mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-29 23:02:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
33,977 Commits 38 Branches 622 Tags
a4f91cb18b9da485dd7700e5e37dfbbe80264021
Commit Graph

23653 Commits

Author SHA1 Message Date
Richard Purdie
a4f91cb18b build-appliance-image: Update to fido head revision 
(From OE-Core rev: aba91bb6e2b748f05051bf824531e4f283eb5f09)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-12 15:15:52 +00:00
ngutzmann
be0c978fa1 nettle: The variable named p in the patch file was incorrectly named. 
The variable in question should have been called ecc->p. The patch has been
updated so that the compilation of the nettle recipe would complete
successfully. The backport originated from this commit

c71d2c9d20

(From OE-Core rev: 7f4d3b90840a14d660a56d23e1fe79f4fb633d59)

Signed-off-by: ngutzmann <nathangutzmann@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-11 10:56:02 +00:00
Armin Kuster
dbb46510cc openssl: Security fix CVE-2016-0800 
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)

https://www.openssl.org/news/secadv/20160301.txt

(From OE-Core rev: 6c06c42594539bec4c360c8cc28ebee8a338e6b4)

Signed-off-by: Armin Kuster <akuster@mvista.com>

Not required for master, an update to 1.0.2g has been submitted.
Backport from jethro.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Hongxu Jia
7d663e9c47 wpa-supplicant: Fix CVE-2015-8041 
Backport patch from http://w1.fi/security/2015-5/
and rebase for wpa-supplicant 2.4

(From OE-Core rev: 12520d7f729fe3d07c2f94b813994718edb2d987)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>

Not needed in master since the upgrade to 2.5
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
f98b8b767d git: Security fixes CVE-2015-7545 
CVE-2015-7545 git: arbitrary code execution via crafted URLs

(From OE-Core rev: 0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c)

Signed-off-by: Armin Kuster <akuster@mvista.com>

Already in Jethro, not needed in master due to shipping a version of git
which is already fixes (> 2.6.1)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
3aa8ba185b nettle: Security fix CVE-2015-8804 
(From OE-Core master rev: 7474c7dbf98c1a068bfd9b14627b604da5d79b67)

minor tweak to get x86_64/ecc-384-modp.asm to apply

(From OE-Core rev: d1903e264ab62d34daeb652c89c6fb67e7c9b42d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
2250d4025b nettle: Security fix CVE-2015-8803 and CVE-2015-8805 
(From OE-Core master rev: f62eb452244c3124cc88ef01c14116dac43f377a)

hand applied changes for ecc-256.c

(From OE-Core rev: cb03397ac97bfa99df6b72c80e1e03214e059e6e)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
12cdd6d2b3 bind: Security fix CVE-2015-8461 
CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\

(From OE-Core master rev: 1656eaa722952861ec73362776bd0c4826aec3da)

Hand applied Changelog changes.

(From OE-Core rev: 104d050d420ee4aa14b772850742699b15d127d6)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Li Zhou
d4b6c1657b rpcbind: Security Advisory - rpcbind - CVE-2015-7236 
rpcbind: Fix memory corruption in PMAP_CALLIT code

Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT
code.

The patch comes from
<http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
been in rpcbind upstream yet.

(From OE-Core master rev: cc4f62f3627f3804907e8ff9c68d9321979df32b)

(From OE-Core rev: 224bcc2ead676600bcd9e290ed23d9b2ed2f481e)

(From OE-Core rev: 16cf2f5386bc438dc20c4ae40de267618e9dc500)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
854c2e724d curl: Secuirty fix CVE-2016-0755 
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use

(From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378)

hand applied changed to url.c

(From OE-Core rev: e479ec9e6cbd34f3a7a56a170aaabcc4229f1959)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
8ca73f8fa4 curl: Security fix CVE-2016-0754 
CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows

(From OE-Core master rev: b2c9b48dea2fd968c307a809ff95f2e686435222)

minor tweak to tool_operate.c to get it to apply

(From OE-Core rev: b8df558ece47e51653e1fc0fb0637ec2cdf2907b)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
d25973e203 libgcrypt: Security fix CVE-2015-7511 
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves

affects libgcrypt < 1.6.5

adjust SRC_URI + for this version.

Patch 1 is a dependancy patch. simple macro name change.
Patch 2 is the cve fix.

(From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c)

(From OE-Core rev: 88ba5ea3f3a421ac91d670e450f4b0645a53d733)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
e1a2fb6e85 libpng: Security fix CVE-2015-8472 
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions

this patch fixes an incomplete patch in CVE-2015-8126

adjusted dir to match this version.

(From OE-Core master rev: f4a805702df691cbd2b80aa5f75d6adfb0f145eb)

(From OE-Core rev: bed289a9ac39fb9b613e3075d5a062b24c59c956)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:40 +00:00
Armin Kuster
fbe015523f libpng: Security fix CVE-2015-8126 
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions

Adjusted dir location to match the version.

(From OE-Core master rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018)

(From OE-Core rev: 20a1f80f554c2dc9da414c5846fb5bafd73e2cac)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
2f9a715583 gdk-pixbuf: Security fix CVE-2015-7674 
CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1

(From OE-Core master rev: f2b16d0f9c3ad67fdf63e9e41f42a6d54f1043e4)

(From OE-Core rev: 50602eebe1150819c320b6b611dcd792573eb55a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
d192c62891 librsvg: Security fix CVE-2015-7558 
CVE-2015-7558 librsvg2: Stack exhaustion causing DoS

including two supporting patches.

(From OE-Core master rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6)

(From OE-Core rev: 4e21caee47a0ca3e66e84a15d104d3b532731263)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
34c865c7ba tiff: Security fix CVE-2015-8784 
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()

(From OE-Core master rev: 3e89477c8ad980fabd13694fa72a0be2e354bbe2)
minor tweak to get tif_next.c changes to apply.

(From OE-Core rev: 645255274769bfaeb737f66a6222a9a929823160)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
d9a3e4a5cf tiff: Security fix CVE-2015-8781 
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images

(From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4)

minor tweek to get Changelog changes to apply

(From OE-Core rev: fa7fac56be40fdb519d426e9465436415e3f5527)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
83af960b7d foomatic-filters: Security fixes CVE-2015-8327 
CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character

this time with the recipe changes.

(From OE-Core master rev: 62d6876033476592a8ca35f4e563c996120a687b)

(From OE-Core rev: 9ca5534b1d8ce71eb150964e11ce79ba79ced7e4)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
9a6a7150d9 foomatic-filters: Security fix CVE-2015-8560 
CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character

(From OE-Core master rev: 307056ce062bf4063f6effeb4c891c82c949c053)

(From OE-Core rev: 4f92365ebfb382509d152dfe6220e225193645f1)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
37905e7663 qemu: Security fix CVE-2016-2198 
CVE-2016-2198 Qemu: usb: ehci null pointer dereference in ehci_caps_write

(From OE-Core master rev: 646a8cfa5398a22062541ba9c98539180ba85d58)

(From OE-Core rev: 082031bdd4b5c5d4acea816c95d94a731b7855c2)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-03-03 11:11:39 +00:00
Armin Kuster
06d9c89463 libbsd: Security fix CVE-2016-2090 
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd

affects libbsd <= 0.8.1 (and therefore not needed in master)

(From OE-Core rev: ab29efb8e85020a3621079c7fde217c1bfaa5289)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-18 11:03:10 +00:00
Joshua Lock
d7be819eed glibc: Security fix CVE-2015-7547 
CVE-2015-7547: getaddrinfo() stack-based buffer overflow

(Based on OE-Core rev: cf754c5c806307d6eb522d4272b3cd7485f82420)

(From OE-Core rev: ed6299ab0970d836d6719795531458078ba4cbf6)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-18 11:03:10 +00:00
Markus Lehtonen
e6fca31dc0 kernel.bbclass: do not mv/link sources when externalsrc enabled 
If externalsrc is enabled the 'do_unpack' task is run if the recipe has
some local source files. In the case of kernel recipe this caused the
(externalsrc) source tree to be moved/symlinked. This patch prevents the
behaviour, making sure the source tree is not moved around when
externalsrc is enabled. Instead of moving the source tree,
STAGING_KERNEL_DIR will be a symlink to it.

[YOCTO #6658]

(From OE-Core master rev: 8f6c564661a3801012eb2d9a98cdc99c91712367)

(From OE-Core rev: ca55a01908126c45120fc18e68e78f8f49ecf0ce)

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-16 15:16:55 +00:00
Armin Kuster
b213ada9a7 libpcre: Security fixes and package update. 
this is related to [Yocto # 9008]

8.38:
The following security fixes are included:
CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2()  compile_regex()
CVE-2015-3217 pcre: stack overflow in match()
CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis
CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec
CVE-2015-8381 pcre: Heap Overflow in compile_regex()
CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group
CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group
CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
CVE-2015-8387 pcre: Integer overflow in subroutine calls
CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups
CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions
CVE-2015-8395 pcre: Buffer overflow caused by certain references
CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS

8.37:
The following security fixes are included:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

LICENSE file changed do to Copyright date updates.

(From OE-Core rev: 3bbd53035fb62793f1e44b24b18eb275bd860ed1)

Signed-off-by: Armin Kuster <akuster@mvista.com>

Jethro and master don't require this patch as they have newer libpcre which
contains these fixes.

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-16 15:16:55 +00:00
Martin Jansa
2f1fc8c899 tzdata: remove 2015d version 
* this is left-over from upgrade to 2016a

* it's safer to remove so that .bbappends in other layers really apply to version
  used in build (currently we have bbappend for 2015d and build will use 2016a
  without any warning

* the same problem was reported with 2015f upgrade:
  http://lists.openembedded.org/pipermail/openembedded-core/2015-August/109708.html

(From OE-Core rev: 6b0f0ed6b9ffc3e81b04cf442645130bb41b7ee9)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

Not required by other branches as this is removing a leftover file in Fido
only.

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-16 15:16:54 +00:00
Mariano Lopez
c94eb07d53 rpmresolve.c: Fix unfreed pointers that keep DB opened 
There are some unfreed rpmmi pointers in printDepList()
function; this happens when the package have null as
the requirement.

This patch fixes these unfreed pointers and add small
changes to keep consistency with some variables.

[YOCTO #8028]

(From OE-Core master rev: da7aa183f94adc1d0fff5bb81e827c584f9938ec)

(From OE-Core rev: 8821b0443b4b39b3bd4f41800a6fc809197fda82)

Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-16 15:16:54 +00:00
Armin Kuster
528bdf528d dpkg: Security fix CVE-2015-0860 
CVE-2015-0860 dpkg: stack overflows and out of bounds read

(From OE-Core rev: 5aaec01acc9e5a19374a566307a425d43c887f4b)

(From OE-Core rev: 4dea3e7b9a0041e7359981e68c561e7de8ad3ae5)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:06 +00:00
Armin Kuster
db99f58eea bind: Security fix CVE-2015-8704 
CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c

(From OE-Core rev: 600c1d2beb64e23123e478051537b917f5d4a8a7)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:06 +00:00
Armin Kuster
092903a2ef libxml2: Security fix CVE-2015-8710 
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment

(From OE-Core rev: 03d481070ebc6f9af799aec5d038871f9c73901c)

(From OE-Core rev: d5db25213613cb862255047c0e995fd5489d9765)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:06 +00:00
Armin Kuster
c2f4fe8d0c libxml2: Security fix CVE-2015-8241 
CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar

(From OE-Core rev: f3c19a39cdec435f26a7f46a3432231ba4daa19c)

(From OE-Core rev: 428878a67fd723908af74c4881e933969f2928a7)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Paul Eggleton
ce70f38442 tzdata: reinstate changes reverted in 2014c upgrade 
OE-Core commit 57af3fb9662106f0a65a1b4edf83e2398be0a8f1 upgraded tzdata
but also reverted a couple of changes to SUMMARY and LIC_FILES_CHKSUM.
Reinstate these (with an update to the README md5 value since that has
changed slightly, without any change to the licensing statements
within).

(From OE-Core rev: cea4f6b86129f84a99700207777929bf7e811ed6)

(From OE-Core rev: 37069c7511603f9fe33bcc48e38ac58ab89138f9)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
f359ebd78d tzdata: update to 2016a 
Changed LIC_CHKSUM_FILES to a new LICENSE  file.
Add BSD-3-clause to licenses

Changes affecting future time stamps

America/Cayman will not observe daylight saving this year after all.
Revert our guess that it would.  (Thanks to Matt Johnson.)

Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
(Thanks to Alexander Krivenyshev.)

Asia/Tehran now has DST predictions for the year 2038 and later,
to be March 21 00:00 to September 21 00:00.  This is likely better
than predicting no DST, albeit off by a day every now and then.

Changes affecting past and future time stamps

America/Metlakatla switched from PST all year to AKST/AKDT on
2015-11-01 at 02:00.  (Thanks to Steffen Thorsen.)

America/Santa_Isabel has been removed, and replaced with a
backward compatibility link to America/Tijuana.  Its contents were
apparently based on a misreading of Mexican legislation.

Changes affecting past time stamps
Asia/Karachi's two transition times in 2002 were off by a minute.
(Thanks to Matt Johnson.)

(From OE-Core rev: 790315dbd2dcb5b2024948ef412f32d2788cb6b5)

(From OE-Core rev: 6ebd2689f72b725c1ca493eae77d5a41386ee901)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 39e231cfabda8d75906c935d2a01f37df6121b84)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
5ddc177fdf tzcode: update to 2016a 
Change LIC_CHKSUM_FILES to License. Some files are BSD clause 3

Changes affecting build procedure

An installer can now combine leap seconds with use of the backzone file,
e.g., with 'make PACKRATDATA=backzone REDO=posix_right zones'.
The old 'make posix_packrat' rule is now marked as obsolescent.
(Thanks to Ian Abbott for an initial implementation.)

Changes affecting documentation and commentary

A new file LICENSE makes it easier to see that the code and data
are mostly public-domain.  (Thanks to James Knight.) The three
non-public-domain files now use the current (3-clause) BSD license
instead of older versions of that license.

tz-link.htm mentions the BDE library (thanks to Andrew Paprocki),
CCTZ (thanks to Tim Parenti), TimeJones.com, and has a new section
on editing tz source files (with a mention of Sublime zoneinfo,
thanks to Gilmore Davidson).

The Theory and asia files now mention the 2015 book "The Global
Transformation of Time, 1870-1950", and cite a couple of reviews.

The America/Chicago entry now documents the informal use of US
central time in Fort Pierre, South Dakota.  (Thanks to Rick
McDermid, Matt Johnson, and Steve Jones.)

(From OE-Core rev: 1ee9072e16d96f95d07ec5a1f63888ce4730d60e)

(From OE-Core rev: 7d8a32361c45ab99c88bc65612327aa49cf3bd39)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit b7f292b84eea202fb13730c11452ac1957e41cf0)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
3c686ae014 qemu: Security fix CVE-2015-7295 
CVE-2015-7295 Qemu: net: virtio-net possible remote DoS

(From OE-Core rev: 74771f8c41aaede0ddfb86983c6841bd1f1c1f0f)

(From OE-Core rev: 3a7c84952d40f95b0f34bc35eef4490ecc8da07e)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
27aeaab726 qemu: Security fix CVE-2016-1568 
CVE-2016-1568 Qemu: ide: ahci use-after-free vulnerability in aio port commands

(From OE-Core rev: 166c19df8be28da255cc68032e2d11afc59d4197)

(From OE-Core rev: c2361dd9bb663b00dd194cb7fdb0e07d7e1ab5e1)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
94c26caff1 qemu: Security fix CVE-2015-8345 
CVE-2015-8345 Qemu: net: eepro100: infinite loop in processing command block list

(From OE-Core rev: 99ffcd66895e4ba064542a1797057e45ec4d3220)

(From OE-Core rev: e51fc319b859f44be61822d93e0b72647a02f7c6)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
05f4812d15 qemu: Security fix CVE-2015-7512 
CVE-2015-7512 Qemu: net: pcnet: buffer overflow in non-loopback mod

(From OE-Core rev: e6e9be51f77c9531f49cebe0ca6b495c23cf022d)

(From OE-Core rev: 90d2a8eb0853f506a457e9935f4354c71d2fc9c9)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:05 +00:00
Armin Kuster
caa104fd2a qemu: Security fix CVE-2015-7504 
CVE-2015-7504 Qemu: net: pcnet: heap overflow vulnerability in loopback mode

(From OE-Core rev: b01b569d7d7e651a35fa38750462f13aeb64a2f3)

(From OE-Core rev: 10752d6beb5520ec0fc83a7d0173e10144b11685)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
73941fbc6a qemu: Security fix CVE-2015-8504 
CVE-2015-8504 Qemu: ui: vnc: avoid floating point exception

(From OE-Core rev: c622bdd7133d31d7fbefe87fb38187f0aea4b592)

(From OE-Core rev: 38f102a9271896a49aa32aacf2c2be3a14f51493)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Wenzong Fan
4d3ce52194 subversion: fix CVE-2015-3187 
The svn_repos_trace_node_locations function in Apache Subversion before
1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used,
allows remote authenticated users to obtain sensitive path information
by reading the history of a node that has been moved from a hidden path.

Patch is from:
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt

(From OE-Core master rev: 6da25614edcad30fdb4bea8ff47b81ff81cdaed2)

(From OE-Core rev: e1e277bf51c6f00268358f6bf8623261b1b9bc22)

(From OE-Core rev: b45dcbadc1a51188ac6dead855e14a181a7bccd9)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Wenzong Fan
f0ecaf46bb subversion: fix CVE-2015-3184 
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before
1.8.14, when using Apache httpd 2.4.x, does not properly restrict
anonymous access, which allows remote anonymous users to read hidden
files via the path name.

Patch is from:
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt

(From OE-Core master rev: 29eb921ed074d86fa8d5b205a313eb3177473a63)

(From OE-Core rev: 7af7a3e692a6cd0d92768024efe32bfa7d83bc8f)

(From OE-Core rev: e4a1caecc5ae6b8488ec8ed7d303296af99146c0)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
165fa6ce62 openssl: Security fix CVE-2016-0701 
CVE-2016-0701 OpenSSL: DH small subgroups

(From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12)

(From OE-Core rev: 5e73d0e88c28ca1e948f5c463b9d9d1001251a42)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
1098a7bc0c openssl: Security fix CVE-2015-3197 
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers

(From OE-Core rev: b387d9b8dff8e2c572ca14f9628ab8298347fd4f)

(From OE-Core rev: c037cbdac6a0e871a60077703432c08be6d29677)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
e6d734904d glibc: CVE-2015-8776 
it was found that out-of-range time values passed to the strftime function may
cause it to crash, leading to a denial of service, or potentially disclosure
information.

(From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee)

(From OE-Core rev: 3527ba3be7cfdfd813f5ca495bc74db559a648cd)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
b03994fe3b glibc: CVE-2015-9761 
A stack overflow vulnerability was found in nan* functions that could cause
applications which process long strings with the nan function to crash or,
potentially, execute arbitrary code.

(From OE-Core rev: fd3da8178c8c06b549dbc19ecec40e98ab934d49)

(From OE-Core rev: 6cb0465247195ec25ef1073e79997001380aa807)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
ec05eebf8d glibc: CVE-2015-8779 
A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially execute arbitrary code.

(From OE-Core rev: af20e323932caba8883c91dac610e1ba2b3d4ab5)

(From OE-Core rev: 2e1c8cab3bc7b70e2a05dca20cb5bcec4335f04d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:03 +00:00
Armin Kuster
7ff74d177c glibc: CVE-2015-8777 
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
libc6) before 2.23 allows local users to bypass a pointer-guarding protection
mechanism via a zero value of the LD_POINTER_GUARD environment variable.

(From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252)

(From OE-Core rev: 9cc998978bd67bc5569cc1478f4ddee40020b929)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:03 +00:00
Armin Kuster
9845a542a7 openssh: CVE-2016-077x 
this address two CVE's.
CVE-2016-0777 and CVE-2016-0778

(From OE-Core rev: 1c05115a906499989d2159683195ed6d2cda75ba)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:30 +00:00
Hongxu Jia
368da33ee7 logrotate: do not move binary logrotate to /usr/bin 
In oe-core commit a46d3646a3e1781be4423b508ea63996b3cfca8a
...
Author: Fahad Usman <fahad_usman@mentor.com>
Date:   Tue Aug 26 13:16:48 2014 +0500

    logrotate: obey our flags

    Needed to quiet GNU_HASH warnings, and some minor fixes.
...
it explicitly move logrotate to /usr/bin without any reason,
which is against the original Linux location /usr/sbin.

So partly revert the above commit which let logrotate be
kept in the original place /usr/sbin.

(From OE-Core rev: 88015d6d0a887969ae82b0888bf32659a6d225d3)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:30 +00:00