* [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0
@ 2024-10-29 15:49 Marcus Hoffmann via buildroot
  2024-10-29 15:51 ` Marcus Hoffmann via buildroot
  2024-10-29 20:22 ` Thomas Petazzoni via buildroot
  0 siblings, 2 replies; 4+ messages in thread
From: Marcus Hoffmann via buildroot @ 2024-10-29 15:49 UTC
  To: buildroot

Changelog:
* https://github.com/nghttp2/nghttp2/releases/tag/v1.59.0
* https://github.com/nghttp2/nghttp2/releases/tag/v1.60.0
* https://github.com/nghttp2/nghttp2/releases/tag/v1.61.0
* https://github.com/nghttp2/nghttp2/releases/tag/v1.62.0
* https://github.com/nghttp2/nghttp2/releases/tag/v1.63.0
* https://github.com/nghttp2/nghttp2/releases/tag/v1.64.0

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
 package/nghttp2/nghttp2.hash | 2 +-
 package/nghttp2/nghttp2.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/nghttp2/nghttp2.hash b/package/nghttp2/nghttp2.hash
index dddf6fe1bd..4b60d6d143 100644
--- a/package/nghttp2/nghttp2.hash
+++ b/package/nghttp2/nghttp2.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  4a68a3040da92fd9872c056d0f6b0cd60de8410de10b578f8ade9ecc14d297e0  nghttp2-1.58.0.tar.xz
+sha256  88bb94c9e4fd1c499967f83dece36a78122af7d5fb40da2019c56b9ccc6eb9dd  nghttp2-1.64.0.tar.xz
 sha256  6b94f3abc1aabd0c72a7c7d92a77f79dda7c8a0cb3df839a97890b4116a2de2a  COPYING
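Review bot: the new tarball hash on the `nghttp2-1.64.0.tar.xz` line stays under the unchanged `# Locally calculated` comment, so nothing in the hunk ties it to an upstream-published value; it reflects one download by the submitter. Worth stating in the commit log how it was computed, and recomputing it from an independent fetch before applying. The `COPYING` hash is carried over unchanged across the jump from 1.58.0 to 1.64.0, which holds only if the license file in the new tarball is byte-identical, so confirm that as well.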
diff --git a/package/nghttp2/nghttp2.mk b/package/nghttp2/nghttp2.mk
index 7a05e38fa9..98f837e28e 100644
--- a/package/nghttp2/nghttp2.mk
+++ b/package/nghttp2/nghttp2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGHTTP2_VERSION = 1.58.0
+NGHTTP2_VERSION = 1.64.0
 NGHTTP2_SOURCE =  nghttp2-$(NGHTTP2_VERSION).tar.xz
 NGHTTP2_SITE = https://github.com/nghttp2/nghttp2/releases/download/v$(NGHTTP2_VERSION)
 NGHTTP2_LICENSE = MIT
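Review bot: `NGHTTP2_VERSION` moves from 1.58.0 straight to 1.64.0 and this is the only line touched, while the commit log carries six changelog URLs and no summary. For a jump of six upstream releases the log should say whether any of them changed build requirements, configure options or the license, so a reviewer can see that a version-only change is sufficient.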
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0
  2024-10-29 15:49 [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0 Marcus Hoffmann via buildroot
@ 2024-10-29 15:51 ` Marcus Hoffmann via buildroot
  2024-11-13 16:46   ` Peter Korsgaard
  2024-10-29 20:22 ` Thomas Petazzoni via buildroot
  1 sibling, 1 reply; 4+ messages in thread
From: Marcus Hoffmann via buildroot @ 2024-10-29 15:51 UTC
  To: buildroot

On 29.10.24 16:49, Marcus Hoffmann via buildroot wrote:
> Changelog:
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.59.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.60.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.61.0

Turns out that this fixes a security issue:

Fixes: CVE-2024-28182 [1] - Reading unbounded number of HTTP/2
        CONTINUATION frames to cause excessive CPU usage

[1]: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q

> * https://github.com/nghttp2/nghttp2/releases/tag/v1.62.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.63.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.64.0
> 
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
>   package/nghttp2/nghttp2.hash | 2 +-
>   package/nghttp2/nghttp2.mk   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/nghttp2/nghttp2.hash b/package/nghttp2/nghttp2.hash
> index dddf6fe1bd..4b60d6d143 100644
> --- a/package/nghttp2/nghttp2.hash
> +++ b/package/nghttp2/nghttp2.hash
> @@ -1,3 +1,3 @@
>   # Locally calculated
> -sha256  4a68a3040da92fd9872c056d0f6b0cd60de8410de10b578f8ade9ecc14d297e0  nghttp2-1.58.0.tar.xz
> +sha256  88bb94c9e4fd1c499967f83dece36a78122af7d5fb40da2019c56b9ccc6eb9dd  nghttp2-1.64.0.tar.xz
>   sha256  6b94f3abc1aabd0c72a7c7d92a77f79dda7c8a0cb3df839a97890b4116a2de2a  COPYING
> diff --git a/package/nghttp2/nghttp2.mk b/package/nghttp2/nghttp2.mk
> index 7a05e38fa9..98f837e28e 100644
> --- a/package/nghttp2/nghttp2.mk
> +++ b/package/nghttp2/nghttp2.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -NGHTTP2_VERSION = 1.58.0
> +NGHTTP2_VERSION = 1.64.0
>   NGHTTP2_SOURCE =  nghttp2-$(NGHTTP2_VERSION).tar.xz
>   NGHTTP2_SITE = https://github.com/nghttp2/nghttp2/releases/download/v$(NGHTTP2_VERSION)
>   NGHTTP2_LICENSE = MIT
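Review bot: the CVE-2024-28182 reference is missing from the commit message that goes with the `NGHTTP2_VERSION = 1.64.0` bump; it appears only in this reply's interleaved text. A v2 with "security bump" in the subject and the `Fixes:` line plus the advisory URL in the commit log would keep that information in the git history and make the change easy to pick for stable branches.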


* Re: [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0
  2024-10-29 15:49 [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0 Marcus Hoffmann via buildroot
  2024-10-29 15:51 ` Marcus Hoffmann via buildroot
@ 2024-10-29 20:22 ` Thomas Petazzoni via buildroot
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-10-29 20:22 UTC
  To: Marcus Hoffmann via buildroot; +Cc: Marcus Hoffmann

On Tue, 29 Oct 2024 16:49:10 +0100
Marcus Hoffmann via buildroot <buildroot@buildroot.org> wrote:

> Changelog:
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.59.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.60.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.61.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.62.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.63.0
> * https://github.com/nghttp2/nghttp2/releases/tag/v1.64.0
> 
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
>  package/nghttp2/nghttp2.hash | 2 +-
>  package/nghttp2/nghttp2.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master after updating the commit title and log to indicate
that it's a security bump. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH] package/nghttp2: bump to 1.64.0
  2024-10-29 15:51 ` Marcus Hoffmann via buildroot
@ 2024-11-13 16:46   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-11-13 16:46 UTC
  To: Marcus Hoffmann via buildroot; +Cc: Marcus Hoffmann

>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:

 > On 29.10.24 16:49, Marcus Hoffmann via buildroot wrote:
 >> Changelog:
 >> * https://github.com/nghttp2/nghttp2/releases/tag/v1.59.0
 >> * https://github.com/nghttp2/nghttp2/releases/tag/v1.60.0
 >> * https://github.com/nghttp2/nghttp2/releases/tag/v1.61.0

 > Turns out that this fixes a security issue:

 > Fixes: CVE-2024-28182 [1] - Reading unbounded number of HTTP/2
 >        CONTINUATION frames to cause excessive CPU usage

 > [1]:
 > https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q

Committed to 2024.02.x and 2024.08.x, thanks.

-- 
Bye, Peter Korsgaard