Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap-5.0.6 2024-12-13T13:24:12+00:00 2024-12-13T13:24:12+00:00 Steve Sakoman steve@sakoman.com 2024-12-13T13:22:28+00:00 urn:sha1:2541a8171f91812a4b16e7dc4da0d77d2318a256 (From OE-Core rev: 336eec6808710f260a5336ca8ca98139a80ccb14) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Steve Sakoman steve@sakoman.com 2024-12-10T13:48:31+00:00 urn:sha1:6a80352d51bd2cf141b0dc4dd946d1b131ed94a7 (From meta-yocto rev: e9b828fdf46d3b3ad6ccd51710845bdfd29357bb) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Ross Burton ross.burton@arm.com 2024-09-12T16:57:36+00:00 urn:sha1:61ec07c6cf2c1cd35eb1f0d4b904b45ac965724f If user namespaces are not available (typically because AppArmor is blocking them), alert the user. We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace. [ YOCTO #15592 ] (From OE-Core rev: 3577ceca39c7c3be81563de9ccf06a805f61d3ca) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Guðni Már Gilbert gudni.m.g@gmail.com 2024-12-08T13:10:34+00:00 urn:sha1:6ae367c861f108a7415786dec8a5eaf4b5d773f1 python3-iniparse dependency was dropped 2019, see the following commit as reference: https://github.com/rpm-software-management/dnf/pull/1329/commits/d7d0e0e2f9d8c7d021c794821ad0b56a39ebc01f When looking at the Git history, this happened around tag 4.2.1 (From OE-Core rev: 3273ace1e5e4b0573ceaa44f2710f651db9ae525) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Guðni Már Gilbert gudni.m.g@gmail.com 2024-12-08T13:10:33+00:00 urn:sha1:30fd1ca222be35c918b8bae701522837bb0209b2 Looking at the history, python3-six was removed as a dependency in the poetry.lock file in v1.5.2 Even before v1.5.2 and until now (v1.9.1) there is no code in the package which imports the six module. So it can be safely dropped from the recipe. (From OE-Core rev: 09378088bba46b6e505f69381496da0ecd0ecf2c) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Guðni Már Gilbert gudni.m.g@gmail.com 2024-12-08T13:10:32+00:00 urn:sha1:418996278d39dbbf081b171d053b64b80a8c4e42 intltool was dropped as a dependency in v236 See commit for reference: https://github.com/systemd/systemd/pull/7313/commits/c81217920effddc93fb780cf8f9eb699d6fe1319 (From OE-Core rev: fffffc22e9cdfee5afe05baadaae941785f5a18b) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Guðni Már Gilbert gudni.m.g@gmail.com 2024-12-08T13:10:31+00:00 urn:sha1:83293db0bcbf445c926b88c313af05ec4e4378d8 intltool was dropped as a dependency in v236 See commit for reference: https://github.com/systemd/systemd/pull/7313/commits/c81217920effddc93fb780cf8f9eb699d6fe1319 (From OE-Core rev: 60e6fd2b7e3adfbe4260cd266dbe245c745344a9) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:54+00:00 Divya Chellam divya.chellam@windriver.com 2024-12-09T13:18:26+00:00 urn:sha1:a5e0237596b3d4b7026bba75c6cc6e5f44bc8197 A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. References: https://security-tracker.debian.org/tracker/CVE-2024-10041 Upstream patches: https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be (From OE-Core rev: 0e76d9bf150ac3bf96081cc1bda07e03e16fe994) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:53+00:00 Peter Marko peter.marko@siemens.com 2024-12-08T17:34:47+00:00 urn:sha1:cbafea41f5fa7f196d159b32171e9a693150a08b CVE patch was removed on last upgrade as fixing commit was backported to stable 8.2.x branch. NVD DB has this CVE as version-less (with "-"). So explicit status set is needed to mark it as fixed. (From OE-Core rev: 64359ec3b60ae68d39c2e6444f903fd20e397cff) (From OE-Core rev: 33050bf82add43409675122a8f29acbcda4e8439) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-12-13T13:21:53+00:00 Archana Polampalli archana.polampalli@windriver.com 2024-12-06T13:11:48+00:00 urn:sha1:c2186ed9ea48ef8b3d91f741f04e1077d4e6fd64 A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651. (From OE-Core rev: 71a9c2d01ad8ed83f9da6e6b9541fcf1d9baed48) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>