mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-20 08:29:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
52,827 Commits 38 Branches 617 Tags
ebf1cc65a96ba01edccb56f0a50235dedfca8478
Commit Graph

36787 Commits

Author SHA1 Message Date
Muminul Islam
ebf1cc65a9 curl: Security fix for CVE-2019-5482 
(From OE-Core rev: 57d30f26c3dbba720079e98d429dfcb53d527d54)

Signed-off-by: Muminul Islam <muislam@microsoft.com>
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:01 +01:00
Muminul Islam
507434199d libsolv: Security fix for CVEs: <CVE-2018-20532, CVE-2018-20533, CVE-2018-20534> 
(From OE-Core rev: 82a9850d6ef8cca816f9e0a53a8d20b056f95320)

Signed-off-by: Muminul Islam <muislam@microsoft.com>

CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534

Upstream-Status: Backport

Cherry picked from  https://github.com/openSUSE/libsolv/pull/291/commits
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:01 +01:00
Dan Tran
ab318acf53 gnutls: Fix CVE-2019-3829 and CVE-2019-3836 
(From OE-Core rev: 54c6892543319c4b8f7248e95966e956053c97b7)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:01 +01:00
c-thaler
dba05668f7 kernel-devsrc: check for localversion files in the kernel source tree 
localversion files are ignored. This might lead to a bad version magic when
building out-of-tree modules via SDK.
(Backport from master https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-kernel/linux/kernel-devsrc.bb?id=59fcee90de0cbb5b6b8333ab2b0e36214b174e52)

(From OE-Core rev: 85da4ccfff2103815eb3cd9a0b0f1af122b05567)

Signed-off-by: Christian Thaler <christian.thaler@tes-dst.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:01 +01:00
Muminul Islam
7e20a2238c glibc: Security fix for cve <CVE-2019-6488, CVE-2019-7309> 
(From OE-Core rev: d68441ed80fd43f091baf01bfdb47c3ec010c662)

Signed-off-by: Muminul Islam <muislam@microsoft.com>

CVE: CVE-2019-6488, CVE-2019-7309

Upstream-Status: Backport
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:00 +01:00
Peter Kjellerstedt
01d107f5c1 arch-arm64.inc: Lower the priority of aarch64 in MACHINEOVERRIDES 
This makes sure, e.g., ${SOC_FAMILY} and ${MACHINE} have higher
priorities than aarch64.

(From OE-Core rev: 3b8db95973fc144b00d59c4797adb405a935cd7c)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:00 +01:00
Dmitry Eremin-Solenikov
9257748714 kernel.bbclass: fix installation of modules signing certificates 
If one has provided external key/certificate for modules signing, Kbuild
will skip creating signing_key.pem and will write only signing_key.x509
certificate. Thus we have to check for .x509 file existence rather than
.pem one.

(From OE-Core rev: 4972582767a3325d22a16db9a5479c2d0001964b)

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2527e731eba43bd36d0ea268aca6b03155376134)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-15 15:54:00 +01:00
Michael Halstead
8e23315bda uninative: Update to 2.7 release 
The 2.7 release updates glibc to version 2.30. Recently added to openSUSE
Tumbleweed and needed for Fedora Core 31.

(From OE-Core rev: e6728a873f1eef335a9e21bdface304f13f0c952)

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Khem Raj
d31a23609c gnupg: Do not apply -Woverride-init guard for gcc >= 9 
(From OE-Core rev: e40c38afc1747d1ed71c9bd2ab3189bbb1efcee9)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Sean Nyekjaer
0077503ed8 libgpg-error: Fix build with gawk 5.x 
Based on poky master, but for version 1.35

(From OE-Core rev: ff3b021136d7af66f05475da8475495fe7c653ee)

Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
[backported to thud
 yocto# 13580]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Armin Kuster
f3a4b20850 qemu: fix build issue on new hosts with glibc 2.30 
This fixes the following error:

TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:254:16: error: static declaration of ‘gettid’ follows non-static declaration
 254 | _syscall0(int, gettid)
 |                ^~~~~~
 TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:185:13: note: in definition of macro ‘_syscall0’
 185 | static type name (void)   \
 |             ^~~~
 In file included from /usr/include/unistd.h:1170,
 from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/include/qemu/osdep.h:90,
 from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:20:
 /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
 34 | extern __pid_t gettid (void) __THROW;
 |                ^~~~~~

(From OE-Core rev: 5b5ca76cc5dd424248c7e687e562597a2c85df57)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Andrii Bordunov via Openembedded-core
93cde08301 wget: Security fixes CVE-2018-20483 
Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description:

Fixes CVE-2018-20483

(From OE-Core rev: c901bc8cd9de5853185af2059c6f1efeb4ccdd60)

Signed-off-by: Aviraj CJ <acj@cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Shubham Agrawal
6d5867a94c sqlite3: Security fix for CVE-2019-8457 
(From OE-Core rev: c0c66d213b4b6deb0a5e9a688810d2e9674d3ecf)

Signed-off-by: Shubham Agrawal <shuagr@microsoft.com>
[Cleaned up patch]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Dan Tran
bda26ff31c perl: Fix CVE-2018-18311 to 18314 
(From OE-Core rev: cffd085ef77d055e5e837887b0eaf820aa982f00)

Signed-off-by: Dan Tran <dantran@microsoft.com>
[Perl before 5.26.3 and 5.28.x before 5.28.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Adrian Bunk
cc0605bad6 json-c: Don't --enable-rdrand 
In recent years AMD CPUs have had various problems with RDRAND
giving either non-random data or no result at all, which is
problematic if either build or target machine has a CPU with
this problem.

The fallback is /dev/urandom, and I'd trust the kernel here.

--enable-rdrand was added in an upgrade to a new upstream
version without mentioning any reason.

[YOCTO #13534]

(From OE-Core rev: fad633eb5c464d4e2a984b9259625bcd150ee357)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Dan Tran
b15ffd14ac unzip: fix CVE-2019-13232 
(From OE-Core rev: 7857d85db69bcb2cb94399a22de6903263e52965)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Shubham Agrawal
2d699f84a3 elfutils: CVE fix for elfutils 
CVE: CVE-2019-7664.patch
CVE: CVE-2019-7665.patch

Sign off: Shubham Agrawal <shuagr@microsoft.com>

(From OE-Core rev: 8ca80002aa21897834b8c9869137461221e50225)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Dan Tran
7d0a5058e6 qemu: Fix 4 CVEs 
Fixes CVE-2018-18954, CVE-2019-3812, CVE-2019-6778, and CVE-2019-8934.
Also deleted duplicated patch and cleanup.

(From OE-Core rev: e4b6a39bdf1b660233a7145599cd4fc3e971fc8f)

Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixup for thud-next]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Chen Qi
70f57755d7 oeqa/selftest/context: ensure log directory exists 
Ensure log directory exists to avoid the following error.

  FileNotFoundError: [Errno 2] No such file or directory: '/.../build-selftest/tmp/log/oe-selftest-results-20181207043431.log'

(From OE-Core rev: c54411d0e03fe1cea8b6bb0c80dea029dd264f36)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-10 16:52:30 +01:00
Bruce Ashfield
87d0be72e7 linux-yocto/4.14: update to v4.14.143 
Updating to the latest 4.14 -stable. Lightly build and boot tested
on qemu*

(From OE-Core rev: f5be8c8309a932cde507ba24d042880a922df0b6)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Anuj Mittal
d8b63d9ad6 pango: fix CVE-2019-1010238 
(From OE-Core rev: 20b23cb40917b1c83b862817b13f0eefc8fa7a64)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 65631a048f57965745dc8cc23cb80c4c3a71ba94)
[Fix up for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Anuj Mittal
65ba01d602 patch: backport fixes 
The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.

Also see:
https://savannah.gnu.org/bugs/index.php?53820

(From OE-Core rev: e2869ff2f76adb2b1ba6f003d6d02d242afe49e8)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 12f9689cba740da6b8c7d9292c74c3992c2e18f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Trevor Gamblin
6fc3dc1af5 patch: fix CVE-2019-13638 
(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781)

(From OE-Core rev: 308c44fd8f1d7d348c6c7cf9054f9c8403d8e8bd)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 555b0642579c00c41bc3daab9cef08452f9834d5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Anuj Mittal
d59f2b0a74 libxslt: fix CVE-2019-13117 CVE-2019-13118 
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)

(From OE-Core rev: 07cd0d606fea63e683c7de7ebfaa6a55170b8318)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Muminul Islam
94ac57739c libxslt: Cve fix CVE-2019-11068 
(From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b)

Signed-off-by: Muminul Islam <muislam@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Dan Tran
26ab554fd5 python3: Fix CVEs 
Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636,
CVE-2019-9740, and CVE-2019-9747.

(From OE-Core rev: 5862716f22ca9f5745d3bca85c6ed0d8c35c437b)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Dan Tran
90e5385568 python: Fix 3 CVEs 
Fixes CVE-2018-20852, CVE-2019-9740, and CVE-2019-9747

(From OE-Core rev: 3f1c02aa7b7d485e64503d601124c335d4b7299f)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Dan Tran
45cebeda6e binutils: Fix 4 CVEs 
Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and
CVE-2018-1000876 for binutils 2.31.1.

(From OE-Core rev: 981eeec0f26f25db444782f40a86c558a2358215)

Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixed up .inc for thud-next context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Adrian Bunk
36fa7fce02 dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch 
This also fixes a dhcp breakage noticed by Enrico Scholz.

(From OE-Core rev: 5deab12cdcf1d7372634324e1fd70145ff59f9f9)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Ruslan Bilovol
458009f31a dhcp: drop lost patch 
Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped
0008-tweak-to-support-external-bind.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.

Cc: Armin Kuster <akuster808@gmail.com>
(From OE-Core rev: 109e8420c8a4e94dccb3c83e2b0b7fc6ceb66b04)

Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
5f125a31e1 dhcp: fix issue with new bind changes 
(From OE-Core rev: d0e2babdab1625e86d0abc7fa7dab25caa73ccb6)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
6518c248e6 go: update to 1.11.13, minor updates 
Source: golang.org
MR: 99376
Type: Security Fix
Disposition: Backport from golang.org
ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06
Description:

https://golang.org/doc/devel/release.html

go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details.

go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details.

go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details.

Includes CVE: CVE-2019-14809

(From OE-Core rev: 6018e9755dce3eaa22a1fe691dc18546c43c9cbe)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Adrian Bunk
6eaf69d732 bind: upgrade 9.11.5 -> 9.11.5-P4 
Source: OE.org
MR: 99751, 99752, 99753
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4
ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01
Description:

Bugfix-only compared to 9.11.5, mostly CVE fixes.

COPYRIGHT checksum changed due to 2018 -> 2019.

(From OE-Core rev: b24447b40e4988e337bdd4b5cf194df0827f9887)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Included cves:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
3d3a165925 bind: update to latest LTS 9.11.5 
Source: bind.org
MR: 99750
Type: Security Fix
Disposition: Backport from bind.org
ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224
Description:

includes:
CVE-2018-5738

drop patch for CVE-2018-5740 now included in update

see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html

Add RECIPE_NO_UPDATE_REASON for lts

(From OE-Core rev: 25b2f2c6fc67eabb0e7f0b7c5ffe08c554613c10)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Also includes CVE-2018-5740]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
176dc6eb01 binutils: Security fix for CVE-2019-12972 
Source: git://sourceware.org / binutils-gdb.git
MR: 98770
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c
Description:

Fixes CVE-2019-12972

(From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba)

Signed-off-by: Armin Kuster <akuster@mvista.com>

[v2]
forgot to refresh inc file before sending

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
d39b67e491 binutils: Security fix for CVE-2019-14444 
Source: git://sourceware.org / binutils-gdb.git
MR: 99255
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72
Description:

Affects: <= 2.32.0

Fixes CVE-2019-14444

(From OE-Core rev: a367928942411b36a0b0bbb95055d01548430e8e)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Armin Kuster
09d46e9131 gcc: Security fix for CVE-2019-14250 
Source: gcc.org
MR: 99120
Type: Security Fix
Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev
ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb
Description:

Affects < 9.2

(From OE-Core rev: 79205966072bb6179d96b3af5aabc521da83e841)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Bartosz Golaszewski
0f7e6681a8 qemu: add a patch fixing the native build on newer kernels 
The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.

(From OE-Core rev: fac2d3846dadfda256e94500bdf33f546a8d1fb4)

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Refactoried for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
4e6a44598f libcomps: fix CVE-2019-3817 
(From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
9da2eb4bef glib-2.0: fix CVE-2019-13012 
(From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
fe27c50545 dbus: fix CVE-2019-12749 
(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
1b62838428 curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 
(From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Anuj Mittal
20ee17a579 python3: fix CVE-2019-9740 
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:

https://bugs.python.org/issue30458

(From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Anuj Mittal
d581f111db patch: fix CVE-2019-13636 
(From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Alexander Kanavin
fa4683a484 buildhistory: call a dependency parser only on actual dependency lists 
Previously it was also called on filelists and possibly other items which
broke the parser.

(From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Richard Purdie
cb26830f76 build-appliance-image: Update to thud head revision 
(From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-08-01 11:58:15 +01:00
Anuj Mittal
d49de3810a expat: fix CVE-2018-20843 
(From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Ross Burton
9e0a120c8e libcroco: fix CVE-2017-7961 
(From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9)

(From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Ovidiu Panait
e6058824bb ghostscript: Fix 3 CVEs 
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.

It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.

It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e

(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)

(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Anuj Mittal
885459d264 bzip2: fix CVE-2019-12900 
Also include a patch to fix regression caused by it. See:

https://gitlab.com/federicomenaquintero/bzip2/issues/24

(From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00