aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* binutils: Fix 4 CVEsDan Tran2019-09-245-0/+342
| | | | | | | | | Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and CVE-2018-1000876 for binutils 2.31.1. Signed-off-by: Dan Tran <dantran@microsoft.com> [fixed up .inc for thud-next context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dhcp: Replace OE specific patch for compatibility with latest bind with ↵Adrian Bunk2019-09-243-2883/+80
| | | | | | | | | | upstream patch This also fixes a dhcp breakage noticed by Enrico Scholz. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dhcp: drop lost patchRuslan Bilovol2019-09-241-117/+0
| | | | | | | | | | | | Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped 0008-tweak-to-support-external-bind.patch from recipe, but left the patch itself in source tree. Remove this patch since nobody uses it. Cc: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dhcp: fix issue with new bind changesArmin Kuster2019-09-082-0/+2883
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go: update to 1.11.13, minor updatesArmin Kuster2019-09-051-3/+3
| | | | | | | | | | | | | | | | | | | | | Source: golang.org MR: 99376 Type: Security Fix Disposition: Backport from golang.org ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06 Description: https://golang.org/doc/devel/release.html go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details. go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details. go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details. Includes CVE: CVE-2019-14809 Signed-off-by: Armin Kuster <akuster@mvista.com>
* bind: upgrade 9.11.5 -> 9.11.5-P4Adrian Bunk2019-09-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | Source: OE.org MR: 99751, 99752, 99753 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4 ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01 Description: Bugfix-only compared to 9.11.5, mostly CVE fixes. COPYRIGHT checksum changed due to 2018 -> 2019. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Included cves: CVE-2018-5744 CVE-2018-5745 CVE-2019-6465 ] Signed-off-by: Armin Kuster <akuster@mvista.com>
* bind: update to latest LTS 9.11.5Armin Kuster2019-09-042-75/+3
| | | | | | | | | | | | | | | | | | | | | | | Source: bind.org MR: 99750 Type: Security Fix Disposition: Backport from bind.org ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224 Description: includes: CVE-2018-5738 drop patch for CVE-2018-5740 now included in update see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html Add RECIPE_NO_UPDATE_REASON for lts Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Also includes CVE-2018-5740] Signed-off-by: Armin Kuster <akuster@mvista.com>
* binutils: Security fix for CVE-2019-12972Armin Kuster2019-09-042-0/+40
| | | | | | | | | | | | | | | | Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 Signed-off-by: Armin Kuster <akuster@mvista.com> [v2] forgot to refresh inc file before sending
* binutils: Security fix for CVE-2019-14444Armin Kuster2019-09-042-0/+34
| | | | | | | | | | | | | | | Source: git://sourceware.org / binutils-gdb.git MR: 99255 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72 Description: Affects: <= 2.32.0 Fixes CVE-2019-14444 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* gcc: Security fix for CVE-2019-14250Armin Kuster2019-09-042-0/+45
| | | | | | | | | | | | | | Source: gcc.org MR: 99120 Type: Security Fix Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb Description: Affects < 9.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* qemu: add a patch fixing the native build on newer kernelsBartosz Golaszewski2019-08-163-10/+346
| | | | | | | | | | | The build fails on qemu-native if we're using kernels after commit 0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream patch that fixes the issue. Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Refactoried for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libcomps: fix CVE-2019-3817Andrii Bordunov via Openembedded-core2019-08-152-0/+98
| | | | | Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* glib-2.0: fix CVE-2019-13012Andrii Bordunov via Openembedded-core2019-08-152-0/+48
| | | | | Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dbus: fix CVE-2019-12749Andrii Bordunov via Openembedded-core2019-08-152-0/+128
| | | | | Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823Andrii Bordunov via Openembedded-core2019-08-154-0/+155
| | | | | Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: fix CVE-2019-9740Anuj Mittal2019-08-152-0/+156
| | | | | | | | | CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See: https://bugs.python.org/issue30458 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* patch: fix CVE-2019-13636Anuj Mittal2019-08-152-0/+114
| | | | | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* buildhistory: call a dependency parser only on actual dependency listsAlexander Kanavin2019-08-151-1/+1
| | | | | | | | | Previously it was also called on filelists and possibly other items which broke the parser. Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* build-appliance-image: Update to thud head revisionRichard Purdie2019-08-011-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* expat: fix CVE-2018-20843Anuj Mittal2019-07-292-0/+27
| | | | | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libcroco: fix CVE-2017-7961Ross Burton2019-07-292-1/+48
| | | | | | | (From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Fix 3 CVEsOvidiu Panait2019-07-297-0/+702
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. References: https://nvd.nist.gov/vuln/detail/CVE-2019-6116 https://www.openwall.com/lists/oss-security/2019/01/23/5 https://nvd.nist.gov/vuln/detail/CVE-2019-3835 https://nvd.nist.gov/vuln/detail/CVE-2019-3838 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Fix for CVE-2019-6116 is already in thud, so that has been removed] Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bzip2: fix CVE-2019-12900Anuj Mittal2019-07-293-0/+117
| | | | | | | | | Also include a patch to fix regression caused by it. See: https://gitlab.com/federicomenaquintero/bzip2/issues/24 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: integrate security fixesRoss Burton2019-07-297-0/+337
| | | | | | | | | | | | | | | Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 (From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-base: fix CVE-2019-9928Anuj Mittal2019-07-292-0/+34
| | | | | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsdl: CVE fixesAnuj Mittal2019-07-2910-0/+832
| | | | | | | | | Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637, CVE-2019-7638. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONSAlejandro del Castillo2019-07-272-41/+2
| | | | | | | | | | | | | | | | Currently, BAD_RECOMMENDATIONS on the opkg backed relies on editing the opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to deinstalled and pinned). This is brittle, and not consistent across the different solver backends. Use new --add-ignore-recommends flag instead. (From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc) (From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* opkg: add --ignore-recommends flagAlejandro del Castillo2019-07-272-0/+261
| | | | | | | | | | | | | | | To be used for BAD_RECOMMENDATIONS feature. (From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de) (From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Backport from opkg_0.4.0.bb] Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* scripts: Remove deprecated imp module usageRichard Purdie2019-07-272-11/+8
| | | | | | | The imp module is deprecated, port the code over to use importlib as recently done for bb.utils as well. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* uboot-sign.bbclass: Remove tab indentations in python codeRobert Yang2019-07-041-10/+10
| | | | | | | | Use 4 spaces to replace a tab. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* glib: Security fix for CVE-2019-9633Armin Kuster2019-07-043-0/+549
| | | | | | | | | | | | | | | Source: gnome.org MR: 98802 Type: Security Fix Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318 Description: includes supporting patch. Fixes CVE-2019-9633 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* qemu: Security fixes CVE-2018-20815 CVE-2019-9824Armin Kuster2019-07-044-0/+144
| | | | | | | | | | | | | | Source: qemu.org MR: 98623 Type: Security Fix Disposition: Backport from qemu.org ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37 Description: Fixes both CVE-2018-20815 and CVE-2019-9824 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* glibc: backport CVE fixesRoss Burton2019-07-043-0/+282
| | | | | | | | | | Backport the fixes for several CVEs from the 2.28 stable branch: - CVE-2016-10739 - CVE-2018-19591 Signed-off-by: Ross Burton <ross.burton@intel.com> [Dropped CVE-2019-9169 as its in my contrib already] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lighttpd: fix CVE-2019-11072Ross Burton2019-07-012-0/+52
| | | | | Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* uninative: Update to 2.6 releaseRichard Purdie2019-06-251-4/+4
| | | | | | | | | | | | The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes compatibility with recent fedora/suse releases. The difference is one is built with obsolete APIs enabled and one disabled. We now ship both in uninative for compatibility regardless of which distro a binary is built on. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* uninative: Switch from bz2 to xzRichard Purdie2019-06-251-2/+2
| | | | | | | (From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* yocto-uninative: Update to 2.5 releaseRichard Purdie2019-06-251-4/+4
| | | | | | | | | This includes libstdc++ changes from gcc 9.X. It also switches uninative from bz2 to xz compression. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* qemu: Security fix for CVE-2019-12155Armin Kuster2019-06-252-0/+39
| | | | | | | | | | | | | Source: qemu.org MR: 98382 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3 Description: Fixes CVE-2019-12155 Affects: <= 4.0.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* Curl: Securiyt fix CVE-2019-5435 CVE-2019-5436Armin Kuster2019-06-253-0/+234
| | | | | | | | | | | | | Source: CUrl.org MR: 98455 Type: Security Fix Disposition: Backport from https://curl.haxx.se/ ChangeID: 86b094a440ea473b114764e8d64df8142d561609 Description: Fixes CVE-2019-5435 CVE-2019-5436 Signed-off-by: Armin Kuster <akuster@mvista.com>
* wget: Security fix for CVE-2019-5953Armin Kuster2019-06-252-0/+52
| | | | | | | | | | | | | Source: http://git.savannah.gnu.org/cgit/wget.git MR: 89341 Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b Description: Fixes CVE-2019-5953 Affects: < 1.20.1 Signed-off-by: Armin Kuster <akuster@mvista.com>
* glib-2.0: Security fix for CVE-2019-12450Armin Kuster2019-06-252-0/+60
| | | | | | | | | | | Source: glib-2.0 MR: 98443 Type: Security Fix Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174 ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741 Description: Signed-off-by: Armin Kuster <akuster@mvista.com>
* Tar: Security fix CVE-2019-0023Armin Kuster2019-06-252-0/+39
| | | | | | | | | | | | | | | | Source: tar.git MR: 97928 Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120 ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3 Description: Affects tar < 1.32 fixes CVE-2019-9923 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* qemu: Security fix for CVE-2018-19489Armin Kuster2019-06-252-0/+84
| | | | | | | | | | | | | | | | | | | Source: Qemu.org MR: 97453 Type: Security Fix Disposition: Backport from git.qemu.org/gemu.git ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace Description: In the spirt of YP Compatible, sending change upstream. fixes CVE CVE-2018-19489 Affect < = 4.0.0 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wpa_supplicant: Changed systemd template unitsJoshua DeWeese2019-06-252-0/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I goofed up the scissor line on the last attempt. Not sure how much it matters, but here it is correct this time. Here it is, updated to work with wpa-supplicant_2.6.bb. -- >8 -- https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy= When building root filesystems with any of the wpa_supplicant systemd template service files enabled (current default is to have them disabled) the systemd-native-fake script would not process the line: Alias=multi-user.target.wants/wpa_supplicant@%i.service appropriately due the the use of "%i." According to the systemd documentation "WantedBy=foo.service in a service bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in the same file." However, this is not really the intended purpose of install Aliases. All lines of the form: Alias=multi-user.target.wants/*%i.service Were replaced with the following lines: WantedBy=multi-user.target Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go: update to minor update 1.11.10Armin Kuster2019-06-251-3/+3
| | | | | | | | | | | | | | | | | | | | Source: golang.org MR: 97548, Type: Security Fix Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5 ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268 Description: Bug fix updates only https://golang.org/doc/devel/release.html#go1.11 Fixes: Affects <= 1.11.6 CVE-2019-6486 CVE-2019-9741 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go: Upgrade 1.11.1 -> 1.11.4 minor releaseKhem Raj2019-06-253-15/+11
| | | | | | | | | | | | | | | | | | | | | | Source: OpenEmbedded.org MR: 98328, 98329, 98330 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2 Description: include: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 Changes: https://golang.org/doc/devel/release.html#go1.11 Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Bug fix only update] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go-crosssdk: PN should use SDK_SYS, not TARGET_ARCHRichard Purdie2019-06-251-1/+1
| | | | | | | | | | | The crosssdk dependencies are handled using the virtual/ namespace so this name doesn't matter in the general sense. We want to be able to provide recipe maintainer information through overrides though, so this standardises it with the behaviour from gcc-crosssdk and ensures the maintainer overrides work. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go-target.inc: fix go not found while multilib enabledHongxu Jia2019-06-251-1/+1
| | | | | | | | | | | | Go binaries were installed to ${libdir}/go/bin, and create symlink in ${bindir}, while enabling multilib, libdir was extended (such as /usr/lib64), but BASELIB was not (still /lib), so use baselib (such as /lib64)) to replace Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462Ross Burton2019-06-253-0/+41
| | | | | | | | | | | | | | | | | | | | | | Source: OpenEmbedded.org MR: 97538, 97543 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841 ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677 Description: CVE-2018-19876 is a backport from upstream. CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Dropped CVE-2018-19876, not affected] Issue was introduced in 1.15.8 by: commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cups: upgrade to 2.2.10Chen Qi2019-06-252-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | Source: OpenEmbedded.org MR: 97351 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd ChangeID: fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd Description: Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> CUPS 2.2.10 is a bug fix release that addresses issues in the scheduler, IPP Everywhere support, CUPS library, and USB printer support. Changes include: CVE-2018-4300: Linux session cookies used a predictable random number seed. The lpoptions command now works with IPP Everywhere printers that have not yet been added as local queues (Issue #5045) Added USB quirk rules (Issue #5395, Issue #5443) The generated PPD files for IPP Everywhere printers did not contain the cupsManualCopies keyword (Issue #5433) Kerberos credentials might be truncated (Issue #5435) The handling of MaxJobTime 0 did not match the documentation (Issue #5438) Incorporated the page accounting changes from CUPS 2.3 (Issue #5439) Fixed a bug adding a queue with the -E option (Issue #5440) Fixed a crash bug when mapping PPD duplex options to IPP attributes (rdar://46183976) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>