Re: [OE-core] [dunfell] [PATCH] flex: Exclude CVE-2015-1773 from cve-check.

2023-09-01 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Dhairya Nagodra via lists.openembedded.org Sent: Friday, September 1, 2023 6:08 To: openembedded-core@lists.openembedded.org Cc: qi.c...@windriver.com; xe-linux-exter...@cisco.com; Dhairya Nagodra Subject:

Re: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191

2023-09-01 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Changqing Li via lists.openembedded.org Sent: Friday, September 1, 2023 11:02 To: openembedded-core@lists.openembedded.org Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191 > From:

Re: [OE-core] [master] [PATCH] flex: Exclude CVE-2015-1773 from cve-check.

2023-09-01 Thread Peter Marko via lists.openembedded.org
What's the reason for ignoring this CVE in all branches when CVE_PRODUCT = "flex_project:flex" means it's not reported by cve-check? Peter -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Dhairya Nagodra via lists.openembedded.org Sent: Friday, September

Re: [OE-core][PATCH] gcc-runtime: remove bashism

2023-09-02 Thread Peter Marko via lists.openembedded.org
Gentle ping. Thanks. -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Peter Marko via lists.openembedded.org Sent: Tuesday, August 1, 2023 8:19 To: openembedded-core@lists.openembedded.org Cc: Marko, Peter (ADV D EU SK BFS1) Subject: [OE-core][PATCH] gcc

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Peter Marko via lists.openembedded.org
Hello Marta, The major reason why we introduced CVE_STATUS was exactly to avoid a patch like this. There were ideas to introduce 5 or 10 or 15 different statuses and we decided to keep 3 and introduce “sub-statuses”. These sub-statuses are listed in cve reports, too. Currently we have three main

[OE-core][kirkstone][PATCH] zlib: patch CVE-2023-45853

2023-10-19 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * https://github.com/madler/zlib/pull/843 Signed-off-by: Peter Marko --- .../zlib/zlib/CVE-2023-45853.patch| 42 +++

[OE-core][kirkstone][PATCH] glibc: ignore CVE-2023-4527

2023-10-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This vulnerability was introduced in 2.36, so 2.35 is not vulnerable. Signed-off-by: Peter Marko --- meta/recipes-core/glibc/glibc_2.35.bb | 7 +++ 1 file changed, 7 insertions(+) diff --git a/meta/recipes-core/glibc/glibc_2.35.bb

[OE-core][dunfell][PATCH] glibc: ignore CVE-2023-4527

2023-10-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This vulnerability was introduced in 2.36, so 2.31 is not vulnerable. Signed-off-by: Peter Marko --- meta/recipes-core/glibc/glibc_2.31.bb | 7 +++ 1 file changed, 7 insertions(+) diff --git a/meta/recipes-core/glibc/glibc_2.31.bb

Re: [OE-core] [yocto] Yocto Project Status 07 November 2023 (WW45)

2023-11-07 Thread Peter Marko via lists.openembedded.org
The new website looks nice, just https://yoctoproject.org/development/releases/ is populated by: Plugin JSON Content Importer Pro not running: Check Licence! Check that a Licence is active for https://yoctoproject.org Instead of actual release data. Peter From: yo...@lists.yoctoproject.org On

[OE-core][kirkstone][PATCH] libxml2: Patch CVE-2023-45322

2023-10-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch for gitlab issue mentioned in NVD CVE report. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz. *

Re: [oe-core][kirkstone][PATCH 1/2] curl: fix CVE-2023-38545

2023-10-29 Thread Peter Marko via lists.openembedded.org
Gentle ping. It would be great to have this in next kirkstone release which will be built in a week.

[OE-core][master][mickledore][PATCH] openssl: Upgrade 3.1.3 -> 3.1.4

2023-10-24 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023 Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023] * Mitigate incorrect resize handling for symmetric cipher keys and IVs.

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.11 -> 3.0.12

2023-10-24 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023 Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023] * Mitigate incorrect resize handling for symmetric cipher keys and IVs.

Re: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

2023-09-21 Thread Peter Marko via lists.openembedded.org
We have recently introduced CVE_CHECK_STATUSMAP which should be used to declare more detailed status information instead of introducing additional statuses. In this case, "out of range" should be subtype of patched and "undecidable" subtype of unpatched I think. Peter -Original

Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

2023-09-27 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Peter Marko via lists.openembedded.org Sent: Wednesday, September 27, 2023 16:21 To: soumya.sa...@windriver.com Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][kirkstone][PATCH 1/1] glibc

Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

2023-09-27 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Soumya via lists.openembedded.org Sent: Wednesday, September 27, 2023 9:46 To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

[OE-core][PATCH] json-c: define CVE_VERSION

2023-09-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Recently NVD updated all CVEs for json-c and old fixed CVEs are reported in some older yocto branches. NVD match clause now includes full tag name including date which is "greater" than tag without additional numbers. Define CVE_VERSION identical to full tag also on master to

[OE-core][kirkstone][PATCH] json-c: define CVE_VERSION

2023-09-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Recently NVD updated all CVEs for json-c and old fixed CVE-2020-12762 is reported by cve_check now. NVD match clause now includes full tag name including date which is "greater" than tag without additional numbers. Fix it by defining CVE_VERSION identical to full tag. Put it

Re: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

2023-10-04 Thread Peter Marko via lists.openembedded.org
Yes, that's how we designed this feature. Peter -Original Message- From: Shinji Matsunaga (Fujitsu) Sent: Wednesday, October 4, 2023 4:19 To: Marko, Peter (ADV D EU SK BFS1) ; richard.pur...@linuxfoundation.org Cc: openembedded-core@lists.openembedded.org Subject: RE: [OE-core] [PATCH]

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.10 -> 3.0.11

2023-09-20 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3010-and-openssl-3011-19-sep-2023 Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows

[OE-core][PATCH] openssl: Upgrade 3.1.2 -> 3.1.3

2023-09-20 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-312-and-openssl-313-19-sep-2023 Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

2023-10-06 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVE-2023-4911. Single commit bump: * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911) Signed-off-by: Peter Marko --- meta/recipes-core/glibc/glibc-version.inc | 2 +- meta/recipes-core/glibc/glibc_2.35.bb | 2 +- 2 files changed, 2

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Richard Purdie via lists.openembedded.org Sent: Monday, October 9, 2023 18:44 To: Marek Vasut ; st...@sakoman.com; openembedded-core@lists.openembedded.org Cc: Alexandre Belloni Subject: Re: [OE-core]

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Peter Marko via lists.openembedded.org
-Original Message- From: Marek Vasut Sent: Monday, October 9, 2023 18:57 To: Marko, Peter (ADV D EU SK BFS1) ; richard.pur...@linuxfoundation.org Cc: Alexandre Belloni ; st...@sakoman.com; openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH] ncurses: Mitigate

Re: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Peter Marko via lists.openembedded.org
Hi Marek, Could you please describe why you add this configuration in kirkstone branch? This CVE is already patched: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone Peter -Original Message- From:

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Peter Marko via lists.openembedded.org
-Original Message- From: Marek Vasut Sent: Monday, October 9, 2023 21:28 To: Marko, Peter (ADV D EU SK BFS1) ; richard.pur...@linuxfoundation.org Cc: Alexandre Belloni ; st...@sakoman.com; openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH] ncurses: Mitigate

Re: [OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

2023-10-09 Thread Peter Marko via lists.openembedded.org
ed machine failed (e.g. due to temporary network problem). Did you check log on the networked machine? Peter > > Le ven. 6 oct. 2023 à 22:10, Peter Marko via lists.openembedded.org > a écrit : > > > > From: Peter Marko > > > > Addresses CVE-2023-4911. > >

[OE-core][kirkstone][PATCH] goarch: Move Go architecture mapping to a library

2023-11-09 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Other spaces use the Go architecture definitions as their own (for example, container arches are defined to be Go arches). To make it easier for other places to use this mapping, move the code that does the translation of OpenEmbedded arches to Go arches to a library. (From

[OE-core][dunfell][PATCH] go: ignore CVE-2022-41716

2023-04-19 Thread Peter Marko via lists.openembedded.org
This CVE is specific to Microsoft Windows, ignore it. Patch fixing it (https://go-review.googlesource.com/c/go/+/446916) also adds a redundant check to generic os/exec which could be backported but it should not be necessary as backport always takes a small risk to break old code. Signed-off-by:

[OE-core][kirkstone][PATCH] go: ignore CVE-2022-41716

2023-04-19 Thread Peter Marko via lists.openembedded.org
This CVE is specific to Microsoft Windows, ignore it. Patch fixing it (https://go-review.googlesource.com/c/go/+/446916) also adds a redundant check to generic os/exec which could be backported but it should not be necessary as backport always takes a small risk to break old code. Signed-off-by:

[OE-core][kirkstone][PATCH] package.bbclass: correct check for /build in copydebugsources()

2023-04-14 Thread Peter Marko via lists.openembedded.org
Newly introduced kirkstone-only commit https://git.openembedded.org/openembedded-core/commit/?h=kirkstone=80839835ec9fcb63069289225a3c1af257ffdef7 broke builds with externalsrc in Gitlab-CI. This is a yocto-4.0.9 regression. It checks if directory starts with "build" instead of checking if it

[OE-core][master][mickledore][kirkstone][dunfell][PATCH 1/2] cve-update-nvd2-native: retry all errors and sleep between retries

2023-07-11 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Last couple of days it is not possible to update NVD DB as servers are returning a lot of errors. Mostly "HTTP Error 503: Service Unavailable" is observed but sporadically also some others. Retrying helps in most cases, so extend retries to all errors. Additionally add sleep which

[OE-core][master][mickledore][kirkstone][dunfell][PATCH 2/2] cve-update-nvd2-native: increase retry count

2023-07-11 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Current 503 errors seem to last several seconds. In most cases there are two errors and the third request succeeds. However sometimes the outage takes more than the time needed for two retries and the third one also fails. Extend retry count from 3 to 5 to improve the probability that the

Re: [OE-core][master][mickledore][kirkstone][dunfell][PATCH 1/2] cve-update-nvd2-native: retry all errors and sleep between retries

2023-07-11 Thread Peter Marko via lists.openembedded.org
:37 AM Peter Marko via lists.openembedded.org wrote: From: Peter Marko Last couple of days it is not possible to update NVD DB as servers are returning a lot of errors. Most

Re: [OE-core][master][mickledore][kirkstone][dunfell][PATCH 1/2] cve-update-nvd2-native: retry all errors and sleep between retries

2023-07-11 Thread Peter Marko via lists.openembedded.org
s Thank you Peter for debugging this. Could you dump us a log of one of your typical runs to see what the errors are? We might consider mirroring at some point. Kind regards, Marta On Tue, Jul 11, 2023 at 8:37 AM Peter Marko via lists.openembedded.org<http://lists.openembedded

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.8 -> 3.0.9

2023-05-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko * fix CVEs CVE-2023-1255 and CVE-2023-2650 * drop CVE patches merged upstream * refresh 0001-Configure-do-not-tweak-mips-cflags.patch https://www.openssl.org/news/openssl-3.0-notes.html Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023] * Mitigate for very

Re: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)

2023-06-06 Thread Peter Marko via lists.openembedded.org
Hi, > From: openembedded-core@lists.openembedded.org > On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Tuesday, June 6, 2023 7:34 > To: Geoffrey GIRY mailto:geoffrey.g...@smile.fr; Richard Purdie > mailto:richard.pur...@linuxfoundation.org > Cc: OE-core

[OE-core][PATCH] gcc-runtime: remove bashism

2023-08-01 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Debian 12 no longer supports replacing dash with bash as default shell. Therefore to achieve compatibility with Debian 12, all bashisms need to be removed. Shell comparison via == gives an error with dash and thus the condition is always false. Signed-off-by: Peter Marko ---

Re: [oe-core][kirkstone][PATCH 1/1] libpcre2: fix CVE-2022-41409

2023-08-03 Thread Peter Marko via lists.openembedded.org
This is already fixed, see https://lists.openembedded.org/g/openembedded-core/message/185053 https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=410cdbc70cfba709ec5bef508e772f52514ba28a Peter -Original Message- From:

[OE-core][master][mickledore][PATCH] openssl: Upgrade 3.1.1 -> 3.1.2

2023-08-01 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-311-and-openssl-312-1-aug-2023 Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix DH_check()

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.9 -> 3.0.10

2023-08-01 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-309-and-openssl-3010-1-aug-2023 Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix

Re: [OE-core][kirkstone][PATCH 1/1] openssl: fix for CVE-2023-2975 & CVE-2023-3446

2023-08-01 Thread Peter Marko via lists.openembedded.org
New openssl version was released 2 hours ago, I have sent an update which should make this patch obsolete. Peter -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Narpat Mali via lists.openembedded.org Sent: Tuesday, August 1, 2023 18:06 To:

[OE-core][dunfell][PATCH] openssl: Upgrade 1.1.1t -> 1.1.1v

2023-08-01 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) Major

Re: [OE-core][PATCH] meta-networking: cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

2023-07-26 Thread Peter Marko via lists.openembedded.org
There is already a patch available to convert all of meta-openembedded recipes https://lists.openembedded.org/g/openembedded-devel/message/103992 Also this is the incorrect mailing list... Peter

Re: [OE-core] OE-core CVE metrics for master on Sun 23 Jul 2023

2023-07-23 Thread Peter Marko via lists.openembedded.org
Sorry that I missed that during my review. I have sent a patch for this now. Peter > -Original Message- > From: openembedded-core@lists.openembedded.org > On Behalf Of Steve Sakoman via > lists.openembedded.org > Sent: Sunday, July 23, 2023 16:29 > To: Patches and discussions about

[OE-core][PATCH] cve-extra-exclusions: fix syntax error

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko CVE_STATUS conversion for CVE-2020-18974 had a syntax error by not adding a continuation backslash. Signed-off-by: Peter Marko --- meta/conf/distro/include/cve-extra-exclusions.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git

[OE-core][dunfell][PATCH] libarchive: ignore CVE-2023-30571

2023-07-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This issue was reported and discussed under [1] which is linked in the NVD CVE report. It was already documented that some parts of libarchive are thread safe and some not. [2] was now merged to document that also the reported function is not thread safe. So this CVE *now* reports

[OE-core][kirkstone][mickledore][PATCH] libarchive: ignore CVE-2023-30571

2023-07-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This issue was reported and discussed under [1] which is linked in the NVD CVE report. It was already documented that some parts of libarchive are thread safe and some not. [2] was now merged to document that also the reported function is not thread safe. So this CVE *now* reports

[OE-core][PATCH] libarchive: ignore CVE-2023-30571

2023-07-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This issue was reported and discussed under [1] which is linked in the NVD CVE report. It was already documented that some parts of libarchive are thread safe and some not. [2] was now merged to document that also the reported function is not thread safe. So this CVE *now* reports

Re: [OE-core][PATCH] go: update 1.20.5 -> 1.20.6

2023-07-29 Thread Peter Marko via lists.openembedded.org
Alex, Jose, I could not find documentation how to handle the mixins layer. Could you please pick this to kirkstone/go meta-lts-mixins? Or should I send a patch to yo...@lists.yoctoproject.org (or other mailing list) instead of asking for a cherry-pick? Thanks, Peter

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 30 Jul 2023 01:00:01 AM HST

2023-07-30 Thread Peter Marko via lists.openembedded.org
Some old CVEs are coming back. I think this is a regression from CVE_CHECK_IGNORE conversion. http://git.openembedded.org/openembedded-core/commit/?id=1634ed4048cf56788cd5c2c1bdc979b70afcdcd7 I'll check these tomorrow. Peter > -Original Message- > From:

[OE-core][kirkstone][PATCH] libpcre2: patch CVE-2022-41409

2023-07-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport commit mentioned in NVD DB links. https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35 Signed-off-by: Peter Marko --- .../libpcre/libpcre2/CVE-2022-41409.patch | 75 +++

[OE-core][dunfell][PATCH] libpcre2: patch CVE-2022-41409

2023-07-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport commit mentioned in NVD DB links. https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35 Signed-off-by: Peter Marko --- .../libpcre/libpcre2/CVE-2022-41409.patch | 74 +++

[OE-core][PATCH 2/2] bluez5: correct CVE status of ignored CVEs

2023-07-31 Thread Peter Marko via lists.openembedded.org
Rewrite of CVE_CHECK_IGNORE to CVE_STATUS contained a copy+paste problem changing CVE numbers. CVE-2020-12352 -> CVE-2022-3563 CVE-2020-24490 -> CVE-2022-3637 CVE-2020-12352 is now for kernel only in NVD DB, so remove it. CVE-2020-24490 is corrected in this commit. Signed-off-by: Peter Marko ---

[OE-core][PATCH 1/2] cve-exclusion_6.1: correct typo in exclusion list name

2023-07-31 Thread Peter Marko via lists.openembedded.org
This will remove 6 CVEs which were already excluded before. Signed-off-by: Peter Marko --- meta/recipes-kernel/linux/cve-exclusion_6.1.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc

[OE-core][PATCH v2 1/2] cve-exclusion_6.1: correct typo in exclusion list name

2023-07-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This will remove 6 CVEs which were already excluded before. Signed-off-by: Peter Marko --- meta/recipes-kernel/linux/cve-exclusion_6.1.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc

[OE-core][PATCH v2 2/2] bluez5: correct CVE status of ignored CVEs

2023-07-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Rewrite of CVE_CHECK_IGNORE to CVE_STATUS contained a copy+paste problem changing CVE numbers. CVE-2020-12352 -> CVE-2022-3563 CVE-2020-24490 -> CVE-2022-3637 CVE-2020-12352 is now for kernel only in NVD DB, so remove it. CVE-2020-24490 is corrected in this commit.

[OE-core][kirkstone][mickledore][PATCH] libjpeg-turbo: patch CVE-2023-2804

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Relevant links: * linked from NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in

[OE-core][dunfell][PATCH] libjpeg-turbo: patch CVE-2023-2804

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Relevant links: * linked from NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in

[OE-core][kirkstone][PATCH] python3: ignore CVE-2023-36632

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE shouldn't have been filed as the "exploit" is described in the documentation as how the library behaves. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)

[OE-core][mickledore][PATCH] python3: ignore CVE-2023-36632

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE shouldn't have been filed as the "exploit" is described in the documentation as how the library behaves. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)

[OE-core][dunfell][PATCH] python3: ignore CVE-2023-36632

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE shouldn't have been filed as the "exploit" is described in the documentation as how the library behaves. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)

Re: [OE-core][dunfell][PATCH] libjpeg-turbo: patch CVE-2023-2804

2023-07-23 Thread Peter Marko via lists.openembedded.org
Please ignore this dunfell patch, I'll send a v2. Peter -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Peter Marko via lists.openembedded.org Sent: Sunday, July 23, 2023 13:07 To: openembedded-core@lists.openembedded.org Cc: Marko, Peter (ADV D EU SK

[OE-core][dunfell][PATCH v2] libjpeg-turbo: patch CVE-2023-2804

2023-07-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Relevant links: * linked from NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in

[OE-core][kirkstone][PATCH] procps: patch CVE-2023-4016

2023-08-10 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch from upstream master. There were three changes needed to apply the patch: * move NEWS change to start of the file * change file location from src/ps/ to ps/ * change xmalloc/xcmalloc to malloc/cmalloc The x*malloc functions were introduced in commit in future

[OE-core][dunfell][PATCH] procps: patch CVE-2023-4016

2023-08-10 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch from upstream master. There were three changes needed to apply the patch: * move NEWS change to start of the file * change file location from src/ps/ to ps/ * change xmalloc/xcmalloc to malloc/cmalloc The x*malloc functions were introduced in commit in future

[OE-core][dunfell][PATCH v2] openssl: Upgrade 1.1.1t -> 1.1.1v

2023-08-10 Thread Peter Marko via lists.openembedded.org
From: Peter Marko https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) Major

Re: [OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.9 -> 3.0.10

2023-08-07 Thread Peter Marko via lists.openembedded.org
This is already in kirkstone nut * https://lists.openembedded.org/g/openembedded-core/message/185255 * https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=94ce10791ce10aa30d3a3bdef53f9b2f3c1b331a Peter -Original Message- From:

Re: [OE-core][dunfell][PATCH] openssl: Upgrade 1.1.1t -> 1.1.1v

2023-08-10 Thread Peter Marko via lists.openembedded.org
I see. Openssl backported following to 1_1_1 - https://github.com/openssl/openssl/commit/969327390220aee7515a4054d5189186402d6687 So I need to backport following to dunfell -

[OE-core][PATCH] gcsections: apply section removal also in C++, not only in C

2023-06-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Currently only CFLAGS contains section optimizations. This is used during C compilation. C++ compilation uses CXXFLAGS instead. I did not introduce CXXFLAGS_SECTION_REMOVAL because the options are identical in C and C++, while adding it would add a whole lot of additional

[OE-core][master][mickledore][kirkstone][dunfell][PATCH] cve-update-nvd2-native: fix cvssV3 metrics

2023-06-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken. Anything which has only cvssV3 did not resolve properly. Fix the API fields used to extract it. Number of CVEs with score 0.0 is still not at 1.1 API level, but that is probably NVD API difference

[OE-core][master][mickledore][kirkstone][dunfell][PATCH v2] cve-update-nvd2-native: fix cvssV3 metrics

2023-06-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken. Anything which has only cvssV3 does not resolve properly. Fix the API fields used to extract it. 0.0 score is now at level of NVD DB 1.1. All CVEs with UNKNOWN vector are not present in NVD DB

[OE-core][dunfell][PATCH] libxml2: patch CVE-2023-28484 and CVE-2023-29469

2023-05-07 Thread Peter Marko via lists.openembedded.org
Backports from: * https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 * https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df Signed-off-by: Peter Marko --- .../libxml/libxml2/CVE-2023-28484.patch | 79

[OE-core][kirkstone][PATCH] libxml2: patch CVE-2023-28484 and CVE-2023-29469

2023-05-07 Thread Peter Marko via lists.openembedded.org
Backports from: * https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 * https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df Signed-off-by: Peter Marko --- .../libxml/libxml2/CVE-2023-28484.patch | 79

Re: [OE-core][master][mickledore][PATCH] openssl: Upgrade 3.1.1 -> 3.1.2

2023-08-13 Thread Peter Marko via lists.openembedded.org
Gentle ping. Is there any problem with this patch? Peter

[OE-core][PATCH] dtc: pass version as parameter instead of querying git

2023-12-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Since switch from Makefile to meson based build, the version is no longer hardcoded but queried from git tag. This works only if git history is available. When shallow tarballs are used, tag is not available. Example error for trusted-firmware-a from meta-arm: dtc version too

Re: [OE-core][PATCH] dtc: pass version as parameter instead of querying git

2023-12-13 Thread Peter Marko via lists.openembedded.org
100, Peter Marko via lists.openembedded.org > wrote: > > From: Peter Marko > > > > Since switch from Makefile to meson based build, the version is no > > longer hardcoded but queried from git tag. > > > > This works only if git history is availabl

[OE-core][PATCH] dtc: preserve version also from shallow git clones

2023-12-16 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Since switch from Makefile to meson based build, the version is no longer hardcoded but queried from git tag. This works only if git history is available. When shallow tarballs are used, tag is not available. Example error for trusted-firmware-a from meta-arm: dtc version too

Re: [OE-core][PATCH] dtc: pass version as parameter instead of querying git

2023-12-16 Thread Peter Marko via lists.openembedded.org
-Original Message- From: Richard Purdie Sent: Wednesday, December 13, 2023 22:58 To: Marko, Peter (ADV D EU SK BFS1) ; openembedded-core@lists.openembedded.org; Kanavin, Alexander (EXT) (Linutronix GmbH) Subject: Re: [OE-core][PATCH] dtc: pass version as parameter instead of querying

Re: [PATCH] [OE-Core] tzdata: only the timezone subpackage tzdata-core is retained

2023-12-13 Thread Peter Marko via lists.openembedded.org
I don't think that this is a good idea. Currently you have the possibility to add to your IMAGE_INSTALL either tzdata (to install all data) or tzdata-core (to install a minimal subset). After this change, you can add tzdata or tzdata-core to install a minimal subset (these packages will now be equal)

Re: Patchtest results for [OE-core][kirkstone][PATCH] openssl: Backport fix for CVE-2023-6129

2024-01-10 Thread Peter Marko via lists.openembedded.org
CVE_STATUS was not backported to kirkstone. Any idea how to skip some tests for old branches? Peter -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Patchtest via lists.openembedded.org Sent: Wednesday, January 10, 2024 12:48 To: Vivek Kumbhar Cc:

[OE-core][dunfell][PATCH] zlib: ignore CVE-2023-6992

2024-01-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE is for CPE cloudflare:zlib. An alternative to ignoring would be to limit CVE_PRODUCT, but historic CVEs already have two - gnu:zlib and zlib:zlib. So limiting it could miss future CVEs. Signed-off-by: Peter Marko --- meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++ 1

[OE-core][kirkstone][PATCH] zlib: ignore CVE-2023-6992

2024-01-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE is for CPE cloudflare:zlib. An alternative to ignoring would be to limit CVE_PRODUCT, but historic CVEs already have two - gnu:zlib and zlib:zlib. So limiting it could miss future CVEs. Signed-off-by: Peter Marko --- meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++ 1

[OE-core][PATCH] zlib: ignore CVE-2023-6992

2024-01-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE is for CPE cloudflare:zlib. An alternative to ignoring would be to limit CVE_PRODUCT, but historic CVEs already have two - gnu:zlib and zlib:zlib. So limiting it could miss future CVEs. Signed-off-by: Peter Marko --- meta/recipes-core/zlib/zlib_1.3.bb | 1 + 1 file
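The three zlib patches above express the same decision on master and on the older branches, but with different variables: master uses CVE_STATUS (the mechanism the patchtest reply earlier on this page notes was not backported to kirkstone), while kirkstone and dunfell still use CVE_CHECK_IGNORE. The recipe fragment below is an added illustration of both forms, not the text of the patches in this thread; the sub-status keyword chosen, the justification wording and the assumption that dunfell already carries the CVE_CHECK_IGNORE rename are mine.

```bitbake
# Added illustration, not the patch text from this thread.
#
# master (nanbield and later): cve-check reads CVE_STATUS. The word before the
# colon is the sub-status and must be a key of CVE_CHECK_STATUSMAP in
# cve-check.bbclass; "cpe-incorrect" maps to the "Ignored" main status and the
# free text after the colon is recorded in the report as the justification.
CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is filed against cloudflare:zlib, a fork not built by this recipe"

# kirkstone (and, assumed here, dunfell): CVE_STATUS is not available, so the
# same intent is expressed with the older variable. No justification is kept
# in the report, which is why the commit message has to carry the reasoning.
CVE_CHECK_IGNORE += "CVE-2023-6992"

# Why the alternative of narrowing CVE_PRODUCT was rejected in the commit
# message: historic zlib CVEs are filed under two CPE vendors, so dropping
# either one would silence future entries as well. Keep both.
CVE_PRODUCT = "gnu:zlib zlib:zlib"
```

When such an ignore is later upgraded to CVE_STATUS on a branch that gains it, the justification string is the place to put the pointer the report reader needs; a bare CVE_CHECK_IGNORE entry gives a future auditor nothing to re-verify against.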

[OE-core][kirkstone][PATCH] sqlite3: backport patch for CVE-2023-7104

2024-01-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport https://sqlite.org/src/info/0e4e7a05c4204b47 Signed-off-by: Peter Marko --- .../sqlite/files/CVE-2023-7104.patch | 44 +++ meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644

Re: [OE-core] [PATCH 13/21] alsa-utils-scripts: merge into alsa-utils

2024-01-12 Thread Peter Marko via lists.openembedded.org
Hi Alex, I'm upgrading my layer from kirkstone to scarthgap and observed that my image failed due to gpl3 license. I want to conveniently install whole alsa-utils except for parts where license forbids me to do it. After your patch I would need to list all alsa-utils subpackages except the

[OE-core][kirkstone][PATCH] dropbear: backport patch for CVE-2023-48795

2024-01-16 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Documentation for this patch is under https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3 Signed-off-by: Peter Marko --- meta/recipes-core/dropbear/dropbear.inc | 1 + .../dropbear/dropbear/CVE-2023-48795.patch| 234 ++

Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

2023-11-28 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Xu, Lizhi via lists.openembedded.org Sent: Tuesday, November 28, 2023 9:45 To: Marko, Peter (ADV D EU SK BFS1) Cc: alex.kier...@gmail.com; openembedded-core@lists.openembedded.org Subject: Re: [PATCH V2]

Re: [OE-core] [PATCH] json-c: fix icecc compilation

2023-11-28 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Marco Felsch via lists.openembedded.org Sent: Tuesday, November 28, 2023 23:48 To: openembedded-core@lists.openembedded.org Cc: yo...@pengutronix.de; m...@pengutronix.de Subject: [OE-core] [PATCH] json-c: fix

Re: [OE-core] [yocto-security] OE-core CVE metrics for nanbield on Sun 26 Nov 2023 05:00:01 AM HST

2023-11-27 Thread Peter Marko via lists.openembedded.org
Yes, nvd servers are in a really bad state currently. I need up to 12 retries on http calls to get through... I will contribute to make the retry count value (currently hardcoded to 5) configurable via variable. I'm planning to run it at a low default and increase temporarily when quality decreases.

Re: [OE-core] [PATCH] init-manager-mdev-busybox: Keep sysvinit distro feature on

2023-11-22 Thread Peter Marko via lists.openembedded.org
From: openembedded-core@lists.openembedded.org On Behalf Of Khem Raj via lists.openembedded.org > The rcS script that busybox-init provides is able to run scripts that > are available as part of sysvinit, therefore its fine to keep sysvinit > distro feature enabled so that we can build complex

[OE-core][PATCH 2/2] cve-update-nvd2-native: make number of fetch attempts configurable

2023-11-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Sometimes NVD servers are unstable and return too many errors. Last time we increased the number of attempts from 3 to 5, but increasing it further is not reasonable, as in the normal case too many retries are just abusive. Keep retries low as the default and allow increasing them as needed.

[OE-core][PATCH 1/2] cve-update-nvd2-native: remove unused variable CVE_DB_UPDATE_RETRIES

2023-11-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This variable is not referenced in oe-core anymore. Signed-off-by: Peter Marko --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb

[OE-core][PATCH v2 2/2] cve-update-nvd2-native: make number of fetch attempts configurable

2023-11-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Sometimes NVD servers are unstable and return too many errors. Last time we increased the number of attempts from 3 to 5, but increasing it further is not reasonable, as in the normal case too many retries are just abusive. Keep retries low as the default and allow increasing them as needed.
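The retry discussion in the two messages above (a low default, raised only while NVD is misbehaving, because hammering the API in the normal case is abusive) is the kind of logic worth getting right once. The function below is an added, stand-alone illustration of a configurable-attempt fetch wrapper; it is not the code of cve-update-nvd2-native, and the names fetch_with_retries, RETRIABLE_HTTP and FlakyFetcher are mine. It adds one refinement the snippets do not spell out: only transient failures (429 and 5xx, or a connection-level URLError) are retried, while a permanent rejection such as 403 from a bad API key fails on the first attempt instead of burning the whole budget.

```python
import time
import urllib.error

# Illustrative code, not cve-update-nvd2-native. HTTP statuses treated as
# transient; anything else is raised immediately without further attempts.
RETRIABLE_HTTP = {429, 500, 502, 503, 504}


def fetch_with_retries(fetch, attempts=5, base_delay=0.0, sleep=time.sleep):
    """Call fetch() up to `attempts` times, retrying only transient failures.

    fetch      zero-argument callable returning bytes, or raising
               urllib.error.HTTPError / urllib.error.URLError
    attempts   configurable budget (the value the messages above want to
               keep low by default and raise temporarily)
    base_delay first back-off in seconds, doubled after each failed attempt
    sleep      injectable for tests

    Returns (data, attempts_used). Re-raises the last error once the budget
    is exhausted, and raises non-retriable HTTP errors at once.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    last_err = None
    for n in range(1, attempts + 1):
        try:
            return fetch(), n
        except urllib.error.HTTPError as err:
            if err.code not in RETRIABLE_HTTP:
                raise  # e.g. 403: a bad key will not get better by retrying
            last_err = err
        except urllib.error.URLError as err:
            last_err = err  # DNS / connection failure: transient, retry
        if n < attempts:
            sleep(base_delay * (2 ** (n - 1)))
    raise last_err


class FlakyFetcher:
    """Constructed stand-in for the NVD request: fails `failures` times with
    the given HTTP status, then returns a fixed payload. Counts its calls."""

    def __init__(self, failures, code=503, payload=b'{"vulnerabilities": []}'):
        self.failures = failures
        self.code = code
        self.payload = payload
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise urllib.error.HTTPError(
                "https://services.nvd.nist.gov/rest/json/cves/2.0",
                self.code, "constructed failure", None, None)
        return self.payload


if __name__ == "__main__":
    nvd = FlakyFetcher(failures=2)
    data, used = fetch_with_retries(nvd, attempts=5, sleep=lambda s: None)
    print(f"succeeded after {used} attempts, {len(data)} bytes")
```

The only knob an operator needs is `attempts`; with `base_delay` left at 0 the wrapper behaves like a plain counted retry, and a non-zero delay turns it into exponential back-off, which is the polite shape when the server is already struggling.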

[OE-core][PATCH v2 1/2] cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT

2023-11-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This variable is not referenced in oe-core anymore. Signed-off-by: Peter Marko --- v2: typo in commit message meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb

Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

2023-11-28 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Xu, Lizhi via lists.openembedded.org Sent: Tuesday, November 28, 2023 3:38 To: alex.kier...@gmail.com Cc: openembedded-core@lists.openembedded.org Subject: Re: [PATCH V2] [OE-core] tzdata: Reduced time zone

[OE-core][dunfell][PATCH] sqlite3: ignore CVE-2024-0232

2024-01-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE reports a bug which was fixed in 3.43.2 by [1]. Code analysis shows that it is fixing a caching issue and this cache was introduced by [2]. This landed only in 3.43.0 so 3.85.5 is not affected. [1] https://sqlite.org/src/info/5b09212ac05615fc [2]

[OE-core][kirkstone][PATCH] sqlite3: ignore CVE-2024-0232

2024-01-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE reports a bug which was fixed in 3.43.2 by [1]. Code analysis shows that it is fixing a caching issue and this cache was introduced by [2]. This landed only in 3.43.0 so 3.85.5 is not affected. [1] https://sqlite.org/src/info/5b09212ac05615fc [2]

[OE-core][nanbield][PATCH 1/2] sqlite3: upgrade 3.43.1 -> 3.43.2

2024-01-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This fixes CVE-2024-0232 Signed-off-by: Peter Marko --- .../sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb} (78%) diff --git

[OE-core][nanbield][PATCH 2/2] sqlite: drop obsolete CVE ignore

2024-01-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko CVE-2023-36191 is now rejected in the NVD DB so it won't show up in the cve-check report anymore. Signed-off-by: Peter Marko --- meta/recipes-support/sqlite/sqlite3_3.43.2.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
