mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity
17,269 Commits 64 Branches 0 Tags
dunfell-next
Commit Graph

17269 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Rogers 7ae42df58f xterm: Remove undeclared variables introduced by backport 
CVE-2022-45063 ported onto the dunfell baseline introduces two
variables that cause xterm to fail compilation with the error

./fontutils.c:4143:13: error: 'added' undeclared (first use in this function)

These two variables don't appear to be defined at all in findXftGlyph for
xterm_353, so they should be removed.

Fixes: 10148c538ebc("xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063")
Signed-off-by: Chris Rogers <crogers122@gmail.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Poonam Jadhav 068acc4ec7 nodejs: Fix CVEs for nodejs 
Add patch file CVE-llhttp.patch to fix CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215, CVE-2022-35256 of nodejs.

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Poonam Jadhav 9291a88738 nodejs: Fix CVE-2022-43548 
Add patch to fix CVE-2022-43548

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Poonam Jadhav b691797f77 nodejs: Fix CVE-2022-35255 
Add patch to fix CVE-2022-35255

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Poonam Jadhav df7fba3744 nodejs: Fix CVE-2022-32212 
Add patch to fix CVE-2022-32212

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Priyal Doshi 0a7d275985 open-vm-tools: Security fix for CVE-2022-31676 
Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745

Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-03-18 16:16:42 -04:00
Roger Knecht 8757134505 zeromq: 4.3.2 -> 4.3.4 
Fixes:
- CVE-2021-20236

Patch changes:
- Refreshed 0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch

Signed-off-by: Roger Knecht <roger@norberthealth.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Wang Mingyu 05e1a96745 apache2: upgrade 2.4.54 -> 2.4.55 
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.55

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Shubham Kulkarni eadcdb97d4 python3-pillow: Security fix for CVE-2022-45198 
Fix for CVE-2022-45198: Improper Handling of Highly Compressed GIF Data
Backport from https://github.com/python-pillow/Pillow/commit/884437f8a2b953a0abd2a3b130a87fcfb438092e

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Hitendra Prajapati 1172ebfa20 krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing 
Upstream-Status: Backport from https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Hitendra Prajapati d07c7f658f net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception 
Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand 56403db5e3 nss: Fix CVE-2020-25648 
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand 50b6fb7d62 nss: Whitelist CVEs related to libnssdbm 
These CVEs only affect libnssdbm, compiled when --enable-legacy-db is
used.

https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand f0f9398891 nss: Add missing CVE product 
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-02-22 11:24:23 -05:00
Yi Zhao e707e9b7cf postfix: upgrade 3.4.23 -> 3.4.27 
Changelog:
http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.4.27.HISTORY

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-01-19 07:49:31 -05:00
wangmy 6b65103660 apache2: upgrade 2.4.53 -> 2.4.54 
0004-apache2-log-the-SELinux-context-at-startup.patch
refresh for new version.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.54

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-01-19 07:49:31 -05:00
Valeria Petrov 09c3ac0da6 php: update 7.4.28 -> 7.4.33 
Update php from 7.4.28 to 7.4.33

    Fixes below CVEs:
    CVE-2021-21708
    CVE-2022-31626
    CVE-2022-31625
    CVE-2022-31628
    CVE-2022-31629
    CVE-2022-31630
    CVE-2022-37454

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-01-19 07:49:31 -05:00
Siddharth Doshi 10148c538e xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063 
Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322]
CVE: CVE-2022-45063

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-01-19 07:49:31 -05:00
Virendra Thakur 6464eb9fc4 capnproto: Fix CVE-2022-46149 
This patch contains a fix for CVE-2022-46149

Patch backported from :
https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2023-01-19 07:49:31 -05:00
Hitendra Prajapati 82f77e2b3c proftpd: CVE-2021-46854 memory disclosure to radius server 
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2023-01-19 07:49:31 -05:00
Hitendra Prajapati 7952135f65 postgresql: Fix CVE-2022-2625 
Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89
Description:
	CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-12-11 16:01:15 -05:00
Ivan Stepic 1e9bf08cca flatbuffers: adapt for cross-compilation environments 
Flatbuffers contains a library and a schema compiler. The package
contains cmake files to discover the libraries and the compiler tool.
Currently, all of these cmake files are installed into the target
sysroot. However, the compiler utility isn't installed into the sysroot
(as it is not runnable on the build machine).

When an application that depends on flatbuffers gets built, it uses
flatbuffers' exported cmake targets to configure the project. One of the
exported targets is FlatcTarget.cmake which expects to see flatc binary
in /usr/bin of the sysroot. Since binaries for target don't end up in
target sysroot, cmake configuration fails.

This patch addresses this problem of flatbuffers' build infrastructure
in cross-compiling environments. By removing FlatcTarget.cmake for
target builds from the sysroot we essentially skip this step of
flatbuffers' configuration.

Signed-off-by: Ivan Stepic <Ivan.Stepic@bmw.de>
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
 2022-11-25 10:35:23 -05:00
Omkar Patil 48b0721fac ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3 
Changes:
Rejected zero-sized runs
Avoided merging runlists with no runs

Fix CVE-2022-40284

Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Hitendra Prajapati 986f3ceb44 nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module 
Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Ranjitsinh Rathod b2c7d54b40 strongswan: Fix CVE-2022-40617 
Add a patch to fix CVE-2022-40617 issue which allows remote attackers to
cause a denial of service in the revocation plugin by sending a crafted
end-entity (and intermediate CA) certificate that contains a CRL/OCSP
URL that points to a server (under the attacker's control) that doesn't
properly respond but (for example) just does nothing after the initial
TCP handshake, or sends an excessive amount of application data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Colin Finck 7203130ed8 [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools) 
Quoting Jason A. Donenfeld on IRC:

<zx2c4> Colin_Finck: you should never, ever use old versions
<zx2c4> Notice that neither the major nor minor version numbers change
<zx2c4> Use the latest versions on your LTS

With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-10-30 14:47:43 -04:00
Mathieu Dubois-Briand 44d843ecad networkmanager: Update to 1.22.16 
Update network manager stable branch to last version, allowing to fix
CVE-2020-10754.

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-10-30 14:47:43 -04:00
Hitendra Prajapati 8377de1624 dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relay 
Source: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git
MR: 121726
Type: Security Fix
Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39
ChangeID: be554ef6ebedd7148404ea3cc280f2e42e17dc8c
Description:
	 CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-10-30 14:47:43 -04:00
Hitendra Prajapati 62842aac98 postgresql: CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox 
Source: https://git.postgresql.org/gitweb/?p=postgresql.git;
MR: 121822
Type: Security Fix
Disposition: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa
ChangeID: 5011e2e09f30f76fc27dc4cb5fa98a504d1aaec9
Description:
	 CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-10-30 14:47:35 -04:00
wangmy 6792ebdd96 c-ares: upgrade 1.17.2 -> 1.18.1 
c-ares version 1.18.1 - Oct 27 2021
Bug fixes:

ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 adddresses
rather than the sizeof(struct sockaddr_in6)

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e251d7b827)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Sinan Kaya ad1dcf68b6 c-ares: remove custom patches 
Current patch is breaking the library dependencies added by cmake
especially when you are static linking.

Applications need the ws2_32 library to be linked for mingw32
and with the existing patch this is not getting passed to the users.

Current patch seems to address this issue:
https://github.com/c-ares/c-ares/issues/373

Both issues are resolved in 1.17.2:

1.17.2-r0/git $ find . | grep c-ares-config.cmake.in
./c-ares-config.cmake.in
1.17.2-r0/git $ find . | grep libcares.pc.cmake
./libcares.pc.cmake

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 621bdc1993)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
wangmy cd8d2f689f c-ares: upgrade 1.17.1 -> 1.17.2 
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c49173b09c)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Khem Raj de05a500b9 c-ares: Upgrade to 1.17.1 release 
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.1.bb

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b65f290419)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Armin Kuster 87841f0c18 Revert "c-ares: Add fix for CVE-2021-3672" 
This reverts commit b06724bc27.
Revert this CVE fix as we upgrade c-ares to 1.18.1

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Yi Zhao a33dca5297 cryptsetup: upgrade 2.3.2 -> 2.3.7 
Stable security bug-fix release that fixes CVE-2021-4122.

ReleaseNotes:
https://kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5dca16b451)
This is just the rename and SRC_URI hash updates made to apply
to dunfell.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
 2022-09-11 13:49:52 -04:00
Ranjitsinh Rathod a1a40c95eb nodejs: Upgrade to 12.22.12 
As per the below release note, it should be a last release for 12.x
stable LTS series.
Link: https://github.com/nodejs/node/releases/tag/v12.22.12

Remove CVE-2021-44532 fix as it already available in this release
v12.22.12

License-Update: src/gtest additional file in the LICENSE

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
 2022-09-11 13:49:52 -04:00
Hitendra Prajapati e5e63be86e python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service 
Source: https://github.com/lxml/lxml
MR: 119399
Type: Security Fix
Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777
Description:
        CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-09-11 13:49:52 -04:00
Khem Raj f22bf6efaa meta-oe: Add leading whitespace for append operator 
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 92441f9d6a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:38 -07:00
Armin Kuster a04c5444c9 bigbuckbunny-1080p: update SRC_URI 
fixes:
ERROR: bigbuckbunny-1080p-1.0-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi')

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:38 -07:00
Chen Qi 3ba409127c ntfs-3g-ntfsprogs: upgrade to 2022.5.17 
Upgrade from 2021.8.22 to 2022.5.17.
This upgrade mainly include CVE fixes.

According to https://github.com/tuxera/ntfs-3g/releases:
"""
Changelog:
* Improved defence against maliciously tampered NTFS partitions
* Improved defence against improper use of options
* Updated the documentation
"""

Fixed CVE's:
CVE-2021-46790
CVE-2022-30783
CVE-2022-30784
CVE-2022-30785
CVE-2022-30786
CVE-2022-30787
CVE-2022-30788
CVE-2022-30789

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 35a51898e7)
Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:27 -07:00
Chen Qi 52cee67833 ntfs-3g-ntfsprogs: upgrade to 2021.8.22 
This upgrade revolves a bunch of CVEs. See more details in:
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp.

Fixed CVE's:
CVE-2021-33285
CVE-2021-33289
CVE-2021-33286
CVE-2021-35266
CVE-2021-33287
CVE-2021-35267
CVE-2021-35268
CVE-2021-35269
CVE-2021-39251
CVE-2021-39252
CVE-2021-39253
CVE-2021-39254
CVE-2021-39255
CVE-2021-39256
CVE-2021-39257
CVE-2021-39258
CVE-2021-39259
CVE-2021-39260
CVE-2021-39261
CVE-2021-39262
CVE-2021-39263

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6791dc5364)

Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati 9f3d116fdd cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands 
Source: https://github.com/cyrusimap/cyrus-sasl
MR: 118501
Type: Security Fix
Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51
Description:
       CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati b406297d3b xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.c 
Source: https://github.com/ThomasDickey/xterm-snapshots/
MR: 115675
Type: Security Fix
Disposition: Backport from https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d
ChangeID: 6ad000b744527ae863187b570714792fc29467d9
Description:
         CVE-2022-24130 xterm: Buffer overflow in set_sixel in graphics_sixel.c.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati a24773d39e openldap: CVE-2022-29155 OpenLDAP SQL injection 
Source: https://git.openldap.org/openldap/openldap
MR: 117821
Type: Security Fix
Disposition: Backport from https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134
ChangeID: d534808c796600ca5994bcda28938d45405bc7b4
Description:
	CVE-2022-29155 openldap: OpenLDAP SQL injection

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Akash Hadke 1d0b2d78c2 ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g" 
Set CVE_PRODUCT to 'tuxera:ntfs-3g' for ntfs-3g-ntfsprogs recipe,
cve-check class is setting default CVE_PRODUCT to 'ntfs-3g-ntfsprogs'
which ignores the ntfs-3g-ntfsprogs CVEs from NVD Database.

Reference:
CVE-2019-9755
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9755

Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Jeroen Hofstee d6795ab0ee php: move to version v7.4.28 
CVE: CVE-2021-21703 CVE-2021-21706 CVE-2021-21707 CVE-2021-21708

Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
[Didn't apply cleanly, corrected.]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Akash Hadke 512a3caee4 iperf: Set CVE_PRODUCT to "iperf_project:iperf" 
Set CVE_PRODUCT as 'iperf_project:iperf' for iperf2 and iperf3
recipes, cve-check class is setting default CVE_PRODUCT to
'iperf2' and 'iperf3' respectively which ignores the iperf
CVEs from NVD Database.

Reference:
CVE-2016-4303
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-4303

Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Martin Jansa 245a1ab46b grpc: switch from master branch to main for upb 
* hardknott and newer branches don't need this as upb repo was removed in:
  commit 15cff67fd6
  Author: Anatol Belski <anbelski@linux.microsoft.com>
  Date:   Fri Feb 19 12:39:55 2021 +0000

    grpc: Upgrade 1.24.3 -> 1.35.0

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Martin Jansa 96e9636f7d leveldb: switch from master branch to main 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Mingli Yu d865d97f9b bridge-utils: Switch to use the main branch 
Fix the below do_fetch warning:
WARNING: bridge-utils-1.7-r0 do_fetch: Failed to fetch URL git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git, attempting MIRRORS if available

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00