Age | Commit message (Collapse) | Author |
|
Fixes [YOCTO #15383]
This bug was introduced into upstream when fixing CVE-2022-29154. It was
later discovered and fixed upstream but this fix didn't make it into
poky yet.
The added patch is taken from upstreams git repository:
https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf
(From OE-Core rev: fb448f87c0b3906b91d453451083dc003ac94ebe)
Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
memory corruption when processing malformed terminfo data entries
loaded by setuid/setgid programs
CVE-2023-29491.patch change the --disable-root-environ configure option
behavior.
set --disable-root-environ in configuration options.
--disable-root-environ option with a few additional changes
to the code allows us to mitigate CVE-2023-29491 and avoid
other issues that involve the possibility of malicious use of
environment variables through setuid applications, and, therefore,
it was the fix chosen in order to resolve this vulnerability.
Reference:
https://ubuntu.com/security/CVE-2023-29491
https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1
(From OE-Core rev: 041433f0767ae9112f6a74a7d7c93ce9b411792c)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The original CVE-2023-29406.patch is not complete, causing docker
failures at runtime, backport a complementary fix from golang upstream.
(From OE-Core rev: bff621d5399e5ff2930d21f403bb2f274febd2e4)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
(From OE-Core rev: 1a25a8ebedf39f1a868fcf646684b2eeaa67301f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This CVE is related to Windows.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-47039
(From OE-Core rev: 970a0a64ce147970c7743411584c9bd1dc1ce414)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This CVE reports that apple had to upgrade curl because of other
already reported CVEs:
* CVE-2023-38039: not affected, introduced in 7.84.0
* CVE-2023-38545: patch already backported
* CVE-2023-38546: patch already backported
* CVE-2023-42915: reference to itself
(From OE-Core rev: 067740c834a98cd8f5cfff7f73418d18b8e1249a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
import/add local layer
(Bitbake rev: 7ce4107bf824b3e115b40558336de25f99af31f8)
Signed-off-by: Alassane Yattara <alassane.yattara@savoirfairelinux.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Backport a patch to fix
| ../git/util.cxx:1766:56: error: 'std::pointer_to_unary_function<_Arg, _Result> std::ptr_fun(_Result (*)(_Arg)) [with _Arg = int; _Result = int]' is deprecated: use 'std::function' instea
d [-Werror=deprecated-declarations]
| 1766 | std::not1(std::ptr_fun<int, int>(std::isspace))));
| | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
(From OE-Core rev: 18ae4fea4bf8681f9138d21124589918e336ff6b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b360d12203aafd8bf96433d11221a6ed910a11f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
In the case of a zero length string being returned by fgets(), the condition
checking for a trailing new line would perform a bad memory access outside
of `buf`. This might happen when line with a leading null byte is read.
Avoid this case by checking that the string has a length of at least one
byte.
Link: https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba
(From OE-Core rev: 32e3618891295cec1ee5d4195998aa97f93b2207)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Fix below CVE's
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409
(From OE-Core rev: 14ffb41e7a49a4c0076db9ec4449a97c0f143b67)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
(From OE-Core rev: a3fbe1156fccb3e60a183263a3bde5a8ef6725a8)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
(From OE-Core rev: a07cc0b6fa4a485f318fd2957e434b63f5907d7e)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
References:
https://ubuntu.com/security/CVE-2023-5981
(From OE-Core rev: 087b7c5d8363bcc6ae801d3ca18e6490e86a1381)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Backport https://sqlite.org/src/info/0e4e7a05c4204b47
(From OE-Core rev: 2a418c0a55d0d4e9a70a41c9a7cfea97ec0edee9)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
OS command injection might occur if a user name or host name has shell
metacharacters, and this name is referenced by an expansion token in
certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.
This patch fixes the above issue
Link: http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.11.debian.tar.xz
Link: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
(From OE-Core rev: a0561ca36bd3be8f44d11908caaf8c9ce5f69032)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Running 'bitbake-layers layerindex-show-depends meta-filesystems' fails with:
```
Traceback (most recent call last):
File "<...>/poky/bitbake/bin/bitbake-layers", line 93, in <module>
ret = main()
File "<...>/poky/bitbake/bin/bitbake-layers", line 86, in main
return args.func(args)
File "<...>/poky/bitbake/lib/bblayers/layerindex.py", line 209, in do_layerindex_show_depends
self.do_layerindex_fetch(args)
File "<...>/poky/bitbake/lib/bblayers/layerindex.py", line 182, in do_layerindex_fetch
args.shallow)
AttributeError: 'Namespace' object has no attribute 'shallow'
```
Initialize the shallow attribute to fix it.
(Bitbake rev: 146cd25252ef065d09df0980b7dc670cb7e7b109)
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
(From OE-Core rev: 82e67bd9c77f0c5cbb652ca91071b9e57bdcfb33)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
(From meta-yocto rev: 11fa082996c6c9e95b2f31eabaf22bc7167fe370)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
(From yocto-docs rev: b56d349ae7cabf7d84d5dbde3751d93ab2f11747)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
insserv.bbclass was removed from oe-core:
commit e6bb5dbb62257a7de730ea9085dfd89520f3e47d
Author: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Sun May 10 12:30:49 2015 +0100
insserv: Remove
(From yocto-docs rev: 383fbedb057ffb28dddf201995ae622ce7b7eff5)
Signed-off-by: Maxin John <maxin.john@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The yocto website has changed its structure. Update the section for
Accessing the Downloads page to match the new structure.
(From yocto-docs rev: f9a3b59c130d498c02dfdc016958c92ac74737a7)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
(From OE-Core rev: ff66998ef81dbc35465e30eec96ee9be51f5da80)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Updated 0012-fix-libcap-header-issue-on-some-distro.patch to resolve
patch fuzz caused by the CVE-2023-2861 patch
Upstream-Status: Backport
[https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b
&
https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]
(From OE-Core rev: cede843cdd1d1a83b2d616086aa69a2b584f9442)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This CVE is for iCPE cloudflare:zlib.
Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
(From OE-Core rev: 5dc87309639e78195eb1283afc193f6eac63b044)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).
(From OE-Core rev: 03b766e42beb42a2085285308acbcf941f346b06)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
& https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
(From OE-Core rev: f5eff24d386215e5b5aee5c3261f5602b47c7f02)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]
(From OE-Core rev: 20e1d10a3ebefc8c5237c065c25eba4182d22efd)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
According to currently active workers
https://autobuilder.yoctoproject.org/typhoon/#/workers
and to the "workers_prev_releases" definition
in https://git.yoctoproject.org/yocto-autobuilder2/tree/config.py
Also correct the text saying that SANITY_TESTED_DISTROS
lists currently tested distros.
Also replace AlmaLinux 8.8 and 9.2 by just AlmaLinux 8 and 9,
as we update our workers anyway.
(From yocto-docs rev: db466a25a3cf8dfb660f65c12573265a702d0d8f)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
License-Update: additional firmwares
(From OE-Core rev: b3dd6852c0d6b8aa9b36377d7024ac95062e8098)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7c725d1f2ed9a271d39d899ac2534558c2d103fc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Sometimes NVD servers are unstable and return too many errors.
There is an option to have higher fetch attempts to increase the chances
of successfully fetching the CVE data.
Additionally, it also makes sense to progressively increase the delay
after a failed request to an already unstable or busy server.
The increase in delay is reset after every successful request and
the maximum delay is limited to 30 seconds.
Also, the logs are improved to give more clarity.
(From OE-Core rev: 9e03b7a9879fd16e32f4eccb78b438f6fa9db74d)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7101d654635b707e56b0dbae8c2146b312d211ea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
As per NVD, the public rate limit is 5 requests in 30s (6s delay).
Using an API key increases the limit to 50 requests in 30s (0.6s delay).
However, NVD still recommends sleeping for several seconds so that the
other legitimate requests are serviced without denial or interruption.
Keeping the default sleep at 6 seconds and 2 seconds with an API key.
For failures, the wait time is unchanged (6 seconds).
Reference: https://nvd.nist.gov/developers/start-here#RateLimits
(From OE-Core rev: eb5ab00be33a503205401541e88c32ba9da1d75c)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 5c32e2941d1dc3d04a799a1b7cbd275c1ccc9e79)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Sometimes NVD servers are unstable and return too many errors.
Last time we increased number of attempts from 3 to 5, but
further increasing is not reasonable as in normal case
too many retries is just abusive.
Keep retries low as default and allow to increase as needed.
(From OE-Core rev: ee2a6ade703317d09f7df60ef7ce300d8f868f54)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b6fd8043d83b99000054ab6ad2c745d07c6bcc1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This variable is not referenced in oe-core anymore.
(From OE-Core rev: 70676801f1f8fe498ff34fc1db72b6a3bf438d4a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 905b45a814cb33327503b793741c19b44c8550b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
(From OE-Core rev: 3ea36d92800b139eaaf75995cdd59912b63db9ee)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2956b1aa22129951b8c08ac06ff1ffd66811a26c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link: https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e
(From OE-Core rev: df9e2d40c52b752940de61388997e485da56de0c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326
(From OE-Core rev: 5b55648f3142762c9563289c1b19aa3b7de27164)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
With python 3.8 and 3.9, we see intermittent errors of:
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted (core dumped)
which seem related to:
https://stackoverflow.com/questions/64797838/libgcc-s-so-1-must-be-installed-for-pthread-cancel-to-work
https://bugs.ams1.psf.io/issue42888
These tend to occur on debian 11 and ubuntu 20.04.
Workaround this by ensuring libgcc is preloaded in all cases.
(Bitbake rev: 36959b25c64044dd4bca65bd1bb1243823d51545)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
A recipe variable handles its dependencies even on the "contains"
variables within the "inline Python expressions" like bb.utils.filter().
And it also handles those in the append operator correctly, but the
problem is that it does not so in the remove operator.
Fix it by adding the missing dependencies every time the remove
operator has been handled.
Also add a test case to check if the override operators handle
dependencies correctly.
(Bitbake rev: 48799c68b69b7921c809e0fc970303866643eb2a)
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cherry-picked from master: b90520eedb1dbc7f6a3928d089fe74fafb864eb5
- Conflicts in data.py are resolved as the master branch moved
handle_contains() and handle_remove() out of the try block
and added the 3rd argument, "exclusions", to handle_contains().
- The test code in codeparser.py are modified as the master branch
added three more arguments to the build_dependencies().
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The target_dumper code is basically broken. It has been reading binary files
over the text base serial communication and runs at every command failure which
makes no sense. Each run might overwrite files from the previous run and the
output appears corrupted due to confusion from the binary data.
It isn't possible to cherry-pick "testimage: Drop target_dumper and most of monitor_dumper"
from master, so just make target_dumper and host_dumper empty functions.
For further details see:
https://lists.openembedded.org/g/openembedded-architecture/message/1888
(From OE-Core rev: 94e9019d2f170a26206c2774381a1d183313ecaa)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport from https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
(From OE-Core rev: 1df2bdf370346dac70451159adf1ae85d1a2dacd)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
import patches from ubuntu to fix
CVE-2023-48795
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu%2Ffocal-security
Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
Reference: https://ubuntu.com/security/CVE-2023-48795
(From OE-Core rev: 4026a1cc3aa242a80c306b34b030f05d41b55dda)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Fix below CVE's
CVE-2022-47007
CVE-2022-47008
CVE-2022-47010
CVE-2022-47011
CVE-2022-48063
CVE-2022-47695
(From OE-Core rev: 873163936937a583278e3cd97c6226935f2faa0c)
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
(From OE-Core rev: 9b2cd2d5e0dac297b3a1779e6720e0ee2a3de168)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
import patch from ubuntu
http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz
upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57
(From OE-Core rev: 7bf11847b18d2f9a7e5467d686af817cb504b206)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
wtmp is filled with binary data which the run_serial command can't cope with.
Catting this results in confusion of the serial interface and potentially large
backlogs of data in the buffers which can hang qemu.
Exclude the problematic files from the command.
(From OE-Core rev: 05d9f9c6b27c0216fa4e349109ef42cf91bb4084)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 599ac08a6f6fb3f6a89a897c8e06367c63c2f979)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
(From OE-Core rev: 29c182375d91806d1e802b026f84b24e7c5d4b35)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
flac_buffer_copy
Upstream-Status: Backport from https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc
(From OE-Core rev: d922a288f79834d8f1120a4454b97803290e5c36)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
import patch from ubuntu to fix CVE-2023-25584
http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz
upstream patch :
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44
(From OE-Core rev: 8eff0e0ce44c60efcf6bec083d5794313f3ac4ad)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
import patch from ubuntu
http://archive.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.30.0-9ubuntu0.5.debian.tar.xz
fix:
CVE-2023-31484
CVE-2023-47038
CVE-2023-47100
as per https://ubuntu.com/security/CVE-2023-47100 ,
CVE-2023-47100 is duplicate of CVE-2023-47038.
perl import entire CPAN in single commit,
hence backport fix from their upstream cpan instead.
(From OE-Core rev: 74861848ba0d3ba920ef54f016240807ba42682a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Add patch to fix CVE-2023-4813
Link: https://security-tracker.debian.org/tracker/CVE-2023-4813
(From OE-Core rev: d735b2a94091f9a4a91917c73bd73d9ce4a31e3e)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Poonam Jadhav <ppjadhav456@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|