summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* python3-urllib3: Fix CVE-2020-26137 and CVE-2021-33503Ranjitsinh Rathod2022-04-183-2/+143
| | | | | | | | | | | | | | | Add patch to fix CVE-2020-26137 Link: https://ubuntu.com/security/CVE-2020-26137 Link: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch Add patch to fix CVE-2021-33503 Link: https://ubuntu.com/security/CVE-2021-33503 Link: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch Signed-off-by: Nikhil R <nikhil.r@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* polkit: fix overlapping changes in recent CVE patchesRalph Siemsen2022-04-182-33/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 17e931e77 ("polkit: fix CVE-2021-3560") contains - upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Commit 67ec3e049 ("polkit: Fix for CVE-2021-4115") contains both: - upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 (CVE-2021-3560) - upstream commit 41cb093f554da8772362654a128a84dd8a5542a7 (CVE-2021-4115) Thus the fix for CVE-2021-3560 is applied twice, resulting in warnings during do_patch. Curiously it neither fails nor complains about patch already applied. Also devtool silently discards the duplicate patch. Drop the duplicate patch, to resolve following warnings: WARNING: polkit-0.116-r0 do_patch: Fuzz detected: Applying patch 0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch patching file src/polkit/polkitsystembusname.c Hunk #1 succeeded at 438 with fuzz 2 (offset 3 lines). Applying patch CVE-2021-4115.patch patching file src/polkit/polkitsystembusname.c Hunk #4 succeeded at 439 with fuzz 2. Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* multipath-tools: update SRC_URIMinjae Kim2022-04-181-1/+1
| | | | | | | | The git repo for multipath-tools was changed, so update the SRC_URI accordingly with the new link. Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* geoip: Switch to use the main branchMingli Yu2022-04-181-1/+1
| | | | | | | | | | | Fix the below do_fetch warning: WARNING: geoip-1.6.12-r0 do_fetch: Failed to fetch URL git://github.com/maxmind/geoip-api-c.git, attempting MIRRORS if available Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df3ef158347072a409b4e276a9dab8c2e89350ec) [Fix up for dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: upgrade to 12.22.2Nisha Parrakat2022-04-181-1/+1
| | | | | | | upgrading to next maintainence LTS version Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* spirv-tools: update SRC_URI for googletest to mainArmin Kuster2022-04-181-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* breakpad: Update SRC_URI for protobuf and lssArmin Kuster2022-04-181-2/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* breakpad: fix branch for gtest in SRC_URIThomas Perrot2022-04-181-2/+2
| | | | | | | | | | The commit 4fe018038f87 is in the main branch, so the do_fetch task failed. Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b8bb7dc157b248802218fcf80215f80a6c7cd6f3) [Fix up for Dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cli11: switch from default master branch to main to fix do_fetch failureChristian Ege2022-04-181-1/+1
| | | | | | | The branch was renamed in the upstream repository Signed-off-by: Christian Ege <christian.ege@ifm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* imagemagick: update SRC_URI branch from master to mainDaniel Stadelmann2022-04-181-1/+1
| | | | | | | master branch in imagemagick was renamed to main (https://github.com/ImageMagick/ImageMagick). Similar change is already in master branch for version 7.0.10 (see 248739128389) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openjpeg: Fix multiple CVESana Kazi2022-03-2714-0/+754
| | | | | | | | | | | | | | | | | Add patch to fix below CVE: CVE-2019-12973 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845 Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* p7zip: Fix for CVE-2016-9296Virendra Thakur2022-03-272-0/+28
| | | | | | | Add patch to fix CVE-2016-9296 Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* polkit: fix CVE-2021-3560Mingli Yu2022-03-272-0/+34
| | | | | | | | | | | | | Backport a patch [1] to fix CVE-2021-3560. [1] https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Squashed together 6000f5a3b and 7f4f1ee71 Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: backport fix for CVE-2019-20372Ralph Siemsen2022-03-272-0/+41
| | | | | | | | | | | | | | Fixed an HTTP request smuggling with certain error_page configurations which could have allowed unauthorized web page reads. This issue affects nginx prior to 1.17.7, so only the recipe for 1.16.1 needs the patch applied. Fix is taken directly from https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* p7zip: refresh patchesArmin Kuster2022-03-272-42/+44
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* p7zip: build and package lib7z.so needed for fastbootNisha Parrakat2022-03-272-2/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | a) use option 7z to build the lib7z.so library This is needed for android-tools for building fastboot from android-tools b) Packaged the lib7z.so and codec libraries as a part of this recipe Fastboot RDepends on it lib7z.so c) Fixed a C++17 forbidden error when lib7z.so is built fixes the below error | ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)': | ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 | 308 | numMethods++; | | ^~~~~~~~~~ | ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 | 318 | numMethods++; Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com> Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Akash Hadke <Akash.Hadke@kpit.com> Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> (cherry picked from commit 3c36a8efe2a964c3aa9bfcd836cee3f80a837fcd) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* googletest: Switch branch from master to mainPeter Kjellerstedt2022-03-271-1/+1
| | | | | | | | | The master branch has been renamed to main in the github repo. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* protobuf: fix patch fuzzRoss Burton2022-03-271-8/+17
| | | | | | | | | | | | | Applying patch CVE-2021-22570.patch patching file src/google/protobuf/descriptor.cc Hunk #1 succeeded at 2603 with fuzz 1 (offset -23 lines). Hunk #2 succeeded at 2817 with fuzz 1 (offset -14 lines). Hunk #3 succeeded at 4006 (offset -17 lines). Hunk #4 succeeded at 4050 (offset -18 lines). Hunk #5 succeeded at 4368 (offset -18 lines). Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: Add fix for CVE-2020-24265 and CVE-2020-24266Akash Hadke2022-03-272-1/+39
| | | | | | | | | | Add below patch to fix CVE-2020-24265 and CVE-2020-24266 CVE-2020-24265-and-CVE-2020-24266.patch Link: https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pw-am.sh: update to new patcwork systemArmin Kuster2022-03-271-1/+1
| | | | | | | | | Point to patchwork.yoctoproject.org Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8b8bfbcadf188cd5b234358590764e20d03d7861) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* polkit: Fix for CVE-2021-4115Ranjitsinh Rathod2022-03-273-0/+121
| | | | | | | | | | Add patch to fix CVE-2021-4115 Also, add a support patch to cleanly apply CVE patch Link: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/109 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* protobuf: Fix CVE-2021-22570Sana Kazi2022-02-232-0/+65
| | | | | | | | | | | | | | | | Fix CVE-2021-22570. Link: https://koji.fedoraproject.org/koji/buildinfo?buildID=1916865 Link: https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch Remove first and second hunk because the second argument in InsertIfNotPresent() function is of type const char* const& but the first and second hunk makes the type of second argument as const string which is not compatible with the type of second argument in InsertIfNotPresent(). Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cryptsetup: Add runtime dependency on lvm2-udevrules for udevKristian Klausen2022-02-231-1/+1
| | | | | | | | | | | | Without the udevrules cryptsetup luksOpen will be hanging with "Udev cookie 0xd4de0f6 (semid 5) waiting for zero". Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 32f1d758a14bba35d67a75778ae747f1ff5c5482) [Minor fixup for Dunfell] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* graphviz: native: create /usr/lib/graphviz/config6 in populate_sysrootChristian Eggers2022-02-201-0/+11
| | | | | | | | | | | | | | | | | The `dot` tool requires to be run once after installation in order to create its configuration file. The do_prepare_recipe_sysroot task uses do_populate_sysroot in order to prepare the recipe-sysroot-native. Package postinstall scripts are not executed for -native packages, but files under ${BINDIR}/postinst-* are. This is quite the same as graphviz-setup.sh does for nativesdk. The general idea has been taken from OECORE/meta/classes/pixbufcache.bbclass. Signed-off-by: Christian Eggers <ceggers@arri.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Add fix for CVE-2022-22747Ranjitsinh Rathod2022-02-132-0/+64
| | | | | | | | Add a patch to fix CVE-2022-22747 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Add fix of CVE-2021-45079Ranjitsinh Rathod2022-02-132-0/+157
| | | | | | | | Add a patch to fix CVE-2021-45079 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix for CVE-2021-44532Virendra Thakur2022-02-062-0/+3091
| | | | | | | | Add patch to fix CVE-2021-44532 Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linuxptp: Update to 2.0.1Robert Joslyn2022-02-061-3/+2
| | | | | | | Fixes CVE-2021-3570 and CVE-2021-3571 Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* p7zip: fix for CVE-2018-5996Virendra Thakur2022-02-062-0/+227
| | | | | | | Add patch to fix CVE-2018-5996 Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* udisks2: Fix for CVE-2021-3802Virendra Thakur2022-01-292-0/+64
| | | | | | | Add patch to fix CVE-2021-3802 Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dbus-daemon-proxy: add missing `return` statementLeif Middelschulte2022-01-291-1/+1
| | | | | | | | | The missing `return` statement leads to a `SIGABRT`. Signed-off-by: Leif Middelschulte <Leif.Middelschulte@klsmartin.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 77479e1c9b7bffb6ad89ae68f80605ad1c65ea75) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* CVE-2021-4034: polkit Local privilege escalation in pkexec due to incorrect ↵Jeremy Puhlman2022-01-272-0/+75
| | | | | | | | | | handling of argument vector Upstream-Status: Backport CVE: CVE-2021-4034 Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: bump PV in recipe to 1.16.1Armin Kuster2022-01-271-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Update to 3.2.18Armin Kuster2022-01-262-2/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Source: wireshark.org MR: 114425, 114409, 114441, 114269, 114417, 114311, 114449 Type: Security Fix Disposition: Backport from wireshark.org ChangeID: 8663cdebb2f10ee84817e5199fa3be0acb715af9 Description: This is a bugfix only update. Addresses these CVES: wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929. wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925. wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924. wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684. CVE-2021-39920, CVE-2021-39923. wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922. wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928. wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921. Signed-off-by: Armin Kuster <akuster@mvista.com> --- V2] Fixes: /build/run/lemon: Exec format error revert "cmake: lemon: fix path to internal lemon tool" so the wireshark-native version is instead. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Fix for CVE-2021-41990 and CVE-2021-41991Virendra Thakur2022-01-223-0/+105
| | | | | | | Add patch to fix CVE-2021-41990 and CVE-2021-41991 Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* netcat: Set CVE_PRODUCTAndre Carvalho2022-01-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | This way yocto cve-check can find open CVE's. See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html "Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping with after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages." Value added is based on: https://nvd.nist.gov/products/cpe/search/results?keyword=netcat&status=FINAL&orderBy=CPEURI&namingFormat=2.3 Signed-off-by: Andre Carvalho <andrestc@fb.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* apache2: upgrade 2.4.51 -> 2.4.52wangmy2022-01-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications. *) OpenSSL autoconf detection improvement: pick up openssl.pc in the specified openssl path. *) mod_proxy_connect, mod_proxy: Do not change the status code after we already sent it to the client. *) mod_http: Correctly sent a 100 Continue status code when sending an interim response as result of an Expect: 100-Continue in the request and not the current status code of the request. PR 65725 *) mod_dav: Some DAV extensions, like CalDAV, specify both document elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure by calling dav_get_liveprop_element(). *) mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too. *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. *) mod_http2: fixes 2 regressions in server limit handling. 1. When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection send a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. See PR65731. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced. 2. A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See <https://github.com/icing/mod_h2/issues/212>. *) mod_ssl: Add build support for OpenSSL v3. *) mod_proxy_connect: Honor the smallest of the backend or client timeout while tunneling. *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP half-close forwarding when tunneling protocols. *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by a third-party module. PR 65627. *) mod_md: Fix memory leak in case of failures to load the private key. PR 65620 *) mod_md: adding v2.4.8 with the following changes - Added support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the server with the value for key identifier and hmac as provided by your CA. While working on some servers, EAB handling is not uniform across CAs. First tests with a Sectigo Certificate Manager in demo mode are successful. But ZeroSSL, for example, seems to regard EAB values as a one-time-use-only thing, which makes them fail if you create a seconde account or retry the creation of the first account with the same EAB. - The directive 'MDCertificateAuthority' now checks if its parameter is a http/https url or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' for now and they are not case-sensitive. The default of LetsEncrypt is unchanged. - `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section. - Treating 401 HTTP status codes for orders like 403, since some ACME servers seem to prefer that for accessing oders from other accounts. - When retrieving certificate chains, try to read the repsonse even if the HTTP Content-Type is unrecognized. - Fixed a bug that reset the error counter of a certificate renewal and prevented the increasing delays in further attempts. - Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See <https://github.com/icing/mod_md/issues/268> - Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. *) mod_md: values for External Account Binding (EAB) can now also be configured to be read from a separate JSON file. This allows to keep server configuration permissions world readable without exposing secrets. *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. PR 65616. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ea76fc643713915a1618597be8bdbe0e4a3d993e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postfix: upgrade 3.4.12 -> 3.4.23Yi Zhao2021-12-311-2/+2
| | | | | | | Changelog: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.20.HISTORY Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* postfix: fix build with glibc 2.34Yi Zhao2021-12-312-0/+47
| | | | | | | | | | | | | | | | | | Backport a patch to fix build against glibc 2.34 (e.g. on Fedora 35) Fixes: | In file included from attr_clnt.c:88: | /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’ | 363 | extern void closefrom (int __lowfd) __THROW; | | ^~~~~~~~~ | In file included from attr_clnt.c:87: | ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’ | 1506 | extern int closefrom(int); | | ^~~~~~~~~ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* dovecot: refresh patchesstable/dufell-nutArmin kuster2021-12-273-22/+18
| | | | Signed-off-by: Armin kuster <akuster808@gamil.com>
* postgresql: Update to 12.9Robert Joslyn2021-12-272-4/+4
| | | | | | | | | | | | | | | | | | Bug and security fixes. Fix patch fuzz as well to remove bitbake warning. Release notes available at: https://www.postgresql.org/docs/release/12.8/ https://www.postgresql.org/docs/release/12.9/ 12.8 fixes: CVE-2021-3677 12.9 fixes: CVE-2021-23214 CVE-2021-23222 Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libmicrohttpd: Add patch to fix CVE-2021-3466Ernst Sjöstrand2021-12-272-1/+160
| | | | | | | | | | Extract patch from the 0.9.71 release commit. Upstream-Status: Backport CVE: CVE-2021-3466 Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Fix CVE-2021-43527sana kazi2021-12-182-0/+284
| | | | | | | | Add patch to fix CVE-2021-43527 which causes heap overflow in nss. Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: switch from master to mainJeremy Puhlman2021-12-181-1/+1
| | | | | Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* brotli: add patch to fix CVE-2020-8927Spectrejan2021-12-032-1/+47
| | | | | | | | | | Port patch to fix CVE-2020-8927 for brotli from Debian Buster CVE: CVE-2020-8927 Signed-off-by: Jan Kraemer <jan@spectrejan.de> [Fixup to apply with URL changes] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: Fix CVE-2020-12674sana kazi2021-12-032-0/+31
| | | | | | | | | | Added patch for CVE-2020-12674 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: Fix CVE-2020-12673sana kazi2021-12-032-0/+38
| | | | | | | | | | Added patch for CVE-2020-12673 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: Fix CVE-2020-12100sana kazi2021-12-0315-0/+1264
| | | | | | | | | | Added patches to fix CVE-2020-12100 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* jansson: whitelist CVE-2020-36325Marta Rybczynska2021-11-301-0/+3
| | | | | | | | | | According to the upstream [1], the bug happens only if the programmer does not follow the API definition. [1] https://github.com/akheron/jansson/issues/548 Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sdbus-c++: don't fetch googletest during do_configureMartin Jansa2021-11-182-3/+102
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * with PTEST_ENABLED it enables with-tests PACKAGECONFIG which instead of using system googletest gmock, tries to fetch googletest from github and fails because branch was recently renamed from master to main | -- Found PkgConfig: /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/pkg-config (found version "0.29.2") | -- Checking for module 'libsystemd>=236' | -- Found libsystemd, version 249 | -- Building with tests | Fetching googletest... | [1/9] Creating directories for 'googletest-populate' | [1/9] Performing download step (git clone) for 'googletest-populate' | Cloning into 'googletest-src'... | fatal: invalid reference: master | CMake Error at googletest-subbuild/googletest-populate-prefix/tmp/googletest-populate-gitclone.cmake:40 (message): | Failed to checkout tag: 'master' | | | FAILED: googletest-populate-prefix/src/googletest-populate-stamp/googletest-populate-download | cd /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps && /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/cmake -P /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps/googletest-subbuild/googletest-populate-prefix/tmp/googletest-populate-gitclone.cmake && /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/cmake -E touch /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps/googletest-subbuild/googletest-populate-prefix/src/googletest-populate-stamp/googletest-populate-download | ninja: build stopped: subcommand failed. | | CMake Error at /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:989 (message): | Build step for googletest failed: 1 | Call Stack (most recent call first): | /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:1118:EVAL:2 (__FetchContent_directPopulate) | /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:1118 (cmake_language) | tests/CMakeLists.txt:17 (FetchContent_Populate) | | | -- Configuring incomplete, errors occurred! * unfortunately this backported patch fixes the fetching failure, because it uses release-${GOOGLETEST_VERSION} tag instead of now non-existent master branch, but is not enough to prevent fetching from github during do_configure: -- Building with tests -- Could NOT find GTest (missing: GTest_DIR) -- Checking for module 'gmock>=1.10.0' -- No package 'gmock' found Fetching googletest... we also need to add googletest dependency to with-tests PACKAGECONFIG was fixed in meta-oe/master with the upgrade to 1.0.0: https://github.com/openembedded/meta-openembedded/commit/b26b66e5da92718b4e99a57fbfaaef9e751c3cfe#diff-48a847e7323703994fd2ce0fcb731ff860fa955a77cdfe39d71a9cc84a042c06L15 then it's ok and not fetching: -- Building with tests -- Looking for pthread.h -- Looking for pthread.h - found Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>