mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-04-20 11:38:34 +00:00
Code Issues Projects Releases Wiki Activity
17,147 Commits 63 Branches 0 Tags
48b0721fac470a474dec94e6907ac3535a53032b
Commit Graph

17147 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Omkar Patil
48b0721fac ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3 
Changes:
Rejected zero-sized runs
Avoided merging runlists with no runs

Fix CVE-2022-40284

Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Hitendra Prajapati
986f3ceb44 nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module 
Upstream-Status: Backport from 6b022a5556

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Ranjitsinh Rathod
b2c7d54b40 strongswan: Fix CVE-2022-40617 
Add a patch to fix CVE-2022-40617 issue which allows remote attackers to
cause a denial of service in the revocation plugin by sending a crafted
end-entity (and intermediate CA) certificate that contains a CRL/OCSP
URL that points to a server (under the attacker's control) that doesn't
properly respond but (for example) just does nothing after the initial
TCP handshake, or sends an excessive amount of application data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-11-25 10:35:23 -05:00
Colin Finck
7203130ed8 [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools) 
Quoting Jason A. Donenfeld on IRC:

<zx2c4> Colin_Finck: you should never, ever use old versions
<zx2c4> Notice that neither the major nor minor version numbers change
<zx2c4> Use the latest versions on your LTS

With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-10-30 14:47:43 -04:00
Mathieu Dubois-Briand
44d843ecad networkmanager: Update to 1.22.16 
Update network manager stable branch to last version, allowing to fix
CVE-2020-10754.

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-10-30 14:47:43 -04:00
Hitendra Prajapati
8377de1624 dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relay 
Source: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git
MR: 121726
Type: Security Fix
Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39
ChangeID: be554ef6ebedd7148404ea3cc280f2e42e17dc8c
Description:
	 CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-10-30 14:47:43 -04:00
Hitendra Prajapati
62842aac98 postgresql: CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox 
Source: https://git.postgresql.org/gitweb/?p=postgresql.git;
MR: 121822
Type: Security Fix
Disposition: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa
ChangeID: 5011e2e09f30f76fc27dc4cb5fa98a504d1aaec9
Description:
	 CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-10-30 14:47:35 -04:00
wangmy
6792ebdd96 c-ares: upgrade 1.17.2 -> 1.18.1 
c-ares version 1.18.1 - Oct 27 2021
Bug fixes:

ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 adddresses
rather than the sizeof(struct sockaddr_in6)

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e251d7b827)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Sinan Kaya
ad1dcf68b6 c-ares: remove custom patches 
Current patch is breaking the library dependencies added by cmake
especially when you are static linking.

Applications need the ws2_32 library to be linked for mingw32
and with the existing patch this is not getting passed to the users.

Current patch seems to address this issue:
https://github.com/c-ares/c-ares/issues/373

Both issues are resolved in 1.17.2:

1.17.2-r0/git $ find . | grep c-ares-config.cmake.in
./c-ares-config.cmake.in
1.17.2-r0/git $ find . | grep libcares.pc.cmake
./libcares.pc.cmake

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 621bdc1993)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
wangmy
cd8d2f689f c-ares: upgrade 1.17.1 -> 1.17.2 
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c49173b09c)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Khem Raj
de05a500b9 c-ares: Upgrade to 1.17.1 release 
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile

Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.1.bb

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b65f290419)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Armin Kuster
87841f0c18 Revert "c-ares: Add fix for CVE-2021-3672" 
This reverts commit b06724bc27.
Revert this CVE fix as we upgrade c-ares to 1.18.1

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
 2022-09-11 13:49:52 -04:00
Yi Zhao
a33dca5297 cryptsetup: upgrade 2.3.2 -> 2.3.7 
Stable security bug-fix release that fixes CVE-2021-4122.

ReleaseNotes:
https://kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5dca16b451)
This is just the rename and SRC_URI hash updates made to apply
to dunfell.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
 2022-09-11 13:49:52 -04:00
Ranjitsinh Rathod
a1a40c95eb nodejs: Upgrade to 12.22.12 
As per the below release note, it should be a last release for 12.x
stable LTS series.
Link: https://github.com/nodejs/node/releases/tag/v12.22.12

Remove CVE-2021-44532 fix as it already available in this release
v12.22.12

License-Update: src/gtest additional file in the LICENSE

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
 2022-09-11 13:49:52 -04:00
Hitendra Prajapati
e5e63be86e python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service 
Source: https://github.com/lxml/lxml
MR: 119399
Type: Security Fix
Disposition: Backport from 86368e9cf7
ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777
Description:
        CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 2022-09-11 13:49:52 -04:00
Khem Raj
f22bf6efaa meta-oe: Add leading whitespace for append operator 
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 92441f9d6a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:38 -07:00
Armin Kuster
a04c5444c9 bigbuckbunny-1080p: update SRC_URI 
fixes:
ERROR: bigbuckbunny-1080p-1.0-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi')

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:38 -07:00
Chen Qi
3ba409127c ntfs-3g-ntfsprogs: upgrade to 2022.5.17 
Upgrade from 2021.8.22 to 2022.5.17.
This upgrade mainly include CVE fixes.

According to https://github.com/tuxera/ntfs-3g/releases:
"""
Changelog:
* Improved defence against maliciously tampered NTFS partitions
* Improved defence against improper use of options
* Updated the documentation
"""

Fixed CVE's:
CVE-2021-46790
CVE-2022-30783
CVE-2022-30784
CVE-2022-30785
CVE-2022-30786
CVE-2022-30787
CVE-2022-30788
CVE-2022-30789

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 35a51898e7)
Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-08-02 06:59:27 -07:00
Chen Qi
52cee67833 ntfs-3g-ntfsprogs: upgrade to 2021.8.22 
This upgrade revolves a bunch of CVEs. See more details in:
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp.

Fixed CVE's:
CVE-2021-33285
CVE-2021-33289
CVE-2021-33286
CVE-2021-35266
CVE-2021-33287
CVE-2021-35267
CVE-2021-35268
CVE-2021-35269
CVE-2021-39251
CVE-2021-39252
CVE-2021-39253
CVE-2021-39254
CVE-2021-39255
CVE-2021-39256
CVE-2021-39257
CVE-2021-39258
CVE-2021-39259
CVE-2021-39260
CVE-2021-39261
CVE-2021-39262
CVE-2021-39263

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6791dc5364)

Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati
9f3d116fdd cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands 
Source: https://github.com/cyrusimap/cyrus-sasl
MR: 118501
Type: Security Fix
Disposition: Backport from 9eff746c9d
ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51
Description:
       CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati
b406297d3b xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.c 
Source: https://github.com/ThomasDickey/xterm-snapshots/
MR: 115675
Type: Security Fix
Disposition: Backport from 1584fc2276
ChangeID: 6ad000b744527ae863187b570714792fc29467d9
Description:
         CVE-2022-24130 xterm: Buffer overflow in set_sixel in graphics_sixel.c.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Hitendra Prajapati
a24773d39e openldap: CVE-2022-29155 OpenLDAP SQL injection 
Source: https://git.openldap.org/openldap/openldap
MR: 117821
Type: Security Fix
Disposition: Backport from 87df6c1991
ChangeID: d534808c796600ca5994bcda28938d45405bc7b4
Description:
	CVE-2022-29155 openldap: OpenLDAP SQL injection

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Akash Hadke
1d0b2d78c2 ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g" 
Set CVE_PRODUCT to 'tuxera:ntfs-3g' for ntfs-3g-ntfsprogs recipe,
cve-check class is setting default CVE_PRODUCT to 'ntfs-3g-ntfsprogs'
which ignores the ntfs-3g-ntfsprogs CVEs from NVD Database.

Reference:
CVE-2019-9755
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9755

Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-07-16 12:56:17 -07:00
Jeroen Hofstee
d6795ab0ee php: move to version v7.4.28 
CVE: CVE-2021-21703 CVE-2021-21706 CVE-2021-21707 CVE-2021-21708

Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
[Didn't apply cleanly, corrected.]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Akash Hadke
512a3caee4 iperf: Set CVE_PRODUCT to "iperf_project:iperf" 
Set CVE_PRODUCT as 'iperf_project:iperf' for iperf2 and iperf3
recipes, cve-check class is setting default CVE_PRODUCT to
'iperf2' and 'iperf3' respectively which ignores the iperf
CVEs from NVD Database.

Reference:
CVE-2016-4303
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-4303

Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Martin Jansa
245a1ab46b grpc: switch from master branch to main for upb 
* hardknott and newer branches don't need this as upb repo was removed in:
  commit 15cff67fd6
  Author: Anatol Belski <anbelski@linux.microsoft.com>
  Date:   Fri Feb 19 12:39:55 2021 +0000

    grpc: Upgrade 1.24.3 -> 1.35.0

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Martin Jansa
96e9636f7d leveldb: switch from master branch to main 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Mingli Yu
d865d97f9b bridge-utils: Switch to use the main branch 
Fix the below do_fetch warning:
WARNING: bridge-utils-1.7-r0 do_fetch: Failed to fetch URL git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git, attempting MIRRORS if available

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Martin Jansa
2526b14d39 tesseract-lang: switch from master branch to main 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Adrian Fiergolski
986bb14aaf python3-matplotlib: add missing dependency 
In order to fix the dependency issue on PIL module, python3-pillow is required.

Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4e70a1960)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fcc7d7eae8)
[fixup for honister context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 44c394f3cbdce8c7297af01c0f5ee030e1e3dacd)
[fixup for dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-06-15 06:45:03 -07:00
Armin Kuster
04212afa12 mariadb: update to 10.4.25 
Source: mariadb.org
MR: 117530, 117522, 117514, 117506, 117497, 117489, 117481, 117473, 117465, 117457, 117449, 117380, 117364, 117356, 117336, 117212, 117204, 117196, 117180, 117188, 117169, 117161, 117441, 117372
Type: Security Fix
Disposition: Backport from mariagdb.org
ChangeID: 8bf787570ebe8503d2974af92e17b505e70440e5
Description:

LTS version, bug fix only.

Include these CVES:
CVE-2022-27458
CVE-2022-27457
CVE-2022-27456
CVE-2022-27455
CVE-2022-27452
CVE-2022-27451
CVE-2022-27449
CVE-2022-27448
CVE-2022-27447
CVE-2022-27446
CVE-2022-27445
CVE-2022-27444
CVE-2022-27387
CVE-2022-27386
CVE-2022-27385
CVE-2022-27384
CVE-2022-27383
CVE-2022-27382
CVE-2022-27381
CVE-2022-27380
CVE-2022-27379
CVE-2022-27378
CVE-2022-27377
CVE-2022-27376

Signed-off-by: Armin Kuster <akuster@mvista.com>
 2022-06-05 06:53:33 -07:00
Riyaz Ahmed Khan
deee226017 tcpdump: Add fix for CVE-2018-16301 
Add patch for CVE issue: CVE-2018-16301
Link: 8ab211a7ec

Upstream-Status: Pending

Issue: MGUBSYS-5370

Change-Id: I2aac084e61ba9d71ae614a97b4924eaa60328b79
Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Julien STEPHAN
9f361cff9c opencl-headers: switch to main branch 
master branch was renamed main on upstream project, so update the URI

Signed-off-by: Julien STEPHAN <jstephan@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Mikko Rapeli
a1c7bb2098 fuse: set CVE_PRODUCT to "fuse_project:fuse" 
Other products like "RedHat:fuse" introduce false CVE findings like:

https://nvd.nist.gov/vuln/detail/CVE-2018-10906
https://nvd.nist.gov/vuln/detail/CVE-2019-14860
https://nvd.nist.gov/vuln/detail/CVE-2020-25689

Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fd7dc34871)
[Fixup for Dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Julien STEPHAN
c9e034fbaa opencl-icd-loader: switch to main branch 
master branch was renamed main, so update the URI

Signed-off-by: Julien STEPHAN <jstephan@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Sana Kazi
a38c92d8e9 openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239 
Whitelist CVE-2020-27844 as it is introduced by
4edb8c8337
but the contents of this patch is not present in openjpeg_2.3.1

Link: https://security-tracker.debian.org/tracker/CVE-2020-27844

Whitelist CVE-2015-1239 as the CVE description clearly states that
j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239
but in openjpeg_2.3.1 this function is not present.
Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.

Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Martin Jansa
de4b76934c ostree: prevent ostree-native depending on target virtual/kernel to provide kernel-module-overlay 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Martin Jansa
b99a386cd1 python3-cryptography: backport 3 changes to fix CVE-2020-36242 
* backport the actual code change from
  https://github.com/pyca/cryptography/pull/5747
  without the docs and CI changes (which aren't applicable on old 2.8
  version) and backport 2 older changes to make this fix applicable
  on 2.8.

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Steve Sakoman
abd7cf838d lua: fix CVE-2022-28805 
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.

https://nvd.nist.gov/vuln/detail/CVE-2022-28805

(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)

Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:39 -07:00
Ranjitsinh Rathod
a8d82c80a1 atftp: Add fix for CVE-2021-41054 and CVE-2021-46671 
Add patches to fix CVE-2021-41054 and CVE-2021-46671 issues
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-41054
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46671

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-05-25 19:34:31 -07:00
Khem Raj
8ff12bfffc postgresql: Fix build on riscv 
Remove duplicate code

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aa22894fa3)
[Fixup for Dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-19 10:15:37 -07:00
Khem Raj
fdd1dfe6b4 mongodb: Pass OBJCOPY to scons so it does not use it from host 
Fixes
objcopy: Unable to recognise the format of the input file `build/opt/mongo/mongos'

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Vincent Prince <vincent.prince.fr@gmail.com.com>
(cherry picked from commit e91940073a)
[Fix up for Dunfell context:
also fixes Please add a conforming MONGO_VERSION=x.y.z[-extra] as an argument to SCons]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Armin Kuster
df8259cc49 Mariadb: update to 10.4.24 
Source: Mariadb.org
MR:  115460, 115507, 1115549, 115549, 115488
Type: Security Fix
Disposition: Backport from mariadb.org
ChangeID: 722782cefa6805e907ee377a340f1b8bec174079
Description:

Bug fix only update, includes these CVES:
CVE-2021-46665
CVE-2021-46664
CVE-2021-46661
CVE-2021-46668
CVE-2021-46663

For more information see: https://mariadb.com/kb/en/mariadb-10424-release-notes/

drop mariadb/c11_atomics.patch as its include in the update.
drop mariadb/clang_version_header_conflict.patch different fix  applied

Signed-off-by: Armin Kuster <akuster@mvista.com>
 2022-04-18 07:37:42 -07:00
Yi Zhao
8314be774a apache2: upgrade 2.4.52 -> 2.4.53 
Source: meta-openembedded
MR: 117176, 116633
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?id=81bbe65791459538ab578ac13e612f7dc6f692f0

ChangeID: 5b86888b06765a3b5aa7ff301da4f8b87f2dd154
Description:

ChangeLog:
https://downloads.apache.org/httpd/CHANGES_2.4.53

Security fixes:
CVE-2022-23943
CVE-2022-22721
CVE-2022-22720
CVE-2022-22719

Refresh patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
 2022-04-18 07:37:42 -07:00
Ranjitsinh Rathod
dbf01a10e2 python3-urllib3: Fix CVE-2020-26137 and CVE-2021-33503 
Add patch to fix CVE-2020-26137
Link: https://ubuntu.com/security/CVE-2020-26137
Link: 1dd69c5c59.patch

Add patch to fix  CVE-2021-33503
Link: https://ubuntu.com/security/CVE-2021-33503
Link: 2d4a3fee6d.patch

Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Ralph Siemsen
aa316ee2bb polkit: fix overlapping changes in recent CVE patches 
Commit 17e931e77 ("polkit: fix CVE-2021-3560") contains
- upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81

Commit 67ec3e049 ("polkit: Fix for CVE-2021-4115") contains both:
- upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 (CVE-2021-3560)
- upstream commit 41cb093f554da8772362654a128a84dd8a5542a7 (CVE-2021-4115)

Thus the fix for CVE-2021-3560 is applied twice, resulting in warnings
during do_patch. Curiously it neither fails nor complains about patch
already applied. Also devtool silently discards the duplicate patch.

Drop the duplicate patch, to resolve following warnings:

WARNING: polkit-0.116-r0 do_patch: Fuzz detected:

Applying patch 0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
patching file src/polkit/polkitsystembusname.c
Hunk #1 succeeded at 438 with fuzz 2 (offset 3 lines).

Applying patch CVE-2021-4115.patch
patching file src/polkit/polkitsystembusname.c
Hunk #4 succeeded at 439 with fuzz 2.

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Minjae Kim
5cdde2991e multipath-tools: update SRC_URI 
The git repo for multipath-tools was changed, so update the
SRC_URI accordingly with the new link.

Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Mingli Yu
388dc2830a geoip: Switch to use the main branch 
Fix the below do_fetch warning:
WARNING: geoip-1.6.12-r0 do_fetch: Failed to fetch URL git://github.com/maxmind/geoip-api-c.git, attempting MIRRORS if available

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df3ef15834)
[Fix up for dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Nisha Parrakat
89d2876e2e nodejs: upgrade to 12.22.2 
upgrading to next maintainence LTS version

Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00
Armin Kuster
7abb2382cd spirv-tools: update SRC_URI for googletest to main 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2022-04-18 07:37:42 -07:00