* [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
@ 2024-05-08 20:49 Fabrice Fontaine
2024-05-09 14:31 ` Thomas Petazzoni via buildroot
2024-05-31 15:17 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2024-05-08 20:49 UTC
To: buildroot; +Cc: Fabrice Fontaine
- Use official tarball and so drop autoreconf
- Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
- Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
time) to verify authentication, which makes it easier to bypass
authentication via a timing side channel.
https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libjwt/libjwt.hash | 4 ++--
package/libjwt/libjwt.mk | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/libjwt/libjwt.hash b/package/libjwt/libjwt.hash
index 47e8b2c506..adc32c3a26 100644
--- a/package/libjwt/libjwt.hash
+++ b/package/libjwt/libjwt.hash
@@ -1,3 +1,3 @@
# Locally computed
-sha256 cb2fd95123689e7d209a3a8c060e02f68341c9a5ded524c0cd881a8cd20d711f libjwt-1.15.3.tar.gz
-sha256 fab3dd6bdab226f1c08630b1dd917e11fcb4ec5e1e020e2c16f83a0a13863e85 LICENSE
+sha256 b8b257da9b64ba9075fce3a3f670ae02dee7fc95ab7009a2e1ad60905e3f8d48 libjwt-1.17.0.tar.bz2
+sha256 3f3d9e0024b1921b067d6f7f88deb4a60cbe7a78e76c64e3f1d7fc3b779b9d04 LICENSE
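Review bot: the added sha256 line for libjwt-1.17.0.tar.bz2 stays under the existing "# Locally computed" comment, so the hash only records what the submitter downloaded and is not tied to anything upstream published. Because this bump also moves the download from the github helper to a release asset (the libjwt.mk hunk), it would be worth checking whether upstream provides a digest or signature for that asset and, if it does, referencing it in the comment above the hash; if it does not, "Locally computed" is accurate and can stay. The LICENSE hash change is already justified in the commit message by the upstream commit link, so no further comment is needed there.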
diff --git a/package/libjwt/libjwt.mk b/package/libjwt/libjwt.mk
index 8929904d10..f143ba4b62 100644
--- a/package/libjwt/libjwt.mk
+++ b/package/libjwt/libjwt.mk
@@ -4,10 +4,10 @@
#
################################################################################
-LIBJWT_VERSION = 1.15.3
-LIBJWT_SITE = $(call github,benmcollins,libjwt,v$(LIBJWT_VERSION))
+LIBJWT_VERSION = 1.17.0
+LIBJWT_SITE = https://github.com/benmcollins/libjwt/releases/download/v$(LIBJWT_VERSION)
+LIBJWT_SOURCE = libjwt-$(LIBJWT_VERSION).tar.bz2
LIBJWT_DEPENDENCIES = host-pkgconf jansson
-LIBJWT_AUTORECONF = YES
LIBJWT_INSTALL_STAGING = YES
LIBJWT_LICENSE = MPL-2.0
LIBJWT_LICENSE_FILES = LICENSE
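Review bot: removing LIBJWT_AUTORECONF = YES while pointing LIBJWT_SITE at releases/download means the build now runs the configure script shipped inside libjwt-$(LIBJWT_VERSION).tar.bz2 instead of one regenerated from the tagged sources. That drops the host autotools dependencies, which is a reasonable trade, but the release asset contains generated files that cannot be reproduced from the v$(LIBJWT_VERSION) tag alone, so the sha256 in libjwt.hash becomes the only thing pinning what gets built. Two follow-ups to consider: confirm the hash was taken from the exact URL that LIBJWT_SITE plus LIBJWT_SOURCE expands to, and keep in mind that any future Buildroot patch touching configure.ac or Makefile.am will need LIBJWT_AUTORECONF = YES restored.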
--
2.43.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
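The timing issue named in the commit message above (CVE-2024-25189, a signature check done with strcmp), as an added C illustration. It is not libjwt's or Buildroot's code; `early_exit_steps`, `sig_equal_ct` and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Models an early-exit comparison such as strcmp(): returns how many bytes
 * were examined before the result was known. The count grows with the length
 * of the matching prefix, which is what a timing side channel exposes. */
size_t early_exit_steps(const char *expected, const char *presented)
{
    size_t i = 0;
    while (expected[i] != '\0' && expected[i] == presented[i])
        i++;
    return i + 1; /* the byte that decided the result is examined too */
}

/* Constant-time check: always walks all of `expected` and folds every
 * difference into one accumulator, with no branch on secret contents.
 * Only the (public) lengths influence control flow. Production code should
 * prefer a vetted primitive such as OpenSSL's CRYPTO_memcmp(). */
int sig_equal_ct(const char *expected, size_t expected_len,
                 const char *presented, size_t presented_len)
{
    unsigned char diff = (unsigned char)(expected_len != presented_len);
    size_t i;

    for (i = 0; i < expected_len; i++) {
        unsigned char p = i < presented_len ? (unsigned char)presented[i] : 0;
        diff |= (unsigned char)((unsigned char)expected[i] ^ p);
    }
    return diff == 0;
}

int main(void)
{
    const char *good = "c2lnbmF0dXJl"; /* constructed sample signature */

    printf("first byte wrong: %zu bytes examined\n",
           early_exit_steps(good, "X2lnbmF0dXJl"));
    printf("last byte wrong:  %zu bytes examined\n",
           early_exit_steps(good, "c2lnbmF0dXJX"));
    printf("constant-time match: %d, mismatch: %d\n",
           sig_equal_ct(good, 12, good, 12),
           sig_equal_ct(good, 12, "c2lnbmF0dXJX", 12));
    return 0;
}
```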
* Re: [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
From: Thomas Petazzoni via buildroot @ 2024-05-09 14:31 UTC
To: Fabrice Fontaine; +Cc: buildroot
On Wed, 8 May 2024 22:49:10 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> - Use official tarball and so drop autoreconf
> - Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
> https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
> - Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
> time) to verify authentication, which makes it easier to bypass
> authentication via a timing side channel.
>
> https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libjwt/libjwt.hash | 4 ++--
> package/libjwt/libjwt.mk | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/libjwt: security bump to version 1.17.0
From: Peter Korsgaard @ 2024-05-31 15:17 UTC
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Use official tarball and so drop autoreconf
> - Update hash of LICENSE file, verbatim copy of the current MPL 2.0 with
> https://github.com/benmcollins/libjwt/commit/ebebb5027f37a85c40c072a02681e206d31875ca
> - Fix CVE-2024-25189: libjwt 1.15.3 uses strcmp (which is not constant
> time) to verify authentication, which makes it easier to bypass
> authentication via a timing side channel.
> https://github.com/benmcollins/libjwt/compare/v1.15.3...v1.17.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2024.02.x, thanks.
--
Bye, Peter Korsgaard