aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* php: Upgrade to 7.4.16dunfell-nextdunfellMingli Yu7 days3-187/+2
| | | | | | | | | | | | | License-Update: License updated (year updated) Fix some security issues such as CVE-2021-21702 and remove two cve patches which already included in the new version. Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e418ee4657e084c8b4d42aabf76ff6df99253e91) [Bug fix only updates plus: CVE-2020-7071 ] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: allow php as emptyChangqing Li7 days1-0/+2
| | | | | | | | | | | Since commit c4ffcaa2[php: split out phpdbg into a separate package], package php is empty, we might met error: nothing provides php needed by php-cli-7.4.9-r0.corei7_64 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9be6b4f5a2ec857475626c74457a94b8d9236fd5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: split out phpdbg into a separate packageDiego Santa Cruz7 days1-1/+2
| | | | | | | | | | | Since PHP 7.0 the phpdbg debugger is built by default and gets shipped in the main php package, increasing its size by several MB; split it out into a php-phpdbg package, following Debian naming. Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c4ffcaa2ab3fbdef1ce58c253b32d82a57a3e2a8) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: update to 3.2.15Armin Kuster8 days1-1/+1
| | | | | | | | | | | | | | | | | | | | | Source: Wireshark.org MR: 109612, 110462, 112069 Type: Security Fix Disposition: Backport from wireshark.org ChangeID: 40f9f8ac2431f32680d4817607badbbe44875260 Description: Bug fix only update: see: https://www.wireshark.org/docs/relnotes/wireshark-3.2.15.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.14.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.13.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.12.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.11.html includes: CVE-2021-22191, CVE-2021-22207, CVE-2021-22235 Signed-off-by: Armin Kuster <akuster@mvista.com>
* ostree: Do not check for meta-pythonNicolas Dechesne8 days1-1/+1
| | | | | | | | | | | | It is a (non trivial) cherry pick from (cherry picked from commit b9ede0cb182ab095c863a6a5154bbe259a33f5c0) python3-pyyaml was moved from meta-python to meta-oe, so that we could apply this specific patch which breaks basic YP compatible check script. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-{pyyaml,cython,pyparsing}: move from meta-python to meta-oeNicolas Dechesne8 days4-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | This specific statement in ostree recipe breaks the YP compatible status (yocto-check-layer): RDEPENDS_${PN}-ptest += " \ ... ${@bb.utils.contains('BBFILE_COLLECTIONS', 'meta-python', 'python3-pyyaml', '', d)} \ ... " Recently python3-pyyaml was moved to OE-core (0a8600f9cec0), and the ostree recipe was fixed with: b9ede0cb182a (python3-pyyaml: Do not check for meta-python) In dunfell, moving python3-pyyaml to OE-core is not a great idea, but moving it from meta-python to meta-oe allows us to fix ostree YP compatible issue. Since meta-python depends on meta-oe, it should not be a change with any visible effect. python3-cython and python3-pyparsing are collateral damages since they are dependency for python3-pyyaml, so needed to be moved too. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-jinja2: remove recipeNicolas Dechesne8 days2-46/+0
| | | | | | | | | | | | | It was moved to OE-core/dunfell in cc0f56a788c3 (python3-jinja2: Import from meta-oe/meta-python) However it was not removed from meta-oe, as such this recipe is now duplicated, for no good reason. Worse than that, the version in meta-oe and oe-core differ. OE-core has 2.11.3 and meta-oe is older with 2.11.2. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-markupsafe: remove recipeNicolas Dechesne8 days2-5/+0
| | | | | | | | | | | | It was moved to OE-core/dunfell in ec222f6af5f8 (python3-markupsafe: Import from meta-oe/meta-python) However it was not removed from meta-oe, as such this recipe is now duplicated, for no good reason. The version in meta-oe and oe-core match so, it's really a no-op. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libdevmapper,lvm2: Do not inherit licenseKhem Raj8 days1-3/+2
| | | | | | | | | | | | | | | inheriting license class which brings in AVAILABLE_LICENSES into do_configure task checksums class since it wants to enable thin-provisioning-tools if distro allows GPL-3 automatically, but this brings issues when other layers which have additional licenses are provided which ends up in signature mismatches so leave that setting to end-user and keep it disabled by default with a comment in recipes stating that if needed then the user should enable it via config metadata or bbappends. Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f592e81f11d455546447ddff35b2f89e18c0cc0c) Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ufw: backport patches, update RRECOMMENDS, python3 support, testsJate Sujjavanich9 days9-7/+18155
| | | | | | | | | | | | | | | | | Backport patches: using conntrack instead of state eliminating warning support setup.py build (python 3) adjust runtime tests to use daytime port (netbase changes) empty out IPT_MODULES (nf conntrack warning) check-requirements patch for python 3.8 Update, add patches for python 3 interpreter Add ufw-test package. Backport fixes for check-requirements script Update kernel RRECOMMENDS for linux-yocto 5.4 in dunfell For dunfell Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* hiawatha: fix url.Armin Kuster9 days1-1/+1
| | | | | | | | files moved under a new dir structure. ERROR: hiawatha-10.10-r0 do_fetch: Fetcher failure for URL: 'http://hiawatha-webserver.org/files/hiawatha-10.10.tar.gz'. Unable to fetch URL from any source. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: update to 10.4.20Armin Kuster12 days3-2/+2
| | | | | | | | | | | | | | | | | | Source: mariadb.org MR: 109670, 110757, 110768 Type: Security Fix Disposition: Backport from mariadb ChangeID: 82a82ba3623ff39ca17443d0117d36bcee73e612 Description: LTS version https://mariadb.com/kb/en/mariadb-10420-release-notes/ CVE-2021-2166: MariaDB 10.4.19 CVE-2021-2154: MariaDB 10.4.19 CVE-2021-27928: MariaDB 10.4.18 Signed-off-by: Armin kuster <akuster@mvista.com>
* vboxguestdrivers: add a fix for build failure with kernel 5.13Gianfranco14 days2-0/+277
| | | | | | | | | | | | Its already upstream and also used in Debian and Ubuntu Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d0f2d7c954b9f3befd9470d97de581fe5b1fb2a8) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 2e15d7eb66624c1755e8670f8c5448e3a9be0a21) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.20 -> 6.1.22Gianfranco14 days1-2/+2
| | | | | | | | | | | Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 319490178b999a74a82d092320de5d9d2e5c67bd) [Stable branch] Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 97a5a4b40c143f71c8bff403c51a061a0d5e8b6f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.18 -> 6.1.20Gianfranco14 days2-26/+2
| | | | | | | | | | | | | Drop all patches, now part of upstream codebase Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 37537bda8c4775ce1c390d1a9a5b2f5fab89bfc7) [Stable branch] Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 703daeb65f49c60636e835ad53fc354ca641ab3f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: Add __divmoddi4 builtin supportKhem Raj14 days2-0/+37
| | | | | | | | gcc 11 needs it on i686 Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 57f7692e8ef707535ffa1683aa711de442736ec1) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: Add patch proposed upstream to fix a build failure on i386Gianfranco14 days2-0/+24
| | | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 09eb0ad187fb14ac1bb83a5a8d1ac4e9e9fdb305) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.16 -> 6.1.18Gianfranco14 days4-491/+2
| | | | | | | | | | Drop kernel 5.10 build fixes patches, now part of upstream codebase Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f8f2331158b33436bd53142e0e1b4b94f78b37e6) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: fix build against kernel v5.10+Bruce Ashfield14 days4-0/+489
| | | | | | | | | | | | | We need to adjust the vboxguest drivers to build against kernels 5.10+. These are backports from the virtual box SVN repository and can be dropped in future uprevs. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 22eaac640f80df44108a5565127181c94645a032) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.14 -> 6.1.16Gianfranco Costamagna14 days1-2/+2
| | | | | | | | Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 7839164921ddb340a1bff322a1274c6022cb8565) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.12 -> 6.1.14 Drop kernel 5.8 compatibility ↵Gianfranco Costamagna14 days2-5049/+2
| | | | | | | | | | | patch, now part of upstream codebase Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1cd14bf12472970d75df3172a2b9b0dff71da655) [Stable branch] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: Fix build with kernel 5.8Khem Raj14 days6-303/+5047
| | | | | | | | | | | | Remove patches which are already covered in this new patch Fixes step1b: ERROR: modpost: "__get_vm_area_caller" [/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/vboxguestdrivers/6.1.12-r0/vboxguestdrivers-6.1.12/vboxguest/vboxguest.ko] undefined! step1b: ERROR: modpost: "map_kernel_range" [/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/vboxguestdrivers/6.1.12-r0/vboxguestdrivers-6.1.12/vboxguest/vboxguest.ko] undefined! Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5efb06176add13c4b8287c9972651dcac94adf79) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: fix failed to compile with kernel 5.8.0Hongxu Jia14 days5-1/+305
| | | | | | | | | | | | | | Backport patches from upstream [1] to fix the issue It also requires to apply a patch on 5.8 kernel [2] [1] https://www.virtualbox.org/ticket/19644 [2] https://www.virtualbox.org/raw-attachment/ticket/19644/local_patches Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9c10ed4baa95648b7735757121e3af8b0aeb8e06) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* vboxguestdrivers: upgrade 6.1.6 -> 6.1.12Gianfranco Costamagna14 days1-2/+2
| | | | | | | | | Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 21bc66202e18a7b214869e3654b8547ea0ea9cbd) [Stable branch] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: update to 12.7Armin kuster2021-07-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Source: MontaVista Software, LLC MR: 111582, 111965, 111974, 110084 Type: Security Fix Disposition: Backport from postgres.org ChangeID: f1e8c58bedd5dd60404e3a0eb120888ad83fdc42 Description: Bug fix only update. https://www.postgresql.org/docs/12/release-12-7.html LIC_FILES_CHKSUM changed do to yr update Includes these CVEs: CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 12.6: CVE-2021-3393 Signed-off-by: Armin kuster <akuster@mvista.com>
* sysprof: Enable sysprofd/libsysprof only when polkit in DISTRO_FEATURESKhem Raj2021-07-121-1/+3
| | | | | | | | | | | | | | | This change is cherry-picked from upstream/master. It fixes yocto-check-layer error: ERROR: Nothing PROVIDES 'polkit' (but /home/builder/src/base/meta-openembedded/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb DEPENDS on or otherwise requires it) polkit was skipped: missing required distro feature 'polkit' (not in DISTRO_FEATURES) ERROR: Required build target 'meta-world-pkgdata' has no buildable providers. Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Andreas Müller <schnitzeltony@gmail.com> Signed-off-by: akash hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tracker-miners: Check for commercial license to enable ffmpegKhem Raj2021-07-121-1/+1
| | | | | | | | | | | | | | | | This change is cherry-picked from upstream/master branch. This fixes below yocto-layer-check error: ERROR: Nothing PROVIDES 'ffmpeg' (but /home/builder/src/base/meta-openembedded/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb DEPENDS on or otherwise requires it) ffmpeg was skipped: because it has a restricted license 'commercial'. Which is not whitelisted in LICENSE_FLAGS_WHITELIST ERROR: Required build target 'meta-world-pkgdata' has no buildable providers. Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'tracker-miners', 'ffmpeg'] Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Andreas Müller <schnitzeltony@gmail.com> Signed-off-by: akash hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: add CVE-2006-5201 to allowlistMasaki Ambai2021-07-101-0/+3
| | | | | | | | | | | | CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris. Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 44113dcb5feea5522696d43d00909db41e5e6dbc) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit ace5cd9a8bb6ba0058caf8a148437820a9336b9c) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntp: fix ntpdate to wait for subprocessesAdrian Zaharia2021-07-101-0/+5
| | | | | | | | | | | | | | | | | | | When using systemd, ntpdate-sync script will start in background triggering the start of ntpd without actually exiting. This results in an bind error in ntpd startup. Add wait at the end of ntpdate script to ensure that when the ntpdate.service is marked as finished the oneshot script ntpdate-sync finished and unbind the ntp port Fixes #386 Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 73d5cd5e8d9d8a922b6a8a9d90adf0470a99314e) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f52ce99b468eff95b6e36caf41fb50808a26f8d5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 ↵Li Wang2021-07-106-0/+239
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2021-30641 CVE-2020-13950: Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service References: https://nvd.nist.gov/vuln/detail/CVE-2020-13950 Upstream patches: https://bugzilla.redhat.com/show_bug.cgi?id=1966738 https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b CVE-2020-35452: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow References: https://nvd.nist.gov/vuln/detail/CVE-2020-35452 Upstream patches: https://security-tracker.debian.org/tracker/CVE-2020-35452 https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b CVE-2021-26690: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service References: https://nvd.nist.gov/vuln/detail/CVE-2021-26690 Upstream patches: https://security-tracker.debian.org/tracker/CVE-2021-26690 https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8 CVE-2021-26691: In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow References: https://nvd.nist.gov/vuln/detail/CVE-2021-26691 Upstream patches: https://bugzilla.redhat.com/show_bug.cgi?id=1966732 https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b CVE-2021-30641: Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' References: https://nvd.nist.gov/vuln/detail/CVE-2021-30641 Upstream patches: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641 https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 70b1aa0a4cd4bfd08b6c8d36a76f9b7cf20d61a6) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: fix CVE-2021-23017Changqing Li2021-07-102-0/+47
| | | | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 82385049035a3a4a81b18af099d2131b46802965) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: add CVE-2016-4983 to allowlistkraj/dunfellArmin Kuster2021-07-061-0/+3
| | | | | | | | | | | | CVE-2016-4983 affects only postinstall script on specific distribution, so add it to allowlist. Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3613b50a84559ce771866cd1eef1141fa3e6d238) [mkcert.sh does mask 077 first] Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit d1fb027f894921ea02c984eb581ee1500c613470) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cyrus-sasl: add CVE-2020-8032 to allowlistito-yuichi@fujitsu.com2021-07-051-0/+3
| | | | | | | | | | | This affects only openSUSE, so add it to allowlist. Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 711e932b14de57a5f341124470b2f3f131615a25) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 26819375448077265cd4c9dbb88b6be08b899e3f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* add CVE-2011-2411 to allowlistSekine Shigeki2021-07-051-0/+4
| | | | | | | | | | | This affects only on HP NonStop Server, so add it to allowlist. Signed-off-by: Sekine Shigeki <sekine.shigeki@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bb4a4f0ff8d9926137cb152fd3f2808bd9f961ce) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit d614d160a10b3c5ac36702fbd433f98925a9aa8e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 2.2.23 -> 2.2.24Trevor Gamblin2021-07-052-9/+9
| | | | | | | | | | | | Version 2.2.24 contains a fix for CVE-2021-33571 and is the latest LTS release. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fa2d3338fb87a38a66d11735b876ce2320045b0d) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit c51e79dd854460c6f6949a187970d05362152e84) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 2.2.22 -> 2.2.23Trevor Gamblin2021-07-052-9/+9
| | | | | | | | | | | | | | | | 2.2.23 is a bugfix release: - Fixed a regression in Django 2.2.21 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path (#32718). Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit f07a8c1376fe9f5eb4fc0ddff8ca1a1b3c3f173b) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit b2716ef06a76854497de80c642bf7f63b07f7a6c) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 2.2.20 -> 2.2.22Trevor Gamblin2021-07-052-9/+9
| | | | | | | | | | | | Version 2.2.22 includes a fix for CVE-2021-32052. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit b26099fc156961ba252c3b6281f09799e91347ba) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f3758cb44486ce87c96b803efb2b5417a8e90708) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade to 2.2.20Chen Qi2021-07-053-300/+9
| | | | | | | | | | | | | | 2.2.x is LTS, so upgrade to latest release 2.2.20. This upgrade fixes several CVEs such as CVE-2021-3281. Also, CVE-2021-28658.patch is dropped as it's already in 2.2.20. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit e705d4932a57d0dc3a961fed73ae5ad2e0313429) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: fix CVE-2021-28658Stefan Ghinea2021-07-052-0/+291
| | | | | | | | | | | | | | | | | | | | In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. References: https://nvd.nist.gov/vuln/detail/CVE-2021-28658 Upstream patches: https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit aef354a0c29a4c6aad4ace53190b5573c78d881b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 2.2.13 -> 2.2.16Trevor Gamblin2021-07-052-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary of release notes from https://docs.djangoproject.com/en/2.2/releases/ 2.2.14 release notes: - Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation (#31654). 2.2.15 release notes: - Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie() (#31790). - Fixed crash when sending emails to addresses with display names longer than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (#31784). 2.2.16 release notes: - Fixed CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ - Fixed CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+ - Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked (#31866). - Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value (#31863). Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit eb69aad33fc06f06544589ec483f9b76464f6c5f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 2.2.7 -> 2.2.13Trevor Gamblin2021-07-052-9/+9
| | | | | | | | | | | | | Upgrade from 2.2.7 for: - Bugfixes, including CVE-2020-13254, CVE-2020-13596, many others; - Official support for Python 3.8 (as of Django 2.2.8) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8c4e201c6288e5fee7eef8f6eba576d4c426109c) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nss: Fix build on Centos 7Marek Vasut2021-06-061-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Centos 7 has glibc 2.18 and nss-native build fails due to implicit declaration of function putenv during build. This is because of the Feature Test Macro Requirements for glibc (see feature_test_macros(7)): putenv(): _XOPEN_SOURCE || /* Glibc since 2.19: */ _DEFAULT_SOURCE || /* Glibc versions <= 2.19: */ _SVID_SOURCE and because nss coreconf/Linux.mk only defines -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE So on such system with glibc 2.18, neither macro makes putenv() available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18 native build case. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Armin Kuster <akuster808@gmail.com> Cc: Armin Kuster <akuster@mvista.com> Cc: Khem Raj <raj.khem@gmail.com> Cc: Richard Purdie <richard.purdie@linuxfoundation.org> Cc: Ross Burton <ross.burton@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Add fixes for CVEs reported for dnsmasqSana Kazi2021-05-297-1/+1631
| | | | | | | | | | | | | | | | | | | | | | | | Applied single patch for below listed CVEs: CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25687 as they are fixed by single commit http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a Link: https://www.openwall.com/lists/oss-security/2021/01/19/1 Also, applied patch for below listed CVEs: CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 all CVEs applicable to v2.81 Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> [Refreshed patches] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ebtables: use bitbake optimization levelsMikko Rapeli2021-05-292-0/+20
| | | | | | | | | | | | | | Don't overwrite with O3 optimization. Reduces ebtables binary package size from 416241 to 412145 bytes, and enables further optimizations with e.g. -Os flags via bitbake distro wide settings. Only ebtables versions up to 2.0.10-4 and dunfell are affected. The version 2.0.11 from hardknott and master branch use system wide flags already. Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opencv: Add fix for CVE-2019-5063 and CVE-2019-5064akash.hadke2021-05-252-0/+79
| | | | | | | | | | | Added fix for below CVE's CVE-2019-5063 CVE-2019-5064 Link: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch Signed-off-by: akash hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* hostapd: fix building with CONFIG_TLS=internalAlexander Vickberg2021-05-222-0/+46
| | | | | | | | | | | The patch recently added for CVE-2021-30004 broke compilation with CONFIG_TLS=internal. This adds the necessary function to let it compile again. Signed-off-by: Alexander Vickberg <wickbergster@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d6ef4170747d6668fa940328334055eef3e1e1d6) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libsdl: Fix CVE-2019-13616wangmy2021-05-222-0/+28
| | | | | | | | | | | | | | | References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616 SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/97fefd050976bbbfca9608499f6a7d9fb86e70db] CVE: CVE-2019-13616 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* exiv2: Fix CVE-2021-29473wangmy2021-05-222-0/+22
| | | | | | | | | | | | | | | | | References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473 The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1587/commits/e6a0982f7cd9282052b6e3485a458d60629ffa0b] CVE: CVE-2021-29473 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a9aecd2c32fc8f238f62ef70813e032b6b52c2f2) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* exiv2: Fix CVE-2021-29470wangmy2021-05-222-0/+33
| | | | | | | | | | | | | | | | | References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470 The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1581/commits/6628a69c036df2aa036290e6cd71767c159c79ed] CVE: CVE-2021-29470 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bb1400efda77a7289ca20782172bfbe1f457f161) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* exiv2: Fix CVE-2021-29464wangmy2021-05-222-0/+73
| | | | | | | | | | | | | | | | | References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464 The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54] CVE: CVE-2021-29464 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8c9470bdfaa1d33347ffaf25b3e18d2163667e18) Signed-off-by: Armin Kuster <akuster808@gmail.com>