path: root/recipes-support
Commit message | Author | Age | Files | Lines
* curl: Fix CVEs | Andreas Wellving | 2018-10-25 | 6 files | -12/+274

    CVE: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301

    Curl in the upstream pyro is 7.53.1.
    CVE-2018-1000120 affected versions are 7.12.3 to and including 7.58.0
    CVE-2018-1000121 affected versions are 7.21.0 to and including 7.58.0
    CVE-2018-1000122 affected versions are 7.20.0 to and including 7.58.0
    CVE-2018-1000301 affected versions are 7.20.0 to and including 7.59.0

    Reference:
    CVE-2018-1000120 https://curl.haxx.se/CVE-2018-1000120.patch
    CVE-2018-1000121 https://curl.haxx.se/CVE-2018-1000121.patch
    CVE-2018-1000122 https://curl.haxx.se/CVE-2018-1000122.patch
    CVE-2018-1000301 https://curl.haxx.se/CVE-2018-1000301.patch

    Change-Id: I0b7269c83e1662ed16a1b216853c3b4408889954
    Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
    Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
* curl: fix for CVE-2018-1000005 | Sona Sarmadi | 2018-03-02 | 2 files | -0/+40

    HTTP/2 trailer out-of-bounds read

    An out-of-bounds read in code handling HTTP/2 trailers was found.
    This could lead to a denial-of-service or an information disclosure
    in some circumstances.

    Affected versions: libcurl 7.49.0 to and including 7.57.0

    Upstream patch:
    https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: security fix for CVE-2017-8817 | Sona Sarmadi | 2017-12-06 | 2 files | -0/+135

    FTP wildcard out of bounds read

    References:
    https://curl.haxx.se/docs/adv_2017-ae72.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: security fix for CVE-2017-8816 | Sona Sarmadi | 2017-12-06 | 2 files | -0/+70

    NTLM buffer overflow via integer overflow

    References:
    https://curl.haxx.se/docs/adv_2017-12e7.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Security fix for CVE-2017-1000257 | Sona Sarmadi | 2017-12-06 | 2 files | -0/+40

    IMAP FETCH response out of bounds read

    References:
    https://curl.haxx.se/docs/adv_20171023.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Security fix for CVE-2017-1000254 | Sona Sarmadi | 2017-12-06 | 2 files | -0/+140

    FTP PWD response parser out of bounds read

    References:
    https://curl.haxx.se/docs/adv_20171004.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* libtasn1: Drop duplicate CVE patch | Adrian Dudau | 2017-11-24 | 2 files | -68/+0

    The patch is already applied in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: Drop CVE patches | Adrian Dudau | 2017-11-24 | 3 files | -158/+0

    These CVEs have been fixed in upstream poky/pyro.

    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* libtasn1: CVE-2017-10790 | Sona Sarmadi | 2017-10-04 | 2 files | -0/+68

    The _asn1_check_identifier function in GNU Libtasn1 through 4.12
    causes a NULL pointer dereference and crash when reading crafted
    input that triggers assignment of a NULL value within an asn1_node
    structure. It may lead to a remote denial of service attack.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2017-10790
    http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39

    (From OE-Core rev: 6176151625c971de031e14c97601ffd75a29772f)
    (From OE-Core rev: 649f78102222ec156d490968c13d3222379a1956)

    Patch from:
    http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=pyro&id=cb4fd41504826905455a34d3cb85e952f4ed4991

    Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-7407 | Sona Sarmadi | 2017-10-04 | 2 files | -1/+202

    --write-out out of buffer read

    Reference:
    https://curl.haxx.se/docs/adv_20170403.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-1000101 | Sona Sarmadi | 2017-10-04 | 2 files | -0/+98

    URL globbing out of bounds read

    Reference:
    https://curl.haxx.se/docs/adv_20170809A.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-1000100 | Sona Sarmadi | 2017-10-04 | 2 files | -0/+60

    TFTP sends more than buffer size

    Reference:
    https://curl.haxx.se/docs/adv_20170809B.html

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-9502 | Sona Sarmadi | 2017-09-26 | 2 files | -0/+70

    URL file scheme drive letter buffer overflow

    References:
    https://curl.haxx.se/docs/adv_20170614.html
    https://curl.haxx.se/CVE-2017-9502.patch

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* curl: CVE-2017-7468 | Sona Sarmadi | 2017-09-26 | 2 files | -0/+304

    TLS session resumption client cert bypass (again)

    References:
    https://curl.haxx.se/docs/adv_20170419.html
    https://curl.haxx.se/CVE-2017-7468.patch

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* libxslt: Fix CVE-2015-9019 | Sona Sarmadi | 2017-08-21 | 2 files | -0/+60

    Fixes a vulnerability in libxslt where the EXSLT math.random function
    was not initialized with a random seed during startup, which could
    cause usage of this function to produce predictable outputs.

    References:
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-9019

    Upstream patch:
    https://bug758400.bugzilla-attachments.gnome.org/attachment.cgi?id=349240&action=diff&collapsed=&context=patch&format=raw&headers=1

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* gnutls: CVE-2017-7869 | Sona Sarmadi | 2017-08-21 | 2 files | -0/+64

    GnuTLS before 2017-02-20 has an out-of-bounds write caused by an
    integer overflow and heap-based buffer overflow related to the
    cdk_pkt_read function in opencdk/read-packet.c. This issue (which is
    a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
    This issue affects only applications which utilize the OpenPGP
    certificate functionality of GnuTLS.

    References:
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7869

    Upstream patch:
    https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe

    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* fuse: remove bbappend for fuse | Nora Björklund | 2016-01-28 | 1 file | -8/+0

    Remove bbappend for fuse since the problem it was supposed to fix
    no longer persists.

    A bug was reported [1] that an error occurred when using
    $ /etc/init.d/fuse status

    When building the openembedded version without this bbappend there
    is no longer any error:

    root@qemuppc:~# /etc/init.d/fuse status
    Checking fuse filesystem ok.
    root@qemuppc:~#

    --------
    [1] http://patchwork.openembedded.org/patch/68995/

    Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
* fuse: Add fusermount package to fuse recipe | Mihaela Martinas | 2015-11-21 | 1 file | -0/+8

    Signed-off-by: Mihaela Martinas <Mihaela.Martinas@enea.com>
    Signed-off-by: Tudor Florea <tudor.florea@enea.com>