Fixes: XSA-286, XSA-345, XSA-346 & XSA-347. CVEs not yet assigned

musl-hvmloader-fix-stdint.patch rebased

Leo authored 4 years ago and Henrik Riomar committed 4 years ago

Backport from edge to fix #12067

(cherry picked from commit eb1b72f4)

CVE-2020-15810
CVE-2020-15811
CVE-2020-24606

fixes #11896

See: #12052

CVE-2019-5747 was fixed in 1.29.3-r10 commit cf43a775
(main/busybox: security fixes (CVE-2018-20679, CVE-2019-5747))

The backported patch was later removed in commit 397f0cd9
(main/busybox: upgrade to 1.30.0) and added back again in 1.30.1-r2,
commit d310e6a3 (main/busybox: backport fix for CVE-2019-5747).

Adjust secfixes comment accordingly.

ref #11914

we backported the CVE-2017-* secfixes to 2.6-r7

CVE-2019-11555 was fixed in 2.7-r3

ref #11914

Upstream claimed[1] that CVE-2018-10393 is a duplicate of CVE-2017-14160
but added follow up patch[2]. We applied this patch in 1.3.6-r2.

[1]: https://gitlab.xiph.org/xiph/vorbis/-/issues/2334#note_52200
[2]: https://gitlab.xiph.org/xiph/vorbis/-/commit/a9eb99a5bd6f2d7da02d6cd13a428baf3a1bf48c

ref #11914

Fix for CVE-2019-3832 was incomplete and got a follow up CVE-2019-3832.
They were fixed in 1.0.28-r8. Update secfixes comment accordingly.

ref https://nvd.nist.gov/vuln/detail/CVE-2019-3832
ref #11914

commit 8fe31093 (main/sqlite: security fixes (CVE-2019-19242,
CVE-2019-19244)) had a typo that introduced a duplicate entry in
secfixes comment which was removed in commit d674ed89
({main,community}/*: remove duplicate CVEs). fix the typo instead of
simply remove the dupe.

ref #11914

CVE-2018-14629 was fixed in 4.8.11 according
https://www.samba.org/samba/history/samba-4.8.11.html

fixes commit d674ed89 ({main,community}/*: remove duplicate CVEs).

ref #11914

We moved to 2.4 after 2.2.8. Adjust secfixes comment accordingly. Fixes
commit e8d61b9a (community/wireshark: security upgrade to 2.6.20).

The compressed .tgz patch that was added in 9.26-r1 was never applied.
The issue was fixed in 9.26-r2.

ref #11914

fixes commit d674ed89 ({main,community}/*: remove duplicate CVEs)

Emergency security upgrade

This reverts commit 96a5e5e0.

It fails to build due to incompatibility with libuv 1.38.0:

    ../src/node.cc: In function 'int node::Start(int, char**)':
    ../src/node.cc:1022:42: error: 'UV_METRICS_IDLE_TIME' was not declared in this scope
     1022 |     uv_loop_configure(uv_default_loop(), UV_METRICS_IDLE_TIME);
          |

I'm sorry for this, I didn't test it on v3.12 before pushing. :(

Resolves #12028

Sören Tempel authored 4 years ago and Natanael Copa committed 4 years ago

Alternative solution would be to rename these man pages. This can be
implemented later if desired, the current approach (i.e. removing
conflict man pages) is also taken by other aports (e.g.
heirloom-doctools).

fixes #8450

(cherry picked from commit 4d714d9b)

fixes #11968

(cherry picked from commit 0ec748ac)