linux/poky.git/meta/recipes-devtools, branch daisy-enea

patch: fix CVE-2015-1196

2015-09-09T01:26:32+00:00

A directory traversal flaw was reported in patch: References: http://www.openwall.com/lists/oss-security/2015/01/18/6 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227 https://bugzilla.redhat.com/show_bug.cgi?id=1182154 [YOCTO #7182] (From OE-Core rev: 4c389880dc9c6221344f7aed221fe8356e8c2056) (From OE-Core rev: e2032c5788f7a77aa0e4e8545b550551c23a25fb) Signed-off-by: Robert Yang Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Sona Sarmadi

qemu: remove patch already applied

2015-07-20T23:24:45+00:00

This fix a build issue for qemu package Signed-off-by: Tudor Florea

python: Backport CVE-2013-1752 fix from upstream

2015-07-07T20:58:50+00:00

This back ported patch fixes CVE-2013-1752 for ftplib,imaplib,nntplib and poplib References: http://bugs.python.org/issue16038 http://bugs.python.org/issue16039 http://bugs.python.org/issue16040 http://bugs.python.org/issue16041 https://access.redhat.com/security/cve/CVE-2013-1752 The ftplib,imaplib,nntplib and poplib modules doesn't limit the amount of read data in its call to readline(). The modules should be modified to use limited readline() with _MAXLINE. Signed-off-by: Tudor Florea

python: Backport CVE-2013-1752 fix from upstream

2015-07-06T22:42:39+00:00

This back ported patch fixes CVE-2013-1752 for httplib References: http://bugs.python.org/issue16037 https://access.redhat.com/security/cve/CVE-2013-1752 The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all Signed-off-by: Tudor Florea

binutils: Fix building nativesdk binutils with gcc 4.9

2015-07-06T22:41:01+00:00

Patches explain the issue in detail but this is exposed with gcc 4.9 in binutils 2.24 This is from upstream daisy [474ea6b826b53cb1e4e01a262683091f6c9d9309 ] Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea

qemu: CVE-2014-7840

2015-07-06T22:33:18+00:00

Fixes insufficient parameter validation during ram load Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea

qemu: fixed multiple CVEs

2015-07-06T22:29:37+00:00

CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access CVE-2014-5263, missing field list terminator in vmstate_xhci_event CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle functions CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea

qemu-slirp: CVE-2014-3640

2015-07-06T18:19:40+00:00

Fixes a NULL pointer deref in sosendto() References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640 Signed-off-by: Sona Sarmadi

python: CVE-2014-7185

2015-07-06T18:19:40+00:00

Fixes buffer() integer overflow leading to out of bounds read This bug is only an issue if offset and size arguments are untrusted. The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue. Reference http://openwall.com/lists/oss-security/2014/09/25/47 Signed-off-by: Sona Sarmadi

qemu: upgrade to 1.7.2

2015-07-06T18:19:40+00:00

The upgrade addresses following CVEs: CVE-2014-0222 CVE-2014-0223 CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 Signed-off-by: Sona Sarmadi