From: Yogita Urade
A type confusion issue was addressed with improved checks.
This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, Safari
16.5.1, macOS Ventura 13.4.1, iOS 15.7.7 and iPadOS 15.7.7.
Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of
On Tue, Sep 26, 2023 at 7:55 PM Robert Joslyn
wrote:
>
> On 9/26/23 7:55 AM, Khem Raj wrote:
> > I am seeing a ptest failure on qemux86-64/glibc
> >
> > Failed ptests:
> > {'curl': ['test_1474', 'curl']}
>
> In looking at the test, it is marked as flaky with the comment:
>
> # Because of the
From: Qiu Tingting
Add a ptest for tar.
- It is taking around 3m to execute with kvm, so added it to PTEST_SLOW.
- It contains 244 cases.
- Below is parts of the run log:
START: ptest-runner
2023-09-26T08:37
BEGIN: /usr/lib/tar/ptest
## ##
## GNU tar 1.35 test
Backport two patches [1] [2] to fix CVE-2023-36617
Signed-off-by: Meenali Gupta
---
.../ruby/ruby/CVE-2023-36617_1.patch | 52 +++
.../ruby/ruby/CVE-2023-36617_2.patch | 47 +
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 2 +
3 files
On 9/26/23 7:55 AM, Khem Raj wrote:
I am seeing a ptest failure on qemux86-64/glibc
Failed ptests:
{'curl': ['test_1474', 'curl']}
In looking at the test, it is marked as flaky with the comment:
# Because of the timing sensitivity (scheduling delays of 500 msec can cause
# the test to
Add patch from libwebp 1.2.4 to fix CVE-2023-5129
Signed-off-by: Colin McAllister
---
.../webp/files/CVE-2023-5129.patch| 364 ++
meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
2 files changed, 365 insertions(+)
create mode 100644
Add patch from libwebp 1.1.0 to fix CVE-2023-5129.
Signed-off-by: Colin McAllister
---
.../webp/files/CVE-2023-5129.patch| 364 ++
meta/recipes-multimedia/webp/libwebp_1.1.0.bb | 1 +
2 files changed, 365 insertions(+)
create mode 100644
Add patch for Libwebp 1.3.1 to fix CVE-2023-5129.
Signed-off-by: Colin McAllister
---
.../webp/files/CVE-2023-5129.patch| 364 ++
meta/recipes-multimedia/webp/libwebp_1.3.1.bb | 4 +-
2 files changed, 367 insertions(+), 1 deletion(-)
create mode 100644
I must not have gotten enough sleep last night. Please disregard this change.
From: openembedded-core@lists.openembedded.org
on behalf of Colin McAllister via
lists.openembedded.org
Sent: Tuesday, September 26, 2023 16:38
To:
clang is stricter about function parameter types in its functions and
errors out.
error: incompatible integer to pointer conversion initializing 'gchar *' (aka
'char *')
Real problem is in createrepo_c code where function definition and
declaration scopes are different
Signed-off-by: Khem Raj
Add patch from libwebp 1.3.1 branch to fix CVE-2023-5129.
---
.../webp/files/CVE-2023-5129.patch| 361 ++
meta/recipes-multimedia/webp/libwebp_1.3.1.bb | 4 +-
2 files changed, 364 insertions(+), 1 deletion(-)
create mode 100644
Hi Ross,
Sure thing. I just sent up a patch that upgrades master to Libwebp 1.3.2, which
contains the fix for the CVE.
I will also send up a patch for Nanbield to ensure all non-EOL branches are
patched.
Regards,
Colin
From: Ross Burton
Sent: Tuesday,
From: Jaeyoon Jung
Variable overrides in KCONFIG_CONFIG_COMMAND do not work as expected due
to double quote mismatches. The issue is reproducible in an environment
where gold is the default linker. Below is an example snippet of
run.do_terminal generated by do_menuconfig.
do_terminal() {
exec
From: Chen Qi
The gcc_multilib_setup function is a function that is run at the
do_configure step, so it's counted into the signature computation.
The MULTILIB_VARIANTS this function uses is also extracted to be
taken into consideration. After the change of setting MULTILIB_VARIANTS
explicitly
From: Chen Qi
This patch is to ensure recipes get rebuilt correctly and avoid
incorrect sstate cache reuse when toggling multilib.
The following steps show one example of such incorrect sstate cache reuse.
1. enable multilib && bitbake -c populate_sdk
2. disable multilib && bitbake -c
From: Lee Chee Yang
drop patch which is already part of 5.1.3.
0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch(CVE-2022-3964):
https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/1eb002596e3761d88de4aeea3158692b82fb6307
From: Lee Chee Yang
release notes:
https://downloads.isc.org/isc/bind9/9.18.19/doc/arm/html/notes.html#notes-for-bind-9-18-19
Security Fixes
Previously, sending a specially crafted message over the control channel
could cause the packet-parsing code to run out of available stack
memory,
From: Ross Burton
Signed-off-by: Ross Burton
Signed-off-by: Steve Sakoman
---
.../linux/cve-exclusion_6.1.inc | 157 ++
1 file changed, 123 insertions(+), 34 deletions(-)
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
From: Wang Mingyu
Changelog:
Deprecate the 'dialup' and 'heartbeat-interval' options.
Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
Return REFUSED to GSS-API TKEY requests if GSS-API support is not configured.
Mark a primary server as temporarily unreachable if the TCP
From: Narpat Mali
The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.
Changelog:
==
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by
From: Yash Shinde
Upstream-Status:
Backport[https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f]
Signed-off-by: Yash Shinde
Signed-off-by: Steve Sakoman
---
.../glibc/glibc/0023-CVE-2023-4527.patch | 219 ++
From: Sanjay Chitroda
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-28320
https://security-tracker.debian.org/tracker/CVE-2023-28320
Upstream Patch:
Introduced by: https://github.com/curl/curl/commit/3c49b405de4f (curl-7_9_8)
Fixed by: https://github.com/curl/curl/commit/13718030ad4b
Please review this set of changes for mickledore and have comments back by
end of day Thursday, September 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5950
The following changes since commit 72d3ecb22fea59d2520997b3f0a0651557d69ae7:
Upgrades libwebp to the latest version to fix CVE-2023-5129.
Change-Id: I061fcda90c7720bc41a575551b399a6f36dfd534
---
.../webp/{libwebp_1.3.1.bb => libwebp_1.3.2.bb} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename meta/recipes-multimedia/webp/{libwebp_1.3.1.bb =>
Hello,
On 26/09/2023 16:24:48+0800, wangmy wrote:
> From: Wang Mingyu
>
> License-Update: split license file in standard BSD 3-clause and bundled.
>
> Changelog:
> ==
> Python 3.12.0 support.
> Cython 3.0.0 compatibility.
> Use of the Meson build system
I'm a bit surprised
From: Alexandre Belloni
Signed-off-by: Alexandre Belloni
---
.../0001-test_ctypes.test_find-skip-without-tools-sdk.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
Can we also get a fix for master? It’s bad form to fix a CVE in the stable
branches without also fixing master, otherwise it’s possible that security
issues appear when you upgrade.
Ross
> On 26 Sep 2023, at 21:02, Colin McAllister via lists.openembedded.org
> wrote:
>
> Add patch from
Hi Steve and oe-core
Just noticed issues with cups, and can see the problem in this patch.
++ AuthType Defaul
should have been
++ AuthType Default
We are missing a "t" in the end.
Will send a patch - but I might first have time later this week, and I don't
know if it is needed for 4.0.13
Add patch from libwebp 1.2.4 branch to fix CVE-2023-5129.
Change-Id: Id9fd776e81105beba3d37564e83ade816270aedd
---
.../webp/files/CVE-2023-5129.patch| 362 ++
meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
2 files changed, 363 insertions(+)
create mode 100644
Add patch from libwebp 1.1.0 branch to fix CVE-2023-5129.
Change-Id: Idaabd9e118fb51a80159a25312000337427e23bf
---
.../webp/files/CVE-2023-5129.patch| 362 ++
meta/recipes-multimedia/webp/libwebp_1.1.0.bb | 1 +
2 files changed, 363 insertions(+)
create mode 100644
Add patch from libwebp 1.1.0 branch to fix CVE-2023-5129.
---
.../webp/files/CVE-2023-5129.patch| 362 ++
1 file changed, 362 insertions(+)
create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
diff --git
On Tue, Sep 26, 2023 at 10:55 AM Martin Jansa wrote:
>
> On Mon, Sep 25, 2023 at 6:47 PM Khem Raj wrote:
>>
>> gnupg failure seems related to this -
>> https://errors.yoctoproject.org/Errors/Details/738191/
>
>
> I've just sent a fix for this one (gupnp not gnupg :)):
Yeah poor eyes and
On Mon, Sep 25, 2023 at 6:47 PM Khem Raj wrote:
> gnupg failure seems related to this -
> https://errors.yoctoproject.org/Errors/Details/738191/
I've just sent a fix for this one (gupnp not gnupg :)):
https://lists.openembedded.org/g/openembedded-devel/message/105145
On 9/25/2023 2:42 PM, Richard Purdie wrote:
On Mon, 2023-09-25 at 11:17 -0700, Khem Raj wrote:
core-image-minimal does not have ssh server in image so maybe start
with core-image-base or something or add
IMAGE_FEATURES += "ssh-server-openssh package-management hwcodecs" to local.conf
Whilst
Current Dev Position: YP 4.3 M4 (Feature Freeze)
Next Deadline: 2nd October 2023 YP 4.3 M4 build date
Next Team Meetings:
- Bug Triage meeting Thursday September 28th 7:30 am PDT (
https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
- Weekly Project Engineering
I am seeing a ptest failure on qemux86-64/glibc
Failed ptests:
{'curl': ['test_1474', 'curl']}
On Sat, Sep 23, 2023 at 10:25 AM Robert Joslyn via
lists.openembedded.org
wrote:
>
> From: Robert Joslyn
>
> NSS support was removed, so adjust PACKAGECONFIG options.
>
> The --enable-crypto-auth
Just noticed your patches. Yes, this patch is not needed.
Regards,
Qi
From: Peter Kjellerstedt
Sent: Tuesday, September 26, 2023 9:10 PM
To: Jose Quaresma ; Chen, Qi
Cc: openembedded-core@lists.openembedded.org
Subject: RE: [OE-core][PATCH] oe-find-native-sysroot: avoid warning message
From: Richard Purdie
This includes multiple CVE fixes.
The license change is due to changes in maintainership, the license
itself is unchanged.
Signed-off-by: Richard Purdie
(cherry picked from commit 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)
Signed-off-by: Steve Sakoman
---
From: Archana Polampalli
Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with
'smoothscroll' set
Signed-off-by: Archana Polampalli
Signed-off-by: Richard Purdie
(cherry picked from commit
From: Ross Burton
This series of patches fixes deficiencies in GCC's -fstack-protector
implementation for AArch64 when using dynamically allocated stack space.
This is CVE-2023-4039. See:
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
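The code pattern this series is about, as an added example that is not part of the oe-core patch set or of GCC itself: a C99 variable-length array sized from input and written with an unbounded memcpy (the dynamically allocated stack space CVE-2023-4039 concerns), next to a bounds-checked form that refuses rather than overflows. The function names, the DYNBUF_MAX cap and the sample bytes are assumptions made for the example.

```c
/* Added example, not from the patch series above.
 * The unsafe function shows a VLA (dynamically allocated stack space)
 * written without a length check; the safe function is the hardened form.
 * Function names, DYNBUF_MAX and sample_input are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input for the demo below. */
static const uint8_t sample_input[] = {1, 2, 3, 4, 5};

/* Vulnerable pattern: the buffer is sized by one caller-supplied value and
 * the copy length by another. If len > bufsize the memcpy runs past the VLA.
 * Only ever called with in-bounds arguments in this example. */
uint32_t unsafe_dynbuf_copy(const uint8_t *src, size_t len, size_t bufsize)
{
    uint8_t buf[bufsize];          /* VLA: lives in dynamically sized stack space */
    memcpy(buf, src, len);         /* no check that len <= bufsize */
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* Hardened form: reject a copy that does not fit, and cap the VLA size so a
 * caller cannot exhaust the stack by choosing an enormous bufsize. */
#define DYNBUF_MAX 4096

int safe_dynbuf_copy(const uint8_t *src, size_t len, size_t bufsize,
                     uint32_t *sum_out)
{
    if (bufsize == 0 || bufsize > DYNBUF_MAX || len > bufsize)
        return -1;                 /* refuse rather than overflow */
    uint8_t buf[bufsize];
    memcpy(buf, src, len);
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    *sum_out = sum;
    return 0;
}

/* Wrapper over the constructed sample: returns the byte sum of the first
 * len bytes, or -1 if the hardened copy refuses the requested sizes. */
long demo_safe_sum(size_t len, size_t bufsize)
{
    uint32_t sum = 0;
    if (len > sizeof sample_input)
        return -1;
    if (safe_dynbuf_copy(sample_input, len, bufsize, &sum) != 0)
        return -1;
    return (long)sum;
}

int main(void)
{
    printf("unsafe, in-bounds call: %u\n", unsafe_dynbuf_copy(sample_input, 5, 8));
    printf("safe, fits:            %ld\n", demo_safe_sum(5, 8));
    printf("safe, len > bufsize:   %ld\n", demo_safe_sum(5, 4));
    printf("safe, bufsize too big: %ld\n", demo_safe_sum(0, 5000));
    return 0;
}
```

The point of the safe version is that it does not rely on the stack protector at all: the length check happens before any write, so it holds on every target regardless of where the toolchain places the canary relative to the dynamic allocation.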
From: Vijay Anusuri
Upstream-commit:
https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50
&
https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8
&
https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43
&
From: Michael Opdenacker
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before
1.4.0 allows remote attackers to run arbitrary code via crafted input to
the encoder.
Signed-off-by: Meenali Gupta
Signed-off-by: Michael Opdenacker
Tested-by: Michael Opdenacker
Signed-off-by:
From: Siddharth Doshi
Upstream-Status: Backport from
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9,
https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
CVE: CVE-2023-39615
Signed-off-by: Siddharth Doshi
From: Siddharth Doshi
Note: The fix needs to be pushed in gdb rather than binutils-gdb as we are
disabling gdb in binutils configure.
Upstream-Status: Backport from
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
CVE: CVE-2023-39128
Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5947
The following changes since commit 8b91c463fb3546836789e1890b3c68acf69c162a:
NAK
This is no longer needed since commit 6b7883533 (bitbake-getvar: Make --value
imply --quiet) landed in bitbake.
//Peter
From: openembedded-core@lists.openembedded.org
On Behalf Of Jose Quaresma
Sent: 26 September 2023 12:21
To: qi.c...@windriver.com
Cc:
From: Ryan Eatmon
The latest 6.5 kernels do not appear to create the source file in
${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source so the
recipe errors out when trying to remove it. Simple fix is to add the
-f (force) flag to the call.
(From OE-Core rev:
Hi Chen,
I have raised this when it lands
https://lists.openembedded.org/g/openembedded-core/message/187378
Tested-by: Jose Quaresma
Jose
Chen Qi via lists.openembedded.org wrote on Tuesday, 26/09/2023
at 11:15:
> From: Chen Qi
>
> Add '-q' option to bitbake-getvar to avoid warning
From: Chen Qi
Add '-q' option to bitbake-getvar to avoid warning messages contaminating
the actual result.
Signed-off-by: Chen Qi
---
scripts/oe-find-native-sysroot | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/oe-find-native-sysroot
On Tue, 26 Sept 2023 at 11:17, qi...@fujitsu.com wrote:
> +Upstream-Status: Submitted
> [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=39849e9d91f477d3fb839f93cd0815d0cb3273e9]
Thanks, this is nearly fine, only this line should say:
Upstream-Status: Backport
From: Wang Mingyu
Changelog:
===
-Added CompleteDirs.inject classmethod to make available for use elsewhere.
-Avoid matching path separators for '?' in glob.
Signed-off-by: Wang Mingyu
---
.../python/{python3-zipp_3.16.2.bb => python3-zipp_3.17.0.bb} | 2 +-
1 file changed, 1
From: Wang Mingyu
Changelog:
==
-Allowed pyOpenSSL third-party module without any deprecation warning.
-Fixed default blocksize of HTTPConnection classes to match high-level
classes. Previously was 8KiB, now 16KiB.
Signed-off-by: Wang Mingyu
---
.../{python3-urllib3_2.0.4.bb =>
From: Wang Mingyu
Changelog:
===
-Add typing_extensions.Doc, as proposed by PEP 727.
-Drop support for Python 3.7 (including PyPy-3.7).
-Fix bug where get_original_bases() would return incorrect results when called
on a concrete subclass of a generic class.
-Fix bug where
From: Wang Mingyu
Changelog:
Add Trove classifier for Django 5.0 (#153)
Signed-off-by: Wang Mingyu
---
...fiers_2023.8.7.bb => python3-trove-classifiers_2023.9.19.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Wang Mingyu
Signed-off-by: Wang Mingyu
---
.../python/{python3-smmap_5.0.0.bb => python3-smmap_6.0.0.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/python/{python3-smmap_5.0.0.bb =>
python3-smmap_6.0.0.bb} (87%)
diff --git
From: Wang Mingyu
Changelog:
===
-The update() methods of TupleHash128 and TupleHash256 objects can now hash
multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
-Added support for ECDH, with Crypto.Protocol.DH.
-GH#754: due to a bug in cffi, do not use it on Windows with
From: Wang Mingyu
Changelog:
==
- The update() methods of TupleHash128 and TupleHash256 objects can now hash
multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
- Added support for ECDH, with Crypto.Protocol.DH.
- GH#754: due to a bug in cffi, do not use it on Windows
From: Wang Mingyu
Changelog:
===
-Hotfix for issue #3747, a bug in explain mode which is so rare that we missed
it in six months of dogfooding.
-This patch improves the documentation of @example(...).xfail() by adding a
note about PEP 614, similar to @example(...).via(), and adds a
From: Wang Mingyu
Changelog:
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.
Signed-off-by: Wang Mingyu
---
...vectors_41.0.3.bb => python3-cryptography-vectors_41.0.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Wang Mingyu
License-Update: Rely on external copy of iso8601
Changelog:
==
* Subunit now has a dependency on an external iso8601
module rather than shipping its own.
* Drop various compatibility wrappers for Python < 3.6.
* Fix "subunit-filter --fixup-expected-failures"
on
From: Wang Mingyu
License-Update: split license file in standard BSD 3-clause and bundled.
Changelog:
==
Python 3.12.0 support.
Cython 3.0.0 compatibility.
Use of the Meson build system
Updated SIMD support
f2py fixes, meson and bind(x) support
Support for the
From: Wang Mingyu
Changelog:
Avoid undefined behaviour in the Regress test suite
Signed-off-by: Wang Mingyu
---
...-introspection_1.78.0.bb => gobject-introspection_1.78.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Wang Mingyu
Changelog:
===
* Fix updating credentials by another process in the same Flatpak sandbox
[#62, !99]
* Migrate to g_memdup2 [!121]
* Print error logs in CI [!125]
* Updated translations
Signed-off-by: Wang Mingyu
---
.../libsecret/{libsecret_0.21.0.bb =>
From: Wang Mingyu
Signed-off-by: Wang Mingyu
---
meta/recipes-core/kbd/{kbd_2.6.2.bb => kbd_2.6.3.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-core/kbd/{kbd_2.6.2.bb => kbd_2.6.3.bb} (94%)
diff --git a/meta/recipes-core/kbd/kbd_2.6.2.bb
From: Wang Mingyu
Changelog:
Unicode 15.1 support.
Signed-off-by: Wang Mingyu
---
.../harfbuzz/{harfbuzz_8.2.0.bb => harfbuzz_8.2.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-graphics/harfbuzz/{harfbuzz_8.2.0.bb => harfbuzz_8.2.1.bb}
(95%)
diff
From: Wang Mingyu
Changelog:
==
-This version tweaks normalization of language tags so that only the part of
the tag that specifies country and language is altered; any extra that is
not removed is left alone.
-This version removes validation of language tags; dictionary names no
From: Wang Mingyu
Changelog:
===
* Fix at-spi2-atk test when running under a non-English locale.
* collection: Avoid locking up if an object has a very large child count
* Fix possible NULL pointer dereference when deregistering an event listener.
* Various fixes for the new key grabbing
To reproduce:
local.conf:
DEFAULTTUNE = "x86-64-x32"
baselib = "lib32"
bitbake -c install librsvg
Alex
On Tue, 26 Sept 2023 at 08:38, Alexander Kanavin via
lists.openembedded.org
wrote:
>
> "| thread 'main' panicked at 'TARGET x86_64-poky-linux-gnux32-gnu is
> not a builtin target, and it
"| thread 'main' panicked at 'TARGET x86_64-poky-linux-gnux32-gnu is
not a builtin target, and it could not be parsed as a valid triplet:
Unrecognized binary format: gnu',
Hello,
The contents of the tarball at *1 are determined by the EXTRA_DIST setting in
https://git.savannah.gnu.org/cgit/tar.git/tree/tests/Makefile.am?id=39849e9d91f477d3fb839f93cd0815d0cb3273e9#n20
which in turn refers to TESTSUITE_AT.
As of 1.35 release, TESTSUITE_AT was missing exclude17/18.at and the