summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix missing leading whitespace with ':append'Niko Mauno2023-01-292-2/+2
| | | | | | | | | | | | Mitigate occurences where ':append' operator is used and leading whitespace character is obviously missing, risking inadvertent string concatenation. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6a87f2ba9cdd4b9689b0d1c86b2e99071d1e069b) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nftables: Fix missing leading whitespace with ':append'Niko Mauno2023-01-291-1/+1
| | | | | | | | | | | | Mitigate occurence where ':append' operator is used and leading whitespace character is obviously missing, risking inadvertent string concatenation. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d25967208bc8c4b1e2099e34150a67508744e4b9) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* grpc: upgrade 1.45.2 -> 1.46.6Andrej Valek2023-01-291-2/+2
| | | | | | | | Backporting the version from master (1.50.1) would a big risk. So use the version 1.46.6 which also includes fixes of bundled z-lib library. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: 7.0.5 -> 7.0.7Changqing Li2023-01-252-10/+12
| | | | | | | | | This upgrade include fix for CVE-2022-3647 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d869383b0f9848a07ab3d7fbb5b7f687dce7744a) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: upgrade 7.0.4 to 7.0.5Changqing Li2023-01-251-1/+1
| | | | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c8d9407eec21e1eb3e34b66cac8d11fe13c6e63e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsingHitendra Prajapati2023-01-252-0/+111
| | | | | | | Upstream-Status: Backport from https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer ExceptionHitendra Prajapati2023-01-252-0/+117
| | | | | | | Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: 6.2.7 -> 6.2.8Changqing Li2023-01-252-7/+10
| | | | | | | This upgrade include fix for CVE-2022-3647 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* kernel_add_regdb: Change the task orderHermes Zhang2023-01-191-1/+1
| | | | | | | | The kernel_add_regdb should run before do_compile to make it take effect. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* zsh: Fix CVE-2021-45444Chee Yang Lee2023-01-194-1/+282
| | | | | | | backport patch from debian Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postfix: upgrade 3.6.5 -> 3.6.7Yi Zhao2023-01-121-1/+1
| | | | | | | | Changelog: http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.6.7.HISTORY Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* zabbix: fix CVE-2022-43515,CVE-2022-46768Changqing Li2023-01-123-0/+92
| | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* multipath-tools: fix QA "dev-so" regressionS. Lockwood-Childs2023-01-101-1/+1
| | | | | | | | | | | | | | the commit addressing CVE-2022-41973 caused new QA errors due to .so symlinks getting slurped into multipath-tools-libs: QA Issue: non -dev/-dbg/nativesdk- package multipath-tools-libs contains symlink .so '/usr/lib/libdmmp.so' ... Fix this by making the new pattern for multipath-tools-libs package more specific. Signed-off-by: S. Lockwood-Childs <sjl@vctlabs.com>
* mariadb: Upgrade to 10.7.7Mingli Yu2023-01-044-419/+2
| | | | | | | Remove the backported patch mariadb-openssl3.patch. Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: not use qemu to run cross-compiled binariesMingli Yu2023-01-045-15/+116
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The build fails when use qemu to run build for amd64 as below: | make -f libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build.make libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/depend | make -f libmariadb/libmariadb/CMakeFiles/libmariadb.dir/build.make libmariadb/libmariadb/CMakeFiles/libmariadb.dir/depend | make[2]: Entering directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build' | cd /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build && /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/recipe-sysroot-native/usr/bin/cmake -E cmake_depends "Unix Makefiles" /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/mariadb-10.7.4 /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/mariadb-10.7.4/libmariadb/libmariadb /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/DependInfo.cmake --color= | make[2]: Leaving directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build' | make -f libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build.make libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build | Illegal instruction (core dumped) | make[2]: *** [sql/CMakeFiles/GenServerSource.dir/build.make:76: sql/lex_hash.h] Error 132 | make[2]: *** Deleting file 'sql/lex_hash.h' | make[2]: Entering directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build' | [ 8%] Linking C static library libmariadbclient.a | cd /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb && /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/recipe-sysroot-native/usr/bin/cmake -P CMakeFiles/mariadbclient.dir/cmake_clean_target.cmake | Illegal instruction (core dumped) | Illegal instruction (core dumped) | make[2]: *** [scripts/CMakeFiles/GenFixPrivs.dir/build.make:78: scripts/mysql_fix_privilege_tables_sql.c] Error 132 So don't use qemu to run cross-compiled binaries. Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4facf6815c4d10a4c7a373d81056af2533d0df12) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] ↵Siddharth Doshi2023-01-042-0/+783
| | | | | | | | | | | CVE-2022-45063 Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322] CVE: CVE-2022-45063 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xfce4-settings: 4.16.2 -> 4.16.5Polampalli, Archana2022-12-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It fixes CVE-2022-45062 in xfce4-settings 4.16.5. CVE: CVE-2022-45062 $ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5 | grep -v "Update translation" 83ea11cf Updates for release f1cb5bda mime-settings: Properly quote command parameters f7707d8b Revert "Escape characters which do not belong into an URI/URL (Issue #390)" b532324f Back to development b9729c85 Updates for release 55e3c5fb Escape characters which do not belong into an URI/URL (Issue #390) 341443f8 Prefer full command when basic command is env (Fixes #358) 8d4106b3 Back to development 024399b1 Updates for release af601e32 build: Fix intltool lock file problem during make distcheck 0875cfba xfsettingsd: Fix recursive lock in libX11 (Fixes #369) 20d866dc Back to developmen Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> [ alt summary 4.16.5 (2022-11-12) ====== - mime-settings: Properly quote command parameters - Revert "Escape characters which do not belong into an URI/URL (Issue 4.16.4 (2022-11-07) ====== - Escape characters which do not belong into an URI/URL (Issue #390) - Prefer full command when basic command is env (Fixes #358) - Translation Updates: Japanese, Portuguese, Russian 4.16.3 ====== - xfsettingsd: Fix recursive lock in libX11 (Fixes #369) - build: Fix intltool lock file problem during make distcheck - Translation Updates: Armenian (Armenia), Belarusian, Catalan, English (Canada), English (United Kingdom), Estonian, Galician, Greek, Indonesian, Kazakh, Korean, Lithuanian, Malay, Occitan (post 1500), Polish, Romanian, Swedish ] Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: Upgrade to 8.1.12Mingli Yu2022-12-261-1/+1
| | | | | | | | | This is a security release[1]. [1] https://www.php.net/ChangeLog-8.php#8.1.12 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Nodejs: Fixed python3 DeprecationWarningArchana Polampalli2022-12-202-1/+37
| | | | | | | Distutils package and pipes are deprecated and slated for removal in Python 3.13 for Nodejs 16.18 Replaced distutils with setuptools Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
* multipath-tools:fix CVE-2022-41973Yogita Urade2022-12-202-0/+163
| | | | | | | | | | | | | | | /dev/shm may have unsafe permissions. Use /run instead. Use systemd's tmpfiles.d mechanism to create /run/multipath early during boot. For backward compatibilty, make the runtime directory configurable via the "runtimedir" make variable. References: https://nvd.nist.gov/vuln/detail/CVE-2022-41973 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Fix collections.abc deprecation warning in downloadutils Warning appears as:Narpat Mali2022-12-202-2/+44
| | | | | | | | | | | tests/test_downloadutils.py::test_stream_response_to_specific_filename requests_toolbelt/downloadutils/stream.py:161: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working if path and isinstance(getattr(path, 'write', None), collections.Callable): Upstream-Status: Backport [https://github.com/requests/toolbelt/commit/7188b06330e5260be20bce8cbcf0d5ae44e34eaf] Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dool: Add patch to fix rebuildAlexander Stein2022-12-112-0/+262
| | | | | | | | | When cleaning the package during rebuild in base_do_configure() 'make clean' deletes docs/dool.1. This files comes from source repository but can't be recreated using 'make docs'. Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-protobuf: upgrade 3.20.0 -> 3.20.3He Zhe2022-12-111-1/+1
| | | | | Signed-off-by: He Zhe <zhe.he@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* protobuf: upgrade 3.19.4 -> 3.19.6He Zhe2022-12-111-1/+1
| | | | | Signed-off-by: He Zhe <zhe.he@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Nodejs - Upgrade to 16.18.1Archana Polampalli2022-11-196-268/+27
| | | | | | | | | * Drop Openssl legacy provider patch and install both binaries patch which are already available in 16.x * Refresh native binaries patch against 16.x base Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-oauthlib: upgrade 3.2.0 -> 3.2.2Narpat Mali2022-11-191-1/+1
| | | | | | | | | | | | | | | | | | | As per CVE reference, version 3.2.1 fixes the CVE-2022-36087 issue. But after upgrading the python3-oauthlib version to 3.2.1, observed that the vulnerable code lines are still available. The same observations were reported here in github at https://github.com/oauthlib/oauthlib/issues/837 and found that it was a mistake during 3.2.1 release preparation and due to which vulnerable code was still existing in 3.2.1 source code. To fix CVE-2022-36087 issue, we need to upgrade python3-oauthlib to 3.2.2 version and here are the changelog of version 3.2.2 https://github.com/oauthlib/oauthlib/blob/v3.2.2/CHANGELOG.rst Reference : https://nvd.nist.gov/vuln/detail/CVE-2022-36087 Upstream fix : https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: build with USE_SYSTEMD=yes when systemd is enabledZheng Qiu2022-11-192-2/+7
| | | | | | | | | | | | | Compile redis with full systemd support when the chosen init system is systemd. Enabling systemd supervision allows redis to communicate the actual server status (i.e. "Loading dataset", "Waiting for master<->replica sync") to systemd, instead of declaring readiness right after initializing the server process. Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ↵Hitendra Prajapati2022-11-192-1/+322
| | | | | | | | | ngx_http_mp4_module Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the libcap and nss PACKAGECONFIGsPeter Kjellerstedt2022-11-121-4/+4
| | | | | | | | | | | | There is no need for these configs on their own and they would only mess up the sechash and privdrop configs. To actually enable sechash one also had to enable nss, and to enable privdrop one also had to enable libcap. This also avoids passing --with-libcap if privdrop is enabled since the option does not exist. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the readline PACKAGECONFIGPeter Kjellerstedt2022-11-121-9/+4
| | | | | | | | | Support for readline was dropped in Chrony 4.2. Enabling the readline PACKAGECONFIG would result in no suppport for command line editing as only editline is supported and it would be disabled. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: CVE-2022-40617 A possible DoS in Using Untrusted URIs for ↵Hitendra Prajapati2022-11-122-0/+158
| | | | | | | | | | | Revocation Checking Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2022-40617 Affects "strongswan < 5.9.8" Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dhcp: Fix CVE-2022-2928 & CVE-2022-2929Hitendra Prajapati2022-11-123-0/+162
| | | | | | | | | | | | | | | | Source: https://downloads.isc.org/isc/dhcp MR: 122791, 122806 Type: Security Fix Disposition: Backport from https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/ ChangeID: e90f768e445b7d41b86f04c634cc125546998f0f Description: Fixed CVEs: 1. CVE-2022-2928 2. CVE-2022-2929 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* re2: fix branch name from master to mainMartin Jansa2022-11-021-1/+1
| | | | | | | | | | re2 $ git branch -a --contains 166dbbeb3b0ab7e733b278e8f42a84f6882b8a25 * main remotes/origin/HEAD -> origin/main remotes/origin/main Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* kernel-selftest: install kselftest runnerChase Qi2022-11-011-1/+7
| | | | | | | | | Install kselftest runner and the required kselftest-list.txt. Signed-off-by: Chase Qi <chase.qi@linaro.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fd330c4514ae5acefa5e472e6775419066d60385) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Fix tigervnc crash due to missing xkbcomp rdependsAlexander Thoma2022-11-011-1/+1
| | | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 447de4d47ba2deba1af80201b91bb312f184fe0e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* spdlog: Fix CMake flagCarsten Bäcker2022-11-011-2/+2
| | | | | | | | https://github.com/gabime/spdlog/blob/eb3220622e73a4889eee355ffa37972b3cac3df5/CMakeLists.txt#L72 Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b20af98b5ad28e330c97770f7d0db75890784f98) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pim435: Relocate sources to eclipsePhilippe Coval2022-11-011-2/+2
| | | | | | | | | | | | | | | | | | | This driver is now part of Eclipse's oniro-blueprints project Note: Once transition is finished, existing copies will be need to be archived For history referer to related tickets if curious. Relate-to: https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/issues/787 Relate-to: https://gitlab.eclipse.org/eclipse/oniro-blueprints/vending-machine/meta-oniro-blueprints-vending-machine/-/issues/1 Relate-to: https://gitlab.eclipse.org/pcoval/pim435/-/issues/2 Relate-to: https://git.ostc-eu.org/distro/components/vending-machine-control-application/-/issues/2 Forwarded: https://github.com/openembedded/meta-openembedded/pull/603 Origin: https://github.com/astrolabe-coop/meta-openembedded Signed-off-by: Philippe Coval <philippe.coval.ext@huawei.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6b50ce8f07b61d111f82c3ca88c5125192c214a0) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ufw: Fix "could not find required binary 'iptables'"Howard Cochran2022-11-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond with the earlier change to use setuptools3_legacy instead of distutils3. Without this change, you will get the following error if your build host does not have iptables installed: Fixes: ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed. Log data follows: | DEBUG: Executing shell function do_compile | ERROR: could not find required binary 'iptables' | ERROR: 'python3 setup.py build ' execution failed. | WARNING: exit code 1 from a shell command. ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1' Also, although the build will not fail on a host that has iptables, it could cause a problem if it is installed at a different path than where OpenEmbedded's iptables will be installed on the target. Fixes: 3e2ed1dcc088 ("ufw: port to setuptools, use setuptools_legacy") Signed-off-by: Howard Cochran <howard_cochran@jabil.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: Security fix CVE-2022-37032Yi Zhao2022-10-132-0/+43
| | | | | | | | | | | | | | | | CVE-2022-37032: An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37032 Patch from: https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: upgrade 4.4.1 -> 4.4.2Wang Mingyu2022-10-131-1/+1
| | | | | | | | | | | | | | | | | | | This release contains bug fixes only. The following CVEs have been addressed: CVE-2022-37049 CVE-2022-37048 CVE-2022-37047 CVE-2022-28487 CVE-2022-25484 CVE-2022-27939 CVE-2022-27940 CVE-2022-27941 CVE-2022-27942 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: Security fix CVE-2022-31676Yi Zhao2022-10-132-0/+44
| | | | | | | | | | | | | | | | | CVE-2022-31676: VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-31676 Patch from: https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: upgrade 5.9.1 -> 5.9.3Ovidiu Panait2022-10-0414-126/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upgrade summary: ---------------- - drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af - drop 0001-snmpd-always-exit-after-displaying-usage.patch backport - rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually - refresh patches with devtool to get rid of fuzz Changelog: ---------- *5.9.3*: security: - These two CVEs can be exploited by a user with read-only credentials: - CVE-2022-24805 A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access. - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference. - These CVEs can be exploited by a user with read-write credentials: - CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously - CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access. - CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference. - To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range. - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes. Windows: - WinExtDLL: Fix multiple compiler warnings - WinExtDLL: Make long strings occupy a single line Make it easier to look up error messages in the source code by making long strings occupy a single source code line. - WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit Windows systems") caused snmpd to skip MIB-II on 64-bit systems. IF-MIB: Update ifTable entries even if the interface name has changed At least on Linux a network interface index may be reused for a network interface with a different name. Hence this patch that enables replacing network interface information even if the network interface name has changed. unspecified: - Moved transport code into a separate subdirectory in snmplib - Snmplib: remove inline versions of container funcs". misc: - snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is expanded in ${datarootdir} so datarootdir must be set before @datadir@ is used. *5.9.2*: skipped due to a last minute library versioning found bug -- use 5.9.3 instead Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bf4a826c7de51dcdac87f81fa2bd2301629d50db) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* polkit: refresh patchChen Qi2022-10-041-10/+10
| | | | | | Refresh patch to avoid QA issue about patch fuzz. Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
* libsdl: add CVE-2019-14906 to allowlistHitomi Hasegawa2022-10-041-0/+3
| | | | | | | | | | CVE-2019-14906 is a Red Hat vulnerability and Yocto is not applicable. So add it to the allowlist. Signed-off-by: Hitomi Hasegawa <hasegawa-hitomi@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8803be17aada56ec6a11fba4db9df74f16f9c58c) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: upgrade 2.86 -> 2.87wangmy2022-10-044-201/+10
| | | | | | | | | | | | License-Update : format of License file changed. CVE-2022-0934.patch deleted since it's included in 2.87. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 79ed6782a66590d769a516d8b4c15a4330bf7515) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2022-3190 Infinite loop in legacy style dissectorHitendra Prajapati2022-10-042-0/+146
| | | | | | | | | | | | | | | Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 MR: 122044 Type: Security Fix Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5 Description: CVE-2022-3190 wireshark: Infinite loop in legacy style dissector. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* minicoredumper: retry elf parsing as long as neededSakib Sajal2022-09-252-0/+129
| | | | | | | | | | Maximum number of tries, in rare cases, is insufficient for elf parse. Backport patch that fixes the issue. Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e231c86e282eefff0e8164551f75f8e01682abe6) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
* libcec: fix runtime dependencies for ${PN}-examplesMartin Jansa2022-09-251-0/+3
| | | | | | | | | | | | | | | | | | | | | | * cec-client doesn't link with libcec, but uses LibCecInitialise to dlopen libcec, so do_package cannot add the runtime dependency automatically * fixes: root@rpi4:# cec-client -l libcec.so.6: cannot open shared object file: No such file or directory root@rpi4:# cecc-client -l libcec.so.6: cannot open shared object file: No such file or directory libcec.so.6: cannot open shared object file: No such file or directory libcec/6.0.2-r0 $ objdump -p ./build/src/cec-client/cec-client-6.0.2 | grep NEEDED NEEDED libncurses.so.5 NEEDED libtinfo.so.5 NEEDED libstdc++.so.6 NEEDED libgcc_s.so.1 NEEDED libc.so.6 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* frr: Security fix CVE-2022-37035Yi Zhao2022-09-252-0/+152
| | | | | | | | | | | | | | | | | CVE-2022-37035: An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37035 Patch from: https://github.com/FRRouting/frr/commit/71ca5b09bc71e8cbe38177cf41e83fe164e52eee Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* lmdb: Don't inherit baseRichard Purdie2022-09-221-1/+1
| | | | | | | | | base is always inherited so remove this code which will soon cause an error. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a755af4fb5ca2e158b00214bb18e27ba69c200fd) Signed-off-by: Ming Liu <liu.ming50@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-04 14:28:15 +0000