This repository was archived by the owner on Jun 28, 2021. It is now read-only.
Update buildroot fork to latest upstream master #8
Open
tmagik wants to merge 10000 commits into sifive:master from
Add 'set -eu' to ensure that command failures or unset variables are properly reported to the 'make' process. This prevents silent failures during the image generation phase. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove the '-x' option from the shebang, which was a leftover from the debugging phase and not intended for the final submission. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
https://github.com/harfbuzz/harfbuzz/blob/12.3.2/NEWS Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump newlib-bare-metal to version 4.6.0.20260123. For NEWS, see [1]. This commit also updates the license file hashes, after upstream update in [2]. [1] https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/NEWS;h=99567683b27e1d432138b1f4728ed03e09fc13ec;hb=8ba4275b83ec27529f67e0d477611fa6d8d6e6bd [2] https://sourceware.org/git/?p=newlib-cygwin.git;a=commitdiff;h=cac47030fb003570295582606f158609f626347f Signed-off-by: Neal Frager <neal.frager@amd.com> [Julien: add link to NEWS and license hash update note] Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log, see: https://www.greenwoodsoftware.com/less/news.691.html Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit bf36260 ("system cfg: remove mkpasswd MD5 format option") dropped the MD5 option, so stop referring to it from the sha256 one to limit confusion. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Make busybox follow the BR2_TARGET_GENERIC_PASSWD_* system configuration
option, E.G.
cat defconfig
BR2_x86_core2=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_CORE2_MUSL_BLEEDING_EDGE=y
BR2_STATIC_LIBS=y
BR2_TARGET_GENERIC_PASSWD_SHA512=y
./target/usr/bin/mkpasswd --help
BusyBox v1.37.0 (2026-01-27 17:31:51 CET) multi-call binary.
Usage: mkpasswd [-P FD] [-m TYPE] [-S SALT] [PASSWORD] [SALT]
Print crypt(3) hashed PASSWORD
-P N Read password from fd N
-m TYPE des,md5,sha256/512 (default sha512)
-S SALT
./target/usr/bin/mkpasswd test
$6$VQ6lDdGRJOgs8Exs$gEWp1nN/FHCAgmoB6lD.fN13EKA40yV7WQmZJcFp114VrL/st74zP5iPsLHi5NFX/A6GAa1gD.yqzp5Lz3DKl/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:

- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives

  archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm

  When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion.

- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain

  The Config.Clone methods allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, allowing sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so.

- CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain

  The Go toolchain supports multiple VCS which are used retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g. custom domains) can cause unexpected code execution due to how external VCS commands are constructed.

  On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character.

- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level

  During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

For details, see the announcement:
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 18630db bumped the package from 4.7.1 to 4.8.1. Upstream version 4.8.0 includes commit syslog-ng/syslog-ng@163c894 which causes build errors with non-c++ toolchains: syslog-ng/syslog-ng#5040 Fixes: https://autobuild.buildroot.net/results/70c/70ca3364da15383a8270d180cd2bf67977d9cb56/ The earliest build error recorded by the autobuilders dates back to 2025-04-23 so a backport should be considered: https://autobuild.buildroot.net/results/dd2/dd2b1dedbd92280dac01ae4d6454ef7eb08cc539/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release note, see: https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.8.4/docs/v2.8.4-ReleaseNotes Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release announce, see: https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html gnupg2 versions from 2.5.13 to 2.5.16 (inclusive) are affected by the following issue: A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT --kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likely also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS required KEM API. Fixes: https://dev.gnupg.org/T8044 Signed-off-by: Julien Olivain <ju.o@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:

CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469 - ‘openssl dgst’ one-shot codepath silently truncates inputs >16MB.
CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing
CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function

For more details, see the announcement:
https://openssl-library.org/post/2026-01-27-release-announcement/

Drop now upstreamed 0004-Scope-aes_cfb128_vaes_encdec_wrapper-to-x64.patch: openssl/openssl@f529d26

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Move the content referring to the LTS information from the 'support' page into a dedicated page. Also add LTS specific information about the sponsoring and the benefits. This page also contains clarification on the release cycle of the LTS. Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
https://forum.torproject.org/t/release-candidate-and-stable-release-0-4-8-22-and-0-4-9-4-rc/21160 https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.22/ReleaseNotes "o Major bugfixes (security): - Avoid an out-of-bounds read error that could occur with V1-formatted cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This is tracked as TROVE-2025-016." Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes Fixes CVE-2026-24515 & CVE-2026-25210. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 9cfcd90 bumped the package from 1.33.1 to 1.37.1. Upstream changed the optional C++ support into a mandatory dependency with commit netdata/netdata@b6d2a36 added to version 1.35.0 causing build errors with toolchains without C++ support:

GEN netdatacli
/bin/sh: line 1: no: command not found
make[3]: *** [Makefile:5502: netdatacli] Error 127

Fixes: https://autobuild.buildroot.org/results/7084a73d5727a86ca55eda3d1f01ea4d5b8ecf65/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Michael Cullen <michael@michaelcullen.name>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/transmission/transmission/releases/tag/4.1.0 Removed patch which is included in this release. Updated license hash due to copyright year bump: transmission/transmission@5ce17df Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://cmake.org/cmake/help/latest/release/4.2.html#id21 Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As described in https://gitlab.com/buildroot.org/buildroot/-/issues/160, the github mirror is getting shut down - So move to the sourceware.org git repo.

The github mirror was originally used because of performance and reliability issues with sourceware, but that seems to be resolved now after server/RAM upgrades - E.G. from the sourceware news:

April 22, 2024 server2.sourceware.org now has 512GB RAM, thanks Red Hat.
https://sourceware.org/

So change back to fetch glibc (and localedef) from sourceware.org over git.

Notice: The git archiving leads to slightly different paths and permissions in the tarball, but the file content is identical:

mkdir a && tar -C a -x --strip-components=1 -f \
  path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125.tar.gz
mkdir b && tar -C b -x --strip-components=1 -f \
  path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125-git4.tar.gz

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
 - add missing SoB line
 - fix command lines in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Make shadow follow the BR2_TARGET_GENERIC_PASSWD_* system configuration option when changing password rather than DES. Fixes: https://gitlab.com/buildroot.org/buildroot/-/issues/134 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Ensure that the SHA_CRYPT option is enabled when the system configuration is set to SHA256/512, as otherwise passwd complains when a password is changed: passwd ... Invalid ENCRYPT_METHOD value: 'SHA512'. Defaulting to DES. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Use of threading requires a C++20 compiler, and the oneTBB implementation. oneTBB is missing from Buildroot, but a system one may be used if found. Even if the default for threading is disabled, explicitly state so, in case the default changes in the future. Also disable examples, we don't and won't need them. Signed-off-by: Yann E. MORIN <yann.morin@orange.com> Cc: Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log, see: https://github.com/BLAKE3-team/BLAKE3/releases/tag/1.8.3 Signed-off-by: Yann E. MORIN <yann.morin@orange.com> Cc: Heiko Thiery <heiko.thiery@gmail.com> [Julien: add link to change log] Signed-off-by: Julien Olivain <ju.o@free.fr>
Blake3 unconditionally enables C++ support, which unconditionally requires C++20 when built with cmake >= 3.12, even when this is not required. Fixing this does not look trivial, and rather than botching the build, just require C++20, available from gcc 8.x onward. Signed-off-by: Yann E. MORIN <yann.morin@orange.com> Cc: Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit eb1f160 bumped meson to 1.10.0, this release includes upstream commit mesonbuild/meson@35193dd This commit caused build errors mesonbuild/meson#15497 (comment) which were fixed by an upstream commit to the master branch: mesonbuild/meson@c1db93b This patch adds the upstream fix to buildroot. Fixes: https://autobuild.buildroot.net/results/aab/aaba3d6a9d55c3e8030d3e3487bf93074a4deac1/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
When the sane-airscan package was introduced in f78280b the dependency to c++ was not added to the package. The source directory fuzzer/ contains c++ files: https://github.com/alexpevzner/sane-airscan/tree/master/fuzzer meson.build requires c++: https://github.com/alexpevzner/sane-airscan/blob/0.99.33/meson.build#L1 Fixes: https://autobuild.buildroot.net/results/830/830374dcce8f29ad336cf8060bda552119c8377a/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
https://github.com/alexpevzner/sane-airscan/commits/0.99.36/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
And add (and default to) 6.19 to linux-headers. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
For an overview of changes in 6.19, see: https://kernelnewbies.org/Linux_6.19 Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com> Cc: Peter Korsgaard <peter@korsgaard.com> Cc: Scott Fan <fancp2007@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability: CVE-2025-13151: Stack-based buffer overflow in asn1_expand_octet_string function https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00001.html Release notes: https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00000.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:

CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. To prevent this behavior, the cgo compiler will no longer parse user-provided doc comments.

CVE-2025-68121: crypto/tls: unexpected session resumption when using Config.GetConfigForClient

Config.GetConfigForClient is documented to use the original Config's session ticket keys unless explicitly overridden. This can cause unexpected behavior if the returned Config modifies authentication parameters, like ClientCAs: a connection initially established with the parent (or a sibling) Config can be resumed, bypassing the modified authentication requirements.

If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the server) or InsecureSkipVerify is false (on the client), crypto/tls now checks that the root of the previously-verified chain is still in ClientCAs/RootCAs when resuming a connection.

Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue related to session ticket keys being implicitly shared by Config.Clone. Since this fix is broader, the Config.Clone behavior change has been reverted.

Note that VerifyPeerCertificate still behaves as documented: it does not apply to resumed connections. Applications that use Config.GetConfigForClient or Config.Clone and do not wish to blindly resume connections established with the original Config must use VerifyConnection instead (or SetSessionTicketKeys or SessionTicketsDisabled).

For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security vulnerabilities:

CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder verification

A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to a denial of service attack via crashing the server. The updated code guards against the problematic dereference.

CVE-2025-14831: libgnutls: Fix name constraint processing performance issue

Verifying certificates with pathological amounts of name constraints could lead to a denial of service attack via resource exhaustion. Reworked processing algorithms exhibit better performance characteristics.

For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html

Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
https://gitlab.com/gnutls/gnutls/-/commit/f5666f8f1f653cfe2bef808a9c9b61534f279ed1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security vulnerability: CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize when called with no histogram and a palette larger than twice the requested maximum number of colors. For more details, see the advisory: GHSA-g8hp-mq4h-rqm3 Release notes: https://github.com/pnggroup/libpng/blob/v1.6.55/ANNOUNCE Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
https://ccache.dev/releasenotes.html#_ccache_4_12_3 Use sha256 tarball hash provided by upstream. Updated license hash due to copyright year bump: ccache/ccache@ec03916 Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
https://lists.gnu.org/archive/html/m4-announce/2026-02/msg00000.html Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
https://lists.infradead.org/pipermail/wireless-regdb/2026-February/001830.html Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Release Notes: https://github.com/zlib-ng/zlib-ng/releases/tag/2.3.3 Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Introduce the libxmlsec1 library package. libxmlsec implements XML security standards. The library has only a few mandatory dependencies (libxml2 and libxslt and a crypto library). It needs one of the following cryptographic libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to keep the package simple. Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes: 3963c3c ("package/python-scp: new package") Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:

- CVE-2025-13473 (low): Username enumeration through timing difference in mod_wsgi authentication handler
- CVE-2025-14550 (moderate): Potential denial-of-service vulnerability via repeated headers when using ASGI
- CVE-2026-1207 (high): Potential SQL injection via raster lookups on PostGIS
- CVE-2026-1285 (moderate): Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
- CVE-2026-1287 (high): Potential SQL injection in column aliases via control characters
- CVE-2026-1312 (high): Potential SQL injection via QuerySet.order_by and FilteredRelation

See the release notes here:
https://docs.djangoproject.com/en/dev/releases/6.0.2/

Also includes the bugfixes from version 6.0.1:
https://docs.djangoproject.com/en/dev/releases/6.0.1/

Signed-off-by: Manuel Diener <manuel.diener@othermo.de>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Updated license hash due to copyright year bump: strace/strace@4d6755b This bump includes two upstream commits strace/strace@bf93845 strace/strace@822b5e8 that fix build errors introduced by the bump of linux-headers to version 6.19 with buildroot commit 5661507. This bump is not included in any buildroot LTS branch so no backport necessary. Fixes: https://autobuild.buildroot.net/results/7a3/7a35bfcae87b1fbe1d6e0c4271a364ce330c1d51/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
- Requirement for Boost.DateTime was removed in 2.54.0 [0]
- Requirement for Boost.System was removed in 2.59.0 [1]
- drop "WITH_GUI" conf_opt as it was dropped in 2.32.0 [2]
- LICENSE hash changed due to year bump.

Release notes: https://github.com/PurpleI2P/i2pd/releases/tag/2.59.0

[0] PurpleI2P/i2pd@0992a51
[1] PurpleI2P/i2pd@06a86f3
[2] PurpleI2P/i2pd@db6a0e6

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: pikvm/ustreamer@v6.42...v6.52 Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
This version builds up to Linux version 6.19. Fixes: still not happened Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPIO filesystem generated by the test_firewalld test is too large, and doesn't fit as an initramfs in the 256MB of RAM available in the versatilepb machine. This causes a "Initramfs unpacking failed: write error" when booting, and many files being missing from the root filesystem, ultimately causing the test to fail. The test_firewalld test initially started to fail following a systemd update [1][3]: [BRTEST# systemctl is-active firewalld failed But really started to crash at boot following a python 3.14 update [2][4]: Run /init as init process /init: exec: line 15: /sbin/init: not found Also, update TestFirewalldSysVInit to use ext2 instead of cpio. [1] 926e050 [2] a0a6abc Fixes: [3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059 [4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940 Signed-off-by: Romain Naour <romain.naour@smile.fr> Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/DMTF/libspdm/releases/tag/3.8.1 Fixes two issues: * Unaligned memory access in VENDOR_DEFINED_* : #3196 * Build failure when mutual authentication is disabled : #3178 Signed-off-by: Alistair Francis <alistair.francis@wdc.com> [Julien: add link to release notes] Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes CVE-2025-14550: There was a potential DoS vector for users of the ``asgiref.wsgi.WsgiToAsgi`` adapter. Malicious requests, including an unreasonably large number of values for the same header, could lead to resource exhaustion when building the WSGI environment. Changelog: https://github.com/django/asgiref/blob/3.11.1/CHANGELOG.txt Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu> Signed-off-by: Julien Olivain <ju.o@free.fr>
Update to buildroot in preparation to switch freedom-u-sdk over to replace riscv-gnu-toolchain with the toolchain supported in buildroot, which builds faster using upstream sources and takes less space.