Commit message  [Author, Age, Files, Lines]
* Merge "libcroco: Fix CVE-2017-7961" into pyro  [Dan Andresan, 2018-10-29, files: 2, lines: -0/+53]
|\
| * libcroco: Fix CVE-2017-7961  [Dan Andresan, 2018-10-26, files: 2, lines: -0/+53]
    libcroco in the upstream pyro is 0.6.11.

    CVE: CVE-2017-7961

    Reference:
    CVE-2017-7961 https://gitlab.gnome.org/GNOME/libcroco/commit/9ad72875e9f08e4c519ef63d44cdbd94aa9504f7

    Change-Id: I7769b73a81e012d52309e0f47b24d99b23eb4a05
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* | Merge "curl: Fix CVEs" into pyro  [Dan Andresan, 2018-10-29, files: 6, lines: -12/+274]
|\ \
| * | curl: Fix CVEs  [Andreas Wellving, 2018-10-25, files: 6, lines: -12/+274]
| |/
    CVE: CVE-2018-1000120
    CVE-2018-1000121
    CVE-2018-1000122
    CVE-2018-1000301

    Curl in the upstream pyro is 7.53.1.
    CVE-2018-1000120 affected versions are 7.12.3 to and including 7.58.0
    CVE-2018-1000121 affected versions are 7.21.0 to and including 7.58.0
    CVE-2018-1000122 affected versions are 7.20.0 to and including 7.58.0
    CVE-2018-1000301 affected versions are 7.20.0 to and including 7.59.0

    Reference:
    CVE-2018-1000120 https://curl.haxx.se/CVE-2018-1000120.patch
    CVE-2018-1000121 https://curl.haxx.se/CVE-2018-1000121.patch
    CVE-2018-1000122 https://curl.haxx.se/CVE-2018-1000122.patch
    CVE-2018-1000301 https://curl.haxx.se/CVE-2018-1000301.patch

    Change-Id: I0b7269c83e1662ed16a1b216853c3b4408889954
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* | Merge "glibc: Fix CVEs" into pyro  [Dan Andresan, 2018-10-29, files: 5, lines: -8/+726]
|\ \
| * | glibc: Fix CVEs  [Andreas Wellving, 2018-10-25, files: 5, lines: -8/+726]
| |/
    CVE: CVE-2017-12133
    CVE-2017-16997
    CVE-2018-6551

    Glibc in the upstream pyro is 2.25.

    Reference:
    CVE-2017-12133 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491
    CVE-2017-16997 https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869
    CVE-2018-6551 https://sourceware.org/git/?p=glibc.git;a=patch;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22

    Change-Id: I16492f0713f8134cf31597d2f38ab039c277d77c
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* | Merge "libxml2: Fix CVEs" into pyro  [Dan Andresan, 2018-10-29, files: 5, lines: -0/+257]
|\ \
| * | libxml2: Fix CVEs  [Andreas Wellving, 2018-10-25, files: 5, lines: -0/+257]
| |/
    CVE: CVE-2017-16932
    CVE-2017-5130
    CVE-2017-7375
    CVE-2017-7376

    Libxml2 in the upstream pyro is 2.9.4
    CVE-2017-7376: For the stable distribution (stretch), these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u1
    CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2

    Reference:
    CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
    CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed
    CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e
    CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e

    Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* / openssl: fix CVEs  [Dan Andresan, 2018-10-25, files: 4, lines: -0/+330]
|/
    CVE: CVE-2018-0732
    CVE-2018-0737
    CVE-2018-0739

    OpenSSL in the upstream pyro is 1.0.2n.
    CVE-2018-0732 and CVE-2018-0737 are first fixed in openssl 1.0.2p.
    CVE-2018-0739 is fixed in openssl 1.0.2o.

    Reference:
    CVE-2018-0732 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098
    CVE-2018-0737 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
    CVE-2018-0739 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9310d45087ae546e27e61ddf8f6367f29848220d

    Change-Id: I46f80ef643e5f1c6857cc26086292cd393d3e748
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* openssl: Drop obsolete CVEs  [Sona Sarmadi, 2018-03-06, files: 3, lines: -97/+0]
    OpenSSL in the upstream pyro has been updated to 1.0.2n.
    CVE-2017-3737 and CVE-2017-3735 are already fixed in openssl 1.0.2n.

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* curl: fix for CVE-2018-1000005  [Sona Sarmadi, 2018-03-02, files: 2, lines: -0/+40]
    HTTP/2 trailer out-of-bounds read

    An out-of-bounds read in code handling HTTP/2 trailers was found. This could lead to a denial-of-service or an information disclosure in some circumstances.

    Affected versions: libcurl 7.49.0 to and including 7.57.0

    Upstream patch:
    https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* systemtap: Add dependency on systemtap-native  [Adrian Dudau, 2018-01-25, files: 1, lines: -0/+2]
    This allows running systemtap remotely using the crosstap script.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* enea-image-extra: Add dev and dbg packages to the SDK  [Adrian Dudau, 2018-01-23, files: 1, lines: -0/+6]
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* packagegroup-core-tools-debug: Drop bbappend  [Adrian Dudau, 2018-01-22, files: 1, lines: -1/+0]
    Neither rsync nor systemtap are debug tools, so they have no place in this packagegroup.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* enea-image-extra: Add kernel-vmlinux  [Adrian Dudau, 2018-01-19, files: 1, lines: -1/+1]
    This installs the kernel vmlinux image under /boot in both the rootfs and SDK. This is used for kernel debugging and profiling.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* Update contents of enea-image-extra  [Adrian Dudau, 2018-01-15, files: 1, lines: -35/+2]
    This will in turn update the contents of enea-image-standard-sdk from the Standard profile.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* DPKG: Fix and test case for CVE-2017-8283  [Sona Sarmadi, 2017-12-14, files: 3, lines: -0/+279]
    Directory Traversal Vulnerability

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2017-8283
    http://www.securityfocus.com/bid/98064/info

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* openssl: Fix for CVE-2017-3737  [Sona Sarmadi, 2017-12-14, files: 2, lines: -0/+50]
    Read/write after SSL object in error state

    References:
    https://www.openssl.org/news/secadv/20171207.txt
    https://nvd.nist.gov/vuln/detail/CVE-2017-3737

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* openssl: Fix for CVE-2017-3735  [Sona Sarmadi, 2017-12-14, files: 2, lines: -0/+47]
    openssl: Malformed X.509 IPAddressFamily could cause OOB read

    References:
    https://www.openssl.org/news/secadv/20170828.txt
    https://nvd.nist.gov/vuln/detail/CVE-2017-3735

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* run-postinsts: don't call update-rc.d if systemd is present  [Gabriel Ionescu, 2017-12-06, files: 1, lines: -4/+11]
    This patch removes the call to update-rc.d in order to fix the console login issue for the Cavium board.

    Signed-off-by: Gabriel Ionescu <gabriel.ionescu@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: security fix for CVE-2017-8817  [Sona Sarmadi, 2017-12-06, files: 2, lines: -0/+135]
    FTP wildcard out of bounds read

    References:
    https://curl.haxx.se/docs/adv_2017-ae72.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: security fix for CVE-2017-8816  [Sona Sarmadi, 2017-12-06, files: 2, lines: -0/+70]
    NTLM buffer overflow via integer overflow

    References:
    https://curl.haxx.se/docs/adv_2017-12e7.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Security fix for CVE-2017-1000257  [Sona Sarmadi, 2017-12-06, files: 2, lines: -0/+40]
    IMAP FETCH response out of bounds read

    References:
    https://curl.haxx.se/docs/adv_20171023.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Security fix for CVE-2017-1000254  [Sona Sarmadi, 2017-12-06, files: 2, lines: -0/+140]
    FTP PWD response parser out of bounds read

    References:
    https://curl.haxx.se/docs/adv_20171004.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* spp: only return files that match KMACHINE and KTYPE  [Martin Borg, 2017-12-04, files: 2, lines: -0/+88]
    The search utility of spp was incorrect and was returning files that matched only a defined ktype. This leads to the system potentially building the wrong BSP, and not being able to report an error.

    We fix the search to only return files that match both ktype and kmachine, as well as return 0/1 for success/fail in the search.

    Patch backported from yocto-kernel-tools master branch:
    http://git.yoctoproject.org/cgit/cgit.cgi/yocto-kernel-tools/commit/?id=0571411cc033c11df7827508dd786876ce2f8c83

    Signed-off-by: Martin Borg <martin.borg@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* bitcalc: disable gcc-sanitizers for aarch64  [Martin Borg, 2017-12-04, files: 2, lines: -0/+29]
    Signed-off-by: Martin Borg <martin.borg@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* Revert "distro: Update distro name and version"  [Adrian Dudau, 2017-11-28, files: 1, lines: -2/+2]
    This reverts commit d74d2d2928ef9d5cffab2c9c19b4b6d50532962c.

    This is the distro name and version used for the upcoming EL7 release.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* Update README for pyro branch  [Adrian Dudau, 2017-11-27, files: 1, lines: -1/+1]
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* libtasn1: Drop duplicate CVE patch  [Adrian Dudau, 2017-11-24, files: 2, lines: -68/+0]
    The patch is already applied in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* systemd: Drop duplicate CVE patches  [Adrian Dudau, 2017-11-24, files: 2, lines: -330/+0]
    This patch has already been applied in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Drop CVE patches  [Adrian Dudau, 2017-11-24, files: 3, lines: -158/+0]
    These CVEs have been fixed in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* libxml: Remove CVE fixes  [Adrian Dudau, 2017-11-24, files: 6, lines: -605/+0]
    These have been fixed already in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* enea mirror: add distro name to mirror path  [Adrian Calianu, 2017-11-24, files: 1, lines: -9/+11]
    Since we have multiple distributions now we need to have a mirror for each distro name and distro version.

    Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* run-postinsts: Disable dpkg --configure for debs to fix boot lockup  [Gabriel Ionescu, 2017-11-22, files: 1, lines: -0/+7]
    When a board boots for the first time, it executes run-postinsts.service and dpkg-configure.service. Since both services run dpkg --configure, it sometimes results in locking up the login service.

    This patch disables the execution of dpkg --configure from run-postinsts by removing the deb keyword from the list of scanned packet types.

    Signed-off-by: Gabriel Ionescu <gabriel.ionescu@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* Revert "enea distro: increase wget timeout"  [Adrian Dudau, 2017-11-13, files: 1, lines: -3/+0]
    This reverts commit eb6fe9f31ec566dd16d1120e4ed6d91e43d77545.

    This patch didn't fix the fetch issues, the only solution is to establish our own source mirrors.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* enea distro: increase wget timeout  [Adrian Calianu, 2017-11-10, files: 1, lines: -0/+3]
    to allow some slow downloads to finish, like openjre.

    Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14495  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+70]
    Lack of free() here.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14495
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14496  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+95]
    Invalid boundary checks here. Integer underflow leading to a huge memcpy.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14496
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14494  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+56]
    Can help bypass ASLR.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14494
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14493  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+56]
    Stack Based overflow.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14493
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14492  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+58]
    Heap based overflow.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14492
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* dnsmasq: CVE-2017-14491  [Sona Sarmadi, 2017-10-04, files: 3, lines: -0/+348]
    Heap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted.

    References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14491
    https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* distro: Update distro name and version  [Adrian Dudau, 2017-10-04, files: 1, lines: -2/+2]
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Martin Borg <martin.borg@enea.com>
* systemd: CVE-2017-1000082  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+330]
    refuse to load units with errors

    If a unit has a statement such as User=0day where the username exists but is strictly speaking invalid, the unit will be started as the root user instead.

    Backport a patch from upstream to mitigate this by refusing to start units such as this.

    (From OE-Core rev: a6eaef0f179a341c0b96bb30aaec2d80862a11d6)

    Reference:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082

    Backport from:
    http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=pyro&id=b7e7b5e294f944c27fb1d2be61c0cf38f6c81ba8

    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* libtasn1: CVE-2017-10790  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+68]
    The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2017-10790
    http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;
    h=d8d805e1f2e6799bb2dff4871a8598dc83088a39

    (From OE-Core rev: 6176151625c971de031e14c97601ffd75a29772f)
    (From OE-Core rev: 649f78102222ec156d490968c13d3222379a1956)

    Patch from:
    http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=
    pyro&id=cb4fd41504826905455a34d3cb85e952f4ed4991

    Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-7407  [Sona Sarmadi, 2017-10-04, files: 2, lines: -1/+202]
    --write-out out of buffer read

    Reference:
    https://curl.haxx.se/docs/adv_20170403.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-1000101  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+98]
    URL globbing out of bounds read

    Reference:
    https://curl.haxx.se/docs/adv_20170809A.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-1000100  [Sona Sarmadi, 2017-10-04, files: 2, lines: -0/+60]
    TFTP sends more than buffer size

    Reference:
    https://curl.haxx.se/docs/adv_20170809B.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* bind: CVE-2017-3136  [Sona Sarmadi, 2017-09-28, files: 2, lines: -0/+48]
    Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"

    Reference:
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3136

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* bind: CVE-2017-3135  [Sona Sarmadi, 2017-09-28, files: 2, lines: -0/+31]
    Assertion failure when using DNS64 and RPZ Can Lead to Crash

    Reference:
    https://bugzilla.redhat.com/show_bug.cgi?id=1420193

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>