From patchwork Tue Feb 16 08:07:55 2021
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1440846
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Pierre-Jean Texier, Fabrice Fontaine
Date: Tue, 16 Feb 2021 09:07:55 +0100
Message-Id: <20210216080756.1635858-2-fontaine.fabrice@gmail.com>
In-Reply-To: <20210216080756.1635858-1-fontaine.fabrice@gmail.com>
References: <20210216080756.1635858-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1

- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose
  HTTP server 7.0 is vulnerable to remote OOB write attack via connection
  request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to
  remote OOB write attack via connection request after exhausting memory
  pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
  write attack via connection request after exhausting memory pool.

https://github.com/cesanta/mongoose/releases/tag/7.1

Signed-off-by: Fabrice Fontaine --- package/mongoose/mongoose.hash | 2 +- package/mongoose/mongoose.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash index 149c0f5866..d9ed76c4ac 100644 --- a/package/mongoose/mongoose.hash +++ b/package/mongoose/mongoose.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 28206185873b5c448765f56e54d86a7af5a856b0b5f241aa44ac94bf34af7eee mongoose-7.0.tar.gz +sha256 f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b mongoose-7.1.tar.gz sha256 9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05 LICENSE diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk index 996cbff757..5c331cf48e 100644 --- a/package/mongoose/mongoose.mk +++ b/package/mongoose/mongoose.mk @@ -4,7 +4,7 @@ # ################################################################################ -MONGOOSE_VERSION = 7.0 +MONGOOSE_VERSION = 7.1 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION)) MONGOOSE_LICENSE = GPL-2.0 MONGOOSE_LICENSE_FILES = LICENSE
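
Review bot: The new sha256 for mongoose-7.1.tar.gz in package/mongoose/mongoose.hash sits under the "# Locally computed" comment, so it only records what the submitter's machine downloaded and the patch shows nothing to cross-check it against. Since MONGOOSE_SITE fetches through the github helper, whoever applies this should re-download the 7.1 tag archive and confirm the digest independently before merging. The LICENSE hash is an unchanged context line, which is consistent with MONGOOSE_LICENSE staying GPL-2.0.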
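
Review bot: Backport scope is not stated for the MONGOOSE_VERSION = 7.1 bump in package/mongoose/mongoose.mk. The commit message lists CVE-2021-26529 as affecting 6.7-6.18 as well as 7.0, so it would help to say whether any maintained branch still carries a 6.x mongoose and needs its own fix. Nothing else in the .mk changes to accommodate the new release, so a line confirming that 7.1 was build-tested would also be useful.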