Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before
4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote
authenticated users to inject arbitrary web script or HTML via a crafted ENUM
value that is improperly handled during rendering of the (1) table search or (2)
table structure page, related to
libraries/TableSearch.class.php and libraries/Util.class.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7217
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Cross-site scripting (XSS) vulnerability in the view operations page in
phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote
authenticated users to inject arbitrary web script or HTML via a crafted
view name, related to js/functions.js.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
remote authenticated users to inject arbitrary web script or HTML via the
(1) browse table page, related to js/sql.js; (2) ENUM editor page, related
to js/functions.js; (3) monitor page, related to js/server_status_monitor.js;
(4) query charts page, related to js/tbl_chart.js; or (5) table relations
page, related to libraries/tbl_relation.lib.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to the
dns_get_record function and the dn_expand function. NOTE: this issue
exists because of an incomplete fix for CVE-2014-4049.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Integer overflow in the cdf_read_property_info function in cdf.c in file
through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and
5.5.x before 5.5.16, allows remote attackers to cause a denial of
service (application crash) via a crafted CDF file. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-1571.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3587
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
5.5.16 does not ensure that pathnames lack %00 sequences, which might
allow remote attackers to overwrite arbitrary files via crafted input to
an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif,
(4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Bashism:
possible bashism in plugins/transformations/generator_plugin.sh line 16 (echo -e):
echo -e "Usage: ./generator_plugin.sh MIMEType MIMESubtype TransformationName [Description]\n"
possible bashism in plugins/transformations/generator_plugin.sh line 28 (${parm,[,][pat]} or ${parm^[^][pat]}):
MT="${MT^}"
possible bashism in plugins/transformations/generator_plugin.sh line 29 (${parm,[,][pat]} or ${parm^[^][pat]}):
MS="${MS^}"
possible bashism in plugins/transformations/generator_plugin.sh line 30 (${parm,[,][pat]} or ${parm^[^][pat]}):
TN="${TN^}"
possible bashism in plugins/transformations/generator_plugin.sh line 51 (should be 'b = a'):
if [ "$4" == "--generate_only_main_class" ]; then
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
sstate processing for items in sysroot scans certain
file name patterns for absolute paths to be adjusted
when items are installed into sysroot from sstate.
phpize is not one of these patterns (surprise!) so we
add it to the list.
Signed-off-by: Joe Slater <jslater@windriver.com>
Previously, modphp estimates endian on host rather than checks it on
target. If the host is little-endian and the target is big-endian,
modphp claims that endian is little. As a result, a memory location
that it is not allowed to access when calling libphp5.so module on
target. It will occur segmentation fault.
This patch enables endian check support for modphp.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* Remove all PR = "r0" from all .bb files in meta-oe repo. This was done
with the command sed -e '/^PR.*=.*r0\"/d' meta*/recipes*/*/*.bb -i
* We've switching to the PR server, PR bumps are no longer needed and
this saves people either accidentally bumping them or forgetting to
remove the lines (r0 is the default anyway).
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* LIC_FILES_CHKSUM needed to change because the copyright year changed
* Enabled mcrypt since upstream recommend this for acceptable
performance (and we now have a libmcrypt recipe in meta-oe)
* Disabled the opcache; this is a new feature in 5.5 and the configure
check for it currently breaks when cross-compiling.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Remove some mostly superfluous scripts for adding additional mimetype
support that add an explicit dependency on bash.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Copying files and then modifying them is preferred rather than the other
way around because then the modification can never be run twice if the
function is re-executed on an existing work directory.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Fixes the following warning:
WARNING: QA Issue: ELF binary '${WORKDIR}/packages-split/modphp/usr/lib/apache2/modules/libphp5.so' has relocations in .text
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* This change is only aesthetic (unlike indentation in Python
tasks).
* Some recipes were using tabs.
* Some were using 8 spaces.
* Some were using mix or different number of spaces.
* Make them consistently use 4 spaces everywhere.
* Yocto styleguide advises to use tabs (but the only reason to keep
tabs is the need to update a lot of recipes). Lately this advice
was also merged into the styleguide on the OE wiki.
* Using 4 spaces in both types of tasks is better because it's less
error prone when someone is not sure if e.g.
do_generate_toolchain_file() is Python or shell task and also allows
to highlight every tab used in .bb, .inc, .bbappend, .bbclass as
potentially bad (shouldn't be used for indenting of multiline
variable assignments and cannot be used for Python tasks).
* Don't indent closing quote on multiline variables
we're quite inconsistent wheater it's first character on line
under opening quote or under first non-whitespace character in
previous line.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Acked-by: Koen Kooi <koen@dominion.thruhere.net>
* enable mysql option in PACKAGECONFIG
* add patch to support autoconf 2.59+ so we can use
autotools do_configure to fix a libtool cross-compile issue
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
revert pthread-check.patch which hacks the old configure,
instead, add one against threads.m4 to enable pthread support
when cross-compiling.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
When we change the apache2 files layout to debian style,
the ServerRoot in httpd.conf was changed to "/" from "/usr",
then the relative path to libphp5 module in 70_mod_php5.conf
will be invalid so it fails to load the module, use libdir
(absolute path) instead so it will always find the module.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
The hardcoded lib path will cause apache2 fail to start on
the target with other baselib like lib64.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Wenzong Fan
Kai Kang
Roy Li
Paul Eggleton
Martin Jansa
Yue Tao
Robert Yang
Joe Slater
Chong Lu
Marcin Juszkiewicz
Jackie Huang
Eric Bénard