[Buildroot] [PATCH 1/2] package/libhtp: bump to version 0.5.45

[Buildroot] [PATCH 1/2] package/libhtp: bump to version 0.5.45

[Fabrice Fontaine]

https://github.com/OISF/libhtp/blob/0.5.45/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libhtp/libhtp.hash | 2 +-
 package/libhtp/libhtp.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libhtp/libhtp.hash b/package/libhtp/libhtp.hash
index 8759823e16..c016cb3439 100644
--- a/package/libhtp/libhtp.hash
+++ b/package/libhtp/libhtp.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  0afaff837c295c868db8c967b87b1b5e21c0386c15c3b5ead474799724c54ef8  libhtp-0.5.40.tar.gz
+sha256  d4214f94522fa5a1ec1909dbb52831c534788d93bc6b2ca8252de9332b11b606  libhtp-0.5.45.tar.gz
 sha256  87c93904e5434c81622ea690c2b90097b9f162aaa92a96542649a157dbf98d15  LICENSE
diff --git a/package/libhtp/libhtp.mk b/package/libhtp/libhtp.mk
index bb8aa73b42..8a732d1d5c 100644
--- a/package/libhtp/libhtp.mk
+++ b/package/libhtp/libhtp.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBHTP_VERSION = 0.5.40
+LIBHTP_VERSION = 0.5.45
 LIBHTP_SITE = $(call github,OISF,libhtp,$(LIBHTP_VERSION))
 LIBHTP_LICENSE = BSD-3-Clause
 LIBHTP_LICENSE_FILES = LICENSE
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/2] package/suricata: security bump to version 6.0.14

[Fabrice Fontaine]

- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
  adversary who controls an external source of rules), a dataset
  filename, that comes from a rule, may trigger absolute or relative
  directory traversal, and lead to write access to a local filesystem.
  This is addressed in 6.0.13 by requiring allow-absolute-filenames and
  allow-write (in the datasets rules configuration section) if an
  installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
  controls an external source of Lua rules may be able to execute Lua
  code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
  is true in the security lua configuration section.
- Drop first patch (not needed since
  https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)

https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 .checkpackageignore                           |  3 +-
 ...ure-proper-shabang-on-python-scripts.patch | 47 -------------------
 ...low-the-user-to-override-RUST_TARGET.patch | 35 --------------
 package/suricata/suricata.hash                |  2 +-
 package/suricata/suricata.mk                  |  5 +-
 5 files changed, 4 insertions(+), 88 deletions(-)
 delete mode 100644 package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
 delete mode 100644 package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index b41ab6918e..61de4d79a1 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1360,8 +1360,7 @@ package/statserial/0001-ncurses-link.patch Upstream
 package/stunnel/S50stunnel Indent Shellcheck Variables
 package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
 package/supervisor/S99supervisord Variables
-package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream
-package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
+package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
 package/suricata/S99suricata Shellcheck
 package/swupdate/swupdate.sh Shellcheck
 package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
diff --git a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch b/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
deleted file mode 100644
index 424b30d317..0000000000
--- a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 44fe2328b715db25134ee095526d2fa47e6cd834 Mon Sep 17 00:00:00 2001
-From: "Yann E. MORIN" <yann.morin.1998@free.fr>
-Date: Wed, 1 Jan 2020 15:25:57 +0100
-Subject: [PATCH] python: ensure proper shabang on python scripts
-
-When instlling python scripts, distutils would use the python used to
-run setup.py as shabang for the scripts it installs.
-
-However, when cross-compiling, this is most often not correct.
-
-Instead, using '/usr/bin/env python' is guaranteed to find the proper
-python in the PATH, so we need to instruct setyup.py to use that as the
-executable.
-
-[yann.morin.1998@free.fr:
-  - author did not provide their SoB, but it's simple enough to
-    not require it for once
-  - provide proper commit log
-]
-Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
-[Fabrice: update for 6.0.0]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- python/Makefile.am | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/python/Makefile.am b/python/Makefile.am
-index 59d195f29..a41604f72 100644
---- a/python/Makefile.am
-+++ b/python/Makefile.am
-@@ -6,11 +6,11 @@ EXTRA_DIST =	setup.py \
- if HAVE_PYTHON_DISTUTILS
- all-local:
- 	cd $(srcdir) && \
--		$(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)"
-+		$(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)"
- 
- install-exec-local:
- 	cd $(srcdir) && \
--		$(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)" \
-+		$(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)" \
- 		install --prefix $(DESTDIR)$(prefix)
- 
- uninstall-local:
--- 
-2.20.1
-
diff --git a/package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch b/package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
deleted file mode 100644
index ec876a6852..0000000000
--- a/package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7ab4d5eb55e1d3900390b76e5f46e80e22d4e80e Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sat, 10 Oct 2020 21:34:21 +0200
-Subject: [PATCH] configure.ac: allow the user to override RUST_TARGET
-
-When cross-compiling, RUST_TARGET is not always equal to host_triplet
-(e.g. buildroot) so allow the user to override this default value
-through RUST_TARGET environment variable
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- configure.ac | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 32c230209..7d7c9373f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2489,7 +2489,12 @@ fi
-     have_rust_vendor="no"
- 
-     if test "x$cross_compiling" = "xyes"; then
--      RUST_SURICATA_LIB_XC_DIR="${host_alias}/"
-+      if test "x$RUST_TARGET" != "x"; then
-+        RUST_SURICATA_LIB_XC_DIR="$RUST_TARGET/"
-+        AC_SUBST([RUST_TARGET],["--target $RUST_TARGET"])
-+      else
-+        RUST_SURICATA_LIB_XC_DIR="${host_alias}/"
-+      fi
-     else
-       if test "x$CARGO_BUILD_TARGET" = "x"; then
-         RUST_SURICATA_LIB_XC_DIR=
--- 
-2.28.0
-
diff --git a/package/suricata/suricata.hash b/package/suricata/suricata.hash
index 38ab5e9cd3..49341984a2 100644
--- a/package/suricata/suricata.hash
+++ b/package/suricata/suricata.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839  suricata-6.0.6.tar.gz
+sha256  cfa93de900d0fd8ba67c79fddec58fb7afb8f6c45b0773040035a15407b796ce  suricata-6.0.14.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk
index 72b72cc94d..2aa5a0c5ed 100644
--- a/package/suricata/suricata.mk
+++ b/package/suricata/suricata.mk
@@ -4,13 +4,12 @@
 #
 ################################################################################
 
-SURICATA_VERSION = 6.0.6
+SURICATA_VERSION = 6.0.14
 SURICATA_SITE = https://www.openinfosecfoundation.org/download
 SURICATA_LICENSE = GPL-2.0
 SURICATA_LICENSE_FILES = COPYING LICENSE
 SURICATA_CPE_ID_VENDOR = oisf
-# 0001-python-ensure-proper-shabang-on-python-scripts.patch
-# 0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
+# 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
 SURICATA_AUTORECONF = YES
 
 SURICATA_DEPENDENCIES = \
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/libhtp: bump to version 0.5.45

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > https://github.com/OISF/libhtp/blob/0.5.45/ChangeLog
 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/2] package/suricata: security bump to version 6.0.14

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
 >   adversary who controls an external source of rules), a dataset
 >   filename, that comes from a rule, may trigger absolute or relative
 >   directory traversal, and lead to write access to a local filesystem.
 >   This is addressed in 6.0.13 by requiring allow-absolute-filenames and
 >   allow-write (in the datasets rules configuration section) if an
 >   installation requires traversal/writing in this situation.
 > - Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
 >   controls an external source of Lua rules may be able to execute Lua
 >   code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
 >   is true in the security lua configuration section.
 > - Drop first patch (not needed since
 >   https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)

 > https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 >  .checkpackageignore                           |  3 +-
 >  ...ure-proper-shabang-on-python-scripts.patch | 47 -------------------
 >  ...low-the-user-to-override-RUST_TARGET.patch | 35 --------------
 >  package/suricata/suricata.hash                |  2 +-
 >  package/suricata/suricata.mk                  |  5 +-
 >  5 files changed, 4 insertions(+), 88 deletions(-)
 >  delete mode 100644 package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
 >  delete mode 100644 package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch

Hmm, did you mean to rename patch 0002 rather than delete it?

 > diff --git a/.checkpackageignore b/.checkpackageignore
 > index b41ab6918e..61de4d79a1 100644
 > --- a/.checkpackageignore
 > +++ b/.checkpackageignore
 > @@ -1360,8 +1360,7 @@ package/statserial/0001-ncurses-link.patch Upstream
 >  package/stunnel/S50stunnel Indent Shellcheck Variables
 >  package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
 >  package/supervisor/S99supervisord Variables
 > -package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream
 > -package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
 > +package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/libhtp: bump to version 0.5.45

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > https://github.com/OISF/libhtp/blob/0.5.45/ChangeLog
 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot