[OE-core] OE-core CVE metrics for kirkstone on Sun 28 Apr 2024 03:00:01 AM HST

Branch: kirkstone New this week: 0 CVEs Removed this week: 1 CVEs CVE-2023-48795 (CVSS3: 5.9 MEDIUM): libssh2:libssh2-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 * Full list: Found 33 unpatched CVEs CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native

[OE-core] OE-core CVE metrics for dunfell on Sun 28 Apr 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 1 CVEs CVE-2023-6683 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 * Full list: Found 105 unpatched CVEs CVE-2020-15705 (CVSS3: 6.4 MEDIUM):

[OE-core] OE-core CVE metrics for master on Sun 28 Apr 2024 01:00:01 AM HST

Branch: master New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 38 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

Re: [OE-core][kirkstone][PATCH] rpm: Backport fix CVE-2021-35939

This patch caused multiple build failures both locally and on the autobuilder. Here is a link to the autobuilder run: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6845 Sample error log: https://errors.yoctoproject.org/Errors/Details/763370/ Steve On Tue, Apr 23, 2024 at

Re: [OE-core][kirkstone][PATCH] libssh2: backport fix for CVE-2023-48795

There is already a fix for this CVE in kirkstone: https://git.yoctoproject.org/poky/commit/?h=kirkstone=888ea24812c21910e74c864313be56f02fad6c2e Steve On Fri, Apr 19, 2024 at 1:19 AM dnyandev via lists.openembedded.org wrote: > > Backport the upstream fix for CVE-2023-48795. > > (From OE-Core

Re: [OE-core] [dunfell][PATCH] populate_sdk_ext.bbclass: only overwrite lsb string if uninative is used

Dunfell has reached end of life and we are no longer taking changes. The final build was done on April 15. Steve On Mon, Apr 15, 2024 at 12:21 AM Timon Bergelt via lists.openembedded.org wrote: > > Overwriting the lsb string without inheriting from uninative causes > shared state cache entries

Re: [OE-core][dunfell][PATCH 1/4] binutils: Fix CVE-2022-44840

Dunfell has reached end of life and we are no longer taking changes. The final build was done on April 15. Steve On Tue, Apr 23, 2024 at 12:35 AM virendra thakur via lists.openembedded.org wrote: > > Add patch file to fix CVE-2022-44840 > > Reference: >

Re: [OE-core][dunfell][PATCH] perl: Fix CVE-2023-31486

https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d > > (From OE-Core rev: 5819c839e1de92ab7669a0d4997886d0306c4cc1) > > Signed-off-by: Soumya > Signed-off-by: Steve Sakoman > (cherry picked from commit 80ecd63cc84d7eb9db26ec47d4afcf5a59d598

[OE-core] OE-core CVE metrics for nanbield on Sun 21 Apr 2024 04:00:02 AM HST

Branch: nanbield New this week: 26 CVEs CVE-2023-52436 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52436 * CVE-2023-52454 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52454 * CVE-2023-52458 (CVSS3: 5.5

[OE-core] OE-core CVE metrics for kirkstone on Sun 21 Apr 2024 03:00:01 AM HST

Branch: kirkstone New this week: 1 CVEs CVE-2023-52425 (CVSS3: 7.5 HIGH): expat:expat-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425 * Removed this week: 2 CVEs CVE-2023-47100 (CVSS3: 9.8 CRITICAL): perl:perl-native

[OE-core] OE-core CVE metrics for dunfell on Sun 21 Apr 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 106 unpatched CVEs CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 * CVE-2020-25742 (CVSS3: 3.2 LOW):

[OE-core] OE-core CVE metrics for master on Sun 21 Apr 2024 01:00:01 AM HST

Branch: master New this week: 1 CVEs CVE-2024-26596 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26596 * Removed this week: 0 CVEs Full list: Found 38 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto

Re: [OE-core][kirkstone 6/7] ppp: Add RSA-MD in LICENSE

On Wed, Apr 17, 2024 at 3:33 PM Steve Sakoman via lists.openembedded.org wrote: > > > > On Wed, Apr 17, 2024, 2:33 PM Richard Purdie > wrote: >> >> On Wed, 2024-04-17 at 13:35 -0700, Steve Sakoman via lists.openembedded.org >> wrote: >> > From: Poo

Re: [OE-core][kirkstone 6/7] ppp: Add RSA-MD in LICENSE

On Wed, Apr 17, 2024, 2:33 PM Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Wed, 2024-04-17 at 13:35 -0700, Steve Sakoman via > lists.openembedded.org wrote: > > From: Poonam Jadhav > > > > ppp package has "RSA Data Security" license tex

[OE-core][kirkstone 5/7] valgrind: skip intermittently failing ptest

Intermittent failures on autobuilder: AssertionError: Failed ptests: {'valgrind': ['memcheck/tests/linux/timerfd-syscall']} Signed-off-by: Steve Sakoman --- meta/recipes-devtools/valgrind/valgrind/remove-for-all | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools

[OE-core][kirkstone 7/7] systemd: Fix vlan qos mapping

Kazi Signed-off-by: Steve Sakoman --- .../systemd/fix-vlan-qos-mapping.patch| 140 ++ meta/recipes-core/systemd/systemd_250.5.bb| 1 + 2 files changed, 141 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/fix-vlan-qos-mapping.patch diff --git a/meta

[OE-core][kirkstone 6/7] ppp: Add RSA-MD in LICENSE

From: Poonam Jadhav ppp package has "RSA Data Security" license text in Message-Digest Algorithm source file md5.c and md4.c Add RSA-MD in LICENSE field for ppp package Signed-off-by: Poonam Jadhav Signed-off-by: Steve Sakoman --- meta/recipes-connectivity/ppp/ppp_2.4.9.bb | 2

[OE-core][kirkstone 4/7] nghttp2: Fix CVE-2024-28182

usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. References: https://nvd.nist.gov/vuln/detail/CVE-2024-28182 Signed-off-by: Soumya Sambu Signed-off-by: Steve

[OE-core][kirkstone 3/7] rust: add CVE_CHECK_IGNORE for CVE-2024-24576

-off-by: Steve Sakoman --- meta/recipes-devtools/rust/rust-source.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc index ea70ad786f..c377a680a7 100644 --- a/meta/recipes-devtools/rust/rust-source.inc +++ b/

[OE-core][kirkstone 2/7] ruby: fix CVE-2024-27281

From: Yogita Urade ruby: RCE vulnerability with .rdoc_options in RDoc References: https://github.com/ruby/ruby/pull/10316 https://security-tracker.debian.org/tracker/CVE-2024-27281 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2024-27281.patch

[OE-core][kirkstone 1/7] libssh2: fix CVE-2023-48795

From: Meenali Gupta References: https://nvd.nist.gov/vuln/detail/CVE-2023-48795 Signed-off-by: Meenali Gupta Signed-off-by: Steve Sakoman --- .../libssh2/libssh2/CVE-2023-48795.patch | 459 ++ .../recipes-support/libssh2/libssh2_1.10.0.bb | 1 + 2 files changed, 460

[OE-core][kirkstone 0/7] Patch review

CVE_CHECK_IGNORE for CVE-2024-24576 Meenali Gupta (1): libssh2: fix CVE-2023-48795 Poonam Jadhav (1): ppp: Add RSA-MD in LICENSE Sana Kazi (1): systemd: Fix vlan qos mapping Soumya Sambu (1): nghttp2: Fix CVE-2024-28182 Steve Sakoman (1): valgrind: skip intermittently failing ptest

[OE-core][kirkstone 10/10] tcl: skip async and event tests in run-ptest

From: Ross Burton These test suites are full of timing-sensitive test cases, so skip them too. [ YOCTO #15321 ] Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit dd06c3668dbe9ec1cf9a0a84d7a6bc9851f9c662) Signed-off-by: Steve Sakoman --- meta/recipes

[OE-core][kirkstone 09/10] tcl: skip timing-dependent tests in run-ptest

68beb4f4b5a0bea5d431decddf7656f18ac7a04a) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/tcltk/tcl/run-ptest | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest b/meta/recipes-devtools/tcltk/tcl/run-ptest index 5b9127784e..51e1e4aa7b 100644 --- a/meta

[OE-core][kirkstone 07/10] Revert "expat: fix CVE-2023-52425"

-by: Steve Sakoman --- .../expat/expat/CVE-2023-52425-0001.patch | 40 .../expat/expat/CVE-2023-52425-0002.patch | 87 --- .../expat/expat/CVE-2023-52425-0003.patch | 222 -- .../expat/expat/CVE-2023-52425-0004.patch | 42 .../expat/expat/CVE-2023

[OE-core][kirkstone 08/10] tcl: Add a way to skip ptests

fa66f1cee2d88c2276442e8b4aaeccde5490f9ea) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/tcltk/tcl/run-ptest | 4 ++-- meta/recipes-devtools/tcltk/tcl_8.6.11.bb | 5 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest b/meta/recipes-devtools

[OE-core][kirkstone 06/10] ncurses: patch CVE-2023-50495

From: Peter Marko backport relevant parts from https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ncurses/files/CVE-2023-50495.patch| 81 +++ .../ncurses/ncurses_6.3+20220423

[OE-core][kirkstone 05/10] openssl: patch CVE-2024-2511

From: Peter Marko Patch: https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d News: https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2024-2511

[OE-core][kirkstone 04/10] xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081

From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee Signed-off-by: Vijay Anusuri Signed-off-by: S

[OE-core][kirkstone 03/10] openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE

From: Sana Kazi Add CVE-2023-51767 to CVE_CHECK_IGNORE to avoid in cve-check reports as upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and does not intent to address it in OpenSSH. Signed-off-by: Sana Kazi Signed-off-by: Sana Kazi Signed-off-by: Steve Sakoman --- meta

[OE-core][kirkstone 02/10] perl: ignore CVE-2023-47100

From: Alex Stewart CVE-2023-47100 is a duplicate of CVE-2023-47038. They have the same advertised fix commit, which has already been merged into the perl_5.34.3 sources used in kirkstone. Signed-off-by: Alex Stewart Signed-off-by: Steve Sakoman --- meta/recipes-devtools/perl/perl_5.34.3.bb

[OE-core][kirkstone 01/10] cups: fix typo in CVE-2023-32360 backport patch

directive AuthType on line 77 of /etc/cups/cupsd.conf. Signed-off-by: Jonathan GUILLOT Signed-off-by: Steve Sakoman --- meta/recipes-extended/cups/cups/CVE-2023-32360.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.pat

[OE-core][kirkstone 00/10] Patch review

and event tests in run-ptest Sana Kazi (1): openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE Steve Sakoman (1): Revert "expat: fix CVE-2023-52425" Vijay Anusuri (1): xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081 .../openssh/openssh_8.9p1.bb | 5 + .

Re: [OE-core] [kirkstone][PATCH] rust: set CVE_STATUS for CVE-2024-24576

CVE_STATUS is not supported in kirkstone, you should use CVE_CHECK_IGNORE Steve On Mon, Apr 15, 2024 at 5:01 AM Sadineni, Harish via lists.openembedded.org wrote: > > From: Harish Sadineni > > CVE-2024-24576 only applies when invoking batch files (with the `bat` and > `cmd` extensions) on

[OE-core] OE-core CVE metrics for nanbield on Sun 14 Apr 2024 04:00:01 AM HST

Branch: nanbield New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 128 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

[OE-core] OE-core CVE metrics for kirkstone on Sun 14 Apr 2024 03:00:01 AM HST

Branch: kirkstone New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 35 unpatched CVEs CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 * CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native

[OE-core] OE-core CVE metrics for dunfell on Sun 14 Apr 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 106 unpatched CVEs CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 * CVE-2020-25742 (CVSS3: 3.2 LOW):

[OE-core] OE-core CVE metrics for master on Sun 14 Apr 2024 01:00:01 AM HST

Branch: master New this week: 0 CVEs Removed this week: 21 CVEs CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 * CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native

Re: [OE-core] [kirkstone][PATCH] kernel.bbclass: check, if directory exists before removing empty module directory

On Fri, Apr 12, 2024 at 2:52 AM Heiko wrote: > > I used "git send-email". I don`t know, why the tabs were replaced. > > I have attached the patch with tabs. (Or do I have to create a new post?) You should send a new patch targeted for the master branch since we need to fix this there first

Re: [OE-core] [kirkstone][PATCH] kernel.bbclass: check, if directory exists before removing empty module directory

This patch doesn't apply for me: Applying: kernel.bbclass: check, if directory exists before removing empty module directory Using index info to reconstruct a base tree... error: patch failed: meta/classes/kernel.bbclass:452 error: meta/classes/kernel.bbclass: patch does not apply error: Did you

[OE-core][dunfell 5/5] licenses.conf: Add missing LGPLv2.0+ license

From: Colin McAllister Adds LGPLv2.0+ license variation to match LGPLv2+. Signed-off-by: Colin McAllister Signed-off-by: Steve Sakoman --- meta/conf/licenses.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/conf/licenses.conf b/meta/conf/licenses.conf index d14c365977

[OE-core][dunfell 4/5] xserver-xorg: Backport fix for CVE-2024-31080

From: Ashish Sharma Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../xserver-xorg/CVE-2024-31080.patch | 49 +++ .../xorg-xserver

[OE-core][dunfell 3/5] xserver-xorg: Backport fix for CVE-2024-31081

From: Ashish Sharma Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../xserver-xorg/CVE-2024-31081.patch | 47 +++ .../xorg-xserver

[OE-core][dunfell 2/5] go: Backport fix for CVE-2024-24784

From: Ashish Sharma Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c] Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2024-24784.patch

[OE-core][dunfell 1/5] ncurses: Backport fix for CVE-2023-50495

From: Vijay Anusuri Upstream-Status: Backport from https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc Reference: https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz Signed-off-by: Vijay Anusuri Signed-off-by: Steve

[OE-core][dunfell 0/5] Patch review

Please review this set of changes for dunfell and have comments back by end of day Friday, April 12 Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6774 The following changes since commit 47ce772102b45db14dc21112367534ea1c37e33c: perf: bump PR

Re: [oe-core][kirkstone][PATCH v2 1/1] expat: fix CVE-2023-52425

Unfortunately this change is causing ptest failures: {'expat': ['test_accounting_precision', 'test_return_ns_triplet', 'test_column_number_after_parse', 'test_default_current', 'test_external_entity_values']} Could you investigate and see if you can

[OE-core] OE-core CVE metrics for nanbield on Sun 07 Apr 2024 04:00:01 AM HST

Branch: nanbield New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 128 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

[OE-core] OE-core CVE metrics for kirkstone on Sun 07 Apr 2024 03:00:01 AM HST

Branch: kirkstone New this week: 1 CVEs CVE-2023-44487 (CVSS3: 7.5 HIGH): go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44487 * Removed this week: 9 CVEs CVE-2023-44487 (CVSS3: 7.5 HIGH): go:nghttp2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44487 * CVE-2023-45803

[OE-core] OE-core CVE metrics for dunfell on Sun 07 Apr 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 3 CVEs CVE-2023-52356 (CVSS3: 7.5 HIGH): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52356 * CVE-2023-6277 (CVSS3: 6.5 MEDIUM): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6277 * CVE-2024-0727

[OE-core] OE-core CVE metrics for master on Sun 07 Apr 2024 01:00:01 AM HST

Branch: master New this week: 21 CVEs CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 * CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4860 * CVE-2019-14553 (CVSS3:

Re: [OE-core] [PATCH][dunfell] linux-yocto/5.4: update to v5.4.273

Hi Bruce, I'm getting warnings in my autobuilder testing: WARNING: linux-yocto-5.4.273+gitAUTOINC+c841eec84c_fe901e2f4b-r0 do_kernel_configcheck: [kernel config]: This BSP sets config options that are not offered anywhere within this kernel: CONFIG_NET_SCH_DSMARK CONFIG_NET_SCH_CBQ Steve On

Re: [OE-core] [dunfell][PATCH] shadow: fix CVE-2023-4641

On Wed, Apr 3, 2024 at 2:29 AM Hugo Simeliere via lists.openembedded.org wrote: > > From: Hugo SIMELIERE > > Upstream-Status: Backport > [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] > > Signed-off-by: Hugo SIMELIERE > --- >

[OE-core][kirkstone 9/9] common-licenses: Backport missing license

From: Colin McAllister Backports missing license from master to kirkstone. Signed-off-by: Colin McAllister Signed-off-by: Steve Sakoman --- .../LGPL-3.0-with-zeromq-exception| 181 ++ 1 file changed, 181 insertions(+) create mode 100644 meta/files/common-licenses

[OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ALSR

project, as gcc has not yet backported anything for the 11 series. Signed-off-by: Claus Stovgaard Signed-off-by: Steve Sakoman --- meta/recipes-devtools/gcc/gcc-11.4.inc| 1 + .../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 +++ 2 files changed, 64 insertions(+) create

[OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18

E-Core rev: 74da05b63634c248910594456dae286947f33da5) Signed-off-by: Tan Wen Yan Signed-off-by: Steve Sakoman Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename

[OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277

From: Lee Chee Yang import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 import from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2023-52356.patch | 54

[OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683

From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools

[OE-core][kirkstone 3/9] expat: fix CVE-2023-52425

directory are not included as most of the files are not present and are introduced in the later version. Signed-off-by: Meenali Gupta Signed-off-by: Steve Sakoman --- .../expat/expat/CVE-2023-52425-0001.patch | 40 .../expat/expat/CVE-2023-52425-0002.patch | 87 +++ .../expat

[OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398

/deca8039991886a559b67bcd6701db800a5cf764] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2024-2398.patch | 89 +++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398

[OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409

From: Lee Chee Yang fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409 Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2023-6816.patch | 57 .../xwayland/xwayland/CVE-2024-0408.patch | 65 +++ .../xwayland/xwayland

[OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487

/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 Signed-off-by: Zahir Hussain Signed-off-by: Steve Sakoman --- .../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++ .../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 + 2 files changed, 928 insertions(+) create mode

[OE-core][kirkstone 0/9] Patch review

Please review this set of changes for kirkstone and have comments back by end of day Thursday, April 4 Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758 The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33: glibc: Fix

[OE-core][dunfell 7/7] perf: bump PR to deal with sstate corruption on autobuilder

Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman --- meta/recipes-kernel/perf/perf.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb index

[OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727

Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2024-0727.patch | 122 ++ .../openssl/openssl_1.1.1w.bb | 1 + 2 files changed, 123 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch diff --git a/me

[OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder

Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman --- meta/recipes-extended/tar/tar_1.32.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index

[OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398

/deca8039991886a559b67bcd6701db800a5cf764] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2024-2398.patch | 88 +++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398

[OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804

From: Vijay Anusuri Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../tar/tar/CVE-2023-39804.patch | 64 +++ meta/recipes

[OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

gned-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 3 + .../go/go-1.14/CVE-2023-45289.patch | 121 .../go/go-1.14/CVE-2023-45290.patch | 271 ++ .../go/go-1.14/CVE-2024-24785.patch

[OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356

c35a & https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2023-52356.patch| 53 + .../libtiff/files/CVE-2023-6277-1.patch | 191 ++ .../l

[OE-core][dunfell 0/7] Patch review

-uninative: Update to 4.4 for glibc 2.39 (2024-03-18 11:44:32 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Steve Sakoman (2): tar: bump PR

Re: [OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019

I'm getting oe-selftest failures with this patch: https://errors.yoctoproject.org/Errors/Details/761408/ "Failed: qemux86 does not shutdown within timeout(120)" Steve On Fri, Mar 29, 2024 at 12:38 AM Urade, Yogita via lists.openembedded.org wrote: > > From: Yogita Urade > > A DMA reentrancy

Re: [OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

On Sun, Mar 31, 2024 at 3:50 PM Vijay Anusuri wrote: > > Sure Randy. > > Issue introduced last year in util-linux v2.39. > > The offending commits are: > > * https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7c >("write: correctly handle wide characters") > *

[OE-core] OE-core CVE metrics for nanbield on Sun 31 Mar 2024 04:00:01 AM HST

Branch: nanbield New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 128 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

[OE-core] OE-core CVE metrics for kirkstone on Sun 31 Mar 2024 03:00:01 AM HST

Branch: kirkstone New this week: 0 CVEs Removed this week: 1 CVEs CVE-2023-52426 (CVSS3: 5.5 MEDIUM): expat:expat-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52426 * Full list: Found 43 unpatched CVEs CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native

[OE-core] OE-core CVE metrics for dunfell on Sun 31 Mar 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 1 CVEs CVE-2024-25062 (CVSS3: 7.5 HIGH): libxml2:libxml2-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062 * Full list: Found 109 unpatched CVEs CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native

[OE-core] OE-core CVE metrics for master on Sun 31 Mar 2024 01:00:01 AM HST

Branch: master New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 37 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

Re: [OE-core] [PATCH][kirkstone] openssl: fix crash on aarch64 if BTI is enabled but no Crypto instructions

Sorry for the delayed response, but I found the same issue with the kirkstone version that Vivek did. Awaiting a V2 :-) Steve On Thu, Mar 28, 2024 at 5:51 PM Vivek Kumbhar via lists.openembedded.org wrote: > > Kirkstone-nut openssl compile error: > > Error Log: > > ERROR: openssl-3.0.13-r0

Re: [OE-core] [kirkstone][PATCH 1/2] python3-unittest-automake-output: add new recipe for ptest integration

Sorry, it is outside of stable branch policy to add features so I can't take this patch series. Steve On Tue, Mar 26, 2024 at 9:22 PM Yu, Mingli wrote: > > From: Ross Burton > > This package contains modules for both unittest and pytest that alter > the output to look like automake's 'make

Re: [OE-core][kirkstone][PATCH] openssl: Improve FIPS RSA keygen performac

On Tue, Mar 26, 2024 at 11:34 AM Randy MacLeod via lists.openembedded.org wrote: > > On 2024-03-19 7:23 p.m., Steve Sakoman wrote: > > On Tue, Mar 19, 2024 at 11:45 AM Randy MacLeod > wrote: > > Hi Haitao, et al, > > > Summary: > > I think we could bring thes

[OE-core] OE-core CVE metrics for nanbield on Sun 24 Mar 2024 04:00:01 AM HST

Branch: nanbield New this week: 11 CVEs CVE-2023-52448 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52448 * CVE-2023-52449 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52449 * CVE-2023-52450 (CVSS3: 5.5

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin wrote: > I’m getting slightly concerned, no new CVEs second week in a row? Did the > checker break? > > Alex > > On Sun 24. Mar 20

[OE-core] OE-core CVE metrics for kirkstone on Sun 24 Mar 2024 03:00:01 AM HST

Branch: kirkstone New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 44 unpatched CVEs CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 * CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native

[OE-core] OE-core CVE metrics for dunfell on Sun 24 Mar 2024 02:00:01 AM HST

Branch: dunfell New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 110 unpatched CVEs CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 * CVE-2020-25742 (CVSS3: 3.2 LOW):

[OE-core] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

Branch: master New this week: 0 CVEs Removed this week: 0 CVEs Full list: Found 37 unpatched CVEs CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 * CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto

[OE-core] Final dunfell release build on April 15, 2024

If you have any patches you would like to submit for dunfell before it goes EOL, please do so now! I'll be taking patches until around April 8 in preparation for an April 15 build. Steve -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#197417):

[OE-core][dunfell 12/12] yocto-uninative: Update to 4.4 for glibc 2.39

From: Michael Halstead Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit 56fdd8b79e2f7ec30d2cdcfa0c399a6553efac1e) Signed-off-by: Steve Sakoman --- meta/conf/distro/include/yocto-uninative.inc | 10 +- 1 file changed, 5 insertions(+), 5

[OE-core][dunfell 11/12] linux-firmware: upgrade 20231211 -> 20240220

From: Alexander Kanavin License-Update: additional files Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit add81ef0299ea5260f9bdc59ffc8f5cc0e74276f) Signed-off-by: Steve Sakoman --- ...{linux-firmware_20231211.bb => linux-firmware_20240220.bb}

[OE-core][dunfell 10/12] linux-firmware: upgrade 20231030 -> 20231211

From: Alexander Sverdlin Signed-off-by: Alexander Sverdlin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 0caafdbbf4e7dc84b919afe14f7cb8c46a9e4ac2) Signed-off-by: Steve Sakoman --- ...nux-firmware_20231030.bb => linux-firmware_20231211.bb}

[OE-core][dunfell 09/12] wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23

d to not depend on file order") are required if you are using kernel signature verification. Signed-off-by: Alex Kiernan Signed-off-by: Alexandre Belloni (cherry picked from commit abf169fbbf8bab13224adf4c8bfa2e26607f360c) Signed-off-by: Steve Sakoman --- ...eless-regdb_2023.09.01.bb => wi

[OE-core][dunfell 08/12] wireless-regdb: upgrade 2023.05.03 -> 2023.09.01

) from March 2022 guidel... wireless-regdb: Update regulatory rules for Philippines (PH) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie (cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716) Signed-off-by: Steve Sakoman --- ...ireless-regdb_2023.05.03.bb => wirel

[OE-core][dunfell 07/12] cve-update-nvd2-native: Remove rejected CVE from database

Purdie (cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve

[OE-core][dunfell 06/12] cve-update-nvd2-native: Fix CVE configuration update

e-check. Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/met

[OE-core][dunfell 05/12] cve-update-nvd2-native: nvd_request_next: Improve comment

From: Yoann Congal Add a URL to the doc of the API used in the function. ... and fix a small typo dabase -> database Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7) Signed-off-by: Steve Sakoman --- meta/reci

[OE-core][dunfell 04/12] cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition

(cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2

[OE-core][dunfell 03/12] cve-update-nvd2-native: Add an age threshold for incremental update

off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86) Signed-off-by: Steve Sakoman --- .../meta/cve-update-nvd2-native.bb| 20 +++ 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/meta/r

[OE-core][dunfell 02/12] cve-update-nvd2-native: Fix typo in comment

From: Yoann Congal attmepts -> attempts Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit dc18aaeda8e810f9082a0ceac08e5e4275bbd0f7) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +- 1 file changed, 1 insertion(+)

[OE-core][dunfell 01/12] libxml2: Backport fix for CVE-2024-25062

From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 & https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sak

[OE-core][dunfell 00/12] Patch review

Please review this set of changes for dunfell and have comments back by end of day Friday, March 22 Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6692 The following changes since commit b49b0a3dd74c24f3a011c9c0b5cf8f6530956cfa:

[OE-core][kirkstone 15/15] glibc: Fix subscript typos for get_nscd_addresses

/show_bug.cgi?id=29605 Upstream-patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8 Signed-off-by: Haitao Liu Signed-off-by: Steve Sakoman --- ...dresses-Fix-subscript-typos-BZ-29605.patch | 40 +++ meta/recipes-core/glibc/glibc_2.35.bb

  1   2   3   4   5   6   7   8   9   10   >