<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-extended, branch dunfell-23.0.20</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=dunfell-23.0.20</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=dunfell-23.0.20'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2022-09-30T15:34:52+00:00</updated>
<entry>
<title>tzdata: Update from 2022b to 2022c</title>
<updated>2022-09-30T15:34:52+00:00</updated>
<author>
<name>Robert Joslyn</name>
<email>robert.joslyn@redrectangle.org</email>
</author>
<published>2022-09-18T17:33:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=35aaf7eadd62b09414be543217c63d775af4aa38'/>
<id>urn:sha1:35aaf7eadd62b09414be543217c63d775af4aa38</id>
<content type='text'>
(From OE-Core rev: efcb0b30244007545ab8b0231e003271dcd7fab2)

Signed-off-by: Robert Joslyn &lt;robert.joslyn@redrectangle.org&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit ecf88d151f265e5efb8e1dde5aba3ee2a8b76d8d)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>libarchive: Fix CVE-2021-31566 issue</title>
<updated>2022-09-12T07:41:51+00:00</updated>
<author>
<name>Ranjitsinh Rathod</name>
<email>ranjitsinh.rathod@kpit.com</email>
</author>
<published>2022-08-30T09:57:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=85637f30f37bf0f6773e3d29cb2437c0060c0d7f'/>
<id>urn:sha1:85637f30f37bf0f6773e3d29cb2437c0060c0d7f</id>
<content type='text'>
Add patch to fix CVE-2021-31566 issue for libarchive
Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz

(From OE-Core rev: 7028803d7d10c0b041a7bda16f9d9261f220459f)

Signed-off-by: Ranjitsinh Rathod &lt;ranjitsinh.rathod@kpit.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>libarchive: Fix CVE-2021-23177 issue</title>
<updated>2022-09-12T07:41:51+00:00</updated>
<author>
<name>Ranjitsinh Rathod</name>
<email>ranjitsinh.rathod@kpit.com</email>
</author>
<published>2022-08-30T09:52:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a5de603a1b9316dd945aaea3136af027bbc61fdd'/>
<id>urn:sha1:a5de603a1b9316dd945aaea3136af027bbc61fdd</id>
<content type='text'>
Add patch to fix CVE-2021-23177 issue for libarchive
Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz

(From OE-Core rev: 01d7e2c7a0da55a7c00aebed107c1338f5f032b1)

Signed-off-by: Ranjitsinh Rathod &lt;ranjitsinh.rathod@kpit.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tzdata: upgrade 2022a -&gt; 2022b</title>
<updated>2022-09-03T12:10:37+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex.kanavin@gmail.com</email>
</author>
<published>2022-08-19T07:26:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3d435421bc184cb6f17d71aff4e35c9443a46ea7'/>
<id>urn:sha1:3d435421bc184cb6f17d71aff4e35c9443a46ea7</id>
<content type='text'>
(From OE-Core rev: b0a0abbcc5e631e693b9e896bd0fc9b9432dd297)

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit b301d5203a4da0a0985670848126c5db762ddc86)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections</title>
<updated>2022-08-08T15:23:34+00:00</updated>
<author>
<name>Hitendra Prajapati</name>
<email>hprajapati@mvista.com</email>
</author>
<published>2022-07-28T05:47:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b9ae8da74e259378afb7100402633f5300090397'/>
<id>urn:sha1:b9ae8da74e259378afb7100402633f5300090397</id>
<content type='text'>
Source: http://git.linux-nfs.org/?p=steved/libtirpc.git;
MR: 120231
Type: Security Fix
Disposition: Backport from http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
ChangeID: 544120a5f10a4717cd2c7291821a012e26b14b7f
Description:
        CVE-2021-46828 libtirpc: DoS vulnerability with lots of connections.

(From OE-Core rev: 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2)

Signed-off-by: Hitendra Prajapati &lt;hprajapati@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>unzip: Port debian fixes for two CVEs</title>
<updated>2022-07-08T07:27:20+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2022-06-24T16:51:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=31b4392e6e9546cb76346edaed6c938fc578e370'/>
<id>urn:sha1:31b4392e6e9546cb76346edaed6c938fc578e370</id>
<content type='text'>
Add two fixes from debian for two CVEs. From:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355

I wans't able to get the reproducers to work but the added error
checking isn't probably a bad thing.

(From OE-Core rev: 097469513f6dea7c678438e71a152f4e77fe670d)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>unzip: fix CVE-2021-4217</title>
<updated>2022-07-08T07:27:20+00:00</updated>
<author>
<name>Joe Slater</name>
<email>joe.slater@windriver.com</email>
</author>
<published>2022-03-31T18:42:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4bc2324a25288162377c99c306b13543df982ca9'/>
<id>urn:sha1:4bc2324a25288162377c99c306b13543df982ca9</id>
<content type='text'>
Avoid a null pointer dereference.

(From OE-Core rev: 357791da82f767ad695e4476aa12fea3d7db5e04)

Signed-off-by: Joe Slater &lt;joe.slater@windriver.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
(cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cups: fix CVE-2022-26691</title>
<updated>2022-06-22T22:46:32+00:00</updated>
<author>
<name>Steve Sakoman</name>
<email>steve@sakoman.com</email>
</author>
<published>2022-06-13T16:11:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=95cda9d09165412d1345a089a845d3adaf4ff851'/>
<id>urn:sha1:95cda9d09165412d1345a089a845d3adaf4ff851</id>
<content type='text'>
In scheduler/cert.c the previous algorithm didn't expect the strings can
have a different length, so one string can be a substring of the other
and such substring was reported as equal to the longer string.

Backport patch from upstream to fix:
https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444

CVE: CVE-2022-26691

(From OE-Core rev: cc657868d31cc8b4218a07aa10fa098c379e473c)

Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>xz: fix CVE-2022-1271</title>
<updated>2022-04-21T20:26:01+00:00</updated>
<author>
<name>Ralph Siemsen</name>
<email>ralph.siemsen@linaro.org</email>
</author>
<published>2022-04-09T02:17:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=62aefd3864e289c4ab71c80c4b27de93d184241a'/>
<id>urn:sha1:62aefd3864e289c4ab71c80c4b27de93d184241a</id>
<content type='text'>
Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
CVE: CVE-2022-1271

(From OE-Core rev: da4180062f12aa855a0dd2c0dbe4f0721df67055)

Signed-off-by: Ralph Siemsen &lt;ralph.siemsen@linaro.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>gzip: fix CVE-2022-1271</title>
<updated>2022-04-21T20:26:01+00:00</updated>
<author>
<name>Ralph Siemsen</name>
<email>ralph.siemsen@linaro.org</email>
</author>
<published>2022-04-09T02:17:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=170ce893e750630a9180ac0ae087b8105418db05'/>
<id>urn:sha1:170ce893e750630a9180ac0ae087b8105418db05</id>
<content type='text'>
zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.

Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271

(From OE-Core rev: b7f0696bc60409af215549d26621526c1a93a002)

Signed-off-by: Ralph Siemsen &lt;ralph.siemsen@linaro.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
