[OE-core] [kirkstone][PATCH v2] json-c: fix CVE-2021-32292

2023-08-29 Thread Adrian Freihofer
This is a read past end of buffer issue in the json_parse test app, which can happen with malformed json data. It's not an issue with the library itself. For whatever reason this CVE has a base score of 9.8. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 Upstream issue:

[OE-core] [PATCH] qemu: Upgrade 8.0.4 -> 8.1.0

2023-08-29 Thread Richard Purdie
This upgrade isn't straightforward as upstream made changes. A pyenv is now needed containing meson. This doesn't work for us for reasons as yet unclear; however, it does mean we need python3native inherited for that to stand a chance of working, as otherwise host system dependencies may be missing.

[OE-core] OpenEmbedded Happy Hour August 30 9pm/2100 UTC

2023-08-29 Thread Denys Dmytriyenko
All, You are cordially invited to the next OpenEmbedded Happy Hour on August 30 for Asia/Pacific timezones @ 2100/9pm UTC (5pm ET / 2pm PT): https://www.openembedded.org/wiki/Calendar https://www.openembedded.org/wiki/Happy_Hours

Re: [OE-core] [PATCH 3/3] stress-ng: upgrade 0.15.08 -> 0.16.04

2023-08-29 Thread Chen Qi via lists.openembedded.org
This upgrade introduces a build failure when DEBUG_BUILD is enabled. I've sent out a patch to disable it in this recipe as a workaround. I've also filed a new issue for stress-ng upstream: https://github.com/ColinIanKing/stress-ng/issues/315 Regards, Qi On 8/17/23 15:38, Anuj Mittal wrote:

[OE-core][PATCH] uninative.bbclass: sync to use UNINATIVE_STAGING_DIR

2023-08-29 Thread Chen Qi via lists.openembedded.org
From: Chen Qi All other places in this bbclass are using ${UNINATIVE_STAGING_DIR}-uninative, we should sync to use that too, although UNINATIVE_STAGING_DIR's default value is STAGING_DIR. Signed-off-by: Chen Qi --- meta/classes-global/uninative.bbclass | 2 +- 1 file changed, 1 insertion(+),

[OE-core] [PATCH 2/3] inetutils: don't guess target paths

2023-08-29 Thread Ross Burton
From: Ross Burton inetutils guesses a lot of target paths in cross builds, and warns that some of them are known to be wrong (for example, whether /proc/net/dev exists is guessed as 'no'). Add a post-configure function to check for these warnings, and pass --with-path-* as appropriate to set

[OE-core] [PATCH 3/3] inetutils: remove obsolete patches

2023-08-29 Thread Ross Burton
From: Ross Burton fix-disable-ipv6.patch: we don't support uclibc, and most libcs don't have optional support for IPv6. inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch and inetutils-1.8-0003-wchar.patch: these don't appear to be needed anymore.

[OE-core] [PATCH 1/3] inetutils: fix CVE-2023-40303

2023-08-29 Thread Ross Burton
From: Ross Burton Backport the patch from upstream. Signed-off-by: Ross Burton --- ...rsh-rshd-uucpd-fix-check-set-id-retu.patch | 283 ++ .../inetutils/inetutils_2.4.bb| 1 + 2 files changed, 284 insertions(+) create mode 100644

[OE-core] [kirkstone][PATCH] json-c: fix CVE-2021-32292

2023-08-29 Thread Adrian Freihofer
This is a read past end of buffer issue in the json_parse test app, which can happen with malformed json data. It's not an issue with the library itself. For whatever reason this CVE has a base score of 9.8. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 Upstream issue:

Re: [OE-core] [PATCH] linux-firmware: add firmware files for NXP BT chipsets

2023-08-29 Thread Tom Hochstein
On Fri, Aug 25, 2023 at 07:37 AM, Tom Hochstein wrote: > > Please hold off on this. The -common design is not working correctly and > is causing those firmware packages to be registered as a runtime > dependency of the main package. Actually, the -common design is working fine, there was just a

[OE-core][mickledore][PATCH 1/1] inetutils: fix CVE-2023-40303

2023-08-29 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade GNU inetutils through 2.4 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges

[OE-core][PATCH] systemd-boot: remove old gummiboot TUNE_CCARGS

2023-08-29 Thread Jose Quaresma
Looks like this is only required when building with the clang toolchain, and the fix is already merged [1] in meta-clang. [1] https://github.com/kraj/meta-clang/commit/83c94b8690f0a2922d28d0db9907c722382263c2 Signed-off-by: Jose Quaresma --- meta/recipes-core/systemd/systemd-boot_254.bb | 3 --- 1

[OE-core][dunfell][PATCH] inetutils: Backport fix for CVE-2023-40303

2023-08-29 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 & https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d Signed-off-by: Vijay Anusuri ---

Re: [OE-core] [PATCH 3/3] libx11-compose-data: add CVE_PRODUCT

2023-08-29 Thread Ross Burton
On 28 Aug 2023, at 08:18, Emil Kronborg Andersen wrote: > No, you are right. However, I think it would make sense to include > CVE_PRODUCT in xorg-lib-common.inc instead. What do you think? That's definitely wrong, as most of the X11 libraries use that file. Ross

[OE-core] [PATCH 2/2] dhcpcd: fix buffer overflow

2023-08-29 Thread Yi Zhao
Backport a patch to fix buffer overflow for strlcpy: $ dhcpcd enp0s3 dhcpcd-10.0.2 starting *** buffer overflow detected ***: terminated dhcpcd_fork_cb: truncated read 0 (expected 4) Signed-off-by: Yi Zhao --- .../dhcpcd/dhcpcd_10.0.2.bb | 1 +

[OE-core] [PATCH 1/2] dhcpcd: upgrade 10.0.1 -> 10.0.2

2023-08-29 Thread Yi Zhao
Changelog: https://github.com/NetworkConfiguration/dhcpcd/releases/tag/v10.0.2 Signed-off-by: Yi Zhao --- .../dhcpcd/{dhcpcd_10.0.1.bb => dhcpcd_10.0.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/dhcpcd/{dhcpcd_10.0.1.bb =>

[OE-core][PATCH] pybootchartgui: also match subtasks of the main ones

2023-08-29 Thread Jose Quaresma
This will match other deviated subtasks of the same main task; a couple of them can be found in the oe-core layer: do_compile_kernelmodules do_compile_ptest native_add_do_populate_sysroot_deps do_package_qa cmake_do_configure setuptools3_do_configure cargo_common_do_configure

[OE-core] Yocto Project Status 29 August 2023 (WW35)

2023-08-29 Thread Stephen Jolley
Current Dev Position: YP 4.3 Feature Freeze Next Deadline: 28th August 2023 YP 4.3 M3 build date Next Team Meetings: - Bug Triage meeting Thursday August 31st 7:30 am PDT ( https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09) - Weekly Project Engineering Sync

[OE-core][mickledore][PATCH 1/1] python3-pygments: fix for CVE-2022-40896

2023-08-29 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by these 3 different commits in different versions: 1. Improve the Smithy metadata matcher (These changes are already available as part of current