Anuj Mittal
d59f2b0a74
libxslt: fix CVE-2019-13117 CVE-2019-13118
...
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)
(From OE-Core rev: 07cd0d606fea63e683c7de7ebfaa6a55170b8318)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Muminul Islam
94ac57739c
libxslt: Cve fix CVE-2019-11068
...
(From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b)
Signed-off-by: Muminul Islam <muislam@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Dan Tran
26ab554fd5
python3: Fix CVEs
...
Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636,
CVE-2019-9740, and CVE-2019-9747.
(From OE-Core rev: 5862716f22ca9f5745d3bca85c6ed0d8c35c437b)
Signed-off-by: Dan Tran <dantran@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Dan Tran
90e5385568
python: Fix 3 CVEs
...
Fixes CVE-2018-20852, CVE-2019-9740, and CVE-2019-9747
(From OE-Core rev: 3f1c02aa7b7d485e64503d601124c335d4b7299f)
Signed-off-by: Dan Tran <dantran@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Dan Tran
45cebeda6e
binutils: Fix 4 CVEs
...
Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20671, and
CVE-2018-1000876 for binutils 2.31.1.
(From OE-Core rev: 981eeec0f26f25db444782f40a86c558a2358215)
Signed-off-by: Dan Tran <dantran@microsoft.com >
[fixed up .inc for thud-next context]
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Adrian Bunk
36fa7fce02
dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch
...
This also fixes a dhcp breakage noticed by Enrico Scholz.
(From OE-Core rev: 5deab12cdcf1d7372634324e1fd70145ff59f9f9)
Signed-off-by: Adrian Bunk <bunk@stusta.de >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Ruslan Bilovol
458009f31a
dhcp: drop lost patch
...
Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped
0008-tweak-to-support-external-bind.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Armin Kuster <akuster808@gmail.com >
(From OE-Core rev: 109e8420c8a4e94dccb3c83e2b0b7fc6ceb66b04)
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
5f125a31e1
dhcp: fix issue with new bind changes
...
(From OE-Core rev: d0e2babdab1625e86d0abc7fa7dab25caa73ccb6)
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
6518c248e6
go: update to 1.11.13, minor updates
...
Source: golang.org
MR: 99376
Type: Security Fix
Disposition: Backport from golang.org
ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06
Description:
https://golang.org/doc/devel/release.html
go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details.
go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details.
go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details.
Includes CVE: CVE-2019-14809
(From OE-Core rev: 6018e9755dce3eaa22a1fe691dc18546c43c9cbe)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Adrian Bunk
6eaf69d732
bind: upgrade 9.11.5 -> 9.11.5-P4
...
Source: OE.org
MR: 99751, 99752, 99753
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4
ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01
Description:
Bugfix-only compared to 9.11.5, mostly CVE fixes.
COPYRIGHT checksum changed due to 2018 -> 2019.
(From OE-Core rev: b24447b40e4988e337bdd4b5cf194df0827f9887)
Signed-off-by: Adrian Bunk <bunk@stusta.de >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Included cves:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
]
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
3d3a165925
bind: update to latest LTS 9.11.5
...
Source: bind.org
MR: 99750
Type: Security Fix
Disposition: Backport from bind.org
ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224
Description:
includes:
CVE-2018-5738
drop patch for CVE-2018-5740 now included in update
see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Add RECIPE_NO_UPDATE_REASON for lts
(From OE-Core rev: 25b2f2c6fc67eabb0e7f0b7c5ffe08c554613c10)
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Also includes CVE-2018-5740]
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
176dc6eb01
binutils: Security fix for CVE-2019-12972
...
Source: git://sourceware.org / binutils-gdb.git
MR: 98770
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c
Description:
Fixes CVE-2019-12972
(From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba)
Signed-off-by: Armin Kuster <akuster@mvista.com >
[v2]
forgot to refresh inc file before sending
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
d39b67e491
binutils: Security fix for CVE-2019-14444
...
Source: git://sourceware.org / binutils-gdb.git
MR: 99255
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72
Description:
Affects: <= 2.32.0
Fixes CVE-2019-14444
(From OE-Core rev: a367928942411b36a0b0bbb95055d01548430e8e)
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Armin Kuster
09d46e9131
gcc: Security fix for CVE-2019-14250
...
Source: gcc.org
MR: 99120
Type: Security Fix
Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev
ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb
Description:
Affects < 9.2
(From OE-Core rev: 79205966072bb6179d96b3af5aabc521da83e841)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Bartosz Golaszewski
0f7e6681a8
qemu: add a patch fixing the native build on newer kernels
...
The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.
(From OE-Core rev: fac2d3846dadfda256e94500bdf33f546a8d1fb4)
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Refactored for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
4e6a44598f
libcomps: fix CVE-2019-3817
...
(From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89)
Signed-off-by: Kevin Weng <t-keweng@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
9da2eb4bef
glib-2.0: fix CVE-2019-13012
...
(From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7)
Signed-off-by: Kevin Weng <t-keweng@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
fe27c50545
dbus: fix CVE-2019-12749
...
(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08)
Signed-off-by: Kevin Weng <t-keweng@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
1b62838428
curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
...
(From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40)
Signed-off-by: Kevin Weng <t-keweng@microsoft.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:27 +01:00
Anuj Mittal
20ee17a579
python3: fix CVE-2019-9740
...
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:
https://bugs.python.org/issue30458
(From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:27 +01:00
Anuj Mittal
d581f111db
patch: fix CVE-2019-13636
...
(From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:27 +01:00
Alexander Kanavin
fa4683a484
buildhistory: call a dependency parser only on actual dependency lists
...
Previously it was also called on filelists and possibly other items which
broke the parser.
(From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-10-08 22:52:27 +01:00
Richard Purdie
cb26830f76
build-appliance-image: Update to thud head revision
...
(From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-08-01 11:58:15 +01:00
Anuj Mittal
d49de3810a
expat: fix CVE-2018-20843
...
(From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Ross Burton
9e0a120c8e
libcroco: fix CVE-2017-7961
...
(From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9)
(From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14)
Signed-off-by: Ross Burton <ross.burton@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Ovidiu Panait
e6058824bb
ghostscript: Fix 3 CVEs
...
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constraints imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constraints imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Anuj Mittal
885459d264
bzip2: fix CVE-2019-12900
...
Also include a patch to fix regression caused by it. See:
https://gitlab.com/federicomenaquintero/bzip2/issues/24
(From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Ross Burton
d0e65410f4
libarchive: integrate security fixes
...
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)
(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)
Signed-off-by: Ross Burton <ross.burton@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Anuj Mittal
acd46a34c4
gstreamer1.0-plugins-base: fix CVE-2019-9928
...
(From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Anuj Mittal
ecc1ac5b04
libsdl: CVE fixes
...
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.
(From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Alejandro del Castillo
e8cd30ba6c
OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONS
...
Currently, BAD_RECOMMENDATIONS on the opkg backend relies on editing the
opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to
deinstalled and pinned). This is brittle, and not consistent across the
different solver backends. Use new --add-ignore-recommends flag instead.
(From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc)
(From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85)
(From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760)
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Alejandro del Castillo
eecc4121ad
opkg: add --ignore-recommends flag
...
To be used for BAD_RECOMMENDATIONS feature.
(From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de)
(From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd)
(From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e)
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Backport from opkg_0.4.0.bb]
Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-29 23:50:43 +01:00
Robert Yang
4d63da3fad
uboot-sign.bbclass: Remove tab indentations in python code
...
Use 4 spaces to replace a tab.
(From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
a51a3b1c82
glib: Security fix for CVE-2019-9633
...
Source: gnome.org
MR: 98802
Type: Security Fix
Disposition: Backport from d553d92d6e
ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318
Description:
includes supporting patch.
Fixes CVE-2019-9633
(From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
e2f3997a84
qemu: Security fixes CVE-2018-20815 CVE-2019-9824
...
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:
Fixes both CVE-2018-20815 and CVE-2019-9824
(From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Ross Burton
45e662b445
glibc: backport CVE fixes
...
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591
(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)
Signed-off-by: Ross Burton <ross.burton@intel.com >
[Dropped CVE-2019-9169 as it's in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Ross Burton
f749c69115
lighttpd: fix CVE-2019-11072
...
(From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79)
Signed-off-by: Ross Burton <ross.burton@intel.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Richard Purdie
573a935860
uninative: Update to 2.6 release
...
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes
compatibility with recent fedora/suse releases.
The difference is one is built with obsolete APIs enabled and one disabled.
We now ship both in uninative for compatibility regardless of which distro
a binary is built on.
(From OE-Core rev: 352ab80333096df92ef0f4cd331baea98e71aa21)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Richard Purdie
59400377bb
uninative: Switch from bz2 to xz
...
(From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)
(From OE-Core rev: 16785ebdc50f38ef4bc30d477a6833bdd4b541d1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Richard Purdie
594d5c20e2
yocto-uninative: Update to 2.5 release
...
This includes libstdc++ changes from gcc 9.X.
It also switches uninative from bz2 to xz compression.
(From OE-Core rev: 0497623882da714cbe098a4281982b7f9ce6030f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
8e6d657a9c
qemu: Security fix for CVE-2019-12155
...
Source: qemu.org
MR: 98382
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3
Description:
Fixes CVE-2019-12155
Affects: <= 4.0.0
(From OE-Core rev: 6045c57895cad301c5e3a94de740427343a08065)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
a43499cf8e
Curl: Security fix CVE-2019-5435 CVE-2019-5436
...
Source: CUrl.org
MR: 98455
Type: Security Fix
Disposition: Backport from https://curl.haxx.se/
ChangeID: 86b094a440ea473b114764e8d64df8142d561609
Description:
Fixes CVE-2019-5435 CVE-2019-5436
(From OE-Core rev: 9d5a7dd654a17b67f5cd8a73145e5f5299bfebcc)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
21188466bc
wget: Security fix for CVE-2019-5953
...
Source: http://git.savannah.gnu.org/cgit/wget.git
MR: 89341
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b
Description:
Fixes CVE-2019-5953
Affects: < 1.20.1
(From OE-Core rev: c897b862c6cfaa341cc6155b2c9d98ea7ad02884)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
f2d2148adb
glib-2.0: Security fix for CVE-2019-12450
...
Source: glib-2.0
MR: 98443
Type: Security Fix
Disposition: Backport from d8f8f4d637
ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741
Description:
(From OE-Core rev: 71bfb9dfdc806e0e95f1302d0d6c3c751f03bb4b)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
abefff23cd
Tar: Security fix CVE-2019-0023
...
Source: tar.git
MR: 97928
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3
Description:
Affects tar < 1.32
fixes CVE-2019-9923
(From OE-Core rev: fc77edc8245ab90eee1f1e857f470b6842dc256f)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
e53f7d53f4
qemu: Security fix for CVE-2018-19489
...
Source: Qemu.org
MR: 97453
Type: Security Fix
Disposition: Backport from git.qemu.org/gemu.git
ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace
Description:
In the spirit of YP Compatible, sending change upstream.
fixes CVE-2018-19489
Affects <= 4.0.0
(From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Joshua DeWeese
f381b778ae
wpa_supplicant: Changed systemd template units
...
I goofed up the scissor line on the last attempt. Not sure how much it matters,
but here it is correct this time.
Here it is, updated to work with wpa-supplicant_2.6.bb.
-- >8 --
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=
When building root filesystems with any of the wpa_supplicant systemd
template service files enabled (current default is to have them disabled) the
systemd-native-fake script would not process the line:
Alias=multi-user.target.wants/wpa_supplicant@%i.service
appropriately due to the use of "%i."
According to the systemd documentation "WantedBy=foo.service in a service
bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in
the same file." However, this is not really the intended purpose of install
Aliases.
All lines of the form:
Alias=multi-user.target.wants/*%i.service
Were replaced with the following lines:
WantedBy=multi-user.target
(From OE-Core rev: d05e98cdccbe36be8906c31249adeb0f0bc13ac5)
Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Armin Kuster
47d06b4c85
go: update to minor update 1.11.10
...
Source: golang.org
MR: 97548,
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5
ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268
Description:
Bug fix updates only
https://golang.org/doc/devel/release.html#go1.11
Fixes:
Affects <= 1.11.6
CVE-2019-6486
CVE-2019-9741
(From OE-Core rev: 4e40da53851c550f1a38eff5737d4b69c8cd0afb)
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Khem Raj
d89c54ee99
go: Upgrade 1.11.1 -> 1.11.4 minor release
...
Source: OpenEmbedded.org
MR: 98328, 98329, 98330
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e
ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2
Description:
include:
CVE-2018-16873
CVE-2018-16874
CVE-2018-16875
Changes: https://golang.org/doc/devel/release.html#go1.11
(From OE-Core rev: 69964488112899371b7fd88b6e86e533d968b457)
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00
Richard Purdie
94bacd598d
go-crosssdk: PN should use SDK_SYS, not TARGET_ARCH
...
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.
(From OE-Core rev: 025cd45d4129266d34a919573c02a8504f092c1b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
Signed-off-by: Armin Kuster <akuster@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
2019-07-27 18:05:18 +01:00