This includes a fix for CVE-2020-16845 (encoding/binary: ReadUvarint and
ReadVarint can read an unlimited number of bytes from invalid inputs).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fixes https://github.com/openwrt/packages/issues/13016
Patch [1] broke compilation for python-pynacl.
The fix is to patch PyNaCl to consider that
PYNACL_HAS_CRYPTO_SCALARMULT_ED25519 is always available.
[1] 3ef28a4ab0
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
upgrade npm to 6.14.6
update openssl to 1.1.1g
Vulnerabilities fixed:
* CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
* CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
* CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Also:
* Remove patches that are included in the update
* Replace the python3 dependency with a smaller list (python3-urllib is
needed because it is a dependency of python3-email)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This version includes fixes for:
* CVE-2020-15801 - Fixes python3x._pth being ignored on Windows
* CVE-2019-20907 - Avoid infinite loop when reading specially crafted
TAR files using the tarfile module
This also:
* Remove patches that are included in the update
* Add a dependency in python3-distutils for python3-email[1]
[1]: https://github.com/python/cpython/blob/v3.8.5/Lib/distutils/dist.py#L10
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This version includes fixes for:
* CVE-2020-14422: Hash collisions in IPv4Interface and IPv6Interface
* CVE-2020-15523: Python uses invalid DLL path after calling Py_SetPath
on Windows
This version also includes support for OpenSSL 1.1.x builds that use
'no-deprecated' and '--api=1.1.0'[1], and so this removes the previous
OpenSSL-related patches.
This also backports fixes for security issues, including:
* CVE-2019-20907: Infinite loop in the tarfile module
This also updates the setuptools and pip packages to 47.1.0 and 20.1.1,
respectively.
[1]: https://github.com/python/cpython/pull/20566
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds a new Makefile variable, GO_PKG_TAGS, for Go packages. When
set, the value is passed as the parameter of the -tags option for 'go
install'.
This also updates syncthing to use this variable.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This reverts commit 33525fa8d5.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add me as co-maintainer, bump PKG_RELEASE, Makefile polishing]
Log:
pkg_resources.DistributionNotFound: The 'ciso8601==2.1.3' distribution was not found and is required by homeassistant
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This lets the Python build process set _PYTHON_HOST_PLATFORM instead of
forcing an explicit value.
Also:
* Save the target _PYTHON_HOST_PLATFORM value during Build/InstallDev
for use when building target Python packages (in python3-package.mk).
* Use the (mostly) default PYTHON_FOR_BUILD value, instead patch
configure to remove the platform triplet from the sysconfigdata file
name.
* Remove the "CROSS_COMPILE=yes" make variable (there is no indication
that this variable is necessary).
* Force host pip to build packages from source instead of downloading
binary wheels.
Previously, host pip can download universal (platform-independent)
wheels but not platform-specific wheels, because of the custom
_PYTHON_HOST_PLATFORM value. (Packages that do not have universal
wheels would be compiled from source.)
With a correct _PYTHON_HOST_PLATFORM, host pip can install
platform-specific wheels as well. However, the pre-built shared object
(.so) files in these wheels will have the host's platform triplet in
their file names. When target Python packages are built (using the
target's _PYTHON_HOST_PLATFORM), Python will not use these shared
object files.
By forcing host pip to build packages from source, the built shared
object files will not have the platform triplet in their file names.
(Host Python has been patched to remove the platform triplet from file
names.) This allows these packages to be used when building target
Python packages.
(The net effect of this complete change is that platform-dependent
packages will continue to be compiled from source, while
platform-independent packages will now also be compiled from source.)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The main user for this package was Seafile.
In the meantime, Seafile switch to PyMySQL.
https://pypi.org/project/PyMySQL/
PyMySQL seems to be a replacement for python-mysqlclient, and while it may
not be fully compatible with the MySQL API, it may be that those APIs
wouldn't be used.
This change drops this package.
If there is enough usage/reason to bring it back, we can.
For python-mysqlclient, the tag-line/description is:
```
This is a fork of MySQLdb1.
This project adds Python 3 support and bug fixes. I hope this fork is
merged back to MySQLdb1 like distribute was merged back to setuptools.
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>