According to [1] the ESI feature implementation in squid is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).
Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.
We should not break features in LTS branch and cannot fix this problem.
So ignrore this CVE based on set PACKAGECONFIG which should remove it
from reports for most users. Thos who need ESI need to assess the risk
themselves.
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Branches used in langdale, mickledore, nanbield were re-written in upstream :(, fixes were sent to meta-oe:
langdale: https://lists.openembedded.org/g/openembedded-devel/message/107533
mickledore: https://lists.openembedded.org/g/openembedded-devel/message/107531
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=mickledore&id=b0d67900ae9e8911f734c25c0674fe55df8cd188
nanbield: https://lists.openembedded.org/g/openembedded-devel/message/107532
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=nanbield&id=2da6e1b0e43a8993fd422fee3f83940100b59f4c
fix for langdale wasn't ever fixed because it was sent after langdale
was already EOL, but looks like the version used in kirkstone got
broken recently as well, because master branch was removed:
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/master
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/upgrade-ci-actions-to-v3
poco/1.11.2-r0/git $ git remote prune origin
Pruning origin
URL: https://github.com/pocoproject/poco.git
...
* [pruned] origin/android-ndk-action
* [pruned] origin/develop
* [pruned] origin/feat/wepoll
* [pruned] origin/fix/PollSet-race
* [pruned] origin/fix/swap-noexcept
* [pruned] origin/master
* [pruned] origin/poco-1.10.2
* [pruned] origin/poco-1.9.5
refs/remotes/origin/HEAD has become dangling!
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/discourage-using-configure-and-make
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/feat/json-logging
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/main
remotes/origin/master-pre-1.13.0
remotes/origin/master-unused
remotes/origin/openssl_fix
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.13.0
remotes/origin/poco-1.13.1
remotes/origin/poco-1.13.2
remotes/origin/poco-1.13.3
remotes/origin/poco-1.13.4
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/release-1.14-changelog-authors
remotes/origin/search-support
remotes/origin/upgrade-ci-actions-to-v3
switch to main branch which is the most common and the least surprising.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* it was updated in nanbield with upgrade to 3.0.5 in:
fc0a506bde libjs-jquery-cookie: upgrade 3.0.1 -> 3.0.5
* drop duplicated protocol param as in mickledore:
2e0a581bee recipes: Remove double protocol= from SRC_URIs
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
pipes is an alias for shlex therefore switch to using shlex
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The branch names of several upstream repos have been changed, thus we
update the recipe to avoid fetching failure.
Signed-off-by: Ramax Lo <ramaxlo@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update SRC_URI, change the protocol to https.
do_fetch warning:
WARNING: wireguard-tools-1.0.20210914-r0 do_fetch: Failed to fetch URL
git://git.zx2c4.com/wireguard-tools;branch=master, attempting MIRRORS if
available
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
============
* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755)
* Remove non-functional list handling of compiler flags
* Fix heap buffer overflow
* remove misused optimization flag -01
* Set free'd pointers to NULL whenever they are not reassigned immediately after
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: 535822eff7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Location of the file that systemd uses to check whether to
start adbd or not has been updated from /var to /etc in
android-tools-adbd.service. This change changes the path
of creation of usb-debugging-enabled flag file in
android-tools recipes from /var/usb-debugging-enabled to
/etc/usb-debugging-enabled
Backport-of: 2a3d4be999 ("android-tools: create flag flag file for adbd at a proper location")
Fixes: a29c6386d5 ("android-toold-adbd: Fix inconsistency between selinux configurations")
Fixes: 8106cfe769 ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Raghuvarya S <quic_raghuvar@quicinc.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To ensure android-tools-adbd.service starts at boot, the path
for ConditionPathExists must be present at build time. /etc is
more suitable for build-time files than /var, which is for
runtime files. Changed ConditionPathExists from
/var/usb-debugging-enabled to /etc/usb-debugging-enabled
Backport-of: 8106cfe769 ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
CC: Khem Raj <raj.khem@gmail.com>
CC: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Raghuvarya S <quic_raghuvar@quicinc.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Change the reference to the Apache-2.0 license containing LICENSE file
in the downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The repositorys LICENSE file contains BSD-3-Clause license text, so
update the relevant recipe information field to match.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The expiration date of the "NameConstraints.*.cert" test certificate in
the nss package is Sep 4 2023 and causing a test failure.
This commit regenerate NameConstraints test certificates and changes the
validity period of test certs generated by `make-nc` from ~10 years to
~20 years.
regenerate_NameConstrain_test_certificates.tar.gz is a snapshot of certs
files based on the commit which update them. It fails to apply binary
commit, so create a tarball as part of SRC_URI rather than a .patch
file.
Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/rev/1d565dc7e17dad6d2851b2d6ff522c5d6345ae26]
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2848cc99a1 ("php-fpm: Add support for systemd") introduced a systemd
service file, where ExecStart and ExecStop uses /etc/init.d/php-fpm,
which does not exist if systemd is enabled. Consequently, the php-fpm
service fails to start even though it is correctly installed. This is
fixed by this commit in which the service file is identical to the one
from the PHP source code except for the use of BitBake variables. Also,
use ${systemd_system_unitdir} instead of ${systemd_unitdir}/system.
Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Peter Marko
Yi Zhao
Mingli Yu
Rohini Sangam
Jiaying Song
Martin Jansa
Khem Raj
Ramax Lo
Haixiao Yan
Liyin Zhang
Guocai He
Dmitry Baryshkov
Raghuvarya S
Vijay Anusuri
Divya Chellam
Peter Kjellerstedt
Niko Mauno
Soumya Sambu
Ashish Sharma
Hitendra Prajapati
Wentao Zhang
Emil Kronborg