Message ID | 20161202201652.17515-1-peter@korsgaard.com
---|---
State | Accepted
Hello,

On Fri, 2 Dec 2016 21:16:52 +0100, Peter Korsgaard wrote:
> c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
> information at https://c-ares.haxx.se/adv_20160929.html

Thanks. What about our c-ares package itself?

Thomas
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:

> Hello,
> On Fri, 2 Dec 2016 21:16:52 +0100, Peter Korsgaard wrote:
>> c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
>> information at https://c-ares.haxx.se/adv_20160929.html

> Thanks. What about our c-ares package itself?

That one was fixed quite some time ago:

commit 2d199dcff054d22a1ccc730fadfc7543b8c6e8f3
Author: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Wed Oct 12 20:17:17 2016 -0300

    c-ares: security bump to version 1.12.0

    Fixes:
    CVE-2016-5180 - ares_create_query single byte out of buffer write

    Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

I don't know enough about node to know if it can be convinced to use a
system c-ares instead of the embedded copy. Anyone?
Hello,

On Fri, 02 Dec 2016 22:11:13 +0100, Peter Korsgaard wrote:
> >>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
>
> > Hello,
> > On Fri, 2 Dec 2016 21:16:52 +0100, Peter Korsgaard wrote:
> >> c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
> >> information at https://c-ares.haxx.se/adv_20160929.html
>
> > Thanks. What about our c-ares package itself?
>
> That one was fixed quite some time ago:
>
> commit 2d199dcff054d22a1ccc730fadfc7543b8c6e8f3
> Author: Gustavo Zacarias <gustavo@zacarias.com.ar>
> Date: Wed Oct 12 20:17:17 2016 -0300
>
>     c-ares: security bump to version 1.12.0
>
>     Fixes:
>     CVE-2016-5180 - ares_create_query single byte out of buffer write
>
>     Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
>     Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Ah, ok. Sorry, I didn't check that 1.12.0 fixed the issue. Thanks for
confirming.

Thomas
Hello,

On Fri, 2 Dec 2016 21:16:52 +0100, Peter Korsgaard wrote:
> c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
> information at https://c-ares.haxx.se/adv_20160929.html
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  .../{0.10.47 => 0.10.48}/0001-remove-python-bz2-dependency.patch | 0
>  .../{0.10.47 => 0.10.48}/0002-gyp-force-link-command-to-use-CXX.patch | 0
>  .../{0.10.47 => 0.10.48}/0003-fix-musl-USE-MISC-build-issue.patch | 0
>  .../nodejs/{0.10.47 => 0.10.48}/0004-Fix-support-for-uClibc-ng.patch | 0
>  package/nodejs/Config.in | 2 +-
>  package/nodejs/nodejs.hash | 4 ++--
>  6 files changed, 3 insertions(+), 3 deletions(-)
>  rename package/nodejs/{0.10.47 => 0.10.48}/0001-remove-python-bz2-dependency.patch (100%)
>  rename package/nodejs/{0.10.47 => 0.10.48}/0002-gyp-force-link-command-to-use-CXX.patch (100%)
>  rename package/nodejs/{0.10.47 => 0.10.48}/0003-fix-musl-USE-MISC-build-issue.patch (100%)
>  rename package/nodejs/{0.10.47 => 0.10.48}/0004-Fix-support-for-uClibc-ng.patch (100%)

Applied to master, thanks.

Thomas
diff --git a/package/nodejs/0.10.47/0001-remove-python-bz2-dependency.patch b/package/nodejs/0.10.48/0001-remove-python-bz2-dependency.patch similarity index 100% rename from package/nodejs/0.10.47/0001-remove-python-bz2-dependency.patch rename to package/nodejs/0.10.48/0001-remove-python-bz2-dependency.patch diff --git a/package/nodejs/0.10.47/0002-gyp-force-link-command-to-use-CXX.patch b/package/nodejs/0.10.48/0002-gyp-force-link-command-to-use-CXX.patch similarity index 100% rename from package/nodejs/0.10.47/0002-gyp-force-link-command-to-use-CXX.patch rename to package/nodejs/0.10.48/0002-gyp-force-link-command-to-use-CXX.patch diff --git a/package/nodejs/0.10.47/0003-fix-musl-USE-MISC-build-issue.patch b/package/nodejs/0.10.48/0003-fix-musl-USE-MISC-build-issue.patch similarity index 100% rename from package/nodejs/0.10.47/0003-fix-musl-USE-MISC-build-issue.patch rename to package/nodejs/0.10.48/0003-fix-musl-USE-MISC-build-issue.patch diff --git a/package/nodejs/0.10.47/0004-Fix-support-for-uClibc-ng.patch b/package/nodejs/0.10.48/0004-Fix-support-for-uClibc-ng.patch similarity index 100% rename from package/nodejs/0.10.47/0004-Fix-support-for-uClibc-ng.patch rename to package/nodejs/0.10.48/0004-Fix-support-for-uClibc-ng.patch diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in index a47ba37..832152b 100644 --- a/package/nodejs/Config.in +++ b/package/nodejs/Config.in @@ -44,7 +44,7 @@ config BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS config BR2_PACKAGE_NODEJS_VERSION_STRING string default "6.9.1" if BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS - default "0.10.47" + default "0.10.48" config BR2_PACKAGE_NODEJS_NPM bool "NPM for the target" diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index 5df79af..e55bb16 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash 
@@ -1,5 +1,5 @@ -# From upstream URL: http://nodejs.org/dist/v0.10.47/SHASUMS256.txt -sha256 335bdf4db702885a8acaf2c9f241c70cabd62497361da81aca65c8e8a8e7ff09 node-v0.10.47.tar.xz +# From upstream URL: http://nodejs.org/dist/v0.10.48/SHASUMS256.txt +sha256 365a93d9acc076a0d93f087d269f376abeebccad599a9dab72f2f6ed96c8ae6e node-v0.10.48.tar.xz # From upstream URL: http://nodejs.org/dist/v6.9.1/SHASUMS256.txt sha256 0bdd8d1305777cc8cd206129ea494d6c6ce56001868dd80147aff531d6df0729 node-v6.9.1.tar.xz
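Review bot: the four rename hunks move the 0.10.47 patches to the 0.10.48 directory unchanged (similarity index 100%), so the diff itself gives no evidence that they still apply to the new tarball; the commit message should state that the patches were confirmed to apply cleanly against node-v0.10.48, since a silent failure here would leave the musl and uClibc-ng fixes out of the build.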
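Review bot: the Config.in hunk only moves the fallback default (`default "0.10.47"` to `default "0.10.48"`) used when BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS is unset, while the `default "6.9.1"` line is left as is; because the commit message cites only the c-ares advisory and not the node release, it should say whether the 6.9.1 build was checked for the same bundled c-ares issue or is deliberately out of scope, so a reader can tell the other version string was considered rather than overlooked.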
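Review bot: in the nodejs.hash hunk the new sha256 for node-v0.10.48.tar.xz is recorded against a plain-http source (`# From upstream URL: http://nodejs.org/dist/v0.10.48/SHASUMS256.txt`), which only guards against later tampering with the tarball, not against a substituted checksum file; the commit message should note how the value was cross-checked (for example against an https fetch of the same file or the release announcement) so the hash line carries that provenance.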
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 .../{0.10.47 => 0.10.48}/0001-remove-python-bz2-dependency.patch | 0
 .../{0.10.47 => 0.10.48}/0002-gyp-force-link-command-to-use-CXX.patch | 0
 .../{0.10.47 => 0.10.48}/0003-fix-musl-USE-MISC-build-issue.patch | 0
 .../nodejs/{0.10.47 => 0.10.48}/0004-Fix-support-for-uClibc-ng.patch | 0
 package/nodejs/Config.in | 2 +-
 package/nodejs/nodejs.hash | 4 ++--
 6 files changed, 3 insertions(+), 3 deletions(-)
 rename package/nodejs/{0.10.47 => 0.10.48}/0001-remove-python-bz2-dependency.patch (100%)
 rename package/nodejs/{0.10.47 => 0.10.48}/0002-gyp-force-link-command-to-use-CXX.patch (100%)
 rename package/nodejs/{0.10.47 => 0.10.48}/0003-fix-musl-USE-MISC-build-issue.patch (100%)
 rename package/nodejs/{0.10.47 => 0.10.48}/0004-Fix-support-for-uClibc-ng.patch (100%)