path: root/meta/recipes-devtools
Commit message | Author | Age | Files | Lines
* python3-urllib3: update to v1.26.18 | Tan Wen Yan | 2023-11-11 | 1 | -1/+1

  https://github.com/urllib3/urllib3/releases/tag/1.26.18

  Major changes in python3-urllib3 1.26.18:
  - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803)

  (From OE-Core rev: 74da05b63634c248910594456dae286947f33da5)

  Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix "Bad FPU state detected" fault on qemu-system-i386 | Xiangyu Chen | 2023-11-11 | 2 | -0/+59

  Qemu introduced a commit "target/i386: Enable AVX cpuid bits when using TCG" since v7.2.0. It causes qemu-system-i386 hang with following error:

      traps: rndc-confgen[342] general protection fault ip:b7ef5545 sp:bfcc6e6c error:0
      ------------[ cut here ]------------
      Bad FPU state detected at __restore_fpregs_from_fpstate+0x2f/0x60, reinitializing FPU registers.
      WARNING: CPU: 7 PID: 353 at arch/x86/mm/extable.c:65 fixup_exception+0x29c/0x2d0
      Modules linked in: cfg80211 8021q parport_pc parport sch_fq_codel openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 kvm irqbypass fuse configfs
      CPU: 7 PID: 353 Comm: in:imklog Not tainted 5.15.78-yocto-standard #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
      EIP: fixup_exception+0x29c/0x2d0
      Code: 05 ed da 89 df 01 68 b0 cb 5f df e8 4f e7 b6 00 0f 0b 58 e9 9d fe ff ff c6 05 ef da 89 df 01 50 68 f0 cb 5f df e8 35 e7 b6 00 <0f> 0b 5b 5e e9 0a ff ff ff ba 01 00 00 00 89 f0 e8 8a c1 b6 00 0f
      EAX: 00000060 EBX: df734b60 ECX: f5be9cd0 EDX: f5be9ccc
      ESI: c3485eec EDI: 0000000d EBP: c3485e64 ESP: c3485e4c
      DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00000096
      CR0: 80050033 CR2: b79fdde0 CR3: 03cbe000 CR4: 001506d0
      Call Trace:
       ? __restore_fpregs_from_fpstate+0x2f/0x60
       exc_general_protection+0x9a/0x390
       ? exc_bounds+0x90/0x90
       handle_exception+0x133/0x133

  Upstream has fixed this issue [1], so backport the patch to fix it.

  Ref:
  [1] https://gitlab.com/qemu-project/qemu/-/commit/48b60eb6c917646df9efa7ddb4c25929f358d647

  (From OE-Core rev: 11370f237dcf140e05014f82200e07d5cff38bd3)

  Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: 1.26.15 -> 1.26.17 | Lee Chee Yang | 2023-10-25 | 1 | -1/+1

  1.26.17 (2023-10-02)
  Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (CVE-2023-43804)

  1.26.16 (2023-05-23)
  Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)

  (From OE-Core rev: 7466db00ca2f884cf58504c3910b858a87f33128)

  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: ignore RHEL specific CVE-2023-2680 | Lee Chee Yang | 2023-10-25 | 1 | -0/+4

  (From OE-Core rev: 7300254fdb6659c0a7462c64133f893d1a152850)

  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dmidecode: fixup for CVE-2023-30630 | Sean Nyekjaer | 2023-10-25 | 6 | -103/+539

  The previous CVE-2023-30630_1.patch picked only the patch "dmidecode: Write the whole dump file at once" d8cfbc808f. But there was a refactoring which does not allow to cherry-pick it fast forward. Resolving this conflict was not correctly done. The patch was:

      + u32 len;
      + u8 *table;
      ...
      - if (!(opt.flags & FLAG_QUIET))
      - pr_comment("Writing %d bytes to %s.", crafted[0x05],
      - opt.dumpfile);
      - write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
      + dmi_table_dump(crafted, crafted[0x05], table, len);

  It looks like the variables len and table have been added without initialization.

  Now this problem is solved by applying the previous refactoring as well. Patch 1 gets replaced by Patch 1a and Patch 1b. Patch 2..4 are rebased without changes.

  This is basically the same patch as in kirkstone: ea069a94a2 dmidecode: fixup for CVE-2023-30630

  (From OE-Core rev: 0bc69dc078c39381a39789d3c5fff673d7da994c)

  Signed-off-by: Sean Nyekjaer <sean@geanix.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gdb: fix RDEPENDS for PACKAGECONFIG[tui] | Stefan Tauner | 2023-10-18 | 1 | -2/+1

  TUI mode needs terminfo at runtime, which is required to be explicitly stated in the respective PACKAGECONFIG variable. Without this change /etc/terminfo/ might be missing, which leads to a runtime error when trying to use tui, e.g.:

      (gdb) tui enable
      Cannot enable the TUI: error opening terminal [TERM=xterm-256color]

  (From OE-Core rev: 266944eb216912b7b2a935360aa51cd79847a071)

  Signed-off-by: Stefan Tauner <stefan.tauner@artech.at>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 5f17bc03a0c2d894e43c3c835fa38a24b1d5df64)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* strace: parallelize ptest | Alexander Kanavin | 2023-10-18 | 1 | -1/+1

  strace is one of the slowest tests otherwise (can take 40 minutes or more), and this brings it to under 10 minutes \0/

  (From OE-Core rev: 30b6692ef4a12958419c94b96e3fc5a50e8a7ad6)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 0c632b418a785494318d9f375a07d879772e8ced)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcl: Add a way to skip ptests | Khem Raj | 2023-10-11 | 2 | -2/+7

  Some tests hardcode assumptions on locales, which may not be present in musl systems e.g., therefore add a way to skip such tests using -skip option.

  Skip unixInit-3* test on musl

  (From OE-Core rev: c6f4728d4e483067e353e91f5fb20ed552e6c911)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit fa66f1cee2d88c2276442e8b4aaeccde5490f9ea)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc-runtime: remove bashism | Peter Marko | 2023-10-11 | 1 | -1/+1

  Debian 12 no longer supports replacing dash with bash as default shell. Therefore to achieve compatibility with Debian 12, all bashisms need to be removed.

  Shell comparison via == gives an error with dash and thus the condition is always false.

  (From OE-Core rev: f842d8a9dc2d785e75981ce009e68227796135be)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 3723b26f82219ff71823335d550dbf29086d63d4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: depend on zstd | Sean Nyekjaer | 2023-10-11 | 1 | -1/+1

  Add zstd LTO support for target and nativesdk compiler. This also brings gcc into sync with gcc-cross.

      % x86_64-oe-linux-gcc -v
      [...]
      Supported LTO compression algorithms: zlib zstd
      gcc version 12.2.0 (GCC)

      % x86_64-oesdk-linux-gcc -v
      [...]
      Supported LTO compression algorithms: zlib
      gcc version 12.2.0 (GCC)

  (From OE-Core rev: fdabb7a54bb994d3680c410c8a46eed30e23ec47)

  Signed-off-by: Sean Nyekjaer <sean@geanix.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* librepo: upgrade 1.15.1 -> 1.15.2 | Wang Mingyu | 2023-10-11 | 1 | -1/+1

  Changelog:
  =============
  Fixes and optimizations in header files
  Fix lr_gpg_list_keys function when keys are empty
  Update PGP test vectors
  Fix CMake warnings
  Bump glib version

  (From OE-Core rev: eba267b4ed4e4d90f0ef053925c80b4c5499d4ba)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 583882c25eec915cfc37e334fcb7e41d6ea6d88e)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-42467 | Yogita Urade | 2023-10-11 | 2 | -0/+50

  QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-42467
  https://gitlab.com/qemu-project/qemu/-/issues/1813

  (From OE-Core rev: 4925ac7120605d551e1b28196b4a4dab7bc72b66)

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: Fix CVE-2023-3180 | Soumya Sambu | 2023-10-11 | 2 | -0/+53

  A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-3180

  (From OE-Core rev: 2038b5e977481cac2e9e35101a467fbd5268231e)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd-bootchart: musl fixes have been rejected upstream | Alexander Kanavin | 2023-10-04 | 3 | -3/+3

  Systemd upstream has reiterated that the only supported libc implementation is glibc.

  (From OE-Core rev: 836d8d5b645ded6cb1da9368efc9ca563595503a)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 3655b965a0b13518e35b3312e1ae7b59b1f231a6)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* file: fix call to localtime_r() | Joe Slater | 2023-10-04 | 2 | -1/+30

  Depending on the version of glibc, localtime_r() must be preceded by a call to tzset() or it will ignore any value of TZ in the environment. This problem will only be seen when building file-native on outdated hosts.

  (From OE-Core rev: c99d7fc46a1070b1c659ed16fbff6a3553aaf209)

  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 791145f3064d7807630d3591b9e7c7b2dc37152c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation | Chen Qi | 2023-09-29 | 1 | -0/+2

  The gcc_multilib_setup function is a function that is run at the do_configure step, so it's counted into the signature computation. The MULTILIB_VARIANTS this function uses is also extracted to be taken into consideration. After the change of setting MULTILIB_VARIANTS explicitly vardeps on MULTILIBS, the change of MULTILIBS changes the signature, thus causing rebuilding.

  However, in case of gcc-crosssdk, the setting of multilib should have no effect on it, as it's used to build nativesdk packages, not the target packages. So ignore MULTILIB_VARIANTS in signature computation.

  This fixes oe-selftest case sstatetests.SStateHashSameSigs2.test_sstate_nativesdk_samesigs_multilib.

  (From OE-Core rev: 537c71162a711dec32a63a657c4b101269a3e267)
  (From OE-Core rev: 6b87f7c9e955abe5833820ee7eda9d525c77d2ea)

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-git: upgrade 3.1.32 -> 3.1.37 | Narpat Mali | 2023-09-29 | 1 | -2/+2

  The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and CVE-2023-41040 fixes and other bugfixes.

  Changelog:
  ==========
  - WIP Quick doc by @LeoDaCoda in #1608
  - Partial clean up wrt mypy and black by @bodograumann in #1617
  - Disable merge_includes in config writers by @bodograumann in #1618
  - feat: full typing for "progress" parameter in Repo class by @madebylydia in #1634
  - Fix CVE-2023-40590 by @EliahKagan in #1636
  - #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in #1619
  - util: close lockfile after opening successfully by @skshetry in #1639
  - Bump actions/checkout from 3 to 4 by @dependabot in #1643
  - Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645
  - Fix CVE-2023-41040 by @facutuesca in #1644
  - Only make config more permissive in tests that need it by @EliahKagan in #1648
  - Added test for PR #1645 submodule path by @CosmosAtlas in #1647
  - Fix Windows environment variable upcasing bug by @EliahKagan in #1650
  - Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654
  - Better document env_case test/fixture and cwd by @EliahKagan in #1657
  - Remove spurious executable permissions by @EliahKagan in #1658
  - Fix up checks in Makefile and make them portable by @EliahKagan in #1661
  - Fix URLs that were redirecting to another license by @EliahKagan in #1662
  - Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
  - Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
  - Omit py_modules in setup by @EliahKagan in #1665
  - Don't track code coverage temporary files by @EliahKagan in #1666
  - Configure tox by @EliahKagan in #1667
  - Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668
  - Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673
  - Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
  - Remove @NoEffect annotations by @EliahKagan in #1677
  - Add more checks for the validity of refnames by @facutuesca in #1672

  Note that the changes to the license file are just removal of excess whitespace (the extra blank line at the end, and spaces appearing at the end of lines).

  References:
  https://github.com/gitpython-developers/GitPython/releases
  https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
  https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558

  (From OE-Core rev: 931af3758a2d79aea534ab6d23db392ede7cc1bb)

  Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-3354 | Yogita Urade | 2023-09-20 | 2 | -0/+89

  A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2023-3354

  (From OE-Core rev: 8f0b34f7ad5ef842d60c9b93ce2c6142d3249890)

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: backport a fix for ICE caused by CVE-2023-4039.patch | Martin Jansa | 2023-09-20 | 2 | -0/+118

  * see:
    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111418
    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111411

  (From OE-Core rev: c49f6b9dc8436322359029fecb90b23d639a2100)

  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: Fix -fstack-protector issue on aarch64 | Ross Burton | 2023-09-20 | 2 | -0/+3094

  This series of patches fixes deficiencies in GCC's -fstack-protector implementation for AArch64 when using dynamically allocated stack space. This is CVE-2023-4039. See:

  https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
  https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf

  for more details.

  (From OE-Core rev: 0cb253565c863aa1f677084a440294fe2a03beb0)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gdb: Fix CVE-2023-39128 | Siddharth Doshi | 2023-09-20 | 2 | -0/+76

  Note: The Fix needs to be pushed in gdb rather than binutils-gdb as we are disabling gdb in binutils configure.

  Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
  CVE: CVE-2023-39128

  (From OE-Core rev: 173d7ab67f14fc6d8b5d46e1c1de39d20965d6e9)

  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2023-39128 | Sanjana | 2023-09-20 | 2 | -0/+75

  Avoid buffer overflow in ada_decode.

  (From OE-Core rev: a6587352b4d204134443430b2ddc605f25a5ae3f)

  Signed-off-by: Sanjana <sanjanasanju1608@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: upgrade 1.20.6 -> 1.20.7 | Sakib Sajal | 2023-09-13 | 8 | -4/+4

  Upgrade to latest 1.20.x release [1]:

      $ git log --oneline go1.20.6..go1.20.7 origin/release-branch.go1.20
      adb775e309 (tag: go1.20.7, origin/release-branch.go1.20) [release-branch.go1.20] go1.20.7
      659f2a2207 [release-branch.go1.20] crypto/tls: restrict RSA keys in certificates to <= 8192 bits
      10d85fa0f6 [release-branch.go1.20] cmd/asm, cmd/internal/obj: generate proper atomic ops for riscv64
      bd3a1f24e7 [release-branch.go1.20] net: tolerate permission errors in interface tests
      6211a024b4 [release-branch.go1.20] cmd/compile: on PPC64, fix sign/zero extension when masking

  [1] https://github.com/golang/go/compare/go1.20.6...go1.20.7

  Upgrade includes fix for CVE-2023-29409 CVE-2023-39533

  (cherry picked from commit 039324d917ed124228a14ac1effdd66b27d9e82b)
  (From OE-Core rev: 8397964d5a8d995a06c5c2a34883047546edc077)

  Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: update to 3.11.5 | Chee Yang Lee | 2023-09-13 | 1 | -1/+1

  upgrade includes fix for CVE-2023-40217

  Release notes:
  https://docs.python.org/3/whatsnew/changelog.html#python-3-11-5-final

  (From OE-Core rev: 4a3e3042a0cef3a215d286b0f32be293c3948d1e)

  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: update 3.11.3 -> 3.11.4 | Alexander Kanavin | 2023-09-13 | 6 | -14/+14

  upgrade includes fix for CVE-2023-24329

  (cherry picked from commit f7f163ebe8c53de4314d04595c1fbcc7af2deccc)
  (From OE-Core rev: 8687de9f20bde7aba118a50342848031adfb7641)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.11.2 -> 3.11.3 | Alexander Kanavin | 2023-09-13 | 4 | -4/+4

  (cherry picked from commit 7d5bb3a4690ef61a1fee21773b4717e829789e32)
  (From OE-Core rev: a991fe85dca51ddf36994666e14e69839dd694b2)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcl: prevent installing another copy of tzdata | Martin Jansa | 2023-09-04 | 1 | -0/+6

  It checks build host filesystem and if it doesn't find UTC or GMT files it installs another copy of tzdata files in: /usr/lib/tcl8.6/tzdata

  Buildhistory shows the difference:

      -PKGSIZE = 2227075
      +PKGSIZE = 3433088

  See the autodetection in configure.in:

      #------------------------------------------------------------------------
      # Check whether the timezone data is supplied by the OS or has
      # to be installed by Tcl. The default is autodetection, but can
      # be overridden on the configure command line either way.
      #------------------------------------------------------------------------

      AC_MSG_CHECKING([for timezone data])
      AC_ARG_WITH(tzdata,
          AC_HELP_STRING([--with-tzdata],
              [install timezone data (default: autodetect)]),
          [tcl_ok=$withval], [tcl_ok=auto])
      #
      # Any directories that get added here must also be added to the
      # search path in ::tcl::clock::Initialize (library/clock.tcl).
      #
      case $tcl_ok in
          no)
              AC_MSG_RESULT([supplied by OS vendor])
          ;;
          yes)
              # nothing to do here
          ;;
          auto*)
              AC_CACHE_VAL([tcl_cv_dir_zoneinfo], [
              for dir in /usr/share/zoneinfo \
                      /usr/share/lib/zoneinfo \
                      /usr/lib/zoneinfo
              do
                      if test -f $dir/UTC -o -f $dir/GMT
                      then
                              tcl_cv_dir_zoneinfo="$dir"
                              break
                      fi
              done])
              if test -n "$tcl_cv_dir_zoneinfo"; then
                  tcl_ok=no
                  AC_MSG_RESULT([$dir])
              else
                  tcl_ok=yes
              fi
          ;;
          *)
              AC_MSG_ERROR([invalid argument: $tcl_ok])
          ;;
      esac
      if test $tcl_ok = yes
      then
          AC_MSG_RESULT([supplied by Tcl])
          INSTALL_TZDATA=install-tzdata
      fi

  (From OE-Core rev: d5a038b764720bd3267f258994371909f3f34ad6)

  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 3ace9fbfeb42ebf920812e3dd6d665b8b20a1ca0)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pygments: fix for CVE-2022-40896 | Narpat Mali | 2023-09-04 | 3 | -0/+354

  A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

  The CVE issue is fixed by these 3 different commits in different version:

  1. Improve the Smithy metadata matcher (These changes are already available as part of current python3-pygments_2.14.0 version):
     https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04 (2.14.0)
  2. SQL+Jinja: use a simpler regex in analyse_text:
     https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194 (2.15.0)
  3. Improve Java properties lexer (#2404):
     https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52 (2.15.1)

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2022-40896
  https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

  (From OE-Core rev: 5a02307af5e593be864423a9f3ab309703d61dbf)

  Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pseudo: Fix to work with glibc 2.38 | Richard Purdie | 2023-08-30 | 2 | -0/+73

  This adds a horrible hack to get pseudo working with glibc 2.38. We can't drop _GNU_SOURCE to something like _DEFAULT_SOURCE since we need the defines the gnu options bring in. That leaves using internal glibc defines to disable the c23 versions of strtol/fscanf and friends. Which would break pseudo build with 2.38 from running on hosts with older glibc.

  We'll probably need to come up with something better but this gets glibc 2.38 and working and avoids autobuilder failures.

  (From OE-Core rev: 387b276c2d56d58c2a25d59984fcaaf9c88ac788)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 596fb699d470d7779bfa694e04908929ffeabcf7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* file: upgrade 5.44 -> 5.45 | Wang Mingyu | 2023-08-30 | 1 | -1/+1

  Changelog:
  ==========
  -PR/465: psrok1: Avoid muslc asctime_r crash
  -add SIMH tape format support
  -bump the max size of the elf section notes to be read to 128K and make it configurable
  -PR/415: Fix decompression with program returning empty
  -PR/408: fix -p with seccomp
  -PR/412: fix MinGW compilation

  (From OE-Core rev: 6f1caa944982e265c394a554bfcfa8a105b1d698)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit facef006da35e22394a4cbb13243769586d10f31)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-git: upgrade 3.1.31 -> 3.1.32 | Narpat Mali | 2023-08-30 | 1 | -1/+1

  The delta between 3.1.31 & 3.1.32 contains the CVE-2023-40267 fix and other bugfixes.

  Changelog:
  https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32

  - Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572
  - Fix up the commit trailers functionality by @itsluketwist in #1576
  - Name top-level exceptions as private variables by @Hawk777 in #1590
  - fix pypi long description by @eUgEntOptIc44 in #1603
  - Don't rely on del by @r-darwish in #1606
  - Block insecure non-multi options in clone/clone_from by @Beuc in #1609

  (From OE-Core rev: fd38c8d91f95b44ea7b833772b9a07e1f1d74479)

  Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcf-agent: Update to 1.8.0 release | Mark Hatle | 2023-08-18 | 1 | -2/+2

  New 1.8 release of tcf-agent. Implements DWARF 5 support and various bug fixes.

  Changelog since last SRCREV:
  Releng: Upversion TCF to 1.8
  Fixed possible SEGFAULT after error message queue overflow
  Fixed misspelling in a comment
  TCF Agent: update breakpoint error message
  Fixed regression: possible segfault in run_safe_events()
  Bug 581978 - TCF agent wrong handle the call frame debug info generated by LLVM 16 for RISC-V
  DWARF: a bit faster implementation of dio_ReadAddressX()
  Bug 581971 - Failed to handle loclist for DWARF 5
  Fixed handling of situation when a context resumed or exited during breakpoint evaluation
  Bug 581799 - when loads .debug_info section from dwarf 5 file, the content of some part are zero
  Updated examples/daytime/readme.txt

  (From OE-Core rev: 1b5b577f1b766ed6f98b6854e6968d4b9b02a45a)

  Signed-off-by: Mark Hatle <mark.hatle@amd.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 0c2c7c910fa933bc46f69207f1f7641c1e7b77e0)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.40 branch updates | sanjana | 2023-08-18 | 1 | -1/+1

  Below commits on binutils-2.40 stable branch are updated.

  391fd4d9ee5 PR30697, ppc32 mix of local-dynamic and global-dynamic TLS
  7ad52a2357f [GOLD] powerpc DT_RELACOUNT
  03f49a0619c PR30536, ppc64el gold linker produces unusable clang-16 binary

  (From OE-Core rev: 74e6452a9fbeb928a635869160bc17cfeab867f0)

  Signed-off-by: sanjana <sanjanasanju1608@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-2861 | Yogita Urade | 2023-08-18 | 2 | -0/+172

  qemu: 9pfs: prevent opening special files

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2023-2861

  (From OE-Core rev: 4dd99f7f48664dbaef7f3a083a9d362552ba44ac)

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-3255 | Yogita Urade | 2023-08-18 | 2 | -0/+66

  QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2023-3255

  (From OE-Core rev: 886536b056230a9d72c900eacc8d1d8b44bd2836)

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-3301 | Yogita Urade | 2023-08-18 | 2 | -0/+66

  qemu: hotplug/hotunplug mlx vdpa device to the occupied addr port, then qemu core dump occurs after shutdown guest

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2023-3301

  (From OE-Core rev: 82bf6c4cba88dc9f25caf14d60e79ce0c366919c)

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* file: fix the way path is written to environment-setup.d | Oleksandr Hnatiuk | 2023-08-15 | 1 | -1/+1

  $OECORE_NATIVE_SYSROOT is not escaped, thus it is expanded to an empty string. This happens to work because we have ${datadir} which in this context is relocated to the buildtools sysroot after installation of buildtools.

  If the $ before OECORE_NATIVE_SYSROOT is escaped, it will be saved to file.sh as intended, but MAGIC will point to the wrong location because both OECORE_NATIVE_SYSROOT and datadir resolve to sysroot which doubles the path like so:

      /path/to/buildtools/sysroots/x86_64-xesdk-linux/path/to/buildtools/sysroots/x86_64-xesdk-linux/usr/share/misc/magic.mgc

  which does not exist.

  So, removing reference to OECORE_NATIVE_SYSROOT.

  (From OE-Core rev: 7ae5c9a17d6f8133fa5b4e127dd4e9cc43454ee8)

  Signed-off-by: Oleksandr Hnatiuk <ohnatiuk@cisco.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit c6206249683876670602888e78ecaf719753a317)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* file: return wrapper to fix builds when file is in buildtools-tarball | Oleksandr Hnatiuk | 2023-08-15 | 1 | -0/+1

  Wrapper that adds proper path to magic file was removed in 47db876d09d9a4394048579c21d0b394450ce681 in favor of environment-setup.d/file.sh which now contains `MAGIC` environment variable.

  This breaks builds that rely on external buildtools with `file` included in buildtools-tarball (e.g. via TOOLCHAIN_HOST_TASK) because do_populate_sysroot task invokes `file` via `subprocess.check_output` (in is_elf function) and doesn't use variables from files in environment-setup.d.

  To address this use case, we need to preserve the wrapper, but also have environment-setup.d/file.sh for the purposes described in 47db876d09d9a4394048579c21d0b394450ce681.

  (From OE-Core rev: 4a9832c55044b894e933179e5c1b6a96634809c0)

  Signed-off-by: Oleksandr Hnatiuk <ohnatiuk@cisco.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit e76b059cf4ba9a79150032d68d012b233dd79a65)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* automake: fix buildtest patch | Julien Stephan | 2023-08-15 | 1 | -1/+1

  Add check_PROGRAMS as a dependency of buildtest-TESTS target. This is required because according to the official automake documentation [1]:
  * TESTS: contains all the tests files
  * check_PROGRAMS: contains the programs used by the tests
  * check_PROGRAMS is not automatically added to TESTS

  So, by using only TESTS as a dependency for buildtest-TESTS we may end up having runtime errors because of missing program required by the tests.

  [1]: https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html

  (From OE-Core rev: 8a5630c113bd8509fcb62e8a32fcadfc2dc94181)

  Signed-off-by: Julien Stephan <jstephan@baylibre.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit ee3e2af4f8ed95b4fd0f7cec52ae4e169401b719)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* opkg-utils: upgrade 0.5.0 -> 0.6.2 | Wang Mingyu | 2023-08-15 | 1 | -1/+1

  (From OE-Core rev: 525459d2f387ec82fabccdae19aa8b977f534929)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit b0fe9b3dfbe78716c96b70ef098d9cfbf430d5b7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* opkg: upgrade 0.6.1 -> 0.6.2 | Wang Mingyu | 2023-08-15 | 3 | -89/+2

  0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch
  0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch
  removed since they're included in 0.6.2.

  Changelog:
  ===========
  ### Changed
  - the project's developer documentation to be more correct and current.

  ### Fixed
  - a bug in the 'opkg-keys' utility script which caused the script to ignore settings in the '/etc/opkg/gpg/gpg.conf' file.
  - a compilation error in 'md5.c' when using clang16+ and '-std >= gnu11'.

  (From OE-Core rev: 5bdfde3fd4266d637019b59d55a33438cb36903f)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit d7c8a58297e38f6222035aa9135fedf2ca387742)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-certifi: upgrade 2022.12.7 -> 2023.7.22 | Narpat Mali | 2023-08-15 | 1 | -1/+1

  python3-certifi 2023.7.22 contains the CVE-2023-37920 fix.

  No changelog provided.

  Commits:
  8fb96ed (tag: 2023.07.22) 2023.07.22
  afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
  2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
  44df761 Hash pin Actions and enable dependabot (#228)
  8b3d7ba (tag: 2023.05.07) 2023.05.07
  53da240 ci: Add Python 3.12-dev to the testing (#224)
  c2fc3b1 Create a Security Policy (#222)
  c211ef4 Set up permissions to github workflows (#218)
  2087de5 Don't let deprecation warning fail CI (#219)
  e0b9fc5 remove paragraphs about 1024-bit roots from README
  9427a5a fix CI
  fed4048 get CI passing again
  9e9e840 (tag: 2022.12.07) 2022.12.07

  (From OE-Core rev: ec5e5ae6b304dee9b323bd20f3db25152a083398)

  Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: update 1.20.5 -> 1.20.6 | Jose Quaresma | 2023-08-15 | 8 | -4/+4

  Upgrade to latest 1.20.x release [1]:

  $ git log --oneline go1.20.5..go1.20.6 origin/release-branch.go1.20
  2c358ffe97 (tag: go1.20.6, origin/release-branch.go1.20) [release-branch.go1.20] go1.20.6
  312920c00a [release-branch.go1.20] net/http: validate Host header before sending
  4db13d762b [release-branch.go1.20] runtime: set raceignore to zero when starting a new goroutine
  08a58dd8b6 [release-branch.go1.20] runtime: allow for 5 more threads in TestWindowsStackMemory*
  65092835c5 [release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64
  bca817594c [release-branch.go1.20] crypto/x509: tolerate multiple matching chains in testVerify
  b8e67d1ddd [release-branch.go1.20] cmd/go/internal/test: don't wait for previous test actions when interrupted
  3db4f8146c [release-branch.go1.20] runtime: resolve checkdead panic by refining `startm` lock handling in caller context
  6b45fb7b73 [release-branch.go1.20] runtime: fallback to TEB arbitrary pointer when TLS slots are full
  be30960e58 [release-branch.go1.20] runtime: use 1-byte load for address checking in racecallatomic
  b59efe6c34 [release-branch.go1.20] net/mail: permit more characters in mail headers
  c32f1afb41 [release-branch.go1.20] all: make safe for new vet analyzer
  c7b145655b [release-branch.go1.20] cmd/go: fix tests for new builder environment
  03063101a2 [release-branch.go1.20] text/template: set variables correctly in range assignment
  d51e322a3f [release-branch.go1.20] go/printer: error out of Fprint when it would write a '//line' directive with a multiline file path
  49594244d3 [release-branch.go1.20] cmd/cover: error out if a requested source file contains a newline
  4719048211 [release-branch.go1.20] cmd/cgo: error out if the source path used in line directives would contain a newline
  6c606fc191 [release-branch.go1.20] cmd/go: fix TestScript/build_cwd_newline with CGO_ENABLED=0
  63ad2b5811 [release-branch.go1.20] cmd/compile: do not report division by error during typecheck
  95f377daad [release-branch.go1.20] cmd/go: retain extra roots to disambiguate imports in 'go mod tidy'
  a7a48fad7e [release-branch.go1.20] crypto/ecdsa: properly truncate P-521 hashes
  f5172dcd38 [release-branch.go1.20] go/build: check for invalid import paths again
  8b3acefcbe [release-branch.go1.20] cmd/go: omit checksums for go.mod files needed for go version lines more often in pre-1.21 modules
  1008486a9f [release-branch.go1.20] cmd/cgo: correct _cgo_flags output

  [1] https://github.com/golang/go/compare/go1.20.5...go1.20.6

  (From OE-Core rev: 944b186eeb6821654ce6ef56df7ac0f2829696f5)

  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8d8216d8c4d37cc0d9508eb644653f94fff8989c)
  Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: fix missing comma in get_module_deps3.py | Ross Burton | 2023-08-01 | 1 | -1/+1

  Wes Tarro <wes.tarro@azuresummit.com> noticed a missing comma in a replace() call, add it.

  That said, calling replace() with one argument results in a TypeError, so this is obviously dead code.

  (From OE-Core rev: f24236b7b52dd753d7170bac9c38dff1133db76e)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 9b2e2c8d809e7ca34451ec9702b029a00dfb410b)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pkgconf: update SRC_URI | Ross Burton | 2023-08-01 | 1 | -1/+1

  dereferenced.org is no longer controlled by the pkgconf maintainers[1], so use the new hosting location.

  [1] https://github.com/pkgconf/pkgconf/commit/437c2a3218bfcb1cae7fa38a4ccd0cb29575ff07

  (From OE-Core rev: 7b50737b787311216670aa4b83b0a363d9a12aa3)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c3df4594513410c7a6352e62aa928c42982eac13)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Fix CVE-2023-36617 | Mingli Yu | 2023-08-01 | 3 | -0/+110

  Backport two patches [1] [2] to fix CVE-2023-36617 [3].

  [1] https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1
  [2] https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8
  [3] https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/

  (From OE-Core rev: 403a24f02600e2462e8ccfbb42651e15e002bd2e)

  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: ignore CVE-2023-36632 | Peter Marko | 2023-08-01 | 1 | -0/+2

  This CVE shouldn't have been filed as the "exploit" is described in the documentation as how the library behaves.

  (From OE-Core rev: 3e7f736fa07a132d4fe42a59baaabe565238da21)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc-testsuite: Fix ppc cpu specification | Richard Purdie | 2023-07-26 | 1 | -2/+3

  After this change in qemu:

  https://gitlab.com/qemu-project/qemu/-/commit/c7e89de13224c1e6409152602ac760ac91f606b4

  there is no 'max' cpu model on ppc. Drop it to clean up ppc gcc testsuite failures.

  In order for this to work we do need to pull in the alternative cpu option from QEMU_EXTRAOPTIONS on powerpc.

  (From OE-Core rev: ea3143b243bb979f9b89f01fc2e7826cac0a7d75)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c447f2b21b20fb2b1829d540af2cc0bf8242700c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: don't pass --enable-standard-branch-protection | Ross Burton | 2023-07-26 | 1 | -1/+0

  By changing the default code generation of GCC we're inadvertently breaking the GCC test suite, which has ~120K+ more failures when run for aarch64 compared to x86-64.

  This was because the generated code fragments included the BTI instructions, which the test case wasn't expecting. We can't tell the tests globally to run without branch protection, as that will break the tests which also turn it on.

  Remove the enabling of branch protection by standard in GCC, we'll enable it in the tune files instead.

  (From OE-Core rev: 81351d984bc6238e9b901ae83c0de6e3d3463c77)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit bb4b9017db6a893ed054a2d2ad4cc671dec09c42)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24531 | Sakib Sajal | 2023-07-26 | 3 | -0/+315

  Backport required commits to fix CVE-2023-24531.

  (From OE-Core rev: 5d80e920c7ceaf091ccace8a3b6781b720abafbf)

  Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>