-rw-r--r--.gitlab-ci.yml9
-rw-r--r--community/alertmanager/APKBUILD2
-rw-r--r--community/buildah/APKBUILD2
-rw-r--r--community/caddy/APKBUILD2
-rw-r--r--community/chezmoi/APKBUILD2
-rw-r--r--community/conmon/APKBUILD2
-rw-r--r--community/consul-template/APKBUILD2
-rw-r--r--community/consul/APKBUILD2
-rw-r--r--community/containerd/APKBUILD2
-rw-r--r--community/croc/APKBUILD2
-rw-r--r--community/crun/APKBUILD2
-rw-r--r--community/curlie/APKBUILD2
-rw-r--r--community/dep/APKBUILD2
-rw-r--r--community/dnscrypt-proxy/APKBUILD2
-rw-r--r--community/docker-cli-buildx/APKBUILD2
-rw-r--r--community/docker-credential-ecr-login/APKBUILD2
-rw-r--r--community/docker/APKBUILD2
-rw-r--r--community/dockviz/APKBUILD2
-rw-r--r--community/easypki/APKBUILD2
-rw-r--r--community/fzf/APKBUILD2
-rw-r--r--community/ginkgo/APKBUILD2
-rw-r--r--community/gitlab-runner/APKBUILD2
-rw-r--r--community/glide/APKBUILD2
-rw-r--r--community/gmnitohtml/APKBUILD2
-rw-r--r--community/go-bindata-assetfs/APKBUILD2
-rw-r--r--community/go-bindata/APKBUILD2
-rw-r--r--community/go-ipfs/APKBUILD2
-rw-r--r--community/go-md2man/APKBUILD2
-rw-r--r--community/go-msgauth/APKBUILD2
-rw-r--r--community/go/APKBUILD11
-rw-r--r--community/gogs/APKBUILD2
-rw-r--r--community/gojq/APKBUILD2
-rw-r--r--community/gonic/APKBUILD2
-rw-r--r--community/gotop/APKBUILD2
-rw-r--r--community/govendor/APKBUILD2
-rw-r--r--community/grafana/APKBUILD2
-rw-r--r--community/hcloud/APKBUILD2
-rw-r--r--community/hey/APKBUILD2
-rw-r--r--community/imagemagick/APKBUILD2
-rw-r--r--community/img/APKBUILD2
-rw-r--r--community/irtt/APKBUILD2
-rw-r--r--community/jenkins/APKBUILD6
-rw-r--r--community/jool-modules-lts/APKBUILD2
-rw-r--r--community/k3s/APKBUILD2
-rw-r--r--community/k9s/APKBUILD2
-rw-r--r--community/kiln/APKBUILD2
-rw-r--r--community/lab/APKBUILD2
-rw-r--r--community/lazygit/APKBUILD2
-rw-r--r--community/lego/APKBUILD2
-rw-r--r--community/libressl/APKBUILD6
-rw-r--r--community/mongodb-tools/APKBUILD2
-rw-r--r--community/nextcloud/APKBUILD6
-rw-r--r--community/nextcloud/iconv-ascii-translit-not-supported.patch19
-rw-r--r--community/nfpm/APKBUILD2
-rw-r--r--community/nomad/APKBUILD2
-rw-r--r--community/nss/APKBUILD8
-rw-r--r--community/nss/CVE-2021-43527.patch352
-rw-r--r--community/opensmtpd-filter-rspamd/APKBUILD2
-rw-r--r--community/opensmtpd-filter-senderscore/APKBUILD2
-rw-r--r--community/packer/APKBUILD2
-rw-r--r--community/perl-app-cpanminus/APKBUILD12
-rw-r--r--community/piknik/APKBUILD2
-rw-r--r--community/prometheus-node-exporter/APKBUILD2
-rw-r--r--community/prometheus-snmp-exporter/APKBUILD2
-rw-r--r--community/prometheus/APKBUILD2
-rw-r--r--community/prosody-filer/APKBUILD2
-rw-r--r--community/rclone/APKBUILD2
-rw-r--r--community/rest-server/APKBUILD2
-rw-r--r--community/restic/APKBUILD2
-rw-r--r--community/rtl8821ce-lts/APKBUILD2
-rw-r--r--community/rtpengine-lts/APKBUILD2
-rw-r--r--community/runc/APKBUILD2
-rw-r--r--community/shfmt/APKBUILD2
-rw-r--r--community/skopeo/APKBUILD2
-rw-r--r--community/ssh-ldap-pubkey/APKBUILD9
-rw-r--r--community/tailscale/APKBUILD2
-rw-r--r--community/telegraf/APKBUILD2
-rw-r--r--community/terraform/APKBUILD2
-rw-r--r--community/umoci/APKBUILD2
-rw-r--r--community/vault/APKBUILD2
-rw-r--r--community/vouch-proxy/APKBUILD4
-rw-r--r--community/wait4x/APKBUILD2
-rwxr-xr-xcommunity/webhook/APKBUILD2
-rw-r--r--community/writefreely/APKBUILD2
-rw-r--r--community/wuzz/APKBUILD2
-rw-r--r--community/yggdrasil/APKBUILD2
-rw-r--r--community/yq/APKBUILD2
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/amavis/APKBUILD11
-rw-r--r--main/apache2/APKBUILD9
-rw-r--r--main/bash/APKBUILD20
-rw-r--r--main/bind/APKBUILD13
-rw-r--r--main/bind/bind-9.16.20-map-format-fix.patch8
-rw-r--r--main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch40
-rw-r--r--main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch68
-rw-r--r--main/busybox/APKBUILD10
-rw-r--r--main/cairo/APKBUILD12
-rw-r--r--main/cairo/fix-inf-loop.patch36
-rw-r--r--main/cifs-utils/APKBUILD4
-rw-r--r--main/curl/APKBUILD20
-rw-r--r--main/curl/CVE-2022-22576.patch143
-rw-r--r--main/curl/CVE-2022-27774-pre.patch41
-rw-r--r--main/curl/CVE-2022-27774.patch78
-rw-r--r--main/curl/CVE-2022-27775.patch35
-rw-r--r--main/curl/CVE-2022-27776.patch113
-rw-r--r--main/cyrus-sasl/APKBUILD24
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
-rw-r--r--main/cyrus-sasl/autoconf-270.patch75
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch25
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch17
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-dbm-errno.patch29
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch11
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch16
-rw-r--r--main/cyrus-sasl/fix-saslauthd-man-page.patch31
-rw-r--r--main/dahdi-linux-lts/APKBUILD2
-rw-r--r--main/esh/APKBUILD6
-rw-r--r--main/expat/APKBUILD13
-rw-r--r--main/flac/APKBUILD9
-rw-r--r--main/freetype/APKBUILD19
-rw-r--r--main/freetype/CVE-2022-27404.patch44
-rw-r--r--main/freetype/CVE-2022-27405.patch36
-rw-r--r--main/freetype/CVE-2022-27406.patch27
-rw-r--r--main/git/APKBUILD7
-rw-r--r--main/gmp/APKBUILD10
-rw-r--r--main/gzip/APKBUILD14
-rw-r--r--main/haproxy/APKBUILD4
-rw-r--r--main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch318
-rw-r--r--main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch72
-rw-r--r--main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch99
-rw-r--r--main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch113
-rw-r--r--main/hostapd/APKBUILD20
-rw-r--r--main/intel-ucode/APKBUILD43
-rw-r--r--main/krb5/APKBUILD6
-rw-r--r--main/ldb/APKBUILD13
-rw-r--r--main/ldb/skip-failing-tests.patch35
-rw-r--r--main/libarchive/APKBUILD7
-rw-r--r--main/libretls/APKBUILD8
-rw-r--r--main/libretls/CVE-2022-0778.patch54
-rw-r--r--main/liburing/APKBUILD8
-rw-r--r--main/liburing/busybox-mktemp.patch54
-rw-r--r--main/libxml2/APKBUILD16
-rw-r--r--main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch64
-rw-r--r--main/libxml2/work-around-lxml-api-abuse.patch211
-rw-r--r--main/libxslt/APKBUILD17
-rw-r--r--main/libxslt/Dont-set-maxDepth-in-XPath-contexts.patch70
-rw-r--r--main/libxslt/Stop-using-maxParserDepth-XPath-limit.patch37
-rw-r--r--main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch42
-rw-r--r--main/lighttpd/APKBUILD14
-rw-r--r--main/linux-lts/APKBUILD28
-rw-r--r--main/linux-lts/config-lts.aarch6419
-rw-r--r--main/linux-lts/config-lts.armv723
-rw-r--r--main/linux-lts/config-lts.mips6411
-rw-r--r--main/linux-lts/config-lts.ppc64le14
-rw-r--r--main/linux-lts/config-lts.s390x12
-rw-r--r--main/linux-lts/config-lts.x8615
-rw-r--r--main/linux-lts/config-lts.x86_643
-rw-r--r--main/linux-lts/config-virt.aarch6415
-rw-r--r--main/linux-lts/config-virt.armv717
-rw-r--r--main/linux-lts/config-virt.ppc64le14
-rw-r--r--main/linux-lts/config-virt.x8614
-rw-r--r--main/linux-lts/config-virt.x86_643
-rw-r--r--main/linux-pam/APKBUILD2
-rw-r--r--main/logrotate/APKBUILD4
-rw-r--r--main/logrotate/logrotate.conf3
-rw-r--r--main/lua5.4/APKBUILD12
-rw-r--r--main/lua5.4/CVE-2022-28805.patch23
-rw-r--r--main/mariadb/APKBUILD39
-rw-r--r--main/nginx/APKBUILD8
-rw-r--r--main/nginx/CVE-2021-3618.patch92
-rw-r--r--main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch33
-rw-r--r--main/nodejs/APKBUILD10
-rw-r--r--main/openrc/APKBUILD6
-rw-r--r--main/openrc/seedrng.patch619
-rw-r--r--main/opensmtpd/APKBUILD10
-rw-r--r--main/opensmtpd/smtpd.initd8
-rw-r--r--main/openssl/APKBUILD8
-rw-r--r--main/openvpn/APKBUILD12
-rw-r--r--main/postfix/APKBUILD4
-rw-r--r--main/postgresql/APKBUILD4
-rw-r--r--main/rdiff-backup/APKBUILD3
-rw-r--r--main/redis/APKBUILD7
-rw-r--r--main/rsyslog/APKBUILD8
-rw-r--r--main/rsyslog/CVE-2022-24903.patch56
-rw-r--r--main/rsyslog/rsyslog.logrotate1
-rw-r--r--main/ruby/APKBUILD6
-rw-r--r--main/samba/APKBUILD15
-rw-r--r--main/subversion/APKBUILD11
-rw-r--r--main/subversion/fix-use-after-free.patch41
-rw-r--r--main/tcpdump/APKBUILD54
-rw-r--r--main/tiff/APKBUILD38
-rw-r--r--main/tiff/CVE-2022-0561.patch29
-rw-r--r--main/tiff/CVE-2022-0562.patch27
-rw-r--r--main/tiff/CVE-2022-0865.patch34
-rw-r--r--main/tiff/CVE-2022-0891.patch214
-rw-r--r--main/tiff/CVE-2022-0907.patch89
-rw-r--r--main/tiff/CVE-2022-0908.patch29
-rw-r--r--main/tiff/CVE-2022-0909.patch32
-rw-r--r--main/tiff/CVE-2022-0924.patch53
-rw-r--r--main/tiff/CVE-2022-22844.patch40
-rw-r--r--main/tiny-cloud/APKBUILD65
-rw-r--r--main/tzdata/APKBUILD8
-rw-r--r--main/util-linux/APKBUILD11
-rw-r--r--main/varnish/APKBUILD11
-rw-r--r--main/vim/APKBUILD27
-rw-r--r--main/xen/APKBUILD82
-rw-r--r--main/xen/qemu-xen_paths.patch12
-rw-r--r--main/xen/xenqemu-xattr-size-max.patch10
-rw-r--r--main/xen/xsa386.patch29
-rw-r--r--main/xen/xsa388-4.15-1.patch174
-rw-r--r--main/xen/xsa388-4.15-2.patch36
-rw-r--r--main/xen/xsa389-4.15.patch182
-rw-r--r--main/xen/xsa390.patch46
-rw-r--r--main/xtables-addons-lts/APKBUILD2
-rw-r--r--main/xz/APKBUILD14
-rw-r--r--main/xz/xzgrep-ZDI-CAN-16587.patch94
-rw-r--r--main/zfs-lts/APKBUILD2
-rw-r--r--main/zlib/APKBUILD20
-rw-r--r--main/zlib/Fix-CC-logic-in-configure.patch43
-rw-r--r--main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch74
-rw-r--r--main/zlib/crc32.patch51
-rw-r--r--main/zsh/APKBUILD12
221 files changed, 3936 insertions, 1953 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7f585ff935..14e97d82d5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,18 +6,11 @@ variables:
GIT_STRATEGY: clone
GIT_DEPTH: "500"
-default:
- # Make sure master points to the correct upstream commit
- before_script:
- - >
- git fetch -nq $CI_MERGE_REQUEST_PROJECT_URL
- +refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME:refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
-
lint:
stage: lint
image: alpinelinux/apkbuild-lint-tools:latest
script:
- - changed-aports $CI_MERGE_REQUEST_TARGET_BRANCH_NAME | lint
+ - lint
allow_failure: true
only:
- merge_requests
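Review bot: The `lint` job still pulls `alpinelinux/apkbuild-lint-tools:latest`, a mutable tag, and with the script reduced to `- lint` the choice of which aports get linted now lives entirely inside that image rather than in this file. Since the job runs on merge requests, pinning the image by digest (`image: alpinelinux/apkbuild-lint-tools@sha256:<DIGEST_PLACEHOLDER>`) would make the tool that runs reproducible and reviewable. Because `allow_failure: true` is set, a changed or broken image would not block the pipeline, so drift in the tag is easy to miss. The removed `before_script` carried the only comment about how the target branch was resolved; a one-line comment above `- lint`, such as `# lint works out the changed aports itself from the merge-request variables`, would record the new assumption, which is inferred here and cannot be confirmed from this hunk.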
diff --git a/community/alertmanager/APKBUILD b/community/alertmanager/APKBUILD
index ec54c83493..129495c866 100644
--- a/community/alertmanager/APKBUILD
+++ b/community/alertmanager/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=alertmanager
pkgver=0.22.1
-pkgrel=2
+pkgrel=3
pkgdesc="Prometheus Alertmanager"
url="https://github.com/prometheus/alertmanager"
arch="all"
diff --git a/community/buildah/APKBUILD b/community/buildah/APKBUILD
index 92192b3332..4495f339ae 100644
--- a/community/buildah/APKBUILD
+++ b/community/buildah/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=buildah
pkgver=1.21.4
-pkgrel=1
+pkgrel=2
pkgdesc="tool that facilitates building OCI container images"
url="https://github.com/containers/buildah"
license="Apache-2.0"
diff --git a/community/caddy/APKBUILD b/community/caddy/APKBUILD
index ff73457e2b..bd8aca28f9 100644
--- a/community/caddy/APKBUILD
+++ b/community/caddy/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=caddy
pkgver=2.4.5
-pkgrel=1
+pkgrel=2
pkgdesc="Fast, multi-platform web server with automatic HTTPS"
url="https://caddyserver.com/"
license="Apache-2.0"
diff --git a/community/chezmoi/APKBUILD b/community/chezmoi/APKBUILD
index f7ed468d29..3470d3958b 100644
--- a/community/chezmoi/APKBUILD
+++ b/community/chezmoi/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=chezmoi
pkgver=2.0.16
-pkgrel=2
+pkgrel=3
pkgdesc="Manage your dotfiles across multiple machines, securely."
url="https://www.chezmoi.io/"
arch="all"
diff --git a/community/conmon/APKBUILD b/community/conmon/APKBUILD
index c1c0dc641f..8af85b7016 100644
--- a/community/conmon/APKBUILD
+++ b/community/conmon/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=conmon
pkgver=2.0.29
-pkgrel=0
+pkgrel=1
pkgdesc="OCI container runtime monitor"
url="https://github.com/containers/conmon"
license="Apache-2.0"
diff --git a/community/consul-template/APKBUILD b/community/consul-template/APKBUILD
index bcd5ac22cc..6c7849c88b 100644
--- a/community/consul-template/APKBUILD
+++ b/community/consul-template/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=consul-template
pkgver=0.26.0
-pkgrel=1
+pkgrel=2
pkgdesc="Generic template rendering and notifications with Consul"
url="https://www.consul.io/"
arch="all"
diff --git a/community/consul/APKBUILD b/community/consul/APKBUILD
index beaab0b940..fdb2725405 100644
--- a/community/consul/APKBUILD
+++ b/community/consul/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=consul
pkgver=1.9.6
-pkgrel=1
+pkgrel=2
pkgdesc="Tool for service discovery, monitoring and configuration"
url="https://www.consul.io"
# mips(64): dependency boltdb does not support mips(64)
diff --git a/community/containerd/APKBUILD b/community/containerd/APKBUILD
index 46a5542d10..a4b1b1f318 100644
--- a/community/containerd/APKBUILD
+++ b/community/containerd/APKBUILD
@@ -6,7 +6,7 @@ pkgname=containerd
# NOTE: containerd's Makefile tries to get REVISION from git, but we're building from a tarball.
_commit=1e5ef943eb76627a6d3b6de8cd1ef6537f393a71
pkgver=1.5.8
-pkgrel=0
+pkgrel=1
pkgdesc="An open and reliable container runtime"
url="https://containerd.io"
arch="all"
diff --git a/community/croc/APKBUILD b/community/croc/APKBUILD
index fce46eadd8..03866f9bf8 100644
--- a/community/croc/APKBUILD
+++ b/community/croc/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: André Klitzing <aklitzing@gmail.com>
pkgname=croc
pkgver=9.1.4
-pkgrel=2
+pkgrel=3
pkgdesc="Easily and securely send things from one computer to another"
url="https://github.com/schollz/croc"
license="MIT"
diff --git a/community/crun/APKBUILD b/community/crun/APKBUILD
index fb32889e17..8e3a5fed7a 100644
--- a/community/crun/APKBUILD
+++ b/community/crun/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=crun
pkgver=0.21
-pkgrel=0
+pkgrel=1
pkgdesc="Fast and lightweight fully featured OCI runtime and C library for running containers"
url="https://github.com/containers/crun"
arch="all"
diff --git a/community/curlie/APKBUILD b/community/curlie/APKBUILD
index f16fca097b..69264bf2a7 100644
--- a/community/curlie/APKBUILD
+++ b/community/curlie/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: André Klitzing <aklitzing@gmail.com>
pkgname=curlie
pkgver=1.6.0
-pkgrel=2
+pkgrel=3
pkgdesc="Curlie is a frontend to curl that adds the ease of use of httpie"
url="https://github.com/rs/curlie"
arch="all"
diff --git a/community/dep/APKBUILD b/community/dep/APKBUILD
index 1d0c409dfb..718401ad08 100644
--- a/community/dep/APKBUILD
+++ b/community/dep/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Ed Robinson <edward-robinson@cookpad.com>
pkgname=dep
pkgver=0.5.4
-pkgrel=4
+pkgrel=5
pkgdesc="Go dependency management tool"
url="https://github.com/golang/dep"
# mips(64): dependency boltdp does not support mips
diff --git a/community/dnscrypt-proxy/APKBUILD b/community/dnscrypt-proxy/APKBUILD
index 473fd90c65..33e5eb39c2 100644
--- a/community/dnscrypt-proxy/APKBUILD
+++ b/community/dnscrypt-proxy/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Ian Bashford <ianbashford@gmail.com>
pkgname=dnscrypt-proxy
pkgver=2.0.45
-pkgrel=2
+pkgrel=3
pkgdesc="Tool for securing communications between a client and a DNS resolver"
url="https://dnscrypt.info"
arch="all"
diff --git a/community/docker-cli-buildx/APKBUILD b/community/docker-cli-buildx/APKBUILD
index 543c29c3b0..1433ca0b38 100644
--- a/community/docker-cli-buildx/APKBUILD
+++ b/community/docker-cli-buildx/APKBUILD
@@ -3,7 +3,7 @@
pkgname=docker-cli-buildx
_commit=11057da37336192bfc57d81e02359ba7ba848e4a
pkgver=0.5.1
-pkgrel=2
+pkgrel=3
pkgdesc="A Docker CLI plugin for extended build capabilities"
url="https://docs.docker.com/engine/reference/commandline/buildx_build"
arch="all"
diff --git a/community/docker-credential-ecr-login/APKBUILD b/community/docker-credential-ecr-login/APKBUILD
index fd8aac5612..3a78e846b3 100644
--- a/community/docker-credential-ecr-login/APKBUILD
+++ b/community/docker-credential-ecr-login/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Ty Sarna <ty@sarna.org>
pkgname=docker-credential-ecr-login
pkgver=0.5.0
-pkgrel=2
+pkgrel=3
pkgdesc="Credential helper for Docker to use the AWS Elastic Container Registry"
url="https://github.com/awslabs/amazon-ecr-credential-helper"
arch="x86_64 aarch64"
diff --git a/community/docker/APKBUILD b/community/docker/APKBUILD
index 67ac494ec8..06d68bff1f 100644
--- a/community/docker/APKBUILD
+++ b/community/docker/APKBUILD
@@ -5,7 +5,7 @@ pkgname=docker
pkgver=20.10.11
_cli_commit=dea9396e184290f638ea873c76db7c80efd5a1d2 # https://github.com/docker/cli/commits/v$pkgver
_moby_commit=847da184ad5048b27f5bdf9d53d070f731b43180 # https://github.com/moby/moby/commits/v$pkgver
-pkgrel=0
+pkgrel=1
pkgdesc="Pack, ship and run any application as a lightweight container"
url="https://www.docker.io/"
arch="all"
diff --git a/community/dockviz/APKBUILD b/community/dockviz/APKBUILD
index 6a67aecd17..2df04e73dc 100644
--- a/community/dockviz/APKBUILD
+++ b/community/dockviz/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=dockviz
pkgver=0.6.3
-pkgrel=4
+pkgrel=5
pkgdesc="Visualizing Docker Data"
url="https://github.com/justone/dockviz"
arch="all"
diff --git a/community/easypki/APKBUILD b/community/easypki/APKBUILD
index f9ffd266f7..981665e496 100644
--- a/community/easypki/APKBUILD
+++ b/community/easypki/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=easypki
pkgver=1.1.0
-pkgrel=7
+pkgrel=8
pkgdesc="Creating a certificate authority the easy way"
url="https://github.com/google/easypki"
arch="all !mips64" # build failures on dep github.com/boltdb/bolt
diff --git a/community/fzf/APKBUILD b/community/fzf/APKBUILD
index 7b6f052690..15857bd0e7 100644
--- a/community/fzf/APKBUILD
+++ b/community/fzf/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=fzf
pkgver=0.27.2
-pkgrel=2
+pkgrel=3
pkgdesc="A command-line fuzzy finder"
url="https://github.com/junegunn/fzf"
arch="all"
diff --git a/community/ginkgo/APKBUILD b/community/ginkgo/APKBUILD
index 9e64ca9312..59b869251c 100644
--- a/community/ginkgo/APKBUILD
+++ b/community/ginkgo/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=ginkgo
pkgver=1.16.4
-pkgrel=2
+pkgrel=3
pkgdesc="BDD-style Go testing framework"
url="https://onsi.github.io/ginkgo/"
license="MIT"
diff --git a/community/gitlab-runner/APKBUILD b/community/gitlab-runner/APKBUILD
index 09078b1ece..1f57e54534 100644
--- a/community/gitlab-runner/APKBUILD
+++ b/community/gitlab-runner/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=gitlab-runner
pkgver=13.12.0
-pkgrel=2
+pkgrel=3
# first 8 chars of the git hash of the release, see
# https://gitlab.com/gitlab-org/gitlab-runner/-/tags
# PLEASE update this, since they're used to determine what version of
diff --git a/community/glide/APKBUILD b/community/glide/APKBUILD
index 2576daee76..08f4e349a6 100644
--- a/community/glide/APKBUILD
+++ b/community/glide/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=glide
pkgver=0.13.3
-pkgrel=4
+pkgrel=5
pkgdesc="Vendor Package Management for Golang"
url="https://github.com/Masterminds/glide"
arch="all"
diff --git a/community/gmnitohtml/APKBUILD b/community/gmnitohtml/APKBUILD
index a6ebe23b15..48564aaec4 100644
--- a/community/gmnitohtml/APKBUILD
+++ b/community/gmnitohtml/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Stacy Harper <contact@stacyharper.net>
pkgname=gmnitohtml
pkgver=0.1.0
-pkgrel=2
+pkgrel=3
pkgdesc="Gemini text to HTML converter"
options="!check" # No testsuite
url="https://git.sr.ht/~adnano/gmnitohtml"
diff --git a/community/go-bindata-assetfs/APKBUILD b/community/go-bindata-assetfs/APKBUILD
index 422e981a5e..23dd18f501 100644
--- a/community/go-bindata-assetfs/APKBUILD
+++ b/community/go-bindata-assetfs/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Matthias Neugebauer <mtneug@mailbox.org>
pkgname=go-bindata-assetfs
pkgver=1.0.1
-pkgrel=3
+pkgrel=4
pkgdesc="small utility which generates Go code to serve any file with net/http"
url="https://github.com/elazarl/go-bindata-assetfs"
arch="all"
diff --git a/community/go-bindata/APKBUILD b/community/go-bindata/APKBUILD
index 170e0ef752..5135e36806 100644
--- a/community/go-bindata/APKBUILD
+++ b/community/go-bindata/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=go-bindata
pkgver=3.1.3
-pkgrel=6
+pkgrel=7
pkgdesc="A small utility which generates Go code from any file"
url="https://github.com/go-bindata/go-bindata"
arch="all"
diff --git a/community/go-ipfs/APKBUILD b/community/go-ipfs/APKBUILD
index 170bce20b0..955d9bfb96 100644
--- a/community/go-ipfs/APKBUILD
+++ b/community/go-ipfs/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Oleg Titov <oleg.titov@gmail.com>
pkgname=go-ipfs
pkgver=0.8.0
-pkgrel=3
+pkgrel=4
pkgdesc="Inter Platnetary File System (IPFS), a peer-to-peer hypermedia distribution protocol"
url="https://ipfs.io/"
arch="x86_64 x86 aarch64 armhf armv7"
diff --git a/community/go-md2man/APKBUILD b/community/go-md2man/APKBUILD
index 1c1a47bac6..7598a3d225 100644
--- a/community/go-md2man/APKBUILD
+++ b/community/go-md2man/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jake Buchholz <tomalok@gmail.com>
pkgname=go-md2man
pkgver=2.0.0
-pkgrel=3
+pkgrel=4
pkgdesc="Utility to convert markdown to man pages"
options="net"
url="https://github.com/cpuguy83/go-md2man"
diff --git a/community/go-msgauth/APKBUILD b/community/go-msgauth/APKBUILD
index b194c9c64e..3a292ab1ab 100644
--- a/community/go-msgauth/APKBUILD
+++ b/community/go-msgauth/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=go-msgauth
pkgver=0.6.2
-pkgrel=2
+pkgrel=3
pkgdesc="Go utilities for DKIM, DMARC, and Authentication-Results"
url="https://github.com/emersion/go-msgauth"
arch="all"
diff --git a/community/go/APKBUILD b/community/go/APKBUILD
index 904f00e565..6efdba3a16 100644
--- a/community/go/APKBUILD
+++ b/community/go/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=go
# go binaries are statically linked, security updates require rebuilds
-pkgver=1.16.10
+pkgver=1.16.15
pkgrel=0
pkgdesc="Go programming language compiler"
url="https://golang.org/"
@@ -27,6 +27,13 @@ case "$CARCH" in
esac
# secfixes:
+# 1.16.15-r0:
+# - CVE-2021-44716
+# - CVE-2022-23772
+# - CVE-2022-23773
+# - CVE-2022-23806
+# - CVE-2022-24921
+# - CVE-2022-27191
# 1.16.10-r0:
# - CVE-2021-41772
# - CVE-2021-41771
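Review bot: The new `1.16.15-r0` secfixes entry spans five upstream patch releases (1.16.10 to 1.16.15), and this hunk alone does not show that the six listed ids are the complete set of security fixes in that range. These secfixes comments are, as far as I know, the input for the distribution's security database, so an id missing here would keep being reported against the updated package; the list should be checked against the upstream release notes for each skipped release. The comment `# go binaries are statically linked, security updates require rebuilds` in the first hunk of this file also means every Go-built aport needs a `pkgrel` bump alongside this one, which the diffstat suggests was done but which cannot be verified from this file.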
@@ -181,7 +188,7 @@ package() {
}
sha512sums="
-d12753bd7973beb7ab047a189bd0d7132b5ab8c35e943b12388289d59f9becaefb858d37cfcb808c1e12f3e06c883ef170d98ed99449e9beda636cab9bfff2b6 go1.16.10.src.tar.gz
+5b7fd234e6eb3db173ec536ac599a8c640eb4b0e8abeb16f7728efb6d7c927c41a7e8631505ba6983f565f0470a37458e60d8df33089f7ab773c250b44413e66 go1.16.15.src.tar.gz
988a436727aefc5124702bd70cb01bb457a921affcdd03e17f78937685482e899080d95baf125e054d1f634dae5c747d05a3662f1f4f462b87965b06270c788f disable-flaky-sync-test.patch
ab4aa83d8a9bf10bbb93ad029095b47c6eea7d5532703d84449884039116e07897871649feb1df8128f10257cbdb5d7eb03820ab0f1a3f60315e195302f6e516 disable-flaky-gc-test.patch
6017caacf77c2911e9e882878fdaa2ed066b76b7e97b2ad776bc33d96b21cabc802966473946642c86a8f985c69adcc5e7ea61684f6d0dbacd468a6aad687229 allow-unshare-to-return-enosys.patch
diff --git a/community/gogs/APKBUILD b/community/gogs/APKBUILD
index bb3cbb0a69..e7a1a04b05 100644
--- a/community/gogs/APKBUILD
+++ b/community/gogs/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer:
pkgname=gogs
pkgver=0.12.3
-pkgrel=4
+pkgrel=5
pkgdesc="Painless self-hosted Git service"
url="https://gogs.io/"
arch="all"
diff --git a/community/gojq/APKBUILD b/community/gojq/APKBUILD
index a9070f12ca..aa0dbf6a22 100644
--- a/community/gojq/APKBUILD
+++ b/community/gojq/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=gojq
pkgver=0.12.4
-pkgrel=2
+pkgrel=3
pkgdesc="Pure Go implementation of jq"
url="https://github.com/itchyny/gojq"
license="MIT"
diff --git a/community/gonic/APKBUILD b/community/gonic/APKBUILD
index 5c6ccc74fb..ea3795f783 100644
--- a/community/gonic/APKBUILD
+++ b/community/gonic/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Alex McGrath <amk@amk.ie>
pkgname=gonic
pkgver=0.12.3
-pkgrel=2
+pkgrel=3
pkgdesc="Subsonic compatible music streaming server"
url="https://github.com/sentriz/gonic"
arch="all"
diff --git a/community/gotop/APKBUILD b/community/gotop/APKBUILD
index 5096b17c39..43749c73ba 100644
--- a/community/gotop/APKBUILD
+++ b/community/gotop/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=gotop
pkgver=4.1.1
-pkgrel=2
+pkgrel=3
pkgdesc="Terminal based graphical activity monitor"
url="https://github.com/xxxserxxx/gotop"
arch="all"
diff --git a/community/govendor/APKBUILD b/community/govendor/APKBUILD
index 1cf3cd29df..1c95607f14 100644
--- a/community/govendor/APKBUILD
+++ b/community/govendor/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=govendor
pkgver=1.0.9
-pkgrel=6
+pkgrel=7
pkgdesc="Go vendor tool that works with the standard vendor file"
url="https://github.com/kardianos/govendor"
arch="all"
diff --git a/community/grafana/APKBUILD b/community/grafana/APKBUILD
index 73576a8007..dab065be58 100644
--- a/community/grafana/APKBUILD
+++ b/community/grafana/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Konstantin Kulikov <k.kulikov2@gmail.com>
pkgname=grafana
pkgver=7.5.7
-pkgrel=3
+pkgrel=4
_commit=91de51771c # git rev-parse --short HEAD
_stamp=1621279005 # git --no-pager show -s --format=%ct
pkgdesc="Open source, feature rich metrics dashboard and graph editor"
diff --git a/community/hcloud/APKBUILD b/community/hcloud/APKBUILD
index 0f07db44d5..f081d7541d 100644
--- a/community/hcloud/APKBUILD
+++ b/community/hcloud/APKBUILD
@@ -3,7 +3,7 @@
pkgname=hcloud
_pkgname=cli
pkgver=1.26.1
-pkgrel=1
+pkgrel=2
pkgdesc="Command-line interface for Hetzner Cloud"
url="https://github.com/hetznercloud/cli"
arch="all"
diff --git a/community/hey/APKBUILD b/community/hey/APKBUILD
index 13a322ff9d..79d0a80fb7 100644
--- a/community/hey/APKBUILD
+++ b/community/hey/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michał Polański <michal@polanski.me>
pkgname=hey
pkgver=0.1.4
-pkgrel=2
+pkgrel=3
pkgdesc="HTTP load generator"
url="https://github.com/rakyll/hey"
arch="all"
diff --git a/community/imagemagick/APKBUILD b/community/imagemagick/APKBUILD
index c06ab088db..70811858f4 100644
--- a/community/imagemagick/APKBUILD
+++ b/community/imagemagick/APKBUILD
@@ -4,7 +4,7 @@
pkgname=imagemagick
_pkgname=ImageMagick
pkgver=7.0.11.14
-pkgrel=0
+pkgrel=1
_pkgver=${pkgver%.*}-${pkgver##*.}
_abiver=7
pkgdesc="Collection of tools and libraries for many image formats"
diff --git a/community/img/APKBUILD b/community/img/APKBUILD
index 9aece303c4..780725345a 100644
--- a/community/img/APKBUILD
+++ b/community/img/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Lucas Ramage <ramage.lucas@protonmail.com>
pkgname=img
pkgver=0.5.11
-pkgrel=2
+pkgrel=3
pkgdesc="Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder"
url="https://github.com/genuinetools/img"
arch="x86_64"
diff --git a/community/irtt/APKBUILD b/community/irtt/APKBUILD
index 851f8ec461..d776bed60b 100644
--- a/community/irtt/APKBUILD
+++ b/community/irtt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Thomas Liske <thomas@fiasko-nw.net>
pkgname=irtt
pkgver=0.9.1
-pkgrel=3
+pkgrel=4
pkgdesc="Isochronous Round-Trip Tester"
url="https://github.com/heistp/irtt"
arch="all"
diff --git a/community/jenkins/APKBUILD b/community/jenkins/APKBUILD
index ca35cc8a8e..552cb9ed83 100644
--- a/community/jenkins/APKBUILD
+++ b/community/jenkins/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=jenkins
-pkgver=2.319.2
+pkgver=2.319.3
pkgrel=0
pkgdesc="Extendable continuous integration server (stable version)"
url="https://jenkins.io"
@@ -21,6 +21,8 @@ source="$pkgname-$pkgver.war::https://get.jenkins.io/war-stable/$pkgver/jenkins.
builddir="$srcdir/"
# secfixes:
+# 2.319.3-r0:
+# - CVE-2022-0538
# 2.319.2-r0:
# - CVE-2022-20612
# 2.287-r0:
@@ -62,7 +64,7 @@ package() {
}
sha512sums="
-f6f0846d9e032b48e85fc20a030baa2d5c500a65c6c909d00852be3324d1b79c31ea8b7ff45ac05299ff9797b17aeb61d094ad425ce5198f6e13aa050007e650 jenkins-2.319.2.war
+d6d952c064cf0a52d94db7ccd1903d726b10dcc6f41b20a23ca319a6e64ad8d8259c308cf44183e37ad9e6583b71a4d904da7aacb892a68b8dda826c71a9a425 jenkins-2.319.3.war
ee2e80d93b390b2c5dead3111e07d6226cbd87393740fd630975e4d177acc033392ebbdb99f8ea3c6daeceac184399b38b0fa3ae7d96b5cb28f65d473b916244 jenkins.logrotate
43686a537248c7a0a8fe53c3ca9577c8ffb50a141248de028d398d0fd3b3be8562b6cb2c63b44b3b0ac58d6431e8907790553791b2e125d1bfc2e3263ffaa83e jenkins.initd
7247750a13fc2537dc1e405f6d8221ccdc80cfbaf40c47327ee04c206afa8607ada52e7b895c8eb3489dd9f6a94b42b8b38110b3120948a35dc4f197fe4c08ed jenkins.confd
diff --git a/community/jool-modules-lts/APKBUILD b/community/jool-modules-lts/APKBUILD
index 08b3fdd43f..977fc8c86b 100644
--- a/community/jool-modules-lts/APKBUILD
+++ b/community/jool-modules-lts/APKBUILD
@@ -21,7 +21,7 @@ fi
# Kernel version
# Keep in sync with main/linux-lts!
_kpkg=linux-$_flavor
-_kver=5.10.93
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/k3s/APKBUILD b/community/k3s/APKBUILD
index 4fe45781c4..6d0cb0b47d 100644
--- a/community/k3s/APKBUILD
+++ b/community/k3s/APKBUILD
@@ -3,7 +3,7 @@
pkgname=k3s
_pkgver=1.21.1+k3s1
pkgver=${_pkgver/+k3s/.}
-pkgrel=3
+pkgrel=4
pkgdesc="Lightweight Kubernetes. 5 less than k8s"
url="https://k3s.io"
arch="all"
diff --git a/community/k9s/APKBUILD b/community/k9s/APKBUILD
index 4ccd4ee428..74ed0be558 100644
--- a/community/k9s/APKBUILD
+++ b/community/k9s/APKBUILD
@@ -3,7 +3,7 @@
pkgname=k9s
_pkgname=github.com/derailed/k9s
pkgver=0.24.10
-pkgrel=2
+pkgrel=3
_commit=6426ea11 # git rev-parse --short HEAD
_date=2021-05-26T21:44:34UTC # date -u -d @$(date +%s) +%FT%T%Z
pkgdesc="Kubernetes TUI"
diff --git a/community/kiln/APKBUILD b/community/kiln/APKBUILD
index c369118105..6d85a884db 100644
--- a/community/kiln/APKBUILD
+++ b/community/kiln/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Stacy Harper <contact@stacyharper.net>
pkgname=kiln
pkgver=0.2.0
-pkgrel=2
+pkgrel=3
pkgdesc="Simple static site generator for Gemini sites"
url="https://git.sr.ht/~adnano/kiln"
arch="all"
diff --git a/community/lab/APKBUILD b/community/lab/APKBUILD
index 35e3682c16..5278a351d9 100644
--- a/community/lab/APKBUILD
+++ b/community/lab/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=lab
pkgver=0.21.0
-pkgrel=2
+pkgrel=3
pkgdesc="Git Wrapper for GitLab"
url="https://zaquestion.github.io/lab/"
arch="all"
diff --git a/community/lazygit/APKBUILD b/community/lazygit/APKBUILD
index 41936e1cba..b2401622cd 100644
--- a/community/lazygit/APKBUILD
+++ b/community/lazygit/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Thomas Deutsch <thomas@tuxpeople.org>
pkgname=lazygit
pkgver=0.28.2
-pkgrel=1
+pkgrel=2
pkgdesc="Simple terminal UI for git commands"
url="https://github.com/jesseduffield/lazygit"
arch="all"
diff --git a/community/lego/APKBUILD b/community/lego/APKBUILD
index 497ebefa1e..827624b8a9 100644
--- a/community/lego/APKBUILD
+++ b/community/lego/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=lego
pkgver=4.3.1
-pkgrel=2
+pkgrel=3
pkgdesc="Let's Encrypt client and ACME library written in Go"
url="https://github.com/go-acme/lego"
license="MIT"
diff --git a/community/libressl/APKBUILD b/community/libressl/APKBUILD
index 6aa384d0f9..e063b75acc 100644
--- a/community/libressl/APKBUILD
+++ b/community/libressl/APKBUILD
@@ -3,6 +3,8 @@
# Maintainer: Orion <systmkor@gmail.com>
#
# secfixes:
+# 3.3.6-r0:
+# - CVE-2022-0778
# 3.1.5-r0:
# - CVE-2020-1971
# 2.7.4-r0:
@@ -12,7 +14,7 @@
# - CVE-2017-8301
#
pkgname=libressl
-pkgver=3.3.3
+pkgver=3.3.6
_namever=${pkgname}${pkgver%.*}
pkgrel=0
pkgdesc="Version of the TLS/crypto stack forked from OpenSSL"
@@ -84,6 +86,6 @@ _libs() {
}
sha512sums="
-2d0b5f4cfe37d573bc64d5967abb77f536dbe581fbad9637d925332bcdfd185fe6810335b2af80a89f92d7e6edaa8ea3ba2492c60a117e47ea1b2d6aacf01f0f libressl-3.3.3.tar.gz
+b34cd1c5ac610b18cef996eacb5f4b5684f47e98ed82008e6bb7c61fe488f54db0a9b55ef69298c61a1c4e42a2294fff9b011e2a7c9397fcb5820698dfe10a71 libressl-3.3.6.tar.gz
18e72b7db28664ee4e294a4a461e48daa90be9e9323584112a5878fd56a578d02f4730c7c788f57cc39b2bc35447df0a47a4391077d764d953419890ad511d35 ssl-libcompat.patch
"
diff --git a/community/mongodb-tools/APKBUILD b/community/mongodb-tools/APKBUILD
index 6442892db4..43ae773845 100644
--- a/community/mongodb-tools/APKBUILD
+++ b/community/mongodb-tools/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Mikael Jenkler <mikael@jenkler.com>
pkgname=mongodb-tools
pkgver=4.2.14
-pkgrel=2
+pkgrel=3
pkgdesc="The MongoDB tools provide import, export, and diagnostic capabilities."
url="https://github.com/mongodb/mongo-tools"
arch="all !s390x"
diff --git a/community/nextcloud/APKBUILD b/community/nextcloud/APKBUILD
index e257c54a26..f6985154f6 100644
--- a/community/nextcloud/APKBUILD
+++ b/community/nextcloud/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nextcloud
-pkgver=21.0.7
+pkgver=21.0.9
pkgrel=0
_replaced_ver=20
pkgdesc="A safe home for all your data"
@@ -36,7 +36,6 @@ source="https://download.nextcloud.com/server/releases/nextcloud-$pkgver.zip
nextcloud-app-encryption-info-add-mcrypt.patch
dont-update-htaccess.patch
disable-integrity-check-as-default.patch
- iconv-ascii-translit-not-supported.patch
use-external-docs-if-local-not-avail.patch
$pkgname-config.php
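Review bot: Dropping `iconv-ascii-translit-not-supported.patch` from `source=` is not explained anywhere in the visible change. The deleted patch swapped `'ASCII//TRANSLIT'` for `'ASCII'` in apps/user_ldap/lib/Access.php, and the surrounding code only uses the result when `iconv` does not return false. If 21.0.9 still makes the `//TRANSLIT` call, the `@`-suppressed call would presumably fail on this libc and LDAP-derived names would pass through untransliterated, which may differ from what the previous package produced. A line in the commit message stating whether upstream changed that call or the patch merely stopped applying would settle it.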
@@ -246,12 +245,11 @@ _package_app() {
}
sha512sums="
-404681179dbdb47bce373fb2d0d01fb7f3feac9e939ad652c5385904bc894b67c0b5f3ef10d99583c5fe24e9ee8ed5eb83ce7d2168122d3185d666d5d4c7389f nextcloud-21.0.7.zip
+89637421760c138ae22d3550f9014b289ae8f8aa6aa7f8406a6bd253736d5761c33a2c58be8df5b6bf265344aa230d8d686253ae6717b8a715798c0c176ef444 nextcloud-21.0.9.zip
aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud-dont-chmod.patch
67654d1b606c36ee9a8804b4ae0c9310c6f9dbc38aee0e73afb8da535fe64ee688b7052fd5d248ce094843c54dd8858e8c4cb014556a5a33f261fd3a4d56f7c4 nextcloud-app-encryption-info-add-mcrypt.patch
aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
d2100a837fef1eeae5f706650ab4c985d9e00f61efa5526ef76c7c1f5811c3906eb6c3c13c151eff9677a0c303faab64411a5a84d6792728bc520d2c618d7d5b disable-integrity-check-as-default.patch
-3fc3e06580a619d81b12f448976ffac34f0bb80fc73e9443fa213a73f160ba4b9bd14a26c134258ee12c04d8e103b46f4de10d7b11e4544a328878e57d436055 iconv-ascii-translit-not-supported.patch
df1a16414a278c205876ec86c210a02a9009954e2d4f9033ff3c9b76c371e2764ef3587db5a4b8f76302655c6c8688c8729d1685279a77d279d3839cc359fbcd use-external-docs-if-local-not-avail.patch
5f73cd9399fa484ef15bd47e803c93381deffbc7699eceadbb5c27e43b20156806d74e5021a64d28f0165ef87b519e962780651711a37bceb9f0b04455dfdce1 nextcloud-config.php
7388458a9e8b7afd3d3269718306410ffa59c3c23da4bef367a4d7f6d2570136fae9dd421b19c1441e7ffb15a5405e18bb5da67b1a15f9f45e8b98d3fda532ba nextcloud.logrotate
diff --git a/community/nextcloud/iconv-ascii-translit-not-supported.patch b/community/nextcloud/iconv-ascii-translit-not-supported.patch
deleted file mode 100644
index e36f82b8c0..0000000000
--- a/community/nextcloud/iconv-ascii-translit-not-supported.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-commit 70e75d985f5c6a7bea67210e85e6c6c9fea783f9
-Author: Leonardo Arena <rnalrd@alpinelinux.org>
-Date: Fri Jun 12 09:21:47 2020 +0000
-
- iconv ascii translit not supported
-
-diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
-index 16013555..6c95f97c 100644
---- a/apps/user_ldap/lib/Access.php
-+++ b/apps/user_ldap/lib/Access.php
-@@ -1428,7 +1428,7 @@ class Access extends LDAPUtility {
- }
-
- // Transliteration to ASCII
-- $transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name);
-+ $transliterated = @iconv('UTF-8', 'ASCII', $name);
- if ($transliterated !== false) {
- // depending on system config iconv can work or not
- $name = $transliterated;
diff --git a/community/nfpm/APKBUILD b/community/nfpm/APKBUILD
index 0ee1f585d4..3f620afcf6 100644
--- a/community/nfpm/APKBUILD
+++ b/community/nfpm/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=nfpm
pkgver=2.5.1
-pkgrel=2
+pkgrel=3
pkgdesc="a simple apk, Deb and RPM packager without external dependencies"
url="https://nfpm.goreleaser.com/"
arch="all !riscv64"
diff --git a/community/nomad/APKBUILD b/community/nomad/APKBUILD
index d5666e5aa2..b40c75d536 100644
--- a/community/nomad/APKBUILD
+++ b/community/nomad/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Matthias Neugebauer <mtneug@mailbox.org>
pkgname=nomad
pkgver=1.0.4 # remember to update GIT_COMMIT below
-pkgrel=3
+pkgrel=4
pkgdesc="easy-to-use, flexible, and performant workload orchestrator"
url="https://www.nomadproject.io/"
arch="all !x86 !armv7 !armhf !mips64" # blocking on yarn/npm
diff --git a/community/nss/APKBUILD b/community/nss/APKBUILD
index f21f25b5ff..4d36adf6a1 100644
--- a/community/nss/APKBUILD
+++ b/community/nss/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nss
-pkgver=3.66
+pkgver=3.68.3
pkgrel=0
pkgdesc="Mozilla Network Security Services"
url="https://developer.mozilla.org/docs/Mozilla/Projects/NSS"
@@ -12,7 +12,6 @@ depends_dev="nspr-dev"
makedepends="nspr-dev sqlite-dev zlib-dev perl bsd-compat-headers linux-headers"
subpackages="$pkgname-static $pkgname-dev $pkgname-tools"
source="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-$pkgver.tar.gz
- CVE-2021-43527.patch
nss.pc.in
nss-util.pc.in
nss-softokn.pc.in
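Review bot: Removing `CVE-2021-43527.patch` from `source=` is only safe if the 3.68.3 tarball already carries the signature-length checks that the backport added to lib/cryptohi/secvfy.c, and nothing in the visible change records that. As far as I know upstream lists 3.68.1 as the first ESR release with that fix, so 3.68.3 should include it, but this is worth confirming against the unpacked source (for example by checking that `checkedSignatureLen` is present) before the backport is dropped. A short note in the commit message, such as `CVE-2021-43527.patch dropped, fixed upstream`, would make the removal auditable later.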
@@ -25,6 +24,8 @@ source="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM
options="!strip"
# secfixes:
+# 3.68.3-r0:
+# - CVE-2022-1097
# 3.66-r0:
# - CVE-2021-43527
# 3.58-r0:
@@ -188,8 +189,7 @@ tools() {
}
sha512sums="
-327129cb065a8c19246e081e3cbc4798c81dc52eab6ee366eade151e9d308990592075c52a7c672165725fd855a0c539d56a803c26ef066561c584d693e0e467 nss-3.66.tar.gz
-aff96b509bd649f9d5d5850b19daf1296210868dedd3ca9c1d198a9cf4cb2cfeb9ed6c530a8c9b7e1fbc0284e728ccf61c149fa07d940ef30e8ebc6588af76e6 CVE-2021-43527.patch
+70fa8ab48d45249c04424979640583e8bc867432b7e3f26c1602db49a13861dd070f081ed82660bb7451f835dc859b5788ae12a67f9ddab1f6bd1a7afb1174d2 nss-3.68.3.tar.gz
75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
0f2efa8563b11da68669d281b4459289a56f5a3a906eb60382126f3adcfe47420cdcedc6ab57727a3afeeffa2bbb4c750b43bef8b5f343a75c968411dfa30e09 nss-util.pc.in
09c69d4cc39ec9deebc88696a80d0f15eb2d8c94d9daa234a2adfec941b63805eb4ce7f2e1943857b938bddcaee1beac246a0ec627b71563d9f846e6119a4a15 nss-softokn.pc.in
diff --git a/community/nss/CVE-2021-43527.patch b/community/nss/CVE-2021-43527.patch
deleted file mode 100644
index afec728805..0000000000
--- a/community/nss/CVE-2021-43527.patch
+++ /dev/null
@@ -1,352 +0,0 @@
-
-# HG changeset patch
-# User Dennis Jackson <djackson@mozilla.com>
-# Date 1637577642 0
-# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd
-# Parent da3d22d708c9cc0a32cff339658aeb627575e371
-Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
-
-Differential Revision: https://phabricator.services.mozilla.com/D129514
-
-diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
---- a/nss/lib/cryptohi/secvfy.c
-+++ b/nss/lib/cryptohi/secvfy.c
-@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext *
- SECItem pkcs1DigestInfo;
- pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
- pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
- return _SGN_VerifyPKCS1DigestInfo(
- cx->hashAlg, digest, &pkcs1DigestInfo,
- PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
- }
-
-+static unsigned int
-+checkedSignatureLen(const SECKEYPublicKey *pubk)
-+{
-+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
-+ if (sigLen == 0) {
-+ /* Error set by SECKEY_SignatureLen */
-+ return sigLen;
-+ }
-+ unsigned int maxSigLen;
-+ switch (pubk->keyType) {
-+ case rsaKey:
-+ case rsaPssKey:
-+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
-+ break;
-+ case dsaKey:
-+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
-+ break;
-+ case ecKey:
-+ maxSigLen = 2 * MAX_ECKEY_LEN;
-+ break;
-+ default:
-+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-+ return 0;
-+ }
-+ if (sigLen > maxSigLen) {
-+ PORT_SetError(SEC_ERROR_INVALID_KEY);
-+ return 0;
-+ }
-+ return sigLen;
-+}
-+
- /*
- * decode the ECDSA or DSA signature from it's DER wrapping.
- * The unwrapped/raw signature is placed in the buffer pointed
- * to by dsig and has enough room for len bytes.
- */
- static SECStatus
- decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
- unsigned int len)
- {
- SECItem *dsasig = NULL; /* also used for ECDSA */
-- SECStatus rv = SECSuccess;
-
-- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
-- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
-- if (sig->len != len) {
-- PORT_SetError(SEC_ERROR_BAD_DER);
-- return SECFailure;
-+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
-+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
-+ if (len > DSA_MAX_SIGNATURE_LEN) {
-+ goto loser;
- }
--
-- PORT_Memcpy(dsig, sig->data, sig->len);
-- return SECSuccess;
-+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
-+ if (len > MAX_ECKEY_LEN * 2) {
-+ goto loser;
-+ }
-+ } else {
-+ goto loser;
- }
-
-- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
-- if (len > MAX_ECKEY_LEN * 2) {
-- PORT_SetError(SEC_ERROR_BAD_DER);
-- return SECFailure;
-- }
-+ /* Decode and pad to length */
-+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-+ if (dsasig == NULL) {
-+ goto loser;
- }
-- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
--
-- if ((dsasig == NULL) || (dsasig->len != len)) {
-- rv = SECFailure;
-- } else {
-- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
-+ if (dsasig->len != len) {
-+ SECITEM_FreeItem(dsasig, PR_TRUE);
-+ goto loser;
- }
-
-- if (dsasig != NULL)
-- SECITEM_FreeItem(dsasig, PR_TRUE);
-- if (rv == SECFailure)
-- PORT_SetError(SEC_ERROR_BAD_DER);
-- return rv;
-+ PORT_Memcpy(dsig, dsasig->data, len);
-+ SECITEM_FreeItem(dsasig, PR_TRUE);
-+
-+ return SECSuccess;
-+
-+loser:
-+ PORT_SetError(SEC_ERROR_BAD_DER);
-+ return SECFailure;
- }
-
- const SEC_ASN1Template hashParameterTemplate[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
- { SEC_ASN1_OBJECT_ID, 0 },
- { SEC_ASN1_SKIP_REST },
- { 0 }
-@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg
- *
- * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
- * algorithm was not found or was not a signing algorithm.
- */
- SECStatus
- sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
- const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
- {
-- int len;
-+ unsigned int len;
- PLArenaPool *arena;
- SECStatus rv;
- SECItem oid;
- SECOidTag encalg;
-
- PR_ASSERT(hashalg != NULL);
- PR_ASSERT(encalgp != NULL);
-
-@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey
- cx->wincx = wincx;
- cx->hasSignature = (sig != NULL);
- cx->encAlg = encAlg;
- cx->hashAlg = hashAlg;
- cx->key = SECKEY_CopyPublicKey(key);
- cx->pkcs1RSADigestInfo = NULL;
- rv = SECSuccess;
- if (sig) {
-- switch (type) {
-- case rsaKey:
-- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
-- &cx->pkcs1RSADigestInfo,
-- &cx->pkcs1RSADigestInfoLen,
-- cx->key,
-- sig, wincx);
-- break;
-- case rsaPssKey:
-- sigLen = SECKEY_SignatureLen(key);
-- if (sigLen == 0) {
-- /* error set by SECKEY_SignatureLen */
-- rv = SECFailure;
-+ rv = SECFailure;
-+ if (type == rsaKey) {
-+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
-+ &cx->pkcs1RSADigestInfo,
-+ &cx->pkcs1RSADigestInfoLen,
-+ cx->key,
-+ sig, wincx);
-+ } else {
-+ sigLen = checkedSignatureLen(key);
-+ /* Check signature length is within limits */
-+ if (sigLen == 0) {
-+ /* error set by checkedSignatureLen */
-+ rv = SECFailure;
-+ goto loser;
-+ }
-+ if (sigLen > sizeof(cx->u)) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ rv = SECFailure;
-+ goto loser;
-+ }
-+ switch (type) {
-+ case rsaPssKey:
-+ if (sig->len != sigLen) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ rv = SECFailure;
-+ goto loser;
-+ }
-+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
-+ rv = SECSuccess;
- break;
-- }
-- if (sig->len != sigLen) {
-- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ case ecKey:
-+ case dsaKey:
-+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
-+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
-+ break;
-+ default:
-+ /* Unreachable */
- rv = SECFailure;
-- break;
-- }
-- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
-- break;
-- case dsaKey:
-- case ecKey:
-- sigLen = SECKEY_SignatureLen(key);
-- if (sigLen == 0) {
-- /* error set by SECKEY_SignatureLen */
-- rv = SECFailure;
-- break;
-- }
-- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
-- break;
-- default:
-- rv = SECFailure;
-- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-- break;
-+ goto loser;
-+ }
-+ }
-+ if (rv != SECSuccess) {
-+ goto loser;
- }
- }
-
-- if (rv)
-- goto loser;
--
- /* check hash alg again, RSA may have changed it.*/
- if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
- /* error set by HASH_GetHashTypeByOidTag */
- goto loser;
- }
- /* check the policy on the hash algorithm. Do this after
- * the rsa decode because some uses of this function get hash implicitly
- * from the RSA signature itself. */
-@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC
- if (cx->hashcx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
- switch (cx->key->keyType) {
- case ecKey:
- case dsaKey:
-- dsasig.data = cx->u.buffer;
-- dsasig.len = SECKEY_SignatureLen(cx->key);
-+ dsasig.len = checkedSignatureLen(cx->key);
- if (dsasig.len == 0) {
- return SECFailure;
- }
-+ if (dsasig.len > sizeof(cx->u)) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ return SECFailure;
-+ }
-+ dsasig.data = cx->u.buffer;
-+
- if (sig) {
- rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
- dsasig.len);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- }
-@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC
- cx->params,
- &mech);
- PORT_DestroyCheapArena(&tmpArena);
- if (rv != SECSuccess) {
- return SECFailure;
- }
-
- rsasig.data = cx->u.buffer;
-- rsasig.len = SECKEY_SignatureLen(cx->key);
-+ rsasig.len = checkedSignatureLen(cx->key);
- if (rsasig.len == 0) {
-+ /* Error set by checkedSignatureLen */
-+ return SECFailure;
-+ }
-+ if (rsasig.len > sizeof(cx->u)) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- if (sig) {
- if (sig->len != rsasig.len) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- PORT_Memcpy(rsasig.data, sig->data, rsasig.len);
-@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx)
- static SECStatus
- vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
- const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
- void *wincx)
- {
- SECStatus rv;
- VFYContext *cx;
- SECItem dsasig; /* also used for ECDSA */
--
- rv = SECFailure;
-
- cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
- if (cx != NULL) {
- switch (key->keyType) {
- case rsaKey:
- rv = verifyPKCS1DigestInfo(cx, digest);
-+ /* Error (if any) set by verifyPKCS1DigestInfo */
- break;
-- case dsaKey:
- case ecKey:
-+ case dsaKey:
- dsasig.data = cx->u.buffer;
-- dsasig.len = SECKEY_SignatureLen(cx->key);
-+ dsasig.len = checkedSignatureLen(cx->key);
- if (dsasig.len == 0) {
-+ /* Error set by checkedSignatureLen */
-+ rv = SECFailure;
- break;
- }
-- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
-- SECSuccess) {
-+ if (dsasig.len > sizeof(cx->u)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-- } else {
-- rv = SECSuccess;
-+ rv = SECFailure;
-+ break;
-+ }
-+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
-+ if (rv != SECSuccess) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- }
- break;
- default:
- break;
- }
- VFY_DestroyContext(cx, PR_TRUE);
- }
- return rv;
-
diff --git a/community/opensmtpd-filter-rspamd/APKBUILD b/community/opensmtpd-filter-rspamd/APKBUILD
index a2951b3916..17f5104435 100644
--- a/community/opensmtpd-filter-rspamd/APKBUILD
+++ b/community/opensmtpd-filter-rspamd/APKBUILD
@@ -3,7 +3,7 @@
pkgname=opensmtpd-filter-rspamd
_pkgname=filter-rspamd
pkgver=0.1.7
-pkgrel=2
+pkgrel=3
pkgdesc="OpenSMTPD filter integration for Rspamd"
url="https://github.com/poolpOrg/filter-rspamd"
license="ISC"
diff --git a/community/opensmtpd-filter-senderscore/APKBUILD b/community/opensmtpd-filter-senderscore/APKBUILD
index 7e226a3c89..4077075ab1 100644
--- a/community/opensmtpd-filter-senderscore/APKBUILD
+++ b/community/opensmtpd-filter-senderscore/APKBUILD
@@ -3,7 +3,7 @@
pkgname=opensmtpd-filter-senderscore
_pkgname=filter-senderscore
pkgver=0.1.1
-pkgrel=3
+pkgrel=4
pkgdesc="OpenSMTPD senderscore filter"
url="https://github.com/poolpOrg/filter-senderscore"
license="ISC"
diff --git a/community/packer/APKBUILD b/community/packer/APKBUILD
index 13a9dbc44c..aa630d2472 100644
--- a/community/packer/APKBUILD
+++ b/community/packer/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Galen Abell <galen@galenabell.com>
pkgname=packer
pkgver=1.7.2
-pkgrel=3
+pkgrel=4
pkgdesc="tool for creating machine images for multiple platforms"
url="https://www.packer.io/"
license="MPL-2.0"
diff --git a/community/perl-app-cpanminus/APKBUILD b/community/perl-app-cpanminus/APKBUILD
index 96aa80a624..fcabee9597 100644
--- a/community/perl-app-cpanminus/APKBUILD
+++ b/community/perl-app-cpanminus/APKBUILD
@@ -4,8 +4,8 @@
pkgname=perl-app-cpanminus
#_pkgreal is used by apkbuild-cpan to find modules at MetaCpan
_pkgreal=App-cpanminus
-pkgver=1.7044
-pkgrel=3
+pkgver=1.7045
+pkgrel=0
pkgdesc="Get, unpack, build and install modules from CPAN"
url="https://metacpan.org/release/App-cpanminus/"
arch="noarch"
@@ -16,6 +16,10 @@ subpackages="$pkgname-doc"
source="https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-$pkgver.tar.gz"
builddir="$srcdir/$_pkgreal-$pkgver"
+# secfixes:
+# 1.7045-r0:
+# - CVE-2020-16154
+
build() {
export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor
@@ -32,4 +36,6 @@ package() {
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-sha512sums="85e88de8fbefabdfd84fe8aeaa8294d58d63e27276cd6d8b8dfc5dc4cd6c30c12f5859f30e4930842d6d06af50c88d71358dee49c93821234c811aa39de822d7 App-cpanminus-1.7044.tar.gz"
+sha512sums="
+450b5e1aaa8774a1bc3ae93d7535d9ef7a175417f3e55e88bc8cab208e27334f5d2f69f7c709b8394476410a8f3eeea26b7369c3ab9565985a56b0bbf6310513 App-cpanminus-1.7045.tar.gz
+"
diff --git a/community/piknik/APKBUILD b/community/piknik/APKBUILD
index 4cffb5bbff..043f44db15 100644
--- a/community/piknik/APKBUILD
+++ b/community/piknik/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=piknik
pkgver=0.10.1
-pkgrel=2
+pkgrel=3
pkgdesc="Copy/paste anything over the network"
url="https://github.com/jedisct1/piknik"
arch="all"
diff --git a/community/prometheus-node-exporter/APKBUILD b/community/prometheus-node-exporter/APKBUILD
index 3f38ddd82f..ede7a5824e 100644
--- a/community/prometheus-node-exporter/APKBUILD
+++ b/community/prometheus-node-exporter/APKBUILD
@@ -3,7 +3,7 @@
pkgname=prometheus-node-exporter
_pkgname=node_exporter
pkgver=1.1.2
-pkgrel=2
+pkgrel=3
pkgdesc="Prometheus exporter for machine metrics"
url="https://github.com/prometheus/node_exporter"
license="Apache-2.0"
diff --git a/community/prometheus-snmp-exporter/APKBUILD b/community/prometheus-snmp-exporter/APKBUILD
index f6b3842a83..4578f4baee 100644
--- a/community/prometheus-snmp-exporter/APKBUILD
+++ b/community/prometheus-snmp-exporter/APKBUILD
@@ -2,7 +2,7 @@
pkgname=prometheus-snmp-exporter
_pkgname=snmp_exporter
pkgver=0.20.0
-pkgrel=2
+pkgrel=3
pkgdesc="Description"
url="https://github.com/prometheus/snmp_exporter"
arch="all"
diff --git a/community/prometheus/APKBUILD b/community/prometheus/APKBUILD
index 22446b6b9d..df98ae7679 100644
--- a/community/prometheus/APKBUILD
+++ b/community/prometheus/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=prometheus
pkgver=2.27.1
-pkgrel=2
+pkgrel=3
pkgdesc="The Prometheus monitoring system and time series database"
url="https://github.com/prometheus/prometheus"
arch="all !mips64" # Missing yarn->nodejs
diff --git a/community/prosody-filer/APKBUILD b/community/prosody-filer/APKBUILD
index 000912c9f0..1a77f009cb 100644
--- a/community/prosody-filer/APKBUILD
+++ b/community/prosody-filer/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Galen Abell <galen@galenabell.com>
pkgname=prosody-filer
pkgver=1.0.2
-pkgrel=3
+pkgrel=4
pkgdesc="Golang mod_http_upload_external server for Prosody and Ejabberd"
url="https://github.com/ThomasLeister/prosody-filer"
arch="all"
diff --git a/community/rclone/APKBUILD b/community/rclone/APKBUILD
index 1705f965a9..48a2eb2a10 100644
--- a/community/rclone/APKBUILD
+++ b/community/rclone/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Chloe Kudryavtsev <toast@toast.cafe>
pkgname=rclone
pkgver=1.53.3
-pkgrel=4
+pkgrel=5
pkgdesc="Rsync for cloud storage"
url="https://rclone.org/"
arch="all"
diff --git a/community/rest-server/APKBUILD b/community/rest-server/APKBUILD
index d04f94441a..722fa222c5 100644
--- a/community/rest-server/APKBUILD
+++ b/community/rest-server/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=rest-server
pkgver=0.10.0
-pkgrel=2
+pkgrel=3
pkgdesc="A high performance HTTP server that implements restic's REST backend API"
url="https://github.com/restic/rest-server"
arch="all"
diff --git a/community/restic/APKBUILD b/community/restic/APKBUILD
index 090bcf522e..093be0ab30 100644
--- a/community/restic/APKBUILD
+++ b/community/restic/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=restic
pkgver=0.12.0
-pkgrel=3
+pkgrel=4
pkgdesc="Fast, secure, efficient backup program"
url="https://restic.net/"
# mips(64): test failures due to fallocate not being supported
diff --git a/community/rtl8821ce-lts/APKBUILD b/community/rtl8821ce-lts/APKBUILD
index c62fdd93bb..90b8068364 100644
--- a/community/rtl8821ce-lts/APKBUILD
+++ b/community/rtl8821ce-lts/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kevin Daudt <kdaudt@alpinelinux.org>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
-_kver=5.10.93
+_kver=5.10.109
_krel=0
_flavor="$FLAVOR"
[ -z "$_flavor" ] && _flavor=lts
diff --git a/community/rtpengine-lts/APKBUILD b/community/rtpengine-lts/APKBUILD
index 4b89a665bd..302a5e404a 100644
--- a/community/rtpengine-lts/APKBUILD
+++ b/community/rtpengine-lts/APKBUILD
@@ -5,7 +5,7 @@ _ver=9.0.1.10
_rel=0
# kernel version
-_kver=5.10.93
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/runc/APKBUILD b/community/runc/APKBUILD
index 636d1da240..2274012fab 100644
--- a/community/runc/APKBUILD
+++ b/community/runc/APKBUILD
@@ -7,7 +7,7 @@ url="https://www.opencontainers.org"
_commit=b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
pkgver=1.0.0_rc95
-pkgrel=2
+pkgrel=3
_ver=v${pkgver/_rc/-rc}
# if we're building against an explicit commit beyond pkgver, use this instead:
diff --git a/community/shfmt/APKBUILD b/community/shfmt/APKBUILD
index 8ad0b675db..184b363c8f 100644
--- a/community/shfmt/APKBUILD
+++ b/community/shfmt/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Olliver Schinagl <oliver@schinagl.nl>
pkgname=shfmt
pkgver=3.3.0
-pkgrel=2
+pkgrel=3
pkgdesc="A shell parser, formatter, and interpreter (sh/bash/mksh)"
url="https://mvdan.cc/sh"
arch="all"
diff --git a/community/skopeo/APKBUILD b/community/skopeo/APKBUILD
index 2deec29f5e..eb9252c274 100644
--- a/community/skopeo/APKBUILD
+++ b/community/skopeo/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=skopeo
pkgver=1.3.1
-pkgrel=1
+pkgrel=2
pkgdesc="Work with remote images registries - retrieving information, images, signing content"
url="https://github.com/containers/skopeo"
license="Apache-2.0"
diff --git a/community/ssh-ldap-pubkey/APKBUILD b/community/ssh-ldap-pubkey/APKBUILD
index ce1f1764f3..bd7affb9ef 100644
--- a/community/ssh-ldap-pubkey/APKBUILD
+++ b/community/ssh-ldap-pubkey/APKBUILD
@@ -1,18 +1,19 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=ssh-ldap-pubkey
-pkgver=1.3.3
+pkgver=1.4.0
pkgrel=0
pkgdesc="Utility to manage SSH public keys stored in LDAP"
url="https://github.com/jirutka/ssh-ldap-pubkey"
arch="noarch"
license="MIT"
depends="python3 py3-pyldap py3-docopt"
-makedepends="python3-dev"
+makedepends="python3-dev py3-setuptools"
install="$pkgname.post-install"
subpackages="$pkgname-doc"
source="$pkgname-$pkgver.tar.gz::https://github.com/jirutka/$pkgname/archive/v$pkgver.tar.gz
- ldap.conf.patch"
+ ldap.conf.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
prepare() {
@@ -39,6 +40,6 @@ package() {
}
sha512sums="
-b52d4de3e0704817e8ea0fb316c21646da1bac74ed226812c03f9ee5ae449a86e5ef4c679633d212db05382e216b254a185e29d4a2244318ad5de288b909254a ssh-ldap-pubkey-1.3.3.tar.gz
+a62929b47f46f18936fcc7c233afaee43f0cef5f7a8de15304986205f98c2644a18f9c0dcabb35598f1cc485b8c4dbeb8b2f07cb2c3dcbb6b271a276aebf88e7 ssh-ldap-pubkey-1.4.0.tar.gz
5b96dd8b1150eb62db7d33d1eee5ed9b28ebaf487c6a8cab6ba1d66d14496c2fdb1c73c1c0959ccd99ea53359b8d82861b7416dc0351bfa22ccfe59b5f530564 ldap.conf.patch
"
diff --git a/community/tailscale/APKBUILD b/community/tailscale/APKBUILD
index ad19a92063..c1a917a25e 100644
--- a/community/tailscale/APKBUILD
+++ b/community/tailscale/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Robert Günzler <r@gnzler.io>
pkgname=tailscale
pkgver=1.8.5
-pkgrel=2
+pkgrel=3
pkgdesc="The easiest, most secure way to use WireGuard and 2FA"
url="https://tailscale.com/"
license="BSD-3-Clause"
diff --git a/community/telegraf/APKBUILD b/community/telegraf/APKBUILD
index f71d5c4910..35fc09b5ea 100644
--- a/community/telegraf/APKBUILD
+++ b/community/telegraf/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Konstantin Kulikov <k.kulikov2@gmail.com>
pkgname=telegraf
pkgver=1.18.3
-pkgrel=2
+pkgrel=3
_commit=6a94f65a # git rev-parse --short HEAD
_branch=release-${pkgver%.*}
pkgdesc="A plugin-driven server agent for collecting & reporting metrics, part of the InfluxDB project"
diff --git a/community/terraform/APKBUILD b/community/terraform/APKBUILD
index 4ae8d709a0..028747f6e0 100644
--- a/community/terraform/APKBUILD
+++ b/community/terraform/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Thomas Boerger <thomas@webhippie.de>
pkgname=terraform
pkgver=0.14.9
-pkgrel=3
+pkgrel=4
pkgdesc="Building, changing and combining infrastructure safely and efficiently"
url="https://www.terraform.io/"
arch="all"
diff --git a/community/umoci/APKBUILD b/community/umoci/APKBUILD
index ab979a3d5a..75f24f3b71 100644
--- a/community/umoci/APKBUILD
+++ b/community/umoci/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=umoci
pkgver=0.4.7
-pkgrel=2
+pkgrel=3
pkgdesc="umoci modifies Open Container images"
url="https://umo.ci/"
arch="all"
diff --git a/community/vault/APKBUILD b/community/vault/APKBUILD
index b310ee449b..87997ac8ad 100644
--- a/community/vault/APKBUILD
+++ b/community/vault/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Gennady Feldman <gena01@gmail.com>
pkgname=vault
pkgver=1.7.7
-pkgrel=0
+pkgrel=1
pkgdesc="tool for encryption as a service, secrets and privileged access management"
url="https://www.vaultproject.io/"
arch="all"
diff --git a/community/vouch-proxy/APKBUILD b/community/vouch-proxy/APKBUILD
index 2273a4b2ca..3df435abf8 100644
--- a/community/vouch-proxy/APKBUILD
+++ b/community/vouch-proxy/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=vouch-proxy
pkgver=0.23.1
-pkgrel=7
+pkgrel=8
pkgdesc="An SSO solution for Nginx using the auth_request module"
url="https://github.com/vouch/vouch-proxy"
arch="all"
@@ -11,7 +11,7 @@ install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-openrc"
pkgusers="vouch"
pkggroups="vouch"
-options="!check" # no test suite
+options="chmod-clean !check" # no test suite
source="$pkgname-$pkgver.tar.gz::https://github.com/vouch/vouch-proxy/archive/refs/tags/v$pkgver.tar.gz
$pkgname.initd
$pkgname.logrotate
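Review bot: The trailing comment on the `options=` line still reads `# no test suite`, which explains `!check` but says nothing about the newly added `chmod-clean`. Presumably it is there because the build leaves read-only files (such as a Go module cache) under the build directory that the cleanup step cannot remove; if so, say it on the line, e.g. `options="chmod-clean !check" # read-only go mod cache; no test suite`. Otherwise the next maintainer has no way to tell whether the option can be dropped.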
diff --git a/community/wait4x/APKBUILD b/community/wait4x/APKBUILD
index 8ef7e4f230..5ffb9ba3e4 100644
--- a/community/wait4x/APKBUILD
+++ b/community/wait4x/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Mohammad Abdolirad <m.abdolirad@gmail.com>
pkgname=wait4x
pkgver=0.4.0
-pkgrel=2
+pkgrel=3
pkgdesc="Waiting for a port to enter into specify state"
url="https://github.com/atkrad/wait4x"
arch="all"
diff --git a/community/webhook/APKBUILD b/community/webhook/APKBUILD
index 327edaa01b..1e048d0eed 100755
--- a/community/webhook/APKBUILD
+++ b/community/webhook/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Andy Hawkins <andy@gently.org.uk>
pkgname=webhook
pkgver=2.8.0
-pkgrel=2
+pkgrel=3
pkgdesc="Lightweight configurable webhooks server"
url="https://github.com/adnanh/webhook"
license="MIT"
diff --git a/community/writefreely/APKBUILD b/community/writefreely/APKBUILD
index 5bbafab1bf..352721464c 100644
--- a/community/writefreely/APKBUILD
+++ b/community/writefreely/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Justin Berthault <justin.berthault@zaclys.net>
pkgname=writefreely
pkgver=0.12.0
-pkgrel=4
+pkgrel=5
pkgdesc="Federated blogging from write.as"
url="https://writefreely.org"
# mips(64): limited by nodejs
diff --git a/community/wuzz/APKBUILD b/community/wuzz/APKBUILD
index 8a57f08b64..24f3559e47 100644
--- a/community/wuzz/APKBUILD
+++ b/community/wuzz/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Adam Jensen <adam@acj.sh>
pkgname=wuzz
pkgver=0.5.0
-pkgrel=2
+pkgrel=3
pkgdesc="Interactive CLI tool for HTTP inspection"
options="net"
url="https://github.com/asciimoo/wuzz"
diff --git a/community/yggdrasil/APKBUILD b/community/yggdrasil/APKBUILD
index a7c7ec7dab..0dc778f689 100644
--- a/community/yggdrasil/APKBUILD
+++ b/community/yggdrasil/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=yggdrasil
pkgver=0.3.16
-pkgrel=4
+pkgrel=5
pkgdesc="An experiment in scalable routing as an encrypted IPv6 overlay network"
url="https://yggdrasil-network.github.io/"
arch="all"
diff --git a/community/yq/APKBUILD b/community/yq/APKBUILD
index 35e09ce73d..52667a2dbb 100644
--- a/community/yq/APKBUILD
+++ b/community/yq/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Tuan Hoang <tmhoang@linux.ibm.com>
pkgname=yq
pkgver=4.6.3
-pkgrel=2
+pkgrel=3
pkgdesc="portable command-line YAML processor written in Go"
url="https://github.com/mikefarah/yq"
arch="all"
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index c290293dc5..80e7e675d6 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.14.3
+pkgver=3.14.6
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/amavis/APKBUILD b/main/amavis/APKBUILD
index d55c588a27..69468922fc 100644
--- a/main/amavis/APKBUILD
+++ b/main/amavis/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=amavis
-pkgver=2.12.1
+pkgver=2.12.2
pkgrel=1
pkgdesc="High-performance interface between mailer (MTA) and content checkers"
url="https://gitlab.com/amavis/amavis"
@@ -12,7 +12,7 @@ depends="sed file perl perl-archive-zip perl-carp perl-convert-tnef
perl-exporter perl-io-stringy perl-mime-tools
perl-mailtools perl-socket perl-net-libidn perl-net-server
perl-time-hires perl-unix-syslog perl-mail-dkim
- perl-io-socket-inet6
+ perl-io-socket-inet6 perl-io-socket-ssl
perl-mail-spamassassin
"
makedepends=""
@@ -44,11 +44,14 @@ package() {
install -Dm755 -o root -g amavis "$file" "$pkgdir/usr/sbin/$file"
done
+ install -Dm640 -o root -g amavis amavisd.conf "$pkgdir"/etc/amavisd.conf
install -Dm755 "$srcdir"/amavisd.initd "$pkgdir"/etc/init.d/amavisd
install -Dm644 "$srcdir"/amavisd.confd "$pkgdir"/etc/conf.d/amavisd
}
-sha512sums="33bcc8606e142ed390cb368a7c640f96b70ecd1c8473e7d19f3125f89afde7a044981b9e3704c722c54472f88b2e4e54c89bab19bc28ceb89561aeb8ede04c8e amavis-v2.12.1.tar.gz
+sha512sums="
+7ef5ba670b530bf19352ba8aebd57a171e32d90adffc0b248b93a39f740fe4bb8ddf1d5ecdd46d0c9e1b4ca1a9ff0a9e86e73900e73a1a2cac514656c3a7db01 amavis-v2.12.2.tar.gz
6a9dd16a6b52f3d1fbd16887f29ccceddc58e88a02e681f23c1fe54b7e24feea5089d52813f4f3e87d9242daf79d2b2ea1e7c451d83d7de943403e71dc61c4e5 amavisd.initd
a5ce3583c34197f335372728cf92da23bae2cd7a9ae48daff6eaadbf66fbd5be6bb8b480b0fce1ea2b3a662b0a54d1d2f1f277d2f9a06d9630b57fa5d7ac2635 amavisd.confd
-87f9c4489fb377e6e1315edcef75940b1a61a30c418106c1ef48eef4f425746333c550b270e0e6727fe89a68239f673f24392d81a53157ad487d3d2da1e95b4c amavisd-conf.patch"
+87f9c4489fb377e6e1315edcef75940b1a61a30c418106c1ef48eef4f425746333c550b270e0e6727fe89a68239f673f24392d81a53157ad487d3d2da1e95b4c amavisd-conf.patch
+"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index ff191b3f8b..723a3ec23b 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.52
+pkgver=2.4.53
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -51,6 +51,11 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.53-r0:
+# - CVE-2022-22719
+# - CVE-2022-22720
+# - CVE-2022-22721
+# - CVE-2022-23943
# 2.4.52-r0:
# - CVE-2021-44224
# - CVE-2021-44790
@@ -382,7 +387,7 @@ _lua() {
}
sha512sums="
-97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6 httpd-2.4.52.tar.bz2
+07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756 httpd-2.4.53.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/bash/APKBUILD b/main/bash/APKBUILD
index 131eed39a9..f25bd7e993 100644
--- a/main/bash/APKBUILD
+++ b/main/bash/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: TBK <alpine@jjtc.eu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bash
-pkgver=5.1.4
+pkgver=5.1.16
_patchlevel=${pkgver##*.}
_myver=${pkgver%.*}
_patchbase=${_myver/./}
@@ -90,9 +90,23 @@ dev() {
mv "$pkgdir"/usr/lib/$pkgname/Makefile* "$subpkgdir"/usr/lib/$pkgname
}
-sha512sums="c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz
+sha512sums="
+c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz
9d8845491d0fe335bdd8e9a2bd98bda54bfed2ae3c35b2196c6d5a38bdf96c4d97572ba7d6b19ab605ef4e8f001f64cf3312f87dedebb9e37a95ad2c44e33cdb bash-noinfo.patch
1cd86805a2639614372aec29a710bc456e330abcbbaa0867820c94f714a1fa5fb5c1b18aa2c10263ae0bce9dad7579c7af2f732282315c1c34bfd6a90777bfd2 bash51-001
923e7822a9629645347d3aea0058fb5e2d52223507159a62369309f264612df44a84931c19e0ccb3852e98ce672dfbd454477090b4041b5a0de477c94eb61088 bash51-002
01e952dcfdae58624723d64912ea3444eed2fdcd266ba1a929b95ec3abd70f914bf400607c3f7bb7a94ac2925f794f91f37c1929d5bb987de2ba7f60a19cb8bd bash51-003
-10ff24cd91a2cd88818bfa7218050843af6b409e43fcca89f5ec70d8266020c6c2a55132426271f165cd0f154f49eb0f8ec2761b80fc066c921b83120bb543ce bash51-004"
+10ff24cd91a2cd88818bfa7218050843af6b409e43fcca89f5ec70d8266020c6c2a55132426271f165cd0f154f49eb0f8ec2761b80fc066c921b83120bb543ce bash51-004
+fa83d894fe874a05b9a7d47b8bca8e5b7f4067221d82e8b1af616d17725592c3737c621f2a8ad3c917b29846012c37c85acd34dcbb43eb6b05065ccce89b260c bash51-005
+b9b6e3d71f7b7718e2e8598ec8e337dcc675571fb233c29e5230ebf14eab2249204531f2fe8c4d1459c5fed10acb679048588d1e457e98dbc00ffc4d2cd227e3 bash51-006
+e4ebdc47e780ddc2588ecdfcfe00cb618039c7044e250ab2b836b0735c461ebacd15beaf2145e277c70b7f51cded55bd8dde7757df810f33f8dae306ee5ba571 bash51-007
+97f9558a08a66cc9da62c285bf9118b39328e25ed3b9277728e0539b1ac0adef176a090e39cd96dc03d6fd900d8155bd58040cb3390a09f637bab1de8af3faf6 bash51-008
+2d3c65162ec4e5c3dfeb439891950ef2c43973a84122fcdf6b56c388466c7e671dbc9b236d2253f01411b668c365855263995dbacb8e6f9e9dbcb7e6c2cc518c bash51-009
+aac4a0b72b559566334f1029c52754f4c98185af99e09436e401d83ab81bab7882d0d8050674b30f171733f3628157777a264566e927e93db2ea5a18d26630f1 bash51-010
+bb9e47a570bb9758c365831f9650b9379b60862b8cef572edc3cd833df96ebb8b9612de474bdc2a03ff4efc2275f871d55962295385e38f3658874488e974b81 bash51-011
+59819914b6821d9f4af0aade7b9b7ea92368c2b8eb8407cea11dfeee7208905dd06bdef7a049d7b1c4fac41c44d9a130b95a061957a9649050b37471b3044cf1 bash51-012
+67535155f49a7f54f151e62aba9274f82d01f33a1a1a7e5efd1aa0d63ba2d078765f0b5e22cb24db7132eff2d8c5852a3688298baa5217b8b6e159aae065d748 bash51-013
+f658ab7ef01ba1d26f735e24b23bf35687e15b0d5d20f90da233d000745a55bdba142c11e9fba52e3b84470ec625fab60cc74cd6be533d990496a3795c658e88 bash51-014
+fd4bc85f942a3a16c545f7e951a24f620ff2d884640dea6e05f305aaf88ed41862bfb05eea2258881608de696f9dc7a0fe3bebb51a011f50b720ea7a66699184 bash51-015
+020b3f3db77ca603a27a3423323538db5c9844be17ee428cf7cda80bebdcc715d30eab6c95773541cb8d14f3ad9e6142bf0adcda0e745ee638242508cc0ab05f bash51-016
+"
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index ca5c565b1e..897ab86c01 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,12 +5,12 @@
# Contributor: ungleich <alpinelinux@ungleich.ch>
# Maintainer:
pkgname=bind
-pkgver=9.16.20
+pkgver=9.16.27
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
-pkgrel=1
+pkgrel=0
pkgdesc="The ISC DNS server"
url="https://www.isc.org/"
arch="all"
@@ -57,10 +57,14 @@ source="
named.conf.recursive
127.zone
localhost.zone
- bind-9.16.20-map-format-fix.patch
"
# secfixes:
+# 9.16.27-r0:
+# - CVE-2022-0396
+# - CVE-2021-25220
+# 9.16.25-r0:
+# - CVE-2021-25219
# 9.16.20-r0:
# - CVE-2021-25218
# 9.16.15-r0:
@@ -274,7 +278,7 @@ _gpgfingerprints="
"
sha512sums="
-bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190502de7139f85d8b080b3b8ee968811a8df78e5761781525d bind-9.16.20.tar.xz
+5c71f228db83aa8cc9e65466d6e5afca4a9f80c693358111a003fe09e1a14522175eb2b6a0f11e2a2cd4fdba01f2ae315de52e394a441b3861ca2a011e02af62 bind-9.16.27.tar.xz
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
53db80f7ee4902f42fb1d0bc959242bcb6f20d95256bda99ce2c206af8b4703c7f72bb26d026c633f70451b84a37c3946b210951e34dd5d6620b181cd0183de4 named.initd
@@ -283,5 +287,4 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
-d9224712ee2c6f6d0ff483ed253497548935fe35f45e5bdf26c9bd25c6234adde00727df7eb49fbfbfb34aad9d9fa0f112e900804794ad90a5cd8a64e9db61c6 bind-9.16.20-map-format-fix.patch
"
diff --git a/main/bind/bind-9.16.20-map-format-fix.patch b/main/bind/bind-9.16.20-map-format-fix.patch
deleted file mode 100644
index f6e3c9b378..0000000000
--- a/main/bind/bind-9.16.20-map-format-fix.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/lib/dns/mapapi
-+++ b/lib/dns/mapapi
-@@ -13,4 +13,4 @@
- # Whenever releasing a new major release of BIND9, set this value
- # back to 1.0 when releasing the first alpha. Map files are *never*
- # compatible across major releases.
--MAPAPI=2.0
-+MAPAPI=3.0
diff --git a/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..1d1716e3b0
--- /dev/null
+++ b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,40 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+
+--
+2.35.1
+
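Review bot: The IPv6 branch between the two changed returns still tests the raw `host` with `strchr(host, ':')`, and the return it guards lies just past the first inner hunk, so it is not visible here. If that return formats `host`, it bypasses the new filtering, because a reverse-resolved name is presumably not guaranteed to be free of colons or control bytes. Sanitizing once, right after the `if (rc) return NULL;` check, would cover every exit, e.g. `const char *safe_host = printable_string(host);` used in all the returns. The added comment sits above the IGNORE_PORT return only, although it applies equally to the final `xasprintf`. sockaddr2str begins before the hunk.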
diff --git a/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..01c45c9ba6
--- /dev/null
+++ b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,68 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ }
+
+ printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ break;
+
+ case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));
+--
+2.35.1
+
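Review bot: Every changed `printf` still passes `ns_rr_name(rr)` through unfiltered, so only `dname` is wrapped and the record's owner name reaches the terminal as received. The subject line promises that all printed strings are sanitized. If the owner name is also taken from the reply (it looks that way, but the parsing code is outside these hunks), it needs the same treatment, e.g. `printf(format, printable_string(ns_rr_name(rr)), printable_string(dname));`. Before doing that, confirm that `printable_string` can return two results that stay valid within one call. parse_reply starts and ends outside the hunks shown.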
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index d2bc28ee13..71e3d2932f 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.33.1
-pkgrel=6
+pkgrel=7
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url="https://busybox.net/"
arch="all"
@@ -43,6 +43,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
CVE-2021-42375.patch
awk-fixes.patch
+ 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+ 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
+
acpid.logrotate
busyboxconfig
busyboxconfig-extras
@@ -53,6 +56,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
"
# secfixes:
+# 1.33.1-r7:
+# - ALPINE-13661
+# - CVE-2022-28391
# 1.33.1-r6:
# - CVE-2021-42378
# - CVE-2021-42379
@@ -271,6 +277,8 @@ d12246f1134bbd3993462d27172c4739cc601b251d57ce8e088745773afa965551236e8cb8b9013d
9b58baffbb343ee332daf27be4dddb2d8f621709ef5e2773fc76381372e17d8b950cb3d93a4cfd39401e62fdcd8bd59c3e8fd86c4d0966bb8de9f3067e1af01e CVE-2021-42374.patch
6b54119daccce39d8184f6d3d0e5b96911833d408dfcc2bb10534c63ec55e9760ad1fc13e75da399d07cc4c6bf741504202416053edafd4e51cb06ed981c01eb CVE-2021-42375.patch
b7835e85e135a03d21cdc920a222caa1c77f76262e39fc75ec8d8aaa570d32427a9be1f523255e4c55d8d847d51406b46864845a598684cbdfa7234b629c4764 awk-fixes.patch
+b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+ead4ad65d270d8659e1898fa16f76b6cbcf567d8aba238eacccda3764edb4362240d9359d6389873bedc126d405f805fc6dfce653a7181618ebcc67c94bd08d2 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate
5b0adc5bbe3d539380007ccc2e90ee1c986d24eae29b5e04b65a1e18988dc18907e7f617c7b3eb66ce131fdcb2de78da8b7653f58f95347d286fe5d17c6118f8 busyboxconfig
470a646505887dbf20dd8c3c3b5c8ab25f363f3a0bfbca577de115b8ec61f28e9843f4f3a7978c634e863dbf28bae987f20e7fa1aa529450ff6c17bc188cae53 busyboxconfig-extras
diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD
index e4b684c330..e4736e7b70 100644
--- a/main/cairo/APKBUILD
+++ b/main/cairo/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cairo
pkgver=1.16.0
-pkgrel=3
+pkgrel=5
pkgdesc="A vector graphics library"
url="https://cairographics.org/"
arch="all"
@@ -37,6 +37,7 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
musl-stacksize.patch
CVE-2018-19876.patch
pdf-flush.patch
+ fix-inf-loop.patch
fix-mask-usage-in-image-compositor.patch
composite_color_glyphs.patch
cff-allow-empty-array-of-operands-for-certain-operat.patch
@@ -44,6 +45,8 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.16.0-r5:
+# - CVE-2019-6462
# 1.16.0-r2:
# - CVE-2020-35492
# 1.16.0-r1:
@@ -89,10 +92,13 @@ tools() {
amove usr/lib/cairo/libcairo-trace.*
}
-sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
+sha512sums="
+9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch
8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3 CVE-2018-19876.patch
533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch
+ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b fix-inf-loop.patch
20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 fix-mask-usage-in-image-compositor.patch
a056e85549e8410782674cb4ce7b38b035cdde8f4319c18dd942a18b33d35c5be4d0c0c34081ee556473df4f2725cdba508a387ee6222214484b10a5d9eaad90 composite_color_glyphs.patch
-ae079840a842ec645ab3c9a2d5db8d3f8bb4e25ce4090afc3d226ba292f15b85bdaaed0967bb12bfa429d7f6376a28c87518df194ab6b1d2a2e7c96ab6df8ba2 cff-allow-empty-array-of-operands-for-certain-operat.patch"
+ae079840a842ec645ab3c9a2d5db8d3f8bb4e25ce4090afc3d226ba292f15b85bdaaed0967bb12bfa429d7f6376a28c87518df194ab6b1d2a2e7c96ab6df8ba2 cff-allow-empty-array-of-operands-for-certain-operat.patch
+"
diff --git a/main/cairo/fix-inf-loop.patch b/main/cairo/fix-inf-loop.patch
new file mode 100644
index 0000000000..2a26876c36
--- /dev/null
+++ b/main/cairo/fix-inf-loop.patch
@@ -0,0 +1,36 @@
+From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@worldiety.de>
+Date: Sat, 17 Apr 2021 19:15:03 +0200
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ { M_PI / 11.0, 9.81410988043554039085e-09 },
+ };
+ int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+
+ for (i = 0; i < table_size; i++)
+ if (table[i].error < tolerance)
+ return table[i].angle;
+
+ ++i;
++
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+ return angle;
+ }
+--
+GitLab
+
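Review bot: When the new `i < max_segments` cap ends the loop, `return angle;` hands back the last angle even though `error > tolerance` still holds, and nothing at the return tells a reader that the tolerance was not met. A comment there would make the fallback explicit, e.g. `/* tolerance not reached if the max_segments cap ended the loop */`. The explanation attached to the `max_segments` declaration is a long trailing comment and would read better on its own line above the declaration. The function's opening lines are outside the hunk.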
diff --git a/main/cifs-utils/APKBUILD b/main/cifs-utils/APKBUILD
index 7caf96d1fb..c44090d9ea 100644
--- a/main/cifs-utils/APKBUILD
+++ b/main/cifs-utils/APKBUILD
@@ -17,8 +17,8 @@ source="https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-$pkgver.tar.b
options="suid"
# secfixes:
-# 6.11-r0:
-# - CVE-2020-14342 (Not affected, requires --with-systemd)
+# 0:
+# - CVE-2020-14342 # (Not affected, requires --with-systemd)
prepare() {
default_prepare
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index a3aa7a78a5..6560308c34 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -9,7 +9,7 @@
pkgname=curl
pkgver=7.79.1
-pkgrel=0
+pkgrel=1
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
arch="all"
@@ -20,10 +20,21 @@ checkdepends="nghttp2 python3"
makedepends_host="$depends_dev"
makedepends_build="autoconf automake groff libtool perl"
subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
-source="https://curl.se/download/curl-$pkgver.tar.xz"
+source="https://curl.se/download/curl-$pkgver.tar.xz
+ CVE-2022-22576.patch
+ CVE-2022-27774-pre.patch
+ CVE-2022-27774.patch
+ CVE-2022-27775.patch
+ CVE-2022-27776.patch
+ "
options="net" # Required for running tests
# secfixes:
+# 7.79.1-r1:
+# - CVE-2022-22576
+# - CVE-2022-27774
+# - CVE-2022-27775
+# - CVE-2022-27776
# 7.79.0-r0:
# - CVE-2021-22945
# - CVE-2021-22946
@@ -164,4 +175,9 @@ static() {
sha512sums="
1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz
+9456de77de52e7980fb8e42bdc524b56dc7029c8205209de2de39d6354c8f5457e3fc8068d36d55cbf96ae82aabd390afc94721995dfc4b8e4a69bed9d0b00c8 CVE-2022-22576.patch
+63af4876fa94ff11ec3c1d4a36cfd2919083cf57cedc5086703966e627b27d8fac520155214b6f81e80a38a392cbd542f135f218944ae5117cf8b1ba388c7046 CVE-2022-27774-pre.patch
+4161539ebf5b9d4b1c5f4f83a8af313a96f5d9a4871a3da5f1ea564903b9079ac02003816f613e05aec9f3819bd2e152bb7885d0df138997abcaeb4adab897d6 CVE-2022-27774.patch
+c68b3eff3ef6120277c8acbd1d3ce4e16a26219a6b543af03a7bb9c5c3bc5d3480c237f11470995d088c9cbd06531352b86b151038cfcd551477038da0a96b33 CVE-2022-27775.patch
+116d30037af107cd028bd6404b6488106ebe1f3482b65159fe6764c355edf57b5fc460ce034a4eb07053f97128d68e89ef50ae080b33ee82b0fc5460f09866c4 CVE-2022-27776.patch
"
diff --git a/main/curl/CVE-2022-22576.patch b/main/curl/CVE-2022-22576.patch
new file mode 100644
index 0000000000..5238d9998b
--- /dev/null
+++ b/main/curl/CVE-2022-22576.patch
@@ -0,0 +1,143 @@
+Patch-Source: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1ba0e5..692a3f14aee7 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b234d3815220..2635f5117e99 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9a988b4d58d8..e1647b133854 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn)
+ Curl_safefree(conn->passwd);
+ Curl_safefree(conn->sasl_authzid);
+ Curl_safefree(conn->options);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_dyn_free(&conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data,
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
++ }
++
+ #ifdef USE_UNIX_SOCKETS
+ if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+ conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07eb19b87034..1d89b8d7fa68 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+ char *passwd; /* password string, allocated */
+ char *options; /* options string, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba065e5..a40ac06f684f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+ blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
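Review bot: `Curl_safecmp` only reads its arguments but is declared with `char *`, which hides that guarantee now that it is exported and forces casts on any caller holding a const string. `bool Curl_safecmp(const char *a, const char *b);` in lib/strcase.h, with the same change to the definition in lib/strcase.c, states the contract. Separately, the new `conn->oauth_bearer` copy is a credential released with plain `Curl_safefree` in `conn_free`. That matches how `passwd` is handled on the neighbouring lines, so it is consistent, but the field comment in lib/urldata.h could say that it holds a secret.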
diff --git a/main/curl/CVE-2022-27774-pre.patch b/main/curl/CVE-2022-27774-pre.patch
new file mode 100644
index 0000000000..b5cf4fccc3
--- /dev/null
+++ b/main/curl/CVE-2022-27774-pre.patch
@@ -0,0 +1,41 @@
+Patch-Source: https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839
+From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index e0b740147157..9bcf525ebb39 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+ data->info.conn_scheme = conn->handler->scheme;
+ data->info.conn_protocol = conn->handler->protocol;
+ data->info.conn_primary_port = conn->port;
++ data->info.conn_remote_port = conn->remote_port;
+ data->info.conn_local_port = local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ef2174d9e727..9c34ec444c08 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- int conn_primary_port;
++ int conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ int conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ int conn_local_port;
+ const char *conn_scheme;
diff --git a/main/curl/CVE-2022-27774.patch b/main/curl/CVE-2022-27774.patch
new file mode 100644
index 0000000000..db358af55e
--- /dev/null
+++ b/main/curl/CVE-2022-27774.patch
@@ -0,0 +1,78 @@
+Patch-Source: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79
+From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 53ef0b03b8e0..315da876c4a8 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {
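Review bot: The added `infof` for the port case prints two `int` values with `%u`. `port` is declared `int` in this block and `conn_remote_port` is added as `int` by the companion -pre patch, so `%d` is the matching specifier: `infof(data, "Clear auth, redirects to port from %d to %d", data->info.conn_remote_port, port);`. The value itself comes from `port = atoi(portnum);`, which cannot signal a malformed string. That is presumably safe because `curl_url_get` returns an already validated port, but since this comparison decides whether credentials are kept, a one-line comment stating that assumption would help. Curl_follow continues outside the hunk.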
diff --git a/main/curl/CVE-2022-27775.patch b/main/curl/CVE-2022-27775.patch
new file mode 100644
index 0000000000..e1c02b8969
--- /dev/null
+++ b/main/curl/CVE-2022-27775.patch
@@ -0,0 +1,35 @@
+Patch-Source: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705
+From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index ec669b971dc3..8948b53fa500 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+
diff --git a/main/curl/CVE-2022-27776.patch b/main/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..59ffa79a36
--- /dev/null
+++ b/main/curl/CVE-2022-27776.patch
@@ -0,0 +1,113 @@
+Patch-Source: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
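Review bot: In the `Curl_http_output_auth` hunk the new `allow_auth_to_host(data)` test is still OR-ed with `conn->bits.netrc`, so when netrc supplied the credentials the added port and protocol comparison is skipped and `output_auth_headers()` runs on a followed redirect regardless. That may be intended if netrc credentials are looked up per host name (not visible here), but it leaves the port/scheme restriction unenforced for that case. It is worth confirming and recording in a comment such as `/* netrc credentials are selected per host, so they are exempt from the first-host check */`. The doc comment on `allow_auth_to_host()` also spells "autentication" and could state that host name, port and protocol must all match the first request. `Curl_http_output_auth` and `Curl_add_custom_headers` both continue outside their hunks.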
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 14956bbd6e..052be95f20 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
-pkgver=2.1.27
-pkgrel=12
+pkgver=2.1.28
+pkgrel=0
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://www.cyrusimap.org/sasl/"
arch="all"
@@ -35,18 +35,12 @@ makedepends="
libtool
"
source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pkgver/cyrus-sasl-$pkgver.tar.gz
- cyrus-sasl-2.1.27-as_needed.patch
- cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
- cyrus-sasl-2.1.27-dbm-errno.patch
- cyrus-sasl-2.1.27-doc_build_fix.patch
- cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
- CVE-2019-19906.patch
- fix-saslauthd-man-page.patch
- autoconf-270.patch
saslauthd.initd
"
# secfixes:
+# 2.1.28-r0:
+# - CVE-2022-24407
# 2.1.27-r5:
# - CVE-2019-19906
# 2.1.26-r7:
@@ -123,14 +117,6 @@ libsasl() {
}
sha512sums="
-d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz
-9eefa6d45e3dd9157a5672909acdd88f0ae35e76d64c3723890a474bbb05b22499cfadb0c077924d27f34da3710b2b700094dd7d5704050138c08dabcefdde94 cyrus-sasl-2.1.27-as_needed.patch
-4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
-d7dfdf520d16a79f265708d1c6938bd24bd26b9a0ff9b7fcbfc95c494af7f44220080bd3f79d0486bb6fc30b4a9a269adb7836bc593eacca99a1ef549ce58a9e cyrus-sasl-2.1.27-dbm-errno.patch
-6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
-fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
-c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
-ce4ce9ac1fbca22b545996796101d7712dcc6a9d5b375fc2fbab5e7c6b937ac335b36b9a734c64cab552e2b806433f088683239ae30b82bfff3783bd1bb5b627 fix-saslauthd-man-page.patch
-587c8af4e1327c76d73feb15d67e8b5b4f60f15b33bc9e8c6b3cccf9de4532d8ed6dbd5c7e70223312edae662bffc8dfc94ba85b9984d2ef461c3a9e86b84ddd autoconf-270.patch
+db15af9079758a9f385457a79390c8a7cd7ea666573dace8bf4fb01bb4b49037538d67285727d6a70ad799d2e2318f265c9372e2427de9371d626a1959dd6f78 cyrus-sasl-2.1.28.tar.gz
f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd
"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
deleted file mode 100644
index f7edb521e8..0000000000
--- a/main/cyrus-sasl/CVE-2019-19906.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-https://github.com/cyrusimap/cyrus-sasl/issues/587
-
-diff --git a/lib/common.c b/lib/common.c
-index bc3bf1df..9969d6aa 100644
---- a/lib/common.c
-+++ b/lib/common.c
-@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
-
- if (add==NULL) add = "(null)";
-
-- addlen=strlen(add); /* only compute once */
-+ addlen=strlen(add)+1; /* only compute once */
- if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
- return SASL_NOMEM;
-
diff --git a/main/cyrus-sasl/autoconf-270.patch b/main/cyrus-sasl/autoconf-270.patch
deleted file mode 100644
index df07fc137a..0000000000
--- a/main/cyrus-sasl/autoconf-270.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001
-From: Pavel Raiskup <praiskup@redhat.com>
-Date: Thu, 1 Apr 2021 17:17:52 +0200
-Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL
-
-In the COMMANDS-TO-SET-IT argument, per Autoconf docs:
-https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html
----
- configure.ac | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index a106d35e..d333496d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -220,11 +220,14 @@ void foo() { int i=0;}
- int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
- if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
- if(ptr1 && !ptr2) exit(0); } exit(1); }
--], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no
-- AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]),
-+], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
- AC_MSG_WARN(cross-compiler, we'll do our best)))
- LIBS="$cmu_save_LIBS"
- AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
-+
-+ if test "$sasl_cv_dlsym_adds_uscore" = no; then
-+ AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?])
-+ fi
- fi
- fi
-
-From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001
-From: Pavel Raiskup <praiskup@redhat.com>
-Date: Thu, 1 Apr 2021 17:26:28 +0200
-Subject: [PATCH] configure.ac: properly quote macro arguments
-
-Autoconf 2.70+ is more picky about the quotation (even though with
-previous versions the arguments should have been quoted, too). When we
-don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf
-initialization is wrongly ordered in ./configure script and we keep
-seeing bugs like:
-
- ./configure: line 2165: ac_fn_c_try_run: command not found
-
-Original report: https://bugzilla.redhat.com/1943013
----
- configure.ac | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d333496d..7281cba0 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then
- AC_MSG_CHECKING(whether dlsym adds the underscore for us)
- cmu_save_LIBS="$LIBS"
- LIBS="$LIBS $SASL_DL_LIB"
-- AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [
-+ AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore],
-+ [AC_TRY_RUN([
- #include <dlfcn.h>
- #include <stdio.h>
- void foo() { int i=0;}
- int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
- if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
- if(ptr1 && !ptr2) exit(0); } exit(1); }
--], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
-- AC_MSG_WARN(cross-compiler, we'll do our best)))
-+], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no],
-+ [AC_MSG_WARN(cross-compiler, we'll do our best)])])
- LIBS="$cmu_save_LIBS"
- AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
-
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
deleted file mode 100644
index 7cd9e151fb..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Author: Matthias Klose <doko@ubuntu.com>
-Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use
-it.
---- cyrus-sasl-2.1.27/saslauthd/Makefile.am
-+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am
-@@ -25,7 +25,7 @@
- saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL)
- saslauthd_LDADD = @SASL_KRB_LIB@ \
- @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
-- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
-+ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
-
- testsaslauthd_SOURCES = testsaslauthd.c utils.c
- testsaslauthd_LDADD = @LIB_SOCKET@
---- cyrus-sasl-2.1.27/sasldb/Makefile.am
-+++ cyrus-sasl-2.1.27/sasldb/Makefile.am
-@@ -54,6 +54,6 @@
-
- libsasldb_la_SOURCES = allockey.c sasldb.h
- EXTRA_libsasldb_la_SOURCES = $(extra_common_sources)
--libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND)
--libsasldb_la_LIBADD = $(SASL_DB_BACKEND)
-+libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
-+libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
- libsasldb_la_LDFLAGS = -no-undefined
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
deleted file mode 100644
index c331039e2f..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Author: Fabian Fagerholm <fabbe@debian.org>
-Description: This patch makes sure the non-PIC version of libsasldb.a, which
-is created out of non-PIC objects, is not going to overwrite the PIC version,
-which is created out of PIC objects. The PIC version is placed in .libs, and
-the non-PIC version in the current directory. This ensures that both non-PIC
-and PIC versions are available in the correct locations.
---- cyrus-sasl-2.1.27/lib/Makefile.am
-+++ cyrus-sasl-2.1.27/lib/Makefile.am
-@@ -98,7 +98,7 @@
-
- libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS)
- @echo adding static plugins and dependencies
-- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS)
-+ $(AR) cru $@ $(SASL_STATIC_OBJS)
- @for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \
- if test ! -f $$i; then continue; fi; . $$i; \
- for j in $$dependency_libs foo; do \
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-dbm-errno.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-dbm-errno.patch
deleted file mode 100644
index dd9147d9f5..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-dbm-errno.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From af48f6fec9a7b6374d4153c5db894d4a1f349645 Mon Sep 17 00:00:00 2001
-From: Jonas Jelten <jj@sft.mx>
-Date: Sat, 2 Feb 2019 20:53:37 +0100
-Subject: [PATCH] db_gdbm: fix gdbm_errno overlay from gdbm_close
-
-`gdbm_close` also sets gdbm_errno since version 1.17.
-This leads to a problem in `libsasl` as the `gdbm_close` incovation overlays
-the `gdbm_errno` value which is then later used for the error handling.
----
- sasldb/db_gdbm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/sasldb/db_gdbm.c b/sasldb/db_gdbm.c
-index ee56a6bf..c908808e 100644
---- a/sasldb/db_gdbm.c
-+++ b/sasldb/db_gdbm.c
-@@ -107,9 +107,11 @@ int _sasldb_getdata(const sasl_utils_t *utils,
- gkey.dptr = key;
- gkey.dsize = key_len;
- gvalue = gdbm_fetch(db, gkey);
-+ int fetch_errno = gdbm_errno;
-+
- gdbm_close(db);
- if (! gvalue.dptr) {
-- if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
-+ if (fetch_errno == GDBM_ITEM_NOT_FOUND) {
- utils->seterror(conn, SASL_NOLOG,
- "user: %s@%s property: %s not found in %s",
- authid, realm, propName, path);
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
deleted file mode 100644
index bdd02f7796..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
-+++ cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
-@@ -23,7 +23,7 @@
- from sphinx import addnodes
- from sphinx.locale import admonitionlabels, _
- from sphinx.util.osutil import ustrftime
--from sphinx.util.compat import docutils_version
-+#from sphinx.util.compat import docutils_version
-
- class CyrusManualPageWriter(ManualPageWriter):
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
deleted file mode 100644
index c585cb158e..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Gentoo bug #389349
---- cyrus-sasl-2.1.27/m4/sasl2.m4
-+++ cyrus-sasl-2.1.27/m4/sasl2.m4
-@@ -220,7 +220,11 @@
- [AC_WARN([Cybersafe define not found])])
-
- elif test "$ac_cv_header_gssapi_h" = "yes"; then
-- AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h,
-+ AC_EGREP_CPP(hostbased_service_gss_nt_yes, gssapi.h,
-+ [#include <gssapi.h>
-+ #ifdef GSS_C_NT_HOSTBASED_SERVICE
-+ hostbased_service_gss_nt_yes
-+ #endif],
- [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,,
- [Define if your GSSAPI implementation defines GSS_C_NT_HOSTBASED_SERVICE])])
- elif test "$ac_cv_header_gssapi_gssapi_h"; then
diff --git a/main/cyrus-sasl/fix-saslauthd-man-page.patch b/main/cyrus-sasl/fix-saslauthd-man-page.patch
deleted file mode 100644
index c6ecc4ce0c..0000000000
--- a/main/cyrus-sasl/fix-saslauthd-man-page.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/12342
-
-See: https://github.com/cyrusimap/cyrus-sasl/pull/569
-
-diff -upr cyrus-sasl-2.1.27.orig/saslauthd/Makefile.am cyrus-sasl-2.1.27/saslauthd/Makefile.am
---- cyrus-sasl-2.1.27.orig/saslauthd/Makefile.am 2021-01-23 12:19:13.058918319 +0100
-+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am 2021-01-23 12:20:07.132516526 +0100
-@@ -32,20 +32,15 @@ testsaslauthd_LDADD = @LIB_SOCKET@
-
- saslcache_SOURCES = saslcache.c
-
--EXTRA_DIST = saslauthd.8 saslauthd.mdoc include \
-+EXTRA_DIST = saslauthd.mdoc include \
- getnameinfo.c getaddrinfo.c LDAP_SASLAUTHD
- AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_builddir)/common -I$(top_srcdir)/common
- DEFS = @DEFS@ -DSASLAUTHD_CONF_FILE_DEFAULT=\"@sysconfdir@/saslauthd.conf\" -I. -I$(srcdir) -I..
-
-
--dist-hook: saslauthd.8
--
--saslauthd.8: saslauthd.mdoc
-- nroff -mdoc $(srcdir)/saslauthd.mdoc > $(srcdir)/saslauthd.8
--
--install-data-local: saslauthd.8
-+install-data-local: saslauthd.mdoc
- $(mkinstalldirs) $(DESTDIR)$(mandir)/man8
-- $(INSTALL_DATA) $(srcdir)/saslauthd.8 $(DESTDIR)$(mandir)/man8/saslauthd.8
-+ $(INSTALL_DATA) $(srcdir)/saslauthd.mdoc $(DESTDIR)$(mandir)/man8/saslauthd.8
-
- uninstall-local:
- -rm -rf $(DESTDIR)$(mandir)/man8/saslauthd.8
diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD
index 5c81561253..13bd249f29 100644
--- a/main/dahdi-linux-lts/APKBUILD
+++ b/main/dahdi-linux-lts/APKBUILD
@@ -9,7 +9,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.93
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/esh/APKBUILD b/main/esh/APKBUILD
index fc6c53e03b..ebaa57ad5f 100644
--- a/main/esh/APKBUILD
+++ b/main/esh/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=esh
-pkgver=0.3.1
+pkgver=0.3.2
pkgrel=0
pkgdesc="Simple template system based on shell"
url="https://github.com/jirutka/esh"
@@ -22,4 +22,6 @@ package() {
make DESTDIR="$pkgdir" prefix=/usr install
}
-sha512sums="a29f8b028ceba305c8a37f2df20be95701fa3bdaeefd9853e05cc6423a6c685b33954deabda9af25c31baeae2321084e2a2badee216010c8efd75e58888effa3 esh-0.3.1.tar.gz"
+sha512sums="
+f93835f0c28b75fa4b4ab2fdccd860050e4dde25634074065b182f289dd36d05074c7a5762f6cd35f409ae2ef239de5e0799af70ec6a96ba63df50fc8c123784 esh-0.3.2.tar.gz
+"
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index fd4bde80fc..a0613ef626 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=expat
-pkgver=2.4.3
+pkgver=2.4.7
pkgrel=0
pkgdesc="XML Parser library written in C"
url="http://www.libexpat.org/"
@@ -11,6 +11,15 @@ source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkg
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
# secfixes:
+# 2.4.5-r0:
+# - CVE-2022-25235
+# - CVE-2022-25236
+# - CVE-2022-25313
+# - CVE-2022-25314
+# - CVE-2022-25315
+# 2.4.4-r0:
+# - CVE-2022-23852
+# - CVE-2022-23990
# 2.4.3-r0:
# - CVE-2021-45960
# - CVE-2021-46143
@@ -46,5 +55,5 @@ package() {
}
sha512sums="
-1a77580c10d8cd1eb2c9224697cb73cdad742c1b6cf716d987379d01bb1f66240c315c298f5295f120cf44445521ccb7cdd39db1e743f164b919245a35a9468e expat-2.4.3.tar.bz2
+313bbee4c941d56aa1a0c0d0f4a2c9f9ada8df734bc905fd9d616199ab980b460485870bf3c7fd1605334f782a0c16e9c2960a96cdceb444a7af9b2e3e748515 expat-2.4.7.tar.bz2
"
diff --git a/main/flac/APKBUILD b/main/flac/APKBUILD
index d358fe2167..2e62156cfb 100644
--- a/main/flac/APKBUILD
+++ b/main/flac/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=flac
-pkgver=1.3.3
+pkgver=1.3.4
pkgrel=0
pkgdesc="Free Lossless Audio Codec"
url="https://xiph.org/flac/"
@@ -12,6 +12,9 @@ makedepends="libogg-dev !libiconv"
source="http://downloads.xiph.org/releases/flac/flac-$pkgver.tar.xz"
# secfixes:
+# 1.3.4-r0:
+# - CVE-2020-0499
+# - CVE-2021-0561
# 1.3.2-r2:
# - CVE-2017-6888
@@ -47,4 +50,6 @@ package() {
install -Dm0644 COPYING.Xiph \
"$pkgdir"/usr/share/licenses/$pkgname/COPYING.Xiph
}
-sha512sums="d6417e14fab0c41b2df369e5e39ce62a5f588e491af4d465b0162f74e171e5549b2f061867f344bfbf8aaccd246bf5f2acd697e532a2c7901c920c69429b1a28 flac-1.3.3.tar.xz"
+sha512sums="
+4a626e8a1bd126e234c0e5061e3b46f3a27c2065fdfa228fd8cf00d3c7fa2c05fafb5cec36acce7bfce4914bfd7db0b2a27ee15decf2d8c4caad630f62d44ec9 flac-1.3.4.tar.xz
+"
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 6d3aaf337c..34532ab6c3 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=freetype
pkgver=2.10.4
-pkgrel=1
+pkgrel=3
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -13,9 +13,17 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.xz
0001-Enable-table-validation-modules.patch
subpixel.patch
+ CVE-2022-27404.patch
+ CVE-2022-27405.patch
+ CVE-2022-27406.patch
"
# secfixes:
+# 2.10.4-r3:
+# - CVE-2022-27405
+# - CVE-2022-27406
+# 2.10.4-r2:
+# - CVE-2022-27404
# 2.10.4-r0:
# - CVE-2020-15999
# 2.9-r1:
@@ -51,6 +59,11 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz
+sha512sums="
+827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz
580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
-72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch"
+72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
+a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804 CVE-2022-27406.patch
+"
diff --git a/main/freetype/CVE-2022-27404.patch b/main/freetype/CVE-2022-27404.patch
new file mode 100644
index 0000000000..841ab4c593
--- /dev/null
+++ b/main/freetype/CVE-2022-27404.patch
@@ -0,0 +1,44 @@
+Patch-Source: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+---
+ src/sfnt/sfobjs.c | 2 +-
+ src/sfnt/sfwoff2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+
+ /* value -(N+1) requests information on index N */
+- if ( face_instance_index < 0 )
++ if ( face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= face->ttc_header.count )
+diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
+index cb1e0664a..165b875e5 100644
+--- a/src/sfnt/sfwoff2.c
++++ b/src/sfnt/sfwoff2.c
+@@ -2085,7 +2085,7 @@
+ /* Validate requested face index. */
+ *num_faces = woff2.num_fonts;
+ /* value -(N+1) requests information on index N */
+- if ( *face_instance_index < 0 )
++ if ( *face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= woff2.num_fonts )
+--
+GitLab
+
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..4766867601
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab
+
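Review bot: In the added `else` branch the mask is applied before the negation, so a negative `face_index` is masked in its two's-complement form: `-1 & 0x7FFFFFFFL` is `0x7FFFFFFF`, and the branch turns `-1` into `-2147483647` instead of leaving it unchanged. To keep the lower 31 bits of the magnitude together with the sign, as the comment says, negate first, mask, then negate back: `face_index = -face_index; face_index &= 0x7FFFFFFFL; face_index = -face_index;`. The most negative value needs its own guard, since negating it overflows. `ft_open_face_internal` starts and ends outside the hunk, so how later code consumes the low bits of a negative index is not visible here.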
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..0fdef7d216
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab
+
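Review bot: This patch file has no `Patch-Source:` line, unlike CVE-2022-27404.patch, so the origin of the backport can only be inferred from the hash on its `From` line; CVE-2022-27405.patch has the same gap. Assuming the commit lives in the same upstream repository as the 27404 one, a first line of `Patch-Source: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2` would make all three security backports auditable in the same way. The `face->size` guard itself sits in a function that starts and ends outside the hunk.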
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index c9534fb292..e05e19f404 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,6 +2,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.32.1-r0:
+# - CVE-2022-24765
# 2.30.2-r0:
# - CVE-2021-21300
# 2.26.2-r0:
@@ -27,9 +29,10 @@
# - CVE-2017-1000117
# 0:
# - CVE-2021-29468
+# - CVE-2021-46101
pkgname=git
-pkgver=2.32.0
+pkgver=2.32.2
pkgrel=0
pkgdesc="Distributed version control system"
url="https://www.git-scm.com/"
@@ -283,7 +286,7 @@ _perl_config() {
}
sha512sums="
-1ab3e7022ccee411d14a7da5c37d6259ef5c0f85ebed8f49698e25c65cbc7a46f8096919fcb6568360bfe284dd7475b596eee1a167db966096255a405853837c git-2.32.0.tar.xz
+491e3469ffc618eb9edf154026c118f3d0bf80ff1d0dbbe028290cb7b208c190254ef24f03bf301e26b2a125a85cd27e56e1f44c822d888535103c2590bf4dae git-2.32.2.tar.xz
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd
be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch
diff --git a/main/gmp/APKBUILD b/main/gmp/APKBUILD
index c5e80d754d..691d934d61 100644
--- a/main/gmp/APKBUILD
+++ b/main/gmp/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gmp
pkgver=6.2.1
-pkgrel=0
+pkgrel=1
pkgdesc="free library for arbitrary precision arithmetic"
url="https://gmplib.org/"
arch="all"
@@ -9,9 +9,14 @@ license="LGPL-3.0-or-later OR GPL-2.0-or-later"
makedepends="m4 texinfo libtool"
subpackages="$pkgname-doc $pkgname-dev libgmpxx"
source="https://gmplib.org/download/gmp/gmp-$pkgver.tar.xz
+ CVE-2021-43618.patch::https://gmplib.org/repo/gmp-6.2/raw-rev/561a9c25298e
"
replaces="gmp5"
+# secfixes:
+# 6.2.1-r1:
+# - CVE-2021-43618
+
prepare() {
default_prepare
# force update to libtool with fixed cross-build support
@@ -51,4 +56,5 @@ doc() {
replaces="gmp5-doc"
}
-sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz"
+sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz
+3956190d9c266feb62f8965c3cd32d0a9260f76ffb0d3e32211974bb53ddd5c6eaa657f7e00ba8fa7c914c0e1375155d25de6a81cdb9b03d6a5bbc16ac121447 CVE-2021-43618.patch"
diff --git a/main/gzip/APKBUILD b/main/gzip/APKBUILD
index bdb30df8d5..92a548f46d 100644
--- a/main/gzip/APKBUILD
+++ b/main/gzip/APKBUILD
@@ -1,15 +1,19 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gzip
-pkgver=1.10
-pkgrel=1
+pkgver=1.12
+pkgrel=0
pkgdesc="Popular data compression program"
subpackages="$pkgname-doc"
url="https://www.gnu.org/software/gzip/"
arch="all"
license="GPL-3.0-or-later"
depends="less"
-source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.xz"
+
+# secfixes:
+# 1.12-r0:
+# - CVE-2022-1271
build() {
# avoid text relocation
@@ -42,4 +46,6 @@ package() {
ln -sf /bin/gunzip "$pkgdir"/usr/bin/uncompress
}
-sha512sums="7939043e74554ced0c1c05d354ab4eb36cd6dce89ad79d02ccdc5ed6b7ee390759689b2d47c07227b9b44a62851afe7c76c4cae9f92527d999f3f1b4df1cccff gzip-1.10.tar.gz"
+sha512sums="
+116326fe991828227de150336a0c016f4fe932dfbb728a16b4a84965256d9929574a4f5cfaf3cf6bb4154972ef0d110f26ab472c93e62ec9a5fd7a5d65abea24 gzip-1.12.tar.xz
+"
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index ed1e1950c8..22ad027c8b 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -4,7 +4,7 @@
pkgname=haproxy
# NOTE: Upgrade only to LTS versions announced on upstream site url!
# Using LTS versions is easier to keep it in good shape for stable releases
-pkgver=2.4.9
+pkgver=2.4.17
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -58,7 +58,7 @@ package() {
}
sha512sums="
-52ee14898ee92b0c13b1788e1178251c00d7ddaffaf862b8ad9400261674420db4b4d4611565ae1508d288fc6f03b1fd4d0207570793ad53a615113f9774cd3d haproxy-2.4.9.tar.gz
+98d46b6dbafd95977a32a6479266f3b9fe6e6ed57e39182a3d031add60dabfdaa7494083109a75eaa3e4b15d0293b11081f9b06556eee1777ede40ed6c002a7f haproxy-2.4.17.tar.gz
4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
"
diff --git a/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch
new file mode 100644
index 0000000000..9f4b0c2959
--- /dev/null
+++ b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch
@@ -0,0 +1,318 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto.h | 45 ++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index 15f8ad04cea4..68476dbce96c 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+ */
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+
++/**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
+ /**
+ * crypto_bignum_deinit - Free bignum
+ * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ struct crypto_bignum *c);
+
++/**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d);
++
+ /**
+ * crypto_bignum_mulmod - d = a * b (mod c)
+ * @a: Bignum
+@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *c,
+ struct crypto_bignum *d);
+
++/**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
+ /**
+ * crypto_bignum_rshift - r = a >> n
+ * @a: Bignum
+@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+ */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+ * struct crypto_ec_point - Elliptic curve point
+ *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index bab33a537293..ed463105e8f1 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ BIGNUM *bn;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ bn = BN_new();
++ if (!bn)
++ return NULL;
++ if (BN_set_word(bn, val) != 1) {
++ BN_free(bn);
++ return NULL;
++ }
++ return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (clear)
+@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++ (const BIGNUM *) c, bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *c,
+@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ BN_CTX *bnctx;
++ BIGNUM *res;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 4cedab4367cd..e9894b335e53 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ mp_int *a;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ a = (mp_int *) crypto_bignum_init();
++ if (!a)
++ return NULL;
++
++ if (mp_set_int(a, val) != MP_OKAY) {
++ os_free(a);
++ a = NULL;
++ }
++
++ return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (!n)
+@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++ (mp_int *) d) == MP_OKAY ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *m,
+@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_sqrmod((mp_int *) a, (mp_int *) b,
++ (mp_int *) c) == MP_OKAY ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ /* TODO */
++ return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ ecc_point *point = (ecc_point *) p;
+--
+2.25.1
+
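Review bot: The kernel-doc block added above `crypto_bignum_init_uint()` in crypto.h is still titled `crypto_bignum_init_set`, so the header documents two functions under one name; its first line should read `* crypto_bignum_init_uint - Allocate memory for bignum and set the value (uint)`. The `crypto_bignum_sqrtmod()` comment should also state that `@b` must be an odd prime, because the OpenSSL implementation forwards to `BN_mod_sqrt()` without checking the modulus, and the libretls CVE-2022-0778 patch in this same commit is an infinite-loop fix for that routine. The wolfSSL `crypto_bignum_sqrtmod()` is a `/* TODO */` stub that always returns -1, which the header comment should mention so callers do not assume both backends implement it. `crypto_ec_get_a()` and `crypto_ec_get_b()` are added to crypto.h with no doc comment at all, unlike the neighbouring getters.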
diff --git a/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch
new file mode 100644
index 0000000000..6c8509b8c2
--- /dev/null
+++ b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch
@@ -0,0 +1,72 @@
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h | 2 ++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 547be66f1561..1e842716668e 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ "dragonfly: Unable to get randomness for own scalar");
+ return -1;
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res)
++{
++ const struct crypto_bignum *prime;
++ struct crypto_bignum *tmp, *one;
++ int ret = 0;
++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++ size_t prime_len;
++
++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++ prime = crypto_ec_get_prime(ec);
++ prime_len = crypto_ec_prime_len(ec);
++ tmp = crypto_bignum_init();
++ one = crypto_bignum_init_uint(1);
++
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ prime_len) < 0 ||
++ (prime_bin[prime_len - 1] & 0x03) != 3 ||
++ !tmp || !one ||
++ /* tmp = (p+1)/4 */
++ crypto_bignum_add(prime, one, tmp) < 0 ||
++ crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++ /* res = sqrt(val) */
++ crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++ ret = -1;
++
++ crypto_bignum_deinit(tmp, 0);
++ crypto_bignum_deinit(one, 0);
++ return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index ec3dd593eda4..84d67f575c54 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar);
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res);
+
+ #endif /* DRAGONFLY_H */
+--
+2.25.1
+
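Review bot: `dragonfly_sqrt()` is documented only as `/* res = sqrt(val) */`, but the exponentiation it performs yields a square root only when `val` is a quadratic residue mod p, and the function returns 0 without checking the square of `res` against `val`. The comment should state both preconditions, for example `/* res = sqrt(val) mod p; requires p = 3 mod 4 (returns -1 otherwise) and val to be a quadratic residue; the result is not verified */`, and the prototype added to dragonfly.h should carry the same text. The callers added by the following two patches appear to rely on an earlier residue test, so this is a contract to document rather than a code change.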
diff --git a/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
new file mode 100644
index 0000000000..f2a9cb3a9f
--- /dev/null
+++ b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
@@ -0,0 +1,99 @@
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 08fdbfd18173..8d79ed962768 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
++ unsigned int is_eq;
+
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ goto fail;
+ }
+
+- if (!sae->tmp->pwe_ecc)
+- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+- if (!sae->tmp->pwe_ecc)
+- res = -1;
+- else
+- res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+- sae->tmp->pwe_ecc, x,
+- pwd_seed_odd);
+- if (res < 0) {
+- /*
+- * This should not happen since we already checked that there
+- * is a result.
+- */
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(save) == LSB(y): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++ if (!y ||
++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++ prime_len) < 0 ||
++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ prime_len, x_y + prime_len);
++ os_memcpy(x_y, x_bin, prime_len);
++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++ if (!sae->tmp->pwe_ecc) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
+ }
+
+ fail:
++ forced_memzero(x_y, sizeof(x_y));
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ crypto_bignum_deinit(y, 1);
+ os_free(dummy_password);
+ bin_clear_free(tmp_password, password_len);
+ crypto_bignum_deinit(x, 1);
+--
+2.25.1
+
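Review bot: The new "SAE: Could not solve y" branch jumps to `fail` without assigning `res`, while the `crypto_ec_point_from_bin()` failure a few lines below sets `res = -1` explicitly, which suggests `res` can be non-negative at this point. If so, a failure in `dragonfly_sqrt()` or in the bignum conversions would be returned to the caller as success, with `sae->tmp->pwe_ecc` left at whatever it held before. Adding `res = -1;` before that `goto fail;` closes the gap. The body of `sae_derive_pwe_ecc()` starts and ends outside these hunks, so the value of `res` on entry to the branch should be confirmed against the full function.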
diff --git a/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
new file mode 100644
index 0000000000..71d22b0864
--- /dev/null
+++ b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
@@ -0,0 +1,113 @@
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 2b2b8efdbd01..ff22b29b087a 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
+ u8 prime_bin[MAX_ECC_PRIME_LEN];
+- struct crypto_bignum *tmp2 = NULL;
++ u8 x_y[2 * MAX_ECC_PRIME_LEN];
++ struct crypto_bignum *tmp2 = NULL, *y = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+ int ret = 0, res;
+@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found_ctr = 0, is_odd = 0;
+ int cmp_prime;
+ unsigned int in_range;
++ unsigned int is_eq;
+
+ if (grp->pwe)
+ return -1;
+@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+ primebytelen) < 0)
+ return -1;
+- grp->pwe = crypto_ec_point_init(grp->group);
+- if (!grp->pwe) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+- goto fail;
+- }
+
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ */
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+- if (!x_candidate ||
+- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ if (!x_candidate)
++ goto fail;
++
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++ if (!y ||
++ dragonfly_sqrt(grp->group, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++ crypto_bignum_sub(prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++ MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ /* Constant time selection of the y coordinate from the two
++ * options */
++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++ primebytelen, x_y + primebytelen);
++ os_memcpy(x_y, x_bin, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++ if (!grp->pwe) {
++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+ goto fail;
+ }
+
+@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(tmp2, 1);
++ crypto_bignum_deinit(y, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
+ bin_clear_free(prfbuf, primebytelen);
+@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(qnr_bin, 0, sizeof(qnr_bin));
+ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+ os_memset(pwe_digest, 0, sizeof(pwe_digest));
++ forced_memzero(x_y, sizeof(x_y));
+
+ return ret;
+ }
+--
+2.25.1
+
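Review bot: The failure message in the new y-derivation block of `compute_password_element()` is `"SAE: Could not solve y"`, copied from the SAE patch, so an EAP-pwd failure is logged under the wrong protocol prefix and at MSG_DEBUG rather than the MSG_INFO used by the line it replaces. Suggest `wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");` so the message stays searchable alongside the other `EAP-pwd:` lines. The `if (!x_candidate) goto fail;` just above it also loses the log line that the old combined check emitted. The function body starts and ends outside these hunks.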
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 848cd883e6..7d122c95ed 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.9
-pkgrel=3
+pkgrel=4
pkgdesc="daemon for wireless software access points"
url="https://w1.fi/hostapd/"
arch="all"
@@ -16,11 +16,19 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
CVE-2021-30004.patch::https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15
+
+ 0001-crypto-Add-more-bignum-EC-helper-functions.patch
+ 0002-dragonfly-Add-sqrt-helper-function.patch
+ 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
+ 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
"
options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.9-r4:
+# - CVE-2022-23303
+# - CVE-2022-23304
# 2.9-r3:
# - CVE-2021-30004
# 2.9-r2:
@@ -103,11 +111,17 @@ package() {
&& install -Dm644 hostapd_cli.1 \
"$pkgdir"/usr/share/man/man1/hostapd_cli
}
-sha512sums="66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz
+sha512sums="
+66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd
63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
b76bbca282a74ef16c0303e5dbd2ccd33a62461595964d52c1481b0bfa4f41deacde56830b85409b288803b87ceb6f33cf0ccc69c5b17ec632c2d4784b872f3c 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
00cc739e78c42353a555c0de2f29defecff372927040e14407a231d1ead7ff32a37c9fd46bea7cdf1c24e3ac891bc3d483800d44fc6d2c8a12d2ae886523b12c 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
69243af20cdcfa837c51917a3723779f4825e11436fb83311355b4ffe8f7a4b7a5747a976f7bf923038c410c9e9055b13b866d9a396913ad08bdec3a70e9f6e0 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
-88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch"
+88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch
+540ddb5ddde8aa8e2292ab01f632b63ac2e390aecd63506ac4e736b4677125d10be44c4dee153f135e51b510e6b62d4926f921e4bbd117ed0864b5becc9b873e 0001-crypto-Add-more-bignum-EC-helper-functions.patch
+77402d5917144850d3d521b6f880c942de809d058eb09c6e79e5d54898165e21c06eb997eb089f9bf3f9ef387bc8b3697e62f1a80dbb319892a72e5b5f0ff14c 0002-dragonfly-Add-sqrt-helper-function.patch
+9dd05d81597a13552d094735dd6da0e298e2c372ee0ed0f191ead149dd5ec32f4002f2950d327fdebfd942ba47ec87c5064f6cd512eef41867e9568a75e61352 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
+55879aacd970ba6a926ed6936204e8507736551aa24d8d384d80d790da8c7362dd80f247b84e8bb51ea527fa516d37163d5b82bc595a85a432116cc5e042606e 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
+"
diff --git a/main/intel-ucode/APKBUILD b/main/intel-ucode/APKBUILD
index 00bb0b57aa..d508671db0 100644
--- a/main/intel-ucode/APKBUILD
+++ b/main/intel-ucode/APKBUILD
@@ -1,16 +1,51 @@
# Maintainer: Marian Buschsieweke <marian.buschsieweke@ovgu.de>
pkgname=intel-ucode
-pkgver=20210608
+pkgver=20220510
pkgrel=0
pkgdesc="Microcode update files for Intel CPUs"
arch="x86 x86_64"
-url="https://downloadcenter.intel.com/SearchResult.aspx?lang=eng&keyword=%22microcode%22"
+url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files"
license="custom"
makedepends="iucode-tool"
source="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-$pkgver.tar.gz"
options="!check"
builddir="$srcdir/Intel-Linux-Processor-Microcode-Data-Files-microcode-$pkgver"
+# (Taken from https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md)
+# secfixes:
+# 20220510-r0:
+# - CVE-2022-21151
+# 20220207-r0:
+# - CVE-2021-0127
+# - CVE-2021-0146
+# 20210608-r0:
+# - CVE-2020-24489
+# - CVE-2020-24511
+# - CVE-2020-24513
+# 20210216-r0:
+# - CVE-2020-8698
+# 20201112-r0:
+# - CVE-2020-8694
+# - CVE-2020-8698
+# 20201110-r0:
+# - CVE-2020-8694
+# - CVE-2020-8698
+# 20200609-r0:
+# - CVE-2020-0548
+# 20191113-r0:
+# - CVE-2019-11135
+# 20191112-r0:
+# - CVE-2018-12126
+# - CVE-2019-11135
+# 20190918-r0:
+# - CVE-2019-11135
+# 20190618-r0:
+# - CVE-2018-12126
+# 20190514a-r0:
+# - CVE-2018-12126
+# - CVE-2017-5754
+# - CVE-2017-5753
+
build() {
rm -f intel-ucode/list intel-ucode-with-caveats/list
mkdir -p kernel/x86/microcode
@@ -25,4 +60,6 @@ package() {
install -Dm644 license "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-sha512sums="61acd2e76aa019fa0002fbf56c503791080a937ff93d81e020f8f0cc089dc08928b4c7e9884f713b886e2f9d4a8409fea59e39f628ef534a588515e1c3fc861d microcode-20210608.tar.gz"
+sha512sums="
+00329ce62a6d9cc66fb8594d132ef67951086ab1250ceaf908d5a357753ed62557275f55c5eb7b3ad55d1fdd312b5d1a436b214cdcbf6e3e1a840c8bf6f4795d microcode-20220510.tar.gz
+"
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 966042ad10..f9a9af34d8 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
-pkgver=1.18.4
+pkgver=1.18.5
pkgrel=0
pkgdesc="The Kerberos network authentication system"
url="https://web.mit.edu/kerberos/www/"
@@ -30,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/$_maj_min/krb5-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver/src"
# secfixes:
+# 1.18.5-r0:
+# - CVE-2021-37750
# 1.18.4-r0:
# - CVE-2021-36222
# 1.18.3-r0:
@@ -118,7 +120,7 @@ libs() {
}
sha512sums="
-7d9f1e937ba122f5af1340b5025420903a4cc3692bdf4093289921ad09b3fd02c8684b65a783d4b397ba15c4cf29c728cbf24a6405c5fff72fb882137703539e krb5-1.18.4.tar.gz
+7fd25944ac66074bf21465824f226aa3456a253a7517e7d3cacb7664103b8b033076cc23ee7c7806e7c9f884747c05eac5b1f1cf771b3d1989e5129c36de4bb2 krb5-1.18.5.tar.gz
5c62cbcbf1ef0462323f3392a362b42ed301967a1de80ddcb27eece4fad23efeeb5f04f5af521cfffff36b918bb93813262aa62785e59d6cb5af437a2c9e886d mit-krb5_krb5-config_LDFLAGS.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
diff --git a/main/ldb/APKBUILD b/main/ldb/APKBUILD
index 523893948c..bb1b4023d3 100644
--- a/main/ldb/APKBUILD
+++ b/main/ldb/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ldb
-pkgver=2.3.0
-pkgrel=1
+pkgver=2.3.3
+pkgrel=0
pkgdesc="schema-less, ldap like, API and database"
url="https://ldb.samba.org/"
arch="all"
@@ -11,6 +11,7 @@ makedepends="libtirpc-dev tevent-dev py3-tevent tdb-dev py3-tdb talloc-dev
subpackages="$pkgname-dev py3-$pkgname:_py3 $pkgname-tools $pkgname-doc"
source="https://www.samba.org/ftp/pub/ldb/ldb-$pkgver.tar.gz
disable-compile-error-test.patch
+ skip-failing-tests.patch
"
# secfixes:
@@ -21,6 +22,7 @@ _waf=buildtools/bin/waf
case "$CARCH" in
ppc64le) options="$options !check" ;;
+ armhf|armv7|x86) export DEB_HOST_ARCH_BITS=32 ;;
esac
build() {
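Review bot: The new `armhf|armv7|x86)` arm exports a Debian-named variable with no comment saying what reads it. The only consumer visible in this commit is `skip-failing-tests.patch`, which calls `self.skipTest()` before the extreme-date assertions when `DEB_HOST_ARCH_BITS` is `32`. A comment above the arm, such as `# read by skip-failing-tests.patch: skips the extreme-date timestring tests on 32-bit`, would keep the two in sync if either is dropped later. The arch list should also be checked against every 32-bit target this branch builds, since an arch missing from it still runs the assertions the patch was added to skip.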
@@ -57,5 +59,8 @@ tools() {
mv "$pkgdir"/usr/lib/ldb/libldb-cmdline.* "$subpkgdir"/usr/lib/ldb/
}
-sha512sums="7e389c0b4700a809893276d69216436ebd6d30e1f52407e4a08a1113cf14e151aed74300d8c36765c91c8f3195d8054b13a28cbdfcab031f88fd1d353e415348 ldb-2.3.0.tar.gz
-ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch"
+sha512sums="
+ffb50208fe971afd544a431b79905ec8fce67d78d20c3fcfb8345a56f3b278fb664bc48079d7239a8ca5b70aae8b32076b6007cb63e080cd536e9fe458efeccd ldb-2.3.3.tar.gz
+ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch
+08e6a0b075dc40c8d1c9ac12fcf72c0601d3ec128a56915be88336754b876580d52f64e94bf9157e82810a9afe2eb6cdb7be0e999fd88a5e70e70dd71ce1dab5 skip-failing-tests.patch
+"
diff --git a/main/ldb/skip-failing-tests.patch b/main/ldb/skip-failing-tests.patch
new file mode 100644
index 0000000000..0b32f2bd95
--- /dev/null
+++ b/main/ldb/skip-failing-tests.patch
@@ -0,0 +1,35 @@
+From 38f5e8e09a7ae641b3669068b10c6bd966e46632 Mon Sep 17 00:00:00 2001
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Thu, 4 Nov 2021 22:46:15 +0100
+Subject: [PATCH] Skip failing tests (on 32-bit architectures)
+
+See https://bugzilla.samba.org/show_bug.cgi?id=14558#c17
+---
+ tests/python/api.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/python/api.py b/tests/python/api.py
+index 8d154aa..e1de40c 100755
+--- a/tests/python/api.py
++++ b/tests/python/api.py
+@@ -44,6 +44,9 @@ class NoContextTests(TestCase):
+ self.assertEqual("19700101000000.0Z", ldb.timestring(0))
+ self.assertEqual("20071119191012.0Z", ldb.timestring(1195499412))
+
++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32':
++ self.skipTest('Test failing on 32-bit')
++
+ self.assertEqual("00000101000000.0Z", ldb.timestring(-62167219200))
+ self.assertEqual("99991231235959.0Z", ldb.timestring(253402300799))
+
+@@ -62,6 +65,9 @@ class NoContextTests(TestCase):
+ self.assertEqual(0, ldb.string_to_time("19700101000000.0Z"))
+ self.assertEqual(1195499412, ldb.string_to_time("20071119191012.0Z"))
+
++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32':
++ self.skipTest('Test failing on 32-bit')
++
+ self.assertEqual(-62167219200, ldb.string_to_time("00000101000000.0Z"))
+ self.assertEqual(253402300799, ldb.string_to_time("99991231235959.0Z"))
+
+--
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 88a813794c..cfecc03b66 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
-pkgver=3.5.2
+pkgver=3.5.3
pkgrel=0
pkgdesc="library that can create and read several streaming archive formats"
url="https://libarchive.org/"
@@ -13,6 +13,9 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-tools"
source="https://libarchive.org/downloads/libarchive-$pkgver.tar.xz"
# secfixes:
+# 3.5.3-r0:
+# - CVE-2021-31566
+# - CVE-2021-36976
# 3.4.2-r0:
# - CVE-2020-19221
# - CVE-2020-9308
@@ -42,5 +45,5 @@ tools() {
}
sha512sums="
-ac7c47f9ddfe5d4d5db6ca9c1bcba788af95662bf0e54ca5426fe66cd8262896e12acc426eecdf0e0d6681c180bcd37f4c4469619273607e95399c7f49b61c7c libarchive-3.5.2.tar.xz
+90da8508cbaf4e187234e70ded9522316db35c3843eb6d51e8676088d9db68b13490d53eb05c6dbf6df78496319ce2a4bd4e4a3a1b83240a57b58492aceb4c7f libarchive-3.5.3.tar.xz
"
diff --git a/main/libretls/APKBUILD b/main/libretls/APKBUILD
index be6223ef47..6bfd02cdc6 100644
--- a/main/libretls/APKBUILD
+++ b/main/libretls/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Ariadne Conill <ariadne@dereferenced.org>
pkgname=libretls
pkgver=3.3.3p1
-pkgrel=2
+pkgrel=3
pkgdesc="port of libtls from libressl to openssl"
arch="all"
url="https://git.causal.agency/libretls/"
@@ -13,8 +13,13 @@ makedepends_host="openssl-dev"
makedepends="$depends_dev autoconf automake libtool"
subpackages="$pkgname-doc $pkgname-static $pkgname-dev"
source="https://causal.agency/libretls/libretls-$pkgver.tar.gz
+ CVE-2022-0778.patch
test_program.c"
+# secfixes:
+# 3.3.3p1-r3:
+# - CVE-2022-0778
+
prepare() {
default_prepare
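Review bot: `CVE-2022-0778.patch`, added to `source` and recorded under `# secfixes:` in this hunk, does not appear to change any compiled code. The file added later in this commit only creates a new `patches/bn_sqrt.patch` (itself a diff against `crypto/bn/bn_sqrt.c`) rather than patching that C file. `pkgdesc` and `makedepends_host="openssl-dev"` suggest libretls takes its bignum code from OpenSSL, so the fix would presumably have to come from the openssl package, unless `prepare()`, which continues outside this hunk, applies `patches/*.patch` itself. If it does not, the `3.3.3p1-r3` entry marks the package as fixed by an inert patch; I would drop the patch and the entry, or at least add `# NOTE: CVE-2022-0778.patch only adds patches/bn_sqrt.patch; confirm the build applies it` above the secfixes block.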
@@ -52,5 +57,6 @@ check() {
sha512sums="
58806e87e9071fd370f7287c29e4e395d8fdb9e2db6105ee2d22d890a497b204d0cf041ea495c5fc565e0ab97d9172966b3e895e30feec30e541bd1b4ecef6db libretls-3.3.3p1.tar.gz
+d415a589fb3b220b20bf28a9711d3fe13d9709c0204a0a1493751a1c11dc0c957a6da8a1d794630ca38234f3222d5b9b7e53a6c24567f6b42967aa5868ba682f CVE-2022-0778.patch
71d36fe25c95a0a45497e3f699b01dddcaae9053dd1b1e2419df94272c47024cf6516c51c902129201061601b04a72551904b15a332a4cf53358983b5db73618 test_program.c
"
diff --git a/main/libretls/CVE-2022-0778.patch b/main/libretls/CVE-2022-0778.patch
new file mode 100644
index 0000000000..136f71f1ae
--- /dev/null
+++ b/main/libretls/CVE-2022-0778.patch
@@ -0,0 +1,54 @@
+From d09ca2569d9cbe6fa1e8038e90ff5cb57e20e0b5 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Sat, 12 Mar 2022 11:26:23 -0600
+Subject: [PATCH] add infinite loop fix in BN_mod_sqrt
+
+---
+ patches/bn_sqrt.patch | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+ create mode 100644 patches/bn_sqrt.patch
+
+diff --git a/patches/bn_sqrt.patch b/patches/bn_sqrt.patch
+new file mode 100644
+index 000000000..495de3120
+--- /dev/null
++++ b/patches/bn_sqrt.patch
+@@ -0,0 +1,38 @@
++--- crypto/bn/bn_sqrt.c.orig Fri Feb 18 16:30:39 2022
+++++ crypto/bn/bn_sqrt.c Sat Mar 12 11:23:53 2022
++@@ -351,21 +351,22 @@
++ goto vrfy;
++ }
++
++-
++- /* find smallest i such that b^(2^i) = 1 */
++- i = 1;
++- if (!BN_mod_sqr(t, b, p, ctx))
++- goto end;
++- while (!BN_is_one(t)) {
++- i++;
++- if (i == e) {
++- BNerror(BN_R_NOT_A_SQUARE);
++- goto end;
+++ /* Find the smallest i with 0 < i < e such that b^(2^i) = 1. */
+++ for (i = 1; i < e; i++) {
+++ if (i == 1) {
+++ if (!BN_mod_sqr(t, b, p, ctx))
+++ goto end;
+++ } else {
+++ if (!BN_mod_sqr(t, t, p, ctx))
+++ goto end;
++ }
++- if (!BN_mod_mul(t, t, t, p, ctx))
++- goto end;
+++ if (BN_is_one(t))
+++ break;
++ }
++-
+++ if (i >= e) {
+++ BNerror(BN_R_NOT_A_SQUARE);
+++ goto end;
+++ }
++
++ /* t := y^2^(e - i - 1) */
++ if (!BN_copy(t, y))
diff --git a/main/liburing/APKBUILD b/main/liburing/APKBUILD
index 7ef31eaa98..229d07a80d 100644
--- a/main/liburing/APKBUILD
+++ b/main/liburing/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Milan P. Stanić <mps@arvanta.net>
pkgname=liburing
pkgver=2.0
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel io_uring access library"
url="https://git.kernel.dk/cgit/liburing/"
arch="all"
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
makedepends="linux-headers"
subpackages="$pkgname-dev $pkgname-doc"
source="https://git.kernel.dk/cgit/liburing/snapshot/liburing-$pkgver.tar.gz
+ busybox-mktemp.patch
"
build() {
@@ -25,4 +26,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="e7739a33bcbccc80da725556f924d49a3a78c945a7f1e74c03821a9dafc71c7821a46b7f042f1377a192b46b518ebb5e44f76e89aa7e8652f99f4cfbd9d05e79 liburing-2.0.tar.gz"
+sha512sums="
+e7739a33bcbccc80da725556f924d49a3a78c945a7f1e74c03821a9dafc71c7821a46b7f042f1377a192b46b518ebb5e44f76e89aa7e8652f99f4cfbd9d05e79 liburing-2.0.tar.gz
+28650f7833ad65823d9a32a4a8d549e5db21af609085417791145f9ab2f1e0d982cb5e111b1686d6c400a20905d646eab169704d1d4c305cca45d308fa1b7041 busybox-mktemp.patch
+"
diff --git a/main/liburing/busybox-mktemp.patch b/main/liburing/busybox-mktemp.patch
new file mode 100644
index 0000000000..d984315cbb
--- /dev/null
+++ b/main/liburing/busybox-mktemp.patch
@@ -0,0 +1,54 @@
+Patch-Source: https://github.com/axboe/liburing/commit/cce3026ee45a86cfdd104fd1be270b759a161233
+From cce3026ee45a86cfdd104fd1be270b759a161233 Mon Sep 17 00:00:00 2001
+From: Nugra <richiisei@gmail.com>
+Date: Tue, 15 Feb 2022 22:36:50 +0700
+Subject: [PATCH] configure: Support busybox mktemp
+
+Busybox mktemp does not support `--tmpdir`, it says:
+ mktemp: unrecognized option: tmpdir
+
+It can be fixed with:
+1. Create a temporary directory.
+2. Use touch to create the temporary files inside the directory.
+3. Clean up by deleting the temporary directory.
+
+[ammarfaizi2: s/fio/liburing/]
+
+Signed-off-by: Nugra <richiisei@gmail.com>
+Link: https://t.me/GNUWeeb/530154
+[ammarfaizi2: Rephrase the commit message and add touch command]
+Co-authored-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Link: https://lore.kernel.org/r/20220215153651.181319-2-ammarfaizi2@gnuweeb.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ configure | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/configure b/configure
+index 805a67109..1f7f1c334 100755
+--- a/configure
++++ b/configure
+@@ -78,14 +78,17 @@ EOF
+ exit 0
+ fi
+
+-TMPC="$(mktemp --tmpdir fio-conf-XXXXXXXXXX.c)"
+-TMPC2="$(mktemp --tmpdir fio-conf-XXXXXXXXXX-2.c)"
+-TMPO="$(mktemp --tmpdir fio-conf-XXXXXXXXXX.o)"
+-TMPE="$(mktemp --tmpdir fio-conf-XXXXXXXXXX.exe)"
++TMP_DIRECTORY="$(mktemp -d)"
++TMPC="$TMP_DIRECTORY/liburing-conf.c"
++TMPC2="$TMP_DIRECTORY/liburing-conf-2.c"
++TMPO="$TMP_DIRECTORY/liburing-conf.o"
++TMPE="$TMP_DIRECTORY/liburing-conf.exe"
++
++touch $TMPC $TMPC2 $TMPO $TMPE
+
+ # NB: do not call "exit" in the trap handler; this is buggy with some shells;
+ # see <1285349658-3122-1-git-send-email-loic.minier@linaro.org>
+-trap "rm -f $TMPC $TMPC2 $TMPO $TMPE" EXIT INT QUIT TERM
++trap "rm -rf $TMP_DIRECTORY" EXIT INT QUIT TERM
+
+ rm -rf config.log
+
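Review bot: The added `TMP_DIRECTORY="$(mktemp -d)"` is used without checking that mktemp succeeded, so on failure the four paths become `/liburing-conf.c` and so on at the filesystem root, and `touch` creates them there. The expansions in `touch $TMPC $TMPC2 $TMPO $TMPE` and `trap "rm -rf $TMP_DIRECTORY"` are also unquoted, which breaks if the temporary directory path contains whitespace. I would carry `TMP_DIRECTORY="$(mktemp -d)" || exit 1` and `trap 'rm -rf "$TMP_DIRECTORY"' EXIT INT QUIT TERM`, and quote the four operands of `touch`. The rest of the configure script lies outside this hunk, so any later handling of these variables is not visible here.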
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 4e996061d9..5d996377e4 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=libxml2
-pkgver=2.9.12
-pkgrel=1
+pkgver=2.9.14
+pkgrel=0
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -17,13 +17,15 @@ if [ -z "$BOOTSTRAP" ]; then
py_configure="--with-python=/usr/bin/python3"
fi
options="!strip"
-source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz
- revert-Make-xmlFreeNodeList-non-recursive.patch
+source="https://download.gnome.org/sources/libxml2/${pkgver%.*}/libxml2-$pkgver.tar.xz
libxml2-2.9.8-python3-unicode-errors.patch
- work-around-lxml-api-abuse.patch
"
# secfixes:
+# 2.9.14-r0:
+# - CVE-2022-29824
+# 2.9.13-r0:
+# - CVE-2022-23308
# 2.9.11-r0:
# - CVE-2021-3517
# - CVE-2021-3518
@@ -103,8 +105,6 @@ utils() {
}
sha512sums="
-df1c6486e80f0fcf3c506f3599bcfb94b620c00d0b5d26831bc983daa78d58ec58b5057b1ec7c1a26c694f40199c6234ee2a6dcabf65abfa10c447cb5705abbd libxml2-2.9.12.tar.gz
-347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f revert-Make-xmlFreeNodeList-non-recursive.patch
+d08e6cafb289c499fdc5b3a12181e032a34f7a249bc66758859f964d3e71e19fd69be79921e1a9d8ab1e692d15b13f5fae95eeb10c3236974d89e218f5107606 libxml2-2.9.14.tar.xz
a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7 libxml2-2.9.8-python3-unicode-errors.patch
-5e2a80038cb7085fce27dfff2d92f651259124b1a899ce3b5dbb0f6f8e815e30d5256e447cd1dff227f535be0c13ce8cff0234cf0bee7ff75cd2245a8b65130a work-around-lxml-api-abuse.patch
"
diff --git a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch b/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch
deleted file mode 100644
index 102abdb313..0000000000
--- a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-This is a revert of
-https://github.com/GNOME/libxml2/commit/0762c9b69ba01628f72eada1c64ff3d361fb5716
-
-This fixes perl-xml-libxslt test suite
-https://bugzilla.suse.com/show_bug.cgi?id=1157450
-
-diff --git a/tree.c b/tree.c
-index 08b1a50..f2b1457 100644
---- a/tree.c
-+++ b/tree.c
-@@ -3664,9 +3664,7 @@ xmlNextElementSibling(xmlNodePtr node) {
- void
- xmlFreeNodeList(xmlNodePtr cur) {
- xmlNodePtr next;
-- xmlNodePtr parent;
- xmlDictPtr dict = NULL;
-- size_t depth = 0;
-
- if (cur == NULL) return;
- if (cur->type == XML_NAMESPACE_DECL) {
-@@ -3682,21 +3680,16 @@ xmlFreeNodeList(xmlNodePtr cur) {
- return;
- }
- if (cur->doc != NULL) dict = cur->doc->dict;
-- while (1) {
-- while ((cur->children != NULL) &&
-- (cur->type != XML_DTD_NODE) &&
-- (cur->type != XML_ENTITY_REF_NODE)) {
-- cur = cur->children;
-- depth += 1;
-- }
--
-+ while (cur != NULL) {
- next = cur->next;
-- parent = cur->parent;
- if (cur->type != XML_DTD_NODE) {
-
- if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
- xmlDeregisterNodeDefaultValue(cur);
-
-+ if ((cur->children != NULL) &&
-+ (cur->type != XML_ENTITY_REF_NODE))
-+ xmlFreeNodeList(cur->children);
- if (((cur->type == XML_ELEMENT_NODE) ||
- (cur->type == XML_XINCLUDE_START) ||
- (cur->type == XML_XINCLUDE_END)) &&
-@@ -3727,16 +3720,7 @@ xmlFreeNodeList(xmlNodePtr cur) {
- DICT_FREE(cur->name)
- xmlFree(cur);
- }
--
-- if (next != NULL) {
-- cur = next;
-- } else {
-- if ((depth == 0) || (parent == NULL))
-- break;
-- depth -= 1;
-- cur = parent;
-- cur->children = NULL;
-- }
-+ cur = next;
- }
- }
-
diff --git a/main/libxml2/work-around-lxml-api-abuse.patch b/main/libxml2/work-around-lxml-api-abuse.patch
deleted file mode 100644
index 482b9f03d5..0000000000
--- a/main/libxml2/work-around-lxml-api-abuse.patch
+++ /dev/null
@@ -1,211 +0,0 @@
-From 85b1792e37b131e7a51af98a37f92472e8de5f3f Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 18 May 2021 20:08:28 +0200
-Subject: [PATCH] Work around lxml API abuse
-
-Make xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted
-parent pointers. This used to work with the old recursive code but the
-non-recursive rewrite required parent pointers to be set correctly.
-
-Unfortunately, lxml relies on the old behavior and passes subtrees with
-a corrupted structure. Fall back to a recursive function call if an
-invalid parent pointer is detected.
-
-Fixes #255.
----
- HTMLtree.c | 46 ++++++++++++++++++++++++++++------------------
- xmlsave.c | 31 +++++++++++++++++++++----------
- 2 files changed, 49 insertions(+), 28 deletions(-)
-
-diff --git a/HTMLtree.c b/HTMLtree.c
-index 24434d45..bdd639c7 100644
---- a/HTMLtree.c
-+++ b/HTMLtree.c
-@@ -744,7 +744,7 @@ void
- htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED,
- int format) {
-- xmlNodePtr root;
-+ xmlNodePtr root, parent;
- xmlAttrPtr attr;
- const htmlElemDesc * info;
-
-@@ -755,6 +755,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- }
-
- root = cur;
-+ parent = cur->parent;
- while (1) {
- switch (cur->type) {
- case XML_HTML_DOCUMENT_NODE:
-@@ -762,13 +763,25 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- if (((xmlDocPtr) cur)->intSubset != NULL) {
- htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL);
- }
-- if (cur->children != NULL) {
-+ /* Always validate cur->parent when descending. */
-+ if ((cur->parent == parent) && (cur->children != NULL)) {
-+ parent = cur;
- cur = cur->children;
- continue;
- }
- break;
-
- case XML_ELEMENT_NODE:
-+ /*
-+ * Some users like lxml are known to pass nodes with a corrupted
-+ * tree structure. Fall back to a recursive call to handle this
-+ * case.
-+ */
-+ if ((cur->parent != parent) && (cur->children != NULL)) {
-+ htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format);
-+ break;
-+ }
-+
- /*
- * Get specific HTML info for that node.
- */
-@@ -817,6 +830,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (cur->name != NULL) &&
- (cur->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -825,9 +839,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (info != NULL) && (!info->isinline)) {
- if ((cur->next->type != HTML_TEXT_NODE) &&
- (cur->next->type != HTML_ENTITY_REF_NODE) &&
-- (cur->parent != NULL) &&
-- (cur->parent->name != NULL) &&
-- (cur->parent->name[0] != 'p')) /* p, pre, param */
-+ (parent != NULL) &&
-+ (parent->name != NULL) &&
-+ (parent->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
- }
-
-@@ -842,9 +856,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- break;
- if (((cur->name == (const xmlChar *)xmlStringText) ||
- (cur->name != (const xmlChar *)xmlStringTextNoenc)) &&
-- ((cur->parent == NULL) ||
-- ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) &&
-- (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) {
-+ ((parent == NULL) ||
-+ ((xmlStrcasecmp(parent->name, BAD_CAST "script")) &&
-+ (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) {
- xmlChar *buffer;
-
- buffer = xmlEncodeEntitiesReentrant(doc, cur->content);
-@@ -902,13 +916,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- break;
- }
-
-- /*
-- * The parent should never be NULL here but we want to handle
-- * corrupted documents gracefully.
-- */
-- if (cur->parent == NULL)
-- return;
-- cur = cur->parent;
-+ cur = parent;
-+ /* cur->parent was validated when descending. */
-+ parent = cur->parent;
-
- if ((cur->type == XML_HTML_DOCUMENT_NODE) ||
- (cur->type == XML_DOCUMENT_NODE)) {
-@@ -939,9 +949,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (cur->next != NULL)) {
- if ((cur->next->type != HTML_TEXT_NODE) &&
- (cur->next->type != HTML_ENTITY_REF_NODE) &&
-- (cur->parent != NULL) &&
-- (cur->parent->name != NULL) &&
-- (cur->parent->name[0] != 'p')) /* p, pre, param */
-+ (parent != NULL) &&
-+ (parent->name != NULL) &&
-+ (parent->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
- }
- }
-diff --git a/xmlsave.c b/xmlsave.c
-index 61a40459..aedbd5e7 100644
---- a/xmlsave.c
-+++ b/xmlsave.c
-@@ -847,7 +847,7 @@ htmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- static void
- xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- int format = ctxt->format;
-- xmlNodePtr tmp, root, unformattedNode = NULL;
-+ xmlNodePtr tmp, root, unformattedNode = NULL, parent;
- xmlAttrPtr attr;
- xmlChar *start, *end;
- xmlOutputBufferPtr buf;
-@@ -856,6 +856,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- buf = ctxt->buf;
-
- root = cur;
-+ parent = cur->parent;
- while (1) {
- switch (cur->type) {
- case XML_DOCUMENT_NODE:
-@@ -868,7 +869,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
-
- case XML_DOCUMENT_FRAG_NODE:
-- if (cur->children != NULL) {
-+ /* Always validate cur->parent when descending. */
-+ if ((cur->parent == parent) && (cur->children != NULL)) {
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -887,7 +890,18 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
-
- case XML_ELEMENT_NODE:
-- if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput))
-+ /*
-+ * Some users like lxml are known to pass nodes with a corrupted
-+ * tree structure. Fall back to a recursive call to handle this
-+ * case.
-+ */
-+ if ((cur->parent != parent) && (cur->children != NULL)) {
-+ xmlNodeDumpOutputInternal(ctxt, cur);
-+ break;
-+ }
-+
-+ if ((ctxt->level > 0) && (ctxt->format == 1) &&
-+ (xmlIndentTreeOutput))
- xmlOutputBufferWrite(buf, ctxt->indent_size *
- (ctxt->level > ctxt->indent_nr ?
- ctxt->indent_nr : ctxt->level),
-@@ -942,6 +956,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- xmlOutputBufferWrite(buf, 1, ">");
- if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n");
- if (ctxt->level >= 0) ctxt->level++;
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -1058,13 +1073,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
- }
-
-- /*
-- * The parent should never be NULL here but we want to handle
-- * corrupted documents gracefully.
-- */
-- if (cur->parent == NULL)
-- return;
-- cur = cur->parent;
-+ cur = parent;
-+ /* cur->parent was validated when descending. */
-+ parent = cur->parent;
-
- if (cur->type == XML_ELEMENT_NODE) {
- if (ctxt->level > 0) ctxt->level--;
---
-GitLab
-
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index 542caa143c..defc4a03d0 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -1,21 +1,19 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
-pkgver=1.1.34
-pkgrel=1
+pkgver=1.1.35
+pkgrel=0
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
license="custom"
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xmlsoft.org/sources/libxslt-$pkgver.tar.gz
- Stop-using-maxParserDepth-XPath-limit.patch
- Transfer-XPath-limits-to-XPtr-context.patch
- Dont-set-maxDepth-in-XPath-contexts.patch
- "
+source="https://download.gnome.org/sources/libxslt/${pkgver%.*}/libxslt-$pkgver.tar.xz"
# secfixes:
+# 1.1.35-r0:
+# - CVE-2021-30560
# 1.1.34-r0:
# - CVE-2019-13117
# - CVE-2019-13118
@@ -48,8 +46,5 @@ package() {
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
sha512sums="
-1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b libxslt-1.1.34.tar.gz
-e79a19b902dc72f9b04a70dfa9a4e242dced6903f3c78ed2aa562eebc99156ca71fe7f83662bafd94d1da7fdc8e447faee13d1c5e0bcf21b6a99eddbcccea129 Stop-using-maxParserDepth-XPath-limit.patch
-886c8a3b71848458d5713c998e473bfbdaed422110dd79d32eda514c9b24a404fd3a8c734b8ebc8c55d1c70eaf779c4ee6472e86f8666219b28e71dc1b894b8f Transfer-XPath-limits-to-XPtr-context.patch
-c4052ad3f0ffe737f8be4606ab1f65069a4c3eee18c4f34b0c4d6c6db4757b28c063bba029e031b2075954461f1cf0a4c1ed4db098289d60a8319f4c3358feb9 Dont-set-maxDepth-in-XPath-contexts.patch
+9dd4a699235f50ae9b75b25137e387471635b4b2da0a4e4380879cd49f1513470fcfbfd775269b066eac513a1ffa6860c77ec42747168e2348248f09f60c8c96 libxslt-1.1.35.tar.xz
"
diff --git a/main/libxslt/Dont-set-maxDepth-in-XPath-contexts.patch b/main/libxslt/Dont-set-maxDepth-in-XPath-contexts.patch
deleted file mode 100644
index 6b9dab8a85..0000000000
--- a/main/libxslt/Dont-set-maxDepth-in-XPath-contexts.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Wed, 26 Aug 2020 00:34:38 +0200
-Subject: [PATCH] Don't set maxDepth in XPath contexts
-
-The maximum recursion depth is hardcoded in libxml2 now.
----
- libxslt/functions.c | 2 +-
- tests/fuzz/fuzz.c | 11 ++---------
- 2 files changed, 3 insertions(+), 10 deletions(-)
-
-diff --git a/libxslt/functions.c b/libxslt/functions.c
-index 975ea790..7887dda7 100644
---- a/libxslt/functions.c
-+++ b/libxslt/functions.c
-@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
- defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
- xptrctxt->opLimit = ctxt->context->opLimit;
- xptrctxt->opCount = ctxt->context->opCount;
-- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
-+ xptrctxt->depth = ctxt->context->depth;
-
- resObj = xmlXPtrEval(fragment, xptrctxt);
-
-diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
-index 75234ad6..780c2d41 100644
---- a/tests/fuzz/fuzz.c
-+++ b/tests/fuzz/fuzz.c
-@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
- xpctxt = tctxt->xpathCtxt;
-
- /* Resource limits to avoid timeouts and call stack overflows */
-- xpctxt->maxDepth = 500;
- xpctxt->opLimit = 500000;
-
- /* Test namespaces used in xpath.xml */
-@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
- return 0;
- }
-
--static void
--xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
-- ctxt->maxDepth = 200;
-- ctxt->opLimit = 100000;
--}
--
- xmlChar *
- xsltFuzzXslt(const char *data, size_t size) {
- xmlDocPtr xsltDoc;
-@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
- xmlFreeDoc(xsltDoc);
- return NULL;
- }
-- xsltSetXPathResourceLimits(sheet->xpathCtxt);
-+ sheet->xpathCtxt->opLimit = 100000;
- sheet->xpathCtxt->opCount = 0;
- if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
- xsltFreeStylesheet(sheet);
-@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
- xsltSetCtxtSecurityPrefs(sec, ctxt);
- ctxt->maxTemplateDepth = 100;
- ctxt->opLimit = 20000;
-- xsltSetXPathResourceLimits(ctxt->xpathCtxt);
-+ ctxt->xpathCtxt->opLimit = 100000;
- ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
-
- result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
---
-GitLab
-
diff --git a/main/libxslt/Stop-using-maxParserDepth-XPath-limit.patch b/main/libxslt/Stop-using-maxParserDepth-XPath-limit.patch
deleted file mode 100644
index ee9c2aad6b..0000000000
--- a/main/libxslt/Stop-using-maxParserDepth-XPath-limit.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 17 Aug 2020 03:42:11 +0200
-Subject: [PATCH] Stop using maxParserDepth XPath limit
-
-This will be removed again from libxml2.
----
- tests/fuzz/fuzz.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
-index f502ca2c..75234ad6 100644
---- a/tests/fuzz/fuzz.c
-+++ b/tests/fuzz/fuzz.c
-@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
- xpctxt = tctxt->xpathCtxt;
-
- /* Resource limits to avoid timeouts and call stack overflows */
-- xpctxt->maxParserDepth = 15;
-- xpctxt->maxDepth = 100;
-+ xpctxt->maxDepth = 500;
- xpctxt->opLimit = 500000;
-
- /* Test namespaces used in xpath.xml */
-@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
-
- static void
- xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
-- ctxt->maxParserDepth = 15;
-- ctxt->maxDepth = 100;
-+ ctxt->maxDepth = 200;
- ctxt->opLimit = 100000;
- }
-
---
-GitLab
-
diff --git a/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch b/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch
deleted file mode 100644
index e943e79045..0000000000
--- a/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 17 Aug 2020 04:27:13 +0200
-Subject: [PATCH] Transfer XPath limits to XPtr context
-
-Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
-XPath limits.
----
- libxslt/functions.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/functions.c b/libxslt/functions.c
-index b350545a..975ea790 100644
---- a/libxslt/functions.c
-+++ b/libxslt/functions.c
-@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
- goto out_fragment;
- }
-
-+#if LIBXML_VERSION >= 20911 || \
-+ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
-+ xptrctxt->opLimit = ctxt->context->opLimit;
-+ xptrctxt->opCount = ctxt->context->opCount;
-+ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
-+
-+ resObj = xmlXPtrEval(fragment, xptrctxt);
-+
-+ ctxt->context->opCount = xptrctxt->opCount;
-+#else
- resObj = xmlXPtrEval(fragment, xptrctxt);
-- xmlXPathFreeContext(xptrctxt);
- #endif
-
-+ xmlXPathFreeContext(xptrctxt);
-+#endif /* LIBXML_XPTR_ENABLED */
-+
- if (resObj == NULL)
- goto out_fragment;
-
---
-GitLab
-
diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index dc4f0f8a86..f8212d3dda 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lighttpd
-pkgver=1.4.59
+pkgver=1.4.64
pkgrel=0
pkgdesc="Secure, fast, compliant and very flexible web-server"
url="https://www.lighttpd.net"
@@ -12,7 +12,7 @@ pkgusers="lighttpd"
pkggroups="lighttpd"
makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua5.3-dev
automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev
- bsd-compat-headers"
+ bsd-compat-headers pcre2-dev"
subpackages="$pkgname-doc $pkgname-dbg $pkgname-openrc $pkgname-mod_auth
$pkgname-mod_webdav"
source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.tar.xz
@@ -25,6 +25,10 @@ source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.t
mod_fastcgi.conf
mod_fastcgi_fpm.conf"
+# secfixes:
+# 1.4.64-r0:
+# - CVE-2022-22707
+
build() {
./configure \
--build=$CBUILD \
@@ -95,7 +99,8 @@ mod_webdav() {
_mv_mod mod_webdav
}
-sha512sums="94d312f6ac65c32057018b749c4865220b43b3e4b7fe9396848aa403ea7fdc2ccbf3f4f91daf281b754cf272a52a8bcdc689502773ea33cae36eead2785daa0f lighttpd-1.4.59.tar.xz
+sha512sums="
+8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936 lighttpd-1.4.64.tar.xz
f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc665cbaf7991ddcdf0aaa916831c8b6aa440192d57b242038 lighttpd.initd
9d2ab5deb7353ebf290e90936b511941df440859c78589d0bcf130ef69a5e9c79e4d318548b6b118df002083c46f7476230a28954b7a10a9dbd05040e02b1291 lighttpd.confd
0536b4f21d2e8659f7831b45998c13d9f6051ae7ecde13be01f372f837d255bfc4e211de48a7686cc743d53aa9c08ab3f10ec19788896dcf8356b90053ca7a16 lighttpd.logrotate
@@ -103,4 +108,5 @@ f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc
a3f2f5763885d7e4f510491b24164e34aaf62bb02daa12991575dc64335c12668355af5bb8d6ce191eb4e9cce95324b1f7c9ba61b323b4e7b50a1e03e021afcf mime-types.conf
27cc638d8068dcf47bd9db44943d1db6c6f4e8e6abd6b42af7cea004b1c093440068541d98c68f8bea70b956713adaf8ed59a4b642dea826ee8620a05f8cfde5 mod_cgi.conf
1d15b84c03fb648a0e67ab5c5411b85478b4454c44bc2959cc96d1700eeadd7ff429520a5f1550db6527267646622dccd3d47d3fd1258869fccaf5c22d4ad4b2 mod_fastcgi.conf
-f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf"
+f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf
+"
diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD
index 52b5778534..a863a00068 100644
--- a/main/linux-lts/APKBUILD
+++ b/main/linux-lts/APKBUILD
@@ -2,7 +2,7 @@
_flavor=lts
pkgname=linux-${_flavor}
-pkgver=5.10.93
+pkgver=5.10.109
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -236,17 +236,17 @@ d19365fe94431008768c96a2c88955652f70b6df6677457ee55ee95246a64fdd2c6fed9b3bef37c2
ca5aafac37e0b5f3fcbaf801e12f98beb58ffaf1d8c88f76caff22b059831869b4094e7fdcb6d6860422d6b2d036e072caff460e1feb84bd04d10740ad56265b 0007-pci-hotplug-declare-IDT-bridge-as-hotpluggabl-bridge.patch
cbe85cf34e8420c91d2276c2d2aa0ab5023af68e57a1fa613f073f16a76766c67f585eda71c28f232bd0625e0dc8275a9eddc95f49409205dc0dbcc28c9fac1c 0008-pci-spr2803-quirk-to-fix-class-ID.patch
16b2d5b0255b37075ba894fc797673d633395907ce0b93400c5a8bd05b512b5cd040b91000fa41f9240d42afc664a69206597d1e3f754a1aa64b9be21a67f5c6 ampere-mt-jade.patch
-a07cf6966af3716d41a67d38bcf964190ee64d4dd011382997da8056ea545e2926eff0726c310f2ee5711f9958d5995317d17b5d82e0b245a40402d63859fda2 config-lts.aarch64
-84aaad1001be4e55c5885dcf27a4647028319123bf54195f8c1233287bec9c890dbb131920976e950136d5eacc7ff153fc9ad305cfd0ca28fd0194a263e8be4f config-lts.armv7
-36f93117ecc4abe55e339451fc4779b262bf172e52416b49f878f0c726124905c4593e64f5c25217837d54da4e5748375f7d3fc7329f32e1ab4fe7f7b7707040 config-lts.x86
-f013855a894cd5d4275ae8c3332f38861fa84cba395cdd67effad5899e50bfa96cdd15e9965871a91dbe86b5d259ad49a2adcb0d9e5d69eded5019b5d6abe05c config-lts.x86_64
-35b8424024af2fdcd93a8f2062f6b55bdfe65daf4d0a160e5b217df122dbb1727ef899636ba18d063af0e0c02a5bd57ba414466264f82c4525dd20e54d6b4b82 config-lts.ppc64le
-e2657b50b1844710cc29b545e4b560b7b79827b9005c6b1ccc7e5c89de31ce0a2a169407b0bff1e3cd9a1bcaa88745c149092d45029ca13bcc2b56a2b6d77ac6 config-lts.s390x
-0caf98dec1162b1ba4e4bb4e198d0a34e59ac022532d562961cf9b22cbdb930675ff3a845bb17ddff83b91a84ad61df9d607f175c34133916e0a3cdbb4c13786 config-lts.mips64
-4ec067d515b1c8f1fbdfade9a95b5d25d68aa67040cc5219d0e349133ea1e14ba46fca70c25d4ca84bbcb546d8b3025e74db3a4ce322bc311d8e22a6a53acc2a config-virt.aarch64
-7965fe20cfa6058ea4a56168770c88a64f409bb3e1c8d73fa43c0585cdb9e86d5530e567ea2b6e752bef9b3e53959bb35fcb90acea99e0b95ae127eb9c0de628 config-virt.armv7
-12e180709fcd4246b24707372b9cf4d01d1704023bb515f67ed97d5066589868b10873731c5eca1447194988830abe3c841d2b6a1e136e8d42ca70052fc205a4 config-virt.ppc64le
-e7713a81a2efe14db8ed7118926a56362c37251b64c74e56ac95d7ae5f56b6db0d1858184b060d39ce3ebc2dcf694bf38ac793c33e3a510b1eb784a526df431d config-virt.x86
-461aedb3eedd0e1adedc71d52ee9321d6d6120ca807fa84f3cc816670ebdd414adc1d7741cccba9788d9994501bcdab7d4e14fbb80cfd527edab60e7b894fdde config-virt.x86_64
-915a18a6b45f6090292be3d29ce1dc636190cd65383d1987a018d26650a5d4e3225e0307f7ea7a27530962bfd2cd65035de16b0892f5d80562b16326249d1b7a patch-5.10.93.xz
+afe1f326427e4e58a78950e73c5b7e816201d3acf256eb2c868658db1deb2aca3160f1e0b837f39ff5878e661bac71685d2949039e45bbc74dc8f8209c20983a config-lts.aarch64
+034955a002dd747204a253b509ce1195352cbd91bf072fd6b26c30c42a453217605112ef0f4d24e75f3aec0a80c9e2d43f7f800c6e475ac1b8d1ed7722f7ee15 config-lts.armv7
+5954e302c71f5f22d5a7374c482984eb3367b6f102729d574bd7777593a0a7d198e77be029864890e32b71029ce47f94755c37499590dd67d4d2efc49b755913 config-lts.x86
+12f4b44394102bfe7624d29b5d5c476b01485a3e163e1904267029b66e69d197c197217562a89cbef2eee1293699cef1dc108144ae08107ccc2a733649b11f23 config-lts.x86_64
+2ce063971c4f72343b7e96e69f308ee5793f0fb9ae653a366323ceb97dfe9df286f6fb1a532014c2fabf1b1d781afd3b5547e44b7ae498d3e57cf52c87f31093 config-lts.ppc64le
+9932b74ea9504628912a2db470f36db64b2192d72f6c9be929082819ab554a5447e4c2de844c8417398c574c8d51fb434777a9de10ce13127cab175d1807e791 config-lts.s390x
+1558ca5a6bc8732cb8041022e51efaa361bbb9a236138d7c022735d324cffb7496fb994802ba47a5037f82a9fd4c39a8816ae3e31a796481492b55f891900e97 config-lts.mips64
+59fe4fd847015bf1d1bd9dc012465e215431d46be8dfb99a2e51ed5986cf36b4be4cad3496f56647678ba3c28ce38969c5b2e0301bf52060adb8291b73bd4a31 config-virt.aarch64
+41900f8c853bb155c4d0aad4d9b539631d62808e254b804acc9221e23800a5a6f497fb61849593f747e3d31c94e95f6e9a4bd9157dfca3daf87c49fbedf7a461 config-virt.armv7
+4b5355c9d1b9fc2a8b2ec190acf4f22204bc62bb6b96c10d7ea318e4a59f5151d6ce2f800f2d0d24abbd22ca21a5992010200986c9d9d8ebfa525cad162d654a config-virt.ppc64le
+d5782648c6a0c3421699d12f130a21439892fb908133c85d760a2503ffb2c1de9575527d5eba45f759f8f03eb73c3bc145bf145078d170c75e3da1911dc63b1c config-virt.x86
+39ae4052c193e505431cd0b188395abd02d81f53e1ecfad28f02dc9e1819501d9df1032e8b955285bd3627c54d918c68d45a8774dd47a5da89ceea2b0e2d983d config-virt.x86_64
+857028984882fe1945133bbcb5660c795e9f3616fd202a87f26ad6ff2063d2b3a0a5efb17bc905433aa2400163ba9bf7340c9283ea3573b49e9eed2eda332eb2 patch-5.10.109.xz
"
diff --git a/main/linux-lts/config-lts.aarch64 b/main/linux-lts/config-lts.aarch64
index e6d058e8c3..2d9bd9f8b5 100644
--- a/main/linux-lts/config-lts.aarch64
+++ b/main/linux-lts/config-lts.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.43 Kernel Configuration
+# Linux/arm64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -797,6 +797,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -4423,6 +4427,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
# CONFIG_CHARGER_BD99954 is not set
@@ -5743,7 +5748,6 @@ CONFIG_DRM_AMD_ACP=y
#
CONFIG_DRM_AMD_DC=y
# CONFIG_DRM_AMD_DC_HDCP is not set
-# CONFIG_DRM_AMD_DC_SI is not set
# end of Display Engine Configuration
# CONFIG_HSA_AMD is not set
@@ -6069,6 +6073,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -6627,7 +6632,7 @@ CONFIG_I2C_HID=m
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
+CONFIG_USB_COMMON=m
CONFIG_USB_LED_TRIG=y
CONFIG_USB_ULPI_BUS=m
CONFIG_USB_CONN_GPIO=m
@@ -7571,6 +7576,7 @@ CONFIG_ASHMEM=y
# CONFIG_FIREWIRE_SERIAL is not set
# CONFIG_GS_FPGABOOT is not set
# CONFIG_UNISYSSPAR is not set
+# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set
# CONFIG_FB_TFT is not set
CONFIG_FSL_DPAA2=y
CONFIG_FSL_DPAA2_ETHSW=m
@@ -8492,8 +8498,6 @@ CONFIG_MST_IRQ=y
CONFIG_ARCH_HAS_RESET_CONTROLLER=y
CONFIG_RESET_CONTROLLER=y
CONFIG_RESET_BERLIN=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
CONFIG_RESET_QCOM_AOSS=y
# CONFIG_RESET_QCOM_PDC is not set
CONFIG_RESET_RASPBERRYPI=m
@@ -8888,7 +8892,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
@@ -9061,6 +9064,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
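Review bot: `CONFIG_INIT_STACK_NONE=y` is kept while every `CONFIG_GCC_PLUGIN_STRUCTLEAK_*` choice and `CONFIG_GCC_PLUGIN_STACKLEAK` is left unset, so the `CONFIG_GCC_PLUGINS=y` turned on earlier in this file adds no stack-initialisation hardening. If the plugin infrastructure is meant to be used, selecting `CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y` in place of `CONFIG_INIT_STACK_NONE=y` would close uninitialised-stack information leaks, at a runtime cost that should be measured first. If the plugins were only picked up because the build host now has the GCC plugin headers installed, the commit message should say so. The same combination appears in the Memory initialization hunks of most of the other config-lts.* and config-virt.* files in this diff.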
diff --git a/main/linux-lts/config-lts.armv7 b/main/linux-lts/config-lts.armv7
index 9e4455b831..686cb4be68 100644
--- a/main/linux-lts/config-lts.armv7
+++ b/main/linux-lts/config-lts.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.43 Kernel Configuration
+# Linux/arm 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -195,6 +195,7 @@ CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
+CONFIG_HAVE_FUTEX_CMPXCHG=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
@@ -208,6 +209,7 @@ CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_USERMODE_DRIVER=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
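Review bot: `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set` leaves the `kernel.unprivileged_bpf_disabled` sysctl at 0 on boot, so any local user can load BPF programs unless an administrator changes it. Unprivileged BPF has been a recurring source of local privilege-escalation and speculative-execution side-channel bugs. The option exists so a distribution can ship it off by default while root can still re-enable it. I would set `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` here and in the matching hunks of config-lts.mips64, config-lts.ppc64le and config-lts.s390x; whether the remaining configs already set it is not visible in this diff.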
@@ -585,6 +587,7 @@ CONFIG_ALIGNMENT_TRAP=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_TIME_ACCOUNTING=y
# CONFIG_XEN is not set
+CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -715,6 +718,7 @@ CONFIG_ARCH_HIBERNATION_POSSIBLE=y
#
# Firmware Drivers
#
+# CONFIG_ARM_SCMI_PROTOCOL is not set
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
@@ -845,6 +849,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -2093,6 +2102,7 @@ CONFIG_NVME_MULTIPATH=y
CONFIG_NVME_HWMON=y
CONFIG_NVME_FABRICS=m
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
CONFIG_NVME_TARGET=m
# CONFIG_NVME_TARGET_PASSTHRU is not set
CONFIG_NVME_TARGET_LOOP=m
@@ -3590,6 +3600,7 @@ CONFIG_AXP20X_POWER=m
# CONFIG_CHARGER_SMB347 is not set
CONFIG_CHARGER_TPS65217=m
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
# CONFIG_CHARGER_BD99954 is not set
@@ -5058,6 +5069,7 @@ CONFIG_HDMI=y
#
CONFIG_DUMMY_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -5532,7 +5544,7 @@ CONFIG_I2C_HID=m
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
+CONFIG_USB_COMMON=m
CONFIG_USB_LED_TRIG=y
# CONFIG_USB_ULPI_BUS is not set
# CONFIG_USB_CONN_GPIO is not set
@@ -6313,6 +6325,7 @@ CONFIG_ASHMEM=y
# CONFIG_LTE_GDM724X is not set
CONFIG_GS_FPGABOOT=m
# CONFIG_UNISYSSPAR is not set
+# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set
CONFIG_FB_TFT=m
# CONFIG_FB_TFT_AGM1264K_FL is not set
# CONFIG_FB_TFT_BD663474 is not set
@@ -7110,9 +7123,7 @@ CONFIG_EXYNOS_IRQ_COMBINER=y
# CONFIG_IPACK_BUS is not set
CONFIG_ARCH_HAS_RESET_CONTROLLER=y
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
CONFIG_RESET_IMX7=y
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
CONFIG_RESET_SIMPLE=y
@@ -7448,7 +7459,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
CONFIG_UFS_FS=m
CONFIG_UFS_FS_WRITE=y
@@ -7618,6 +7628,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.mips64 b/main/linux-lts/config-lts.mips64
index 4a006b0479..493e2bc72d 100644
--- a/main/linux-lts/config-lts.mips64
+++ b/main/linux-lts/config-lts.mips64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/mips 5.10.43 Kernel Configuration
+# Linux/mips 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -192,6 +192,7 @@ CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_KCMP=y
@@ -541,6 +542,10 @@ CONFIG_HAVE_SPARSE_SYSCALL_NR=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -1404,6 +1409,7 @@ CONFIG_BLK_DEV_RBD=m
#
# CONFIG_BLK_DEV_NVME is not set
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
# end of NVME Support
#
@@ -3160,6 +3166,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.ppc64le b/main/linux-lts/config-lts.ppc64le
index c087a8ae23..ca386b2efd 100644
--- a/main/linux-lts/config-lts.ppc64le
+++ b/main/linux-lts/config-lts.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.43 Kernel Configuration
+# Linux/powerpc 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -205,6 +205,7 @@ CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS=y
@@ -589,6 +590,9 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -1863,6 +1867,7 @@ CONFIG_WIREGUARD=m
# CONFIG_WIREGUARD_DEBUG is not set
# CONFIG_EQUALIZER is not set
# CONFIG_NET_FC is not set
+# CONFIG_IFB is not set
# CONFIG_NET_TEAM is not set
CONFIG_MACVLAN=m
CONFIG_MACVTAP=m
@@ -2539,6 +2544,7 @@ CONFIG_POWER_SUPPLY_HWMON=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=y
# CONFIG_HWMON_DEBUG_CHIP is not set
@@ -2833,7 +2839,6 @@ CONFIG_DRM_AMDGPU=m
CONFIG_DRM_AMD_DC=y
CONFIG_DRM_AMD_DC_DCN=y
# CONFIG_DRM_AMD_DC_HDCP is not set
-# CONFIG_DRM_AMD_DC_SI is not set
# end of Display Engine Configuration
# CONFIG_HSA_AMD is not set
@@ -3010,6 +3015,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -4028,7 +4034,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_RAM is not set
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
@@ -4192,6 +4197,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.s390x b/main/linux-lts/config-lts.s390x
index 6b3634d881..6c710a0cc6 100644
--- a/main/linux-lts/config-lts.s390x
+++ b/main/linux-lts/config-lts.s390x
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/s390 5.10.43 Kernel Configuration
+# Linux/s390 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -206,6 +206,7 @@ CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_KCMP=y
@@ -379,6 +380,7 @@ CONFIG_UPROBES=y
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
CONFIG_ARCH_USE_BUILTIN_BSWAP=y
CONFIG_KRETPROBES=y
+CONFIG_HAVE_IOREMAP_PROT=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
@@ -418,6 +420,7 @@ CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_HAVE_ARCH_SOFT_DIRTY=y
CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
CONFIG_HAVE_RELIABLE_STACKTRACE=y
CONFIG_CLONE_BACKWARDS2=y
@@ -444,6 +447,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3016,6 +3023,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.x86 b/main/linux-lts/config-lts.x86
index c2d9e54172..14bd449e0d 100644
--- a/main/linux-lts/config-lts.x86
+++ b/main/linux-lts/config-lts.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.43 Kernel Configuration
+# Linux/x86 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -794,6 +794,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -4210,6 +4214,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -5774,6 +5779,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -6985,7 +6991,6 @@ CONFIG_DMA_ACPI=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_PCH_DMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
CONFIG_QCOM_HIDMA_MGMT=m
# CONFIG_QCOM_HIDMA is not set
CONFIG_DW_DMAC_CORE=m
@@ -7887,7 +7892,6 @@ CONFIG_PWM_PCA9685=m
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
# CONFIG_RESET_TI_SYSCON is not set
#
@@ -8183,7 +8187,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
@@ -8359,6 +8362,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.x86_64 b/main/linux-lts/config-lts.x86_64
index 795d16634d..c8b0d12da7 100644
--- a/main/linux-lts/config-lts.x86_64
+++ b/main/linux-lts/config-lts.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.93 Kernel Configuration
+# Linux/x86_64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -5880,6 +5880,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
diff --git a/main/linux-lts/config-virt.aarch64 b/main/linux-lts/config-virt.aarch64
index e6d7cd8e0d..c37a95484b 100644
--- a/main/linux-lts/config-virt.aarch64
+++ b/main/linux-lts/config-virt.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.43 Kernel Configuration
+# Linux/arm64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -767,6 +767,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -2959,6 +2963,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -3408,6 +3413,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4065,8 +4071,6 @@ CONFIG_PARTITION_PERCPU=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
# CONFIG_RESET_TI_SYSCON is not set
@@ -4373,7 +4377,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
@@ -4521,6 +4524,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.armv7 b/main/linux-lts/config-virt.armv7
index 15d6d09db5..d81e0519b3 100644
--- a/main/linux-lts/config-virt.armv7
+++ b/main/linux-lts/config-virt.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.43 Kernel Configuration
+# Linux/arm 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -192,6 +192,7 @@ CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
+CONFIG_HAVE_FUTEX_CMPXCHG=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
@@ -489,6 +490,7 @@ CONFIG_ALIGNMENT_TRAP=y
CONFIG_PARAVIRT=y
# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
# CONFIG_XEN is not set
+CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -721,6 +723,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -2816,6 +2823,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -3270,6 +3278,7 @@ CONFIG_HDMI=y
#
CONFIG_DUMMY_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -3906,8 +3915,6 @@ CONFIG_ALPINE_MSI=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_QCOM_AOSS is not set
# CONFIG_RESET_QCOM_PDC is not set
# CONFIG_RESET_TI_SYSCON is not set
@@ -4194,7 +4201,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
@@ -4342,6 +4348,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.ppc64le b/main/linux-lts/config-virt.ppc64le
index 14149e8958..2b85d3201f 100644
--- a/main/linux-lts/config-virt.ppc64le
+++ b/main/linux-lts/config-virt.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.43 Kernel Configuration
+# Linux/powerpc 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -584,6 +584,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -2647,6 +2651,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25980 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
@@ -3053,6 +3058,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -3606,8 +3612,6 @@ CONFIG_IRQCHIP=y
# CONFIG_IPACK_BUS is not set
CONFIG_RESET_CONTROLLER=y
-# CONFIG_RESET_BRCMSTB_RESCAL is not set
-# CONFIG_RESET_INTEL_GW is not set
# CONFIG_RESET_TI_SYSCON is not set
#
@@ -3880,7 +3884,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
@@ -4028,6 +4031,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.x86 b/main/linux-lts/config-virt.x86
index 810c95f26a..b39408e661 100644
--- a/main/linux-lts/config-virt.x86
+++ b/main/linux-lts/config-virt.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.43 Kernel Configuration
+# Linux/x86 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -737,6 +737,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -2651,6 +2655,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
@@ -3129,6 +3134,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -3496,7 +3502,6 @@ CONFIG_DMA_ACPI=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_PCH_DMA=m
# CONFIG_PLX_DMA is not set
-# CONFIG_XILINX_ZYNQMP_DPDMA is not set
# CONFIG_QCOM_HIDMA_MGMT is not set
CONFIG_QCOM_HIDMA=m
# CONFIG_DW_DMAC is not set
@@ -3936,7 +3941,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
CONFIG_PSTORE_RAM=m
-# CONFIG_PSTORE_BLK is not set
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
@@ -4088,6 +4092,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.x86_64 b/main/linux-lts/config-virt.x86_64
index e05a637a91..3fa1530c97 100644
--- a/main/linux-lts/config-virt.x86_64
+++ b/main/linux-lts/config-virt.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.93 Kernel Configuration
+# Linux/x86_64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20210424) 10.3.1 20210424"
CONFIG_CC_IS_GCC=y
@@ -3212,6 +3212,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
diff --git a/main/linux-pam/APKBUILD b/main/linux-pam/APKBUILD
index 4988f5ab75..fd5cdf40d5 100644
--- a/main/linux-pam/APKBUILD
+++ b/main/linux-pam/APKBUILD
@@ -28,7 +28,7 @@ source="
builddir="$srcdir"/Linux-PAM-$pkgver
# secfixes:
-# 1.5.1:
+# 1.5.1-r0:
# - CVE-2020-27780
prepare() {
default_prepare
diff --git a/main/logrotate/APKBUILD b/main/logrotate/APKBUILD
index 7be6a06d93..f9da6bf1a2 100644
--- a/main/logrotate/APKBUILD
+++ b/main/logrotate/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=logrotate
pkgver=3.18.1
-pkgrel=0
+pkgrel=1
pkgdesc="Tool to rotate logfiles"
url="https://github.com/logrotate/logrotate"
arch="all"
@@ -52,6 +52,6 @@ package() {
sha512sums="
d559bf188f587096433887d3a89040fa82f4db35fbae84a9e6d04c425e6d004cbed9bd48bb3eaf53e424a82e1e777b02e55ee17ecdb4c6c0ec3db81964db5b14 logrotate-3.18.1.tar.xz
f4d708594fb2b240cfc2928f38a180d27c2cecb9867e048dc29a32c0147244db4d2f6d92e7bff27e1f2623537587db87b2f8fc9bb988f98eff0c98f79f5a5bf2 logrotate.cron
-9e6a1d024b1cf1ddb8b631fdc1379bfecbfeb1af873930d2a19d32313b26881926df5c21b47b55ada2b6012be981ec2d6d8fa2f249a68b61fd2c97c32f52a957 logrotate.conf
+e91c1648a088410d1f5ad16d05b67e316977be5cc0cbbb21a4e1fda2267415fb7945553aa4b4a4701d658fd6bfe35e3d9a304e0cf2a9c7f1be5a5753c3dbc7cb logrotate.conf
be9f0043b594d26b4f64e07a2188d19c3c43af75ef726305e4d98f744fc16cee9f280227116858e2f5b781c0a7b58e0209d7e9ab1285dfa7ba55a9dfda700229 logrotate.confd
"
diff --git a/main/logrotate/logrotate.conf b/main/logrotate/logrotate.conf
index ba75a0c2cb..30cf9c9904 100644
--- a/main/logrotate/logrotate.conf
+++ b/main/logrotate/logrotate.conf
@@ -17,9 +17,6 @@ tabooext + .apk-new
# uncomment this if you want your log files compressed
compress
-# main log file
-/var/log/messages {}
-
# apk packages drop log rotation information into this directory
include /etc/logrotate.d
diff --git a/main/lua5.4/APKBUILD b/main/lua5.4/APKBUILD
index 4294e5c777..5b983dd354 100644
--- a/main/lua5.4/APKBUILD
+++ b/main/lua5.4/APKBUILD
@@ -3,7 +3,7 @@ pkgname=lua5.4
_pkgname=lua
pkgver=5.4.3
_luaver=${pkgname#lua}
-pkgrel=0
+pkgrel=1
pkgdesc="Powerful light-weight programming language"
url="https://www.lua.org/"
arch="all"
@@ -17,10 +17,13 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz
lua-5.4-make.patch
lua-5.4-module_paths.patch
lua5.4.pc
+ CVE-2022-28805.patch
"
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes:
+# 5.4.3-r1:
+# - CVE-2022-28805
# 5.3.5-r2:
# - CVE-2019-6706
@@ -101,7 +104,10 @@ libs() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
-sha512sums="3a1a3ee8694b72b4ec9d3ce76705fe179328294353604ca950c53f41b41161b449877d43318ef4501fee44ecbd6c83314ce7468d7425ba9b2903c9c32a28bbc0 lua-5.4.3.tar.gz
+sha512sums="
+3a1a3ee8694b72b4ec9d3ce76705fe179328294353604ca950c53f41b41161b449877d43318ef4501fee44ecbd6c83314ce7468d7425ba9b2903c9c32a28bbc0 lua-5.4.3.tar.gz
1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027 lua-5.4-make.patch
904a9b296d0bdb68630f8865fce86fc8f092120ee6ebfeb97f069b5aa49f203ddc63aeceee276ae8e006bbb73bf2811e7eceb6aae82817170d3acef3ad057c93 lua-5.4-module_paths.patch
-34466bc244737a557ff2c87efbc62ab5c5424523f574d17b2f34aea40f534f2c45cdfa242097aadecd38f00d732b0c8e9daef1cd461728a084c72946edb9a48a lua5.4.pc"
+34466bc244737a557ff2c87efbc62ab5c5424523f574d17b2f34aea40f534f2c45cdfa242097aadecd38f00d732b0c8e9daef1cd461728a084c72946edb9a48a lua5.4.pc
+de9b2203ccde8711bfd3e6ff59fda12f48130fd9f6cc3e9db0403326a03e56433f929e29f869a12e9a4f1461d84b713efc5ea47e631a2830f945ea34fc4e081c CVE-2022-28805.patch
+"
diff --git a/main/lua5.4/CVE-2022-28805.patch b/main/lua5.4/CVE-2022-28805.patch
new file mode 100644
index 0000000000..b00fcc63f7
--- /dev/null
+++ b/main/lua5.4/CVE-2022-28805.patch
@@ -0,0 +1,23 @@
+Patch-Source: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+---
+ lparser.c | 1 +
+ testes/attrib.lua | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lparser.c b/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(&key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
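Review bot: The carried patch keeps upstream's diffstat (`testes/attrib.lua | 10 ++++++++++`, `2 files changed, 11 insertions(+)`) but contains only the one-line `lparser.c` hunk, and its `diff --git a/lparser.c b/lparser.c` line no longer matches the rewritten `--- a/src/lparser.c` path. Neither should stop the patch from applying, but a reader comparing it with Patch-Source cannot tell that the differences are deliberate. I would add a line under Patch-Source such as `Backport notes: paths prefixed with src/, testes/attrib.lua hunk dropped`. If the package's check() can run it, keeping a regression test for the `_ENV <const>` case would keep the added `luaK_exp2anyregup(fs, var)` call covered.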
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index 63e3a8c3d1..c667da953d 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.5.13
+pkgver=10.5.16
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -45,6 +45,41 @@ source="https://archive.mariadb.org/mariadb-$pkgver/source/mariadb-$pkgver.tar.g
"
# secfixes:
+# 10.5.16-r0:
+# - CVE-2022-27376
+# - CVE-2022-27377
+# - CVE-2022-27378
+# - CVE-2022-27379
+# - CVE-2022-27380
+# - CVE-2022-27381
+# - CVE-2022-27382
+# - CVE-2022-27383
+# - CVE-2022-27384
+# - CVE-2022-27386
+# - CVE-2022-27387
+# - CVE-2022-27444
+# - CVE-2022-27445
+# - CVE-2022-27446
+# - CVE-2022-27447
+# - CVE-2022-27448
+# - CVE-2022-27449
+# - CVE-2022-27451
+# - CVE-2022-27452
+# - CVE-2022-27455
+# - CVE-2022-27456
+# - CVE-2022-27457
+# - CVE-2022-27458
+# 10.5.15-r0:
+# - CVE-2021-46659
+# - CVE-2021-46661
+# - CVE-2021-46663
+# - CVE-2021-46664
+# - CVE-2021-46665
+# - CVE-2021-46668
+# - CVE-2022-24048
+# - CVE-2022-24050
+# - CVE-2022-24051
+# - CVE-2022-24052
# 10.5.13-r0:
# - CVE-2021-35604
# 10.5.12-r0:
@@ -461,7 +496,7 @@ _plugin_rocksdb() {
}
sha512sums="
-5d5ac04a3c8099a982cacb98dd4c162966fc7957e11c28e8b5645e49ffcf0513b9c8956f43d215c37e5eaa34aa8db6c71cfe993c89d62cab123021ee83169e7f mariadb-10.5.13.tar.gz
+28cea63cc3c5e1b236fb13593285e5d4b9aac5eaf259784e760def42bca8b09954510d39014a7a7c9e8656d61f5995a356df2f2ebb0df2696dd739ff3de5865d mariadb-10.5.16.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
b15d5cbe4e1547ad18cd1ce5a2d5a75d8dd8e017ca725154abdf28d3d1cae8403e0c3e93745441872f72e1ba9f2fef587f596231a231e374bd5a61ba3d8945ea ppc-remove-glibc-dep.patch
598490b4bb45c9f7be46086d25c2b6c601d417c45f11aa519c2290065e7d6e98a7519f9860b823e67a8fd3e6ce3b4728af73ec3a2c66eec32b42fd4ad7cc07f7 disable-failing-test.patch
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 44bf1c7681..7836029cd5 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.20.1-r1:
+# - CVE-2021-3618
# 1.20.1-r0:
# - CVE-2021-23017
# 1.16.1-r6:
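Review bot: The new secfixes key `1.20.1-r1` does not match the release this commit builds: the next hunk keeps `pkgver=1.20.2` and raises `pkgrel` to 1, so the package that first carries CVE-2021-3618.patch is 1.20.2-r1. As far as this diff shows, 1.20.2-r0 was built without the patch, yet any tool that compares installed versions against the secfixes list would treat it as already fixed because it sorts after 1.20.1-r1. The entry should read `# 1.20.2-r1:`.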
@@ -23,7 +25,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.20.2
-pkgrel=0
+pkgrel=1
# Revision of nginx-tests to use for check().
_tests_hgrev=823f603da727
_njs_ver=0.5.3
@@ -79,6 +81,8 @@ source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
nginx-rtmp-module~02-23e1873.patch::https://github.com/arut/nginx-rtmp-module/commit/23e1873aa62acb58b7881eed2a501f5bf35b82e9.patch
traffic-accounting-nginx-module~disable-stream-module.patch
nginx_cookie_flag_module~fix-mem-allocations.patch
+ CVE-2021-3618.patch
+ nginx-tests~skip-broken-mail_max_error-tests.patch
nginx.conf
default.conf
stream.conf
@@ -444,6 +448,8 @@ e87d9c8cbebc147881e3a40e6944acfe836f29eb7b393af0465b04dd27f1fa42f17ab63d2bcc7505
ddfd20891de0a48bf378cbc30a9c08e6e73115531b9f14d8120410122a926c4d31f554306bfb34fbed593c7984d1290c32d2c473118c1cbfd33f7cfd50956fbe nginx-rtmp-module~02-23e1873.patch
09ec9f18323197eafa55ff68e8c836ad3dd830e6cd3bd4aeaf34e179ef3f72f734a0117288c1c58813aff59f3f1f0f29ccd772a672e17551e7a4fd0693a89c92 traffic-accounting-nginx-module~disable-stream-module.patch
ac0f912ae90e0083cc761a622290223edeed0bd32213bbe766d637ac2dfd9835d163e5d16ef28740cbad05d6d92cc418d62df3413c70b4f2c63db02f8ca1c7cc nginx_cookie_flag_module~fix-mem-allocations.patch
+5896417268cdd4cde1cc6a4cf9ebc3aa2c82cb4b27a68c1fa4e9c1065cf4e5f0eebc13cfdb2ac3ebe29fdc5332022a61681aceefe1c72c5402ce73fab3f03f5a CVE-2021-3618.patch
+d04ebbdf6e595b724cad59bef273e192328b47dfb15a6b19b6856ea6cc2152aaff86ca33cfd9f736cfab56377aab686d4dca6c25cb5373e56ac2e4651418c851 nginx-tests~skip-broken-mail_max_error-tests.patch
9c5ee975dffa15b76688ef798371635f38f1e6773b143c738add26297878dddfc20ebf276e3871a60f28b197e8a70496ca17d4816c2136171978c157bb8e591f nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
f3321a45736697009817db335ad36d3f1d05f60d98ac90a943220cdd4c00c52632f018db6a6076d5431a483525aacc5725b87b765b590e2f63b3ef98c5b16bd8 stream.conf
diff --git a/main/nginx/CVE-2021-3618.patch b/main/nginx/CVE-2021-3618.patch
new file mode 100644
index 0000000000..5c3441ef26
--- /dev/null
+++ b/main/nginx/CVE-2021-3618.patch
@@ -0,0 +1,92 @@
+Patch-Source: https://github.com/nginx/nginx/commit/173f16f736c10eae46cd15dd861b04b82d91a37a
+commit 173f16f736c10eae46cd15dd861b04b82d91a37a
+Author: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed May 19 03:13:31 2021 +0300
+
+ Mail: max_errors directive.
+
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+
+diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
+index 07104df6..21178c3e 100644
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@ typedef struct {
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@ typedef struct {
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
+index 40831242..115671ca 100644
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 57503e9a..246ba97c 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -874,7 +874,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
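Review bot: The patch header carries only the upstream commit message, which never mentions the CVE the file is named after, so a reader cannot tell from the file why a new `max_errors` directive is a security fix. A line under `Patch-Source:` such as `Backport for CVE-2021-3618: close mail connections after max_errors invalid commands (default 5)` would record that. It is worth stating there that the limit applies without any configuration change, since `ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5)` supplies the default. Because `s->errors` is incremented before the `>=` comparison, `max_errors 0` would close the connection on the first invalid command rather than disable the check.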
diff --git a/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch b/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch
new file mode 100644
index 0000000000..af563806b6
--- /dev/null
+++ b/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch
@@ -0,0 +1,33 @@
+The fix for CVE-2021-3618 triggers some tests to fail. These tests are normally
+skipped, but the patch enables the features that enabled the tests.
+
+Skip these specific checks for now.
+diff --git a/mail_max_errors.t b/mail_max_errors.t
+index f6f0171..295e872 100644
+--- a/mail_max_errors.t
++++ b/mail_max_errors.t
+@@ -61,7 +61,7 @@ mail {
+
+ EOF
+
+-$t->try_run('no max_errors')->plan(18);
++$t->try_run('no max_errors')->plan(16);
+
+ ###############################################################################
+
+@@ -82,7 +82,6 @@ $s->read();
+
+ $s->send('a01 FOO' . CRLF . 'a02 BAR' . CRLF . 'a03 BAZZ');
+ $s->check(qr/^a01 BAD/, 'imap pipelined first error');
+-$s->check(qr/^a02 BAD/, 'imap pipelined second error');
+ $s->check(qr/^$/, 'imap pipelined max errors');
+
+ # pop3
+@@ -102,7 +101,6 @@ $s->read();
+
+ $s->send('FOO' . CRLF . 'BAR' . CRLF . 'BAZZ');
+ $s->check(qr/^-ERR/, 'pop3 pipelined first error');
+-$s->check(qr/^-ERR/, 'pop3 pipelined second error');
+ $s->check(qr/^$/, 'pop3 pipelined max errors');
+
+ # smtp
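Review bot: The explanation at the top of this patch says that the two `pipelined second error` checks fail but not why, and "for now" gives no condition for restoring them. With both removed and the plan lowered from 18 to 16, the suite no longer verifies that a second pipelined invalid command is answered before the connection is closed. Presumably the behaviour differs from upstream because related mail pipelining changes are not part of the backport, but the header should state the confirmed cause. A line such as `Drop this patch when CVE-2021-3618.patch is no longer needed (nginx release containing the upstream max_errors change)` would give maintainers a removal condition.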
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 0852d75351..632d08f08c 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,11 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 14.19.0-r0:
+# - CVE-2022-21824
+# - CVE-2021-44533
+# - CVE-2021-44532
+# - CVE-2021-44531
# 14.18.1-r0:
# - CVE-2021-22959
# - CVE-2021-22960
@@ -84,7 +89,7 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=14.18.1
+pkgver=14.19.0
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
@@ -157,6 +162,7 @@ build() {
--openssl-use-def-ca-store \
--with-icu-default-data-dir=$(icu-config --icudatadir) \
--with-intl=small-icu \
+ --without-corepack \
--without-npm
make BUILDTYPE=Release
@@ -180,7 +186,7 @@ dev() {
}
sha512sums="
-f9455ff65a57772e242343e2c1113e769c2ab8123e8a4fd6bd65525f4401d5f35e0bc73981db4f76af4f8da4e14a389fd41d2eca97cde6f0dfed5ed7a6ec532c node-v14.18.1.tar.gz
+2973947c60fea08fa6e5a4adfd0b8e419fdeb69261e2e1df4d80cc75ee482115494040733a278f873d6402343f8424e80ea5151d85b99f2fc49c85d1dcb9135e node-v14.19.0.tar.gz
dbe8167b61518f8f59176759d69834d57bf3e6a5a5fd3dfc2359cafe0325da08b27f8220d278ed77f50c9f63a03313eabbbb0eaca3e592e5bb4e0d5be0ced373 disable-running-gyp-on-shared-deps.patch
44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch
30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index 734f788e29..58f3f0e57c 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,13 +2,13 @@
pkgname=openrc
pkgver=0.43.3
_ver=${pkgver/_git*/}
-pkgrel=2
+pkgrel=3
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="https://github.com/OpenRC/openrc"
arch="all"
license="BSD-2-Clause"
depends="ifupdown-any"
-makedepends="bsd-compat-headers"
+makedepends="bsd-compat-headers linux-headers"
checkdepends="sed"
subpackages="$pkgname-doc $pkgname-dev $pkgname-dbg
$pkgname-zsh-completion:zshcomp:noarch
@@ -30,6 +30,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
0020-staticroute-confd.patch
CVE-2021-42341.patch
+ seedrng.patch
openrc.logrotate
hostname.initd
@@ -149,6 +150,7 @@ ff9bf2f6e4f55633a9641385398f70a2e591e2b3b56b1903f168a97b07bd56dc5a65d151deeab942
af0d5a3e6bdd09abd65174a0292450ebb79116a6be50ad4dc368e7ade497020bf4f7d55487335eb32067616603c7d9c3f8596228064c93bfd47596fb12ef7215 0014-time_t-64bit.patch
50acfd498c74e34b099b43776545327dba63114d16347839bc9f1cc40b1898d0a600f05e64b24f7f013842e9f72fadc5a7b651d145d45699e87b6919ba077281 0020-staticroute-confd.patch
0c593760590748c57e40a0727aff4c4bf92d3a5317fe6de8a03efe44abb49a22fd76080b92d5cdb281c1c6ac51c8a1e2fbcfb78f0e7f55b94e6864832258bd04 CVE-2021-42341.patch
+e204fef5e5d1e8da140c43f42f0eb97283cb56c02193d137f56217cfd7b9ae0dfad5954fb8d1ce0fcb63c20537551ba706e7fd09f3f012fc2a6a0c1106d2540b seedrng.patch
12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd
c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
diff --git a/main/openrc/seedrng.patch b/main/openrc/seedrng.patch
new file mode 100644
index 0000000000..4f06f1e801
--- /dev/null
+++ b/main/openrc/seedrng.patch
@@ -0,0 +1,619 @@
+From 076c2552aeff88a27fe275dfaae61dedf4bb4bd5 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 24 Mar 2022 22:07:16 -0600
+Subject: [PATCH] Use seedrng for seeding the random number generator
+
+The RNG can't actually be seeded from a shell script, due to the
+reliance on ioctls. For this reason, the seedrng project provides a
+basic script meant to be copy and pasted into projects like OpenRC and
+tweaked as needed: https://git.zx2c4.com/seedrng/about/
+
+This commit imports it into OpenRC and wires up /etc/init.d/urandom to
+call it. It shouldn't be called by other things on the system, so it
+lives in rc_sbindir.
+
+Closes #506.
+Closes #507.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+ AUTHORS | 1 +
+ conf.d/urandom | 9 +-
+ init.d/urandom.in | 41 ++--
+ src/rc/Makefile | 6 +-
+ src/rc/meson.build | 10 +-
+ src/rc/seedrng.c | 453 +++++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 499 insertions(+), 21 deletions(-)
+ create mode 100644 src/rc/seedrng.c
+
+diff --git a/AUTHORS b/AUTHORS
+index 0616d5175..ede0f471b 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -43,6 +43,7 @@ Ian Stakenvicius <axs@gentoo.org>
+ Jakob Drexel <jake42@rommel.stw.uni-erlangen.de>
+ James Le Cuirot <chewi@aura-online.co.uk>
+ Jan Psota <jasiu@belsznica.pl>
++Jason A. Donenfeld <Jason@zx2c4.com>
+ Jason Zaman <jason@perfinion.com>
+ Joe Harvell <jharvell@dogpad.net>
+ Joe M <joe9mail@gmail.com>
+diff --git a/conf.d/urandom b/conf.d/urandom
+index f721a2491..744e4f702 100644
+--- a/conf.d/urandom
++++ b/conf.d/urandom
+@@ -2,4 +2,11 @@
+ # (say for crypt swap), so you will need to customize this
+ # behavior. If you have /var on a separate partition, then
+ # make sure this path lives on your root device somewhere.
+-urandom_seed="/var/lib/misc/random-seed"
++seed_dir="/var/lib/seedrng"
++lock_file="/var/run/seedrng.lock"
++
++# Set this to true if you do not want seed files to actually
++# credit the RNG. Set this if you plan to replicate this
++# file system image and do not have the wherewithal to first
++# delete the contents of /var/lib/seedrng.
++skip_credit="false"
+diff --git a/init.d/urandom.in b/init.d/urandom.in
+index 0d6ab66e0..cda431fdb 100644
+--- a/init.d/urandom.in
++++ b/init.d/urandom.in
+@@ -1,5 +1,5 @@
+ #!@SBINDIR@/openrc-run
+-# Copyright (c) 2007-2015 The OpenRC Authors.
++# Copyright (c) 2007-2022 The OpenRC Authors.
+ # See the Authors file at the top-level directory of this distribution and
+ # https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
+ #
+@@ -9,7 +9,10 @@
+ # This file may not be copied, modified, propagated, or distributed
+ # except according to the terms contained in the LICENSE file.
+
+-: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}
++export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}"
++export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}"
++export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}"
++: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed}
+ description="Initializes the random number generator."
+
+ depend()
+@@ -21,33 +24,35 @@ depend()
+
+ save_seed()
+ {
+- local psz=1
+-
+- if [ -e /proc/sys/kernel/random/poolsize ]; then
+- : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))
+- fi
+-
+ ( # sub shell to prevent umask pollution
+ umask 077
+- dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null
++ dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null
+ )
+ }
+
+ start()
+ {
+- [ -c /dev/urandom ] || return
+- if [ -f "$urandom_seed" ]; then
+- ebegin "Initializing random number generator"
+- cat "$urandom_seed" > /dev/urandom
+- eend $? "Error initializing random number generator"
++ if [ "$RC_UNAME" = Linux ]; then
++ seedrng
++ else
++ [ -c /dev/urandom ] || return
++ if [ -f "$urandom_seed" ]; then
++ ebegin "Initializing random number generator"
++ cat "$urandom_seed" > /dev/urandom
++ eend $? "Error initializing random number generator"
++ fi
++ rm -f "$urandom_seed" && save_seed
+ fi
+- rm -f "$urandom_seed" && save_seed
+ return 0
+ }
+
+ stop()
+ {
+- ebegin "Saving random seed"
+- save_seed
+- eend $? "Failed to save random seed"
++ if [ "$RC_UNAME" = Linux ]; then
++ seedrng
++ else
++ ebegin "Saving random seed"
++ save_seed
++ eend $? "Failed to save random seed"
++ fi
+ }
+diff --git a/src/rc/Makefile b/src/rc/Makefile
+index fd796d920..62539f134 100644
+--- a/src/rc/Makefile
++++ b/src/rc/Makefile
+@@ -15,7 +15,7 @@ endif
+
+ ifeq (${OS},Linux)
+ SRCS+= kill_all.c openrc-init.c openrc-shutdown.c rc-sysvinit.c broadcast.c \
+- rc-wtmp.c
++ rc-wtmp.c seedrng.c
+ endif
+
+ CLEANFILES= version.h rc-selinux.o
+@@ -47,6 +47,7 @@ RC_SBINPROGS= mark_service_starting mark_service_started \
+
+ ifeq (${OS},Linux)
+ RC_BINPROGS+= kill_all
++RC_SBINPROGS+= seedrng
+ SBINPROGS+= openrc-init openrc-shutdown
+ endif
+
+@@ -180,3 +181,6 @@ shell_var: shell_var.o
+
+ swclock: swclock.o _usage.o rc-misc.o
+ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
++
++seedrng: seedrng.o
++ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
+diff --git a/src/rc/seedrng.c b/src/rc/seedrng.c
+new file mode 100644
+index 000000000..c1f941457
+--- /dev/null
++++ b/src/rc/seedrng.c
+@@ -0,0 +1,453 @@
++/*
++ * seedrng.c
++ * Seed kernel RNG from seed file, based on code from:
++ * https://git.zx2c4.com/seedrng/about/
++ */
++
++/*
++ * Copyright (c) 2022 The OpenRC Authors.
++ * See the Authors file at the top-level directory of this distribution and
++ * https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
++ *
++ * This file is part of OpenRC. It is subject to the license terms in
++ * the LICENSE file found in the top-level directory of this
++ * distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
++ * This file may not be copied, modified, propagated, or distributed
++ * except according to the terms contained in the LICENSE file.
++ */
++
++#include <linux/random.h>
++#include <sys/random.h>
++#include <sys/ioctl.h>
++#include <sys/file.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <fcntl.h>
++#include <poll.h>
++#include <unistd.h>
++#include <time.h>
++#include <errno.h>
++#include <endian.h>
++#include <stdbool.h>
++#include <stdint.h>
++#include <string.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#include "rc.h"
++#include "einfo.h"
++#include "helpers.h"
++
++#ifndef GRND_INSECURE
++#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
++#endif
++
++static const char *SEED_DIR;
++static const char *LOCK_FILE;
++static char *CREDITABLE_SEED;
++static char *NON_CREDITABLE_SEED;
++
++enum blake2s_lengths {
++ BLAKE2S_BLOCK_LEN = 64,
++ BLAKE2S_HASH_LEN = 32,
++ BLAKE2S_KEY_LEN = 32
++};
++
++enum seedrng_lengths {
++ MAX_SEED_LEN = 512,
++ MIN_SEED_LEN = BLAKE2S_HASH_LEN
++};
++
++struct blake2s_state {
++ uint32_t h[8];
++ uint32_t t[2];
++ uint32_t f[2];
++ uint8_t buf[BLAKE2S_BLOCK_LEN];
++ unsigned int buflen;
++ unsigned int outlen;
++};
++
++#define le32_to_cpup(a) le32toh(*(a))
++#define cpu_to_le32(a) htole32(a)
++#ifndef ARRAY_SIZE
++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
++#endif
++#ifndef DIV_ROUND_UP
++#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
++#endif
++
++static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words)
++{
++ while (words--) {
++ *buf = cpu_to_le32(*buf);
++ ++buf;
++ }
++}
++
++static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words)
++{
++ while (words--) {
++ *buf = le32_to_cpup(buf);
++ ++buf;
++ }
++}
++
++static inline uint32_t ror32(uint32_t word, unsigned int shift)
++{
++ return (word >> (shift & 31)) | (word << ((-shift) & 31));
++}
++
++static const uint32_t blake2s_iv[8] = {
++ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
++ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
++};
++
++static const uint8_t blake2s_sigma[10][16] = {
++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
++};
++
++static void blake2s_set_lastblock(struct blake2s_state *state)
++{
++ state->f[0] = -1;
++}
++
++static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc)
++{
++ state->t[0] += inc;
++ state->t[1] += (state->t[0] < inc);
++}
++
++static void blake2s_init_param(struct blake2s_state *state, const uint32_t param)
++{
++ int i;
++
++ memset(state, 0, sizeof(*state));
++ for (i = 0; i < 8; ++i)
++ state->h[i] = blake2s_iv[i];
++ state->h[0] ^= param;
++}
++
++static void blake2s_init(struct blake2s_state *state, const size_t outlen)
++{
++ blake2s_init_param(state, 0x01010000 | outlen);
++ state->outlen = outlen;
++}
++
++static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc)
++{
++ uint32_t m[16];
++ uint32_t v[16];
++ int i;
++
++ while (nblocks > 0) {
++ blake2s_increment_counter(state, inc);
++ memcpy(m, block, BLAKE2S_BLOCK_LEN);
++ le32_to_cpu_array(m, ARRAY_SIZE(m));
++ memcpy(v, state->h, 32);
++ v[ 8] = blake2s_iv[0];
++ v[ 9] = blake2s_iv[1];
++ v[10] = blake2s_iv[2];
++ v[11] = blake2s_iv[3];
++ v[12] = blake2s_iv[4] ^ state->t[0];
++ v[13] = blake2s_iv[5] ^ state->t[1];
++ v[14] = blake2s_iv[6] ^ state->f[0];
++ v[15] = blake2s_iv[7] ^ state->f[1];
++
++#define G(r, i, a, b, c, d) do { \
++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
++ d = ror32(d ^ a, 16); \
++ c += d; \
++ b = ror32(b ^ c, 12); \
++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
++ d = ror32(d ^ a, 8); \
++ c += d; \
++ b = ror32(b ^ c, 7); \
++} while (0)
++
++#define ROUND(r) do { \
++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
++ G(r, 2, v[2], v[ 6], v[10], v[14]); \
++ G(r, 3, v[3], v[ 7], v[11], v[15]); \
++ G(r, 4, v[0], v[ 5], v[10], v[15]); \
++ G(r, 5, v[1], v[ 6], v[11], v[12]); \
++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
++} while (0)
++ ROUND(0);
++ ROUND(1);
++ ROUND(2);
++ ROUND(3);
++ ROUND(4);
++ ROUND(5);
++ ROUND(6);
++ ROUND(7);
++ ROUND(8);
++ ROUND(9);
++
++#undef G
++#undef ROUND
++
++ for (i = 0; i < 8; ++i)
++ state->h[i] ^= v[i] ^ v[i + 8];
++
++ block += BLAKE2S_BLOCK_LEN;
++ --nblocks;
++ }
++}
++
++static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen)
++{
++ const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen;
++ const uint8_t *in = inp;
++
++ if (!inlen)
++ return;
++ if (inlen > fill) {
++ memcpy(state->buf + state->buflen, in, fill);
++ blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN);
++ state->buflen = 0;
++ in += fill;
++ inlen -= fill;
++ }
++ if (inlen > BLAKE2S_BLOCK_LEN) {
++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN);
++ blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN);
++ in += BLAKE2S_BLOCK_LEN * (nblocks - 1);
++ inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1);
++ }
++ memcpy(state->buf + state->buflen, in, inlen);
++ state->buflen += inlen;
++}
++
++static void blake2s_final(struct blake2s_state *state, uint8_t *out)
++{
++ blake2s_set_lastblock(state);
++ memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen);
++ blake2s_compress(state, state->buf, 1, state->buflen);
++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
++ memcpy(out, state->h, state->outlen);
++}
++
++static size_t determine_optimal_seed_len(void)
++{
++ size_t ret = 0;
++ char poolsize_str[11] = { 0 };
++ int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY);
++
++ if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) {
++ ewarn("Unable to determine pool size, falling back to %u bits: %s", MIN_SEED_LEN * 8, strerror(errno));
++ ret = MIN_SEED_LEN;
++ } else
++ ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8);
++ if (fd >= 0)
++ close(fd);
++ if (ret < MIN_SEED_LEN)
++ ret = MIN_SEED_LEN;
++ else if (ret > MAX_SEED_LEN)
++ ret = MAX_SEED_LEN;
++ return ret;
++}
++
++static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable)
++{
++ ssize_t ret;
++ int urandom_fd;
++
++ *is_creditable = false;
++ ret = getrandom(seed, len, GRND_NONBLOCK);
++ if (ret == (ssize_t)len) {
++ *is_creditable = true;
++ return 0;
++ }
++ if (ret == -1 && errno == ENOSYS) {
++ struct pollfd random_fd = {
++ .fd = open("/dev/random", O_RDONLY),
++ .events = POLLIN
++ };
++ if (random_fd.fd < 0)
++ return -errno;
++ *is_creditable = poll(&random_fd, 1, 0) == 1;
++ close(random_fd.fd);
++ } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
++ return 0;
++ urandom_fd = open("/dev/urandom", O_RDONLY);
++ if (urandom_fd < 0)
++ return -errno;
++ ret = read(urandom_fd, seed, len);
++ if (ret == (ssize_t)len)
++ ret = 0;
++ else
++ ret = -errno ? -errno : -EIO;
++ close(urandom_fd);
++ return ret;
++}
++
++static int seed_rng(uint8_t *seed, size_t len, bool credit)
++{
++ struct {
++ int entropy_count;
++ int buf_size;
++ uint8_t buffer[MAX_SEED_LEN];
++ } req = {
++ .entropy_count = credit ? len * 8 : 0,
++ .buf_size = len
++ };
++ int random_fd, ret;
++
++ if (len > sizeof(req.buffer))
++ return -EFBIG;
++ memcpy(req.buffer, seed, len);
++
++ random_fd = open("/dev/random", O_RDWR);
++ if (random_fd < 0)
++ return -errno;
++ ret = ioctl(random_fd, RNDADDENTROPY, &req);
++ if (ret)
++ ret = -errno ? -errno : -EIO;
++ close(random_fd);
++ return ret;
++}
++
++static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash)
++{
++ uint8_t seed[MAX_SEED_LEN];
++ ssize_t seed_len;
++ int fd, dfd, ret = 0;
++
++ fd = open(filename, O_RDONLY);
++ if (fd < 0 && errno == ENOENT)
++ return 0;
++ else if (fd < 0) {
++ ret = -errno;
++ eerror("Unable to open seed file: %s", strerror(errno));
++ return ret;
++ }
++ dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY);
++ if (dfd < 0) {
++ ret = -errno;
++ close(fd);
++ eerror("Unable to open seed directory: %s", strerror(errno));
++ return ret;
++ }
++ seed_len = read(fd, seed, sizeof(seed));
++ if (seed_len < 0) {
++ ret = -errno;
++ eerror("Unable to read seed file: %s", strerror(errno));
++ }
++ close(fd);
++ if (ret) {
++ close(dfd);
++ return ret;
++ }
++ if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) {
++ ret = -errno;
++ eerror("Unable to remove seed after reading, so not seeding: %s", strerror(errno));
++ }
++ close(dfd);
++ if (ret)
++ return ret;
++ if (!seed_len)
++ return 0;
++
++ blake2s_update(hash, &seed_len, sizeof(seed_len));
++ blake2s_update(hash, seed, seed_len);
++
++ einfo("Seeding %zd bits %s crediting", seed_len * 8, credit ? "and" : "without");
++ ret = seed_rng(seed, seed_len, credit);
++ if (ret < 0)
++ eerror("Unable to seed: %s", strerror(-ret));
++ return ret;
++}
++
++static void populate_global_paths(void)
++{
++ SEED_DIR = getenv("SEEDRNG_SEED_DIR");
++ if (!SEED_DIR || !*SEED_DIR)
++ SEED_DIR = "/var/lib/seedrng";
++ LOCK_FILE = getenv("SEEDRNG_LOCK_FILE");
++ if (!LOCK_FILE || !*LOCK_FILE)
++ LOCK_FILE = "/var/run/seedrng.lock";
++ xasprintf(&CREDITABLE_SEED, "%s/seed.credit", SEED_DIR);
++ xasprintf(&NON_CREDITABLE_SEED, "%s/seed.no-credit", SEED_DIR);
++}
++
++int main(int argc _unused, char *argv[] _unused)
++{
++ static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix";
++ static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure";
++ int ret, fd, lock, program_ret = 0;
++ uint8_t new_seed[MAX_SEED_LEN];
++ size_t new_seed_len;
++ bool new_seed_creditable;
++ struct timespec realtime = { 0 }, boottime = { 0 };
++ struct blake2s_state hash;
++
++ umask(0077);
++ if (getuid())
++ eerrorx("This rc helper program requires root");
++
++ populate_global_paths();
++ blake2s_init(&hash, BLAKE2S_HASH_LEN);
++ blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix));
++ clock_gettime(CLOCK_REALTIME, &realtime);
++ clock_gettime(CLOCK_BOOTTIME, &boottime);
++ blake2s_update(&hash, &realtime, sizeof(realtime));
++ blake2s_update(&hash, &boottime, sizeof(boottime));
++
++ if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST)
++ eerrorx("Unable to create \"%s\" directory: %s", SEED_DIR, strerror(errno));
++
++ lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000);
++ if (lock < 0 || flock(lock, LOCK_EX) < 0)
++ eerrorx("Unable to open lock file: %s", strerror(errno));
++
++ ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash);
++ if (ret < 0)
++ program_ret |= 1 << 1;
++ ret = seed_from_file_if_exists(CREDITABLE_SEED, !rc_yesno(getenv("SEEDRNG_SKIP_CREDIT")), &hash);
++ if (ret < 0)
++ program_ret |= 1 << 2;
++
++ new_seed_len = determine_optimal_seed_len();
++ ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable);
++ if (ret < 0) {
++ eerror("Unable to read new seed: %s", strerror(-ret));
++ new_seed_len = BLAKE2S_HASH_LEN;
++ strncpy((char *)new_seed, seedrng_failure, new_seed_len);
++ program_ret |= 1 << 3;
++ }
++ blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len));
++ blake2s_update(&hash, new_seed, new_seed_len);
++ blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN);
++
++ einfo("Saving %zu bits of %s seed for next boot", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable");
++ fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400);
++ if (fd < 0) {
++ eerror("Unable to open seed file for writing: %s", strerror(errno));
++ program_ret |= 1 << 4;
++ goto out;
++ }
++ if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) {
++ eerror("Unable to write seed file: %s", strerror(errno));
++ program_ret |= 1 << 5;
++ goto out;
++ }
++ if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) {
++ ewarn("Unable to make new seed creditable: %s", strerror(errno));
++ program_ret |= 1 << 6;
++ }
++out:
++ close(fd);
++ close(lock);
++ return program_ret;
++}
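Review bot: In src/rc/seedrng.c, `main()` can save a fallback seed as creditable. On the ENOSYS path `read_new_seed()` sets `*is_creditable` from the `/dev/random` poll and can still return an error afterwards if `/dev/urandom` cannot be opened or fully read. The `if (ret < 0)` branch in `main()` then substitutes the fixed `seedrng_failure` string but leaves `new_seed_creditable` as it was. The saved value is then derived only from the old seeds and timestamps hashed so far, and it may still be renamed to `seed.credit` and credited on the next boot. Adding `new_seed_creditable = false;` inside that branch keeps the fallback seed non-creditable.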
diff --git a/main/opensmtpd/APKBUILD b/main/opensmtpd/APKBUILD
index 952581aa66..bcf0c14bfa 100644
--- a/main/opensmtpd/APKBUILD
+++ b/main/opensmtpd/APKBUILD
@@ -8,7 +8,7 @@
# - CVE-2020-7247
pkgname=opensmtpd
pkgver=6.8.0p2
-pkgrel=0
+pkgrel=2
pkgdesc="Secure, reliable, lean, and easy-to configure SMTP server"
url="https://www.opensmtpd.org/"
arch="all"
@@ -84,8 +84,10 @@ pam() {
amove usr/sbin/smtpd-pam
}
-sha512sums="48f152b75575146fdd09bdf47123041ea62fefb6e5de33a69826bf91a2126a918f8db1caffadb2f142a1a21de8126d492de88cb65bdf169e61c0b22d3e78d290 opensmtpd-6.8.0p2.tar.gz
-ec3e3a877f77d55a8f676169ff30feb1467b5ac5b0a3bfa960c54ab3848610ccf819e037d2d2a3b2231ec35989cf1dd03f105a7b5188fc828ee653260532fe1b smtpd.initd
+sha512sums="
+48f152b75575146fdd09bdf47123041ea62fefb6e5de33a69826bf91a2126a918f8db1caffadb2f142a1a21de8126d492de88cb65bdf169e61c0b22d3e78d290 opensmtpd-6.8.0p2.tar.gz
+cce0c3b014a02d46c77d4de6495cf8e7e48d17c89c27432f121060d6712ae3606a6e5d51a74cf5504e826f7dd72176297dc83c9e6623f8e3fe9a952c8d02add1 smtpd.initd
e68fca4a7e0ceda271ad61c5a6592a859789bea9ccb6417258f7a0b45d92163ed6097c208d3fdfb78bf978a6a01b6f3678e047e3ce972b2c521419d54a992e0a smtpd.confd
51d47b34eb3d728daa45f29d6434cc75db28dfa69b6fb3ecd873121df85b296a2d2c81016d765a07778aa26a496e4b29c09a30b82678cf42596a536734b5deca aliases
-8639757c0190ca96dd32530b5b7e26637dab3204fd3750385eb495964e787157a8d3a084d109709889e5b2ca99f9e51da2192030fdfe9440f431531299a8e103 smtpd.conf.patch"
+8639757c0190ca96dd32530b5b7e26637dab3204fd3750385eb495964e787157a8d3a084d109709889e5b2ca99f9e51da2192030fdfe9440f431531299a8e103 smtpd.conf.patch
+"
diff --git a/main/opensmtpd/smtpd.initd b/main/opensmtpd/smtpd.initd
index ae55a7a73d..e72fa4173d 100644
--- a/main/opensmtpd/smtpd.initd
+++ b/main/opensmtpd/smtpd.initd
@@ -33,9 +33,9 @@ checkconfig() {
ebegin "Checking $name configuration"
# Don't output anything unless something is *not* ok.
- local out; out=$($command -n 2>&1)
- local ret=$?
+ local out rc=0
+ out=$($command -n 2>&1) || rc=$?
+ [ "$rc" -eq 0 ] || printf '%s\n' "$out" >&2
- [ "$ret" -eq 0 ] || printf '%s\n' "$out" >&2
- eend $?
+ eend $rc
}
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 536ef62650..f40ea6059a 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1l
+pkgver=1.1.1o
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -19,6 +19,8 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.1n-r0:
+# - CVE-2022-0778
# 1.1.1l-r0:
# - CVE-2021-3711
# - CVE-2021-3712
@@ -44,6 +46,8 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
# 1.1.1a-r0:
# - CVE-2018-0734
# - CVE-2018-0735
+# 0:
+# - CVE-2022-1292
build() {
local _target _optflags
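Review bot: The new `0:` entry for CVE-2022-1292 carries no reason. In Alpine's secfixes convention, as far as I know, that key records a CVE as never having affected the package, so a reader cannot tell why it is listed there rather than under the release this commit bumps to. A trailing annotation in the style the tcpdump APKBUILD in this same diff uses would carry it, e.g. `#   - CVE-2022-1292 # <reason the package was not affected>`. The reason is not visible in the diff, so whoever triaged the CVE should fill it in. The `build()` body continues outside the hunk.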
@@ -126,7 +130,7 @@ _libssl() {
}
sha512sums="
-d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0 openssl-1.1.1l.tar.gz
+75b2f1499cb4640229eb6cd35d85cbff2e19db17b959ac4d04b60f1b395b73567f9003521452a0fcfeea9b31b26de0a7bccf476ecf9caae02298f3647cfb7e23 openssl-1.1.1o.tar.gz
43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
"
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 44dc67160b..12f8213aed 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openvpn
-pkgver=2.5.2
+pkgver=2.5.6
pkgrel=0
pkgdesc="Robust, and highly configurable VPN (Virtual Private Network)"
url="https://openvpn.net/"
@@ -12,7 +12,7 @@ depends="iproute2"
depends_dev="openssl-dev" # openvpn-plugin.h includes openssl/x509.h
makedepends="$depends_dev lzo-dev linux-pam-dev linux-headers"
install="$pkgname.pre-install"
-source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz
+source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.gz
openvpn.initd
openvpn.confd
openvpn.up
@@ -20,6 +20,8 @@ source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz
"
# secfixes:
+# 2.5.6-r0:
+# - CVE-2022-0547
# 2.5.2-r0:
# - CVE-2020-15078
# 2.4.9-r0:
@@ -72,8 +74,10 @@ pam() {
"$subpkgdir"/usr/lib/openvpn/plugins/
}
-sha512sums="ae2cac00ae4b9e06e7e70b268ed47d36bbb45409650175e507d5bfa12b0a4f24bccc64f2494d1563f9269c8076d0f753a492f01ea33ce376ba00b7cdcb5c7bd0 openvpn-2.5.2.tar.xz
+sha512sums="
+0bb0dda44ff757cf5249b6c047932c51073344a1d69048f210da421263a07bb5f4370f5b0c3ed4fdd6c6da2888d28fe8ee8947b59594f4c17a9ea20588852bc0 openvpn-2.5.6.tar.gz
111a1ce79bdb41b8a03c0d43f1fd87de8a0d5592a8b1bd878113af79adce3d0a3109badd92b5af9a0f80b6585473a1e01638f7e78e6baa8aac439f0708bc2a72 openvpn.initd
1f14d4bd7a4a026c276af048ce647501c15358c6b0d184e95c49be5b8184188c8edafb76ed94835cdbb314187ee3b5b3ccd852e3a47add0599814c402309bece openvpn.confd
cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
-4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
+4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down
+"
diff --git a/main/postfix/APKBUILD b/main/postfix/APKBUILD
index 58f3cf2450..a7c6f528df 100644
--- a/main/postfix/APKBUILD
+++ b/main/postfix/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=postfix
-pkgver=3.6.3
+pkgver=3.6.6
pkgrel=0
pkgdesc="Secure and fast drop-in replacement for Sendmail (MTA)"
url="http://www.postfix.org/"
@@ -197,7 +197,7 @@ stone() {
}
sha512sums="
-7179aaeeaf27838b867d9a07f9a889d7cd6b7f5053e123caef4dff2820d4df6d5be167effedde6c857b4468966b8449c631e56405e1ac2d589716fb4e3f15e3b postfix-3.6.3.tar.gz
+ee2e1a59c99b9869c401f8a42afdc094c4b2ba804ed8f9f366c33b36b8d2c66d8362d5a32fbe72f4b2c9a431c232b60ada9fce29dec60ac4610220e0f5c6fb77 postfix-3.6.6.tar.gz
2752e69c4e1857bdcf29444ffb458bca818bc60b9c77c20823c5f5b87c36cb5e0f3217a625a7fe5788d5bfcef7570a1f2149e1233fcd23ccf7ee14190aff47a2 postfix.initd
25cd34f23ca909d4e33aaf3239d1e397260abc7796d9a4456dee4f005682fd3a58aab8106126e5218c95bdddae415a3ef7e2223cd3b0d7b1e2bd76158bb7eaf8 postfix-install.patch
0769e2e503486f8dd6fa21f2c534ad7df7a9f1bb57dde2f0ad61863a3e615d0a6dc18132b27796eb28cd81afb2b4e97c65c9d490a391f835aa3b7b18e74252c5 lmdb-default.patch
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 3c5555b97d..5310fa28c2 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=13.5
+pkgver=13.6
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -300,7 +300,7 @@ _run_tests() {
}
sha512sums="
-c76effbca8ee63be48fa3aeb39c7038221848fe83ca2afc4e0904ba8c6a50b89aa2ad37080d4e3be75e9bdc2d6ca6dfefcda334ef55a5e1a8954bb955ce905e5 postgresql-13.5.tar.bz2
+2852726a3031b8d469f1c38f3019af02fc5afe40ec27b22288a29acefd30c63a98806bce88a214d0c2f9177f547b0b5010ad64e70bcbe2c2f1d97a27ae1984f8 postgresql-13.6.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
27e00b58fe5c3899c66fc0dde51846c14701bcfedd132b106d676783ba603e8cbdc6e620f29b52dc892bdaa9302052788cf5e575a1659f61c017a12e0d2ee4d0 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
diff --git a/main/rdiff-backup/APKBUILD b/main/rdiff-backup/APKBUILD
index d3e2e39943..2070d02db2 100644
--- a/main/rdiff-backup/APKBUILD
+++ b/main/rdiff-backup/APKBUILD
@@ -2,13 +2,14 @@
# Maintainer: Jeremy Thomerson <jeremy@thomersonfamily.com>
pkgname=rdiff-backup
pkgver=2.0.5
-pkgrel=3
+pkgrel=4
pkgdesc="Reverse differential backup tool"
# Requires unpackaged 'xattr'
options="!check"
url="https://rdiff-backup.net/"
arch="all"
license="GPL-2.0-or-later"
+depends="python3"
makedepends="librsync-dev python3-dev py3-setuptools"
subpackages="
$pkgname-doc
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index ea5e162861..6b6c086167 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=6.2.6
+pkgver=6.2.7
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -26,6 +26,9 @@ source="https://download.redis.io/releases/redis-$pkgver.tar.gz
options="!check"
# secfixes:
+# 6.2.7-r0:
+# - CVE-2022-24735
+# - CVE-2022-24736
# 6.2.6-r0:
# - CVE-2021-32626
# - CVE-2021-32627
@@ -87,7 +90,7 @@ package() {
}
sha512sums="
-9b947d26fd9e208627ed22d318ab3d0775ab0be46d98db1c1d158feac671b984e75ce33e647d196face9643f80768af47e678be1b4e1ddd3eb56dff467c46022 redis-6.2.6.tar.gz
+d113094b8e31754915db7f0317d9b7969e034af3a7bac2ae0cbfad6cc61ba3aae35e9709c435abc1024a96f914df7a760b3cd18d06c375b541cfa837d1c5b953 redis-6.2.7.tar.gz
7725486329f2aba8fe03a768f6d8ab78cc96ab6f2ca403af56c252ef7978f7628b580587b372969ca5dd6257780ef58571ce6dc5aca468c3b2a299033b41047f redis.conf.patch
a5dc411c2bd7edf61400e29accb375275dd888fda72a8f7e3889be475010c695a22f536be818ef9441e47285c00b451966db924362a7f56806586078c9e3ff8c sentinel.conf.patch
f6dcdad1edd6b5fb6aa28ba774bfc8aba035f316695da261fb2ad291b76f00f177479f9d74434d06c26bd15f131edc9a2f55c9880758cf0987800d2031069738 redis.initd
diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD
index 209b42f3c1..252b85e8c2 100644
--- a/main/rsyslog/APKBUILD
+++ b/main/rsyslog/APKBUILD
@@ -6,7 +6,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=rsyslog
pkgver=8.2012.0
-pkgrel=1
+pkgrel=3
pkgdesc="Enhanced multi-threaded syslogd with database support and more"
url="https://www.rsyslog.com/"
arch="all !s390x" # limited by czmq
@@ -49,6 +49,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/rsyslog/rsyslog/archive/v$pk
$pkgname.conf
musl-fix.patch
queue.patch
+ CVE-2022-24903.patch
"
# <subpackage>[:<module>...]
@@ -92,6 +93,8 @@ for _i in $_plugins; do
done
# secfixes:
+# 8.2012.0-r3:
+# - CVE-2022-24903
# 8.1908.0-r1:
# - CVE-2019-17040
# - CVE-2019-17041
@@ -190,8 +193,9 @@ _plugin() {
sha512sums="
78a6f8499340a18b71da22788bb3323ac12f804725b2bb00e939ef6bd4cb6b803e5384a179ddee7db99bf49f2b963419fc26b1bf2d875f6aff7b58fdd4d254b2 rsyslog-8.2012.0.tar.gz
bcd63c8df2ac63b80f3cb51ba7f544988df6cd875f4e81020e762dff30d7537f21b72c95a4b1c08baf15f4ed5f03defbf3f061673aabada5841f45ab9f579374 rsyslog.initd
-198ad8f617b9edb93c9231118a9b3bb80b1e00e6517d2a79c393cbfef4417b8f0d08f231fb33843f8e9b09c7f9bc69dd501057ffe9eef583108af34996fee59d rsyslog.logrotate
+6bf69f14746d0523a4e9189593bc62e14a6e05c7e17922e4398df4b951abdde165e826290f6b6cdc8149199288f555d098178d93d2fae202463ebc523626161b rsyslog.logrotate
451b861dc82d7a2810e6c9ff8f80b2c5149cc6b440baf5901149e7b6524a1179826787a924c84403c2e9d8fa7d4df2c909e7f0877ac0cd4e6faf2e37cba7c6c1 rsyslog.conf
15745c8cdb730ae548d038ca4c04f9f48ef55c6e04949a8e86df356877563c0fcb9660445e47d3f9530925092d6dd80b2b2fc3f64a114ee85103d137327524cb musl-fix.patch
ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch
+1689c9b4ec0b692c6604e2e69507955ea4fa79047afad72786119206a63c191cf003473888cbab8bec1e8f7f787ee0311fed1975debd5b3b41d703f1ada8af49 CVE-2022-24903.patch
"
diff --git a/main/rsyslog/CVE-2022-24903.patch b/main/rsyslog/CVE-2022-24903.patch
new file mode 100644
index 0000000000..832e05b962
--- /dev/null
+++ b/main/rsyslog/CVE-2022-24903.patch
@@ -0,0 +1,56 @@
+From 89955b0bcb1ff105e1374aad7e0e993faa6a038f Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b586..95704af985 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ }
+ // temporarily save this character into the message buffer
+- connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ if(connWrkr->iMsg + 1 < s_iMaxLine) {
++ connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ }
+ } else {
+ const char *remoteAddr = "";
+ if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index 2df46a236c..c32dec5851 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 0efa2c23c4..c5442f7638 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
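Review bot: The three new bounds checks do not use the same limit: imhttp.c stores the digit only while `connWrkr->iMsg + 1 < s_iMaxLine`, whereas the processDataRcvd() copies in imptcp.c and tcps_sess.c use `pThis->iMsg < iMaxLine`. Which one is right depends on how many bytes `pMsg` is allocated with, and that allocation is outside all three hunks. It should be confirmed per file and stated next to each check, e.g. `/* pMsg holds <allocated size> bytes; further octet-count digits are dropped */`. Excess digits are also discarded silently; if the surrounding code does not already report oversized octet counts, a rate-limited log line here would let operators notice peers sending malformed framing. All three enclosing functions start and end outside the hunks.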
diff --git a/main/rsyslog/rsyslog.logrotate b/main/rsyslog/rsyslog.logrotate
index e2842b88dc..8450db8e70 100644
--- a/main/rsyslog/rsyslog.logrotate
+++ b/main/rsyslog/rsyslog.logrotate
@@ -1,3 +1,4 @@
+/var/log/messages
/var/log/auth.log
/var/log/cron.log
/var/log/kern.log
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index 88e2b788d7..56ca8f6932 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -4,6 +4,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.7.6-r0:
+# - CVE-2022-28739
# 2.7.5-r0:
# - CVE-2021-41817
# - CVE-2021-41816
@@ -48,7 +50,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.7.5
+pkgver=2.7.6
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -353,7 +355,7 @@ _mvgem() {
sha512sums="
-09e029b5cc15b6e4e37bcf15adb28213eaedec3ea22106d63095b37ea6b2a2b68e82e74e6b50746c87dd77e5185795d014e0db118bf0f45ffa0b0a307f5f65da ruby-2.7.5.tar.gz
+94810bb204cec55b5bbec8d51a5f5cc696613d1812b152399441a5cc7e4eddd2b376bc85e16d8da0b12f1938d19bf0d056b49a028809c036fb5a446a65bffbee ruby-2.7.6.tar.gz
a142199140fa711a64717429e9069fd2082319abaf4b129f561db374b3bc16e2a90cc4c849b5d28334505d1c71fed242aef3c44d983da3513d239dcb778673a5 rubygems-avoid-platform-specific-gems.patch
43c1fc80f0dcb4f24d891478889808583da90dc9e0df74c3b1cf41253c13a0d416d2b7ae17e7d53ac1238340a845b088f0fe20324a79905cc6b950b3dcfa4ac6 test_insns-lower-recursion-depth.patch
3ffc034c01110ee5531265333ca5ee8d61d08131843fe3004c5b34c88c9c1b32cb4ed89574f393177c8bd526e9c15da61ab344f93adf07b9148c561ee19e2eb5 fix-get_main_stack.patch
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 14053d3b4a..5326ec8de6 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
-pkgver=4.14.8
+pkgver=4.14.12
pkgrel=0
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="https://www.samba.org/"
@@ -95,6 +95,16 @@ source="
pkggroups="winbind"
# secfixes:
+# 4.14.12-r0:
+# - CVE-2016-2124
+# - CVE-2020-25717
+# - CVE-2020-25718
+# - CVE-2020-25719
+# - CVE-2020-25721
+# - CVE-2020-25722
+# - CVE-2021-23192
+# - CVE-2021-3738
+# - CVE-2021-44142
# 4.14.8-r0:
# - CVE-2021-3671
# 4.14.4-r0:
@@ -543,6 +553,7 @@ libs() {
usr/lib/$pkgname/libcmocka-samba4.so \
usr/lib/$pkgname/libcommon-auth-samba4.so \
usr/lib/$pkgname/libdbwrap-samba4.so \
+ usr/lib/$pkgname/libdcerpc-pkt-auth-samba4.so \
usr/lib/$pkgname/libdcerpc-samba-samba4.so \
usr/lib/$pkgname/libevents-samba4.so \
usr/lib/$pkgname/libflag-mapping-samba4.so \
@@ -604,7 +615,7 @@ libs() {
}
sha512sums="
-e5d5f26eeee92e1d7d3e70b389debe331b2d14d4f5ca7796f850275897fdf16e96b507b6862c8fc4bab1bfca312ea22b60b090d881149cd1e9725fe9877dabfd samba-4.14.8.tar.gz
+6a021d61dc2a8894c646a9b6d85e38c9020b3c227f10d1820cbdf2ad6793c0beeacedd5fff5f75718d4083ec9169cb1fb58f65636e1a50e638fcefce355690d9 samba-4.14.12.tar.gz
58de5e79fdfd06e828d478e112d581d333a8bee88d2602b92204d780f0d707b27dd84f8e2e6b00fca40da81c8fe99aa5bcec70d8b393d3a0a83199c72a4aa48b getpwent_r.patch
b7906d66fe55a980a54161ee3f311b51bcbce76b8d4c8cc1ba6d0c5bdf98232cb192b9d2c1aa7b3e2742f5b9848c6cf429347940eefe66c3e0eda1d5aac1bf93 musl_uintptr.patch
1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD
index eb736a7dd3..fe695fc14f 100644
--- a/main/subversion/APKBUILD
+++ b/main/subversion/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=subversion
-pkgver=1.14.1
-pkgrel=4
+pkgver=1.14.2
+pkgrel=0
_py3c_ver=1.1
pkgdesc="Replacement for CVS, another versioning system (svn)"
url="https://subversion.apache.org/"
@@ -20,11 +20,13 @@ source="https://archive.apache.org/dist/subversion/subversion-$pkgver.tar.bz2
subversion-1.7.0-deplibs.patch
subversion-perl-deplibs.patch
subversion-1.12.0-linking.patch
- fix-use-after-free.patch
svnserve.confd
svnserve.initd"
# secfixes:
+# 1.14.2-r0:
+# - CVE-2021-28544
+# - CVE-2022-24070
# 1.14.1-r0:
# - CVE-2020-17525
# 1.12.2-r0:
@@ -135,12 +137,11 @@ py() {
}
sha512sums="
-0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd subversion-1.14.1.tar.bz2
+20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc subversion-1.14.2.tar.bz2
aa95bbe1a80eec9e32d3dab4b0771a35fc467052757077fa17b42ceba78a5fe7fb1fa99079240aeeea5538abff778518b706f3bf16dbce2cd4f7dc1900c61b24 py3c-1.1.tar.gz
fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch
fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch
7d46f2ee0bbba53b6dc9312b35000b1433a46edb09f61030da1ff66951bc204fc90598e5b07ce2554d46508d5a9e8193152131ae21050901c7b40cb034fb5cc3 subversion-1.12.0-linking.patch
-ded55257f3efeaa6d70ab15ad5082be9d4544e729a907541575dbac024605633eaaf00957850ae7cf63c549ccb6204dd6e00c664765a8fc4e66a8c2f2b2c0c1d fix-use-after-free.patch
7fe993443d4d3ef5e1e75f60e85036ee0b2bb2636c2c830210e64f525f95ae4c10ca1dc4504fc36915ec9391815becbe7cbf5f589c28609386d8d079ed02c630 svnserve.confd
f6392193cc65aaceee9b6e5e66f80af4b095ba4007e8536e8b1c4e8b2c75610d7f5596b83e5edd504672f021c074887fc6464cf4fc1dfe9446741105f11cd855 svnserve.initd
"
diff --git a/main/subversion/fix-use-after-free.patch b/main/subversion/fix-use-after-free.patch
deleted file mode 100644
index 1374501ba4..0000000000
--- a/main/subversion/fix-use-after-free.patch
+++ /dev/null
@@ -1,41 +0,0 @@
---- subversion-1.14.1/subversion/libsvn_repos/authz.c
-+++ subversion-1.14.1.uaf/subversion/libsvn_repos/authz.c
-@@ -130,6 +130,30 @@
- static svn_object_pool__t *filtered_pool = NULL;
- static svn_atomic_t authz_pool_initialized = FALSE;
-
-+/*
-+ * Ensure that we will initialize authz again if the pool which
-+ * our authz caches depend on is cleared.
-+ *
-+ * HTTPD may run pre/post config hooks multiple times and clear
-+ * its global configuration pool which our authz pools depend on.
-+ * This happens in a non-threaded context during HTTPD's intialization
-+ * and HTTPD's main loop, so it is safe to reset static variables here.
-+ * (And any applications which cleared this pool while SVN threads
-+ * were running would crash no matter what.)
-+ *
-+ * See issue #4880, "Use-after-free of object-pools in
-+ * subversion/libsvn_repos/authz.c when used as httpd module"
-+ */
-+static apr_status_t
-+deinit_authz(void *data)
-+{
-+ /* The two object pools run their own cleanup handlers. */
-+ authz_pool = NULL;
-+ filtered_pool = NULL;
-+ authz_pool_initialized = FALSE;
-+ return APR_SUCCESS;
-+}
-+
- /* Implements svn_atomic__err_init_func_t. */
- static svn_error_t *
- synchronized_authz_initialize(void *baton, apr_pool_t *pool)
-@@ -143,6 +167,7 @@
- SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
- SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
-
-+ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
- return SVN_NO_ERROR;
- }
-
diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD
index a4f35a0dbb..413d83f1af 100644
--- a/main/tcpdump/APKBUILD
+++ b/main/tcpdump/APKBUILD
@@ -15,33 +15,33 @@ source="https://www.tcpdump.org/release/tcpdump-$pkgver.tar.gz
# 4.9.3-r1:
# - CVE-2020-8037
# 4.9.3-r0:
-# - CVE-2017-16808 (AoE)
-# - CVE-2018-14468 (FrameRelay)
-# - CVE-2018-14469 (IKEv1)
-# - CVE-2018-14470 (BABEL)
-# - CVE-2018-14466 (AFS/RX)
-# - CVE-2018-14461 (LDP)
-# - CVE-2018-14462 (ICMP)
-# - CVE-2018-14465 (RSVP)
-# - CVE-2018-14881 (BGP)
-# - CVE-2018-14464 (LMP)
-# - CVE-2018-14463 (VRRP)
-# - CVE-2018-14467 (BGP)
-# - CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
-# - CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
-# - CVE-2018-14880 (OSPF6)
-# - CVE-2018-16451 (SMB)
-# - CVE-2018-14882 (RPL)
-# - CVE-2018-16227 (802.11)
-# - CVE-2018-16229 (DCCP)
-# - CVE-2018-16301 (was fixed in libpcap)
-# - CVE-2018-16230 (BGP)
-# - CVE-2018-16452 (SMB)
-# - CVE-2018-16300 (BGP)
-# - CVE-2018-16228 (HNCP)
-# - CVE-2019-15166 (LMP)
-# - CVE-2019-15167 (VRRP)
-# - CVE-2018-14879 (tcpdump -V)
+# - CVE-2017-16808 # (AoE)
+# - CVE-2018-14468 # (FrameRelay)
+# - CVE-2018-14469 # (IKEv1)
+# - CVE-2018-14470 # (BABEL)
+# - CVE-2018-14466 # (AFS/RX)
+# - CVE-2018-14461 # (LDP)
+# - CVE-2018-14462 # (ICMP)
+# - CVE-2018-14465 # (RSVP)
+# - CVE-2018-14881 # (BGP)
+# - CVE-2018-14464 # (LMP)
+# - CVE-2018-14463 # (VRRP)
+# - CVE-2018-14467 # (BGP)
+# - CVE-2018-10103 # (SMB - partially fixed, but SMB printing disabled)
+# - CVE-2018-10105 # (SMB - too unreliably reproduced, SMB printing disabled)
+# - CVE-2018-14880 # (OSPF6)
+# - CVE-2018-16451 # (SMB)
+# - CVE-2018-14882 # (RPL)
+# - CVE-2018-16227 # (802.11)
+# - CVE-2018-16229 # (DCCP)
+# - CVE-2018-16301 # (was fixed in libpcap)
+# - CVE-2018-16230 # (BGP)
+# - CVE-2018-16452 # (SMB)
+# - CVE-2018-16300 # (BGP)
+# - CVE-2018-16228 # (HNCP)
+# - CVE-2019-15166 # (LMP)
+# - CVE-2019-15167 # (VRRP)
+# - CVE-2018-14879 # (tcpdump -V)
# 4.9.0-r0:
# - CVE-2016-7922
# - CVE-2016-7923
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 148daa5140..eec623e90f 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
-pkgver=4.2.0
-pkgrel=1
+pkgver=4.3.0
+pkgrel=0
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="https://gitlab.com/libtiff/libtiff"
arch="all"
@@ -14,10 +14,29 @@ checkdepends="diffutils"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx"
source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz
CVE-2018-12900.patch
+ CVE-2022-0561.patch
+ CVE-2022-0562.patch
+ CVE-2022-0865.patch
+ CVE-2022-0891.patch
+ CVE-2022-0907.patch
+ CVE-2022-0908.patch
+ CVE-2022-0909.patch
+ CVE-2022-0924.patch
+ CVE-2022-22844.patch
"
builddir="$srcdir/libtiff-v$pkgver"
# secfixes:
+# 4.3.0-r0:
+# - CVE-2022-0561
+# - CVE-2022-0562
+# - CVE-2022-0865
+# - CVE-2022-0891
+# - CVE-2022-0907
+# - CVE-2022-0908
+# - CVE-2022-0909
+# - CVE-2022-0924
+# - CVE-2022-22844
# 4.2.0-r0:
# - CVE-2020-35521
# - CVE-2020-35522
@@ -105,5 +124,16 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="d47578feffcc1ecdac2d188c1df4faf05865cd9075b4d01c708a0e71928cce3b60850738a6b7ace334ae00e96ccffc6189ed91b9be81840a1d2b040777010dd5 libtiff-v4.2.0.tar.gz
-c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch"
+sha512sums="
+eaa2503dc1805283e0590b06e3e660a793fe849ae8b975b2d69369695d65a40640787c156574faaca856917be799eeb844e60f55555e1f219dd513cef66ea95d libtiff-v4.3.0.tar.gz
+c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch
+a1a11110f74ab4ee5468aae51962bea48a2bcbd51c9cb75dbb4e277cec394afab644906eb3b3b6fb95f413821a4799c227f986b720c383b8553dea67a92236a0 CVE-2022-0561.patch
+d2decdafd32a2a41001a263c6da5f538538286d54e5072afb2a3d281ca7815ac0e78f5ab9a72e10b28fe9960819038fc6cff6419e2ac7982aea6199012d3ae80 CVE-2022-0562.patch
+e8eb613809909e463fb8b401f295c56f41a8f8aabe0acea2f14e52ab42f90c62b7eee5c6fedfdce0f6c15c093dd2f11e34af1b23491782716254832d353fbc75 CVE-2022-0865.patch
+516fb18524a6d0320000515daeadc2a0272aaf409e158c67fec49ba6704abcaed6f9a73c6e8e3ec13c6e0ff7a952bd36e8187dcdda5cd3931f2ffcaede33fc46 CVE-2022-0891.patch
+1b7168bf339b31fd2b532ccdd99dd25787ed71220ef6db3f1206e618f7150f095dee8aed7bb84fa4af304bb5bc1914e800c03c88e5c03385943fd6c41d3e82da CVE-2022-0907.patch
+2feea03d8493d5fef3815ecf3ad52df2aef0db7def8832531f3d1e6e59df548729a51259f3a06a9b017219fffd37d541e06964bb3622a01b47d3e4408cd3850f CVE-2022-0908.patch
+d415ef9dd5292e7bbb1da76dfa11ecbe149d0c5039afc5134e2afae72ae264bcdd8417c96051c61fad6635d0530b9c5cd2e2ef30458baa3d0dce59b3489baf8f CVE-2022-0909.patch
+78fcddd4e254178349971629bccc25be451f2b6d816c0ed063fad034060814c9f97c04904ff58f1923b7ae1c6c4d00d86ba2c8cf950e864f3bc8ead871a3ff45 CVE-2022-0924.patch
+d22f8486e5166a9e0a3ddae910972001aa806baef7619f7b6aaba219f850faf5144bb2cc6668090646cf9d849fdd4217ff5f542746184aa1cd1d21078e33f579 CVE-2022-22844.patch
+"
diff --git a/main/tiff/CVE-2022-0561.patch b/main/tiff/CVE-2022-0561.patch
new file mode 100644
index 0000000000..7bda47c46e
--- /dev/null
+++ b/main/tiff/CVE-2022-0561.patch
@@ -0,0 +1,29 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 23194ced..50ebf8ac 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
++ if( dir->tdir_count )
++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+ _TIFFfree(data);
+ data=resizeddata;
+ }
+--
+GitLab
+
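Review bot: The added guard `if( dir->tdir_count )` has no braces, and the `_TIFFmemset` line right after it is removed and re-added with what appears to be only a whitespace change, so the memset is easy to misread as conditional. Bracing the guarded call, `if (dir->tdir_count) { _TIFFmemcpy(resizeddata, data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); }`, removes the ambiguity; CVE-2022-0562.patch adds the same unbraced form around `memcpy` in TIFFReadDirectory(). The guard also tests the full `tdir_count` while the copy length uses its `(uint32_t)` cast, so it relies on an earlier range check that is not visible in this hunk. As this looks like an upstream patch carried verbatim, the change would belong upstream rather than in the packaged copy. TIFFFetchStripThing() starts and ends outside the hunk.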
diff --git a/main/tiff/CVE-2022-0562.patch b/main/tiff/CVE-2022-0562.patch
new file mode 100644
index 0000000000..906b641aac
--- /dev/null
+++ b/main/tiff/CVE-2022-0562.patch
@@ -0,0 +1,27 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2bbc4585..23194ced 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
+ goto bad;
+ }
+
+- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
++ if (old_extrasamples > 0)
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+--
+GitLab
+
diff --git a/main/tiff/CVE-2022-0865.patch b/main/tiff/CVE-2022-0865.patch
new file mode 100644
index 0000000000..bcb339974f
--- /dev/null
+++ b/main/tiff/CVE-2022-0865.patch
@@ -0,0 +1,34 @@
+From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
+ in memory-mapped mode and when bit reversal is needed (fixes #385)
+
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 74086338..8bfa4cef 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+ */
+ tif->tif_flags |= TIFF_NOBITREV;
+ tif->tif_flags &= ~TIFF_MAPPED;
++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
++ * value to be consistent with the state of a non-memory mapped file.
++ */
++ if (tif->tif_flags&TIFF_BUFFERMMAP) {
++ tif->tif_rawdata = NULL;
++ tif->tif_rawdatasize = 0;
++ tif->tif_flags &= ~TIFF_BUFFERMMAP;
++ tif->tif_flags |= TIFF_MYBUFFER;
++ }
+
+ /* Setup the function pointers for encode, decode, and cleanup. */
+ tif->tif_setupdecode = JBIGSetupDecode;
+--
+GitLab
+
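Review bot: The new block sets `tif->tif_rawdata = NULL` without freeing it, and the comment above it does not say why that is not a leak. If, as the flag name suggests, `TIFF_BUFFERMMAP` means the pointer refers into the file mapping rather than to memory the library owns, one more comment line would settle it: `/* tif_rawdata points into the mapping here, so it must not be freed */`. That ownership rule is not visible in the hunk and should be confirmed against the code that sets TIFF_BUFFERMMAP. TIFFInitJBIG() continues outside the hunk.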
diff --git a/main/tiff/CVE-2022-0891.patch b/main/tiff/CVE-2022-0891.patch
new file mode 100644
index 0000000000..d038d0450d
--- /dev/null
+++ b/main/tiff/CVE-2022-0891.patch
@@ -0,0 +1,214 @@
+From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+ extractImageSection
+
+---
+ tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
+ 1 file changed, 36 insertions(+), 56 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..e62bcc71 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -105,8 +105,8 @@
+ * of messages to monitor progress without enabling dump logs.
+ */
+
+-static char tiffcrop_version_id[] = "2.4";
+-static char tiffcrop_rev_date[] = "12-13-2010";
++static char tiffcrop_version_id[] = "2.4.1";
++static char tiffcrop_rev_date[] = "03-03-2010";
+
+ #include "tif_config.h"
+ #include "libport.h"
+@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ uint32_t img_length;
+ #endif
+- uint32_t j, shift1, shift2, trailing_bits;
++ uint32_t j, shift1, trailing_bits;
+ uint32_t row, first_row, last_row, first_col, last_col;
+ uint32_t src_offset, dst_offset, row_offset, col_offset;
+- uint32_t offset1, offset2, full_bytes;
++ uint32_t offset1, full_bytes;
+ uint32_t sect_width;
+ #ifdef DEVELMODE
+ uint32_t sect_length;
+@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ int k;
+ unsigned char bitset;
+- static char *bitarray = NULL;
+ #endif
+
+ img_width = image->width;
+@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ dst_offset = 0;
+
+ #ifdef DEVELMODE
+- if (bitarray == NULL)
+- {
+- if ((bitarray = (char *)malloc(img_width)) == NULL)
+- {
+- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+- return (-1);
+- }
+- }
++ char bitarray[39];
+ #endif
+
+- /* rows, columns, width, length are expressed in pixels */
++ /* rows, columns, width, length are expressed in pixels
++ * first_row, last_row, .. are index into image array starting at 0 to width-1,
++ * last_col shall be also extracted. */
+ first_row = section->y1;
+ last_row = section->y2;
+ first_col = section->x1;
+@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ sect_length = last_row - first_row + 1;
+ #endif
+- img_rowsize = ((img_width * bps + 7) / 8) * spp;
+- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * bps) % 8;
++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++ * samples rather than separate planes so the same logic works to extract regions
++ * regardless of the way the data are organized in the input file.
++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
++ */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if ((bps % 8) == 0)
+ {
+- col_offset = first_col * spp * bps / 8;
++ col_offset = (first_col * spp * bps) / 8;
+ for (row = first_row; row <= last_row; row++)
+ {
+- /* row_offset = row * img_width * spp * bps / 8; */
+ row_offset = row * img_rowsize;
+ src_offset = row_offset + col_offset;
+
+@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ }
+ else
+ { /* bps != 8 */
+- shift1 = spp * ((first_col * bps) % 8);
+- shift2 = spp * ((last_col * bps) % 8);
++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
+ for (row = first_row; row <= last_row; row++)
+ {
+ /* pull out the first byte */
+ row_offset = row * img_rowsize;
+- offset1 = row_offset + (first_col * bps / 8);
+- offset2 = row_offset + (last_col * bps / 8);
++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
+
+ #ifdef DEVELMODE
+ for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ sprintf(&bitarray[9], " ");
+ for (j = 10, k = 7; j < 18; j++, k--)
+ {
+- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+ sprintf(&bitarray[j], (bitset) ? "1" : "0");
+ }
+ bitarray[18] = '\0';
+- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
+- row, offset1, shift1, offset2, shift2);
++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
++ row, offset1, shift1, offset1+full_bytes, trailing_bits);
+ #endif
+
+ bytebuff1 = bytebuff2 = 0;
+@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if (trailing_bits != 0)
+ {
+- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+ sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
+- offset2, dst_offset);
++ offset1 + full_bytes, dst_offset);
+ for (j = 30, k = 7; j < 38; j++, k--)
+ {
+ bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ for (j = 0; j <= full_bytes; j++)
+ {
+- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+ sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+ }
+ #ifdef DEVELMODE
+@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ dst_offset += full_bytes;
+
++ /* Copy the trailing_bits for the last byte in the destination buffer.
++ Could come from one ore two bytes of the source buffer. */
+ if (trailing_bits != 0)
+ {
+ #ifdef DEVELMODE
+- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
+-#endif
+- if (shift2 > shift1)
+- {
+- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+- sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 > Shift1\n");
++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
++ /* More than necessary bits are already copied into last destination buffer,
++ * only masking of last byte in destination buffer is necessary.*/
++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+ }
+- else
+- {
+- if (shift2 < shift1)
+- {
+- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+- sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 < Shift1\n");
+-#endif
+- }
+-#ifdef DEVELMODE
+- else
+- TIFFError ("", " Shift2 == Shift1\n");
+-#endif
+- }
+- }
+ #ifdef DEVELMODE
+ sprintf(&bitarray[28], " ");
+ sprintf(&bitarray[29], " ");
+@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+ width = sections[i].x2 - sections[i].x1 + 1;
+ length = sections[i].y2 - sections[i].y1 + 1;
+ sectsize = (uint32_t)
+- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+ /* allocate a buffer if we don't have one already */
+ if (createImageSection(sectsize, sect_buff_ptr))
+ {
+--
+GitLab
+
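Review bot: The shifted-copy loop in extractImageSection (`for (j = 0; j <= full_bytes; j++)`) still reads `src_buff[offset1 + j + 1]`, which for a section that ends on the last image row can index past the image data. The new comment acknowledges this and relies on src_buff being over-allocated, but nothing in this patch shows where that slack is guaranteed. Please confirm that the read-buffer allocation in the packaged version pads the buffer, and name that allocation in the comment, e.g. `/* reads past the row end; relies on the padding added where the read buffer is allocated */`. Separately, `tiffcrop_rev_date[] = "03-03-2010"` looks like a typo for 2022 given the patch date. The function body extends beyond the inner hunks.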
diff --git a/main/tiff/CVE-2022-0907.patch b/main/tiff/CVE-2022-0907.patch
new file mode 100644
index 0000000000..9f6e087b9d
--- /dev/null
+++ b/main/tiff/CVE-2022-0907.patch
@@ -0,0 +1,89 @@
+From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..9b8acc7e 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7406,7 +7406,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)limitMalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7422,15 +7426,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7697,7 +7701,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)limitMalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7713,15 +7721,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9280,3 +9288,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+ * fill-column: 78
+ * End:
+ */
++
+--
+GitLab
+
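Review bot: The new early returns in createImageSection and createCroppedImage leave `*sect_buff_ptr` and `*crop_buff_ptr` untouched when allocation fails. In the realloc branches the `if` arm above the visible `else` is outside the hunk; if it frees the old buffer before retrying the allocation, the caller's pointer is left dangling after `return (-1)`, and a later free or reuse by the caller would touch freed memory. Setting the out-pointer before returning closes that: `*sect_buff_ptr = NULL;` (and `*crop_buff_ptr = NULL;`) ahead of each `return (-1);`. The last inner hunk only appends a blank line at the end of the file and could be dropped from the patch.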
diff --git a/main/tiff/CVE-2022-0908.patch b/main/tiff/CVE-2022-0908.patch
new file mode 100644
index 0000000000..36b4858362
--- /dev/null
+++ b/main/tiff/CVE-2022-0908.patch
@@ -0,0 +1,29 @@
+From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 50ebf8ac..2ec44a4f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5091,7 +5091,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++ }
+ o[(uint32_t)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
+--
+GitLab
+
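Review bot: The guard added in TIFFFetchNormalTag tests `dp->tdir_count > 0`, although the thing being protected against is a NULL `data` pointer, which the following lines handle separately with `if (data!=0)`. A short comment would make the relationship explicit: `/* data may be NULL when tdir_count is 0; memcpy with a NULL source is undefined even for size 0 */`. This is a documentation suggestion only, with the wording taken from the patch subject. The function body starts and ends outside the hunk.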
diff --git a/main/tiff/CVE-2022-0909.patch b/main/tiff/CVE-2022-0909.patch
new file mode 100644
index 0000000000..67dfeaeea2
--- /dev/null
+++ b/main/tiff/CVE-2022-0909.patch
@@ -0,0 +1,32 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 57055ca9..59b346ca 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -333,13 +333,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+--
+GitLab
+
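Review bot: `dblval != dblval` in the TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION cases is a NaN test, but nothing says so, and the self-comparison is easy to "simplify" away in a later cleanup. Add a comment such as `/* dblval != dblval is true only for NaN */` on both checks. The idiom also depends on IEEE comparison semantics, so it would stop rejecting NaN if the library were ever built with finite-math-only optimisation; keep that in mind for the package's CFLAGS. Infinity still passes this check and is left to `_TIFFClampDoubleToFloat`, whose body is not in the hunk.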
diff --git a/main/tiff/CVE-2022-0924.patch b/main/tiff/CVE-2022-0924.patch
new file mode 100644
index 0000000000..f6cf2351d1
--- /dev/null
+++ b/main/tiff/CVE-2022-0924.patch
@@ -0,0 +1,53 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 224583e0..aa32b118 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ tdata_t obuf;
+ tstrip_t strip = 0;
+ tsample_t s;
++ uint16_t bps = 0, bytes_per_sample;
+
+ obuf = limitMalloc(stripsize);
+ if (obuf == NULL)
+ return (0);
+ _TIFFmemset(obuf, 0, stripsize);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ bytes_per_sample = bps/8;
+ for (s = 0; s < spp; s++) {
+ uint32_t row;
+ for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+
+ cpContigBufToSeparateBuf(
+ obuf, (uint8_t*) buf + row * rowsize + s,
+- nrows, imagewidth, 0, 0, spp, 1);
++ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ TIFFError(TIFFFileName(out),
+ "Error, can't write strip %"PRIu32,
+--
+GitLab
+
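Review bot: After this change the copy width passed to cpContigBufToSeparateBuf is `bytes_per_sample`, but the source pointer on the unchanged line above is still offset by `s` bytes (`(uint8_t*) buf + row * rowsize + s`). If the helper treats its input as the first byte of the sample to copy (its body is not in this hunk), samples wider than one byte would start at the wrong offset for `s > 0`, and the offset would need to be `s * bytes_per_sample`. Please confirm this against the helper before relying on the patch for 16-bit or wider data.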
diff --git a/main/tiff/CVE-2022-22844.patch b/main/tiff/CVE-2022-22844.patch
new file mode 100644
index 0000000000..b1f89b444c
--- /dev/null
+++ b/main/tiff/CVE-2022-22844.patch
@@ -0,0 +1,40 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c5..e7a88c09 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+- fprintf( stderr, "Failed to set %s=%s\n",
+- TIFFFieldName(fip), argv[arg_index] );
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16_t)len, argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
+--
+GitLab
+
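Review bot: When the value is longer than UINT16_MAX in the new TIFFFieldPassCount branch, the user gets the same `Failed to set %s=%s` message as for a TIFFSetField failure, with nothing to indicate the length limit. A separate check ahead of the call would make this diagnosable, e.g. `if (len > UINT16_MAX) fprintf(stderr, "Value for %s is too long\n", TIFFFieldName(fip));`. That also avoids folding the length test and the call into one condition. main() continues outside the hunk, so whether a failure here affects the exit status cannot be seen.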
diff --git a/main/tiny-cloud/APKBUILD b/main/tiny-cloud/APKBUILD
new file mode 100644
index 0000000000..b42318cfeb
--- /dev/null
+++ b/main/tiny-cloud/APKBUILD
@@ -0,0 +1,65 @@
+# Contributor: Mike Crute <mike@crute.us>
+# Contributor: Jake Buchholz Göktürk <tomalok@gmail.com>
+# Maintainer: Jake Buchholz Göktürk <tomalok@gmail.com>
+pkgname=tiny-cloud
+pkgver=2.0.0
+pkgrel=0
+pkgdesc="Tiny Cloud instance bootstrapper"
+url="https://gitlab.alpinelinux.org/alpine/cloud/tiny-cloud"
+arch="noarch"
+license="MIT"
+options="!check" # no tests provided
+depends="e2fsprogs-extra partx sfdisk"
+source="$url/-/archive/$pkgver/$pkgname-$pkgver.tar.gz"
+subpackages="
+ $pkgname-network
+ $pkgname-openrc
+ $pkgname-aws
+ $pkgname-azure
+ $pkgname-gcp
+ $pkgname-oci
+"
+
+package() {
+ make PREFIX="$pkgdir" core openrc
+}
+
+network() {
+ pkgdesc="Tiny Cloud - networking module"
+ depends="ifupdown-ng iproute2-minimal $pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" network
+}
+
+aws() {
+ pkgdesc="Tiny Cloud - Amazon Web Services module"
+ depends="nvme-cli $pkgname-network=$pkgver-r$pkgrel"
+ provides="tiny-ec2-bootstrap"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" aws
+}
+
+azure() {
+ pkgdesc="Tiny Cloud - Azure module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" azure
+}
+
+gcp() {
+ pkgdesc="Tiny Cloud - Google Cloud Platform module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" gcp
+}
+
+oci() {
+ pkgdesc="Tiny Cloud - Oracle Cloud Infrastructure module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" oci
+}
+
+sha512sums="
+d3c1eb1daf1d298f34459ab2b54c1077b3bc037bbe0df3591cade85ba9d351a47f9ce42fabe5480505236731795679a32f0144998de689f35139aa28ac490d48 tiny-cloud-2.0.0.tar.gz
+"
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index a7611d6e3a..1dec5d6eff 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2021e
-_tzcodever=2021e
+pkgver=2022a
+_tzcodever=2022a
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -51,8 +51,8 @@ package() {
}
sha512sums="
-87b0335129ea41c5f42f687f548712e5da892baa8494cecf5d34851beceecf6ae52f22104696ed187713cf9e502570eb2041e277dfd3c043c11d0253bfde685a tzcode2021e.tar.gz
-c1e8d04e049157ed5d4af0868855bbd75517e3d7e1db9c41d5283ff260109de46b6fac6be94828201d093e163d868044ac2a9db2bf0aeab800e264d0c73a9119 tzdata2021e.tar.gz
+3f047a6f414ae3df4a3d6bb9b39a1790833d191ae48e6320ab9438cd326dc455475186a02c44e4cde96b48101ab000880919b1e0e8092aed7254443ed2c831ed tzcode2022a.tar.gz
+542e4559beac8fd8c4af7d08d816fd12cfe7ffcb6f20bba4ff1c20eba717749ef96e5cf599b2fe03b5b8469c0467f8cb1c893008160da281055a123dd9e810d9 tzdata2022a.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch
diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD
index f271dc21c0..6e9363053d 100644
--- a/main/util-linux/APKBUILD
+++ b/main/util-linux/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=util-linux
-pkgver=2.37.2
+pkgver=2.37.4
case $pkgver in
*.*.*) _v=${pkgver%.*};;
@@ -16,7 +16,7 @@ arch="all"
license="GPL-3.0-or-later AND GPL-2.0-or-later AND GPL-2.0-only AND
LGPL-2.1-or-later AND BSD-3-Clause AND BSD-4-Clause-UC AND Public-Domain"
depends="blkid setpriv findmnt mcookie hexdump lsblk sfdisk cfdisk partx flock logger uuidgen"
-makedepends_build="autoconf automake libtool"
+makedepends_build="autoconf automake libtool asciidoctor"
makedepends_host="zlib-dev ncurses-dev linux-headers libcap-ng-dev"
options="suid"
source="https://www.kernel.org/pub/linux/utils/util-linux/v$_v/util-linux-$pkgver.tar.xz
@@ -54,6 +54,11 @@ fi
makedepends="$makedepends_build $makedepends_host"
# secfixes:
+# 2.37.4-r0:
+# - CVE-2022-0563
+# 2.37.3-r0:
+# - CVE-2021-3995
+# - CVE-2021-3996
# 2.37.2-r0:
# - CVE-2021-37600
@@ -156,7 +161,7 @@ _py3() {
}
sha512sums="
-38f0fe820445e3bfa79550e6581c230f98c7661566ccc4daa51c7208a5f972c61b4e57dfc86bed074fdbc7c40bc79f856be8f6a05a8860c1c0cecc4208e8b81d util-linux-2.37.2.tar.xz
+ada2629b0a8e83ea83513e04f7b1ccceb3b8ab82acd119c5d8389d1abc48c92d0b591f39fb34b1fd65db3ab630f03a672a9f3dacf1a6e4f124bdb083fc1be6d7 util-linux-2.37.4.tar.xz
876bb9041eca1b2cca1e9aac898f282db576f7860aba690a95c0ac629d7c5b2cdeccba504dda87ff55c2a10b67165985ce16ca41a0694a267507e1e0cafd46d9 ttydefaults.h
401d2ccbdbfb0ebd573ac616c1077e2c2b79ff03e9221007759d8ac25eb522c401f705abbf7daac183d5e8017982b8ec5dd0a5ebad39507c5bb0a9f31f04ee97 rfkill.confd
c4e7ba6d257496c99934add2ca532db16fb070ea2367554587c9fb4e24ab1d80b8ba3fd0fd4fdd5ef1374c3ec6414007369b292ee334ef23171d0232ef709db2 rfkill.initd
diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD
index 00a29260af..632009f023 100644
--- a/main/varnish/APKBUILD
+++ b/main/varnish/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: V.Krishn <vkrishn4@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=varnish
-pkgver=6.6.1
+pkgver=6.6.2
pkgrel=0
pkgdesc="High-performance HTTP accelerator"
url="https://www.varnish-cache.org/"
@@ -31,6 +31,8 @@ source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz
# secfixes:
+# 6.6.2-r0:
+# - CVE-2022-23959
# 6.6.1-r0:
# - CVE-2021-36740
# 6.2.1-r0:
@@ -40,11 +42,6 @@ source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz
# 5.1.3-r0:
# - CVE-2017-12425
-prepare() {
- default_prepare
- update_config_sub
-}
-
# libunwind is not available on riscv64
case "$CARCH" in
riscv64) makedepends="$makedepends libexecinfo-dev" ;;
@@ -109,7 +106,7 @@ geoip() {
}
sha512sums="
-af3ee1743af2ede2d3efbb73e5aa9b42c7bbd5f86163ec338c8afd1989c3e51ff3e1b40bed6b72224b5d339a74f22d6e5f3c3faf2fedee8ab4715307ed5d871b varnish-6.6.1.tgz
+8fa163678e2e454fcc959ba24f349de00e6c00357df55f37f12f0d3acbcb2799b2f376385cef2d40c14a4cc44a5eea1b5a3fbf6245961611d4fc3ea30699035d varnish-6.6.2.tgz
2123668169b055f2d88f9b5b8e0877ca8b3cbfcd61e03d91fd7d0513b3267e4ef01a4d858cc6a3298cca0a49aaea2f92ff4fd9c0baf52a6c67b452a53f7e54d0 musl-include-vpf.patch
c51c8964880990c2b01807b2a38d886b146736a918bda9ea2e032c50085bf6745cab3cccb4ee4c561ab936a8b7cfb278cfcb758543ea6c605c15b8973c9f10ce musl-include-vsb.patch
5ac7867e85cbd721f903c524ed4b524423d9dada4acfeefb0e543214a208828df5cc4efe2f012991bea6b38c2b223c24b17d3890ec4ed2c57d2b441b8e5a6900 varnishd.initd
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index b02d91f86b..612bbde0a6 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
-pkgver=8.2.4173
+pkgver=8.2.4836
pkgrel=0
pkgdesc="Improved vi-style text editor"
url="https://www.vim.org/"
@@ -18,6 +18,29 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/vim/vim/archive/v$pkgver.tar
"
# secfixes:
+# 8.2.4836-r0:
+# - CVE-2022-1381
+# 8.2.4708-r0:
+# - CVE-2022-1154
+# - CVE-2022-1160
+# 8.2.4619-r0:
+# - CVE-2022-0943
+# - CVE-2022-0572
+# - CVE-2022-0629
+# - CVE-2022-0685
+# - CVE-2022-0696
+# - CVE-2022-0714
+# - CVE-2022-0729
+# - CVE-2022-0359
+# - CVE-2022-0361
+# - CVE-2022-0368
+# - CVE-2022-0392
+# - CVE-2022-0393
+# - CVE-2022-0407
+# - CVE-2022-0408
+# - CVE-2022-0413
+# - CVE-2022-0417
+# - CVE-2022-0443
# 8.2.4173-r0:
# - CVE-2021-4069
# - CVE-2021-4136
@@ -159,6 +182,6 @@ xxd() {
}
sha512sums="
-56b3a9cc7aaa5bf92e69e66e4f0004b6611f4e63e1d30c017283131b9922f4c988b19ebf6224939ad48dd3b158d6fab7c7b2be35396b4f57756a0ed9075d0423 vim-8.2.4173.tar.gz
+e1afe03a3140c91fa928d88a8b3ad5e7c8808e5de5b7a07726b2a4f8f402adfdef2890be6a279e52848cc75346d15d4653f579f96da409544d58aba036abbbf7 vim-8.2.4836.tar.gz
d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
"
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index d2fa99d07c..f307a1e4a3 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
-pkgver=4.15.1
-pkgrel=2
+pkgver=4.15.2
+pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -145,35 +145,35 @@ options="!strip"
# 4.10.1-r0:
# - CVE-2018-10472 XSA-258
# - CVE-2018-10471 XSA-259
-# 4.10-1-r1:
+# 4.10.1-r1:
# - CVE-2018-8897 XSA-260
# - CVE-2018-10982 XSA-261
# - CVE-2018-10981 XSA-262
# 4.11.0-r0:
-# - CVE-2018-3639 XSA-263
-# - CVE-2018-12891 XSA-264
-# - CVE-2018-12893 XSA-265
-# - CVE-2018-12892 XSA-266
-# - CVE-2018-3665 XSA-267
+# - CVE-2018-3639 XSA-263
+# - CVE-2018-12891 XSA-264
+# - CVE-2018-12893 XSA-265
+# - CVE-2018-12892 XSA-266
+# - CVE-2018-3665 XSA-267
# 4.11.1-r0:
-# - CVE-2018-15469 XSA-268
-# - CVE-2018-15468 XSA-269
-# - CVE-2018-15470 XSA-272
-# - CVE-2018-3620 XSA-273
-# - CVE-2018-3646 XSA-273
-# - CVE-2018-19961 XSA-275
-# - CVE-2018-19962 XSA-275
-# - CVE-2018-19963 XSA-276
-# - CVE-2018-19964 XSA-277
-# - CVE-2018-18883 XSA-278
-# - CVE-2018-19965 XSA-279
-# - CVE-2018-19966 XSA-280
-# - CVE-2018-19967 XSA-282
+# - CVE-2018-15469 XSA-268
+# - CVE-2018-15468 XSA-269
+# - CVE-2018-15470 XSA-272
+# - CVE-2018-3620 XSA-273
+# - CVE-2018-3646 XSA-273
+# - CVE-2018-19961 XSA-275
+# - CVE-2018-19962 XSA-275
+# - CVE-2018-19963 XSA-276
+# - CVE-2018-19964 XSA-277
+# - CVE-2018-18883 XSA-278
+# - CVE-2018-19965 XSA-279
+# - CVE-2018-19966 XSA-280
+# - CVE-2018-19967 XSA-282
# 4.12.0-r2:
-# - CVE-2018-12126 XSA-297
-# - CVE-2018-12127 XSA-297
-# - CVE-2018-12130 XSA-297
-# - CVE-2019-11091 XSA-297
+# - CVE-2018-12126 XSA-297
+# - CVE-2018-12127 XSA-297
+# - CVE-2018-12130 XSA-297
+# - CVE-2019-11091 XSA-297
# 4.12.1-r0:
# - CVE-2019-17349 CVE-2019-17350 XSA-295
# 4.13.0-r0:
@@ -196,9 +196,9 @@ options="!strip"
# - CVE-2020-11743 XSA-316
# - CVE-2020-11742 XSA-318
# 4.13.1-r0:
-# - CVE-????-????? XSA-312
+# - XSA-312
# 4.13.1-r3:
-# - CVE-2020-0543 XSA-320
+# - CVE-2020-0543 XSA-320
# 4.13.1-r4:
# - CVE-2020-15566 XSA-317
# - CVE-2020-15563 XSA-319
@@ -240,7 +240,7 @@ options="!strip"
# - CVE-2020-29570 XSA-358
# - CVE-2020-29571 XSA-359
# 4.14.1-r2:
-# - CVE-2021-3308 XSA-360
+# - CVE-2021-3308 XSA-360
# 4.14.1-r3:
# - CVE-2021-26933 XSA-364
# 4.15.0-r0:
@@ -248,7 +248,7 @@ options="!strip"
# 4.15.0-r1:
# - CVE-2021-28693 XSA-372
# - CVE-2021-28692 XSA-373
-# - CVE-2021-0089 XSA-375
+# - CVE-2021-0089 XSA-375
# - CVE-2021-28690 XSA-377
# 4.15.0-r2:
# - CVE-2021-28694 XSA-378
@@ -269,6 +269,12 @@ options="!strip"
# - CVE-2021-28708 XSA-388
# - CVE-2021-28705 XSA-389
# - CVE-2021-28709 XSA-389
+# 4.15.2-r0:
+# - CVE-2021-28706 XSA-385
+# - CVE-2021-28703 XSA-387
+# - CVE-2022-23033 XSA-393
+# - CVE-2022-23034 XSA-394
+# - CVE-2022-23035 XSA-395
case "$CARCH" in
x86*)
@@ -327,13 +333,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
stubdom-hack.patch
- xsa386.patch
- xsa390.patch
-
- xsa388-4.15-1.patch
- xsa388-4.15-2.patch
- xsa389-4.15.patch
-
xenstored.initd
xenstored.confd
xenconsoled.initd
@@ -556,7 +555,7 @@ EOF
}
sha512sums="
-8d3cbdf708f46477e32ee7cbd16a490c82efa855cecd84ee712b8680df4d69c987ba9ab00ff3851f627b98a8ebbc5dab71f92f142ed958ee2bc538bc792cd4b9 xen-4.15.1.tar.gz
+1cbf988fa8ed38b7ad724978958092ca0e5506e38c709c7d1af196fb8cb8ec0197a79867782761ef230b268624b3d7a0d5d0cd186f37d25f495085c71bf70d54 xen-4.15.2.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -567,17 +566,12 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz
0a63f83c9135d05c6bfe7c4d12da3ff76271e35305a4d5654bd5aefa9ee59f5363546c65820c42133deb0fb5a0a0bcaa9b1c48396f9f996acea0d492a5f03f33 ipxe-git-988d2c13cdf0f0b4140685af35ced70ac5b3283c.tar.gz
b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52 mini-os-__divmoddi4.patch
-1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
+23b74b048c884c75a47f7a8c59ac8596072220351179aac367e459d230abdeccb93903cbc7007d5858cc8fb0c0506d8d8d791f6fb0cae12482153bb76626c594 qemu-xen_paths.patch
1c9cb24bf67a2e84466572198315d5501627addf1ccd55d8d83df8d77d269a6696cd45e4a55601495168284e3bff58fb39853f56c46aaddd14f6191821678cf6 hotplug-vif-vtrill.patch
-2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
+e78c84dabe2dd77132b003c71730e378245f04110396d0a0e71aa4964309dd2cb63a802337833bd90cb9d7cef9918d4fc8879a6f978e8489800cd5e14f272fb3 xenqemu-xattr-size-max.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch
6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90 stubdom-hack.patch
-77811232c5cf199d24fb8e4a5367a56d56e61ad218397913fa22bd89d0dffabe92acfded246aa731d450f80dcffee84268b27e73e60f19eec15d0ada988a0574 xsa386.patch
-cce33b310272224b5974725804544f5fb4557efd8e29c8d2a4cb7ed62ae0346f90dcf22d38c39c4a55c6058b2af2f385901f202437daef64c006b8b0ba9e9f4c xsa390.patch
-af8ea4ad35a29270761c381f70acb5d6406dc964fb72193be38b3c28fc06fa0b8c18a91e73a97ebdb3a5ae420d72a87671370bd40ebda22815f85a5fb4217450 xsa388-4.15-1.patch
-837a80111ac436e637dece8396e0937ef6159c085465b63900a49d269e818264e38e8a3982a8aef03e236d77c23d80b4c7aaed2e021f0cbd1f89c77d86684dcd xsa388-4.15-2.patch
-84d5623aa06991767786be77d7d01b3224bcafa0a6acf648c1267199465945773247ef75ee77fd4d25063315627f820f2f4c6d63cb9cbdce1f9c96f28d784eb7 xsa389-4.15.patch
a8dda349cab62febf2ef506eb26d2ba494a649b1c37206519ae23f02a36f600b19996bb8a148e5f21a240ec53ecfcf971a07686b9ddcdad417563fdf39b2215f xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
1dd04f4bf1890771aa7eef0b6e46f7139487da0907d28dcdbef9fbe335dcf731ca391cfcb175dd82924f637a308de00a69ae981f67348c34f04489ec5e5dc3b7 xenconsoled.initd
diff --git a/main/xen/qemu-xen_paths.patch b/main/xen/qemu-xen_paths.patch
index e558d1f37f..5a1f212a14 100644
--- a/main/xen/qemu-xen_paths.patch
+++ b/main/xen/qemu-xen_paths.patch
@@ -1,11 +1,11 @@
---- ./tools/Makefile.orig
-+++ ./tools/Makefile
-@@ -219,6 +219,8 @@
- -L$(XEN_ROOT)/tools/xenstore \
- $(QEMU_UPSTREAM_RPATH)" \
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -245,6 +245,8 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi
+ $(EXTRA_CFLAGS_QEMU_XEN)" \
+ --extra-ldflags="$(QEMU_UPSTREAM_RPATH)" \
--bindir=$(LIBEXEC_BIN) \
+ --libexecdir=$(LIBEXEC_BIN) \
+ --sysconfdir=/etc/xen \
--datadir=$(SHAREDIR)/qemu-xen \
--localstatedir=$(localstatedir) \
- --disable-kvm \
+ --docdir=$(LIBEXEC)/share/doc \
diff --git a/main/xen/xenqemu-xattr-size-max.patch b/main/xen/xenqemu-xattr-size-max.patch
index b0c02cbdad..4a48ca0ce7 100644
--- a/main/xen/xenqemu-xattr-size-max.patch
+++ b/main/xen/xenqemu-xattr-size-max.patch
@@ -1,8 +1,8 @@
---- xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c.orig
-+++ xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c
-@@ -25,6 +25,10 @@
- #include "trace.h"
- #include "migration/migration.h"
+--- a/tools/qemu-xen/hw/9pfs/9p.c
++++ b/tools/qemu-xen/hw/9pfs/9p.c
+@@ -30,6 +30,10 @@
+ #include <math.h>
+ #include <linux/limits.h>
+#ifdef __linux__
+#include <linux/limits.h> /* for XATTR_SIZE_MAX */
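Review bot: The refreshed context line `#include <linux/limits.h>` shows the target file already pulling in that header unconditionally, directly above where this patch inserts its own `#ifdef __linux__` / `#include <linux/limits.h> /* for XATTR_SIZE_MAX */` pair. This hunk covers only the first eight lines of the patch file, so the remainder is not visible here. If it adds nothing beyond the closing `#endif`, the patch appears to be a no-op against the new qemu-xen tree and could be dropped from `source` and `sha512sums` instead of being rebased. Carrying a redundant patch leaves one more checksum to maintain and makes it harder to see which local changes still matter.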
diff --git a/main/xen/xsa386.patch b/main/xen/xsa386.patch
deleted file mode 100644
index 83f24d30d5..0000000000
--- a/main/xen/xsa386.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: fix deassign of device with RMRR
-Date: Fri, 1 Oct 2021 15:05:42 +0200
-
-Ignoring a specific error code here was not meant to short circuit
-deassign to _just_ the unmapping of RMRRs. This bug was previously
-hidden by the bogus (potentially indefinite) looping in
-pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
-cleanup continue when device de-assignment failed") fixed that loop.
-
-This is CVE-2021-28702 / XSA-386.
-
-Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
-Reported-by: Ivan Kardykov <kardykov@tabit.pro>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Tested-by: Ivan Kardykov <kardykov@tabit.pro>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -2409,7 +2409,7 @@ static int reassign_device_ownership(
- ret = iommu_identity_mapping(source, p2m_access_x,
- rmrr->base_address,
- rmrr->end_address, 0);
-- if ( ret != -ENOENT )
-+ if ( ret && ret != -ENOENT )
- return ret;
- }
- }
-
diff --git a/main/xen/xsa388-4.15-1.patch b/main/xen/xsa388-4.15-1.patch
deleted file mode 100644
index b4d900336b..0000000000
--- a/main/xen/xsa388-4.15-1.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/PoD: deal with misaligned GFNs
-
-Users of XENMEM_decrease_reservation and XENMEM_populate_physmap aren't
-required to pass in order-aligned GFN values. (While I consider this
-bogus, I don't think we can fix this there, as that might break existing
-code, e.g Linux'es swiotlb, which - while affecting PV only - until
-recently had been enforcing only page alignment on the original
-allocation.) Only non-PoD code paths (guest_physmap_{add,remove}_page(),
-p2m_set_entry()) look to be dealing with this properly (in part by being
-implemented inefficiently, handling every 4k page separately).
-
-Introduce wrappers taking care of splitting the incoming request into
-aligned chunks, without putting much effort in trying to determine the
-largest possible chunk at every iteration.
-
-Also "handle" p2m_set_entry() failure for non-order-0 requests by
-crashing the domain in one more place. Alongside putting a log message
-there, also add one to the other similar path.
-
-Note regarding locking: This is left in the actual worker functions on
-the assumption that callers aren't guaranteed atomicity wrt acting on
-multiple pages at a time. For mis-aligned GFNs gfn_lock() wouldn't have
-locked the correct GFN range anyway, if it didn't simply resolve to
-p2m_lock(), and for well-behaved callers there continues to be only a
-single iteration, i.e. behavior is unchanged for them. (FTAOD pulling
-out just pod_lock() into p2m_pod_decrease_reservation() would result in
-a lock order violation.)
-
-This is CVE-2021-28704 and CVE-2021-28707 / part of XSA-388.
-
-Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m-pod.c
-+++ b/xen/arch/x86/mm/p2m-pod.c
-@@ -496,7 +496,7 @@ p2m_pod_zero_check_superpage(struct p2m_
-
-
- /*
-- * This function is needed for two reasons:
-+ * This pair of functions is needed for two reasons:
- * + To properly handle clearing of PoD entries
- * + To "steal back" memory being freed for the PoD cache, rather than
- * releasing it.
-@@ -504,8 +504,8 @@ p2m_pod_zero_check_superpage(struct p2m_
- * Once both of these functions have been completed, we can return and
- * allow decrease_reservation() to handle everything else.
- */
--unsigned long
--p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
-+static unsigned long
-+decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
- {
- unsigned long ret = 0, i, n;
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
-@@ -552,8 +552,10 @@ p2m_pod_decrease_reservation(struct doma
- * All PoD: Mark the whole region invalid and tell caller
- * we're done.
- */
-- if ( p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid,
-- p2m->default_access) )
-+ int rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid,
-+ p2m->default_access);
-+
-+ if ( rc )
- {
- /*
- * If this fails, we can't tell how much of the range was changed.
-@@ -561,7 +563,12 @@ p2m_pod_decrease_reservation(struct doma
- * impossible.
- */
- if ( order != 0 )
-+ {
-+ printk(XENLOG_G_ERR
-+ "%pd: marking GFN %#lx (order %u) as non-PoD failed: %d\n",
-+ d, gfn_x(gfn), order, rc);
- domain_crash(d);
-+ }
- goto out_unlock;
- }
- ret = 1UL << order;
-@@ -670,6 +677,22 @@ out_unlock:
- return ret;
- }
-
-+unsigned long
-+p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
-+{
-+ unsigned long left = 1UL << order, ret = 0;
-+ unsigned int chunk_order = find_first_set_bit(gfn_x(gfn) | left);
-+
-+ do {
-+ ret += decrease_reservation(d, gfn, chunk_order);
-+
-+ left -= 1UL << chunk_order;
-+ gfn = gfn_add(gfn, 1UL << chunk_order);
-+ } while ( left );
-+
-+ return ret;
-+}
-+
- void p2m_pod_dump_data(struct domain *d)
- {
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
-@@ -1273,19 +1296,15 @@ remap_and_retry:
- return true;
- }
-
--
--int
--guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn_l,
-- unsigned int order)
-+static int
-+mark_populate_on_demand(struct domain *d, unsigned long gfn_l,
-+ unsigned int order)
- {
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
- gfn_t gfn = _gfn(gfn_l);
- unsigned long i, n, pod_count = 0;
- int rc = 0;
-
-- if ( !paging_mode_translate(d) )
-- return -EINVAL;
--
- gfn_lock(p2m, gfn, order);
-
- P2M_DEBUG("mark pod gfn=%#lx\n", gfn_l);
-@@ -1325,12 +1344,44 @@ guest_physmap_mark_populate_on_demand(st
-
- ioreq_request_mapcache_invalidate(d);
- }
-+ else if ( order )
-+ {
-+ /*
-+ * If this failed, we can't tell how much of the range was changed.
-+ * Best to crash the domain.
-+ */
-+ printk(XENLOG_G_ERR
-+ "%pd: marking GFN %#lx (order %u) as PoD failed: %d\n",
-+ d, gfn_l, order, rc);
-+ domain_crash(d);
-+ }
-
- out:
- gfn_unlock(p2m, gfn, order);
-
- return rc;
- }
-+
-+int
-+guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn,
-+ unsigned int order)
-+{
-+ unsigned long left = 1UL << order;
-+ unsigned int chunk_order = find_first_set_bit(gfn | left);
-+ int rc;
-+
-+ if ( !paging_mode_translate(d) )
-+ return -EINVAL;
-+
-+ do {
-+ rc = mark_populate_on_demand(d, gfn, chunk_order);
-+
-+ left -= 1UL << chunk_order;
-+ gfn += 1UL << chunk_order;
-+ } while ( !rc && left );
-+
-+ return rc;
-+}
-
- void p2m_pod_init(struct p2m_domain *p2m)
- {
diff --git a/main/xen/xsa388-4.15-2.patch b/main/xen/xsa388-4.15-2.patch
deleted file mode 100644
index ccccb20263..0000000000
--- a/main/xen/xsa388-4.15-2.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/PoD: handle intermediate page orders in p2m_pod_cache_add()
-
-p2m_pod_decrease_reservation() may pass pages to the function which
-aren't 4k, 2M, or 1G. Handle all intermediate orders as well, to avoid
-hitting the BUG() at the switch() statement's "default" case.
-
-This is CVE-2021-28708 / part of XSA-388.
-
-Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m-pod.c
-+++ b/xen/arch/x86/mm/p2m-pod.c
-@@ -112,15 +112,13 @@ p2m_pod_cache_add(struct p2m_domain *p2m
- /* Then add to the appropriate populate-on-demand list. */
- switch ( order )
- {
-- case PAGE_ORDER_1G:
-- for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M )
-+ case PAGE_ORDER_2M ... PAGE_ORDER_1G:
-+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M )
- page_list_add_tail(page + i, &p2m->pod.super);
- break;
-- case PAGE_ORDER_2M:
-- page_list_add_tail(page, &p2m->pod.super);
-- break;
-- case PAGE_ORDER_4K:
-- page_list_add_tail(page, &p2m->pod.single);
-+ case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1:
-+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K )
-+ page_list_add_tail(page + i, &p2m->pod.single);
- break;
- default:
- BUG();
diff --git a/main/xen/xsa389-4.15.patch b/main/xen/xsa389-4.15.patch
deleted file mode 100644
index 402a38e2d4..0000000000
--- a/main/xen/xsa389-4.15.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/P2M: deal with partial success of p2m_set_entry()
-
-M2P and PoD stats need to remain in sync with P2M; if an update succeeds
-only partially, respective adjustments need to be made. If updates get
-made before the call, they may also need undoing upon complete failure
-(i.e. including the single-page case).
-
-Log-dirty state would better also be kept in sync.
-
-Note that the change to set_typed_p2m_entry() may not be strictly
-necessary (due to the order restriction enforced near the top of the
-function), but is being kept here to be on the safe side.
-
-This is CVE-2021-28705 and CVE-2021-28709 / XSA-389.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -784,6 +784,7 @@ p2m_remove_page(struct p2m_domain *p2m,
- unsigned long i;
- p2m_type_t t;
- p2m_access_t a;
-+ int rc;
-
- /* IOMMU for PV guests is handled in get_page_type() and put_page(). */
- if ( !paging_mode_translate(p2m->domain) )
-@@ -819,8 +820,27 @@ p2m_remove_page(struct p2m_domain *p2m,
-
- ioreq_request_mapcache_invalidate(p2m->domain);
-
-- return p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid,
-- p2m->default_access);
-+ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid,
-+ p2m->default_access);
-+ if ( likely(!rc) || !mfn_valid(mfn) )
-+ return rc;
-+
-+ /*
-+ * The operation may have partially succeeded. For the failed part we need
-+ * to undo the M2P update and, out of precaution, mark the pages dirty
-+ * again.
-+ */
-+ for ( i = 0; i < (1UL << page_order); ++i )
-+ {
-+ p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, NULL, NULL);
-+ if ( !p2m_is_hole(t) && !p2m_is_special(t) && !p2m_is_shared(t) )
-+ {
-+ set_gpfn_from_mfn(mfn_x(mfn) + i, gfn_x(gfn) + i);
-+ paging_mark_pfn_dirty(p2m->domain, _pfn(gfn_x(gfn) + i));
-+ }
-+ }
-+
-+ return rc;
- }
-
- int
-@@ -1009,13 +1029,8 @@ guest_physmap_add_entry(struct domain *d
-
- /* Now, actually do the two-way mapping */
- rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access);
-- if ( rc == 0 )
-+ if ( likely(!rc) )
- {
-- pod_lock(p2m);
-- p2m->pod.entry_count -= pod_count;
-- BUG_ON(p2m->pod.entry_count < 0);
-- pod_unlock(p2m);
--
- if ( !p2m_is_grant(t) )
- {
- for ( i = 0; i < (1UL << page_order); i++ )
-@@ -1023,6 +1038,42 @@ guest_physmap_add_entry(struct domain *d
- gfn_x(gfn_add(gfn, i)));
- }
- }
-+ else
-+ {
-+ /*
-+ * The operation may have partially succeeded. For the successful part
-+ * we need to update M2P and dirty state, while for the failed part we
-+ * may need to adjust PoD stats as well as undo the earlier M2P update.
-+ */
-+ for ( i = 0; i < (1UL << page_order); ++i )
-+ {
-+ omfn = p2m->get_entry(p2m, gfn_add(gfn, i), &ot, &a, 0, NULL, NULL);
-+ if ( p2m_is_pod(ot) )
-+ {
-+ BUG_ON(!pod_count);
-+ --pod_count;
-+ }
-+ else if ( mfn_eq(omfn, mfn_add(mfn, i)) && ot == t &&
-+ a == p2m->default_access && !p2m_is_grant(t) )
-+ {
-+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i);
-+ paging_mark_pfn_dirty(d, _pfn(gfn_x(gfn) + i));
-+ }
-+ else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) )
-+ {
-+ ASSERT(mfn_valid(omfn));
-+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i);
-+ }
-+ }
-+ }
-+
-+ if ( pod_count )
-+ {
-+ pod_lock(p2m);
-+ p2m->pod.entry_count -= pod_count;
-+ BUG_ON(p2m->pod.entry_count < 0);
-+ pod_unlock(p2m);
-+ }
-
- out:
- p2m_unlock(p2m);
-@@ -1314,6 +1365,51 @@ static int set_typed_p2m_entry(struct do
- return 0;
- }
- }
-+
-+ P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn));
-+ rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access);
-+ if ( unlikely(rc) )
-+ {
-+ gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n",
-+ gfn_l, order, rc, mfn_x(mfn));
-+
-+ /*
-+ * The operation may have partially succeeded. For the successful part
-+ * we need to update PoD stats, M2P, and dirty state.
-+ */
-+ if ( order != PAGE_ORDER_4K )
-+ {
-+ unsigned long i;
-+
-+ for ( i = 0; i < (1UL << order); ++i )
-+ {
-+ p2m_type_t t;
-+ mfn_t cmfn = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0,
-+ NULL, NULL);
-+
-+ if ( !mfn_eq(cmfn, mfn_add(mfn, i)) || t != gfn_p2mt ||
-+ a != access )
-+ continue;
-+
-+ if ( p2m_is_ram(ot) )
-+ {
-+ ASSERT(mfn_valid(mfn_add(omfn, i)));
-+ set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY);
-+
-+ ioreq_request_mapcache_invalidate(d);
-+ }
-+#ifdef CONFIG_HVM
-+ else if ( p2m_is_pod(ot) )
-+ {
-+ pod_lock(p2m);
-+ BUG_ON(!p2m->pod.entry_count);
-+ --p2m->pod.entry_count;
-+ pod_unlock(p2m);
-+ }
-+#endif
-+ }
-+ }
-+ }
- else if ( p2m_is_ram(ot) )
- {
- unsigned long i;
-@@ -1326,12 +1422,6 @@ static int set_typed_p2m_entry(struct do
-
- ioreq_request_mapcache_invalidate(d);
- }
--
-- P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn));
-- rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access);
-- if ( rc )
-- gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n",
-- gfn_l, order, rc, mfn_x(mfn));
- #ifdef CONFIG_HVM
- else if ( p2m_is_pod(ot) )
- {
diff --git a/main/xen/xsa390.patch b/main/xen/xsa390.patch
deleted file mode 100644
index 3c008a9bc2..0000000000
--- a/main/xen/xsa390.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: fix reduced page table levels support when sharing tables
-
-domain_pgd_maddr() contains logic to adjust the root address to be put
-in the context entry in case 4-level page tables aren't supported by an
-IOMMU. This logic may not be bypassed when sharing page tables.
-
-This is CVE-2021-28710 / XSA-390.
-
-Fixes: 25ccd093425c ("iommu: remove the share_p2m operation")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -340,19 +340,21 @@ static uint64_t domain_pgd_maddr(struct
- {
- pagetable_t pgt = p2m_get_pagetable(p2m_get_hostp2m(d));
-
-- return pagetable_get_paddr(pgt);
-+ pgd_maddr = pagetable_get_paddr(pgt);
- }
--
-- if ( !hd->arch.vtd.pgd_maddr )
-+ else
- {
-- /* Ensure we have pagetables allocated down to leaf PTE. */
-- addr_to_dma_page_maddr(d, 0, 1);
--
- if ( !hd->arch.vtd.pgd_maddr )
-- return 0;
-- }
-+ {
-+ /* Ensure we have pagetables allocated down to leaf PTE. */
-+ addr_to_dma_page_maddr(d, 0, 1);
-
-- pgd_maddr = hd->arch.vtd.pgd_maddr;
-+ if ( !hd->arch.vtd.pgd_maddr )
-+ return 0;
-+ }
-+
-+ pgd_maddr = hd->arch.vtd.pgd_maddr;
-+ }
-
- /* Skip top levels of page tables for 2- and 3-level DRHDs. */
- for ( agaw = level_to_agaw(4);
diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD
index d77f7f31af..0d9a8c943b 100644
--- a/main/xtables-addons-lts/APKBUILD
+++ b/main/xtables-addons-lts/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.93
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/xz/APKBUILD b/main/xz/APKBUILD
index a8022f590e..1e4bd3c428 100644
--- a/main/xz/APKBUILD
+++ b/main/xz/APKBUILD
@@ -2,13 +2,18 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xz
pkgver=5.2.5
-pkgrel=0
+pkgrel=1
pkgdesc="Library and CLI tools for XZ and LZMA compressed files"
url="https://tukaani.org/xz"
arch="all"
license="GPL-2.0-or-later AND Public-Domain AND LGPL-2.1-or-later"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://tukaani.org/xz/xz-$pkgver.tar.xz"
+source="https://tukaani.org/xz/xz-$pkgver.tar.xz
+ xzgrep-ZDI-CAN-16587.patch"
+
+# secfixes:
+# 5.2.5-r1:
+# - CVE-2022-1271
build() {
./configure \
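Review bot: The new `secfixes` entry names CVE-2022-1271, but the only file added to `source` is `xzgrep-ZDI-CAN-16587.patch`, and that patch's message refers to ZDI-CAN-16587 without ever mentioning the CVE, so nothing in the aport records that the two identifiers are the same issue. A plain comment above `source=`, for example `# xzgrep-ZDI-CAN-16587.patch is the fix for CVE-2022-1271`, would let an auditor confirm which file carries the fix without leaving the package directory. Keep it outside the `# secfixes:` block so its layout stays unchanged. `build()` continues outside this hunk.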
@@ -38,4 +43,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz"
+sha512sums="
+59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz
+52b16268e333399444f433a11ccf3a9b020a6914ed23fc8e082128fec596011d7c6863d47414d4c0f245d20ebed4b3a50b422599b4b88d66f6c6eb2e74b9a939 xzgrep-ZDI-CAN-16587.patch
+"
diff --git a/main/xz/xzgrep-ZDI-CAN-16587.patch b/main/xz/xzgrep-ZDI-CAN-16587.patch
new file mode 100644
index 0000000000..406ded5903
--- /dev/null
+++ b/main/xz/xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
+--
+2.35.1
+
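Review bot: The new `LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/'` escapes exactly the characters that are special in the replacement part of `sed_script="s|^|$i|"` (`&`, backslash, the `|` delimiter and newline), but nothing in the script says these two lines depend on each other. A later edit that changes the delimiter in `sed_script` without extending the bracket expression would bring back the unescaped-filename problem this patch closes. I would add `# The escaped set must include the delimiter used in sed_script below.` next to the existing "Escape & \ | and newlines" comment. The enclosing `for i; do` loop starts and ends outside the hunk.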
diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD
index a252129191..94d6c1430c 100644
--- a/main/zfs-lts/APKBUILD
+++ b/main/zfs-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.88
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zlib/APKBUILD b/main/zlib/APKBUILD
index e9f33ee647..989c41687b 100644
--- a/main/zlib/APKBUILD
+++ b/main/zlib/APKBUILD
@@ -1,13 +1,20 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zlib
-pkgver=1.2.11
-pkgrel=3
+pkgver=1.2.12
+pkgrel=1
pkgdesc="A compression/decompression Library"
arch="all"
license="Zlib"
url="https://zlib.net/"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
-source="https://zlib.net/zlib-$pkgver.tar.gz"
+source="https://zlib.net/zlib-$pkgver.tar.gz
+ Fix-CC-logic-in-configure.patch
+ configure-Pass-LDFLAGS-to-link-tests.patch
+ crc32.patch
+ "
+# secfixes:
+# 1.2.12-r0:
+# - CVE-2018-25032
build() {
# we trade size for a little more speed.
@@ -29,4 +36,9 @@ package() {
DESTDIR="$pkgdir"
}
-sha512sums="73fd3fff4adeccd4894084c15ddac89890cd10ef105dd5e1835e1e9bbb6a49ff229713bd197d203edfa17c2727700fce65a2a235f07568212d820dca88b528ae zlib-1.2.11.tar.gz"
+sha512sums="
+cc2366fa45d5dfee1f983c8c51515e0cff959b61471e2e8d24350dea22d3f6fcc50723615a911b046ffc95f51ba337d39ae402131a55e6d1541d3b095d6c0a14 zlib-1.2.12.tar.gz
+faa19991e88cbfd624ac9ce4a0ba12e3d7d54f88680b1a0a156a542a45bafe2053d69c6f309327817f7cc74f5765204bbb3c56ff531efd29d8fd6bb682c78598 Fix-CC-logic-in-configure.patch
+76179eb7e498aef5bc88c3f826c6f2506a2d3c3a2e2560ef1825bd4a9297d68b0d2390619a4b3b0b2e6dde765431e5fba18fd15fbd1ad99827244f8f9bdbd909 configure-Pass-LDFLAGS-to-link-tests.patch
+38f0593a0bc17336d31191b7af684e31ec2eb34bd3add49bcb1f95c5e2bfb4405ffc341c2650d52c4fbf417ab4f80a0cc82fb868c9816b04d25210ae29a71f2c crc32.patch
+"
diff --git a/main/zlib/Fix-CC-logic-in-configure.patch b/main/zlib/Fix-CC-logic-in-configure.patch
new file mode 100644
index 0000000000..f34c40445d
--- /dev/null
+++ b/main/zlib/Fix-CC-logic-in-configure.patch
@@ -0,0 +1,43 @@
+From 80d086357a55b94a13e43756cf3e131f25eef0e4 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Mon, 28 Mar 2022 08:40:45 +0100
+Subject: [PATCH] Fix CC logic in configure
+
+In https://github.com/madler/zlib/commit/e9a52aa129efe3834383e415580716a7c4027f8d,
+the logic was changed to try check harder for GCC, but it dropped
+the default setting of cc=${CC}. It was throwing away any pre-set CC value as
+a result.
+
+The rest of the script then cascades down a bad path because it's convinced
+it's not GCC or a GCC-like compiler.
+
+This led to e.g. misdetection of inability to build shared libs
+for say, multilib cases (w/ CC being one thing from the environment being used
+for one test (e.g. x86_64-unknown-linux-gnu-gcc -m32 and then 'cc' used for
+shared libs (but missing "-m32"!)). Obviously just one example of how
+the old logic could break.
+
+This restores the old default of 'CC' if nothing overrides it later
+in configure.
+
+Bug: https://bugs.gentoo.org/836308
+Signed-off-by: Sam James <sam@gentoo.org>
+---
+ configure | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure b/configure
+index 52ff4a04e..3fa3e8618 100755
+--- a/configure
++++ b/configure
+@@ -174,7 +174,10 @@ if test -z "$CC"; then
+ else
+ cc=${CROSS_PREFIX}cc
+ fi
++else
++ cc=${CC}
+ fi
++
+ cflags=${CFLAGS-"-O3"}
+ # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure
+ case "$cc" in
diff --git a/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch
new file mode 100644
index 0000000000..3689dd88d6
--- /dev/null
+++ b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch
@@ -0,0 +1,74 @@
+From 37c9730ba474d274f4cc6a974943eef95087b9f6 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 8 Mar 2022 22:38:47 -0800
+Subject: [PATCH] configure: Pass LDFLAGS to link tests
+
+LDFLAGS can contain critical flags without which linking wont succeed
+therefore ensure that all configure tests involving link time checks are
+using LDFLAGS on compiler commandline along with CFLAGS to ensure the
+tests perform correctly. Without this some tests may fail resulting in
+wrong confgure result, ending in miscompiling the package
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/configure b/configure
+index e974d1fd7..69dfa3f69 100755
+--- a/configure
++++ b/configure
+@@ -410,7 +410,7 @@ if test $shared -eq 1; then
+ echo Checking for shared library support... | tee -a configure.log
+ # we must test in two steps (cc then ld), required at least on SunOS 4.x
+ if try $CC -w -c $SFLAGS $test.c &&
+- try $LDSHARED $SFLAGS -o $test$shared_ext $test.o; then
++ try $LDSHARED $SFLAGS $LDFLAGS -o $test$shared_ext $test.o; then
+ echo Building shared library $SHAREDLIBV with $CC. | tee -a configure.log
+ elif test -z "$old_cc" -a -z "$old_cflags"; then
+ echo No shared library support. | tee -a configure.log
+@@ -492,7 +492,7 @@ int main(void) {
+ }
+ EOF
+ fi
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ sizet=`./$test`
+ echo "Checking for a pointer-size integer type..." $sizet"." | tee -a configure.log
+ else
+@@ -530,7 +530,7 @@ int main(void) {
+ return 0;
+ }
+ EOF
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for fseeko... Yes." | tee -a configure.log
+ else
+ CFLAGS="${CFLAGS} -DNO_FSEEKO"
+@@ -547,7 +547,7 @@ cat > $test.c <<EOF
+ #include <errno.h>
+ int main() { return strlen(strerror(errno)); }
+ EOF
+-if try $CC $CFLAGS -o $test $test.c; then
++if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for strerror... Yes." | tee -a configure.log
+ else
+ CFLAGS="${CFLAGS} -DNO_STRERROR"
+@@ -654,7 +654,7 @@ int main()
+ return (mytest("Hello%d\n", 1));
+ }
+ EOF
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for vsnprintf() in stdio.h... Yes." | tee -a configure.log
+
+ echo >> configure.log
+@@ -744,7 +744,7 @@ int main()
+ }
+ EOF
+
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for snprintf() in stdio.h... Yes." | tee -a configure.log
+
+ echo >> configure.log
diff --git a/main/zlib/crc32.patch b/main/zlib/crc32.patch
new file mode 100644
index 0000000000..85a6a7e3ab
--- /dev/null
+++ b/main/zlib/crc32.patch
@@ -0,0 +1,51 @@
+From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 30 Mar 2022 11:14:53 -0700
+Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
+
+The previous releases of zlib were not sensitive to incorrect CRC
+inputs with bits set above the low 32. This commit restores that
+behavior, so that applications with such bugs will continue to
+operate as before.
+---
+ crc32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index a1bdce5c2..451887bc7 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ /* Compute the CRC up to a word boundary. */
+ while (len && ((z_size_t)buf & 7) != 0) {
+@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ #ifdef W
+
+@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+ #ifdef DYNAMIC_CRC_TABLE
+ once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
+ }
+
+ /* ========================================================================= */
+@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
+ uLong crc2;
+ uLong op;
+ {
+- return multmodp(op, crc1) ^ crc2;
++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
+ }
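Review bot: In `crc32_combine64` and `crc32_combine_op` only `crc2` receives the explicit `& 0xffffffff`; `crc1` is still passed to `multmodp()` with whatever high bits the caller supplied. That is harmless only if `multmodp()`'s parameter type is 32 bits wide, which is declared outside these hunks and should be confirmed for every target the package builds on. If it holds, a comment such as `/* crc1 is truncated by multmodp()'s parameter type; crc2 needs the explicit mask */` would record why the two inputs are treated differently. If it does not hold, `crc1 & 0xffffffff` belongs in both calls.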
diff --git a/main/zsh/APKBUILD b/main/zsh/APKBUILD
index b2712b5293..ec68e1e954 100644
--- a/main/zsh/APKBUILD
+++ b/main/zsh/APKBUILD
@@ -3,6 +3,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 5.8.1-r0:
+# - CVE-2021-45444
# 5.8-r0:
# - CVE-2019-20044
# 5.4.2-r1:
@@ -10,8 +12,8 @@
# - CVE-2018-1071
#
pkgname=zsh
-pkgver=5.8
-pkgrel=2
+pkgver=5.8.1
+pkgrel=0
pkgdesc="Very advanced and programmable command interpreter (shell)"
url="https://www.zsh.org/"
arch="all"
@@ -174,5 +176,7 @@ _submv() {
mv "$pkgdir"/$path "$subpkgdir"/${path%/*}/
}
-sha512sums="96198ecef498b7d7945fecebbe6bf14065fa8c5d81a7662164579eba8206b79575812d292adea1864bc7487ac0818ba900e25f9ab3802449340de80417c2c533 zsh-5.8.tar.xz
-1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile"
+sha512sums="
+f54a5a47ed15d134902613f6169c985680afc45a67538505e11b66b348fcb367145e9b8ae2d9eac185e07ef5f97254b85df01ba97294002a8c036fd02ed5e76d zsh-5.8.1.tar.xz
+1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile
+"