setuptools.patch
removed since it's included in 3.8.5.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cc532b9d4e)
Shortlog:
python: Replace distutils with setuptools
sanlock: fix memory leak of lockspace renewal_history
sanlock: fix pthread_create error check
Revert "sanlock: Shrink thread pool when there is no work"
sanlock: fix pthread_create error paths
sanlock: acquire should ignore unused options str
sanlock: use helper to set max_sectors_kb
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
It fetches from multiple repositories, but didn't have SRCREV_FORMAT
set. Because of this, the recipe couldn't use sstate artifacts from
a mirror, just threw many warnings:
WARNING: sysdig-0.28.0-r0 do_package_qa_setscene: ExpansionError('SRCPV',
'${@bb.fetch2.get_srcrev(d)}', FetchError('The SRCREV_FORMAT variable
must be set when multiple SCMs are used.\nThe SCMs
are:\ngit://github.com/draios/sysdig.git;branch=dev;protocol=https;name=sysdig
git://github.com/falcosecurity/libs;protocol=https;branch=master;name=falco;subdir=git/falcosecurity-libs',
None))
WARNING: Setscene task (/cocto/kirkstone-next/meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_0.28.0.bb
:do_package_qa_setscene) failed with exit code '1' - real task will be run instead
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This upgrade contains a list of vunerability fixes: CVE-2025-49844,
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023,
CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449,
CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above.
Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8f1269507a)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243
The issue is about file permissions: by default rsyslog creates world-readable
files. In case a log message contains some sensitive information, then that's
exposed to every user on the system.
However the rsyslog.conf file that is shipped with the recipe solves it: it
already sets non-world-readable default permissions on all files, so this
vulnerability is fixed in the default OE recipe.
See also this package in OpenSuse[1], where it is solved the same way.
[1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 38ea8a4617)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2006-3376 is already patched, but the patch is missing
the required CVE tag, so the cve-checker misses it.
This patch adds the tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2009-1364 is already patched, but the patch didn't contain
the necessary tag so the cve-checker didn't pick it up.
This change adds the required tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The expected error message has changed between versions - update the test
in the patch accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
1. Fix tests that output colored text but try to verify uncolored text - filter the
output through "tee" to remove coloring.
2. Add missing dependency
3. Fix a test that fails when C.utf-8 locale is not available on the machine (patch submitted upstream)
4. Enable network connection by setting a nameserver in resolv.conf
While execution is possible, it still requires both ostree and busybox to be compiled statically.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The original tarball URL no longer provides version 1.7.3 or any other
historical releases.To ensure reproducible builds, the source has been
switched to the official GitHub repository.
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c5de36f588)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
With the exception of paho-mqtt-cpp, the double protocol= attributes
were added to the SRC_URIs when protocol=https was added to all SRC_URIs
fetching from github.com in commit b402a3076f (recipes: Update SRC_URI
branch and protocols).
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e0a581bee)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2025-6019:
A Local Privilege Escalation (LPE) vulnerability was found in
libblockdev. Generally, the "allow_active" setting in Polkit permits a
physically present user to take certain actions based on the session
type. Due to the way libblockdev interacts with the udisks daemon, an
"allow_active" user on a system may be able escalate to full root
privileges on the target host. Normally, udisks mounts user-provided
filesystem images with security flags like nosuid and nodev to prevent
privilege escalation. However, a local attacker can create a specially
crafted XFS image containing a SUID-root shell, then trick udisks into
resizing it. This mounts their malicious filesystem with root
privileges, allowing them to execute their SUID-root shell and gain
complete control of the system.
Refer:
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The git server at git.pengutronix.de no longer supports the git
protocol, so switch to https.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The git server at git.pengutronix.de no longer supports the git
protocol, so switch to https.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Pick commit mentioning the bug and two follow-up commits mentioning the
first commit.
Tested by running the test-suite (test starter scripts were copied from
scarthgap version which has them working).
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2022-39836:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a heap-based buffer over-read of one byte.
CVE-2022-39837:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a NULL pointer dereference.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-39836https://nvd.nist.gov/vuln/detail/CVE-2022-39837
Upstream patch:
https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an open source, in-memory database that persists on disk.
An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector and potentially lead to remote
code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to restrict EVAL and EVALSHA
commands.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-46981
Upstream-patch:
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Wang Mingyu
Gyorgy Sarvari
Emil Kronborg Andersen
Khem Raj
Naman Jain
Zhang Peng
Vijay Anusuri
Mingli Yu
Jiaying Song
Markus Volk
Peter Kjellerstedt
Praveen Kumar
Changqing Li
Bastian Krause
Peter Marko
Yogita Urade
Divya Chellam