The Azure go-autorest project (https://github.com/Azure/go-autorest)
provides several go modules within the same tarball, but the Grafana
code requires different commits for several of those modules, hence
the same source appearing multiple times at different commit hashes
in distinfo.
Unfortunately, with grafana 8.3.3, three of the go-autorest modules
required the same commit hash, leading to duplication in the distinfo.
This causes a problem when trying to download the distfiles the first
time -- a number of the downloads will fail. Repeatedly attempting to
download will succeed for one more of the various different versions
of the go-autorest distfile, until eventually everything has been
successfully downloaded.
Remove the duplicate items in distinfo so that first-time download
into a virgin distfiles directory does succeed. This means that the
result of `make makesum` cannot be used un-edited.
PR: 260537
Reported by: John D.
(cherry picked from commit dcd67527ab)

Quick3d is at the moment not compatible with assimp-5.1.0. In poudriere,
due to assimp not being available, the port was already built with the
bundled assimp version.
For builds in a non-clean-room environment, explicitly specify that we
want the bundled one too.
PR: 260355
Reported by: Bertrand Petit <bsdpr@phoe.frmug.org>
(cherry picked from commit b452cf359e)

Since Qt5 testlib tries to be a build-dependency only when
needed, and since we build the QML bits without installing
the corresponding test-tools, declarative had the following
problem:
- without testlib installed, would build fine
- with testlib installed, would assume the QML test bits
  are available, and then fail in the build.
This is basically our split-up-packaging without subpackages
shooting us in the foot; fix the build by removing one more
place where testlib leads to the building-of-tests. (The existing
patch files/patch-src_src.pro does something similar)
PR: 257102 260433
Reported by: Frank Reisert, Philipp Ost
(cherry picked from commit 9224581a10)

get_patch_data() may recurse on itself, which is not OK to do while
using std::lock_guard<>. Move the contents of get_patch_data() to a
get_patch_data_locked() that may recurse on itself.
This is a direct commit to quarterly, as this has since been fixed by
the version present in main. Specifically, a later refactoring ends up
dropping the patch_lock entirely after get_patch_data() and friends are
pushed into an Instruments class anyways.
Based on triage work and an initial patch by wpaul@.

This update fixes a couple of security issues. Quoting the ChangeLog:
- Security/Reliability:
  - cgi_error_no_template(): Encode the template name to prevent
    XSS (cross-site scripting) when Privoxy is configured to serve
    the user-manual itself.
    Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
    Reported by: Artem Ivanov
  - get_url_spec_param(): Free memory of compiled pattern spec
    before bailing.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
  - process_encrypted_request_headers(): Free header memory when
    failing to get the request destination.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
  - send_http_request(): Prevent memory leaks when handling errors
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.
The complete list of changes is available at:
https://lists.privoxy.org/pipermail/privoxy-announce/2021-December/000009.html
PR: 260290
MFH: 2021Q4
Security: 897e1962-5d5a-11ec-a3ed-040e3c3cf7e7
(cherry picked from commit dec093e215)