19 files changed, 791 insertions, 23 deletions

diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD
index 76817f0e6ac..79d8f73d8ac 100644
--- a/main/binutils/APKBUILD
+++ b/main/binutils/APKBUILD
@@ -16,6 +16,7 @@ source="https://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.xz
 	ld-bfd-mips.patch
 	CVE-2021-3487.patch
 	"
+builddir="$srcdir/$pkgname-$pkgver"
 
 if [ "$CHOST" != "$CTARGET" ]; then
 	pkgname="$pkgname-$CTARGET_ARCH"
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 1998d3dd4f8..d3d2844c272 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -8,7 +8,8 @@ pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url="https://busybox.net/"
 arch="all"
 license="GPL-2.0-only"
-makedepends_host="linux-headers openssl-dev libtls-standalone-dev perl"
+makedepends_build="perl"
+makedepends_host="linux-headers openssl-dev libtls-standalone-dev"
 makedepends="$makedepends_build $makedepends_host"
 checkdepends="zip"
 provides="/bin/sh"
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index c81d6632a0a..38e0b40206e 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ca-certificates
-pkgver=20211220
+pkgver=20220614
 pkgrel=0
 pkgdesc="Common CA certificates PEM files from Mozilla"
 url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
@@ -64,5 +64,5 @@ bundle() {
 }
 
 sha512sums="
-6b486384c80b29632939a28524acfeeedc60f5df44da86bc16ce79f3cf2ff464455e963ebeb410c3072829b9083215961b32c18673ff77b211652d4c1e870799  ca-certificates-20211220.tar.bz2
+8e20d3021222bb3b470a935d34ffe23e7857bf0b7fedda5284049155aab01bc88ab54ae939376968fb7fbff41e6b06bd32e34405210a8e74faadb68ffa6d9dd4  ca-certificates-20220614.tar.bz2
 "
diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD
index b4a63a44a5b..67b31fa38ec 100644
--- a/main/cairo/APKBUILD
+++ b/main/cairo/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cairo
 pkgver=1.16.0
-pkgrel=3
+pkgrel=5
 pkgdesc="A vector graphics library"
 url="https://cairographics.org/"
 arch="all"
@@ -17,10 +17,13 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
 	CVE-2018-19876.patch
 	pdf-flush.patch
 	85.patch
+	fix-inf-loop.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   1.16.0-r5:
+#     - CVE-2019-6462
 #   1.16.0-r3:
 #     - CVE-2020-35492
 #   1.16.0-r1:
@@ -70,8 +73,11 @@ tools() {
 		"$subpkgdir"/usr/lib/cairo/
 }
 
-sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f  cairo-1.16.0.tar.xz
+sha512sums="
+9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f  cairo-1.16.0.tar.xz
 86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0  musl-stacksize.patch
 8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3  CVE-2018-19876.patch
 533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81  pdf-flush.patch
-20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0  85.patch"
+20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0  85.patch
+ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b  fix-inf-loop.patch
+"
diff --git a/main/cairo/fix-inf-loop.patch b/main/cairo/fix-inf-loop.patch
new file mode 100644
index 00000000000..2a26876c36d
--- /dev/null
+++ b/main/cairo/fix-inf-loop.patch
@@ -0,0 +1,36 @@
+From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@worldiety.de>
+Date: Sat, 17 Apr 2021 19:15:03 +0200
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ 	{ M_PI / 11.0,  9.81410988043554039085e-09 },
+     };
+     int table_size = ARRAY_LENGTH (table);
++    const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+ 
+     for (i = 0; i < table_size; i++)
+ 	if (table[i].error < tolerance)
+ 	    return table[i].angle;
+ 
+     ++i;
++
+     do {
+ 	angle = M_PI / i++;
+ 	error = _arc_error_normalized (angle);
+-    } while (error > tolerance);
++    } while (error > tolerance && i < max_segments);
+ 
+     return angle;
+ }
+-- 
+GitLab
+
diff --git a/main/fcgiwrap/APKBUILD b/main/fcgiwrap/APKBUILD
index ec5214f2acd..d96a516a190 100644
--- a/main/fcgiwrap/APKBUILD
+++ b/main/fcgiwrap/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=fcgiwrap
 pkgver=1.1.0
-pkgrel=5
+pkgrel=6
 pkgdesc="Simple server for running CGI applications over FastCGI"
 url="https://github.com/gnosek/fcgiwrap"
 arch="all"
@@ -13,6 +13,7 @@ install="$pkgname.pre-install"
 makedepends="$depends_dev autoconf libtool automake fcgi-dev"
 subpackages="$pkgname-doc $pkgname-openrc"
 source="$pkgname-$pkgver.tar.gz::https://github.com/gnosek/fcgiwrap/archive/$pkgver.tar.gz
+	no-buffering.patch
 	$pkgname.initd
 	$pkgname.confd"
 
@@ -36,6 +37,9 @@ package() {
 	install -Dm644 $srcdir/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname
 }
 
-sha512sums="b8d35762d1d3c94a67602290b0092f0c38cffbbcd3dbc16597abf8b92172909b04450c238de2e430e841a17dd47fdd48d6a001f77539966980ef1af61e447ddc  fcgiwrap-1.1.0.tar.gz
+sha512sums="
+b8d35762d1d3c94a67602290b0092f0c38cffbbcd3dbc16597abf8b92172909b04450c238de2e430e841a17dd47fdd48d6a001f77539966980ef1af61e447ddc  fcgiwrap-1.1.0.tar.gz
+72ba8a0d044c86cc41358002b1cbb94e77dc81e56669032b474b94d7cde80e6cc5d041a064d79ed98b7db8aee9ffcc8830df88491f14afa251781487a57fd429  no-buffering.patch
 e6111da1089df43f8656e598edf4e658cd2d70e6066833a2c7a465229723e1edce144cf214bd8f771298d54948b8128012c4ce4d509c9d9307a54e8ef90ff2d8  fcgiwrap.initd
-893e9afa92c20c9d0dab68fffc806a1be1f2e28a7e73bbb497316386a9ee083be4bad68a90f660e489311a9812a512b50fb0edb8b9c49b12f6cd266ba53b01a6  fcgiwrap.confd"
+893e9afa92c20c9d0dab68fffc806a1be1f2e28a7e73bbb497316386a9ee083be4bad68a90f660e489311a9812a512b50fb0edb8b9c49b12f6cd266ba53b01a6  fcgiwrap.confd
+"
diff --git a/main/fcgiwrap/no-buffering.patch b/main/fcgiwrap/no-buffering.patch
new file mode 100644
index 00000000000..3d5f0038ee9
--- /dev/null
+++ b/main/fcgiwrap/no-buffering.patch
@@ -0,0 +1,58 @@
+From eb54c65446693366aedfe72f002c6bb4e1a5d748 Mon Sep 17 00:00:00 2001
+From: Richard Stanway <r.stanway@gmail.com>
+Date: Thu, 24 Mar 2016 21:34:17 -0500
+Subject: [PATCH] Add environment variable NO_BUFFERING to disable output
+ buffering
+
+Fixes #36
+---
+ fcgiwrap.8 | 4 ++++
+ fcgiwrap.c | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/fcgiwrap.8 b/fcgiwrap.8
+index bf02c26..892b594 100644
+--- a/fcgiwrap.8
++++ b/fcgiwrap.8
+@@ -65,6 +65,10 @@
+ SCRIPT_FILENAME
+ .RS
+ complete path to CGI script. When set, overrides DOCUMENT_ROOT and SCRIPT_NAME
++.RE
++NO_BUFFERING
++.RS
++When set (e.g., to ""), disables output buffering.
+ 
+ .SH EXAMPLE
+ The fastest way to see \fBfcgiwrap\fP do something is to launch it at the command line
+diff --git a/fcgiwrap.c b/fcgiwrap.c
+index b44d8aa..42e3ec9 100644
+--- a/fcgiwrap.c
++++ b/fcgiwrap.c
+@@ -191,6 +191,7 @@ struct fcgi_context {
+ 	int fd_stderr;
+ 	unsigned int reply_state;
+ 	pid_t cgi_pid;
++	int unbuffered;
+ };
+ 
+ static void fcgi_finish(struct fcgi_context *fc, const char* msg)
+@@ -256,6 +257,10 @@ static const char * fcgi_pass_fd(struct fcgi_context *fc, int *fdp, FCGI_FILE *f
+ 				return "writing CGI reply";
+ 			}
+ 		}
++
++		if (fc->unbuffered && FCGI_fflush(ffp)) {
++			return "flushing CGI reply";
++		}
+ 	} else {
+ 		if (nread < 0) {
+ 			return "reading CGI reply";
+@@ -590,6 +595,7 @@ static void handle_fcgi_request(void)
+ 			fc.fd_stderr = pipe_err[0];
+ 			fc.reply_state = REPLY_STATE_INIT;
+ 			fc.cgi_pid = pid;
++			fc.unbuffered = !!getenv("NO_BUFFERING");
+ 
+ 			fcgi_pass(&fc);
+ 	}
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 947500924fa..798c89fae90 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=freetype
 pkgver=2.10.4
-pkgrel=1
+pkgrel=2
 pkgdesc="TrueType font rendering library"
 url="https://www.freetype.org/"
 arch="all"
@@ -14,9 +14,14 @@ source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar
 	0001-Enable-table-validation-modules.patch
 	subpixel.patch
 	CVE-2022-27404.patch
+	CVE-2022-27405.patch
+	CVE-2022-27406.patch
 	"
 
 # secfixes:
+#   2.10.4-r2:
+#     - CVE-2022-27405
+#     - CVE-2022-27406
 #   2.10.4-r1:
 #     - CVE-2022-27404
 #   2.10.4-r0:
@@ -59,4 +64,6 @@ sha512sums="
 580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763  0001-Enable-table-validation-modules.patch
 72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190  subpixel.patch
 a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f  CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf  CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804  CVE-2022-27406.patch
 "
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 00000000000..47668676013
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
+
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 00000000000..0fdef7d2164
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
+
diff --git a/main/gcc/APKBUILD b/main/gcc/APKBUILD
index fe52d00a805..afffad628f6 100644
--- a/main/gcc/APKBUILD
+++ b/main/gcc/APKBUILD
@@ -14,7 +14,7 @@ license="GPL-2.0-or-later LGPL-2.1-or-later"
 _gccrel=$pkgver-r$pkgrel
 depends="binutils$_target isl"
 makedepends_build="gcc$_cross g++$_cross paxmark bison flex texinfo gawk zip gmp-dev mpfr-dev mpc1-dev zlib-dev"
-makedepends_host="linux-headers gmp-dev mpfr-dev mpc1-dev isl-dev zlib-dev !gettext-dev $pkgname-gnat-bootstrap"
+makedepends_host="linux-headers gmp-dev mpfr-dev mpc1-dev isl-dev zlib-dev !gettext-dev"
 subpackages=" "
 [ "$CHOST" = "$CTARGET" ] && subpackages="gcc-doc$_target"
 replaces="libstdc++ binutils"
@@ -144,7 +144,8 @@ fi
 if $LANG_ADA; then
 	subpackages="$subpackages libgnat::$CTARGET_ARCH gcc-gnat$_target:gnat"
 	_languages="$_languages,ada"
-	makedepends_build="$makedepends_build gcc-gnat gcc-gnat$_cross"
+	[ "$CBUILD" = "$CTARGET" ] && makedepends_build="$makedepends_build gcc-gnat-bootstrap"
+	[ "$CBUILD" != "$CTARGET" ] && makedepends_build="$makedepends_build gcc-gnat gcc-gnat$_cross"
 fi
 makedepends="$makedepends_build $makedepends_host"
 
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index ab8e37a148a..e831425ecf8 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Milan P. Stanić <mps@arvanta.net>
 pkgname=haproxy
-pkgver=2.2.23
+pkgver=2.2.24
 _pkgmajorver=${pkgver%.*}
 pkgrel=0
 pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -56,7 +56,7 @@ package() {
 }
 
 sha512sums="
-8e4f0e72fbeae0bf31533c74f9d518f4825702f1f7b36137a224a35ba08cbeefbbf587fa0b7ca11cb7306bf64eebc0d0e8aead505a1d53037148e1572c831ff4  haproxy-2.2.23.tar.gz
+021d065e53503248de122fdd9431786b9f375a5f87aca76f870e17e44c8c4001a778bfb4e430b28af781a3f175f3643a549e363e964210c717f212c5966e68d8  haproxy-2.2.24.tar.gz
 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26  haproxy.initd
 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f  haproxy.cfg
 "
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index c67ed02d820..6c57ab093ea 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
 # Contributor: Jake Buchholz <tomalok@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mariadb
-pkgver=10.4.24
+pkgver=10.4.25
 pkgrel=0
 pkgdesc="A fast SQL database server"
 url="https://www.mariadb.org/"
@@ -46,6 +46,31 @@ source="https://archive.mariadb.org/mariadb-$pkgver/source/mariadb-$pkgver.tar.g
 #options="!check"
 
 # secfixes:
+#   10.4.25-r0:
+#     - CVE-2022-21427
+#     - CVE-2022-27376
+#     - CVE-2022-27377
+#     - CVE-2022-27378
+#     - CVE-2022-27379
+#     - CVE-2022-27380
+#     - CVE-2022-27381
+#     - CVE-2022-27382
+#     - CVE-2022-27383
+#     - CVE-2022-27384
+#     - CVE-2022-27386
+#     - CVE-2022-27387
+#     - CVE-2022-27444
+#     - CVE-2022-27445
+#     - CVE-2022-27446
+#     - CVE-2022-27447
+#     - CVE-2022-27448
+#     - CVE-2022-27449
+#     - CVE-2022-27451
+#     - CVE-2022-27452
+#     - CVE-2022-27455
+#     - CVE-2022-27456
+#     - CVE-2022-27457
+#     - CVE-2022-27458
 #   10.4.24-r0:
 #     - CVE-2021-46659
 #     - CVE-2021-46661
@@ -476,7 +501,7 @@ _plugin_rocksdb() {
 }
 
 sha512sums="
-031eb369b3c8e9a6c840396010b40dc6fb99dd29bb04369ab5217637b9ef1feee27208fd5126d87e687ca4a39a0f1f7aa01e77b565a76953876814b045a47e49  mariadb-10.4.24.tar.gz
+27ad62985e19c877623d1512adcbec44e714ca50da9d303eab12bc2ad67dcae45d48a1aa010ad554341c46a1c5db7ee26c14570b9fa55fb71caf9979dd12671e  mariadb-10.4.25.tar.gz
 c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c  mariadb.initd
 70da971aa78815495098205bcbd28428430aa83c3f1050fec0231ca86af9d9def2d2108a48ee08d86812c8dc5ad8ab1ef4e17a49b4936ed5187ae0f6a7ef8f63  pcre.cmake.patch
 dbd0970ea34e8bc8510431b3dc78f90b68be6f84bd27909a88516a469c2d5b402cfa62c548d78bac1e3eb717bb1b361cc375a3a77321a497e16dfba883233949  ppc-remove-glibc-dep.patch
diff --git a/main/mqtt-exec/APKBUILD b/main/mqtt-exec/APKBUILD
index 98f35288f43..28dc57d3af8 100644
--- a/main/mqtt-exec/APKBUILD
+++ b/main/mqtt-exec/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mqtt-exec
 pkgver=0.4
-pkgrel=5
+pkgrel=6
 pkgdesc="simple MQTT client that executes a command on messages"
 url="https://github.com/ncopa/mqtt-exec"
 arch="all"
@@ -15,6 +15,7 @@ source="mqtt-exec-$pkgver.tar.gz::https://github.com/ncopa/mqtt-exec/archive/v$p
 	0001-authentication-expose-authentication-with-credential.patch
 	0001-Let-library-generate-client-id-when-unset.patch
 	mqtt-exec.initd
+	mqtt-exec.confd
 	"
 
 builddir="$srcdir"/mqtt-exec-$pkgver
@@ -31,7 +32,10 @@ package() {
 		"$pkgdir"/etc/init.d/mqtt-exec || return 1
 }
 
-sha512sums="1448b2dda0f27a5275c113331ea2bc073ec1740797c1bb5b472ee3e0fd4d3ef4bcdfa6dc42e7540ee154b291c3d70df89f0646899ebb1bfe585d1384797de5e7  mqtt-exec-0.4.tar.gz
+sha512sums="
+1448b2dda0f27a5275c113331ea2bc073ec1740797c1bb5b472ee3e0fd4d3ef4bcdfa6dc42e7540ee154b291c3d70df89f0646899ebb1bfe585d1384797de5e7  mqtt-exec-0.4.tar.gz
 418058ecc05922df186d0dcbfeab7656977256a143f0346406598d1cf7331d3ba95a9b004bf3b6581be2e3cb2fbf5e69d7954b4c7ac488863f0318506c7f1c7c  0001-authentication-expose-authentication-with-credential.patch
 7007ad1afcba6b5c0e6224a30e3a6c1b9ce178603b27f575bb76d7b979b8e7f4c4c1226afa3ff8cf1f217fff832d0a69cff1cfbc205203dcb8a98afbf6f345ed  0001-Let-library-generate-client-id-when-unset.patch
-7e0c461d5ed73fb8bac1da5f78bb7d8204f692fc3980ee916057c19c3673591d4143a71cc846f863566abfcc9ada22281bb690bc146e9ae37f43896248e5ed4a  mqtt-exec.initd"
+f8cab7fe709fc80b3a75f1d65d55e10c05a4b27e319a9190d3ee78050fea86d8c6512e3d624b8b413dab01b2043bed5f672453090251b93d261d79125f9f0d17  mqtt-exec.initd
+e5cce69f5ad1f0fcf0eb0be7675c2f4ca4ba5518e8303adb16673b7e402dbe8d48b57c4b4512a0d3aba4541241d2ddeca68b88354d089606f67a5549508b44b5  mqtt-exec.confd
+"
diff --git a/main/mqtt-exec/mqtt-exec.confd b/main/mqtt-exec/mqtt-exec.confd
new file mode 100644
index 00000000000..10a14760bbb
--- /dev/null
+++ b/main/mqtt-exec/mqtt-exec.confd
@@ -0,0 +1,23 @@
+# The MQTT broker to connect to
+#mqtt_broker=msg.alpinelinux.org
+
+# The topics to subscribe to. Separate topics by whitespace.
+#mqtt_topics=
+
+# Set the topic for the Will
+#will_topic=
+
+# Whether the Will should be retained or not
+#will_retain=yes
+
+# The message in the Will
+#will_payload=
+
+# QOS level for the Will
+#will_qos=
+
+# Optional username to authenticate as
+#mqtt_user=
+
+# Password for the user
+#export MQTT_EXEC_PASSWORD=
diff --git a/main/mqtt-exec/mqtt-exec.initd b/main/mqtt-exec/mqtt-exec.initd
index ff94d01d449..c9d4e941cb9 100644
--- a/main/mqtt-exec/mqtt-exec.initd
+++ b/main/mqtt-exec/mqtt-exec.initd
@@ -34,6 +34,9 @@ start_pre() {
 	if [ -n "$will_qos" ]; then
 		set -- "$@" --will-qos "$will_qos"
 	fi
+	if [ -n "$mqtt_user" ]; then
+		set -- "$@" --username "$mqtt_user"
+	fi
 
 	set -- "$@" -- ${exec_command}
 
diff --git a/main/nettle/APKBUILD b/main/nettle/APKBUILD
index 79c643351ca..70077290143 100644
--- a/main/nettle/APKBUILD
+++ b/main/nettle/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
 pkgname=nettle
 pkgver=3.5.1
-pkgrel=1
+pkgrel=2
 pkgdesc="A low-level cryptographic library"
 url="https://www.lysator.liu.se/~nisse/nettle/"
 arch="all"
@@ -11,9 +11,16 @@ license="LGPL-2.0-or-later"
 depends_dev="gmp-dev"
 makedepends="$depends_dev m4"
 subpackages="$pkgname-static $pkgname-dev $pkgname-utils"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2021-3580.patch
+	"
+
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   3.5.1-r2:
+#     - CVE-2021-3580
+
 build() {
 	./configure \
 		--build=$CBUILD \
@@ -48,4 +55,7 @@ utils() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-sha512sums="f738121b9091cbe79435fb5d46b45cf6f10912320c233829356908127bab1cac6946ca56e022a832380c44f2c10f21d2feef64cb0f4f41e3da4a681dc0131784  nettle-3.5.1.tar.gz"
+sha512sums="
+f738121b9091cbe79435fb5d46b45cf6f10912320c233829356908127bab1cac6946ca56e022a832380c44f2c10f21d2feef64cb0f4f41e3da4a681dc0131784  nettle-3.5.1.tar.gz
+bfea56c22da1125fa4a3bda76c79fb432f49ede0dbc032c8e90a8048dacab6ac3544d19758b90763cccd99d4dc97ec988ecb6d4224715e0193ed9222b096a223  CVE-2021-3580.patch
+"
diff --git a/main/nettle/CVE-2021-3580.patch b/main/nettle/CVE-2021-3580.patch
new file mode 100644
index 00000000000..fb7dcd60b18
--- /dev/null
+++ b/main/nettle/CVE-2021-3580.patch
@@ -0,0 +1,520 @@
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/fd6d9ba7ca92912762c072fcf74490bc5d63d633
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/cd6059aebdd3059fbcf674dddb850b821c13b6c2
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/c80961c646b0962ab152619ac0a7c6a21850a380
+
+changelogs trimmed
+---
+
+From fd6d9ba7ca92912762c072fcf74490bc5d63d633 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 6 May 2021 21:30:23 +0200
+Subject: [PATCH] Add check that message length to _pkcs1_sec_decrypt is valid.
+
+* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
+length is valid, for given key size.
+* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
+calls to rsa_sec_decrypt specifying a too large message length.
+
+(cherry picked from commit 7616541e6eff73353bf682c62e3a68e4fe696707)
+---
+ ChangeLog                        |  8 ++++++++
+ pkcs1-sec-decrypt.c              |  4 +++-
+ testsuite/rsa-sec-decrypt-test.c | 17 ++++++++++++++++-
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/pkcs1-sec-decrypt.c b/pkcs1-sec-decrypt.c
+index 4f13080e..16833691 100644
+--- a/pkcs1-sec-decrypt.c
++++ b/pkcs1-sec-decrypt.c
+@@ -63,7 +63,9 @@ _pkcs1_sec_decrypt (size_t length, uint8_t *message,
+   volatile int ok;
+   size_t i, t;
+ 
+-  assert (padded_message_length >= length);
++  /* Message independent branch */
++  if (length + 11 > padded_message_length)
++    return 0;
+ 
+   t = padded_message_length - length - 1;
+ 
+diff --git a/testsuite/rsa-sec-decrypt-test.c b/testsuite/rsa-sec-decrypt-test.c
+index fb0ed3a1..3419322e 100644
+--- a/testsuite/rsa-sec-decrypt-test.c
++++ b/testsuite/rsa-sec-decrypt-test.c
+@@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_public_key *pub,
+ #endif
+ 
+ #define PAYLOAD_SIZE 50
++#define DECRYPTED_SIZE 256
+ void
+ test_main(void)
+ {
+@@ -63,7 +64,7 @@ test_main(void)
+   struct knuth_lfib_ctx random_ctx;
+ 
+   uint8_t plaintext[PAYLOAD_SIZE];
+-  uint8_t decrypted[PAYLOAD_SIZE];
++  uint8_t decrypted[DECRYPTED_SIZE];
+   uint8_t verifybad[PAYLOAD_SIZE];
+   unsigned n_size = 1024;
+   mpz_t gibberish;
+@@ -99,6 +100,20 @@ test_main(void)
+                                     PAYLOAD_SIZE, decrypted, gibberish) == 1);
+       ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
+ 
++      ASSERT (pub.size > 10);
++      ASSERT (pub.size <= DECRYPTED_SIZE);
++
++      /* Check that too large message length is rejected, largest
++	 valid size is pub.size - 11. */
++      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
++				     (nettle_random_func *) knuth_lfib_random,
++				     pub.size - 10, decrypted, gibberish));
++
++      /* This case used to result in arithmetic underflow and a crash. */
++      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
++				     (nettle_random_func *) knuth_lfib_random,
++				     pub.size, decrypted, gibberish));
++
+       /* bad one */
+       memcpy(decrypted, verifybad, PAYLOAD_SIZE);
+       nettle_mpz_random_size(garbage, &random_ctx,
+-- 
+GitLab
+
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+---
+ ChangeLog                    | 17 +++++++++-
+ rsa-decrypt-tr.c             |  7 ++---
+ rsa-internal.h               |  4 +--
+ rsa-sec-decrypt.c            |  9 ++++--
+ rsa-sign-tr.c                | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
+index 0224c0b7..927a8915 100644
+--- a/rsa-decrypt-tr.c
++++ b/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
+   mp_size_t key_limb_size;
+   int res;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++  key_limb_size = mpz_size(pub->n);
+ 
+   TMP_GMP_ALLOC (m, key_limb_size);
+   TMP_GMP_ALLOC (em, key->size);
++  mpz_limbs_copy(m, gibberish, key_limb_size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-				  mpz_limbs_read(gibberish),
+-				  mpz_size(gibberish));
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, key_limb_size);
+ 
+diff --git a/rsa-internal.h b/rsa-internal.h
+index b828e451..f66a7df0 100644
+--- a/rsa-internal.h
++++ b/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_private_key *key,
+                       mp_limb_t *scratch);
+ 
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn);
++			 mp_limb_t *x, const mp_limb_t *m);
+ 
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c
+index 6866e7c8..fc4757a0 100644
+--- a/rsa-sec-decrypt.c
++++ b/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+   TMP_GMP_ALLOC (m, mpz_size(pub->n));
+   TMP_GMP_ALLOC (em, key->size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-				  mpz_limbs_read(gibberish),
+-				  mpz_size(gibberish));
++  /* We need a copy because m can be shorter than key_size,
++   * but _rsa_sec_compute_root_tr expect all inputs to be
++   * normalized to a key_size long buffer length */
++  mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+ 
+diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
+index f824c4ca..9e137c7a 100644
+--- a/rsa-sign-tr.c
++++ b/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
++			 mp_limb_t *x, const mp_limb_t *m)
+ {
++  mp_size_t nn;
+   mpz_t mz;
+   mpz_t xz;
+   int res;
+ 
+-  mpz_init(mz);
+   mpz_init(xz);
+ 
+-  mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+-  mpz_limbs_finish(mz, mn);
++  nn = mpz_size (pub->n);
+ 
+-  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++			    mpz_roinit_n(mz, m, nn));
+ 
+   if (res)
+-    mpz_limbs_copy(x, xz, mpz_size(pub->n));
++    mpz_limbs_copy(x, xz, nn);
+ 
+-  mpz_clear(mz);
+   mpz_clear(xz);
+   return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+-   returns the inverse (ri), for use by rsa_unblind. */
++   returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++   no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+                void *random_ctx, nettle_random_func *random,
+-               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+-               mp_size_t mn)
++               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+   const mp_limb_t *ep = mpz_limbs_read (pub->e);
+   const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+ 
+   /* c = m*(r^e) mod n */
+   itch = mpn_sec_powm_itch(nn, ebn, nn);
+-  i2 = mpn_sec_mul_itch(nn, mn);
++  i2 = mpn_sec_mul_itch(nn, nn);
+   itch = MAX(itch, i2);
+-  i2 = mpn_sec_div_r_itch(nn + mn, nn);
++  i2 = mpn_sec_div_r_itch(2*nn, nn);
+   itch = MAX(itch, i2);
+   i2 = mpn_sec_invert_itch(nn);
+   itch = MAX(itch, i2);
+ 
+-  TMP_GMP_ALLOC (tp, nn + mn + itch);
+-  scratch = tp + nn + mn;
++  TMP_GMP_ALLOC (tp, 2*nn  + itch);
++  scratch = tp + 2*nn;
+ 
+   /* ri = r^(-1) */
+   do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+   while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+ 
+   mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+-  /* normally mn == nn, but m can be smaller in some cases */
+-  mpn_sec_mul (tp, c, nn, m, mn, scratch);
+-  mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++  mpn_sec_mul (tp, c, nn, m, nn, scratch);
++  mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+   mpn_copyi(c, tp, nn);
+ 
+   TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+   TMP_GMP_FREE (tp);
+ }
+ 
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+                  mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
++			 mp_limb_t *x, const mp_limb_t *m)
+ {
+   TMP_GMP_DECL (c, mp_limb_t);
+   TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+   size_t key_limb_size;
+   int ret;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++  key_limb_size = mpz_size(pub->n);
+ 
+   /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+      key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+     }
+ 
+   assert(mpz_size(pub->n) == key_limb_size);
+-  assert(mn <= key_limb_size);
+ 
+   TMP_GMP_ALLOC (c, key_limb_size);
+   TMP_GMP_ALLOC (ri, key_limb_size);
+   TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+ 
+-  rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++  rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+ 
+-  _rsa_sec_compute_root(key, c, x, scratch);
++  _rsa_sec_compute_root(key, x, c, scratch);
+ 
+-  ret = rsa_sec_check_root(pub, c, x);
++  ret = rsa_sec_check_root(pub, x, c);
+ 
+-  rsa_sec_unblind(pub, x, ri, c);
++  rsa_sec_unblind(pub, x, ri, x);
+ 
+   cnd_mpn_zero(1 - ret, x, key_limb_size);
+ 
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ 		    mpz_t x, const mpz_t m)
+ {
+   TMP_GMP_DECL (l, mp_limb_t);
++  mp_size_t nn = mpz_size(pub->n);
+   int res;
+ 
+-  mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+-  TMP_GMP_ALLOC (l, l_size);
++  TMP_GMP_ALLOC (l, nn);
++  mpz_limbs_copy(l, m, nn);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+-				  mpz_limbs_read(m), mpz_size(m));
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+   if (res) {
+-    mp_limb_t *xp = mpz_limbs_write (x, l_size);
+-    mpn_copyi (xp, l, l_size);
+-    mpz_limbs_finish (x, l_size);
++    mp_limb_t *xp = mpz_limbs_write (x, nn);
++    mpn_copyi (xp, l, nn);
++    mpz_limbs_finish (x, nn);
+   }
+ 
+   TMP_GMP_FREE (l);
+diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c
+index 87525f78..d3bc374b 100644
+--- a/testsuite/rsa-encrypt-test.c
++++ b/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+   uint8_t after;
+ 
+   mpz_t gibberish;
++  mpz_t zero;
+ 
+   rsa_private_key_init(&key);
+   rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+   ASSERT(decrypted[decrypted_length] == after);
+   ASSERT(decrypted[0] == 'A');
+ 
++  /* Test zero input. */
++  mpz_init_set_ui (zero, 0);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, zero));
++  ASSERT(decrypted_length == msg_length);
+ 
+   /* Test invalid key. */
+   mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+   rsa_private_key_clear(&key);
+   rsa_public_key_clear(&pub);
+   mpz_clear(gibberish);
++  mpz_clear(zero);
+   free(decrypted);
+ }
+-  
+-- 
+GitLab
+
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+---
+ ChangeLog                    | 10 +++++++++-
+ rsa-decrypt-tr.c             |  4 ++++
+ rsa-decrypt.c                | 10 ++++++++++
+ rsa-sec-decrypt.c            |  4 ++++
+ rsa.h                        |  5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
+index 927a8915..4a9e9d74 100644
+--- a/rsa-decrypt-tr.c
++++ b/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
+   mp_size_t key_limb_size;
+   int res;
+ 
++  /* First check that input is in range. */
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++    return 0;
++
+   key_limb_size = mpz_size(pub->n);
+ 
+   TMP_GMP_ALLOC (m, key_limb_size);
+diff --git a/rsa-decrypt.c b/rsa-decrypt.c
+index 7681439d..540d8baa 100644
+--- a/rsa-decrypt.c
++++ b/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key *key,
+   int res;
+ 
+   mpz_init(m);
++
++  /* First check that input is in range. Since we don't have the
++     public key available here, we need to reconstruct n. */
++  mpz_mul (m, key->p, key->q);
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++    {
++      mpz_clear (m);
++      return 0;
++    }
++
+   rsa_compute_root(key, m, gibberish);
+ 
+   res = pkcs1_decrypt (key->size, m, length, message);
+diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c
+index fc4757a0..4c98958d 100644
+--- a/rsa-sec-decrypt.c
++++ b/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+   TMP_GMP_DECL (em, uint8_t);
+   int res;
+ 
++  /* First check that input is in range. */
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++    return 0;
++
+   TMP_GMP_ALLOC (m, mpz_size(pub->n));
+   TMP_GMP_ALLOC (em, key->size);
+ 
+diff --git a/rsa.h b/rsa.h
+index 3b10155f..2dd35a2d 100644
+--- a/rsa.h
++++ b/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+ 	        size_t length, uint8_t *message,
+ 	        const mpz_t gibberish);
+ 
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++   It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ 		 mpz_t x, const mpz_t m);
+ 
+ /* Safer variant, using RSA blinding, and checking the result after
+-   CRT. */
++   CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ 		    const struct rsa_private_key *key,
+diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c
+index d3bc374b..d1a440f6 100644
+--- a/testsuite/rsa-encrypt-test.c
++++ b/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+   uint8_t after;
+ 
+   mpz_t gibberish;
+-  mpz_t zero;
++  mpz_t bad_input;
+ 
+   rsa_private_key_init(&key);
+   rsa_public_key_init(&pub);
+   mpz_init(gibberish);
++  mpz_init(bad_input);
+ 
+   knuth_lfib_init(&lfib, 17);
+   
+@@ -103,15 +104,40 @@ test_main(void)
+   ASSERT(decrypted[0] == 'A');
+ 
+   /* Test zero input. */
+-  mpz_init_set_ui (zero, 0);
++  mpz_set_ui (bad_input, 0);
+   decrypted_length = msg_length;
+-  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+   ASSERT(!rsa_decrypt_tr(&pub, &key,
+ 			 &lfib, (nettle_random_func *) knuth_lfib_random,
+-			 &decrypted_length, decrypted, zero));
++			 &decrypted_length, decrypted, bad_input));
+   ASSERT(!rsa_sec_decrypt(&pub, &key,
+ 			  &lfib, (nettle_random_func *) knuth_lfib_random,
+-			  decrypted_length, decrypted, zero));
++			  decrypted_length, decrypted, bad_input));
++  ASSERT(decrypted_length == msg_length);
++
++  /* Test input that is slightly larger than n */
++  mpz_add(bad_input, gibberish, pub.n);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, bad_input));
++  ASSERT(decrypted_length == msg_length);
++
++  /* Test input that is considerably larger than n */
++  mpz_mul_2exp (bad_input, pub.n, 100);
++  mpz_add (bad_input, bad_input, gibberish);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, bad_input));
+   ASSERT(decrypted_length == msg_length);
+ 
+   /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+   rsa_private_key_clear(&key);
+   rsa_public_key_clear(&pub);
+   mpz_clear(gibberish);
+-  mpz_clear(zero);
++  mpz_clear(bad_input);
+   free(decrypted);
+ }
+-- 
+GitLab
+
diff --git a/main/zlib/APKBUILD b/main/zlib/APKBUILD
index 989c41687b2..ef345c16e0c 100644
--- a/main/zlib/APKBUILD
+++ b/main/zlib/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=zlib
 pkgver=1.2.12
-pkgrel=1
+pkgrel=3
 pkgdesc="A compression/decompression Library"
 arch="all"
 license="Zlib"
@@ -11,8 +11,12 @@ source="https://zlib.net/zlib-$pkgver.tar.gz
 	Fix-CC-logic-in-configure.patch
 	configure-Pass-LDFLAGS-to-link-tests.patch
 	crc32.patch
+	$pkgname-CVE-2022-37434.patch::https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1.patch
+	$pkgname-CVE-2022-37434-bugfix.patch::https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch
 	"
 # secfixes:
+#   1.2.12-r2:
+#     - CVE-2022-37434
 #   1.2.12-r0:
 #     - CVE-2018-25032
 
@@ -41,4 +45,6 @@ cc2366fa45d5dfee1f983c8c51515e0cff959b61471e2e8d24350dea22d3f6fcc50723615a911b04
 faa19991e88cbfd624ac9ce4a0ba12e3d7d54f88680b1a0a156a542a45bafe2053d69c6f309327817f7cc74f5765204bbb3c56ff531efd29d8fd6bb682c78598  Fix-CC-logic-in-configure.patch
 76179eb7e498aef5bc88c3f826c6f2506a2d3c3a2e2560ef1825bd4a9297d68b0d2390619a4b3b0b2e6dde765431e5fba18fd15fbd1ad99827244f8f9bdbd909  configure-Pass-LDFLAGS-to-link-tests.patch
 38f0593a0bc17336d31191b7af684e31ec2eb34bd3add49bcb1f95c5e2bfb4405ffc341c2650d52c4fbf417ab4f80a0cc82fb868c9816b04d25210ae29a71f2c  crc32.patch
+13bf48cb15636d77428e7e20d8c72d772eade1e099740f8541b7adee0e789097fa867512b6f3ebcff8496727999f2bf408e38414771c9b4440ad283f4c029558  zlib-CVE-2022-37434.patch
+cadeb0b05da99435c2074cb0d7aebdec2bad1c745856c8ac6ea0f2474ef091d8efeea90deafe13757cbaa465ccfbbb1b8873a8025b24f3145b2a87abb84bac83  zlib-CVE-2022-37434-bugfix.patch
 "