Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243
The issue is about file permissions: by default rsyslog creates world-readable
files. In case a log message contains some sensitive information, then that's
exposed to every user on the system.
However, the rsyslog.conf file that is shipped with the recipe solves it: it
already sets non-world-readable default permissions on all files, so this
vulnerability is fixed in the default OE recipe.
See also this package in OpenSuse[1], where it is solved the same way.
[1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 38ea8a4617)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
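An added check for the permission point made in this commit message (example code, not part of the commit or of rsyslog): it parses a configuration for the legacy `$FileCreateMode` directive and the RainerScript `fileCreateMode="..."` parameter and reports any mode that grants read access to "other". It assumes rsyslog's documented built-in default of 0644 when no directive is set; the sample configurations are constructed.

```python
"""Check whether an rsyslog configuration leaves log files world-readable.

Added example (not the commit's or the rsyslog project's code): parses the
legacy ``$FileCreateMode`` directive and the RainerScript ``fileCreateMode``
parameter and reports any mode with read permission for "other". Assumes
rsyslog's documented default of 0644 when nothing overrides it. The sample
configurations below are constructed for this example.
"""
import re

RSYSLOG_DEFAULT_MODE = 0o644  # rsyslog's default if no directive is set

# legacy:  $FileCreateMode 0640      RainerScript: fileCreateMode="0640"
_LEGACY = re.compile(r'^\s*\$FileCreateMode\s+(0?[0-7]{3,4})', re.I | re.M)
_RAINER = re.compile(r'fileCreateMode\s*=\s*"(0?[0-7]{3,4})"', re.I)


def strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out directives are not picked up."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def file_create_modes(conf: str) -> list:
    """Return every create mode set in the config, parsed as octal ints."""
    text = strip_comments(conf)
    found = _LEGACY.findall(text) + _RAINER.findall(text)
    return [int(m, 8) for m in found]


def world_readable_modes(conf: str) -> list:
    """Modes that would expose log content to every local user.

    With no directive at all the 0644 default applies, so an empty config
    counts as world-readable (the CVE-2015-3243 situation).
    """
    modes = file_create_modes(conf) or [RSYSLOG_DEFAULT_MODE]
    return [m for m in modes if m & 0o004]


# Constructed sample configurations for this example.
BAD_CONF = 'module(load="imuxsock")\n*.* /var/log/messages\n'
GOOD_CONF = (
    "$FileCreateMode 0640\n"
    "# $FileCreateMode 0644   <- commented out, must be ignored\n"
    'action(type="omfile" file="/var/log/app.log" fileCreateMode="0600")\n'
)

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, [oct(m) for m in world_readable_modes(conf)])
```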
CVE-2006-3376 is already patched, but the patch is missing
the required CVE tag, so the cve-checker misses it.
This patch adds the tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
CVE-2009-1364 is already patched, but the patch didn't contain
the necessary tag so the cve-checker didn't pick it up.
This change adds the required tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The expected error message has changed between versions - update the test
in the patch accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The previous repository was moved to freedesktop's gitlab instance,
and was causing fetching failures.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The commit from the recipe got detached from the master branch - use nobranch to
avoid fetching failure.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fcd57a086d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The old repository was moved to a new freedesktop gitlab instance.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0e79b3a907)
Removed "tag" tag from SRC_URI for Kirkstone
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Since this file is downloaded and upstream does not version it on changes
we have to ensure that we store the versions in DL_DIR and also ensure they
do not step on each other
Fixes
stdio: WARNING: unicode-ucd-14.0.0-r0 do_fetch: Checksum mismatch for local file /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt
stdio: WARNING: unicode-ucd-14.0.0-r0 do_fetch: Renaming /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt to /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt_bad-checksum_f7830d126f59d83842565d3dddedc79db4ca978ed52aee0ebcc040ea76a85519
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 830535e5b6)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This is downloaded and does not have a version, so we have to
update it whenever upstream updates it. The copyright year
is changed this time.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6121f2907a)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Switch to https protocol to avoid fetching failures (anonymous fetching
with git protocol is not available anymore on this server).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The original xz-compressed tarball isn't available at the download
location anymore - switch to the gz tarball which is still there.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The previously used repo was moved to freedesktop's gitlab instance.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 955c5ab47a)
mongodb is in the dynamic-layers section of meta-oe, and not available
by default - which makes the layer not YP compatible.
To avoid this breakage, remove mongodb from RDEPENDS.
To run ptests fully, this is still required to be present however
(bbappend, or local.conf...).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Security-sensitive parts of the Python HTTP parser retained minor differences in
allowable character sets, that must trigger error handling to robustly match frame
boundaries of proxies in order to protect against injection of additional requests.
Additionally, validation could trigger exceptions that were not handled consistently
with processing of other malformed input. Being more lenient than internet standards
require could, depending on deployment environment, assist in request smuggling. The
unhandled exception could cause excessive resource consumption on the application
server and/or its logging facilities. This vulnerability exists due to an incomplete
fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-23829
https://security-tracker.debian.org/tracker/CVE-2024-23829
Upstream patch:
https://github.com/aio-libs/aiohttp/commit/d33bc21414e283c9e6fe7f6caf69e2ed60d66c82
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Add ptest support for inotify-tools by introducing a run-ptest script.
The ptest verifies the correct functioning of inotify event handling
and related utilities.
Test coverage includes:
- File creation, modification, and deletion event monitoring
- Event handling and command-line option parsing
- Basic consistency and behavior of inotify event queues
The ptest completes in under 20 seconds.
Output:
root@qemux86-64:~# ptest-runner inotify-tools
START: ptest-runner
BEGIN: /usr/lib/inotify-tools/ptest
If you want to do a malloc trace, set MALLOC_TRACE to a path for logging.
event_to_str: test begin
event_to_str: test end
event_to_str_sep: test begin
event_to_str_sep: test end
str_to_event: test begin
str_to_event: test end
str_to_event_sep: test begin
str_to_event_sep: test end
basic_watch_info: test begin
basic_watch_info: test end
watch_limit: test begin
watch_limit: Warning, this test may take a while
watch_limit: test end
tst_inotifytools_snprintf: test begin
tst_inotifytools_snprintf: test end
Out of 362746 tests, 362746 succeeded and 0 failed.
All tests passed successfully.
DURATION: 16
END: /usr/lib/inotify-tools/ptest
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Verified that enabling ptest does not modify existing package contents
for inotify-tools
Signed-off-by: Nikhil R <nikhil.r@bmwtechworks.in>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Pick patches according to oe-core patch for this CVE in wpa-supplicant.
Leave out commit which patched only files not present in hostapd.
Note that Debian just picked the last commit (actually fixing the CVE)
and removed not-applicable parts, but it is probably better to be
consistent with oe-core status.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Pick patches as listed in NVD CVE report.
Note that Debian lists one of the patches as introducing the
vulnerability. This is against what the original report [1] says.
Also the commit messages provide hints that the first patch fixes this
issue and second is fixing problem with the first patch.
[1] https://jvn.jp/en/jp/JVN19358384/
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>