path: root/meta-oe
Commit message | Author | Age | Files | Lines
* indent: fix CVE-2023-40305  [stable/kirkstone-nut]
  Author: Yogita Urade | Age: 2023-11-03 | Files: 3 | Lines: -0/+8452

    GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.

    Reference: https://savannah.gnu.org/bugs/index.php?64503

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suiteparse: Adapt to upstream branch name changes
  Author: Richard Purdie | Age: 2023-11-03 | Files: 1 | Lines: -1/+1

    meta-oe master branch already made this change.

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: CVE-ID correction for CVE-2022-4904
  Author: Shinu Chandran | Age: 2023-09-27 | Files: 1 | Lines: -1/+1

    - The c-ares commit https://github.com/c-ares/c-ares/commit/9903253c347f (Add str len check in config_sortlist to avoid stack overflow), fixes the CVE-2022-4904 instead of CVE-2022-4415
      https://security-tracker.debian.org/tracker/CVE-2022-4904
    - CVE-ID inside the CVE-2022-4904.patch is wrong in the OE commit[092e125f44f6]
    - Hence corrected the CVE-ID in CVE-2022-4904.patch

    Signed-off-by: Shinu Chandran <shinucha@cisco.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openldap: update to 2.5.16
  Author: Armin Kuster | Age: 2023-09-27 | Files: 6 | Lines: -231/+1

    2.5.x is an LTS version per the project.

    Drop patch now included.

    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* freeglut: Add packageconfigs for x11/wayland/gles
  Author: Khem Raj | Age: 2023-09-23 | Files: 1 | Lines: -4/+14

    Helps it compile on different OpenGL implementations which may not implement the full OpenGL specs.

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit a9212722c1b1a2ab29215651063ca94fb114c39b)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: upgrade 7.0.12 -> 7.0.13
  Author: Polampalli, Archana | Age: 2023-09-23 | Files: 10 | Lines: -1/+1

    This release has only security and bug fixes.

    ChangeLog:
    https://github.com/redis/redis/releases/tag/7.0.13

    Security Fixes:
    https://nvd.nist.gov/vuln/detail/CVE-2023-41053

    $ git log --oneline 7.0.12..7.0.13
    49dbedb1d (tag: 7.0.13, origin/7.0) Redis 7.0.13
    0f14d3279 Fix sort_ro get-keys function return wrong key number (#12522)
    4d67bb6af do not call handleClientsBlockedOnKeys inside yielding command (#12459)
    37599fe75 Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#12451)
    ea1bc6f62 Process loss of slot ownership in cluster bus (#12344)
    646069a90 Skip test for sdsRemoveFreeSpace when mem_allocator is not jemalloc (#11878)

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster@mvista.com>
* rabbitmq-c: Fix CVE-2023-35789
  Author: Soumya Sambu | Age: 2023-09-23 | Files: 2 | Lines: -1/+138

    An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.

    Reference:
    https://nvd.nist.gov/vuln/detail/CVE-2023-35789

    Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster@mvista.com>
* opensc: ignore CVE-2021-34193
  Author: Jose Quaresma | Age: 2023-09-19 | Files: 1 | Lines: -0/+5

    The CVE-2021-34193 is a duplicate CVE covering the 5 individual ones already fixed.

    https://github.com/OpenSC/OpenSC/pull/2855

    Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* hdf5: Fix CVE-2021-37501
  Author: Mingli Yu | Age: 2023-09-19 | Files: 2 | Lines: -0/+38

    Backport a patch [1] to fix CVE-2021-37501.

    [1] https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887

    Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* hwloc: fix CVE-2022-47022
  Author: Soumya Sambu | Age: 2023-09-06 | Files: 2 | Lines: -1/+80

    An issue was discovered in open-mpi hwloc 2.1.0 that allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2022-47022
    https://github.com/open-mpi/hwloc/issues/544

    Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* iperf3: upgrade 3.11 -> 3.14
  Author: Soumya Sambu | Age: 2023-09-06 | Files: 1 | Lines: -2/+2

    Upgrade iperf3 to 3.14

    Fix CVE-2023-38403 and other bugs.

    The iperf3 release notes are available at:
    https://github.com/esnet/iperf/blob/99d738f496c96fd4fb50f45142e0bbc96bf71698/RELNOTES.md

    The only change in the LICENSE file was the year update:
    https://github.com/esnet/iperf/commit/6bfe27d82a3f74ad1239aba987a4fb75c1005078

    Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-oe-components: Avoid usage of nobranch=1
  Author: Sourav Kumar Pramanik | Age: 2023-09-04 | Files: 6 | Lines: -6/+6

    The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1 for these components.

    Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libiio: use main branch instead of master
  Author: Martin Jansa | Age: 2023-09-04 | Files: 1 | Lines: -1/+1

    * the branch was renamed upstream

    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: fix CVE-2022-25883
  Author: Polampalli, Archana | Age: 2023-09-04 | Files: 2 | Lines: -0/+263

    Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2022-25883

    Upstream patches:
    https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* krb5: Fix CVE-2023-36054
  Author: Soumya Sambu | Age: 2023-09-04 | Files: 2 | Lines: -0/+69

    lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2023-36054

    Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nlohmann-json: Avoid usage of nobranch=1
  Author: Sourav Pramanik | Age: 2023-08-30 | Files: 1 | Lines: -1/+1

    The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1.

    Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* rapidjson: Avoid usage of nobranch=1
  Author: Sourav Pramanik | Age: 2023-08-30 | Files: 1 | Lines: -1/+1

    The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1.

    Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: Update to 14.9
  Author: Robert Joslyn | Age: 2023-08-30 | Files: 11 | Lines: -479/+31

    This is a minor release to address CVEs and other bug fixes without new features. Remove patches that are fixed in this release.

    Release notes are available at:
    https://www.postgresql.org/docs/release/14.6/
    https://www.postgresql.org/docs/release/14.7/
    https://www.postgresql.org/docs/release/14.8/
    https://www.postgresql.org/docs/release/14.9/

    License-Update: Copyright year updated

    Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
    [Fixup patch fuzzy]
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poppler: fix CVE-2023-34872
  Author: Yogita Urade | Age: 2023-08-25 | Files: 2 | Lines: -0/+47

    A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open.

    Reference:
    https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libqb: upgrade 2.0.6 -> 2.0.8
  Author: Narpat Mali | Age: 2023-08-25 | Files: 1 | Lines: -1/+1

    The delta between 2.0.6 and 2.0.8 contains the CVE-2023-39976 fix and other bugfixes.

    git log --oneline shows:

    002171b (HEAD, tag: v2.0.8, origin/main, origin/HEAD, main) Update library version for 2.0.8
    1bbaa92 log: fix potential overflow with long log messages (#490)
    92ddd7c test - fix test dependancies (#489)
    06c8641 (tag: v2.0.7) Update -version info for 2.0.7
    0665086 spec: Migrate to SPDX license (#487)
    5862acb blackbox: fix potential overlow/memory corruption (#486)
    a3aedbc tests: allow -j to work (#485)
    335dbb6 test: Remove gnu/lib-names.h from libstat_wrapper.c (#482)
    4dcdfe9 strlcpy: avoid compiler warning from strncpy (#473)
    1a32a60 Add --disable-tests option (#475)
    10b0623 m4/ax_pthread.m4: update to latest upstream version (serial 31) (#472)
    e038f59 tests: Close race condition in check_loop (#480)
    fde729e timer: Move state check to before time check (#479)
    5594d37 ipc: Retry receiving credentials if the the message is short (#476)
    e8129a3 add simplified chinese readme (#474)
    eaa95ec lib: Fix some small bugs spotted by newest covscan (#471)
    14507d5 configure: Modernize configure.ac a bit (#470)
    8325d84 tests: Fix tests on FreeBSD-devel (#469)
    e407874 doxygen2man: Fix function parameter alignment (#468)
    0eb0991 tests: cleanup the last of the empty directories (#467)
    44a4cb2 tests: Make ipc test more portable (#466)
    758044b (tag: v2.0.6) test: Include ipc_sock.test in the libqb-tests rpm (#463)

    Release Notes:
    https://github.com/ClusterLabs/libqb/releases

    Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: upgrade 8.1.16 -> 8.1.22
  Author: Polampalli, Archana | Age: 2023-08-25 | Files: 1 | Lines: -1/+1

    Upgrade php to 8.1.22

    Security fixes:
    CVE-2023-3824
    CVE-2023-3823
    CVE-2023-3247

    https://www.php.net/ChangeLog-8.php#8.1.22

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: upgrade 16.20.1 -> 16.20.2
  Author: Polampalli, Archana | Age: 2023-08-11 | Files: 1 | Lines: -1/+1

    This release contains bug fixes only.

    The following CVEs have been addressed:
    CVE-2023-32002
    CVE-2023-32006
    CVE-2023-32559

    $ git log --oneline v16.20.1..v16.20.2
    dadbde963f (tag: v16.20.2) 2023-08-09, Version 16.20.2 'Gallium' (LTS)
    d8ccfe9ad4 policy: handle Module.constructor and main.extensions bypass
    242aaa0caa policy: disable process.binding() when enabled
    40c3958a5a deps: update archs files for OpenSSL-1.1.1v
    a9ac9da89a deps: fix openssl crypto clean
    362d4c7494 deps: upgrade openssl sources to OpenSSL_1_1_1v
    7447de2794 Working on v16.20.2

    https://github.com/nodejs/node/releases/tag/v16.20.2

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lmsensors: do not pull in unneeded perl modules for run-time dependencies
  Author: Beniamin Sandu | Age: 2023-08-11 | Files: 1 | Lines: -2/+3

    Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: upgrade 7.0.11 -> 7.0.12
  Author: Polampalli, Archana | Age: 2023-08-03 | Files: 10 | Lines: -1/+1

    This release has only security and bug fixes.

    ChangeLog:
    https://github.com/redis/redis/releases/tag/7.0.12

    Security Fixes:
    https://nvd.nist.gov/vuln/detail/CVE-2023-36824
    https://nvd.nist.gov/vuln/detail/CVE-2022-24834

    $ git log --oneline 7.0.11..7.0.12
    8e73f9d34 (tag: 7.0.12, origin/7.0) Redis 7.0.12
    f90ecfb1f Fix compile errors when building with gcc-12 or clang (partial #12035)
    bd1dac0c6 Fix possible crash in command getkeys (#12380)
    25f610fc2 Use Reservoir Sampling for random sampling of dict, and fix hang during fork (#12276)
    eb64a97d3 Add missing return on -UNKILLABLE sent by master case (#12277)
    2ba8de9d5 Fix WAIT for clients being blocked in a module command (#12220)
    1d2839a83 Fix memory leak when RM_Call's RUN_AS_USER fails (#12158)
    c340fd5a3 Prevent repetitive backlog trimming (#12155)
    88682ca30 Free backlog only if rsi is invalid when master reboot (#12088)
    f6a7c9f9e Lua cjson and cmsgpack integer overflow issues (CVE-2022-24834)

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* zabbix: fix CVE-2023-29450
  Author: Urade, Yogita | Age: 2023-08-03 | Files: 2 | Lines: -0/+242

    JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

    Reference:
    https://support.zabbix.com/browse/ZBX-22588

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* zabbix: fix CVE-2023-29449
  Author: Urade, Yogita | Age: 2023-08-03 | Files: 2 | Lines: -0/+248

    JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.

    References:
    https://support.zabbix.com/browse/ZBX-22589

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* yasm: fix CVE-2023-31975
  Author: Polampalli, Archana | Age: 2023-08-03 | Files: 2 | Lines: -0/+30

    yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2023-31975
    https://github.com/yasm/yasm/issues/210

    Upstream patches:
    https://github.com/yasm/yasm/commit/b2cc5a1693b17ac415df76d0795b15994c106441

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* yaml-cpp: Fix cmake export
  Author: Jasper Orschulko | Age: 2023-07-25 | Files: 2 | Lines: -0/+118

    Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libyang: fix CVE-2023-26917
  Author: Urade, Yogita | Age: 2023-07-25 | Files: 2 | Lines: -0/+41

    libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

    References:
    https://github.com/CESNET/libyang/issues/1987

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: upgrade 16.19.1 -> 16.20.1
  Author: Polampalli, Archana | Age: 2023-07-16 | Files: 4 | Lines: -77/+1

    Drop the gcc13.patch as it has been merged in 16.20.1
    56cbc7fdda deps: V8: cherry-pick c2792e58035f

    The list of CVEs fixed in this release:
    CVE-2023-30581
    CVE-2023-30585
    CVE-2023-30588
    CVE-2023-30589
    CVE-2023-30590

    https://nodejs.org/en/blog/release/v16.20.0
    https://nodejs.org/en/blog/release/v16.20.1

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* yajl: CVE-2023-33460 memory leak in yajl_tree_parse function
  Author: Hitendra Prajapati | Age: 2023-07-02 | Files: 2 | Lines: -1/+32

    Upstream-Status: Backport from https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* grpc: ignore CVE-2023-32732
  Author: Peter Marko | Age: 2023-07-02 | Files: 1 | Lines: -0/+3

    It was introduced in v1.53.0 and not backported to v1.46.x branch.

    NVD references PR which introduces the vulnerability:
    https://github.com/grpc/grpc/pull/32309#issuecomment-1589561295

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libssh: CVE-2020-16135 Fix NULL pointer dereference in sftpserver.c
  Author: Hitendra Prajapati | Age: 2023-07-02 | Files: 2 | Lines: -1/+47

    Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opensc: Fix CVE-2023-2977
  Author: Soumya | Age: 2023-07-02 | Files: 2 | Lines: -0/+54

    A vulnerability was found in OpenSC. This security flaw causes a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly calculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

    Signed-off-by: Soumya <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: fix CVE-2023-2454 & CVE-2023-2455
  Author: vkumbhar | Age: 2023-06-23 | Files: 3 | Lines: -0/+355

    Fixed the below security CVEs:
    1) CVE-2023-2454 postgresql: schema_element defeats protective search_path changes.
    2) CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.

    Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opencv: fix for CVE-2023-2618
  Author: Narpat Mali | Age: 2023-06-23 | Files: 2 | Lines: -0/+33

    A vulnerability, which was classified as problematic, has been found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this issue is the function DecodedBitStreamParser::decodeHanziSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to memory leak. The attack may be launched remotely. The name of the patch is 2b62ff6181163eea029ed1cab11363b4996e9cd6. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-228548.

    Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
    [Refactored to apply to kirkstone]
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: backport patch for CVE-2023-31147
  Author: Peter Marko | Age: 2023-06-23 | Files: 2 | Lines: -0/+718

    Backported from https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ExprTk: Update package to release/0.0.2
  Author: Arash Partow | Age: 2023-06-19 | Files: 1 | Lines: -2/+2

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit 0522e66a26b1f4778948553a193a4728fb239efe)
    [The SRC_URI HASH no longer exists in repo so use 0.0.2 version]
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Googletest: Adapt googletest 1.11.0 with gcc11
  Author: sana kazi | Age: 2023-06-19 | Files: 2 | Lines: -1/+44

    Backport a commit to fix the build error when using gcc11.

    [commit]
    https://github.com/google/googletest/pull/3993/commits/096014a45dc38dff993f5b7bb28a258d8323344b

    [error]
    /usr/include/gtest/gtest-printers.h:291:36: error: no matching function for call to ‘testing::internal::internal_stream_operator_without_lexical_name_lookup::StreamPrinter::PrintValue(const A::B::C::D::E::F::G&, std::nullptr_t)’
      291 |       T, decltype(Printer::PrintValue(std::declval<const T&>(), nullptr)),
          |                   ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /usr/include/gtest/gtest-printers.h:214:15: note: candidate: ‘template<class T, class, class> static void testing::internal::internal_stream_operator_without_lexical_name_lookup::StreamPrinter::PrintValue(const T&, std::ostream*)’
      214 |   static void PrintValue(const T& value, ::std::ostream* os) {
          |               ^~~~~~~~~~

    Signed-off-by: Peng Cui <peng.ca.cui@bmw.com>
    Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
    Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: use the files path correctly
  Author: Chen Qi | Age: 2023-06-15 | Files: 10 | Lines: -2/+0

    Recipes are not expected to set FILESPATH directly, they are expected to use FILESEXTRAPATH.

    I can see the setting of FILESPATH in this recipe only wants to find redis-7 specific patches and files. This could be easily achieved by using redis-7.0.11/ directory to hold all those files.

    Using FILESPATH in this way removes the possibility of overriding some files (e.g., the redis service file) from other layers via FILESEXTRAPATH:prepend, which is kind of a common practice and is actually working for basically all other recipes. This is because we have:

    meta/classes-global/base.bbclass:FILESPATH = "${@base_set_filespath(["${FILE_DIRNAME}/${BP}", "${FILE_DIRNAME}/${BPN}", "${FILE_DIRNAME}/files"], d)}"

    And FILESEXTRAPATH is handled in base_set_filespath.

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-oe: add pahole to NON_MULTILIB_RECIPES
  Author: Xiangyu Chen | Age: 2023-06-15 | Files: 1 | Lines: -1/+1

    pahole needs to line up with the kernel's architecture bitsize, so add it to NON_MULTILIB_RECIPES.

    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openldap: Fix CVE-2023-2953
  Author: Ashish Sharma | Age: 2023-06-15 | Files: 3 | Lines: -0/+108

    Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce & https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b]

    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: ignore CVE-2023-31124
  Author: Peter Marko | Age: 2023-06-15 | Files: 1 | Lines: -0/+4

    CVE-2023-31124 applies only when cross-compiling using autotools. Yocto cross-compiles via cmake which is also listed as official workaround.

    See:
    * https://nvd.nist.gov/vuln/detail/CVE-2023-31124
    * https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opencv: Fix for CVE-2023-2617
  Author: Soumya | Age: 2023-06-15 | Files: 2 | Lines: -0/+89

    A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547.

    Signed-off-by: Soumya <soumya.sambu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lapack: add packageconfig for lapacke
  Author: Adrian Zaharia | Age: 2023-06-15 | Files: 1 | Lines: -0/+3

    backport of commit:
    d799db35d lapack: add packageconfig for lapacke

    Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* gnulib: Update recipe name to 2018-12-18
  Author: schitrod=cisco.com@lists.openembedded.org | Age: 2023-06-11 | Files: 1 | Lines: -0/+0

    As per gnulib_2018-03-07 recipe information,
    SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3"
    This revision was committed on "2018-12-18".

    There is a discrepancy between SRCREV and the recipe version, which reports "CVE-2018-17942" as unpatched.

    To report "CVE-2018-17942" as patched, we need to align the recipe name with the SRCREV commit date.

    Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit 9edbe7033cc41f4a49f74717cd3146b52588ce22)
    Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    (cherry picked from commit 928658212611ea457a5eacec48f0760e03269a24)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: fix CVEs CVE-2023-32067 and CVE-2023-31130
  Author: vkumbhar | Age: 2023-06-11 | Files: 3 | Lines: -0/+415

    Fix the below CVEs:
    1) CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service.
    2) CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton().

    Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libyang: backport a fix for CVE-2023-26916
  Author: Natasha Bailey | Age: 2023-06-03 | Files: 2 | Lines: -0/+58

    This patch fixes a bug in libyang which could cause a null pointer dereference from a call to strcmp.

    Since this recipe includes ptests, the tests were run twice (once before the patch and once after) with the same results: all tests passing except utest_types, which is skipped.

    Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
    Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libbpf: installing uapi headers for native package
  Author: Xiangyu Chen | Age: 2023-05-23 | Files: 1 | Lines: -0/+5

    Use libbpf-native provided headers for pahole-native or other applications.

    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Revert "pahole: fix native package build error"
  Author: Xiangyu Chen | Age: 2023-05-23 | Files: 1 | Lines: -1/+0

    This reverts commit 0cc8e22c463324ddd833239116b1ff82ef82f42c.

    The pahole-native package should use the header from libbpf instead of linux-libc-headers, the 0cc8e22c would cause compile error, so revert it.

    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>