path: root/meta-networking
Commit message | Author | Age | Files | Lines
...
* nftables: Fix missing leading whitespace with ':append' | Niko Mauno | 2023-01-29 | 1 | -1/+1
  Mitigate occurrence where ':append' operator is used and leading whitespace character is obviously missing, risking inadvertent string concatenation.
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit d25967208bc8c4b1e2099e34150a67508744e4b9)
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception | Hitendra Prajapati | 2023-01-25 | 2 | -0/+117
  Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* kernel_add_regdb: Change the task order | Hermes Zhang | 2023-01-19 | 1 | -1/+1
  The kernel_add_regdb should run before do_compile to make it take effect.
  Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postfix: upgrade 3.6.5 -> 3.6.7 | Yi Zhao | 2023-01-12 | 1 | -1/+1
  Changelog: http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.6.7.HISTORY
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the libcap and nss PACKAGECONFIGs | Peter Kjellerstedt | 2022-11-12 | 1 | -4/+4
  There is no need for these configs on their own and they would only mess up the sechash and privdrop configs. To actually enable sechash one also had to enable nss, and to enable privdrop one also had to enable libcap.
  This also avoids passing --with-libcap if privdrop is enabled since the option does not exist.
  Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the readline PACKAGECONFIG | Peter Kjellerstedt | 2022-11-12 | 1 | -9/+4
  Support for readline was dropped in Chrony 4.2. Enabling the readline PACKAGECONFIG would result in no support for command line editing as only editline is supported and it would be disabled.
  Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: CVE-2022-40617 A possible DoS in Using Untrusted URIs for Revocation Checking | Hitendra Prajapati | 2022-11-12 | 2 | -0/+158
  Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2022-40617
  Affects "strongswan < 5.9.8"
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dhcp: Fix CVE-2022-2928 & CVE-2022-2929 | Hitendra Prajapati | 2022-11-12 | 3 | -0/+162
  Source: https://downloads.isc.org/isc/dhcp
  MR: 122791, 122806
  Type: Security Fix
  Disposition: Backport from https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/
  ChangeID: e90f768e445b7d41b86f04c634cc125546998f0f
  Description:
  Fixed CVEs:
  1. CVE-2022-2928
  2. CVE-2022-2929
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ufw: Fix "could not find required binary 'iptables'" | Howard Cochran | 2022-11-01 | 1 | -2/+2
  Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond with the earlier change to use setuptools3_legacy instead of distutils3.
  Without this change, you will get the following error if your build host does not have iptables installed:
  Fixes:
  ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed.
  Log data follows:
  | DEBUG: Executing shell function do_compile
  | ERROR: could not find required binary 'iptables'
  | ERROR: 'python3 setup.py build ' execution failed.
  | WARNING: exit code 1 from a shell command.
  ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1'
  Also, although the build will not fail on a host that has iptables, it could cause a problem if it is installed at a different path than where OpenEmbedded's iptables will be installed on the target.
  Fixes: 3e2ed1dcc088 ("ufw: port to setuptools, use setuptools_legacy")
  Signed-off-by: Howard Cochran <howard_cochran@jabil.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: Security fix CVE-2022-37032 | Yi Zhao | 2022-10-13 | 2 | -0/+43
  CVE-2022-37032: An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37032
  Patch from: https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: upgrade 4.4.1 -> 4.4.2 | Wang Mingyu | 2022-10-13 | 1 | -1/+1
  This release contains bug fixes only.
  The following CVEs have been addressed:
  CVE-2022-37049
  CVE-2022-37048
  CVE-2022-37047
  CVE-2022-28487
  CVE-2022-25484
  CVE-2022-27939
  CVE-2022-27940
  CVE-2022-27941
  CVE-2022-27942
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: Security fix CVE-2022-31676 | Yi Zhao | 2022-10-13 | 2 | -0/+44
  CVE-2022-31676: VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-31676
  Patch from: https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: upgrade 5.9.1 -> 5.9.3 | Ovidiu Panait | 2022-10-04 | 14 | -126/+38
  Upgrade summary:
  ----------------
  - drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
  - drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
  - rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
  - refresh patches with devtool to get rid of fuzz
  Changelog:
  ----------
  *5.9.3*:
  security:
  - These two CVEs can be exploited by a user with read-only credentials:
    - CVE-2022-24805 A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
    - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.
  - These CVEs can be exploited by a user with read-write credentials:
    - CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously
    - CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
    - CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
    - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.
  - To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range.
  - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes.
  Windows:
  - WinExtDLL: Fix multiple compiler warnings
  - WinExtDLL: Make long strings occupy a single line
    Make it easier to look up error messages in the source code by making long strings occupy a single source code line.
  - WinExtDLL: Restore MIB-II support
    Make winExtDLL work on 64-bit Windows systems") caused snmpd to skip MIB-II on 64-bit systems.
  IF-MIB:
  Update ifTable entries even if the interface name has changed
    At least on Linux a network interface index may be reused for a network interface with a different name. Hence this patch that enables replacing network interface information even if the network interface name has changed.
  unspecified:
  - Moved transport code into a separate subdirectory in snmplib
  - Snmplib: remove inline versions of container funcs".
  misc:
  - snmp-create-v3-user: Fix the snmpd.conf path
    @datadir@ is expanded in ${datarootdir} so datarootdir must be set before @datadir@ is used.
  *5.9.2*:
  skipped due to a last minute library versioning found bug -- use 5.9.3 instead
  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit bf4a826c7de51dcdac87f81fa2bd2301629d50db)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: upgrade 2.86 -> 2.87 | wangmy | 2022-10-04 | 4 | -201/+10
  License-Update : format of License file changed.
  CVE-2022-0934.patch deleted since it's included in 2.87.
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 79ed6782a66590d769a516d8b4c15a4330bf7515)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2022-3190 Infinite loop in legacy style dissector | Hitendra Prajapati | 2022-10-04 | 2 | -0/+146
  Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
  MR: 122044
  Type: Security Fix
  Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
  ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
  Description: CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: Security fix CVE-2022-37035 | Yi Zhao | 2022-09-25 | 2 | -0/+152
  CVE-2022-37035: An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37035
  Patch from: https://github.com/FRRouting/frr/commit/71ca5b09bc71e8cbe38177cf41e83fe164e52eee
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* samba: fix buildpaths issue | Yi Zhao | 2022-09-15 | 2 | -0/+39
  The test case tfork_cmd_send in smbtorture fails on target as it requires a script located in the source directory:
  $ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
  test: tfork_cmd_send
  /buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh: Failed to exec child - No such file or directory
  This also triggers the buildpaths warning:
  QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
  Skip this test case in smbtorture to avoid the warning.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 2b8b5dbe03cb83df1bb6c6dc1cfbf5c2bf836cf9)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samba: upgrade 4.14.13 -> 4.14.14 | Yi Zhao | 2022-09-15 | 1 | -1/+1
  This is a security release in order to address the following defects:
  CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords.
  https://www.samba.org/samba/security/CVE-2022-2031.html
  CVE-2022-32744: Samba AD users can forge password change requests for any user.
  https://www.samba.org/samba/security/CVE-2022-32744.html
  CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request.
  https://www.samba.org/samba/security/CVE-2022-32745.html
  CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
  https://www.samba.org/samba/security/CVE-2022-32746.html
  CVE-2022-32742: Server memory information leak via SMB1.
  https://www.samba.org/samba/security/CVE-2022-32742.html
  Release Notes: https://www.samba.org/samba/history/samba-4.14.14.html
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 0afcb4be77acdb7af3624278ebd5869f0e88bdfe)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libldb: upgrade 2.3.3 -> 2.3.4 | Yi Zhao | 2022-09-15 | 1 | -2/+2
  Required by samba 4.14.14.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 1cd743f8d8053cc9d34cd1a0204d4d333722e0f5)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntpsec: Add -D_GNU_SOURCE and fix building with devtool | Khem Raj | 2022-09-15 | 2 | -2/+33
  wscript detects .git directory and if it's present then invokes git describe --dirty which does not work on the devtool created git repository, since it's synthesized.
  Add GNU_SOURCE define to get strptime() definition
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 375be9fd60e22fb60b53d664983cb70d26d8a288)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireguard-tools: Add a new package for wg-quick | Jose Quaresma | 2022-09-15 | 1 | -3/+11
  - This will move the dependency of bash to wg-quick
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit f36a158aa0b6dc5d595c08f33733f889a7202b36)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireguard-module: 1.0.20210219 -> 1.0.20220627 | Jose Quaresma | 2022-09-15 | 1 | -2/+2
  Also change the git protocol to https.
  Relevant changes:
  - 18fbcd6 version: bump
  - 3ec3e82 compat: handle backported rng and blake2s
  - ba45dd6 qemu: give up on RHEL8 in CI
  - c7560fd qemu: set panic_on_warn=1 from cmdline
  - 33c87a1 qemu: use vports on arm
  - 894152a netns: limit parallelism to $(nproc) tests at once
  - f888673 netns: make routing loop test non-fatal
  - f9d9b4d device: check for metadata_dst with skb_valid_dst()
  - f909532 qemu: enable ACPI for SMP
  - ec89ca6 socket: ignore v6 endpoints when ipv6 is disabled
  - fa32671 socket: free skb in send6 when ipv6 is disabled
  - ffb8cd6 qemu: simplify RNG seeding
  - 4eff63d queueing: use CFI-safe ptr_ring cleanup function
  - 273018b crypto: curve25519-x86_64: use in/out register constraints more precisely
  - 4f4c019 compat: drop Ubuntu 14.04
  - 743eef2 version: bump
  - 3c9f3b6 crypto: curve25519-x86_64: solve register constraints with reserved registers
  - 8e40dd6 compat: udp_tunnel: don't take reference to non-init namespace
  - ea6b8e7 compat: siphash: use _unaligned version by default
  - 5325bc8 ratelimiter: use kvcalloc() instead of kvzalloc()
  - e44c78c receive: drop handshakes if queue lock is contended
  - 5707d38 receive: use ring buffer for incoming handshakes
  - 68abb1b device: reset peer src endpoint when netns exits
  - ea3f5fb main: rename 'mod_init' & 'mod_exit' functions to be module-specific
  - cb001d4 netns: actually test for routing loops
  - 2715e64 compat: update for RHEL 8.5
  - 2974725 compat: account for grsecurity backports and changes
  - 50dda8c compat: account for latest c8s backports
  - d378f93 version: bump
  - fb4a0da qemu: increase default dmesg log size
  - 8f4414d qemu: add disgusting hacks for RHEL 8
  - fd7a462 allowedips: add missing __rcu annotation to satisfy sparse
  - 383461d allowedips: free empty intermediate nodes when removing single node
  - 03add82 allowedips: allocate nodes in kmem_cache
  - b56d48c allowedips: remove nodes in O(1)
  - 3c14c4b allowedips: initialize list head in selftest
  - 4d8b7ed peer: allocate in kmem_cache
  - 6fbc0e6 global: use synchronize_net rather than synchronize_rcu
  - 405caf0 kbuild: do not use -O3
  - b50ef4d netns: make sure rp_filter is disabled on vethc
  - e67b722 version: bump
  - 1edffe2 Revert "compat: skb_mark_not_on_list will be backported to Ubuntu 18.04"
  - 2cf9543 compat: update and improve detection of CentOS Stream 8
  - 122f06b compat: icmp_ndo_send functions were backported extensively
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit e2a2320a7953fd70e8b416f9f6741d0b6654f280)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: fix buildpaths issue | Mingli Yu | 2022-08-07 | 1 | -0/+5
  Fixes:
  WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/lib/libfrr.a in package frr-staticdev contains reference to TMPDIR [buildpaths]
  WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/src/debug/frr/8.2.2-r0/git/lib/version.h in package frr-src contains reference to TMPDIR [buildpaths]
  WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/include/frr/version.h in package frr-dev contains reference to TMPDIR [buildpaths]
  WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/bin/vtysh in package frr contains reference to TMPDIR
  File /usr/lib/libfrr.so.0.0.0 in package frr contains reference to TMPDIR [buildpaths]
  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8b76b6c8e3ffdb30da839408084289c57e292752)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openipmi: Fix buildpaths issue | Mingli Yu | 2022-08-07 | 1 | -0/+4
  Fixes:
  WARNING: openipmi-2.0.32-r0 do_package_qa: QA Issue: File /usr/src/debug/openipmi/2.0.32-r0/OpenIPMI-2.0.32/swig/perl/OpenIPMI_wrap.c in package openipmi-src contains reference to TMPDIR [buildpaths]
  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 5abd81567d5ed091ed870abf24e51f260747d593)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* freeradius: Fix buildpaths issue | Mingli Yu | 2022-08-07 | 2 | -0/+42
  Fixes:
  WARNING: freeradius-3.0.21-r0 do_package_qa: QA Issue: File /usr/bin/radeapclient in package freeradius-utils contains reference to TMPDIR [buildpaths]
  WARNING: freeradius-3.0.21-r0 do_package_qa: QA Issue: File /usr/lib/libfreeradius-server.so.0.0.0 in package freeradius contains reference to TMPDIR [buildpaths]
  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 1c91de67b4981f62ddc7308bf88c1a6f4a844fdb)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: set ac_cv_path_PSPROG | Mingli Yu | 2022-08-07 | 1 | -0/+1
  Fixes:
  WARNING: net-snmp-5.9.1-r0 do_package_qa: QA Issue: File /usr/include/net-snmp/net-snmp-config-64.h in package net-snmp-dev contains reference to TMPDIR
  File /usr/bin/net-snmp-create-v3-user in package net-snmp-dev contains reference to TMPDIR [buildpaths]
  WARNING: net-snmp-5.9.1-r0 do_package_qa: QA Issue: File /usr/lib/net-snmp/ptest/include/net-snmp/net-snmp-config.h in package net-snmp-ptest contains reference to TMPDIR [buildpaths]
  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 1bf83255aee9850bf5ce5138c4bdefbe9eeb120c)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* stunnel: upgrade 5.64 -> 5.65 | wangmy | 2022-07-26 | 2 | -8/+18
  fix-openssl-no-des.patch refreshed for version 5.65
  Changelog:
  ==========
  Security bugfixes
    OpenSSL DLLs updated to version 3.0.5.
  Bugfixes
    Fixed handling globally enabled FIPS.
    Fixed the default openssl.cnf path in stunnel.exe.
    Fixed a number of MSVC warnings.
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 72f84335cb372dbf00d2d07429a595fced0c4f4f)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* stunnel: upgrade 5.63 -> 5.64 | wangmy | 2022-07-26 | 1 | -1/+1
  Changelog:
  ==========
  Security bugfixes
    OpenSSL DLLs updated to version 3.0.3.
  New features
    Updated the pkcs11 engine for Windows.
  Bugfixes
    Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 6f3b52f4589bfa942e473488f91ecef85d339e78)
  [New feature does not affect linux]
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ndisc6: upgrade 1.0.5 -> 1.0.6 | Wang Mingyu | 2022-07-21 | 1 | -2/+1
  Changelog:
  ==========
  # ndisc6: print NAT64 prefix if present.
  # rdnssd: fix timeout calculation.
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit c77bc200813dec8a1317ea6651d0f398a3fa5d65)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openflow: ignore unrelated CVEs | Davide Gardenal | 2022-07-18 | 1 | -0/+5
  CVE-2015-1611 and CVE-2015-1612 are not referred to our implementation of openflow as specified by the NVD database, ignore them.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* freeradius: ignore patched CVEs | Davide Gardenal | 2022-07-18 | 1 | -0/+5
  CVE-2002-0318 and CVE-2011-4966 are both patched in our version of freeradius. The CPE in the NVD database doesn't reflect correctly the vulnerable versions that's why they are incorrectly picked up.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* quagga: ignore CVE-2016-4049 | Davide Gardenal | 2022-07-18 | 1 | -0/+4
  CVE-2016-4049 is not affecting our version, so we can ignore it. This is caused because the CPE in the NVD database doesn't specify a vulnerable version range.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* spice: ignore patched CVEs | Davide Gardenal | 2022-07-18 | 1 | -0/+6
  The following CVEs are already patched so we can ignore them:
  - CVE-2016-0749
  - CVE-2016-2150
  - CVE-2018-10893
  This is caused by inaccurate CPE in the NVD database.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* wireshark: upgrade 3.4.11 -> 3.4.12 | Davide Gardenal | 2022-07-18 | 1 | -1/+1
  This upgrade includes the following CVE fixes:
  - CVE-2021-4190
  - CVE-2022-0581
  - CVE-2022-0582
  - CVE-2022-0583
  - CVE-2022-0585
  - CVE-2022-0586
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* ntp: ignore many CVEs | Davide Gardenal | 2022-07-18 | 1 | -1/+25
  cve-check is not able to correctly identify many of the patched CVEs because of the non standard version number. All the ignored CVEs were manually checked with the NVD database and deemed not applicable to the current version.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* openflow: ignore CVE-2018-1078 | Davide Gardenal | 2022-07-18 | 1 | -0/+4
  CVE-2018-1078 is not for openflow but in the NVD database the CVE is for a specific implementation that we don't have so we can ignore it.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* usrsctp: add CVE_VERSION to correctly check for CVEs | Davide Gardenal | 2022-07-18 | 1 | -0/+2
  The current version of usrsctp is not a release so cve-check is not able to find the product version. CVE_VERSION is now set to 0.9.3.0 that is the nearest version in the past starting from the revision we have. This is done because we don't have the complete 0.9.4.0 release.
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
* cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands | Hitendra Prajapati | 2022-07-09 | 2 | -0/+28
  Source: https://github.com/cyrusimap/cyrus-sasl
  MR: 118497
  Type: Security Fix
  Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
  ChangeID: 4736aae2b7d8986787b1666cfd6eecd590915120
  Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* freeradius: multilib fixes | Jeremy Puhlman | 2022-07-09 | 1 | -13/+21
  Define raddbdir based on multilib
  Add multilib headers and scripts for conflicting content
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8687d488f7352fa0c5c7dbc919aa14e577ce153e)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: upgrade 5.9.5 -> 5.9.6 | Yi Zhao | 2022-07-04 | 3 | -94/+33
  * Drop backport patch 0001-openssl-Don-t-unload-providers.patch
  * Backport a patch to fix the build error:
    src/libstrongswan/utils/enum.c: In function 'enum_flags_to_string':
    src/libstrongswan/utils/enum.c:100:9: error: format not a string literal and no format arguments [-Werror=format-security]
    100 | if (snprintf(buf, len, e->names[0]) >= len)
        | ^~
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 689e8422b836d804d9ab102cb3de0a4f6e1f24c8)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* networkmanager: fix build with enabled ppp | Javier Viguera | 2022-07-01 | 1 | -1/+1
  If 'ppp' packageconfig option is enabled, but the build system does NOT have pppd binary installed, the build fails with:
  | Has header "pppd/pppd.h" : YES
  | Program pppd /sbin/pppd /usr/sbin/pppd found: NO
  |
  | ../NetworkManager-1.36.2/meson.build:570:4: ERROR: Assert failed: pppd required but not found, please provide a valid pppd path or use -Dppp=false to disable it
  This is due to meson trying to look for the 'pppd' binary in the build system when it should not. If the build system does not contain pppd, the build fails.
  Signed-off-by: Javier Viguera <javier.viguera@digi.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: create /var/lib/chrony by systemd-tmpfiles | Changqing Li | 2022-06-22 | 1 | -0/+4
  Ensure /var/lib/chrony exists to avoid error like:
  chronyd.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/chrony: No such>
  chronyd.service: Failed at step NAMESPACE spawning /usr/sbin/chronyd: No such file or directory
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Security fix CVE-2022-0934 | Yi Zhao | 2022-06-22 | 2 | -0/+192
  CVE-2022-0934: Heap use after free in dhcp6_no_relay
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0934
  Patch from: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* netserver: don't change permissions on /dev/null | Ashish Sharma | 2022-06-15 | 2 | -0/+30
  Source: MontaVista Software, LLC
  MR: 117141
  Type: Defect Fix
  Disposition: Backport from [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981]
  ChangeID: 199f8618971de15d177dab9651f82f5696ff1aa1
  Description: the (now default) suppress_debug=1 changes permissions on /dev/null to 0644. Don't do this.
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* conntrack-tools: fix postinst script | Adrian Freihofer | 2022-06-03 | 1 | -0/+1
  Fix error caused by postinst script of conntrack-tools:
  do_rootfs: Postinstall scriptlets of ['conntrack-tools'] have failed...
  Configuring ...
  rootfs//var/lib/opkg/info/conntrack-tools.postinst: line 2: setcap: command not found
  conntrack-tools.postinst returned 127, marking as unpacked only...
  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 55fd9844830bc835c2bf8def9406edc9e2df0e16)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* conntrack-tools: fix postinst script | Kai Kang | 2022-05-23 | 1 | -2/+2
  Fix error caused by postinst script of conntrack-tools:
  | /var/tmp/rpm-tmp.or09Iq: line 4: unexpected EOF while looking for matching `"'
  | %post(conntrack-tools-1.4.6-r0.core2_64): waitpid(1173) rc 1173 status 200
  | warning: %post(conntrack-tools-1.4.6-r0.core2_64) scriptlet failed, exit status 2
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* networkmanager: fix parallel build failure | Yi Zhao | 2022-05-17 | 2 | -0/+35
  Add dependency libnm_client_public_dep to libnm-client-test to fix parallel build error:
  | In file included from ../NetworkManager-1.36.0/src/libnm-client-test/nm-test-utils-impl.c:10:
  | ../NetworkManager-1.36.0/src/libnm-client-public/NetworkManager.h:47:10: fatal error: nm-enum-types.h: No such file or directory
  | 47 | #include "nm-enum-types.h"
  | | ^~~~~~~~~~~~~~~~~
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit dedf55890abd21a198e16fca59ab8c7e5ff2ce62)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ufw: Fix packaging errors found with ppc64 | Khem Raj | 2022-05-17 | 1 | -1/+1
  default baselib in ppc64 is lib64 which catches this latent issue
  ERROR: ufw-0.36.1-r0 do_package: QA Issue: ufw: Files/directories were installed but not shipped in any package:
  /usr/lib/ufw
  /usr/lib/ufw/ufw-init
  /usr/lib/ufw/ufw-init-functions
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 42e6f16583e36857152ccb53b177e74f20b02667)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* conntrack-tools: Fix missing capability | Bassem Boubaker | 2022-05-17 | 1 | -0/+5
  The commit fixes this error message:
  Do not forget that you need *root* or CAP_NET_ADMIN capabilities ;-)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 77c2fda04e406c210fe2a1870c8473748302bfb5)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: inherit autotools-brokensep instead of autotools | Yi Zhao | 2022-05-17 | 1 | -2/+4
  There is a parallel build error in separate build directory:
  | /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/recipe-sysroot-native/usr/lib/clippy ../git/python/clidef.py -o isisd/isis_cli_clippy.c ../git/isisd/isis_cli.c
  | Traceback (most recent call last):
  | File "../git/python/clidef.py", line 466, in <module>
  | clippy.wrdiff(
  | File "/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/git/python/clippy/__init__.py", line 78, in wrdiff
  | with open(newname, "w") as out:
  | FileNotFoundError: [Errno 2] No such file or directory: 'isisd/isis_cli_clippy.c.new-372541'
  | make[1]: Leaving directory '/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/build'
  | make[1]: *** [Makefile:17386: isisd/isis_cli_clippy.c] Error 1
  This is because clidef.py only creates new file but doesn't check if parent directory exists. Inherit autotools-brokensep can fix this issue as these parent directories always exist in source directory.
  Also set ac_cv_path_PERL to '/usr/bin/env perl' to avoid path too long.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 09a97158f80a779c3f45b3189adcddbd535e5baf)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>