From: Ricardo Simoes
This commit sets the CVE_PRODUCT variable to "libusb" to match the
product name used in the NIST CPE database [1].
[1]: https://nvd.nist.gov/products/cpe/search
Signed-off-by: Ricardo Simoes
Signed-off-by: Mark Jonas
Signed-off-by: Alexandre
From: Khem Raj
Brings
617a15a9eac9 [clang codegen] Fix MS ABI detection of user-provided
constructors. (#90151)
20b9ed64ea07 [RISCV][ISel] Fix types in tryFoldSelectIntoOp (#90659)
ece9d35f1a70 [GlobalISel] Fix store merging incorrectly classifying an unknown
index expr as 0.
From: Khem Raj
Brings the following fixes
* e6c3289804a6 [CMake][Release] Disable PGO (#88465) (#89000)
* 028e425f86cc [MIPS] Fix the opcode of max.fmt and mina.fmt (#85609)
* e3c832b37b0a Fix override keyword being print to the left side
* 1d3f5da4 Revert "[Mips] Fix missing
Pick some commits from master:
* llvm updates to match meta-clang scarthgap branch
* security related (CVE, CVE_PRODUCT, version)
Note that the libusb1 CVE_PRODUCT patch is not on master yet; it was
picked from the abelloni/master-next branch.
Khem Raj (3):
llvm: Upgrade to 18.1.4
llvm: Upgrade
From: Soumya Sambu
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in
tinfo/lib_termcap.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45918
(From OE-Core rev: 6573995adf4cfd48b036f8463b39f3864fcfd85b)
Signed-off-by: Soumya Sambu
Signed-off-by:
From: Khem Raj
git checkouts are in excess of 3G, which is not
ideal for everyone to download/clone; instead, switch to
fetching the release tarball, which is ~126M as of the 18.1.5 release
(From OE-Core rev: 800e6576e4f3af10846af13c2f217f986c1afdb4)
Signed-off-by: Khem Raj
From: Peter Marko
This hash is ahead of the tag, so adapt PV accordingly.
(From OE-Core rev: c94e46019a7d443ccc4763ba16d87e7e97abe977)
Signed-off-by: Peter Marko
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
meta/recipes-core/update-rc.d/update-rc.d_0.8.bb | 1 +
1
via lists.openembedded.org
> wrote:
> >
> > Hi Peter,
> >
> > On 5/22/24 11:10 PM, Peter Marko via lists.openembedded.org wrote:
> > > Hello,
> > >
> > > I'd like to request following backports from master to scarthgap
> > >
> >
From: Peter Marko
The single executable ttyrun is taken out of the s390-tools repository,
which contains a ton of other helper tools.
CVEs are not assigned to executables, but to whole components.
Historically there also already exists one CVE for s390-tools.
Most of the CVEs will not be for ttyrun, but this
Hello,
I'd like to request the following backports from master to scarthgap
To match versions in scarthgap branches between oe-core and meta-clang:
adc2651a8e902af24fee6ff30a72f4b7c63bef6f llvm: Upgrade to 18.1.4
02df2fc6241ac8fb0e78f2fdff97a04e5c561d54 llvm: Upgrade to 18.1.5
Fix CVEs:
-Original Message-
From: Alexander Kanavin
Sent: Tuesday, May 21, 2024 21:31
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror
> On Tue, 21 May 2024 at 21:17, Marko, Peter wrote:
> > I
-Original Message-
From: Alexander Kanavin
Sent: Tuesday, May 21, 2024 12:17
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror
> On Sat, 18 May 2024 at 23:30, Peter Marko
From: Peter Marko
Removed 4 backported patches included in this release.
Updated patches by devtool.
License-Update: copyright years refreshed
Signed-off-by: Peter Marko
---
.../files/0001-Fix-CVE-2023-29491.patch | 462
...eset-code-ncurses-6.4-patch-20231104.patch |
From: Peter Marko
github.com/mirror/ncurses has not been updated for over a year.
Switch to new mirror from Thomas Dickey (ncurses maintainer).
Sources are identical.
Updated upstream check regex by:
* changed dot to underscore as this repo is tagged like this
* added v prefix to not propose updates
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 179 ++
.../openssl/openssl_3.3.0.bb | 1 +
2 files changed, 180 insertions(+)
create mode 100644
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 179 ++
.../openssl/openssl_3.2.1.bb | 1 +
2 files changed, 180 insertions(+)
create mode 100644
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 180 ++
.../openssl/openssl_3.0.13.bb | 1 +
2 files changed, 181 insertions(+)
create mode 100644
This will not apply to scarthgap-nut as that already has the same version as
master...
g/pipermail/libc-alpha/2022-May/139167.html
> but the discussion upstream stopped shortly after and the oe-core change was
> never merged because of that. Maybe it's time to re-check and ping upstream
> again after 2 years.
>
> Cheers,
>
> On Mon, May 6, 2024 at 9:46 AM
Hello Marta,
Glibc fixes are already staged in scarthgap-nut.
It would be interesting to check why the prototype does not list glib-2.0
CVE-2024-34397, which is staged there too.
Peter
From: yocto-secur...@lists.yoctoproject.org
On Behalf Of Marta Rybczynska via
lists.yoctoproject.org
Sent:
From: Peter Marko
Handle regression of CVE-2024-34397 fix.
News
(https://gitlab.gnome.org/GNOME/glib/-/commit/d40f72e98e4734ba826ba9a278814530720ba760):
Overview of changes in GLib 2.78.6, 2024-05-08
==
* Fix a regression with IBus caused by the fix
From: Peter Marko
Handle CVE-2024-34397
Remove backported patch included in this release.
News
(https://gitlab.gnome.org/GNOME/glib/-/commit/d18807b5ffc6dedc2db5225b044063f65720bf56):
Overview of changes in GLib 2.78.5, 2024-05-07
==
* Fix
From: Peter Marko
The license per [1] is LGPL-2.1-or-later and
[2] converted last LGPL-2.1-only references.
License-Update: corrected from LGPL-2.1-only to LGPL-2.1-or-later based on [1]
and [2]
[1] https://www.gnu.org/software/libc/
[2]
From: Khem Raj
Sent: Sunday, May 5, 2024 21:22
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] glibc: correct license
> On Sun, May 5, 2024 at 2:18 AM Peter Marko via http://lists.openembedded.org
>
From: Peter Marko
The license per https://www.gnu.org/software/libc/ is LGPL-2.1-or-later.
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae
converted last LGPL-2.1-only references.
License-Update: correction
Signed-off-by: Peter Marko
---
From: Peter Marko
Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
Changes:
54a666dc5c elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE
3a38600cc7 malloc: Exit early on test failure in tst-realloc
924a98402a nscd: Use time_t for return type of
From: Peter Marko
Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
Changes:
273a835fe7 time: Allow later version licensing.
acc56074b0 nscd: Use time_t for return type of addgetnetgrentX
836d43b989 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug
I wonder if we could name it "U" instead of "UNPACKDIR".
It will mostly be used in the same places as all the other short names like
S/B/T...
Peter
From: Peter Marko
There was no CVE assigned but the commit message is clear.
Signed-off-by: Peter Marko
---
...ix-multiple-security-vulnerabilities.patch | 107 ++
.../libarchive/libarchive_3.6.2.bb| 4 +-
2 files changed, 110 insertions(+), 1 deletion(-)
create
From: Peter Marko
Addresses CVEs:
* CVE-2023-52425 (bundled expat)
* CVE-2023-6597 (https://github.com/python/cpython/pull/112840)
News: https://github.com/python/cpython/blob/3.10/Misc/NEWS.d/3.10.14.rst
Signed-off-by: Peter Marko
---
.../python/{python3_3.10.13.bb => python3_3.10.14.bb}
Looks like the yocto-5.0 tag in the openembedded-core repository was done on master
instead of the scarthgap branch.
The tag in the poky repository seems to be fine.
Peter
From: Peter Marko
Addresses CVE-2024-2961
Remove backported patch included in hash update.
Changes:
31da30f23c iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
sequence (CVE-2024-2961)
423099a032 x86_64: Exclude SSE, AVX and FMA4 variants in libm multiarch
04df8652eb Apply
From: Peter Marko
Addresses CVE-2024-2961
Changes:
36280d1ce5 iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
sequence (CVE-2024-2961)
4a7de5e215 powerpc: Fix ld.so address determination for PCREL mode (bug 31640)
f4a45af368 AArch64: Check kernel version for SVE ifuncs
An identical patch was already submitted and then requested to be ignored because
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670
Since the vulnerability report claims that our version IS vulnerable, it would
be
From: Peter Marko
The single executable ttyrun is taken out of the s390-tools repository,
which contains a ton of other helper tools.
CVEs are not assigned to executables, but to whole components.
Historically there also already exists one CVE for s390-tools.
Most of the CVEs will not be for ttyrun, but this
I think that sending this patch was correct, see comments below.
Peter
From: openembedded-core@lists.openembedded.org
On Behalf Of Tim Orling via
lists.openembedded.org
Sent: Sunday, April 14, 2024 6:45
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject:
From: Peter Marko
Patch:
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
News:
https://github.com/openssl/openssl/commit/b7acb6731a96b073d6150465bd090e2052a595c2
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-2511.patch | 120
From: Peter Marko
Patch:
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
News:
https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-2511.patch | 122
@lists.openembedded.org
Subject: Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts
> On Fri, Apr 12, 2024 at 10:02 AM Peter Marko via lists.openembedded.org
> wrote:
> >
> > I know that binary patches are problematic over mailing list.
> > Here the patch as zipped
From: Peter Marko
backport relevant parts from
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
Signed-off-by: Peter Marko
---
.../ncurses/files/CVE-2023-50495.patch| 81 +++
.../ncurses/ncurses_6.3+20220423.bb | 1 +
2 files
embedded.org
> > Subject: Re: [OE-core][PATCH] systemd: make predictable name mac
> > policy opt-out
> >
> > > On 8 Apr 2024, at 08:04, Peter Marko via lists.openembedded.org
> > > wrote:
> > > > + ${@bb.utils.contains('PAC
I know that binary patches are problematic over a mailing list.
Here is the patch as a zipped attachment just in case.
Peter
From: Peter Marko
Pine keymap was added with GPL-3 license.
https://github.com/legionus/kbd/commit/1589e9e1019756b5287b41dddcd7285271c5990e
Split this GPL-3 keymap and install it via recommendation
so it is easy to remove it by excluding recommendations.
Signed-off-by: Peter Marko
---
From: Peter Marko
Its license makes it impossible to distribute kbd
in any commercial products.
Backport commit which removes it.
Signed-off-by: Peter Marko
---
.../0001-Remove-non-free-Agafari-fonts.patch | 336 ++
meta/recipes-core/kbd/kbd_2.6.4.bb| 3 +
2
From: Peter Marko
GPL-3 is used for keymaps-pine
LGPL2 is used in all C source files under src/libkfont/
which generate binaries included in main kbd package.
This is seen in their SPDX headers.
Signed-off-by: Peter Marko
---
meta/recipes-core/kbd/kbd_2.6.4.bb | 16 +---
1 file
kbd consists of many parts with different licenses which
are not properly documented/handled.
This series tries to fix the most problematic issues,
which are non-commercial and gpl-3 licenses.
Peter Marko (3):
kbd: split gpl-3 keymap to separate package
kbd: remove non-free Agafari fonts
-Original Message-
From: Ross Burton
Sent: Wednesday, April 10, 2024 18:00
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out
> On 8 Apr 2024, at 08:04, Peter Marko
From: Peter Marko
Even the patch says it's inappropriate for upstream,
and it's also inappropriate for some downstream projects.
So make it possible to opt out of it by replacing
the patch with sed and depending on the distro feature pni-names.
Signed-off-by: Peter Marko
---
From: Peter Marko
oldincludedir was removed by 506c91cbc6a604a84e37e53ccff430436369802e
Signed-off-by: Peter Marko
---
meta/conf/bitbake.conf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 6f180d18b0..ba8bd5f975
-Original Message-
From: Ross Burton
Sent: Wednesday, April 10, 2024 18:18
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out
> On 8 Apr 2024, at 08:04, Peter Marko
From: Peter Marko
This hash is ahead of the tag, so adapt PV accordingly.
Signed-off-by: Peter Marko
---
meta/recipes-core/update-rc.d/update-rc.d_0.8.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
-Original Message-
From: Alexander Kanavin
Sent: Tuesday, April 9, 2024 11:16
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out
> On Mon, 8 Apr 2024 at 09:06, Peter Marko
From: Peter Marko
Even the patch says it's inappropriate for upstream,
and it's also inappropriate for some downstream projects.
So make it possible to opt out of it.
Signed-off-by: Peter Marko
---
meta/recipes-core/systemd/systemd_255.4.bb | 4 +++-
1 file changed, 3 insertions(+), 1
100, Peter Marko via
> lists.openembedded.org wrote:
> > From: Peter Marko
> >
> > Following workflow is broken when built from sstate-cache:
> > https://docs.yoctoproject.org/singleindex.html#setting-up-the-extensible-sdk-environment-directly-in-a-yocto-build
> >
From: Peter Marko
Picked patch from https://github.com/libexpat/libexpat/pull/842
which is referenced in the NVD CVE report.
Signed-off-by: Peter Marko
---
.../expat/expat/CVE-2024-28757.patch | 58 +++
meta/recipes-core/expat/expat_2.5.0.bb| 1 +
2 files
From: Peter Marko
Following workflow is broken when built from sstate-cache:
https://docs.yoctoproject.org/singleindex.html#setting-up-the-extensible-sdk-environment-directly-in-a-yocto-build
This is already broken in kirkstone.
Reproducer:
$ bitbake meta-ide-support && bitbake build-sysroots
I already mentioned this last week.
https://lists.openembedded.org/g/openembedded-core/message/196199
I think that partial NVD DB update is not working properly as things which were
corrected by NVD are still showing up in patchmetrics but not in email reports.
For example:
Hello,
It looks like the
graph in https://autobuilder.yocto.io/pub/non-release/patchmetrics/
and the list in
https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-kirkstone.txt
are no longer updated properly and show an old status compared to this email.
Peter
Hello,
This change looks like the right way forward, but it will need two things first:
* dissolve cve-extra-exclusions.inc into recipes, as every exclusion in that
file will generate a warning in all components except the one for which the
exclusion actually is meant
* create a (per-recipe)
From: Peter Marko
This CVE was backported to the glibc 2.35 branch 9 months ago.
NVD recently updated the CPE and it appeared in the kirkstone cve reports.
https://sourceware.org/git/?p=glibc.git;a=log;h=refs/heads/release/2.35/master
gmon: Fix allocated buffer overflow (bug 29444)
From: Peter Marko
CVE-2023-36191 is now rejected in the NVD DB so it won't show up in
the cve-check report anymore.
Signed-off-by: Peter Marko
---
meta/recipes-support/sqlite/sqlite3_3.43.2.bb | 3 ---
1 file changed, 3 deletions(-)
diff --git a/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
From: Peter Marko
This fixes CVE-2024-0232
Signed-off-by: Peter Marko
---
.../sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-support/sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb}
(78%)
diff --git
From: Peter Marko
This CVE reports a bug which was fixed in 3.43.2 by [1].
Code analysis shows that it is fixing a caching issue
and this cache was introduced by [2].
This landed only in 3.43.0 so 3.85.5 is not affected.
[1] https://sqlite.org/src/info/5b09212ac05615fc
[2]
From: Peter Marko
This CVE reports a bug which was fixed in 3.43.2 by [1].
Code analysis shows that it is fixing a caching issue
and this cache was introduced by [2].
This landed only in 3.43.0 so 3.85.5 is not affected.
[1] https://sqlite.org/src/info/5b09212ac05615fc
[2]
-Original Message-
From: Ross Burton
Sent: Monday, January 22, 2024 15:27
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992
> On 22 Jan 2024, at 14:16, Marko, Peter wrote:
> >
> > Hi Ross,
>
Hi Ross,
I think this one is better -
https://lists.openembedded.org/g/openembedded-core/message/193603
I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is
not matching, not our configuration options...
Peter
-Original Message-
From:
From: Peter Marko
Documentation for this patch is under
https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3
Signed-off-by: Peter Marko
---
meta/recipes-core/dropbear/dropbear.inc | 1 +
.../dropbear/dropbear/CVE-2023-48795.patch| 234 ++
From: Peter Marko
Backport https://sqlite.org/src/info/0e4e7a05c4204b47
Signed-off-by: Peter Marko
---
.../sqlite/files/CVE-2023-7104.patch | 44 +++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644
From: Peter Marko
This CVE is for CPE cloudflare:zlib.
An alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
Signed-off-by: Peter Marko
---
meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++
1
From: Peter Marko
This CVE is for CPE cloudflare:zlib.
An alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
Signed-off-by: Peter Marko
---
meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++
1
From: Peter Marko
This CVE is for CPE cloudflare:zlib.
An alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
Signed-off-by: Peter Marko
---
meta/recipes-core/zlib/zlib_1.3.bb | 1 +
1 file
Hi Alex,
I'm upgrading my layer from kirkstone to scarthgap and observed that my image
failed due to gpl3 license.
I want to conveniently install whole alsa-utils except for parts where license
forbids me to do it.
After your patch I would need to list all alsa-utils subpackages except the
CVE_STATUS was not backported to kirkstone.
Any idea how to skip some tests for old branches?
Peter
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Patchtest via
lists.openembedded.org
Sent: Wednesday, January 10, 2024 12:48
To: Vivek Kumbhar
Cc:
-Original Message-
From: Richard Purdie
Sent: Wednesday, December 13, 2023 22:58
To: Marko, Peter (ADV D EU SK BFS1) ;
openembedded-core@lists.openembedded.org; Kanavin, Alexander (EXT) (Linutronix
GmbH)
Subject: Re: [OE-core][PATCH] dtc: pass version as parameter instead of
querying
From: Peter Marko
Since the switch from Makefile to meson-based build,
the version is no longer hardcoded but queried from the git tag.
This works only if git history is available.
When shallow tarballs are used, the tag is not available.
Example error for trusted-firmware-a from meta-arm:
dtc version too
100, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko
> >
> > Since switch from Makefile to meson based build, the version is no
> > longer hardcoded but queried from git tag.
> >
> > This works only if git history is availabl
From: Peter Marko
Since the switch from Makefile to meson-based build,
the version is no longer hardcoded but queried from the git tag.
This works only if git history is available.
When shallow tarballs are used, the tag is not available.
Example error for trusted-firmware-a from meta-arm:
dtc version too
I don't think that this is a good idea.
Currently you have the possibility to add to your IMAGE_INSTALL either tzdata (to
install all data) or tzdata-core (to install the minimal subset).
After this change, you can add tzdata or tzdata-core to install the minimal subset
(these packages will now be equal).
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Marco Felsch via
lists.openembedded.org
Sent: Tuesday, November 28, 2023 23:48
To: openembedded-core@lists.openembedded.org
Cc: yo...@pengutronix.de; m...@pengutronix.de
Subject: [OE-core] [PATCH] json-c: fix
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Xu, Lizhi via
lists.openembedded.org
Sent: Tuesday, November 28, 2023 9:45
To: Marko, Peter (ADV D EU SK BFS1)
Cc: alex.kier...@gmail.com; openembedded-core@lists.openembedded.org
Subject: Re: [PATCH V2]
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Xu, Lizhi via
lists.openembedded.org
Sent: Tuesday, November 28, 2023 3:38
To: alex.kier...@gmail.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH V2] [OE-core] tzdata: Reduced time zone
From: Peter Marko
Sometimes NVD servers are unstable and return too many errors.
Last time we increased the number of attempts from 3 to 5, but
increasing it further is not reasonable, as in the normal case
too many retries are just abusive.
Keep retries low by default and allow increasing them as needed.
From: Peter Marko
This variable is not referenced in oe-core anymore.
Signed-off-by: Peter Marko
---
v2: typo in commit message
meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ---
1 file changed, 3 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
From: Peter Marko
Sometimes NVD servers are unstable and return too many errors.
Last time we increased the number of attempts from 3 to 5, but
increasing it further is not reasonable, as in the normal case
too many retries are just abusive.
Keep retries low by default and allow increasing them as needed.
From: Peter Marko
This variable is not referenced in oe-core anymore.
Signed-off-by: Peter Marko
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ---
1 file changed, 3 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
Yes, nvd servers are in a really bad state currently.
I need up to 12 retries on http calls to get through...
I will contribute to make the retry count value (currently hardcoded to 5)
configurable via variable.
I'm planning to run it at low default and increase temporarily when quality
decreases.
From: openembedded-core@lists.openembedded.org
On Behalf Of Khem Raj via
lists.openembedded.org
> The rcS script that busybox-init provides is able to run scripts that
> are available as part of sysvinit, therefore it's fine to keep sysvinit
> distro feature enabled so that we can build complex
From: Peter Marko
These CVEs affect path handling on Windows.
Signed-off-by: Peter Marko
---
meta/recipes-devtools/go/go-1.17.13.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
b/meta/recipes-devtools/go/go-1.17.13.inc
index
From: Peter Marko
Other spaces use the Go architecture definitions as their own (for
example, container arches are defined to be Go arches). To make it
easier for other places to use this mapping, move the code that does the
translation of OpenEmbedded arches to Go arches to a library.
(From
The new website looks nice, just https://yoctoproject.org/development/releases/
is populated by:
Plugin JSON Content Importer Pro not running: Check Licence! Check that a
Licence is active for https://yoctoproject.org
Instead of actual release data.
Peter
From: yo...@lists.yoctoproject.org On
From: Peter Marko
This vulnerability was introduced in 2.36, so 2.31 is not vulnerable.
Signed-off-by: Peter Marko
---
meta/recipes-core/glibc/glibc_2.31.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb
From: Peter Marko
This vulnerability was introduced in 2.36, so 2.35 is not vulnerable.
Signed-off-by: Peter Marko
---
meta/recipes-core/glibc/glibc_2.35.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb
From: Peter Marko
Backport the patch for the gitlab issue mentioned in the NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Also backport one of the 14 patches for an older issue with similar errors
to get a clean cherry-pick without patch fuzz.
*
Gentle ping.
It would be great to have this in next kirkstone release which will be built in
a week.
Hello Marta,
The major reason why we introduced CVE_STATUS was exactly to avoid patches like this.
There were ideas to introduce 5 or 10 or 15 different statuses and we decided
to keep 3 and introduce “sub-statuses”.
These sub-statuses are listed in cve reports, too.
Currently we have three main
From: Peter Marko
https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023
Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs.
From: Peter Marko
https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023
Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs.
From: Peter Marko
Backport commit merged to develop branch from PR linked in NVD report:
* https://nvd.nist.gov/vuln/detail/CVE-2023-45853
* https://github.com/madler/zlib/pull/843
Signed-off-by: Peter Marko
---
.../zlib/zlib/CVE-2023-45853.patch| 42 +++
ed machine failed (e.g. due to
temporary network problem).
Did you check log on the networked machine?
Peter
>
> Le ven. 6 oct. 2023 à 22:10, Peter Marko via lists.openembedded.org
> a écrit :
> >
> > From: Peter Marko
> >
> > Addresses CVE-2023-4911.
> >
-Original Message-
From: Marek Vasut
Sent: Monday, October 9, 2023 21:28
To: Marko, Peter (ADV D EU SK BFS1) ;
richard.pur...@linuxfoundation.org
Cc: Alexandre Belloni ; st...@sakoman.com;
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate
1 - 100 of 163 matches