This change fixes patches for two issues reported in a research
paper [1]: a side channel attack (*) and a cross-configuration
attack (**).
In this commit we add a fix for (*) that wasn't marked as a CVE
initially upstream. A fix of (**) previosly available in OE
backports is in fact fixing CVE-2021-40528, not CVE-2021-33560
as marked in the commit message.
We commit the accual fix for CVE-2021-33560 and rename the
existing fix with the correct CVE-2021-40528.
For details of the mismatch and the timeline see [2] (fix of the
documentation) and [3] (the related ticket upstream).
[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606
(From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The build was injection git information from the wrong git tree, stop this
to allow reproducible builds.
(From OE-Core rev: 506b36b6d86b3454fcc3cb85f6229cbe8d14f5b5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade libgcrypt. Upstream repo now has a pkg-config
feature. The new patch for compatibility with oe-core
is a replacement for a patch that added pkg-config as
a feature when upstream did not have it.
(From OE-Core rev: 53b73a39ae4a4c8db19fb18ef1881033f6b9ff51)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
