From patchwork Thu Sep 12 19:43:53 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Korsgaard <peter@korsgaard.com>
X-Patchwork-Id: 1161753
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming-buildroot@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=busybox.net
	(client-ip=140.211.166.137; helo=fraxinus.osuosl.org;
	envelope-from=buildroot-bounces@busybox.net;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=korsgaard.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="eTDao/3Y"; dkim-atps=neutral
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 46Tq2x1mxcz9sCJ
	for <incoming-buildroot@patchwork.ozlabs.org>;
	Fri, 13 Sep 2019 05:44:07 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id 3B66283608;
	Thu, 12 Sep 2019 19:44:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id jZyF7B0I0aQ7; Thu, 12 Sep 2019 19:44:04 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by fraxinus.osuosl.org (Postfix) with ESMTP id 98A2683742;
	Thu, 12 Sep 2019 19:44:04 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
	by ash.osuosl.org (Postfix) with ESMTP id CD92F1BF3DC
	for <buildroot@lists.busybox.net>;
	Thu, 12 Sep 2019 19:44:03 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id 6644480662
	for <buildroot@lists.busybox.net>;
	Thu, 12 Sep 2019 19:44:03 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id JQXUl-xyjDuI for <buildroot@lists.busybox.net>;
	Thu, 12 Sep 2019 19:44:02 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-ed1-f66.google.com (mail-ed1-f66.google.com
	[209.85.208.66])
	by fraxinus.osuosl.org (Postfix) with ESMTPS id 37F2586303
	for <buildroot@buildroot.org>; Thu, 12 Sep 2019 19:44:02 +0000 (UTC)
Received: by mail-ed1-f66.google.com with SMTP id o9so25055313edq.0
	for <buildroot@buildroot.org>; Thu, 12 Sep 2019 12:44:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=84cTxpgM+SGVx+aOlHanQlpoTjcesrH/R5IV7CbKX/Y=;
	b=eTDao/3YOY0a91pxROlx6k7siE8DTRRXyosPbSbLruSAJRlwpRt9ZoN6SuyYkYjATX
	9g/3dzLrhLn71Opc59fA1Si4i44/7ClhWuLA2Ah1Ohdx8hyl59kU0safDnwnRuQOTzoI
	bN1ngEywcf8X/Di8n6g75VSf0i0w8E2dKYC80nVZHy8sIAf3yM3ySLe3k/SplwCYTIwP
	iDqlMR+E2LtRnXvvSeZL0LjiMwgHlc4f1nK/QDWB5MeqMBPpKweUpqMZYIC48WUamNYm
	feHWZ0C/hDYMBkahRaOqbM3HzB0Lglxl1CD9TMoZZnAm3DY4YvGueHBxsXs3ysLd+p8Z
	Dm7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:mime-version:content-transfer-encoding;
	bh=84cTxpgM+SGVx+aOlHanQlpoTjcesrH/R5IV7CbKX/Y=;
	b=FQvTOPG+0vCcDAlK1opVIY7OVZdtrXrX5VcNCA/I6nacKLxX24wSh+g3ASXFRARNCZ
	UKW5nR5nrJq1GBycIeOHkuJ7l1R1JD1pnzXM7/D+nGJH7wJr9p5495j1DC2TJWoUd3bQ
	9fCFwbFqZJcVXzvKtKvPe7QfEuImC3PCtMMCBsGes9txvP+qWhsgoCWDp/7dvqcJD4zr
	qkUTAPj4ZA4yS3h9BUkDP+oTtfXQf0ng++BpE24g0QsTcatNs9ahe8hcOADUzep6kPOv
	PjXbBl4Nxhjf7M/HMTOw6U9t+PQQpri3nJ+cQjXnEZoiwKgABEfBFdxP/QMg/P0eL6jQ
	1Orw==
X-Gm-Message-State: APjAAAViHWLdw8ciOsvcBQeP5OILTY2ARKjsbewc/GNJtqWXsfjb1nlV
	C1dMuS0p4U+LeDhlG56+E1lftb03
X-Google-Smtp-Source: 
 APXvYqzmF01S76pdpJ6lZRzaZi5YVrz5PmYic7OvgyXstyA+u8NI1ji4mw26pWymGDBp8mIAtWWpZQ==
X-Received: by 2002:a50:e40a:: with SMTP id
	d10mr45371742edm.194.1568317440095;
	Thu, 12 Sep 2019 12:44:00 -0700 (PDT)
Received: from dell.be.48ers.dk (d51a5bc31.access.telenet.be.
	[81.165.188.49]) by smtp.gmail.com with ESMTPSA id
	n8sm1380363ejk.85.2019.09.12.12.43.59
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Thu, 12 Sep 2019 12:43:59 -0700 (PDT)
Received: from peko by dell.be.48ers.dk with local (Exim 4.92)
	(envelope-from <peko@dell.be.48ers.dk>)
	id 1i8V0Y-0007Hp-K1; Thu, 12 Sep 2019 21:43:58 +0200
From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Date: Thu, 12 Sep 2019 21:43:53 +0200
Message-Id: <20190912194354.27963-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Subject: [Buildroot] [PATCH 1/2] package/nghttp2: security bump to version
	1.39.2
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
Cc: Peter Korsgaard <peter@korsgaard.com>, Anisse Astier <anisse@astier.eu>
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Fixes the following security issues:

CVE-2019-9511: Data Dribble
CVE-2019-9513: Resource Loop

For details, see the advisory:
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/

Notice that libnghttp2 itself is not affected by these vulnerabilities, only
nghttpx and nghttpd (which are currently not built).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/nghttp2/nghttp2.hash | 2 +-
 package/nghttp2/nghttp2.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/nghttp2/nghttp2.hash b/package/nghttp2/nghttp2.hash
index a56f56f222..e0512e891b 100644
--- a/package/nghttp2/nghttp2.hash
+++ b/package/nghttp2/nghttp2.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 760981ab5703d3ed185eccb322321d379453974357a3263971a928c2879a43bf  nghttp2-1.37.0.tar.gz
+sha256 fc820a305e2f410fade1a3260f09229f15c0494fc089b0100312cd64a33a38c0  nghttp2-1.39.2.tar.gz
 sha256 6b94f3abc1aabd0c72a7c7d92a77f79dda7c8a0cb3df839a97890b4116a2de2a  COPYING
diff --git a/package/nghttp2/nghttp2.mk b/package/nghttp2/nghttp2.mk
index 7ce28b41fc..6a5ec72847 100644
--- a/package/nghttp2/nghttp2.mk
+++ b/package/nghttp2/nghttp2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGHTTP2_VERSION = 1.37.0
+NGHTTP2_VERSION = 1.39.2
 NGHTTP2_SITE = https://github.com/nghttp2/nghttp2/releases/download/v$(NGHTTP2_VERSION)
 NGHTTP2_LICENSE = MIT
 NGHTTP2_LICENSE_FILES = COPYING