summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
* python3: upgrade 3.8.13 -> 3.8.14Tim Orling2022-10-272-138/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Security and bug fixes. * Drop CVE-2021-28861.patch as it was merged in 3.8.14 release. Fixes: * CVE-2020-10735 https://nvd.nist.gov/vuln/detail/CVE-2020-10735 * CVE-2021-28861 https://nvd.nist.gov/vuln/detail/CVE-2021-28861 * CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032 Python 3.8.14 Release Date: Sept. 6, 2022 This is a security release of Python 3.8 Note: The release you're looking at is Python 3.8.14, a security bugfix release for the legacy 3.8 series. Python 3.10 is now the latest feature release series of Python 3. Security content in this release CVE-2020-10735: converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees to avoid a potential crash of the interpreter. gh-90355: Fix ensurepip environment isolation for the subprocess running pip. gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. (From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2021-3750 hcd-ehci: DMA reentrancy issue leads to use-after-freeHitendra Prajapati2022-10-272-0/+181
| | | | | | | | | | | | | | | | Source: https://git.qemu.org/?p=qemu.git MR: 117886 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 ChangeID: 3af901d20ad8ff389468eda2c53b4943e3a77bb8 Description: CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free. (From OE-Core rev: 0f4b1db4fdc655e880ec66525eb7642978529e82) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: Add fix for CVE-2022-32190Shubham Kulkarni2022-09-305-0/+244
| | | | | | | | | | Link: https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec (From OE-Core rev: 3362bbb1a1ce599418dc8377043f7549f9327315) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-27664 net/http: handle server errors after sending GOAWAYHitendra Prajapati2022-09-302-0/+69
| | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 121912 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479 ChangeID: 0b76a92a774279d7bffc9d6fa05564dfd8371e8c Description: CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY. (From OE-Core rev: 4e2f723a4288ad4839fac2769e487612252b1d40) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix CVE-2021-28544Lee Chee Yang2022-09-232-0/+147
| | | | | | | | (From OE-Core rev: 7fdd4d2dc019071525349fbb153e2e80f6583217) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Add PACKAGECONFIG for brlapiRichard Purdie2022-09-231-0/+1
| | | | | | | | | (From OE-Core rev: f547c9610f8c17c3da9ca3f7a79902d2ffbfca49) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 482471a617e5f682416b7ec1a920dfaeac65f1a3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Define libnfs PACKAGECONFIGAndrei Gherzan2022-09-231-0/+2
| | | | | | | | | | | | | | | | | | | | The upstream qemu recipe uses host's pkg-config files as a solution to detecting host's SDL. This has a side effect of using other host libraries that are later queried by the configure script. This can get into a situation when the host provides libnfs (for example) and because later this dependency is not in place anymore, qemu will fail at runtime. This change adds a PACKAGECONFIG definition for libnfs that is disabled by default, in turn disabling the pkgconfig autodetection in configure. (From OE-Core rev: 9badcf0261f6b735d65a5498bb8fbb9979d7a07f) Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 42b364a25fdbc987c85dd46b8427045033924d99) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix and ignore several CVEsChee Yang Lee2022-09-2312-0/+748
| | | | | | | | | | | | | | | | | | | | | | | backport fixes: CVE-2020-13754, backport patches as debian security tracker notes https://security-tracker.debian.org/tracker/CVE-2020-13754 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2. Ignore: CVE-2020-27661, issue introduced in v5.1.0-rc0 https://security-tracker.debian.org/tracker/CVE-2020-27661 (From OE-Core rev: 16a6e8530c4820f070973a1b4d64764c20706087) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix and ignore several CVEsChee Yang Lee2022-09-165-0/+467
| | | | | | | | | | | | | | | | | | backport fixes: CVE-2021-27918 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 ignore: CVE-2022-29526 CVE-2022-30634 (From OE-Core rev: ddb09ccc3caebbd3cf643bb3bb3c198845050c69) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils : CVE-2022-38533Florin Diaconescu2022-09-162-0/+38
| | | | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] (From OE-Core rev: 2cf26e2e5a83d2b2efd01de34c11da07eeb9c8f9) Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Fix CVE-2021-28861 for python3Khan@kpit.com2022-09-162-0/+136
| | | | | | | | | | | | | Add patch to fix CVE-2021-28861 CVE-2021-28861.patch Link: https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672 (From OE-Core rev: cbf57b25c78ea9d56863d9546b51fc2c88adb8cf) Signed-off-by: Riyaz Khan <rak3033@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-32189 a denial of serviceHitendra Prajapati2022-09-032-0/+114
| | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120634 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102 ChangeID: 3ade323dd52a6b654358f6738a0b3411ccc6d3f8 Description: CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service. (From OE-Core rev: 9b3420c9a91059eb55754078bb1e733972e94489) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30635 and CVE-2022-32148Hitendra Prajapati2022-09-033-0/+171
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120628, 120631 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e && https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e ChangeID: fbd8d61bdc2e9cb0cdbe9879e02aed218ee93dbe Description: Fixed CVE: 1. CVE-2022-30635 2. CVE-2022-32148 (From OE-Core rev: 2c4fb77f417464d9cd40f0ebd8cc52e6e6ca689e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30632 and CVE-2022-30633Hitendra Prajapati2022-09-033-0/+204
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120622, 120625 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827 ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5 Description: Fixed CVE: 1. CVE-2022-30632 2. CVE-2022-30633 (From OE-Core rev: 9ffaae887743d77839fb758657b1dec71a9b8880) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30629 and CVE-2022-30631Hitendra Prajapati2022-09-033-0/+165
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120613, 120613 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 ChangeID: 366db775dec045d7b312b8da0436af36ab322046 Description: Fixed CVE: 1. CVE-2022-30629 2. CVE-2022-30631 (From OE-Core rev: 6813a265c7c21e24636d07a6a8df16ef0cf7da50) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_writeHitendra Prajapati2022-08-222-0/+74
| | | | | | | | | | | | | | | | Source: https://git.qemu.org/?p=qemu.git; MR: 107558 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442 ChangeID: c5d25422f43edb7d8728118eb482eba09474ef2c Description: CVE-2020-27821 qemu: heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c. (From OE-Core rev: 198bd53bdc77d2b01dae19993bde79f03f4dd02c) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libmodule-build-perl: Use env utility to find perl interpreterKhem Raj2022-08-181-0/+1
| | | | | | | | | | | | | | Fixes ERROR: QA Issue: : /work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/sysroot-destdir/work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/recipe-sysroot-native/usr/bin/config_data maximum shebang size exceeded, the maximum size is 128. [shebang-size] (From OE-Core rev: f11ed8c8fd78b88a50f382df419afff6ccde02a0) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 54ecb2d3f2523293383103cbe590ebdd037ee483) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail ↵Hitendra Prajapati2022-08-082-0/+54
| | | | | | | | | | | | | | | | | | path, leading to an io_readx or io_writex crash Source: https://github.com/qemu/qemu MR: 119832 Type: Security Fix Disposition: Backport from https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00 Description: CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. (From OE-Core rev: 7c3043df56b3090138fe56f8c06df5ca08cafd26) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: add PACKAGECONFIG for capstoneSteve Sakoman2022-07-151-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Autobuilder workers were non-deterministically enabling capstone depending on whether the worker had libcapstone installed. Add PACKAGECONFIG for capstone with default off, since qemu does not require capstone support. Qemu version in dunfell has capstone in the source tree as a submodule and has configure options to enable it using that source code or using the system libcapstone. Qemu versions in master and kirkstone have removed the capstone submodule and configure options, but added libcapstone autodetection to meson. In all cases using PACKAGECONFIG will allow a deterministic build. (From OE-Core rev: af25fff399fa623b4fd6efbca21e01ea6b4d1fd7) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 052ef1f14d1e6a5ee34f742f65e51b20b416f79f) Signed-off-by: Steve Sakoman <steve@sakoman.com Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when ↵Hitendra Prajapati2022-07-082-0/+39
| | | | | | | | | | | | | | | | | | reading a very large header Source: https://github.com/argoheyard/lang-net MR: 114874 Type: Security Fix Disposition: Backport from https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282 ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb Description: CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header. (From OE-Core rev: 2850ef58f2a39a5ab19b1062d1b50160fec4daa8) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-24675 encoding/pem: fix stack overflow in DecodeHitendra Prajapati2022-07-082-0/+272
| | | | | | | | | | | | | | | | Source: https://go-review.googlesource.com/c/go MR: 117551 Type: Security Fix Disposition: Backport from https://go-review.googlesource.com/c/go/+/399816/ ChangeID: 347f22f93e8eaecb3d39f8d6c0fe5a70c5cf7b7c Description: CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode. (From OE-Core rev: 6625e24a6143765ce2e4e08d25e3fe021bc2cdf6) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dpkg: update to 1.19.8Chee Yang Lee2022-06-241-2/+2
| | | | | | | | | | update include fixes for CVE-2022-1664. (From OE-Core rev: 12169c1104adbfd9f5196fdbdab16536e98fd43f) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2021-44717 syscall: don't close fd 0 on ForkExec errorHitendra Prajapati2022-06-242-0/+84
| | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 114884 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/44a3fb49 ChangeID: 7b28553d4e23828b20c3357b1cca79ee3ca18058 Description: CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error. (From OE-Core rev: b835c65845b1445e1bb547c192cb22c2db4c7e6f) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git ↵Hitendra Prajapati2022-06-242-0/+49
| | | | | | | | | | | | | | | | | | references Source: https://github.com/pypa/pip MR: 113864 Type: Security Fix Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636 Description: CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references. (From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-source: Fix incorrect task dependencies from ${B}Richard Purdie2022-06-222-1/+2
| | | | | | | | | | | | | | | | | | | Some tasks may reference ${B} for gcc-source which in general would not exist. It has dependencies on HOST_SYS and TARGET_SYS which are not appropriate for a shared recipe like gcc-source. This causes problems for the archiver and multiconfigs in particlar. Set B to something else to avoid these task hash issues. Acked-by: Jose Quaresma <jose.quaresma@foundries.io> (From OE-Core rev: 14aa189c2e47a2c5a4a0099235a2605666651f74) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit beb2a76c591e985c6fc7ed473abd1bee27f955a2) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e2fsprogs: add alternatives handling of lsattr as wellRasmus Villemoes2022-06-221-1/+4
| | | | | | | | | | | | | | | | | | | | Building busybox with CONFIG_LSATTR=y and installing that in the same filesystem as e2fsprogs breaks: ERROR: ... do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot, then please place them into pkg_postinst_ontarget:${PN} (). Deferring to first boot via 'exit 1' is no longer supported. Fix that by also alternatifying lsattr just as chattr already is. (From OE-Core rev: 28090d32c88d99ea36a03f3bb723838746001e4b) Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 96703961eeb3460e9da26503d7942cc965d1e573) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystemHitendra Prajapati2022-06-112-0/+43
| | | | | | | | | | | | | | | Source: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git MR: 117430 Type: Security Fix Disposition: Backport from https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ChangeID: e6db00c6e8375a2e869fd2e4ead61ca9149eb8fa Description: CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem. (From OE-Core rev: b4f9ba859ed1fe5e1d42258fee1dd2e8e85e7eba) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: Whitelist CVE-2021-28966 as this affects Windows OS onlyRanjitsinh Rathod2022-06-041-0/+4
| | | | | | | | | | | | As per below debian link, CVE-2021-28966 affects Windows only Link: https://security-tracker.debian.org/tracker/CVE-2021-28966 (From OE-Core rev: df6242b72b0477fb61c7dc18ad52a1f147ec7d07) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: Upgrade ruby to 2.7.6 for security fixRanjitsinh Rathod2022-06-041-2/+2
| | | | | | | | | | | | | Upgrade ruby to 2.7.6 Link: https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/ This includes CVE-2022-28739 security fix (From OE-Core rev: 4514b1b8cacb92b1790b636b111c071190b2e4b2) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORERanjitsinh Rathod2022-05-201-1/+1
| | | | | | | | | | | Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell branch (From OE-Core rev: 970743af349e21a399da6241587b849b14933bc5) Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: ignore CVE-2015-20107Ross Burton2022-05-091-0/+3
| | | | | | | | | | | | | | | | | | | CVE-2015-20107 describes an arbitrary command execution in the mailcap module, but this is by design in mailcap and needs to be worked around by the calling application. Upstream Python will be documenting this flaw in the library reference, and it is likely that the mailcap module will be deprecated and removed in the future. (From OE-Core rev: 1ed7bb74d35f08af3babf73c68ee01af5f28a50b) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git update from 2.24.3 to 2.24.4Steve Sakoman2022-04-223-308/+2
| | | | | | | | | | | | | Security release, fixes CVE-2021-21300, so remove that patch. 22539ec3b5 unpack_trees(): start with a fresh lstat cache 0d58fef58a run-command: invalidate lstat cache after a command finished 684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path (From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bugRalph Siemsen2022-04-211-0/+4
| | | | | | | | | | | | | | | Recently we've begun seeing issues with apt SHA256 generation/checking on some distros (fedora 35, alma 8). The version of apt in dunfell uses its own SHA256 code, not a standard library. Investigation reveals that the issue is related to -fstrict-aliasing enabled by -O2 optimization, so turn it off with -fno-strict-aliasing (From OE-Core rev: dc61dfd7791976c70c93e0d253a8fdbd40d27f3b) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pseudo: Fix handling of absolute linksAlexandre Belloni2022-04-211-1/+1
| | | | | | | | | | | | | Update to a version of pseudo which has a fix for absolute links, evaluating them from the chroot path. (From OE-Core rev: 4e79b3fa07d6b8d044f2fb21e691ff3683aee1ea) Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 33147b89bc3c9e9bdd53a942a5551d8a1d06130c) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pseudo: Add patch to workaround paths with crazy lengthsRichard Purdie2022-04-211-1/+1
| | | | | | | | | | | | Update to a version of pseudo which includes a workaround for crazy long paths, as shown by the libfm failures from the libtool upgrade. (From OE-Core rev: 5cac1e855e397b58c3c2b251a9794f3d480c8ad6) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 67dfa32d82b8862e6e543c37315f211aba3ec28b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Ignore CVE-2022-24975Richard Purdie2022-04-211-0/+5
| | | | | | | | | | | | | | | Everyone I've talked to doesn't see this as a major issue. The CVE asks for a documentation improvement on the --mirror option to git clone as deleted content could be leaked into a mirror. For OE's general users/use cases, we wouldn't build or ship docs so this wouldn't affect us. (From OE-Core rev: f35500a442d6a4564d52e23f9602a3f90a4ceee5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-jinja2: Correct HOMEPAGEPeter Kjellerstedt2022-04-091-1/+1
| | | | | | | | | | | (From OE-Core rev: 7d429e8385ca01728d797abe8ab9575140734476) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 261778c1e3665b34c0d4e49bda63b520d5335587) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: backport patch fix for CVE-2021-38297Davide Gardenal2022-04-092-0/+99
| | | | | | | | | | | | | | | | Patch taken from https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 from the following issue https://github.com/golang/go/issues/48797 Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 (From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gnu-config: update SRC_URIMinjae Kim2022-03-311-1/+1
| | | | | | | | | | | The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. (From OE-Core rev: 4ee75d865b34f615bc649004e9dd0460eaf42dbf) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apt: backport patch fix for CVE-2020-3810Davide Gardenal2022-03-312-0/+175
| | | | | | | | | | | | | Upstream commit: https://salsa.debian.org/apt-team/apt/-/blob/dceb1e49e4b8e4dadaf056be34088b415939cda6/apt-pkg/contrib/arfile.cc CVE: CVE-2020-3810 (From OE-Core rev: 2c58d4691b07230616272f2727e0ad0a345064be) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: backport patch fix for CVE-2020-13791Davide Gardenal2022-03-312-0/+45
| | | | | | | | | | | | | Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html CVE: CVE-2020-13791 (From OE-Core rev: 6d4e6302fa21b1c663b94b05088ecf9b9d544c0a) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: ignore CVE-2022-26488Ross Burton2022-03-311-1/+1
| | | | | | | | | | | | This CVE is specific to Microsoft Windows, so we can ignore it. (From OE-Core rev: d966a07d1f04aa76a4970d4af141f817197be0d2) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2bd3c5a93988140d9927340b3af68785ae03db65) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: upgrade 3.8.12 -> 3.8.13Tim Orling2022-03-232-22/+26
| | | | | | | | | | | | | | | | | | | | Security and bug fixes (including upgrades for security and bug fixes to bundled components). For changes see: https://docs.python.org/release/3.8.13/whatsnew/changelog.html#python-3-8-13-final CVE: CVE-2022-26488 License-Update: Add 2022 to copyright years * Update bpo-36852 patch to apply after change in 3.8.13 (From OE-Core rev: bcad36b6d34b3176dc313ed6af99897cc442bf2b) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: backport fix for CVE-2020-13253Davide Gardenal2022-03-236-0/+446
| | | | | | | | | | | | | | | | Backport commits from the following MR: https://git.qemu.org/?p=qemu.git;a=commit;h=3a9163af4e3dd61795a35d47b702e302f98f81d6 Two other commits have been backported in order to be able to correctly apply the patches. CVE: CVE-2020-13253 (From OE-Core rev: b258b0deccde2d8fd2c4372dd0f376c7b95945f5) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxml-parser-perl: Add missing RDEPENDSRichard Purdie2022-03-091-0/+1
| | | | | | | | | | | | Running the ptest package in an image alone highlighted missing module dependencies. Add them to fix those errors. (From OE-Core rev: 6e98fdf7832fed3d93645ed69f62c8df5e89b96b) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3859f49db2d694c7b63fdbe25be0018afba5c738) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bootchart2: Add missing python3-math dependencyMarek Vasut2022-03-091-1/+1
| | | | | | | | | | | | | | | | Without this dependency, generating the bootchart may fail with: " ModuleNotFoundError: No module named 'random' " (cherry picked from commit 487e9f16a00f895159b79f1865fe8b626b47ddc2) (From OE-Core rev: 123d4a673dadfee14d5ad8bbc503405da9602bb0) Signed-off-by: Marek Vasut <marex@denx.de> Cc: Mingli Yu <mingli.yu@windriver.com> Cc: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-23772Minjae Kim2022-03-092-0/+51
| | | | | | | | | | | | | | | math/big: prevent large memory consumption in Rat.SetString An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Upstream-Status: Backport [https://go.dev/issue/50699] CVE: CVE-2022-23772 (From OE-Core rev: e4d15040f62744265b9236ad7276f3371a9172da) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-23806Minjae Kim2022-03-092-0/+143
| | | | | | | | | | | | | | | | | crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Upstream-Status: Backport [https://go.dev/issue/50974] CVE: CVE-2022-23806 (From OE-Core rev: eb7aa0929ecd712aeeec0ff37dfb77c3da33b375) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: 2.7.4 -> 2.7.5Chee Yang Lee2022-03-021-2/+2
| | | | | | | | | | | | | This release includes security fixes. CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods CVE-2021-41816: Buffer Overrun in CGI.escape_html CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse (From OE-Core rev: a7935c9c4a47098f0c1b2eefdf7773bd85891945) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: fix DEPENDS appendKonrad Weihmann2022-02-231-1/+1
| | | | | | | | | | | | | | | | | | recent change create a blank scope of DEPENDS for class-target, basically leaving out all general dependencies, leading to the effect that ruby will be shipped without the runtime dependencies of zlib, openssl and libffi, making the corresponding gems unusable at runtime. As the class-target scope should be appended only the correct override is append:class-target (From OE-Core rev: 81fab225daf798792c139f669f5bfd96d9fd25a8) Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8f92444d388d2406be7d317578908975784d3f22) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-13 20:26:44 +0000