[1/1] package/libupnp: set LIBUPNP_CPE_ID_VALID

Message ID 20210111201441.1414609-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine Jan. 11, 2021, 8:14 p.m. UTC
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libupnp/libupnp.mk | 1 +
 1 file changed, 1 insertion(+)

Comments

Thomas Petazzoni Jan. 11, 2021, 8:37 p.m. UTC | #1
On Mon, 11 Jan 2021 21:14:41 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/libupnp/libupnp.mk | 1 +
>  1 file changed, 1 insertion(+)

Applied to master after adding more details to the commit log. Note
that we have a strange situation with this package: libupnp is stuck at
1.6.x, libupnp is stuck at 1.8.x, while the latest upstream version
known by the CPE dictionary is 1.12.x.

Thomas
Fabrice Fontaine Jan. 11, 2021, 8:41 p.m. UTC | #2
Hi Thomas,

On Mon, Jan 11, 2021 at 21:37, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Mon, 11 Jan 2021 21:14:41 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  package/libupnp/libupnp.mk | 1 +
> >  1 file changed, 1 insertion(+)
>
> Applied to master after adding more details to the commit log. Note
> that we have a strange situation with this package: libupnp is stuck at
> 1.6.x, libupnp is stuck at 1.8.x, while the latest upstream version
> known by the CPE dictionary is 1.12.x.
I sent a patch series in September to bump libupnp to the latest version:
https://patchwork.ozlabs.org/project/buildroot/list/?series=198748

I think it should be reviewed and applied especially because libupnp
1.6 and 1.8 are old and vulnerable to Call Stranger.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice
Thomas Petazzoni Jan. 11, 2021, 8:54 p.m. UTC | #3
On Mon, 11 Jan 2021 21:41:34 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> I sent a patch series in September to bump libupnp to the latest version:
> https://patchwork.ozlabs.org/project/buildroot/list/?series=198748
> 
> I think it should be reviewed and applied especially because libupnp
> 1.6 and 1.8 are old and vulnerable to Call Stranger.

Ah right. I was also surprised when I saw libupnp/libupnp18, as I
remember seeing patches that were finally resolving this annoyance. But
seems like indeed those patches have not yet been reviewed/applied. We
should get to that, I guess!

Thanks!

Thomas

Patch

diff --git a/package/libupnp/libupnp.mk b/package/libupnp/libupnp.mk
index 8831885ba4..b7836590c2 100644
--- a/package/libupnp/libupnp.mk
+++ b/package/libupnp/libupnp.mk
@@ -11,5 +11,6 @@  LIBUPNP_CONF_ENV = ac_cv_lib_compat_ftime=no
 LIBUPNP_INSTALL_STAGING = YES
 LIBUPNP_LICENSE = BSD-3-Clause
 LIBUPNP_LICENSE_FILES = LICENSE
+LIBUPNP_CPE_ID_VALID = YES
 
 $(eval $(autotools-package))
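
Review bot: the added `LIBUPNP_CPE_ID_VALID = YES` line arrives with a commit message that has no body and with no `LIBUPNP_CPE_ID_VENDOR` or `LIBUPNP_CPE_ID_PRODUCT` override in the hunk, so nothing here records which CPE identifier was checked against the dictionary. Please spell out the full identifier in the commit log so the match can be verified later. Since the thread says this package is stuck at 1.6.x while the dictionary knows versions up to 1.12.x, the log should also note that CVE matching against the packaged version is expected to report open issues (Call Stranger is mentioned in the discussion) until the pending version bump series is applied.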