[OE-core][hardknott][PATCH] cpio: fix CVE-2021-38185

2021-09-12 Thread Chen Qi
Signed-off-by: Chen Qi --- .../0001-Rewrite-dynamic-string-support.patch | 458 ++ meta/recipes-extended/cpio/cpio_2.13.bb | 1 + 2 files changed, 459 insertions(+) create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Rewrite-dynamic-string-support.patch diff

Re: [OE-core] [PATCH] bitbake.conf: support persistent /var/tmp

2021-09-12 Thread Changqing Li
ping On 8/30/21 4:11 PM, Changqing Li wrote: ping On 8/6/21 9:21 AM, Changqing Li wrote: From: Changqing Li Steps: 1. build out rootfs core-image-minimal-qemux86-64.tar.bz2 2. docker import core-image-minimal-qemux86-64.tar.bz2 poky:latest 3. docker run -it --rm poky:latest /bin/sh 4. /var

Re: [OE-core] [master][honister][hardknott][dunfell][PATCH] tar: ignore node-tar CVEs

2021-09-12 Thread Chen Qi
I'm wondering if we could restrict CVE_PRODUCT to 'gnu:tar' as an alternative solution. Regards, Qi On 09/13/2021 12:27 AM, Armin Kuster wrote: These three CVEs are specific to the Node package node-tar. exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 Signed-off-by: Armin Kuster ---
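The two approaches in this thread (Armin's per-recipe exclusion of the three node-tar IDs versus Chen Qi's suggestion of narrowing CVE_PRODUCT to "gnu:tar") differ in how cve-check matches a recipe against NVD affected-configuration data. The following is an added illustration, not code from OE-core or from cve-check.bbclass: it models the CVE_PRODUCT convention where a bare product name matches any vendor while "vendor:product" must match both fields. The CPE strings, the vendor name "tar_project" for node-tar and the placeholder ID CVE-2099-00001 are constructed for the example; check the real NVD entries before choosing a CVE_PRODUCT value.

```python
"""
Added example: a minimal model of how a recipe's CVE_PRODUCT is matched against
the CPE entries attached to a CVE, showing why a bare "tar" can pick up CVEs
recorded under a different vendor and how "vendor:product" narrows the match.
Not the project's own code; sample data is constructed.
"""

# Constructed sample: CVE ID -> CPE 2.3 strings from the affected configurations.
# The vendor "tar_project" for node-tar and CVE-2099-00001 are assumptions for
# illustration only; real data comes from the NVD feed that cve-check downloads.
SAMPLE_CVES = {
    "CVE-2021-37701": ["cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*"],
    "CVE-2021-37712": ["cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*"],
    "CVE-2021-37713": ["cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*"],
    "CVE-2099-00001": ["cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*"],  # placeholder GNU tar entry
}


def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return parts[3], parts[4]


def product_matches(cve_product, cpe):
    """
    Mirror the CVE_PRODUCT convention: a bare "product" matches any vendor,
    while "vendor:product" must match both fields of the CPE.
    """
    vendor, product = parse_cpe23(cpe)
    if ":" in cve_product:
        want_vendor, want_product = cve_product.split(":", 1)
        return vendor == want_vendor and product == want_product
    return product == cve_product


def matching_cves(cve_product, cves=SAMPLE_CVES, ignore=()):
    """
    CVE IDs whose CPE list matches cve_product, minus IDs listed in ignore
    (the recipe's exclusion list, which is what the tar patch in this thread adds to).
    """
    hits = set()
    for cve_id, cpes in cves.items():
        if cve_id in ignore:
            continue
        if any(product_matches(cve_product, c) for c in cpes):
            hits.add(cve_id)
    return sorted(hits)


if __name__ == "__main__":
    # Bare product: both vendors' "tar" match, so the node-tar IDs are reported.
    print("CVE_PRODUCT = tar      ->", matching_cves("tar"))
    # Approach 1 (this patch): keep "tar" and exclude the three node-tar IDs.
    node_tar = {"CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713"}
    print("tar + exclusions       ->", matching_cves("tar", ignore=node_tar))
    # Approach 2 (Chen Qi's suggestion): restrict the vendor instead.
    print("CVE_PRODUCT = gnu:tar  ->", matching_cves("gnu:tar"))
```

The exclusion list silences three known IDs but leaves the bare product name in place, so any future CVE filed under another vendor's "tar" product is reported again; the vendor-qualified CVE_PRODUCT avoids that class of false positive as long as NVD keeps recording GNU tar under the vendor "gnu", which is worth verifying against the live entries.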

Re: [oe-core][PATCH] util-linux: disable raw

2021-09-12 Thread Markus Volk
Looks like this is the plan https://bugzilla.redhat.com/show_bug.cgi?id=1981729#c3 Am 13.09.21 um 00:18 schrieb Khem Raj: On Sun, Sep 12, 2021 at 10:20 AM Markus Volk > wrote: raw.h has been dropped in linux-libc-headers-5.14 leading to: configure:

Re: [oe-core][PATCH] util-linux: disable raw

2021-09-12 Thread Khem Raj
On Sun, Sep 12, 2021 at 10:20 AM Markus Volk wrote: > raw.h has been dropped in linux-libc-headers-5.14 leading to: > > configure: error: raw selected, but required raw.h header file not > available > WARNING: exit code 1 from a shell command. Overall this is a fine change however I wonder

[oe-core][PATCH] util-linux: disable raw

2021-09-12 Thread Markus Volk
raw.h has been dropped in linux-libc-headers-5.14 leading to: configure: error: raw selected, but required raw.h header file not available WARNING: exit code 1 from a shell command. Signed-off-by: Markus Volk --- meta/recipes-core/util-linux/util-linux_2.37.2.bb | 2 +- 1 file changed, 1

[OE-core] [master][honister][hardknott][dunfell][PATCH] tar: ignore node-tar CVEs

2021-09-12 Thread Armin Kuster
These three CVEs are specific to the Node package node-tar. exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 Signed-off-by: Armin Kuster --- meta/recipes-extended/tar/tar_1.34.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-extended/tar/tar_1.34.bb

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 12 Sep 2021 04:00:01 AM HST

2021-09-12 Thread Armin Kuster
On 9/12/21 7:03 AM, Steve Sakoman wrote: > Branch: master > > New this week: 8 CVEs > CVE-2020-18974: nasm:nasm-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 * > CVE-2021-36690: sqlite3:sqlite3-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36690

Re: [OE-core] [PATCH] wic/bootimg-efi: Add Unified Kernel Image option

2021-09-12 Thread Kristian Klausen via lists.openembedded.org
On Fri, Sep 10, 2021 at 09:31:18 +0100, Richard Purdie wrote: > On Thu, 2021-09-09 at 17:53 +, Kristian Klausen via lists.openembedded.org > wrote: > > "A unified kernel image is a single EFI PE executable combining an EFI > > stub loader, a kernel image, an initramfs image, and the kernel

Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST

2021-09-12 Thread Steve Sakoman
On Sun, Sep 12, 2021, 5:57 AM Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote: > > Branch: hardknott > > > > New this week: 0 CVEs > > > > Removed this week: 2 CVEs > > CVE-2020-27748: xdg-utils >

Re: [OE-core] Public project sstate/hash equivalence mirror now live

2021-09-12 Thread Joshua Watt
On Sun, Sep 12, 2021, 10:58 AM Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Sun, 2021-09-12 at 07:55 -0700, akuster808 wrote: > > > > On 9/12/21 4:46 AM, Richard Purdie wrote: > > > We made the autobuilder sstate public a while ago but it wasn't useful > after we > > >

Re: [OE-core] can one identify how much work sstate cache would save a build?

2021-09-12 Thread Robert P. J. Day
Quoting Richard Purdie : On Sun, 2021-09-12 at 10:00 -0400, Robert P. J. Day wrote: off the wall question from a friend, but is there a way to get a general idea of how much work (how many tasks?) could be saved for a build based on some available sstate cache directory? Run a build with

Re: [OE-core] Public project sstate/hash equivalence mirror now live

2021-09-12 Thread Richard Purdie
On Sun, 2021-09-12 at 07:55 -0700, akuster808 wrote: > > On 9/12/21 4:46 AM, Richard Purdie wrote: > > We made the autobuilder sstate public a while ago but it wasn't useful > > after we > > switched to hash equivalence by default. I'm pleased to be able to report > > that > > we now have a

Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST

2021-09-12 Thread Richard Purdie
On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote: > Branch: hardknott > > New this week: 0 CVEs > > Removed this week: 2 CVEs > CVE-2020-27748: xdg-utils > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 * > CVE-2021-38185: cpio >

Re: [OE-core] can one identify how much work sstate cache would save a build?

2021-09-12 Thread Richard Purdie
On Sun, 2021-09-12 at 10:00 -0400, Robert P. J. Day wrote: > off the wall question from a friend, but is there a way to get a > general idea of how much work (how many tasks?) could be saved for a > build based on some available sstate cache directory? Run a build with bitbake -n against it and

[OE-core] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST

2021-09-12 Thread Steve Sakoman
Branch: hardknott New this week: 0 CVEs Removed this week: 2 CVEs CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 * CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 * Full list: Found 27 unpatched CVEs

Re: [OE-core] Public project sstate/hash equivalence mirror now live

2021-09-12 Thread Armin Kuster
On 9/12/21 4:46 AM, Richard Purdie wrote: > We made the autobuilder sstate public a while ago but it wasn't useful after > we > switched to hash equivalence by default. I'm pleased to be able to report that > we now have a read-only public server for the hash equivalence. We did have to > fix a

[OE-core] OE-core CVE metrics for dunfell on Sun 12 Sep 2021 04:30:01 AM HST

2021-09-12 Thread Steve Sakoman
Branch: dunfell New this week: 9 CVEs CVE-2021-33928: libsolv https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33928 * CVE-2021-33929: libsolv https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33929 * CVE-2021-33930: libsolv

[OE-core] OE-core CVE metrics for master on Sun 12 Sep 2021 04:00:01 AM HST

2021-09-12 Thread Steve Sakoman
Branch: master New this week: 8 CVEs CVE-2020-18974: nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 * CVE-2021-36690: sqlite3:sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36690 * CVE-2021-3713: qemu:qemu-native:qemu-system-native

[OE-core] can one identify how much work sstate cache would save a build?

2021-09-12 Thread Robert P. J. Day
off the wall question from a friend, but is there a way to get a general idea of how much work (how many tasks?) could be saved for a build based on some available sstate cache directory? rday

[OE-core] Public project sstate/hash equivalence mirror now live

2021-09-12 Thread Richard Purdie
We made the autobuilder sstate public a while ago but it wasn't useful after we switched to hash equivalence by default. I'm pleased to be able to report that we now have a read-only public server for the hash equivalence. We did have to fix a small API omission and a couple of sstate related bugs