Diffstat (limited to 'main')
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/alpine-keys/APKBUILD36
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub9
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub14
-rw-r--r--main/alpine-keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub14
-rw-r--r--main/apache2/APKBUILD18
-rw-r--r--main/apk-tools/APKBUILD4
-rw-r--r--main/asterisk/APKBUILD12
-rw-r--r--main/asterisk/CVE-2021-32558.patch126
-rw-r--r--main/bind/APKBUILD14
-rw-r--r--main/bind/bind-9.16.20-map-format-fix.patch8
-rw-r--r--main/c-ares/APKBUILD10
-rw-r--r--main/curl/APKBUILD8
-rw-r--r--main/dahdi-linux-lts/APKBUILD2
-rw-r--r--main/drbd-lts/APKBUILD2
-rw-r--r--main/gd/APKBUILD25
-rw-r--r--main/gd/CVE-2021-38115.patch26
-rw-r--r--main/gd/CVE-2021-40145.patch124
-rw-r--r--main/geoip/APKBUILD11
-rwxr-xr-xmain/geoip/geoip.cron7
-rw-r--r--main/gnupg/APKBUILD6
-rw-r--r--main/gnupg/change-default-keyserver.patch25
-rw-r--r--main/gpsd/APKBUILD35
-rw-r--r--main/haproxy/APKBUILD13
-rw-r--r--main/libgcrypt/APKBUILD9
-rw-r--r--main/libgcrypt/CVE-2021-40528.patch51
-rw-r--r--main/libspf2/APKBUILD14
-rw-r--r--main/libspf2/CVE-2021-20314.patch22
-rw-r--r--main/linux-lts/APKBUILD28
-rw-r--r--main/linux-lts/config-lts.aarch643
-rw-r--r--main/linux-lts/config-lts.armv74
-rw-r--r--main/linux-lts/config-lts.mips3
-rw-r--r--main/linux-lts/config-lts.mips643
-rw-r--r--main/linux-lts/config-lts.ppc64le3
-rw-r--r--main/linux-lts/config-lts.s390x2
-rw-r--r--main/linux-lts/config-lts.x863
-rw-r--r--main/linux-lts/config-lts.x86_644
-rw-r--r--main/linux-lts/config-virt.aarch643
-rw-r--r--main/linux-lts/config-virt.armv73
-rw-r--r--main/linux-lts/config-virt.x863
-rw-r--r--main/linux-lts/config-virt.x86_643
-rw-r--r--main/mariadb/APKBUILD7
-rw-r--r--main/mosquitto/APKBUILD15
-rw-r--r--main/mosquitto/CVE-2021-34432.patch61
-rw-r--r--main/nodejs/APKBUILD16
-rw-r--r--main/nodejs/fix-build-with-system-c-ares.patch535
-rw-r--r--main/openssh/APKBUILD13
-rw-r--r--main/openssh/CVE-2021-41617.patch25
-rw-r--r--main/openssl/APKBUILD11
-rw-r--r--main/perl-net-cidr-lite/APKBUILD16
-rw-r--r--main/postgresql/APKBUILD10
-rw-r--r--main/redis/APKBUILD15
-rw-r--r--main/ruby/APKBUILD12
-rw-r--r--main/squashfs-tools/APKBUILD26
-rw-r--r--main/squashfs-tools/fix-compat.patch4
-rw-r--r--main/squid/APKBUILD10
-rw-r--r--main/strongswan/APKBUILD16
-rw-r--r--main/tzdata/APKBUILD12
-rw-r--r--main/vim/APKBUILD12
-rw-r--r--main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch83
-rw-r--r--main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch58
-rw-r--r--main/xen/APKBUILD42
-rw-r--r--main/xen/stubdom-hack.patch11
-rw-r--r--main/xen/xsa373-4.13-1.patch120
-rw-r--r--main/xen/xsa373-4.13-2.patch95
-rw-r--r--main/xen/xsa373-4.13-3.patch163
-rw-r--r--main/xen/xsa373-4.13-4.patch86
-rw-r--r--main/xen/xsa373-4.13-5.patch145
-rw-r--r--main/xen/xsa375-4.13.patch50
-rw-r--r--main/xen/xsa377.patch27
-rw-r--r--main/xtables-addons-lts/APKBUILD2
-rw-r--r--main/zfs-lts/APKBUILD2
78 files changed, 1491 insertions, 1005 deletions
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index be182595ba..c3eee98e1d 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.12.7
+pkgver=3.12.8
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/alpine-keys/APKBUILD b/main/alpine-keys/APKBUILD
index 1ca5e93b6f..9c95f33c46 100644
--- a/main/alpine-keys/APKBUILD
+++ b/main/alpine-keys/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-keys
-pkgver=2.2
+pkgver=2.4
pkgrel=0
pkgdesc="Public keys for Alpine Linux packages"
url="https://alpinelinux.org"
@@ -12,17 +12,27 @@ options="!check" # No testsuite
_arch_keys="
aarch64:alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub
- armhf:alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
+ aarch64:alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub
+ armhf,armv7:alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
+ armv7:alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub
+ armhf:alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub
x86:alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
+ x86:alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub
x86,x86_64:alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
x86_64:alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
+ x86_64:alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
ppc64le:alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub
+ ppc64le:alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub
s390x:alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub
+ s390x:alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub
mips64:alpine-devel@lists.alpinelinux.org-5e69ca50.rsa.pub
+
+ riscv64:alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub
+ riscv64:alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub
"
for _i in $_arch_keys; do
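Review bot: This hunk widens the set of apk signing keys with nothing recording which entries are older keys and which are their replacements: most architectures gain a second key, and the existing `524d27bb` key is extended from armhf to `armhf,armv7`. Every name in `_arch_keys` is a key that package() installs for verifying packages, so a comment above the `_arch_keys=` assignment should state the intent; it has to sit outside the quoted string, because the loop below word-splits that string. Something like `# newer keys are added alongside the old ones; old keys stay until they are retired` would do, with the wording confirmed by the maintainer. Also worth noting there: `60ac2099` (riscv64) appears to be a 2048-bit RSA key, judging by its 9-line file and `MIIBIjAN` header, whereas the other key files added in this commit are 14 lines and the visible one (`616ae350`) is 4096-bit.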
@@ -64,6 +74,12 @@ _install_mips() {
esac
}
+_install_riscv() {
+ case "$1" in
+ riscv*) _ins_key $1 $2 ;;
+ esac
+}
+
package() {
# copy keys for repos
mkdir -p "$pkgdir"/etc/apk/keys
@@ -83,16 +99,28 @@ package() {
ppc*) _install_ppc $_arch $_key ;;
s390x) _install_s390x $_arch $_key ;;
mips*) _install_mips $_arch $_key ;;
+ riscv*) _install_riscv $_arch $_key ;;
esac
done
done
}
-sha512sums="e4f9e314f8e506fba2cb3e599c6412a036ec37ce3a54990fc7d80a821d8728f40ee3b4aa8a15218d50341fa785d9ddf7c7471f45018c6a2065ab13664a1aa9e9 alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub
+sha512sums="
+e4f9e314f8e506fba2cb3e599c6412a036ec37ce3a54990fc7d80a821d8728f40ee3b4aa8a15218d50341fa785d9ddf7c7471f45018c6a2065ab13664a1aa9e9 alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub
+51a5ec21283fe218809b2325202e1f8c9b2551705db48254b9d48a04f4ed0075de51e9886c4704647ffb309fd32d9850d14013848a53038039e85011251fe1cc alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub
698fda502f70365a852de3c10636eadfc4f70a7a00f096581119aef665e248b787004ceef63f4c8cb18c6f88d18b8b1bd6b3c5d260e79e6d73a3cc09537b196e alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
+a98095a626f2dcbda73ffd8873ba2d609ee1d881f5da13b0eb3469ddd58b06440b4b0b2f791b037c88073e9a17c6dfc62dc1a4c8491bed871524d772ef04ad24 alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub
+7aa5526a88519ae91f997bf914a9bd3d230b21c011587f155ce22c4bb94b70181b28590027eb555d96d1122dffb8242c1fb044228e99b4e9b7650fcf6f5121c7 alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub
e18e65ee911eb1f8ea869f758e8f2c94cf2ac254ee7ab90a3de1d47b94a547c2066214abf710da21910ebedc0153d05fd4fe579cc5ce24f46e0cfd29a02b1a68 alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
+b89d825e6af73687339848817791b294e2404162e2e069d9212d76d4ee53d6216eb75421a07b02f9778ef57dbb27962b2436247264eea1a1d882967ca0c18724 alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub
2d4064cbe09ff958493ec86bcb925af9b7517825d1d9d8d00f2986201ad5952f986fea83d1e2c177e92130700bafa8c0bff61411b3cdb59a41e460ed719580a6 alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
721134f289ab1e7dde9158359906017daee40983199fe55f28206c8cdc46b8fcf177a36f270ce374b0eba5dbe01f68cbb3e385ae78a54bb0a2ed1e83a4d820a5 alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
+8b9c2208c904c9f34d9d01d3d68b224208530e684265df214deb8c9e6b4b19633aa48a405e673249c9e93a8ee194a336e951cd82a4e27e5e66e85fdc5e0d495e alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
bb5a3df8fac14a62d5936fb3722873fa6a121219b703cba955eb77de38c4384aeaf378fb9321a655e255f0be761e894e309b3789867279c1524dab6300cd8ef1 alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub
+bad4da65221150a5d4cc6f63981e4dd203d40844d32e82c17f346eee5350e460e32d28f0e231a2b78d326ec32b898eec597d3787dae47dcacc9a9776d19fb4a1 alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub
0666389ca53121453578cd4bef5fd06e159e291164b3e3233e7d6521604f8bebd30caeef1663adcd5309e07278833402c8a92c33294ec0c5cada24dc47c8cc98 alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub
-66ce9677e9c2a7961d5d7bc5b162ed3114a7aef6d01181073c1f42a9934966eecded2ec09deb210f5a389d434d1641ba35fe3abdd5246b2e97d5a5b26a945c5c alpine-devel@lists.alpinelinux.org-5e69ca50.rsa.pub"
+83fc29066f6073418ecf01176ce24c1c0e788508f3083a97691706e2c78323e53448060fb0d2abb8118a759570f1f0db9d39953c63fe26fe06da2be05dff393c alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub
+66ce9677e9c2a7961d5d7bc5b162ed3114a7aef6d01181073c1f42a9934966eecded2ec09deb210f5a389d434d1641ba35fe3abdd5246b2e97d5a5b26a945c5c alpine-devel@lists.alpinelinux.org-5e69ca50.rsa.pub
+34514100e502f449dcabe0aa550232c3330ed2f0b789b977eb228d4ac86afc93479474ac005914992a3b47c18ee3eb32ca27ccd0d392700a8f11f47d64a78969 alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub
+7cea57204a50d72bddff201c509ccbf06773d87062a3ead0a206cc6e4a00e0960f52d21f7cee7aaec6a4abba7a697e2e2e7f630fa1ccef7ee2c33908fca18998 alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub
+"
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub
new file mode 100644
index 0000000000..2b8a4a93e0
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwR4uJVtJOnOFGchnMW5Y
+j5/waBdG1u5BTMlH+iQMcV5+VgWhmpZHJCBz3ocD+0IGk2I68S5TDOHec/GSC0lv
+6R9o6F7h429GmgPgVKQsc8mPTPtbjJMuLLs4xKc+viCplXc0Nc0ZoHmCH4da6fCV
+tdpHQjVe6F9zjdquZ4RjV6R6JTiN9v924dGMAkbW/xXmamtz51FzondKC52Gh8Mo
+/oA0/T0KsCMCi7tb4QNQUYrf+Xcha9uus4ww1kWNZyfXJB87a2kORLiWMfs2IBBJ
+TmZ2Fnk0JnHDb8Oknxd9PvJPT0mvyT8DA+KIAPqNvOjUXP4bnjEHJcoCP9S5HkGC
+IQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
new file mode 100644
index 0000000000..f2165aebad
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub
new file mode 100644
index 0000000000..aa63d81d66
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub
new file mode 100644
index 0000000000..59c330e9f7
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub
new file mode 100644
index 0000000000..915bc566b7
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub
new file mode 100644
index 0000000000..1e49d24690
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub
new file mode 100644
index 0000000000..bb15efe96d
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub
new file mode 100644
index 0000000000..0ecbccc2e4
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyduVzi1mWm+lYo2Tqt/0
+XkCIWrDNP1QBMVPrE0/ZlU2bCGSoo2Z9FHQKz/mTyMRlhNqTfhJ5qU3U9XlyGOPJ
+piM+b91g26pnpXJ2Q2kOypSgOMOPA4cQ42PkHBEqhuzssfj9t7x47ppS94bboh46
+xLSDRff/NAbtwTpvhStV3URYkxFG++cKGGa5MPXBrxIp+iZf9GnuxVdST5PGiVGP
+ODL/b69sPJQNbJHVquqUTOh5Ry8uuD2WZuXfKf7/C0jC/ie9m2+0CttNu9tMciGM
+EyKG1/Xhk5iIWO43m4SrrT2WkFlcZ1z2JSf9Pjm4C2+HovYpihwwdM/OdP8Xmsnr
+DzVB4YvQiW+IHBjStHVuyiZWc+JsgEPJzisNY0Wyc/kNyNtqVKpX6dRhMLanLmy+
+f53cCSI05KPQAcGj6tdL+D60uKDkt+FsDa0BTAobZ31OsFVid0vCXtsbplNhW1IF
+HwsGXBTVcfXg44RLyL8Lk/2dQxDHNHzAUslJXzPxaHBLmt++2COa2EI1iWlvtznk
+Ok9WP8SOAIj+xdqoiHcC4j72BOVVgiITIJNHrbppZCq6qPR+fgXmXa+sDcGh30m6
+9Wpbr28kLMSHiENCWTdsFij+NQTd5S47H7XTROHnalYDuF1RpS+DpQidT5tUimaT
+JZDr++FjKrnnijbyNF8b98UCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub
new file mode 100644
index 0000000000..ceffa3ace9
--- /dev/null
+++ b/main/alpine-keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index bce77b3b37..e8ad6cfa80 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.48
+pkgver=2.4.51
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -26,7 +26,7 @@ subpackages="$pkgname-ctl
$pkgname-ssl
$pkgname-utils
$pkgname-webdav"
-source="https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
+source="https://dlcdn.apache.org/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
apache2.confd
apache2.logrotate
apache2.initd
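Review bot: The new `source=` URL points at `dlcdn.apache.org`, which as far as I know carries only the currently supported httpd releases, so `httpd-2.4.51.tar.bz2` is likely to disappear from that path once a later 2.4.x is published. The sha512 entry still protects integrity, but a later rebuild of this stable branch would then fail at fetch time. Keeping the permanent location the removed line used, `https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2`, avoids that. If the CDN is preferred for speed, a comment next to `source=` should name the archive URL as the fallback.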
@@ -50,6 +50,17 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.51-r0:
+# - CVE-2021-42013
+# 2.4.50-r0:
+# - CVE-2021-41524
+# - CVE-2021-41773
+# 2.4.49-r0:
+# - CVE-2021-40438
+# - CVE-2021-39275
+# - CVE-2021-36160
+# - CVE-2021-34798
+# - CVE-2021-33193
# 2.4.48-r0:
# - CVE-2019-17657
# - CVE-2020-13938
@@ -355,8 +366,9 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
+
sha512sums="
-6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724 httpd-2.4.48.tar.bz2
+9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66 httpd-2.4.51.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index ed72590aba..38a43ff33f 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.10.7
+pkgver=2.10.8
pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
arch="all"
@@ -84,5 +84,5 @@ luaapk() {
}
sha512sums="
-9e8b189543f2c326504bbafe3a88e310ce6486cb9f4f1acf34b303298adbc4cd45b0e9a45f2120dd4f6819f33f8f98b8a5e7b822acb25de6c314c17079ffcb88 apk-tools-v2.10.7.tar.gz
+865772688b93343361d82847e3fc0846a52062304c2370e8da5c5a86a23ce37edf44b213174c85b27f1c392b0ac4851e0b8b44e90fc371412458e0b9321a82e1 apk-tools-v2.10.8.tar.gz
"
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 8d939b74dd..ccaddeeabc 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
pkgver=16.16.1
-pkgrel=0
+pkgrel=1
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
pkggroups="asterisk"
@@ -33,6 +33,7 @@ source="$_download/asterisk-$pkgver.tar.gz
musl-astmm-fix.patch
asterisk-mariadb.patch
asterisk-cdefs.patch
+ CVE-2021-32558.patch
asterisk.initd
asterisk.confd
@@ -41,6 +42,8 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
# secfixes:
+# 16.16.1-r1:
+# - CVE-2021-32558
# 16.16.1-r0:
# - CVE-2020-35776
# - CVE-2021-26712
@@ -249,12 +252,15 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="24e8e5e9d7abd415a46b3028528eca55f0c7db76424fd06087bad84c8df7dd1259ab2ea2d843985808d90d5dabf1b17abf5fa0b286c8e353e5088e3c23dea90f asterisk-16.16.1.tar.gz
+sha512sums="
+24e8e5e9d7abd415a46b3028528eca55f0c7db76424fd06087bad84c8df7dd1259ab2ea2d843985808d90d5dabf1b17abf5fa0b286c8e353e5088e3c23dea90f asterisk-16.16.1.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
fdac3868ed2ba566397e3a71314568787e4a84d37738f210a6e288c4285215879756c576e2fd064be9cf5169a7e08dbbfd341f50a87e4e6dbfae20e19bcc4d71 musl-astmm-fix.patch
c76a882588194372d0c45a2bd1a9a946543f2dc07fde9240b3e600682e9737337c7602da35bfaeddb4d9fe568daa668016237c6f7986e7c44cf5a8dbba291e1f asterisk-mariadb.patch
05b8fc2e585fbd00c18fa6f13f4ecb1a1226777d1f9d66abd9ffd496c14741fb19abaec5c2c83f50da04f41957392344454154315f5826d9eb469b66dac4b95b asterisk-cdefs.patch
+08e4f66ab6890c70b080240cf876c4b5f7d04d8224cb67bbe0c362eb1943f592591f0d28fdd58ea3395fe18dd7ec853d3e9f944f3e4bc76651751564ad8c3f73 CVE-2021-32558.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
-7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
+7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate
+"
diff --git a/main/asterisk/CVE-2021-32558.patch b/main/asterisk/CVE-2021-32558.patch
new file mode 100644
index 0000000000..1d90d9a1f0
--- /dev/null
+++ b/main/asterisk/CVE-2021-32558.patch
@@ -0,0 +1,126 @@
+From 2db19e3f2a26b5d0b6e7201349bb17cdfbc8c01b Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@sangoma.com>
+Date: Mon, 10 May 2021 17:59:00 -0500
+Subject: [PATCH] AST-2021-008 - chan_iax2: remote crash on unsupported media format
+
+If chan_iax2 received a packet with an unsupported media format, for
+example vp9, then it would set the frame's format to NULL. This could
+then result in a crash later when an attempt was made to access the
+format.
+
+This patch makes it so chan_iax2 now ignores/drops frames received
+with unsupported media format types.
+
+ASTERISK-29392 #close
+
+Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
+---
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 3d8cd72..b43cf14 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -4132,6 +4132,7 @@
+ long ms;
+ long next;
+ struct timeval now = ast_tvnow();
++ struct ast_format *voicefmt;
+
+ /* Make sure we have a valid private structure before going on */
+ ast_mutex_lock(&iaxsl[callno]);
+@@ -4151,10 +4152,9 @@
+
+ ms = ast_tvdiff_ms(now, pvt->rxcore);
+
+- if(ms >= (next = jb_next(pvt->jb))) {
+- struct ast_format *voicefmt;
+- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+- ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
++ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
++ if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
++ ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
+ switch(ret) {
+ case JB_OK:
+ fr = frame.data;
+@@ -4182,7 +4182,7 @@
+ pvt = iaxs[callno];
+ }
+ }
+- break;
++ break;
+ case JB_DROP:
+ iax2_frame_free(frame.data);
+ break;
+@@ -6451,8 +6451,14 @@
+ f->frametype = fh->type;
+ if (f->frametype == AST_FRAME_VIDEO) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else if (f->frametype == AST_FRAME_VOICE) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else {
+ f->subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -9929,8 +9935,8 @@
+ } else if (iaxs[fr->callno]->voiceformat == 0) {
+ ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+- } else {
+- f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
++ } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
++ iaxs[fr->callno]->voiceformat))) {
+ f.datalen = len;
+ if (f.datalen >= 0) {
+ if (f.datalen)
+@@ -10173,11 +10179,17 @@
+ f.frametype = fh->type;
+ if (f.frametype == AST_FRAME_VIDEO) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ if ((fh->csub >> 6) & 0x1) {
+ f.subclass.frame_ending = 1;
+ }
+ } else if (f.frametype == AST_FRAME_VOICE) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ } else {
+ f.subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -11795,6 +11807,11 @@
+ f.subclass.frame_ending = 1;
+ }
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
+ } else {
+ ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
+ iax2_vnak(fr->callno);
+@@ -11816,9 +11833,14 @@
+ } else {
+ /* A mini frame */
+ f.frametype = AST_FRAME_VOICE;
+- if (iaxs[fr->callno]->voiceformat > 0)
++ if (iaxs[fr->callno]->voiceformat > 0) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+- else {
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
++ } else {
+ ast_debug(1, "Received mini frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+ ast_variables_destroy(ies.vars);
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 4b9a640955..b78bd522d1 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,12 +5,12 @@
# Contributor: ungleich <alpinelinux@ungleich.ch>
# Maintainer:
pkgname=bind
-pkgver=9.16.15
+pkgver=9.16.20
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
-pkgrel=0
+pkgrel=1
pkgdesc="The ISC DNS server"
url="https://www.isc.org/"
arch="all"
@@ -57,9 +57,12 @@ source="
named.conf.recursive
127.zone
localhost.zone
+ bind-9.16.20-map-format-fix.patch
"
# secfixes:
+# 9.16.20-r0:
+# - CVE-2021-25218
# 9.16.15-r0:
# - CVE-2021-25214
# - CVE-2021-25215
@@ -269,7 +272,8 @@ _gpgfingerprints="
BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
"
-sha512sums="30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033 bind-9.16.15.tar.xz
+sha512sums="
+bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190502de7139f85d8b080b3b8ee968811a8df78e5761781525d bind-9.16.20.tar.xz
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
53db80f7ee4902f42fb1d0bc959242bcb6f20d95256bda99ce2c206af8b4703c7f72bb26d026c633f70451b84a37c3946b210951e34dd5d6620b181cd0183de4 named.initd
@@ -277,4 +281,6 @@ sha512sums="30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917
d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
-340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone"
+340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
+d9224712ee2c6f6d0ff483ed253497548935fe35f45e5bdf26c9bd25c6234adde00727df7eb49fbfbfb34aad9d9fa0f112e900804794ad90a5cd8a64e9db61c6 bind-9.16.20-map-format-fix.patch
+"
diff --git a/main/bind/bind-9.16.20-map-format-fix.patch b/main/bind/bind-9.16.20-map-format-fix.patch
new file mode 100644
index 0000000000..f6e3c9b378
--- /dev/null
+++ b/main/bind/bind-9.16.20-map-format-fix.patch
@@ -0,0 +1,8 @@
+--- a/lib/dns/mapapi
++++ b/lib/dns/mapapi
+@@ -13,4 +13,4 @@
+ # Whenever releasing a new major release of BIND9, set this value
+ # back to 1.0 when releasing the first alpha. Map files are *never*
+ # compatible across major releases.
+-MAPAPI=2.0
++MAPAPI=3.0
diff --git a/main/c-ares/APKBUILD b/main/c-ares/APKBUILD
index 1ebd75ed55..c174483767 100644
--- a/main/c-ares/APKBUILD
+++ b/main/c-ares/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=c-ares
-pkgver=1.16.1
+pkgver=1.17.2
pkgrel=0
pkgdesc="An asynchronously DNS/names resolver library"
url="https://c-ares.haxx.se/"
@@ -11,6 +11,10 @@ license="MIT"
subpackages="$pkgname-doc $pkgname-static $pkgname-dev"
source="https://c-ares.haxx.se/download/c-ares-$pkgver.tar.gz"
+# secfixes:
+# 1.17.2-r0:
+# - CVE-2021-3672
+
build() {
./configure \
--build=$CBUILD \
@@ -36,4 +40,6 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="4ac2a5d5c6da74eb1d6155c4eadc7127ab1b53a8d13caec41bd6172db5417a79f3ab022e77ba37d8b13da6893d7ced5fd8baf5cc3950a4154b4de8743ad31471 c-ares-1.16.1.tar.gz"
+sha512sums="
+f625e0ef8508af6475d3e83b51ab29be8a4878e2a87e7f518bea046b76a74bfde7043ca6ec2a9e714c898ab9e5d4a5a678c3347a9f9eb68980438f7ca8ae3fc8 c-ares-1.17.2.tar.gz
+"
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 73e4da6f3c..fb207bd681 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
-pkgver=7.78.0
+pkgver=7.79.1
pkgrel=0
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
@@ -18,6 +18,10 @@ source="https://curl.se/download/curl-$pkgver.tar.xz"
options="net" # Required for running tests
# secfixes:
+# 7.79.0-r0:
+# - CVE-2021-22945
+# - CVE-2021-22946
+# - CVE-2021-22947
# 7.78.0-r0:
# - CVE-2021-22922
# - CVE-2021-22923
@@ -154,5 +158,5 @@ static() {
}
sha512sums="
-f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a curl-7.78.0.tar.xz
+1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz
"
diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD
index a7b041e512..3ca1f199bf 100644
--- a/main/dahdi-linux-lts/APKBUILD
+++ b/main/dahdi-linux-lts/APKBUILD
@@ -9,7 +9,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.4.111
+_kver=5.4.143
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/drbd-lts/APKBUILD b/main/drbd-lts/APKBUILD
index 529edff555..5b326e8afe 100644
--- a/main/drbd-lts/APKBUILD
+++ b/main/drbd-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.4.111
+_kver=5.4.143
_krel=0
_kabi="$_kver-$_krel-$_flavor"
_kpkgver="$_kver-r$_krel"
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index f247e91900..251ffccf16 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -1,24 +1,37 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=gd
-pkgver=2.3.0
+pkgver=2.3.2
pkgrel=1
_pkgreal=lib$pkgname
pkgdesc="Library for the dynamic creation of images by programmers"
url="https://libgd.github.io/"
arch="all"
license="custom"
-makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev"
+makedepends="
+ libjpeg-turbo-dev
+ libpng-dev
+ libwebp-dev
+ freetype-dev
+ zlib-dev
+ "
subpackages="$pkgname-dev $_pkgreal:libs"
-source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz"
+source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz
+ CVE-2021-38115.patch
+ CVE-2021-40145.patch
+ "
builddir="$srcdir/$_pkgreal-$pkgver"
# https://github.com/libgd/libgd/issues/359
options="!check"
# secfixes:
+# 2.3.0-r1:
+# - CVE-2021-38115
+# - CVE-2021-40145
# 2.3.0-r0:
# - CVE-2019-11038
# - CVE-2018-14553
+# - CVE-2017-6363
# 2.2.5-r2:
# - CVE-2018-5711
# - CVE-2019-6977
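Review bot: The new secfixes entry `# 2.3.0-r1:` attributes CVE-2021-38115 and CVE-2021-40145 to a release that did not contain the fixes. Per the removed `source=` line, the previous 2.3.0 build with `pkgrel=1` came from the bare tarball; the two patch files first appear in this commit, which ships 2.3.2-r1. Tools that read the secfixes block to decide whether an installed version is fixed would then treat an unpatched 2.3.0-r1 as fixed. The entry should name the release that first carries the patches, `# 2.3.2-r1:` as the file stands. Separately, `pkgrel=1` is kept across the pkgver bump; if that is not deliberate, the usual reset is `pkgrel=0`, and the secfixes entry would then be `# 2.3.2-r0:`.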
@@ -54,4 +67,8 @@ dev() {
mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin/
}
-sha512sums="5b201d22560e147a3d5471010b898ad0268c3a2453b870d1267b6ba92e540cf9f75099336c1ab08217e41827ac86fe04525726bf29ad117e5dcbaef9a8d0622a libgd-2.3.0.tar.xz"
+sha512sums="
+a31c6dbb64e7b725b63f3b400f7bebc289e2d776bdca0595af23006841660dc93a56c2247b98f8a584438a826f9e9ff0bea17d0b3900e48e281580b1308794d2 libgd-2.3.2.tar.xz
+cf455c3487dd3ef074abb0d89c2763e5652b11273a63eb050212dbed911e6fe9b65bf26c2de8ac9dc32d8225c096389075f518296280c3109c19612daafdb043 CVE-2021-38115.patch
+778ec72d6bcccd5fac032bb165f198cd588bc59e8358cb0933fe2e7e688416d693c517b0c2afd1c3b682619404a94bb4f0babbdf895774e83c869a34f191f84a CVE-2021-40145.patch
+"
diff --git a/main/gd/CVE-2021-38115.patch b/main/gd/CVE-2021-38115.patch
new file mode 100644
index 0000000000..94083594e0
--- /dev/null
+++ b/main/gd/CVE-2021-38115.patch
@@ -0,0 +1,26 @@
+From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 10:07:13 +0430
+Subject: [PATCH] fix read out-of-bands in reading tga header file
+
+---
+ src/gd_tga.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index cae9428da..286febb28 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ return -1;
+ }
+
+- gdGetBuf(tga->ident, tga->identsize, ctx);
++
++ if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
++ gd_error("fail to read header ident");
++ return -1;
++ }
+ }
+
+ return 1;
diff --git a/main/gd/CVE-2021-40145.patch b/main/gd/CVE-2021-40145.patch
new file mode 100644
index 0000000000..3f6b855eb2
--- /dev/null
+++ b/main/gd/CVE-2021-40145.patch
@@ -0,0 +1,124 @@
+From e95059590fadaabd9aadc0c0489804d75a3c5d52 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 18:52:50 +0430
+Subject: [PATCH 1/3] gdImageGd2Ptr memory leak
+
+---
+ src/gd_gd2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 760e85b9f..84ec53375 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+-/*
++
/*
+ * gd_gd2.c
+ *
+ * Implements the I/O and support for the GD2 format.
+@@ -910,9 +910,11 @@ _gd2PutHeader (gdImagePtr im, gdIOCtx * out, int cs, int fmt, int cx, int cy)
+
+ }
+
+-static void
++/* returns 0 on success, 1 on failure */
++static int
+ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ {
++ int ret = 0;
+ int ncx, ncy, cx, cy;
+ int x, y, ylo, yhi, xlo, xhi;
+ int chunkLen;
+@@ -974,10 +976,12 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ /* */
+ chunkData = gdCalloc (cs * bytesPerPixel * cs, 1);
+ if (!chunkData) {
++ ret = 1;
+ goto fail;
+ }
+ compData = gdCalloc (compMax, 1);
+ if (!compData) {
++ ret = 1;
+ goto fail;
+ }
+
+@@ -992,6 +996,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+
+ chunkIdx = gdCalloc (idxSize * sizeof (t_chunk_info), 1);
+ if (!chunkIdx) {
++ ret = 1;
+ goto fail;
+ }
+ };
+@@ -1107,6 +1112,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ }
+ GD2_DBG (printf ("Done\n"));
+
++ return ret;
++
+ }
+
+ /*
+@@ -1128,8 +1135,11 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ if (out == NULL) return NULL;
+- _gdImageGd2 (im, out, cs, fmt);
+- rv = gdDPExtractData (out, size);
++ if (_gdImageGd2(im, out, cs, fmt)) {
++ rv = NULL;
++ } else {
++ rv = gdDPExtractData(out, size);
++ }
+ out->gd_free (out);
+ return rv;
+ }
+
+From e8eeb8dde5bc4c9d4e7ae1ab43d9fd1780ceb792 Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 11:46:07 +0430
+Subject: [PATCH 2/3] trigger the github actions
+
+---
+ src/gd_gd2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 84ec53375..097c93d0d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1135,11 +1135,13 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ if (out == NULL) return NULL;
++
+ if (_gdImageGd2(im, out, cs, fmt)) {
+ rv = NULL;
+ } else {
+ rv = gdDPExtractData(out, size);
+ }
++
+ out->gd_free (out);
+ return rv;
+ }
+
+From a1d4caace613d31209b42d22d9f7ebe37c381f9a Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 12:02:23 +0430
+Subject: [PATCH 3/3] remove non-printable bytes
+
+---
+ src/gd_gd2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 097c93d0d..5c57d44a6 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+-
/*
++/*
+ * gd_gd2.c
+ *
+ * Implements the I/O and support for the GD2 format.
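Review bot: In `gdImageGd2Ptr` the new failure branch sets `rv = NULL;` but leaves `*size` unwritten, so a caller that reads the size before checking the pointer gets an indeterminate value. Adding `*size = 0;` next to `rv = NULL;` would make the failure result well-defined. Separately, this file bundles three upstream commits, and patches 1/3 and 3/3 only add and then remove non-printable bytes in the header comment of `src/gd_gd2.c`, while 2/3 adds blank lines. Squashing to the functional change in `_gdImageGd2` and `gdImageGd2Ptr` would keep those bytes out of the packaged patch and make the security-relevant part easier to audit.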
diff --git a/main/geoip/APKBUILD b/main/geoip/APKBUILD
index dcde2c3a59..245a56315e 100644
--- a/main/geoip/APKBUILD
+++ b/main/geoip/APKBUILD
@@ -2,15 +2,14 @@
pkgname="geoip"
_pkgname="GeoIP"
pkgver=1.6.12
-pkgrel=1
+pkgrel=2
pkgdesc="Lookup countries by IP addresses"
url="http://www.maxmind.com/app/ip-location"
arch="all"
license="GPL"
makedepends="zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/maxmind/geoip-api-c/releases/download/v$pkgver/$_pkgname-$pkgver.tar.gz
- geoip.cron"
+source="https://github.com/maxmind/geoip-api-c/releases/download/v$pkgver/$_pkgname-$pkgver.tar.gz"
builddir="$srcdir"/$_pkgname-$pkgver
build() {
@@ -29,7 +28,6 @@ package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
mkdir -p "$pkgdir"/usr/share/GeoIP
- install -m755 -D ../../geoip.cron "$pkgdir"/etc/periodic/monthly/geoip
}
check() {
@@ -37,5 +35,6 @@ check() {
make check
}
-sha512sums="a1c8120692a7ba6de5836550917f86f4797dd236a8b7d71b6f92b5389e4b071d89e57036654f5de1d4b762730a2a5c331c31414eab0c889c9befaa097941fee7 GeoIP-1.6.12.tar.gz
-910b1efc93898416057aa7fc1a3f57d35f354973656ed40fbe266c737c4b4aa37f28b42e4163ed850a454c999bc880c27d863a04a14328b7b7e65348a85dd7d3 geoip.cron"
+sha512sums="
+a1c8120692a7ba6de5836550917f86f4797dd236a8b7d71b6f92b5389e4b071d89e57036654f5de1d4b762730a2a5c331c31414eab0c889c9befaa097941fee7 GeoIP-1.6.12.tar.gz
+"
diff --git a/main/geoip/geoip.cron b/main/geoip/geoip.cron
deleted file mode 100755
index 8d74aff5cf..0000000000
--- a/main/geoip/geoip.cron
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz -O /tmp/GeoIP.dat.gz && gunzip /tmp/GeoIP.dat.gz && mv /tmp/GeoIP.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz -O /tmp/GeoIPv6.dat.gz && gunzip /tmp/GeoIPv6.dat.gz && mv /tmp/GeoIPv6.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -O /tmp/GeoLiteCity.dat.gz && gunzip /tmp/GeoLiteCity.dat.gz && mv /tmp/GeoLiteCity.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz -O /tmp/GeoLiteCityv6.dat.gz && gunzip /tmp/GeoLiteCityv6.dat.gz && mv /tmp/GeoLiteCityv6.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz -O /tmp/GeoIPASNum.dat.gz && gunzip /tmp/GeoIPASNum.dat.gz && mv /tmp/GeoIPASNum.dat /usr/share/GeoIP
-wget -q http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz -O /tmp/GeoIPASNumv6.dat.gz && gunzip /tmp/GeoIPASNumv6.dat.gz && mv /tmp/GeoIPASNumv6.dat /usr/share/GeoIP
diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD
index bb7f4fcb82..58675c400f 100644
--- a/main/gnupg/APKBUILD
+++ b/main/gnupg/APKBUILD
@@ -3,7 +3,7 @@
pkgname=gnupg
pkgver=2.2.23
_ver=${pkgver/_beta/-beta}
-pkgrel=0
+pkgrel=1
pkgdesc="GNU Privacy Guard 2 - a PGP replacement tool"
url="https://www.gnupg.org/"
arch="all"
@@ -16,12 +16,13 @@ subpackages="$pkgname-doc $pkgname-scdaemon"
source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2
0001-Include-sys-select.h-for-FD_SETSIZE.patch
fix-i18n.patch
+ change-default-keyserver.patch
60-scdaemon.rules
"
install="$pkgname-scdaemon.pre-install"
# secfixes:
-# 2.2.13-r0:
+# 2.2.23-r0:
# - CVE-2020-25125
# 2.2.18-r0:
# - CVE-2019-14855
@@ -77,4 +78,5 @@ scdaemon() {
sha512sums="736b39628f7e4adc650b3f9937c81f27e9ad41e77f5345dc54262c91c1cf7004243fa7f932313bcde955e0e9b3f1afc639bac18023ae878b1d26e3c5a3cabb90 gnupg-2.2.23.tar.bz2
c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch
+770f9c9c32fa1a297bef34f00cc4e5837f6afe5f26a9739465d8096223b15705947dfe538b2039762a765525cf08fdf2b75b57497d905240ebf965090c3d032e change-default-keyserver.patch
4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules"
diff --git a/main/gnupg/change-default-keyserver.patch b/main/gnupg/change-default-keyserver.patch
new file mode 100644
index 0000000000..f2be04460d
--- /dev/null
+++ b/main/gnupg/change-default-keyserver.patch
@@ -0,0 +1,25 @@
+hkps.pool.sks-keyservers.net is dead. This patch backports the change of
+the default keyserver from newer versions of gnupg to keyserver.ubuntu.com.
+
+--- a/configure
++++ b/configure
+@@ -16059,7 +16059,7 @@
+
+
+ cat >>confdefs.h <<_ACEOF
+-#define DIRMNGR_DEFAULT_KEYSERVER "hkps://hkps.pool.sks-keyservers.net"
++#define DIRMNGR_DEFAULT_KEYSERVER "hkps://keyserver.ubuntu.com"
+ _ACEOF
+
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1839,7 +1839,7 @@
+ AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
+ [The name of the dirmngr socket])
+ AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
+- "hkps://hkps.pool.sks-keyservers.net",
++ "hkps://keyserver.ubuntu.com",
+ [The default keyserver for dirmngr to use, if none is explicitly given])
+
+ AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
diff --git a/main/gpsd/APKBUILD b/main/gpsd/APKBUILD
index 94dd16d17c..8554e6a750 100644
--- a/main/gpsd/APKBUILD
+++ b/main/gpsd/APKBUILD
@@ -1,17 +1,25 @@
# Contributor: Nathan Angelacos <nangel@alpinelinux.org>
# Maintainer: Nathan Angelacos <nangel@alpinelinux.org>
+
+# gpsd is commonly used with NTP servers to provide a stable clock,
+# please do not move to community.
+
pkgname=gpsd
-pkgver=3.20
-pkgrel=1
-pkgdesc="A GPS daemon"
-arch=all
+pkgver=3.23
+pkgrel=0
+pkgdesc="GPS daemon"
+arch="all"
url="http://catb.org/gpsd/"
license="BSD-2-Clause"
-makedepends="scons python3-dev libcap-dev ncurses-dev"
-subpackages="$pkgname-dev $pkgname-doc py3-$pkgname:_py $pkgname-clients:_clients"
+makedepends="scons asciidoctor python3-dev libcap-dev ncurses-dev"
+subpackages="
+ $pkgname-dev
+ $pkgname-doc
+ py3-$pkgname:_py:noarch
+ $pkgname-clients:_clients
+ $pkgname-openrc"
source="https://download-mirror.savannah.gnu.org/releases/gpsd/gpsd-$pkgver.tar.gz
timepps.h
- gpsd-use-local-timepps-header.patch
gpsd.initd
gpsd.confd"
@@ -32,10 +40,11 @@ prepare() {
}
build() {
- CPPFLAGS="$CPPFLAGS -I. -DHAVE_SYS_TIMEPPS_H"
+ CPPFLAGS="$CPPFLAGS -I$builddir -DHAVE_SYS_TIMEPPS_H"
scons -j${JOBS:-1} \
prefix=/usr \
target_python=python3 \
+ python_shebang=/usr/bin/python3 \
dbus_export=no \
systemd=no
}
@@ -46,9 +55,6 @@ check() {
package() {
DESTDIR="$pkgdir" scons install
- # fix python interpreter path
- sed -e "s,#!/usr/bin/\(python[23]\?\|env \+python[23]\?\),#!/usr/bin/python3},g" -i \
- gegps gpscat gpsfake xgps xgpsspeed gpsprof gps/*.py
install -m755 -D "$srcdir"/gpsd.initd "$pkgdir"/etc/init.d/gpsd
install -m644 -D "$srcdir"/gpsd.confd "$pkgdir"/etc/conf.d/gpsd
}
@@ -75,8 +81,9 @@ _clients() {
mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin
}
-sha512sums="557ef5e5f3b511da4fc441f4bb2e0cd2e23c2981e8b3ce2999973767a04fde070d3ec6f14af60d0e471320078e9f4d1144e5796e7927975ecfbd55fc97f470a9 gpsd-3.20.tar.gz
+sha512sums="
+967cc9801271418023630df02b457b76108968992151f6e80b569e99b856bd79cc3d0369d2088f3bc609b2ab22b29dba87639bf466bf262ab80b2b3f04055f8b gpsd-3.23.tar.gz
eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h
-b692c9fc77a9db3fc621693d3b9e3ef9bc2efbbc7b01651168d7b928d29d48a489b8859930bad01b6021e211372e069a726b78dd5938385ed4ae0153b38f4170 gpsd-use-local-timepps-header.patch
51319247eb78c3021d3eb897cb5d6026cc09d46a532a245a835459ed525947ffb6239f08126dd7e344de52e3b0387226bce060191ec3f14f99fc9f255d96f8ea gpsd.initd
-75dbfe39eb900cc9587dd70794ee77ae2230765bbede47760ca227145aa3f2290b6995335ffcfeae6cd86f56b01ca87367548f4fbcf810aff1bc012b7416deef gpsd.confd"
+75dbfe39eb900cc9587dd70794ee77ae2230765bbede47760ca227145aa3f2290b6995335ffcfeae6cd86f56b01ca87367548f4fbcf810aff1bc012b7416deef gpsd.confd
+"
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index 3206e6a094..b6d0bc8014 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Milan P. Stanić <mps@arvanta.net>
pkgname=haproxy
-pkgver=2.1.12
+pkgver=2.2.17
_pkgmajorver=${pkgver%.*}
-pkgrel=0
+pkgrel=1
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
url="https://www.haproxy.org/"
arch="all"
@@ -33,8 +33,7 @@ build() {
USE_LUA=1 \
USE_NS=1 \
LUA_LIB=/usr/lib/lua$_luaver \
- LUA_INC=/usr/include/lua$_luaver \
- CFLAGS="$CFLAGS"
+ LUA_INC=/usr/include/lua$_luaver
}
check() {
@@ -54,6 +53,8 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="e33735311b0c7f349d5f6aa88fd69e1e9838c08fdf793f6e0d27779cd0c165d9a85022c778be880a8284f62c3c511c2b2d16374bf466268c902045631a4fbff1 haproxy-2.1.12.tar.gz
+sha512sums="
+174197e1e0915a6ae6062b9a070f16102ac7f3429f991f36cdb2e2cce587bd26059bd1dc71a368f904bcdecd292ab5926715160400ae96d498d902aac356864f haproxy-2.2.17.tar.gz
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
-26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
+26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
+"
diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index e578b56927..7aabd83c2b 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgcrypt
pkgver=1.8.8
-pkgrel=0
+pkgrel=1
pkgdesc="general purpose crypto library based on the code used in GnuPG"
url="https://www.gnupg.org/"
arch="all"
@@ -9,9 +9,13 @@ license="LGPL-2.1-or-later"
depends_dev="libgpg-error-dev"
makedepends="$depends_dev texinfo"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
-source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-$pkgver.tar.bz2"
+source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-$pkgver.tar.bz2
+ CVE-2021-40528.patch
+ "
# secfixes:
+# 1.8.8-r1:
+# - CVE-2021-40528
# 1.8.8-r0:
# - CVE-2021-33560
# 1.8.5-r0:
@@ -65,4 +69,5 @@ static() {
sha512sums="
9861f3b5da3cb013eb79efbf2859864f8c2c11b41484b051c981c45cc0bf1569202838226da10ebddeb7a7b7f39ebd3a95f107b9bf6f908074ccc9a51ea94db8 libgcrypt-1.8.8.tar.bz2
+1af48fddb687aa68ff6db9e1c69d6870fbed2dc1e523d0174f6636f92d8b9a918c86a9e26696ca21ee9a3cb5ba38bb21009618343feb8a8fdaa753245113c0e3 CVE-2021-40528.patch
"
diff --git a/main/libgcrypt/CVE-2021-40528.patch b/main/libgcrypt/CVE-2021-40528.patch
new file mode 100644
index 0000000000..52a376f327
--- /dev/null
+++ b/main/libgcrypt/CVE-2021-40528.patch
@@ -0,0 +1,51 @@
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index ae7a631..eead450 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -510,8 +510,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+- gcry_mpi_t t1, t2, r;
++ gcry_mpi_t t1, t2, r, r1, h;
+ unsigned int nbits = mpi_get_nbits (skey->p);
++ gcry_mpi_t x_blind;
+
+ mpi_normalize (a);
+ mpi_normalize (b);
+@@ -522,20 +523,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+
+ t2 = mpi_snew (nbits);
+ r = mpi_new (nbits);
++ r1 = mpi_new (nbits);
++ h = mpi_new (nbits);
++ x_blind = mpi_snew (nbits);
+
+ /* We need a random number of about the prime size. The random
+ number merely needs to be unpredictable; thus we use level 0. */
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+
++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++ mpi_set_highbit (r1, nbits - 1);
++ mpi_sub_ui (h, skey->p, 1);
++ mpi_mul (x_blind, h, r1);
++ mpi_add (x_blind, skey->x, x_blind);
++
+ /* t1 = r^x mod p */
+- mpi_powm (t1, r, skey->x, skey->p);
++ mpi_powm (t1, r, x_blind, skey->p);
+ /* t2 = (a * r)^-x mod p */
+ mpi_mulm (t2, a, r, skey->p);
+- mpi_powm (t2, t2, skey->x, skey->p);
++ mpi_powm (t2, t2, x_blind, skey->p);
+ mpi_invm (t2, t2, skey->p);
+ /* t1 = (t1 * t2) mod p*/
+ mpi_mulm (t1, t1, t2, skey->p);
+
++ mpi_free (x_blind);
++ mpi_free (h);
++ mpi_free (r1);
+ mpi_free (r);
+ mpi_free (t2);
+
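Review bot: This patch file has no provenance header; it starts directly at `diff --git a/cipher/elgamal.c`, with no upstream commit id, author or subject, unlike the gd and libspf2 patches in the same commit. For a change to private-key handling, a later reviewer cannot tell from the file which upstream change is being backported or whether it is complete. I would add a short header, for example `Upstream commit: <UPSTREAM_COMMIT_ID>`, followed by one line stating that `decrypt` now uses a blinded exponent (`x_blind = x + (p-1)*r1`) in both `mpi_powm` calls. The body of `decrypt` continues past the end of the inner hunk.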
diff --git a/main/libspf2/APKBUILD b/main/libspf2/APKBUILD
index 80843440bf..5739e5ebd6 100644
--- a/main/libspf2/APKBUILD
+++ b/main/libspf2/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libspf2
pkgver=1.2.10
-pkgrel=4
+pkgrel=5
pkgdesc="Sender Policy Framework library, a part of the SPF/SRS protocol pair."
url="https://wiki.gnome.org/Projects/Libsecret"
arch="all"
@@ -16,8 +16,13 @@ source="http://www.libspf2.org/spf/$pkgname-$pkgver.tar.gz
netdb_success.patch
musl-res_close.patch
fix-gcc-variadic-macros.patch
+ CVE-2021-20314.patch
"
+# secfixes:
+# 1.2.10-r5:
+# - CVE-2021-20314
+
prepare() {
cd "$builddir"
update_config_sub
@@ -53,9 +58,12 @@ tools() {
rm -fr "$pkgdir"/usr/bin
}
-sha512sums="162ce382628c6fcadac3e11f5a12442db622bb23f7ec503e16f5ba7fc88afdd777bce6b093c12a58210355985fd11b74b140f08fab347334d82d953dd183b130 libspf2-1.2.10.tar.gz
+sha512sums="
+162ce382628c6fcadac3e11f5a12442db622bb23f7ec503e16f5ba7fc88afdd777bce6b093c12a58210355985fd11b74b140f08fab347334d82d953dd183b130 libspf2-1.2.10.tar.gz
3b9bff9b5a5b95f6722f86a43373b0c84cbb79a4509cf0c73486612c0a1b33587bb0b42966b0d2e3a317e4d7a730091fa444bd1258afd06bb3553c4a96d3ee34 00001.patch
18ddfe106b652e2fb9e36a9f1743fc7cecf38530da65a06ac892b60d2c430aaad657f5653495950d4af4b9833826366b79e629937498e5ce7f6af716303221c4 00002.patch
033dd1e959004f7a1026fb1de73813e934560101e04897297e468918ee28e4d7d0f271d6f05d984db22dd43e097f6aa133df18d11419b085d89db89b120750c9 netdb_success.patch
4fb8a28a667d8fe54a48fa89230446b758c6d532866ee26e8b9ef3032f6e0993ec19a2cc2fb265d18d259e35de6fe66183763bbc69c424de70ad8fe0dbcf7a2f musl-res_close.patch
-2face288cfb2cbcfced0f6d47f905b9efdccf696de780892c4e36b134bb4dbe77416b42f42f8ccb16da47551d800fe037899324dec33e140fb8cea0f201abd74 fix-gcc-variadic-macros.patch"
+2face288cfb2cbcfced0f6d47f905b9efdccf696de780892c4e36b134bb4dbe77416b42f42f8ccb16da47551d800fe037899324dec33e140fb8cea0f201abd74 fix-gcc-variadic-macros.patch
+809c9a001b21831a6840359bea3f4e302e1589a5e77bceff85dd63d631ac25ce217ba11446d537d044a1e87481323940da25e6159ad19dd62fcb0803bcd2dcf6 CVE-2021-20314.patch
+"
diff --git a/main/libspf2/CVE-2021-20314.patch b/main/libspf2/CVE-2021-20314.patch
new file mode 100644
index 0000000000..412d5f322a
--- /dev/null
+++ b/main/libspf2/CVE-2021-20314.patch
@@ -0,0 +1,22 @@
+From c37b7c13c30e225183899364b9f2efdfa85552ef Mon Sep 17 00:00:00 2001
+From: Shevek <shevek@anarres.org>
+Date: Sat, 5 Jun 2021 21:39:04 -0700
+Subject: [PATCH] spf_compile.c: Correct size of ds_avail.
+
+---
+ src/libspf2/spf_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index ff02f87..b08ffe2 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -455,7 +455,7 @@ SPF_c_parse_var(SPF_response_t *spf_response, SPF_data_var_t *data,
+ /* Magic numbers for x/Nc in gdb. */ \
+ data->ds.__unused0 = 0xba; data->ds.__unused1 = 0xbe; \
+ dst = SPF_data_str( data ); \
+- ds_avail = _avail; \
++ ds_avail = _avail - sizeof(SPF_data_t); \
+ ds_len = 0; \
+ } while(0)
+
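Review bot: The corrected assignment `ds_avail = _avail - sizeof(SPF_data_t);` would wrap to a very large value if the macro is ever expanded with `_avail` smaller than `sizeof(SPF_data_t)`, assuming `ds_avail` is an unsigned size. Neither its declaration nor the macro's callers are visible in this hunk, so that needs confirming. If that invariant is not guaranteed at every use, a clamped form such as `ds_avail = (_avail > sizeof(SPF_data_t)) ? _avail - sizeof(SPF_data_t) : 0; \` keeps the bound conservative. Otherwise a one-line comment stating the precondition would document why the subtraction is safe. The macro definition begins before the inner hunk.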
diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD
index 7214692453..c9ceacf4d2 100644
--- a/main/linux-lts/APKBUILD
+++ b/main/linux-lts/APKBUILD
@@ -2,7 +2,7 @@
_flavor=lts
pkgname=linux-${_flavor}
-pkgver=5.4.111
+pkgver=5.4.143
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -223,16 +223,16 @@ _dev() {
sha512sums="9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f linux-5.4.tar.xz
d19365fe94431008768c96a2c88955652f70b6df6677457ee55ee95246a64fdd2c6fed9b3bef37c29075178294a7fc91f148ead636382530ebfa822be4ad8c2f 0002-powerpc-config-defang-gcc-check-for-stack-protector-.patch
-3128c42297694701fdf7f2fa2677b15ff3be649d1dcbe01ce68dcbfde34d0c8695f5e6056977e1dbbcd71eda082f15b1eef2fed9127a032292ba189a5f299724 config-lts.aarch64
-3a34d3d5168ec8f38ac9f72b94f02f4521daada69629050794535b69689596e4f184c3f6f916085af59e135be7b625e70fb265bedf750d438d414cbb92ba5df5 config-lts.armv7
-898f5d81cc00ba739dfc7366e5c984fa628936ec0e8f7a2ba4b0bb48e3a541e8ea6c853adba309492e7d913178f564eb1041119d71a91e15164275ba8d5d1670 config-lts.x86
-64dadca4bb9dd898867463e9f1ce0dd43e0dea0e5bbd3cfd59af8691b3d1ca3b633630c466e18302161ab6d00f47ab34d9a63ee9f02dc64cba3a1bce25565079 config-lts.x86_64
-7b5c1de69ae67b3084450c7b6f1c2860720a12b45455f8353db020b65adc2473bf7eee3aa6f41bb941dbbb811df1fd1da6f93df303d3648591092cc993cb2494 config-lts.ppc64le
-65795e40e99ca1b67f8654152010e05fa7b50c06b6ca7ebb3e5c8901f6cccbf629a2ab708e51bb009af0120ef7e61b2fc14ae4681b5243cf9cacd4b1c4220a54 config-lts.s390x
-0196375dff9d789b36a9885296f7caecf10584b830ca194ecc778bc54f2bc22d6ebad355de2f47b3630b839ecb9bfaf5062a37d5eecf4020a97b58c28d7d6077 config-lts.mips64
-66f2c87f7bd7383208bc81ed95193ca207cae011acab18aca7ca4bc64fe91d21dfc2c9a35ba88420caa8b8852ed8144fe92dacd4758243254d80f35270272bc4 config-lts.mips
-a494d3dad3e9eac5e7f4982884e413509c7679cdfc71d09c3ed1462ef86827911a95ed0cbbfa4208bd5b3c53a7956ca7307b91595e63318136995137f6eed708 config-virt.aarch64
-98fcfdfac4aeb5a7457dc509d12a6adbed9ee4ac385a5df4f3ab344127867a674966b39ac008501015ab6962543899c53b1cc728fcb377f61890ef73cb356269 config-virt.armv7
-fa94257984f4fe5b3b8edb70cc9ec281c67f9c4d566cd059a6df76dd0a2e72647a63655cd810c5530ee5ad9a36a25ad475b4499ab3292c1315dcbd7ad58c2413 config-virt.x86
-e56df3a1437796640cae3c1f913a9ddf5236273f34254f04e4771f4fd8608fb8239701c1d0ae7abc0a3ff873d17aee039160c38d0a3dfbfc8247acb3cad6a361 config-virt.x86_64
-6ea6441cfe82713a6426d7dc9ce0dfdbe48db1a6c898eb80f5f687f9866d3bd066c141704cd79ea5894e8b2d09e63ac94465fae8d6316cd963ca35e1c779f9c8 patch-5.4.111.xz"
+748ec78861d04a6db073ba6392fcfa790376015e66f442c297fe7733122aa99057a4e6a3986833f8114c881a69f1307dfba10a9cd90fd3af653ef4b64b386889 config-lts.aarch64
+ebdadeda46194bcc7ddf3c2db401ba1d32e1eeebee0c7fa3d103ac9fcf08bf53dbd83b5dddc3f990d40c06aace12ba91f6eb7d917d19e7991def3de64990fe85 config-lts.armv7
+f9a090756f5c6d504b9af8bff7ce1ac98c45dfb5540bd03de515a859504f6e9d59e8d77983c90b36e2d5fe1d1975f41ac7351e27e67d264bdb3946b10ee125d2 config-lts.x86
+b5c92c8278f605e15d50695eff0dbf84872422eef357e98fa46642fd37b516f5616215bd98c79b7b6516d52e0efe8b5b8dfe9049eb319535d1e2acb74ecfee1e config-lts.x86_64
+1912e515aa5dedaaa15151c9b160aebbf7b45e4bd1616fc562c30dbf4b38cd59c3b04a892ef6207bcbe90fa42b4628a924777f22f980753387890e6aceaae0ff config-lts.ppc64le
+1f7291fcb6dd4a0226ca9846116ada50ef03a6b67028e16d6c6c3e0fe59e45c94f54f6ef8ed6a067e16332bf6da7adc3bb7c43c2ed8fa4b743d6bb22d4ebeeb4 config-lts.s390x
+2121ff443bbc617cb0f5f77b698120f71b1cdc4d18bd4312cc6ab5659635f74995d7a194820128b7aa7790f5912d5e30f00b11d6d225dab88ab9a00dc5a9c717 config-lts.mips64
+1fc4cf98951ff88ceaaaca01a884c41d71f26da1d6e6c772012dead5bb530244388d5be54346c29a37df7781d05e35c83aa00e8b5f0358fa3280007423f243b7 config-lts.mips
+e19a0e494bfead5846770fef9a8d4fa8ab9e7290b78a14403404f61dc71c3d667f5f199f29a817c1fbced901ed6871c70fe1e1baade78a967a2426f510e93f18 config-virt.aarch64
+3a9bad315329228b368e399854c94ecbdf3f211de35c2f70cb1287f5ecbe5f50cb31f97b02f99e880ca1cf1772dd3341c8d888509718baaf78593664bc822d70 config-virt.armv7
+bbf2b9b8d1cf45e95d02438c23c8b5646dc21b51b16ac34498213f8517ea94f4769781e8902a6d8a32b5f7c1b174e15afde147aeefde221024af2dc686f1b575 config-virt.x86
+8a64728776209d1305f10d8310694088ec38ada723da0ef9caf1ac4390c580704cefb0f8487bd9632974fac31b6db4684e650ab2db222a63e3223658254dc8d7 config-virt.x86_64
+5850c88f4cfe6d26e543bb96b77691d846e5f3d506a607a7a083fc54561113f4b5afb48e93a963b056f34beb4f75cc64dd693f128ae5be795cdd8274c5955330 patch-5.4.143.xz"
diff --git a/main/linux-lts/config-lts.aarch64 b/main/linux-lts/config-lts.aarch64
index 8295766046..4caadac48d 100644
--- a/main/linux-lts/config-lts.aarch64
+++ b/main/linux-lts/config-lts.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.4.109 Kernel Configuration
+# Linux/arm64 5.4.143 Kernel Configuration
#
#
@@ -4279,6 +4279,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
CONFIG_HWMON=m
diff --git a/main/linux-lts/config-lts.armv7 b/main/linux-lts/config-lts.armv7
index 99e984f29c..02b53137cc 100644
--- a/main/linux-lts/config-lts.armv7
+++ b/main/linux-lts/config-lts.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.4.109 Kernel Configuration
+# Linux/arm 5.4.143 Kernel Configuration
#
#
@@ -2066,6 +2066,7 @@ CONFIG_NVME_CORE=m
CONFIG_NVME_MULTIPATH=y
CONFIG_NVME_FABRICS=m
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
CONFIG_NVME_TARGET=m
CONFIG_NVME_TARGET_LOOP=m
# CONFIG_NVME_TARGET_FC is not set
@@ -3524,6 +3525,7 @@ CONFIG_AXP20X_POWER=m
# CONFIG_CHARGER_SMB347 is not set
CONFIG_CHARGER_TPS65217=m
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_UCS1002 is not set
CONFIG_HWMON=m
diff --git a/main/linux-lts/config-lts.mips b/main/linux-lts/config-lts.mips
index 64f7256da1..c0f1c0e8a7 100644
--- a/main/linux-lts/config-lts.mips
+++ b/main/linux-lts/config-lts.mips
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/mips 5.4.109 Kernel Configuration
+# Linux/mips 5.4.143 Kernel Configuration
#
#
@@ -990,6 +990,7 @@ CONFIG_BLK_DEV_CRYPTOLOOP=m
#
# CONFIG_BLK_DEV_NVME is not set
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
# end of NVME Support
#
diff --git a/main/linux-lts/config-lts.mips64 b/main/linux-lts/config-lts.mips64
index 0e1bc625ce..fcbad214e8 100644
--- a/main/linux-lts/config-lts.mips64
+++ b/main/linux-lts/config-lts.mips64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/mips 5.4.109 Kernel Configuration
+# Linux/mips 5.4.143 Kernel Configuration
#
#
@@ -1004,6 +1004,7 @@ CONFIG_BLK_DEV_CRYPTOLOOP=m
#
# CONFIG_BLK_DEV_NVME is not set
# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
# end of NVME Support
#
diff --git a/main/linux-lts/config-lts.ppc64le b/main/linux-lts/config-lts.ppc64le
index a487704943..f957f32c87 100644
--- a/main/linux-lts/config-lts.ppc64le
+++ b/main/linux-lts/config-lts.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.4.109 Kernel Configuration
+# Linux/powerpc 5.4.143 Kernel Configuration
#
#
@@ -2512,6 +2512,7 @@ CONFIG_POWER_SUPPLY_HWMON=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
CONFIG_HWMON=y
# CONFIG_HWMON_DEBUG_CHIP is not set
diff --git a/main/linux-lts/config-lts.s390x b/main/linux-lts/config-lts.s390x
index 9640056824..64aca87a7a 100644
--- a/main/linux-lts/config-lts.s390x
+++ b/main/linux-lts/config-lts.s390x
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/s390 5.4.109 Kernel Configuration
+# Linux/s390 5.4.143 Kernel Configuration
#
#
diff --git a/main/linux-lts/config-lts.x86 b/main/linux-lts/config-lts.x86
index 9adf3a8b3e..f9e30c3c3c 100644
--- a/main/linux-lts/config-lts.x86
+++ b/main/linux-lts/config-lts.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.4.109 Kernel Configuration
+# Linux/x86 5.4.143 Kernel Configuration
#
#
@@ -4113,6 +4113,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
CONFIG_HWMON=m
CONFIG_HWMON_VID=m
diff --git a/main/linux-lts/config-lts.x86_64 b/main/linux-lts/config-lts.x86_64
index e5e208a42d..35dc076f4d 100644
--- a/main/linux-lts/config-lts.x86_64
+++ b/main/linux-lts/config-lts.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.4.109 Kernel Configuration
+# Linux/x86_64 5.4.143 Kernel Configuration
#
#
@@ -305,7 +305,6 @@ CONFIG_RETPOLINE=y
CONFIG_X86_EXTENDED_PLATFORM=y
# CONFIG_X86_NUMACHIP is not set
# CONFIG_X86_VSMP is not set
-# CONFIG_X86_UV is not set
# CONFIG_X86_GOLDFISH is not set
# CONFIG_X86_INTEL_MID is not set
CONFIG_X86_INTEL_LPSS=y
@@ -4156,6 +4155,7 @@ CONFIG_GENERIC_ADC_BATTERY=m
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
CONFIG_HWMON=m
CONFIG_HWMON_VID=m
diff --git a/main/linux-lts/config-virt.aarch64 b/main/linux-lts/config-virt.aarch64
index fdf088230e..bf1b27db9b 100644
--- a/main/linux-lts/config-virt.aarch64
+++ b/main/linux-lts/config-virt.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.4.109 Kernel Configuration
+# Linux/arm64 5.4.143 Kernel Configuration
#
#
@@ -2855,6 +2855,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
diff --git a/main/linux-lts/config-virt.armv7 b/main/linux-lts/config-virt.armv7
index 20fce9c8da..fdda900065 100644
--- a/main/linux-lts/config-virt.armv7
+++ b/main/linux-lts/config-virt.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.4.109 Kernel Configuration
+# Linux/arm 5.4.143 Kernel Configuration
#
#
@@ -2753,6 +2753,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
# CONFIG_CHARGER_RT9455 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
diff --git a/main/linux-lts/config-virt.x86 b/main/linux-lts/config-virt.x86
index aef35f55e8..177958aea3 100644
--- a/main/linux-lts/config-virt.x86
+++ b/main/linux-lts/config-virt.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.4.109 Kernel Configuration
+# Linux/x86 5.4.143 Kernel Configuration
#
#
@@ -2615,6 +2615,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
diff --git a/main/linux-lts/config-virt.x86_64 b/main/linux-lts/config-virt.x86_64
index b2aa0e5ba2..e472491596 100644
--- a/main/linux-lts/config-virt.x86_64
+++ b/main/linux-lts/config-virt.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.4.109 Kernel Configuration
+# Linux/x86_64 5.4.143 Kernel Configuration
#
#
@@ -2697,6 +2697,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_SMB347 is not set
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
CONFIG_HWMON=m
# CONFIG_HWMON_DEBUG_CHIP is not set
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index c2423b3599..a31189fade 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.4.19
+pkgver=10.4.21
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -46,6 +46,9 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad
#options="!check"
# secfixes:
+# 10.4.21-r0:
+# - CVE-2021-2372
+# - CVE-2021-2389
# 10.4.19-r0:
# - CVE-2021-2154
# - CVE-2021-2166
@@ -460,7 +463,7 @@ _plugin_rocksdb() {
}
sha512sums="
-837bd4e46e2033d0e996c33125c50b98e141e4c31cf4753a4bd1a7bd1e6a25ebe2a0ea7c8061d29f3c635e24d8e4bf2bbca62ea3b0089bde6576c39ffc6f5e28 mariadb-10.4.19.tar.gz
+2be398cd80f0b8c938ab310f47ccd410f0209f8308bfc202014b71aee3f0bea7f535d1eceb82a4407202d9732c77874d773c6f13e54cf556fc79ed0d49390345 mariadb-10.4.21.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
70da971aa78815495098205bcbd28428430aa83c3f1050fec0231ca86af9d9def2d2108a48ee08d86812c8dc5ad8ab1ef4e17a49b4936ed5187ae0f6a7ef8f63 pcre.cmake.patch
dbd0970ea34e8bc8510431b3dc78f90b68be6f84bd27909a88516a469c2d5b402cfa62c548d78bac1e3eb717bb1b361cc375a3a77321a497e16dfba883233949 ppc-remove-glibc-dep.patch
diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index 6c25d423d6..3aa0cb3aef 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.6.9
-pkgrel=0
+pkgrel=1
pkgdesc="An Open Source MQTT v3.1 Message Broker"
url="https://mosquitto.org/"
arch="all"
@@ -17,9 +17,13 @@ subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname
source="http://mosquitto.org/files/source/mosquitto-$pkgver.tar.gz
config.patch
disable-ci-tests.patch
- mosquitto.initd"
+ mosquitto.initd
+ CVE-2021-34432.patch
+ "
# secfixes:
+# 1.6.9-r1:
+# - CVE-2021-34432
# 1.6.7-r0:
# - CVE-2019-11779
# 1.5.6-r0:
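Review bot: The `source=` list edited in this hunk still fetches the release tarball over plain `http://mosquitto.org/files/source/...` in its first entry. The sha512 entry is then the only integrity control on the download, and that value is normally generated from whatever the maintainer's machine fetched. The redis hunk in this same commit switches its tarball to `https://`. Assuming upstream serves the same path over TLS, the matching change here is `source="https://mosquitto.org/files/source/mosquitto-$pkgver.tar.gz`.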
@@ -87,7 +91,10 @@ clients() {
mv "$pkgdir"/usr/bin/mosquitto_[ps]ub "$subpkgdir"/usr/bin/
}
-sha512sums="f78228a1e8305e4d89b34250981ed2c5fe5317636003636dc90f6fa2b1e3ca3c8fadb705ee7301f5252456cb093a6547bd46a255ca3d9fb5cdced697738d6eb7 mosquitto-1.6.9.tar.gz
+sha512sums="
+f78228a1e8305e4d89b34250981ed2c5fe5317636003636dc90f6fa2b1e3ca3c8fadb705ee7301f5252456cb093a6547bd46a255ca3d9fb5cdced697738d6eb7 mosquitto-1.6.9.tar.gz
fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch
21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch
-d5406c258351133d85fc90056d78286a0ed1defde90e68d84fa9a1d65244d2baef76fd30fd04855e4bf6fc87532ef8ff274a6b70564f09f69fc6d14b5106fef0 mosquitto.initd"
+d5406c258351133d85fc90056d78286a0ed1defde90e68d84fa9a1d65244d2baef76fd30fd04855e4bf6fc87532ef8ff274a6b70564f09f69fc6d14b5106fef0 mosquitto.initd
+5dfd7ac9a49284a08e75f36cea6ea7b5ed6126e5afb43ba4ecfe8efe38ddf6b15f52b1b1eff0b8901f065f0773595ed8f66757b70e12283a7d1a2e876b39f092 CVE-2021-34432.patch
+"
diff --git a/main/mosquitto/CVE-2021-34432.patch b/main/mosquitto/CVE-2021-34432.patch
new file mode 100644
index 0000000000..14037ba13c
--- /dev/null
+++ b/main/mosquitto/CVE-2021-34432.patch
@@ -0,0 +1,61 @@
+From 9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6 Mon Sep 17 00:00:00 2001
+From: "Roger A. Light" <roger@atchoo.org>
+Date: Tue, 9 Feb 2021 14:09:53 +0000
+Subject: [PATCH] Fix mosquitto_{pub|sub}_topic_check() function returns.
+
+The would not return MOSQ_ERR_INVAL on topic == NULL.
+---
+ lib/util_topic.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/lib/util_topic.c b/lib/util_topic.c
+index fc24f0d1cb..62b531127c 100644
+--- a/lib/util_topic.c
++++ b/lib/util_topic.c
+@@ -54,6 +54,11 @@ int mosquitto_pub_topic_check(const char *str)
+ #ifdef WITH_BROKER
+ int hier_count = 0;
+ #endif
++
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
+ while(str && str[0]){
+ if(str[0] == '+' || str[0] == '#'){
+ return MOSQ_ERR_INVAL;
+@@ -81,7 +86,9 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+' || str[i] == '#'){
+@@ -115,7 +122,11 @@ int mosquitto_sub_topic_check(const char *str)
+ int hier_count = 0;
+ #endif
+
+- while(str && str[0]){
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
++ while(str[0]){
+ if(str[0] == '+'){
+ if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
+ return MOSQ_ERR_INVAL;
+@@ -150,7 +161,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+'){
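Review bot: The embedded patch header does not match its body: the diffstat reports "2 files changed, 21 insertions(+), 3 deletions(-)", but only the `lib/util_topic.c` diff is present, so one file was trimmed without a note. The header also has no upstream reference, which makes it hard to audit the backport against the original fix for the CVE it is named after. I would add a trailer such as `Patch-Source: <upstream commit URL>`, as the nodejs patch in this commit does, plus one line saying which file was dropped and why. As a minor style point, `mosquitto_pub_topic_check` keeps `while(str && str[0])` after the new NULL guard, whereas `mosquitto_sub_topic_check` drops the redundant `str &&`. The four function bodies continue outside the embedded hunks.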
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 0c644ca20f..a4154f99ae 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,16 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 12.22.6-r0:
+# - CVE-2021-37701
+# - CVE-2021-37712
+# - CVE-2021-37713
+# - CVE-2021-39134
+# - CVE-2021-39135
+# 12.22.5-r0:
+# - CVE-2021-3672
+# - CVE-2021-22931
+# - CVE-2021-22939
# 12.22.4-r0:
# - CVE-2021-22930
# 12.22.2-r0:
@@ -68,7 +78,7 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=12.22.4
+pkgver=12.22.6
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
@@ -90,6 +100,7 @@ replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
dont-run-gyp-files-for-bundled-deps.patch
link-with-libatomic-on-mips32.patch
+ fix-build-with-system-c-ares.patch
"
builddir="$srcdir/node-v$pkgver"
@@ -170,7 +181,8 @@ npm() {
}
sha512sums="
-9493959c1038b383ef394c76c2f7a17a23018c91b8b9550c17bdb56930f4e58657025714e13eac77e656e4db9e8304c34dd652d8fbfefdb9e7b43beb83fac571 node-v12.22.4.tar.gz
+8d0c40147960c4aeed100321054c1d5cc473d66d6513bca13f81409e067d8bbd76f7247208b6e1d7fac4f1f8a4000aedbbf3fc259d4b483b37da96d0a5475968 node-v12.22.6.tar.gz
fc5848ced3e591e732b6a9af27679ca82f7605a4b2cd2f7eb6a411664b7c065892fb67a1db5aec7a26207582eecd8377476ed550c1dfb6c7917ba7babfa66a2d dont-run-gyp-files-for-bundled-deps.patch
a63b42c08b55139c1c363f6ba8aba9d85a0621b383ed514f7562cfa02f0cc290785d7cfe09892ac39962980d1b318957511f57b3f9b9d1fbc8704c0603597c9a link-with-libatomic-on-mips32.patch
+30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch
"
diff --git a/main/nodejs/fix-build-with-system-c-ares.patch b/main/nodejs/fix-build-with-system-c-ares.patch
new file mode 100644
index 0000000000..8121891d04
--- /dev/null
+++ b/main/nodejs/fix-build-with-system-c-ares.patch
@@ -0,0 +1,535 @@
+From aff98a5667c22794e2eaf658f6dfbee54cdd4a3b Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Thu, 12 Aug 2021 02:44:43 +0800
+Subject: [PATCH 1/2] deps: fix building with system c-ares on Linux
+Patch-Source: https://github.com/nodejs/node/pull/39739
+
+The change in #39724 breaks building with system c-ares
+(`--shared-cares`):
+```
+In file included from ../src/cares_wrap.cc:25:
+../src/cares_wrap.h:25:11: fatal error: ares_nameser.h: No such file or
+directory
+ 25 | # include <ares_nameser.h>
+ | ^~~~~~~~~~~~~~~~
+```
+
+Since `ares_nameser.h` isn't available with a default system c-ares
+installation, let's copy it as our private header here.
+
+Tested to build fine on Arch Linux with shared c-ares.
+---
+ src/ares_nameser.h | 482 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 482 insertions(+)
+ create mode 100644 src/ares_nameser.h
+
+diff --git a/src/ares_nameser.h b/src/ares_nameser.h
+new file mode 100644
+index 000000000000..5270e5a3a6a0
+--- /dev/null
++++ b/src/ares_nameser.h
+@@ -0,0 +1,482 @@
++
++#ifndef ARES_NAMESER_H
++#define ARES_NAMESER_H
++
++#ifdef HAVE_ARPA_NAMESER_H
++# include <arpa/nameser.h>
++#endif
++#ifdef HAVE_ARPA_NAMESER_COMPAT_H
++# include <arpa/nameser_compat.h>
++#endif
++
++/* ============================================================================
++ * arpa/nameser.h may or may not provide ALL of the below defines, so check
++ * each one individually and set if not
++ * ============================================================================
++ */
++
++#ifndef NS_PACKETSZ
++# define NS_PACKETSZ 512 /* maximum packet size */
++#endif
++
++#ifndef NS_MAXDNAME
++# define NS_MAXDNAME 256 /* maximum domain name */
++#endif
++
++#ifndef NS_MAXCDNAME
++# define NS_MAXCDNAME 255 /* maximum compressed domain name */
++#endif
++
++#ifndef NS_MAXLABEL
++# define NS_MAXLABEL 63
++#endif
++
++#ifndef NS_HFIXEDSZ
++# define NS_HFIXEDSZ 12 /* #/bytes of fixed data in header */
++#endif
++
++#ifndef NS_QFIXEDSZ
++# define NS_QFIXEDSZ 4 /* #/bytes of fixed data in query */
++#endif
++
++#ifndef NS_RRFIXEDSZ
++# define NS_RRFIXEDSZ 10 /* #/bytes of fixed data in r record */
++#endif
++
++#ifndef NS_INT16SZ
++# define NS_INT16SZ 2
++#endif
++
++#ifndef NS_INADDRSZ
++# define NS_INADDRSZ 4
++#endif
++
++#ifndef NS_IN6ADDRSZ
++# define NS_IN6ADDRSZ 16
++#endif
++
++#ifndef NS_CMPRSFLGS
++# define NS_CMPRSFLGS 0xc0 /* Flag bits indicating name compression. */
++#endif
++
++#ifndef NS_DEFAULTPORT
++# define NS_DEFAULTPORT 53 /* For both TCP and UDP. */
++#endif
++
++/* ============================================================================
++ * arpa/nameser.h should provide these enumerations always, so if not found,
++ * provide them
++ * ============================================================================
++ */
++#ifndef HAVE_ARPA_NAMESER_H
++
++typedef enum __ns_class {
++ ns_c_invalid = 0, /* Cookie. */
++ ns_c_in = 1, /* Internet. */
++ ns_c_2 = 2, /* unallocated/unsupported. */
++ ns_c_chaos = 3, /* MIT Chaos-net. */
++ ns_c_hs = 4, /* MIT Hesiod. */
++ /* Query class values which do not appear in resource records */
++ ns_c_none = 254, /* for prereq. sections in update requests */
++ ns_c_any = 255, /* Wildcard match. */
++ ns_c_max = 65536
++} ns_class;
++
++typedef enum __ns_type {
++ ns_t_invalid = 0, /* Cookie. */
++ ns_t_a = 1, /* Host address. */
++ ns_t_ns = 2, /* Authoritative server. */
++ ns_t_md = 3, /* Mail destination. */
++ ns_t_mf = 4, /* Mail forwarder. */
++ ns_t_cname = 5, /* Canonical name. */
++ ns_t_soa = 6, /* Start of authority zone. */
++ ns_t_mb = 7, /* Mailbox domain name. */
++ ns_t_mg = 8, /* Mail group member. */
++ ns_t_mr = 9, /* Mail rename name. */
++ ns_t_null = 10, /* Null resource record. */
++ ns_t_wks = 11, /* Well known service. */
++ ns_t_ptr = 12, /* Domain name pointer. */
++ ns_t_hinfo = 13, /* Host information. */
++ ns_t_minfo = 14, /* Mailbox information. */
++ ns_t_mx = 15, /* Mail routing information. */
++ ns_t_txt = 16, /* Text strings. */
++ ns_t_rp = 17, /* Responsible person. */
++ ns_t_afsdb = 18, /* AFS cell database. */
++ ns_t_x25 = 19, /* X_25 calling address. */
++ ns_t_isdn = 20, /* ISDN calling address. */
++ ns_t_rt = 21, /* Router. */
++ ns_t_nsap = 22, /* NSAP address. */
++ ns_t_nsap_ptr = 23, /* Reverse NSAP lookup (deprecated). */
++ ns_t_sig = 24, /* Security signature. */
++ ns_t_key = 25, /* Security key. */
++ ns_t_px = 26, /* X.400 mail mapping. */
++ ns_t_gpos = 27, /* Geographical position (withdrawn). */
++ ns_t_aaaa = 28, /* Ip6 Address. */
++ ns_t_loc = 29, /* Location Information. */
++ ns_t_nxt = 30, /* Next domain (security). */
++ ns_t_eid = 31, /* Endpoint identifier. */
++ ns_t_nimloc = 32, /* Nimrod Locator. */
++ ns_t_srv = 33, /* Server Selection. */
++ ns_t_atma = 34, /* ATM Address */
++ ns_t_naptr = 35, /* Naming Authority PoinTeR */
++ ns_t_kx = 36, /* Key Exchange */
++ ns_t_cert = 37, /* Certification record */
++ ns_t_a6 = 38, /* IPv6 address (deprecates AAAA) */
++ ns_t_dname = 39, /* Non-terminal DNAME (for IPv6) */
++ ns_t_sink = 40, /* Kitchen sink (experimentatl) */
++ ns_t_opt = 41, /* EDNS0 option (meta-RR) */
++ ns_t_apl = 42, /* Address prefix list (RFC3123) */
++ ns_t_ds = 43, /* Delegation Signer (RFC4034) */
++ ns_t_sshfp = 44, /* SSH Key Fingerprint (RFC4255) */
++ ns_t_rrsig = 46, /* Resource Record Signature (RFC4034) */
++ ns_t_nsec = 47, /* Next Secure (RFC4034) */
++ ns_t_dnskey = 48, /* DNS Public Key (RFC4034) */
++ ns_t_tkey = 249, /* Transaction key */
++ ns_t_tsig = 250, /* Transaction signature. */
++ ns_t_ixfr = 251, /* Incremental zone transfer. */
++ ns_t_axfr = 252, /* Transfer zone of authority. */
++ ns_t_mailb = 253, /* Transfer mailbox records. */
++ ns_t_maila = 254, /* Transfer mail agent records. */
++ ns_t_any = 255, /* Wildcard match. */
++ ns_t_zxfr = 256, /* BIND-specific, nonstandard. */
++ ns_t_caa = 257, /* Certification Authority Authorization. */
++ ns_t_max = 65536
++} ns_type;
++
++typedef enum __ns_opcode {
++ ns_o_query = 0, /* Standard query. */
++ ns_o_iquery = 1, /* Inverse query (deprecated/unsupported). */
++ ns_o_status = 2, /* Name server status query (unsupported). */
++ /* Opcode 3 is undefined/reserved. */
++ ns_o_notify = 4, /* Zone change notification. */
++ ns_o_update = 5, /* Zone update message. */
++ ns_o_max = 6
++} ns_opcode;
++
++typedef enum __ns_rcode {
++ ns_r_noerror = 0, /* No error occurred. */
++ ns_r_formerr = 1, /* Format error. */
++ ns_r_servfail = 2, /* Server failure. */
++ ns_r_nxdomain = 3, /* Name error. */
++ ns_r_notimpl = 4, /* Unimplemented. */
++ ns_r_refused = 5, /* Operation refused. */
++ /* these are for BIND_UPDATE */
++ ns_r_yxdomain = 6, /* Name exists */
++ ns_r_yxrrset = 7, /* RRset exists */
++ ns_r_nxrrset = 8, /* RRset does not exist */
++ ns_r_notauth = 9, /* Not authoritative for zone */
++ ns_r_notzone = 10, /* Zone of record different from zone section */
++ ns_r_max = 11,
++ /* The following are TSIG extended errors */
++ ns_r_badsig = 16,
++ ns_r_badkey = 17,
++ ns_r_badtime = 18
++} ns_rcode;
++
++#endif /* HAVE_ARPA_NAMESER_H */
++
++
++/* ============================================================================
++ * arpa/nameser_compat.h typically sets these. However on some systems
++ * arpa/nameser.h does, but may not set all of them. Lets conditionally
++ * define each
++ * ============================================================================
++ */
++
++#ifndef PACKETSZ
++# define PACKETSZ NS_PACKETSZ
++#endif
++
++#ifndef MAXDNAME
++# define MAXDNAME NS_MAXDNAME
++#endif
++
++#ifndef MAXCDNAME
++# define MAXCDNAME NS_MAXCDNAME
++#endif
++
++#ifndef MAXLABEL
++# define MAXLABEL NS_MAXLABEL
++#endif
++
++#ifndef HFIXEDSZ
++# define HFIXEDSZ NS_HFIXEDSZ
++#endif
++
++#ifndef QFIXEDSZ
++# define QFIXEDSZ NS_QFIXEDSZ
++#endif
++
++#ifndef RRFIXEDSZ
++# define RRFIXEDSZ NS_RRFIXEDSZ
++#endif
++
++#ifndef INDIR_MASK
++# define INDIR_MASK NS_CMPRSFLGS
++#endif
++
++#ifndef NAMESERVER_PORT
++# define NAMESERVER_PORT NS_DEFAULTPORT
++#endif
++
++
++/* opcodes */
++#ifndef O_QUERY
++# define O_QUERY 0 /* ns_o_query */
++#endif
++#ifndef O_IQUERY
++# define O_IQUERY 1 /* ns_o_iquery */
++#endif
++#ifndef O_STATUS
++# define O_STATUS 2 /* ns_o_status */
++#endif
++#ifndef O_NOTIFY
++# define O_NOTIFY 4 /* ns_o_notify */
++#endif
++#ifndef O_UPDATE
++# define O_UPDATE 5 /* ns_o_update */
++#endif
++
++
++/* response codes */
++#ifndef SERVFAIL
++# define SERVFAIL ns_r_servfail
++#endif
++#ifndef NOTIMP
++# define NOTIMP ns_r_notimpl
++#endif
++#ifndef REFUSED
++# define REFUSED ns_r_refused
++#endif
++#if defined(_WIN32) && !defined(HAVE_ARPA_NAMESER_COMPAT_H) && defined(NOERROR)
++# undef NOERROR /* it seems this is already defined in winerror.h */
++#endif
++#ifndef NOERROR
++# define NOERROR ns_r_noerror
++#endif
++#ifndef FORMERR
++# define FORMERR ns_r_formerr
++#endif
++#ifndef NXDOMAIN
++# define NXDOMAIN ns_r_nxdomain
++#endif
++/* Non-standard response codes, use numeric values */
++#ifndef YXDOMAIN
++# define YXDOMAIN 6 /* ns_r_yxdomain */
++#endif
++#ifndef YXRRSET
++# define YXRRSET 7 /* ns_r_yxrrset */
++#endif
++#ifndef NXRRSET
++# define NXRRSET 8 /* ns_r_nxrrset */
++#endif
++#ifndef NOTAUTH
++# define NOTAUTH 9 /* ns_r_notauth */
++#endif
++#ifndef NOTZONE
++# define NOTZONE 10 /* ns_r_notzone */
++#endif
++#ifndef TSIG_BADSIG
++# define TSIG_BADSIG 16 /* ns_r_badsig */
++#endif
++#ifndef TSIG_BADKEY
++# define TSIG_BADKEY 17 /* ns_r_badkey */
++#endif
++#ifndef TSIG_BADTIME
++# define TSIG_BADTIME 18 /* ns_r_badtime */
++#endif
++
++
++/* classes */
++#ifndef C_IN
++# define C_IN 1 /* ns_c_in */
++#endif
++#ifndef C_CHAOS
++# define C_CHAOS 3 /* ns_c_chaos */
++#endif
++#ifndef C_HS
++# define C_HS 4 /* ns_c_hs */
++#endif
++#ifndef C_NONE
++# define C_NONE 254 /* ns_c_none */
++#endif
++#ifndef C_ANY
++# define C_ANY 255 /* ns_c_any */
++#endif
++
++
++/* types */
++#ifndef T_A
++# define T_A 1 /* ns_t_a */
++#endif
++#ifndef T_NS
++# define T_NS 2 /* ns_t_ns */
++#endif
++#ifndef T_MD
++# define T_MD 3 /* ns_t_md */
++#endif
++#ifndef T_MF
++# define T_MF 4 /* ns_t_mf */
++#endif
++#ifndef T_CNAME
++# define T_CNAME 5 /* ns_t_cname */
++#endif
++#ifndef T_SOA
++# define T_SOA 6 /* ns_t_soa */
++#endif
++#ifndef T_MB
++# define T_MB 7 /* ns_t_mb */
++#endif
++#ifndef T_MG
++# define T_MG 8 /* ns_t_mg */
++#endif
++#ifndef T_MR
++# define T_MR 9 /* ns_t_mr */
++#endif
++#ifndef T_NULL
++# define T_NULL 10 /* ns_t_null */
++#endif
++#ifndef T_WKS
++# define T_WKS 11 /* ns_t_wks */
++#endif
++#ifndef T_PTR
++# define T_PTR 12 /* ns_t_ptr */
++#endif
++#ifndef T_HINFO
++# define T_HINFO 13 /* ns_t_hinfo */
++#endif
++#ifndef T_MINFO
++# define T_MINFO 14 /* ns_t_minfo */
++#endif
++#ifndef T_MX
++# define T_MX 15 /* ns_t_mx */
++#endif
++#ifndef T_TXT
++# define T_TXT 16 /* ns_t_txt */
++#endif
++#ifndef T_RP
++# define T_RP 17 /* ns_t_rp */
++#endif
++#ifndef T_AFSDB
++# define T_AFSDB 18 /* ns_t_afsdb */
++#endif
++#ifndef T_X25
++# define T_X25 19 /* ns_t_x25 */
++#endif
++#ifndef T_ISDN
++# define T_ISDN 20 /* ns_t_isdn */
++#endif
++#ifndef T_RT
++# define T_RT 21 /* ns_t_rt */
++#endif
++#ifndef T_NSAP
++# define T_NSAP 22 /* ns_t_nsap */
++#endif
++#ifndef T_NSAP_PTR
++# define T_NSAP_PTR 23 /* ns_t_nsap_ptr */
++#endif
++#ifndef T_SIG
++# define T_SIG 24 /* ns_t_sig */
++#endif
++#ifndef T_KEY
++# define T_KEY 25 /* ns_t_key */
++#endif
++#ifndef T_PX
++# define T_PX 26 /* ns_t_px */
++#endif
++#ifndef T_GPOS
++# define T_GPOS 27 /* ns_t_gpos */
++#endif
++#ifndef T_AAAA
++# define T_AAAA 28 /* ns_t_aaaa */
++#endif
++#ifndef T_LOC
++# define T_LOC 29 /* ns_t_loc */
++#endif
++#ifndef T_NXT
++# define T_NXT 30 /* ns_t_nxt */
++#endif
++#ifndef T_EID
++# define T_EID 31 /* ns_t_eid */
++#endif
++#ifndef T_NIMLOC
++# define T_NIMLOC 32 /* ns_t_nimloc */
++#endif
++#ifndef T_SRV
++# define T_SRV 33 /* ns_t_srv */
++#endif
++#ifndef T_ATMA
++# define T_ATMA 34 /* ns_t_atma */
++#endif
++#ifndef T_NAPTR
++# define T_NAPTR 35 /* ns_t_naptr */
++#endif
++#ifndef T_KX
++# define T_KX 36 /* ns_t_kx */
++#endif
++#ifndef T_CERT
++# define T_CERT 37 /* ns_t_cert */
++#endif
++#ifndef T_A6
++# define T_A6 38 /* ns_t_a6 */
++#endif
++#ifndef T_DNAME
++# define T_DNAME 39 /* ns_t_dname */
++#endif
++#ifndef T_SINK
++# define T_SINK 40 /* ns_t_sink */
++#endif
++#ifndef T_OPT
++# define T_OPT 41 /* ns_t_opt */
++#endif
++#ifndef T_APL
++# define T_APL 42 /* ns_t_apl */
++#endif
++#ifndef T_DS
++# define T_DS 43 /* ns_t_ds */
++#endif
++#ifndef T_SSHFP
++# define T_SSHFP 44 /* ns_t_sshfp */
++#endif
++#ifndef T_RRSIG
++# define T_RRSIG 46 /* ns_t_rrsig */
++#endif
++#ifndef T_NSEC
++# define T_NSEC 47 /* ns_t_nsec */
++#endif
++#ifndef T_DNSKEY
++# define T_DNSKEY 48 /* ns_t_dnskey */
++#endif
++#ifndef T_TKEY
++# define T_TKEY 249 /* ns_t_tkey */
++#endif
++#ifndef T_TSIG
++# define T_TSIG 250 /* ns_t_tsig */
++#endif
++#ifndef T_IXFR
++# define T_IXFR 251 /* ns_t_ixfr */
++#endif
++#ifndef T_AXFR
++# define T_AXFR 252 /* ns_t_axfr */
++#endif
++#ifndef T_MAILB
++# define T_MAILB 253 /* ns_t_mailb */
++#endif
++#ifndef T_MAILA
++# define T_MAILA 254 /* ns_t_maila */
++#endif
++#ifndef T_ANY
++# define T_ANY 255 /* ns_t_any */
++#endif
++#ifndef T_ZXFR
++# define T_ZXFR 256 /* ns_t_zxfr */
++#endif
++#ifndef T_CAA
++# define T_CAA 257 /* ns_t_caa */
++#endif
++#ifndef T_MAX
++# define T_MAX 65536 /* ns_t_max */
++#endif
++
++
++#endif /* ARES_NAMESER_H */
+
+From db4643979ee676b3a3d6cdf2fb597d399cf8013f Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Fri, 13 Aug 2021 00:01:59 +0800
+Subject: [PATCH 2/2] build: ignore cpplint for third-party ares_nameser.h
+
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index ec4c774748cd..c418995c53c1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1289,6 +1289,7 @@ jslint-ci: lint-js-ci
+ LINT_CPP_ADDON_DOC_FILES_GLOB = test/addons/??_*/*.cc test/addons/??_*/*.h
+ LINT_CPP_ADDON_DOC_FILES = $(wildcard $(LINT_CPP_ADDON_DOC_FILES_GLOB))
+ LINT_CPP_EXCLUDE ?=
++LINT_CPP_EXCLUDE += src/ares_nameser.h
+ LINT_CPP_EXCLUDE += src/node_root_certs.h
+ LINT_CPP_EXCLUDE += $(LINT_CPP_ADDON_DOC_FILES)
+ LINT_CPP_EXCLUDE += $(wildcard test/js-native-api/??_*/*.cc test/js-native-api/??_*/*.h test/node-api/??_*/*.cc test/node-api/??_*/*.h)
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index bba95c9a60..0e2ea02907 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=8.3_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
@@ -38,10 +38,14 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
CVE-2020-14145.patch
CVE-2021-28041.patch
+ CVE-2021-41617.patch
+
sshd.initd
sshd.confd
"
# secfixes:
+# 8.3_p1-r3:
+# - CVE-2021-41617
# 8.3_p1-r2:
# - CVE-2021-28041
# 8.3_p1-r1:
@@ -209,12 +213,15 @@ _pkg_flavour() {
done
}
-sha512sums="b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40 openssh-8.3p1.tar.gz
+sha512sums="
+b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40 openssh-8.3p1.tar.gz
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
367c4f4e2777cd4608a9a7455c1d9744683938fab9b07333af8bbe26aef30091040e69b6ee84dee82c09d50d93e15a9c005cc799b5d15d40d2fa31f879ba0850 CVE-2020-14145.patch
927863c0778d4933d90d5cbd97ba2d6f6deb3c44def522bfb764103e72320512d91a4d4f21ae46b46e72c5fd379d523511f3827b7b0834862483eb3796916bf9 CVE-2021-28041.patch
+25f73470597d2281ab4f13e992b5d56630c12c6f0b65507ebfa60b31003c828e8098012d2561f23f99858e430af67b178df0e94e0116a02e559e427cc287899f CVE-2021-41617.patch
8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8 sshd.initd
-ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"
+ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd
+"
diff --git a/main/openssh/CVE-2021-41617.patch b/main/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..ec9b8392b4
--- /dev/null
+++ b/main/openssh/CVE-2021-41617.patch
@@ -0,0 +1,25 @@
+diff --git a/auth.c b/auth.c
+index b8d1040d..0134d694 100644
+--- a/auth.c
++++ b/auth.c
+@@ -56,6 +56,7 @@
+ # include <paths.h>
+ #endif
+ #include <pwd.h>
++#include <grp.h>
+ #ifdef HAVE_LOGIN_H
+ #include <login.h>
+ #endif
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
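Review bot: This security patch has no header at all: no upstream commit id, author, or `Patch-Source:` line. A reviewer therefore cannot tell from the file which upstream change it backports, or whether it was adapted for 8.3_p1. I would add a short header such as `Patch-Source: <upstream commit URL>`, and note any hand edits. The second hunk's line numbers (`-2695,6 +2696,12`) look high for `auth.c`, so it may only apply with a large offset. It is worth confirming that it lands in the child branch of `subprocess()`, directly before the `setresgid` call. The ordering is correct as written, since `initgroups` has to run while the process is still root. A one-line comment such as `/* Reset supplementary groups before dropping gid/uid */` above the new block would record that. `subprocess()` starts and ends outside the hunk.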
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index f3831e4686..da22526bd3 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1k
+pkgver=1.1.1l
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -18,6 +18,9 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.1l-r0:
+# - CVE-2021-3711
+# - CVE-2021-3712
# 1.1.1k-r0:
# - CVE-2021-3449
# - CVE-2021-3450
@@ -119,5 +122,7 @@ _libssl() {
done
}
-sha512sums="73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 openssl-1.1.1k.tar.gz
-43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch"
+sha512sums="
+d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0 openssl-1.1.1l.tar.gz
+43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
+"
diff --git a/main/perl-net-cidr-lite/APKBUILD b/main/perl-net-cidr-lite/APKBUILD
index f8a0f9f6fc..fcd6a6fb3a 100644
--- a/main/perl-net-cidr-lite/APKBUILD
+++ b/main/perl-net-cidr-lite/APKBUILD
@@ -2,19 +2,17 @@
# Maintainer: Matt Smith <mcs@darkregion.net>
pkgname=perl-net-cidr-lite
_realname=Net-CIDR-Lite
-pkgver=0.21
-pkgrel=5
+pkgver=0.22
+pkgrel=0
pkgdesc="Perl extension for merging IPv4 or IPv6 CIDR addresses"
-url="http://search.cpan.org/~dougw/Net-CIDR-Lite-0.21/"
+url="https://metacpan.org/release/Net-CIDR-Lite/"
arch="noarch"
license="Artistic-Perl-1.0 GPL+"
depends="perl"
-makedepends="perl-dev"
-install=
subpackages="$pkgname-doc"
-source="https://cpan.metacpan.org/authors/id/D/DO/DOUGW/$_realname-$pkgver.tar.gz"
-
+source="https://cpan.metacpan.org/authors/id/S/ST/STIGTSP/Net-CIDR-Lite-$pkgver.tar.gz"
builddir="$srcdir/$_realname-$pkgver"
+
build() {
cd "$builddir"
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
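Review bot: The new `source=` line hard-codes `Net-CIDR-Lite-$pkgver.tar.gz`, although `_realname` is still defined and still used by `builddir`, so the distribution name now lives in two places. Keeping `$_realname-$pkgver.tar.gz` in the URL avoids that. The download path also moves from the `D/DO/DOUGW` author directory to `S/ST/STIGTSP`, and nothing visible here explains the change. A one-line comment above `source=` recording the upstream maintainer change would help the next person verify the origin of the tarball. `build()` continues outside the hunk.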
@@ -33,4 +31,6 @@ package() {
find "$pkgdir" -name perllocal.pod -delete
}
-sha512sums="c8a5b00a26fb823e637825eac72ca7002f401a1a623d8b77b694848975124f24fba86830df8d41f6bdba4d2e2f0f93b2b155ac1511b607efa67942189614dc7c Net-CIDR-Lite-0.21.tar.gz"
+sha512sums="
+5d89c0b6d950e5cb4c7eb9639829d76a67373865f5582f61d3e384636b176ac08335a9210d05a53c54105fecfb8ec98ae115cba3d181aed3032370d50f3aec9f Net-CIDR-Lite-0.22.tar.gz
+"
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 61f0d5790f..1cbd6b7db4 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=12.7
+pkgver=12.8
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -33,6 +33,8 @@ source="https://ftp.postgresql.org/pub/source/v$pkgver/postgresql-$pkgver.tar.bz
"
# secfixes:
+# 12.8-r0:
+# - CVE-2021-3677
# 12.7-r0:
# - CVE-2021-32027
# - CVE-2021-32028
@@ -266,7 +268,8 @@ _run_tests() {
}
}
-sha512sums="47ca347df63a441e52e52442074e85d0ebd3a89f7eb037022c4690cbe88b21a6a959092a812b79bb30db47b5975a5d7908318c73b2685683d48b4789d4ae6a44 postgresql-12.7.tar.bz2
+sha512sums="
+970fe1041e427ac1c8a786c93e2079b0a9c8b3fcaf9d38877894eb02e8a9afc7cd73d7ac28078c455845a922a1b7d9c1e22cb7990d8d523dd6496af9442fba01 postgresql-12.8.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
@@ -275,4 +278,5 @@ c4179fcd8b71791cdc41ea7b622cf82e9bd42ac1de66999234b98a83c0c508c79c492a9301274fe8
a6d9cba5c7270484b3a22083b2b37742faefb01b6643040050c92235840c601b2e206ebda32804937b729c6cf42c79a558b921900e52fc420df2a03b5f29e1f7 postgresql.confd
f5a1cba051e7d846c2d16703514601cb25729ed96b677c9bd0c199d64552120a8b14b238af01917fdb87106681e12dee6fff7447558155ba273e4f96be5e2892 pg-restore.initd
c14a5684e914abb3b0ee71bbf15eed71a9264deacaa404a6e3af6bfc330d93e7598624d0ed11a94263106cc660f7f54c8ff57e759033cf606a795f69ff6c1c7c pg-restore.confd
-5c9bfd9e295dcf678298bf0aa974347a7c311d6e7c2aa76a6920fcb751d01fd1ab77abbec11f3c672f927ad9deaa88e04e370c0b5cd1b60087554c474b748731 pltcl_create_tables.sql"
+5c9bfd9e295dcf678298bf0aa974347a7c311d6e7c2aa76a6920fcb751d01fd1ab77abbec11f3c672f927ad9deaa88e04e370c0b5cd1b60087554c474b748731 pltcl_create_tables.sql
+"
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index e378416ebe..737b946d0d 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=5.0.13
+pkgver=5.0.14
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -14,7 +14,7 @@ makedepends="linux-headers"
checkdepends="tcl procps"
install="$pkgname.pre-install $pkgname.post-install"
subpackages="$pkgname-openrc"
-source="http://download.redis.io/releases/redis-$pkgver.tar.gz
+source="https://download.redis.io/releases/redis-$pkgver.tar.gz
makefile-dont-duplicate-binary.patch
redis.conf.patch
sentinel.conf.patch
@@ -27,6 +27,15 @@ source="http://download.redis.io/releases/redis-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 5.0.14-r0:
+# - CVE-2021-32626
+# - CVE-2021-32627
+# - CVE-2021-32628
+# - CVE-2021-32672
+# - CVE-2021-32675
+# - CVE-2021-32687
+# - CVE-2021-32762
+# - CVE-2021-41099
# 5.0.13-r0:
# - CVE-2021-32761
# 5.0.11-r0:
@@ -87,7 +96,7 @@ package() {
}
sha512sums="
-9784193a53b459a2e4937e8f0d18652a0677d29746e359e5f8ffddeea4cea305f10c8eeae9007e49c0ba9ebedb9b603aced61592ba3302e5b64be78020b3b4bf redis-5.0.13.tar.gz
+513299ae8b967a659d54812fab4dfdfaf0081b20136a3d89b6a761e93548583c96436fedb84baa4d23385b42110ef615527efc3690b873f5bec7793403fe7eaf redis-5.0.14.tar.gz
0d6710543f111a7e9d07ac8398ceee0b38c6a4da35fd34088cb3b5a8efb3aa2eefc49dc2b58d7386c72113834bbe27625333b9283da2ae1e3df252a5712f62cf makefile-dont-duplicate-binary.patch
c8a35e3c30be99fef8678acb2502f424bcca478dcc1ef1750f8c8c8e9e9c462f97586159f32ebba84b6a4eb398a9d568e3200241fb0de1f96293c9fdaafb06c9 redis.conf.patch
e8cd03ab08b354d7d852cc43719ef537586c024f3911e27f0be052de471d3e6c1af947313ba0b045af3f2212afd41eb0cd4e0464cc6568853cfbfd4718b09fa5 sentinel.conf.patch
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index b41666f7cc..0b6ac7c989 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -3,6 +3,10 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.7.4-r0:
+# - CVE-2021-31799
+# - CVE-2021-31810
+# - CVE-2021-32066
# 2.7.3-r0:
# - CVE-2021-28965
# - CVE-2021-28966
@@ -39,7 +43,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.7.3
+pkgver=2.7.4
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -373,8 +377,10 @@ _mvgem() {
done
}
-sha512sums="1d036d08016351e8f9e7506a6abaf490fe226cf2ff9c2f9df582b57bff22a960dbaf271a8a167ac09f864613b9b8b14191bb79f8a6900ad5ca24131ecf571d54 ruby-2.7.3.tar.gz
+sha512sums="
+a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a ruby-2.7.4.tar.gz
cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
8d730f02f76e53799f1c220eb23e3d2305940bb31216a7ab1e42d3256149c0721c7d173cdbfe505023b1af2f5cb3faa233dcc1b5d560fa8f980c17c2d29a9d81 fix-get_main_stack.patch
-0300bd6f596db73603e9bf1b1ccbc09da27dc2082aa00ef6cecef474809bb91248739375c405e43819e86b0c8cee8dedefdad102478082eba011bdc795e657c7 arm-coroutines.patch"
+0300bd6f596db73603e9bf1b1ccbc09da27dc2082aa00ef6cecef474809bb91248739375c405e43819e86b0c8cee8dedefdad102478082eba011bdc795e657c7 arm-coroutines.patch
+"
diff --git a/main/squashfs-tools/APKBUILD b/main/squashfs-tools/APKBUILD
index 44121f25db..f72ef3aa04 100644
--- a/main/squashfs-tools/APKBUILD
+++ b/main/squashfs-tools/APKBUILD
@@ -1,28 +1,34 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squashfs-tools
-pkgver=4.4
+pkgver=4.5
pkgrel=0
-pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux."
+pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux"
url="https://github.com/plougher/squashfs-tools"
arch="all"
-license="GPL"
+license="GPL-2.0-or-later"
+options="!check" # no testsuite
makedepends="zlib-dev xz-dev lzo-dev lz4-dev attr-dev zstd-dev"
source="$pkgname-$pkgver.tar.gz::https://github.com/plougher/squashfs-tools/archive/$pkgver.tar.gz
fix-compat.patch
-"
+ "
+builddir="$srcdir/$pkgname-$pkgver/$pkgname"
-_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 4.5-r0:
+# - CVE-2021-40153
build() {
- cd "$builddir"/$pkgname
- CFLAGS="$CFLAGS -std=gnu89" \
+ cd "$builddir"
make XZ_SUPPORT=1 LZO_SUPPORT=1 LZ4_SUPPORT=1 ZSTD_SUPPORT=1
}
package() {
- cd "$builddir"/$pkgname
+ cd "$builddir"
mkdir -p "$pkgdir"/sbin
cp -a mksquashfs unsquashfs "$pkgdir"/sbin
}
-sha512sums="133ce437fb8c929933d52cff710b61dd9181f6f8be58250b0d6a59a7bb79a2b350f68f456b06a0e17c469409a71272d586802d570248273ddcd5dad088c00308 squashfs-tools-4.4.tar.gz
-157379cf4bafb72d717f14b1bc5dc350c97a9e68a7018e0febba4b1e59f9fd90c1de8485c4ffc48a035b53be8c3aa62046281291664bee4699100cec637b0bfa fix-compat.patch"
+
+sha512sums="
+e00610487d24eed9e5dadcf84014a3d7faa9815d8ce00fd4660e6c8ce394dccf185ed9f387f4fa1313b9812fe770f802bdcbaef87887f2bcefacf234594a72e0 squashfs-tools-4.5.tar.gz
+656242ec396d95a5e1029b60299bc91be7266ceedb50978c09a82ad80b32881576909dbd4e1e889abc3fa8c361da5ca9978ce6c319f40f5145bb532acb6c881d fix-compat.patch
+"
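Review bot: The added `options="!check" # no testsuite` means nothing in the build exercises the 4.5 binaries, even though this upgrade is recorded as a security fix (CVE-2021-40153) for a tool that parses filesystem images. The same hunk also drops `-std=gnu89` and changes `builddir`, so a mis-built binary would go unnoticed. A minimal smoke `check()` that runs `./mksquashfs -version` and `./unsquashfs -version` from `$builddir` would at least prove that both binaries link and start. A stronger check would pack a small directory and list it back with `unsquashfs -l`.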
diff --git a/main/squashfs-tools/fix-compat.patch b/main/squashfs-tools/fix-compat.patch
index 8a5ff0697d..366d2fb696 100644
--- a/main/squashfs-tools/fix-compat.patch
+++ b/main/squashfs-tools/fix-compat.patch
@@ -1,5 +1,5 @@
---- a/squashfs-tools/action.c
-+++ b/squashfs-tools/action.c
+--- a/action.c
++++ b/action.c
@@ -1905,6 +1905,9 @@
return 1;
}
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 228a05d5e4..540b729fd9 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
-pkgver=4.15
+pkgver=4.17
pkgrel=0
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
@@ -28,6 +28,8 @@ pkggroups="squid"
options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
# secfixes:
+# 4.17-r0:
+# - CVE-2021-28116
# 4.15-r0:
# - CVE-2021-28651
# - CVE-2021-28652
@@ -122,7 +124,9 @@ squid_kerb_auth() {
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
-sha512sums="8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1 squid-4.15.tar.xz
+sha512sums="
+cea36de10f128f5beb51bdc89604c16af3a820a5ac27284b2aa181ac87144930489688e1d85ce357fe1ed8a4e96e300277b95034a2475cbf86c9d6923ddf7c0a squid-4.17.tar.xz
8320820c02c824ed96065e0b66cabdd80b11c23e911880a42f5bd7e3f6e7a5c1c6def910a1843cca810c62a7dc8ccdb9ae82c0cf52bf08259c3b50058232132d squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
-89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
+89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate
+"
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 2ac8c18478..7143fb4417 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
pkgname=strongswan
pkgver=5.8.4
_pkgver=${pkgver//_rc/rc}
-pkgrel=2
+pkgrel=3
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="https://www.strongswan.org/"
arch="all"
@@ -16,8 +16,11 @@ makedepends="linux-headers python3 sqlite-dev openssl-dev curl-dev
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg $pkgname-logfile $pkgname-openrc"
source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2
+ https://download.strongswan.org/security/CVE-2021-41990/strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch
+ https://download.strongswan.org/security/CVE-2021-41991/strongswan-4.4.1-5.9.3_cert-cache-random.patch
0001-file-logger-Set-owner-group-of-log-file.patch
0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+
1001-charon-add-optional-source-and-remote-overrides-for-.patch
1002-vici-send-certificates-for-ike-sa-events.patch
1003-vici-add-support-for-individual-sa-state-changes.patch
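Review bot: The two security patches added to `source=` are fetched by URL and stored under their upstream basenames, so the CVE id does not appear in the local filename or in the `sha512sums` entries. Other packages in this commit carry such fixes as `CVE-….patch` files, and abuild's `name::url` form (already used for the squashfs-tools tarball in this diff) allows the same here, e.g. `CVE-2021-41990.patch::https://download.strongswan.org/security/CVE-2021-41990/strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch`, and likewise for CVE-2021-41991. The matching `sha512sums` lines would then need the new names. The `source=` assignment closes outside this hunk, and no `prepare()` is visible here, so whether the patches are applied in the intended order cannot be confirmed from these lines.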
@@ -29,6 +32,9 @@ source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2
"
# secfixes:
+# 5.8.4-r3:
+# - CVE-2021-41990
+# - CVE-2021-41991
# 5.7.1-r0:
# - CVE-2018-17540
# 5.7.0-r0:
@@ -123,7 +129,10 @@ logfile() {
install -m 2750 -o ipsec -g wheel -d "$subpkgdir/var/log/ipsec"
}
-sha512sums="15e866b0d6cc4ea94f17856b519d926ae08c15d3b62f675f62685d0722ca8fa26b46afb1ad1c866e9d5f347d77a747f57d0c6d7f6bd57762f37d7798f9e28103 strongswan-5.8.4.tar.bz2
+sha512sums="
+15e866b0d6cc4ea94f17856b519d926ae08c15d3b62f675f62685d0722ca8fa26b46afb1ad1c866e9d5f347d77a747f57d0c6d7f6bd57762f37d7798f9e28103 strongswan-5.8.4.tar.bz2
+42bb9dc02e04735183cb2966e23f26bdb2b14b56b10dc3df770cfbea066a690130ce84dc3a17b1369c2d45852bcd8a2902f19368099a1e71c858293decdb48ee strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch
+39f607625bc6aa128b71e65e9806c60051015378d0250961bafbe787aa652141e1b3126d235b9cede08e4fe816b3220dbae54e40492b0aeb48f034220f1ee446 strongswan-4.4.1-5.9.3_cert-cache-random.patch
7ea3cecb6ed1d730b4417699715ec1f02f592848a7736448187c3fff8df7c194983021c370019a63cc56ee3cfec881e13e950ac31ba49a5ecae75abab64dbcfc 0001-file-logger-Set-owner-group-of-log-file.patch
c829b59d33f5dcffd86fbc81d824b51397ed48dc94da6271ec2d7d70e5975cff0c13d235147f92e1981b391857d5573507972593fed0ce831968da10d119da0f 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
cdc8b9d56fbd7c079dfa37e8de822cfa925d3b6741ff7d04afbc8b856d717ed090750e85b19af2296e28ee030c2d91597d2492f4b9b3540a5647b120bf609556 1001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -132,4 +141,5 @@ da39b5654c6f39d175c5491dabd5ed5c1b552857af7cbe7eeb8d0ecb34dad265bb8cd7725930eb75
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd
4ac8dc83f08998fe672d5446dc6071f95a6a437b9df7c19d5f1a41707fb44451ec37aa237d0b86b0a9edf36a9ce7c29ba8959a38b04536c994dd4300daf737e5 charon.initd
0417de0c0aa779602b216f29b1ad58cc842f0b0fbb8f5238d39199125dac30eaae89d869b337f8f504f8427f074ee7a363f55e3b3875516fe1ed5f0ed7f34c6f charon.logrotate
-5896a9c5ecbef1a6c36b7bd31c83e18603f49105aedd4af80c42b0036c75950eac6e92abccfca09c9cb5bb3f3c4010f0daba068208e7dff05e7b1849d5a6e363 charon-logfile.conf"
+5896a9c5ecbef1a6c36b7bd31c83e18603f49105aedd4af80c42b0036c75950eac6e92abccfca09c9cb5bb3f3c4010f0daba068208e7dff05e7b1849d5a6e363 charon-logfile.conf
+"
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index e2b48d56b7..a7611d6e3a 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2021a
-_tzcodever=2021a
+pkgver=2021e
+_tzcodever=2021e
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -50,8 +50,10 @@ package() {
"$pkgdir"/usr/bin/posixtz
}
-sha512sums="bf1d53bcbfecd3b09d57a9e6d3cb49b5dc5f8e1b6674b67e7f974e1a268c2aaf13ca89a7ef12f49d0665aff782bd72685e00c22a41ca88a028da0429f972fd45 tzcode2021a.tar.gz
-7cdd762ec90ce12a30fa36b1d66d1ea82d9fa21e514e2b9c7fcbe2541514ee0fadf30843ff352c65512fb270857b51d1517b45e1232b89c6f954ba9ff1833bb3 tzdata2021a.tar.gz
+sha512sums="
+87b0335129ea41c5f42f687f548712e5da892baa8494cecf5d34851beceecf6ae52f22104696ed187713cf9e502570eb2041e277dfd3c043c11d0253bfde685a tzcode2021e.tar.gz
+c1e8d04e049157ed5d4af0868855bbd75517e3d7e1db9c41d5283ff260109de46b6fac6be94828201d093e163d868044ac2a9db2bf0aeab800e264d0c73a9119 tzdata2021e.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
-fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch"
+fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch
+"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index cf02df3e4a..add81d3932 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
-pkgver=8.2.0735
+pkgver=8.2.3437
pkgrel=0
pkgdesc="Improved vi-style text editor"
url="https://www.vim.org/"
@@ -18,6 +18,10 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/vim/vim/archive/v$pkgver.tar
"
# secfixes:
+# 8.2.3437-r0:
+# - CVE-2021-3770
+# - CVE-2021-3778
+# - CVE-2021-3796
# 8.1.1365-r0:
# - CVE-2019-12735
# 8.0.1521-r0:
@@ -108,5 +112,7 @@ xxd() {
"$subpkgdir/usr/bin/"
}
-sha512sums="933ca7c0a0cf5afc1fa9de3df3221ae741b343909fe5dc5166df75237213b900ed15e402a27781297e6f40a0bcba8e25032629ea34d955a353b99d8b747607cb vim-8.2.0735.tar.gz
-d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc"
+sha512sums="
+7f6fc24f8f4a4fa01d20702684cc09aa5c3b51cdc2c96f3afcb484bc60874fab5dcafc33a9daa5ff25f7ae7b90ba0b124a7667d33d9fa5d9553a11be9a1ee069 vim-8.2.3437.tar.gz
+d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
+"
diff --git a/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch b/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
deleted file mode 100644
index a5289a821a..0000000000
--- a/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From f98c20aaaf909be04ada5cb6cb88c14b9bc75e15 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Mon, 17 May 2021 17:47:13 +0100
-Subject: [PATCH 1/2] xen/arm: Create dom0less domUs earlier
-
-In a follow-up patch we will need to unallocate the boot modules
-before heap_init_late() is called.
-
-The modules will contain the domUs kernel and initramfs. Therefore Xen
-will need to create extra domUs (used by dom0less) before heap_init_late().
-
-This has two consequences on dom0less:
- 1) Domains will not be unpaused as soon as they are created but
- once all have been created. However, Xen doesn't guarantee an order
- to unpause, so this is not something one could rely on.
-
- 2) The memory allocated for a domU will not be scrubbed anymore when an
- admin select bootscrub=on. This is not something we advertised, but if
- this is a concern we can introduce either force scrub for all domUs or
- a per-domain flag in the DT. The behavior for bootscrub=off and
- bootscrub=idle (default) has not changed.
-
-This is part of XSA-372 / CVE-2021-28693.
-
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Tested-by: Stefano Stabellini <sstabellini@kernel.org>
----
- xen/arch/arm/domain_build.c | 2 --
- xen/arch/arm/setup.c | 9 +++++----
- 2 files changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
-index e824ba34b012..b07461f5d376 100644
---- a/xen/arch/arm/domain_build.c
-+++ b/xen/arch/arm/domain_build.c
-@@ -2515,8 +2515,6 @@ void __init create_domUs(void)
-
- if ( construct_domU(d, node) != 0 )
- panic("Could not set up domain %s\n", dt_node_name(node));
--
-- domain_unpause_by_systemcontroller(d);
- }
- }
-
-diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
-index 7968cee47d05..1f26080b30bf 100644
---- a/xen/arch/arm/setup.c
-+++ b/xen/arch/arm/setup.c
-@@ -779,7 +779,7 @@ void __init start_xen(unsigned long boot_phys_offset,
- int cpus, i;
- const char *cmdline;
- struct bootmodule *xen_bootmodule;
-- struct domain *dom0;
-+ struct domain *dom0, *d;
- struct xen_domctl_createdomain dom0_cfg = {
- .flags = XEN_DOMCTL_CDF_hvm | XEN_DOMCTL_CDF_hap,
- .max_evtchn_port = -1,
-@@ -962,6 +962,8 @@ void __init start_xen(unsigned long boot_phys_offset,
- if ( construct_dom0(dom0) != 0)
- panic("Could not set up DOM0 guest OS\n");
-
-+ create_domUs();
-+
- heap_init_late();
-
- init_trace_bufs();
-@@ -975,9 +977,8 @@ void __init start_xen(unsigned long boot_phys_offset,
-
- system_state = SYS_STATE_active;
-
-- create_domUs();
--
-- domain_unpause_by_systemcontroller(dom0);
-+ for_each_domain( d )
-+ domain_unpause_by_systemcontroller(d);
-
- /* Switch on to the dynamically allocated stack for the idle vcpu
- * since the static one we're running on is about to be freed. */
---
-2.17.1
-
diff --git a/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch b/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
deleted file mode 100644
index 3ed62f360e..0000000000
--- a/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From e7e475c1a3dc6b149252413589eebaa4ae138824 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Sat, 17 Apr 2021 17:38:28 +0100
-Subject: [PATCH 2/2] xen/arm: Boot modules should always be scrubbed if
- bootscrub={on, idle}
-
-The function to initialize the pages (see init_heap_pages()) will request
-scrub when the admin request idle bootscrub (default) and state ==
-SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in
-heap_init_late().
-
-Currently, the boot modules (e.g. kernels, initramfs) will be discarded/
-freed after heap_init_late() is called and system_state switched to
-SYS_STATE_active. This means the pages associated with the boot modules
-will not get scrubbed before getting re-purposed.
-
-If the memory is assigned to an untrusted domU, it may be able to
-retrieve secrets from the modules.
-
-This is part of XSA-372 / CVE-2021-28693.
-
-Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Tested-by: Stefano Stabellini <sstabellini@kernel.org>
----
- xen/arch/arm/setup.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
-index 1f26080b30bf..34b1c1a11ef6 100644
---- a/xen/arch/arm/setup.c
-+++ b/xen/arch/arm/setup.c
-@@ -75,7 +75,6 @@ static __used void init_done(void)
- /* Must be done past setting system_state. */
- unregister_init_virtual_region();
-
-- discard_initial_modules();
- free_init_memory();
- startup_cpu_idle_loop();
- }
-@@ -964,6 +963,12 @@ void __init start_xen(unsigned long boot_phys_offset,
-
- create_domUs();
-
-+ /*
-+ * This needs to be called **before** heap_init_late() so modules
-+ * will be scrubbed (unless suppressed).
-+ */
-+ discard_initial_modules();
-+
- heap_init_late();
-
- init_trace_bufs();
---
-2.17.1
-
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 781501a5fe..5054641f7f 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
-pkgver=4.13.3
-pkgrel=1
+pkgver=4.13.4
+pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -221,6 +221,17 @@ options="!strip"
# - CVE-2021-28692 XSA-373
# - CVE-2021-0089 XSA-375
# - CVE-2021-28690 XSA-377
+# 4.13.3-r2:
+# - CVE-2021-28694 XSA-378
+# - CVE-2021-28695 XSA-378
+# - CVE-2021-28696 XSA-378
+# - CVE-2021-28697 XSA-379
+# - CVE-2021-28698 XSA-380
+# - CVE-2021-28699 XSA-382
+# - CVE-2021-28700 XSA-383
+# 4.13.3-r3:
+# - CVE-2021-28701 XSA-384
+
case "$CARCH" in
x86*)
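Review bot: The new secfixes entries are keyed to `4.13.3-r2` and `4.13.3-r3`, but the first hunk of this file moves the package from 4.13.3-r1 straight to 4.13.4-r0. As far as the visible diff shows, those two releases were never built on this branch; the keys may have been copied from another branch. Tooling that reads the secfixes block to report the first fixed version would then name a package version that users cannot install. If the XSA-378 to XSA-384 fixes arrive with the 4.13.4 tarball, the accurate key is a single `# 4.13.4-r0:` block listing all eight CVEs. The blank `+` line added after the block could be dropped so that the comment block ends where the `case` statement begins.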
@@ -279,18 +290,7 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xenqemu-xattr-size-max.patch
- 0001-xen-arm-Create-dom0less-domUs-earlier.patch
- 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
-
- xsa373-4.13-1.patch
- xsa373-4.13-2.patch
- xsa373-4.13-3.patch
- xsa373-4.13-4.patch
- xsa373-4.13-5.patch
-
- xsa375-4.13.patch
-
- xsa377.patch
+ stubdom-hack.patch
hotplug-Linux-iscsi-block-handle-lun-1.patch
@@ -364,7 +364,7 @@ prepare() {
update_config_sub
msg "Autoreconf..."
- autoreconf
+ autoreconf --install
unset CFLAGS
unset LDFLAGS
@@ -521,7 +521,7 @@ EOF
}
sha512sums="
-622127d824b9c49b57282a887fb404e0bad05ff60bccade82e4e0e9b5ad975ff9aa1fba83392e6d8379e9a15340e8ae9785c0913eb11027816e4600432eea6b6 xen-4.13.3.tar.gz
+1f6d67e0270b10be45b6444322ced791b44df09a3a51e0fe690f5ad76cd80d35115efc93056e99f73b4e550178e0e780c9ee827ced04b09caf12fdf34d9a9b71 xen-4.13.4.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -540,15 +540,7 @@ f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2
79cb1b6b81b17cb87a064dfe3548949dfb80f64f203cac11ef327102b7a25794549ce2d9c019ebf05f752214da8e05065e9219d069e679c0ae5bee3d090c685e xen-hotplug-lockfd.patch
e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c
2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
-57bae240ac94fd35e8a2a39a06fdc4178a1cf0782832a77fd768ca3c773d8b27d76692703ac481733874e5a0198ef20d7319ea504c6b7836d4edd0a198adede1 0001-xen-arm-Create-dom0less-domUs-earlier.patch
-2b47e612c23c8bb65a2432f93a877f592b75b8de2ae97d5a22ed37588594a38b740f5c3e0694dd7ceff5f949e24ff38113e543038d5ae22e8c1dc142c3e8d1b3 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
-7010225962e7c22d6aa2e14d10e5091b3876a76f195e9725e7f175b108f933ea9ad5a080663d27279ccd20e2d4e344620ec414e17437d971a8f3cb9420520696 xsa373-4.13-1.patch
-682476c1e44590268c5f84b96a15a44942ec73a54748264b2879ac7ffdd36336db0fa5b51659de3368c9bc6d12e8ecc551761d04f08301e5055d117ae7430475 xsa373-4.13-2.patch
-bb04c86c57058b674237d6d81b8a5a600e39e6c2144ae72b7312ee7e72d4305c5fa4b8d5194a0aecd5631e66fcd2165208a821a1fb7034c0c413ae1b1a5525d4 xsa373-4.13-3.patch
-1c93e62bfeb8ed0d5fe6db10baebc00cf54f7a6e2255f53e2770220db86c69fe46dd2fac17502d9da2109a60c93d8703b9bb618977cfe0e9919659f133f87c8d xsa373-4.13-4.patch
-8fb77d16b60efa4307c0008c8773a9d5341f1b0577c6de46fe6e5630a7243c7b2eb55089a1ce778e4ed03ebf29fad69042746121b50cb953016e95a60549a728 xsa373-4.13-5.patch
-9e354ab79cc182ca71c1d60be18b207c0254f35cf89f5020791d98a081bafc0a84ae7320ceb9c6215ccc4846e2daa258f72f577268bda84f5c7153e0bc03cabb xsa375-4.13.patch
-9c104793facd9d595a1cbca21034d700e7e25398cad1440131258a349cd60d6145e5847e9c4bd066a5d63a63aceb8995456126a51b6d3ca872cd90717ebc2dbe xsa377.patch
+6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90 stubdom-hack.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
61f66bab603778fb41bfe8e85320c15f2bf3e5d8583e077b56a93784dbdb9b2c7c5e55ce18f06b87501429086f8410d102d3ed5f2a77d54bcfa328bc07681f4d drop-test.py.patch
8cb12dbfc05a53898a97d47d71ab6b8a6f81c5e5579fd765b37303faea95c645cb8dedc05e3d064bdf070e93814e00bf8939767acc1127513375bab0fe2f4436 py3-compat.patch
diff --git a/main/xen/stubdom-hack.patch b/main/xen/stubdom-hack.patch
new file mode 100644
index 0000000000..2e7ddc8926
--- /dev/null
+++ b/main/xen/stubdom-hack.patch
@@ -0,0 +1,11 @@
+--- xen-4.15.0.orig/stubdom/Makefile
++++ xen-4.15.0/stubdom/Makefile
+@@ -186,7 +186,7 @@
+ rm $@ -rf || :
+ mv gmp-$(GMP_VERSION) $@
+ #patch -d $@ -p0 < gmp.patch
+- cd $@; CPPFLAGS="-isystem $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include $(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" CC=$(CC) $(GMPEXT) ./configure --disable-shared --enable-static --disable-fft --without-readline --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf --libdir=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib --build=`gcc -dumpmachine` --host=$(GNU_TARGET_ARCH)-xen-elf
++ cd $@; CPPFLAGS="-isystem $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include $(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" CC=$(CC) $(GMPEXT) ./configure --disable-shared --enable-static --disable-fft --without-readline --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf --libdir=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib --host=$(GNU_TARGET_ARCH)-xen-elf
+ sed -i 's/#define HAVE_OBSTACK_VPRINTF 1/\/\/#define HAVE_OBSTACK_VPRINTF 1/' $@/config.h
+ touch $@
+
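Review bot: stubdom-hack.patch has no description header, so nothing records why `--build=`gcc -dumpmachine`` is removed from the gmp `./configure` line or when the patch can be dropped. Its paths also name `xen-4.15.0`, while the APKBUILD in this commit builds 4.13.4, which suggests it was taken from another branch without a note. Removing `--build` while keeping `--host=$(GNU_TARGET_ARCH)-xen-elf` presumably changes how configure detects cross-compilation for the stubdom gmp build, and that is worth stating explicitly. I would add a short comment block above the `---` line that gives the build failure this works around, where the patch came from, and the upstream status.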
diff --git a/main/xen/xsa373-4.13-1.patch b/main/xen/xsa373-4.13-1.patch
deleted file mode 100644
index ee5229a11c..0000000000
--- a/main/xen/xsa373-4.13-1.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: size qinval queue dynamically
-
-With the present synchronous model, we need two slots for every
-operation (the operation itself and a wait descriptor). There can be
-one such pair of requests pending per CPU. To ensure that under all
-normal circumstances a slot is always available when one is requested,
-size the queue ring according to the number of present CPUs.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/vtd/iommu.h
-+++ b/xen/drivers/passthrough/vtd/iommu.h
-@@ -450,17 +450,9 @@ struct qinval_entry {
- }q;
- };
-
--/* Order of queue invalidation pages(max is 8) */
--#define QINVAL_PAGE_ORDER 2
--
--#define QINVAL_ARCH_PAGE_ORDER (QINVAL_PAGE_ORDER + PAGE_SHIFT_4K - PAGE_SHIFT)
--#define QINVAL_ARCH_PAGE_NR ( QINVAL_ARCH_PAGE_ORDER < 0 ? \
-- 1 : \
-- 1 << QINVAL_ARCH_PAGE_ORDER )
--
- /* Each entry is 16 bytes, so 2^8 entries per page */
- #define QINVAL_ENTRY_ORDER ( PAGE_SHIFT - 4 )
--#define QINVAL_ENTRY_NR (1 << (QINVAL_PAGE_ORDER + 8))
-+#define QINVAL_MAX_ENTRY_NR (1u << (7 + QINVAL_ENTRY_ORDER))
-
- /* Status data flag */
- #define QINVAL_STAT_INIT 0
---- a/xen/drivers/passthrough/vtd/qinval.c
-+++ b/xen/drivers/passthrough/vtd/qinval.c
-@@ -31,6 +31,9 @@
-
- #define VTD_QI_TIMEOUT 1
-
-+static unsigned int __read_mostly qi_pg_order;
-+static unsigned int __read_mostly qi_entry_nr;
-+
- static int __must_check invalidate_sync(struct vtd_iommu *iommu);
-
- static void print_qi_regs(struct vtd_iommu *iommu)
-@@ -55,7 +58,7 @@ static unsigned int qinval_next_index(st
- tail >>= QINVAL_INDEX_SHIFT;
-
- /* (tail+1 == head) indicates a full queue, wait for HW */
-- while ( ( tail + 1 ) % QINVAL_ENTRY_NR ==
-+ while ( ((tail + 1) & (qi_entry_nr - 1)) ==
- ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
- cpu_relax();
-
-@@ -68,7 +71,7 @@ static void qinval_update_qtail(struct v
-
- /* Need hold register lock when update tail */
- ASSERT( spin_is_locked(&iommu->register_lock) );
-- val = (index + 1) % QINVAL_ENTRY_NR;
-+ val = (index + 1) & (qi_entry_nr - 1);
- dmar_writeq(iommu->reg, DMAR_IQT_REG, (val << QINVAL_INDEX_SHIFT));
- }
-
-@@ -403,8 +406,28 @@ int enable_qinval(struct vtd_iommu *iomm
-
- if ( iommu->qinval_maddr == 0 )
- {
-- iommu->qinval_maddr = alloc_pgtable_maddr(QINVAL_ARCH_PAGE_NR,
-- iommu->node);
-+ if ( !qi_entry_nr )
-+ {
-+ /*
-+ * With the present synchronous model, we need two slots for every
-+ * operation (the operation itself and a wait descriptor). There
-+ * can be one such pair of requests pending per CPU. One extra
-+ * entry is needed as the ring is considered full when there's
-+ * only one entry left.
-+ */
-+ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= QINVAL_MAX_ENTRY_NR);
-+ qi_pg_order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
-+ (PAGE_SHIFT -
-+ QINVAL_ENTRY_ORDER));
-+ qi_entry_nr = 1u << (qi_pg_order + QINVAL_ENTRY_ORDER);
-+
-+ dprintk(XENLOG_INFO VTDPREFIX,
-+ "QI: using %u-entry ring(s)\n", qi_entry_nr);
-+ }
-+
-+ iommu->qinval_maddr =
-+ alloc_pgtable_maddr(qi_entry_nr >> QINVAL_ENTRY_ORDER,
-+ iommu->node);
- if ( iommu->qinval_maddr == 0 )
- {
- dprintk(XENLOG_WARNING VTDPREFIX,
-@@ -418,15 +441,16 @@ int enable_qinval(struct vtd_iommu *iomm
-
- spin_lock_irqsave(&iommu->register_lock, flags);
-
-- /* Setup Invalidation Queue Address(IQA) register with the
-- * address of the page we just allocated. QS field at
-- * bits[2:0] to indicate size of queue is one 4KB page.
-- * That's 256 entries. Queued Head (IQH) and Queue Tail (IQT)
-- * registers are automatically reset to 0 with write
-- * to IQA register.
-+ /*
-+ * Setup Invalidation Queue Address (IQA) register with the address of the
-+ * pages we just allocated. The QS field at bits[2:0] indicates the size
-+ * (page order) of the queue.
-+ *
-+ * Queued Head (IQH) and Queue Tail (IQT) registers are automatically
-+ * reset to 0 with write to IQA register.
- */
- dmar_writeq(iommu->reg, DMAR_IQA_REG,
-- iommu->qinval_maddr | QINVAL_PAGE_ORDER);
-+ iommu->qinval_maddr | qi_pg_order);
-
- dmar_writeq(iommu->reg, DMAR_IQT_REG, 0);
-
diff --git a/main/xen/xsa373-4.13-2.patch b/main/xen/xsa373-4.13-2.patch
deleted file mode 100644
index ceb5bea6c3..0000000000
--- a/main/xen/xsa373-4.13-2.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: size command buffer dynamically
-
-With the present synchronous model, we need two slots for every
-operation (the operation itself and a wait command). There can be one
-such pair of commands pending per CPU. To ensure that under all normal
-circumstances a slot is always available when one is requested, size the
-command ring according to the number of present CPUs.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -35,8 +35,8 @@ static int queue_iommu_command(struct am
- if ( head != tail )
- {
- memcpy(iommu->cmd_buffer.buffer +
-- (iommu->cmd_buffer.tail * IOMMU_CMD_BUFFER_ENTRY_SIZE),
-- cmd, IOMMU_CMD_BUFFER_ENTRY_SIZE);
-+ (iommu->cmd_buffer.tail * sizeof(cmd_entry_t)),
-+ cmd, sizeof(cmd_entry_t));
-
- iommu->cmd_buffer.tail = tail;
- return 1;
---- a/xen/drivers/passthrough/amd/iommu_init.c
-+++ b/xen/drivers/passthrough/amd/iommu_init.c
-@@ -125,7 +125,7 @@ static void register_iommu_cmd_buffer_in
- writel(entry, iommu->mmio_base + IOMMU_CMD_BUFFER_BASE_LOW_OFFSET);
-
- power_of2_entries = get_order_from_bytes(iommu->cmd_buffer.alloc_size) +
-- IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE;
-+ PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER;
-
- entry = 0;
- iommu_set_addr_hi_to_reg(&entry, addr_hi);
-@@ -1050,9 +1050,31 @@ static void *__init allocate_ring_buffer
- static void * __init allocate_cmd_buffer(struct amd_iommu *iommu)
- {
- /* allocate 'command buffer' in power of 2 increments of 4K */
-+ static unsigned int __read_mostly nr_ents;
-+
-+ if ( !nr_ents )
-+ {
-+ unsigned int order;
-+
-+ /*
-+ * With the present synchronous model, we need two slots for every
-+ * operation (the operation itself and a wait command). There can be
-+ * one such pair of requests pending per CPU. One extra entry is
-+ * needed as the ring is considered full when there's only one entry
-+ * left.
-+ */
-+ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= IOMMU_CMD_BUFFER_MAX_ENTRIES);
-+ order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
-+ IOMMU_CMD_BUFFER_ENTRY_ORDER);
-+ nr_ents = 1u << (order + PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER);
-+
-+ AMD_IOMMU_DEBUG("using %u-entry cmd ring(s)\n", nr_ents);
-+ }
-+
-+ BUILD_BUG_ON(sizeof(cmd_entry_t) != (1u << IOMMU_CMD_BUFFER_ENTRY_ORDER));
-+
- return allocate_ring_buffer(&iommu->cmd_buffer, sizeof(cmd_entry_t),
-- IOMMU_CMD_BUFFER_DEFAULT_ENTRIES,
-- "Command Buffer", false);
-+ nr_ents, "Command Buffer", false);
- }
-
- static void * __init allocate_event_log(struct amd_iommu *iommu)
---- a/xen/include/asm-x86/hvm/svm/amd-iommu-defs.h
-+++ b/xen/include/asm-x86/hvm/svm/amd-iommu-defs.h
-@@ -20,9 +20,6 @@
- #ifndef _ASM_X86_64_AMD_IOMMU_DEFS_H
- #define _ASM_X86_64_AMD_IOMMU_DEFS_H
-
--/* IOMMU Command Buffer entries: in power of 2 increments, minimum of 256 */
--#define IOMMU_CMD_BUFFER_DEFAULT_ENTRIES 512
--
- /* IOMMU Event Log entries: in power of 2 increments, minimum of 256 */
- #define IOMMU_EVENT_LOG_DEFAULT_ENTRIES 512
-
-@@ -168,8 +165,8 @@ struct amd_iommu_dte {
- #define IOMMU_CMD_BUFFER_LENGTH_MASK 0x0F000000
- #define IOMMU_CMD_BUFFER_LENGTH_SHIFT 24
-
--#define IOMMU_CMD_BUFFER_ENTRY_SIZE 16
--#define IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE 8
-+#define IOMMU_CMD_BUFFER_ENTRY_ORDER 4
-+#define IOMMU_CMD_BUFFER_MAX_ENTRIES (1u << 15)
-
- #define IOMMU_CMD_OPCODE_MASK 0xF0000000
- #define IOMMU_CMD_OPCODE_SHIFT 28
diff --git a/main/xen/xsa373-4.13-3.patch b/main/xen/xsa373-4.13-3.patch
deleted file mode 100644
index f2a24ea416..0000000000
--- a/main/xen/xsa373-4.13-3.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: eliminate flush related timeouts
-
-Leaving an in-progress operation pending when it appears to take too
-long is problematic: If e.g. a QI command completed later, the write to
-the "poll slot" may instead be understood to signal a subsequently
-started command's completion. Also our accounting of the timeout period
-was actually wrong: We included the time it took for the command to
-actually make it to the front of the queue, which could be heavily
-affected by guests other than the one for which the flush is being
-performed.
-
-Do away with all timeout detection on all flush related code paths.
-Log excessively long processing times (with a progressive threshold) to
-have some indication of problems in this area.
-
-Additionally log (once) if qinval_next_index() didn't immediately find
-an available slot. Together with the earlier change sizing the queue(s)
-dynamically, we should now have a guarantee that with our fully
-synchronous model any demand for slots can actually be satisfied.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/vtd/dmar.h
-+++ b/xen/drivers/passthrough/vtd/dmar.h
-@@ -127,6 +127,34 @@ do {
- } \
- } while (0)
-
-+#define IOMMU_FLUSH_WAIT(what, iommu, offset, op, cond, sts) \
-+do { \
-+ static unsigned int __read_mostly threshold = 1; \
-+ s_time_t start = NOW(); \
-+ s_time_t timeout = start + DMAR_OPERATION_TIMEOUT * threshold; \
-+ \
-+ for ( ; ; ) \
-+ { \
-+ sts = op(iommu->reg, offset); \
-+ if ( cond ) \
-+ break; \
-+ if ( timeout && NOW() > timeout ) \
-+ { \
-+ threshold |= threshold << 1; \
-+ printk(XENLOG_WARNING VTDPREFIX \
-+ " IOMMU#%u: %s flush taking too long\n", \
-+ iommu->index, what); \
-+ timeout = 0; \
-+ } \
-+ cpu_relax(); \
-+ } \
-+ \
-+ if ( !timeout ) \
-+ printk(XENLOG_WARNING VTDPREFIX \
-+ " IOMMU#%u: %s flush took %lums\n", \
-+ iommu->index, what, (NOW() - start) / 10000000); \
-+} while ( false )
-+
- int vtd_hw_check(void);
- void disable_pmr(struct vtd_iommu *iommu);
- int is_igd_drhd(struct acpi_drhd_unit *drhd);
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -320,8 +320,8 @@ static void iommu_flush_write_buffer(str
- dmar_writel(iommu->reg, DMAR_GCMD_REG, val | DMA_GCMD_WBF);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, dmar_readl,
-- !(val & DMA_GSTS_WBFS), val);
-+ IOMMU_FLUSH_WAIT("write buffer", iommu, DMAR_GSTS_REG, dmar_readl,
-+ !(val & DMA_GSTS_WBFS), val);
-
- spin_unlock_irqrestore(&iommu->register_lock, flags);
- }
-@@ -370,8 +370,8 @@ int vtd_flush_context_reg(struct vtd_iom
- dmar_writeq(iommu->reg, DMAR_CCMD_REG, val);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, DMAR_CCMD_REG, dmar_readq,
-- !(val & DMA_CCMD_ICC), val);
-+ IOMMU_FLUSH_WAIT("context", iommu, DMAR_CCMD_REG, dmar_readq,
-+ !(val & DMA_CCMD_ICC), val);
-
- spin_unlock_irqrestore(&iommu->register_lock, flags);
- /* flush context entry will implicitly flush write buffer */
-@@ -448,8 +448,8 @@ int vtd_flush_iotlb_reg(struct vtd_iommu
- dmar_writeq(iommu->reg, tlb_offset + 8, val);
-
- /* Make sure hardware complete it */
-- IOMMU_WAIT_OP(iommu, (tlb_offset + 8), dmar_readq,
-- !(val & DMA_TLB_IVT), val);
-+ IOMMU_FLUSH_WAIT("iotlb", iommu, (tlb_offset + 8), dmar_readq,
-+ !(val & DMA_TLB_IVT), val);
- spin_unlock_irqrestore(&iommu->register_lock, flags);
-
- /* check IOTLB invalidation granularity */
---- a/xen/drivers/passthrough/vtd/qinval.c
-+++ b/xen/drivers/passthrough/vtd/qinval.c
-@@ -29,8 +29,6 @@
- #include "extern.h"
- #include "../ats.h"
-
--#define VTD_QI_TIMEOUT 1
--
- static unsigned int __read_mostly qi_pg_order;
- static unsigned int __read_mostly qi_entry_nr;
-
-@@ -60,7 +58,11 @@ static unsigned int qinval_next_index(st
- /* (tail+1 == head) indicates a full queue, wait for HW */
- while ( ((tail + 1) & (qi_entry_nr - 1)) ==
- ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
-+ {
-+ printk_once(XENLOG_ERR VTDPREFIX " IOMMU#%u: no QI slot available\n",
-+ iommu->index);
- cpu_relax();
-+ }
-
- return tail;
- }
-@@ -180,23 +182,32 @@ static int __must_check queue_invalidate
- /* Now we don't support interrupt method */
- if ( sw )
- {
-- s_time_t timeout;
--
-- /* In case all wait descriptor writes to same addr with same data */
-- timeout = NOW() + MILLISECS(flush_dev_iotlb ?
-- iommu_dev_iotlb_timeout : VTD_QI_TIMEOUT);
-+ static unsigned int __read_mostly threshold = 1;
-+ s_time_t start = NOW();
-+ s_time_t timeout = start + (flush_dev_iotlb
-+ ? iommu_dev_iotlb_timeout
-+ : 100) * MILLISECS(threshold);
-
- while ( ACCESS_ONCE(*this_poll_slot) != QINVAL_STAT_DONE )
- {
-- if ( NOW() > timeout )
-+ if ( timeout && NOW() > timeout )
- {
-- print_qi_regs(iommu);
-+ threshold |= threshold << 1;
- printk(XENLOG_WARNING VTDPREFIX
-- " Queue invalidate wait descriptor timed out\n");
-- return -ETIMEDOUT;
-+ " IOMMU#%u: QI%s wait descriptor taking too long\n",
-+ iommu->index, flush_dev_iotlb ? " dev" : "");
-+ print_qi_regs(iommu);
-+ timeout = 0;
- }
- cpu_relax();
- }
-+
-+ if ( !timeout )
-+ printk(XENLOG_WARNING VTDPREFIX
-+ " IOMMU#%u: QI%s wait descriptor took %lums\n",
-+ iommu->index, flush_dev_iotlb ? " dev" : "",
-+ (NOW() - start) / 10000000);
-+
- return 0;
- }
-
diff --git a/main/xen/xsa373-4.13-4.patch b/main/xen/xsa373-4.13-4.patch
deleted file mode 100644
index 7f0370b15a..0000000000
--- a/main/xen/xsa373-4.13-4.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: wait for command slot to be available
-
-No caller cared about send_iommu_command() indicating unavailability of
-a slot. Hence if a sufficient number prior commands timed out, we did
-blindly assume that the requested command was submitted to the IOMMU
-when really it wasn't. This could mean both a hanging system (waiting
-for a command to complete that was never seen by the IOMMU) or blindly
-propagating success back to callers, making them believe they're fine
-to e.g. free previously unmapped pages.
-
-Fold the three involved functions into one, add spin waiting for an
-available slot along the lines of VT-d's qinval_next_index(), and as a
-consequence drop all error indicator return types/values.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -22,48 +22,36 @@
- #include <asm/hvm/svm/amd-iommu-proto.h>
- #include "../ats.h"
-
--static int queue_iommu_command(struct amd_iommu *iommu, u32 cmd[])
-+static void send_iommu_command(struct amd_iommu *iommu,
-+ const uint32_t cmd[4])
- {
-- uint32_t tail, head;
-+ uint32_t tail;
-
- tail = iommu->cmd_buffer.tail;
- if ( ++tail == iommu->cmd_buffer.entries )
- tail = 0;
-
-- head = iommu_get_rb_pointer(readl(iommu->mmio_base +
-- IOMMU_CMD_BUFFER_HEAD_OFFSET));
-- if ( head != tail )
-+ while ( tail == iommu_get_rb_pointer(readl(iommu->mmio_base +
-+ IOMMU_CMD_BUFFER_HEAD_OFFSET)) )
- {
-- memcpy(iommu->cmd_buffer.buffer +
-- (iommu->cmd_buffer.tail * sizeof(cmd_entry_t)),
-- cmd, sizeof(cmd_entry_t));
--
-- iommu->cmd_buffer.tail = tail;
-- return 1;
-+ printk_once(XENLOG_ERR
-+ "AMD IOMMU %04x:%02x:%02x.%u: no cmd slot available\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf));
-+ cpu_relax();
- }
-
-- return 0;
--}
-+ memcpy(iommu->cmd_buffer.buffer +
-+ (iommu->cmd_buffer.tail * sizeof(cmd_entry_t)),
-+ cmd, sizeof(cmd_entry_t));
-
--static void commit_iommu_command_buffer(struct amd_iommu *iommu)
--{
-- u32 tail = 0;
-+ iommu->cmd_buffer.tail = tail;
-
-+ tail = 0;
- iommu_set_rb_pointer(&tail, iommu->cmd_buffer.tail);
- writel(tail, iommu->mmio_base+IOMMU_CMD_BUFFER_TAIL_OFFSET);
- }
-
--int send_iommu_command(struct amd_iommu *iommu, u32 cmd[])
--{
-- if ( queue_iommu_command(iommu, cmd) )
-- {
-- commit_iommu_command_buffer(iommu);
-- return 1;
-- }
--
-- return 0;
--}
--
- static void flush_command_buffer(struct amd_iommu *iommu)
- {
- u32 cmd[4], status;
diff --git a/main/xen/xsa373-4.13-5.patch b/main/xen/xsa373-4.13-5.patch
deleted file mode 100644
index 984536760d..0000000000
--- a/main/xen/xsa373-4.13-5.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: AMD/IOMMU: drop command completion timeout
-
-First and foremost - such timeouts were not signaled to callers, making
-them believe they're fine to e.g. free previously unmapped pages.
-
-Mirror VT-d's behavior: A fixed number of loop iterations is not a
-suitable way to detect timeouts in an environment (CPU and bus speeds)
-independent manner anyway. Furthermore, leaving an in-progress operation
-pending when it appears to take too long is problematic: If a command
-completed later, the signaling of its completion may instead be
-understood to signal a subsequently started command's completion.
-
-Log excessively long processing times (with a progressive threshold) to
-have some indication of problems in this area. Allow callers to specify
-a non-default timeout bias for this logging, using the same values as
-VT-d does, which in particular means a (by default) much larger value
-for device IO TLB invalidation.
-
-This is part of XSA-373 / CVE-2021-28692.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -52,10 +52,12 @@ static void send_iommu_command(struct am
- writel(tail, iommu->mmio_base+IOMMU_CMD_BUFFER_TAIL_OFFSET);
- }
-
--static void flush_command_buffer(struct amd_iommu *iommu)
-+static void flush_command_buffer(struct amd_iommu *iommu,
-+ unsigned int timeout_base)
- {
-- u32 cmd[4], status;
-- int loop_count, comp_wait;
-+ uint32_t cmd[4];
-+ s_time_t start, timeout;
-+ static unsigned int __read_mostly threshold = 1;
-
- /* RW1C 'ComWaitInt' in status register */
- writel(IOMMU_STATUS_COMP_WAIT_INT_MASK,
-@@ -71,24 +73,31 @@ static void flush_command_buffer(struct
- IOMMU_COMP_WAIT_I_FLAG_SHIFT, &cmd[0]);
- send_iommu_command(iommu, cmd);
-
-- /* Make loop_count long enough for polling completion wait bit */
-- loop_count = 1000;
-- do {
-- status = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
-- comp_wait = get_field_from_reg_u32(status,
-- IOMMU_STATUS_COMP_WAIT_INT_MASK,
-- IOMMU_STATUS_COMP_WAIT_INT_SHIFT);
-- --loop_count;
-- } while ( !comp_wait && loop_count );
--
-- if ( comp_wait )
-+ start = NOW();
-+ timeout = start + (timeout_base ?: 100) * MILLISECS(threshold);
-+ while ( !(readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET) &
-+ IOMMU_STATUS_COMP_WAIT_INT_MASK) )
- {
-- /* RW1C 'ComWaitInt' in status register */
-- writel(IOMMU_STATUS_COMP_WAIT_INT_MASK,
-- iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
-- return;
-+ if ( timeout && NOW() > timeout )
-+ {
-+ threshold |= threshold << 1;
-+ printk(XENLOG_WARNING
-+ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait taking too long\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
-+ timeout_base ? "iotlb " : "");
-+ timeout = 0;
-+ }
-+ cpu_relax();
- }
-- AMD_IOMMU_DEBUG("Warning: ComWaitInt bit did not assert!\n");
-+
-+ if ( !timeout )
-+ printk(XENLOG_WARNING
-+ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait took %lums\n",
-+ iommu->seg, PCI_BUS(iommu->bdf),
-+ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
-+ timeout_base ? "iotlb " : "",
-+ (NOW() - start) / 10000000);
- }
-
- /* Build low level iommu command messages */
-@@ -300,7 +309,7 @@ void amd_iommu_flush_iotlb(u8 devfn, con
- /* send INVALIDATE_IOTLB_PAGES command */
- spin_lock_irqsave(&iommu->lock, flags);
- invalidate_iotlb_pages(iommu, maxpend, 0, queueid, daddr, req_id, order);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, iommu_dev_iotlb_timeout);
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
-
-@@ -337,7 +346,7 @@ static void _amd_iommu_flush_pages(struc
- {
- spin_lock_irqsave(&iommu->lock, flags);
- invalidate_iommu_pages(iommu, daddr, dom_id, order);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
-
-@@ -361,7 +370,7 @@ void amd_iommu_flush_device(struct amd_i
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_dev_table_entry(iommu, bdf);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
-@@ -369,7 +378,7 @@ void amd_iommu_flush_intremap(struct amd
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_interrupt_table(iommu, bdf);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_flush_all_caches(struct amd_iommu *iommu)
-@@ -377,7 +386,7 @@ void amd_iommu_flush_all_caches(struct a
- ASSERT( spin_is_locked(&iommu->lock) );
-
- invalidate_iommu_all(iommu);
-- flush_command_buffer(iommu);
-+ flush_command_buffer(iommu, 0);
- }
-
- void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[])
-@@ -387,7 +396,8 @@ void amd_iommu_send_guest_cmd(struct amd
- spin_lock_irqsave(&iommu->lock, flags);
-
- send_iommu_command(iommu, cmd);
-- flush_command_buffer(iommu);
-+ /* TBD: Timeout selection may require peeking into cmd[]. */
-+ flush_command_buffer(iommu, 0);
-
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
diff --git a/main/xen/xsa375-4.13.patch b/main/xen/xsa375-4.13.patch
deleted file mode 100644
index 6fab954418..0000000000
--- a/main/xen/xsa375-4.13.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Protect against Speculative Code Store Bypass
-
-Modern x86 processors have far-better-than-architecturally-guaranteed self
-modifying code detection. Typically, when a write hits an instruction in
-flight, a Machine Clear occurs to flush stale content in the frontend and
-backend.
-
-For self modifying code, before a write which hits an instruction in flight
-retires, the frontend can speculatively decode and execute the old instruction
-stream. Speculation of this form can suffer from type confusion in registers,
-and potentially leak data.
-
-Furthermore, updates are typically byte-wise, rather than atomic. Depending
-on timing, speculation can race ahead multiple times between individual
-writes, and execute the transiently-malformed instruction stream.
-
-Xen has stubs which are used in certain cases for emulation purposes. Inhibit
-speculation between updating the stub and executing it.
-
-This is XSA-375 / CVE-2021-0089.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
-index 6dc4f92a84..59c15ca0e7 100644
---- a/xen/arch/x86/pv/emul-priv-op.c
-+++ b/xen/arch/x86/pv/emul-priv-op.c
-@@ -97,6 +97,8 @@ static io_emul_stub_t *io_emul_stub_setup(struct priv_op_ctxt *ctxt, u8 opcode,
- BUILD_BUG_ON(STUB_BUF_SIZE / 2 < MAX(9, /* Default emul stub */
- 5 + IOEMUL_QUIRK_STUB_BYTES));
-
-+ block_speculation(); /* SCSB */
-+
- /* Handy function-typed pointer to the stub. */
- return (void *)stub_va;
- }
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index bba6dd0187..cd123492a6 100644
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1172,6 +1172,7 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
- # define invoke_stub(pre, post, constraints...) do { \
- stub_exn.info = (union stub_exception_token) { .raw = ~0 }; \
- stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
-+ block_speculation(); /* SCSB */ \
- asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n" \
- ".Lret%=:\n\t" \
- ".pushsection .fixup,\"ax\"\n" \
diff --git a/main/xen/xsa377.patch b/main/xen/xsa377.patch
deleted file mode 100644
index 1a1887b60e..0000000000
--- a/main/xen/xsa377.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Mitigate TAA after S3 resume
-
-The user chosen setting for MSR_TSX_CTRL needs restoring after S3.
-
-All APs get the correct setting via start_secondary(), but the BSP was missed
-out.
-
-This is XSA-377 / CVE-2021-28690.
-
-Fixes: 8c4330818f6 ("x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
-index 91a8c4d0bd..31a56f02d0 100644
---- a/xen/arch/x86/acpi/power.c
-+++ b/xen/arch/x86/acpi/power.c
-@@ -288,6 +288,8 @@ static int enter_state(u32 state)
-
- microcode_update_one();
-
-+ tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
-+
- if ( !recheck_cpu_features(0) )
- panic("Missing previously available feature(s)\n");
-
diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD
index fdd1031a7c..f2c808db8b 100644
--- a/main/xtables-addons-lts/APKBUILD
+++ b/main/xtables-addons-lts/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.4.111
+_kver=5.4.143
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD
index 6b75984f00..632c64cba9 100644
--- a/main/zfs-lts/APKBUILD
+++ b/main/zfs-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=2
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.4.111
+_kver=5.4.143
_krel=0
_kpkgver="$_kver-r$_krel"