
[RESEND] package/icu: bump to version 68-1

Message ID 20201123100751.4095539-1-heiko@sntech.de
State Superseded

Commit Message

Heiko Stübner Nov. 23, 2020, 10:07 a.m. UTC
From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>

This includes the fix [0] for CVE-2020-10531.

[0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
---
I'm not sure if I did something wrong in the initial submission,
but so far got no response at all, so am including some more
people who recently committed changes to icu.

As this fixes a CVE, I guess this might need some sort of priority.

 package/icu/icu.hash | 2 +-
 package/icu/icu.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Korsgaard Nov. 23, 2020, 12:20 p.m. UTC | #1
>>>>> "Heiko" == Heiko Stuebner <heiko@sntech.de> writes:

 > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
 > This includes the fix [0] for CVE-2020-10531.

 > [0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

 > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
 > ---
 > I'm not sure if I did something wrong in the initial submission,
 > but so far got no response at all, so am including some more
 > people who recently committed changes to icu.

 > As this fixes a CVE, I guess this might need some sort of priority.

There are quite some pending patches. It would be good to explicitly mark
it as a security fix, e.g. 'package/icu: security bump to version 68-1',
to make sure it isn't missed for master, as package bumps otherwise now
only go to next as we are busy getting 2020.11 stabilized and released.

How much have you tested this? New icu releases unfortunately have a
tendency to cause various breakage. Would it be an option to backport
this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
for next?
Heiko Stübner Nov. 23, 2020, 2:25 p.m. UTC | #2
Hi Peter,

On Monday, 23 November 2020, 13:20:20 CET, Peter Korsgaard wrote:
> >>>>> "Heiko" == Heiko Stuebner <heiko@sntech.de> writes:
> 
>  > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
>  > This includes the fix [0] for CVE-2020-10531.
> 
>  > [0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
> 
>  > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
>  > ---
>  > I'm not sure if I did something wrong in the initial submission,
>  > but so far got no response at all, so am including some more
>  > people who recently committed changes to icu.
> 
>  > As this fixes a CVE, I guess this might need some sort of priority.
> 
> There are quite some pending patches. It would be good to explicitly mark
> it as a security fix, e.g. 'package/icu: security bump to version 68-1',
> to make sure it isn't missed for master, as package bumps otherwise now
> only go to next as we are busy getting 2020.11 stabilized and released.
> 
> How much have you tested this? New icu releases unfortunately have a
> tendency to cause various breakage. Would it be an option to backport
> this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
> for next?

This is running on a device we're doing right now as part of qt5 and a qt5
main application for a week now (on a buildroot 2020.05 base) and I didn't
hear about any specific hiccups so far.

But while re-researching the CVE I noticed that it (now) marks 66.1 as up-to
affected - I do remember reading 67.1 there [0] before, though don't have
proof that it's not just my eyes ;-) .

So the 67.1 in buildroot is actually secure and doesn't need an update.

So I'll re-send this as v2 without the security-related text then ;-) .


Heiko


[0] https://nvd.nist.gov/vuln/detail/CVE-2020-10531
Peter Korsgaard Nov. 23, 2020, 3:11 p.m. UTC | #3
>>>>> "Heiko" == Heiko Stübner <heiko@sntech.de> writes:

Hi,

 >> There are quite some pending patches. It would be good to explicitly mark
 >> it as a security fix, e.g. 'package/icu: security bump to version 68-1',
 >> to make sure it isn't missed for master, as package bumps otherwise now
 >> only go to next as we are busy getting 2020.11 stabilized and released.
 >> 
 >> How much have you tested this? New icu releases unfortunately have a
 >> tendency to cause various breakage. Would it be an option to backport
 >> this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
 >> for next?

 > This is running on a device we're doing right now as part of qt5 and a qt5
 > main application for a week now (on a buildroot 2020.05 base) and I didn't
 > hear about any specific hiccups so far.

Ok.

 > But while re-researching the CVE I noticed that it (now) marks 66.1 as up-to
 > affected - I do remember reading 67.1 there [0] before, though don't have
 > proof that it's not just my eyes ;-) .

heh ;)

 > So the 67.1 in buildroot is actually secure and doesn't need an update.

Except for 2020.02.x, which has 65-1. I'll fix that.

 > So I'll re-send this as v2 without the security-related text then ;-) .

Great, thanks!

Patch

diff --git a/package/icu/icu.hash b/package/icu/icu.hash
index 5c10008d8a..8067b8e217 100644
--- a/package/icu/icu.hash
+++ b/package/icu/icu.hash
@@ -1,3 +1,3 @@ 
 # Locally computed
-sha256  94a80cd6f251a53bd2a997f6f1b5ac6653fe791dfab66e1eb0227740fb86d5dc  icu4c-67_1-src.tgz
+sha256  a9f2e3d8b4434b8e53878b4308bd1e6ee51c9c7042e2b1a376abefb6fbb29f2d  icu4c-68_1-src.tgz
 sha256  25e21013a7bc2fad735e28c5278a120e4c7f1c327c8c8b9b4df1751748cddbb2  LICENSE
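Review bot: the new `sha256 ... icu4c-68_1-src.tgz` line sits under the `# Locally computed` comment, so the commit message should state where the tarball was fetched from and that the hash was cross-checked against a second independent download or the checksum upstream publishes for the release-68-1 tag; otherwise a reviewer has no way to tell a genuine tarball from a tampered one. It is also worth a sentence that the unchanged `LICENSE` hash was verified against the 68-1 tarball, since a changed license file would only surface as a hash failure at build time.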
diff --git a/package/icu/icu.mk b/package/icu/icu.mk
index c07ca2da3b..8d0288578c 100644
--- a/package/icu/icu.mk
+++ b/package/icu/icu.mk
@@ -7,7 +7,7 @@ 
 # Git tags (and therefore versions on release-monitoring.org) use the
 # XX-Y format, but the tarballs are named XX_Y and the containing
 # directories XX.Y.
-ICU_VERSION = 67-1
+ICU_VERSION = 68-1
 ICU_SOURCE = icu4c-$(subst -,_,$(ICU_VERSION))-src.tgz
 ICU_SITE = \
 	https://github.com/unicode-org/icu/releases/download/release-$(ICU_VERSION)
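Review bot: the `ICU_VERSION = 68-1` change is the only functional part of the patch, yet the commit message justifies it solely with CVE-2020-10531, which the thread concludes does not affect 67-1; if that holds, the title should be a plain bump rather than a security bump, because that label is what decides whether it is picked for master and the stable branches. Since an icu major bump is pulled in by every reverse dependency, the message should also name which consumers (the thread mentions qt5 and a qt5 application) were built and run against 68-1.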