Commit message | Author | Age | Files | Lines
...
* openssl: patch CVE-2024-2511 | Peter Marko | 2024-04-19 | 2 | -0/+123
  Patch: https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
  News: https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36
  (From OE-Core rev: 42fc40198dfcbb5e96d7f2af7fc134e2b021d82a)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081 | Vijay Anusuri | 2024-04-19 | 3 | -0/+98
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
  (From OE-Core rev: 223950f9c748f89ee1b2a9df9cd77a0099e74581)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE | Sana Kazi | 2024-04-19 | 1 | -0/+5
  Add CVE-2023-51767 to CVE_CHECK_IGNORE to avoid it in cve-check reports, as upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and does not intend to address it in OpenSSH.
  (From OE-Core rev: de4186610335201c69d8952d605bb291f4a7427c)
  Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
  Signed-off-by: Sana Kazi <sana.kazisk19@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perl: ignore CVE-2023-47100 | Alex Stewart | 2024-04-19 | 1 | -0/+3
  CVE-2023-47100 is a duplicate of CVE-2023-47038. They have the same advertised fix commit, which has already been merged into the perl_5.34.3 sources used in kirkstone.
  (From OE-Core rev: 8df158f39f1eed1e3ae88ddf935c67e067b72525)
  Signed-off-by: Alex Stewart <alex.stewart@ni.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: fix typo in CVE-2023-32360 backport patch | Jonathan GUILLOT | 2024-04-19 | 1 | -1/+1
  The typo prevents cupsd from starting correctly, with the following error:
    Unable to read "/etc/cups/cupsd.conf" due to errors.
  Using `/usr/sbin/cupsd -t` to check the configuration:
    Unknown authorization type Defaul on line 77 of /etc/cups/cupsd.conf.
    Unknown Policy Limit directive AuthType on line 77 of /etc/cups/cupsd.conf.
  (From OE-Core rev: eab100205bc5cdffc5ccc7752e1ee5abd9ebb58a)
  Signed-off-by: Jonathan GUILLOT <jonathan@joggee.fr>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: improve descriptions of 'bitbake -S printdiff' | Alexander Kanavin | 2024-04-05 | 2 | -7/+13
  Try to particularly emphasize that it can be used to find out why something rebuilds when it shouldn't.
  (From yocto-docs rev: 1cd543e62e8f1b65e65108d919c2f481001e044c)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: add documentation of the variable SPDX_NAMESPACE_PREFIX | BELOUARGA Mohamed | 2024-04-05 | 1 | -0/+5
  The documentation of the variable SPDX_NAMESPACE_PREFIX does not exist. This variable is used to change the prefix of some links in SPDX docs.
  (From yocto-docs rev: 0055b7ea1cdf72359695e08fe6d2ca9a405fba51)
  Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* profile-manual: usage.rst: further style improvements | Michael Opdenacker | 2024-04-05 | 3 | -173/+187
  According to errors reported by "make stylecheck".
  (From yocto-docs rev: b3aaf4523190f7528d49c29a9aea234bb1647eae)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* contributor-guide: be more specific about meta-* trees | Martin Jansa | 2024-04-05 | 1 | -1/+1
  * this is often confused as applying to e.g. meta-oe as well, where it doesn't apply, as meta-oe has its own ML mentioned in its README.
  (From yocto-docs rev: 98102408fe5468529e040a138f09c8fbc5fe065a)
  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 4.0.17 | Lee Chee Yang | 2024-04-05 | 2 | -0/+239
  (From yocto-docs rev: 8267ccacea77a657cf92bcd2b48bec5f2ef61849)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* profile-manual: usage.rst: fix reference to bug report | Michael Opdenacker | 2024-04-05 | 1 | -3/+3
  This allows removing nested parentheses in the text!
  (From yocto-docs rev: a0ba062f8b31426f80ccd760e29b054405ee2a8e)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* manuals: use "manual page(s)" | Michael Opdenacker | 2024-04-05 | 3 | -16/+16
  Instead of "manpage(s)" or "man page(s)". To address one of the errors reported by "make stylecheck".
  (From yocto-docs rev: f6e69f8877d1d33200993f21b448e7fa3cf7859b)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* profile-manual: usage.rst: formatting fixes | Michael Opdenacker | 2024-04-05 | 1 | -235/+238
  Plus a few text styling improvements, some reported by "make stylecheck".
  (From yocto-docs rev: ce0e83716197773d8eae0c2f0edc1cf290ebd60f)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* manuals: add initial stylechecks with Vale | Michael Opdenacker | 2024-04-05 | 7 | -1/+58
  Use the "Vale" (https://vale.sh) tool to perform text style checks.
  Run "make stylecheck" to run the checks.
  This just checks the text, not the Sphinx syntax style choices.
  (From yocto-docs rev: e3e4ba2aa963d4d178c4e9e842e66f4ee4bd3736)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Suggested-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* common-licenses: Backport missing license | Colin McAllister | 2024-04-05 | 1 | -0/+181
  Backports missing license from master to kirkstone.
  (From OE-Core rev: 26a878cbfbb3bc7a6e892e105577ebf8138ce150)
  Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: Backport sanitizer fix for 32-bit ASLR | Claus Stovgaard | 2024-04-05 | 2 | -0/+64
  When using the gcc-sanitizers as part of the SDK on a Linux with a newer kernel, the ASAN fails randomly. This was seen on Ubuntu 22.04.
  This is also described at https://stackoverflow.com/questions/77894856/possible-bug-in-gcc-sanitizers
  Backport the fix from the LLVM project, as gcc has not yet backported anything for the 11 series.
  (From OE-Core rev: 7af8e24d6c60a01e398b10a57939947fb156feec)
  Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: update to v1.26.18 | Tan Wen Yan | 2024-04-05 | 1 | -1/+1
  https://github.com/urllib3/urllib3/releases/tag/1.26.18
  Major changes in python3-urllib3 1.26.18:
  - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803)
  (cherry picked from OE-Core rev: 74da05b63634c248910594456dae286947f33da5)
  (From OE-Core rev: c473f32184ea0ab41f6eb4c8dcc1d7bb5fd7b16f)
  Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
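The rule the urllib3 1.26.18 entry above describes, as an added example (this is illustration code written for this page, not urllib3's implementation): when a 303 turns a POST into a GET, the original body and its framing headers must not travel with the follow-up request, otherwise whatever the POST carried is resent to the host named in Location. The `strip_body` switch exists only to put the old behaviour beside the corrected one; the request shape and the header list are assumptions made for this demo.

```python
"""Redirect handling for a 303 that changes the method to GET.

Added example; not urllib3's code.  `strip_body=False` reproduces the
pre-1.26.18 behaviour, `strip_body=True` the corrected one.
"""

# Headers that only make sense together with a body (assumed list).
BODY_HEADERS = ("content-length", "content-type", "transfer-encoding")


def redirected_request(method, headers, body, status, location, strip_body=True):
    """Return (method, url, headers, body) for the follow-up request.

    303 See Other always turns the request into a GET.  307/308 keep the
    method and body unchanged.  Once the method has become GET, the body
    and the headers describing it must be dropped as well; a GET with a
    leftover POST body leaks that body to the redirect target.
    """
    new_method = "GET" if status == 303 else method
    new_headers = dict(headers)
    new_body = body
    if new_method == "GET" and method != "GET" and strip_body:
        new_body = None
        new_headers = {k: v for k, v in headers.items()
                       if k.lower() not in BODY_HEADERS}
    return new_method, location, new_headers, new_body


# Constructed sample request: a login POST that is answered with a 303 to
# a different host.  Hostnames are placeholders.
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "27",
    "User-Agent": "demo-client/1.0",
}
SAMPLE_BODY = b"user=alice&password=hunter2"
SAMPLE_LOCATION = "https://other.example/landing"


def vulnerable_follow():
    """Old behaviour: method flips to GET but the body is kept."""
    return redirected_request("POST", SAMPLE_HEADERS, SAMPLE_BODY,
                              303, SAMPLE_LOCATION, strip_body=False)


def fixed_follow():
    """Corrected behaviour: body and body-framing headers are removed."""
    return redirected_request("POST", SAMPLE_HEADERS, SAMPLE_BODY,
                              303, SAMPLE_LOCATION, strip_body=True)


if __name__ == "__main__":
    print("before fix:", vulnerable_follow())
    print("after fix: ", fixed_follow())
```

A 307 or 308 keeps the method and the body by design; the function only alters the request for the 303 case, which is the one the changelog entry names.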
* tiff: fix CVE-2023-52356 CVE-2023-6277 | Lee Chee Yang | 2024-04-05 | 6 | -0/+527
  Import patch from Ubuntu to fix CVE-2023-52356 and CVE-2023-6277.
  Imported from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
  (From OE-Core rev: 4728df36bb3888df4d3cc0db1fd66138e865c511)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: Fix for CVE-2023-6683 | Vijay Anusuri | 2024-04-05 | 2 | -0/+93
  Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
  Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683
  (From OE-Core rev: f099f9ff95c42444cbfa63630a6f160fd98997ed)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: backport Debian patch for CVE-2024-2398 | Vijay Anusuri | 2024-04-05 | 2 | -0/+90
  Import patch from Ubuntu to fix CVE-2024-2398.
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
  Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
  (From OE-Core rev: 67026cbb62e166b6a9f5509708531ebe0f36c36d)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* expat: fix CVE-2023-52425 | Meenali Gupta | 2024-04-05 | 13 | -0/+1132
  libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-52425
  Changes related to the test directory are not included, as most of the files are not present and are introduced in a later version.
  (From OE-Core rev: 1bdcd10930a2998f6bbe56b3ba4c9b6c91203b39)
  Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: fix CVE-2023-6816 CVE-2024-0408/0409 | Lee Chee Yang | 2024-04-05 | 4 | -0/+172
  fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409
  (From OE-Core rev: e8feba36e09aefffcafcebc85ec75abb5b97b3eb)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nghttp2: fix CVE-2023-44487 | aszh07 | 2024-04-05 | 2 | -0/+928
  The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-44487
  https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
  (From OE-Core rev: 0156b57dcdb2e5acdd9421a7c24c235f13da2d97)
  Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
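The attack pattern the nghttp2 entry above describes is a client opening a stream with HEADERS and immediately cancelling it with RST_STREAM, thousands of times per second, so the server pays for request setup while the client stays under the concurrent-stream limit. The usual mitigation shape is to rate-limit resets per connection and tear the connection down when the limit is exceeded. Below is an added example of that logic run over a constructed frame trace; it is written for this page and is not nghttp2's code, and the bucket size and refill rate are illustrative assumptions rather than nghttp2's defaults.

```python
"""Token-bucket limit on stream resets per HTTP/2 connection.

Added example against the Rapid Reset pattern (CVE-2023-44487); not
nghttp2's implementation.  burst/rate values are assumptions for the demo.
"""


class ResetRateLimiter:
    """Allow at most `burst` resets at once, refilling `rate` per second."""

    def __init__(self, burst=1000, rate=33.0):
        self.burst = burst
        self.rate = rate
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Consume one token at time `now`; False means the limit is hit."""
        elapsed = max(0.0, now - self.last)          # clock only moves forward
        self.last = max(self.last, now)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def scan_trace(events, burst=1000, rate=33.0):
    """Run the limiter over (timestamp_s, conn_id, frame_type, stream_id)
    tuples in arrival order.  Returns, per connection, how many resets were
    accepted and whether the connection should be closed (GOAWAY)."""
    limiters, stats = {}, {}
    for ts, conn, ftype, sid in events:
        st = stats.setdefault(conn, {"accepted_resets": 0, "closed": False})
        if st["closed"]:
            continue                      # frames after GOAWAY are ignored
        if ftype != "RST_STREAM":
            continue                      # only resets are counted by this rule
        lim = limiters.setdefault(conn, ResetRateLimiter(burst, rate))
        if lim.allow(ts):
            st["accepted_resets"] += 1
        else:
            st["closed"] = True
    return stats


def rapid_reset_trace(conn, pairs, t0=0.0, spacing=0.0):
    """Constructed attacker trace: HEADERS immediately followed by RST_STREAM
    on a fresh stream, `pairs` times.  spacing=0.0 models a burst faster
    than the server's clock resolution."""
    out = []
    for i in range(pairs):
        sid = 2 * i + 1                   # client-initiated streams are odd
        out.append((t0 + i * spacing, conn, "HEADERS", sid))
        out.append((t0 + i * spacing, conn, "RST_STREAM", sid))
    return out


def normal_trace(conn, requests, cancels, t0=0.0):
    """Constructed well-behaved client: one request per second, the first
    `cancels` of them cancelled half a second later."""
    out = []
    for i in range(requests):
        sid = 2 * i + 1
        out.append((t0 + i, conn, "HEADERS", sid))
        if i < cancels:
            out.append((t0 + i + 0.5, conn, "RST_STREAM", sid))
    return out


if __name__ == "__main__":
    trace = sorted(rapid_reset_trace("attacker", 1200) + normal_trace("browser", 50, 5),
                   key=lambda e: e[0])
    for conn, st in scan_trace(trace).items():
        print(conn, st)
```

The limiter is deliberately per connection and counts only RST_STREAM: the concurrent-stream limit alone does not help, because each cancelled stream is gone before the next one is opened. A real server would also want to count the resets it sends itself in response to malformed streams, since an attacker can provoke those just as cheaply.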
* manuals: document VIRTUAL-RUNTIME variables | Michael Opdenacker | 2024-03-25 | 2 | -9/+36
  Document the convention to use variables prefixed by VIRTUAL_RUNTIME. Add references to the new term where possible.
  Another reason is that such variables are recommended in a warning issued by meta/classes-global/insane.bbclass
  (From yocto-docs rev: db88c2021062c95fe49b54351952753390d45a6a)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Reported-by: Tim Orling <ticotimo@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* contributor-guide: add notes for tests | Simone Weiß | 2024-03-25 | 1 | -0/+32
  This adds some hints on whether and how changes should be tested when contributing.
  Fixes [YOCTO #15412]
  (From yocto-docs rev: 649843f4d20d1d840e1c6c4ce15e89b3a8508e0f)
  Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* manuals: replace hyphens with em dashes | Michael Opdenacker | 2024-03-25 | 23 | -92/+91
  Fix some hyphens being improperly used as em dashes. See https://www.grammarly.com/blog/hyphens-and-dashes/
  Using em dashes may also allow Sphinx to hyphenate and break lines in the best way.
  Note that the first character after an em dash is not supposed to be capitalized, unless a specific rule applies, typically when what follows is a proper noun.
  Fix a few misuses of parentheses in the following text.
  (From yocto-docs rev: a0d93ea1ddfdfbcde8dac3aa328307be778f9e3c)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: packages: fix capitalization | Michael Opdenacker | 2024-03-25 | 1 | -1/+1
  Using "PR service" instead of "PR Service", like in the other two instances in this document.
  (From yocto-docs rev: ef8b7d30738fe8ae6702da111bbafdc0e00e86bf)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Reported-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
  Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: adding multiple groups in GROUPADD_PARAM | Geoff Parker | 2024-03-25 | 1 | -0/+8
  Add missing documentation on how to add multiple groups with a single GROUPADD_PARAM:${PN}
  (From yocto-docs rev: 46f82dcb3b4042491efd44b9c15a06e3c910ec85)
  Signed-off-by: Geoff Parker <geoffrey.parker@arthrex.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: correct sdk installation default path | Johan Bezem | 2024-03-25 | 2 | -2/+6
  The SDKPATH variable seems mistakenly identified as the default path where the SDK will be installed by the generated installation script, unless option '-d' or a manual input overrides this default.
  The intended variable is SDKPATHINSTALL. SDKPATH indicates where the SDK is being composed and built.
  The definitions have been added/updated.
  (From yocto-docs rev: f7ce2abbdcff625356b337137e91f642ff6a4dc2)
  Signed-off-by: Johan Bezem <jbezem.extern@arri.de>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: tasks: do_cleansstate: recommend using '-f' instead for a shared sstate | Luca Ceresoli | 2024-03-25 | 1 | -1/+13
  do_cleansstate can produce build errors when using a shared sstate cache.
  Add a note to clearly discourage it, provide a safe alternative (bitbake -f), and give the rationale.
  Suggested-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
  Link: https://lore.kernel.org/yocto-docs/20240219155513.76738-1-luca.ceresoli@bootlin.com/T/#m5529687ecb0f9ec2dacddcb6ff58e2df73af9cde
  (From yocto-docs rev: 3fb8b5ad7edfa186744396deb7111ba3e31a857b)
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: tasks: do_cleanall: recommend using '-f' instead | Luca Ceresoli | 2024-03-25 | 1 | -3/+23
  do_cleanall can produce failures when used in legitimate cases, such as with recipe variants (foo and foo-native) or a shared DL_DIR. This is why it is forbidden when writing tests that will run on the autobuilders (https://docs.yoctoproject.org/test-manual/intro.html?highlight=cleanall#considerations-when-writing-tests).
  Reword the documentation to clearly discourage it, provide a safe alternative (bitbake -f -c fetch), and give the rationale with an example.
  Reported-by: Sam Liddicott
  Link: https://bootlin.com/blog/yocto-sharing-the-sstate-cache-and-download-directories/#comment-2650335
  (From yocto-docs rev: 92e1d1fba336de12637b75b043b86485b80324a2)
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: Fix subscript typos for get_nscd_addresses | Haitao Liu | 2024-03-25 | 2 | -0/+41
  Fix the following error:
    root@intel-x86-64:~# wget -6 http://localhost
    --2024-01-12 07:18:42-- http://localhost/
    Resolving localhost... failed: No IPv4/IPv6 addresses for host.
    wget: unable to resolve host address 'localhost'
  Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=29605
  Upstream-patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8
  (From OE-Core rev: 1b5405955c7c2579ed1f52522e2e177d0281fa33)
  Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* stress-ng: avoid calling sync during do_compile | Martin Jansa | 2024-03-25 | 2 | -0/+36
  Calling 'sync' from do_compile in the middle of a big OE world build harms the build time.
  (From OE-Core rev: b2de7d75692fd4c9e0a6f46a099b89089edb10d4)
  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* yocto-uninative: Update to 4.4 for glibc 2.39 | Michael Halstead | 2024-03-25 | 1 | -5/+5
  (From OE-Core rev: d8e3d1eb489f658c8c328a35d41b29bc849c3207)
  Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 56fdd8b79e2f7ec30d2cdcfa0c399a6553efac1e)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: upgrade 20231211 -> 20240220 | Alexander Kanavin | 2024-03-25 | 1 | -3/+3
  License-Update: additional files
  (From OE-Core rev: e5956d94ba9fa5b5b2f6bfda8e533bc8c6d4c59f)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit add81ef0299ea5260f9bdc59ffc8f5cc0e74276f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23 | Alex Kiernan | 2024-03-25 | 1 | -2/+2
  Upstream maintainer has changed to Chen-Yu Tsai <wens@kernel.org>:
  https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/
  Note that fb768d3b13ff ("wifi: cfg80211: Add my certificate") and 3c2a8ebe3fe6 ("wifi: cfg80211: fix certs build to not depend on file order") are required if you are using kernel signature verification.
  (From OE-Core rev: 11c9c6eec5ff45cd1fd4858bc28f38693c5d0fde)
  Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit abf169fbbf8bab13224adf4c8bfa2e26607f360c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wireless-regdb: upgrade 2023.05.03 -> 2023.09.01 | Wang Mingyu | 2024-03-25 | 1 | -1/+1
  Changelog:
  ==========
  wireless-regdb: update regulatory database based on preceding changes
  wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
  wireless-regdb: Update regulatory info for Türkiye (TR)
  wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidel...
  wireless-regdb: Update regulatory rules for Philippines (PH)
  (From OE-Core rev: 3af65ed130493e14a87818b76b06f9ca7c717874)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Remove rejected CVE from database | Yoann Congal | 2024-03-25 | 1 | -0/+4
  When a CVE is updated to be rejected, matching database entries must be removed. Otherwise:
  * an incremental update is not equivalent to an initial download.
  * rejected CVEs might still appear as Unpatched in cve-check.
  (From OE-Core rev: 717f0df5f35272f7706e4f92cc8b57cdda8066b6)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Fix CVE configuration update | Yoann Congal | 2024-03-25 | 1 | -0/+4
  When a CVE is created, it often has no precise version information and this is stored as "-" (matching any version). After an update, version information is added. The previous "-" must be removed, otherwise the CVE is still "Unpatched" for cve-check.
  (From OE-Core rev: 38402b5e89d43bf2a45c8f5f2d631033be5019cd)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: nvd_request_next: Improve comment | Yoann Congal | 2024-03-25 | 1 | -1/+2
  Add a URL to the doc of the API used in the function.
  ... and fix a small typo dabase -> database
  (From OE-Core rev: a98387021d80b5055a773f909eb685513902fb12)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition | Yoann Congal | 2024-03-25 | 1 | -2/+0
  CVE_CHECK_DB_FILE is already defined in cve-check.bbclass, which is always inherited in cve-update-nvd2-native (there is a check at line 40).
  Remove it to avoid confusion. Otherwise, this should not change anything.
  (From OE-Core rev: b6285f0549d1c708adfe147c63eb6cda24462ff3)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Add an age threshold for incremental update | Yoann Congal | 2024-03-25 | 1 | -4/+16
  Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to specify the maximum age of the database for doing an incremental update. For older databases, a full re-download is done.
  With a value of "0", this forces a full re-download.
  (From OE-Core rev: 5259971a4785e7f664c0f588f34f8ef537c5c4c5)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
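The three cve-update-nvd2-native entries above (rejected CVEs, the "-" any-version placeholder, and the age threshold) all come down to one property: an incremental update must leave the local database in the same state a fresh full download would. The added example below shows those rules on an in-memory SQLite mirror. It is illustration code written for this page, not the class's own implementation; the two-table layout, the record dictionaries, the CVE identifiers and the assumption that the threshold is expressed in days are all constructed for the demo.

```python
"""Incremental-update rules for a local CVE mirror.

Added example; not the cve-update-nvd2-native code.  Schema, record
layout, function names and CVE ids below are constructed for the demo.
"""
import sqlite3

SCHEMA = """
CREATE TABLE nvd (id TEXT PRIMARY KEY, status TEXT, summary TEXT);
CREATE TABLE products (
    id TEXT, vendor TEXT, product TEXT,
    version_start TEXT, operator_start TEXT,
    version_end TEXT, operator_end TEXT
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def apply_record(conn, rec):
    """Apply one (constructed) NVD record to the mirror.

    Rows for this CVE are deleted *before* anything is inserted.  Without
    that, a CVE that later becomes Rejected keeps its old product rows, and
    a CVE first stored with the "-" (any version) placeholder keeps that
    row next to the real range added later; either way the package stays
    Unpatched in cve-check although a fresh download would not list it.
    """
    cve = rec["id"]
    conn.execute("DELETE FROM products WHERE id = ?", (cve,))
    conn.execute("DELETE FROM nvd WHERE id = ?", (cve,))
    if rec["status"] == "Rejected":
        return                                  # nothing to re-add
    conn.execute("INSERT INTO nvd VALUES (?, ?, ?)",
                 (cve, rec["status"], rec.get("summary", "")))
    for vendor, product, ranges in rec.get("configurations", []):
        if not ranges:
            # No version data yet: "-" matches every version of the product.
            conn.execute("INSERT INTO products VALUES (?,?,?,?,?,?,?)",
                         (cve, vendor, product, "-", "", "", ""))
        for v_start, op_start, v_end, op_end in ranges:
            conn.execute("INSERT INTO products VALUES (?,?,?,?,?,?,?)",
                         (cve, vendor, product, v_start, op_start, v_end, op_end))


def version_rows(conn, cve, vendor, product):
    """Version constraints currently stored for one (cve, vendor, product)."""
    return conn.execute(
        "SELECT version_start, operator_start, version_end, operator_end "
        "FROM products WHERE id = ? AND vendor = ? AND product = ? "
        "ORDER BY version_start", (cve, vendor, product)).fetchall()


def known_cves(conn):
    return [r[0] for r in conn.execute("SELECT id FROM nvd ORDER BY id")]


def should_full_redownload(db_age_seconds, threshold_days):
    """CVE_DB_INCR_UPDATE_AGE_THRES semantics (units assumed to be days):
    0 forces a full re-download; a database older than the threshold is
    re-downloaded, a younger one is updated incrementally."""
    if threshold_days <= 0:
        return True
    return db_age_seconds > threshold_days * 86400


def demo():
    """Replay a constructed sequence of NVD updates and report the state
    after each step.  CVE ids are placeholders, not real advisories."""
    conn = open_db()
    out = {}
    # Step 1: CVE published without version data -> "-" placeholder row.
    apply_record(conn, {"id": "CVE-2024-0001", "status": "Received",
                        "configurations": [("acme", "widget", [])]})
    out["first"] = version_rows(conn, "CVE-2024-0001", "acme", "widget")
    # Step 2: analysis adds a real range; the "-" row must disappear.
    apply_record(conn, {"id": "CVE-2024-0001", "status": "Analyzed",
                        "configurations": [("acme", "widget",
                                            [("1.0", ">=", "1.4", "<")])]})
    out["updated"] = version_rows(conn, "CVE-2024-0001", "acme", "widget")
    # Step 3: a second CVE is published, then rejected.
    apply_record(conn, {"id": "CVE-2024-0002", "status": "Analyzed",
                        "configurations": [("acme", "gadget",
                                            [("2.0", ">=", "2.1", "<")])]})
    apply_record(conn, {"id": "CVE-2024-0002", "status": "Rejected"})
    out["rejected_products"] = version_rows(conn, "CVE-2024-0002", "acme", "gadget")
    out["cves"] = known_cves(conn)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The delete-then-insert order is what makes the incremental path converge on the full-download state; the age threshold is the safety net for databases that have missed so many incremental windows that replaying them is no longer cheaper than starting over.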
* cve-update-nvd2-native: Fix typo in comment | Yoann Congal | 2024-03-25 | 1 | -1/+1
  attmepts -> attempts
  (From OE-Core rev: 6f49c54a0ecc9d6e79816ce8dd7b65e5a8013df6)
  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit dc18aaeda8e810f9082a0ceac08e5e4275bbd0f7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-cryptography: Backport fix for CVE-2024-26130 | Vijay Anusuri | 2024-03-25 | 2 | -0/+67
  Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
  (From OE-Core rev: 7864c4605cde4851df644dd1d2867bd28d155710)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* expat: fix CVE-2023-52426 | Meenali Gupta | 2024-03-25 | 12 | -0/+1322
  A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a recursive XML Entity Expansion condition can be triggered. This issue may lead to a condition where data is expanded exponentially, which will quickly consume system resources and cause a denial of service.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-52426
  https://github.com/libexpat/libexpat/pull/777
  (From OE-Core rev: aa20dd9eb68f04a5f1556123ad1b2398de911d93)
  Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
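The expansion the CVE-2023-52426 entry above describes is the classic "billion laughs" shape: each internal entity references the previous one ten times, so a few hundred bytes of DTD expand to gigabytes of character data. libexpat's own amplification limit is only compiled in for XML_DTD builds, so an application that cannot vouch for the build it links against is better off bounding expansion itself. The added example below does that on top of Python's bundled expat bindings: it sizes every internal entity as it is declared and aborts the parse before an oversized one can be expanded. This is illustration code written for this page, not libexpat's fix; the documents and the 100 kB limit are constructed for the demo.

```python
"""Application-level bound on internal entity expansion.

Added example on top of xml.parsers.expat; not libexpat's fix for
CVE-2023-52426.  Sample documents and the limit are constructed.
"""
import re
import xml.parsers.expat as expat

# Matches &name; (general entity references, not &#...; character refs).
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    pass


class BoundedExpansionParser:
    def __init__(self, max_expansion=100_000):
        self.max_expansion = max_expansion
        self.entities = {}                 # internal entity name -> literal value
        self.text = []
        self.parser = expat.ParserCreate()
        self.parser.EntityDeclHandler = self._on_entity_decl
        self.parser.CharacterDataHandler = self.text.append

    def _expanded_size(self, name, stack=()):
        """Bytes `name` expands to, resolving nested references through the
        declarations seen so far.  Stops counting once the limit is passed,
        so the walk itself cannot become the DoS."""
        if name in stack:
            raise EntityExpansionError("recursive entity %r" % name)
        value = self.entities.get(name)
        if value is None:
            return 0                       # undeclared or external: not expanded here
        size, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            size += m.start() - last
            size += self._expanded_size(m.group(1), stack + (name,))
            last = m.end()
            if size > self.max_expansion:
                return size
        return size + len(value) - last

    def _on_entity_decl(self, name, is_param, value, base, system_id,
                        public_id, notation):
        if is_param or value is None:
            return                         # parameter/external entities: skip
        if name not in self.entities:      # XML: first declaration wins
            self.entities[name] = value
        size = self._expanded_size(name)
        if size > self.max_expansion:
            raise EntityExpansionError(
                "entity %r expands to %d bytes (limit %d)"
                % (name, size, self.max_expansion))

    def parse(self, data):
        """Return the document's character data, or raise before any
        oversized entity is ever expanded (handler exceptions abort Parse)."""
        self.parser.Parse(data, True)
        return "".join(self.text)


def check(data, max_expansion=100_000):
    """(True, text) for an accepted document, (False, reason) otherwise."""
    try:
        return True, BoundedExpansionParser(max_expansion).parse(data)
    except EntityExpansionError as exc:
        return False, str(exc)


# Constructed inputs.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "hi">'
          '<!ENTITY b "&a;&a;">]><x>&b;</x>')


def billion_laughs(levels=9):
    """Classic payload: lolN = 10 x lol(N-1); lol9 expands to 3 * 10**9 bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, "&lol%d;" % (i - 1) * 10))
    return ('<?xml version="1.0"?><!DOCTYPE x [%s]><x>&lol%d;</x>'
            % ("".join(decls), levels))


if __name__ == "__main__":
    print(check(BENIGN))
    print(check(billion_laughs()))
```

The guard fires at the declaration of the first entity whose expansion exceeds the limit (lol5, at 300,000 bytes, in the constructed payload), so the parser never reaches the `&lol9;` reference in content. Documents with modest nesting parse normally and their expanded text is returned.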
* expat: patch CVE-2024-28757 | Peter Marko | 2024-03-25 | 2 | -0/+59
  Picked patch from https://github.com/libexpat/libexpat/pull/842 which is referenced in the NVD CVE report.
  (From OE-Core rev: c02175e97348836429cecbfad15d89be040bbd92)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to kirkstone head revision [tags: yocto-4.0.17, kirkstone-4.0.17] | Steve Sakoman | 2024-03-13 | 1 | -1/+1
  (From OE-Core rev: 2501534c9581c6c3439f525d630be11554a57d24)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.17 | Steve Sakoman | 2024-03-13 | 1 | -1/+1
  (From meta-yocto rev: 2e1962250eeb91ac4037ddaa844b5611ce287745)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* yocto-bsp: update to v5.15.150 | Bruce Ashfield | 2024-03-13 | 1 | -8/+8
  Bumping the reference BSPs to match the version of the qemu* BSPs in oe-core.
  (From meta-yocto rev: 26e04e6682c2658673b0295f853a59c630d5e16d)
  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* librsvg: Fix do_package_qa error for librsvg | Nikhil R | 2024-03-13 | 1 | -0/+2
  When using the meta-rust layer for rust, the below do_package_qa error in librsvg is observed.
  Fix the below error:
    ERROR: librsvg-2.52.10-r0 do_package_qa: QA Issue: File /usr/bin/rsvg-convert in package rsvg doesn't have GNU_HASH (didn't pass LDFLAGS?)
    File /usr/bin/rsvg-convert in package rsvg doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
    ERROR: librsvg-2.52.10-r0 do_package_qa: Fatal QA errors were found, failing task.
  (From OE-Core rev: 8829495c716d48bae47b5f738abb3c85ad3f21b1)
  Signed-off-by: Nikhil R <nikhil.r@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>