From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0
Date: Thu, 5 Aug 2021 23:48:36 +0200 [thread overview]
Message-ID: <20210805234836.77fde375@windsurf> (raw)
In-Reply-To: <20210805212540.3032007-1-fontaine.fabrice@gmail.com>
On Thu, 5 Aug 2021 23:25:40 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> After more than a decade, libESMTP version 1.0.6 is superceded. Despite
> proving robust a little bitrot has occurred, especially regarding
> OpenSSL support. The original application data APIs are prone to memory
> leaks and are deprecated in favour of safer replacements. Version 1.1
> updates libESMTP without breaking API and ABI compatibility and
> provides a basis for future development.
>
> In addition to updates to the codebase, documentation is modernised and
> is more comprehensive.
>
> All libESMTP users are encouraged to upgrade from version 1.0.6.
>
> - Update license files
> - Update indentation in hash file (two spaces)
> - Switch to meson-package
> - Handle threads and tls meson options
> - libesmtp-config has been dropped:
> https://github.com/libesmtp/libESMTP/issues/8
> - Fix CVE-2019-19977: libESMTP through 1.0.6 mishandles domain copying
> into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as
> demonstrated by a stack-based buffer over-read.
>
> https://github.com/libesmtp/libESMTP/releases/tag/v1.1.0
> https://libesmtp.github.io/changes-since-v1.0.6.html
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libesmtp/Config.in | 1 +
> package/libesmtp/libesmtp.hash | 6 +++---
> package/libesmtp/libesmtp.mk | 24 +++++++++++++++++-------
> 3 files changed, 21 insertions(+), 10 deletions(-)
Wow, it's a massive bump for a security bump. So, I've applied to
master, but it's a bit risky. Could you make sure that collectd and
syslog-ng continue to build fine after this bump ?
Applied to master anyway, thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
next prev parent reply other threads:[~2021-08-05 21:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-05 21:25 [Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0 Fabrice Fontaine
2021-08-05 21:48 ` Thomas Petazzoni [this message]
2021-08-08 19:15 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210805234836.77fde375@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@buildroot.org \
--cc=eric.le.bihan.dev@free.fr \
--cc=fontaine.fabrice@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.