Age | Commit message (Collapse) | Author |
|
With MountFlags=slave, those mounts then become private to the systemd-udevd
namespace and are no longer accessible from outside the namespace, which is
not expected
[YOCTO #8613]
(From OE-Core rev: 73f43d857fe0102033f25491007b6dbe3d5fa8ee)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f2092e67ea880301058396b831a9a18905317d0d)
Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The backported upgrade to 1.0.2h included an updated GNU LD
version-script which results in an ABI change. In order to try and
respect ABI for existing binaries built against fido this commit
partially reverts the version-script to maintain the existing ABI
and instead only add the new symbols required by 1.0.2h.
Suggested-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* CVEs:
- CVE-2016-0705
- CVE-2016-0798
- CVE-2016-0797
- CVE-2016-0799
- CVE-2016-0702
- CVE-2016-0703
- CVE-2016-0704
- CVE-2016-2105
- CVE-2016-2106
- CVE-2016-2109
- CVE-2016-2176
* The LICENSE's checksum is changed because of date changes (2011 ->
2016), the contents are the same.
* Remove backport patches
- 0001-Add-test-for-CVE-2015-3194.patch
- CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
- CVE-2015-3194-1-Add-PSS-parameter-check.patch
- CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
- CVE-2015-3197.patch
- CVE-2016-0701_1.patch
- CVE-2016-0701_2.patch
- CVE-2016-0800.patch
- CVE-2016-0800_2.patch
- CVE-2016-0800_3.patch
* Update crypto_use_bigint_in_x86-64_perl.patch
* Add version-script.patch and update block_diginotar.patch (From master branch)
* Update openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
(From Armin)
(From OE-Core master rev: bca156013af0a98cb18d8156626b9acc8f9883e3)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
This backports a patch from gtk+ upstream to prevent an issue when
building on Fedora 23 hosts.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Changes affecting future time stamps
America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30.
(Thanks to Alexander Krivenyshev for the heads-up.)
Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
(Thanks to Alexander Krivenyshev and Matt Johnson.)
New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers
Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29
at 02:00. (Thanks to Stepan Golosunov.)
Changes affecting past time stamps
New zone Europe/Kirov, split off from Europe/Volgograd. It covers
Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on
1989-03-26 at 02:00, roughly a year after Europe/Volgograd made
the same change. (Thanks to Stepan Golosunov.)
Russia and nearby locations had daylight-saving transitions on
1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on
1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan
Golosunov.)
Many corrections to historical time in Kazakhstan from 1991
through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's
invented time zone abbreviations with numeric abbreviations.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(From OE-Core master rev: 10194ca3d8c2f4d8648a685c5c239a33d944b6fe)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
they keep the versions in-sync. changes are all in data.
Changes affecting future time stamps
America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30.
(Thanks to Alexander Krivenyshev for the heads-up.)
Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
(Thanks to Alexander Krivenyshev and Matt Johnson.)
New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers
Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29
at 02:00. (Thanks to Stepan Golosunov.)
Changes affecting past time stamps
New zone Europe/Kirov, split off from Europe/Volgograd. It covers
Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on
1989-03-26 at 02:00, roughly a year after Europe/Volgograd made
the same change. (Thanks to Stepan Golosunov.)
Russia and nearby locations had daylight-saving transitions on
1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on
1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan
Golosunov.)
Many corrections to historical time in Kazakhstan from 1991
through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's
invented time zone abbreviations with numeric abbreviations.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(From OE-Core master rev: db8223e4dd2e513a656aedfae217d94e053c2366)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core master rev: 41adb87c2f1aa20e51f1af3542d65c920eb94be6)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The 2016c release of the tz code and data is available. Its most urgent change is for Asia/Baku, where the update takes effect this weekend.
This release reflects the following changes, which were either circulated on the tz mailing list or are relatively minor technical or administrative changes:
Changes affecting future time stamps
Azerbaijan no longer observes DST. (Thanks to Steffen Thorsen.)
Chile reverts from permanent to seasonal DST. (Thanks to Juan
Correa for the heads-up, and to Tim Parenti for corrections.)
Guess that future transitions are August's and May's second
Saturdays at 24:00 mainland time. Also, call the period from
2014-09-07 through 2016-05-14 daylight saving time instead of
standard time, as that seems more appropriate now.
Changes affecting past time stamps
Europe/Kaliningrad and Europe/Vilnius changed from +03/+04 to
+02/+03 on 1989-03-26, not 1991-03-31. Europe/Volgograd changed
from +04/+05 to +03/+04 on 1988-03-27, not 1989-03-26.
(Thanks to Stepan Golosunov.)
Changes to commentary
Several updates and URLs for historical and proposed Russian changes.
(Thanks to Stepan Golosunov, Matt Johnson, and Alexander Krivenyshev.)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core master rev: 66031bcf8cec2e8e7a6803f2c6cfc2c2ba071ffe)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
change SRC_URI http seems more reliable
Changes to code
tzselect's diagnostics and checking, and checktab.awk's checking,
have been improved. (Thanks to J William Piggott.)
tzcode now builds under MinGW. (Thanks to Ian Abbott and Esben Haabendal.)
tzselect now tests Julian-date TZ settings more accurately.
(Thanks to J William Piggott.)
Changes to commentary
Comments in zone tables have been improved. (Thanks to J William Piggott.)
tzselect again limits its menu comments so that menus fit on a
24x80 alphanumeric display.
A new web page tz-how-to.html. (Thanks to Bill Seymour.)
In the Theory file, the description of possible time zone abbreviations in
tzdata has been cleaned up, as the old description was unclear and
inconsistent. (Thanks to Alain Mouette for reporting the problem.)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core master rev: 0c4816c1f723951179988a274f236f28fe4db20f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
updated SRC_URI to http as it seems more stable.
Changes affecting future time stamps
New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and
Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04 on
2016-03-27 at 02:00 local time. They need distinct zones since their
post-1970 histories disagree. New zone Asia/Barnaul for Altai Krai and
Altai Republic, Russia, which will switch from +06 to +07 on the same date
and local time. Also, Asia/Sakhalin moves from +10 to +11 on 2016-03-27
at 02:00. (Thanks to Alexander Krivenyshev for the heads-up, and to
Matt Johnson and Stepan Golosunov for followup.)
As a trial of a new system that needs less information to be made up,
the new zones use numeric time zone abbreviations like "+04"
instead of invented abbreviations like "ASTT".
Haiti will not observe DST in 2016. (Thanks to Jean Antoine via
Steffen Thorsen.)
Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
(Thanks to Hannah Kreitem.) Guess future transitions will be March's last
Saturday at 01:00, not March's last Friday at 24:00.
Changes affecting past time stamps
Europe/Chisinau observed DST during 1990, and switched from +04 to
+03 at 1990-05-06 02:00, instead of switching from +03 to +02.
(Thanks to Stepan Golosunov.)
1991 abbreviations in Europe/Samara should be SAMT/SAMST, not
KUYT/KUYST. (Thanks to Stepan Golosunov.)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core master rev: d3ab7005f0c899da9f9f132b22861bd5d4f952ba)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=31e4657cf246e41d4c5c890315cb6cf89a0db25a
CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The SRCREV in the busybox git recipe did not point to a commit ID
on the master branch. Point the variable to something reachable from
the master branch (which fixes this recipe's fetch()).
Suggested-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Brad Mouring <brad.mouring@ni.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Busybox upstream fixed the issue where an incorrect comparison of
addresses led to bogus renegotiation of a new ll ip in 1.24. Backport
this change to 1.23.1.
Signed-off-by: Brad Mouring <brad.mouring@ni.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The code assumes that PKG_DATADIR exists and will fail if an image has not been
generated which creates it. This occurs when something like buildtools-tarball
is built which doesn't have target packages, only nativesdk ones.
Since this shouldn't be fatal, workaround this by creating the missing
directory.
(From OE-Core master rev: 319c5d55bb0c7e429766f46dd42a15e16a43c4dd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Ubuntu 15.10 and Debian testing can't build qemu-native against the host libsdl.
Now that libsdl-native is buildable, comment out the ASSUME_PROVIDED which meant
it wouldn't be used.
[ YOCTO #8553 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
(From OE-Core master rev: 81f009d173f24501ab0e04d845db74ecb5f8e332)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The Xorg libraries use REQUIRED_DISTRO_FEATURES to stop building on
distributions without the x11 feature but this stops people building native
tooling that uses libX11, such as libsdl-native.
(From OE-Core master rev: 161bb3409edee21827cf594cc011fe88185f1496)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxcb change removed as it's not valid in fido
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
When the DEPENDS are added as part of the PACKAGECONFIG logic the list of
packages are expanded so that any required nativesdk-/-native/multilib prefixes
and suffixes are added.
However the special handling of virtual/foo names doesn't check that the prefix
already exists, which breaks under nativesdk as in that situation there's an
explicit nativesdk- prefix *and* MLPREFIX is set to nativesdk-. This results in
the same prefix being applied twice, and virtual packages such as virtual/libx11
ending up as virtual/nativesdk-nativesdk-libx11.
(From OE-Core master rev: 9e7d207e207bf0319b09d403d87d37f24e3dfbee)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Use PACKAGECONFIG instead of using logic in DEPENDS and EXTRA_OECONF, adding new
options for PulseAudio, tslib, DirectFB, OpenGL and X11. Pass
--disable-x11-shared so that it links to the X libraries instead of using
dlopen().
Disable tslib by default as the kernel event input subsystem is generally used.
SDL's OpenGL support requires X11 so check for both x11 and opengl, and merge
the dependencies.
Finally enable native builds, with a minimal PACKAGECONFIG that will build from
oe-core for native and nativesdk.
(From OE-Core master rev: 3d6c31c3a4ff34376e17005a981bb55fc6f7a38f)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The libglu requires both opengl (depends on virtual/libgl) and x11
(needs libGL.so which is provided by mesa when x11 in DISTRO_FEATURES),
so let libsdl depends on libglu when both x11 and opengl in
DISTRO_FEATURES.
(From OE-Core master rev: b33e927096292f22f1bd9b2b0f633a6d645fc1eb)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
The default test list only works for rpm packaging. This fixes it for
deb and ipk too.
(From OE-Core master rev: 210c8926405fcf695ec00f5768f29ba198320d6a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
ISC DHCP allows remote attackers to cause a denial of
service (application crash) via an invalid length field
in a UDP IPv4 packet.
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The variable in question should have been called ecc->p. The patch has been
updated so that the compilation of the nettle recipe would complete
successfully. The backport originated from this commit
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
Signed-off-by: ngutzmann <nathangutzmann@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
https://www.openssl.org/news/secadv/20160301.txt
Signed-off-by: Armin Kuster <akuster@mvista.com>
Not required for master, an update to 1.0.2g has been submitted.
Backport from jethro.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
Backport patch from http://w1.fi/security/2015-5/
and rebase for wpa-supplicant 2.4
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Not needed in master since the upgrade to 2.5
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-7545 git: arbitrary code execution via crafted URLs
Signed-off-by: Armin Kuster <akuster@mvista.com>
Already in Jethro, not needed in master due to shipping a version of git
which is already fixes (> 2.6.1)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
(From OE-Core master rev: 7474c7dbf98c1a068bfd9b14627b604da5d79b67)
minor tweak to get x86_64/ecc-384-modp.asm to apply
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
(From OE-Core master rev: f62eb452244c3124cc88ef01c14116dac43f377a)
hand applied changes for ecc-256.c
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\
(From OE-Core master rev: 1656eaa722952861ec73362776bd0c4826aec3da)
Hand applied Changelog changes.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
rpcbind: Fix memory corruption in PMAP_CALLIT code
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT
code.
The patch comes from
<http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
been in rpcbind upstream yet.
(From OE-Core master rev: cc4f62f3627f3804907e8ff9c68d9321979df32b)
(From OE-Core rev: 224bcc2ead676600bcd9e290ed23d9b2ed2f481e)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
(From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378)
hand applied changed to url.c
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows
(From OE-Core master rev: b2c9b48dea2fd968c307a809ff95f2e686435222)
minor tweak to tool_operate.c to get it to apply
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves
affects libgcrypt < 1.6.5
adjust SRC_URI + for this version.
Patch 1 is a dependancy patch. simple macro name change.
Patch 2 is the cve fix.
(From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
this patch fixes an incomplete patch in CVE-2015-8126
adjusted dir to match this version.
(From OE-Core master rev: f4a805702df691cbd2b80aa5f75d6adfb0f145eb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
Adjusted dir location to match the version.
(From OE-Core master rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1
(From OE-Core master rev: f2b16d0f9c3ad67fdf63e9e41f42a6d54f1043e4)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-7558 librsvg2: Stack exhaustion causing DoS
including two supporting patches.
(From OE-Core master rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
(From OE-Core master rev: 3e89477c8ad980fabd13694fa72a0be2e354bbe2)
minor tweak to get tif_next.c changes to apply.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images
(From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4)
minor tweek to get Changelog changes to apply
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character
this time with the recipe changes.
(From OE-Core master rev: 62d6876033476592a8ca35f4e563c996120a687b)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character
(From OE-Core master rev: 307056ce062bf4063f6effeb4c891c82c949c053)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-2198 Qemu: usb: ehci null pointer dereference in ehci_caps_write
(From OE-Core master rev: 646a8cfa5398a22062541ba9c98539180ba85d58)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd
affects libbsd <= 0.8.1 (and therefore not needed in master)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
CVE-2015-7547: getaddrinfo() stack-based buffer overflow
(Based on OE-Core rev: cf754c5c806307d6eb522d4272b3cd7485f82420)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
If externalsrc is enabled the 'do_unpack' task is run if the recipe has
some local source files. In the case of kernel recipe this caused the
(externalsrc) source tree to be moved/symlinked. This patch prevents the
behaviour, making sure the source tree is not moved around when
externalsrc is enabled. Instead of moving the source tree,
STAGING_KERNEL_DIR will be a symlink to it.
[YOCTO #6658]
(From OE-Core master rev: 8f6c564661a3801012eb2d9a98cdc99c91712367)
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
this is related to [Yocto # 9008]
8.38:
The following security fixes are included:
CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() compile_regex()
CVE-2015-3217 pcre: stack overflow in match()
CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis
CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec
CVE-2015-8381 pcre: Heap Overflow in compile_regex()
CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group
CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group
CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
CVE-2015-8387 pcre: Integer overflow in subroutine calls
CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups
CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions
CVE-2015-8395 pcre: Buffer overflow caused by certain references
CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS
8.37:
The following security fixes are included:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
LICENSE file changed do to Copyright date updates.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Jethro and master don't require this patch as they have newer libpcre which
contains these fixes.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
* this is left-over from upgrade to 2016a
* it's safer to remove so that .bbappends in other layers really apply to version
used in build (currently we have bbappend for 2015d and build will use 2016a
without any warning
* the same problem was reported with 2015f upgrade:
http://lists.openembedded.org/pipermail/openembedded-core/2015-August/109708.html
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Not required by other branches as this is removing a leftover file in Fido
only.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|