getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Because they get renamed, it is better to ignore them and let a
dependency build them
Fixes errors like
ERROR: packagegroup-meta-multimedia-1.0-r0 do_package_write_ipk: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (gssdp to libgssdp-1.2-0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit eafecde2ae)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a Web Server Gateway Interface web application library. Applications
using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug
prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications)
are vulnerable to a relatively simple but effective resource exhaustion (denial of
service) attack. A specifically crafted form submission request can cause the parser
to allocate and block 3 to 8 times the upload size in main memory. There is no upper
limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
Werkzeug version 3.0.6 fixes this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49767
Upstream-patch:
https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt
First patch is style commit picked to have a clean cherry-pick of all
mentioned commits without any conflict.
Patch CVE-2024-3596_03.patch was removed as it only patched
wpa_supplicant. The patch names were not changed so it is comparable
with wpa_supplicant recipe.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Changelog:
libgsf 1.14.53
* Compilation fixes for libxml 2.13
* Fix ABR in gsf-vba-dump.
* Teach gsf (the tool) to handle odf properties.
* Fix integer overflows affecting memory allocation.
* Add missing "DocumentStatus" ole2 property.
* Avoid some undefined C behaviour in overflow checks.
libgsf 1.14.51
* Fix thumbnailer crash.
* Fix leaks.
libgsf 1.14.50
* Fix error handling problem when writing ole files.
License changed to LGPL-2.1-only from 1.14.51
[https://gitlab.gnome.org/GNOME/libgsf/-/commit/037c913eb631349c410ef45e49697bf5c46dac8a]
remove obsolete DEPENDS from upstream [103f49b5fc]
Security fixes:
CVE-2024-42415
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of v1.14.52 of the GNOME Project G Structured File
Library (libgsf). A specially crafted file can result in an integer
overflow that allows for a heap-based buffer overflow when processing
the sector allocation table. This can lead to arbitrary code execution.
An attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-36474
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of the GNOME Project G Structured File Library
(libgsf) version v1.14.52. A specially crafted file can result in an
integer overflow when processing the directory from the file that allows
for an out-of-bounds index to be used when reading and writing to an
array. This can lead to arbitrary code execution. An attacker can
provide a malicious file to trigger this vulnerability.
Reference:
[https://gitlab.gnome.org/GNOME/libgsf/-/issues/34]
(master rev: 6ed5891c18)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-49081:
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Improper validation made it possible for an attacker to modify
the HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the request.
This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49081
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
CVE-2024-30251:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes it, the server
will enter an infinite loop and be unable to process any further requests. An
attacker can stop the application from serving requests after sending a single
request. This issue has been addressed in version 3.9.4. Users are advised to
upgrade. Users unable to upgrade may manually apply a patch to their systems.
Please see the linked GHSA for instructions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-30251
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
CVE-2024-52304:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Prior to version 3.10.11, the Python parser parses newlines in chunk extensions
incorrectly which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may
be able to execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.10.11 fixes the issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-52304
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
CVE-2023-49082:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Improper validation makes it possible for an attacker to modify the HTTP
request (e.g. insert a new header) or even create a new HTTP request if the
attacker controls the HTTP method. The vulnerability occurs only if the
attacker can control the HTTP method (GET, POST etc.) of the request. If the
attacker can control the HTTP version of the request it will be able to modify
the request (request smuggling). This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
Upstream patches:
https://github.com/aio-libs/aiohttp/pull/7806/commits/a43bc1779892e7014b7723c59d08fb37a000955e
CVE-2024-27306:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
A XSS vulnerability exists on index pages for static file handling. This
vulnerability is fixed in 3.9.4. We have always recommended using a reverse
proxy server (e.g. nginx) for serving static files. Users following the
recommendation are unaffected. Other users can disable `show_index` if unable
to upgrade.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27306
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport patch with tweaks for the current version to fix
CVE-2024-7254.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-52160:
The implementation of PEAP in wpa_supplicant through 2.10 allows
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-52160
Patch from:
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to [1] the ESI feature implementation in squid is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).
Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.
We should not break features in LTS branch and cannot fix this problem.
So ignrore this CVE based on set PACKAGECONFIG which should remove it
from reports for most users. Thos who need ESI need to assess the risk
themselves.
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Branches used in langdale, mickledore, nanbield were re-written in upstream :(, fixes were sent to meta-oe:
langdale: https://lists.openembedded.org/g/openembedded-devel/message/107533
mickledore: https://lists.openembedded.org/g/openembedded-devel/message/107531
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=mickledore&id=b0d67900ae9e8911f734c25c0674fe55df8cd188
nanbield: https://lists.openembedded.org/g/openembedded-devel/message/107532
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=nanbield&id=2da6e1b0e43a8993fd422fee3f83940100b59f4c
fix for langdale wasn't ever fixed because it was sent after langdale
was already EOL, but looks like the version used in kirkstone got
broken recently as well, because master branch was removed:
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/master
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/upgrade-ci-actions-to-v3
poco/1.11.2-r0/git $ git remote prune origin
Pruning origin
URL: https://github.com/pocoproject/poco.git
...
* [pruned] origin/android-ndk-action
* [pruned] origin/develop
* [pruned] origin/feat/wepoll
* [pruned] origin/fix/PollSet-race
* [pruned] origin/fix/swap-noexcept
* [pruned] origin/master
* [pruned] origin/poco-1.10.2
* [pruned] origin/poco-1.9.5
refs/remotes/origin/HEAD has become dangling!
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/discourage-using-configure-and-make
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/feat/json-logging
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/main
remotes/origin/master-pre-1.13.0
remotes/origin/master-unused
remotes/origin/openssl_fix
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.13.0
remotes/origin/poco-1.13.1
remotes/origin/poco-1.13.2
remotes/origin/poco-1.13.3
remotes/origin/poco-1.13.4
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/release-1.14-changelog-authors
remotes/origin/search-support
remotes/origin/upgrade-ci-actions-to-v3
switch to main branch which is the most common and the least surprising.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* it was updated in nanbield with upgrade to 3.0.5 in:
fc0a506bde libjs-jquery-cookie: upgrade 3.0.1 -> 3.0.5
* drop duplicated protocol param as in mickledore:
2e0a581bee recipes: Remove double protocol= from SRC_URIs
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
pipes is an alias for shlex therefore switch to using shlex
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The branch names of several upstream repos have been changed, thus we
update the recipe to avoid fetching failure.
Signed-off-by: Ramax Lo <ramaxlo@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update SRC_URI, change the protocol to https.
do_fetch warning:
WARNING: wireguard-tools-1.0.20210914-r0 do_fetch: Failed to fetch URL
git://git.zx2c4.com/wireguard-tools;branch=master, attempting MIRRORS if
available
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
============
* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755)
* Remove non-functional list handling of compiler flags
* Fix heap buffer overflow
* remove misused optimization flag -01
* Set free'd pointers to NULL whenever they are not reassigned immediately after
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: 535822eff7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Location of the file that systemd uses to check whether to
start adbd or not has been updated from /var to /etc in
android-tools-adbd.service. This change changes the path
of creation of usb-debugging-enabled flag file in
android-tools recipes from /var/usb-debugging-enabled to
/etc/usb-debugging-enabled
Backport-of: 2a3d4be999 ("android-tools: create flag flag file for adbd at a proper location")
Fixes: a29c6386d5 ("android-toold-adbd: Fix inconsistency between selinux configurations")
Fixes: 8106cfe769 ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Raghuvarya S <quic_raghuvar@quicinc.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yogita Urade
Zhang Peng
Wang Mingyu
akash hadke
Khem Raj
Colin McAllister
Soumya Sambu
Mingli Yu
Vijay Anusuri
Fabrice Aeschbacher
Peter Marko
Jiaying Song
Chen Qi
hongxu
Yi Zhao
Haixiao Yan
Archana Polampalli
Yi Zhao
Rohini Sangam
Martin Jansa
Ramax Lo
Liyin Zhang
Guocai He
Dmitry Baryshkov
