mirrors/poky - poky - zepto initiative

mirror of https://git.yoctoproject.org/poky synced 2026-02-27 11:59:40 +01:00

Author	SHA1	Message	Date
Armin Kuster	6518c248e6	go: update to 1.11.13, minor updates Source: golang.org MR: 99376 Type: Security Fix Disposition: Backport from golang.org ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06 Description: https://golang.org/doc/devel/release.html go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details. go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details. go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details. Includes CVE: CVE-2019-14809 (From OE-Core rev: 6018e9755dce3eaa22a1fe691dc18546c43c9cbe) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Adrian Bunk	6eaf69d732	bind: upgrade 9.11.5 -> 9.11.5-P4 Source: OE.org MR: 99751, 99752, 99753 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4 ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01 Description: Bugfix-only compared to 9.11.5, mostly CVE fixes. COPYRIGHT checksum changed due to 2018 -> 2019. (From OE-Core rev: b24447b40e4988e337bdd4b5cf194df0827f9887) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Included cves: CVE-2018-5744 CVE-2018-5745 CVE-2019-6465 ] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Armin Kuster	3d3a165925	bind: update to latest LTS 9.11.5 Source: bind.org MR: 99750 Type: Security Fix Disposition: Backport from bind.org ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224 Description: includes: CVE-2018-5738 drop patch for CVE-2018-5740 now included in update see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html Add RECIPE_NO_UPDATE_REASON for lts (From OE-Core rev: 25b2f2c6fc67eabb0e7f0b7c5ffe08c554613c10) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Also includes CVE-2018-5740] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Armin Kuster	176dc6eb01	binutils: Security fix for CVE-2019-12972 Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 (From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba) Signed-off-by: Armin Kuster <akuster@mvista.com> [v2] forgot to refresh inc file before sending Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Armin Kuster	d39b67e491	binutils: Security fix for CVE-2019-14444 Source: git://sourceware.org / binutils-gdb.git MR: 99255 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72 Description: Affects: <= 2.32.0 Fixes CVE-2019-14444 (From OE-Core rev: a367928942411b36a0b0bbb95055d01548430e8e) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Armin Kuster	09d46e9131	gcc: Security fix for CVE-2019-14250 Source: gcc.org MR: 99120 Type: Security Fix Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb Description: Affects < 9.2 (From OE-Core rev: 79205966072bb6179d96b3af5aabc521da83e841) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Bartosz Golaszewski	0f7e6681a8	qemu: add a patch fixing the native build on newer kernels The build fails on qemu-native if we're using kernels after commit 0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream patch that fixes the issue. (From OE-Core rev: fac2d3846dadfda256e94500bdf33f546a8d1fb4) Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Refactoried for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core	4e6a44598f	libcomps: fix CVE-2019-3817 (From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core	9da2eb4bef	glib-2.0: fix CVE-2019-13012 (From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core	fe27c50545	dbus: fix CVE-2019-12749 (From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core	1b62838428	curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 (From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:27 +01:00
Anuj Mittal	20ee17a579	python3: fix CVE-2019-9740 CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See: https://bugs.python.org/issue30458 (From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:27 +01:00
Anuj Mittal	d581f111db	patch: fix CVE-2019-13636 (From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:27 +01:00
Alexander Kanavin	fa4683a484	buildhistory: call a dependency parser only on actual dependency lists Previously it was also called on filelists and possibly other items which broke the parser. (From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:27 +01:00
Armin Kuster	e694933647	bitbake: tests/fetch: Resolve fetch error in bitbake-selftest FAIL: test_wget_latest_versionstring (bb.tests.fetch.FetchLatestVersionTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/pokybuild/yocto-worker/oe-selftest/build/bitbake/lib/bb/tests/fetch.py", line 1229, in test_wget_latest_versionstring self.assertTrue(verstring, msg="Could not find upstream version for %s" % k[0]) AssertionError: '' is not true : Could not find upstream version for db [YOCTO #13496] The Oracle UPSTREAM_CHECK_URI used changed and does not work with logic in wget. Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to match the ones used in the recipe. Also change the version being checked. (Bitbake rev: 8a58c3c64240c6ab14858d18e6b89febdb315311) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-09 09:58:09 +01:00
Scott Rifenbark	55e9d7c1e4	YP Docs: Set up the August 2019 date for 2.6.3 release. (From yocto-docs rev: 49abb21ec1728a8794c69997316a95ed0251a1e2) Signed-off-by: Scott Rifenbark <srifenbark@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-06 11:59:53 +01:00
Martin Jansa	dab13e1c79	bitbake: fetch2: show warning when renaming the archive with bad checksum failed * noticed on read-only sshfs premirror * it was showing the warning about renaming the file: WARNING: laser-geometry-1.6.4-r0 do_fetch: Renaming /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz to /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441 and then failed because of movefile() issue with python3 (fixed in previous commit): ERROR: laser-geometry-1.6.4-r0 do_fetch: Error executing a python function in exec_python_func() autogenerated: with movefile() fixed, it let do_fetch continue and re-fetch locally with the right checksum, but still the renamed file didn't exist, because of movefile failure - add another warning when the movefile fails - for whatever reason - unfortunately movefile prints error messages with just print() so the real error is hidden only in log.do_fetch in this case: movefile: Failed to move /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz to /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441 [Errno 30] Read-only file system: '/jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz' -> '/jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441' (Bitbake rev: d36438759344caa447d9a0bf30749a0aa31d1fba) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-06 11:58:56 +01:00
Martin Jansa	3103c383b3	bitbake: utils: Fix movefile() exception handling with python3 * with python3 this fails with: File: 'bitbake/lib/bb/utils.py', lineno: 799, function: movefile 0795: try: 0796: os.rename(src, destpath) 0797: renamefailed = 0 0798: except Exception as e: *** 0799: if e[0] != errno.EXDEV: 0800: # Some random error. 0801: print("movefile: Failed to move", src, "to", dest, e) 0802: return None 0803: # Invalid cross-device-link 'bind' mounted or actually Cross-Device Exception: TypeError: 'OSError' object is not subscriptable (Bitbake rev: 9f92322fa8d6f1a68c0c3f4984afdf65126b51dc) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-06 11:58:56 +01:00
Richard Purdie	cb26830f76	build-appliance-image: Update to thud head revision (From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> thud-20.0.3 yocto-2.6.3	2019-08-01 11:58:15 +01:00
Richard Purdie	d43a86de1a	poky.conf: Bump version for 2.6.3 thud release (From meta-yocto rev: 9a1d9fd77e2dd2d324654755633e143ef7730dc5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-08-01 11:58:07 +01:00
Anuj Mittal	d49de3810a	expat: fix CVE-2018-20843 (From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Ross Burton	9e0a120c8e	libcroco: fix CVE-2017-7961 (From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9) (From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Ovidiu Panait	e6058824bb	ghostscript: Fix 3 CVEs It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. References: https://nvd.nist.gov/vuln/detail/CVE-2019-6116 https://www.openwall.com/lists/oss-security/2019/01/23/5 https://nvd.nist.gov/vuln/detail/CVE-2019-3835 https://nvd.nist.gov/vuln/detail/CVE-2019-3838 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18) (From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Fix for CVE-2019-6116 is already in thud, so that has been removed] Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Anuj Mittal	885459d264	bzip2: fix CVE-2019-12900 Also include a patch to fix regression caused by it. See: https://gitlab.com/federicomenaquintero/bzip2/issues/24 (From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Ross Burton	d0e65410f4	libarchive: integrate security fixes Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 (From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c) (From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Anuj Mittal	acd46a34c4	gstreamer1.0-plugins-base: fix CVE-2019-9928 (From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Anuj Mittal	ecc1ac5b04	libsdl: CVE fixes Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637, CVE-2019-7638. (From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Alejandro del Castillo	e8cd30ba6c	OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONS Currently, BAD_RECOMMENDATIONS on the opkg backed relies on editing the opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to deinstalled and pinned). This is brittle, and not consistent across the different solver backends. Use new --add-ignore-recommends flag instead. (From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc) (From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85) (From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Alejandro del Castillo	eecc4121ad	opkg: add --ignore-recommends flag To be used for BAD_RECOMMENDATIONS feature. (From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de) (From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd) (From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Backport from opkg_0.4.0.bb] Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Richard Purdie	a872c96192	scripts: Remove deprecated imp module usage The imp module is deprecated, port the code over to use importlib as recently done for bb.utils as well. (From OE-Core rev: f3ba6cee5927c7475c3dc47658fa0548aec52115) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +01:00
Robert Yang	4d63da3fad	uboot-sign.bbclass: Remove tab indentations in python code Use 4 spaces to replace a tab. (From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	a51a3b1c82	glib: Security fix for CVE-2019-9633 Source: gnome.org MR: 98802 Type: Security Fix Disposition: Backport from `d553d92d6e` ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318 Description: includes supporting patch. Fixes CVE-2019-9633 (From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	e2f3997a84	qemu: Security fixes CVE-2018-20815 CVE-2019-9824 Source: qemu.org MR: 98623 Type: Security Fix Disposition: Backport from qemu.org ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37 Description: Fixes both CVE-2018-20815 and CVE-2019-9824 (From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Ross Burton	45e662b445	glibc: backport CVE fixes Backport the fixes for several CVEs from the 2.28 stable branch: - CVE-2016-10739 - CVE-2018-19591 (From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348) Signed-off-by: Ross Burton <ross.burton@intel.com> [Dropped CVE-2019-9169 as its in my contrib already] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Ross Burton	f749c69115	lighttpd: fix CVE-2019-11072 (From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Richard Purdie	573a935860	uninative: Update to 2.6 release The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes compatibility with recent fedora/suse releases. The difference is one is built with obsolete APIs enabled and one disabled. We now ship both in uninative for compatibility regardless of which distro a binary is built on. (From OE-Core rev: 352ab80333096df92ef0f4cd331baea98e71aa21) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Richard Purdie	59400377bb	uninative: Switch from bz2 to xz (From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a) (From OE-Core rev: 16785ebdc50f38ef4bc30d477a6833bdd4b541d1) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Richard Purdie	594d5c20e2	yocto-uninative: Update to 2.5 release This includes libstdc++ changes from gcc 9.X. It also switches uninative from bz2 to xz compression. (From OE-Core rev: 0497623882da714cbe098a4281982b7f9ce6030f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	8e6d657a9c	qemu: Security fix for CVE-2019-12155 Source: qemu.org MR: 98382 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3 Description: Fixes CVE-2019-12155 Affects: <= 4.0.0 (From OE-Core rev: 6045c57895cad301c5e3a94de740427343a08065) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	a43499cf8e	Curl: Securiyt fix CVE-2019-5435 CVE-2019-5436 Source: CUrl.org MR: 98455 Type: Security Fix Disposition: Backport from https://curl.haxx.se/ ChangeID: 86b094a440ea473b114764e8d64df8142d561609 Description: Fixes CVE-2019-5435 CVE-2019-5436 (From OE-Core rev: 9d5a7dd654a17b67f5cd8a73145e5f5299bfebcc) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	21188466bc	wget: Security fix for CVE-2019-5953 Source: http://git.savannah.gnu.org/cgit/wget.git MR: 89341 Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b Description: Fixes CVE-2019-5953 Affects: < 1.20.1 (From OE-Core rev: c897b862c6cfaa341cc6155b2c9d98ea7ad02884) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	f2d2148adb	glib-2.0: Security fix for CVE-2019-12450 Source: glib-2.0 MR: 98443 Type: Security Fix Disposition: Backport from `d8f8f4d637` ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741 Description: (From OE-Core rev: 71bfb9dfdc806e0e95f1302d0d6c3c751f03bb4b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	abefff23cd	Tar: Security fix CVE-2019-0023 Source: tar.git MR: 97928 Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120 ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3 Description: Affects tar < 1.32 fixes CVE-2019-9923 (From OE-Core rev: fc77edc8245ab90eee1f1e857f470b6842dc256f) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	e53f7d53f4	qemu: Security fix for CVE-2018-19489 Source: Qemu.org MR: 97453 Type: Security Fix Disposition: Backport from git.qemu.org/gemu.git ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace Description: In the spirt of YP Compatible, sending change upstream. fixes CVE CVE-2018-19489 Affect < = 4.0.0 (From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Joshua DeWeese	f381b778ae	wpa_supplicant: Changed systemd template units I goofed up the scissor line on the last attempt. Not sure how much it matters, but here it is correct this time. Here it is, updated to work with wpa-supplicant_2.6.bb. -- >8 -- https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy= When building root filesystems with any of the wpa_supplicant systemd template service files enabled (current default is to have them disabled) the systemd-native-fake script would not process the line: Alias=multi-user.target.wants/wpa_supplicant@%i.service appropriately due the the use of "%i." According to the systemd documentation "WantedBy=foo.service in a service bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in the same file." However, this is not really the intended purpose of install Aliases. All lines of the form: Alias=multi-user.target.wants/*%i.service Were replaced with the following lines: WantedBy=multi-user.target (From OE-Core rev: d05e98cdccbe36be8906c31249adeb0f0bc13ac5) Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Armin Kuster	47d06b4c85	go: update to minor update 1.11.10 Source: golang.org MR: 97548, Type: Security Fix Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5 ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268 Description: Bug fix updates only https://golang.org/doc/devel/release.html#go1.11 Fixes: Affects <= 1.11.6 CVE-2019-6486 CVE-2019-9741 (From OE-Core rev: 4e40da53851c550f1a38eff5737d4b69c8cd0afb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Khem Raj	d89c54ee99	go: Upgrade 1.11.1 -> 1.11.4 minor release Source: OpenEmbedded.org MR: 98328, 98329, 98330 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2 Description: include: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 Changes: https://golang.org/doc/devel/release.html#go1.11 (From OE-Core rev: 69964488112899371b7fd88b6e86e533d968b457) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Bug fix only update] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Richard Purdie	94bacd598d	go-crosssdk: PN should use SDK_SYS, not TARGET_ARCH The crosssdk dependencies are handled using the virtual/ namespace so this name doesn't matter in the general sense. We want to be able to provide recipe maintainer information through overrides though, so this standardises it with the behaviour from gcc-crosssdk and ensures the maintainer overrides work. (From OE-Core rev: 025cd45d4129266d34a919573c02a8504f092c1b) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Hongxu Jia	3975d95822	go-target.inc: fix go not found while multilib enabled Go binaries were installed to ${libdir}/go/bin, and create symlink in ${bindir}, while enabling multilib, libdir was extended (such as /usr/lib64), but BASELIB was not (still /lib), so use baselib (such as /lib64)) to replace (From OE-Core rev: fca74928bf2002daf526ad8c1446c8d9ba891a78) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00
Ross Burton	fc06d9b06d	cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462 Source: OpenEmbedded.org MR: 97538, 97543 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841 ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677 Description: CVE-2018-19876 is a backport from upstream. CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux. (From OE-Core rev: 8b5e68afc9767d8b6b966503e9353cadafae9bfb) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Dropped CVE-2018-19876, not affected] Issue was introduced in 1.15.8 by: commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +01:00

1 2 3 4 5 ...

52795 Commits