Message ID | 20241113211522.31841-1-ju.o@free.fr |
---|---|
State | Accepted |
Series | [1/1] package/tiff: security bump to version 4.7.0 |
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:

> For the release note, see:
> http://www.simplesystems.org/libtiff/releases/v4.7.0.html

> This commit also adds the _SOURCE variable, to switch to the xz
> archive, which saves ~1.5MB. The _SITE url is also updated to switch
> to the https protocol.

> This commit also adds a comment in the hash file about pgp signature
> verification.

> Fixes:
> - https://nvd.nist.gov/vuln/detail/CVE-2023-6277
> - https://nvd.nist.gov/vuln/detail/CVE-2023-52356
> - https://nvd.nist.gov/vuln/detail/CVE-2024-7006

> Signed-off-by: Julien Olivain <ju.o@free.fr>
> ---
> Patch tested in:

> Minimal config, only BR2_PACKAGE_TIFF=y:
> https://gitlab.com/jolivain/buildroot/-/pipelines/1541199649

> Maximal config, all BR2_PACKAGE_TIFF.*=y:
> https://gitlab.com/jolivain/buildroot/-/pipelines/1541210686

Committed, thanks.
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:

> For the release note, see:
> http://www.simplesystems.org/libtiff/releases/v4.7.0.html

> This commit also adds the _SOURCE variable, to switch to the xz
> archive, which saves ~1.5MB. The _SITE url is also updated to switch
> to the https protocol.

> This commit also adds a comment in the hash file about pgp signature
> verification.

> Fixes:
> - https://nvd.nist.gov/vuln/detail/CVE-2023-6277
> - https://nvd.nist.gov/vuln/detail/CVE-2023-52356
> - https://nvd.nist.gov/vuln/detail/CVE-2024-7006

> Signed-off-by: Julien Olivain <ju.o@free.fr>
> ---
> Patch tested in:

> Minimal config, only BR2_PACKAGE_TIFF=y:
> https://gitlab.com/jolivain/buildroot/-/pipelines/1541199649

> Maximal config, all BR2_PACKAGE_TIFF.*=y:
> https://gitlab.com/jolivain/buildroot/-/pipelines/1541210686

Committed to 2024.02.x and 2024.08.x, thanks.
diff --git a/package/tiff/tiff.hash b/package/tiff/tiff.hash index 3aae7dc4d5..5e2dcca73c 100644 --- a/package/tiff/tiff.hash +++ b/package/tiff/tiff.hash @@ -1,3 +1,5 @@ -# Locally computed -sha256 88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a tiff-4.6.0.tar.gz +# Locally computed after checking pgp signature +# https://download.osgeo.org/libtiff/tiff-4.7.0.tar.xz.sig +# with key: B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D +sha256 273a0a73b1f0bed640afee4a5df0337357ced5b53d3d5d1c405b936501f71017 tiff-4.7.0.tar.xz sha256 0780558a8bfba0af1160ec1ff11ade4f41c0d7deafd6ecfc796b492a788e380d LICENSE.md diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk index 0e5e0dd48a..5d7219d7da 100644 --- a/package/tiff/tiff.mk +++ b/package/tiff/tiff.mk @@ -4,8 +4,9 @@ # ################################################################################ -TIFF_VERSION = 4.6.0 -TIFF_SITE = http://download.osgeo.org/libtiff +TIFF_VERSION = 4.7.0 +TIFF_SOURCE = tiff-$(TIFF_VERSION).tar.xz +TIFF_SITE = https://download.osgeo.org/libtiff TIFF_LICENSE = tiff license TIFF_LICENSE_FILES = LICENSE.md TIFF_CPE_ID_VENDOR = libtiff
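Review bot: in the tiff.hash hunk, the unchanged `sha256 0780558a... LICENSE.md` line now sits directly under the new "Locally computed after checking pgp signature" comment block, so it reads as if the license hash was also covered by the signature check. Add a separate `# Locally computed` line above the LICENSE.md entry so each hash keeps its own provenance. The comment records the signature URL and the key fingerprint but not where the key itself was obtained; a one-line pointer to the key source would let whoever does the next bump repeat the same check.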
For the release note, see:
http://www.simplesystems.org/libtiff/releases/v4.7.0.html

This commit also adds the _SOURCE variable, to switch to the xz
archive, which saves ~1.5MB. The _SITE url is also updated to switch
to the https protocol.

This commit also adds a comment in the hash file about pgp signature
verification.

Fixes:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6277
- https://nvd.nist.gov/vuln/detail/CVE-2023-52356
- https://nvd.nist.gov/vuln/detail/CVE-2024-7006

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
Patch tested in:

Minimal config, only BR2_PACKAGE_TIFF=y:
https://gitlab.com/jolivain/buildroot/-/pipelines/1541199649

Maximal config, all BR2_PACKAGE_TIFF.*=y:
https://gitlab.com/jolivain/buildroot/-/pipelines/1541210686
---
 package/tiff/tiff.hash | 6 ++++--
 package/tiff/tiff.mk   | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)