. However, Xen doesn't guarantee an order
- to unpause, so this is not something one could rely on.
-
- 2) The memory allocated for a domU will not be scrubbed anymore when an
- admin select bootscrub=on. This is not something we advertised, but if
- this is a concern we can introduce either force scrub for all domUs or
- a per-domain flag in the DT. The behavior for bootscrub=off and
- bootscrub=idle (default) has not changed.
-
-This is part of XSA-372 / CVE-2021-28693.
-
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Tested-by: Stefano Stabellini <sstabellini@kernel.org>
----
- xen/arch/arm/domain_build.c | 2 --
- xen/arch/arm/setup.c | 9 +++++----
- 2 files changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
-index e824ba34b012..b07461f5d376 100644
---- a/xen/arch/arm/domain_build.c
-+++ b/xen/arch/arm/domain_build.c
-@@ -2515,8 +2515,6 @@ void __init create_domUs(void)
-
- if ( construct_domU(d, node) != 0 )
- panic("Could not set up domain %s\n", dt_node_name(node));
--
-- domain_unpause_by_systemcontroller(d);
- }
- }
-
-diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
-index 7968cee47d05..1f26080b30bf 100644
---- a/xen/arch/arm/setup.c
-+++ b/xen/arch/arm/setup.c
-@@ -779,7 +779,7 @@ void __init start_xen(unsigned long boot_phys_offset,
- int cpus, i;
- const char *cmdline;
- struct bootmodule *xen_bootmodule;
-- struct domain *dom0;
-+ struct domain *dom0, *d;
- struct xen_domctl_createdomain dom0_cfg = {
- .flags = XEN_DOMCTL_CDF_hvm | XEN_DOMCTL_CDF_hap,
- .max_evtchn_port = -1,
-@@ -962,6 +962,8 @@ void __init start_xen(unsigned long boot_phys_offset,
- if ( construct_dom0(dom0) != 0)
- panic("Could not set up DOM0 guest OS\n");
-
-+ create_domUs();
-+
- heap_init_late();
-
- init_trace_bufs();
-@@ -975,9 +977,8 @@ void __init start_xen(unsigned long boot_phys_offset,
-
- system_state = SYS_STATE_active;
-
-- create_domUs();
--
-- domain_unpause_by_systemcontroller(dom0);
-+ for_each_domain( d )
-+ domain_unpause_by_systemcontroller(d);
-
- /* Switch on to the dynamically allocated stack for the idle vcpu
- * since the static one we're running on is about to be freed. */
---
-2.17.1
-
diff --git a/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch b/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
deleted file mode 100644
index 3ed62f360e..0000000000
--- a/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From e7e475c1a3dc6b149252413589eebaa4ae138824 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Sat, 17 Apr 2021 17:38:28 +0100
-Subject: [PATCH 2/2] xen/arm: Boot modules should always be scrubbed if
- bootscrub={on, idle}
-
-The function to initialize the pages (see init_heap_pages()) will request
-scrub when the admin request idle bootscrub (default) and state ==
-SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in
-heap_init_late().
-
-Currently, the boot modules (e.g. kernels, initramfs) will be discarded/
-freed after heap_init_late() is called and system_state switched to
-SYS_STATE_active. This means the pages associated with the boot modules
-will not get scrubbed before getting re-purposed.
-
-If the memory is assigned to an untrusted domU, it may be able to
-retrieve secrets from the modules.
-
-This is part of XSA-372 / CVE-2021-28693.
-
-Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Tested-by: Stefano Stabellini <sstabellini@kernel.org>
----
- xen/arch/arm/setup.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
-index 1f26080b30bf..34b1c1a11ef6 100644
---- a/xen/arch/arm/setup.c
-+++ b/xen/arch/arm/setup.c
-@@ -75,7 +75,6 @@ static __used void init_done(void)
- /* Must be done past setting system_state. */
- unregister_init_virtual_region();
-
-- discard_initial_modules();
- free_init_memory();
- startup_cpu_idle_loop();
- }
-@@ -964,6 +963,12 @@ void __init start_xen(unsigned long boot_phys_offset,
-
- create_domUs();
-
-+ /*
-+ * This needs to be called **before** heap_init_late() so modules
-+ * will be scrubbed (unless suppressed).
-+ */
-+ discard_initial_modules();
-+
- heap_init_late();
-
- init_trace_bufs();
---
-2.17.1
-
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 220bc2c4a4..e4f32c6085 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
-pkgver=4.14.1
-pkgrel=3
+pkgver=4.14.3
+pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -222,6 +222,16 @@ options="!strip"
# - CVE-2021-28692 XSA-373
# - CVE-2021-0089 XSA-375
# - CVE-2021-28690 XSA-377
+# 4.14.2-r0:
+# - CVE-2021-28694 XSA-378
+# - CVE-2021-28695 XSA-378
+# - CVE-2021-28696 XSA-378
+# - CVE-2021-28697 XSA-379
+# - CVE-2021-28698 XSA-380
+# - CVE-2021-28699 XSA-382
+# - CVE-2021-28700 XSA-383
+# 4.14.2-r1:
+# - CVE-2021-28701 XSA-384
case "$CARCH" in
@@ -280,21 +290,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
hotplug-Linux-iscsi-block-handle-lun-1.patch
- xsa360-4.14.patch
- xsa364.patch
-
- 0001-xen-arm-Create-dom0less-domUs-earlier.patch
- 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
-
- xsa373-4.14-1.patch
- xsa373-4.14-2.patch
- xsa373-4.14-3.patch
- xsa373-4.14-4.patch
- xsa373-4.14-5.patch
-
- xsa375.patch
-
- xsa377.patch
+ stubdom-hack.patch
+ tpm-version.patch
qemu-xen-time64.patch
gcc10-etherboot-enum.patch
@@ -321,6 +318,8 @@ armhf) export XEN_TARGET_ARCH="arm32";;
aarch64) export XEN_TARGET_ARCH="arm64";;
esac
+export CFLAGS="$CFLAGS -fcommon"
+
prepare() {
local i _failed=''
@@ -366,7 +365,7 @@ prepare() {
update_config_sub
msg "Autoreconf..."
- autoreconf
+ autoreconf --install
unset CFLAGS
unset LDFLAGS
@@ -523,7 +522,7 @@ EOF
}
sha512sums="
-c75cbec82793435f5a7026626ffdb2e9a2166b42d2be4b2f1194240e0312458124f0ebd53eeb02ce7330c22afe402a28a96b32f8af66e41e9416fe94535724c9 xen-4.14.1.tar.gz
+b462fcc1549f6e57f7f2a4fd10ce1e957a25a6a7c0319672b62699468f6c4330b9cd0cf2b0231b5cce94f4bb142a957eb8aa58aa0ffb5c85b37211d6b34ccf16 xen-4.14.3.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -541,17 +540,8 @@ f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2
853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h
2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
-f39ae56876f61ed224073985dda83037e75e6f2ab0cd0b0f920186812c6d1e6ec52494b3fd0f25cd9d6606d85061a6555cb952719d084cf8e256ef93080b75f9 xsa360-4.14.patch
-aea8b37ae5c772c4928f8b644dadc59891e7d0e0d50461c66ca106b391fd984e2b8def089d01954f88675ddc93c114d4d27c0ccb7384ff9a1807f081f33805e5 xsa364.patch
-57bae240ac94fd35e8a2a39a06fdc4178a1cf0782832a77fd768ca3c773d8b27d76692703ac481733874e5a0198ef20d7319ea504c6b7836d4edd0a198adede1 0001-xen-arm-Create-dom0less-domUs-earlier.patch
-2b47e612c23c8bb65a2432f93a877f592b75b8de2ae97d5a22ed37588594a38b740f5c3e0694dd7ceff5f949e24ff38113e543038d5ae22e8c1dc142c3e8d1b3 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
-7010225962e7c22d6aa2e14d10e5091b3876a76f195e9725e7f175b108f933ea9ad5a080663d27279ccd20e2d4e344620ec414e17437d971a8f3cb9420520696 xsa373-4.14-1.patch
-7db22cb16dea81dc393a01e1bd911847457e23c6ba6bfe4ac0d26a66d1f879bdf66c9a28af82d159e395c6547ca29e7ebbed21ea0967d4a5594502e8f9c5410b xsa373-4.14-2.patch
-b3008572e75025cbe00e5a22451394af84f29eea8914ce1ddf7d5379fe76f6362f79f2e8f908060b227debc61e712ba92b1fa2815b683cc47efe1065c700cd6c xsa373-4.14-3.patch
-a7ff44901cdadbb455f845489b5cf82bfcd4e0bdc079ba928310a72a863372c7998174e26174daa6f490e7599843eb6414a029524d7a706d41c38c0809f367bd xsa373-4.14-4.patch
-d43f6a0b15fbc653c1e5634a9910f779de05646197d7ddc5ebbb94b9e6c9f33c985c76a9b0be1103e7658d552f408698dde70072e2b91a995bd558b16bb43611 xsa373-4.14-5.patch
-59f706d2ce623d59ba0e3edc3081d14bd466fa2401ac1666fca33568022a159501aa972a2c556d8558c2701294a2f153ee0b7b487167ede49f8652bacf69b32d xsa375.patch
-9c104793facd9d595a1cbca21034d700e7e25398cad1440131258a349cd60d6145e5847e9c4bd066a5d63a63aceb8995456126a51b6d3ca872cd90717ebc2dbe xsa377.patch
+6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90 stubdom-hack.patch
+5b582453ea64fae138e9442c7f4c083bbef82c216b25bb3e509c0e8f5c0e88487f9e12152367760fb8a6133266e7d8b58eda5e20cf7234a0f39ed6804070cc8d tpm-version.patch
231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch
e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
diff --git a/main/xen/stubdom-hack.patch b/main/xen/stubdom-hack.patch
new file mode 100644
index 0000000000..2e7ddc8926
--- /dev/null
+++ b/main/xen/stubdom-hack.patch
@@ -0,0 +1,11 @@
+--- xen-4.15.0.orig/stubdom/Makefile
++++ xen-4.15.0/stubdom/Makefile
+@@ -186,7 +186,7 @@
+ rm $@ -rf || :
+ mv gmp-$(GMP_VERSION) $@
+ #patch -d $@ -p0 < gmp.patch
+- cd $@; CPPFLAGS="-isystem $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include $(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" CC=$(CC) $(GMPEXT) ./configure --disable-shared --enable-static --disable-fft --without-readline --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf --libdir=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib --build=`gcc -dumpmachine` --host=$(GNU_TARGET_ARCH)-xen-elf
++ cd $@; CPPFLAGS="-isystem $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include $(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" CC=$(CC) $(GMPEXT) ./configure --disable-shared --enable-static --disable-fft --without-readline --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf --libdir=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib --host=$(GNU_TARGET_ARCH)-xen-elf
+ sed -i 's/#define HAVE_OBSTACK_VPRINTF 1/\/\/#define HAVE_OBSTACK_VPRINTF 1/' $@/config.h
+ touch $@
+
diff --git a/main/xen/tpm-version.patch b/main/xen/tpm-version.patch
new file mode 100644
index 0000000000..caba8adfbb
--- /dev/null
+++ b/main/xen/tpm-version.patch
@@ -0,0 +1,31 @@
+From 84a37d24a9e962e9c2fa8eb4671ea60c0958157d Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Thu, 14 Jan 2021 13:03:23 +0100
+Subject: [PATCH] stubdom: fix tpm_version
+
+It is just a declaration, not a variable.
+
+ld: /home/abuild/rpmbuild/BUILD/xen-4.14.20200616T103126.3625b04991/non-dbg/stubdom/vtpmmgr/vtpmmgr.a(vtpm_cmd_handler.o):(.bss+0x0): multiple definition of `tpm_version'; /home/abuild/rpmbuild/BUILD/xen-4.14.20200616T103126.3625b04991/non-dbg/stubdom/vtpmmgr/vtpmmgr.a(vtpmmgr.o):(.bss+0x0): first defined here
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ stubdom/vtpmmgr/vtpmmgr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
+index 2e6f8de9e4..f40ca9fd67 100644
+--- a/stubdom/vtpmmgr/vtpmmgr.h
++++ b/stubdom/vtpmmgr/vtpmmgr.h
+@@ -53,7 +53,7 @@
+ enum {
+ TPM1_HARDWARE = 1,
+ TPM2_HARDWARE,
+-} tpm_version;
++};
+
+ struct tpm_hardware_version {
+ int hw_version;
+--
+2.30.2
+
diff --git a/main/xen/xsa360-4.14.patch b/main/xen/xsa360-4.14.patch
deleted file mode 100644
index 1bc185b110..0000000000
--- a/main/xen/xsa360-4.14.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From: Roger Pau Monne <roger.pau@citrix.com>
-Subject: x86/dpci: do not remove pirqs from domain tree on unbind
-
-A fix for a previous issue removed the pirqs from the domain tree when
-they are unbound in order to prevent shared pirqs from triggering a
-BUG_ON in __pirq_guest_unbind if they are unbound multiple times. That
-caused free_domain_pirqs to no longer unmap the pirqs because they
-are gone from the domain pirq tree, thus leaving stale unbound pirqs
-after domain destruction if the domain had mapped dpci pirqs after
-shutdown.
-
-Take a different approach to fix the original issue, instead of
-removing the pirq from d->pirq_tree clear the flags of the dpci pirq
-struct to signal that the pirq is now unbound. This prevents calling
-pirq_guest_unbind multiple times for the same pirq without having to
-remove it from the domain pirq tree.
-
-This is XSA-360.
-
-Fixes: 5b58dad089 ('x86/pass-through: avoid double IRQ unbind during domain cleanup')
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -1331,7 +1331,7 @@ void (pirq_cleanup_check)(struct pirq *p
- }
-
- if ( radix_tree_delete(&d->pirq_tree, pirq->pirq) != pirq )
-- BUG_ON(!d->is_dying);
-+ BUG();
- }
-
- /* Flush all ready EOIs from the top of this CPU's pending-EOI stack. */
---- a/xen/drivers/passthrough/pci.c
-+++ b/xen/drivers/passthrough/pci.c
-@@ -862,6 +862,10 @@ static int pci_clean_dpci_irq(struct dom
- {
- struct dev_intx_gsi_link *digl, *tmp;
-
-+ if ( !pirq_dpci->flags )
-+ /* Already processed. */
-+ return 0;
-+
- pirq_guest_unbind(d, dpci_pirq(pirq_dpci));
-
- if ( pt_irq_need_timer(pirq_dpci->flags) )
-@@ -872,15 +876,10 @@ static int pci_clean_dpci_irq(struct dom
- list_del(&digl->list);
- xfree(digl);
- }
-+ /* Note the pirq is now unbound. */
-+ pirq_dpci->flags = 0;
-
-- radix_tree_delete(&d->pirq_tree, dpci_pirq(pirq_dpci)->pirq);
--
-- if ( !pt_pirq_softirq_active(pirq_dpci) )
-- return 0;
--
-- domain_get_irq_dpci(d)->pending_pirq_dpci = pirq_dpci;
--
-- return -ERESTART;
-+ return pt_pirq_softirq_active(pirq_dpci) ? -ERESTART : 0;
- }
-
- static int pci_clean_dpci_irqs(struct domain *d)
-@@ -897,18 +896,8 @@ static int pci_clean_dpci_irqs(struct do
- hvm_irq_dpci = domain_get_irq_dpci(d);
- if ( hvm_irq_dpci != NULL )
- {
-- int ret = 0;
--
-- if ( hvm_irq_dpci->pending_pirq_dpci )
-- {
-- if ( pt_pirq_softirq_active(hvm_irq_dpci->pending_pirq_dpci) )
-- ret = -ERESTART;
-- else
-- hvm_irq_dpci->pending_pirq_dpci = NULL;
-- }
-+ int ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL);
-
-- if ( !ret )
-- ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL);
- if ( ret )
- {
- spin_unlock(&d->event_lock);
---- a/xen/include/asm-x86/hvm/irq.h
-+++ b/xen/include/asm-x86/hvm/irq.h
-@@ -160,8 +160,6 @@ struct hvm_irq_dpci {
- DECLARE_BITMAP(isairq_map, NR_ISAIRQS);
- /* Record of mapped Links */
- uint8_t link_cnt[NR_LINK];
-- /* Clean up: Entry with a softirq invocation pending / in progress. */
-- struct hvm_pirq_dpci *pending_pirq_dpci;
- };
-
- /* Machine IRQ to guest device/intx mapping. */
diff --git a/main/xen/xsa364.patch b/main/xen/xsa364.patch
deleted file mode 100644
index 2d4b0574d2..0000000000
--- a/main/xen/xsa364.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From dadb5b4b21c904ce59024c686eb1c55be8f46c52 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Thu, 21 Jan 2021 10:16:08 +0000
-Subject: [PATCH] xen/page_alloc: Only flush the page to RAM once we know they
- are scrubbed
-
-At the moment, each page are flushed to RAM just after the allocator
-found some free pages. However, this is happening before check if the
-page was scrubbed.
-
-As a consequence, on Arm, a guest may be able to access the old content
-of the scrubbed pages if it has cache disabled (default at boot) and
-the content didn't reach the Point of Coherency.
-
-The flush is now moved after we know the content of the page will not
-change. This also has the benefit to reduce the amount of work happening
-with the heap_lock held.
-
-This is XSA-364.
-
-Fixes: 307c3be3ccb2 ("mm: Don't scrub pages while holding heap lock in alloc_heap_pages()")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/common/page_alloc.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
-index 02ac1fa613e7..1744e6faa5c4 100644
---- a/xen/common/page_alloc.c
-+++ b/xen/common/page_alloc.c
-@@ -924,6 +924,7 @@ static struct page_info *alloc_heap_pages(
- bool need_tlbflush = false;
- uint32_t tlbflush_timestamp = 0;
- unsigned int dirty_cnt = 0;
-+ mfn_t mfn;
-
- /* Make sure there are enough bits in memflags for nodeID. */
- BUILD_BUG_ON((_MEMF_bits - _MEMF_node) < (8 * sizeof(nodeid_t)));
-@@ -1022,11 +1023,6 @@ static struct page_info *alloc_heap_pages(
- pg[i].u.inuse.type_info = 0;
- page_set_owner(&pg[i], NULL);
-
-- /* Ensure cache and RAM are consistent for platforms where the
-- * guest can control its own visibility of/through the cache.
-- */
-- flush_page_to_ram(mfn_x(page_to_mfn(&pg[i])),
-- !(memflags & MEMF_no_icache_flush));
- }
-
- spin_unlock(&heap_lock);
-@@ -1062,6 +1058,14 @@ static struct page_info *alloc_heap_pages(
- if ( need_tlbflush )
- filtered_flush_tlb_mask(tlbflush_timestamp);
-
-+ /*
-+ * Ensure cache and RAM are consistent for platforms where the guest
-+ * can control its own visibility of/through the cache.
-+ */
-+ mfn = page_to_mfn(pg);
-+ for ( i = 0; i < (1U << order); i++ )
-+ flush_page_to_ram(mfn_x(mfn) + i, !(memflags & MEMF_no_icache_flush));
-+
- return pg;
- }
-
---
-2.17.1
-
diff --git a/main/xen/xsa373-4.14-1.patch b/main/xen/xsa373-4.14-1.patch
deleted file mode 100644
index ee5229a11c..0000000000
--- a/main/xen/xsa373-4.14-1.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: size qinval queue dynamically
-
-With the present synchronous model, we need two slots for every
-operation (the operation itself and a wait descriptor). There can be
-one such pair of requests pending per CPU. To ensure that under all
-normal circumstances a slot is always available when one is requested,
-size the queue ring according to the number of present CPUs.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/vtd/iommu.h
-+++ b/xen/drivers/passthrough/vtd/iommu.h
-@@ -450,17 +450,9 @@ struct qinval_entry {
- }q;
- };
-
--/* Order of queue invalidation pages(max is 8) */
--#define QINVAL_PAGE_ORDER 2
--
--#define QINVAL_ARCH_PAGE_ORDER (QINVAL_PAGE_ORDER + PAGE_SHIFT_4K - PAGE_SHIFT)
--#define QINVAL_ARCH_PAGE_NR ( QINVAL_ARCH_PAGE_ORDER < 0 ? \
-- 1 : \
-- 1 << QINVAL_ARCH_PAGE_ORDER )
--
- /* Each entry is 16 bytes, so 2^8 entries per page */
- #define QINVAL_ENTRY_ORDER ( PAGE_SHIFT - 4 )
--#define QINVAL_ENTRY_NR (1 << (QINVAL_PAGE_ORDER + 8))
-+#define QINVAL_MAX_ENTRY_NR (1u << (7 + QINVAL_ENTRY_ORDER))
-
- /* Status data flag */
- #define QINVAL_STAT_INIT 0
---- a/xen/drivers/passthrough/vtd/qinval.c
-+++ b/xen/drivers/passthrough/vtd/qinval.c
-@@ -31,6 +31,9 @@
-
- #define VTD_QI_TIMEOUT 1
-
-+static unsigned int __read_mostly qi_pg_order;
-+static unsigned int __read_mostly qi_entry_nr;
-+
- static int __must_check invalidate_sync(struct vtd_iommu *iommu);
-
- static void print_qi_regs(struct vtd_iommu *iommu)
-@@ -55,7 +58,7 @@ static unsigned int qinval_next_index(st
- tail >>= QINVAL_INDEX_SHIFT;
-
- /* (tail+1 == head) indicates a full queue, wait for HW */
-- while ( ( tail + 1 ) % QINVAL_ENTRY_NR ==
-+ while ( ((tail + 1) & (qi_entry_nr - 1)) ==
- ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
- cpu_relax();
-
-@@ -68,7 +71,7 @@ static void qinval_update_qtail(struct v
-
- /* Need hold register lock when update tail */
- ASSERT( spin_is_locked(&iommu->register_lock) );
-- val = (index + 1) % QINVAL_ENTRY_NR;
-+ val = (index + 1) & (qi_entry_nr - 1);
- dmar_writeq(iommu->reg, DMAR_IQT_REG, (val << QINVAL_INDEX_SHIFT));
- }
-
-@@ -403,8 +406,28 @@ int enable_qinval(struct vtd_iommu *iomm
-
- if ( iommu->qinval_maddr == 0 )
- {
-- iommu->qinval_maddr = alloc_pgtable_maddr(QINVAL_ARCH_PAGE_NR,
-- iommu->node);
-+ if ( !qi_entry_nr )
-+ {
-+ /*
-+ * With the present synchronous model, we need two slots for every
-+ * operation (the operation itself and a wait descriptor). There
-+ * can be one such pair of requests pending per CPU. One extra
-+ * entry is needed as the ring is considered full when there's
-+ * only one entry left.
-+ */
-+ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= QINVAL_MAX_ENTRY_NR);
-+ qi_pg_order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
-+ (PAGE_SHIFT -
-+ QINVAL_ENTRY_ORDER));
-+ qi_entry_nr = 1u << (qi_pg_order + QINVAL_ENTRY_ORDER);
-+
-+ dprintk(XENLOG_INFO VTDPREFIX,
-+ "QI: using %u-entry ring(s)\n", qi_entry_nr);
-+ }
-+
-+ iommu->qinval_maddr =
-+ alloc_pgtable_maddr(qi_entry_nr >> QINVAL_ENTRY_ORDER,
-+ iommu->node);
- if ( iommu->qinval_maddr == 0 )
- {
- dprintk(XENLOG_WARNING VTDPREFIX,
-@@ -418,15 +441,16 @@ int enable_qinval(struct vtd_iommu *iomm
-
- spin_lock_irqsave(&iommu->register_lock, flags);
-
-- /* Setup Invalidation Queue Address(IQA) register with the
-- * address of the page we just allocated. QS field at
-- * bits[2:0] to indicate size of queue is one 4KB page.
-- * That's 256 entries. Queued Head (IQH) and Queue Tail (IQT)
-- * registers are automatically reset to 0 with write
-- * to IQA register.
-+ /*
-+ * Setup Invalidation Queue Address (IQA) register with the address of the
-+ * pages we just allocated. The QS field at bits[2:0] indicates the size
-+ * (page order) of the queue.
-+ *
-+ * Queued Head (IQH) and Queue Tail (IQT) registers are automatically
-+ * reset to 0 with write to IQA register.
- */
- dmar_writeq(iommu->reg, DMAR_IQA_REG,
-- iommu->qinval_maddr | QINVAL_PAGE_ORDER);
-+ iommu->qinval_maddr | qi_pg_order);
-
- dmar_writeq(iommu->reg, DMAR_IQT_REG, 0);
-
diff --git a/main/xen/xsa373-4.14-2.patch b/main/xen/xsa373-4.14-2.patch
deleted file mode 100644
index 773cbfd555..0000000000
--- a/main/xen/xsa373-4.14-2.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: size command buffer dynamically
-
-With the present synchronous model, we need two slots for every
-operation (the operation itself and a wait command). There can be one
-such pair of commands pending per CPU. To ensure that under all normal
-circumstances a slot is always available when one is requested, size the
-command ring according to the number of present CPUs.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu-defs.h
-+++ b/xen/drivers/passthrough/amd/iommu-defs.h
-@@ -20,9 +20,6 @@
- #ifndef AMD_IOMMU_DEFS_H
- #define AMD_IOMMU_DEFS_H
-
--/* IOMMU Command Buffer entries: in power of 2 increments, minimum of 256 */
--#define IOMMU_CMD_BUFFER_DEFAULT_ENTRIES 512
--
- /* IOMMU Event Log entries: in power of 2 increments, minimum of 256 */
- #define IOMMU_EVENT_LOG_DEFAULT_ENTRIES 512
-
-@@ -164,8 +161,8 @@ struct amd_iommu_dte {
- #define IOMMU_CMD_BUFFER_LENGTH_MASK 0x0F000000
- #define IOMMU_CMD_BUFFER_LENGTH_SHIFT 24
-
--#define IOMMU_CMD_BUFFER_ENTRY_SIZE 16
--#define IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE 8
-+#define IOMMU_CMD_BUFFER_ENTRY_ORDER 4
-+#define IOMMU_CMD_BUFFER_MAX_ENTRIES (1u << 15)
-
- #define IOMMU_CMD_OPCODE_MASK 0xF0000000
- #define IOMMU_CMD_OPCODE_SHIFT 28
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -24,7 +24,7 @@ static int queue_iommu_command(struct am
- {
- uint32_t tail, head;
-
-- tail = iommu->cmd_buffer.tail + IOMMU_CMD_BUFFER_ENTRY_SIZE;
-+ tail = iommu->cmd_buffer.tail + sizeof(cmd_entry_t);
- if ( tail == iommu->cmd_buffer.size )
- tail = 0;
-
-@@ -33,7 +33,7 @@ static int queue_iommu_command(struct am
- if ( head != tail )
- {
- memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
-- cmd, IOMMU_CMD_BUFFER_ENTRY_SIZE);
-+ cmd, sizeof(cmd_entry_t));
-
- iommu->cmd_buffer.tail = tail;
- return 1;
---- a/xen/drivers/passthrough/amd/iommu_init.c
-+++ b/xen/drivers/passthrough/amd/iommu_init.c
-@@ -118,7 +118,7 @@ static void register_iommu_cmd_buffer_in
- writel(entry, iommu->mmio_base + IOMMU_CMD_BUFFER_BASE_LOW_OFFSET);
-
- power_of2_entries = get_order_from_bytes(iommu->cmd_buffer.size) +
-- IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE;
-+ PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER;
-
- entry = 0;
- iommu_set_addr_hi_to_reg(&entry, addr_hi);
-@@ -1022,9 +1022,31 @@ static void *__init allocate_ring_buffer
- static void * __init allocate_cmd_buffer(struct amd_iommu *iommu)
- {
- /* allocate 'command buffer' in power of 2 increments of 4K */
-+ static unsigned int __read_mostly nr_ents;
-+
-+ if ( !nr_ents )
-+ {
-+ unsigned int order;
-+
-+ /*
-+ * With the present synchronous model, we need two slots for every
-+ * operation (the operation itself and a wait command). There can be
-+ * one such pair of requests pending per CPU. One extra entry is
-+ * needed as the ring is considered full when there's only one entry
-+ * left.
-+ */
-+ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= IOMMU_CMD_BUFFER_MAX_ENTRIES);
-+ order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
-+ IOMMU_CMD_BUFFER_ENTRY_ORDER);
-+ nr_ents = 1u << (order + PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER);
-+
-+ AMD_IOMMU_DEBUG("using %u-entry cmd ring(s)\n", nr_ents);
-+ }
-+
-+ BUILD_BUG_ON(sizeof(cmd_entry_t) != (1u << IOMMU_CMD_BUFFER_ENTRY_ORDER));
-+
- return allocate_ring_buffer(&iommu->cmd_buffer, sizeof(cmd_entry_t),
-- IOMMU_CMD_BUFFER_DEFAULT_ENTRIES,
-- "Command Buffer", false);
-+ nr_ents, "Command Buffer", false);
- }
-
- static void * __init allocate_event_log(struct amd_iommu *iommu)
diff --git a/main/xen/xsa373-4.14-3.patch b/main/xen/xsa373-4.14-3.patch
deleted file mode 100644
index fe345466fd..0000000000
--- a/main/xen/xsa373-4.14-3.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: eliminate flush related timeouts
-
-Leaving an in-progress operation pending when it appears to take too
-long is problematic: If e.g. a QI command completed later, the write to
-the "poll slot" may instead be understood to signal a subsequently
-started command's completion. Also our accounting of the timeout period
-was actually wrong: We included the time it took for the command to
-actually make it to the front of the queue, which could be heavily
-affected by guests other than the one for which the flush is being
-performed.
-
-Do away with all timeout detection on all flush related code paths.
-Log excessively long processing times (with a progressive threshold) to
-have some indication of problems in this area.
-
-Additionally log (once) if qinval_next_index() didn't immediately find
-an available slot. Together with the earlier change sizing the queue(s)
-dynamically, we should now have a guarantee that with our fully
-synchronous model any demand for slots can actually be satisfied.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/vtd/dmar.h
-+++ b/xen/drivers/passthrough/vtd/dmar.h
-@@ -127,6 +127,34 @@ do {
- } \
- } while (0)
-
-+#define IOMMU_FLUSH_WAIT(what, iommu, offset, op, cond, sts) \
-+do { \
-+ static unsigned int __read_mostly threshold = 1; \
-+ s_time_t start = NOW(); \
-+ s_time_t timeout = start + DMAR_OPERATION_TIMEOUT * threshold; \
-+ \
-+ for ( ; ; ) \
-+ { \
-+ sts = op(iommu->reg, offset); \
-+ if ( cond ) \
-+ break; \
-+ if ( timeout && NOW() > timeout ) \
-+ { \
-+ threshold |= threshold << 1; \
-+ printk(XENLOG_WARNING VTDPREFIX \
-+ " IOMMU#%u: %s flush taking too long\n", \
-+ iommu->index, what); \
-+ timeout = 0; \
-+ } \
-+ cpu_relax(); \
-+ } \
-+ \
-+ if ( !timeout ) \
-+ printk(XENLOG_WARNING VTDPREFIX \
-+ " IOMMU#%u: %s flush took %lums\n", \
-+ iommu->index, what, (NOW() - start) / 10000000); \
-+} while ( false )
-+
- int vtd_hw_check(void);
- void disable_pmr(struct vtd_iommu *iommu);
- int is_igd_drhd(struct acpi_drhd_unit *drhd);
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -326,8 +326,8 @@ static void iommu_flush_write_buffer(str
- dmar_writel(iommu->reg, DMAR_GCMD_REG, val | DMA_GCMD_WBF);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, dmar_readl,
-- !(val & DMA_GSTS_WBFS), val);
-+ IOMMU_FLUSH_WAIT("write buffer", iommu, DMAR_GSTS_REG, dmar_readl,
-+ !(val & DMA_GSTS_WBFS), val);
-
- spin_unlock_irqrestore(&iommu->register_lock, flags);
- }
-@@ -376,8 +376,8 @@ int vtd_flush_context_reg(struct vtd_iom
- dmar_writeq(iommu->reg, DMAR_CCMD_REG, val);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, DMAR_CCMD_REG, dmar_readq,
-- !(val & DMA_CCMD_ICC), val);
-+ IOMMU_FLUSH_WAIT("context", iommu, DMAR_CCMD_REG, dmar_readq,
-+ !(val & DMA_CCMD_ICC), val);
-
- spin_unlock_irqrestore(&iommu->register_lock, flags);
- /* flush context entry will implicitly flush write buffer */
-@@ -454,8 +454,8 @@ int vtd_flush_iotlb_reg(struct vtd_iommu
- dmar_writeq(iommu->reg, tlb_offset + 8, val);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, (tlb_offset + 8), dmar_readq,
-- !(val & DMA_TLB_IVT), val);
-+ IOMMU_FLUSH_WAIT("iotlb", iommu, (tlb_offset + 8), dmar_readq,
-+ !(val & DMA_TLB_IVT), val);
- spin_unlock_irqrestore(&iommu->register_lock, flags);
-
- /* check IOTLB invalidation granularity */
---- a/xen/drivers/passthrough/vtd/qinval.c
-+++ b/xen/drivers/passthrough/vtd/qinval.c
-@@ -29,8 +29,6 @@
- #include "extern.h"
- #include "../ats.h"
-
--#define VTD_QI_TIMEOUT 1
--
- static unsigned int __read_mostly qi_pg_order;
- static unsigned int __read_mostly qi_entry_nr;
-
-@@ -60,7 +58,11 @@ static unsigned int qinval_next_index(st
- /* (tail+1 == head) indicates a full queue, wait for HW */
- while ( ((tail + 1) & (qi_entry_nr - 1)) ==
- ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
-+ {
-+ printk_once(XENLOG_ERR VTDPREFIX " IOMMU#%u: no QI slot available\n",
-+ iommu->index);
- cpu_relax();
-+ }
-
- return tail;
- }
-@@ -180,23 +182,32 @@ static int __must_check queue_invalidate
- /* Now we don't support interrupt method */
- if ( sw )
- {
-- s_time_t timeout;
--
-- /* In case all wait descriptor writes to same addr with same data */
-- timeout = NOW() + MILLISECS(flush_dev_iotlb ?
-- iommu_dev_iotlb_timeout : VTD_QI_TIMEOUT);
-+ static unsigned int __read_mostly threshold = 1;
-+ s_time_t start = NOW();
-+ s_time_t timeout = start + (flush_dev_iotlb
-+ ? iommu_dev_iotlb_timeout
-+ : 100) * MILLISECS(threshold);
-
- while ( ACCESS_ONCE(*this_poll_slot) != QINVAL_STAT_DONE )
- {
-- if ( NOW() > timeout )
-+ if ( timeout && NOW() > timeout )
- {
-- print_qi_regs(iommu);
-+ threshold |= threshold << 1;
- printk(XENLOG_WARNING VTDPREFIX
-- " Queue invalidate wait descriptor timed out\n");
-- return -ETIMEDOUT;
-+ " IOMMU#%u: QI%s wait descriptor taking too long\n",
-+ iommu->index, flush_dev_iotlb ? " dev" : "");
-+ print_qi_regs(iommu);
-+ timeout = 0;
- }
- cpu_relax();
- }
-+
-+ if ( !timeout )
-+ printk(XENLOG_WARNING VTDPREFIX
-+ " IOMMU#%u: QI%s wait descriptor took %lums\n",
-+ iommu->index, flush_dev_iotlb ? " dev" : "",
-+ (NOW() - start) / 10000000);
-+
- return 0;
- }
-
diff --git a/main/xen/xsa373-4.14-4.patch b/main/xen/xsa373-4.14-4.patch
deleted file mode 100644
index a1f186b25e..0000000000
--- a/main/xen/xsa373-4.14-4.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: wait for command slot to be available
-
-No caller cared about send_iommu_command() indicating unavailability of
-a slot. Hence if a sufficient number prior commands timed out, we did
-blindly assume that the requested command was submitted to the IOMMU
-when really it wasn't. This could mean both a hanging system (waiting
-for a command to complete that was never seen by the IOMMU) or blindly
-propagating success back to callers, making them believe they're fine
-to e.g. free previously unmapped pages.
-
-Fold the three involved functions into one, add spin waiting for an
-available slot along the lines of VT-d's qinval_next_index(), and as a
-consequence drop all error indicator return types/values.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -20,43 +20,32 @@
- #include "iommu.h"
- #include "../ats.h"
-
--static int queue_iommu_command(struct amd_iommu *iommu, u32 cmd[])
-+static void send_iommu_command(struct amd_iommu *iommu,
-+ const uint32_t cmd[4])
- {
-- uint32_t tail, head;
-+ uint32_t tail;
-
- tail = iommu->cmd_buffer.tail + sizeof(cmd_entry_t);
- if ( tail == iommu->cmd_buffer.size )
- tail = 0;
-
-- head = readl(iommu->mmio_base +
-- IOMMU_CMD_BUFFER_HEAD_OFFSET) & IOMMU_RING_BUFFER_PTR_MASK;
-- if ( head != tail )
-+ while ( tail == (readl(iommu->mmio_base +
-+ IOMMU_CMD_BUFFER_HEAD_OFFSET) &
-+ IOMMU_RING_BUFFER_PTR_MASK) )
- {
-- memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
-- cmd, sizeof(cmd_entry_t));
--
-- iommu->cmd_buffer.tail = tail;
-- return 1;
-+ printk_once(XENLOG_ERR
-+ "AMD IOMMU %04x:%02x:%02x.%u: no cmd slot available\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf));
-+ cpu_relax();
- }
-
-- return 0;
--}
--
--static void commit_iommu_command_buffer(struct amd_iommu *iommu)
--{
-- writel(iommu->cmd_buffer.tail,
-- iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
--}
-+ memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
-+ cmd, sizeof(cmd_entry_t));
-
--static int send_iommu_command(struct amd_iommu *iommu, u32 cmd[])
--{
-- if ( queue_iommu_command(iommu, cmd) )
-- {
-- commit_iommu_command_buffer(iommu);
-- return 1;
-- }
-+ iommu->cmd_buffer.tail = tail;
-
-- return 0;
-+ writel(tail, iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
- }
-
- static void flush_command_buffer(struct amd_iommu *iommu)
diff --git a/main/xen/xsa373-4.14-5.patch b/main/xen/xsa373-4.14-5.patch
deleted file mode 100644
index 01556a87f1..0000000000
--- a/main/xen/xsa373-4.14-5.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: drop command completion timeout
-
-First and foremost - such timeouts were not signaled to callers, making
-them believe they're fine to e.g. free previously unmapped pages.
-
-Mirror VT-d's behavior: A fixed number of loop iterations is not a
-suitable way to detect timeouts in an environment (CPU and bus speeds)
-independent manner anyway. Furthermore, leaving an in-progress operation
-pending when it appears to take too long is problematic: If a command
-completed later, the signaling of its completion may instead be
-understood to signal a subsequently started command's completion.
-
-Log excessively long processing times (with a progressive threshold) to
-have some indication of problems in this area. Allow callers to specify
-a non-default timeout bias for this logging, using the same values as
-VT-d does, which in particular means a (by default) much larger value
-for device IO TLB invalidation.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -48,10 +48,12 @@ static void send_iommu_command(struct am
- writel(tail, iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
- }
-
--static void flush_command_buffer(struct amd_iommu *iommu)
-+static void flush_command_buffer(struct amd_iommu *iommu,
-+ unsigned int timeout_base)
- {
-- unsigned int cmd[4], status, loop_count;
-- bool comp_wait;
-+ uint32_t cmd[4];
-+ s_time_t start, timeout;
-+ static unsigned int __read_mostly threshold = 1;
-
- /* RW1C 'ComWaitInt' in status register */
- writel(IOMMU_STATUS_COMP_WAIT_INT,
-@@ -67,22 +69,31 @@ static void flush_command_buffer(struct
- IOMMU_COMP_WAIT_I_FLAG_SHIFT, &cmd[0]);
- send_iommu_command(iommu, cmd);
-
-- /* Make loop_count long enough for polling completion wait bit */
-- loop_count = 1000;
-- do {
-- status = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
-- comp_wait = status & IOMMU_STATUS_COMP_WAIT_INT;
-- --loop_count;
-- } while ( !comp_wait && loop_count );
--
-- if ( comp_wait )
-+ start = NOW();
-+ timeout = start + (timeout_base ?: 100) * MILLISECS(threshold);
-+ while ( !(readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET) &
-+ IOMMU_STATUS_COMP_WAIT_INT) )
- {
-- /* RW1C 'ComWaitInt' in status register */
-- writel(IOMMU_STATUS_COMP_WAIT_INT,
-- iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
-- return;
-+ if ( timeout && NOW() > timeout )
-+ {
-+ threshold |= threshold << 1;
-+ printk(XENLOG_WARNING
-+ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait taking too long\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
-+ timeout_base ? "iotlb " : "");
-+ timeout = 0;
-+ }
-+ cpu_relax();
- }
-- AMD_IOMMU_DEBUG("Warning: ComWaitInt bit did not assert!\n");
-+
-+ if ( !timeout )
-+ printk(XENLOG_WARNING
-+ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait took %lums\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
-+ timeout_base ? "iotlb " : "",
-+ (NOW() - start) / 10000000);
- }
-
- /* Build low level iommu command messages */
-@@ -294,7 +305,7 @@ void amd_iommu_flush_iotlb(u8 devfn, con
- /* send INVALIDATE_IOTLB_PAGES command */
- spin_lock_irqsave(&iommu->lock, flags);
- invalidate_iotlb_pages(iommu, maxpend, 0, queueid, daddr, req_id, order);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, iommu_dev_iotlb_timeout);
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
-
-@@ -331,7 +342,7 @@ static void _amd_iommu_flush_pages(struc
- {
- spin_lock_irqsave(&iommu->lock, flags);
- invalidate_iommu_pages(iommu, daddr, dom_id, order);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
-
-@@ -355,7 +366,7 @@ void amd_iommu_flush_device(struct amd_i
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_dev_table_entry(iommu, bdf);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
-@@ -363,7 +374,7 @@ void amd_iommu_flush_intremap(struct amd
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_interrupt_table(iommu, bdf);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_flush_all_caches(struct amd_iommu *iommu)
-@@ -371,7 +382,7 @@ void amd_iommu_flush_all_caches(struct a
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_iommu_all(iommu);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[])
-@@ -381,7 +392,8 @@ void amd_iommu_send_guest_cmd(struct amd
- spin_lock_irqsave(&iommu->lock, flags);
-
- send_iommu_command(iommu, cmd);
-- flush_command_buffer(iommu);
-+ /* TBD: Timeout selection may require peeking into cmd[]. */
-+ flush_command_buffer(iommu, 0);
-
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
diff --git a/main/xen/xsa375.patch b/main/xen/xsa375.patch
deleted file mode 100644
index aa2e5ad467..0000000000
--- a/main/xen/xsa375.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Protect against Speculative Code Store Bypass
-
-Modern x86 processors have far-better-than-architecturally-guaranteed self
-modifying code detection. Typically, when a write hits an instruction in
-flight, a Machine Clear occurs to flush stale content in the frontend and
-backend.
-
-For self modifying code, before a write which hits an instruction in flight
-retires, the frontend can speculatively decode and execute the old instruction
-stream. Speculation of this form can suffer from type confusion in registers,
-and potentially leak data.
-
-Furthermore, updates are typically byte-wise, rather than atomic. Depending
-on timing, speculation can race ahead multiple times between individual
-writes, and execute the transiently-malformed instruction stream.
-
-Xen has stubs which are used in certain cases for emulation purposes. Inhibit
-speculation between updating the stub and executing it.
-
-This is XSA-375 / CVE-2021-0089.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
-index 8889509d2a..11467a1e3a 100644
---- a/xen/arch/x86/pv/emul-priv-op.c
-+++ b/xen/arch/x86/pv/emul-priv-op.c
-@@ -138,6 +138,8 @@ static io_emul_stub_t *io_emul_stub_setup(struct priv_op_ctxt *ctxt, u8 opcode,
- /* Runtime confirmation that we haven't clobbered an adjacent stub. */
- BUG_ON(STUB_BUF_SIZE / 2 < (p - ctxt->io_emul_stub));
-
-+ block_speculation(); /* SCSB */
-+
- /* Handy function-typed pointer to the stub. */
- return (void *)stub_va;
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index c25d88d0d8..f42ff2a837 100644
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1257,6 +1257,7 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
- # define invoke_stub(pre, post, constraints...) do { \
- stub_exn.info = (union stub_exception_token) { .raw = ~0 }; \
- stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
-+ block_speculation(); /* SCSB */ \
- asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n" \
- ".Lret%=:\n\t" \
- ".pushsection .fixup,\"ax\"\n" \
diff --git a/main/xen/xsa377.patch b/main/xen/xsa377.patch
deleted file mode 100644
index 1a1887b60e..0000000000
--- a/main/xen/xsa377.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Mitigate TAA after S3 resume
-
-The user chosen setting for MSR_TSX_CTRL needs restoring after S3.
-
-All APs get the correct setting via start_secondary(), but the BSP was missed
-out.
-
-This is XSA-377 / CVE-2021-28690.
-
-Fixes: 8c4330818f6 ("x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
-index 91a8c4d0bd..31a56f02d0 100644
---- a/xen/arch/x86/acpi/power.c
-+++ b/xen/arch/x86/acpi/power.c
-@@ -288,6 +288,8 @@ static int enter_state(u32 state)
-
- microcode_update_one();
-
-+ tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
-+
- if ( !recheck_cpu_features(0) )
- panic("Missing previously available feature(s)\n");
-
diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD
index 3e8ba97e7d..662c0f06e6 100644
--- a/main/xtables-addons-lts/APKBUILD
+++ b/main/xtables-addons-lts/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD
index 752caa1c40..0c53a695cd 100644
--- a/main/zfs-lts/APKBUILD
+++ b/main/zfs-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.38
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zfs-rpi/APKBUILD b/main/zfs-rpi/APKBUILD
index 9accc13bc4..f3f766f173 100644
--- a/main/zfs-rpi/APKBUILD
+++ b/main/zfs-rpi/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-rpi}
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.61
_krel=0
_kpkgver="$_kver-r$_krel"