| Age | Commit message (Collapse) | Author |
|---|
|
(From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From meta-yocto rev: 9a1d9fd77e2dd2d324654755633e143ef7730dc5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9)
(From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Also include a patch to fix regression caused by it. See:
https://gitlab.com/federicomenaquintero/bzip2/issues/24
(From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)
(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.
(From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Currently, BAD_RECOMMENDATIONS on the opkg backed relies on editing the
opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to
deinstalled and pinned). This is brittle, and not consistent across the
different solver backends. Use new --add-ignore-recommends flag instead.
(From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc)
(From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85)
(From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760)
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To be used for BAD_RECOMMENDATIONS feature.
(From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de)
(From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd)
(From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e)
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport from opkg_0.4.0.bb]
Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The imp module is deprecated, port the code over to use importlib
as recently done for bb.utils as well.
(From OE-Core rev: f3ba6cee5927c7475c3dc47658fa0548aec52115)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use 4 spaces to replace a tab.
(From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: gnome.org
MR: 98802
Type: Security Fix
Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e
ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318
Description:
includes supporting patch.
Fixes CVE-2019-9633
(From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:
Fixes both CVE-2018-20815 and CVE-2019-9824
(From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591
(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)
Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as its in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes
compatibility with recent fedora/suse releases.
The difference is one is built with obsolete APIs enabled and one disabled.
We now ship both in uninative for compatibility regardless of which distro
a binary is built on.
(From OE-Core rev: 352ab80333096df92ef0f4cd331baea98e71aa21)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)
(From OE-Core rev: 16785ebdc50f38ef4bc30d477a6833bdd4b541d1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This includes libstdc++ changes from gcc 9.X.
It also switches uninative from bz2 to xz compression.
(From OE-Core rev: 0497623882da714cbe098a4281982b7f9ce6030f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: qemu.org
MR: 98382
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3
Description:
Fixes CVE-2019-12155
Affects: <= 4.0.0
(From OE-Core rev: 6045c57895cad301c5e3a94de740427343a08065)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: CUrl.org
MR: 98455
Type: Security Fix
Disposition: Backport from https://curl.haxx.se/
ChangeID: 86b094a440ea473b114764e8d64df8142d561609
Description:
Fixes CVE-2019-5435 CVE-2019-5436
(From OE-Core rev: 9d5a7dd654a17b67f5cd8a73145e5f5299bfebcc)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: http://git.savannah.gnu.org/cgit/wget.git
MR: 89341
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b
Description:
Fixes CVE-2019-5953
Affects: < 1.20.1
(From OE-Core rev: c897b862c6cfaa341cc6155b2c9d98ea7ad02884)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: glib-2.0
MR: 98443
Type: Security Fix
Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741
Description:
(From OE-Core rev: 71bfb9dfdc806e0e95f1302d0d6c3c751f03bb4b)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: tar.git
MR: 97928
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3
Description:
Affects tar < 1.32
fixes CVE-2019-9923
(From OE-Core rev: fc77edc8245ab90eee1f1e857f470b6842dc256f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: Qemu.org
MR: 97453
Type: Security Fix
Disposition: Backport from git.qemu.org/gemu.git
ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace
Description:
In the spirt of YP Compatible, sending change upstream.
fixes CVE CVE-2018-19489
Affect < = 4.0.0
(From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I goofed up the scissor line on the last attempt. Not sure how much it matters,
but here it is correct this time.
Here it is, updated to work with wpa-supplicant_2.6.bb.
-- >8 --
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=
When building root filesystems with any of the wpa_supplicant systemd
template service files enabled (current default is to have them disabled) the
systemd-native-fake script would not process the line:
Alias=multi-user.target.wants/wpa_supplicant@%i.service
appropriately due the the use of "%i."
According to the systemd documentation "WantedBy=foo.service in a service
bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in
the same file." However, this is not really the intended purpose of install
Aliases.
All lines of the form:
Alias=multi-user.target.wants/*%i.service
Were replaced with the following lines:
WantedBy=multi-user.target
(From OE-Core rev: d05e98cdccbe36be8906c31249adeb0f0bc13ac5)
Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: golang.org
MR: 97548,
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5
ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268
Description:
Bug fix updates only
https://golang.org/doc/devel/release.html#go1.11
Fixes:
Affects <= 1.11.6
CVE-2019-6486
CVE-2019-9741
(From OE-Core rev: 4e40da53851c550f1a38eff5737d4b69c8cd0afb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: OpenEmbedded.org
MR: 98328, 98329, 98330
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e
ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2
Description:
include:
CVE-2018-16873
CVE-2018-16874
CVE-2018-16875
Changes: https://golang.org/doc/devel/release.html#go1.11
(From OE-Core rev: 69964488112899371b7fd88b6e86e533d968b457)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.
(From OE-Core rev: 025cd45d4129266d34a919573c02a8504f092c1b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Go binaries were installed to ${libdir}/go/bin, and create symlink
in ${bindir}, while enabling multilib, libdir was extended (such as
/usr/lib64), but BASELIB was not (still /lib), so use
baselib (such as /lib64)) to replace
(From OE-Core rev: fca74928bf2002daf526ad8c1446c8d9ba891a78)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: OpenEmbedded.org
MR: 97538, 97543
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841
ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677
Description:
CVE-2018-19876 is a backport from upstream.
CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux.
(From OE-Core rev: 8b5e68afc9767d8b6b966503e9353cadafae9bfb)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Dropped CVE-2018-19876, not affected]
Issue was introduced in 1.15.8 by:
commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: OpenEmbedded.org
MR: 97351
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
ChangeID: fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
Description:
(From OE-Core rev: 85541b9ae8cff770e2c20a9132c0867a25d190c2)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CUPS 2.2.10 is a bug fix release that addresses issues in the scheduler, IPP Everywhere support, CUPS library, and USB printer support. Changes include:
CVE-2018-4300: Linux session cookies used a predictable random number seed.
The lpoptions command now works with IPP Everywhere printers that have not yet been added as local queues (Issue #5045)
Added USB quirk rules (Issue #5395, Issue #5443)
The generated PPD files for IPP Everywhere printers did not contain the cupsManualCopies keyword (Issue #5433)
Kerberos credentials might be truncated (Issue #5435)
The handling of MaxJobTime 0 did not match the documentation (Issue #5438)
Incorporated the page accounting changes from CUPS 2.3 (Issue #5439)
Fixed a bug adding a queue with the -E option (Issue #5440)
Fixed a crash bug when mapping PPD duplex options to IPP attributes (rdar://46183976)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: OpenEmbedded.org
MR: 97351
Type: Integration
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=ee57d79aec06e9b160cf2713636cda650ba68d5a
ChangeID: ee57d79aec06e9b160cf2713636cda650ba68d5a
Description:
The following patch is rebased.
0001-don-t-try-to-run-generated-binaries.patch
(From OE-Core rev: 3c76b6660fc21a987e960dedb2631dcd27b87d07)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CUPS 2.2.9 is a bug fix release that addresses issues in the scheduler,
IPP Everywhere support, CUPS library, and USB printer support. Changes include:
Localization changes (Issue #5348, Issue #5362, Issue #5408)
Documentation updates (Issue #5369)
The lpadmin command would create a non-working printer in some error cases
(Issue #5305)
The scheduler would crash if an empty AccessLog directive was specified
(Issue #5309)
Fixed a regression in the changes to ippValidateAttribute (Issue #5322,
Issue #5330)
Fixed a crash bug in the Epson dot matrix driver (Issue #5323)
Automatic debug logging of job errors did not work with systemd (Issue #5337)
The web interface did not list the IPP Everywhere "driver" (Issue #5338)
The IPP Everywhere "driver" now properly supports face-up printers
(Issue #5345)
Fixed some typos in the label printer drivers (Issue #5350)
Multi-file jobs could get stuck if the backend failed (Issue #5359,
Issue #5413)
The IPP Everywhere "driver" no longer does local filtering when printing to
a shared CUPS printer (Issue #5361)
The lpadmin command now correctly reports IPP errors when configuring an
IPP Everywhere printer (Issue #5370)
Fixed some memory leaks discovered by Coverity (Issue #5375)
The PPD compiler incorrectly terminated JCL options (Issue #5379)
The cupstestppd utility did not generate errors for missing/mismatched
CloseUI/JCLCloseUI keywords (Issue #5381)
The scheduler now reports the actual location of the log file (Issue #5398)
Added a USB quirk rule (Issue #5420)
The scheduler was being backgrounded on macOS, causing applications to spin
(rdar://40436080)
The scheduler did not validate that required initial request attributes were
in the operation group (rdar://41098178)
Authentication in the web interface did not work on macOS (rdar://41444473)
Fixed an issue with HTTP Digest authentication (rdar://41709086)
The scheduler could crash when job history was purged (rdar://42198057)
Dropped non-working RSS subscriptions UI from web interface templates.
Fixed a memory leak for some IPP (extension) syntaxes.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: https://github.com/file
MR: 97573, 97578, 97583, 97588
Type: Security Fix
Disposition: Backport from https://github.com/file/file
ChangeID: 159e532d518623f19ba777c8edc24d2dc7e3a4e9
Description:
CVE-2019-8905 is the same fix as CVE-2019-8907
Affects < 5.36.0
Fixes:
CVE-2019-8904
CVE-2019-8906
CVE-2019-8906
CVE-2019-8907
(From OE-Core rev: 3d7375eb2e459b891b4ba16c1fc486afbfecef2c)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: sqlite.org
MR: 97484, 97490
Type: Security Fix
Disposition: Backport from sqilte.org
ChangeID: c6105b5d3ce4fb2c0f38c3cab745b769d2df38f5
Description:
Affects < 3.26.0
fixes:
CVE-2018-20505
CVE-2018-20506
(From OE-Core rev: e2f9efdc93068bce00b07021aa447f0b8786f69d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: busybox.git
MR: 97332
Type: Security Fix
Disposition: Backport from busybox.git
ChangeID: ec203c79e7322de1ed5721d08b6f59b1eca67c7d
Description:
Affects < 1.30.0
Fixes:
CVE-2018-20679
CVE-2019-5747
(From OE-Core rev: 7db146abad6d2bbb7d7a549e7091412e0e494db2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: OpenEmbedded.org
MR: 98320, 98319
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6
ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd
Description:
Fixes:
CVE-2019-9948
CVE-2019-9636
CVE-2019-9940 is a dup of 9948 per python.org
CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067
(From OE-Core rev: e7bdff05da6075efc21c5ac9492b06e481e5a239)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Minor clean up for thud]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: Python.org
MR: 98220
Type: Security Fix & Integration
Disposition: Backport from python.org
ChangeID: 96fdd2dee9fe9317eb72584583ae0100c0be9eaa
Description:
Bug fix update per Python.org
https://www.python.org/downloads/release/python-2716/
drop backported patch
License-update: copyright years
Helps prepare Thud for 2.7 EOL support moving forward.
Update includes:
CVE-CVE-2019-5010
https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595
(From OE-Core rev: 592e7de7f5208940fbcfcad3371f93f8ce2ca738)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description:
Affects <= 0.175
Fixes:
CVE-2019-7146
CVE-2019-7149
CVE-2019-7150
(From OE-Core rev: ac5dca7dc68519b36aa976dfd25d8efa76af74ec)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 3103f407ff0c579c7e5887fd925d52d5c92c83f9)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There was a typo in the BBMULTICONFIG variable description.
It appeared as "BBMULTIFONFIG". I fixed it.
(From yocto-docs rev: 2ef4ab6d93ccb6208169db9757f9ca2c2551a6d2)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I accidently submitted this with a build error.
(From yocto-docs rev: 44b659aa7fa1dca96cb38cd272ea96e20b94aadb)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From yocto-docs rev: de86d2725fc70e5805727ad1eca1a4cebd14228d)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I ran fresh commands for several output examples where
repositories are cloned. I also dumped the really detailed
listing of the Raspberry Pi BSP. Rather, I provided a link
to the layer itself and sent the reader there to do their
own exploring.
(From yocto-docs rev: d6976296f237420cae7c9f157a4e3a868b0ac588)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I ran the examples against the latest poky repo to get updated
example output.
(From yocto-docs rev: c2b272f10b731e744f0ecddab6ad37dc13579dcf)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
poky.ent - updated variables
mega-manual.sed - updated release string
<manual>.xml - updated manual revision history tables
(From yocto-docs rev: 6fd8afecc73b6734f9beb02e7ae3cea4d1148177)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
new SRCREV
If the system had previously fetched a source repository for use by gitsm,
and then the SRCREV was updated and the new commit already existed, the system
would not re-evaluate the submodules and update them accordingly.
The cause of this issue was that need_update was being used, unmodified, from
the base git fetcher. It did not have any knowledge, nor did it care if we
were moving commits and needed to re-evaluate what was happening due to this
switch.
To fix the issue, during the download process we add all processed (by
gitsm) srcrevs to the git config file, as bitbake.srcrev. This allows us to
use a new need_update function that not only checks if the git commit is
present, but if we have previously processed this commit to ensure all of the
submodule components are also present.
This approach is used, instead of iterating over the submodules in need_update
to avoid a potential race condition that has affected us in the past. The
need_update is called only with the parent locking. Any time we need to dive
into the submodules, we need to lock, and unlock them, at each stage. This
opens the possibility of errors in either the code, or unintended race
conditions with rm_work.
This issue was discovered by William A. Kennington III <wak@google.com>. The
included test case was also written by him, and included unmodified.
(Bitbake rev: 4ce92f43eeac6a4bfd06e8567fa6891614b5b3b0)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Because we are trying to avoid network activity and use our own fetcher,
the system emulates the behavior of 'git submodule init'.
git submodule init uses the .gitmodules file, where typically the module
name and path are the same. However, in this case the module name and
path (in the tree) were different. i.e.:
[submodule "edgelet/hsm-sys/azure-iot-hsm-c/deps/azure-c-shared-utility"]
path = edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared
url = https://github.com/Azure/azure-c-shared-utility.git
Previously the code assumed the 'path' was both the checkout location
under .git/modules, as well as the path to extract the components. This
proved to be incorrect as the .git/modules path needs to match the submodule
'name'. This causes the components that were fetched to be initialized in
the wrong location, which later caused the 'git submodule update' process to
skip not properly initialized modules.
A test case was added for this specific case to ensure a regression does
not appear in the future.
(Bitbake rev: ffd7ed530a17d22df576d986ac78428a6979e79c)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Richard Purdie
Anuj Mittal
Ross Burton
Ovidiu Panait
Alejandro del Castillo
Robert Yang
Armin Kuster
Joshua DeWeese
Khem Raj
Hongxu Jia
Chen Qi
Armin Kuster
Martin Jansa
Scott Rifenbark
Mark Hatle