[Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Aug 5 21:48:36 UTC 2021


On Thu,  5 Aug 2021 23:25:40 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:

> After more than a decade, libESMTP version 1.0.6 is superseded. Despite
> proving robust a little bitrot has occurred, especially regarding
> OpenSSL support. The original application data APIs are prone to memory
> leaks and are deprecated in favour of safer replacements. Version 1.1
> updates libESMTP without breaking API and ABI compatibility and
> provides a basis for future development.
> 
> In addition to updates to the codebase, documentation is modernised and
> is more comprehensive.
> 
> All libESMTP users are encouraged to upgrade from version 1.0.6.
> 
> - Update license files
> - Update indentation in hash file (two spaces)
> - Switch to meson-package
> - Handle threads and tls meson options
> - libesmtp-config has been dropped:
>   https://github.com/libesmtp/libESMTP/issues/8
> - Fix CVE-2019-19977: libESMTP through 1.0.6 mishandles domain copying
>   into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as
>   demonstrated by a stack-based buffer over-read.
> 
> https://github.com/libesmtp/libESMTP/releases/tag/v1.1.0
> https://libesmtp.github.io/changes-since-v1.0.6.html
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
>  package/libesmtp/Config.in     |  1 +
>  package/libesmtp/libesmtp.hash |  6 +++---
>  package/libesmtp/libesmtp.mk   | 24 +++++++++++++++++-------
>  3 files changed, 21 insertions(+), 10 deletions(-)

Wow, it's a massive bump for a security bump. So, I've applied to
master, but it's a bit risky. Could you make sure that collectd and
syslog-ng continue to build fine after this bump ?

Applied to master anyway, thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com