A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack
via improper synchronization during socket closure when a client keeps a socket open as the server
is taken offline.
(From OE-Core rev: 334f70c408ce5c95f145aa4657f343b023f7e1b4)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the QEMU disk image utility (qemu-img) 'info'
command. A specially crafted image file containing a `json:{}`
value describing block devices in QMP could cause the qemu-img
process on the host to consume large amounts of memory or CPU time,
leading to denial of service or read/write to an existing external file
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-4467
Upstream Patches:
bd385a52982eb42a728d7e1110664e6bc30f19497ead946998
(From OE-Core rev: 0e309919b8807950cebc8924fc1e15763548b1f1)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.22.x release [1]:
$ git --no-pager log --oneline go1.22.5..go1.22.6
cb4eee693c (tag: go1.22.6, origin/release-branch.go1.22) [release-branch.go1.22] go1.22.6
8c8adffd53 [release-branch.go1.22] cmd/compile: add 0-sized-value simplification to copyelim
70a1aae67f [release-branch.go1.22] cmd/trace/v2: make the -pprof actually useful
2c88c1d599 [release-branch.go1.22] cmd/trace/v2: handle the -pprof flag
4c50f9162c [release-branch.go1.22] cmd/internal/cov: close counter data files eagerly
9e148a4150 [release-branch.go1.22] internal/bytealg: extend memchr result correctly on wasm
4b27560db9 [release-branch.go1.22] go/types: fix assertion failure when range over int is not permitted
4e548f2c8e [release-branch.go1.22] cmd/link: don't let dsymutil delete our temp directory
45f9ded1df [release-branch.go1.22] cmd/compile: don't elide zero extension on top of signed values
49906f9575 [release-branch.go1.22] cmd/go: fix build config before creating actions for 'go list -cover'
ea96074191 [release-branch.go1.22] os/exec: only use cachedLookExtensions if Cmd.Path is unmodified
[1] https://github.com/golang/go/compare/go1.22.5...go1.22.6
(From OE-Core rev: bd62a437ddd8470ff5a3a3d543885908901b7bce)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit edaedfce685f13decad7608aefa36dece02665b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This package can be built using pep517 classes now.
(From OE-Core rev: a9ac262d9dbc57be6ac5c8905c803009e5c4ef4e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a32fa3e64d1daf5846c29403e9f258aea42212d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."Certifi is a
curated collection of Root Certificates for validating the trustworthiness
of SSL certificates while verifying the identity of TLS hosts. Certifi
starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates
from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from
`GLOBALTRUST` from the root store. These are in the process of being removed
from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being
removed pursuant to an investigation which identified "long-running and
unresolved compliance issues."
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689
Upstream-patch:
bd8153872e
(From OE-Core rev: 2ec1ba32a23611484e5d3819008bbab85336ae20)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Removes CVE-2022-46456 from reports.
(From OE-Core rev: 4a5b6e8dd315b2281afb232410db585d431be00f)
(From OE-Core rev: 5b330f3dfe7a37eff5251d2c29d324e90677b33c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is fixed in v8.2.2 with v8.2.1-55-g480a6adc83
480a6adc83
(From OE-Core rev: 422fc84ddbe46580dc6d647eff62c4dbc8551e63)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a need to enable some extra tools from the rust for the build
and so this new variable will help for that
This varaible then we can use during do_configure task to add overall
values as per json format in build -> tools
(From OE-Core rev: 136a25567499191b23a4d000a06bf83a473224ca)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to a new revision which includes "Bugfix for Linux open(O_CREAT|O_EXCL)"
(From OE-Core rev: 97410e90f7233e5c9ce38eea0fa99b76160ffce9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 92a9710ec88c8729fa3d83baa2e63dd74d95cdf8)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
glibc 2.40 renames some internal header variables. Update our hack to
work with the new version. These kinds of problems illustrate we need to
address the issue properly.
(From OE-Core rev: 1d5903bf749436d9b26df858041337b723614963)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35021d650de3eecc3f42000181b39a5db5a8eaa0)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes fix for: CVE-2024-26327, CVE-2024-26328 and CVE-2024-3447
General changelog for 8.2: https://wiki.qemu.org/ChangeLog/8.2
Droped 0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch,
CVE-2024-3446 and CVE-2024-3567 since already contained the fix.
(From OE-Core rev: 1a6d502c04fad0d190bb665e9d454b85c0853fcc)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These recipes come from rust sources and CVEs are reported for them
under rust-lang:rust vendor:product touple.
Especially libstd-rs needs correct CVE_PRODUCT as is it installed on
target devices (being statically linked to rust compiled binaries).
before:
cargo: CVE_PRODUCT="cargo"
cargo-c-native: CVE_PRODUCT="cargo-c"
libstd-rs: CVE_PRODUCT="libstd-rs"
rust: CVE_PRODUCT="rust"
rust-cross-canadian: CVE_PRODUCT="rust-cross-canadian-<arch>"
rust-llvm: CVE_PRODUCT="rust-llvm"
after:
cargo: CVE_PRODUCT="cargo"
cargo-c-native: CVE_PRODUCT="cargo-c"
libstd-rs: CVE_PRODUCT="rust"
rust: CVE_PRODUCT="rust"
rust-cross-canadian-x86-64: CVE_PRODUCT="rust"
rust-llvm: CVE_PRODUCT="rust-llvm"
Product for rust-llvm is uncertain and, should be handled in another
commit if it is desired to align it, too.
sqlite> select vendor, product, count(product) from products where vendor="rust-lang" group by product;
rust-lang|async-h1|2
rust-lang|cargo|5
rust-lang|future-utils|2
rust-lang|futures-task|2
rust-lang|mdbook|1
rust-lang|regex|2
rust-lang|rsa|2
rust-lang|rust|45
rust-lang|socket2|1
(From OE-Core rev: 91bfe1f64ee3e2b8534baa8a3eb2fb7fa3521657)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e8cf1df16a6ec2785cacaf608bec5cd8496103af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
python3-ctypes was dropped as a dependency in v19.2.0
(From OE-Core rev: 48c43d2ff467c067d1518dc55d8d6da39bea159a)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8d06116caf2382ad4782b9b2da50534d076a736d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch is specific to how oe-core runs autotools-generated tests:
by cherry-picking needed bits from builddir and srcdir, then hacking
Makefile with sed until it runs.
As GNU is not interested in installable tests, they wouldn't be
interested in this patch either; and if they become interested,
it's probably going to be done in a whole different way.
(From OE-Core rev: c7a8632469913638070878022bffac5588201006)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd13c29bee330d381e1e574351348e526500e396)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This test is causing problems on the Autobuilder, so disable it for now.
(From OE-Core rev: 9eafd0c56b279a7c3025b0dcd00745baead15bb6)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac000b00ec615b3e51dda8d819015d5e7110ed88)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These tests are causing hangs on the Autobuilder, so disable them for
now.
(From OE-Core rev: 141c348ce83552beae88e115d9c4db5802c6e0f4)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 291f37808f1a2b2fdc8190696867f974994457c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: Updated copyright year
Changelog:
==========
* Fix issue where specially crafted inputs to encode() could take exceptionally
long amount of time to process. [CVE-2024-3651]
(From OE-Core rev: b6f8938c8048d08e29233fa29f5104b044353cf7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The current mmc-utils git URL still (for now?) redirects to the URL in
this patch, but the homepage doesn't, so let's just migrate both to the
new URL.
(From OE-Core rev: 03b1b0798e6eda991f78ada80d4c2846034ea0ff)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 59870f6d87bb516d74081fde1c670e4838e6e134)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commits on binutils-2.42 stable branch are updated.
29ae8b8ea71 x86-64: Skip -z mark-plt tests on MUSL
92cc764e58f hppa: Fix handling of relocations that apply to data
c439c1e1f56 elf: Add glibc version dependency only if needed
68ae8e2a849 ld: pass -g for ld-elf tests
a1e3cb45c67 aarch64: Enable +cssc for armv8.9-a
(From OE-Core rev: f5a56716b40bb8911e5bb31d5dc49b434e733a9a)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- refresh patches with devtool
Upgrade to latest 1.22.x release [1]:
$ git --no-pager log --oneline go1.22.4..go1.22.5
8e1fdea831 (tag: go1.22.5, origin/release-branch.go1.22) [release-branch.go1.22] go1.22.5
c2d4f852ce [release-branch.go1.22] cmd/link: handle dynamic import variables on Darwin in plugin mode
3222951439 [release-branch.go1.22] net/http: send body or close connection on expect-100-continue requests
ceaf26ecce [release-branch.go1.22] cmd/compile: mark pointer to noalg type as noalg
dfe4dbf8c0 [release-branch.go1.22] os/exec: on Windows look for extensions in Run if not already done
3560cf0afb [release-branch.go1.22] runtime: always update stack bounds on cgocallback
5159a7193a [release-branch.go1.22] cmd/compile: put constants before variables in initialization order
11b861e459 [release-branch.go1.22] go/types, types2: report error for floating-point iteration variable
81fc616267 [release-branch.go1.22] crypto/tls: don't call tlsrsakex.IncNonDefault with FIPS
14f0251867 [release-branch.go1.22] cmd/cgo/internal/swig: force use of lld for LTO tests on the builders
ab60a7bc18 [release-branch.go1.22] cmd/cgo/internal/testsanitizers: make the libfuzzer tests all short
4c97e883b5 [release-branch.go1.22] cmd/link: put runtime.end in the last section of data segment
179ccb7042 [release-branch.go1.22] cmd/go: fix go list -u -m all with too new retractions dependency
fe9b3c3399 [release-branch.go1.22] net: add GODEBUG=netedns0=0 to disable sending EDNS0 header
b515c5208b [release-branch.go1.22] go/internal/gccgoimporter: recognize "any" as a builtin type
[1] https://github.com/golang/go/compare/go1.22.4...go1.22.5
(From OE-Core rev: 8786cb9cdda93545315f79927f933a261ed3cb31)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0a1d4a42282bd9f0bdc8dd53c7865aa81d4a5821)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Mitigate occurrences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
(From OE-Core rev: 314041fd126a4800a5a5d9fcd84c525319479256)
(From OE-Core rev: eb06788f3abef4af727da7399e7e97830b2f7c8c)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b6ca9beef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As with a previous change to the class[1], the "pkgconfig" entry is now
deprecated and "pkg-config" should be used instead.
[1] oe-core d64b307891422e290bbe821d4303b3af526bbe17
(From OE-Core rev: 14ee7a2310b5d3da5e7af442454f7957c6c090b7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3e441544f1aa7258718a1cadd6836d9cd9dc65ab)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
==========
- Fixes issues where LLVM is either generating the incorrect thunk for a
function with aligned parameters or didn't correctly pass through the
return value when StructRet was used.
- -Xclang -target-feature -Xclang +unaligned-scalar-mem can be used to enable
unaligned scalar memory accesses for CPUs that do not support unaligned
vector accesses. -mno-strict-align will enable unaligned scalar and vector
memory accesses.
- Don't replace an aliasee with an alias that has weak linkage. This avoids
incorrect linkage that can lead to using the wrong symbols during linking time.
- This patch fixes build failures when compiling AVX512 code using
-march=native on machines without AVX512.
- Fixes crash in AArch64 backend when having true or false as operand for a
fcmp instruction on IR level.
- Fixes compiler crash when user specifies -mno-evex512 with AVX512 features
but no AVX512VL.
- Fixes a bug that tries to do VBROADCAST_LOAD for f16 without AVX2.
(From OE-Core rev: 941474ed77f6f5397ff4f83a4e4dae1c3b9103d3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3cd5c40f5736506b2cfc23b180fa915b01d8220c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
With --force-overwrite (implied by --force-all), dpkg will not abort
when a package overwrites files from different packages. As this can
also lead to "The following package disappeared from your system as
all files have been overwritten by other packages: <package>" and
subsequently broken dependencies, this makes the simple case of
conflicting files hard to debug.
Instead of finding all possibly required force options, only disable
overwrite for now.
(From OE-Core rev: 30cc69f094729e3d11dc6021daf77f5038c4de61)
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Take back from https://git.openembedded.org/openembedded-core/commit/?id=4292387ef6c4e80428bad6a07c844a288b27d9a1
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This was a bugfix release, this version fixed several important fixes
according to upstream.
Dropped CVE-2023-6683.patch since already contained the fix.
(From OE-Core rev: f548a3a24f3fc26b09e2fcc8544065beb5293f91)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Python 2.7 support was dropped in version 22.0.0
python3-six was dropped as a dependency in 22.0.0
(From OE-Core rev: d7ad0495c543ec952817860595c047e5e4263978)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6eab37a0cdcc6071f79aa5c8198df0b2ba23dd7a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Python 2.7 support was dropped in version 3.2.0 and
python3-six dependency was subsequently dropped in version 3.2.1
(From OE-Core rev: 214d41b73d235176123fd78143747845aa9c951e)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50757cc95b3062f11a7455af33e7a7e74ea1d0f7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2to3 module was dropped as a dependency in setuptools 58.0
(From OE-Core rev: 0d5cd1d867a826cf83fcaee3e8390b9defec47d1)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Drop the following dependencies from RDEPENDS:
- python3-ndg-httpsclient
- python3-pyasn1
- python3-pyopenssl
Add a missing dependency into RDEPENDS:
- python3-certifi
Additional fix HOMEPAGE, the old link doesn't work
(From OE-Core rev: 3d9072c346bf7bdeecd6197df8b14e39399bdabd)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Switch to use flit core since upstream changed.
They also changed the capitalisation under pypi.
The license didn't change but the file was renamed, probably as it wasn't
rst.
(From OE-Core rev: ac35432687624ad58ff6586446e5e73710658a68)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e352680528b18c3cdae26233bef7cddc2771d42d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The configure script has many fragments that fail to compile with GCC 14,
take a patch submitted upstream to fix these issues.
(From OE-Core rev: 5c6630e61ad85a4bf9eecd94005e14f0e34df463)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5c21ca789c288662aa3d307b30813cd03cc8c158)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Bootstrap [1]
As mentioned in the Go 1.20 release notes, Go 1.22 now requires the final point release of Go 1.20 or later for bootstrap.
We expect that Go 1.24 will require the final point release of Go 1.22 or later for bootstrap.
The default recipe for bootstrap is the go-binary-native as can be seen in:
meta/conf/distro/include/tcmode-default.inc:68:PREFERRED_PROVIDER_go-native ?= "go-binary-native"
Currently if we change it to use the old go-native and compile the go1.4-bootstrap-20170531
it fails:
| Building Go cmd/dist using /build/workdir/tmp-glibc/work/x86_64-linux/go-native/1.22.3-r0/go1.4/go. (go1.4-bootstrap-20170531 linux/amd64)
| can't load package: package ./cmd/dist: found packages build.go (main) and notgo120.go (building_Go_requires_Go_1_20_6_or_later) in /build/workdir/tmp-glibc/work/x86_64-linux/go-native/1.22.3-r0/go/src/cmd/dist
This has been broken for some time but as we used go-binary-native by default it went unnoticed.
[1] https://go.dev/doc/go1.22#bootstrap
(From OE-Core rev: f350f5b6302fc226e477d5283e4a9722a11d4170)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 876d344d2ec3d6ce283d01974146392d76685824)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
