Age | Commit message (Collapse) | Author |
|
It was mentioned that when developing a BSP, the information about what
definition was used, or what fragments have been applied is not obvious
and requires looking at the code.
With this change, we can trigger a full summary of the meta data gathering
phase when KCONF_AUDIT_LEVEL > 0.
Sample output follows:
NOTE: do_kernel_metadata: for summary/debug, set KCONF_AUDIT_LEVEL > 0
NOTE: kernel meta data summary for qemux86-64 (standard):
NOTE:
======================================================================
NOTE: BSP entry point / definition:
/build/tmp/work/qemux86_64-poky-linux/linux-yocto/5.10.34+gitAUTOINC+bca3bfbc74_85c17ad073-r0/kernel-meta/bsp/common-pc-64/common-pc-64-standard.scc
NOTE: Fragments from SRC_URI:
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/xt-checksum.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/ebtables.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/vswitch.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/lxc.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/docker.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/cgroup-hugetlb.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/xen.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/kubernetes.scc
NOTE: KERNEL_FEATURES: features/nfsd/nfsd-enable.scc
features/debug/printk.scc features/kernel-sample/kernel-sample.scc
features/netfilter/netfilter.scc cfg/virtio.scc
features/drm-bochs/drm-bochs.scc cfg/sound.scc cfg/paravirt_kvm.scc
features/scsi/scsi-debug.scc features/gpio/mockup.scc
features/aufs/aufs-enable.scc cfg/fs/flash_fs.scc cfg/virtio.scc
NOTE: Final scc/cfg list:
/build/tmp/work/qemux86_64-poky-linux/linux-yocto/5.10.34+gitAUTOINC+bca3bfbc74_85c17ad073-r0/kernel-meta/bsp/common-pc-64/common-pc-64-standard.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/xt-checksum.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/ebtables.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/vswitch.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/lxc.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/docker.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/cgroup-hugetlb.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/xen.scc
/poky/meta-virtualization/recipes-kernel/linux/linux-yocto/kubernetes.scc
features/nfsd/nfsd-enable.scc features/debug/printk.scc
features/kernel-sample/kernel-sample.scc
features/netfilter/netfilter.scc cfg/virtio.scc
features/drm-bochs/drm-bochs.scc cfg/sound.scc cfg/paravirt_kvm.scc
features/scsi/scsi-debug.scc features/gpio/mockup.scc
features/aufs/aufs-enable.scc cfg/fs/flash_fs.scc cfg/virtio.scc
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b95b11e130e91cb7c5e65f0f9a1c655bcbcbc919)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
syslog.cfg is added to the list of sources for busybox
independent of the VIRTUAL-RUNTIME_base-utils-syslog variable. So even
if VIRTUAL-RUNTIME_base-utils-syslog being set e.g. to empty, syslogd will
be enabled. So only include syslog.cfg in SRC_URI if
VIRTUAL-RUNTIME_base-utils-syslog is set to busybox-syslog.
Signed-off-by: Volker Vogelhuber <v.vogelhuber@digitalendoscopy.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2ba6d58e77430cceeca9db61fdb06882a92e1e7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d4d4644e7c127e8b88b180635124e8afc905c69e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The preferred methods for CVE resolution are:
1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
does not apply to our environment
In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vauge
with no specific action the project can take too.
This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.
Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf282ae03db3f09df42dcd110d7086c2d854642c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Upstream database uses both "expat" and "libexpat" to report CVEs
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 706bdcaec5fd7c59d7877bbefa5ed4ce5b4f3da1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Applied patch for CVE-2020-14145
Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
Also, whitelisted below CVEs:
1.CVE-2020-15778:
As per upstream, because of the way scp is based on a historical
protocol called rcp which relies on that style of argument passing
and therefore encounters expansion problems. Making changes to how
the scp command line works breaks the pattern used by scp consumers.
Upstream therefore recommends the use of rsync in the place of
scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
2.CVE-2008-3844: It was reported in OpenSSH on Red Hat Enterprise Linux
and certain packages may have been compromised. This CVE is not
applicable as our source is OpenBSD.
Links:
https://securitytracker.com/id?1020730
https://www.securityfocus.com/bid/30794
Also, for CVE-2007-2768 no fix is available yet as it's unavoidable
drawback of using one time passwords as per
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2007-2768
Also it is marked as unimportant on debian
https://security-tracker.debian.org/tracker/CVE-2007-2768
Mailed to CPE to update database for CVE-2020-15778, CVE-2008-3844
and CVE-2007-2768. We can upstream CVE-2020-14145 till we recieve
response from CPE.
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Added fix for CVE-2020-35521 and CVE-2020-35522
Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch
Added below support patches for CVE-2020-35521 and CVE-2020-35522
1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch
2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This CVE relates to bad ownership of /var/log/cups, which we don't have.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0792312f3637ec160d2ef90781a8cb1f75b84940)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Under certain build patterns, warnings about missing manifests can appear. These
are real issues where the manifest was removed and shouldn't have been.
Martin Jansa was able to find a reproducer of:
MACHINE=qemux86 bitbake zlib-native
echo 'PR = "r1"' >> meta/recipes-core/zlib/zlib_1.2.11.bb
MACHINE=qemux86-64 bitbake zlib-native
MACHINE=qemux86 bitbake zlib-native
<the zlib-native manifest is now removed along with the sysroot-components contents>
The code maintains a per machine list of stamps but a per PACAGE_ARCH list of
stamp/manifest/workdir mappings. The latter is only appended to for speed with
the assumption that once stamps are gone, the code wouldn't trigger.
The code only ever appends to the mapping list (for speed/efficency under lock)
meaning that multiple entries can result where the stamp/workdir differs due to
version changes but the manifest remains the same.
By switching MACHINE part way through the build, the older stamp is referenced
and the manifest is incorrectly removed as it matches an now obsolete entry in
the mapping file.
There are two possible fixes, one is to rewrite the mapping file every time
which means adding regexs, iterating and generally complicating that code. The
second option is to only use the last mapping entry in the file for a given
manifest and ignore any earlier ones. This patch implments the latter.
Also drop the stale entries if we are rewriting it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63da9a4f889c5b0e41bc8ec08abe0acea1546479)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Bintray service has been discontinued causing boost do_fetch to fail:
WARNING: boost-1.72.0-r0 do_fetch: Failed to fetch URL
https://dl.bintray.com/boostorg/release/1.76.0/source/boost_1_72_0.tar.bz2,
attempting MIRRORS if available
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6a76da15ece9d27fca20ace12db4978092e042b7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This reverts commit dee41e92f0efac7e453597bed4b4c02f867e3aa9.
This patch breaks cases where some config files make changes to earlier ones,
ordering is important. The reproducibility issue in busybox was elsewhere.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ab0a296607b58775e91948ba40956c666dbb1244)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2621dbbc1181808f18ca4ae79408d0d5b557670f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5c5f0d21799c2bff6875ef9fdc22d11035ea3320)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 414f8a75ce4e2a2f833593ba34151a897b1e9833)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
runtest return an error due to missing expect on the target.
Add expect as runtime dependency.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d9a3a08edc1efcbe7b02e80be98370792d3c6cc2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Integrating the following commit(s) to linux-yocto/5.4:
qemuppc32: reduce serial issues seen on shutdown
Richard reported:
We've been seeing a lot of the qemuppc shutdown issue and I decided to
look into it. The really worrying thing looking at the logs locally is the
serial ports are showing irq issues and becoming disabled as nobody would
handle them.
Errors like:
[ 9.194886] irq 36: nobody cared (try booting with the "irqpoll" option)
[ 9.198712] CPU: 0 PID: 127 Comm: bootlogd Not tainted
[ 9.202283] Call Trace:
[ 9.205611] [d1005f00] [c00a0da8] __report_bad_irq+0x50/0x138 (unreliable)
[ 9.209347] [d1005f30] [c00a0cc0] note_interrupt+0x324/0x378
[ 9.212855] [d1005f70] [c009d138] handle_irq_event+0xe8/0x104
[ 9.216353] [d1005fa0] [c00a1d9c] handle_fasteoi_irq+0xc0/0x29c
[ 9.219960] [d1005fc0] [c009b798] generic_handle_irq+0x40/0x5c
[ 9.223496] [d1005fd0] [c00075d0] __do_irq+0x58/0x188
[ 9.226948] [d1005ff0] [c0010040] call_do_irq+0x20/0x38
[ 9.230391] [d29eda60] [c0007788] do_IRQ+0x88/0xfc
[ 9.233860] [d29eda90] [c0016454] ret_from_except+0x0/0x14
[ 9.237288] --- interrupt: 501 at __setup_irq+0x3c4/0x838
[ 9.237288] LR = __setup_irq+0x790/0x838
[ 9.244155] [d29edb88] [c009f0a4] request_threaded_irq+0x114/0x1c8
[ 9.247672] [d29edbb8] [c07a5a18] pmz_startup+0x17c/0x32c
[ 9.251203] [d29edbd8] [c07a1140] uart_port_startup+0x184/0x2f8
[ 9.254651] [d29edc08] [c07a1974] uart_port_activate+0x78/0xf4
[ 9.258141] [d29edc28] [c07839f8] tty_port_open+0xd4/0x170
[ 9.261579] [d29edc58] [c079db74] uart_open+0x2c/0x48
[ 9.265116] [d29edc68] [c077a288] tty_open+0x168/0x640
[ 9.268574] [d29edcd8] [c0280be8] chrdev_open+0x138/0x2a4
[ 9.272123] [d29edd18] [c027421c] do_dentry_open+0x228/0x410
[ 9.275643] [d29edd48] [c028e9f4] path_openat+0xb04/0xf28
[ 9.279184] [d29eddd8] [c02917e4] do_filp_open+0x120/0x164
[ 9.282535] [d29ede98] [c0276238] do_sys_openat2+0xd8/0x19c
[ 9.285790] [d29edee8] [c0276574] sys_openat+0x88/0xdc
[ 9.289096] [d29edf38] [c00160d8] ret_from_syscall+0x0/0x34
[ 9.292620] --- interrupt: c01 at 0xfec3738
[ 9.292620] LR = 0xfec36e0
[ 9.299035] handlers:
[ 9.302312] [<7f7f7da8>] pmz_interrupt
[ 9.305541] Disabling IRQ #36
(and the irqpoll option does not help)
This is problematic as the shutdown test uses the serial interface to
shut down the system. If the serial interface fails to login or run the command,
game over for the test.
CONFIG_SERIAL_PMACZILOG_CONSOLE complicates that handling, but doesn't provide
any output or capabilities that we need. So we disable it here, and
reduce the chances of issues during shutdown.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42355cb73049ee7a4af0f539a2a5b7d4ee1abc65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
This currently catches the .clb_blob and .vamrs,rock960.txt, and other
.txt files may come in future upstream releases.
Signed-off-by: Yann Dirson <yann@blade-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e332738a8aae0914c58b40faae8b9d7a82fd6a95)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
License-Update: additional firmware files, version changes
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f10b9dbb4fb8ccb9a427883370fbbeb6f394551)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Update CVE_PRODUCT to also include 'berkeley_db'. For example,
CVE-2020-2981 uses 'berkeley_db'.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Make sure help2man output is reproducible. Fixes:
| .\"·DO·NOT·MODIFY·THIS·FILE!··It·was·generated·by·help2man·1.022. .\"·DO·NOT·MODIFY·THIS·FILE!··It·was·generated·by·help2man·1.022.
| .TH·FSG·"1"·"April·2021"·"FSG·lsb_release·v1.4"·FSG .TH·FSG·"1"·"May·2021"·"FSG·lsb_release·v1.4"·FSG
| .SH·NAME 3 .SH·NAME
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 49371207a7f1fe3d3feb7b8b9aabb62b43ae34d1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
When running a shutdown command, the serial port can close without the
command returning. This is seen as the socket being readable but having
no data. Change the way this case is handled in the code to avoid
tracebacks.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 396a3ba884820d040c91f7592daf20ac28c49b5d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The recent logging changes for qemurunner showed up as errors on the
autobuilder where decode couldn't be called on the returned string.
Since the code returns binary data, return b'' instead of '' to match
to avoid tracebacks.
One of these cases was newly added, copied from the other which has
been there for a long time, always broken.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b8995b27db265b0a0b2d2ca595915f70f9f96e07)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Rather than totally disabling the logging, inform it we're about to exit
so we can log messages over the exit cleanly too. This aids debugging. It
also avoids a race where the logging handler could still error whilst
shutting down.
Also remove a race window by notificing the handler of the shutdown
first, before triggering it. This removes a race window I watched in
local testing.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0e19f31a1005f94105e1cef252abfffcef2aafad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Issue only affects Debian and SUSE.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 72522fa1a5f3b9b2855043fe6b421886d641385f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Issue only affects windows.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a90d3b056992346003d96765fc8639f5235cca55)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
"Given runcon is not really a sandbox command, the advice is to use
`runcon ... setsid ...` to avoid this particular issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2d273b5aed4a5bd509ec9c68a6f451c17ec17d0c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Some fix upstream addresses the issue, it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
These CVEs are fixed with kernel changes and don't affect the bluez recipe.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 658902477840ea34d414083c4c79616bf5e999a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8556d6a6722f21af5e6f97589bec3cbd31da206c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 915b38c54a7932744a9f56713d1c6bd00a789331)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8917e5ae2bb44d017fc0155f16632c5decadb0bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
CVE only applies to some distributed RHEL binaries so irrelavent to us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5d8b3ddf91050f6745a99a8abb1c3b03c35247af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3670be602f2ace24dc49e196407efec577164050)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
These CVEs apply to the way logrotate was installed on Gentoo, Debian
and SUSE, exclude from cve-check as they don't apply to OE.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 23643016f3b8794db772e333ff0b8f598571b628)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The CVE is non-specific and depends on the users of jquery, doesn't
make sense to have this flagged against jquery as there is nothing we can
do about it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1f82843584f6d2843c5bbd2fe5dcbc654a0fbcfb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The issues were investigated and found not to be an issue therefore
exclude from checks.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee6ee9bd489c126b99d15c1011560df2f840a6e9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The CVE applies to the built-in VNC server but we don't enable this by default.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d62b9974a5f3a0f462434ce2763c28a4b4bbcfc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
The CVE applies to virglrender before 0.6.0 which we don't have.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9b5355375d028577de0b98e05992de6a088cb972)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 107987b342a834badfad286474b03543b4764d23)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be04484f99a5b29cc9066e350b526fc4420ad6d4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0c4e6f99332ae253855708845a41fdfeb72d4c30)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
These CVEs are disputed by upstream and there is no plan to fix/address them. No
other distros are carrying patches for them. There is a patch for 1010025
however it isn't merged upstream and probably carries more risk of other bugs
than not having it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b238db678083cc15313b98d2e33f83cccab03fc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
updates include fix for CVE-2020-28493
changelog:
https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-3
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Both don't seem to be reproducible with fedora 33
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61cc9acb54be09a12aac7c79f4b14e7e525d5596)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|