mirrors/poky - poky - zepto initiative

mirror of https://git.yoctoproject.org/poky synced 2026-03-05 14:59:41 +01:00

Author	SHA1	Message	Date
Mattias Hansson	ee75698371	base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot do_prepare_recipe_sysroot may perform groupadd, which requires pseudo. However, do_prepare_recipe_sysroot does not depend on pseudo explicitly, which sometimes causes a build error when building a recipe that adds groups. This issue only occurs when executing do_prepare_recipe_sysroot for a recipe that adds groups before finishing a task that depends on pseudo for a recipe that doesn't add groups. (From OE-Core rev: 86f196dc077de7f3f6664e69703a96245b42ddc0) Signed-off-by: Mattias Hansson <mattihn@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Hongxu Jia	47de27d734	go: fix CVE-2019-17596 `2017d88dbc` (From OE-Core rev: a8adb7d23172acb587c259a28aa0c9e2df83f228) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	d8da51bd3b	nasm: fix CVE-2019-14248 See: https://bugzilla.nasm.us/show_bug.cgi?id=3392576 (From OE-Core rev: 49dca79c6e5f631d1f55422864ee57c86cafe1a4) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	dbd22b6cd7	nasm: fix CVE-2018-19755 (From OE-Core rev: 021c8ae8e115ff6bab167146d97a340d4945118d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	707e2b9d7d	glib-2.0: Backport the CVE-2019-12450 fix (From OE-Core rev: 9c4d7a92f4f6e4070102b12de44d9bfe6f944735) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	057dcb3ee3	lighttpd: Backport the CVE-2019-11072 fix (From OE-Core rev: abc2d1fad91f1378be3946e35d8f8f450823599e) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	ef2bec784b	glibc: fix CVE-2019-19126 Backport from 2.30 stable branch and drop NEWS section. (From OE-Core rev: de04ec5dcf72d76f2e8274af4bcddf27cb02e544) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	a2335757ba	libarchive: fix CVE-2019-19221 Also see: https://github.com/libarchive/libarchive/issues/1276 (From OE-Core rev: b4628dd1ef9d50e8778cadae09e6d31886bd47d2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Vinay Kumar	c2644c6afc	gdb: Fix CVE-2019-1010180 Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	60ce01fec8	bind: Whitelist CVE-2019-6470 (From OE-Core rev: a45f9d2047d7d1156fafc44554c4908a0c7d2647) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Trevor Gamblin	271da31a92	binutils: fix CVE-2019-17451 Backport upstream fix. (From OE-Core rev: 02c54859c009be191958a19a5c3549a6635cc647) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Trevor Gamblin	f4c9970227	binutils: fix CVE-2019-17450 Backport upstream fix. (From OE-Core rev: dcd3406c79bdee46fabc2310c9e278918e26ce80) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Ross Burton	eb25d2fc66	wpa-supplicant: fix CVE-2019-16275 (From OE-Core rev: 4b764c25d7396cba41c28c66a78a7a8f0ea3a5be) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Joshua Watt	441f31d02f	python3: RDEPEND on libgcc Python uses features of glibc that require it to dynamically load (i.e. dlopen()) libgcc_s at runtime. However, since this isn't a link time dependency, it doesn't get picked up automatically by bitbake so manually add it to RDEPENDS. There is an outstanding bug in Python to make it explicitly link against libgcc at link time which would remove the need for this. See: https://bugs.python.org/issue37395 (From OE-Core rev: 04297ee03f5f4e4edafaf332a6648465f52ba1eb) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> [ merged the fix to make it glibc only ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	37e53c426b	python3: Upgrade 3.7.5 -> 3.7.6 (From OE-Core rev: 262ac0c4d534b1858b81c7d69b6ff57c5d3a4559) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	78c2ea1877	python/python3: Whitelist CVE-2019-18348 This is not exploitable when glibc has CVE-2016-10739 fixed, which is fixed in the upstream version since warrior. (From OE-Core rev: a2507600fecdf815ad80da569c5e8ad65286b812) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	57da5247c0	python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 One Windows-only CVE that cannot be fixed, and two CVEs where upstream agreement is that they are not vulnerabilities. (From OE-Core rev: 1b69d141b73e46cc377f8566868da44dd5b1ea42) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Armin Kuster	a19e3961a4	stress: update SRC_URI Fixes: WARNING: stress-1.0.4-r0 do_fetch: Failed to fetch URL http://people.seas.harvard.edu/~apw/stress/stress-1.0.4.tar.gz, attempting MIRRORS if available (From OE-Core rev: 279c4da2e5f46dccfeff0c898c2205940be9e174) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ferry Toth	4c5f33c8fc	sudo: Fix fetching sources It looks like https://www.sudo.ws/download.html changed certificate and directory structure. This breaks fetching sources. (From OE-Core rev: adb6af60dcf098bfce64168e6443c26d124661c4) Signed-off-by: Ferry Toth <ftoth@exalondelft.nl> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f02e9f46ce54fed3c7ddfad7d1003a2fb7ba3a67) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Alexander Kanavin	025e005d29	sudo: correct SRC_URI The old URI returns 404, and has an invalid TLS certificate. (From OE-Core rev: abb42b83e1a96cdc7dac73e223a87cf078979c49) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 73ff6aba0a53ffc3ee0a5859a3ad4c8021be4de0) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Oleksandr Kravchuk	178c487ed2	popt: fix SRC_URI rpm5.org has been down for about a year now. Use linuxfromscratch.org as an alternative reliable source instead. (From OE-Core rev: 2e2fb4e9db2e328dcb771951feb7f7ab5c0c4dd6) Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d9224014da9a512b1b8837e4e7a736d465c97be3) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Niko Mauno	8c7e02c9d1	cve-check: Switch to NVD CVE JSON feed version 1.1 Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: 72c22b8791707480c380f49305c6d394578b2a4b) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ross Burton	c12415cc7c	cve-check: fetch CVE data once at a time instead of in a single call This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 0f5b748a5b7fec41bac16bbc1346230e86bb99e3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ross Burton	1ab16a1b7a	cve-check: neaten get_cve_info Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 0ec6843bec3e817c3bc62d04adea5fd385307b32) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	2ea29b7c24	cve-check: rewrite look to fix false negatives A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 9948dd86d100bec56e22e6c0bbf4759925a4b306) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	1fb115f221	cve-update-db-native: clean up proxy handling urllib handles adding proxy handlers if the proxies are set in the environment, so call bb.utils.export_proxies() to do that and remove the manual setup. (From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434) (From OE-Core rev: 2ddf1c0bc4267d38069f9dbb0f716fdac29a49a9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	ee2c8e04b8	cve-update-db-native: add an index on the CVE ID column Create an index on the PRODUCTS table which contains a row for each CPE, drastically increasing the performance of lookups for a specific CVE. (From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e) (From OE-Core rev: 9abd2b5c4ddfb98f3b8574954e1fd0e95a47ebcc) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	55bec749c0	cve-update-db-native: don't hardcode the database name Don't hardcode the database filename, there's a variable for this in cve-check.bbclass. (From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab) (From OE-Core rev: f774665ee4dcdc5a1fe1f51384d82fb8e1b219e1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	933a0a255f	cve-update-db-native: don't refresh more than once an hour We already fetch the yearly CVE metadata and check that for updates before downloading the full data, but we can speed up CVE checking further by only checking the CVE metadata once an hour. (From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a) (From OE-Core rev: fd16e1bb582d3135411e2e3dad46731114d2b955) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	df244d25f0	cve-check: we don't actually need to unpack to check The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack. (From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17) (From OE-Core rev: 8bfe83d53c39e4a88f808af617db7db091694841) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	50b6a611ea	cve-check: failure to parse versions should be more visible (From OE-Core rev: d1a16e6f0edda5d9f03191d187788fc8b666bd7f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	0be3c68cf4	cve-check: ensure all known CVEs are in the report CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 430e95cd819577d4d71fe6d579a175b8776aa467) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Khem Raj	665aea195a	sdk: Install nativesdk locales for all TCLIBC variants install_locales() here is actually operating on nativesdk and only glibc is the default library for nativesdk, since thats what most of desktop/server distros use, therefore bailing out based on TCLIBC is not needed here, since nativesdk-glibc would be required for all non-glibc targetting SDKs as well. Fixes SDK install time error ERROR: OE-core's config sanity checker detected a potential misconfiguration. Either fix the cause of this error or at your own risk disable the checker (see sanity.conf). Following is the list of potential problems / advisories: Your system needs to support the en_US.UTF-8 locale. ERROR: SDK preparation failed (From OE-Core rev: 7b8f6388e0a1e1eab35918a3764e98553a2452f4) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Zang Ruochen	366e5937f3	libpcap: upgrade 1.9.0 -> 1.9.1 -libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch Removed since this is included in 1.9.1. (From OE-Core rev: d0e3d1f9437b2e2c6284d9fad51bb11ebe72a46c) Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [CVE-2018-16301 CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15164 CVE-2019-15165] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	2969279a63	procps: whitelist CVE-2018-1121 This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. (From OE-Core rev: afc529aa689daed18af29ecc64f3dae1fcbdc282) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Chen Qi	5982129110	webkitgtk: set CVE_PRODUCT (From OE-Core rev: 5fbf5eead50ab5a8cbacf277ddfff2eeca26f738) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	0931ac5431	libsndfile1: whitelist CVE-2018-13419 This is a memory leak that nobody else can replicate and has been rejected by upstream. (From OE-Core rev: 583990fc583a96dbf0655bff1630b2ebe199021d) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Chen Qi	33840314df	libxfont2: set CVE_PRODUCT (From OE-Core rev: ab5cc4a6119527e48299d7d6b7fac440c4b9bb6c) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	c1b31a5ce3	libpam: set CVE_PRODUCT (From OE-Core rev: c214c6c7c0f011c933da8b271630fd6833d84685) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	10662c6c3a	boost: set CVE vendor to Boost There's a Boost module for Drupal. (From OE-Core rev: e8ffa02f3efcf5303b8cf57eb29e498e816e63c0) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	fdbff91642	ed: set CVE vendor to avoid false positives (From OE-Core rev: 154e286042c289cbd225ba82aaf1247714aee857) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	7ee04f2c4b	subversion: set CVE vendor to Apache There's a Jenkins plugin for Subversion. (From OE-Core rev: 9b5437f9afb4dd1366d5e21ea861f683d8cd2a09) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	804ed96384	git: set CVE vendor to git-scm There's a Jenkins plugin for Git. (From OE-Core rev: 44d4dda6db56107d7ce900730b370a2ec81d9c30) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	775170b45c	flex: set CVE_PRODUCT to include vendor There are many projects called Flex and they have CVEs, so also set the vendor to remove these false positives. (From OE-Core rev: e128bd76ae9f4b30948e6b8fc68f4374e03c7bec) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Anuj Mittal	6b3469324e	openssl: set CVE vendor to openssl Differentiate it from openssl gem for Ruby. (From OE-Core rev: 925482bef72e80622e904ce437c5ebe8e78be338) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Alexander Kanavin	cc7bd25951	python: update to 2.7.17 Drop backports, rebase a couple of patches. This is the second last release of py 2.x; upstream support ends on 1 January 2020, there will be one final 2.x afterwards. Note that the only thing that still needs python 2.x in oe-core is u-boot; when the next u-boot update arrives, we should find out where the py3 migration is for that component before merging the update. (From OE-Core rev: 184b60eb905bb75ecc7a0c29a175e624d8555fac) (From OE-Core rev: 7009d823a0799ce7132bd77329b273a476718c8c) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> [Minor fixup for warrior context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Anuj Mittal	c8342197f8	python: fix CVE-2018-20852 (From OE-Core rev: 98cc3bfc6656b8648da591dcb64de8472e6c97e0) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Chen Qi	b9f8dfd5ac	python: fix CVE-2019-16935 (From OE-Core rev: 1a7593bcdaf8a8cf15259aee8a0e2686247f2987) (From OE-Core rev: 27fea8ea1da28bb3163b5d503e6d16948c50f2ae) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Kai Kang	56fc8c117d	bind: fix CVE-2019-6471 and CVE-2018-5743 Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind. CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the other 6 patches are for CVE-2018-5743. And backport one more patch to fix compile error on arm caused by these 6 commits. (From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6) (From OE-Core rev: 230a96ddecf940a7caee9e9268b21aa5f65a7f14) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Scott Rifenbark	023ff85a9a	mega-manual: Fixed broken mega-manual build for 2.7.2 Fixes YOCTO #13553 This bug is where the mega-manual will not build because the mega-manual.xml file is looking in the wrong directory in a poky checkout such as a customer would have. It worked in my local development environment for the manuals. I fixed by updating mega-manual.xml pathname used to construct the mega-manual to look in $HOME/yocto-docs/bitbake for the HTML files that make up the mega-manual. Prior, it was looking in $HOME/bitbake. This also meant that I changed my production environment to use $HOME/yocto-docs as the folder in which to keep the local bitbake repo. (From yocto-docs rev: ee29f61b92c5ca7dd56393cef5fcd3ff3fe243aa) Signed-off-by: Scott Rifenbark <srifenbark@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2019-12-09 12:03:01 +00:00

1 2 3 4 5 ...

54297 Commits