* [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls
@ 2021-02-16  8:07 Fabrice Fontaine
  2021-02-16  8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16  8:07 UTC
  To: buildroot

MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85

So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/mongoose/mongoose.mk | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index ae20965be4..996cbff757 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -16,14 +16,10 @@ MONGOOSE_CFLAGS = $(TARGET_CFLAGS)
 
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 MONGOOSE_DEPENDENCIES += openssl
-MONGOOSE_CFLAGS += \
-	-DMG_ENABLE_SSL \
-	-DMG_SSL_IF=MG_SSL_IF_OPENSSL
+MONGOOSE_CFLAGS += -DMG_ENABLE_OPENSSL=1
 else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
 MONGOOSE_DEPENDENCIES += mbedtls
-MONGOOSE_CFLAGS += \
-	-DMG_ENABLE_SSL \
-	-DMG_SSL_IF=MG_SSL_IF_MBEDTLS
+MONGOOSE_CFLAGS += -DMG_ENABLE_MBEDTLS=1
 endif
 
 define MONGOOSE_BUILD_CMDS
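
Review bot: The commit message should state the impact behind the two replaced MONGOOSE_CFLAGS assignments. If MG_ENABLE_SSL and MG_SSL_IF were dropped in 7.0, the old -D flags were accepted by the compiler but had no effect, so the static library was built without a TLS backend while openssl or mbedtls was still listed in MONGOOSE_DEPENDENCIES, and nothing failed at build time. Please say that explicitly and reference the Buildroot commit that bumped the package to 7.0, so the fix is picked up for every branch carrying that version. Since the ifeq / else ifeq chain has no final else, a one-line comment that TLS support is compiled out when neither library is selected would also help readers of the .mk file.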
-- 
2.30.0


* [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1
  2021-02-16  8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
@ 2021-02-16  8:07 ` Fabrice Fontaine
  2021-02-16 19:40   ` Peter Korsgaard
  2021-02-16  8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
  2021-02-16 19:35 ` [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Peter Korsgaard
  2 siblings, 1 reply; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16  8:07 UTC
  To: buildroot

- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
  Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
  connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
  to remote OOB write attack via connection request after exhausting
  memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
  write attack via connection request after exhausting memory pool.

https://github.com/cesanta/mongoose/releases/tag/7.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/mongoose/mongoose.hash | 2 +-
 package/mongoose/mongoose.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index 149c0f5866..d9ed76c4ac 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  28206185873b5c448765f56e54d86a7af5a856b0b5f241aa44ac94bf34af7eee  mongoose-7.0.tar.gz
+sha256  f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b  mongoose-7.1.tar.gz
 sha256  9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05  LICENSE
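
Review bot: The new sha256 line for mongoose-7.1.tar.gz stays under "# Locally computed", so the file records no upstream-published checksum or signature to compare against. For a security bump it is worth stating in the commit message that the hash was taken from the GitHub archive of tag 7.1, so a reviewer can re-download and reproduce it. The unchanged LICENSE hash is consistent with the licence text not having changed between 7.0 and 7.1.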
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 996cbff757..5c331cf48e 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MONGOOSE_VERSION = 7.0
+MONGOOSE_VERSION = 7.1
 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
 MONGOOSE_LICENSE = GPL-2.0
 MONGOOSE_LICENSE_FILES = LICENSE
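
Review bot: Changing MONGOOSE_VERSION from 7.0 to 7.1 only fixes trees that are already on 7.0, while the commit message lists CVE-2021-26529 as also affecting 6.7-6.18. Please note whether any maintained branch still ships a 6.x version and needs this bump or a separate fix. Two of the three CVEs are in mg_tls_init, which is only relevant when a TLS backend is compiled in, so this patch should be backported together with 1/3 rather than on its own.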
-- 
2.30.0


* [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR
  2021-02-16  8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
  2021-02-16  8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
@ 2021-02-16  8:07 ` Fabrice Fontaine
  2021-02-16 19:41   ` Peter Korsgaard
  2021-02-16 19:35 ` [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Peter Korsgaard
  2 siblings, 1 reply; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16  8:07 UTC
  To: buildroot

cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/mongoose/mongoose.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 5c331cf48e..0974c76446 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -8,6 +8,7 @@ MONGOOSE_VERSION = 7.1
 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
 MONGOOSE_LICENSE = GPL-2.0
 MONGOOSE_LICENSE_FILES = LICENSE
+MONGOOSE_CPE_ID_VENDOR = cesenta
 MONGOOSE_INSTALL_STAGING = YES
 # static library
 MONGOOSE_INSTALL_TARGET = NO
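
Review bot: The added line MONGOOSE_CPE_ID_VENDOR = cesenta does not match the vendor in the commit message, which gives the valid identifier as cpe:2.3:a:cesanta:mongoose ("cesenta" versus "cesanta"). With the misspelled vendor the CPE ID generated for this package will not match the NVD entries, so CVE matching against it would report nothing for mongoose. The line should read MONGOOSE_CPE_ID_VENDOR = cesanta.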
-- 
2.30.0


* [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls
  2021-02-16  8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
  2021-02-16  8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
  2021-02-16  8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
@ 2021-02-16 19:35 ` Peter Korsgaard
  2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:35 UTC
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
 > https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85

 > So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1
  2021-02-16  8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
@ 2021-02-16 19:40   ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:40 UTC
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
 >   Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
 >   connection request after exhausting memory pool.
 > - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
 >   server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
 >   to remote OOB write attack via connection request after exhausting
 >   memory pool.
 > - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
 >   server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
 >   write attack via connection request after exhausting memory pool.

 > https://github.com/cesanta/mongoose/releases/tag/7.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR
  2021-02-16  8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
@ 2021-02-16 19:41   ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:41 UTC
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:
 >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
