path: root/meta/recipes-extended
Commit message | Author | Age | Files | Lines
* libarchive: Fix CVE-2021-31566 issue | Ranjitsinh Rathod | 2022-09-12 | 3 | -0/+197
  Add patch to fix CVE-2021-31566 issue for libarchive
  Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz
  (From OE-Core rev: 7028803d7d10c0b041a7bda16f9d9261f220459f)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: Fix CVE-2021-23177 issue | Ranjitsinh Rathod | 2022-09-12 | 2 | -0/+184
  Add patch to fix CVE-2021-23177 issue for libarchive
  Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz
  (From OE-Core rev: 01d7e2c7a0da55a7c00aebed107c1338f5f032b1)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: upgrade 2022a -> 2022b | Alexander Kanavin | 2022-09-03 | 1 | -3/+3
  (From OE-Core rev: b0a0abbcc5e631e693b9e896bd0fc9b9432dd297)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b301d5203a4da0a0985670848126c5db762ddc86)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections | Hitendra Prajapati | 2022-08-08 | 2 | -1/+158
  Source: http://git.linux-nfs.org/?p=steved/libtirpc.git;
  MR: 120231
  Type: Security Fix
  Disposition: Backport from http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
  ChangeID: 544120a5f10a4717cd2c7291821a012e26b14b7f
  Description: CVE-2021-46828 libtirpc: DoS vulnerability with lots of connections.
  (From OE-Core rev: 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Port debian fixes for two CVEs | Richard Purdie | 2022-07-08 | 3 | -0/+74
  Add two fixes from debian for two CVEs.
  From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
  I wasn't able to get the reproducers to work but the added error checking isn't probably a bad thing.
  (From OE-Core rev: 097469513f6dea7c678438e71a152f4e77fe670d)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2021-4217 | Joe Slater | 2022-07-08 | 2 | -0/+68
  Avoid a null pointer dereference.
  (From OE-Core rev: 357791da82f767ad695e4476aa12fea3d7db5e04)
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: fix CVE-2022-26691 | Steve Sakoman | 2022-06-22 | 2 | -1/+35
  In scheduler/cert.c the previous algorithm didn't expect that the strings can have a different length, so one string can be a substring of the other and such a substring was reported as equal to the longer string.
  Backport patch from upstream to fix:
  https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444
  CVE: CVE-2022-26691
  (From OE-Core rev: cc657868d31cc8b4218a07aa10fa098c379e473c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* xz: fix CVE-2022-1271 | Ralph Siemsen | 2022-04-21 | 2 | -1/+99
  Malicious filenames can make xzgrep write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution.
  Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
  CVE: CVE-2022-1271
  (From OE-Core rev: da4180062f12aa855a0dd2c0dbe4f0721df67055)
  Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gzip: fix CVE-2022-1271 | Ralph Siemsen | 2022-04-21 | 2 | -0/+46
  zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.
  Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
  CVE: CVE-2022-1271
  (From OE-Core rev: b7f0696bc60409af215549d26621526c1a93a002)
  Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update to 2022a | Oleksandr Kravchuk | 2022-04-09 | 1 | -3/+3
  (From OE-Core rev: aa762b7ca2417b80dd114a4ab263d69074912f82)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b280aecd79e95811f8baec6c4479c5752c54d9e5)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: backport patch fix for CVE-2021-3781 | Davide Gardenal | 2022-03-31 | 4 | -0/+399
  Upstream advisory: https://ghostscript.com/blog/CVE-2021-3781.html
  Other than the CVE fix, two other commits are backported to fit the patch.
  (From OE-Core rev: ce856e5e07589d49d5ff84b515c48735cc78cd01)
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2020-15900 and CVE-2021-45949 for -native | Steve Sakoman | 2022-03-31 | 1 | -3/+3
  CVE patches (and the stack limits check patch) should have been added to SRC_URI_BASE so that they are applied for both target and -native packages.
  (From OE-Core rev: da9b7b8973913c80c989aee1f5b34c98362725a8)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsolv: fix CVE: CVE-2021-44568-71 and CVE-2021-44573-77 | Steve Sakoman | 2022-03-31 | 1 | -0/+10
  The existing patch for CVE-2021-3200 also fixes CVE-2021-44568 through CVE-2021-44671 and CVE-2021-44573 through CVE-2021-44677, so update CVE tags in patch to reflect this.
  Reference: https://github.com/openSUSE/libsolv/issues/426
  (From OE-Core rev: 3096134d25fc4cf9bd18839838a62a6c89344e31)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* asciidoc: update git repository | Ross Burton | 2022-03-11 | 1 | -1/+1
  The asciidoc-py3 repository has been renamed to asciidoc-py.
  (From OE-Core rev: 6b899f694ec57bb3c6254d59ac5c51378579c014)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: Fix for CVE-2021-36976 | Virendra Thakur | 2022-03-09 | 4 | -1/+540
  Add patch to fix CVE-2021-36976
  The CVE-2021-36976 fix is provided by the pull requests mentioned below.
  1) https://github.com/libarchive/libarchive/pull/1491
  2) https://github.com/libarchive/libarchive/pull/1492
  3) https://github.com/libarchive/libarchive/pull/1493
  (From OE-Core rev: 6c356aec8dabc08bd98da3106780896dc7b52501)
  Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
  Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lighttpd: backport a fix for CVE-2022-22707 | Ross Burton | 2022-02-23 | 2 | -0/+101
  Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward.
  (From OE-Core rev: d54d7e7b43da621be8e6fcca34feb7b3d49b8160)
  (From OE-Core rev: bf57c164501c0a60279d069aa8130fb622db8273)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 7758596613cc442f647fd4625b36532f30e6129f)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 7695d11dd09b1e9e87d6741135d0b28e82672f0a)
  Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
  Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* shadow-sysroot: sync license with shadow | Ross Burton | 2022-02-16 | 1 | -1/+1
  This recipe is just a single data file from shadow, but as we can't easily tell what license that specific file is under, just copy the full license statement.
  (From OE-Core rev: f0e2f3b1f855ea6e184bd1d8d796279fedcbfa33)
  (From OE-Core rev: b4bd6c8a400a52fcd7b7e580cfee5b48f5756d1a)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* shadow: Use specific BSD license variant | Joshua Watt | 2022-02-16 | 1 | -1/+1
  Make the license more accurate by specifying the specific variant of BSD license instead of the generic one. This helps with SPDX license attribution as "BSD" is not a valid SPDX license.
  (From OE-Core rev: 65e3b23e1b266653fd30c90222e953f7e37fba0c)
  (From OE-Core rev: a3a2044ae72fc73f64ea124465ec654e8c590eee)
  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: Remove BSD License specifier | Joshua Watt | 2022-02-16 | 1 | -1/+1
  The code in question is licensed under the BSD-3-Clause license, so including the generic "BSD" license is unnecessary.
  (From OE-Core rev: c39fc075ce3fd5b53c2a2fccb43500ee0a12f39d)
  (From OE-Core rev: e62c10d3560cd11441dbf648e19e3ed6269fa60d)
  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lsof: correct LICENSE | Ross Burton | 2022-02-16 | 1 | -1/+1
  The lsof LICENSE is superficially BSD-like, but it isn't BSD. Now that we have the full SPDX license set in oe-core, use Spencer-94.
  (From OE-Core rev: 5c1d61d1d4dfacb643a366285c0392e6a31087ed)
  (From OE-Core rev: 5ccd9b18c406517c8b7f25ac6e258f11d42556c9)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2021-45949 | Minjae Kim | 2022-02-16 | 3 | -0/+118
  Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp).
  To apply this CVE-2021-45959 patch, the check-stack-limits-after-function-evalution.patch should be applied first.
  References: https://nvd.nist.gov/vuln/detail/CVE-2021-45949
  (From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0)
  Signed-off-by: Minjae Kim <flowergom@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* asciidoc: properly detect and compare Python versions >= 3.10 | Steve Sakoman | 2022-01-11 | 2 | -1/+44
  asciidoc.py cannot properly detect versions of Python >= 3.10
  Backport patch from upstream to correct this:
  https://github.com/asciidoc-py/asciidoc-py/commit/44d2d6095246124c024230f89c1029794491839f
  Fixed upstream in version 9.04, so this patch is not required in master.
  (From OE-Core rev: da3bd5e0934b6462ae53225a58305235849b32d5)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsolv: update tag for missing CVEs | Ranjitsinh Rathod | 2021-12-08 | 1 | -2/+7
  It seems like CVE-2021-33928, CVE-2021-33929, CVE-2021-33930 and CVE-2021-33938 are pointing to the same patch as CVE-2021-3200, so add a CVE tag inside the patch file which is the remedy for CVE-2021-33928, CVE-2021-33929, CVE-2021-33930 and CVE-2021-33938.
  Link: https://ubuntu.com/security/CVE-2021-3200
  https://ubuntu.com/security/CVE-2021-33928
  https://ubuntu.com/security/CVE-2021-33929
  https://ubuntu.com/security/CVE-2021-33930
  https://ubuntu.com/security/CVE-2021-33938
  (From OE-Core rev: 371c247a78da64fefb0daa166e90c4fdd0745eed)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: Fix missing installation of cups sysv init scripts | Claus Stovgaard | 2021-12-02 | 1 | -1/+1
  The packageconfig needs to be --disable-systemd as documented in the configure file for cups. With the current value "--without-systemd" the SYSTEM_DIR variable ends up being set to "no".
  It is caused by the --without-* section in the configure file resulting in
      eval with_$ac_useropt=no ;;
  $ac_useropt is "systemd" causing the variable $with_systemd to be set to "no", because of the test below
      if test ${with_systemd+y}
      then :
        withval=$with_systemd; SYSTEMD_DIR="$withval"
      else $as_nop
        SYSTEMD_DIR=""
      fi
  cups configure tests if SYSTEMD_DIR is empty to decide if the init scripts need to be installed. A value of "no" results in no init scripts being installed.
  With --disable-systemd it works as expected - installing the init files. Though cups should properly improve their configure script.
  (From OE-Core rev: a4c8e2abb7d71697c8d0c53894e82bf2790ae5ac)
  Signed-off-by: Claus Stovgaard <clst@ambu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 967fdd2ba12f22d8e46600ff085833993a32cfeb)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Add explicit branch to git SRC_URIs, handle github url changes | Steve Sakoman | 2021-11-11 | 13 | -13/+13
  This update was made with the convert-scruri.py script in scripts/contrib
  This script handles two emerging issues:
  1. There is uncertainty about the default branch name in git going forward. To try and cover the different possible outcomes, add branch names to all git:// and gitsm:// SRC_URI entries.
  2. Github are dropping support for git:// protocol fetching, so remap github urls as needed.
  For more details see: https://github.blog/2021-09-01-improving-git-protocol-security-github/
  (From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update 2021d -> 2021e | Alexander Kanavin | 2021-11-03 | 1 | -3/+3
  (From OE-Core rev: 6cd21ddc6f998eec4d9be05f080e32072fddd2bd)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 660f932c21fed410ad092ec610749e7090b6a324)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: upgrade 2021a -> 2021d | Alexander Kanavin | 2021-11-03 | 1 | -3/+4
  (From OE-Core rev: c062c7c7c29e233bb245b2dc8b68b3903dfc8094)
  Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit f171f4f528090fc108624de6049274aa4d4880eb)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* stress-ng: improve reproducibility | Steve Sakoman | 2021-11-03 | 2 | -0/+27
  (From OE-Core rev: 3df6dc6aa0fe8f00b4051c77a11510e97db3d105)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* stress-ng: convert to git, website is down | Steve Sakoman | 2021-11-03 | 1 | -3/+3
  (From OE-Core rev: f332dd83231102684881785a8610e614a57e97a4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libnewt: Use python3targetconfig to fix reproducibility issue | Richard Purdie | 2021-10-23 | 1 | -1/+1
  We're seeing pthread being linked sometimes and not others leading to non-reproducible target binaries. The reason is mixing the native python config with the target one. We should use the target one.
  (From OE-Core rev: 8fc9963d70247d243c8fc5597d68d88a1757f2fd)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 3fe5101b335384ef83e96ccc58687fd631164075)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: filter CVEs using vendor name | Ralph Siemsen | 2021-10-23 | 1 | -3/+3
  Recently a number of CVEs have been logged against a nodejs project called "node-tar". These appear as false positives against the GNU tar being built by Yocto. Some of these have been manually excluded using CVE_CHECK_WHITELIST.
  To avoid this problem, use the vendor name (in addition to package name) for filtering CVEs. The syntax for this is:
      CVE_PRODUCT = "vendor:package"
  When not specified, the vendor defaults to "%" which matches anything.
  (From OE-Core rev: 4d0ad4962bd3c69800f70770dc9123a694e16c26)
  Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 45d1a0bea0c628f84a00d641a4d323491988106f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bzip2: Update soname for libbz2 1.0.8 | Tom Pollard | 2021-10-07 | 1 | -1/+1
  Set shared library name as libbz2.so.1.0.8, version in configure.ac already synced via do_configure PV substitution.
  (From OE-Core rev: acb560a78ecd5403cf1f79e5a452c52cd58d1cfa)
  Signed-off-by: Tom Pollard <tom.pollard@codethink.co.uk>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 07e3abc9d282a54add69a6905ec4248f3104219f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bash: Ensure deterministic build | Richard Purdie | 2021-09-30 | 1 | -0/+5
  Bash keeps a count of the number of times make was invoked on a directory and changes the output versioning accordingly. We want deterministic output so disable this behaviour.
  (From OE-Core rev: 8ca4fad65d267c178a416546486c8422001115b0)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 13a039e03195a47c750d5901e96fe81cf523481f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iputils: Fix regression of arp table update | Visa Hankala | 2021-09-30 | 2 | -0/+80
  Backport a fix from iputils 20210202 to make arp table updating work again.
  Fixes: 77c5792aa5e7 ("iputils: fix various arping regressions")
  (From OE-Core rev: 9df63cd89939b2f4e0b7ea983db8c047e987ff26)
  Signed-off-by: Visa Hankala <visa@hankala.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: ignore node-tar CVEs | Armin Kuster | 2021-09-30 | 1 | -0/+1
  These three CVEs are specific to the Node package node-tar.
  exclude:
  CVE-2021-37701
  CVE-2021-37712
  CVE-2021-37713
  (From OE-Core rev: 8653ed5bc02c794944372be5c4ba785a7739f6d0)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 9f9317a02d73c1e5aea026683a037e52c996c7bb)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lighttpd: Add patch for reuse large memory chunks | Purushottam Choudhary | 2021-09-10 | 4 | -6/+265
  Added 0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch to fix large memory usage for large file downloads from dynamic backends; reuse or release large memory chunks.
  Also, added a patch to set the default chunk size to 8k; earlier it was 4k.
  This issue is caused by a bug in the lighttpd 1.4.55 version and has been fixed in lighttpd 1.4.58. Hence, it is not needed for master and hardknott branch because lighttpd has 1.4.59 version.
  Link: https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337
  Link: https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/304e46d4f808c46cbb025edfacf2913a30ce8855
  (From OE-Core rev: d3ac63230b98251d67a75a67456b769b6a002df0)
  Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* xdg-utils: Add fix for CVE-2020-27748 | Richard Purdie | 2021-09-10 | 2 | -0/+59
  Backport an upstream patch for the CVE.
  (From OE-Core rev: 5042a4116a024bbc320d97ea29b21a589dea9942)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 87191ed0303f6552865ad1edcacd674c57f2010c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cpio: backport fix for CVE-2021-38185 | Ross Burton | 2021-09-08 | 2 | -0/+582
  (From OE-Core rev: d1b4b4b6104e7b94ba49e61774c772a9181a67f6)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 4accf77ea5b5810cb2330acc6773690ec1b1c71b)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: ignore node-tar CVEs | Ross Burton | 2021-08-26 | 1 | -0/+3
  These two CVEs are specific to the Node package node-tar.
  (From OE-Core rev: d1b09f81ad80e5099ae670c965dcf7d39ad09ac1)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit bc7216e8148d0dee7b56e6851da6615e93647a0a)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsolv: fix CVE-2021-3200 | Lee Chee Yang | 2021-08-18 | 2 | -0/+68
  (From OE-Core rev: e8e06e4175c010a7dc0a4e3598b70b89d43f8475)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: Allow controlling zoneinfo binary format | Zoltán Böszörményi | 2021-07-15 | 1 | -3/+7
  tzcode 2020b changed the default format from "-b fat" to "-b slim". Allow external control for the binary format.
  (From OE-Core rev: 1e9393cae53b4de260ec951e7855d74f206730d0)
  Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c9e8b716eb71d4526517825eacefb91ab2c1781c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: whitelist CVE-2021-25317 | Ross Burton | 2021-06-03 | 1 | -0/+4
  This CVE relates to bad ownership of /var/log/cups, which we don't have.
  (From OE-Core rev: 68ee8fd1ec0f09c6477578de40e1adfc7ba35027)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 0792312f3637ec160d2ef90781a8cb1f75b84940)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lsb-release: fix reproducibility failure | Anuj Mittal | 2021-05-20 | 2 | -0/+28
  Make sure help2man output is reproducible. Fixes:
  | .\"·DO·NOT·MODIFY·THIS·FILE!··It·was·generated·by·help2man·1.022.    .\"·DO·NOT·MODIFY·THIS·FILE!··It·was·generated·by·help2man·1.022.
  | .TH·FSG·"1"·"April·2021"·"FSG·lsb_release·v1.4"·FSG    .TH·FSG·"1"·"May·2021"·"FSG·lsb_release·v1.4"·FSG
  | .SH·NAME    3 .SH·NAME
  (From OE-Core rev: a5f34c7a95d227610ed9b6047ed53f43f84cbba9)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 49371207a7f1fe3d3feb7b8b9aabb62b43ae34d1)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Exclude CVE-2013-6629 from cve-check | Richard Purdie | 2021-05-20 | 1 | -0/+4
  The CVE is in the jpeg sources included with ghostscript. We use our own external jpeg library so this doesn't affect us.
  (From OE-Core rev: 829296767ecfbd443d738367b7146a91506e25f2)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8556d6a6722f21af5e6f97589bec3cbd31da206c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cpio: Exclude CVE-2010-4226 from cve-check | Richard Purdie | 2021-05-20 | 1 | -0/+3
  Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
  (From OE-Core rev: 0f759992b7713e9664a4276a068a65f5e638fe33)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 915b38c54a7932744a9f56713d1c6bd00a789331)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Exclude CVE-2008-0888 from cve-check | Richard Purdie | 2021-05-20 | 1 | -0/+3
  The patch mentioned as the fix for the CVE is applied to the 6.0 source code. Zip versioning makes CPE entry changes hard.
  (From OE-Core rev: 4ff9d2c57d9cade1faa3916f171e5ad96ee32487)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8917e5ae2bb44d017fc0155f16632c5decadb0bd)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check | Richard Purdie | 2021-05-20 | 1 | -0/+3
  These CVEs apply to the way logrotate was installed on Gentoo, Debian and SUSE; exclude from cve-check as they don't apply to OE.
  (From OE-Core rev: 99cb9534902717e637f1460c1d1c10d290bbebf2)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 23643016f3b8794db772e333ff0b8f598571b628)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: Fix CVE-2021-20193 | Anatol Belski | 2021-05-13 | 2 | -0/+134
  (From OE-Core rev: c8f48471bea67cbf0f12a35639b764f90acae854)
  Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* groff: not ship /usr/bin/grap2graph | Mingli Yu | 2021-04-30 | 1 | -0/+4
  grap2graph, which converts a GRAP diagram into a cropped image, fails to run as below:
      $ grap2graph
      /usr/bin/grap2graph: line 89: convert: command not found
      /usr/bin/grap2graph: warning: falling back to old '-crop 0x0' trim method
      /usr/bin/grap2graph: line 104: convert: command not found
      /usr/bin/grap2graph: line 103: grap: command not found
  Considering we don't often need to convert a GRAP diagram into a cropped image and the recipe ImageMagick which provides the convert command is in the meta-oe layer, don't ship the related files to avoid the confusion about the above run time error.
  (From OE-Core rev: 5619bc0e98c02cf80601eb399bb205f33f8e4098)
  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 251be7279a475ee18c0c53fe9795bb37bffc2b45)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: CVE_VERSION_SUFFIX to work with patched release | Lee Chee Yang | 2021-03-28 | 1 | -0/+2
  CVE_VERSION_SUFFIX in "patch" to treat version string with suffix "pX" or "patchX" as patched release.
  Also update testcases to cover these changes and set CVE_VERSION_SUFFIX for sudo.
  (From OE-Core rev: d75f95a09e5e85eb759e748f9e0fee1c5fa1b318)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8076815fc2ffc8f632e73527ce2b7d158a29e9ea)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>