path: root/meta/recipes-extended
Commit message | Author | Age | Files | Lines
* shadow: fix CVE-2023-4641 (Hugo SIMELIERE, 2024-04-13, 2 files, -0/+147)
  Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
  (From OE-Core rev: d1f74ec0419dd13a23549cfdc228b91602bfb065)
  Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tar: bump PR to deal with sstate corruption on autobuilder (Steve Sakoman, 2024-04-05, 1 file, -0/+2)
  Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue.
  (From OE-Core rev: cbce426763592e82e6e0ed20f18cedfa4d01f61e)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tar: Fix for CVE-2023-39804 (Vijay Anusuri, 2024-04-05, 2 files, -0/+65)
  Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
  (From OE-Core rev: 082c31db387957963952c485a436dc38a64498d0)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* less: Fix for CVE-2022-48624 (Vijay Anusuri, 2024-03-01, 2 files, -0/+42)
  Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
  (From OE-Core rev: e088a7e59532ede45549e6120be43531fa77855a)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata: Upgrade to 2024a (Priyal Doshi, 2024-03-01, 1 file, -3/+3)
  (From OE-Core rev: 8265efa6a2009e06094698532f3fb398cbab6415)
  Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport fix for CVE-2020-36773 (Vijay Anusuri, 2024-02-16, 2 files, -0/+110)
  Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
  (From OE-Core rev: 1a25a8ebedf39f1a868fcf646684b2eeaa67301f)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pam: Fix for CVE-2024-22365 (Vijay Anusuri, 2024-01-31, 2 files, -0/+60)
  Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
  (From OE-Core rev: a3fbe1156fccb3e60a183263a3bde5a8ef6725a8)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata: Upgrade to 2023d (Shubham Kulkarni, 2024-01-05, 1 file, -3/+3)
  (From OE-Core rev: 3ea36d92800b139eaaf75995cdd59912b63db9ee)
  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 2956b1aa22129951b8c08ac06ff1ffd66811a26c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: Backport fix for CVE-2023-28938 (Ashish Sharma, 2023-12-08, 2 files, -0/+81)
  Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
  CVE: CVE-2023-28938
  (From OE-Core rev: 8cf02e6b60e2916b9e4832590257d5d184258e9c)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* shadow: backport patch to fix CVE-2023-29383 (Vijay Anusuri, 2023-12-01, 3 files, -0/+122)
  The fix of CVE-2023-29383.patch contains a bug: it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it.
  (From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa)
  Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d & https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
  (From OE-Core rev: a53d446c289f07854e286479cd7e4843ddd0ee8c)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport (Marek Vasut, 2023-10-13, 4 files, -40/+372)
  Replace the original "Wrong CRC with ASCII CRC for large files" patch with the upstream backport, and add an additional fix on top for the same problem, which upstream detected and fixed.
  (From OE-Core rev: 0e167ef0eb7ac62ddb991ce80c27882863d8ee7c)
  Signed-off-by: Marek Vasut <marex@denx.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport fix CVE-2023-43115 (Vijay Anusuri, 2023-10-13, 2 files, -0/+63)
  In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).
  References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115
  Upstream commit: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
  (From OE-Core rev: a43f7277061ee6c30c42c9318e3e9dd076563f5d)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xdg-utils: Fix CVE-2022-4055 (Hitendra Prajapati, 2023-10-13, 2 files, -0/+166)
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780
  (From OE-Core rev: 22d2c549ba6d8be137d1d290d9a04691ca1858f2)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gawk: backport Debian patch to fix CVE-2023-4156 (Vijay Anusuri, 2023-10-13, 2 files, -0/+29)
  Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
  (From OE-Core rev: 68412b76948ce185d87fda73ead7b73e5ad6defd)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 (Vijay Anusuri, 2023-10-13, 3 files, -0/+73)
  Upstream commits: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 & https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
  (From OE-Core rev: d14dce8ba2a8b4bf05c7c5ea7292b0c2c327f088)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-36664 (Vijay Anusuri, 2023-10-04, 4 files, -0/+270)
  Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664
  Upstream commits:
  https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5
  https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
  https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099
  (From OE-Core rev: 13534218ec37706d9decca5b5bd0453e312d72b0)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: Backport fix for CVE-2023-28736 (Ashish Sharma, 2023-10-04, 2 files, -0/+78)
  (From OE-Core rev: fb37fa3661095b8ebe68c2ffa36aabf35da30b91)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gawk: remove load-sensitive tests (Ross Burton, 2023-09-16, 2 files, -3/+35)
  The time and timeout tests are sensitive to system load, and as we run these on build machines they fail randomly.
  [ YOCTO #14371 ]
  (From OE-Core rev: d2b62913a5771169265171129fe972c8e252fe04)
  (From OE-Core rev: 309f1c6166f8535fa61fd1d01924df3c7fe9fbba)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit a84b8d683b4b3f4d30999eac987790896d21eba6)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libnss-nis: upgrade 3.1 -> 3.2 (Wang Mingyu, 2023-08-27, 1 file, -2/+2)
  Changelog:
    * Do not call malloc_usable_size
  (From OE-Core rev: 143389388bf3a1d9e1407fe5c42fb6bd341a81b8)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 5cd967503c0574f45b814572da9503182556b431)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* procps: patch CVE-2023-4016 (Peter Marko, 2023-08-16, 2 files, -0/+86)
  Backport patch from upstream master. There were three changes needed to apply the patch:
    * move NEWS change to start of the file
    * change file location from src/ps/ to ps/
    * change xmalloc/xcmalloc to malloc/cmalloc
  The x*malloc functions were introduced in a commit in a future version:
  https://gitlab.com/procps-ng/procps/-/commit/584028dbe513127ef68c55aa631480454bcc26bf
  They call the original function plus additionally throw an error when out of memory:
  https://gitlab.com/procps-ng/procps/-/blob/v4.0.3/local/xalloc.h?ref_type=tags
  So this replacement is correct in the context of our version.
  (From OE-Core rev: 1632c7223b2f8cd595e1ba20bc006c68fc833295)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: backport fix for CVE-2023-38559 (Vijay Anusuri, 2023-08-16, 2 files, -0/+32)
  Upstream-Status: Backport from https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
  (From OE-Core rev: f70113d1d5b5359c8b668ba43aac362457927d9e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: ignore CVE-2023-30571 (Peter Marko, 2023-08-16, 1 file, -0/+3)
  This issue was reported and discussed under [1], which is linked in the NVD CVE report. It was already documented that some parts of libarchive are thread safe and some not. [2] was now merged to document that the reported function is also not thread safe. So this CVE *now* reports a thread race condition for a non-thread-safe function. And as such the CVE report is now invalid.
  The issue is still not closed for 2 reasons:
    * better document what is and what is not thread safe
    * request to public if someone could make these functions thread safe
  This should however not invalidate the above statement about ignoring this CVE.
  [1] https://github.com/libarchive/libarchive/issues/1876
  [2] https://github.com/libarchive/libarchive/pull/1875
  (From OE-Core rev: 9374e680ae2376589a9bfe4565dfcf4dc9791aa8)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata: upgrade to 2023c (Priyal Doshi, 2023-07-22, 1 file, -3/+3)
  (From OE-Core rev: 62c42d4a1029de4fe9b19631cbd34722f6535edf)
  Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sysstat: fix CVE-2023-33204 (Chee Yang Lee, 2023-07-12, 2 files, -0/+47)
  import patch from debian to fix CVE-2023-33204
  http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz
  upstream patch: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
  (From OE-Core rev: c6bc5cfbed71b65753e50aee5a640934e754858a)
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: Fix CVE-2023-34241 (Vijay Anusuri, 2023-07-12, 2 files, -0/+66)
  OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-34241
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
  https://security-tracker.debian.org/tracker/CVE-2023-34241
  Upstream Patch: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
  (From OE-Core rev: 28b25ba7a8c6aa5c5744ca17e8686f2762791c72)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: Fix CVE-2023-32324 (Sanjay Chitroda, 2023-06-27, 2 files, -0/+37)
  OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel` to `DEBUG`. No known patches or workarounds exist at time of publication.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-32324
  https://security-tracker.debian.org/tracker/CVE-2023-32324
  Upstream Patch: https://github.com/OpenPrinting/cups/commit/fd8bc2d32589
  (From OE-Core rev: cb46ae57abe3069d6a4dc2ab0b8dfce5a4a5bd15)
  Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Fix CVE-2023-28879 (Vijay Anusuri, 2023-06-13, 2 files, -0/+55)
  Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
  (From OE-Core rev: ec0c6f941826903b763be76c450f1d4e0e67908e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: Fix wrong CRC with ASCII CRC for large files (Marek Vasut, 2023-05-25, 2 files, -0/+40)
  Due to signedness, the checksum is not computed when the file size is bigger than 2GB. Pick a fix for this problem from the CPIO ML, where the fix has been posted for 5 years. Since CPIO upstream is effectively unresponsive and any and all attempts to communicate with the maintainer and get the fix applied upstream failed, add the fix here instead.
  (From OE-Core rev: bfff138af4bdd356ac66571e6ad91c1a5599b935)
  (From OE-Core rev: 0a8fb1c00e75e8434e0ef433d9074d54f038fba1)
  Signed-off-by: Marek Vasut <marex@denx.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sudo: Security fix for CVE-2023-28486 and CVE-2023-28487 (Vijay Anusuri, 2023-05-03, 3 files, -0/+674)
  import patches from ubuntu to fix CVE-2023-28486 and CVE-2023-28487
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca & https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
  (From OE-Core rev: 4870543273bef9831c075ee0bce108c54355a92f)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs (Hitendra Prajapati, 2023-04-26, 2 files, -0/+41)
  Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
  (From OE-Core rev: d1f99b928b0a57bec879dde1b1b94c3c09286ea0)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch (Chee Yang Lee, 2023-03-25, 1 file, -1/+1)
  This patch fixes CVE-2021-45944.
  https://nvd.nist.gov/vuln/detail/CVE-2021-45944
  (From OE-Core rev: d966b565d39bf50f058b388235ccea5ab0c2e60b)
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: fix CVE-2022-26280 (Andrej Valek, 2023-03-25, 2 files, -0/+30)
  Backport fix from https://github.com/libarchive/libarchive/issues/1672
  (From OE-Core rev: b23482f9ea1cc930a3d5ecfe5fc465e2f720a949)
  Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* shadow: ignore CVE-2016-15024 (Ross Burton, 2023-03-15, 1 file, -0/+4)
  This recently got an updated CPE which matches this recipe, but the issue is related to an entirely different shadow project so ignore it.
  (From OE-Core rev: 9d5a05c27a01b3859eae70590ba7dd836abe2719)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 2331e98abb09cbcd56625d65c4e5d258dc29dd04)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: CVE-2022-48303 (Rodolfo Quesada Zumbado, 2023-03-14, 2 files, -0/+44)
  Fixes CVE-2022-48303 by checking Base-256 encoding is at least 2 bytes long.
  GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-48303
  Upstream patch:
  https://savannah.gnu.org/bugs/?62387
  https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
  (From OE-Core rev: 231360a55bf1b96d6bb1cf94820b08788677c58b)
  (From OE-Core rev: af77a413db59863a898c32dc7536b680473ae9c5)
  Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 2a00f15354084cee6b2183fcdbfdfc7826c365da)
  Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
  Signed-off-by: Riyaz Khan <rak3033@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: Fix CVE-2023-22809 (Omkar Patil, 2023-02-24, 2 files, -0/+114)
  Add CVE-2023-22809.patch to fix CVE-2023-22809.
  (From OE-Core rev: 186a5ab41927e6be0920e03e743f32ae4477c58e)
  Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
  Signed-off-by: pawan <badganchipv@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtirpc: Check if file exists before operating on it (Khem Raj, 2023-02-13, 1 file, -1/+1)
  In some cases (e.g. mingw) this file may not be installed.
  (From OE-Core rev: a764e19736f24b8bf67ea87d58dd74652d6d81c9)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 547f3a13ee9268bbdd439c96108ba1fe9ab78873)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bc: extend to nativesdk (Chen Qi, 2023-01-06, 1 file, -1/+1)
  bc is needed for compiling kernel modules, more specifically when running `make scripts prepare'. In linux-yocto.inc, we have bc-native in DEPENDS. But we will need nativesdk-bc in case we compile a kernel module inside the SDK.
  (From OE-Core rev: aab8d528ceeb2ee1ab7cffdeff4007fd66275f1b)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 95b5c89066baccb1e64bfba7d9a66feeeb086da9)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: Use specific BSD license variant (Joshua Watt, 2023-01-06, 1 file, -1/+1)
  Make the license more accurate by specifying the specific variant of BSD license instead of the generic one. This helps with SPDX license attribution as "BSD" is not a valid SPDX license.
  (From OE-Core rev: ff27ea21d7c14086335da5c3e2fac353e44438da)
  (From OE-Core rev: 0624c7a77cfc7288fd3154624150b49adce8d8f8)
  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b1596d37ba13db3aff61975a31d865f33333fa45)
  Signed-off-by: Nikhil R <nikhil.r@kpit.com>
  Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update 2022d -> 2022g (Alexander Kanavin, 2023-01-06, 1 file, -4/+3)
  (From OE-Core rev: 7ce0cd9ef0b40c23be8fe30fa3bb6ef810464fd0)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 2394a481db1b41ad4581e22ba901ac76fa7b3dcd)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sysstat: fix CVE-2022-39377 (Hitendra Prajapati, 2022-12-23, 2 files, -1/+95)
  (From OE-Core rev: 2e770eb2213f3d5ff25a75467395ed4738c756ea)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c (Hitendra Prajapati, 2022-12-23, 2 files, -0/+44)
  Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5
  (From OE-Core rev: c39fd8264ac623f3cfb26305420b527dd9c4c891)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: CVE-2022-43995 heap-based overflow with very small passwords (Hitendra Prajapati, 2022-12-07, 2 files, -0/+60)
  Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
  (From OE-Core rev: d1bdb663e6a69993d3f42547a27296b606965d47)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update to 2022d (Alexander Kanavin, 2022-11-09, 1 file, -3/+3)
  (From OE-Core rev: d325f5389a09ba03b4ded7c57c29dad773dbc0af)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit ceac0492e75baa63a46365d8b63275437ad5671f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: Update from 2022b to 2022c (Robert Joslyn, 2022-09-30, 1 file, -3/+3)
  (From OE-Core rev: efcb0b30244007545ab8b0231e003271dcd7fab2)
  Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit ecf88d151f265e5efb8e1dde5aba3ee2a8b76d8d)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: Fix CVE-2021-31566 issue (Ranjitsinh Rathod, 2022-09-12, 3 files, -0/+197)
  Add patch to fix CVE-2021-31566 issue for libarchive
  Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz
  (From OE-Core rev: 7028803d7d10c0b041a7bda16f9d9261f220459f)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: Fix CVE-2021-23177 issue (Ranjitsinh Rathod, 2022-09-12, 2 files, -0/+184)
  Add patch to fix CVE-2021-23177 issue for libarchive
  Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz
  (From OE-Core rev: 01d7e2c7a0da55a7c00aebed107c1338f5f032b1)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: upgrade 2022a -> 2022b (Alexander Kanavin, 2022-09-03, 1 file, -3/+3)
  (From OE-Core rev: b0a0abbcc5e631e693b9e896bd0fc9b9432dd297)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b301d5203a4da0a0985670848126c5db762ddc86)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections (Hitendra Prajapati, 2022-08-08, 2 files, -1/+158)
  Source: http://git.linux-nfs.org/?p=steved/libtirpc.git;
  MR: 120231
  Type: Security Fix
  Disposition: Backport from http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
  ChangeID: 544120a5f10a4717cd2c7291821a012e26b14b7f
  Description: CVE-2021-46828 libtirpc: DoS vulnerability with lots of connections.
  (From OE-Core rev: 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Port debian fixes for two CVEs (Richard Purdie, 2022-07-08, 3 files, -0/+74)
  Add two fixes from debian for two CVEs.
  From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
  I wasn't able to get the reproducers to work but the added error checking isn't probably a bad thing.
  (From OE-Core rev: 097469513f6dea7c678438e71a152f4e77fe670d)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2021-4217 (Joe Slater, 2022-07-08, 2 files, -0/+68)
  Avoid a null pointer dereference.
  (From OE-Core rev: 357791da82f767ad695e4476aa12fea3d7db5e04)
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>