09825964eb
vboxguestdrivers: add a fix for build failure with kernel 5.13
...
Its already upstream and also used in Debian and Ubuntu
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d0f2d7c954akuster808@gmail.com >
(cherry picked from commit 2e15d7eb66akuster808@gmail.com >
2021-07-19 16:26:28 -07:00
9b7a52e06b
vboxguestdrivers: upgrade 6.1.20 -> 6.1.22
...
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 319490178bakuster808@gmail.com >
(cherry picked from commit 97a5a4b40cakuster808@gmail.com >
2021-07-19 16:26:01 -07:00
17828d03d6
vboxguestdrivers: upgrade 6.1.18 -> 6.1.20
...
Drop all patches, now part of upstream codebase
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 37537bda8cakuster808@gmail.com >
(cherry picked from commit 703daeb65fakuster808@gmail.com >
2021-07-19 16:25:45 -07:00
12bc39d8c5
vboxguestdrivers: Add __divmoddi4 builtin support
...
gcc 11 needs it on i686
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 57f7692e8eakuster808@gmail.com >
2021-07-19 16:25:25 -07:00
4435dfaa9e
vboxguestdrivers: Add patch proposed upstream to fix a build failure on i386
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 09eb0ad187akuster808@gmail.com >
2021-07-19 16:25:08 -07:00
c67ddfd590
vboxguestdrivers: upgrade 6.1.16 -> 6.1.18
...
Drop kernel 5.10 build fixes patches, now part of upstream codebase
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f8f2331158akuster808@gmail.com >
2021-07-19 16:23:48 -07:00
9c33c42196
vboxguestdrivers: fix build against kernel v5.10+
...
We need to adjust the vboxguest drivers to build against kernels
5.10+.
These are backports from the virtual box SVN repository and can be
dropped in future uprevs.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 22eaac640fakuster808@gmail.com >
2021-07-19 16:22:55 -07:00
0066ffb6eb
vboxguestdrivers: upgrade 6.1.14 -> 6.1.16
...
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7839164921akuster808@gmail.com >
2021-07-19 16:22:25 -07:00
5d3ac060df
vboxguestdrivers: upgrade 6.1.12 -> 6.1.14 Drop kernel 5.8 compatibility patch, now part of upstream codebase
...
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1cd14bf124akuster808@gmail.com >
2021-07-19 16:20:16 -07:00
155c453355
vboxguestdrivers: Fix build with kernel 5.8
...
Remove patches which are already covered in this new patch
Fixes
step1b: ERROR: modpost: "__get_vm_area_caller" [/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/vboxguestdrivers/6.1.12-r0/vboxguestdrivers-6.1.12/vboxguest/vboxguest.ko] undefined!
step1b: ERROR: modpost: "map_kernel_range" [/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/vboxguestdrivers/6.1.12-r0/vboxguestdrivers-6.1.12/vboxguest/vboxguest.ko] undefined!
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5efb06176aakuster808@gmail.com >
2021-07-19 16:20:08 -07:00
8d62c9d4c9
vboxguestdrivers: fix failed to compile with kernel 5.8.0
...
Backport patches from upstream [1] to fix the issue
It also requires to apply a patch on 5.8 kernel [2]
[1] https://www.virtualbox.org/ticket/19644
[2] https://www.virtualbox.org/raw-attachment/ticket/19644/local_patches
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9c10ed4baaakuster808@gmail.com >
2021-07-19 16:17:21 -07:00
2fe2ea3f15
vboxguestdrivers: upgrade 6.1.6 -> 6.1.12
...
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it >
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 21bc66202eakuster808@gmail.com >
2021-07-19 16:16:54 -07:00
10082fce3b
postgresql: update to 12.7
...
Source: MontaVista Software, LLC
MR: 111582, 111965, 111974, 110084
Type: Security Fix
Disposition: Backport from postgres.org
ChangeID: f1e8c58bedd5dd60404e3a0eb120888ad83fdc42
Description:
Bug fix only update.
https://www.postgresql.org/docs/12/release-12-7.html
LIC_FILES_CHKSUM changed do to yr update
Includes these CVEs:
CVE-2021-32027
CVE-2021-32028
CVE-2021-32029
12.6:
CVE-2021-3393
Signed-off-by: Armin kuster <akuster@mvista.com >
2021-07-17 07:42:33 -07:00
13ceac25a8
sysprof: Enable sysprofd/libsysprof only when polkit in DISTRO_FEATURES
...
This change is cherry-picked from upstream/master.
It fixes yocto-check-layer error:
ERROR: Nothing PROVIDES 'polkit' (but /home/builder/src/base/meta-openembedded/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb DEPENDS on or otherwise requires it)
polkit was skipped: missing required distro feature 'polkit' (not in DISTRO_FEATURES)
ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Andreas Müller <schnitzeltony@gmail.com >
Signed-off-by: akash hadke <akash.hadke@kpit.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-07-12 06:49:51 -07:00
ff470b3e85
tracker-miners: Check for commercial license to enable ffmpeg
...
This change is cherry-picked from upstream/master branch.
This fixes below yocto-layer-check error:
ERROR: Nothing PROVIDES 'ffmpeg' (but /home/builder/src/base/meta-openembedded/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb DEPENDS on or otherwise requires it)
ffmpeg was skipped: because it has a restricted license 'commercial'. Which is not whitelisted in LICENSE_FLAGS_WHITELIST
ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'tracker-miners', 'ffmpeg']
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Andreas Müller <schnitzeltony@gmail.com >
Signed-off-by: akash hadke <akash.hadke@kpit.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-07-12 06:49:48 -07:00
65c7872a3f
nss: add CVE-2006-5201 to allowlist
...
CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris.
Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 44113dcb5fakuster808@gmail.com >
(cherry picked from commit ace5cd9a8bakuster808@gmail.com >
2021-07-10 21:18:50 -07:00
5c1356a1ec
ntp: fix ntpdate to wait for subprocesses
...
When using systemd, ntpdate-sync script will start in background
triggering the start of ntpd without actually exiting.
This results in an bind error in ntpd startup.
Add wait at the end of ntpdate script to ensure that when the ntpdate.service
is marked as finished the oneshot script ntpdate-sync finished and unbind the
ntp port
Fixes #386
Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 73d5cd5e8dakuster808@gmail.com >
(cherry picked from commit f52ce99b46akuster808@gmail.com >
2021-07-10 21:16:42 -07:00
aeae0a34cf
apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641
...
CVE-2020-13950:
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be
made to crash (NULL pointer dereference) with specially crafted
requests using both Content-Length and Transfer-Encoding headers,
leading to a Denial of Service
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-13950
Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966738
https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
CVE-2020-35452:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow
being exploitable, nor the Apache HTTP Server team could
create one, though some particular compiler and/or
compilation option might make it possible, with limited
consequences anyway due to the size (a single byte) and
the value (zero byte) of the overflow
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-35452
Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2020-35452
https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
CVE-2021-26690:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Cookie header handled by mod_session can cause
a NULL pointer dereference and crash, leading to a
possible Denial Of Service
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26690
Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2021-26690
https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
CVE-2021-26691:
In Apache HTTP Server versions 2.4.0 to 2.4.46 a
specially crafted SessionHeader sent by an origin server
could cause a heap overflow
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26691
Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966732
https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
CVE-2021-30641:
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected
matching behavior with 'MergeSlashes OFF'
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30641
Upstream patches:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
Signed-off-by: Li Wang <li.wang@windriver.com >
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
(cherry picked from commit 70b1aa0a4cakuster808@gmail.com >
2021-07-10 21:15:33 -07:00
d9c8c33db8
nginx: fix CVE-2021-23017
...
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
(cherry picked from commit 8238504903akuster808@gmail.com >
2021-07-10 21:14:18 -07:00
7bd47ef6c9
dovecot: add CVE-2016-4983 to allowlist
...
CVE-2016-4983 affects only postinstall script on specific distribution, so add it to allowlist.
Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3613b50a84akuster808@gmail.com >
(cherry picked from commit d1fb027f89akuster808@gmail.com >
2021-07-06 07:50:13 -07:00
50ffe3b559
cyrus-sasl: add CVE-2020-8032 to allowlist
...
This affects only openSUSE, so add it to allowlist.
Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 711e932b14akuster808@gmail.com >
(cherry picked from commit 2681937544akuster808@gmail.com >
2021-07-05 15:27:25 -07:00
bbd2addbcf
add CVE-2011-2411 to allowlist
...
This affects only on HP NonStop Server, so add it to allowlist.
Signed-off-by: Sekine Shigeki <sekine.shigeki@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit bb4a4f0ff8akuster808@gmail.com >
(cherry picked from commit d614d160a1akuster808@gmail.com >
2021-07-05 15:26:43 -07:00
cca0a50ab0
python3-django: upgrade 2.2.23 -> 2.2.24
...
Version 2.2.24 contains a fix for CVE-2021-33571 and is the latest LTS
release.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit fa2d3338fbakuster808@gmail.com >
(cherry picked from commit c51e79dd85akuster808@gmail.com >
2021-07-05 15:25:06 -07:00
91fe0bd098
python3-django: upgrade 2.2.22 -> 2.2.23
...
2.2.23 is a bugfix release:
- Fixed a regression in Django 2.2.21 where saving FileField would raise a
SuspiciousFileOperation even when a custom upload_to returns a valid
file path (#32718 ).
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
(cherry picked from commit f07a8c1376akuster808@gmail.com >
(cherry picked from commit b2716ef06aakuster808@gmail.com >
2021-07-05 14:54:58 -07:00
732b073b99
python3-django: upgrade 2.2.20 -> 2.2.22
...
Version 2.2.22 includes a fix for CVE-2021-32052.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
(cherry picked from commit b26099fc15akuster808@gmail.com >
(cherry picked from commit f3758cb444akuster808@gmail.com >
2021-07-05 14:54:49 -07:00
958d8a5286
python3-django: upgrade to 2.2.20
...
2.2.x is LTS, so upgrade to latest release 2.2.20.
This upgrade fixes several CVEs such as CVE-2021-3281.
Also, CVE-2021-28658.patch is dropped as it's already in 2.2.20.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
(cherry picked from commit e705d4932aakuster808@gmail.com >
2021-07-05 14:54:40 -07:00
f01a9056a9
python3-django: fix CVE-2021-28658
...
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with
suitably crafted file names. Built-in upload handlers were not affected
by this vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-28658
Upstream patches:
https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
(cherry picked from commit aef354a0c2akuster808@gmail.com >
2021-07-05 14:54:38 -07:00
f1d5b6260f
python3-django: upgrade 2.2.13 -> 2.2.16
...
Summary of release notes from https://docs.djangoproject.com/en/2.2/releases/
2.2.14 release notes:
- Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings
raised by cache key validation (#31654 ).
2.2.15 release notes:
- Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie()
(#31790 ).
- Fixed crash when sending emails to addresses with display names longer than
75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (#31784 ).
2.2.16 release notes:
- Fixed CVE-2020-24583: Incorrect permissions on intermediate-level directories
on Python 3.7+
- Fixed CVE-2020-24584: Permission escalation in intermediate-level directories
of the file system cache on Python 3.7+
- Fixed a data loss possibility in the select_for_update(). When using related
fields pointing to a proxy model in the of argument, the corresponding model
was not locked (#31866 ).
- Fixed a data loss possibility, following a regression in Django 2.0, when
copying model instances with a cached fields value (#31863 ).
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit eb69aad33fakuster808@gmail.com >
2021-07-05 14:53:48 -07:00
7ee3eeffed
python3-django: upgrade 2.2.7 -> 2.2.13
...
Upgrade from 2.2.7 for:
- Bugfixes, including CVE-2020-13254, CVE-2020-13596, many
others;
- Official support for Python 3.8 (as of Django 2.2.8)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8c4e201c62akuster808@gmail.com >
2021-07-05 14:53:33 -07:00
54207c3575
nss: Fix build on Centos 7
...
Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
putenv(): _XOPEN_SOURCE
|| /* Glibc since 2.19: */ _DEFAULT_SOURCE
|| /* Glibc versions <= 2.19: */ _SVID_SOURCE
and because nss coreconf/Linux.mk only defines
-D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE
So on such system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.
Signed-off-by: Marek Vasut <marex@denx.de >
Cc: Armin Kuster <akuster808@gmail.com >
Cc: Armin Kuster <akuster@mvista.com >
Cc: Khem Raj <raj.khem@gmail.com >
Cc: Richard Purdie <richard.purdie@linuxfoundation.org >
Cc: Ross Burton <ross.burton@arm.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-06-06 20:42:32 -07:00
c38d2a74f7
dnsmasq: Add fixes for CVEs reported for dnsmasq
...
Applied single patch for below listed CVEs:
CVE-2020-25681
CVE-2020-25682
CVE-2020-25683
CVE-2020-25687
as they are fixed by single commit
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
Link: https://www.openwall.com/lists/oss-security/2021/01/19/1
Also, applied patch for below listed CVEs:
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686
all CVEs applicable to v2.81
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com >
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com >
[Refreshed patches]
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-29 11:41:45 -07:00
587fe58949
ebtables: use bitbake optimization levels
...
Don't overwrite with O3 optimization. Reduces ebtables
binary package size from 416241 to 412145 bytes, and
enables further optimizations with e.g. -Os flags
via bitbake distro wide settings.
Only ebtables versions up to 2.0.10-4 and dunfell are affected.
The version 2.0.11 from hardknott and master branch use system
wide flags already.
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-29 11:02:09 -07:00
943f5560aa
opencv: Add fix for CVE-2019-5063 and CVE-2019-5064
...
Added fix for below CVE's
CVE-2019-5063
CVE-2019-5064
Link: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-25 04:50:10 -07:00
f56fb13a2c
hostapd: fix building with CONFIG_TLS=internal
...
The patch recently added for CVE-2021-30004 broke compilation with
CONFIG_TLS=internal. This adds the necessary function to let it
compile again.
Signed-off-by: Alexander Vickberg <wickbergster@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d6ef417074akuster808@gmail.com >
2021-05-22 16:18:11 -07:00
9d50b9f995
libsdl: Fix CVE-2019-13616
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read
in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/97fefd050976bbbfca9608499f6a7d9fb86e70db ]
CVE: CVE-2019-13616
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-22 16:14:30 -07:00
a3a0e02319
exiv2: Fix CVE-2021-29473
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1587/commits/e6a0982f7cd9282052b6e3485a458d60629ffa0b ]
CVE: CVE-2021-29473
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a9aecd2c32akuster808@gmail.com >
2021-05-22 16:13:38 -07:00
8ac1650275
exiv2: Fix CVE-2021-29470
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1581/commits/6628a69c036df2aa036290e6cd71767c159c79ed ]
CVE: CVE-2021-29470
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit bb1400efdaakuster808@gmail.com >
2021-05-22 16:13:38 -07:00
29953069d9
exiv2: Fix CVE-2021-29464
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54 ]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8c9470bdfaakuster808@gmail.com >
2021-05-22 16:13:38 -07:00
be0cc5e79b
exiv2: Fix CVE-2021-3482
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp
can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da ]
CVE: CVE-2021-3482
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9e7c2c9713akuster808@gmail.com >
2021-05-22 16:13:38 -07:00
f38ed30c08
exiv2: Fix CVE-2021-29463
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b ]
CVE: CVE-2021-29463
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8e63ac6c86akuster808@gmail.com >
2021-05-22 16:13:38 -07:00
6990c93dbd
exiv2: Fix CVE-2021-29458
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1536/commits/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d ]
CVE: CVE-2021-29458
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f0d83c14d9akuster808@gmail.com >
2021-05-22 16:13:38 -07:00
eee3b137a0
exiv2: Fix CVE-2021-29457
...
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22 ]
CVE: CVE-2021-29457
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5be7269309akuster808@gmail.com >
2021-05-22 16:13:27 -07:00
11eae11452
linuxptp: Fix cross build
...
Adjust incdefs.sh to use cross tools to poke for system functionality
Re-enable using incdefs.sh
export KBUILD_OUTPUT to point to recipe sysroot
(From meta-oe rev: b6022761d6raj.khem@gmail.com >
Signed-off-by: Denys Dmytriyenko <denis@denix.org >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
f81318a4f8
fuse: Whitelisted CVE-2019-14860
...
CVE-2019-14860 is a REDHAT specific issue and
was addressed for REDHAT Fuse products on
Red Hat Fuse 7.4.1 and Red Hat Fuse 7.5.0.
REDHAT has also released the fix and updated their
security advisories after significant releases.
Hence, whitelisted the CVE-2019-14860.
Link: https://access.redhat.com/security/cve/cve-2019-14860
Link: https://access.redhat.com/errata/RHSA-2019:3244
Link: https://access.redhat.com/errata/RHSA-2019:3892
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
d460525cd5
nodejs: 12.20.2 -> 12.21.0
...
Fixes :
- CVE-2021-22883
- CVE-2021-22884
- CVE-2021-23840
Signed-off-by: Clément Péron <peron.clem@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 02feb1d932akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
1ea5c51d98
nodejs: 12.20.1 -> 12.20.2
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 6322c63987akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
0026462c0c
packagegroup-meta-webserver: remove nostromo from pkg grp
...
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
bbf344afaf
nostromo: Blacklist and exclude from world builds
...
Host site is dead.
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-14 10:03:51 -07:00
2915810edb
ostree: switch from default master branch to main to fix do_fetch failure
...
* branch was renamed in upstream repo
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-05-13 21:52:34 -07:00
c1a5068322
libupnp: Fix CVE-2020-13848
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2020-13848
Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 ]
CVE: CVE-2020-13848
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-04-23 19:13:09 -07:00
Gianfranco
Khem Raj
Bruce Ashfield
Hongxu Jia
Armin kuster
Masaki Ambai
Adrian Zaharia
Li Wang
Changqing Li
Armin Kuster
ito-yuichi@fujitsu.com
Sekine Shigeki
Trevor Gamblin
Chen Qi
Stefan Ghinea
Marek Vasut
Sana Kazi
Mikko Rapeli
akash.hadke
Alexander Vickberg
wangmy
Saloni Jain
Clément Péron
Sean Nyekjaer
Martin Jansa
Andrej Kozemcak