These patches are about a number of CVEs filed against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.
These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs separately, but they fix a number of CVEs altogether.
Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.
I haven't added specific CVE info to the patches, on one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilities will disappear
from the CVE report due to this.
[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It has paths to compiler and assembler which are technically cross
compilers in OE. We do have these names symlinked on target too but
paths need to be removed.
Fixes
WARNING: monkey-1.6.9-r0 do_package_qa: QA Issue: File /usr/include/monkey/mk_env.h in package monkey-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey-project.com doesn't resolve anymore
* use v1.6.9 tag from github
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
/var/volatile is populated at runtime as it can be mounted from a
different partition, therefore it's better to keep it empty and only
populate it during runtime.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
base_contains() is a compatibility wrapper and may warn in the future, so
replace all instances with bb.utils.contains().
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch adds the new Monkey HTTP Server v1.5.6.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.6
=== Build Tests ==
This version has been tested on Yocto/Dizzy based on RPM.
monkey-yocto/5aee7684cd66f78fb51f78138603a4dde4ef2484
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch adds the new Monkey HTTP Server v1.5.4.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.4
=== Build Tests ==
This version has been tested on Yocto/Daisy based on RPM.
monkey-yocto/a617991e40bd5c3779ad7b3689f78857d3e45248
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch adds the new Monkey HTTP Server v1.5.3.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.3
=== Build Tests ==
This version has been tested on Yocto/Daisy being packaged and
deployed on images based on RPM successfully.
monkey-yocto/672eadb254e754b91efe691a6594985ee6d9a22e
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch adds the new Monkey HTTP Server v1.5.2. The new Bitbake file
contains the modifications suggested over the patch set for v1.5.1. It
specifies each configuration file for CONFFILES_${PN}.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.2
=== Build Tests ==
This version and new Bitbake file have been tested on Yocto/Daisy being
packaged and deployed on images based on rpm and ipk successfully.
monkey-yocto/70d57bfd19c01ec055db57e35385ffc4185ae186
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch adds the minor release fix of Monkey HTTP Server v1.5.1. It fixes
some problems when switching user when started as root.
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch makes use of autotools-brokensep on main
recipe to avoid a broken build when using a different
build directory.
monkey-yocto/f15c9e7cd9143ce8486ae5e78db9092238c3d0ec
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
This patch adds the Monkey HTTP Server v1.5.0 recipes. The content
on this patch includes the modifications suggested by people in the
Mailing List.
Signed-off-by: Eduardo Silva <eduardo@monkey.io>