summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* selftest: skip virgl test on all fedoraSteve Sakoman2023-11-171-8/+2
| | | | | | | | This test will fail any time the host has libdrm > 2.4.107 (From OE-Core rev: ff7dbcc0206203e2ece68ca91a37050a4bc822a2) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* lz4: Update sstate/equiv versions to clean cacheSteve Sakoman2023-11-171-0/+4
| | | | | | | | | There are cached reproducibility issues on the autobuilder due to CFLAGS issues, flush the bad data out the system by bumping the versions. (From OE-Core rev: f398c84405913bd8038c007f43f991f54d136571) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* lz4: use CFLAGS from bitbakeMikko Rapeli2023-11-171-1/+1
| | | | | | | | | | | | | Currently lz4 uses it's own defaults which include O3 optimization. Switch from O3 to bitbake default O2 reduces binary package size from 467056 to 331888 bytes. Enables also building with Os if needed. (From OE-Core rev: af571c0841265dfa4bd87546080e499336a37fcc) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit abaaf8c6bcd368728d298937a9406eb2aebc7a7d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* resolvconf: Fix fetch errorNaveen Saini2023-11-171-1/+1
| | | | | | | | | | | | | | Branch 'master' renamed to 'unstable', which causing following failure. Error: Fetcher failure: Unable to find revision cb19bbfbe7e52174332f68bf2f295b39d119fad3 in branch master even from upstream Switch to 'unstanble' branch. (From OE-Core rev: d4b96dc1e457b4e68c5bad685ffcfd2f250162e7) Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* assimp: Explicitly use nobranch=1 in SRC_URINaveen Saini2023-11-171-1/+1
| | | | | | | | | | | | | | Branch 'assimp_5.0_release' is not present in repo. Error: assimp-5.0.1-r0 do_fetch: Fetcher failure: Unable to find revision 8f0c6b04b2257a520aaab38421b2e090204b69df in branch assimp_5.0_release even from upstream Set nobranch=1, to fetch from v5.0.1 tag. (From OE-Core rev: 4bd92b9621909b8b528b648529baaaa48bc1c424) Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: don't warn if a patch is remoteRoss Burton2023-11-171-5/+6
| | | | | | | | | | | | | | | | | | We don't make do_cve_check depend on do_unpack because that would be a waste of time 99% of the time. The compromise here is that we can't scan remote patches for issues, but this isn't a problem so downgrade the warning to a note. Also move the check for CVEs in the filename before the local file check so that even with remote patches, we still check for CVE references in the name. (From OE-Core rev: 32a19dfbaac38cd4864281a1131ac65e1216318f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: slightly more verbose warning when adding the same package twiceRoss Burton2023-11-171-1/+1
| | | | | | | | | | | | | Occasionally the cve-check tool will warn that it is adding the same package twice. Knowing what this package is might be the first step towards understanding where this message comes from. (From OE-Core rev: e3574760ee59c1ca7d2698f09ddd37ee568f04f3) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c1179faec8583a8b7df192cf1cbf221f0e3001fc) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: sort the package list in the JSON reportRoss Burton2023-11-171-0/+2
| | | | | | | | | | | | | | | | The JSON report generated by the cve-check class is basically a huge list of packages. This list of packages is, however, unsorted. To make things easier for people comparing the JSON, or more specifically for git when archiving the JSON over time in a git repository, we can sort the list by package name. (From OE-Core rev: 5a509bc6f26247cc7561189d582c91816042fd91) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e9861be0e5020830c2ecc24fd091f4f5b05da036) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380Vijay Anusuri2023-11-173-0/+188
| | | | | | | | | | | | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] (From OE-Core rev: 41b87e7493f7b50ba0ddad941d37ef4a24a749d8) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "qemu: Backport fix for CVE-2023-0330"Steve Sakoman2023-11-173-137/+1
| | | | | | | | | | | | | | | This reverts commit 45ce9885351a2344737170e6e810dc67ab3e7ea9. Unfortunately this backport results in qemuarmv5 failing to boot with a qemu lsi hw error. [YOCTO #15274] See discussion: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15274 (From OE-Core rev: 14aa11aecf503cef08e43c90cf0bd574721ca965) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zlib: Backport fix for CVE-2023-45853Ashish Sharma2023-11-172-0/+41
| | | | | | | | | Upstream-Status: Backport from [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c] (From OE-Core rev: bbe5e13c2ff981d7defd14f9e2d91ebbe107bb4b) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Fix CVE-2023-4863Soumya Sambu2023-11-173-17/+66
| | | | | | | | | | | | | | | | | | | | Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863. CVE: CVE-2023-4863 References: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 https://security-tracker.debian.org/tracker/CVE-2023-4863 https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 (From OE-Core rev: b69bef1169cb33c153384be81845eaf903dc1570) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: ignore CVE-2023-4527Peter Marko2023-11-171-0/+7
| | | | | | | | | This vulnerability was introduced in 2.36, so 2.31 is not vulnerable. (From OE-Core rev: 3471922461627c0f0487feb09cfdc4cfeeb3f3ca) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: backport Debian patch to fix CVE-2023-41175Vijay Anusuri2023-11-172-0/+68
| | | | | | | | | | | | Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175 (From OE-Core rev: ef66190f834fde453af431cc2aadebac82b7e5b5) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: Security fix for CVE-2023-40745Hitendra Prajapati2023-11-172-0/+35
| | | | | | | | | Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 (From OE-Core rev: d282b85cf69ecfbce12224428c713cd0dc639ced) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE patch correction for CVE-2023-3576Vijay Anusuri2023-11-173-3/+4
| | | | | | | | | | | | | - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576 - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576 https://security-tracker.debian.org/tracker/CVE-2023-3618 (From OE-Core rev: 56088368bdd22a939b813c7aefd5ba475c6d4021) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kexec-tools: Ignore Fedora/RedHat specific CVE-2021-20269Lee Chee Yang2023-11-171-0/+3
| | | | | | | (From OE-Core rev: d34567be6e87afdec55973f8f75be8d44b4acd1b) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: Fix disk space monitoring on cephfsSamantha Jalabert2023-11-091-3/+4
| | | | | | | | | | | | | Error occured while running bitbake on cephfs: WARNING: The free inode of path is running low (-0.001K left) ERROR: Immediately halt since the disk space monitor action is "HALT"! (Bitbake rev: 3c7b210e9599058a48d0c38ce8034b94e2d0f781) Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to dunfell head revisionyocto-3.1.29dunfell-23.0.29Steve Sakoman2023-10-271-1/+1
| | | | | | (From OE-Core rev: 0dbf3a15321b8033ff8ed86c6aa261fdb9c3d5bb) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 3.1.29Steve Sakoman2023-10-271-1/+1
| | | | | | (From meta-yocto rev: ca9b97e06e2632b2a04002eb9bb06cd6a2c656c6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* documentation: update for 3.1.29Steve Sakoman2023-10-271-5/+5
| | | | | | | | (From yocto-docs rev: 4cb67f0f3c3e792b5925d9d3a7002a776e5c85e8) Signed-off-by: Steve Sakoman <steve@sakoman.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-exclusion_5.4.inc: update for 5.4.257Steve Sakoman2023-10-271-28/+179
| | | | | | (From OE-Core rev: 0f75737a408aef19937ee023a5e6b3e881cbd99b) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* patch.py: Use shlex instead of deprecated pipeSteve Sakoman2023-10-271-2/+4
| | | | | | | | | | | | | | The pipe library is deprecated in Python 3.11 and will be removed in Python 3.13. pipe.quote is just an import of shlex.quote anyway. Clean up imports while we're at it. (From OE-Core rev: a6ef13bdad40826d76a3331cd0878bb22510f375) Signed-off-by: Ola x Nilsson <olani@axis.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> (cherry picked from commit 5f33c7b99a991c380d1813da8248ba5470ca4d4e) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* resulttool/report: Avoid divide by zeroRichard Purdie2023-10-271-1/+4
| | | | | | | | | | Avoid a divide by zero traceback if unfortunate test counts are encountered. (From OE-Core rev: 33d3374a7149ad1afe86d86c0dc2a948f70e26bd) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c5aeea53dfacb53dedb8445cb3523dc3a8cb6dca) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: upgrade 20230625 -> 20230804Meenali Gupta2023-10-271-2/+2
| | | | | | | | | | | | | | | | | | | | | License-Update: additional firmwares upgrade include fix for CVE-2023-20569 CVE-2022-40982 CVE-2023-20593 Changelog: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ References: https://nvd.nist.gov/vuln/detail/CVE-2023-20569 https://nvd.nist.gov/vuln/detail/CVE-2022-40982 https://nvd.nist.gov/vuln/detail/CVE-2023-20593 (From OE-Core rev: 42d08fdcd3c95dbef795bb74f0ff5db8ff1b0a19) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit d3f1448246c9711f4f23f2e12c664e0ba3ae3f02) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.2009 -> 9.0.2048Siddharth Doshi2023-10-271-2/+2
| | | | | | | | | This includes CVE fix for CVE-2023-5535. (From OE-Core rev: 35fc341402f38619922dcfc4dc9e58b00be26259) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Backport fix CVE-2023-25588Ashish Sharma2023-10-272-0/+147
| | | | | | | | | Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] CVE: CVE-2023-25588 (From OE-Core rev: 6ffbb78f63e5adaadfaa9f5d5e9871ce3cfe7abf) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* SECURITY.md: Add fileRichard Purdie2023-10-241-0/+24
| | | | | | | | | | Add a SECURITY.md file with hints for security researchers and other parties who might report potential security vulnerabilities. (From meta-yocto rev: d8b84cfded9137a74ab0052ff2d7710887f29f10) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: SECURITY.md: add fileMarta Rybczynska2023-10-241-0/+24
| | | | | | | | | | | Add a SECURITY.md file with hints for security researchers and other parties who might report potential security vulnerabilities. (Bitbake rev: dd826595414c5dc1a649f45a9dd2430bf6d4699b) Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: Backport systemd-resolved: use hostname for certificate validation ↵Marek Vasut2023-10-202-0/+121
| | | | | | | | | | | | | | | | | | in DoT Widely accepted certificates for IP addresses are expensive and only affordable for larger organizations. Therefore if the user provides the hostname in the DNS= option, we should use it instead of the IP address. This fixes https://nvd.nist.gov/vuln/detail/CVE-2018-21029 per suggestion https://github.com/systemd/systemd-stable/issues/72 . CVE: CVE-2018-21029 (From OE-Core rev: 6b4a583169ae40a8d51e7ffa33785409b5111a81) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kernel.bbclass: Add force flag to rm callsRyan Eatmon2023-10-201-2/+2
| | | | | | | | | | | | | | | | | | | | The latest 6.5 kernels do not appear to create the source file in ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source so the recipe errors out when trying to remove it. Simple fix is to add the -f (force) flag to the call. (From OE-Core rev: 2e669bf797b15d803e7d6a700e449bdc467a4bcc) (From OE-Core rev: 844faa7c51ae8ec0966e9c5c3f70a1dbf2222c21) Signed-off-by: Ryan Eatmon <reatmon@ti.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Backported from kirkstone commit 7e177848f97e. Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxpm: upgrade to 3.5.17Siddharth Doshi2023-10-202-45/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | - This upgrade includes multiple security fixes. CVE-2022-4883 CVE-2022-44617 CVE-2022-46285 CVE-2022-44617 CVE-2023-43788 CVE-2023-43789 - Removed CVE-2022-46285 as it is already fixed by this upgrade. - License-update: additional copyright holders f0857c0 man pages: Correct Copyright/License notices Due to this commit LIC_FILES_CHKSUM is changed - Disable reading compressed files as that requires compress/uncompress executables. Following the approach in oe-core/master: 7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15 - Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression. (From OE-Core rev: 47e270a4fd2e086b5ee9f38891f326ce505f2319) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xorg-lib-common: Add variable to set tarball typeSiddharth Doshi2023-10-201-1/+2
| | | | | | | | | | | | | | | | Upstream has switched some new releases from bz2 to xz compression. Add an XORG_EXT variable so recipes can set the file name extension needed for the compression type. Following the approach in oe-core/master: 6a8068e036b4b2a40b38896275b936916b4db76e xorg-lib-common: Add variable to set tarball type use a variable for the tarball suffix/compression format. (From OE-Core rev: ff386fb5632c26ceb12d2381e9128b0546aef795) Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.1894 -> 9.0.2009Siddharth Doshi2023-10-201-2/+2
| | | | | | | | | This includes CVE fix for CVE-2023-5441. (From OE-Core rev: 624081236d5554dbc7c044396caabc3464b1b3ac) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Update CVE ID CVE-2023-4863Pawan2023-10-201-1/+8
| | | | | | | | | | | | | | Notice that it references different CVE id: https://nvd.nist.gov/vuln/detail/CVE-2023-5129 which was marked as a rejected duplicate of: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 but it's the same issue. Hence update CVE ID CVE-2023-4863 to CVE-2023-5129.patch. (From OE-Core rev: 7dce529515baa843ba3e5c89b2ad605b9845c59b) Signed-off-by: Pawan <badganchipv@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: Fix multiple vulnerabilitiesSiddharth Doshi2023-10-2015-0/+2710
| | | | | | | | | | | | | | CVE's Fixed: CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal() CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs CVE-2023-32636: glib: Timeout in fuzz_variant_text CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data (From OE-Core rev: b576beba80d44e67762d46bf3bc2f14c05bc0f6b) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Backport fix for CVE-2023-38546Mike Crowe2023-10-202-0/+133
| | | | | | | | | | Take patch from Debian 7.64.0-4+deb10u7. (From OE-Core rev: 364a9e46f167c2501785cd55a71cf9a614e64710) Signed-off-by: Mike Crowe <mac@mcrowe.com> CVE: CVE-2023-38546 Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Backport fix for CVE-2023-38545Mike Crowe2023-10-202-0/+149
| | | | | | | | | | | | | Backporting this change required tweaking the error value since the two-level CURLE_PROXY error reporting was introduced after curl 7.69.1. The test required some tweaks to not rely on more-recent improvements to the test infrastructure too. (From OE-Core rev: ccec26b1437f1ece4cb4f27581b0df904297358f) Signed-off-by: Mike Crowe <mac@mcrowe.com> CVE: CVE-2023-38545 Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtiff: Add fix for tiffcrop CVE-2023-1916Marek Vasut2023-10-202-0/+92
| | | | | | | | | | | | | | | | | | | | | | | Add fix for tiffcrop tool CVE-2023-1916 [1]. A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. The tool is no longer part of newer libtiff distributions, hence the fix is rejected by upstream in [2]. The backport is still applicable to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3]. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916 [2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535 [3] https://packages.ubuntu.com/source/focal-updates/tiff (From OE-Core rev: 28ad0fdd30f490612aca6cc96ee503e5f92360a8) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream ↵Marek Vasut2023-10-134-40/+372
| | | | | | | | | | | | | backport Replace the original "Wrong CRC with ASCII CRC for large files" patch with upstream backport, and add additional fix on top of the same problem which upstream detected and fixed. (From OE-Core rev: 0e167ef0eb7ac62ddb991ce80c27882863d8ee7c) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: Upgrade 1.1.1v -> 1.1.1wSourav Pramanik2023-10-131-1/+1
| | | | | | | | | | | | | https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807) (From OE-Core rev: 79b29a5f77efab978f6a2918d02ee611638aef85) Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* busybox: Backport CVE-2022-48174 fixMarek Vasut2023-10-132-0/+83
| | | | | | | | | | | | | | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 (From OE-Core rev: 634daf953e4bd8c6df3ee341b5e93cc81e1a620d) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport fix CVE-2023-43115Vijay Anusuri2023-10-132-0/+63
| | | | | | | | | | | | | | | | | | | In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115 Upstream commit: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 (From OE-Core rev: a43f7277061ee6c30c42c9318e3e9dd076563f5d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpcre2 : Follow up fix CVE-2022-1586Shinu Chandran2023-10-132-0/+31
| | | | | | | | | | | | | | | | | | | CVE-2022-1586 was originally fixed by OE commit https://github.com/openembedded/openembedded-core/commit/7f4daf88b71f through libpcre2 commit https://github.com/PCRE2Project/pcre2/commit/50a51cb7e672 The follow up patch is required to resolve a bug in the initial fix[50a51cb7e672] https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1586 https://security-tracker.debian.org/tracker/CVE-2022-1586 (From OE-Core rev: 7e2fe508b456207fd991ece7621ef8ba24b89e59) Signed-off-by: Shinu Chandran <shinucha@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xdg-utils: Fix CVE-2022-4055Hitendra Prajapati2023-10-132-0/+166
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 (From OE-Core rev: 22d2c549ba6d8be137d1d290d9a04691ca1858f2) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dbus: Add missing CVE_PRODUCTJulian Haller2023-10-131-0/+2
| | | | | | | | | | | The current dunfell CVE scans report 0 CVEs for our dbus version. This is not correct, though, as we use the wrong product name to query it. Fix this to get a proper CVE list. (From OE-Core rev: 922872c85d417a5a319aa4beef57ffa4d05faf27) Signed-off-by: Julian Haller <julian.haller@philips.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dbus: Backport fix for CVE-2023-34969Julian Haller2023-10-132-0/+97
| | | | | | | | | Upstream commit https://gitlab.freedesktop.org/dbus/dbus/-/commit/37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c (From OE-Core rev: 42bf7fee204890b15f80bf0749431aefb33efd99) Signed-off-by: Julian Haller <julian.haller@philips.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Update fix for CVE-2023-24538 & CVE-2023-39318Shubham Kulkarni2023-10-138-20/+2124
| | | | | | | | | | | | | Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 Upstream Link - CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c (From OE-Core rev: cc6f7a8e8805058aababb65e10da7ed2e3d77461) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gawk: backport Debian patch to fix CVE-2023-4156Vijay Anusuri2023-10-132-0/+29
| | | | | | | | | | | | Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] (From OE-Core rev: 68412b76948ce185d87fda73ead7b73e5ad6defd) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: Backport fix for CVE-2023-32360 and CVE-2023-4504Vijay Anusuri2023-10-133-0/+73
| | | | | | | | | | | Upstream commits: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 & https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 (From OE-Core rev: d14dce8ba2a8b4bf05c7c5ea7292b0c2c327f088) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-07 09:39:47 +0000