| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add below patch to fix CVE-2022-37454
CVE-2022-37454.patch
Link: https://security-tracker.debian.org/tracker/CVE-2022-37454
Link: https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631
(From OE-Core rev: 6a8ef6cc3604008860dcb6aa5d7155b914d7c391)
Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: pawan <badganchipv@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997
(From OE-Core rev: 2470c52db633f206dbfcd049fcca828d1ff5f82a)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Links:
Dependent Patches:
CVE-2021-3521-01
https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
CVE-2021-3521-02
https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c
CVE-2021-3521-03
https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38
CVE-2021-3521
https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8
(From OE-Core rev: ddb4f775a86855e4ddc6c0d0d1f24a55e0ecbfe0)
Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
guest crash
Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
(From OE-Core rev: 1523fcbb6fef60d30c07377673fca265c5c9781c)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
gcc stable version upgraded from v9.3 to v9.5
Below is the bug fix list for v9.5
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=9.5
(From OE-Core rev: 698c3323fd95592e815345acd9070e5089a1bd00)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CVE is in the io/fs package, which first appeared in go1.16.
Since dunfell is using go1.14, this issue does not apply.
CVE was fixed in fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
Original code in b64202bc29b9c1cf0118878d1c0acc9cdb2308f6
(From OE-Core rev: 1e258940e9a6fabda6e7e60841082c113fdf9500)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only affects Windows platform, as per the release announcement [1]:
"If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput
are executed when Cmd.Path is unset and, in the working directory, there
are binaries named either "..com" or "..exe", they will be executed."
[1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
(From OE-Core rev: 54c40730bc54aa2b2c12b37decbcc99bbcafd07a)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dunfell uses golang 1.14 which does not contain the affected code (it
was introduced in golang 1.16). From the golang announcement [1]
"Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can
be made to panic by an attacker providing either a crafted ZIP archive
containing completely invalid names or an empty filename argument.
[1] https://groups.google.com/g/golang-announce/c/0fM21h43arc
(From OE-Core rev: 2329902f994b631d6b77e8bd501d5599db6d5306)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a bug in golang.org/x/net/html/parse.go. The golang compiler
includes a partial copy of this under src/vendor/golang.org/x/net/
however the "html" subdirectory is not included. So this bug does not
apply to the compiler itself.
(From OE-Core rev: b8a851faef9990ccb41ded875fc79cf28abd4a4e)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The issue only affects Windows per the golang announcement [1]:
On Windows, the filepath.Clean function could convert an invalid path to
a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.
[1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg
(From OE-Core rev: bca720eca95929752436b56aa01e7fddfa1c834f)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
CVE: CVE-2022-28327
(From OE-Core rev: aab2a343be4b0b21dcaf22a7fbf77007d48c08d6)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae]
CVE: CVE-2022-28131
(From OE-Core rev: 09a820fe21d7884c6733d569f6560ef1ded5435d)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b]
CVE: CVE-2022-24921
(From OE-Core rev: a2d3d80a7df5b8f57105ef2b680e9e01a9da6486)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
CVE: CVE-2021-44716
(From OE-Core rev: c5ec3e8701a1b81d8e5b17d2521530345892a09b)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3]
CVE: CVE-2021-33198
(From OE-Core rev: 078260dd63e205d3a433b03357f2332f44daa397)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e]
CVE: CVE-2021-33195
(From OE-Core rev: f1051e11fd0eb5b0e9924a0acdcb078ddc8f9772)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix CVE-2022-45061, referenced as
https://github.com/python/cpython/issues/98433
patch taken from
https://github.com/python/cpython/pull/99231/commits/064ec20bf7a181ba5fa961aaa12973812aa6ca5d
(From OE-Core rev: 4498ca9a299bd5d9a7173ec67daf17cb66b6d286)
Signed-off-by: Omkar <omkarpatil10.93@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Below commits on binutils-2.34 stable branch are updated.
c4e78c0868a PR27755, powerpc-ld infinite loop
33973d228c9 gas, arm: PR26858 Fix availability of single precision vmul/vmla in arm mode
0c8652fe288 x86: Update GNU property tests
5c1bd3f52c6 x86: Properly merge -z ibt and -z shstk
93b9bf1651a PowerPC TPREL_HA/LO optimisation
58950a3bfd4 Date update
e3b314d3a61 aarch64: set sh_entsize of .plt to 0
26b6ab7a0e4 S/390: z13: Accept vector alignment hints
7324292cd94 gas: Fix checking for backwards .org with negative offset
463ec189fe9 Prevent a potential use-after-fee memory corruption bug in the linker (for PE format files).
ef2826c0fdb Fix the ARM assembler to generate a Realtime profile for armv8-r.
8524bb5bd28 Re: Fix tight loop on recursively-defined symbols
5768460022b Fix tight loop on recursively-defined symbols
a72427b1ae0 gas: PR 25863: Fix scalar vmul inside it block when assembling for MVE
9f57ab49b32 BFD: Exclude sections with no content from compress check.
aaf3f0599a2 Arm: Fix LSB of GOT for Thumb2 only PLT.
97f92b3e90a Arm: Fix thumb2 PLT branch offsets.
3053d7a163c include: Sync plugin-api.h with GCC
f7aec2b8e09 PR25745, powerpc64-ld overflows string buffer in --stats mode
1b2bf0f65c1 include: Sync plugin-api.h with GCC
5e8619b9597 include: Sync lto-symtab.h and plugin-api.h with GCC
23820109ced plugin: Don't invoke LTO-wrapper
64f5c0afcc4 plugin: Use LDPT_ADD_SYMBOLS_V2 to get symbol type
aaa1e160040 Silence warnings due to plugin API change
e7c0ee5110c Include: Sync lto-symtab.h and plugin-api.h with GCC
b6520be37fd Fix dwarf.c build with GCC 10
a560c29ca5a bfd: Change num_group to unsigned int
3ca4cd1ebde gas, arm: Fix bad backport
b3174859c4b gas, arm: PR25660L Fix vadd/vsub with lt and le condition codes for MVE
de9c1b7cfe6 powerpc64-ld infinite loop
0318fc4e18e Adjust PR25355 testcase
40bfb976274 Re: PR24511, nm should not mark symbols in .init_array as "t"
42b2380cdce Don't call lto-wrapper for ar and ranlib
acc4a8b8ac8 PR25585, PHDR segment not covered by LOAD segment
(From OE-Core rev: ad15d44b6c56ccbbe8e4c12717e7dfe3492a659a)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
to out-of-bounds write
Upstream-Status: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
(From OE-Core rev: 8b5d38abdbfd3bdeb175c793b4d33f9054e89f77)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
archive/tar: limit size of headers
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.
Link: https://github.com/golang/go/commit/0a723816cd2
(From OE-Core rev: a8e2f91edfe2df5204a482c4e53fbdd08f80e878)
Signed-off-by: Sunil Kumar <sukumar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
parameters
Upstream-Status: Backport from https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e
(From OE-Core rev: f977d712455411c091aeee04ea7096d9e8c5b563)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid accidentally linking to the rdma library from the host by
adding a PACKAGECONFIG for the option. This was found on new
Fedora 36 autobuilder workers.
(From OE-Core rev: aa9d0c2b777c10bb6c68b0232d54cbcd1af1493f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2a0f3cb225e4d5471155abbcd05d09bd6bf1620f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Avoid accidentally linking to the rbd library from the host by
adding a PACKAGECONFIG for the option.
(From OE-Core rev: bb32854dbe68335d834aaa80e42d6a524ea4e1b2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid accidentally linking to the vde library from the host by
adding a PACKAGECONFIG for the option.
(From OE-Core rev: cc979908beec8a40a636d00a1fdcf2769358377f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8839e9540528b0b46c4fb4f95e508f038bcef8b9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security and bug fixes.
* Drop CVE-2021-28861.patch as it was merged in 3.8.14 release.
Fixes:
* CVE-2020-10735
https://nvd.nist.gov/vuln/detail/CVE-2020-10735
* CVE-2021-28861
https://nvd.nist.gov/vuln/detail/CVE-2021-28861
* CVE-2018-25032
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Python 3.8.14
Release Date: Sept. 6, 2022
This is a security release of Python 3.8
Note: The release you're looking at is Python 3.8.14, a security bugfix
release for the legacy 3.8 series. Python 3.10 is now the latest
feature release series of Python 3.
Security content in this release
CVE-2020-10735: converting between int and str in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits in string
form is above a limit to avoid potential denial of service attacks due
to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP
server when an URI path starts with //.
gh-93065: Fix contextvars HAMT implementation to handle iteration over
deep trees to avoid a potential crash of the interpreter.
gh-90355: Fix ensurepip environment isolation for the subprocess running
pip.
gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage
of cursors in sqlite3 converters.
(From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://git.qemu.org/?p=qemu.git
MR: 117886
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9
ChangeID: 3af901d20ad8ff389468eda2c53b4943e3a77bb8
Description:
CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free.
(From OE-Core rev: 0f4b1db4fdc655e880ec66525eb7642978529e82)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Link: https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec
(From OE-Core rev: 3362bbb1a1ce599418dc8377043f7549f9327315)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 121912
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479
ChangeID: 0b76a92a774279d7bffc9d6fa05564dfd8371e8c
Description:
CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY.
(From OE-Core rev: 4e2f723a4288ad4839fac2769e487612252b1d40)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
| |
(From OE-Core rev: 7fdd4d2dc019071525349fbb153e2e80f6583217)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
(From OE-Core rev: f547c9610f8c17c3da9ca3f7a79902d2ffbfca49)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 482471a617e5f682416b7ec1a920dfaeac65f1a3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upstream qemu recipe uses host's pkg-config files as a solution to
detecting host's SDL. This has a side effect of using other host
libraries that are later queried by the configure script. This can get
into a situation when the host provides libnfs (for example) and because
later this dependency is not in place anymore, qemu will fail at
runtime.
This change adds a PACKAGECONFIG definition for libnfs that is disabled
by default, in turn disabling the pkgconfig autodetection in configure.
(From OE-Core rev: 9badcf0261f6b735d65a5498bb8fbb9979d7a07f)
Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42b364a25fdbc987c85dd46b8427045033924d99)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backport fixes:
CVE-2020-13754, backport patches as debian security tracker notes
https://security-tracker.debian.org/tracker/CVE-2020-13754
CVE-2021-3713
CVE-2021-3748
CVE-2021-3930
CVE-2021-4206
CVE-2021-4207
CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2.
Ignore:
CVE-2020-27661, issue introduced in v5.1.0-rc0
https://security-tracker.debian.org/tracker/CVE-2020-27661
(From OE-Core rev: 16a6e8530c4820f070973a1b4d64764c20706087)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backport fixes:
CVE-2021-27918
CVE-2021-36221
CVE-2021-39293
CVE-2021-41771
ignore:
CVE-2022-29526
CVE-2022-30634
(From OE-Core rev: ddb09ccc3caebbd3cf643bb3bb3c198845050c69)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
(From OE-Core rev: 2cf26e2e5a83d2b2efd01de34c11da07eeb9c8f9)
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add patch to fix CVE-2021-28861
CVE-2021-28861.patch
Link: https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672
(From OE-Core rev: cbf57b25c78ea9d56863d9546b51fc2c88adb8cf)
Signed-off-by: Riyaz Khan <rak3033@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 120634
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102
ChangeID: 3ade323dd52a6b654358f6738a0b3411ccc6d3f8
Description:
CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.
(From OE-Core rev: 9b3420c9a91059eb55754078bb1e733972e94489)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 120628, 120631
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e && https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e
ChangeID: fbd8d61bdc2e9cb0cdbe9879e02aed218ee93dbe
Description:
Fixed CVE:
1. CVE-2022-30635
2. CVE-2022-32148
(From OE-Core rev: 2c4fb77f417464d9cd40f0ebd8cc52e6e6ca689e)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 120622, 120625
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827
ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5
Description:
Fixed CVE:
1. CVE-2022-30632
2. CVE-2022-30633
(From OE-Core rev: 9ffaae887743d77839fb758657b1dec71a9b8880)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 120613, 120613
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3
ChangeID: 366db775dec045d7b312b8da0436af36ab322046
Description:
Fixed CVE:
1. CVE-2022-30629
2. CVE-2022-30631
(From OE-Core rev: 6813a265c7c21e24636d07a6a8df16ef0cf7da50)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://git.qemu.org/?p=qemu.git;
MR: 107558
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442
ChangeID: c5d25422f43edb7d8728118eb482eba09474ef2c
Description:
CVE-2020-27821 qemu: heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c.
(From OE-Core rev: 198bd53bdc77d2b01dae19993bde79f03f4dd02c)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes
ERROR: QA Issue: : /work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/sysroot-destdir/work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/recipe-sysroot-native/usr/bin/config_data maximum shebang size exceeded, the maximum size is 128. [shebang-size]
(From OE-Core rev: f11ed8c8fd78b88a50f382df419afff6ccde02a0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54ecb2d3f2523293383103cbe590ebdd037ee483)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
path, leading to an io_readx or io_writex crash
Source: https://github.com/qemu/qemu
MR: 119832
Type: Security Fix
Disposition: Backport from https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00
Description:
CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
(From OE-Core rev: 7c3043df56b3090138fe56f8c06df5ca08cafd26)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Autobuilder workers were non-deterministically enabling capstone
depending on whether the worker had libcapstone installed.
Add PACKAGECONFIG for capstone with default off, since qemu does not
require capstone support.
Qemu version in dunfell has capstone in the source tree as a submodule
and has configure options to enable it using that source code or using
the system libcapstone.
Qemu versions in master and kirkstone have removed the capstone
submodule and configure options, but added libcapstone autodetection to
meson.
In all cases using PACKAGECONFIG will allow a deterministic build.
(From OE-Core rev: af25fff399fa623b4fd6efbca21e01ea6b4d1fd7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 052ef1f14d1e6a5ee34f742f65e51b20b416f79f)
Signed-off-by: Steve Sakoman <steve@sakoman.com
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
reading a very large header
Source: https://github.com/argoheyard/lang-net
MR: 114874
Type: Security Fix
Disposition: Backport from https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282
ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb
Description:
CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header.
(From OE-Core rev: 2850ef58f2a39a5ab19b1062d1b50160fec4daa8)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://go-review.googlesource.com/c/go
MR: 117551
Type: Security Fix
Disposition: Backport from https://go-review.googlesource.com/c/go/+/399816/
ChangeID: 347f22f93e8eaecb3d39f8d6c0fe5a70c5cf7b7c
Description:
CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode.
(From OE-Core rev: 6625e24a6143765ce2e4e08d25e3fe021bc2cdf6)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
update include fixes for CVE-2022-1664.
(From OE-Core rev: 12169c1104adbfd9f5196fdbdab16536e98fd43f)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/golang/go
MR: 114884
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/44a3fb49
ChangeID: 7b28553d4e23828b20c3357b1cca79ee3ca18058
Description:
CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error.
(From OE-Core rev: b835c65845b1445e1bb547c192cb22c2db4c7e6f)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
references
Source: https://github.com/pypa/pip
MR: 113864
Type: Security Fix
Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636
Description:
CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references.
(From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some tasks may reference ${B} for gcc-source which in general would not exist.
It has dependencies on HOST_SYS and TARGET_SYS which are not appropriate for a
shared recipe like gcc-source. This causes problems for the archiver and
multiconfigs in particlar.
Set B to something else to avoid these task hash issues.
Acked-by: Jose Quaresma <jose.quaresma@foundries.io>
(From OE-Core rev: 14aa189c2e47a2c5a4a0099235a2605666651f74)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit beb2a76c591e985c6fc7ed473abd1bee27f955a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building busybox with CONFIG_LSATTR=y and installing that in the same
filesystem as e2fsprogs breaks:
ERROR: ... do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget:${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Fix that by also alternatifying lsattr just as chattr already is.
(From OE-Core rev: 28090d32c88d99ea36a03f3bb723838746001e4b)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96703961eeb3460e9da26503d7942cc965d1e573)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
