summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* test-manual: reproducible-builds: stop mentioning LTO bugMichael Opdenacker2023-11-031-11/+0
| | | | | | | | | | Now that https://bugzilla.yoctoproject.org/show_bug.cgi?id=14481 is closed. (From yocto-docs rev: 260b446a1a75d99399a3421cd8d6ba276f508f37) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: add security team processesMarta Rybczynska2023-11-032-0/+190
| | | | | | | | | | | | Add the initial version of the section on vulnerability reports, operations of the Security Team with a transcription of https://wiki.yoctoproject.org/wiki/Security_private_reporting (From yocto-docs rev: 13927bd3e2f89f301331583b2c5752b963822976) Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* manuals: correct "yocto-linux" by "linux-yocto"Michael Opdenacker2023-11-032-2/+2
| | | | | | | (From yocto-docs rev: 689f682c175e19664c090852d5c649280ce23fa0) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: ignore CVE-2023-4527Peter Marko2023-11-031-0/+7
| | | | | | | | | This vulnerability was introduced in 2.36, so 2.35 is not vulnerable. (From OE-Core rev: bf60773c882483f4bfe49e89be8e2f85f78b212b) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE patch correction for CVE-2023-3576Vijay Anusuri2023-11-033-3/+4
| | | | | | | | | | | | | - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576 - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576 https://security-tracker.debian.org/tracker/CVE-2023-3618 (From OE-Core rev: 63daa00279c0c3a8650d6e08a68cc32a2b98d843) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: Patch CVE-2023-45322Peter Marko2023-11-033-0/+130
| | | | | | | | | | | | | | | | | | | | | Backport patch for gitlab issue mentioned in NVD CVE report. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 The CVE is disputed because the maintainer does not think that errors after memory allocation failures are not critical enough to warrant a CVE ID. This patch will formally fix reported error case, trying to backport another 13 patches and resolve conflicts would be probably overkill due to disputed state. This CVE was ignored on master branch (as diputed). (From OE-Core rev: d29a89412b37995857269d617e16ada116f14270) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: create separate packagesFahad Arslan2023-11-011-4/+228
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is backport of commit dfb7d2c426b46502784bc9e199a468e6c1 from poky master. This is in continuation of earlier commit: 3ddddfc14f805fe7572bba129605869fb848fed4 linux-firmware: create separate package for cirrus and cnm firmwares And creates separate sub packages for firmwares corresponding to following list of licenses: LICENSE.amphion_vpu LICENCE.cw1200 LICENSE.ice_enhanced LICENCE.mediatek LICENCE.microchip LICENCE.moxa LICENSE.nxp_mc_firmware LICENCE.OLPC LICENCE.phanfw LICENCE.qla2xxx LICENCE.ti-keystone LICENCE.wl1251 LICENCE.xc4000 LICENCE.xc5000 LICENCE.xc5000c (From OE-Core rev: c110e5708465a6becc611acf97f166302a17ebdf) (From OE-Core rev: 56503e3e80603de3b69acef2f6d32836bc9e5e5d) Signed-off-by: Fahad Arslan <fahad.arslan@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: create separate package for cirrus and cnm firmwaresFahad Arslan2023-11-011-0/+28
| | | | | | | | | | | | | | | | | | | | | This is cherry-pick of commit 3ddddfc14f805fe7572bba129605869fb848fed4 from poky master. Some licenses only allow usage of corresponding firmwares when a specific hardware is present. This requires split of such firmwares from linux-firmware package to firmware specific sub package. As this split is based off of licensing, it makes sense to group firmware blobs having the same license in the same package. This commit is a first step in this direction, and creates separate packages for cirrus and cnm firmware. (From OE-Core rev: 53d9d8789efc701609a5a1e985287344c2209d62) (From OE-Core rev: 9b556e63ba3e89e83ba6e2647656a1fa6def87a4) Signed-off-by: Fahad Arslan <fahad.arslan@siemens.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package_rpm: Allow compression mode overrideNiko Mauno2023-11-011-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit 4a4d5f78a6962dda5f63e9891825c80a8a87bf66 ("package_rpm: use zstd instead of xz") changed the rpm package compressor from 'xz' to 'zstd' which results in decompression failure with BusyBox-provided 'rpm2cpio' applet and 'rpm' applet when given the '-i' (Install package) option: rpm2cpio: no gzip/bzip2/xz magic Introduce a variable which makes it possible to use a different compression mode, making it possible to override the default value for example like RPMBUILD_COMPMODE = "${@'w6T%d.xzdio' % int(d.getVar('XZ_THREADS'))}" to enable rpm decompression without including the full rpm package in the resulting root filesystem. (From OE-Core rev: a40d9258148e28cbee2168c93179cd4c1232fb62) (From OE-Core rev: ad4ea9f225b0dd6396088cc70b34f886c5fa62b4) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: Upgrade 3.0.11 -> 3.0.12Peter Marko2023-11-011-1/+1
| | | | | | | | | | | | https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023 Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023] * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363) (From OE-Core rev: 5cf9f9426de71a35b06c7b4b9b092f22243676fb) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2023-38546Archana Polampalli2023-11-012-0/+138
| | | | | | | | | | A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met. (From OE-Core rev: 9c0c09b81594979aafd74511366316419d23046e) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2023-38545Archana Polampalli2023-11-012-0/+134
| | | | | | | | | This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. (From OE-Core rev: 44971c945a615d07c91100f514377f7247796334) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-exclusion_5.10.inc: update for 5.10.197Steve Sakoman2023-11-011-23/+100
| | | | | | (From OE-Core rev: effa2f7a7424e0f25eaf3680326164e859378332) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: add example for SYSROOT_DIRS variableBELHADJ SALEM Talel2023-10-251-0/+29
| | | | | | | | (From yocto-docs rev: 63fcc08bbb053262c3292c884ac91f389f1d9d97) Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: add TOOLCHAIN_OPTIONS variableBELHADJ SALEM Talel2023-10-251-0/+10
| | | | | | | | (From yocto-docs rev: d7397a985fa085b4ca97aaebedfec5fcaf4e82de) Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: add RECIPE_SYSROOT and RECIPE_SYSROOT_NATIVEBELHADJ SALEM Talel2023-10-251-0/+38
| | | | | | | | (From yocto-docs rev: e4c3fd543cb1b98255dcd3b40819ebcc7ef3a52a) Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: start.rst: remove obsolete referenceMichael Opdenacker2023-10-251-18/+6
| | | | | | | | | | | | | Remove a reference to a web resource which is clearly marked as obsolete. Replace the unnecessarily verbose note by just links to the mentioned tools. [YOCTO #15233] (From yocto-docs rev: b2db385b859faa775f7c92072ba9bbeebb90e713) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* brief-yoctoprojectqs: use new CDN mirror for sstateMichael Opdenacker2023-10-251-1/+1
| | | | | | | | | | | Recommended instead of the Yocto Project mirror, because expected to be faster. Make sure you only set one such mirror. (From yocto-docs rev: 2c2dae48619f3e2a600fcdba7cd0dcb0bd313b75) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> CC: richard.purdie@linuxfoundation.org Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: layers: Add notes about layer.confBELHADJ SALEM Talel2023-10-251-0/+14
| | | | | | | | | | | | As discussed before with Richard Purdie, the code supports this but the documentation does not. Developers in general will not notice this or focus on it because they do not mess with the layer.conf template file, but in my opinion I think more details can help. (From yocto-docs rev: c4b94c24ff7e1b1609f9c7f0aebd24fd04d00ae9) Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: provide no-match example for COMPATIBLE_MACHINEQuentin Schulz2023-10-251-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | COMPATIBLE_MACHINE is used to forbid the use of a recipe or its packages for a specific set of machines. In some cases, it may make more sense to have the logic inverted and have the recipe always forbidden except for hand-picked machines. Such could be the case for pieces of software that only support some architectures. In that scenario, it is sometimes a bit easier on the eye and for maintenance to use the OVERRIDES mechanism but for that, a default should be set. COMPATIBLE_MACHINE:aarch64 = "^(aarch64)$" COMPATIBLE_MACHINE:mips64 = "^(mips64)$" wouldn't do much because if COMPATIBLE_MACHINE isn't set, the recipe is assumed compatible and therefore, if no default is provided we enter that case. Hence, we need to add COMPATIBLE_MACHINE = "^$" as default so that it only matches the empty string, which isn't possible for MACHINEOVERRIDES. Cc: Quentin Schulz <foss+yocto@0leil.net> (From yocto-docs rev: d66b53eebe5b2320ce12926b309e48c9e32523f3) Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* profile-manual: aesthetic cleanupsRobert P. J. Day2023-10-251-19/+21
| | | | | | | | | | | | | | | Various aesthetic cleanups of section 1 of that manual, including: * replace 'HOWTO' with manual * add more examples of sdk-related images * font fixes (From yocto-docs rev: 3f271b53f2103c3a7eb76ab17f0c945512493471) Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: Fix PACKAGECONFIG term and add an exampleBELHADJ SALEM Talel2023-10-251-10/+40
| | | | | | | | | | | | | | PACKAGECONFIG's first and second flag value will be added to PACKAGECONFIG_CONFARGS and then it will be added to the appropriate variable (EXTRA_OECMAKE, or ...) So we need to only mention PACKAGECONFIG_CONFARGS and it will lead to other variables. I added a custom example that can help understanding very well PACKAGECONFIG. (From yocto-docs rev: 94eb37ef56cbb19b5b6e28bef522a7288a1a61f9) Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev/ref-manual: Document INIT_MANAGERPaul Eggleton2023-10-251-0/+15
| | | | | | | | | | | | | The INIT_MANAGER variable was added in 3.0 but it seems we didn't get around to documenting it yet. I have added a variable glossary entry and made the basic adjustment of the "Using systemd Exclusively" section in the dev manual, however I think the latter section still needs work. (From yocto-docs rev: a84adfaeda5a790275d020fc77d721e8560a5728) Signed-off-by: Paul Eggleton <bluelightning@bluelightning.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: new-recipe.rst: add missing parenthesis to "Patching Code" sectionRobert P. J. Day2023-10-251-2/+2
| | | | | | | | | | Add missing parenthesis, and another example of a compressed patch filename. (From yocto-docs rev: febc0c6b7b5843c70ed01f9b2bda71c02091eae6) Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bsp-guide: bsp: skip Intel machines no longer supported in PokyMichael Opdenacker2023-10-251-14/+0
| | | | | | | | (From yocto-docs rev: ab6a260de80e8a73079e1ac5430a3688be025d5d) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sdk-manual: appendix-obtain: improve and update descriptionsMichael Opdenacker2023-10-251-32/+18
| | | | | | | | | | | | - Improve text formatting - Stop mentioning all possible values - Update examples - Correct descriptions (From yocto-docs rev: d44cd995e4abc1bed57a7edbe27fdfd642768d4f) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: wic: update "wic list images" outputMichael Opdenacker2023-10-251-12/+15
| | | | | | | (From yocto-docs rev: 46fdf58f4a26de2989261eb451380905ae0f1a41) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* manuals: update linux-yocto append examplesMichael Opdenacker2023-10-254-41/+40
| | | | | | | (From yocto-docs rev: b5d385f20d22566e12a7938a9894b86429f1dcfb) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: Warn about COMPATIBLE_MACHINE skipping native recipesArne Schwerdt2023-10-251-0/+7
| | | | | | | | (From yocto-docs rev: 48e5fb383570dc6a067b14cc621e4cb347db900c) Signed-off-by: Arne Schwerdt <arne.schwerdt@elbbits.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.2009 -> 9.0.2048Siddharth Doshi2023-10-251-2/+2
| | | | | | | | | This includes CVE fix for CVE-2023-5535. (From OE-Core rev: 7681436190354b5c5b6c3a82b3094badd81113de) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libx11: Security Fix for CVE-2023-43785, CVE-2023-43786 and CVE-2023-43787Siddharth Doshi2023-10-256-0/+267
| | | | | | | | | | | | CVE's Fixed: CVE-2023-43785: libX11: out-of-bounds memory access in _XkbReadKeySyms() CVE-2023-43786: libX11: stack exhaustion from infinite recursion in PutSubImage() CVE-2023-43787: libX11: integer overflow in XCreateImage() leading to a heap overflow (From OE-Core rev: 8175d023c203d524d011d8947f90fbd02786c6db) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: upgrade 20230625 -> 20230804Meenali Gupta2023-10-251-2/+2
| | | | | | | | | | | | | | | | | | | License-Update: additional firmwares upgrade include fix for CVE-2023-20569 CVE-2022-40982 CVE-2023-20593 Changelog: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ References: https://nvd.nist.gov/vuln/detail/CVE-2023-20569 https://nvd.nist.gov/vuln/detail/CVE-2022-40982 https://nvd.nist.gov/vuln/detail/CVE-2023-20593 (From OE-Core rev: d3f1448246c9711f4f23f2e12c664e0ba3ae3f02) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zlib: patch CVE-2023-45853Peter Marko2023-10-252-0/+43
| | | | | | | | | | | Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * https://github.com/madler/zlib/pull/843 (From OE-Core rev: 6e265e44febbb6fdf85c7926b9a64b731c98d814) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gawk: backport Debian patch to fix CVE-2023-4156Vijay Anusuri2023-10-252-0/+29
| | | | | | | | | | | | Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/jammy-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] (From OE-Core rev: 0547b60d3485c2e3853e5a9e0a3e051882b283f3) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: ignore RHEL specific CVE-2023-2680Lee Chee Yang2023-10-251-0/+4
| | | | | | | (From OE-Core rev: a1256b8fa415002eee78427cc292b866570ee267) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* SECURITY.md: Add fileRichard Purdie2023-10-241-0/+24
| | | | | | | | | | Add a SECURITY.md file with hints for security researchers and other parties who might report potential security vulnerabilities. (From meta-yocto rev: e3c11a51dc814fdd400998f50b17e572d453e1d2) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: SECURITY.md: add fileMarta Rybczynska2023-10-241-0/+24
| | | | | | | | | | | Add a SECURITY.md file with hints for security researchers and other parties who might report potential security vulnerabilities. (Bitbake rev: 6c1ffa9091d0c53a100e8c8c15122d28642034bd) Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* uboot-extlinux-config.bbclass: fix missed override syntax migrationQuentin Schulz2023-10-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | uboot-extlinux-config allows to specify multiple "labels" (entries in a menu, à-la grub) and each of them have their own values for some fields. Each "base" variable, e.g. UBOOT_EXTLINUX_FDT can be overridden for each label. This is done via the OVERRIDES mechanism based on the label name, e.g. UBOOT_EXTLINUX_FDT:linux if linux is a label. However, OVERRIDES doesn't contain the label globally because it's only necessary in one task. Therefore, the OVERRIDES itself is modified within the task. This means that the sigdata will not be told the dependency on UBOOT_EXTLINUX_FDT:linux, because it cannot know about it. For this reason, we need to explicitly specify which variables this task depends on via vardeps varflag for the task. This was done in the past, but we missed updating it during the override syntax migration so the cache wouldn't get invalidated if someone modifies UBOOT_EXTLINUX_FDT:linux from a configuration file or a bbappend for example. Let's fix this by migrating it to the new syntax. (From OE-Core rev: 5570e49791b770271f176a4deeb5f6f1a028cb4a) Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b4dd9d873508128adbbf5ff6cf0a3df3d2ffbcf6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxpm: upgrade to 3.5.17Siddharth Doshi2023-10-211-1/+1
| | | | | | | | | | | | | This release fixes the following CVEs: - CVE-2023-43788 - CVE-2023-43789 (From OE-Core rev: 1475a47239d77a368bcec69f12e5a63f8bebe14f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: Security fix for CVE-2023-40745Siddharth Doshi2023-10-212-0/+35
| | | | | | | | | Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] CVE: CVE-2023-40745 (From OE-Core rev: f1aa2dd493c01e18ee0f534ff00523a1274f9066) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtiff: Add fix for tiffcrop CVE-2023-1916Hitendra Prajapati2023-10-212-0/+100
| | | | | | | | | | | | | | | | | | | | | | | | | | Add fix for tiffcrop tool CVE-2023-1916 [1]. A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. The tool is no longer part of newer libtiff distributions, hence the fix is rejected by upstream in [2]. The backport is still applicable to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3]. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916 [2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535 [3] https://packages.ubuntu.com/source/focal-updates/tiff (From OE-Core rev: 4d3e7f9a157e56a4a8ffb4d16fd6401a22851307) Signed-off-by: Marek Vasut <marex@denx.de> Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 && https://gitlab.com/libtiff/libtiff/-/merge_requests/535 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: CVE-2022-48063Armin Kuster2023-10-212-0/+49
| | | | | | | | | | | | | | | | Source: Binutils MR: 128800 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd ChangeID: ab04e4ec62d054c90d94f82230adb2342ce1ee1b Description: Affects binutils < 2.40 (From OE-Core rev: 80a8d16a4038868469b4583404b6f73e12bae0f1) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47011Deepthi Hemraj2023-10-212-0/+36
| | | | | | | (From OE-Core rev: 5ff2e3c880705c2e920a4a61a5165810fadd7b84) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47008Deepthi Hemraj2023-10-212-0/+68
| | | | | | | (From OE-Core rev: 3a299d1610bf085790017569de090b0a41cf809b) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Mark CVE-2022-47696 as patchedChaitanya Vadrevu2023-10-211-0/+2
| | | | | | | (From OE-Core rev: bc480221d8091be460a1b8c4d023b9841e1df3c2) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Mark CVE-2022-47673 as patchedChaitanya Vadrevu2023-10-211-0/+2
| | | | | | | (From OE-Core rev: 96fe4b522a35f75a7d2b597d7e650dfc7ae82e27) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47695Chaitanya Vadrevu2023-10-212-0/+59
| | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] (From OE-Core rev: 4d4732c2e295fea610d266fa12bae3cc01f93dfa) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 4.0.13Lee Chee Yang2023-10-182-0/+272
| | | | | | | | (From yocto-docs rev: 9a03e60370bb4f10fa340c1e29cd743e5703653b) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overview: Add note about non-reproducibility side effectsJoshua Watt2023-10-181-0/+9
| | | | | | | | | | | Adds an additional note about some of the side effects that can occur if recipes are not reproducible and hash equivalence is enabled. (From yocto-docs rev: aaf3e97c78e235bf3042c79ecdcf0b7c1a68ca8f) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: fix testimage usage instructionsTrevor Gamblin2023-10-182-3/+3
| | | | | | | | | | | | | | | | The proper way to inherit the testimage class is now IMAGE_CLASSES += "testimage" so change lines with 'INHERIT += "testimage"' to match. This makes the dev-manual consistent with the migration guide, which already specifies that the old way causes an error. (From yocto-docs rev: 40d82ec5f55c2353ef6f052e8460a6003fd903f4) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>