* [Buildroot] [PATCH RESEND] package/icu: bump to version 68-1
@ 2020-11-23 10:07 Heiko Stuebner
  2020-11-23 12:20 ` Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Heiko Stuebner @ 2020-11-23 10:07 UTC (permalink / raw)
  To: buildroot

From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>

This includes the fix [0] for CVE-2020-10531.

[0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
---
I'm not sure if I did something wrong in the initial submission,
but so far got no response at all, so am including some more
people who recently committed changes to icu.

As this fixes a CVE, I guess this might need some sort of priority.

 package/icu/icu.hash | 2 +-
 package/icu/icu.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/icu/icu.hash b/package/icu/icu.hash
index 5c10008d8a..8067b8e217 100644
--- a/package/icu/icu.hash
+++ b/package/icu/icu.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  94a80cd6f251a53bd2a997f6f1b5ac6653fe791dfab66e1eb0227740fb86d5dc  icu4c-67_1-src.tgz
+sha256  a9f2e3d8b4434b8e53878b4308bd1e6ee51c9c7042e2b1a376abefb6fbb29f2d  icu4c-68_1-src.tgz
 sha256  25e21013a7bc2fad735e28c5278a120e4c7f1c327c8c8b9b4df1751748cddbb2  LICENSE
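Review bot: the LICENSE line is carried over unchanged, so this hunk silently assumes the LICENSE file inside icu4c-68_1-src.tgz is byte-identical to the one in 67_1; if it is not, the download step fails the hash check, so the commit message should state that the LICENSE hash was re-verified against the new tarball. Also, the file is marked "# Locally computed", which means the new sha256 only pins whatever tarball the submitter happened to download; before treating it as a supply-chain control, cross-check the digest against an independently obtained copy (and against any checksum or signature upstream publishes alongside the release, where one exists) and say so in the message.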
diff --git a/package/icu/icu.mk b/package/icu/icu.mk
index c07ca2da3b..8d0288578c 100644
--- a/package/icu/icu.mk
+++ b/package/icu/icu.mk
@@ -7,7 +7,7 @@
 # Git tags (and therefore versions on release-monitoring.org) use the
 # XX-Y format, but the tarballs are named XX_Y and the containing
 # directories XX.Y.
-ICU_VERSION = 67-1
+ICU_VERSION = 68-1
 ICU_SOURCE = icu4c-$(subst -,_,$(ICU_VERSION))-src.tgz
 ICU_SITE = \
 	https://github.com/unicode-org/icu/releases/download/release-$(ICU_VERSION)
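Review bot: the commit message credits this bump with fixing CVE-2020-10531, but nothing in the hunk or the message records how that was established; before the subject is reworded as a "security bump" (as suggested in the reply), confirm that the referenced fix commit b7d08bc is absent from the 67-1 tag and present in 68-1, and record the testing done (the qt5 build on a real target mentioned downthread) in the message, since that is exactly what the maintainer asks for. The mechanics of the bump are consistent on their own: with ICU_VERSION = 68-1, ICU_SOURCE expands via the subst to icu4c-68_1-src.tgz, which matches the filename added to icu.hash, and ICU_SITE resolves to the release-68-1 tag directory.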
-- 
2.28.0


* [Buildroot] [PATCH RESEND] package/icu: bump to version 68-1
  2020-11-23 10:07 [Buildroot] [PATCH RESEND] package/icu: bump to version 68-1 Heiko Stuebner
@ 2020-11-23 12:20 ` Peter Korsgaard
  2020-11-23 14:25   ` Heiko Stübner
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2020-11-23 12:20 UTC (permalink / raw)
  To: buildroot

>>>>> "Heiko" == Heiko Stuebner <heiko@sntech.de> writes:

 > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
 > This includes the fix [0] for CVE-2020-10531.

 > [0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

 > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
 > ---
 > I'm not sure if I did something wrong in the initial submission,
 > but so far got no response at all, so am including some more
 > people who recently committed changes to icu.

 > As this fixes a CVE, I guess this might need some sort of priority.

There are quite a few pending patches. It would be good to explicitly mark
it as a security fix, e.g. 'package/icu: security bump to version 68-1',
to make sure it isn't missed for master, as package bumps otherwise now
only go to next as we are busy getting 2020.11 stabilized and released.

How much have you tested this? New icu releases unfortunately have a
tendency to cause various breakage. Would it be an option to backport
this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
for next?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH RESEND] package/icu: bump to version 68-1
  2020-11-23 12:20 ` Peter Korsgaard
@ 2020-11-23 14:25   ` Heiko Stübner
  2020-11-23 15:11     ` Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Heiko Stübner @ 2020-11-23 14:25 UTC (permalink / raw)
  To: buildroot

Hi Peter,

On Monday, 23 November 2020, 13:20:20 CET, Peter Korsgaard wrote:
> >>>>> "Heiko" == Heiko Stuebner <heiko@sntech.de> writes:
> 
>  > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
>  > This includes the fix [0] for CVE-2020-10531.
> 
>  > [0] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
> 
>  > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
>  > ---
>  > I'm not sure if I did something wrong in the initial submission,
>  > but so far got no response at all, so am including some more
>  > people who recently committed changes to icu.
> 
>  > As this fixes a CVE, I guess this might need some sort of priority.
> 
> There are quite a few pending patches. It would be good to explicitly mark
> it as a security fix, e.g. 'package/icu: security bump to version 68-1',
> to make sure it isn't missed for master, as package bumps otherwise now
> only go to next as we are busy getting 2020.11 stabilized and released.
> 
> How much have you tested this? New icu releases unfortunately have a
> tendency to cause various breakage. Would it be an option to backport
> this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
> for next?

This is running on a device we're doing right now as part of qt5 and a qt5
main application for a week now (on a buildroot 2020.05 base), and I didn't
hear about any specific hiccups so far.

But while re-researching the CVE I noticed that it (now) marks versions up to
66.1 as affected - I do remember reading 67.1 there [0] before, though I don't
have proof that it's not just my eyes ;-) .

So the 67.1 in buildroot is actually secure and doesn't need an update.

So I'll re-send this as v2 without the security-related text then ;-) .


Heiko


[0] https://nvd.nist.gov/vuln/detail/CVE-2020-10531

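As an added example (not part of this thread, and not Buildroot's or ICU's own tooling), here is a small Python script that does the two checks this exchange turns on: it normalises the three ICU version spellings noted in the icu.mk comment (68-1 git tag, 68_1 tarball, 68.1 directory) so a packaged version can be compared against the NVD "through 66.1" bound Heiko describes, and it parses a Buildroot .hash file to verify a downloaded tarball the way the download step does. The icu.hash contents are copied from the patch above, the 66.1 bound is taken from Heiko's reading of the NVD entry, and all function names are my own.

```python
import hashlib
import re
from typing import Dict, Tuple

# Constructed sample input: package/icu/icu.hash as it reads after the bump
# in the patch above (copied from the diff, not fetched from Buildroot).
ICU_HASH_TEXT = """\
# Locally computed
sha256  a9f2e3d8b4434b8e53878b4308bd1e6ee51c9c7042e2b1a376abefb6fbb29f2d  icu4c-68_1-src.tgz
sha256  25e21013a7bc2fad735e28c5278a120e4c7f1c327c8c8b9b4df1751748cddbb2  LICENSE
"""

# Assumption taken from the thread: NVD lists CVE-2020-10531 as affecting
# ICU "through 66.1", i.e. 66.1 itself is still vulnerable.
CVE_2020_10531_LAST_AFFECTED = "66.1"


def normalize_icu_version(version: str) -> Tuple[int, ...]:
    """Turn any of ICU's spellings (68-1 git tag, 68_1 tarball, 68.1
    directory) into a tuple of ints that compares numerically."""
    parts = re.split(r"[-_.]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ICU version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(packaged: str, last_affected: str) -> bool:
    """True when `packaged` <= `last_affected` (NVD 'through X' semantics)."""
    return normalize_icu_version(packaged) <= normalize_icu_version(last_affected)


def tarball_name(icu_version: str) -> str:
    """Same rule as ICU_SOURCE in icu.mk: 68-1 -> icu4c-68_1-src.tgz."""
    return f"icu4c-{icu_version.replace('-', '_')}-src.tgz"


def parse_buildroot_hash(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse a Buildroot .hash file into {filename: (algorithm, hexdigest)}.
    Lines are '<algo>  <hex>  <file>'; comments and blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed hash line: {raw!r}")
        algo, digest, name = fields
        entries[name] = (algo.lower(), digest.lower())
    return entries


def digest_bytes(data: bytes, algo: str) -> str:
    """Hex digest of in-memory data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def verify_file(path: str, expected: Tuple[str, str]) -> bool:
    """Stream a file through the expected algorithm and compare digests.
    This mirrors what Buildroot's download step does against the .hash file."""
    algo, digest = expected
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == digest


def audit(icu_version: str, hash_text: str, last_affected: str) -> Dict[str, object]:
    """Tie the two checks together: does the .hash file pin the tarball the
    .mk version implies, and is that version inside the CVE's affected range?"""
    entries = parse_buildroot_hash(hash_text)
    name = tarball_name(icu_version)
    return {
        "tarball": name,
        "pinned": name in entries,
        "affected": is_affected(icu_version, last_affected),
    }


if __name__ == "__main__":
    # The three Buildroot branches and ICU versions mentioned in the thread.
    for branch, version in (("2020.02.x", "65-1"), ("2020.11", "67-1"), ("next", "68-1")):
        print(branch, audit(version, ICU_HASH_TEXT, CVE_2020_10531_LAST_AFFECTED))
```

Run stand-alone it reports 65-1 (the 2020.02.x version Peter mentions) as affected and 67-1 and 68-1 as not, which is the conclusion the thread reaches; the "pinned" flag is only true for 68-1 because the sample .hash file is the post-bump one. `verify_file` takes a path to a real download and is what you would call after fetching the tarball.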

* [Buildroot] [PATCH RESEND] package/icu: bump to version 68-1
  2020-11-23 14:25   ` Heiko Stübner
@ 2020-11-23 15:11     ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2020-11-23 15:11 UTC (permalink / raw)
  To: buildroot

>>>>> "Heiko" == Heiko Stübner <heiko@sntech.de> writes:

Hi,

 >> There are quite a few pending patches. It would be good to explicitly mark
 >> it as a security fix, e.g. 'package/icu: security bump to version 68-1',
 >> to make sure it isn't missed for master, as package bumps otherwise now
 >> only go to next as we are busy getting 2020.11 stabilized and released.
 >> 
 >> How much have you tested this? New icu releases unfortunately have a
 >> tendency to cause various breakage. Would it be an option to backport
 >> this fix to the 67-1 release for 2020.11 / 2020.02 and only bump to 68-1
 >> for next?

 > This is running on a device we're doing right now as part of qt5 and a qt5
 > main application for a week now (on a buildroot 2020.05 base), and I didn't
 > hear about any specific hiccups so far.

Ok.

 > But while re-researching the CVE I noticed that it (now) marks versions up to
 > 66.1 as affected - I do remember reading 67.1 there [0] before, though I don't
 > have proof that it's not just my eyes ;-) .

heh ;)

 > So the 67.1 in buildroot is actually secure and doesn't need an update.

Except for 2020.02.x, which has 65-1. I'll fix that.

 > So I'll re-send this as v2 without the security-related text then ;-) .

Great, thanks!

-- 
Bye, Peter Korsgaard

