<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta, branch krogoth</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=krogoth</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=krogoth'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2017-10-16T22:47:12+00:00</updated>
<entry>
<title>wpa_supplicant: fix WPA2 key replay security bug</title>
<updated>2017-10-16T22:47:12+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2017-10-16T22:23:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=54e3f82bd77203c3d578e26c86506e6ef5c27000'/>
<id>urn:sha1:54e3f82bd77203c3d578e26c86506e6ef5c27000</id>
<content type='text'>
WPA2 is vulnerable to replay attacks which result in unauthenticated users
having access to the network.

* CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake

* CVE-2017-13078: reinstallation of the group key in the Four-way handshake

* CVE-2017-13079: reinstallation of the integrity group key in the Four-way
handshake

* CVE-2017-13080: reinstallation of the group key in the Group Key handshake

* CVE-2017-13081: reinstallation of the integrity group key in the Group Key
handshake

* CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
Request and reinstalling the pairwise key while processing it

* CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
PeerKey (TPK) key in the TDLS handshake

* CVE-2017-13087: reinstallation of the group key (GTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame

* CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
processing a Wireless Network Management (WNM) Sleep Mode Response frame

Backport patches from upstream to resolve these CVEs.

(From OE-Core rev: bfa04fa71c47e8fe9528208848cfcec2e232777d)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>libgcrypt: fix CVE-2017-9526</title>
<updated>2017-07-19T14:13:47+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2017-07-19T13:27:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3ca9f90dffad3907ceec605a851ae949dd3b6bd6'/>
<id>urn:sha1:3ca9f90dffad3907ceec605a851ae949dd3b6bd6</id>
<content type='text'>
In libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from
side-channel observation during the signing process) can easily recover the
long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this
session key in secure memory, to ensure that constant-time point operations are
used in the MPI library.

(From OE-Core rev: fb28c54347fcf4957b9b8ee7dee423d859eb7820)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>libgcrypt: fix CVE-2017-7526</title>
<updated>2017-07-19T14:13:46+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2017-07-19T13:27:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ccc964cf9fde0d71d289c22c2a231f0021461012'/>
<id>urn:sha1:ccc964cf9fde0d71d289c22c2a231f0021461012</id>
<content type='text'>
Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed
"Sliding right into disaster"'.

(From OE-Core rev: 1a713fb654a31a6dd218dc1b5b810e2b380ecbb1)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>initrdscripts/init-install*: Add rootwait when installing to USB devices</title>
<updated>2017-06-27T22:41:01+00:00</updated>
<author>
<name>California Sullivan</name>
<email>california.l.sullivan@intel.com</email>
</author>
<published>2016-08-09T20:35:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=50fdd784231299bedb008f20adeaeeca3eb1452d'/>
<id>urn:sha1:50fdd784231299bedb008f20adeaeeca3eb1452d</id>
<content type='text'>
It can take a bit for USB devices to be detected, so if a USB device is
your rootfs and you don't set rootwait you will most likely get a kernel
panic. Fix this by adding rootwait to the kernel command line on
installation.

Fixes [YOCTO #9462].

(From OE-Core rev: 7f26cee3d8e4b2e9240b30c21be9fa7661186ccd)

Signed-off-by: California Sullivan &lt;california.l.sullivan@intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>package_ipk: Clean up Source entry in ipk packages</title>
<updated>2017-06-16T09:21:12+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2017-06-16T08:42:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4515fc952963e233d5f24bb319028e8c68ee7622'/>
<id>urn:sha1:4515fc952963e233d5f24bb319028e8c68ee7622</id>
<content type='text'>
There is the potential for sensitive information to leak through the URLs
there and removing it brings this into the behavior of the other package
backends since filtering it is likely error-prone.

Since ipks don't appear to be generated at all if we don't set this, set
the field to the recipe name used (basename only, no paths). This avoids
information leaking. We may want to drop the field if opkg can allow that
at a future point but the recipe name is a suitable identifier for now.

Reported-by: Andrej Valek &lt;andrej.valek@siemens.com&gt;
(From OE-Core rev: 1aa51cfb4b8d10f478b1a6a68c69a3e35342b1c0)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>oeqa/selftest/recipetool: actually fix create_github test</title>
<updated>2017-06-07T14:59:03+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2017-06-07T14:28:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3565a9697f53ba975a1b7235b802f659418746c3'/>
<id>urn:sha1:3565a9697f53ba975a1b7235b802f659418746c3</id>
<content type='text'>
The Meson revision was locked down but the license list change wasn't actually
committed...

Also specify the exact path for recipetool to write to, for clarity.

(From OE-Core rev: cbd6a2de4d8bda44f1d53956acc49a4bef810e95)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>build-appliance-image: Update to krogoth head revision</title>
<updated>2017-06-07T07:42:54+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2017-06-07T07:42:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fe7fb002216f7886d49942333ea6d8592339bb05'/>
<id>urn:sha1:fe7fb002216f7886d49942333ea6d8592339bb05</id>
<content type='text'>
(From OE-Core rev: 2a1e8e2c9ff2caa6c207d8fe0d517e472715d1d1)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>grub2: enforce -no-pie if supported by compiler</title>
<updated>2017-06-07T07:40:06+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alexander.kanavin@linux.intel.com</email>
</author>
<published>2016-12-02T19:14:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7241042b708b415a25b6ef469ea21688fe3d6dc5'/>
<id>urn:sha1:7241042b708b415a25b6ef469ea21688fe3d6dc5</id>
<content type='text'>
Recent distros are enabling -pie by default; in case of grub
we need to turn it off.

(From OE-Core rev: aaff6c99dde3f1058bb3c4b320f27753c6c992ad)

(From OE-Core rev: 720ac6e2b46d4d78244033a2474a2716a7a08b03)

Signed-off-by: Alexander Kanavin &lt;alexander.kanavin@linux.intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>build-appliance-image: Update to krogoth head revision</title>
<updated>2017-06-06T17:52:39+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2017-06-06T17:52:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=546c0cffca3ebbddcfe55a73b1588d6024522b1a'/>
<id>urn:sha1:546c0cffca3ebbddcfe55a73b1588d6024522b1a</id>
<content type='text'>
(From OE-Core rev: 03487ba4d5eb12e826998c76c6f350672853550f)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>rootfs_rpm: Increase rootfs size</title>
<updated>2017-06-06T17:28:39+00:00</updated>
<author>
<name>Saul Wold</name>
<email>sgw@linux.intel.com</email>
</author>
<published>2016-06-19T00:13:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=172105c1ef5469737108ca51108826f7fec8d5d7'/>
<id>urn:sha1:172105c1ef5469737108ca51108826f7fec8d5d7</id>
<content type='text'>
This doubles the amount of extra space that is provided for SMART and
RPM, as they consume more disk space during QA testing via testimage.

[YOCTO #9800]

(From OE-Core rev: 2d636068d9d3a1ea2db3ace49462be13ba9ef125)

(From OE-Core rev: 1d35417502aa8bce9d65d15f29d9d7bee077b7cc)

Signed-off-by: Saul Wold &lt;sgw@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
