Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=daisy 2015-04-27T14:20:45+00:00 2015-04-27T14:20:45+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-04-22T12:57:28+00:00 urn:sha1:97e9be81304ddebdee1045105264f09cac6b239a Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. PoC: (From OE-Core rev: 2590eb53a6dac90cba52edd09ea56a6bdf4c4533) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-02-06T14:56:07+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-01-16T10:16:03+00:00 urn:sha1:d759301a34125d2aa27707cb3610f4be1fa8a786 This is related to "SSLv3 POODLE vulnerability" CVE-2014-3566 Building python without SSLv3 support when openssl is built without any support for SSLv3 (e.g. by adding EXTRA_OECONF = " -no-ssl3" in the openssl recipes). Backport from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768611#22 [python2.7-nossl3.patch] only Modules/_ssl.c is backported. References: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7015 https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 http://bugs.python.org/issue22638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 (From OE-Core rev: 926904f65db33aa7a6a54bd6cdc9c8b34f000b0d) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-11-06T11:40:38+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-11-06T05:08:50+00:00 urn:sha1:19dc8bf950ae2dcca3e8165eaf122d3c1cb7006e If DISTRO_FEATURES contains "largefile", force the size of off_t to 8 as a workaround for having ac_cv_sizeof_off_t=4 on 32-bit systems. In future we will likely drop the value from the site file, but for now this is a slightly safer fix. Fixes [YOCTO #6813]. (From OE-Core master rev: a8216030ee6c65531de8fbf3eed878a345a94edc) (From OE-Core rev: 94483eff5d0858ef1b5a8850268aa6a7bc6e6463) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-17T08:00:26+00:00 Philip Balister philip@balister.org 2014-05-21T12:57:12+00:00 urn:sha1:232af2ec04fefaa286804f0d646a77989c47da1e We apply this patch to the python recipe already. Without this patch the zeroc-ice-native recipe will not build. See: http://bugs.python.org/issue17547 for more details. (From OE-Core rev: da5c99c7893b589f0d2f2e6d76261b4063ffdd32) Signed-off-by: Philip Balister <philip@balister.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-29T12:42:21+00:00 Tyler Hall tylerwhall@gmail.com 2014-05-05T00:06:43+00:00 urn:sha1:361ddb10de4d5e27597e60ac66e7277f2fe3cd8e The newer sysconfig module shares some code with distutils.sysconfig, but the same modifications as in 12-distutils-prefix-is-inside-staging-area.patch makes distutils.sysconfig affect the native runtime as well as cross building. Use the old, patched implementation which returns paths in the staging directory and for the target, as appropriate. This change reverts this upstream patch http://hg.python.org/cpython/diff/712970b019f7/Misc/python-config.in (From OE-Core rev: 7b2ffd68ae8235dcc3ddff9cbe8525e61f3b3d28) (From OE-Core rev: de5797b27a358954eb15318d0d77ad1981981861) Signed-off-by: Tyler Hall <tylerwhall@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-29T12:42:21+00:00 Tyler Hall tylerwhall@gmail.com 2014-05-04T22:37:50+00:00 urn:sha1:133472e7aaddcf9cbf2a6aa34bd7049b3990dcf6 If python2 and python3 are both available, scripts that are subject to this substitution can possibly run with the wrong python version. python3-config is one such script. (From OE-Core rev: 23849347d0fe60a01578efdd6c6e23ebb444dcd6) (From OE-Core rev: ae49adc13db10cb39eeb9377eb4c60a4db436e00) Signed-off-by: Tyler Hall <tylerwhall@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-04-09T08:53:14+00:00 Maxin B. John maxin.john@enea.com 2014-04-07T15:48:11+00:00 urn:sha1:e34ad1e27b7db3237ae0435864cced32133d7025 A remote user can send specially crafted data to trigger a buffer overflow in socket.recvfrom_into() and execute arbitrary code on the target system. The code will run with the privileges of the target service. This back-ported patch fixes CVE-2014-1912 (From OE-Core rev: 344049ccfa59ae489c35fe0fb7592f7d34720b51) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-04-04T10:53:51+00:00 Chong Lu Chong.Lu@windriver.com 2014-04-03T07:52:22+00:00 urn:sha1:b996f22f8bed0c587392e33cc58c4b9c673ad50e Backport two patches from upstream: use new readline function types (closes #20374) Issue #20374: Avoid compiler warnings when compiling readline with libedit. [YOCTO #6107] (From OE-Core rev: a6b91ae7dec2edebc0eaea0592c42b1c455ad4d7) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-03-21T12:05:55+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-03-20T17:41:39+00:00 urn:sha1:7df7404d7becb32aa76f99a34620a8c9f6c6826f These have been added recently to 2.7 but were missing in the 3.3 script/inc file. (From OE-Core rev: 4669afac1004a89e6b87ec46136ca3e7448700d4) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-03-21T12:05:55+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-03-20T17:23:08+00:00 urn:sha1:dd1e12a585586cc6e880a4ed9e0874e03aa77f5b (From OE-Core rev: 081bc11c347d11d285f2948127bca81a285ada84) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>