This fixes:
  - CVE-2020-7062
  - CVE-2020-7063

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fed1b3b1)

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 2628584f)

This fixes:
  - CVE-2020-7059
  - CVE-2020-7060

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>

* Set GOENV=off when building Go compiler and packages, to ignore user's
  environment configuration file
* Set GOCACHE when building host Go
* Unset GOTMPDIR, to use the buildroot temp directory instead of temp
  directories in build_dir

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 3b5f1c73)

This update includes fixes for[1]:
* CVE-2020-7919 - doesn't appear to be published publicly yet
* CVE-2020-0601 - a Windows-related issue

[1]: https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved



Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 0dc4fa6e)

This is a regular Mozilla CA bundle update.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit c799f2a9)

This backports patches from bpo-34585[1] to fix byte order detection of
floats.

Fixing byte order detection allows the repr() of floats to be
shorter[2]. sys.float_repr_style should be 'short' instead of 'legacy'
on supported platforms.

See #11134.

[1]: https://bugs.python.org/issue34585
[2]: https://docs.python.org/3.8/whatsnew/3.1.html#other-language-changes



Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This backports patches from bpo-34585[1] to fix byte order detection of
floats.

Fixing byte order detection allows the repr() of floats to be shorter (a
feature backported to Python 2.7 from Python 3.1[2]).
sys.float_repr_style should be 'short' instead of 'legacy' on supported
platforms.

See #11134.

[1]: https://bugs.python.org/issue34585
[2]: https://docs.python.org/2.7/whatsnew/2.7.html#python-3-1-features



Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from a0da5aec)
Omitted PKG_RELEASE change

Optionally fixes compilation with uClibc-ng.

Based on the surrounding code, this looks like an oversight.

Signed-off-by: Rosen Penev <rosenp@gmail.com>

(cherry picked from 608df65a)
Adjusted PKG_RELEASE
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This fixes how GOARM is selected for arm platforms, based on support for
VFP/VFPv3 rather than CPU version.

Fixes #10967.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

Fixes: CVE-2019-19844

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

This package is required by other packages to run some binaries via
`load_entry_point`.

So, this splits this package away from setuptools.
setuptools is pretty big, akd pkg-resources is also big, but not as big.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

(cherry picked from commit ed0e77f3)
Reference to discussion at
https://github.com/openwrt/packages/commit/c61579b564a3877235d74684b1a75915d77e42a9#commitcomment-36665837


Adjusted python PKG_RELEASE items to current situation
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

go invokes the external linker by calling gcc, so -zxxx options in
TARGET_LDFLAGS (in golang-package.mk) need to be formatted as -Wl,z,xxx.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from dbd6f224)

Relevant bits of upstream changelog

New Features

    argon2: Support more hashes
    scrypt: Now uses python 3.6 stdlib’s hashlib.scrypt() as backend, if present (issue 86).

Bugfixes

    Python 3.8 compatibility fixes
    passlib.apache.HtpasswdFile: improve compatibility with Apache 2.4's htpasswd
    passlib.totp: fix some compatibility issues with older TOTP clients (issue 92)
    Fixed error in argon2.parsehash() (issue 97)

Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>

go build/install supports multiple -ldflags arguments, but they are not
combined; for each package, the latest match on the command line is
used.[1]

Previously, the main executable would not be affected by the default
ldflags if GO_PKG_LDFLAGS or GO_PKG_LDFLAGS_X were set. (The default
ldflags instructs go to use the external linker.)

This fixes golang-package.mk so that the default ldflags take effect in
all cases.

[1]: https://golang.org/cmd/go/#hdr-Compile_packages_and_dependencies



Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 4827bc75)

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

This fixes:
  - CVE-2019-11046
  - CVE-2019-11044
  - CVE-2019-11045
  - CVE-2019-11050
  - CVE-2019-11047

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit d5c18b1d)

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 791729cfc06ab6608018c15ce84d7f6e37ba3f5a)

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry-picked from 4bade3b2)

We use luasrcdiet in Gluon as well. Move it from the luci feed to packages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 46d68b86)

- Fixes CVE-2019-11043

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9bc48abd)

Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit 5bc9bb04)

PHP7 fails to load xmlreader.so (php7-mod-xmlreader) module without
dom.so (php7-mod-dom) module loaded:

-snip-
PHP Warning:  PHP Startup: Unable to load dynamic library 'xmlreader.so'
 (tried: /usr/lib/php/xmlreader.so (Error relocating /usr/lib/php/xmlreader.so:
 dom_node_class_entry: symbol not found), /usr/lib/php/xmlreader.so.so (Error
 loading shared library /usr/lib/php/xmlreader.so.so: No such file or
 directory)) in Unknown on line 0
^C
-snap-

However, this dependency only exists when during build also php7-mod-dom
is selected.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit b8c22fc1)

Signed-off-by: Stefaan Ghysels <stefaang@gmail.com>
(cherry picked from commit dacda447)

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from aff03aee)

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 5e8feda0)

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from c56770a5)

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from b99abe8d)

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 5be603a8)

This is required as curl 7.66.0 was cherry-picked to openwrt-19.07 3
days ago. Otherwise, compilation of perl-www-curl fails.

This reverts commit ec6cd9b9.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry-picked from commit 426ed75d)

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry-picked from commit f0a79ca1)

All symbols on MacOS are prefixed with an underscore which
interfered with the filtering mechanism (added in perl 5.28)
for extension libraries to be linked into static perl.

Signed-off-by: Jakub Piotr Cłapa <jpc@loee.pl>
(cherry-picked from commit 3954356a)