Age | Commit message (Collapse) | Author |
|
openssh < 7.3
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
affects openssh < 7.3
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
affects openssl <= 1.0.2h
CVSS v2 Base Score: 2.1 LOW
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 5b3df0c5e8885ea34f66b41fcf209a9960fbbf5e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Affects openssl <= 1.0.2h
CVSS v2 Base Score: 7.5 HIGH
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 2848c7d3e454cbc84cba9183f23ccdf3e9200ec9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Apply a patch taken from Gentoo to hopefully fix the remaining parallel make
races.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d806d59a4c5e8ff35c7e7c5a3a6ef85e2b4b259)
Minor fixup to get patch to apply to jethro
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Upstream in 5.33 btmgmt was moved from experimental to common READLINE section,
in commit e4f0c5582f1fe3451d5588243adba9de1ed68b80, but this was never updated
in the recipe.
This is a backport from master branch, commit
28777e593d3dd3a5d0ee2effcdca6a971e2887f9.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
|
|
The backported upgrade to 1.0.2h included an updated GNU LD
version-script which results in an ABI change. In order to try and
respect ABI for existing binaries built against fido this commit
partially reverts the version-script to maintain the existing ABI
and instead only add the new symbols required by 1.0.2h.
Suggested-by: Martin Jansa <martin.jansa@gmail.com>
(From OE-Core rev: 480db6be99f9a53d8657b31b846f0079ee1a124f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
opehssh <= 7.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* CVEs:
- CVE-2016-0705
- CVE-2016-0798
- CVE-2016-0797
- CVE-2016-0799
- CVE-2016-0702
- CVE-2016-0703
- CVE-2016-0704
- CVE-2016-2105
- CVE-2016-2106
- CVE-2016-2109
- CVE-2016-2176
* The LICENSE's checksum is changed because of date changes (2011 ->
2016), the contents are the same.
* Remove backport patches
- 0001-Add-test-for-CVE-2015-3194.patch
- CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
- CVE-2015-3194-1-Add-PSS-parameter-check.patch
- CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
- CVE-2015-3197.patch
- CVE-2016-0701_1.patch
- CVE-2016-0701_2.patch
- CVE-2016-0800.patch
- CVE-2016-0800_2.patch
- CVE-2016-0800_3.patch
* Update crypto_use_bigint_in_x86-64_perl.patch
* Add version-script.patch and update block_diginotar.patch (From master branch)
* Update openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
(From Armin)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63
CVE-2016-1286: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=499952eb459c9a41d2092f1d98899c131f9103b2
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream nfs-utils use 'rpc-statd.service' and Yocto introduced
'nfs-statd.service' instead but forgot to update the mount.nfs helper
'start-statd' accordingly.
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This includes a proper D-Bus service file for obexd in systems that do
not support systemd.
(From OE-Core rev: 75c5dc8d4a5506bf5b89292a96c7b9f91e9d71c8)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ISC DHCP allows remote attackers to cause a denial of
service (application crash) via an invalid length field
in a UDP IPv4 packet.
(From OE-Core master rev: f9739b7fa8d08521dc5e42a169753d4c75074ec7)
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
https://www.openssl.org/news/secadv/20160301.txt
Signed-off-by: Armin Kuster <akuster@mvista.com>
Not required for master, an update to 1.0.2g has been submitted.
Backport to fido is required.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patch from http://w1.fi/security/2015-5/
and rebase for wpa-supplicant 2.4
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Not needed in master since the upgrade to 2.5
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
this address both
Socat security advisory 7 and MSVR-1499: "Bad DH p parameter in OpenSSL"
and Socat security advisory 8: "Stack overflow in arguments parser
[Yocto # 9024]
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
CVE-2016-0701 OpenSSL: DH small subgroups
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2015-8704:
Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record
CVE-2015-8705:
When debug logging is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option
[YOCTO 8966]
References:
https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
This issue requires three commits:
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
(From OE-Core master rev: a42229df424552955c0ac62da1063461f97f5938)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
This fixes a number of security issues.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
The crypto_use_bigint_in_x86-64_perl patch uses the "bigint" module to
transparently support 64-bit integers on 32-bit hosts. Whilst bigint (part of
bignum) is a core Perl module not all distributions install it (notable Fedora
23).
As the error message when bignum isn't installed is obscure, add a task to check
that it is available and alert the user if it isn't.
[ YOCTO #8562 ]
(From OE-Core master rev: 2f9a2fbc46aa435a0a7f7662bb62029ac714f25a)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
wired-setup script should not be in ${libdir} as it's not arch
dependent.
This also fixes (or works around) a practical issue where a multilib
build installs the wrong version of connman-conf and then connman
can't find the script.
[YOCTO #8550]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The file permission should be 0644 instead of 0755.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Update bugtracker web address
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Move connmans xuser-related D-Bus policy to a separate file that
xuser-account installs: This way connman does not need to depend on
xuser-account. Add policies for bluez and ofono in the same file.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The Bluez D-Bus policy is much too open and affects not just bluez but
all system services: Use upstream policy configuration instead.
This change has a chance of affecting other D-Bus services: the bug
that is fixed here may have hidden problems in other policies.
[YOCTO #8414]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[YOCTO #8365]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The gettext 0.16.1 doesn't install any m4 files to sysroot, please see
the following commit:
commit 9e10db5bdfe77c0ef2aff2f1cf89958b62c294a1
Author: Christopher Larson <kergoth@gmail.com>
Date: Mon Mar 17 18:10:54 2014 +0000
gettext-0.16.1: kill target m4 macros from sysroot
This is aim for using gettext-native's macros(gettext-native-0.19.4),
but when we set:
PREFERRED_VERSION_gettext = "0.16.1"
And build the recipes like pcmanfm, we would get errors when
do_configure:
configure:5164: error: possibly undefined macro: AM_NLS
This is because autotools_copy_aclocals doesn't copy the native macros
for target unless they're direct dependencies.
Add gettext-native to DEPENDS will fix the problem.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove dependencies for test targets. Otherwise, during ptest
execution, "make" tries to rebuild those executables and fails
there.
[YOCTO #8059]
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If you currently do a DISTRO_FEATURES_remove = "x11" with OE-Core, you
see failures due to dependency problems. The work in resolving this was
partially completed a while back. This adds in the markup mainly for
gtk/gtk3+ recipes and means "bitbake world" will work successfully.
Rather than code the gtk/gtk+ specific distro features into each recipe,
a shared variable is used.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously, the iproute2's configure script is actually run in the
do_compile stage. There's a Makefile rule 'all: Config' which makes
the configure process run to generate the Config file.
However, this makes it hard to fix the dependency problems. We need
to generate the Config file in the do_configure stage.
Add do_configure_append to separate the configure process from the
compile process.
Besides, explicitly disable ATM support for iproute2, otherwise we'll
sometimes meet errors like below when building.
ld: cannot find -latm
collect2: error: ld returned 1 exit status
Makefile:154: recipe for target 'q_atm.so' failed
make[1]: *** [q_atm.so] Error 1
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
There are already "allow" rules for root and conditionally xuser to
send messages to connman: there should be no reason for a default
allow policy.
Also, conditionally add a policy to allow xuser to send to the
connman vpn service (similar to main service).
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This means dragging in xuser-account even when it's not used but
that's a lesser evil than the recipe depending on machine specific
settings.
This also prevents a warning on connman service startup when
ROOTLESS_X is not set:
Unknown username "xuser" in message bus
[YOCTO #8005]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Map nios2 architecture to linux-generic32 target.
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
gen.c uses 512 as the path length which is a little short when build in
deep dir, and cause "too long" error, use PATH_MAX if defined.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Bugfixes.
build-create-dirs-before-putting-files-in-them.patch
patch removed, patch included upstream.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This will help one to disable the targets via bbappends if needed
e.g. musl can not compile irdaping since it uses includes
net/if_packet.h, which (on GLIBC) only defines struct sockaddr_pkt but
not in other libc e.g. musl that makes irdaping specific to glibc
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix the building path is long, when building bind, we would meet the following
error.
".../long/path/to/bind/9.10.2-P3-r0/bind-9.10.2-P3/lib/dns" too long
This is because the in gen.c, DIRNAMESIZE is limited to 256. But in OE, the
path length limit is more than 400. So we change it to 512.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
fixes two secruity issues:
CVE-2015-5722 and CVE-2015-5986.
see release notes for more information.
ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The Makefile for mount and osd_login utilities forces
/sbin as asbindir, however on a merged /usr system this directory
might not exist. Instead sed in the system sbindir.
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When building with a merged /usr dir the udev directory
lives at /usr/lib/udev - update the FILES pattern to also
pick up udev files installed two levels below the / to
ensure a merged /usr works.
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|