* [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls
@ 2021-02-16 8:07 Fabrice Fontaine
2021-02-16 8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16 8:07 UTC (permalink / raw)
To: buildroot
MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85
So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/mongoose/mongoose.mk | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index ae20965be4..996cbff757 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -16,14 +16,10 @@ MONGOOSE_CFLAGS = $(TARGET_CFLAGS)
ifeq ($(BR2_PACKAGE_OPENSSL),y)
MONGOOSE_DEPENDENCIES += openssl
-MONGOOSE_CFLAGS += \
- -DMG_ENABLE_SSL \
- -DMG_SSL_IF=MG_SSL_IF_OPENSSL
+MONGOOSE_CFLAGS += -DMG_ENABLE_OPENSSL=1
else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
MONGOOSE_DEPENDENCIES += mbedtls
-MONGOOSE_CFLAGS += \
- -DMG_ENABLE_SSL \
- -DMG_SSL_IF=MG_SSL_IF_MBEDTLS
+MONGOOSE_CFLAGS += -DMG_ENABLE_MBEDTLS=1
endif
define MONGOOSE_BUILD_CMDS
--
2.30.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1
2021-02-16 8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
@ 2021-02-16 8:07 ` Fabrice Fontaine
2021-02-16 19:40 ` Peter Korsgaard
2021-02-16 8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
2021-02-16 19:35 ` [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Peter Korsgaard
2 siblings, 1 reply; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16 8:07 UTC (permalink / raw)
To: buildroot
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
to remote OOB write attack via connection request after exhausting
memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
write attack via connection request after exhausting memory pool.
https://github.com/cesanta/mongoose/releases/tag/7.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/mongoose/mongoose.hash | 2 +-
package/mongoose/mongoose.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index 149c0f5866..d9ed76c4ac 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 28206185873b5c448765f56e54d86a7af5a856b0b5f241aa44ac94bf34af7eee mongoose-7.0.tar.gz
+sha256 f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b mongoose-7.1.tar.gz
sha256 9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05 LICENSE
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 996cbff757..5c331cf48e 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -4,7 +4,7 @@
#
################################################################################
-MONGOOSE_VERSION = 7.0
+MONGOOSE_VERSION = 7.1
MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
MONGOOSE_LICENSE = GPL-2.0
MONGOOSE_LICENSE_FILES = LICENSE
--
2.30.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR
2021-02-16 8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
2021-02-16 8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
@ 2021-02-16 8:07 ` Fabrice Fontaine
2021-02-16 19:41 ` Peter Korsgaard
2021-02-16 19:35 ` [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Peter Korsgaard
2 siblings, 1 reply; 6+ messages in thread
From: Fabrice Fontaine @ 2021-02-16 8:07 UTC (permalink / raw)
To: buildroot
cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/mongoose/mongoose.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 5c331cf48e..0974c76446 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -8,6 +8,7 @@ MONGOOSE_VERSION = 7.1
MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
MONGOOSE_LICENSE = GPL-2.0
MONGOOSE_LICENSE_FILES = LICENSE
+MONGOOSE_CPE_ID_VENDOR = cesenta
MONGOOSE_INSTALL_STAGING = YES
# static library
MONGOOSE_INSTALL_TARGET = NO
--
2.30.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls
2021-02-16 8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
2021-02-16 8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
2021-02-16 8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
@ 2021-02-16 19:35 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:35 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
> https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85
> So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1
2021-02-16 8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
@ 2021-02-16 19:40 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:40 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
> Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
> connection request after exhausting memory pool.
> - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
> server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
> to remote OOB write attack via connection request after exhausting
> memory pool.
> - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
> server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
> write attack via connection request after exhausting memory pool.
> https://github.com/cesanta/mongoose/releases/tag/7.1
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR
2021-02-16 8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
@ 2021-02-16 19:41 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-16 19:41 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-02-16 19:41 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-16 8:07 [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Fabrice Fontaine
2021-02-16 8:07 ` [Buildroot] [PATCH 2/3] package/mongoose: security bump to version 7.1 Fabrice Fontaine
2021-02-16 19:40 ` Peter Korsgaard
2021-02-16 8:07 ` [Buildroot] [PATCH 3/3] package/mongoose: add MONGOOSE_CPE_ID_VENDOR Fabrice Fontaine
2021-02-16 19:41 ` Peter Korsgaard
2021-02-16 19:35 ` [Buildroot] [PATCH 1/3] package/mongoose: fix activation of openssl/mbedtls Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.