Add patch for Libwebp 1.3.1 to fix CVE-2023-5129.
(From OE-Core rev: 852068debb268669699ad9a8dbe44907a19aa482)
Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This document was suggesting a way to version pre-releases
which doesn't match the latest recommendations from the
contributor guide.
(From yocto-docs rev: bb74a9f83b84fa0d2836ed09175cac3c671b1042)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace "duplicate" by "obsolete", more appropriate.
"duplicate" probably comes from the "--remove-duplicated"
option of the sstate-cache-management.sh script.
Improve other sentences too.
(From yocto-docs rev: e893d66999a97732780ff2b1ba6fb7e6e9d2eff7)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CC: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Take advantage of this edit to also fix alignment
issues in the sources.
(From yocto-docs rev: 6d17f91c3078b5aeb6fa4acab8c9a0ff8e962fa5)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Variable overrides in KCONFIG_CONFIG_COMMAND do not work as expected due
to double quote mismatches. The issue is reproducible in an environment
where gold is the default linker. Below is an example snippet of
run.do_terminal generated by do_menuconfig.
do_terminal() {
    exec sh -c "make menuconfig CC="aarch64-webos-linux-gcc ..."
        LD="aarch64-webos-linux-ld.bfd ..."
        ...
}
Although LD override is set to bfd correctly, it is not passed to make
and make menuconfig ends up with messages like:
| gold linker is not supported as it is not capable of linking the kernel proper.
| scripts/Kconfig.include:56: Sorry, this linker is not supported.
(From OE-Core rev: 9c483765db762dbe8020423c8778518612b7e5f7)
(From OE-Core rev: 75f8485d7862b08e2f96f919e992d203df6c8d9c)
Signed-off-by: Jaeyoon Jung <jaeyoon.jung@lge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d4664d2b79)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
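The quoting failure described in the commit above, reproduced as an added example (not code from the OE-Core commit or from the kernel recipe): `printf '%s\n'` stands in for `make` and prints each argument it actually receives, and the `--sysroot=/sdk` value is a constructed stand-in for the flags elided as `...` in the commit message. The broken form shows the LD override never reaching the inner command; the fixed form escapes the inner quotes so both overrides arrive intact.

```shell
#!/bin/sh
# Added example, not part of the OE-Core commit: demonstrates why nested,
# unescaped double quotes inside `sh -c "..."` drop the LD override, then
# shows the corrected quoting. printf stands in for make and prints every
# argument it received on its own line.

# Broken form, mirroring the generated run.do_terminal: the inner "..."
# are not escaped, so they close the outer string right after `CC=`.
# Everything from the first space onward is no longer part of the command
# string; it becomes $0 of the inner shell, so make never sees LD= and
# even CC= loses its extra flags.
broken_command() {
    sh -c "printf '%s\n' menuconfig CC="aarch64-webos-linux-gcc --sysroot=/sdk" LD="aarch64-webos-linux-ld.bfd""
}

# Fixed form: inner quotes escaped as \", so the inner shell receives one
# command string carrying both overrides with their values intact.
fixed_command() {
    sh -c "printf '%s\n' menuconfig CC=\"aarch64-webos-linux-gcc --sysroot=/sdk\" LD=\"aarch64-webos-linux-ld.bfd\""
}

# Reports whether the stand-in `make` received an LD override.
# Usage: ld_passed broken_command   -> prints "yes" or "no"
ld_passed() {
    if "$1" | grep -q '^LD='; then echo yes; else echo no; fi
}

echo "broken form, arguments seen by make:"
broken_command
echo "LD passed? $(ld_passed broken_command)"
echo
echo "fixed form, arguments seen by make:"
fixed_command
echo "LD passed? $(ld_passed fixed_command)"
```

Running the script prints two argument lists: the broken form yields only `menuconfig` and a truncated `CC=aarch64-webos-linux-gcc`, which is exactly the state in which make falls back to the default (gold) linker and Kconfig rejects it; the fixed form yields all three arguments.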
The gcc_multilib_setup function is a function that is run at the
do_configure step, so it's counted into the signature computation.
The MULTILIB_VARIANTS this function uses is also extracted to be
taken into consideration. After the change of setting MULTILIB_VARIANTS
explicitly vardeps on MULTILIBS, the change of MULTILIBS changes the
signature, thus causing rebuilding. However, in case of gcc-crosssdk,
the setting of multilib should have no effect on it, as it's used
to build nativesdk packages, not the target packages. So ignore
MULTILIB_VARIANTS in signature computation. This fixes oe-selftest
case sstatetests.SStateHashSameSigs2.test_sstate_nativesdk_samesigs_multilib.
(From OE-Core rev: 537c71162a711dec32a63a657c4b101269a3e267)
(From OE-Core rev: 6b87f7c9e955abe5833820ee7eda9d525c77d2ea)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This patch is to ensure recipes get rebuilt correctly and avoid
incorrect sstate cache reuse when toggling multilib.
The following steps show one example of such incorrect sstate cache reuse.
1. enable multilib && bitbake <some_image> -c populate_sdk
2. disable multilib && bitbake <some_image> -c populate_sdk
The error message is as below:
Error:
Problem: conflicting requests
- nothing provides binutils-cross-canadian-i686 needed by packagegroup-cross-canadian-intel-x86-64-1.0-r0.x86_64_nativesdk
- nothing provides gcc-cross-canadian-i686 needed by packagegroup-cross-canadian-intel-x86-64-1.0-r0.x86_64_nativesdk
- nothing provides gdb-cross-canadian-i686 needed by packagegroup-cross-canadian-intel-x86-64-1.0-r0.x86_64_nativesdk
(try to add '--skip-broken' to skip uninstallable packages)
We get this error because the packagegroup-cross-canadian recipe is
not rebuilt when it should be.
Current codes have tracked the dependency to MULTILIB_VARIANTS, as
shown in the following chain:
RDEPENDS:packagegroup-cross-canadian-intel-x86-64 ->
all_multilib_tune_values -> MULTILIB_VARIANTS.
However, MULTILIB_VARIANTS cannot automatically depend on MULTILIBS.
See some results from 'bitbake-dumpsigs' below:
List of dependencies for variable MULTILIB_VARIANTS is ['extend_variants']
Variable MULTILIB_VARIANTS value is ${@extend_variants(d,'MULTILIBS','multilib')}
It's obvious that the value of MULTILIB_VARIANTS depends on the
value of MULTILIBS, so let's set this dependency manually.
(From OE-Core rev: 9f47d8eb51816d16078a23c0cef4d697555f913f)
(From OE-Core rev: 8ed254dd5e44d0685e5b952f724af08d75ce3d9d)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
drop patch which is already part of 5.1.3.
0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch (CVE-2022-3964): 1eb002596e
0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch (CVE-2022-3965): 293dc39bca
ffmpeg-fix-vulkan.patch: 7268323193
(From OE-Core rev: aeee19cda946b67f33c7b7c02c86513676bc89bd)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
release notes:
https://downloads.isc.org/isc/bind9/9.18.19/doc/arm/html/notes.html#notes-for-bind-9-18-19
Security Fixes
Previously, sending a specially crafted message over the control channel
could cause the packet-parsing code to run out of available stack
memory, causing named to terminate unexpectedly. This has been fixed.
(CVE-2023-3341)
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing
this vulnerability to our attention. [GL #4152]
A flaw in the networking code handling DNS-over-TLS queries could cause
named to terminate unexpectedly due to an assertion failure under
significant DNS-over-TLS query load. This has been fixed.
(CVE-2023-4236)
ISC would like to thank Robert Story from USC/ISI Root Server Operations
for bringing this vulnerability to our attention. [GL #4242]
Removed Features
The dnssec-must-be-secure option has been deprecated and will be removed
in a future release. [GL #4263]
Feature Changes
If the server command is specified, nsupdate now honors the nsupdate -v
option for SOA queries by sending both the UPDATE request and the
initial query over TCP. [GL #1181]
Bug Fixes
The value of the If-Modified-Since header in the statistics channel was
not being correctly validated for its length, potentially allowing an
authorized user to trigger a buffer overflow. Ensuring the statistics
channel is configured correctly to grant access exclusively to
authorized users is essential (see the statistics-channels block
definition and usage section). [GL #4124]
This issue was reported independently by Eric Sesterhenn of X41 D-Sec
GmbH and Cameron Whitehead.
The Content-Length header in the statistics channel was lacking proper
bounds checking. A negative or excessively large value could potentially
trigger an integer overflow and result in an assertion failure. [GL
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
Several memory leaks caused by not clearing the OpenSSL error stack were
fixed. [GL #4159]
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs
UPDATE policies accidentally caused named to return SERVFAIL responses
to deletion requests for non-existent PTR and SRV records. This has been
fixed. [GL #4280]
The stale-refresh-time feature was mistakenly disabled when the server
cache was flushed by rndc flush. This has been fixed. [GL #4278]
BIND’s memory consumption has been improved by implementing dedicated
jemalloc memory arenas for sending buffers. This optimization ensures
that memory usage is more efficient and better manages the return of
memory pages to the operating system. [GL #4038]
Previously, partial writes in the TLS DNS code were not accounted for
correctly, which could have led to DNS message corruption. This has been
fixed. [GL #4255]
Known Issues
There are no new known issues with this release. See above for a list of
all known issues affecting this BIND 9 branch.
(From OE-Core rev: 663397edba278184a736e97aa602d3f96d2d937a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
============
Deprecate the 'dialup' and 'heartbeat-interval' options.
Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
Return REFUSED to GSS-API TKEY requests if GSS-API support is not configured.
Mark a primary server as temporarily unreachable if the TCP connection attempt times out.
Don't process detach and close netmgr events when the netmgr has been paused.
(cherry-pick from commit e78ec619beea6e541b2d83a5dc845ce57ff12564)
(From OE-Core rev: 3cb92c8746f589ef74e337e5866378e04a8133ef)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.
Changelog:
==========
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by @bodograumann in #1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in #1634
- Fix CVE-2023-40590 by @EliahKagan in #1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in #1619
- util: close lockfile after opening successfully by @skshetry in #1639
- Bump actions/checkout from 3 to 4 by @dependabot in #1643
- Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645
- Fix CVE-2023-41040 by @facutuesca in #1644
- Only make config more permissive in tests that need it by @EliahKagan in #1648
- Added test for PR #1645 submodule path by @CosmosAtlas in #1647
- Fix Windows environment variable upcasing bug by @EliahKagan in #1650
- Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654
- Better document env_case test/fixture and cwd by @EliahKagan in #1657
- Remove spurious executable permissions by @EliahKagan in #1658
- Fix up checks in Makefile and make them portable by @EliahKagan in #1661
- Fix URLs that were redirecting to another license by @EliahKagan in #1662
- Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
- Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
- Omit py_modules in setup by @EliahKagan in #1665
- Don't track code coverage temporary files by @EliahKagan in #1666
- Configure tox by @EliahKagan in #1667
- Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668
- Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673
- Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
- Remove @NoEffect annotations by @EliahKagan in #1677
- Add more checks for the validity of refnames by @facutuesca in #1672
Note that the changes to the license file are just removal of excess whitespace
(the extra blank line at the end, and spaces appearing at the end of lines).
References:
https://github.com/gitpython-developers/GitPython/releases
https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
e1af18377f
(From OE-Core rev: 931af3758a2d79aea534ab6d23db392ede7cc1bb)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The override syntax should be ":allarch" instead of "_allarch".
(From OE-Core rev: 72d3ecb22fea59d2520997b3f0a0651557d69ae7)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bea74c9942a3bb4f71aca0f722b4a7306ae52fb4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes multiple CVE fixes.
The license change is due to changes in maintainership, the license
itself is unchanged.
(From OE-Core rev: a90e3d1bac7c965e357103c05bf31fd804b87c0b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the QEMU built-in VNC server. When a client connects
to the VNC server, QEMU checks whether the current number of connections
crosses a certain threshold and if so, cleans up the previous connection.
If the previous connection happens to be in the handshake phase and fails,
QEMU cleans up the connection again, resulting in a NULL pointer dereference
issue. This could allow a remote unauthenticated client to cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3354
(From OE-Core rev: 8f0b34f7ad5ef842d60c9b93ce2c6142d3249890)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
":term:`Initramfs`" in bold text appears verbatim (no link is created).
The term link is present elsewhere in the text so remove the extra
markup.
(From yocto-docs rev: fc8e220290414dab45299d0ac829c8c461b1903c)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Update according to changes in SANITY_TESTED_DISTROS
(meta-poky/conf/distro/poky.conf)
- No longer declare as "Supported" the distributions versions
which are End of Life for their vendors, as some of them
(Ubuntu for example) ship updates to subscribers only,
which the Yocto Project has no access to.
- List distribution versions which were previously tested
for the branch of the Yocto Project being considered.
(From yocto-docs rev: fd5113b7e20844a44a2c9da37e1bc10034d46cfe)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add in stable updates to glibc 2.38 to fix malloc bugs
(From OE-Core rev: 055b7acd73a591cb529629a780558cc0f5b19456)
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:
* drop the patches for the files WasmAirIRGenerator64.cpp and
WasmAirIRGeneratorBase.h which are involved in 2.40.0
* drop test cases as well
CVE: CVE-2023-32435
(From OE-Core rev: c54f98d35f2cb276dc49a5ccd4813ccc34c6f668)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch to fix CVE-2023-32439 for webkitgtk.
CVE: CVE-2023-32439
(From OE-Core rev: 71edb4ec115208950ae5da5305b5fd75823121ec)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
(From OE-Core rev: 18277a43f7fd6522a67f194f40595bc378468733)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: ff2288cd466c46c4e2cac24498b260037dba5071)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
vim 8.3 has been out for a long time, so this comment is obsolete.
However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore
the last digit of the upstream version number.
Test result:
$ devtool check-upgrade-status vim
...
INFO: vim 9.0.1592 UNKNOWN Tom Rini <trini@konsulko.com> c0370529c027abc5b1698d53fcfb8c02a0c515da
(From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3)
(From OE-Core rev: 981fa51afe040550c7c351fff028553d4bbbd1ca)
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 868a19357841470eb55fb7f1c4ab1af09dea99ed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We need to ensure this recipe doesn't have dependencies on others. The SPDX
classes/tasks introduce dependencies on quilt-native and patch-native which can
introduce races on files in the sysroots. Avoid the races by removing the
tasks we don't need.
[YOCTO #15186]
(From OE-Core rev: a3e2e156c602e7fabf0024a6c9dc4603d327f08b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a5dc278b077edba8f4099f0f6dfb97e97f680320)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
04update-uuid and 07revert-inplace tests are unreliable and fail intermittently
on the autobuilder (BZ#15181 and BZ#15159). Unfortunately, the failures cannot
be reproduced locally and the logs cannot be retrieved from the AB.
Mark the testcases as BROKEN to skip them when running ptest.
(From OE-Core rev: f39988353743e35418a730bfd6b9a9b68d946641)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit eb219aff7cfe1cff1da93107ac7b22c678c0000f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The kickstart parser defaults fstype to "vfat". This leads to an attempt
to create an empty file system even for regions configured with "--no-table"
if used without fstype when no --sourceparams given.
The fix tests for fstype "none" or no_table in the Partition prepare method.
This will omit the file system creation and the potential error for a small
region with the --no-table option.
(From OE-Core rev: 47b395fe2dc393e82d0a42cfab96d134c1397a43)
Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit db771a4cd36bf291a8b68edfd905e03243f2c8b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It checks the build host filesystem and, if it doesn't find UTC or GMT
files, installs another copy of the tzdata files in:
/usr/lib/tcl8.6/tzdata
Buildhistory shows the difference:
-PKGSIZE = 2227075
+PKGSIZE = 3433088
See the autodetection in configure.in:
#------------------------------------------------------------------------
# Check whether the timezone data is supplied by the OS or has
# to be installed by Tcl. The default is autodetection, but can
# be overridden on the configure command line either way.
#------------------------------------------------------------------------

AC_MSG_CHECKING([for timezone data])
AC_ARG_WITH(tzdata,
    AC_HELP_STRING([--with-tzdata],
        [install timezone data (default: autodetect)]),
    [tcl_ok=$withval], [tcl_ok=auto])
#
# Any directories that get added here must also be added to the
# search path in ::tcl::clock::Initialize (library/clock.tcl).
#
case $tcl_ok in
    no)
        AC_MSG_RESULT([supplied by OS vendor])
        ;;
    yes)
        # nothing to do here
        ;;
    auto*)
        AC_CACHE_VAL([tcl_cv_dir_zoneinfo], [
            for dir in /usr/share/zoneinfo \
                    /usr/share/lib/zoneinfo \
                    /usr/lib/zoneinfo
            do
                if test -f $dir/UTC -o -f $dir/GMT
                then
                    tcl_cv_dir_zoneinfo="$dir"
                    break
                fi
            done])
        if test -n "$tcl_cv_dir_zoneinfo"; then
            tcl_ok=no
            AC_MSG_RESULT([$dir])
        else
            tcl_ok=yes
        fi
        ;;
    *)
        AC_MSG_ERROR([invalid argument: $tcl_ok])
        ;;
esac
if test $tcl_ok = yes
then
    AC_MSG_RESULT([supplied by Tcl])
    INSTALL_TZDATA=install-tzdata
fi
(From OE-Core rev: d5a038b764720bd3267f258994371909f3f34ad6)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ace9fbfeb42ebf920812e3dd6d665b8b20a1ca0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
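The autodetection quoted in the commit above, as an added stand-alone check (not code from the OE-Core commit or from Tcl's configure.in): it probes the same three directories for a UTC or GMT file and reports whether Tcl would use the OS zoneinfo or bundle its own copy, which is what makes the package contents depend on the build host. The function name and the constructed temporary directories are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the OE-Core commit or of Tcl's configure.in:
# a runnable version of the zoneinfo autodetection, so the outcome on a
# given build host can be predicted before a build and confirmed against
# a constructed directory layout.

# Prints "os" if any given directory holds a UTC or GMT zone file (Tcl's
# configure then relies on the OS data), otherwise "tcl" (Tcl installs
# its own copy under /usr/lib/tcl8.6/tzdata, the PKGSIZE growth above).
# Usage: tcl_tzdata_source [DIR...]
#        With no arguments the three paths probed by configure.in are used.
tcl_tzdata_source() {
    if [ $# -eq 0 ]; then
        set -- /usr/share/zoneinfo /usr/share/lib/zoneinfo /usr/lib/zoneinfo
    fi
    for dir in "$@"; do
        if [ -f "$dir/UTC" ] || [ -f "$dir/GMT" ]; then
            echo os
            return 0
        fi
    done
    echo tcl
    return 0
}

# Constructed layouts (temporary directories, not real zoneinfo) that show
# both outcomes without depending on the machine running the script.
demo_with_constructed_dirs() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/has-zoneinfo" "$tmp/empty"
    : > "$tmp/has-zoneinfo/UTC"   # constructed stand-in for a zone file
    echo "host with zoneinfo:    $(tcl_tzdata_source "$tmp/has-zoneinfo")"
    echo "host without zoneinfo: $(tcl_tzdata_source "$tmp/empty")"
    rm -rf "$tmp"
}

demo_with_constructed_dirs
echo "this build host:       $(tcl_tzdata_source)"
```

A result of "tcl" on one host and "os" on another is the source of the buildhistory PKGSIZE difference; passing --with-tzdata explicitly to configure, as the comment in configure.in describes, removes the dependence on the host.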