Skip to content

[pull] master from buildroot:master#1084

Merged
pull[bot] merged 4 commits into
mir-one:masterfrom
buildroot:master
Jul 10, 2026
Merged

[pull] master from buildroot:master#1084
pull[bot] merged 4 commits into
mir-one:masterfrom
buildroot:master

Conversation

@pull

@pull pull Bot commented Jul 10, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

bkuhls added 4 commits July 10, 2026 18:27
https://matt.ucc.asn.au/dropbear/CHANGES

- Security: server: Don't allow -B (accept blank password) with
  -t (two factor auth). If run with -t and -B a user configured with a
  blank password would be allowed to log in without pubkey auth.
  mkj/dropbear@23ec782
  Reported by nvidia

- Security: server: Fix parsing of long authorized_keys lines.
  The remainder of a long line would be handled as the start of a new line.
  In the case where external programs add semi-trusted public keys to
  authorized_keys, a crafted key might bypass restrictions such as "command=".
  mkj/dropbear@8d8e193
  Reported by nvidia

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add upstream commit to buildroot to fix build errors introduced by the
upcoming bump of acl to 2.4.0:

https://lists.nongnu.org/archive/html/acl-devel/2026-06/msg00000.html
"Compatibility Notes

  - libacl now exports the new functions acl_get_file_at(),
    acl_set_file_at(), acl_delete_def_file_at(), and acl_extended_file_at(),
    which are declared in <sys/acl.h>.  This may cause conflicts in programs
    that define functions of the same name and link against libacl.

    One such program is GNU tar which defines its own versions of functions
    like acl_get_file_at().  The fix is to rename those functions.  (In the
    case if GNU tar, a fix is already on the way.)"

This patch will also fix build errors seen on the autobuilders for
host-tar on hosts which already provide acl >= 2.4.0.

Fixes:
https://autobuild.buildroot.net/results/478/478a9781f481df7cf2eecda80a4c13f900a0dc80/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lists.nongnu.org/archive/html/acl-devel/2026-06/msg00000.html

Fixes CVE-2026-54369, CVE-2026-54370 and CVE-2026-54371.

Removed patches which are included in this release.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lists.nongnu.org/archive/html/acl-devel/2026-06/msg00000.html

Fixes CVE-2026-54369, CVE-2026-54370 and CVE-2026-54371.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
@pull pull Bot locked and limited conversation to collaborators Jul 10, 2026
@pull pull Bot added the ⤵️ pull label Jul 10, 2026
@pull pull Bot merged commit d1111db into mir-one:master Jul 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant