summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support
Commit message (Collapse)AuthorAgeFilesLines
* vim: Upgrade 8.2.5034 -> 8.2.5083Richard Purdie2022-06-221-2/+2
| | | | | | | | | | | | | Includes fixes for CVE-2022-1927, CVE-2022-1942. (From OE-Core rev: 2bba60d687fb45a8367cb683a8e9d385384ad51a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1e740b5c2227c0040621ae63436d06db4873670f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: Fix CVE_CHECK_WHITELIST typoRobert Joslyn2022-06-111-1/+1
| | | | | | | | | | Fix typo to properly whitelist CVE-2021-22945. (From OE-Core rev: 7b2a1d908d3b63da5e9f072b61dd3c5fa91c7b8f) Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: Backport CVE fixesRobert Joslyn2022-06-118-0/+730
| | | | | | | | | | | Backport patches to address CVE-2022-27774, CVE-2022-27781, and CVE-2022-27782. (From OE-Core rev: f8cdafc0ef54ab203164366ad96288fd10144b30) Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxslt: Mark CVE-2022-29824 as not applyingRichard Purdie2022-06-111-0/+4
| | | | | | | | | | | | | | | We have libxml2 2.9.10 and we don't link statically against libxml2 anyway so the CVE doesn't apply to libxslt. (From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c) (From OE-Core rev: 9c736c9dcf5f18b8db082a0903be0acb3fbb51c2) Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxslt: Fix CVE-2021-30560omkar patil2022-06-112-0/+202
| | | | | | | | | | CVE: CVE-2021-30560 (From OE-Core rev: 3e01aa47b85ebeba26443fc3293c341b5ef72817) Signed-off-by: omkar patil <omkar.patil@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pcre2: CVE-2022-1587 Out-of-bounds readHitendra Prajapati2022-06-112-0/+661
| | | | | | | | | | | | | | | Source: https://github.com/PCRE2Project/pcre2 MR: 118031 Type: Security Fix Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 ChangeID: 8fbc562b3e6b6a3674f435f6527a62afc67ef933 Description: CVE-2022-1587 pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c. (From OE-Core rev: 46323b9e0f44f58f6aae242ebf5a0101d8c36654) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEsRichard Purdie2022-06-041-2/+2
| | | | | | | | | | | | Address CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735 CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796 (From OE-Core rev: cd259a00503af360524f58c9cea51aa142dee250) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit fafce97bd440150ac5c586b53b887ee70a5b66bd) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pcre2: CVE-2022-1586 Out-of-bounds readHitendra Prajapati2022-05-282-0/+60
| | | | | | | | | | | | | | | | | | Source: https://github.com/PCRE2Project/pcre2 MR: 118027 Type: Security Fix Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a ChangeID: e9b448d96a7e58b34b2c4069757a6f3ca0917713 Description: CVE-2022-1586: pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c. (From OE-Core rev: 7f4daf88b71f486ddc7140500d2b44181a99222f) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: Fix CVEs for curlSana Kazi2022-05-204-0/+304
| | | | | | | | | | | | | | | | | | | Fix below listed CVEs: CVE-2022-22576 Link: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch CVE-2022-27775 Link: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch CVE-2022-27776 Link: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch (From OE-Core rev: bbbd258a1c56d75ccb7e07ddc3bc1beb11d48a3a) Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Upgrade 8.2.4681 -> 8.2.4912Richard Purdie2022-05-201-2/+2
| | | | | | | | | | | Includes fixes for CVE-2022-1381, CVE-2022-1420. (From OE-Core rev: c7d43000ce137e1f9302b4b6cec149adb1435f47) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 77d745bd49c979de987c75fd7a3af116e99db82b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310Pawan Badganchi2022-05-144-0/+114
| | | | | | | | | | | | | | | | | | | Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 CVE-2022-25308.patch Link: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 CVE-2022-25309.patch Link: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 CVE-2022-25310.patch Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f (From OE-Core rev: 1c96b8af59e105724db884967a982bb5a47a7eb1) Signed-off-by: Pawan Badganchi <badganchipv@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* boost: don't specify gcc versionRoss Burton2022-05-031-1/+1
| | | | | | | | | | | | | There's no need to specify an ancient GCC version here as Boost will probe it. (From OE-Core rev: 9ef2a0d98d705dacf8909d846993a6d68c80e4aa) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Upgrade 8.2.4524 -> 8.2.4681Richard Purdie2022-04-211-3/+3
| | | | | | | | | | | | | | | License change is a date in the license file only. This includes a fix for CVE-2022-0943. (From OE-Core rev: 1c68d33f4742df9bcec7d1032dab61d676f86371) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 69bc2f37d6ca7fa4823237b45dd698b8debca0a9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* boost: fix native build with glibc-2.34Martin Jansa2022-04-093-0/+58
| | | | | | | | (From OE-Core rev: 64ba0d40a4c77a23778c51511f2d167e2056eea3) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* re2c: backport fix for CVE-2018-21232Davide Gardenal2022-03-235-1/+917
| | | | | | | | | | | | | Backport commits from the following issue: https://github.com/skvadrik/re2c/issues/219 CVE: CVE-2018-21232 (From OE-Core rev: 8c5ee47d446b36d6832acc8452687f50101f3e65) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Update to 8.2.4524 for further CVE fixesRichard Purdie2022-03-111-2/+2
| | | | | | | | | | | Includes CVE-2022-0696, CVE-2022-0714, CVE-2022-0729. (From OE-Core rev: b7fa41cda88bffa5345d5b9768774cdf28f62b7b) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0d29988958e48534a0076307bb2393a3c1309e03) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Upgrade 8.2.4314 -> 8.2.4424Richard Purdie2022-02-231-3/+3
| | | | | | | | | | | | | License file had some grammar fixes. Includes CVE-2022-0554. (From OE-Core rev: 9360b92f98222cb74a93690f53570cd62633c0cf) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a8d0a4026359c2c8a445dba9456f8a05470293c1) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Upgrade 4269 -> 4134Richard Purdie2022-02-231-3/+4
| | | | | | | | | | | | | | | License text underwent changes on how to submit Uganda donations, switch from http to https urls and an update date change but the license itself is unchanged. Also, add an entry for the top level license file. This is also the vim license so LICENSE is unchanged but we should monitor it too. (From OE-Core rev: f27f15977085dbdf7da28ed8ed60c02ffa009db8) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d195005e415b0b2d7c8b0b65c0aef888d4d6fc8e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: upgrade to patch 4269Ross Burton2022-02-231-2/+2
| | | | | | | | | | | | | | | | Upgrade to the latest patch release to fix the following CVEs: - CVE-2022-0261 - CVE-2022-0318 - CVE-2022-0319 (From OE-Core rev: e23cc56c6b8bd9cfb86803a1e1160a0b768cb286) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 96442e681c3acd82b09e3becd78e902709945f1f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: update to include latest CVE fixesRoss Burton2022-02-231-5/+2
| | | | | | | | | | | | | | | | | | | | | Update the version to 4.2.4118, which incorporates the following CVE fixes: - CVE-2021-4187 - CVE-2022-0128 - CVE-2022-0156 - CVE-2022-0158 Also remove the explicit whitelisting of CVE-2021-3968 as this is now handled with an accurate CPE specifying the fixed version. (From OE-Core rev: faf83cac9ff82a3c795b2e8d82719bea43830f7f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 764519ad0da6b881918667ca272fcc273b56168a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: do not report upstream version check as brokenAlexander Kanavin2022-02-231-0/+3
| | | | | | | | | | | | | | | As upstream tags point releases with every commit and the version check still reports 8.2, it should not be considered broken (e.g. current version newer than latest version) until 8.3 is released. (From OE-Core rev: 3db417e002684b4f09c52997017bed139ad95f5f) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 11d8ee09b1bdec4824203dc0169093b2ae9d101a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: upgrade to 8.2 patch 3752Ross Burton2022-02-2315-865/+28
| | | | | | | | | | | | | | | | | There's a fairly constant flow of CVEs being fixed in Vim, which are getting increasing non-trivial to backport. Instead of trying to backport (and potentially introduce more bugs), or just ignoring them entirely, upgrade vim to the latest patch in the hope that vim 8.3 will be released before we release Kirkstone. (From OE-Core rev: 7b8b096000759357aa251a58a756e770a54590ad) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 78a4796de27d710f97c336d288d797557a58694e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: set PACKAGECONFIG idiomaticallyRoss Burton2022-02-231-3/+1
| | | | | | | | | | | | Don't set an empty default value and them immediately assign to it. (From OE-Core rev: ad373242381feec72d0c257031da7671281c0321) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d7565241437487618a57d8f3f21da6fed69f6b8a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "vim: fix CVE-2021-4069"Steve Sakoman2022-02-232-44/+0
| | | | | | | | | | | Prepare to cherry-pick CVE fixes from master This reverts commit 9db3b4ac4018bcaedb995bc77a9e675c2bca468f. (From OE-Core rev: 519f30e697f14d6a3864a22ec2e12544a9d3a107) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libusb1: correct SRC_URIAlexander Kanavin2022-02-161-2/+2
| | | | | | | | | | (From OE-Core rev: 88c0290520c9e4982d25c20e783bd91eec016b52) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d4c37ca1f1e97d53045521e9894dc9ed5b1c22a1) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libcap: Use specific BSD license variantJoshua Watt2022-02-161-1/+1
| | | | | | | | | | | | | | | | Make the license more accurate by specifying the specific variant of BSD license instead of the generic one. This helps with SPDX license attribution as "BSD" is not a valid SPDX license. (From OE-Core rev: 9e8b2bc55792932e23d3b053b393b7ff88bffd6b) (From OE-Core rev: 8f374ea044d5c3d2ea81917b3480149ca036674c) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcre2: update SRC_URISteve Sakoman2022-01-111-1/+1
| | | | | | | | | | Version 10.34 tarball is no longer available at current URL, use downloads.yoctoproject.org mirror instead (From OE-Core rev: b24838b8173c6853cdcbff6512a12557e479df86) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix CVE-2021-4069Minjae Kim2021-12-302-0/+44
| | | | | | | | | | | Use After Free in vim/vim Upstream-Status: Backport [https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9] CVE: CVE-2021-4069 (From OE-Core rev: 9db3b4ac4018bcaedb995bc77a9e675c2bca468f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libgcrypt: solve CVE-2021-33560 and CVE-2021-40528Marta Rybczynska2021-12-143-85/+163
| | | | | | | | | | | | | | | | | | | | | | | | | | | This change fixes patches for two issues reported in a research paper [1]: a side channel attack (*) and a cross-configuration attack (**). In this commit we add a fix for (*) that wasn't marked as a CVE initially upstream. A fix of (**) previosly available in OE backports is in fact fixing CVE-2021-40528, not CVE-2021-33560 as marked in the commit message. We commit the accual fix for CVE-2021-33560 and rename the existing fix with the correct CVE-2021-40528. For details of the mismatch and the timeline see [2] (fix of the documentation) and [3] (the related ticket upstream). [1] https://eprint.iacr.org/2021/923.pdf [2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13 [3] https://dev.gnupg.org/T5328#149606 (From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3) Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libunwind: Backport a fix for -fno-common option to compileKhem Raj2021-12-082-0/+421
| | | | | | | | | | | | | | | | | | | | | | [Khem Raj] defaults for gcc is to use -fno-common this ensures that it keeps building with gcc -fno-common Fixes src/arm/Ginit.c:60: multiple definition of `_U_dyn_info_list'; mi/.libs/dyn-info-list.o:/usr/src/debug/libunwind/1.4.0-r0/build/src/../../libunwind-1.4.0/src/mi/dyn-info-list.c:28: first defined here [Philippe Coval] Change and related patch ported to dunfell branch on 1.3.1 version (From OE-Core rev: 0c12a3a3008ec1202dff3b4986029dd1a4e8f9a7) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Origin: https://github.com/openembedded/openembedded-core/commit/6cd2cf6525bcb241b3a2538e559fcef2a2084a7e Signed-off-by: Philippe Coval <philippe.coval@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix CVE-2021-3968 and CVE-2021-3973Ross Burton2021-12-082-0/+96
| | | | | | | | | | | | | Backport a fix for -3972, and whitelist -3968: it isn't valid as it fixes a bug which was introduced after 8.2. (From OE-Core rev: ba1ae7dcd2eeb57a6e288449a26a6121c6ccac5c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bec5caadfb53638748d8c41ce7230c2bf7808d27) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcre/libpcre2: correct SRC_URIAlexander Kanavin2021-12-022-2/+2
| | | | | | | | | | | | | http://ftp.pcre.org is down, take sources according to links on http://www.pcre.org (From OE-Core rev: a1bb6b60bbde7da4496db1a2f7e48bbfb637fa4e) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 81ba0ba3e8d9c08b8dc69c24fb1d91446739229b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gmp: fix CVE-2021-43618Ross Burton2021-12-022-0/+28
| | | | | | | | | | (From OE-Core rev: abf73599c5706a8553a4b1f3553313059c4d9c69) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit fb3b9a7f668a6ffd56a99e1e8b83cdbad2a4bc66) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix CVE-2021-3927 and CVE-2021-3928Ross Burton2021-12-023-0/+127
| | | | | | | | | | (From OE-Core rev: b3e4ae0b9fa44a6c604a6228f3e1b63a215aae74) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2001631e7a6edb7adc40ee4357466cc54472db71) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: add patch number to CVE-2021-3778 patchRoss Burton2021-12-021-6/+18
| | | | | | | | | | (From OE-Core rev: dc7789ac5277752060c7f5aeede5c4d861951e39) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 222be29051a3543ac63a0eb07019e90d44429b16) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix CVE-2021-3796, CVE-2021-3872, and CVE-2021-3875Ross Burton2021-12-025-2/+344
| | | | | | | | | | | | Backport patches from upstream to fix these CVEs. (From OE-Core rev: 5b69e1116a553a38506b75f5d455ff52d57ce70b) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b493eb4f9a6bb75a2f01a53b6c70762845bf79f9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "vim: fix 2021-3796"Steve Sakoman2021-12-021-50/+0
| | | | | | | | | | | This reverts commit 53ce5f292fd8d65fd89c977364ea6f7d813c7566. Reverting in preparation for fixes from master (From OE-Core rev: bf489893714d1c2d2e4694a5a1e313b661c9fdc4) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linunistring: Add missing gperf-native dependencyRichard Purdie2021-11-151-0/+1
| | | | | | | | | (From OE-Core rev: fc7dddf939b04dbd5b5d92ecf3a5c422ee5caf15) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 73d3efbaeb2f412ab8d3491d2da3f3124fc009f3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Add explict branch to git SRC_URIs, handle github url changesSteve Sakoman2021-11-1111-11/+11
| | | | | | | | | | | | | | | | | | | | This update was made with the convert-scruri.py script in scripts/contrib This script handles two emerging issues: 1. There is uncertainty about the default branch name in git going forward. To try and cover the different possible outcomes, add branch names to all git:// and gitsm:// SRC_URI entries. 2. Github are dropping support for git:// protocol fetching, so remap github urls as needed. For more details see: https://github.blog/2021-09-01-improving-git-protocol-security-github/ (From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: update 20210119 -> 20211016Alexander Kanavin2021-11-034-62/+82
| | | | | | | | | | | (From OE-Core rev: 43aa25b523b2c11ce483ea22435196dfca259b30) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c479b8a810d966d7267af1b4dac38a46f55fc547) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix 2021-3796Minjae Kim2021-11-031-0/+50
| | | | | | | | | | | | | | vim is vulnerable to Use After Free Problem: Checking first character of url twice. reference: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (From OE-Core rev: 53ce5f292fd8d65fd89c977364ea6f7d813c7566) Signed-off-by: Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: Whitelist CVE-2021-22897Ranjitsinh Rathod2021-11-031-0/+5
| | | | | | | | | | | | | CVE-2021-22897 is affecting only Windows, hence whitelisting this CVE. Link: https://security-tracker.debian.org/tracker/CVE-2021-22897 Link: https://ubuntu.com/security/CVE-2021-22897 (From OE-Core rev: 543a72e115340f3a7378b8b85bd48a0b495b3919) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gnupg: Be deterministic about sendmailRichard Purdie2021-10-231-0/+1
| | | | | | | | | | | | | Set a path to where sendmail would exist making the output deterministic as it no longer depends on the build host and the presense of sendmail there. (From OE-Core rev: a8ec8c9eaed898c3cc719efd87a2f4296c6304a6) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 32e03a430f13960fe07f08c04eaa58017d977f6c) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpgme: Use glibc provided closefrom API when availableKhem Raj2021-10-232-1/+26
| | | | | | | | | | | | | glibc 2.34+ has added this API new (From OE-Core rev: eaebf0884d7e1ffb8a14cc1ff947d0724e7bb6a1) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a2b2479d20d029f5a11dba8cf7f7ca3e4a5bbbe2) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpsl: Add config knobs for runtime/builtin conversion choicesAndrej Valek2021-10-231-4/+3
| | | | | | | | | | | Based on d22d87b9c4ac85ffb3506e2acaf2a8a627f55e8e, but kept idn2 as default. (From OE-Core rev: c912cd493f02458d22c78791fc3175f613b8108e) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rng-tools: add systemd-udev-settle wants to serviceClaudius Heine2021-10-231-0/+1
| | | | | | | | | | | | | | | | | | | | rngd needs to start after `systemd-udev-settle` in order for the kernel modules of the random source hardware to be loaded before it is started. However, since the `rngd.service` does not require or want `systemd-udev-settle.service` it might not be scheduled for start and the `After=systemd-udev-settle.service` there has no effect. Adding `Wants=systemd-udev-settle.service` provides a weak requirement to it, so that the `rngd` is started after it, if possible. (From OE-Core rev: 006b5221ed6dac9964f49a03a55de2e847118dc1) Signed-off-by: Claudius Heine <ch@denx.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e9715d4234eb7b45dee8b323799014646f0a1b07) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: fix CVE-2021-3778Minjae Kim2021-10-072-0/+50
| | | | | | | | | | | vim is vulnerable to Heap-based Buffer Overflow reference: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (From OE-Core rev: 0fb9be3925f258a7e8009c581c1cf93ace2a498b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsoup-2.4: remove obsolete intltool dependencyRoss Burton2021-09-301-1/+1
| | | | | | | | | | | | This hasn't been needed since libsoup 2.65.2. (From OE-Core rev: bdaa86fa4636e4b48e7a001d969d2f9175fb1ff2) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 250a3f9a804917c8a9427d0209365d27b1b8fa4a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: Backport fix for CVE-2021-3770Richard Purdie2021-09-302-0/+209
| | | | | | | | | (From OE-Core rev: 8e5bb5f05cf171889ec2b34dcf24ff1985660074) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 54d3d023ce55ba4a7160ed25a283f0918e7d8e2e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nettle: Security fix for CVE-2021-20305Armin Kuster2021-09-306-0/+496
| | | | | | | | | | | | | | | | | | Source: Debian.org MR: 110174 Type: Security Fix Disposition: Backport from https://sources.debian.org/patches/nettle/3.4.1-1+deb10u1/ ChangeID: 47746f3e58c03a62fef572797d0ae6e0cd865092 Description: Affects: Nettle < 3.7.2 Minor fixup for nettle_secp_224r1 to _nettle_secp_224r1 to match 3.5.1 (From OE-Core rev: 10f2333afd739669013a65112f6471f09e13d124) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-05 03:51:13 +0000