Re: [OE-core] [PATCH] openssl: update from 3.0.8 to 3.1.0

2023-03-14 Thread Randy MacLeod
On 2023-03-15 00:48, Randy MacLeod via lists.openembedded.org wrote: >From the NEWS.md file: ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023] I know we're in feature freeze but this openssl update that came out on March 14th looks interesting. I've sent it in before

[OE-core] [PATCH] openssl: update from 3.0.8 to 3.1.0

2023-03-14 Thread Randy MacLeod
From the NEWS.md file: ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023] * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0. * Performance enhancements and new platform support including new assembler code algorithm implementations. *

[OE-core] [kirkstone][PATCH v2] curl: Add fix for CVE-2023-23914, CVE-2023-23915

2023-03-14 Thread Yu, Mingli
From: Pawan Badganchi Add below patches to fix CVE-2023-23914 [1], CVE-2023-23915 [2] CVE-2023-23914_5-1.patch CVE-2023-23914_5-2.patch CVE-2023-23914_5-3.patch CVE-2023-23914_5-4.patch CVE-2023-23914_5-5.patch [1] https://curl.se/docs/CVE-2023-23914.html [2]

[OE-core][PATCH] rng-tools: disable rngd daemon start by default

2023-03-14 Thread Xiangyu Chen
From: Xiangyu Chen Since we removed the openssh dependency[1] on rng-tools, there are no package requiring rng-tools in oe-core, meta-oe, meta-virt, one of the reasons for keeping rng-tools build into the image is that it can be used to test[2], so adding an option to disable rngd daemon by

Re: [oe-core][PATCH] glib: update 2.74.6 -> 2.76.0

2023-03-14 Thread Alexandre Belloni via lists.openembedded.org
e.cmd" == "/var/volatile/tmp/find_program_for_path_X5MZW11/sub-path/just-an-exe-file.cmd") Bail out! FAIL: glib/utils-c-99.test (Child process killed by signal 6) http://autobuilder.yocto.io/pub/non-release/20230314-13/testresults/qemux86-64-ptest/core-image-ptest-glib-2.0/log.do_

Re: [OE-core] base-files: any reason hosts contains localhost.localdomain

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023, 1:19 AM Jermain Horsman wrote: > Would it be appropriate to backport this to dunfell too? > > If so, should I send in a patch? I'm not entirely sure what the general > process is in these cases. > The correct procedure would be to send a patch to the mailing list for

[OE-core] [PATCH] systemtap: Disable dangling-pointer warning

2023-03-14 Thread Khem Raj
This is to fix build in RISCV64 | In constructor 'symresolution_info::symresolution_info(systemtap_session&, bool)', | inlined from 'int semantic_pass_symbols(systemtap_session&)' at ../git/elaborate.cxx:1884:28: | ../git/elaborate.cxx:2601:21: error: storing the address of local variable

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
I think I'll dig into the checksum capability on crate fetcher in the coming days. For the offline option and the modification of the patch mentioned above, how do you want me to proceed? Submit a dedicated patch for each of these (one for offline option and one for checksum if I can come up with

Re: [OE-core] [poky] [meta-yocto][langdale][connman] Partial integration of CVE-2022-32293 fixes

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 7:16 AM VAUTRIN Emmanuel (Canal Plus Prestataire) wrote: > I have noticed that 2 patches fixing CVE-2022-32293 have been backported on > meta/recipes-connectivity/connman/connman_1.41.bb (b33cf2d113d0 "connman: > Backports for security fixes") > Unfortunately, the last

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 12:22 PM Alex Kiernan wrote: > > On Tue, Mar 14, 2023 at 10:25 AM Frédéric Martinsons > wrote: > > > > Moreover, I think we should add the `--offline` option to cargo build > > because the error generated will be more clear: > > > > Let me chuck that across our code base,

Re: [OE-core] [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916

2023-03-14 Thread Steve Sakoman
On Thu, Mar 2, 2023 at 9:52 PM Pawan Badganchi wrote: > > From: Pawan Badganchi > > Add below patch to fix CVE-2023-23916 > > CVE-2023-23916.patch > > Link: https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2/ > > Signed-off-by: Pawan Badganchi > Signed-off-by: pawan > --- >

Re: [OE-core] [meta][kirkstone][PATCH 1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915

2023-03-14 Thread Steve Sakoman
On Thu, Mar 2, 2023 at 9:52 PM Pawan Badganchi wrote: > > From: Pawan Badganchi > > Add below patches to fix CVE-2023-23914, CVE-2023-23915 > > CVE-2023-23914_5-1.patch > CVE-2023-23914_5-2.patch > CVE-2023-23914_5-3.patch > CVE-2023-23914_5-4.patch > CVE-2023-23914_5-5.patch > > Link:

[OE-core][langdale 00/24] Pull request (cover letter only)

2023-03-14 Thread Steve Sakoman
The following changes since commit b995ea45773211bd7bdd60eabcc9bbffda6beb5c: build-appliance-image: Update to langdale head revision (2023-03-06 15:17:13 +) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/langdale-next

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
On Tue, 14 Mar 2023 at 16:10, Frédéric Martinsons wrote: > Understood, I searched how to add checksum support in crate fetcher but I > don't know enough of bitbake to be effective. You can check how for example http:// fetcher does it by utilizing verify_checksum() from

[OE-core][dunfell 4/6] oeqa/selftest/prservice: Improve debug output for failure

2023-03-14 Thread Steve Sakoman
From: Richard Purdie We keep seeing this failure on the autobuilder but the output amounts to "False is not True". Improve the debug message on the chance it may make the issue clearer. Signed-off-by: Richard Purdie (cherry picked from commit d03f4cf19c2cc96e9d942252a451521dfec42ebc)

[OE-core][dunfell 6/6] linux: inherit pkgconfig in kernel.bbclass

2023-03-14 Thread Steve Sakoman
From: Ming Liu pkgconfig is being required to find dependencies for building kernel native tools, move "inherit pkgconfig" to kernel.bbclass so BSP kernel recipes can also benefit from it. Signed-off-by: Ming Liu Signed-off-by: Alexandre Belloni (cherry picked from commit

[OE-core][dunfell 5/6] vim: add missing pkgconfig inherit

2023-03-14 Thread Steve Sakoman
From: Ross Burton Vim uses pkgconfig to find dependencies but it wasn't present, so it silently doesn't enable features like GTK+ UI. [ YOCTO #15044 ] Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni (cherry picked from commit 70900616298f5e70732a34e7406e585e323479ed)

[OE-core][dunfell 2/6] harfbuzz: Security fix for CVE-2023-25193

2023-03-14 Thread Steve Sakoman
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- .../harfbuzz/CVE-2023-25193-pre0.patch| 335 ++

[OE-core][dunfell 3/6] shadow: ignore CVE-2016-15024

2023-03-14 Thread Steve Sakoman
From: Ross Burton This recently got an updated CPE which matches this recipe, but the issue is related to an entirely different shadow project so ignore it. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni (cherry picked from commit 2331e98abb09cbcd56625d65c4e5d258dc29dd04)

[OE-core][dunfell 0/6] Patch review

2023-03-14 Thread Steve Sakoman
Please review this final set of patches for the dunfell 3.1.24 release. We hope to do the release build this Thursday, so please have any comments back as soon as possible. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5043 The following

[OE-core][dunfell 1/6] gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code

2023-03-14 Thread Steve Sakoman
From: Vivek Kumbhar Remove branching that depends on secret data. since the `ok` variable isn't used any more, we can remove all code used to calculate it Signed-off-by: Vivek Kumbhar Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2023-0361.patch | 85 +++

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
Understood, I searched how to add checksum support in crate fetcher but I don't know enough of bitbake to be effective. I'll check in the Cargo.lock in my project, backport your patch and continue my exploration of the wonderful rust world on embedded device ^^ Thank you very much for the help

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 5:07 AM Valek, Andrej wrote: > > Hello Steve, > > Ok, looks like I received a wrong notification, sorry. So you can keep > there only the 42916. > Basically all the HSTS check features are not implemented in the 7.69.1 > version. I still have the same comment on how we

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Andrej Valek
Hello Steve, Ok, looks like I received a wrong notification, sorry. So you can keep there only the 42916. Basically all the HSTS check features are not implemented in the 7.69.1 version. Regards, Andrej On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote: > On Tue, Mar 14, 2023 at 4:26 AM

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 12:58 PM Frédéric Martinsons wrote: > > On Tue, 14 Mar 2023 at 11:35, Alexander Kanavin > wrote: > > > > --offline seems like the right thing to add, if it produces better errors. > > > > Generating Cargo.lock on the other hand is not right. We rely on rust > > checking

[OE-core] Yocto Project Status 14 March 2023 (WW11)

2023-03-14 Thread Stephen Jolley
Current Dev Position: YP 4.2 M4 Next Deadline: 3rd April 2023 YP 4.2 M4 Build Next Team Meetings: * Bug Triage meeting Thursday March 16th 7:30 am PDT ( https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)

Re: [OE-core] [RFC]] cve-update-nvd2-native: new CVE database fetcher

2023-03-14 Thread Ross Burton
On 14 Mar 2023, at 14:24, Marta Rybczynska wrote: > On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska wrote: > Add new fetcher for the NVD database using the 2.0 API [1]. > The implementation changes as little as possible, keeping the current > database format (but using a different database file

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via lists.openembedded.org wrote: > > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek wrote: > > > > All mentioned CVEs are related to HSTS check feature, which is not > > implemented in version 7.69.1 . > > Is this due to an error in the CPE database?

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek wrote: > > All mentioned CVEs are related to HSTS check feature, which is not > implemented in version 7.69.1 . Is this due to an error in the CPE database? If so, perhaps the better approach would be to send a version correction request to

Re: [OE-core] [RFC]] cve-update-nvd2-native: new CVE database fetcher

2023-03-14 Thread Marta Rybczynska
On Fri, Feb 24, 2023 at 5:22 PM Marta Rybczynska via lists.openembedded.org wrote: > > > On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska > wrote: > >> Add new fetcher for the NVD database using the 2.0 API [1]. >> The implementation changes as little as possible, keeping the current >>

[OE-core] [PATCH] systemd: fix wrong nobody-group assignment

2023-03-14 Thread Piotr Łobacz
The generated /etc/group file had a wrong group name for nobody-group which was nobody with same id as nogroup group. This was leading to duplicate groups, with same ids and different names. More can be read on this link: https://bugzilla.yoctoproject.org/show_bug.cgi?id=11766 Signed-off-by:

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 1:00 PM Frédéric Martinsons wrote: > > On Tue, 14 Mar 2023 at 12:25, Alexander Kanavin > wrote: > > > > The other option is to add checksumming support to crate fetcher in > > bitbake. If all items in src_uri are verified by fetchers directly for > > integrity from

Re: [OE-core] [kirkstone][PATCH] qemu: fix compile error

2023-03-14 Thread Kai Kang
On 3/13/23 23:43, Steve Sakoman wrote: On Tue, Feb 14, 2023 at 4:22 PM Kai Kang wrote: On 2/14/23 22:30, Martin Jansa wrote: Thanks Kai, this should fix what I've reported in: https://lists.openembedded.org/g/openembedded-core/message/176508 once this is merged, can you please add both

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
On Tue, 14 Mar 2023 at 12:25, Alexander Kanavin wrote: > > The other option is to add checksumming support to crate fetcher in bitbake. > If all items in src_uri are verified by fetchers directly for integrity from > checksums in the recipe, the cargo can generate cargo.lock anytime it wants >

[OE-core] [dunfell][PATCH 2/2] qemu: fix compile error

2023-03-14 Thread Kai Kang
From: Kai Kang Backport 2 patches and rebase 0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix compile error: ../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': ../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you

[OE-core] [dunfell][PATCH 1/2] QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read

2023-03-14 Thread Kai Kang
From: Hitendra Prajapati Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman Replace the tabs with spaces to correct the indent. Signed-off-by: Kai Kang ---

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
On Tue, 14 Mar 2023 at 11:35, Alexander Kanavin wrote: > > --offline seems like the right thing to add, if it produces better errors. > > Generating Cargo.lock on the other hand is not right. We rely on rust > checking the source tree against the checksums in Cargo.lock (to > prevent supply chain

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
> Cool, will pick that up... the code needs some tests which is where it > stalled last time. Any help I can provide to you for having this patch merged? Are you talking about unit testing? > > > >

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 10:25 AM Frédéric Martinsons wrote: > > Hello, I finally found why my setup didn't work. That was not related > to https versus ssh. > For the patch provided in > https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/ > to

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
The other option is to add checksumming support to crate fetcher in bitbake. If all items in src_uri are verified by fetchers directly for integrity from checksums in the recipe, the cargo can generate cargo.lock anytime it wants to. Alex On Tue 14. Mar 2023 at 11.35, Alexander Kanavin via

Re: [OE-core] base-files: any reason hosts contains localhost.localdomain

2023-03-14 Thread Jermain Horsman
Would it be appropriate to backport this to dunfell too? If so, should I send in a patch? I'm not entirely sure what the general process is in these cases. Sincerely, Jermain Horsman

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
--offline seems like the right thing to add, if it produces better errors. Generating Cargo.lock on the other hand is not right. We rely on rust checking the source tree against the checksums in Cargo.lock (to prevent supply chain attacks), and this would completely subvert that. There could be

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
Hello, I finally found why my setup didn't work. That was not related to https versus ssh. For the patch provided in https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/ to work, the repository should have a Cargo.lock file. Without the Cargo.lock

Re: [OE-core] [PATCH 2/7] bitbake.conf: do not set native opengl distro feature from target

2023-03-14 Thread Alexander Kanavin
On second thought I'm not sure anymore. The issue comes from items requiring -native versions of themselves, and REQUIRED_DISTRO_FEATURES (which skips unbuildable recipes) doesn't cross that boundary. If opengl is in target features, but not in native features, then it won't figure out that

[OE-core][dunfell][PATCH] libarchive: fix CVE-2022-26280

2023-03-14 Thread Andrej Valek
Backport fix from https://github.com/libarchive/libarchive/issues/1672 Signed-off-by: Andrej Valek --- .../libarchive/CVE-2022-26280.patch | 29 +++ .../libarchive/libarchive_3.4.2.bb| 1 + 2 files changed, 30 insertions(+) create mode 100644

Re: [OE-core] [PATCH 2/7] bitbake.conf: do not set native opengl distro feature from target

2023-03-14 Thread Alexander Kanavin
This means opengl has to be added to DISTRO_FEATURES_NATIVE for this build. I'll send a patch. Alex On Tue, 14 Mar 2023 at 00:10, Khem Raj wrote: > > also seeing below errors which are related too > > ERROR: Nothing PROVIDES 'gtk4-native' (but >

Re: [OE-core] [PATCH V2 4/5] xcb-proto: Fix install conflict when enable multilib.

2023-03-14 Thread Alexander Kanavin
Thanks, in this case the correct fix would be to install xcb-proto.pc into $libdir, as it is indeed library specific. You need to patch Makefile.am in xcb-proto's source tree, and offer the patch to upstream. Alex On Tue, 14 Mar 2023 at 01:49, wan...@fujitsu.com wrote: > > libxcb needs to find

[OE-core] [PATCH] scripts/combo-layer: Fix python deprecation warning

2023-03-14 Thread Richard Purdie
Address: DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13 pipes.quote is an alias for shlex.quote so switch to that. Signed-off-by: Richard Purdie --- scripts/combo-layer | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git