Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
@ 2024-05-08 20:49 Fabrice Fontaine
  2024-05-09 14:31 ` Thomas Petazzoni via buildroot
  2024-05-31 15:17 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2024-05-08 20:49 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

- Use official tarball and so drop autoreconf
- Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
  https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
- Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
  time) to verify authentication, which makes it easier to bypass
  authentication via a timing side channel.

https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libjwt/libjwt.hash | 4 ++--
 package/libjwt/libjwt.mk   | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/libjwt/libjwt.hash b/package/libjwt/libjwt.hash
index 47e8b2c506..adc32c3a26 100644
--- a/package/libjwt/libjwt.hash
+++ b/package/libjwt/libjwt.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  cb2fd95123689e7d209a3a8c060e02f68341c9a5ded524c0cd881a8cd20d711f  libjwt-1.15.3.tar.gz
-sha256  fab3dd6bdab226f1c08630b1dd917e11fcb4ec5e1e020e2c16f83a0a13863e85  LICENSE
+sha256  b8b257da9b64ba9075fce3a3f670ae02dee7fc95ab7009a2e1ad60905e3f8d48  libjwt-1.17.0.tar.bz2
+sha256  3f3d9e0024b1921b067d6f7f88deb4a60cbe7a78e76c64e3f1d7fc3b779b9d04  LICENSE
diff --git a/package/libjwt/libjwt.mk b/package/libjwt/libjwt.mk
index 8929904d10..f143ba4b62 100644
--- a/package/libjwt/libjwt.mk
+++ b/package/libjwt/libjwt.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-LIBJWT_VERSION = 1.15.3
-LIBJWT_SITE = $(call github,benmcollins,libjwt,v$(LIBJWT_VERSION))
+LIBJWT_VERSION = 1.17.0
+LIBJWT_SITE = https://github.com/benmcollins/libjwt/releases/download/v$(LIBJWT_VERSION)
+LIBJWT_SOURCE = libjwt-$(LIBJWT_VERSION).tar.bz2
 LIBJWT_DEPENDENCIES = host-pkgconf jansson
-LIBJWT_AUTORECONF = YES
 LIBJWT_INSTALL_STAGING = YES
 LIBJWT_LICENSE = MPL-2.0
 LIBJWT_LICENSE_FILES = LICENSE
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
  2024-05-08 20:49 [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0 Fabrice Fontaine
@ 2024-05-09 14:31 ` Thomas Petazzoni via buildroot
  2024-05-31 15:17 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-05-09 14:31 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

On Wed,  8 May 2024 22:49:10 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> - Use official tarball and so drop autoreconf
> - Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
>   https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
> - Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
>   time) to verify authentication, which makes it easier to bypass
>   authentication via a timing side channel.
> 
> https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/libjwt/libjwt.hash | 4 ++--
>  package/libjwt/libjwt.mk   | 6 +++---
>  2 files changed, 5 insertions(+), 5 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
  2024-05-08 20:49 [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0 Fabrice Fontaine
  2024-05-09 14:31 ` Thomas Petazzoni via buildroot
@ 2024-05-31 15:17 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-05-31 15:17 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Use official tarball and so drop autoreconf
 > - Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
 >   https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
 > - Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
 >   time) to verify authentication, which makes it easier to bypass
 >   authentication via a timing side channel.

 > https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2024.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-05-31 15:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-08 20:49 [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0 Fabrice Fontaine
2024-05-09 14:31 ` Thomas Petazzoni via buildroot
2024-05-31 15:17 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox