| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rust-cross had special handling for armv7 targets but we also need this
for cross-canadian. Merge the code into the main function so everything is
consistent.
Also then fix the arm definition to be arm-eabi since ABI is correctly
being looked up.
(From OE-Core rev: 0adada8111c17e8e5a7c32cef86bdb8e7dfd79d3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ff3c3dbbd2bf1bb7bb70b55cca203e9eedcf14a8)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based upon a patch from Otavio Salvador <otavio@ossystems.com.br>,
ensure the target json files are written in the correct order with
the most specific last incase it overwrites earlier files if the prefixes
match.
(From OE-Core rev: d8c030ef90272e42a1697f5195f887d09878aa01)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1912c4e9e0ecf9655f3b3a41588b54d7956f5899)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a 'BUILD' target is requested we shouldn't be looking at TARGET_SYS but
at BUILD_SYS. Due to the way rust mangles triplets, we need the HOST_SYS triplet
to work with existing code - fixing that issue is a separate patch.
Also drop the arch_abi argument, it doens't make any sense to a getVar() call
and was a copy and paste error.
Based on a patch from Otavio Salvador <otavio@ossystems.com.br> but separated out
and tweaked.
Fixes: bd36593ba3 ("rust-common: Drop LLVM_TARGET and simplify")
(From OE-Core rev: cccbb8358be830b83a43fe1ff8a88932dee1c228)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d554161a045d12411f288394e253c54aa4c1257c)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the default value into a variable which can be overridden to
match more accurately the use case specific scenario.
(From OE-Core rev: 645370e85d8742d0614cd52ca7507b5df2d38ad8)
(From OE-Core rev: 93458c302938bf704e8e9f14dfdfee57454adf7a)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083
(From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds a patch that is a partial backport of an upstream
commit[1].
It fixes a bug in go's DNS resolver that was causing a docker issue
where the first "docker pull" always fails after system boot if docker
daemon is started before networking is completely up.
[1] https://github.com/golang/go/commit/d52883f443e1d564b0300acdd382af1769bf0477
(From OE-Core rev: 8c8b01e84844a7e721c668d5ffbc7161e67f0862)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
These CVEs affect path handling on Windows.
(From OE-Core rev: 60f75fd6a671fcbfeefb634fe88f6faa17b446b7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 88cbf5eb4a075e677b1f9e6444ec6378a5949978)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 03e6ea59d82e613ba3b5d388fa87317cef982f2b)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream Repository: https://gitlab.com/qemu-project/qemu.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544
Type: Security Fix
CVE: CVE-2023-1544
Score: 6.3
Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c
(From OE-Core rev: d019fcc99c542d49be6e1615a5c75f88f8ff5a52)
Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There was an extra space between the result and ':'.
After removing extra space, the ptest result will be:
result : testname -> result: testname
(From OE-Core rev: 4bb6373e5f4a1330a063d1afe855d6c24d5461e7)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 3fd5701a861aa263ad1d912bfd44d4d5826d11a1)
Signed-off-by: Sanjana <Sanjana.Venkatesh@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: a1256b8fa415002eee78427cc292b866570ee267)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: Binutils
MR: 128800
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd
ChangeID: ab04e4ec62d054c90d94f82230adb2342ce1ee1b
Description:
Affects binutils < 2.40
(From OE-Core rev: 80a8d16a4038868469b4583404b6f73e12bae0f1)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 5ff2e3c880705c2e920a4a61a5165810fadd7b84)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 3a299d1610bf085790017569de090b0a41cf809b)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: bc480221d8091be460a1b8c4d023b9841e1df3c2)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 96fe4b522a35f75a7d2b597d7e650dfc7ae82e27)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
(From OE-Core rev: 4d4732c2e295fea610d266fa12bae3cc01f93dfa)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 2572b32e729831762790ebfbf930a1140657faea)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8c46ded67df2d830c8bbf5f7b82d75db81d797e2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests
when redirecting to a different host. As before, different headers can
be set via Retry.remove_headers_on_redirect. (CVE-2023-43804)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many
distinct origins would cause connection pools to be closed while
requests are in progress (#2954)
(From OE-Core rev: 27a1de55a46b7b313eb2a6370e9d779a7cd49154)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
* Fix socket timeout value when "HTTPConnection" is reused ('#2645 <https://github.com/urllib3/urllib3/issues/2645>'__)
* Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
('#2899 <https://github.com/urllib3/urllib3/issues/2899>'__)
* Fix IDNA handling of '\x80' byte ('#2901 <https://github.com/urllib3/urllib3/issues/2901>'__)
(From OE-Core rev: a335ccbcc9913e79bfe958c41690b7efa189ae93)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8e062efbac29a81831c3060bcae601dc533d65dd)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://github.com/urllib3/urllib3/blob/1.26.14/CHANGES.rst#12614-2023-01-11
1.26.14 (2023-01-11)
Fixed parsing of port 0 (zero) returning None, instead of 0. (#2850)
Removed deprecated getheaders() calls in contrib module.
(From OE-Core rev: aefb7af6b56269d45170beb99e6c878bf2448b78)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55ab1bf20e6893088acb6460e9004dac8e205559)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: e8ae3247795d9333f6252bbec85a8e09c0c9cb48)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b18552f69a2eb8900981a10ba386dc4f862b29c3)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 69a610b440b5e9e92931e43bd1c75230bb99f03e)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit cb05578af3ace6e3983f93e16d9ad1ac2a65fbe2)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: d83b4afc17839b6c11b540aabf056647ddacb587)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dbe07ff87e2cb1a8276e69a43c7cdbb9ae6e5493)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add dependence python3-logging.
Changelog:
=========
* Removed support for Python 3.5
* Fixed an issue where a "ProxyError" recommending configuring the proxy as HTTP
instead of HTTPS could appear even when an HTTPS proxy wasn't configured.
(From OE-Core rev: d9f200b931e48d957b721005f0140ef3fff55af3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8a26a92dfe367472daf086a33a1b30ff6d17540)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: b2fa5b29462a16b238f8a6a40886b45aa483e963)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 7a42ae332ebde565cc7c6fca568563f076bd26ba)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The output of python3-jinja2 ptest should follow a unified format as below
result: testname
Reference:
https://wiki.yoctoproject.org/wiki/Ptest
(From OE-Core rev: edfed23716e6240a65f53630bbaf8b7319f0d1ce)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
* needed on hosts with gcc-13 for ccache-native
(From OE-Core rev: 6618e5bf994f49ed93bebc4280980e297be6af98)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
Upstream Link -
CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
(From OE-Core rev: 0d8f7062d4fb5525f34427b1a7304f165bee0cfc)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently NVD updated all CVEs for json-c and old fixed
CVE-2020-12762 is reported by cve_check now.
NVD match clause now includes full tag name including
date which is "greater" than tag without additional numbers.
Fix it by defining CVE_VERSION identical to full tag.
Put it close to hash so recipe update patch includes this line.
(From OE-Core rev: 55e9ff0fe1de70f226557529f73c28f34f6956ed)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.
Changelog:
==========
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by @bodograumann in #1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in #1634
- Fix CVE-2023-40590 by @EliahKagan in #1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in #1619
- util: close lockfile after opening successfully by @skshetry in #1639
- Bump actions/checkout from 3 to 4 by @dependabot in #1643
- Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645
- Fix CVE-2023-41040 by @facutuesca in #1644
- Only make config more permissive in tests that need it by @EliahKagan in #1648
- Added test for PR #1645 submodule path by @CosmosAtlas in #1647
- Fix Windows environment variable upcasing bug by @EliahKagan in #1650
- Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654
- Better document env_case test/fixture and cwd by @EliahKagan in #1657
- Remove spurious executable permissions by @EliahKagan in #1658
- Fix up checks in Makefile and make them portable by @EliahKagan in #1661
- Fix URLs that were redirecting to another license by @EliahKagan in #1662
- Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
- Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
- Omit py_modules in setup by @EliahKagan in #1665
- Don't track code coverage temporary files by @EliahKagan in #1666
- Configure tox by @EliahKagan in #1667
- Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668
- Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673
- Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
- Remove @NoEffect annotations by @EliahKagan in #1677
- Add more checks for the validity of refnames by @facutuesca in #1672
Note that the changes to the license file are just removal of excess whitespace
(the extra blank line at the end, and spaces appearing at the end of lines).
References:
https://github.com/gitpython-developers/GitPython/releases
https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558
(From OE-Core rev: 35cb21d6c8076428c0c60f03bb1b8f6945e2a07c)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
Backport two patches [1] [2] to fix CVE-2023-36617
(From OE-Core rev: 7a40082e4e080eaf5f88bd24f7169b7731028529)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
CVE: CVE-2023-39318
(From OE-Core rev: 35fa5c12f86bda2c8542bdb57074f55808697a42)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It checks build host filesystem and if it doesn't find UTC or GMT
files it installs another copy of tzdata files in:
/usr/lib/tcl8.6/tzdata
Buildhistory shows the difference:
-PKGSIZE = 2227075
+PKGSIZE = 3433088
See the autodetection in configure.in:
#------------------------------------------------------------------------
# Check whether the timezone data is supplied by the OS or has
# to be installed by Tcl. The default is autodetection, but can
# be overridden on the configure command line either way.
#------------------------------------------------------------------------
AC_MSG_CHECKING([for timezone data])
AC_ARG_WITH(tzdata,
AC_HELP_STRING([--with-tzdata],
[install timezone data (default: autodetect)]),
[tcl_ok=$withval], [tcl_ok=auto])
#
# Any directories that get added here must also be added to the
# search path in ::tcl::clock::Initialize (library/clock.tcl).
#
case $tcl_ok in
no)
AC_MSG_RESULT([supplied by OS vendor])
;;
yes)
# nothing to do here
;;
auto*)
AC_CACHE_VAL([tcl_cv_dir_zoneinfo], [
for dir in /usr/share/zoneinfo \
/usr/share/lib/zoneinfo \
/usr/lib/zoneinfo
do
if test -f $dir/UTC -o -f $dir/GMT
then
tcl_cv_dir_zoneinfo="$dir"
break
fi
done])
if test -n "$tcl_cv_dir_zoneinfo"; then
tcl_ok=no
AC_MSG_RESULT([$dir])
else
tcl_ok=yes
fi
;;
*)
AC_MSG_ERROR([invalid argument: $tcl_ok])
;;
esac
if test $tcl_ok = yes
then
AC_MSG_RESULT([supplied by Tcl])
INSTALL_TZDATA=install-tzdata
fi
(From OE-Core rev: 79498ea0e9eb88ad0175f7376c57efb46217a4a4)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ace9fbfeb42ebf920812e3dd6d665b8b20a1ca0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a horrible hack to get pseudo working with glibc 2.38. We can't
drop _GNU_SOURCE to something like _DEFAULT_SOURCE since we need the defines
the gnu options bring in. That leaves using internal glibc defines to disable
the c23 versions of strtol/fscanf and friends. Which would break pseudo
build with 2.38 from running on hosts with older glibc.
We'll probably need to come up with something better but this gets glibc 2.38
and working and avoids autobuilder failures.
(From OE-Core rev: 909fd25c2ebd25f5d3bc560e26f9df6862e033d0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 596fb699d470d7779bfa694e04908929ffeabcf7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Below commits on binutils-2.38 stable branch are updated.
ea5fe5d01e5 PR30697, ppc32 mix of local-dynamic and global-dynamic TLS
(From OE-Core rev: e8becc003d6926cc347ec42c0f13dcd5d9042b4d)
Signed-off-by: Sanjana <sanjanasanju1608@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This series of patches fixes deficiencies in GCC's -fstack-protector
implementation for AArch64 when using dynamically allocated stack space.
This is CVE-2023-4039. See:
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
for more details.
(From OE-Core rev: e6592fc8308240872300a6295162e14d54c5a905)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 860ecdbbf5cfd8737c914522af16dbc8bee0f72f)
Signed-off-by: Sanjana <sanjanasanju1608@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The html/template package does not apply the proper rules for handling
occurrences of "<script", "<!--", and "</script" within JS literals in
<script> contexts. This may cause the template parser to improperly
consider script contexts to be terminated early, causing actions to be
improperly escaped. This could be leveraged to perform an XSS attack.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39319
(From OE-Core rev: afdc322ecff4cfd8478c89a03f7fce748a132b48)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are
disabling gdb in binutils configure.
Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
CVE: CVE-2023-39128
(From OE-Core rev: 1a19a101cecc578aac84e365a361b76f129fe655)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to
out-of-bounds write.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3638
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
(From OE-Core rev: ebbdbb68a7804accd5430dd05f7899599ddbacd8)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2022-40896:
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.
The CVE issue is fixed by 3 different commits between the releases 2.14.0
(for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java
properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04
Hence, backported the patch as CVE-2022-40896.patch.
2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
Actually, this code doesn't exist in 2.11.2 version and it has been introduce by
python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version.
SQL+Jinja lexers is introduced by: https://github.com/pygments/pygments/commit/0bdbd5992baca32d18e01f0ec65337e06abf9456
3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52
Actually, this code also doesn't exist in 2.11.2 version as the code has been modified
in python3-pygments 2.14.0 by: https://github.com/pygments/pygments/commit/a38cb38e93c9635240b3ae89d78d38cf182745da
Hence, this is also not vulnerable for 2.11.2 version.
(From OE-Core rev: ebb224e65a7e1402ccf0d9517bd72748c18e012e)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the host gcc version, libdnf fails to compile due to
missing cstdint inclusions. These issue have already been addressed
upstream, add the patches to resolve this for older versions of the
library.
These commits are taken directly from the libdnf project at
https://github.com/rpm-software-management/libdnf
(From OE-Core rev: e1d9bc1f88bd989bafc20063938d7a70e1da104f)
Signed-off-by: Abe Kohandel <abe.kohandel@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release date: 2023-08-24
Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.
Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.
C API
gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data:
*consumed was not set.
(From OE-Core rev: a30e51b8d13912f0d68bfffcd2d8ae6431d2b863)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A Segmentation Fault issue discovered in in ieee_segment function in outieee.c
in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service
via crafted assembly file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-21528
Upstream patches:
https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b
(From OE-Core rev: 87c4ec2d73ac2e52005e16e38a9a12affb8d51bd)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
| |
ignore changes to FILE_RCSID part.
(From OE-Core rev: 20b5ead99d4904e70ea22f573bfefec8c6e862a2)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a read past end of buffer issue in the json_parse test app,
which can happened with malformed json data. It's not an issue with the
library itself. For what ever reason this CVE has a base score of 9.8.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-32292
Upstream issue:
https://github.com/json-c/json-c/issues/654
The CVE is fixed with version 0.16 (which is already in all active
branches of poky).
(From OE-Core rev: a7b93651028b55d71b8db53ea831eee7fd539f33)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|