summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libevdev: add libcheck dependencyAndre McCurdy2017-11-211-0/+2
| | | | | | | | | | | | | | | The libevdev configure script contains an unconditional check for libcheck. If libcheck is found, libevdev unit tests will be built. Without a dependency, the presence of libcheck in sysroot is non deterministic (in morty and earlier) and builds can fail if libcheck is available during do_configure but not during do_compile. (In pyro and later, the libcheck dependency is not required to make libevdev builds deterministic due to recipe specific sysroots). Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ruby: Security fix for CVE-2017-14064Rajkumar Veer2017-11-212-0/+80
| | | | | | | Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Security fix for CVE-2017-14033Rajkumar Veer2017-11-212-0/+90
| | | | | | | affects ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Security fix for CVE-2017-9229Thiruvadi Rajaraman2017-11-212-0/+37
| | | | | | | affects ruby < 2.4.1 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Secruity fix for CVE-2017-9226Thiruvadi Rajaraman2017-11-212-0/+34
| | | | | | | affects ruby < 2.4.1 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Security fix for CVE-2017-9228Thiruvadi Rajaraman2017-11-212-0/+27
| | | | | | | affects ruby < 2.4.1 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Security fix for CVE-2017-9227Thiruvadi Rajaraman2017-11-212-0/+25
| | | | | | | affects ruby < 2.4.1 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: Security fix for CVE-2016-7798Thiruvadi Rajaraman2017-11-212-1/+167
| | | | | | | affectes ruby < 2.3.1 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2017-1000101Rajkumar Veer2017-11-212-0/+95
| | | | | | | | Affected versions: curl 7.34.0 to and including 7.54.1 Not affected versions: curl < 7.34.0 and >= 7.55.0 Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2017-1000100Rajkumar Veer2017-11-212-0/+48
| | | | | | | | Affected versions: libcurl 7.15.0 to and including 7.54.1 Not affected versions: libcurl < 7.15.0 and >= 7.55.0 Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-9586Thiruvadi Rajaraman2017-11-212-0/+67
| | | | | | | | Affected versions: libcurl 7.1 to and including 7.51.0 Not affected versions: libcurl >= 7.52.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8624Thiruvadi Rajaraman2017-11-212-0/+69
| | | | | | | | Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8617Thiruvadi Rajaraman2017-11-212-0/+31
| | | | | | | | Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8623Thiruvadi Rajaraman2017-11-212-0/+175
| | | | | | | | Affected versions: curl 7.10.7 to and including 7.50.3 Not affected versions: curl < 7.10.7 and curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8621Thiruvadi Rajaraman2017-11-212-0/+105
| | | | | | | | Affected versions: curl 7.12.2 to and including 7.50.3 Not affected versions: curl < 7.12.2 and curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8620Thiruvadi Rajaraman2017-11-212-0/+147
| | | | | | | | Affected versions: curl 7.34.0 to and including 7.50.3 Not affected versions: curl < 7.34.0 and curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8619Thiruvadi Rajaraman2017-11-212-0/+57
| | | | | | | | Affected versions: curl 7.3 to and including 7.50.3 Not affected versions: curl < 7.3 and curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8618Thiruvadi Rajaraman2017-11-212-0/+50
| | | | | | | | Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* curl: Security fix for CVE-2016-8615Thiruvadi Rajaraman2017-11-212-1/+74
| | | | | | | | Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7593Rajkumar Veer2017-11-212-0/+99
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7602Rajkumar Veer2017-11-212-0/+70
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7601Rajkumar Veer2017-11-212-0/+53
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7598Rajkumar Veer2017-11-212-0/+66
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7596Rajkumar Veer2017-11-212-0/+309
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7595Rajkumar Veer2017-11-212-0/+49
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7594Rajkumar Veer2017-11-213-0/+95
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2017-7592Rajkumar Veer2017-11-212-1/+42
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2016-10270Rajkumar Veer2017-11-212-0/+135
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2016-10269Rajkumar Veer2017-11-212-0/+132
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix CVE-2016-10267Rajkumar Veer2017-11-212-0/+71
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix CVE-2016-10266Rajkumar Veer2017-11-212-0/+61
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix CVE-2016-10268Rajkumar Veer2017-11-212-0/+31
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Secruity fix CVE-2016-10093Rajkumar Veer2017-11-212-0/+48
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix for CVE-2016-10271Rajkumar Veer2017-11-212-0/+31
| | | | | Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fixesYi Zhao2017-11-215-0/+395
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 (From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3) (From OE-Core rev: eaf72d105bed54e332e2e5c0c5c0a0087ecd91dd) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> minor fixes to get to apply Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com>
* libtiff: Security Advisory - libtiff - CVE-2017-5225Li Zhou2017-11-212-0/+93
| | | | | | | | | | | | | | | Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. Porting patch from <https://github.com/vadz/libtiff/commit/ 5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225. (From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com>
* ruby: fix build of ruby-native with gcc7Joshua Lock2017-11-212-0/+34
| | | | | | | | | | | | Marsalling is broken when ruby-2.2.x is built with gcc7, backport the change fix in Ruby SVN r57410 to apply to ruby 2.2.5: https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=57410 Fixes [YOCTO #12271] Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wpa_supplicant: fix WPA2 key replay security bugRoss Burton2017-10-162-0/+940
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WPA2 is vulnerable to replay attacks which result in unauthenticated users having access to the network. * CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake * CVE-2017-13078: reinstallation of the group key in the Four-way handshake * CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake * CVE-2017-13080: reinstallation of the group key in the Group Key handshake * CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake * CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it * CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake * CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame * CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame Backport patches from upstream to resolve these CVEs. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* hostap-utils: use w1.fi for SRC_URIMaxin B. John2017-10-101-3/+2
| | | | | | | | | | | | | | | | | | epitest.fi is down and hostap-utils source is now available in w1.fi. So, move SRC_URI to https://w1.fi Since hostap-utils is only meant for old Intersil Prism2/2.5/3 wifi cards, this recipe will be removed from oe-core in future (most likely to meta-handheld) [YOCTO #12051] (From OE-Core rev: 541b14c58132e8460a762617889bd5e3d736c1a4) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* diffstat: use HTTP mirror for SRC_URIRoss Burton2017-10-101-1/+1
| | | | | | | | | | | The Invisible Mirror FTP service is currently down, and FTP is horrible, so switch to the HTTP mirror. (From OE-Core rev: f31461f8ea11e82dbe14454a1149d9ec2120404d) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* v86d: take tarball from debianAlexander Kanavin2017-10-101-3/+3
| | | | | | | | | | | Gentoo is removing the package due to dead upstream; Debian might carry it for a while longer. (From OE-Core rev: 5026730a2f0701ebad4ddf57990b1ae3b484ae72) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libpng: lsb version 1.2.56 url fixArmin Kuster2017-10-101-4/+2
| | | | | | The mirrors are not working so remove them. Simplify the SRC_URI as the archive in only in the older-releases dir. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libpng: use SourceForge mirrorRoss Burton2017-10-101-2/+4
| | | | | | | | | | | | | | | | | The Gentoo mirror also deletes old versions when they're not used, so revert back to the canonical SourceForge site, adding /older-releases/ to MIRRORS to handle new releases moving the version we want. Original idea by Maxin B. John <maxin.john@intel.com>. (From OE-Core rev: 791a3493c88c9c249f21f6d893b2061e1d8a0af6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Hand applied to work with morty version Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sign_rpm.bbclass: force rpm serial signingLeonardo Sandoval2017-10-101-0/+6
| | | | | | | | | | | | Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel so (unfortunately) the signing must be done serially. Once the upstream problem is fixed, this patch must be reverted, otherwise we loose all the intrinsic parallelism from bitbake. [YOCTO #12022] Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* selftest/cases/signing: ignore removal errors when cleaning temporary gpg ↵Leonardo Sandoval2017-10-101-2/+5
| | | | | | | | | | | | | | | | | | | | directory The high-level method tempfile.TemporaryDirectory give us no way to ignore erros on removal thus use tempfile.mkdtemp instead. Ignoring possible issues on removal is neccesary because it contains gpg sockets that are automatically removed by the system once the process terminates, otherwise the following log is observed: .. .. File "/usr/lib/python3.5/shutil.py", line 436, in _rmtree_safe_fd os.unlink(name, dir_fd=topfd) FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.browser' [YOCTO #11821] Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lunux-yocto/4.8: update to 4.8.25 plus bluetooth: CVE-2017-1000251Armin Kuster2017-10-103-16/+16
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto/4.4: update to 4.4.87 plus bluetooth: CVE-2017-1000251Armin Kuster2017-10-103-16/+16
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto/4.1: update to 4.1.43 plus bluetooth CVE-2017-1000251Armin Kuster2017-10-103-16/+16
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto/4.1: fix gcc7 compilation and v4.1.39Bruce Ashfield2017-10-103-16/+16
| | | | | | | | | | | | | | | | | | Porting the mainline commit, to fix gcc7 builds: 474c90156c [give up on gcc ilog2() constant optimizations] We also integrate the 4.1.39 -stable update to pick up additional fixes. (From OE-Core rev: 774e0d3f429d383c55e9f54ab095f13694e1d8e6) Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit f0effea8716faae749a7d15003647d68fa0cabf7) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* kernel.bbclass: fix KERNEL_IMAGETYPE(S) for Image.gzNicolas Dechesne2017-10-101-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | KERNEL_IMAGETYPES lists all the kernel images that we want to build. in cb17b6c2a7 (kernel.bbclass: support kernel image type of vmlinux.gz), some logic was added to support vmlinux.gz which is not a target built by kernel makefiles (only vmlinux). It is clear that the goal of this logic is only to support vmlinux.gz and not others compressed format (such as Image.gz) which are valid target for kernel makefiles. For Image.gz we should rely on the kernel makefiles and not do the compression in kernel class. This patch updates the logic used to filter out non supported kernel target from KERNEL_IMAGETYPES, and make vmlinux.gz a 'special case', instead of *.gz. If more special cases are needed in the future, we could add them in a similar way. This patch should be a no-op for anyone using vmlinux or vmlinux.gz, and on top of that it is fixing the build for Image.gz which was not working until now. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cfc0c897656fe67e81a6a5dcd936dff785529f41) Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>