Skip to content

GitLab

Switch branch/tag
  1. 15 Jun, 2022 1 commit
  3. 23 May, 2022 2 commits
  5. 16 Apr, 2022 2 commits
  7. 07 Apr, 2022 5 commits
  9. 31 Mar, 2022 2 commits
    • Trevor Gamblin's avatar
      python3-django: upgrade 3.2.10 -> 3.2.12 · de18681d
      Trevor Gamblin authored 
      
The delta between 3.2.10 and 3.2.12 contains numerous CVE and other
bugfixes. git log --online 3.2.10..3.2.12 shows:

fdf209eab8 (tag: 3.2.12) [3.2.x] Bumped version for 3.2.12 release.
d16133568e [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.
1a1e8278c4 [3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
a7e89fe776 [3.2.x] Added stub release notes for 3.2.12 and 2.2.27.
027f4c4ceb [3.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive.
0a9a46a1d7 [3.2.x] Post-release version bump.
6e499a28ac (tag: 3.2.11) [3.2.x] Bumped version for 3.2.11 release.
8d2f7cff76 [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
c7fe895bca [3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
a8b32fe13b [3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
b0aa0709a5 [3.2.x] Added stub release notes for 3.2.11, and 2.2.26 releases.
ae242235db [3.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.
ecd2793897 [3.2.x] Added CVE-2021-44420 to security archive.
1cea03ab00 [3.2.x] Post-release version bump.
Signed-off-by: default avatarTrevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      de18681d
    • Trevor Gamblin's avatar
      python3-django: upgrade 2.2.24 -> 2.2.27 · af8cc48d
      Trevor Gamblin authored 
      
The delta between 2.2.24 and 2.2.27 contain numerous CVE and other
bugfixes. git log --oneline 2.2.24..2.2.27 shows:

e541f2d05b (tag: 2.2.27) [2.2.x] Bumped version for 2.2.27 release.
c477b76180 [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.
c27a7eb9f4 [2.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
4cafd3aacb [2.2.x] Added stub release notes 2.2.27.
77d0fe5868 [2.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive.
e085d46e4b [2.2.x] Post-release version bump.
44e7cca623 (tag: 2.2.26) 2.2.x] Bumped version for 2.2.26 release.
4cb35b384c [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
c9f648ccfa [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
2135637fdd [2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
03b733d8a8 [2.2.x] Added stub release notes for 2.2.26 release.
b87820668e [2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.
573e70ea48 [2.2.x] Added CVE-2021-44420 to security archive.
8439938602 [2.2.x] Post-release version bump.
79d8dcefb2 (tag: 2.2.25) [2.2.x] Bumped version for 2.2.25 release.
7cf7d74e8a [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
0007a5f9fa [2.2.x] Added requirements.txt to files ignored by Sphinx builds.
fac0fdd95d [2.2.x] Added stub release notes for 2.2.25.
4bc10b7955 [2.2.x] Fixed crash building HTML docs since Sphinx 4.3.
5289fcfffe [2.2.x] Configured Read The Docs to build all formats.
9a4a2b2089 [2.2.x] Refs #33247 -- Corrected configuration for Read The Docs.
029c830b71 [2.2.x] Fixed #33247 -- Added configuration for Read The Docs.
12141e3116 [2.2.x] Refs #32856 -- Clarified that psycopg2 < 2.9 is required.
cf63dd5c1b [2.2.x] Added 'formatter' to spelling wordlist.
05bc1c81aa [2.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on Python 3.9.7+.
a9c0aa11e7 [2.2.x] Refs #31676 -- Updated technical board description in organization docs.
66008c2af0 [2.2.x] Refs #31676 -- Added Mergers and Releasers to organization docs.
d4d1c2b3db [2.2.x] Refs #31676 -- Removed Core team from organization docs.
8f59f72a20 [2.2.x] Refs #31676 -- Removed Django Core-Mentorship mailing list references in docs.
837ffcfa68 [2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required.
dc43667eab [2.2.x] Fixed docs header underlines in security archive.
3e7bb564be [2.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive.
48bde7cab4 [2.2.x] Post-release version bump.
Signed-off-by: default avatarTrevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      af8cc48d
  11. 15 Mar, 2022 2 commits
  13. 23 Feb, 2022 1 commit
  15. 20 Feb, 2022 3 commits
  17. 29 Jan, 2022 5 commits
  19. 27 Jan, 2022 1 commit
  21. 05 Jan, 2022 2 commits
    • Andreas Müller's avatar
      udisks2: upgrade 2.9.3 -> 2.9.4 · 4647e3ea
      Andreas Müller authored 
      
From announcement:
This release was focused on stability and hardening, notably fixing some
long-standing race conditions and memory leaks. Default mount options got
tweaked towards data safety.

All users are strongly advised to upgrade.
Signed-off-by: default avatarAndreas Müller <schnitzeltony@gmail.com>
Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b2666b7

)
[Minor fixup for honister context, bug fix only]
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      4647e3ea
    • wangmy's avatar
      apache2: upgrade 2.4.51 -> 2.4.52 · 69780891
      wangmy authored 
      Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <https://github.com/icing/mod_h2/issues/212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <https://github.com/icing/mod_md/issues/268

>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.
Signed-off-by: default avatarWang Mingyu <wangmy@fujitsu.com>
Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc64

)
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      69780891
  23. 02 Jan, 2022 1 commit
    • Armin Kuster's avatar
      wireshark: update to latest stable 3.4.11 · 89bf10d0
      Armin Kuster authored 
      For more infromation, see:
https://www.wireshark.org/docs/relnotes/wireshark-3.4.11.html



refresh 0004-lemon-Remove-line-directives.patch

Includes CVEs:

3.4.11:
wnpa-sec-2021-16 Gryphon dissector crash. Issue 17737. CVE-2021-4186.
wnpa-sec-2021-17 RTMPT dissector infinite loop. Issue 17745. CVE-2021-4185.
wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop. Issue 17754. CVE-2021-4184.
wnpa-sec-2021-20 RFC 7468 file parser infinite loop. Issue 17801. CVE-2021-4182.
wnpa-sec-2021-21 Sysdig Event dissector crash. CVE-2021-4181.

3.4.10:
wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929.
wnpa-sec-2021-08 Bluetooth HCI_ISO dissector crash. Issue 17649. CVE-2021-39926.
wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925.
wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924.
wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684.
wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922.
wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928.
wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921.
wnpa-sec-2021-15 IPPUSB dissector crash. Issue 17705. CVE-2021-39920.
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      89bf10d0
  25. 30 Dec, 2021 5 commits
  27. 28 Dec, 2021 2 commits
    • Changqing Li's avatar
      postgresql: fix CVE-2021-23214,CVE-2021-23222 · b707efaf
      Changqing Li authored 
      Signed-off-by: default avatarChangqing Li <changqing.li@windriver.com>
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
(cherry picked from commit 8e57fb9b

)
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      b707efaf
    • Trevor Gamblin's avatar
      python3-django: upgrade 3.2.5 -> 3.2.10 · 7e8de0e5
      Trevor Gamblin authored 
      From the release notes page
(https://docs.djangoproject.com/en/4.0/releases/3.2.10/

):

Django 3.2.10 fixes a security issue with severity “low” and a bug in
3.2.9.

CVE-2021-44420: Potential bypass of an upstream access control based on
URL paths
HTTP requests for URLs with trailing newlines could bypass an upstream
access control based on URL paths.

Bugfixes
Fixed a regression in Django 3.2 that caused a crash of setUpTestData()
with BinaryField on PostgreSQL, which is memoryview-backed (#33333).

Django 3.2.9 fixes a bug in 3.2.8 and adds compatibility with Python
3.10.

Bugfixes
Fixed a bug in Django 3.2 that caused a migration crash on SQLite when
altering a field with a functional index (#33194).

Django 3.2.8 fixes two bugs in 3.2.7.

Bugfixes
Fixed a bug in Django 3.2 that caused incorrect links on read-only
fields in the admin (#33077).
Fixed a regression in Django 3.2 that caused incorrect selection of
items across all pages when actions were placed both on the top and
bottom of the admin change-list view (#33083).

Django 3.2.7 fixes a bug in 3.2.6.

Bugfixes
Fixed a regression in Django 3.2 that caused the incorrect offset
extraction from fixed offset timezones (#32992).

Django 3.2.6 fixes several bugs in 3.2.5.

Bugfixes
Fixed a regression in Django 3.2 that caused a crash validating "NaN"
input with a forms.DecimalField when additional constraints, e.g.
max_value, were specified (#32949).
Fixed a bug in Django 3.2 where a system check would crash on a model
with a reverse many-to-many relation inherited from a parent class
(#32947).
Signed-off-by: default avatarTrevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
Signed-off-by: default avatarTrevor Gamblin <trevor.gamblin@windriver.com>
(cherry picked from commit 446a503a

)
Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      7e8de0e5
  29. 18 Dec, 2021 2 commits
  31. 09 Dec, 2021 4 commits