aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* wpa_supplicant: fix WPA2 key replay security bugjethroRoss Burton2017-11-032-0/+944
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WPA2 is vulnerable to replay attacks which result in unauthenticated users having access to the network. * CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake * CVE-2017-13078: reinstallation of the group key in the Four-way handshake * CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake * CVE-2017-13080: reinstallation of the group key in the Group Key handshake * CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake * CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it * CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake * CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame * CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame Backport patches from upstream to resolve these CVEs. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to jethro head revisionRichard Purdie2016-12-061-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update to 2016iArmin Kuster2016-12-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Briefly: Cyprus split into two time zones on 2016-10-30, and Tonga reintroduces DST on 2016-11-06. Changes to future time stamps Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00. Assume future observances in Tonga will be from the first Sunday in November through the third Sunday in January, like Fiji. (Thanks to Pulu ʻAnau.) Switch to numeric time zone abbreviations for this zone. Changes to past and future time stamps Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting 2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (Thanks to Even Scharning and Matt Johnson.) Antarctica/Casey switched from +08 to +11 on 2016-10-22. (Thanks to Steffen Thorsen.) Changes to past time stamps Several corrections were made for pre-1975 time stamps in Italy. These affect Europe/Malta, Europe/Rome, Europe/San_Marino, and Europe/Vatican. First, the 1893-11-01 00:00 transition in Italy used the new UT offset (+01), not the old (+00:49:56). (Thanks to Michael Deckers.) Second, rules for daylight saving in Italy were changed to agree with Italy's National Institute of Metrological Research (INRiM) except for 1944, as follows (thanks to Pierpaolo Bernardi, Brian Inglis, and Michael Deckers): The 1916-06-03 transition was at 24:00, not 00:00. The 1916-10-01, 1919-10-05, and 1920-09-19 transitions were at 00:00, not 01:00. The 1917-09-30 and 1918-10-06 transitions were at 24:00, not 01:00. The 1944-09-17 transition was at 03:00, not 01:00. This particular change is taken from Italian law as INRiM's table, (which says 02:00) appears to have a typo here. Also, keep the 1944-04-03 transition for Europe/Rome, as Rome was controlled by Germany then. The 1967-1970 and 1972-1974 fallback transitions were at 01:00, not 00:00. (From OE-Core rev: daf95f7fd9f7ab65685d7b764d8e50df8d00d308) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzcode: update to 2016iArmin Kuster2016-12-061-4/+4
| | | | | | | | | | | | | | Changes to code The code should now be buildable on AmigaOS merely by setting the appropriate Makefile variables. (From a patch by Carsten Larsen.) (From OE-Core rev: d2b8c4ee535684f5d874082a7f76efbda1907ea5) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzdata: Update to 2016hArmin Kuster2016-12-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes to future time stamps Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00. (Thanks to Sharef Mustafa.) Predict that future fall transitions will be on the last Saturday of October at 01:00, which is consistent with predicted spring transitions on the last Saturday of March. (Thanks to Tim Parenti.) Changes to past time stamps In Turkey, transitions in 1986-1990 were at 01:00 standard time not at 02:00, and the spring 1994 transition was on March 20, not March 27. (Thanks to Kıvanç Yazan.) Changes to past and future time zone abbreviations Asia/Colombo now uses numeric time zone abbreviations like "+0530" instead of alphabetic ones like "IST" and "LKT". Various English-language sources use "IST", "LKT" and "SLST", with no working consensus. (Usage of "SLST" mentioned by Sadika Sumanapala.) (From OE-Core rev: ff11ca44fec8e4b2aa523e032bd967e3ab8339a8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzcode-native: update to 2016hArmin Kuster2016-12-061-4/+4
| | | | | | | | | | | | | | | | Changes to code zic no longer mishandles relativizing file names when creating symbolic links like /etc/localtime, when these symbolic links are outside the usual directory hierarchy. This fixes a bug introduced in 2016g. (Problem reported by Andreas Stieger.) (From OE-Core rev: 9c5de646e01a83219be74e99dcf7c1e56ba38b53) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python-2.7: Security fix CVE-2016-1000110Armin Kuster2016-12-062-0/+146
| | | | | | affects python-2.7 < 2.7.12 Signed-off-by: Armin Kuster <akuster@mvista.com>
* python-2.7: Security fix CVE-2016-5699Armin Kuster2016-12-062-0/+163
| | | | | | affect python-2.7 < 2.7.10 Signed-off-by: Armin Kuster <akuster@mvista.com>
* python-2.7: Security fix CVE-2016-5636Armin Kuster2016-12-062-0/+43
| | | | | | Affects python-2.7 < 2.7.12 Signed-off-by: Armin Kuster <akuster@mvista.com>
* python-2.7: Security fix CVE-2016-0772Armin Kuster2016-12-062-0/+43
| | | | | | Affects python < 2.7.12 Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-8610Armin Kuster2016-12-062-0/+125
| | | | | | affects openssl < 1.0.2i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-2179Armin Kuster2016-12-062-0/+256
| | | | | | affects openssl < 1.0.2i Signed-off-by: Armin Kuster <akuster@mvista.com>
* bind: Security fix CVE-2016-2776Armin Kuster2016-12-062-0/+113
| | | | | | affect bind < 9.10.4-p3 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* bind: Security fix CVE-2016-2775Armin Kuster2016-12-062-0/+85
| | | | | | affect bind < 9.10.4-p2 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* gnutils: Security fix CVE-2016-7444Armin Kuster2016-12-062-0/+32
| | | | | | affects gnutls < 3.3.24 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* gnupg: fix find-version for beta checkingWenzong Fan2016-11-032-0/+32
| | | | | | | | | | | | | | | | find-version always assumes that gnupg is beta if autogen.sh is run out of git-repo. This doesn't work for users whom just take release tarball and re-run autoconf in their local build dir. This fixes runtime issue: $gpg --list-sigs gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* perl: fix CVE-2016-1238Mingli Yu2016-10-062-0/+353
| | | | | | | | | | | | | Backport patch to fix CVE-2016-1238 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab (From OE-Core rev: 7d06ffcbcd0c71dc6dc9efde02bf0cd8d7c7d7e3) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to apply to 5.20.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* perl: fix CVE-2015-8607Mingli Yu2016-10-062-0/+75
| | | | | | | | | | | | | | Backport patch to fix CVE-2015-8607 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd (From OE-Core rev: e2289647ace9ef96e6a7e4aae201fd9149e56678) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixed up to apply to 5.22.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* perl: fix CVE-2016-6185Mingli Yu2016-10-062-0/+129
| | | | | | | | | | | | | | Backport patch to fix CVE-2016-6185 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7 (From OE-Core rev: 81e550d0c23c9842b85207cdfa73bbe9102e01fb) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixed up to apply against 5.22.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* perl: fix CVE-2016-2381Kai Kang2016-10-062-0/+114
| | | | | | | | | | | | | | | Backport patch to fix CVE-2016-2381 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076 (From OE-Core rev: 07ca8a0131f43e9cc2f720e1cdbcb7ba7c074886) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to apply again 5.22.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzdata: update to 2016gArmin Kuster2016-10-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LICENSE md5sum changed do to rewording some text not released to the license. see https://github.com/eggert/tz/commit/8c143a2b65fdfd43a7911be6fdb700c9c4553f58 Changes to future time stamps Turkey switched from EET/EEST (+02/+03) to permanent +03, effective 2016-09-07. (Thanks to Burak AYDIN.) Use "+03" rather than an invented abbreviation for the new time. New leap second 2016-12-31 23:59:60 UTC as per IERS Bulletin C 52. (Thanks to Tim Parenti.) Changes to past time stamps For America/Los_Angeles, spring-forward transition times have been corrected from 02:00 to 02:01 in 1948, and from 02:00 to 01:00 in 1950-1966. For zones using Soviet time on 1919-07-01, transitions to UT-based time were at 00:00 UT, not at 02:00 local time. The affected zones are Europe/Kirov, Europe/Moscow, Europe/Samara, and Europe/Ulyanovsk. (Thanks to Alexander Belopolsky.) Changes to past and future time zone abbreviations The Factory zone now uses the time zone abbreviation -00 instead of a long English-language string, as -00 is now the normal way to represent an undefined time zone. Several zones in Antarctica and the former Soviet Union, along with zones intended for ships at sea that cannot use POSIX TZ strings, now use numeric time zone abbreviations instead of invented or obsolete alphanumeric abbreviations. The affected zones are Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/Rothera, Antarctica/Syowa, Antarctica/Troll, Antarctica/Vostok, Asia/Anadyr, Asia/Ashgabat, Asia/Baku, Asia/Bishkek, Asia/Chita, Asia/Dushanbe, Asia/Irkutsk, Asia/Kamchatka, Asia/Khandyga, Asia/Krasnoyarsk, Asia/Magadan, Asia/Omsk, Asia/Sakhalin, Asia/Samarkand, Asia/Srednekolymsk, Asia/Tashkent, Asia/Tbilisi, Asia/Ust-Nera, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Etc/GMT-14, Etc/GMT-13, Etc/GMT-12, Etc/GMT-11, Etc/GMT-10, Etc/GMT-9, Etc/GMT-8, Etc/GMT-7, Etc/GMT-6, Etc/GMT-5, Etc/GMT-4, Etc/GMT-3, Etc/GMT-2, Etc/GMT-1, Etc/GMT+1, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Europe/Kaliningrad, Europe/Minsk, Europe/Samara, Europe/Volgograd, and Indian/Kerguelen. For Europe/Moscow the invented abbreviation MSM was replaced by +05, whereas MSK and MSD were kept as they are not our invention and are widely used. Changes to zone names Rename Asia/Rangoon to Asia/Yangon, with a backward compatibility link. (Thanks to David Massoud.) (From OE-Core rev: d1341aeda6d9fa5d7f13afabadae60a6fc295b87) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzcode-native: Update to 2016gArmin Kuster2016-10-061-6/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LICENSE file checksum changed do to a verbage change. Changes to code zic no longer generates binary files containing POSIX TZ-like strings that disagree with the local time type after the last explicit transition in the data. This fixes a bug with Africa/Casablanca and Africa/El_Aaiun in some year-2037 time stamps on the reference platform. (Thanks to Alexander Belopolsky for reporting the bug and suggesting a way forward.) If the installed localtime and/or posixrules files are symbolic links, zic now keeps them symbolic links when updating them, for compatibility with platforms like OpenSUSE where other programs configure these files as symlinks. zic now avoids hard linking to symbolic links, avoids some unnecessary mkdir and stat system calls, and uses shorter file names internally. zdump has a new -i option to generate transitions in a more-compact but still human-readable format. This option is experimental, and the output format may change in future versions. (Thanks to Jon Skeet for suggesting that an option was needed, and thanks to Tim Parenti and Chris Rovick for further comments.) Changes to build procedure An experimental distribution format is available, in addition to the traditional format which will continue to be distributed. The new format is a tarball tzdb-VERSION.tar.lz with signature file tzdb-VERSION.tar.lz.asc. It unpacks to a top-level directory tzdb-VERSION containing the code and data of the traditional two-tarball format, along with extra data that may be useful. (Thanks to Antonio Diaz Diaz, Oscar van Vlijmen, and many others for comments about the experimental format.) The release version number is now more accurate in the usual case where releases are built from a Git repository. For example, if 23 commits and some working-file changes have been made since release 2016g, the version number is now something like '2016g-23-g50556e3-dirty' instead of the misleading '2016g'. Official releases uses the same version number format as before, e.g., '2016g'. To support the more-accurate version number, its specification has moved from a line in the Makefile to a new source file 'version'. The experimental distribution contains a file to2050.tzs that contains what should be the output of 'zdump -i -c 2050' on primary zones. If this file is available, 'make check' now checks that zdump generates this output. 'make check_web' now works on Fedora-like distributions. Changes to documentation and commentary tzfile.5 now documents the new restriction on POSIX TZ-like strings that is now implemented by zic. Comments now cite URLs for some 1917-1921 Russian DST decrees. (Thanks to Alexander Belopolsky.) tz-link.htm mentions JuliaTime (thanks to Curtis Vogt) and Time4J (thanks to Meno Hochschild) and ThreeTen-Extra, and its description of Java 8 has been brought up to date (thanks to Stephen Colebourne). Its description of local time on Mars has been updated to match current practice, and URLs have been updated and some obsolete ones removed. (From OE-Core rev: 19c365b23c3b835dcb5595aba598f35bf16a6d81) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzcode-native: update to 2016fArmin Kuster2016-10-061-4/+4
| | | | | | | | | | | changes done in data (From OE-Core rev: 29377fa91a5f679909d582317c2b53d1f2e5da88) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzdata: update to 2016fArmin Kuster2016-10-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes affecting future time stamps The Egyptian government changed its mind on short notice, and Africa/Cairo will not introduce DST starting 2016-07-07 after all. (Thanks to Mina Samuel.) Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 at 02:00. (Thanks to Stepan Golosunov.) Changes to past and future time stamps Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones. Changes affecting past time stamps Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00 not 00:00. (Thanks to Stepan Golosunov.) (From OE-Core rev: dc80bf9b092a76f758d01474619cd9db46a1070d) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openssl: Security fix CVE-2016-6306Armin Kuster2016-10-062-0/+72
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-6304Armin Kuster2016-10-062-0/+76
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-6303Armin Kuster2016-10-062-0/+37
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-6302Armin Kuster2016-10-062-0/+54
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-2182Armin Kuster2016-10-062-0/+71
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-2181Armin Kuster2016-10-064-0/+363
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssl: Security fix CVE-2016-2180Armin Kuster2016-10-062-0/+45
| | | | | | affects openssl < 1.0.1i Signed-off-by: Armin Kuster <akuster@mvista.com>
* init-install.sh: fix disk_sizeRobert Yang2016-09-273-3/+3
| | | | | | | | | | | | It mis-matched "SanDisk" or "Disk Flags" before, which caused unexpected error. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a68ac76c1b6ed4c1a2fbc944c5021c89fd26217f) [YOCTO #10333] Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* util-linux: Security fix for CVE-2016-5011Armin Kuster2016-09-233-0/+152
| | | | | | affects util-linux < 2.28.2 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Secuirty fix for CVE-2016-5403Armin Kuster2016-09-232-0/+68
| | | | | | affects qemu < 2.7.0-rc0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Security fix for CVE-2016-4002Armin Kuster2016-09-232-0/+40
| | | | | | affects qemu < 2.6.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Security fix CVE-2016-6351Armin Kuster2016-09-233-0/+137
| | | | | | affects qemu < 2.6.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Security fix CVE-2016-4439Armin Kuster2016-09-232-0/+47
| | | | | | affects qemu < 2.6.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Security Fix CVE-2016-3712Armin Kuster2016-09-235-0/+323
| | | | | | affects qemu < 2.6.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* qemu: Security Fix CVE-2016-3710Armin Kuster2016-09-232-0/+113
| | | | | | affects Qemu < 2.6.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* wget: Security fix CVE-2016-4971Armin Kuster2016-09-233-0/+404
| | | | | | affects wget < 1.18.0 Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssh: Security fix CVE-2015-8325Armin Kuster2016-09-232-0/+34
| | | | | | openssh < 7.2p2 Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssh: Security fix CVE-2016-5615Armin Kuster2016-09-232-0/+55
| | | | | | openssh < 7.3 Signed-off-by: Armin Kuster <akuster@mvista.com>
* openssh: Security fix CVE-2016-6210Armin Kuster2016-09-234-0/+289
| | | | | | affects openssh < 7.3 Signed-off-by: Armin Kuster <akuster@mvista.com>
* git: Security fix CVE-2016-2315 CVE-2016-2324Armin Kuster2016-09-236-0/+913
| | | | | | git versions < 2.5.5 & 2.7.4 Signed-off-by: Armin Kuster <akuster@mvista.com>
* bind: Security fix CVE-2016-2088Armin Kuster2016-09-232-0/+217
| | | | Signed-off-by: Armin Kuster <akuster@mvista.com>
* tiff: Security fix CVE-2016-5323Yi Zhao2016-09-232-0/+104
| | | | | | | | | | | | | | | | | CVE-2016-5323 libtiff: a maliciously crafted TIFF file could cause the application to crash when using tiffcrop command External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5323 http://bugzilla.maptools.org/show_bug.cgi?id=2559 Patch from: https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 4ad1220e0a7f9ca9096860f4f9ae7017b36e29e4) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tiff: Security fix CVE-2016-5321Yi Zhao2016-09-232-0/+46
| | | | | | | | | | | | | | | | | CVE-2016-5321 libtiff: a maliciously crafted TIFF file could cause the application to crash when using tiffcrop command External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5321 http://bugzilla.maptools.org/show_bug.cgi?id=2558 Patch from: https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 4a167cfb6ad79bbe2a2ff7f7b43c4a162ca42a4d) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tiff: Security fix CVE-2016-3186Yi Zhao2016-09-232-0/+25
| | | | | | | | | | | | | | | | | | CVE-2016-3186 libtiff: buffer overflow in the readextension function in gif2tiff.c allows remote attackers to cause a denial of service via a crafted GIF file External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186 https://bugzilla.redhat.com/show_bug.cgi?id=1319503 Patch from: https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 3d818fc862b1d85252443fefa2222262542a10ae) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libpcre: Fix CVE-2016-3191Ismo Puustinen2016-09-232-0/+175
| | | | | | | | | | | | | Fix workspace overflow for (*ACCEPT) with deeply nested parentheses. The patch is from libpcre version control at http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog part removed. Original author is Philip Hazel. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 386534f968f4da376ba7778b5d436bad4ce8355b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openssl: Security fix CVE-2016-2178Armin Kuster2016-09-232-0/+52
| | | | | | | | | | affects openssl <= 1.0.2h CVSS v2 Base Score: 2.1 LOW Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 5b3df0c5e8885ea34f66b41fcf209a9960fbbf5e) Signed-off-by: Armin Kuster <akuster808@gmail.com>