summaryrefslogtreecommitdiffstats
path: root/meta
Commit message (Collapse)AuthorAgeFilesLines
* uninative: Update to 2.7 releaseMichael Halstead2019-10-101-5/+5
| | | | | | | | | | | | The 2.7 release updates glibc to version 2.30. Recently added to openSUSE Tumbleweed and needed for Fedora Core 31. (From OE-Core rev: e6728a873f1eef335a9e21bdface304f13f0c952) Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gnupg: Do not apply -Woverride-init guard for gcc >= 9Khem Raj2019-10-104-5/+37
| | | | | | | | | (From OE-Core rev: e40c38afc1747d1ed71c9bd2ab3189bbb1efcee9) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libgpg-error: Fix build with gawk 5.xSean Nyekjaer2019-10-102-0/+162
| | | | | | | | | | | | | Based on poky master, but for version 1.35 (From OE-Core rev: ff3b021136d7af66f05475da8475495fe7c653ee) Signed-off-by: Sean Nyekjaer <sean@geanix.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> [backported to thud yocto# 13580] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix build issue on new hosts with glibc 2.30Armin Kuster2019-10-103-0/+146
| | | | | | | | | | | | | | | | | | | | | | This fixes the following error: TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:254:16: error: static declaration of ‘gettid’ follows non-static declaration 254 | _syscall0(int, gettid) | ^~~~~~ TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:185:13: note: in definition of macro ‘_syscall0’ 185 | static type name (void) \ | ^~~~ In file included from /usr/include/unistd.h:1170, from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/include/qemu/osdep.h:90, from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:20: /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here 34 | extern __pid_t gettid (void) __THROW; | ^~~~~~ (From OE-Core rev: 5b5ca76cc5dd424248c7e687e562597a2c85df57) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* wget: Security fixes CVE-2018-20483Andrii Bordunov via Openembedded-core2019-10-103-0/+202
| | | | | | | | | | | | | | | | Source: http://git.savannah.gnu.org/cgit/wget.git/ Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/ Description: Fixes CVE-2018-20483 (From OE-Core rev: c901bc8cd9de5853185af2059c6f1efeb4ccdd60) Signed-off-by: Aviraj CJ <acj@cisco.com> [Affects Wget before 1.20.1] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sqlite3: Security fix for CVE-2019-8457Shubham Agrawal2019-10-102-0/+127
| | | | | | | | | (From OE-Core rev: c0c66d213b4b6deb0a5e9a688810d2e9674d3ecf) Signed-off-by: Shubham Agrawal <shuagr@microsoft.com> [Cleaned up patch] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* perl: Fix CVE-2018-18311 to 18314Dan Tran2019-10-105-0/+518
| | | | | | | | | (From OE-Core rev: cffd085ef77d055e5e837887b0eaf820aa982f00) Signed-off-by: Dan Tran <dantran@microsoft.com> [Perl before 5.26.3 and 5.28.x before 5.28.1] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* json-c: Don't --enable-rdrandAdrian Bunk2019-10-101-2/+0
| | | | | | | | | | | | | | | | | | | | | In recent years AMD CPUs have had various problems with RDRAND giving either non-random data or no result at all, which is problematic if either build or target machine has a CPU with this problem. The fallback is /dev/urandom, and I'd trust the kernel here. --enable-rdrand was added in an upgrade to a new upstream version without mentioning any reason. [YOCTO #13534] (From OE-Core rev: fad633eb5c464d4e2a984b9259625bcd150ee357) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2019-13232Dan Tran2019-10-104-0/+513
| | | | | | | | (From OE-Core rev: 7857d85db69bcb2cb94399a22de6903263e52965) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* elfutils: CVE fix for elfutilsShubham Agrawal2019-10-103-0/+221
| | | | | | | | | | | | CVE: CVE-2019-7664.patch CVE: CVE-2019-7665.patch Sign off: Shubham Agrawal <shuagr@microsoft.com> (From OE-Core rev: 8ca80002aa21897834b8c9869137461221e50225) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Fix 4 CVEsDan Tran2019-10-107-54/+351
| | | | | | | | | | | | Fixes CVE-2018-18954, CVE-2019-3812, CVE-2019-6778, and CVE-2019-8934. Also deleted duplicated patch and cleanup. (From OE-Core rev: e4b6a39bdf1b660233a7145599cd4fc3e971fc8f) Signed-off-by: Dan Tran <dantran@microsoft.com> [fixup for thud-next] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/context: ensure log directory existsChen Qi2019-10-101-0/+1
| | | | | | | | | | | | | Ensure log directory exists to avoid the following error. FileNotFoundError: [Errno 2] No such file or directory: '/.../build-selftest/tmp/log/oe-selftest-results-20181207043431.log' (From OE-Core rev: c54411d0e03fe1cea8b6bb0c80dea029dd264f36) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto/4.14: update to v4.14.143Bruce Ashfield2019-10-083-16/+16
| | | | | | | | | | | Updating to the latest 4.14 -stable. Lightly build and boot tested on qemu* (From OE-Core rev: f5be8c8309a932cde507ba24d042880a922df0b6) Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pango: fix CVE-2019-1010238Anuj Mittal2019-10-082-1/+41
| | | | | | | | | | | (From OE-Core rev: 20b23cb40917b1c83b862817b13f0eefc8fa7a64) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 65631a048f57965745dc8cc23cb80c4c3a71ba94) [Fix up for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* patch: backport fixesAnuj Mittal2019-10-083-0/+175
| | | | | | | | | | | | | | | | The original fix for CVE-2018-1000156 was incomplete. Backport more fixes done later for a complete fix. Also see: https://savannah.gnu.org/bugs/index.php?53820 (From OE-Core rev: e2869ff2f76adb2b1ba6f003d6d02d242afe49e8) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 12f9689cba740da6b8c7d9292c74c3992c2e18f2) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* patch: fix CVE-2019-13638Trevor Gamblin2019-10-082-0/+45
| | | | | | | | | | | | | (From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781) (From OE-Core rev: 308c44fd8f1d7d348c6c7cf9054f9c8403d8e8bd) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 555b0642579c00c41bc3daab9cef08452f9834d5) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxslt: fix CVE-2019-13117 CVE-2019-13118Anuj Mittal2019-10-083-1/+112
| | | | | | | | | | | | (From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5) (From OE-Core rev: 07cd0d606fea63e683c7de7ebfaa6a55170b8318) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Fixup for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxslt: Cve fix CVE-2019-11068Muminul Islam2019-10-082-0/+129
| | | | | | | | (From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b) Signed-off-by: Muminul Islam <muislam@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Fix CVEsDan Tran2019-10-085-0/+599
| | | | | | | | | | | Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636, CVE-2019-9740, and CVE-2019-9747. (From OE-Core rev: 5862716f22ca9f5745d3bca85c6ed0d8c35c437b) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: Fix 3 CVEsDan Tran2019-10-083-0/+348
| | | | | | | | | | Fixes CVE-2018-20852, CVE-2019-9740, and CVE-2019-9747 (From OE-Core rev: 3f1c02aa7b7d485e64503d601124c335d4b7299f) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: Fix 4 CVEsDan Tran2019-10-085-0/+342
| | | | | | | | | | | | Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and CVE-2018-1000876 for binutils 2.31.1. (From OE-Core rev: 981eeec0f26f25db444782f40a86c558a2358215) Signed-off-by: Dan Tran <dantran@microsoft.com> [fixed up .inc for thud-next context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcp: Replace OE specific patch for compatibility with latest bind with ↵Adrian Bunk2019-10-083-2883/+80
| | | | | | | | | | | | | upstream patch This also fixes a dhcp breakage noticed by Enrico Scholz. (From OE-Core rev: 5deab12cdcf1d7372634324e1fd70145ff59f9f9) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcp: drop lost patchRuslan Bilovol2019-10-081-117/+0
| | | | | | | | | | | | | | | Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped 0008-tweak-to-support-external-bind.patch from recipe, but left the patch itself in source tree. Remove this patch since nobody uses it. Cc: Armin Kuster <akuster808@gmail.com> (From OE-Core rev: 109e8420c8a4e94dccb3c83e2b0b7fc6ceb66b04) Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcp: fix issue with new bind changesArmin Kuster2019-10-082-0/+2883
| | | | | | | (From OE-Core rev: d0e2babdab1625e86d0abc7fa7dab25caa73ccb6) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: update to 1.11.13, minor updatesArmin Kuster2019-10-081-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | Source: golang.org MR: 99376 Type: Security Fix Disposition: Backport from golang.org ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06 Description: https://golang.org/doc/devel/release.html go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details. go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details. go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details. Includes CVE: CVE-2019-14809 (From OE-Core rev: 6018e9755dce3eaa22a1fe691dc18546c43c9cbe) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: upgrade 9.11.5 -> 9.11.5-P4Adrian Bunk2019-10-081-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Source: OE.org MR: 99751, 99752, 99753 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4 ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01 Description: Bugfix-only compared to 9.11.5, mostly CVE fixes. COPYRIGHT checksum changed due to 2018 -> 2019. (From OE-Core rev: b24447b40e4988e337bdd4b5cf194df0827f9887) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Included cves: CVE-2018-5744 CVE-2018-5745 CVE-2019-6465 ] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: update to latest LTS 9.11.5Armin Kuster2019-10-082-75/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | Source: bind.org MR: 99750 Type: Security Fix Disposition: Backport from bind.org ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224 Description: includes: CVE-2018-5738 drop patch for CVE-2018-5740 now included in update see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html Add RECIPE_NO_UPDATE_REASON for lts (From OE-Core rev: 25b2f2c6fc67eabb0e7f0b7c5ffe08c554613c10) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Also includes CVE-2018-5740] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: Security fix for CVE-2019-12972Armin Kuster2019-10-082-0/+40
| | | | | | | | | | | | | | | | | | | | Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 (From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba) Signed-off-by: Armin Kuster <akuster@mvista.com> [v2] forgot to refresh inc file before sending Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: Security fix for CVE-2019-14444Armin Kuster2019-10-082-0/+34
| | | | | | | | | | | | | | | | | | Source: git://sourceware.org / binutils-gdb.git MR: 99255 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72 Description: Affects: <= 2.32.0 Fixes CVE-2019-14444 (From OE-Core rev: a367928942411b36a0b0bbb95055d01548430e8e) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc: Security fix for CVE-2019-14250Armin Kuster2019-10-082-0/+45
| | | | | | | | | | | | | | | | | Source: gcc.org MR: 99120 Type: Security Fix Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb Description: Affects < 9.2 (From OE-Core rev: 79205966072bb6179d96b3af5aabc521da83e841) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: add a patch fixing the native build on newer kernelsBartosz Golaszewski2019-10-083-10/+346
| | | | | | | | | | | | | | The build fails on qemu-native if we're using kernels after commit 0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream patch that fixes the issue. (From OE-Core rev: fac2d3846dadfda256e94500bdf33f546a8d1fb4) Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Refactoried for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libcomps: fix CVE-2019-3817Andrii Bordunov via Openembedded-core2019-10-082-0/+98
| | | | | | | | (From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glib-2.0: fix CVE-2019-13012Andrii Bordunov via Openembedded-core2019-10-082-0/+48
| | | | | | | | (From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dbus: fix CVE-2019-12749Andrii Bordunov via Openembedded-core2019-10-082-0/+128
| | | | | | | | (From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823Andrii Bordunov via Openembedded-core2019-10-084-0/+155
| | | | | | | | (From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: fix CVE-2019-9740Anuj Mittal2019-10-082-0/+156
| | | | | | | | | | | | CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See: https://bugs.python.org/issue30458 (From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* patch: fix CVE-2019-13636Anuj Mittal2019-10-082-0/+114
| | | | | | | | (From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* buildhistory: call a dependency parser only on actual dependency listsAlexander Kanavin2019-10-081-1/+1
| | | | | | | | | | | | Previously it was also called on filelists and possibly other items which broke the parser. (From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to thud head revisionyocto-2.6.3thud-20.0.3Richard Purdie2019-08-011-1/+1
| | | | | | (From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* expat: fix CVE-2018-20843Anuj Mittal2019-07-292-0/+27
| | | | | | | (From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libcroco: fix CVE-2017-7961Ross Burton2019-07-292-1/+48
| | | | | | | | | (From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9) (From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Fix 3 CVEsOvidiu Panait2019-07-297-0/+702
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. References: https://nvd.nist.gov/vuln/detail/CVE-2019-6116 https://www.openwall.com/lists/oss-security/2019/01/23/5 https://nvd.nist.gov/vuln/detail/CVE-2019-3835 https://nvd.nist.gov/vuln/detail/CVE-2019-3838 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18) (From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Fix for CVE-2019-6116 is already in thud, so that has been removed] Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bzip2: fix CVE-2019-12900Anuj Mittal2019-07-293-0/+117
| | | | | | | | | | | Also include a patch to fix regression caused by it. See: https://gitlab.com/federicomenaquintero/bzip2/issues/24 (From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: integrate security fixesRoss Burton2019-07-297-0/+337
| | | | | | | | | | | | | | | | | Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 (From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c) (From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-base: fix CVE-2019-9928Anuj Mittal2019-07-292-0/+34
| | | | | | | (From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsdl: CVE fixesAnuj Mittal2019-07-2910-0/+832
| | | | | | | | | | | Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637, CVE-2019-7638. (From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONSAlejandro del Castillo2019-07-292-41/+2
| | | | | | | | | | | | | | | | | | Currently, BAD_RECOMMENDATIONS on the opkg backed relies on editing the opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to deinstalled and pinned). This is brittle, and not consistent across the different solver backends. Use new --add-ignore-recommends flag instead. (From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc) (From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85) (From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* opkg: add --ignore-recommends flagAlejandro del Castillo2019-07-292-0/+261
| | | | | | | | | | | | | | | | | To be used for BAD_RECOMMENDATIONS feature. (From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de) (From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd) (From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Backport from opkg_0.4.0.bb] Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* uboot-sign.bbclass: Remove tab indentations in python codeRobert Yang2019-07-271-10/+10
| | | | | | | | | | | Use 4 spaces to replace a tab. (From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glib: Security fix for CVE-2019-9633Armin Kuster2019-07-273-0/+549
| | | | | | | | | | | | | | | | | | Source: gnome.org MR: 98802 Type: Security Fix Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318 Description: includes supporting patch. Fixes CVE-2019-9633 (From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-23 18:32:29 +0000