Steve Sakoman [Tue, 22 Mar 2022 17:49:46 +0000 (07:49 -1000)]
libsolv: fix CVE: CVE-2021-44568-71 and CVE-2021-44573-77
The existing patch for CVE-2021-3200 also fixes CVE-2021-44568 through
CVE-2021-44671 and CVE-2021-44573 through CVE-2021-44677, so update
CVE tags in patch to reflect this.
Richard Purdie [Thu, 17 Mar 2022 21:05:15 +0000 (21:05 +0000)]
oeqa/selftest/tinfoil: Improve tinfoil event test debugging
We still see occasional test failures for unknown reasons. Add some debugging to
show whether the matching files event was received even if the command complete wasn't.
Also ensure any commandfailed/commandexit event is shown.
This will hopefully aid debugging the next time the issue occurs.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f7a788bb51ef09ee23c94176285437ea760fab7) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Sat, 12 Mar 2022 13:44:03 +0000 (13:44 +0000)]
oeqa/runtime/ping: Improve failure message to include more detail
When the ping test fails due to a timeout we only get limited debug
information. Tweak the code to improve that in case it sheds any light
on intermittent failures.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d81704057950e1970ef7f673fa771834fd2b3f1e) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Wed, 23 Feb 2022 15:50:40 +0000 (15:50 +0000)]
python3targetconfig: Use for nativesdk too
nativesdk is a cross compiled target and therefore should use the target
config, not the native one. Copy the target entries accordingly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1b5fec350b390fa7f2d26966df1411b032faf87) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 93a335993ce592a8ee34fc9a490e327f2775e03f) Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update:
year updated to 2022
Version of some driver files updated
Added files for some drivers
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be1b1d204c89035c54a626db46c5054e553b82c2) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ovidiu Panait [Sun, 20 Mar 2022 09:25:36 +0000 (11:25 +0200)]
openssl: upgrade 1.1.1l -> 1.1.1n
Upgrade openssl 1.1.1l -> 1.1.1n to fix CVE-2022-0778:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
This also fixes an evp_extra_test ptest failure introduced by openssl-1.1.1m:
"""
not ok 19 - test_signatures_with_engine
ERROR: (ptr) 'e = ENGINE_by_id(engine_id) != NULL' failed @ ../openssl-1.1.1m/test/evp_extra_test.c:1890
0x0
not ok 20 - test_cipher_with_engine
<snip>
"""
The ptest change is already present in Yocto master since oe-core
commit 5cd40648b0ba ("openssl: upgrade to 3.0.1").
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ralph Siemsen [Fri, 11 Mar 2022 16:58:54 +0000 (11:58 -0500)]
libxml2: move to gitlab.gnome.org
The project has migrated from www.xmlsoft.org to gitlab.gnome.org.
Update the homepage accordingly, and use gnomebase to construct the
download URL, rather than including it in SRC_URI explicitly.
Note that the download is now in .xz format rather than .gz, so the
sha256sum is updated accordingly. Post-decompression tarballs are
identical, so there is no change to the libxml2 code.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8bc17ceb997f8f31a03e5f5efc41c03ef1df3add) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ralph Siemsen [Thu, 10 Mar 2022 18:32:34 +0000 (13:32 -0500)]
bind: update to 9.11.36
Security Fixes
The lame-ttl option controls how long named caches certain types of
broken responses from authoritative servers (see the security advisory
for details). This caching mechanism could be abused by an attacker to
significantly degrade resolver performance. The vulnerability has been
mitigated by changing the default value of lame-ttl to 0 and overriding
any explicitly set value with 0, effectively disabling this mechanism
altogether. ISC's testing has determined that doing that has a
negligible impact on resolver performance while also preventing abuse.
Administrators may observe more traffic towards servers issuing certain
types of broken responses than in previous BIND 9 releases, depending on
client query patterns. (CVE-2021-25219)
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. [GL #2899]
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
When executing the daemon test on Arm64 and x86 with Debian (Buster)
distro, both skip the test case with the log:
Changes tools/perf/tests/shell/daemon.sh to be explicitly bash
(it was already required, but was just skipped on various
distros).
We add it into our RDEPENDS for perf-tests to fixup 5.12+
builds.
We already have relatively heavy RDEPENDS for perf tests (python3), so
adding bash into the RDEPENDS isn't signifcant even for older perf
builds that use the same recipe.
(cherry picked from commit 159cdb159ad0e9d3ed73cfc07f9acd5c0b608e7b) Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
sana kazi [Wed, 9 Mar 2022 11:59:32 +0000 (17:29 +0530)]
tiff: Add backports for two CVEs from upstream
Based on commit from master
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6ae14b4ff7a655b48c6d99ac565d12bf8825414f) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Mon, 7 Mar 2022 17:00:18 +0000 (17:00 +0000)]
vim: Update to 8.2.4524 for further CVE fixes
Includes CVE-2022-0696, CVE-2022-0714, CVE-2022-0729.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0d29988958e48534a0076307bb2393a3c1309e03) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Jose Quaresma [Sun, 6 Mar 2022 21:08:23 +0000 (21:08 +0000)]
sstate: inside the threadedpool don't write to the shared localdata
When inside the threadedpool we make a copy of the localdata
to avoid some race condition, so we need to use this new
localdata2 and stop write the shared localdata.
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90fe6948a9df0b43c58120a9358adb3da1ceb5b9) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Sat, 19 Dec 2020 11:20:31 +0000 (11:20 +0000)]
systemd: Ensure uid/gid ranges are set deterministically
meson.build will fall back to greping /etc/login.defs for values of these
if they're not set. Different distros set them (Centos 7/8 does, Ubuntu
does not) so output was not deterministic. Avoid this by setting to the
default values. We now match the vaules from login.defs from shadow.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 77a6ac0ac266d71e4fe67fd332662081f30cd7bf) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Michael Halstead [Fri, 11 Feb 2022 18:10:45 +0000 (10:10 -0800)]
uninative: Upgrade to 3.5
Add support for glibc 2.35.
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 347b8c87fb4e2c398644f900728cf6e22ba4516d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Fri, 12 Nov 2021 13:51:09 +0000 (13:51 +0000)]
uninative: Add version to uninative tarball name
uninative works via hashes and doesn't need the version in the tarball name but
it does make things easier to inspect in DL_DIR. There were reasons such as
ease of publication of the build tarballs but we can handle those differently
now and the signature issues from the early code aren't an issue now. From 3.4
onwards we can use a version'd name.
[YOCTO #12970]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dadba70d6a24d8ebb5576598efffa973151c7218) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Jose Quaresma [Wed, 2 Mar 2022 00:45:27 +0000 (00:45 +0000)]
buildhistory.bbclass: create the buildhistory directory when needed
When the BUILDHISTORY_RESET is enabled we need to move the
content from BUILDHISTORY_DIR to BUILDHISTORY_OLD_DIR but
when we start a clean build in the first run we don't have the
BUILDHISTORY_DIR so the move of files will fail.
| ERROR: Command execution failed: Traceback (most recent call last):
| File "/xxx/poky/bitbake/lib/bb/command.py", line 110, in runAsyncCommand
| commandmethod(self.cmds_async, self, options)
| File "/xxx/poky/bitbake/lib/bb/command.py", line 564, in buildTargets
| command.cooker.buildTargets(pkgs_to_build, task)
| File "/xxx/poky/bitbake/lib/bb/cooker.py", line 1481, in buildTargets
| bb.event.fire(bb.event.BuildStarted(buildname, ntargets), self.databuilder.mcdata[mc])
| File "/xxx/home/builder/src/base/poky/bitbake/lib/bb/event.py", line 214, in fire
| fire_class_handlers(event, d)
| File "/xxx/poky/bitbake/lib/bb/event.py", line 121, in fire_class_handlers
| execute_handler(name, handler, event, d)
| File "/xxx/poky/bitbake/lib/bb/event.py", line 93, in execute_handler
| ret = handler(event)
| File "/xxx/poky/meta/classes/buildhistory.bbclass", line 919, in buildhistory_eventhandler
| entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
| FileNotFoundError: [Errno 2] No such file or directory: '/xxx/buildhistory'
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 97bc2168da7dbacdfbf79cd70db674363ab84f6b) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Sun, 20 Feb 2022 14:05:36 +0000 (14:05 +0000)]
libxml-parser-perl: Add missing RDEPENDS
Running the ptest package in an image alone highlighted missing module
dependencies. Add them to fix those errors.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3859f49db2d694c7b63fdbe25be0018afba5c738) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Nathan Rossi [Tue, 1 Mar 2022 23:55:32 +0000 (00:55 +0100)]
cml1.bbclass: Handle ncurses-native being available via pkg-config
The linux kernel will by default use pkg-config to get ncurses(w) paths,
falling back to absolute path checks otherwise. If the build host does
not have ncurses installed this will fail as pkg-config will not search
the native sysroot for ncurses.
To more all kernel/kconfig sources, inject the equivalent native
pkg-config variables similar to what is done by the pkg-config-native
script. This only affects the menuconfig python task itself and the
oe_terminal call inside it.
(cherry picked from commit abb95c421bb67d452691819e3f63dabd02e2ba37) Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
wangmy [Wed, 23 Feb 2022 13:41:54 +0000 (21:41 +0800)]
wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5c06ddfd3c0db0d0762c0241c019f59ad310e53) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e60d149b41d14d177df20dbecaef943696df1586) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Wed, 23 Feb 2022 12:54:31 +0000 (12:54 +0000)]
cve-check: get_cve_info should open the database read-only
All of the function in cve-check should open the database read-only, as
the only writer is the fetch task in cve-update-db. However,
get_cve_info() was failing to do this, which might be causing locking
issues with sqlite.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8de517238f1f418d9af1ce312d99de04ce2e26fc) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Wed, 23 Feb 2022 13:07:50 +0000 (13:07 +0000)]
coreutils: remove obsolete ignored CVE list
Three CVEs were meant to be ignored via CVE_WHITELIST, but that wasn't
the correct variable name.
The CPEs for those CVEs mean that they don't get picked up in our report,
so just remove the assignment.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dea00faf30ec7c19b6b5ed4651b430ba3faf69ff) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Steve Sakoman [Mon, 28 Feb 2022 15:15:13 +0000 (05:15 -1000)]
expat: fix CVE-2022-25235
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain
validation of encoding, such as checks for whether a UTF-8 character
is valid in a certain context.
Minjae Kim [Sat, 26 Feb 2022 20:55:34 +0000 (20:55 +0000)]
go: fix CVE-2022-23806
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Upstream-Status: Backport [https://go.dev/issue/50974]
CVE: CVE-2022-23806
Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Marta Rybczynska [Fri, 18 Feb 2022 10:05:22 +0000 (11:05 +0100)]
grub: add structure initialization in zstd
This patch adds initialization of a structure in grub's zstd, which
might be left uninitialized by the compiler. It is a part of a security
series [1].
Marta Rybczynska [Fri, 18 Feb 2022 10:05:13 +0000 (11:05 +0100)]
grub: add a fix for malformed device path handling
This change fixes the malformed device paths in EFI handling.
Device paths of length 4 or shorter could cause different
kinds of unexpected behaviours.
This patch is NOT a part of [1], but is a dependency of one
of the patches included in the series.
Chee Yang Lee [Wed, 23 Feb 2022 06:17:30 +0000 (14:17 +0800)]
ruby: 2.7.4 -> 2.7.5
This release includes security fixes.
CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
CVE-2021-41816: Buffer Overrun in CGI.escape_html
CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a patch to fix CVE-2021-4160
The issue only affects OpenSSL on MIPS platforms. Link: https://security-tracker.debian.org/tracker/CVE-2021-4160 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Sun, 20 Feb 2022 14:51:40 +0000 (14:51 +0000)]
vim: Upgrade 8.2.4314 -> 8.2.4424
License file had some grammar fixes.
Includes CVE-2022-0554.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8d0a4026359c2c8a445dba9456f8a05470293c1) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Sun, 6 Feb 2022 20:52:43 +0000 (20:52 +0000)]
vim: Upgrade 4269 -> 4134
License text underwent changes on how to submit Uganda donations, switch from http
to https urls and an update date change but the license itself is unchanged.
Also, add an entry for the top level license file. This is also the vim license
so LICENSE is unchanged but we should monitor it too.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d195005e415b0b2d7c8b0b65c0aef888d4d6fc8e) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Mon, 31 Jan 2022 12:44:07 +0000 (12:44 +0000)]
vim: upgrade to patch 4269
Upgrade to the latest patch release to fix the following CVEs:
- CVE-2022-0261
- CVE-2022-0318
- CVE-2022-0319
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96442e681c3acd82b09e3becd78e902709945f1f) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Also remove the explicit whitelisting of CVE-2021-3968 as this is now
handled with an accurate CPE specifying the fixed version.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 764519ad0da6b881918667ca272fcc273b56168a) Signed-off-by: Steve Sakoman <steve@sakoman.com>
vim: do not report upstream version check as broken
As upstream tags point releases with every commit and
the version check still reports 8.2, it should not be considered
broken (e.g. current version newer than latest version)
until 8.3 is released.
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 11d8ee09b1bdec4824203dc0169093b2ae9d101a) Signed-off-by: Steve Sakoman <steve@sakoman.com>
projects / thirdparty / openembedded / openembedded-core-contrib.git / log
