Hi,
Does anyone know how can I add meta-security layer
(https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/) to my Extensible
SDK using devtool and build e.g. nmap?
Thanks
//Sona
This message, including attachments, is CONFIDENTIAL. It may also be privileged
or otherwise protected by la
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
pass the end of "name" variable in parse_response().
[YOCTO #11959]
(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
Signed-off-by: Sona Sarmadi
Signed-off-b
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
pass the end of "name" variable in parse_response().
[YOCTO #11959]
(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
Signed-off-by: Sona Sarmadi
Signed-off-b
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
pass the end of "name" variable in parse_response().
[YOCTO #11959]
Signed-off-by: Sona Sarmadi
---
.../connman/connman/CVE-2017-12865.patch
iption of vulnerability of some unknown reason :) we have requested an
update/correction (see below) but they haven't changed the description yet:
From: CVE Request [mailto:cve-requ...@mitre.org]
Sent: Monday, June 19, 2017 12:09 PM
To: Sona Sarmadi
Subject: CVE Request 349461 for Update Pu
: Sona Sarmadi
---
meta/recipes-devtools/qemu/{qemu_2.8.0.bb => qemu_2.8.1.1.bb} | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
rename meta/recipes-devtools/qemu/{qemu_2.8.0.bb => qemu_2.8.1.1.bb} (87%)
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
b/meta/recipes-de
Hi guys,
Does anyone know why "Use-SHA256-not-MD5-as-default-digest.patch" is in the
openssl directory but has not been added to the openssl recipes? (both in
master and morty branches):
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl
Use-SHA256-not
virtio-gpu: memory leakage when destroying gpu resource
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9912
Reference to upstream patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=b8e23926c568f2e963af39028b71c472e3023793
Signed-off-by: Sona Sarmadi
---
.../recipes
virtio-gpu: information leakage in virgl_cmd_get_capset
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908
Signed-off-by: Sona Sarmadi
---
.../recipes-devtools/qemu/qemu/CVE-2016-9908.patch | 44 ++
meta/recipes-devtools/qemu/qemu_2.8.0.bb
Skip members whose names contain "..".
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
Upstream patch:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f671
Signed-off-by: Sona Sarmadi
---
meta/recipes-extended/tar/tar/CVE
Skip members whose names contain "..".
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
Upstream patch:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f671
Signed-off-by: Sona Sarmadi
---
meta/recipes-extended/tar/tar/CVE
>> I am just curious if this is ok, or should we always put the CVE: tag inside
>> the patch?
> The tag should always be in the patch file.
>
> Ross
So I guess this needs to be fixed:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=morty&id=8ba5b9eae34bbab537954ccee1726c7ee7a82750
//S
Hi Alexandru,
Shouldn't CVE-2017-3731 in the patch files have CVE: tag?
i.e. CVE-2017-3731 in 0001-CVE-2017-3731.patch & 0002-CVE-2017-3731.patch
should be:
CVE: CVE-2017-3731
You have this tag in the meta patch, we add this normally inside the patch.
> * CVE: CVE-2017-3731
>
> Upstream-
Hi all,
Does anyone know if there is an issue with cve-check tool on master branch?
It seems that "cve-check-update -d" fails, does anyone know why?
poky/build-cve-check$ bitbake -k -c cve_check universe
WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Error in executing
cve-check
://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 +
2 files changed, 70 insertions(+)
create mode
-announce/2016-October/002720.html
Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
meta/recipes-graphics/xorg-lib/libx11_1.6.3
-announce/2016-October/002720.html
Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
meta/recipes-graphics/xorg-lib/libx11_1.6.3
://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 +
2 files changed, 70 insertions(+)
create mode
?name=CVE-2016-7948
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
Upstream patch for both CVEs:
https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
Signed-off-by: Sona Sarmadi
---
.../libxrandr/CVE-2016-7947_CVE-2016-7948.patch
.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 ++
2 files changed, 62 insertions(+)
create mode 100644
meta
.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 ++
2 files changed, 62 insertions(+)
create mode 100644
meta
vanilla Expat 2.1.1, addressing:
* CVE-2012-6702 -- unanticipated internal calls to srand
* CVE-2016-5300 -- use of too little entropy
Signed-off-by: Sona Sarmadi
---
.../expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch | 123 +
meta/recipes-core/expat/expat_2.1.0.bb
> On 01/10/2017 03:10 AM, Sona Sarmadi wrote:
> > Upgrade libxtst from 1.2.2 to 1.2.3 to address:
> What else changed in this update?
> - armin
Hi Armin,
I believe the only changes between 1.2.2 and 1.2.3 is one commit
" Remove fallback for _XEatDataWords, require libX11 1
.
Cheers
//Sona
> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On
> Behalf Of Sona Sarmadi
> Sent: den 10 januari 2017 12:11
> To: openembedded-core@lists.openembedded.org
> Subj
-by: Sona Sarmadi
---
meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb}
(78%)
diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.
-by: Sona Sarmadi
---
meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb}
(78%)
diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.
Hi Lei, all,
> --- a/meta/classes/spdx.bbclass
> +++ b/meta/classes/spdx.bbclass
> @@ -1,12 +1,9 @@
> # This class integrates real-time license scanning, generation of SPDX
> standard # output and verifiying license info during the building process.
> -# It is a combination of efforts from the O
Specially crafted SHELLOPTS+PS4 variables allows command substitution
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7543
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html
Signed-off-by: Sona Sarmadi
---
.../recipes-extended/bash/bash/CVE-2016-7543.patch | 38
buffer overflow in stellaris_enet emulator
Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=patch;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66
Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4001
Signed-off-by: Sona Sarmadi
---
.../recipes-devtools/qemu/qemu
invalid URL parsing with '#'
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8624.patch | 51 ++
meta/recipes-support/curl/curl
IDNA 2003 makes curl use wrong host
Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
.../url-remove-unconditional-idn2.h
glob parser write/read out of bounds
Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8620.patch | 44 ++
meta/recipes-support/curl
curl_getdate read out of bounds
Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 +
meta/recipes-support/curl/curl_7.47.1
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 ++
meta/recipes-support/curl/curl_7.47.1
URL unescape heap overflow via integer truncation
Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 ++
meta/recipes-support
Use-after-free via shared cookies
Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8623.patch | 209 +
meta/recipes-support/curl/curl_7.47.1
double-free in krb5 code
Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8619.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
case insensitive password comparison
Affected versions: curl 7.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102B.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 49 ++
meta/recipes-support/curl
double-free in curl_maprintf
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8618.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
OOB write via unchecked multiplication
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102C.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8617.patch | 28 ++
meta/recipes-support/curl
IDNA 2003 makes curl use wrong host
Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
.../url-remove-unconditional-idn2.h
glob parser write/read out of bounds
Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8620.patch | 44 ++
meta/recipes-support/curl
case insensitive password comparison
Affected versions: curl 7.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102B.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 49 ++
meta/recipes-support/curl
Use-after-free via shared cookies
Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8623.patch | 209 +
meta/recipes-support/curl/curl_7.47.1
Mistake brought by 9c91ec778104a [fix to CVE-2016-8625]
Signed-off-by: Sona Sarmadi
---
.../url-remove-unconditional-idn2.h-include.patch | 28 ++
meta/recipes-support/curl/curl_7.47.1.bb | 1 +
2 files changed, 29 insertions(+)
create mode 100644
meta/recipes
IDNA 2003 makes curl use wrong host
Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
meta/recipes-support/curl
curl_getdate read out of bounds
Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 +
meta/recipes-support/curl/curl_7.47.1
double-free in curl_maprintf
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8618.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 ++
meta/recipes-support/curl/curl_7.47.1
URL unescape heap overflow via integer truncation
Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 ++
meta/recipes-support
double-free in krb5 code
Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8619.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
invalid URL parsing with '#'
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8624.patch | 51 ++
meta/recipes-support/curl/curl
OOB write via unchecked multiplication
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102C.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8617.patch | 28 ++
meta/recipes-support/curl
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
[mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf Of Sona
Sarmadi
Sent: den 8 november 2016 11:42
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
The upgrade addresses following CVEs:
CVE-2016-8615: cookie injection for other serv
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0
CVE-2016-7406
CVE-2016-7407
CVE-2016-7408
CVE-2016-7409
Reference:
https://matt.ucc.asn.au/dropbear/CHANGES
[YOCTO #10443]
Signed-off-by: Sona Sarmadi
---
meta/recipes-core/dropbear/dropbear.inc|4 +
.../dropbear/dropbear/CVE-2016-7406.patch | 104 +
.../dropbear
References to upstream patch:
https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047
http://openwall.com/lists/oss-security/2016/09/16/8
Signed-off-by: Sona Sarmadi
---
.../recipes-extended/bash/bash/CVE-2016-0634.patch | 136 +
meta/recipes-extended/bash/bash_4.3.30
Thanks Ross,
I guess you mean striplevel? Right? It didn’t work with stripnum but it worked
with striplevel:
file://CVE-2016-0634.patch;striplevel=0 \
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 10 oktober 2016 13:26
To: Sona Sarmadi
Cc: Armin Kuster (akuster
|the \h or \H and \s escape sequences, respectively.
|
|Patch (apply with `patch -p0')
|
|CVE: CVE-2016-0634
|Upstream-Status: Backport
|Signed-off-by: Sona Sarmadi
|
|*** ../bash-4.3-patched/parse.y2015-08-13 15:11:54.0 -0400
|--- parse.y2016-03-07 15:44:14.0 -0500
-
09/3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3710
Signed-off-by: Sona Sarmadi
---
.../recipes-devtools/qemu/qemu/CVE-2016-3710.patch | 111 +
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta/recipes-dev
/cgi-bin/cvename.cgi?name=CVE-2016-3116
Signed-off-by: Sona Sarmadi
---
meta/recipes-core/dropbear/dropbear_2015.71.bb | 5 -
meta/recipes-core/dropbear/dropbear_2016.72.bb | 4
2 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 meta/recipes-core/dropbear/dropbear_2015.71
> >> That said, I vote for updating to the version that comes with the
> >> fix.
> >> Backporting fixes should not be the default in the stable yocto
> >> releases; we should trust the upstream more.
> >
> > Taking that argument to the extreme, we should update all versions in
> > the "stable" rele
Hi guys,
I need your advice how to address this CVE in krogoth (master is not affected)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116
I couldn't find a patch for this specific CVE in dropbear git or somewhere
else, if we want to address this issue it seems that we need to update t
Affected versions:
Affected versions: libcurl 7.19.6 to and including 7.50.1
Not affected versions: libcurl >= 7.50.2
Reference to upstream patch:
https://curl.haxx.se/CVE-2016-7141.patch
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-7141.patch |
Hi Ross,
This seems to be fixed in master. I checked the code.
//Sona
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 9 augusti 2016 13:54
To: Sona Sarmadi
Cc: OE-core
Subject: Re: [OE-core] [PATCH][krogoth] sudo: CVE-2015-8239
On 9 August 2016 at 12:04, Sona Sarmadi
Fixes race condition when checking digests in sudoers.
Reference:
http://seclists.org/oss-sec/2015/q4/327
Reference to upstream fixes:
https://www.sudo.ws/repos/sudo/raw-rev/397722cdd7ec
https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195
Signed-off-by: Sona Sarmadi
---
.../sudo/sudo/CVE-2015
=a3d327bf1ceaaeabb20223d8de85166e940b9f12
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2016-1285.patch | 154 ++
.../bind
Yes, They are all tested; build bind & boot core image … but I send the old
patch, sorry about this ☹
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 12 april 2016 13:18
To: Sona Sarmadi
Cc: Joshua G Lock ;
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [P
I guess you need this patch:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=a078c9eeae8c2db7edf2b15ff1d25a3a297c751
Can I send you a new patch or can you add this?
> Unfortunately I can't build bind with this patch applied:
>
> | cc.c: In function 'verify':
> | cc.c:293:27: e
Sure, I can try ☺
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 12 april 2016 12:19
To: Sona Sarmadi
Cc: OE-core
Subject: Re: [OE-core] [PATCH] bind: Upgrade 9.10.3-P3 -> 9.10.3-P4
On 12 April 2016 at 11:13, Sona Sarmadi
mailto:sona.sarm...@enea.com>> wrote:
Th
The upgrade addresses following vulnerabilities:
CVE-2016-1285
CVE-2016-1286
CVE-2016-2088
Fixes [YOCTO #9400 and #9438].
References:
https://kb.isc.org/article/AA-01352
https://kb.isc.org/article/AA-01353
https://kb.isc.org/article/AA-01351
Signed-off-by: Sona Sarmadi
---
.../bind
=499952eb459c9a41d2092f1d98899c131f9103b2
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2016-1285.patch | 138 +
.../bind/bind/CVE-2016-1286_1.patch| 79 +
.../bind/bind/CVE-2016-1286_2.patch| 318 +
meta/recipes
://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2016-1285.patch | 141 +
.../bind/bind/CVE-2016-1286_1.patch| 78 +
.../bind/bind/CVE-2016-1286_2.patch
://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2016-1285.patch | 141 +
.../bind/bind/CVE-2016-1286_1.patch| 78 +
.../bind/bind/CVE-2016-1286_2.patch
Hi Philip, all,
I am going to attend FOSDEM 2016, I am glad if I can help. I don't have
anything for demo, but perhaps we can mention security updates/backport. I
thinks some people might be interested in knowing that we continually backport
security fixes :)
//Sona
> -Original Message---
]
References:
http://www.openwall.com/lists/oss-security/2015/12/15/14
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://bugzilla.redhat.com/attachment.cgi?id=1105581
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2015-8000.patch | 194 +
meta
Hi Mariano, all,
See my comments regarding "Bug 8119 - Define a format to mark Upstream CVE
patches" below.
> There is an initiative to track vulnerable software being built (see bugs 8119
> and 7515). The idea is to have a testing tool that would check the recipe
> versions against CVEs. In or
/cvename.cgi?name=CVE-2015-3195
Upstream patches:
CVE-2015-3194:
https://git.openssl.org/?p=openssl.git;a=commit;h=
d8541d7e9e63bf5f343af24644046c8d96498c17
CVE-2015-3195:
https://git.openssl.org/?p=openssl.git;a=commit;h=
b29ffa392e839d05171206523e84909146f7a77c
Signed-off-by: Sona Sarmadi
---
.../CVE
d-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: den 14 december 2015 11:25
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=
ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
Signed-off-by: Tudor Florea
Signed-off-by: Sona Sarmadi
---
meta/recipes-core/libxml/libxml2.inc
Fixes heap-based buffer overflow flaw in grep.
Affected versions are: grep 2.19 through 2.21
Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
Signed-off-by: Sona Sarmadi
---
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch| 129
Fixes heap-based buffer overflow in xmlParseConditionalSections().
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
: Sona Sarmadi
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8035.patch | 35 ++
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
diff --git a/meta/recipes-core
=glibc.git;a=commit;
h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
...5-1472-wscanf-allocates-too-little-memory.patch | 108 +
meta/recipes-core/glibc/glibc_2.20.bb | 1 +
2 files changed, 109 insertions
?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697
Signed-off-by: Tudor Florea
Signed-off-by: Sona Sarmadi
---
.../unzip/unzip/CVE-2015-7696.patch| 38 ++
.../unzip/unzip/CVE-2015-7697.patch| 31
/cvename.cgi?name=CVE-2015-3195
Signed-off-by: Sona Sarmadi
---
.../CVE-2015-3194-Add-PSS-parameter-check.patch| 35 +
...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 ++
.../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
3 files changed, 96 insertions
Hi Fan,
dizzy branch has Openssl version 1.0.1p now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy
How can this patch be applied to dizzy branch?
You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
CVE-2015-3193 d
Hi Maxin,
I think the warning below " bb.warn" is incorrect, it should be " dirname"
instead of " patch", see below:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/classes/spdx.bbclass
(master)
def get_ver_code(dirname):
chksums = []
for f_dir, f in list_files(dirname):
Fixes heap-based buffer overflow in xmlParseConditionalSections().
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
=
83a95bd8c8561875b948cadd417c653dbe7ef2e2
Signed-off-by: Sona Sarmadi
---
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch| 129 +
meta/recipes-extended/grep/grep_2.19.bb| 4 +-
2 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644
meta/recipes
_asn1_extract_der_octet: prevent past of boundary access
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;
h=f979435823a02f842c41d49cd41cc81f25b5d677
Signed-off-by: Sona Sarmadi
---
.../gnutls/libtasn1/libtasn1
Hi Armin,
I guess you will backport these to dizzy as well. I created Bug 8281 just to
have track of
recent bind vulnerabilities:
CVEs, CVE-2015-1349, CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986.
I think all have been addressed in master and fido, remaining are only these
three
Hi guys,
These qemu/xen patches have been backported to fido branch:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-devtools/qemu/qemu_2.2.0.bb?h=fido
but not dizzy:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-devtools/qemu/qemu_2.1.0.bb?h=dizzy
Do you kno
/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162
Signed-off-by: Sona Sarmadi
---
.../icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch | 49 ++
meta/recipes-support/icu/icu_53.1.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644
meta
Signed-off-by: Sona Sarmadi
---
.../better-fix-for-double-free-CVE-2015-3308.patch | 65 ++
.../eliminated-double-free-CVE-2015-3308.patch | 33 +++
meta/recipes-support/gnutls/gnutls_3.3.12.bb | 2 +
3 files changed, 100 insertions(+)
create mode 100644
meta
Signed-off-by: Sona Sarmadi
---
.../better-fix-for-double-free-CVE-2015-3308.patch | 65 ++
.../eliminated-double-free-CVE-2015-3308.patch | 33 +++
meta/recipes-support/gnutls/gnutls_3.3.5.bb| 2 +
3 files changed, 100 insertions(+)
create mode 100644
meta
/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162
Signed-off-by: Sona Sarmadi
---
.../icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch | 49 ++
meta/recipes-support/icu/icu_54.1.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644
meta
1 - 100 of 157 matches
Mail list logo