aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* systemd: re-enable mount propagation for udevdfidoRoy Li2016-12-052-0/+32
| | | | | | | | | | | | | | | | | With MountFlags=slave, those mounts then become private to the systemd-udevd namespace and are no longer accessible from outside the namespace, which is not expected [YOCTO #8613] (From OE-Core rev: 73f43d857fe0102033f25491007b6dbe3d5fa8ee) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f2092e67ea880301058396b831a9a18905317d0d) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to fido head revisionRichard Purdie2016-05-121-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: prevent ABI break from earlier fido releasesJoshua Lock2016-05-121-9/+22
| | | | | | | | | | | | The backported upgrade to 1.0.2h included an updated GNU LD version-script which results in an ABI change. In order to try and respect ABI for existing binaries built against fido this commit partially reverts the version-script to maintain the existing ABI and instead only add the new symbols required by 1.0.2h. Suggested-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to fido head revisionRichard Purdie2016-05-111-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)Robert Yang2016-05-1115-1950/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * CVEs: - CVE-2016-0705 - CVE-2016-0798 - CVE-2016-0797 - CVE-2016-0799 - CVE-2016-0702 - CVE-2016-0703 - CVE-2016-0704 - CVE-2016-2105 - CVE-2016-2106 - CVE-2016-2109 - CVE-2016-2176 * The LICENSE's checksum is changed because of date changes (2011 -> 2016), the contents are the same. * Remove backport patches - 0001-Add-test-for-CVE-2015-3194.patch - CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch - CVE-2015-3194-1-Add-PSS-parameter-check.patch - CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch - CVE-2015-3197.patch - CVE-2016-0701_1.patch - CVE-2016-0701_2.patch - CVE-2016-0800.patch - CVE-2016-0800_2.patch - CVE-2016-0800_3.patch * Update crypto_use_bigint_in_x86-64_perl.patch * Add version-script.patch and update block_diginotar.patch (From master branch) * Update openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (From Armin) (From OE-Core master rev: bca156013af0a98cb18d8156626b9acc8f9883e3) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* gtk+_2.24.25: backport a fix for building with newer host perlJoshua Lock2016-05-062-0/+76
| | | | | | | This backports a patch from gtk+ upstream to prevent an issue when building on Fedora 23 hosts. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzdata: update to 2016dArmin Kuster2016-05-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes affecting future time stamps America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30. (Thanks to Alexander Krivenyshev for the heads-up.) Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00. (Thanks to Alexander Krivenyshev and Matt Johnson.) New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29 at 02:00. (Thanks to Stepan Golosunov.) Changes affecting past time stamps New zone Europe/Kirov, split off from Europe/Volgograd. It covers Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on 1989-03-26 at 02:00, roughly a year after Europe/Volgograd made the same change. (Thanks to Stepan Golosunov.) Russia and nearby locations had daylight-saving transitions on 1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on 1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan Golosunov.) Many corrections to historical time in Kazakhstan from 1991 through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's invented time zone abbreviations with numeric abbreviations. Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (From OE-Core master rev: 10194ca3d8c2f4d8648a685c5c239a33d944b6fe) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzcode: update to 2016dArmin Kuster2016-05-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | they keep the versions in-sync. changes are all in data. Changes affecting future time stamps America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30. (Thanks to Alexander Krivenyshev for the heads-up.) Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00. (Thanks to Alexander Krivenyshev and Matt Johnson.) New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29 at 02:00. (Thanks to Stepan Golosunov.) Changes affecting past time stamps New zone Europe/Kirov, split off from Europe/Volgograd. It covers Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on 1989-03-26 at 02:00, roughly a year after Europe/Volgograd made the same change. (Thanks to Stepan Golosunov.) Russia and nearby locations had daylight-saving transitions on 1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on 1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan Golosunov.) Many corrections to historical time in Kazakhstan from 1991 through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's invented time zone abbreviations with numeric abbreviations. Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (From OE-Core master rev: db8223e4dd2e513a656aedfae217d94e053c2366) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzcode: update to 2016cArmin Kuster2016-05-061-4/+4
| | | | | | | | Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: 41adb87c2f1aa20e51f1af3542d65c920eb94be6) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzdata: update to 2016cArmin Kuster2016-05-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 2016c release of the tz code and data is available. Its most urgent change is for Asia/Baku, where the update takes effect this weekend. This release reflects the following changes, which were either circulated on the tz mailing list or are relatively minor technical or administrative changes: Changes affecting future time stamps Azerbaijan no longer observes DST. (Thanks to Steffen Thorsen.) Chile reverts from permanent to seasonal DST. (Thanks to Juan Correa for the heads-up, and to Tim Parenti for corrections.) Guess that future transitions are August's and May's second Saturdays at 24:00 mainland time. Also, call the period from 2014-09-07 through 2016-05-14 daylight saving time instead of standard time, as that seems more appropriate now. Changes affecting past time stamps Europe/Kaliningrad and Europe/Vilnius changed from +03/+04 to +02/+03 on 1989-03-26, not 1991-03-31. Europe/Volgograd changed from +04/+05 to +03/+04 on 1988-03-27, not 1989-03-26. (Thanks to Stepan Golosunov.) Changes to commentary Several updates and URLs for historical and proposed Russian changes. (Thanks to Stepan Golosunov, Matt Johnson, and Alexander Krivenyshev.) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: 66031bcf8cec2e8e7a6803f2c6cfc2c2ba071ffe) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzcode: update to 2016bArmin Kuster2016-05-062-25/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change SRC_URI http seems more reliable Changes to code tzselect's diagnostics and checking, and checktab.awk's checking, have been improved. (Thanks to J William Piggott.) tzcode now builds under MinGW. (Thanks to Ian Abbott and Esben Haabendal.) tzselect now tests Julian-date TZ settings more accurately. (Thanks to J William Piggott.) Changes to commentary Comments in zone tables have been improved. (Thanks to J William Piggott.) tzselect again limits its menu comments so that menus fit on a 24x80 alphanumeric display. A new web page tz-how-to.html. (Thanks to Bill Seymour.) In the Theory file, the description of possible time zone abbreviations in tzdata has been cleaned up, as the old description was unclear and inconsistent. (Thanks to Alain Mouette for reporting the problem.) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: 0c4816c1f723951179988a274f236f28fe4db20f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tzdata: update to 2016bArmin Kuster2016-05-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | updated SRC_URI to http as it seems more stable. Changes affecting future time stamps New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time. They need distinct zones since their post-1970 histories disagree. New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch from +06 to +07 on the same date and local time. Also, Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00. (Thanks to Alexander Krivenyshev for the heads-up, and to Matt Johnson and Stepan Golosunov for followup.) As a trial of a new system that needs less information to be made up, the new zones use numeric time zone abbreviations like "+04" instead of invented abbreviations like "ASTT". Haiti will not observe DST in 2016. (Thanks to Jean Antoine via Steffen Thorsen.) Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00. (Thanks to Hannah Kreitem.) Guess future transitions will be March's last Saturday at 01:00, not March's last Friday at 24:00. Changes affecting past time stamps Europe/Chisinau observed DST during 1990, and switched from +04 to +03 at 1990-05-06 02:00, instead of switching from +03 to +02. (Thanks to Stepan Golosunov.) 1991 abbreviations in Europe/Samara should be SAMT/SAMST, not KUYT/KUYST. (Thanks to Stepan Golosunov.) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: d3ab7005f0c899da9f9f132b22861bd5d4f952ba) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* bind: CVE-2016-1285 CVE-2016-1286Sona Sarmadi2016-05-065-0/+572
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure [YOCTO #9400] External References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286 References to the Upstream commits and Security Advisories: CVE-2016-1285: https://kb.isc.org/article/AA-01352 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=31e4657cf246e41d4c5c890315cb6cf89a0db25a CVE-2016-1286_1: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 CVE-2016-1286_2: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=ce3cd91caee698cb144e1350c6c78292c6be6339 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* busybox_git: Fix SRCREVBrad Mouring2016-05-061-1/+1
| | | | | | | | | | The SRCREV in the busybox git recipe did not point to a commit ID on the master branch. Point the variable to something reachable from the master branch (which fixes this recipe's fetch()). Suggested-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Brad Mouring <brad.mouring@ni.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* busybox: Backport patch to fix zcip false-conflictBrad Mouring2016-05-062-0/+35
| | | | | | | | | Busybox upstream fixed the issue where an incorrect comparison of addresses led to bogus renegotiation of a new ll ip in 1.24. Backport this change to 1.23.1. Signed-off-by: Brad Mouring <brad.mouring@ni.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* populate_sdk_base: Ensure PKGDATA_DIR existsRichard Purdie2016-05-061-1/+1
| | | | | | | | | | | | | | The code assumes that PKG_DATADIR exists and will fail if an image has not been generated which creates it. This occurs when something like buildtools-tarball is built which doesn't have target packages, only nativesdk ones. Since this shouldn't be fatal, workaround this by creating the missing directory. (From OE-Core master rev: 319c5d55bb0c7e429766f46dd42a15e16a43c4dd) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* scripts/oe-pkgdata-util: Fix variable name in error handlingRichard Purdie2016-05-061-1/+1
| | | | | | | | | | | | Fix: logger.error('Unable to find pkgdata directory %s' % pkgdata_dir) NameError: global name 'pkgdata_dir' is not defined (From OE-Core master rev: a1202ed17e11400f08064c9065fdfa996554d4ad) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* conf/local.conf.sample: comment out ASSUME_PROVIDED=libsdl-nativeRoss Burton2016-05-061-3/+4
| | | | | | | | | | | | | Ubuntu 15.10 and Debian testing can't build qemu-native against the host libsdl. Now that libsdl-native is buildable, comment out the ASSUME_PROVIDED which meant it wouldn't be used. [ YOCTO #8553 ] Signed-off-by: Ross Burton <ross.burton@intel.com> (From OE-Core master rev: 81f009d173f24501ab0e04d845db74ecb5f8e332) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* xorg-lib: allow native building without x11 DISTRO_FEATURESRoss Burton2016-05-061-0/+1
| | | | | | | | | | | | | | The Xorg libraries use REQUIRED_DISTRO_FEATURES to stop building on distributions without the x11 feature but this stops people building native tooling that uses libX11, such as libsdl-native. (From OE-Core master rev: 161bb3409edee21827cf594cc011fe88185f1496) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> libxcb change removed as it's not valid in fido Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* base: check for existing prefix when expanding names in PACKAGECONFIGRoss Burton2016-05-061-1/+4
| | | | | | | | | | | | | | | | | | When the DEPENDS are added as part of the PACKAGECONFIG logic the list of packages are expanded so that any required nativesdk-/-native/multilib prefixes and suffixes are added. However the special handling of virtual/foo names doesn't check that the prefix already exists, which breaks under nativesdk as in that situation there's an explicit nativesdk- prefix *and* MLPREFIX is set to nativesdk-. This results in the same prefix being applied twice, and virtual packages such as virtual/libx11 ending up as virtual/nativesdk-nativesdk-libx11. (From OE-Core master rev: 9e7d207e207bf0319b09d403d87d37f24e3dfbee) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libsdl: expand PACKAGECONFIG and enable native buildsRoss Burton2016-05-061-17/+18
| | | | | | | | | | | | | | | | | | | | Use PACKAGECONFIG instead of using logic in DEPENDS and EXTRA_OECONF, adding new options for PulseAudio, tslib, DirectFB, OpenGL and X11. Pass --disable-x11-shared so that it links to the X libraries instead of using dlopen(). Disable tslib by default as the kernel event input subsystem is generally used. SDL's OpenGL support requires X11 so check for both x11 and opengl, and merge the dependencies. Finally enable native builds, with a minimal PACKAGECONFIG that will build from oe-core for native and nativesdk. (From OE-Core master rev: 3d6c31c3a4ff34376e17005a981bb55fc6f7a38f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libsdl: depends on libglu when both x11 and openglRobert Yang2016-05-061-1/+2
| | | | | | | | | | | | | The libglu requires both opengl (depends on virtual/libgl) and x11 (needs libGL.so which is provided by mesa when x11 in DISTRO_FEATURES), so let libsdl depends on libglu when both x11 and opengl in DISTRO_FEATURES. (From OE-Core master rev: b33e927096292f22f1bd9b2b0f633a6d645fc1eb) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* testimage: Handle ipk/deb packaging format tests correctlyRichard Purdie2016-05-061-2/+4
| | | | | | | | | | | | The default test list only works for rpm packaging. This fixes it for deb and ipk too. (From OE-Core master rev: 210c8926405fcf695ec00f5768f29ba198320d6a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* dhcp: CVE-2015-8605Mariano Lopez2016-05-063-0/+234
| | | | | | | | | ISC DHCP allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* build-appliance-image: Update to fido head revisionRichard Purdie2016-03-131-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to fido head revisionRichard Purdie2016-03-121-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nettle: The variable named p in the patch file was incorrectly named.ngutzmann2016-03-111-1/+1
| | | | | | | | | | | The variable in question should have been called ecc->p. The patch has been updated so that the compilation of the nettle recipe would complete successfully. The backport originated from this commit https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d Signed-off-by: ngutzmann <nathangutzmann@gmail.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* openssl: Security fix CVE-2016-0800Armin Kuster2016-03-034-0/+1296
| | | | | | | | | | | | CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) https://www.openssl.org/news/secadv/20160301.txt Signed-off-by: Armin Kuster <akuster@mvista.com> Not required for master, an update to 1.0.2g has been submitted. Backport from jethro. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* wpa-supplicant: Fix CVE-2015-8041Hongxu Jia2016-02-292-0/+65
| | | | | | | | | | Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Not needed in master since the upgrade to 2.5 Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* git: Security fixes CVE-2015-7545Armin Kuster2016-02-296-0/+888
| | | | | | | | | | CVE-2015-7545 git: arbitrary code execution via crafted URLs Signed-off-by: Armin Kuster <akuster@mvista.com> Already in Jethro, not needed in master due to shipping a version of git which is already fixes (> 2.6.1) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* nettle: Security fix CVE-2015-8804Armin Kuster2016-02-292-0/+273
| | | | | | | | | | | (From OE-Core master rev: 7474c7dbf98c1a068bfd9b14627b604da5d79b67) minor tweak to get x86_64/ecc-384-modp.asm to apply Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* nettle: Security fix CVE-2015-8803 and CVE-2015-8805Armin Kuster2016-02-292-0/+75
| | | | | | | | | | | (From OE-Core master rev: f62eb452244c3124cc88ef01c14116dac43f377a) hand applied changes for ecc-256.c Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* bind: Security fix CVE-2015-8461Armin Kuster2016-02-292-1/+47
| | | | | | | | | | | | | CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\ (From OE-Core master rev: 1656eaa722952861ec73362776bd0c4826aec3da) Hand applied Changelog changes. Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* rpcbind: Security Advisory - rpcbind - CVE-2015-7236Li Zhou2016-02-292-0/+84
| | | | | | | | | | | | | | | | | | | | | | | | | | rpcbind: Fix memory corruption in PMAP_CALLIT code Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. The patch comes from <http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't been in rpcbind upstream yet. (From OE-Core master rev: cc4f62f3627f3804907e8ff9c68d9321979df32b) (From OE-Core rev: 224bcc2ead676600bcd9e290ed23d9b2ed2f481e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* curl: Secuirty fix CVE-2016-0755Armin Kuster2016-02-292-1/+135
| | | | | | | | | | | | | CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use (From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378) hand applied changed to url.c Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* curl: Security fix CVE-2016-0754Armin Kuster2016-02-292-1/+386
| | | | | | | | | | | | | CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows (From OE-Core master rev: b2c9b48dea2fd968c307a809ff95f2e686435222) minor tweak to tool_operate.c to get it to apply Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libgcrypt: Security fix CVE-2015-7511Armin Kuster2016-02-293-0/+305
| | | | | | | | | | | | | | | | | | CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves affects libgcrypt < 1.6.5 adjust SRC_URI + for this version. Patch 1 is a dependancy patch. simple macro name change. Patch 2 is the cve fix. (From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libpng: Security fix CVE-2015-8472Armin Kuster2016-02-292-0/+30
| | | | | | | | | | | | | | | libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions this patch fixes an incomplete patch in CVE-2015-8126 adjusted dir to match this version. (From OE-Core master rev: f4a805702df691cbd2b80aa5f75d6adfb0f145eb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libpng: Security fix CVE-2015-8126Armin Kuster2016-02-295-0/+358
| | | | | | | | | | | | | libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions Adjusted dir location to match the version. (From OE-Core master rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* gdk-pixbuf: Security fix CVE-2015-7674Armin Kuster2016-02-292-0/+40
| | | | | | | | | | | CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1 (From OE-Core master rev: f2b16d0f9c3ad67fdf63e9e41f42a6d54f1043e4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* librsvg: Security fix CVE-2015-7558Armin Kuster2016-02-294-1/+597
| | | | | | | | | | | | | CVE-2015-7558 librsvg2: Stack exhaustion causing DoS including two supporting patches. (From OE-Core master rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tiff: Security fix CVE-2015-8784Armin Kuster2016-02-292-0/+74
| | | | | | | | | | | | CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode() (From OE-Core master rev: 3e89477c8ad980fabd13694fa72a0be2e354bbe2) minor tweak to get tif_next.c changes to apply. Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* tiff: Security fix CVE-2015-8781Armin Kuster2016-02-292-1/+199
| | | | | | | | | | | | | CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) minor tweek to get Changelog changes to apply Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* foomatic-filters: Security fixes CVE-2015-8327Armin Kuster2016-02-292-0/+24
| | | | | | | | | | | | | CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character this time with the recipe changes. (From OE-Core master rev: 62d6876033476592a8ca35f4e563c996120a687b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* foomatic-filters: Security fix CVE-2015-8560Armin Kuster2016-02-292-0/+26
| | | | | | | | | | | CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character (From OE-Core master rev: 307056ce062bf4063f6effeb4c891c82c949c053) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* qemu: Security fix CVE-2016-2198Armin Kuster2016-02-292-0/+46
| | | | | | | | | | | CVE-2016-2198 Qemu: usb: ehci null pointer dereference in ehci_caps_write (From OE-Core master rev: 646a8cfa5398a22062541ba9c98539180ba85d58) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libbsd: Security fix CVE-2016-2090Armin Kuster2016-02-182-1/+53
| | | | | | | | | CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* glibc: Security fix CVE-2015-7547Joshua Lock2016-02-182-0/+634
| | | | | | | | CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Based on OE-Core rev: cf754c5c806307d6eb522d4272b3cd7485f82420) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* kernel.bbclass: do not mv/link sources when externalsrc enabledMarkus Lehtonen2016-02-161-3/+7
| | | | | | | | | | | | | | | | | If externalsrc is enabled the 'do_unpack' task is run if the recipe has some local source files. In the case of kernel recipe this caused the (externalsrc) source tree to be moved/symlinked. This patch prevents the behaviour, making sure the source tree is not moved around when externalsrc is enabled. Instead of moving the source tree, STAGING_KERNEL_DIR will be a symlink to it. [YOCTO #6658] (From OE-Core master rev: 8f6c564661a3801012eb2d9a98cdc99c91712367) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
* libpcre: Security fixes and package update.Armin Kuster2016-02-161-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this is related to [Yocto # 9008] 8.38: The following security fixes are included: CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() compile_regex() CVE-2015-3217 pcre: stack overflow in match() CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec CVE-2015-8381 pcre: Heap Overflow in compile_regex() CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion CVE-2015-8387 pcre: Integer overflow in subroutine calls CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions CVE-2015-8395 pcre: Buffer overflow caused by certain references CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS 8.37: The following security fixes are included: CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions CVE-2015-2325 pcre: heap buffer overflow in compile_branch() CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2() LICENSE file changed do to Copyright date updates. Signed-off-by: Armin Kuster <akuster@mvista.com> Jethro and master don't require this patch as they have newer libpcre which contains these fixes. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>