summaryrefslogtreecommitdiffstats
path: root/meta
Commit message (Collapse)AuthorAgeFilesLines
...
* openssl: Upgrade 1.1.1b -> 1.1.1cAdrian Bunk2020-01-283-75/+5
| | | | | | | | | | | Backported patch removed. (From OE-Core rev: 3402c001bc585bacb6e00495a7c3c66c75d16e7c) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* systemd: Upgrade to a more recent snapshot from the 241 branchAdrian Bunk2020-01-281-1/+1
| | | | | | | | | | | Bugfix-only changes on the 241 stable branch, including a fix for a breakage with OpenSSL >= 1.1.1c. (From OE-Core rev: 9160dc4dbee6fb13f1a46963ced7961505154213) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* systemd: Whitelist CVE-2018-21029 CVE-2019-3843 CVE-2019-3844Adrian Bunk2020-01-281-0/+7
| | | | | | | | | | | One does not strictly apply to 241, for the other two a fix was already backported to the 241 branch. (From OE-Core rev: d328696acfd4967d19e32680033d9594dd00b92c) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iputils: Whitelist CVE-2000-1213 CVE-2000-1214Adrian Bunk2020-01-281-0/+4
| | | | | | | | | (From OE-Core rev: 7c51ca8538f228d98a4b3411a15fde83516c0419) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lz4: Whitelist CVE-2014-4715Adrian Bunk2020-01-281-0/+3
| | | | | | | | | (From OE-Core rev: ca4fc78584ec5a7bbeac188f4ed935b3128eb6eb) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sysstat: fix CVE-2019-19725Anuj Mittal2020-01-282-1/+31
| | | | | | | | | (From OE-Core rev: 7f8f018ea5ef6ecb80c5b5250df90a8b690e6f47) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* base.bbclass: add dependency on pseudo from do_prepare_recipe_sysrootMattias Hansson2020-01-281-0/+1
| | | | | | | | | | | | | | | | | | | do_prepare_recipe_sysroot may perform groupadd, which requires pseudo. However, do_prepare_recipe_sysroot does not depend on pseudo explicitly, which sometimes causes a build error when building a recipe that adds groups. This issue only occurs when executing do_prepare_recipe_sysroot for a recipe that adds groups before finishing a task that depends on pseudo for a recipe that doesn't add groups. (From OE-Core rev: 86f196dc077de7f3f6664e69703a96245b42ddc0) Signed-off-by: Mattias Hansson <mattihn@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2019-17596Hongxu Jia2020-01-282-0/+43
| | | | | | | | | | | | https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 (From OE-Core rev: a8adb7d23172acb587c259a28aa0c9e2df83f228) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nasm: fix CVE-2019-14248Anuj Mittal2020-01-282-0/+44
| | | | | | | | | | | | | See: https://bugzilla.nasm.us/show_bug.cgi?id=3392576 (From OE-Core rev: 49dca79c6e5f631d1f55422864ee57c86cafe1a4) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nasm: fix CVE-2018-19755Anuj Mittal2020-01-282-1/+119
| | | | | | | | | (From OE-Core rev: 021c8ae8e115ff6bab167146d97a340d4945118d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glib-2.0: Backport the CVE-2019-12450 fixAdrian Bunk2020-01-282-0/+58
| | | | | | | (From OE-Core rev: 9c4d7a92f4f6e4070102b12de44d9bfe6f944735) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lighttpd: Backport the CVE-2019-11072 fixAdrian Bunk2020-01-282-0/+55
| | | | | | | (From OE-Core rev: abc2d1fad91f1378be3946e35d8f8f450823599e) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: fix CVE-2019-19126Anuj Mittal2020-01-282-0/+33
| | | | | | | | | | | | Backport from 2.30 stable branch and drop NEWS section. (From OE-Core rev: de04ec5dcf72d76f2e8274af4bcddf27cb02e544) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: fix CVE-2019-19221Anuj Mittal2020-01-282-0/+102
| | | | | | | | | | | | | Also see: https://github.com/libarchive/libarchive/issues/1276 (From OE-Core rev: b4628dd1ef9d50e8778cadae09e6d31886bd47d2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gdb: Fix CVE-2019-1010180Vinay Kumar2020-01-282-0/+133
| | | | | | | | | | | | | | | | | Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: Whitelist CVE-2019-6470Adrian Bunk2020-01-281-0/+4
| | | | | | | (From OE-Core rev: a45f9d2047d7d1156fafc44554c4908a0c7d2647) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: fix CVE-2019-17451Trevor Gamblin2020-01-282-0/+52
| | | | | | | | | | | | | Backport upstream fix. (From OE-Core rev: 02c54859c009be191958a19a5c3549a6635cc647) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: fix CVE-2019-17450Trevor Gamblin2020-01-282-0/+100
| | | | | | | | | | | | | Backport upstream fix. (From OE-Core rev: dcd3406c79bdee46fabc2310c9e278918e26ce80) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* wpa-supplicant: fix CVE-2019-16275Ross Burton2020-01-282-0/+83
| | | | | | | | | (From OE-Core rev: 4b764c25d7396cba41c28c66a78a7a8f0ea3a5be) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: RDEPEND on libgccJoshua Watt2020-01-281-0/+2
| | | | | | | | | | | | | | | | | | | | Python uses features of glibc that require it to dynamically load (i.e. dlopen()) libgcc_s at runtime. However, since this isn't a link time dependency, it doesn't get picked up automatically by bitbake so manually add it to RDEPENDS. There is an outstanding bug in Python to make it explicitly link against libgcc at link time which would remove the need for this. See: https://bugs.python.org/issue37395 (From OE-Core rev: 04297ee03f5f4e4edafaf332a6648465f52ba1eb) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> [ merged the fix to make it glibc only ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Upgrade 3.7.5 -> 3.7.6Adrian Bunk2020-01-281-2/+2
| | | | | | | (From OE-Core rev: 262ac0c4d534b1858b81c7d69b6ff57c5d3a4559) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python/python3: Whitelist CVE-2019-18348Adrian Bunk2020-01-282-0/+6
| | | | | | | | | | | This is not exploitable when glibc has CVE-2016-10739 fixed, which is fixed in the upstream version since warrior. (From OE-Core rev: a2507600fecdf815ad80da569c5e8ad65286b812) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652Adrian Bunk2020-01-281-0/+10
| | | | | | | | | | One Windows-only CVE that cannot be fixed, and two CVEs where upstream agreement is that they are not vulnerabilities. (From OE-Core rev: 1b69d141b73e46cc377f8566868da44dd5b1ea42) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* stress: update SRC_URIArmin Kuster2020-01-161-1/+1
| | | | | | | | | | Fixes: WARNING: stress-1.0.4-r0 do_fetch: Failed to fetch URL http://people.seas.harvard.edu/~apw/stress/stress-1.0.4.tar.gz, attempting MIRRORS if available (From OE-Core rev: 279c4da2e5f46dccfeff0c898c2205940be9e174) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: Fix fetching sourcesFerry Toth2020-01-161-1/+1
| | | | | | | | | | | | | | It looks like https://www.sudo.ws/download.html changed certificate and directory structure. This breaks fetching sources. (From OE-Core rev: adb6af60dcf098bfce64168e6443c26d124661c4) Signed-off-by: Ferry Toth <ftoth@exalondelft.nl> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f02e9f46ce54fed3c7ddfad7d1003a2fb7ba3a67) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: correct SRC_URIAlexander Kanavin2020-01-161-1/+1
| | | | | | | | | | | | The old URI returns 404, and has an invalid TLS certificate. (From OE-Core rev: abb42b83e1a96cdc7dac73e223a87cf078979c49) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 73ff6aba0a53ffc3ee0a5859a3ad4c8021be4de0) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* popt: fix SRC_URIOleksandr Kravchuk2020-01-161-1/+1
| | | | | | | | | | | | | rpm5.org has been down for about a year now. Use linuxfromscratch.org as an alternative reliable source instead. (From OE-Core rev: 2e2fb4e9db2e328dcb771951feb7f7ab5c0c4dd6) Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d9224014da9a512b1b8837e4e7a736d465c97be3) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Switch to NVD CVE JSON feed version 1.1Niko Mauno2020-01-162-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: 72c22b8791707480c380f49305c6d394578b2a4b) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: fetch CVE data once at a time instead of in a single callRoss Burton2020-01-161-10/+10
| | | | | | | | | | | | | | | | | | | | | This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 0f5b748a5b7fec41bac16bbc1346230e86bb99e3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: neaten get_cve_infoRoss Burton2020-01-161-13/+5
| | | | | | | | | | | | | Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 0ec6843bec3e817c3bc62d04adea5fd385307b32) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: rewrite look to fix false negativesRoss Burton2020-01-161-29/+34
| | | | | | | | | | | | | | | | | | | A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 9948dd86d100bec56e22e6c0bbf4759925a4b306) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: clean up proxy handlingRoss Burton2020-01-161-26/+5
| | | | | | | | | | | | | | urllib handles adding proxy handlers if the proxies are set in the environment, so call bb.utils.export_proxies() to do that and remove the manual setup. (From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434) (From OE-Core rev: 2ddf1c0bc4267d38069f9dbb0f716fdac29a49a9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: add an index on the CVE ID columnRoss Burton2020-01-161-0/+3
| | | | | | | | | | | | | | Create an index on the PRODUCTS table which contains a row for each CPE, drastically increasing the performance of lookups for a specific CVE. (From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e) (From OE-Core rev: 9abd2b5c4ddfb98f3b8574954e1fd0e95a47ebcc) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: don't hardcode the database nameRoss Burton2020-01-161-2/+2
| | | | | | | | | | | | | | Don't hardcode the database filename, there's a variable for this in cve-check.bbclass. (From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab) (From OE-Core rev: f774665ee4dcdc5a1fe1f51384d82fb8e1b219e1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: don't refresh more than once an hourRoss Burton2020-01-161-1/+9
| | | | | | | | | | | | | | | We already fetch the yearly CVE metadata and check that for updates before downloading the full data, but we can speed up CVE checking further by only checking the CVE metadata once an hour. (From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a) (From OE-Core rev: fd16e1bb582d3135411e2e3dad46731114d2b955) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: we don't actually need to unpack to checkRoss Burton2020-01-161-2/+1
| | | | | | | | | | | | | | The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack. (From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17) (From OE-Core rev: 8bfe83d53c39e4a88f808af617db7db091694841) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: failure to parse versions should be more visibleRoss Burton2020-01-161-2/+2
| | | | | | | | (From OE-Core rev: d1a16e6f0edda5d9f03191d187788fc8b666bd7f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: ensure all known CVEs are in the reportRoss Burton2020-01-161-2/+7
| | | | | | | | | | | | | | | CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 430e95cd819577d4d71fe6d579a175b8776aa467) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sdk: Install nativesdk locales for all TCLIBC variantsKhem Raj2020-01-161-4/+0
| | | | | | | | | | | | | | | | | | | | | | | install_locales() here is actually operating on nativesdk and only glibc is the default library for nativesdk, since thats what most of desktop/server distros use, therefore bailing out based on TCLIBC is not needed here, since nativesdk-glibc would be required for all non-glibc targetting SDKs as well. Fixes SDK install time error ERROR: OE-core's config sanity checker detected a potential misconfiguration. Either fix the cause of this error or at your own risk disable the checker (see sanity.conf). Following is the list of potential problems / advisories: Your system needs to support the en_US.UTF-8 locale. ERROR: SDK preparation failed (From OE-Core rev: 7b8f6388e0a1e1eab35918a3764e98553a2452f4) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcap: upgrade 1.9.0 -> 1.9.1Zang Ruochen2020-01-162-32/+2
| | | | | | | | | | | | | | -libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch Removed since this is included in 1.9.1. (From OE-Core rev: d0e3d1f9437b2e2c6284d9fad51bb11ebe72a46c) Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [CVE-2018-16301 CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15164 CVE-2019-15165] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* procps: whitelist CVE-2018-1121Ross Burton2020-01-161-0/+3
| | | | | | | | | | | | | | This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. (From OE-Core rev: afc529aa689daed18af29ecc64f3dae1fcbdc282) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* webkitgtk: set CVE_PRODUCTChen Qi2020-01-161-0/+2
| | | | | | | | | | (From OE-Core rev: 5fbf5eead50ab5a8cbacf277ddfff2eeca26f738) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsndfile1: whitelist CVE-2018-13419Ross Burton2020-01-161-0/+3
| | | | | | | | | | | | | This is a memory leak that nobody else can replicate and has been rejected by upstream. (From OE-Core rev: 583990fc583a96dbf0655bff1630b2ebe199021d) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxfont2: set CVE_PRODUCTChen Qi2020-01-161-0/+2
| | | | | | | | | | (From OE-Core rev: ab5cc4a6119527e48299d7d6b7fac440c4b9bb6c) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpam: set CVE_PRODUCTRoss Burton2020-01-161-0/+2
| | | | | | | | | | (From OE-Core rev: c214c6c7c0f011c933da8b271630fd6833d84685) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* boost: set CVE vendor to BoostRoss Burton2020-01-161-0/+2
| | | | | | | | | | | | There's a Boost module for Drupal. (From OE-Core rev: e8ffa02f3efcf5303b8cf57eb29e498e816e63c0) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ed: set CVE vendor to avoid false positivesRoss Burton2020-01-161-0/+2
| | | | | | | | | | (From OE-Core rev: 154e286042c289cbd225ba82aaf1247714aee857) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: set CVE vendor to ApacheRoss Burton2020-01-161-0/+2
| | | | | | | | | | | | There's a Jenkins plugin for Subversion. (From OE-Core rev: 9b5437f9afb4dd1366d5e21ea861f683d8cd2a09) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: set CVE vendor to git-scmRoss Burton2020-01-161-0/+2
| | | | | | | | | | | | There's a Jenkins plugin for Git. (From OE-Core rev: 44d4dda6db56107d7ce900730b370a2ec81d9c30) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* flex: set CVE_PRODUCT to include vendorRoss Burton2020-01-161-0/+3
| | | | | | | | | | | | | There are many projects called Flex and they have CVEs, so also set the vendor to remove these false positives. (From OE-Core rev: e128bd76ae9f4b30948e6b8fc68f4374e03c7bec) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-08 07:01:28 +0000