From patchwork Thu Apr 22 07:50:16 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?J=C3=B6rg_Krause?=
 <joerg.krause@embedded.rocks>
X-Patchwork-Id: 1469045
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming-buildroot@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net
 (client-ip=140.211.166.133; helo=smtp2.osuosl.org;
 envelope-from=buildroot-bounces@busybox.net; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="key not found in DNS" header.d=embedded.rocks
 header.i=@embedded.rocks header.a=rsa-sha256 header.s=default
 header.b=NNkKJurJ;
	dkim-atps=neutral
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4FQqN65zjVz9sTD
	for <incoming-buildroot@patchwork.ozlabs.org>;
 Thu, 22 Apr 2021 17:50:30 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp2.osuosl.org (Postfix) with ESMTP id 289254041F;
	Thu, 22 Apr 2021 07:50:28 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp2.osuosl.org ([127.0.0.1])
	by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id m2ZaCPPXqHgJ; Thu, 22 Apr 2021 07:50:27 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by smtp2.osuosl.org (Postfix) with ESMTP id 9B0DA40172;
	Thu, 22 Apr 2021 07:50:26 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by ash.osuosl.org (Postfix) with ESMTP id E61201BF352
 for <buildroot@lists.busybox.net>; Thu, 22 Apr 2021 07:50:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id D533960648
 for <buildroot@lists.busybox.net>; Thu, 22 Apr 2021 07:50:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=neutral
 reason="invalid (public key: not available)" header.d=embedded.rocks
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id CJZ2eHxZkOBo for <buildroot@lists.busybox.net>;
 Thu, 22 Apr 2021 07:50:24 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.141])
 by smtp3.osuosl.org (Postfix) with ESMTPS id BF9416063B
 for <buildroot@buildroot.org>; Thu, 22 Apr 2021 07:50:24 +0000 (UTC)
Received: from submission (posteo.de [89.146.220.130])
 by mout01.posteo.de (Postfix) with ESMTPS id AD415240027
 for <buildroot@buildroot.org>; Thu, 22 Apr 2021 09:50:21 +0200 (CEST)
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4FQqMx101rz9rxQ
 for <buildroot@buildroot.org>; Thu, 22 Apr 2021 09:50:21 +0200 (CEST)
Authentication-Results: mail.embedded.rocks (amavisd-new); dkim=pass
 reason="pass (just generated, assumed good)" header.d=embedded.rocks
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=embedded.rocks;
 h=content-transfer-encoding:content-type:content-type
 :mime-version:x-mailer:message-id:date:date:subject:subject:from
 :from:received:received; s=default; t=1619077818; x=1619682619;
 bh=XpOuCUjQ4GxakzyJ2RGxvfHc9aRqDAM3dJulbf1Io1k=; b=NNkKJurJHCO+
 IC1fWYvwM/+/i9faqDcNS+F0GQUaeqsBTONiaqmNLGTbXAwbofS7/k+jvqjsly/z
 xELrzbE55/UR5R5hLOvGMJWZaMujhP2N0/TdjqW1SDAzQywmIs9PkfzbBBLoiVxW
 OwsaW2tJ4I7/r+sL7SkCy7ZxO/gO/i0aQb1UChYL8lkkf8ImnnHJ8OO83xm84ARR
 mES5Ac7K1EsG8YhRF+B+ntMPw5/t3E9LAqs7eRGXwQc7M2JSSYTYU3JDQTWGV9bp
 yQ398jcXm1BflK3VSQtNdm5EbkS0AQAAZzb1vQEa3J6y6NdX9N0DITxoyy1Ttq0j
 yfceJkgMbA==
Received: from mail.embedded.rocks ([127.0.0.1])
 by localhost (mail.embedded.rocks [127.0.0.1]) (amavisd-new, port 10025)
 with ESMTP id aI2vso--fZoG; Thu, 22 Apr 2021 09:50:18 +0200 (CEST)
Received: from nzxt.fritz.box (port-92-195-42-18.dynamic.as20676.net
 [92.195.42.18]) (Authenticated sender: joerg.krause@embedded.rocks)
 by mail.embedded.rocks (Postfix) with ESMTPSA;
 Thu, 22 Apr 2021 09:50:18 +0200 (CEST)
From: =?utf-8?q?J=C3=B6rg_Krause?= <joerg.krause@embedded.rocks>
To: buildroot@buildroot.org
Date: Thu, 22 Apr 2021 07:50:16 +0000
Message-Id: <20210422075016.91908-1-joerg.krause@embedded.rocks>
MIME-Version: 1.0
Subject: [Buildroot] [PATCH 1/1] package/libnpupnp: security bump to version
 4.1.4
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
 <mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
 <mailto:buildroot-request@busybox.net?subject=subscribe>
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Fix vulnerability to DNS-rebind attacks.

This security fix addresses the same vulnerability isue which was reported
for libupnp (which libnpupnp is derived from) in CVE-2021-29462.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
---
 package/libnpupnp/libnpupnp.hash | 4 ++--
 package/libnpupnp/libnpupnp.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libnpupnp/libnpupnp.hash b/package/libnpupnp/libnpupnp.hash
index d5053915f1..8451812eb7 100644
--- a/package/libnpupnp/libnpupnp.hash
+++ b/package/libnpupnp/libnpupnp.hash
@@ -1,5 +1,5 @@
-# Hash from: http://www.lesbonscomptes.com/upmpdcli/downloads/libnpupnp-4.1.1.tar.gz.sha256
-sha256  74703d49be52d29b52f59342ec7359178b127568399551d9d3f56bb7950fcc02  libnpupnp-4.1.3.tar.gz
+# Hash from: http://www.lesbonscomptes.com/upmpdcli/downloads/libnpupnp-4.1.4.tar.gz.sha256
+sha256  03506f02546e3b3d31b389e046c4691f020b82d315426ce79f1e2b1eb7958656  libnpupnp-4.1.4.tar.gz
 
 # Hash for license file:
 sha256  c8b99423cad48bb44e2cf52a496361404290865eac259a82da6d1e4331ececb3  COPYING
diff --git a/package/libnpupnp/libnpupnp.mk b/package/libnpupnp/libnpupnp.mk
index 0efddbf67f..6c6fa2f149 100644
--- a/package/libnpupnp/libnpupnp.mk
+++ b/package/libnpupnp/libnpupnp.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBNPUPNP_VERSION = 4.1.3
+LIBNPUPNP_VERSION = 4.1.4
 LIBNPUPNP_SITE = http://www.lesbonscomptes.com/upmpdcli/downloads
 LIBNPUPNP_LICENSE = BSD-3-Clause
 LIBNPUPNP_LICENSE_FILES = COPYING