Age | Commit message (Collapse) | Author |
|
Do not tweak a file that is no longer installed.
Ruby 3.0.3 includes security fixes.
CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
CVE-2021-41816: Buffer Overrun in CGI.escape_html
CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Ruby 3.0.2 release includes security fixes.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
go 1.16.14 release includes fix for CVE-2022-23806.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
License-Update: add license information of src/third_party/win32/winerror_to_errno.h
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 12f0aa9533edc7ac5a65b1c165797b049349b19e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Backport a patch in 1.46.3 which fix one regression:
This is what the changelog says:
Fix e2fsck so that the if the s_interval is zero, and the last mount
or write time is in the future, it will fix invalid last mount/write
timestamps in the superblock. (This was a regression introduced in
v1.45.5.)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
gcc-10.2 in Hardknott branch has been upgraded to gcc-10.3 version
that includes many bug fixes.
Regression tested on X86-64, Arm and Aarch64 without issues.
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
binutils-2.36 in Hardknott branch has been upgraded to latest version
that includes many bug fixes.
Regression tested on X86-64, Arm and Aarch64 without any new issues.
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Release 1.16.13 includes fixes for CVE-2021-44716 and CVE-2021-44717.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
An earlier patch cherry-picked from master used : for override. Change
it to use _ for hardknott.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
This patch backports the AArch32 support for Arm's Neoverse N2 CPU.
Upstream-Status: Backport
[https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=d7e8411f6a333d4054894ad3b23f23415a525230]
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=004bb936d6d5f177af26ad4905595e843d5665a5]
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=bd5e882cf6e0def3dd1bc106075d59a303fe0d1e]
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=51c500269bf53749b107807d84271385fad35628]
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=1a7f2c0774129750fdf73e9f1b78f0ce983c9ab3]
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=bef32d4a28595e933f24fef378cf052a30b674a7]
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
The patch backports the AArch64 support for Arm's Neoverse N2 CPU
Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=9428e9267435a62f672e2ba42df46432c021a9cf]
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
python3-pyelftools uses python3-debugger, python3-pprint.
So add dependencies on these packages.
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 22e84cdd05870f1a19c6389b66c4dfd5e9b418f7)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=b3aa80b45c4f46029efeb204bb9f2d2c4278a0e5]
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Backport patch and tweak it to fix PT_PHDR program header corruption.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
The CVE applies to binutils 2.26 and not to gcc so ignore there.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fea2726663a3db03170c49fceaffc632c509aeea)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 9612bb0639c13571e661f208aa7b28789953d9ec)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
0001-Makefile-fix-Issue36464-parallel-build-race-problem.patch
removed since it is included in 3.9.6
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1a12d978f2046fc5d3abc96db3753e378f29ecae)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
The release includes fixes for CVE-2021-41771 and CVE-2021-41772
Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This release also contains a fix for CVE-2021-38297 and the changes are
minor, so backport the uprev rather than manually backporting individual
commits.
CVE: CVE-2021-38297
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Backport patches to fix CVE-2021-41072. And update context for verison
4.4 at same time.
CVE: CVE-2021-41072
Ref:
* https://nvd.nist.gov/vuln/detail/CVE-2021-41072
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
source : https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102035
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=3929bca9ca95de9d35e82ae8828b188029e3eb70]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=574e7950bd6b34e9e2cacce18c802b45505d1d0a]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=30461cf8dba3d3adb15a125e4da48800eb2b9b8f]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=809330ab8450261e05919b472783bf15e4b000f7]
Signed-off-by: Pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
gcc11 has -std=gnu++17 as default. Remove deprecated C++17 exceptions based
on http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit ef8b7946b4793db653ef7dd716e1d3f919a84725)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
llvm embeds the repository location in a header file. We just changed
the SRC_URI to fetch using https instead of git. This has started giving
errors in reproducibility testing when one of the RPMs to be compared is
fetched from sstate.
Bump HASHEQUIV_HASH_VERSION and PR so its rebuilt.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Add branch name explicitly to SRC_URI where it's not defined and switch
to using https protocol for Github projects.
The change was made using convert-srcuri script in scripts/contrib.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Add fcntl64 wrapper which hopefully fixes issues seen in findutils and the find
command in the libtool removal code when built with LFS compile flags on Gentoo.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f26867fe4daec7299f59a82ae4a0d70cceb3e082)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Pulls in:
pseudo_db: Flush DB if there is a shutdown request
fcntl: Add support for fcntl F_GETPIPE_SZ and F_SETPIPE_SZ (test fix)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0882095d608ce3abbcc9814517434c21ea549063)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
"make install" may attempt to compile the python modules but it uses the host python
and host paths which means the binaries are not reproducbile. Make things consistent.
If anyone needs compiling, it will beed to be fixed to be cross compile compatible.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1189f95e05c80286e009e1ab46a603ee5b7ca239)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
If the tests fail, dump the log so we can see the failures.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3154a65039831b1e041217707fdd6ca042f588fb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb]
Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3]
Signed-off-by: Pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
On an aarch64 build host, vendor is found to be "unknown", on x86 systems
it is "pc". This filters through to the PLATFORM tag in target rpms.
We saw reproducibility test failures where the PLATFORM tags in noarch
rpms were changing depending upon which host built them. Forcing the
vendor value to a consistent one makes things deterministic.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6434075b2bdfc23c683d22281b674b1e6abde77)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 97a2f406635f51bad1ab070f018a6466209f257b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Apply some changes on the Ruby makefiles in order to fix the reproducibility:
- use a fixed timestamp,
- sort linked objects,
- doesn't use the current date,
- and use UTC date.
[YOCTO #14268]
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 59b07ab51ff932a4632a31675445ba4192bae36b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Pull in the following changes:
* ports/linux/guts: Add closefrom support for glibc 2.34
* pseudo_client: Make msg static in pseudo_op_client
* ports/linux/guts: Add close_range wrapper for glibc 2.34
* pseudo_client: Do not pass null argument to pseudo_diag()
* test-openat: Consider device as well as inode number
* test: Add missing test-statx test case
* fcntl: Add support for fcntl F_GETPIPE_SZ and F_SETPIPE_SZ
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 71b549924a7fa7973a8e03e11f3db45fdc29889d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Since commit [df313aa810 pseudo: Fix to work with glibc 2.34
systems] applied, it fixed native only. And nativesdk has
the similar issue
Tweak library search order, make prebuilt lib ahead of recipe lib,
after apply the fix:
...
$ readelf -a lib/pseudo/lib64/libpseudo.so | grep 'Shared library'
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library:[libpthread.so.0]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d6d116b5db78645958ea30be3d0572e0f6d7bd92)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
The merge of libdl into libc in glibc 2.34 causes problems for pseudo. Add a fix
that works around this issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd3e46a043c81cd4d81731a0f691868d3c059742)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Fixes
../../m4-1.4.18/lib/c-stack.c:55:26: error: missing binary operator before token "("
55 | #elif HAVE_LIBSIGSEGV && SIGSTKSZ < 16384
| ^~~~~~~~
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44ca8edd622782733d507e20a3d5ee9e44eb8be4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Add a fix for reproducibility issues where pyc files for python-config.py
may not always be generated.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d1c3a87c48b598b6e5624d0affe8bd89320631bf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
We don't want the compression thread numbers to be encoded into the rpm
since this results in the rpm not being deterministic. Add a patch
from Alex Kanavin which addresses this issue (was queued for rpm 4.17
but we need to fix this with 4.16 too).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1ba0bf50c72f2506dfa507559c49a70e16cd5124)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e16cd155c5ef7cfe8b4d3a94485cb7b13fd95036)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream don't believe it is a signifiant real world issue and will only
fix in 1.17 onwards. Therefore exclude it from our reports.
https://github.com/golang/go/issues/30999#issuecomment-910470358
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5bd5faf0c34b47b2443975d66b71482d2380a01a)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
CVE is effectively disputed - yes there is stack exhaustion but no bug and it
is building the parser, not running it, effectively similar to a compiler ICE.
Upstream no plans to address and there is no security issue.
https://github.com/westes/flex/issues/414
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0cae5d7a24bedf6784781b62cbb3795a44bab4d1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Upstream don't believe this is an issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit adf7bafee3f8884e525b5639ba092a1cd8e3beb9)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Backport patch to fix CVE-2021-40153, and remove version update in
unsquashfs.c for compatible.
CVE: CVE-2021-40153
Ref:
* https://security-tracker.debian.org/tracker/CVE-2021-40153
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Backport a patch to fix CVE-2021-31799.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|