summaryrefslogtreecommitdiffstats
path: root/meta-oe
Commit message (Collapse)AuthorAgeFilesLines
* postgresql: refresh patchesArmin Kuster2023-09-093-24/+15
| | | | | | | | | | | | fixes: WARNING: postgresql-12.16-r0 do_patch: Fuzz detected: Applying patch 0001-Add-support-for-RISC-V.patch patching file src/include/storage/s_lock.h Hunk #2 succeeded at 339 with fuzz 1. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-oe-components: Avoid usage of nobranch=1Sourav Kumar Pramanik2023-09-042-2/+2
| | | | | | | | | The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1 for these components. Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nlohmann-json: Avoid usage of nobranch=1Sourav Pramanik2023-09-041-1/+1
| | | | | | | | | The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1. Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* rapidjson: Avoid usage of nobranch=1Sourav Pramanik2023-09-041-1/+1
| | | | | | | | | The usage of nobranch=1 in SRC_URI allows using unprotected branches. This change updates the real branch name in place of nobranch=1. Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: Update to 12.16Robert Joslyn2023-09-048-2307/+11
| | | | | | | | | | | | | | | | | | | This is a minor release to address CVEs and other bug fixes without new features. Remove patches that are fixed in this release. Release notes are available at: https://www.postgresql.org/docs/release/12.10/ https://www.postgresql.org/docs/release/12.11/ https://www.postgresql.org/docs/release/12.12/ https://www.postgresql.org/docs/release/12.13/ https://www.postgresql.org/docs/release/12.14/ https://www.postgresql.org/docs/release/12.15/ https://www.postgresql.org/docs/release/12.16/ License-Update: Copyright year updated Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: Backport fix CVE-2023-3247Ashish Sharma2023-08-163-0/+118
| | | | | Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs-14: add -fpermissive BUILD_CXXFLAGS to fix build with gcc-13 on hostMartin Jansa2023-07-251-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes nodejs-native build with gcc-13 on host: http://errors.yoctoproject.org/Errors/Details/728221/ nodejs-12 doesn't need it yet and nodejs-16 doesn't need it as well '-DV8_TYPED_ARRAY_MAX_SIZE_IN_HEAP=64' '-D__STDC_FORMAT_MACROS' '-DOPENSSL_NO_PINSHARED' '-DOPENSSL_THREADS' '-DV8_TARGET_ARCH_X64' '-DV8_EMBEDDER_STRING="-node.84"' '-DENABLE_DISASSEMBLER' '-DV8_PROMISE_INTERNAL_FIELD_COUNT=1' '-DENABLE_MINOR_MC' '-DOBJECT_PRINT' '-DV8_INTL_SUPPORT' '-DV8_CONCURRENT_MARKING' '-DV8_ARRAY_BUFFER_EXTENSION' '-DV8_ENABLE_LAZY_SOURCE_POSITIONS' '-DV8_USE_SIPHASH' '-DDISABLE_UNTRUSTED_CODE_MITIGATIONS' '-DV8_WIN64_UNWINDING_INFO' '-DV8_ENABLE_REGEXP_INTERPRETER_THREADED_DISPATCH' '-DV8_SNAPSHOT_COMPRESSION' -ITOPDIR/tmp-glibc/work/x86_64-linux/nodejs-native/14.18.1-r0/recipe-sysroot-native/usr/include -I../deps/v8 -I../deps/v8/include -I.//Release/obj/gen/torque-output-root -I.//Release/obj/gen/generate-bytecode-output-root -pthread -Wno-unused-parameter -m64 -Wno-return-type -fno-strict-aliasing -m64 -O3 -fno-omit-frame-pointer -fdata-sections -ffunction-sections -O3 -fno-rtti -fno-exceptions -std=gnu++1y -MMD -MF .//Release/.deps/Release/obj.host/v8_initializers/gen/torque-output-root/torque-generated/../../deps/v8/src/builtins/array-find-tq-csa.o.d.raw -isystemTOPDIR/tmp-glibc/work/x86_64-linux/nodejs-native/14.18.1-r0/recipe-sysroot-native/usr/include -isystemTOPDIR/tmp-glibc/work/x86_64-linux/nodejs-native/14.18.1-r0/recipe-sysroot-native/usr/include -O2 -pipe -c In file included from /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/bits/move.h:37, from /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/bits/stl_function.h:60, from /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/functional:49, from ../deps/v8/src/codegen/code-stub-assembler.h:8, from ../deps/v8/src/builtins/builtins-promise-gen.h:8, from ../deps/v8/src/builtins/builtins-async-gen.h:8, from ../deps/v8/src/builtins/builtins-async-function-gen.cc:5: /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/type_traits: In instantiation of ‘struct std::is_convertible<v8::internal::Cell, v8::internal::Object>’: ../deps/v8/src/codegen/tnode.h:262:72: required from ‘const bool v8::internal::is_subtype<v8::internal::Cell, v8::internal::Cell>::value’ ../deps/v8/src/codegen/tnode.h:346:75: required by substitution of ‘template<class U, typename std::enable_if<v8::internal::is_subtype<U, v8::internal::Cell>::value, int>::type <anonymous> > v8::internal::TNode<v8::internal::Cell>::TNode(const v8::internal::TNode<T>&) [with U = v8::internal::Cell; typename std::enable_if<v8::internal::is_subtype<U, v8::internal::Cell>::value, int>::type <anonymous> = <missing>]’ ../deps/v8/src/codegen/code-stub-assembler.h:1868:33: required from here /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/type_traits:1417:30: error: invalid use of incomplete type ‘class v8::internal::Cell’ [-fpermissive] 1417 | : public __bool_constant<__is_convertible(_From, _To)> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from ../deps/v8/src/objects/objects.h:26, from ../deps/v8/src/objects/fixed-array.h:10, from ../deps/v8/src/objects/contexts.h:8, from ../deps/v8/src/execution/thread-local-top.h:10, from ../deps/v8/src/execution/isolate-data.h:12, from ../deps/v8/src/execution/isolate.h:24, from ../deps/v8/src/codegen/interface-descriptors.h:14, from ../deps/v8/src/codegen/callable.h:8, from ../deps/v8/src/codegen/code-factory.h:8, from ../deps/v8/src/compiler/code-assembler.h:17, from ../deps/v8/src/codegen/code-stub-assembler.h:15: ../deps/v8/src/objects/object-list-macros.h:19:7: note: forward declaration of ‘class v8::internal::Cell’ 19 | class Cell; | ^~~~ In file included from ../deps/v8/src/codegen/interface-descriptors.h:12: ../deps/v8/src/codegen/tnode.h: In instantiation of ‘const bool v8::internal::is_subtype<v8::internal::Cell, v8::internal::Cell>::value’: ../deps/v8/src/codegen/tnode.h:346:75: required by substitution of ‘template<class U, typename std::enable_if<v8::internal::is_subtype<U, v8::internal::Cell>::value, int>::type <anonymous> > v8::internal::TNode<v8::internal::Cell>::TNode(const v8::internal::TNode<T>&) [with U = v8::internal::Cell; typename std::enable_if<v8::internal::is_subtype<U, v8::internal::Cell>::value, int>::type <anonymous> = <missing>]’ ../deps/v8/src/codegen/code-stub-assembler.h:1868:33: required from here ../deps/v8/src/codegen/tnode.h:262:72: error: ‘value’ is not a member of ‘std::is_convertible<v8::internal::Cell, v8::internal::Object>’ 262 | std::is_convertible<T, Object>::value); | ^~~~~ Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix build with gcc13Khem Raj2023-07-253-0/+65
| | | | | | | | | | | | | | | | | * MJ: remove AUTHORS modification from the original patch from nodejs-16, so that the same patch does apply for both 14 and 12 versions used in dunfell * MJ: gcc-13 isn't used for target builds in dunfell, but can be used on host, so this is useful backport for nodejs-native * MJ: this fixes default nodejs-native-12, nodejs-native-14 with negative D_P might need additional fix on top Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: CVE-2023-32067 0-byte UDP payload Denial of ServiceVijay Anusuri2023-07-222-0/+85
| | | | | | | Upstream-Status: Backport from https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sysdig: Depend on system libb64Khem Raj2023-07-221-2/+1
| | | | | | | | | | | | | | | | avoid using vendored version Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d8053b7e2b21c651b34b48f025f47cb511c36e37) [FIxes this error --- LOG END --- | error: downloading 'http://download.draios.com/dependencies/libb64-1.2.src.zip' failed | status_code: 22 | status_string: "HTTP response code said error" | log: | --- LOG BEGIN --- ] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libb64: Add recipeKhem Raj2023-07-228-0/+337
| | | | | | | | | | | | Add Base64 encode/decode library, some packages e.g. sysdig can benefit from it Disable parallel make as it races at times make[1]: *** No rule to make target 'libb64.a', needed by 'c-example1'. Stop. Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6946f40707ed43426cd05ada1933e4867c7f6d4f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Fix tigervnc crash due to missing xkbcomp rdependsAlexander Thoma2023-07-221-1/+1
| | | | | | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 447de4d47ba2deba1af80201b91bb312f184fe0e) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit b3b00a270edfd27e2dfc05d5a6a5cab94324ad65) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openldap: fix CVE-2021-27212 Assertion failure in slapdHitendra Prajapati2023-07-142-0/+32
| | | | | | | Upstream-Status: Backport from https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* multipath-tools: fix CVE-2022-41974Hitendra Prajapati2023-07-142-0/+163
| | | | | | | Upstream-Status: Backport from https://github.com/openSUSE/multipath-tools/commit/fbbf280a0e26026c19879d938ebb2a8200b6357c Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* yajl: CVE-2023-33460 memory leak in yajl_tree_parse functionHitendra Prajapati2023-07-142-1/+32
| | | | | | | Upstream-Status: Backport from https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: fix CVE-2023-2454 & CVE-2023-2455vkumbhar2023-07-143-0/+355
| | | | | | | | | fixed Below security CVE: 1)CVE-2023-2454 postgresql: schema_element defeats protective search_path changes. 2)CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: whitelist CVE-2023-31124virendra thakur2023-07-141-0/+4
| | | | | | | | | | | | CVE-2023-31124 applies only when cross-compiling using autotools. Yocto cross-compiles via cmake which is also listed as official workaround. See: * https://nvd.nist.gov/vuln/detail/CVE-2023-31124 * https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4 Signed-off-by: virendra thakur <virendrak@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libssh: CVE-2020-16135 NULL pointer dereference in sftpserver.c if ↵Vijay Anusuri2023-07-145-1/+193
| | | | | | | | | | | | | | | | ssh_buffer_new returns NULL Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53 & https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40 & https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181 & https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: CVE-2023-31147 Insufficient randomness in generation of DNS query IDsHitendra Prajapati2023-06-232-0/+718
| | | | | | | Upstream-Status: Backport from https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: CVE-2023-31130 fix Buffer UnderwriteHitendra Prajapati2023-06-232-0/+330
| | | | | | | Upstream-Status: Backport from https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* c-ares: fix CVE-2022-4904 & Update SRC_URI branch and protocolsVijay Anusuri2023-06-232-1/+70
| | | | | | | | | | | Upstream-Status: Backport [https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/kirkstone-nut&id=092e125f44f65427d42db95db3779daf4893d10f & https://git.openembedded.org/meta-openembedded-contrib/commit/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb?h=stable/kirkstone-nut&id=b402a3076fbafe05d0b8621e50603b65c3fe8147 Upstream-Commit: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openldap: Fix CVE-2023-2953Vijay Anusuri2023-06-233-0/+108
| | | | | | | | | | Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce & https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* gnulib: Update recipe name to 2018-12-18schitrod=cisco.com@lists.openembedded.org2023-06-231-0/+0
| | | | | | | | | | | | | | | | | | As per gnulib_2018-03-07 recipe information, SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3" This revision was committed on "2018-12-18". There is a discrepancy between SRCREV and the recipe version. Which reports "CVE-2018-17942" as unpatched. To report "CVE-2018-17942" as patched, We need to align a recipe name with SRCREV commit date. Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9edbe7033cc41f4a49f74717cd3146b52588ce22) Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* spirv-tools: switch from master branch to main for re2Samuli Piippo2023-06-231-1/+1
| | | | | Signed-off-by: Samuli Piippo <samuli.piippo@qt.io> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: fix native node-gyp to work with python-3.11Martin Jansa2023-06-232-0/+47
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: make 14.18.1 available but not defaultNarpat Mali2023-05-168-0/+493
| | | | | | | | | | | | | | | | | | | | | | | | | Chromium 112 needs nodejs-native version 14 or later. Add the nodejs_14.18.1 recipe from kirkstone: 246b20b92 nodejs: Upgrade to 14.18.1 but, use DEFAULT_PREFERENCE to make sure that the default version of nodejs remains 12.x. 7 patches which were modified between nodejs 12 & nodejs 14 were renamed by adding the suffix "-nodejs14". Note there are some common patches used by nodejs 12 & 14 so, that will require attention during future maintenance. In addition, there were 3 CVE-2022* patches which applied cleanly to nodejs 14 so, they were added to the nodejs 14 recipe. One patch, CVE-llhttp.patch conflicted so, it has not been applied in nodejs 14 yet. Nodejs 14 compile for qemux86-64 but, no run-time testing has been performed. For chromium, we would either require users to modify the local.conf file or we may create a dunfell specific branch in meta-browser. See: https://github.com/OSSystems/meta-browser/pull/709 Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: backport fix for native build failure due to dangling pointer with gcc13Jack Mitchell2023-05-162-0/+76
| | | | | | | | Upstream-Status: Backport Link: https://github.com/nss-dev/nss/commit/cbf5a2bce75ca2c2fd3e247796b9892f5298584e Signed-off-by: Jack Mitchell <ml@embed.me.uk> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: backport fix for native build failure due to implicit casting with gcc13Jack Mitchell2023-05-162-0/+47
| | | | | | | | Upstream-Status: Backport Link: https://github.com/nss-dev/nss/commit/4e7e332b25a2794f381323518e52d8d95273b69e Signed-off-by: Jack Mitchell <ml@embed.me.uk> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurelyHitendra Prajapati2023-05-052-0/+158
| | | | | | | | | | | | | | | | | | | | | Upstream-Status: Backport from https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f dev/shm may have unsafe permissions. Use /run instead. Use systemd's tmpfiles.d mechanism to create /run/multipath early during boot. For backward compatibilty, make the runtime directory configurable via the "runtimedir" make variable. QA Issue: non -dev/-dbg/nativesdk- package multipath-tools-libs contains symlink .so '/usr/lib/libdmmp.so' ... Fix this by making the new pattern for multipath-tools-libs package more specific. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lcov: Fix Perl PathAlex Yao2023-05-051-1/+1
| | | | | | | | | | Fixes an issue where lcov is using the system Perl rather than the yocto provided Perl. This causes packages to not be found during runtime such as PerlIO::gzip. Signed-off-by: Alex Yao <alexyao1@meraki.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* jsoncpp: Fix broken handling of escape charactersViktor Rosendahl2023-05-052-1/+56
| | | | | | | | | | | | | | | | | | | | | | | Applying this backported patch from upstream fixes the following BAT test failure: jsoncpp.jsoncpp_system_tests.TestJsoncpp.test_run_jsoncpp_test (from systemtests--bmt--BAT) : * Detail of EscapeSequenceTest/writeEscapeSequence test failure: /usr/src/debug/jsoncpp/1.9.2-r0/git/src/test_lib_json/main.cpp(3370): expected == result Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"] ' Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","𤭢"] This test failure happens because aarch64 uses unsigned char as default type for char, while x86 uses signed char. Also, there is another bug in the code that is fixed by this upstream patch: "static_cast<unsigned char>(*cur) < 0x80" should be: "static_cast<unsigned char>(*cur) >= 0x80" Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libmodbus: Fix CVE-2022-0367Hugo SIMELIERE2023-05-032-1/+42
| | | | | Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: Update to latest lts 10.4.28Armin Kuster2023-04-063-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Source: Mariadb.org MR: 119595, 119604, 119613, 119622, 119631, 119640, 119649, 119658, 119573 Type: Security Fix Disposition: Backport from mariadb.org ChangeID: 2aacce87739247d98ee5b61d1b714930da961a30 Description: This is a bug fix only update. Includes these CVES: CVE-2022-32081 CVE-2022-32083 CVE-2022-32084 CVE-2022-32085 CVE-2022-32086 CVE-2022-32087 CVE-2022-32088 CVE-2022-32089 CVE-2022-32091 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> -- V2] Missed on CVE reference.
* syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parserHitendra Prajapati2023-04-062-0/+630
| | | | | | | Upstream-Status: Backport from https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 && https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a && https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d && https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 && https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 && https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 && https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 && https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: fix CVE-2022-47015 NULL pointer dereference in ↵vkumbhar2023-04-062-0/+270
| | | | | | | | | | | | spider_db_mbase::print_warnings() The function spider_db_mbase::print_warnings() can potentially result in a null pointer dereference. Remove the null pointer dereference by cleaning up the function. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: CVE-2022-41862 Client memory disclosure when connecting with ↵Hitendra Prajapati2023-04-062-0/+49
| | | | | | | | | Kerberos to modified server Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Fix CVE CVE-2023-0767Virendra Thakur2023-04-062-0/+125
| | | | | | | | Add CVE-2023-0767.patch to fix CVE-2023-0767 Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Bhabu Bindu <bindudaniel1996@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xterm: Remove undeclared variables introduced by backportChris Rogers2023-03-181-15/+6
| | | | | | | | | | | | | | | CVE-2022-45063 ported onto the dunfell baseline introduces two variables that cause xterm to fail compilation with the error ./fontutils.c:4143:13: error: 'added' undeclared (first use in this function) These two variables don't appear to be defined at all in findXftGlyph for xterm_353, so they should be removed. Fixes: 10148c538ebc("xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063") Signed-off-by: Chris Rogers <crogers122@gmail.com> Tested-by: Jason Andryuk <jandryuk@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix CVEs for nodejsPoonam Jadhav2023-03-182-0/+4349
| | | | | | | | | | | Add patch file CVE-llhttp.patch to fix CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35256 of nodejs. Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix CVE-2022-43548Poonam Jadhav2023-03-182-0/+215
| | | | | | | | | | Add patch to fix CVE-2022-43548 Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix CVE-2022-35255Poonam Jadhav2023-03-182-0/+238
| | | | | | | | | | Add patch to fix CVE-2022-35255 Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: Fix CVE-2022-32212Poonam Jadhav2023-03-182-0/+134
| | | | | | | | | | Add patch to fix CVE-2022-32212 Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: Security fix for CVE-2022-31676Priyal Doshi2023-03-182-0/+40
| | | | | | | Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 Signed-off-by: Priyal Doshi <pdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* zeromq: 4.3.2 -> 4.3.4Roger Knecht2023-02-222-6/+6
| | | | | | | | | | | Fixes: - CVE-2021-20236 Patch changes: - Refreshed 0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch Signed-off-by: Roger Knecht <roger@norberthealth.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsingHitendra Prajapati2023-02-222-0/+111
| | | | | | | Upstream-Status: Backport from https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Fix CVE-2020-25648Mathieu Dubois-Briand2023-02-222-0/+164
| | | | | Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Whitelist CVEs related to libnssdbmMathieu Dubois-Briand2023-02-221-0/+4
| | | | | | | | | | | | These CVEs only affect libnssdbm, compiled when --enable-legacy-db is used. https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6 https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8 https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6 https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9 Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Add missing CVE productMathieu Dubois-Briand2023-02-221-0/+2
| | | | | Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: update 7.4.28 -> 7.4.33Valeria Petrov2023-01-191-1/+1
| | | | | | | | | | | | | | | Update php from 7.4.28 to 7.4.33 Fixes below CVEs: CVE-2021-21708 CVE-2022-31626 CVE-2022-31625 CVE-2022-31628 CVE-2022-31629 CVE-2022-31630 CVE-2022-37454 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] ↵Siddharth Doshi2023-01-192-0/+786
| | | | | | | | | | CVE-2022-45063 Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322] CVE: CVE-2022-45063 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-03 19:14:29 +0000