aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* flatbuffers: adapt for cross-compilation environmentsdunfell-nextIvan Stepic2022-11-251-1/+6
| | | | | | | | | | | | | | | | | | | | | | Flatbuffers contains a library and a schema compiler. The package contains cmake files to discover the libraries and the compiler tool. Currently, all of these cmake files are installed into the target sysroot. However, the compiler utility isn't installed into the sysroot (as it is not runnable on the build machine). When an application that depends on flatbuffers gets built, it uses flatbuffers' exported cmake targets to configure the project. One of the exported targets is FlatcTarget.cmake which expects to see flatc binary in /usr/bin of the sysroot. Since binaries for target don't end up in target sysroot, cmake configuration fails. This patch addresses this problem of flatbuffers' build infrastructure in cross-compiling environments. By removing FlatcTarget.cmake for target builds from the sysroot we essentially skip this step of flatbuffers' configuration. Signed-off-by: Ivan Stepic <Ivan.Stepic@bmw.de> Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
* ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3Omkar Patil2022-11-251-1/+1
| | | | | | | | | | | Changes: Rejected zero-sized runs Avoided merging runlists with no runs Fix CVE-2022-40284 Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ↵Hitendra Prajapati2022-11-252-1/+322
| | | | | | | | | ngx_http_mp4_module Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Fix CVE-2022-40617Ranjitsinh Rathod2022-11-252-0/+211
| | | | | | | | | | | | | Add a patch to fix CVE-2022-40617 issue which allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools)dunfellColin Finck2022-10-305-93/+25
| | | | | | | | | | | | Quoting Jason A. Donenfeld on IRC: <zx2c4> Colin_Finck: you should never, ever use old versions <zx2c4> Notice that neither the major nor minor version numbers change <zx2c4> Use the latest versions on your LTS With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* networkmanager: Update to 1.22.16Mathieu Dubois-Briand2022-10-301-1/+2
| | | | | | | | Update network manager stable branch to last version, allowing to fix CVE-2020-10754. Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relayHitendra Prajapati2022-10-302-0/+189
| | | | | | | | | | | | Source: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git MR: 121726 Type: Security Fix Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39 ChangeID: be554ef6ebedd7148404ea3cc280f2e42e17dc8c Description: CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
* postgresql: CVE-2022-1552 Autovacuum, REINDEX, and others omit "security ↵Hitendra Prajapati2022-10-302-0/+948
| | | | | | | | | | | | | | restricted operation" sandbox Source: https://git.postgresql.org/gitweb/?p=postgresql.git; MR: 121822 Type: Security Fix Disposition: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa ChangeID: 5011e2e09f30f76fc27dc4cb5fa98a504d1aaec9 Description: CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
* c-ares: upgrade 1.17.2 -> 1.18.1wangmy2022-09-111-1/+1
| | | | | | | | | | | | | | | | | | c-ares version 1.18.1 - Oct 27 2021 Bug fixes: ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 adddresses rather than the sizeof(struct sockaddr_in6) Conflicts: meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e251d7b827d63277a36f1b8094d992303329b866) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* c-ares: remove custom patchesSinan Kaya2022-09-113-108/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Current patch is breaking the library dependencies added by cmake especially when you are static linking. Applications need the ws2_32 library to be linked for mingw32 and with the existing patch this is not getting passed to the users. Current patch seems to address this issue: https://github.com/c-ares/c-ares/issues/373 Both issues are resolved in 1.17.2: 1.17.2-r0/git $ find . | grep c-ares-config.cmake.in ./c-ares-config.cmake.in 1.17.2-r0/git $ find . | grep libcares.pc.cmake ./libcares.pc.cmake Conflicts: meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 621bdc1993d2e8da08b9b240043dc13481cd644f) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* c-ares: upgrade 1.17.1 -> 1.17.2wangmy2022-09-111-8/+5
| | | | | | | | | | | | Conflicts: meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c49173b09c998bb3893ae873f68823647f1a7e18) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* c-ares: Upgrade to 1.17.1 releaseKhem Raj2022-09-112-19/+12
| | | | | | | | | | | | | | | | | | Forward port cmake-install-libcares.pc.patch, drop the need to install pkgconfig files as its already being done by main Makefile Signed-off-by: Khem Raj <raj.khem@gmail.com> Forward port cmake-install-libcares.pc.patch, drop the need to install pkgconfig files as its already being done by main Makefile Conflicts: meta-oe/recipes-support/c-ares/c-ares_1.17.1.bb Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b65f2904191b8d309b3971d4e65c5e1701156b1c) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* Revert "c-ares: Add fix for CVE-2021-3672"Armin Kuster2022-09-113-207/+0
| | | | | | | | | This reverts commit b06724bc274f751004ade2ceeddfb8ec40d93f16. Revert this CVE fix as we upgrade c-ares to 1.18.1 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.vom>
* cryptsetup: upgrade 2.3.2 -> 2.3.7Yi Zhao2022-09-111-2/+2
| | | | | | | | | | | | | | Stable security bug-fix release that fixes CVE-2021-4122. ReleaseNotes: https://kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 5dca16b451abf80b1bfacfc533daf447ff4dad7c) This is just the rename and SRC_URI hash updates made to apply to dunfell. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
* nodejs: Upgrade to 12.22.12Ranjitsinh Rathod2022-09-112-3093/+2
| | | | | | | | | | | | | | As per the below release note, it should be a last release for 12.x stable LTS series. Link: https://github.com/nodejs/node/releases/tag/v12.22.12 Remove CVE-2021-44532 fix as it already available in this release v12.22.12 License-Update: src/gtest additional file in the LICENSE Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
* python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to ↵Hitendra Prajapati2022-09-112-0/+96
| | | | | | | | | | | | | | cause a denial of service Source: https://github.com/lxml/lxml MR: 119399 Type: Security Fix Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777 Description: CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
* meta-oe: Add leading whitespace for append operatorKhem Raj2022-08-026-7/+7
| | | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 92441f9d6a958c245a03f89ec44ef2c17dd6b0ee) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* bigbuckbunny-1080p: update SRC_URIArmin Kuster2022-08-021-1/+1
| | | | | | | fixes: ERROR: bigbuckbunny-1080p-1.0-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi') Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntfs-3g-ntfsprogs: upgrade to 2022.5.17Chen Qi2022-08-021-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upgrade from 2021.8.22 to 2022.5.17. This upgrade mainly include CVE fixes. According to https://github.com/tuxera/ntfs-3g/releases: """ Changelog: * Improved defence against maliciously tampered NTFS partitions * Improved defence against improper use of options * Updated the documentation """ Fixed CVE's: CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789 Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 35a51898e7a89fe65fef877a1016e751eea748db) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntfs-3g-ntfsprogs: upgrade to 2021.8.22Chen Qi2022-07-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This upgrade revolves a bunch of CVEs. See more details in: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp. Fixed CVE's: CVE-2021-33285 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263 Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6791dc536444a1dd0f473653501ba43fc84704f2) Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an ↵Hitendra Prajapati2022-07-162-0/+84
| | | | | | | | | | | | | | | attacker to execute arbitrary SQL commands Source: https://github.com/cyrusimap/cyrus-sasl MR: 118501 Type: Security Fix Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.cHitendra Prajapati2022-07-162-1/+85
| | | | | | | | | | | | | Source: https://github.com/ThomasDickey/xterm-snapshots/ MR: 115675 Type: Security Fix Disposition: Backport from https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d ChangeID: 6ad000b744527ae863187b570714792fc29467d9 Description: CVE-2022-24130 xterm: Buffer overflow in set_sixel in graphics_sixel.c. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openldap: CVE-2022-29155 OpenLDAP SQL injectionHitendra Prajapati2022-07-162-1/+278
| | | | | | | | | | | | | Source: https://git.openldap.org/openldap/openldap MR: 117821 Type: Security Fix Disposition: Backport from https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134 ChangeID: d534808c796600ca5994bcda28938d45405bc7b4 Description: CVE-2022-29155 openldap: OpenLDAP SQL injection Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g"Akash Hadke2022-07-161-0/+2
| | | | | | | | | | | | | | Set CVE_PRODUCT to 'tuxera:ntfs-3g' for ntfs-3g-ntfsprogs recipe, cve-check class is setting default CVE_PRODUCT to 'ntfs-3g-ntfsprogs' which ignores the ntfs-3g-ntfsprogs CVEs from NVD Database. Reference: CVE-2019-9755 Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9755 Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: move to version v7.4.28Jeroen Hofstee2022-06-151-1/+1
| | | | | | | | CVE: CVE-2021-21703 CVE-2021-21706 CVE-2021-21707 CVE-2021-21708 Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com> [Didn't apply cleanly, corrected.] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* iperf: Set CVE_PRODUCT to "iperf_project:iperf"Akash Hadke2022-06-152-0/+4
| | | | | | | | | | | | | | | Set CVE_PRODUCT as 'iperf_project:iperf' for iperf2 and iperf3 recipes, cve-check class is setting default CVE_PRODUCT to 'iperf2' and 'iperf3' respectively which ignores the iperf CVEs from NVD Database. Reference: CVE-2016-4303 Link: https://nvd.nist.gov/vuln/detail/CVE-2016-4303 Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* grpc: switch from master branch to main for upbMartin Jansa2022-06-151-1/+1
| | | | | | | | | | | | * hardknott and newer branches don't need this as upb repo was removed in: commit 15cff67fd6cdb34e3621368fe9ce94a98356f27a Author: Anatol Belski <anbelski@linux.microsoft.com> Date: Fri Feb 19 12:39:55 2021 +0000 grpc: Upgrade 1.24.3 -> 1.35.0 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* leveldb: switch from master branch to mainMartin Jansa2022-06-151-1/+1
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* bridge-utils: Switch to use the main branchMingli Yu2022-06-151-1/+1
| | | | | | | | | Fix the below do_fetch warning: WARNING: bridge-utils-1.7-r0 do_fetch: Failed to fetch URL git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git, attempting MIRRORS if available Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tesseract-lang: switch from master branch to mainMartin Jansa2022-06-151-1/+1
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-matplotlib: add missing dependencyAdrian Fiergolski2022-06-151-0/+1
| | | | | | | | | | | | | | | In order to fix the dependency issue on PIL module, python3-pillow is required. Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d4e70a19600bee178d81b467dd9e118cbf057f65) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit fcc7d7eae82be4c180f2e8fa3db90a8ab3be07b7) [fixup for honister context] Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 44c394f3cbdce8c7297af01c0f5ee030e1e3dacd) [fixup for dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: update to 10.4.25Armin Kuster2022-06-053-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Source: mariadb.org MR: 117530, 117522, 117514, 117506, 117497, 117489, 117481, 117473, 117465, 117457, 117449, 117380, 117364, 117356, 117336, 117212, 117204, 117196, 117180, 117188, 117169, 117161, 117441, 117372 Type: Security Fix Disposition: Backport from mariagdb.org ChangeID: 8bf787570ebe8503d2974af92e17b505e70440e5 Description: LTS version, bug fix only. Include these CVES: CVE-2022-27458 CVE-2022-27457 CVE-2022-27456 CVE-2022-27455 CVE-2022-27452 CVE-2022-27451 CVE-2022-27449 CVE-2022-27448 CVE-2022-27447 CVE-2022-27446 CVE-2022-27445 CVE-2022-27444 CVE-2022-27387 CVE-2022-27386 CVE-2022-27385 CVE-2022-27384 CVE-2022-27383 CVE-2022-27382 CVE-2022-27381 CVE-2022-27380 CVE-2022-27379 CVE-2022-27378 CVE-2022-27377 CVE-2022-27376 Signed-off-by: Armin Kuster <akuster@mvista.com>
* tcpdump: Add fix for CVE-2018-16301Riyaz Ahmed Khan2022-05-252-0/+112
| | | | | | | | | | | | | Add patch for CVE issue: CVE-2018-16301 Link: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Upstream-Status: Pending Issue: MGUBSYS-5370 Change-Id: I2aac084e61ba9d71ae614a97b4924eaa60328b79 Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opencl-headers: switch to main branchJulien STEPHAN2022-05-251-1/+1
| | | | | | | master branch was renamed main on upstream project, so update the URI Signed-off-by: Julien STEPHAN <jstephan@baylibre.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fuse: set CVE_PRODUCT to "fuse_project:fuse"Mikko Rapeli2022-05-252-0/+4
| | | | | | | | | | | | | | Other products like "RedHat:fuse" introduce false CVE findings like: https://nvd.nist.gov/vuln/detail/CVE-2018-10906 https://nvd.nist.gov/vuln/detail/CVE-2019-14860 https://nvd.nist.gov/vuln/detail/CVE-2020-25689 Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit fd7dc3487134aae50382c651996077ee1d109060) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opencl-icd-loader: switch to main branchJulien STEPHAN2022-05-251-1/+1
| | | | | | | master branch was renamed main, so update the URI Signed-off-by: Julien STEPHAN <jstephan@baylibre.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239Sana Kazi2022-05-251-0/+14
| | | | | | | | | | | | | | | | | Whitelist CVE-2020-27844 as it is introduced by https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 but the contents of this patch is not present in openjpeg_2.3.1 Link: https://security-tracker.debian.org/tracker/CVE-2020-27844 Whitelist CVE-2015-1239 as the CVE description clearly states that j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. Hence, CVE-2015-1239 does not affect openjpeg_2.3.1. Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ostree: prevent ostree-native depending on target virtual/kernel to provide ↵Martin Jansa2022-05-251-1/+1
| | | | | | | kernel-module-overlay Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-cryptography: backport 3 changes to fix CVE-2020-36242Martin Jansa2022-05-254-0/+182
| | | | | | | | | | | * backport the actual code change from https://github.com/pyca/cryptography/pull/5747 without the docs and CI changes (which aren't applicable on old 2.8 version) and backport 2 older changes to make this fix applicable on 2.8. Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lua: fix CVE-2022-28805Steve Sakoman2022-05-253-0/+102
| | | | | | | | | | | | | | | | | | singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. https://nvd.nist.gov/vuln/detail/CVE-2022-28805 (From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) Signed-off-by: Sana Kazi <sana.kazi@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* atftp: Add fix for CVE-2021-41054 and CVE-2021-46671Ranjitsinh Rathod2022-05-253-0/+161
| | | | | | | | | | Add patches to fix CVE-2021-41054 and CVE-2021-46671 issues Link: https://nvd.nist.gov/vuln/detail/CVE-2021-41054 Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46671 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: Fix build on riscvKhem Raj2022-04-192-0/+39
| | | | | | | | | Remove duplicate code Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit aa22894fa352986a62c4530ad8facd8868b2e535) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mongodb: Pass OBJCOPY to scons so it does not use it from hostKhem Raj2022-04-181-0/+2
| | | | | | | | | | | | Fixes objcopy: Unable to recognise the format of the input file `build/opt/mongo/mongos' Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Vincent Prince <vincent.prince.fr@gmail.com.com> (cherry picked from commit e91940073af4e19cd18a09cd12aa381ff60fe54b) [Fix up for Dunfell context: also fixes Please add a conforming MONGO_VERSION=x.y.z[-extra] as an argument to SCons] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Mariadb: update to 10.4.24Armin Kuster2022-04-185-109/+2
| | | | | | | | | | | | | | | | | | | | | | | Source: Mariadb.org MR: 115460, 115507, 1115549, 115549, 115488 Type: Security Fix Disposition: Backport from mariadb.org ChangeID: 722782cefa6805e907ee377a340f1b8bec174079 Description: Bug fix only update, includes these CVES: CVE-2021-46665 CVE-2021-46664 CVE-2021-46661 CVE-2021-46668 CVE-2021-46663 For more information see: https://mariadb.com/kb/en/mariadb-10424-release-notes/ drop mariadb/c11_atomics.patch as its include in the update. drop mariadb/clang_version_header_conflict.patch different fix applied Signed-off-by: Armin Kuster <akuster@mvista.com>
* apache2: upgrade 2.4.52 -> 2.4.53Yi Zhao2022-04-1811-66/+63
| | | | | | | | | | | | | | | | | | | | | | | | | Source: meta-openembedded MR: 117176, 116633 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?id=81bbe65791459538ab578ac13e612f7dc6f692f0 ChangeID: 5b86888b06765a3b5aa7ff301da4f8b87f2dd154 Description: ChangeLog: https://downloads.apache.org/httpd/CHANGES_2.4.53 Security fixes: CVE-2022-23943 CVE-2022-22721 CVE-2022-22720 CVE-2022-22719 Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-urllib3: Fix CVE-2020-26137 and CVE-2021-33503Ranjitsinh Rathod2022-04-183-2/+143
| | | | | | | | | | | | | | | Add patch to fix CVE-2020-26137 Link: https://ubuntu.com/security/CVE-2020-26137 Link: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch Add patch to fix CVE-2021-33503 Link: https://ubuntu.com/security/CVE-2021-33503 Link: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch Signed-off-by: Nikhil R <nikhil.r@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* polkit: fix overlapping changes in recent CVE patchesRalph Siemsen2022-04-182-33/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 17e931e77 ("polkit: fix CVE-2021-3560") contains - upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Commit 67ec3e049 ("polkit: Fix for CVE-2021-4115") contains both: - upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 (CVE-2021-3560) - upstream commit 41cb093f554da8772362654a128a84dd8a5542a7 (CVE-2021-4115) Thus the fix for CVE-2021-3560 is applied twice, resulting in warnings during do_patch. Curiously it neither fails nor complains about patch already applied. Also devtool silently discards the duplicate patch. Drop the duplicate patch, to resolve following warnings: WARNING: polkit-0.116-r0 do_patch: Fuzz detected: Applying patch 0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch patching file src/polkit/polkitsystembusname.c Hunk #1 succeeded at 438 with fuzz 2 (offset 3 lines). Applying patch CVE-2021-4115.patch patching file src/polkit/polkitsystembusname.c Hunk #4 succeeded at 439 with fuzz 2. Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* multipath-tools: update SRC_URIMinjae Kim2022-04-181-1/+1
| | | | | | | | The git repo for multipath-tools was changed, so update the SRC_URI accordingly with the new link. Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* geoip: Switch to use the main branchMingli Yu2022-04-181-1/+1
| | | | | | | | | | | Fix the below do_fetch warning: WARNING: geoip-1.6.12-r0 do_fetch: Failed to fetch URL git://github.com/maxmind/geoip-api-c.git, attempting MIRRORS if available Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df3ef158347072a409b4e276a9dab8c2e89350ec) [Fix up for dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: upgrade to 12.22.2Nisha Parrakat2022-04-181-1/+1
| | | | | | | upgrading to next maintainence LTS version Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>