path: root/meta/recipes-support

Commit log (each entry: subject, author, date, files changed, lines -removed/+added):
* curl: backport Debian patch for CVE-2024-2398  (Vijay Anusuri, 2024-04-05, 2 files, -0/+89)

    import patch from ubuntu to fix CVE-2024-2398

    Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security
    Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]

    (From OE-Core rev: ce65f86c55ecf2c0e52564488e0237ba24429c45)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade v9.0.2130 -> v9.0.2190  (Tim Orling, 2024-02-27, 1 file, -2/+2)

    This is the latest/last of the 9.0.z upgrades, since 9.1 is now released.

    CVE: CVE-2024-22667 (includes the patch for .2142 https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47)

    Changes: https://github.com/vim/vim/compare/v9.0.2130...v9.0.2190

    (From OE-Core rev: 15c0077162f6af1908b3767b12ac79f24090b59d)

    Signed-off-by: Tim Orling <tim.orling@konsulko.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: ignore CVE-2023-42915  (Peter Marko, 2024-02-16, 1 file, -0/+3)

    This CVE reports that Apple had to upgrade curl because of other already reported CVEs:
    * CVE-2023-38039: not affected, introduced in 7.84.0
    * CVE-2023-38545: patch already backported
    * CVE-2023-38546: patch already backported
    * CVE-2023-42915: reference to itself

    (From OE-Core rev: 067740c834a98cd8f5cfff7f73418d18b8e1249a)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: Backport fix for CVE-2024-0553  (Vijay Anusuri, 2024-01-31, 2 files, -0/+126)

    CVE-2024-0553

    A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

    Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]

    (From OE-Core rev: a07cc0b6fa4a485f318fd2957e434b63f5907d7e)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: Backport fix for CVE-2023-5981  (Vijay Anusuri, 2024-01-31, 2 files, -0/+207)

    Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
    Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

    References: https://ubuntu.com/security/CVE-2023-5981

    (From OE-Core rev: 087b7c5d8363bcc6ae801d3ca18e6490e86a1381)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: Backport fix for CVE-2023-7104  (Vijay Anusuri, 2024-01-31, 2 files, -0/+47)

    Backport https://sqlite.org/src/info/0e4e7a05c4204b47

    (From OE-Core rev: 2a418c0a55d0d4e9a70a41c9a7cfea97ec0edee9)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2023-46218  (Lee Chee Yang, 2023-12-29, 2 files, -0/+53)

    import patch from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz
    upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57

    (From OE-Core rev: 7bf11847b18d2f9a7e5467d686af817cb504b206)

    Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade 9.0.2068 -> 9.0.2130  (Tim Orling, 2023-12-08, 1 file, -2/+2)

    https://github.com/vim/vim/compare/v9.0.2068...v9.0.2130

    CVE: CVE-2023-48231
    CVE: CVE-2023-48232
    CVE: CVE-2023-48233
    CVE: CVE-2023-48234
    CVE: CVE-2023-48235
    CVE: CVE-2023-48236
    CVE: CVE-2023-48237

    (From OE-Core rev: 6baa307e0445bef8993b50cf45eeeeb1c2c3529d)

    Signed-off-by: Tim Orling <tim.orling@konsulko.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 5978d565a9e700485fc563dfe2e3c0045dd74b59)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: use upstream generated .po files  (Steve Sakoman, 2023-12-01, 1 file, -2/+4)

    A previous commit attempted to fix reproducibility errors by forcing regeneration of .po files. Unfortunately this triggered a different type of reproducibility issue.

    Work around this by adjusting the timestamps of the troublesome .po files so they are not regenerated and we use the shipped upstream versions of the files.

    The shipped version of ru.cp1251.po doesn't seem to have been created with the vim tooling and specifies CP1251 instead of cp1251, fix that.

    (From OE-Core rev: 0764da7e3f1d71eb390e5eb8a9aa1323c24d1c19)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.2048 -> 9.0.2068  (Archana Polampalli, 2023-12-01, 1 file, -2/+2)

    This includes CVE fix for CVE-2023-46246.

    9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

    References: https://nvd.nist.gov/vuln/detail/CVE-2023-46246

    (From OE-Core rev: 2854c285ebf615ea71ecfc6fc559419e72005c5e)

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: update obsolete comment  (Etienne Cordonnier, 2023-12-01, 1 file, -3/+2)

    vim 8.3 has been out for a long time, so this comment is obsolete. However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore the last digit of the upstream version number.

    Test result:
    $ devtool check-upgrade-status vim
    ...
    INFO: vim 9.0.1592 UNKNOWN Tom Rini <trini@konsulko.com> c0370529c027abc5b1698d53fcfb8c02a0c515da

    (From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3)
    (From OE-Core rev: be68cf4c3e4218cc360ce7a645c92b631224ce94)

    Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 868a19357841470eb55fb7f1c4ab1af09dea99ed)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Improve locale handling  (Richard Purdie, 2023-12-01, 1 file, -10/+4)

    When making checkouts from git, the timestamps can vary and occasionally two files can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from ru.po for example. If it isn't regenerated, the output isn't quite the same leading to reproducibility issues (CP1251 vs cp1251).

    Since we added all locales to buildtools tarball now, we can drop the locale restrictions too.

    We need to generate a native binary for the sjis conversion tool so also tweak that.

    (From OE-Core rev: 14982eabcdb96c2f7ef9e28d6c0daedb53aa96c4)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2023-28321 CVE-2023-28322  (Lee Chee Yang, 2023-12-01, 3 files, -0/+654)

    import patch from ubuntu curl_7.68.0-1ubuntu2.20.

    minor change to CVE-2023-28321.patch tests/data/test1397 part so the patch can be applied.

    (From OE-Core rev: 5cc1f487928df04c58709dd88ef6c17c171da7a5)

    Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* lz4: Update sstate/equiv versions to clean cache  (Steve Sakoman, 2023-11-17, 1 file, -0/+4)

    There are cached reproducibility issues on the autobuilder due to CFLAGS issues, flush the bad data out the system by bumping the versions.

    (From OE-Core rev: f398c84405913bd8038c007f43f991f54d136571)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* lz4: use CFLAGS from bitbake  (Mikko Rapeli, 2023-11-17, 1 file, -1/+1)

    Currently lz4 uses its own defaults which include O3 optimization. Switching from O3 to bitbake default O2 reduces binary package size from 467056 to 331888 bytes. Enables also building with Os if needed.

    (From OE-Core rev: af571c0841265dfa4bd87546080e499336a37fcc)

    Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit abaaf8c6bcd368728d298937a9406eb2aebc7a7d)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.2009 -> 9.0.2048  (Siddharth Doshi, 2023-10-27, 1 file, -2/+2)

    This includes CVE fix for CVE-2023-5535.

    (From OE-Core rev: 35fc341402f38619922dcfc4dc9e58b00be26259)

    Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.1894 -> 9.0.2009  (Siddharth Doshi, 2023-10-20, 1 file, -2/+2)

    This includes CVE fix for CVE-2023-5441.

    (From OE-Core rev: 624081236d5554dbc7c044396caabc3464b1b3ac)

    Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Backport fix for CVE-2023-38546  (Mike Crowe, 2023-10-20, 2 files, -0/+133)

    Take patch from Debian 7.64.0-4+deb10u7.

    (From OE-Core rev: 364a9e46f167c2501785cd55a71cf9a614e64710)

    Signed-off-by: Mike Crowe <mac@mcrowe.com>
    CVE: CVE-2023-38546
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Backport fix for CVE-2023-38545  (Mike Crowe, 2023-10-20, 2 files, -0/+149)

    Backporting this change required tweaking the error value since the two-level CURLE_PROXY error reporting was introduced after curl 7.69.1.

    The test required some tweaks to not rely on more-recent improvements to the test infrastructure too.

    (From OE-Core rev: ccec26b1437f1ece4cb4f27581b0df904297358f)

    Signed-off-by: Mike Crowe <mac@mcrowe.com>
    CVE: CVE-2023-38545
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpcre2: Follow up fix CVE-2022-1586  (Shinu Chandran, 2023-10-13, 2 files, -0/+31)

    CVE-2022-1586 was originally fixed by OE commit
    https://github.com/openembedded/openembedded-core/commit/7f4daf88b71f
    through libpcre2 commit
    https://github.com/PCRE2Project/pcre2/commit/50a51cb7e672

    The follow up patch is required to resolve a bug in the initial fix[50a51cb7e672]
    https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3

    Reference:
    https://nvd.nist.gov/vuln/detail/CVE-2022-1586
    https://security-tracker.debian.org/tracker/CVE-2022-1586

    (From OE-Core rev: 7e2fe508b456207fd991ece7621ef8ba24b89e59)

    Signed-off-by: Shinu Chandran <shinucha@cisco.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.0.1664 -> 9.0.1894  (Richard Purdie, 2023-09-29, 1 file, -3/+3)

    This includes multiple CVE fixes.

    The license change is due to changes in maintainership, the license itself is unchanged.

    (From OE-Core rev: a9d194f21a3bdebca8aaff204804a5fdc67c76d1)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade 9.0.1592 -> 9.0.1664  (Archana Polampalli, 2023-09-29, 1 file, -2/+2)

    Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-3896

    8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 'smoothscroll' set

    (From OE-Core rev: e9591ead43b70da5665f53f8a54f6e0c8f4d0dda)

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 4a1ab744142c9229f03a359b45e5e89a1fbae0d3)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Backport fix CVE-2023-32001  (Ashish Sharma, 2023-08-27, 2 files, -0/+39)

    (From OE-Core rev: 71ed22673545fc2bca5ac599416ecb42eb2781f8)

    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpcre2: patch CVE-2022-41409  (Peter Marko, 2023-08-16, 2 files, -0/+75)

    Backport commit mentioned in NVD DB links.
    https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35

    (From OE-Core rev: c25b88fc321b7c050108b29c75c0a159e0754f84)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade 9.0.1527 -> 9.0.1592  (Trevor Gamblin, 2023-07-22, 1 file, -2/+2)

    Fixes:
    https://nvd.nist.gov/vuln/detail/CVE-2023-2609
    d1ae836 patch 9.0.1531: crash when register contents ends up being invalid

    https://nvd.nist.gov/vuln/detail/CVE-2023-2610
    ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long text

    (From OE-Core rev: 8a481b1dfeeee8d8d3430f527da1f3f5b7d96999)

    Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2023-28320 siglongjmp race condition may lead to crash  (Vivek Kumbhar, 2023-07-22, 3 files, -0/+285)

    Introduced by: https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f (curl-7_9_8)
    Fixed by: https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 (curl-8_1_0)
    Follow-up: https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 (curl-8_1_0)

    https://curl.se/docs/CVE-2023-28320.html

    (From OE-Core rev: a6b2b550690c2ffdce1aef9da1595a42d1bc6348)

    Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libcap: backport Debian patches to fix CVE-2023-2602 and CVE-2023-2603  (Vijay Anusuri, 2023-07-04, 3 files, -0/+112)

    import patches from ubuntu to fix CVE-2023-2602 CVE-2023-2603

    Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches?h=ubuntu/focal-security
    Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
    & https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]

    (From OE-Core rev: d0718a43a00223aa074f14e769214ba11d4f8ef2)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade 9.0.1429 -> 9.0.1527  (Randy MacLeod, 2023-06-17, 1 file, -2/+2)

    Fixes:
    https://nvd.nist.gov/vuln/detail/CVE-2023-2426
    caf642c25 patch 9.0.1499: using uninitialized memory with fuzzy matching

    (From OE-Core rev: 51a6a2f7917f18f67879ea9559084393ab68520b)

    Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 4f9a8df5aca99d0a5c2d2346b27ce7be08e7896c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: amend fix for CVE-2023-27534 to fix error when ssh is enabled  (Siddharth, 2023-05-25, 3 files, -106/+68)

    The upstream patch for CVE-2023-27534 does three things:
    1) creates new path with dynbuf(dynamic buffer)
    2) solves the tilde error which causes CVE-2023-27534
    3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.

    dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but do add extra features in later versions.

    This patch completes the 3rd task of the patch which was implemented without using dynbuf

    Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]

    (From OE-Core rev: df489f644e41108cf0e2ff55af7ce5e9bca40471)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libbsd: Add correct license for all packages  (Ranjitsinh Rathod, 2023-05-16, 1 file, -0/+6)

    BSD-4-Clause is only applicable to the {PN}-doc package as when I check for the source code I find below files which only uses the license BSD-4-Clause

    ~/sources/libbsd$ grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
    COPYING
    man/arc4random.3bsd
    man/getprogname.3bsd
    man/tree.3bsd

    ~/sources/libbsd$ grep -rnB6 "BSD-4" COPYING
    COPYING-9-Files:
    COPYING-10- man/arc4random.3bsd
    COPYING-11- man/tree.3bsd
    COPYING-12-Copyright:
    COPYING-13- Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
    COPYING-14- All rights reserved.
    COPYING:15:License: BSD-4-clause-Niels-Provos

    (From OE-Core rev: 187f1588240a0eb5cc753c2114fd6c0cef66e14f)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Security fix CVE-2023-27533, CVE-2023-27535 and CVE-2023-27536  (Vijay Anusuri, 2023-05-03, 5 files, -0/+524)

    Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/focal-security
    & https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684
    & https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878
    & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c
    & https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1
    & https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]

    (From OE-Core rev: 08ffa2437967a642a4c8e35e2158bb369454764a)

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: CVE-2023-27538 fix SSH connection too eager reuse  (Hitendra Prajapati, 2023-04-26, 2 files, -0/+32)

    Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb

    (From OE-Core rev: b2740d1ff74b2c55011b5d4230c7b06b5109376d)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: CVE-2023-27534 SFTP path ~ resolving discrepancy  (Hitendra Prajapati, 2023-04-19, 2 files, -0/+124)

    Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6

    (From OE-Core rev: 9aefb4e46cf4fbf14b46f9adaf3771854553e7f3)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bmap-tools: switch to main branch  (Martin Jansa, 2023-04-14, 1 file, -1/+1)

    * master branch was removed upstream:

    downloads/git2/github.com.intel.bmap-tools $ git remote prune origin
    Pruning origin
    URL: https://github.com/intel/bmap-tools
     * [pruned] refs/heads/master
     * [pruned] refs/pull/73/merge

    * downloads/git2/github.com.intel.bmap-tools $ git branch -a --contains c0673962a8ec1624b5189dc1d24f33fe4f06785a
    main
    release-3.0

    (From OE-Core rev: 4045bf02bbc6e87a05ba689a63c675e49c940772)

    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 369fee186d6916322b9be9d936b654d0c5910cb3)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: upgrade 9.0.1403 -> 9.0.1429  (Randy MacLeod, 2023-04-14, 1 file, -2/+2)

    Fixes: CVE-2023-1127, CVE-2023-1170, CVE-2023-1175, CVE-2023-1264, CVE-2023-1355

    (From OE-Core rev: 821229f48f5b31aeb646f08c7e4656dc4ce8b0f4)

    Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 2415072c3800feb164dd4d1fa0b56bd141a5cbd8)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: CVE-2023-23916 HTTP multi-header compression denial of service  (Hitendra Prajapati, 2023-04-14, 2 files, -0/+232)

    Upstream-Status: Backport from https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9

    (From OE-Core rev: b121b59cf6f642f46c97c96f3c4cf4cd84ff2af5)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: set modified-by to the recipe MAINTAINER  (Ross Burton, 2023-03-25, 1 file, -0/+1)

    Clause II.3 of the Vim license states that any distribution of Vim that has been extended or modified must _at least_ indicate in the :version output that this is the case.

    Handily, Vim has a --with-modified-by argument to add a line in that text, so use MAINTAINER. This is the distribution maintainer contact, by default it is OE-Core Developers <openembedded-core@lists.openembedded.org>.

    (From OE-Core rev: e630b404b1d1797be5e915592a6ef71e34aaf680)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit acc007e23445aa53182e13902dd9509c39dd5645)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: upgrade to 9.0.1403  (Ross Burton, 2023-03-25, 1 file, -4/+3)

    This incorporates fixes for CVE-2023-1127, CVE-2023-1170, CVE-2023-1175.

    Also remove runtime/doc/uganda.txt from the license checksum: the Vim license is also in the top-level LICENSE file so this is redundant.

    (From OE-Core rev: 9351cd3bf259260c17e7c99612b3c28d58a89bf3)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 71111e6b62d37c5e6853d7940dec2993df127a35)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libksba: fix CVE-2022-3515  (Chee Yang Lee, 2023-03-25, 2 files, -0/+48)

    (From OE-Core rev: 16d8176218230007dac98cd0d941da03a354e90c)

    Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: add missing pkgconfig inherit  (Ross Burton, 2023-03-15, 1 file, -1/+1)

    Vim uses pkgconfig to find dependencies but it wasn't present, so it silently doesn't enable features like GTK+ UI.

    [ YOCTO #15044 ]

    (From OE-Core rev: c84f0822e7cffc62e2f042bf9d2e424f85f74ecd)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 70900616298f5e70732a34e7406e585e323479ed)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code  (Vivek Kumbhar, 2023-03-15, 2 files, -0/+86)

    Remove branching that depends on secret data. Since the `ok` variable isn't used any more, we can remove all code used to calculate it.

    (From OE-Core rev: 5b8a3601ebff7a0cdfaa50d7a0b5e384a7e2514c)

    Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr-util: update 1.6.1 -> 1.6.3  (Alexander Kanavin, 2023-03-14, 2 files, -139/+2)

    Changes with APR-util 1.6.3

      *) Correct a packaging issue in 1.6.2. The contents of the release were correct, but the top level directory was misnamed.

    Changes with APR-util 1.6.2

      *) SECURITY: CVE-2022-25147 (cve.mitre.org)
         Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer.

      *) Teach configure how to find and build against MariaDB 10.2. PR 61517 [Kris Karas <bugs-a17 moonlit-rail.com>]

      *) apr_crypto_commoncrypto: Remove stray reference to -lcrypto that prevented commoncrypto being enabled. [Graham Leggett]

      *) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]

      *) apr_dbm_gdbm: Fix handling of error codes. This makes gdbm 1.14 work. apr_dbm_gdbm will now also return error codes starting with APR_OS_START_USEERR, as apr_dbm_berkleydb does, instead of always returning APR_EGENERAL. [Stefan Fritsch]

    Drop backport.

    (From OE-Core rev: 9eb027bebb19bfb0fb136169e865ca269890fa6f)

    Signed-off-by: Alexander Kanavin <alex@linutronix.de>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit dca707f9fecc805503e17f6db3e4c88069ac0125)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit 43cd36b178ebb602edd5919c26f8b8642736a3a8)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit e24b38a14b3520648ec418783fb74fcf61df7ff2)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr-util: Fix CFLAGS used in build  (Richard Purdie, 2023-03-14, 1 file, -0/+2)

    We need to use CFLAGS with the correct WORKDIR in them, replace those in the sysroot file with the ones appropriate to the current recipe.

    (From OE-Core rev: 92fb7261a1c7ebe6330832a9a71d1bed82c85a6a)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 45edf189961aff1858be9bb7b63116073c0a0c10)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr: update 1.7.0 -> 1.7.2  (Alexander Kanavin, 2023-03-14, 10 files, -320/+51)

    Changes for APR 1.7.2

      *) Correct a packaging issue in 1.7.1. The contents of the release were correct, but the top level directory was misnamed.

    Changes for APR 1.7.1

      *) SECURITY: CVE-2022-24963 (cve.mitre.org)
         Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.

      *) SECURITY: CVE-2022-28331 (cve.mitre.org)
         On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.

      *) SECURITY: CVE-2021-35940 (cve.mitre.org)
         Restore fix for out-of-bounds array dereference in apr_time_exp*() functions. (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and later 1.6.x releases, but was missing in 1.7.0.) [Stefan Sperling]

      *) configure: Fix various build issues for compilers enforcing strict C99 compliance. PR 66396, 66408, 66426. [Florian Weimer <fweimer redhat.com>, Sam James <sam gentoo.org>]

      *) apr_atomic_read64(): Fix non-atomic read on 32-bit Windows [Ivan Zhakov]

      *) configure: Prefer posix name-based shared memory over SysV IPC. [Jim Jagielski]

      *) configure: Add --disable-sctp argument to forcibly disable SCTP support, or --enable-sctp which fails if SCTP support is not detected. [Lubos Uhliarik <luhliari redhat.com>, Joe Orton]

      *) Fix handle leak in the Win32 apr_uid_current implementation. PR 61165. [Ivan Zhakov]

      *) Add error handling for lseek() failures in apr_file_write() and apr_file_writev(). [Joe Orton]

      *) Don't silently set APR_FOPEN_NOCLEANUP for apr_file_mktemp() created file to avoid a fd and inode leak when/if later passed to apr_file_setaside(). [Yann Ylavic]

      *) APR's configure script uses AC_TRY_RUN to detect whether the return type of strerror_r is int. When cross-compiling this defaults to no. This commit adds an AC_CACHE_CHECK so users who cross-compile APR may influence the outcome with a configure variable. [Sebastian Kemper <sebastian_ml gmx net>]

      *) Add a cache check with which users who cross-compile APR can influence the outcome of the /dev/zero test by setting the variable ac_cv_mmap__dev_zero=yes [Sebastian Kemper <sebastian_ml gmx net>]

      *) Trick autoconf into printing the correct default prefix in the help. [Stefan Fritsch]

      *) Don't try to use PROC_PTHREAD by default when cross compiling. [Yann Ylavic]

      *) Add the ability to cross compile APR. [Graham Leggett]

      *) While cross-compiling, the tools/gen_test_char could not be executed at build time, use AX_PROG_CC_FOR_BUILD to build native tools/gen_test_char
         Support explicit libtool by variable assigning before buildcheck.sh, it is helpful for cross-compiling (such as libtool=aarch64-linux-libtool) [Hongxu Jia <hongxu.jia windriver.com>]

      *) Avoid an overflow on 32 bit platforms. [René Hjortskov Nielsen <r... hjortskov.dk>]

      *) Use AC_CHECK_SIZEOF, so as to support cross compiling. PR 56053. [Mike Frysinger <vapier gentoo.org>]

      *) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]

      *) apr_pools: Fix pool debugging output so that creation events are always emitted before allocation events and subpool destruction events are emitted on pool clear/destroy for proper accounting. [Brane Čibej]

      *) apr_socket_listen: Allow larger listen backlog values on Windows 8+. [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]

      *) Fixed: apr_get_oslevel() was returning APR_WIN_XP on Windows 10

      *) Fix attempt to free invalid memory on exit when apr_app is used on Windows. [Ivan Zhakov]

      *) Fix double free on exit when apr_app is used on Windows. [Ivan Zhakov]

      *) Fix a regression in apr_stat() for root path on Windows. [Ivan Zhakov]

    Dropped patches have all been merged, addressed separately or are backports.

    (From OE-Core rev: 013633b9f4b7dff2616c6d2e59e4d8118e3ce51f)

    Signed-off-by: Alexander Kanavin <alex@linutronix.de>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 3ffae93f24bb1e3954b232099153fd059cfd7daf)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit a308e10ef4ad9e097b025f009866eae178259781)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr: Cache configure tests which use AC_TRY_RUN  (Khem Raj, 2023-03-14, 2 files, -2/+75)

    AC_TRY_RUN macro means the test needs to run to find the result and we are cross compiling so this will always get wrong results, this results in miscompiling apache2 on musl because it disables rlimit (ac_cv_struct_rlimit) wrongly.

    All these variables are determined with AC_TRY_RUN checks

    (From OE-Core rev: 104c9ddf7a5323e5193c611b98b3e7465157aecd)

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    (cherry picked from commit 504eb0ff1cae200ee85ec18ebae564cae9bf9c8c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr: Use correct strerror_r implementation based on libc type  (Khem Raj, 2023-03-14, 2 files, -0/+56)

    musl does not implement GNU extension of strerror_r but XSI compliant version, therefore add it via a packageconfig to set right variables during configure to cache the value.

    configure detection logic depends on runtime test which will always be wrong on cross compiles therefore backport a patch to make it possible to cache the needed configure variable.

    (From OE-Core rev: 993cfeaefa73e3b82cf15db78584e5f9b9f86ddf)

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit ded3d76a844dd1aef9ac610fbe506bf76285369b)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apr: Fix to work with autoconf 2.70  (Richard Purdie, 2023-03-14, 2 files, -0/+23)

    Fix an issue with autoconf 2.70 where duplicate macro includes caused configure failures.

    (From OE-Core rev: 41121149212b3684991a62261c17a45afd50bb83)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Ross Burton <ross.burton@arm.com>
    (cherry picked from commit 4e5d7c86a8a5e752df451d988861a86236e8c8ff)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs  (Alexander Kanavin, 2023-03-14, 1 file, -2/+2)

    (From OE-Core rev: ea88ec38aa0e42b8c45e300e69dae7c2f7a13299)

    Signed-off-by: Alexander Kanavin <alex@linutronix.de>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 6d77dbe499ee362b6e28902f1efcf52b961037a5)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* curl: fix CVE-2022-43552 Use-after-free triggered by an HTTP proxy deny response  (Hitendra Prajapati, 2023-03-14, 2 files, -0/+83)

    Upstream-Status: Backport from https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2

    (From OE-Core rev: e172a9d7dc92561e26b8ec7ff11d4c598dcaf5c8)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vim: upgrade 9.0.0947 -> 9.0.1211  (Randy MacLeod, 2023-02-13, 1 file, -2/+2)

    Includes fixes for:
    https://nvd.nist.gov/vuln/detail/CVE-2023-0049
    https://nvd.nist.gov/vuln/detail/CVE-2023-0051
    https://nvd.nist.gov/vuln/detail/CVE-2023-0054
    https://nvd.nist.gov/vuln/detail/CVE-2023-0288

    (From OE-Core rev: ac7c32ee2c3624052c2a22aa66758c4ab4d9f5c5)

    Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
    Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 1c51068c78d12ee02789a6dbecf5e7e91d141af5)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>