Branch: kirkstone
New this week: 0 CVEs
Removed this week: 1 CVEs
CVE-2023-48795 (CVSS3: 5.9 MEDIUM): libssh2:libssh2-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 *
Full list: Found 33 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native
Branch: dunfell
New this week: 0 CVEs
Removed this week: 1 CVEs
CVE-2023-6683 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 *
Full list: Found 105 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM):
Branch: master
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 38 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
This patch caused multiple build failures both locally and on the autobuilder.
Here is a link to the autobuilder run:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6845
Sample error log:
https://errors.yoctoproject.org/Errors/Details/763370/
Steve
On Tue, Apr 23, 2024 at
There is already a fix for this CVE in kirkstone:
https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=888ea24812c21910e74c864313be56f02fad6c2e
Steve
On Fri, Apr 19, 2024 at 1:19 AM dnyandev via lists.openembedded.org
wrote:
>
> Backport the upstream fix for CVE-2023-48795.
>
> (From OE-Core
Dunfell has reached end of life and we are no longer taking changes.
The final build was done on April 15.
Steve
On Mon, Apr 15, 2024 at 12:21 AM Timon Bergelt via
lists.openembedded.org
wrote:
>
> Overwriting the lsb string without inheriting from uninative causes
> shared state cache entries
Dunfell has reached end of life and we are no longer taking changes.
The final build was done on April 15.
Steve
On Tue, Apr 23, 2024 at 12:35 AM virendra thakur via
lists.openembedded.org
wrote:
>
> Add patch file to fix CVE-2022-44840
>
> Reference:
>
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
>
> (From OE-Core rev: 5819c839e1de92ab7669a0d4997886d0306c4cc1)
>
> Signed-off-by: Soumya
> Signed-off-by: Steve Sakoman
> (cherry picked from commit 80ecd63cc84d7eb9db26ec47d4afcf5a59d598
Branch: nanbield
New this week: 26 CVEs
CVE-2023-52436 (CVSS3: 7.8 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52436 *
CVE-2023-52454 (CVSS3: 5.5 MEDIUM): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52454 *
CVE-2023-52458 (CVSS3: 5.5
Branch: kirkstone
New this week: 1 CVEs
CVE-2023-52425 (CVSS3: 7.5 HIGH): expat:expat-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425 *
Removed this week: 2 CVEs
CVE-2023-47100 (CVSS3: 9.8 CRITICAL): perl:perl-native
Branch: dunfell
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 106 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-25742 (CVSS3: 3.2 LOW):
Branch: master
New this week: 1 CVEs
CVE-2024-26596 (CVSS3: 5.5 MEDIUM): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26596 *
Removed this week: 0 CVEs
Full list: Found 38 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
On Wed, Apr 17, 2024 at 3:33 PM Steve Sakoman via
lists.openembedded.org
wrote:
>
>
>
> On Wed, Apr 17, 2024, 2:33 PM Richard Purdie
> wrote:
>>
>> On Wed, 2024-04-17 at 13:35 -0700, Steve Sakoman via lists.openembedded.org
>> wrote:
>> > From: Poo
On Wed, Apr 17, 2024, 2:33 PM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:
> On Wed, 2024-04-17 at 13:35 -0700, Steve Sakoman via
> lists.openembedded.org wrote:
> > From: Poonam Jadhav
> >
> > ppp package has "RSA Data Security" license tex
Intermittent failures on autobuilder:
AssertionError: Failed ptests:
{'valgrind': ['memcheck/tests/linux/timerfd-syscall']}
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/valgrind/valgrind/remove-for-all | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools
Kazi
Signed-off-by: Steve Sakoman
---
.../systemd/fix-vlan-qos-mapping.patch| 140 ++
meta/recipes-core/systemd/systemd_250.5.bb| 1 +
2 files changed, 141 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/fix-vlan-qos-mapping.patch
diff --git a/meta
From: Poonam Jadhav
ppp package has "RSA Data Security" license text
in Message-Digest Algorithm source file md5.c and md4.c
Add RSA-MD in LICENSE field for ppp package
Signed-off-by: Poonam Jadhav
Signed-off-by: Steve Sakoman
---
meta/recipes-connectivity/ppp/ppp_2.4.9.bb | 2
usage to decode HPACK stream. nghttp2 v1.61.0
mitigates this vulnerability by limiting the number of CONTINUATION
frames it accepts per stream. There is no workaround for this
vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28182
Signed-off-by: Soumya Sambu
Signed-off-by: Steve
-off-by: Steve Sakoman
---
meta/recipes-devtools/rust/rust-source.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/rust/rust-source.inc
b/meta/recipes-devtools/rust/rust-source.inc
index ea70ad786f..c377a680a7 100644
--- a/meta/recipes-devtools/rust/rust-source.inc
+++ b/
From: Yogita Urade
ruby: RCE vulnerability with .rdoc_options in RDoc
References:
https://github.com/ruby/ruby/pull/10316
https://security-tracker.debian.org/tracker/CVE-2024-27281
Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
.../ruby/ruby/CVE-2024-27281.patch
From: Meenali Gupta
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
Signed-off-by: Meenali Gupta
Signed-off-by: Steve Sakoman
---
.../libssh2/libssh2/CVE-2023-48795.patch | 459 ++
.../recipes-support/libssh2/libssh2_1.10.0.bb | 1 +
2 files changed, 460
CVE_CHECK_IGNORE for CVE-2024-24576
Meenali Gupta (1):
libssh2: fix CVE-2023-48795
Poonam Jadhav (1):
ppp: Add RSA-MD in LICENSE
Sana Kazi (1):
systemd: Fix vlan qos mapping
Soumya Sambu (1):
nghttp2: Fix CVE-2024-28182
Steve Sakoman (1):
valgrind: skip intermittently failing ptest
From: Ross Burton
These test suites are full of timing-sensitive test cases, so skip
them too.
[ YOCTO #15321 ]
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit dd06c3668dbe9ec1cf9a0a84d7a6bc9851f9c662)
Signed-off-by: Steve Sakoman
---
meta/recipes
68beb4f4b5a0bea5d431decddf7656f18ac7a04a)
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/tcltk/tcl/run-ptest | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest
b/meta/recipes-devtools/tcltk/tcl/run-ptest
index 5b9127784e..51e1e4aa7b 100644
--- a/meta
-by: Steve Sakoman
---
.../expat/expat/CVE-2023-52425-0001.patch | 40
.../expat/expat/CVE-2023-52425-0002.patch | 87 ---
.../expat/expat/CVE-2023-52425-0003.patch | 222 --
.../expat/expat/CVE-2023-52425-0004.patch | 42
.../expat/expat/CVE-2023
fa66f1cee2d88c2276442e8b4aaeccde5490f9ea)
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/tcltk/tcl/run-ptest | 4 ++--
meta/recipes-devtools/tcltk/tcl_8.6.11.bb | 5 +
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest
b/meta/recipes-devtools
From: Peter Marko
backport relevant parts from
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
.../ncurses/files/CVE-2023-50495.patch| 81 +++
.../ncurses/ncurses_6.3+20220423
From: Peter Marko
Patch:
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
News:
https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
.../openssl/openssl/CVE-2024-2511
From: Vijay Anusuri
Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
Signed-off-by: Vijay Anusuri
Signed-off-by: S
From: Sana Kazi
Add CVE-2023-51767 to CVE_CHECK_IGNORE to avoid in cve-check reports
as upstream does not consider CVE-2023-51767 a bug underlying in
OpenSSH and does not intend to address it in OpenSSH.
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
Signed-off-by: Steve Sakoman
---
meta
From: Alex Stewart
CVE-2023-47100 is a duplicate of CVE-2023-47038. They have the same
advertised fix commit, which has already been merged into the
perl_5.34.3 sources used in kirkstone.
Signed-off-by: Alex Stewart
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/perl/perl_5.34.3.bb
directive AuthType on line 77 of /etc/cups/cupsd.conf.
Signed-off-by: Jonathan GUILLOT
Signed-off-by: Steve Sakoman
---
meta/recipes-extended/cups/cups/CVE-2023-32360.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.pat
and event tests in run-ptest
Sana Kazi (1):
openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE
Steve Sakoman (1):
Revert "expat: fix CVE-2023-52425"
Vijay Anusuri (1):
xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081
.../openssh/openssh_8.9p1.bb | 5 +
.
CVE_STATUS is not supported in kirkstone, you should use CVE_CHECK_IGNORE
Steve
On Mon, Apr 15, 2024 at 5:01 AM Sadineni, Harish via
lists.openembedded.org
wrote:
>
> From: Harish Sadineni
>
> CVE-2024-24576 only applies when invoking batch files (with the `bat` and
> `cmd` extensions) on
Branch: nanbield
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 128 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
Branch: kirkstone
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 35 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *
CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native
Branch: dunfell
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 106 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-25742 (CVSS3: 3.2 LOW):
Branch: master
New this week: 0 CVEs
Removed this week: 21 CVEs
CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 *
CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
On Fri, Apr 12, 2024 at 2:52 AM Heiko wrote:
>
> I used "git send-email". I don't know why the tabs were replaced.
>
> I have attached the patch with tabs. (Or do I have to create a new post?)
You should send a new patch targeted for the master branch since we
need to fix this there first
This patch doesn't apply for me:
Applying: kernel.bbclass: check, if directory exists before removing
empty module directory
Using index info to reconstruct a base tree...
error: patch failed: meta/classes/kernel.bbclass:452
error: meta/classes/kernel.bbclass: patch does not apply
error: Did you
From: Colin McAllister
Adds LGPLv2.0+ license variation to match LGPLv2+.
Signed-off-by: Colin McAllister
Signed-off-by: Steve Sakoman
---
meta/conf/licenses.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/conf/licenses.conf b/meta/conf/licenses.conf
index d14c365977
From: Ashish Sharma
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
Signed-off-by: Ashish Sharma
Signed-off-by: Steve Sakoman
---
.../xserver-xorg/CVE-2024-31080.patch | 49 +++
.../xorg-xserver
From: Ashish Sharma
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
Signed-off-by: Ashish Sharma
Signed-off-by: Steve Sakoman
---
.../xserver-xorg/CVE-2024-31081.patch | 47 +++
.../xorg-xserver
From: Ashish Sharma
Upstream-Status: Backport
[https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
Signed-off-by: Ashish Sharma
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2024-24784.patch
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
Reference:
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve
Please review this set of changes for dunfell and have comments back by
end of day Friday, April 12
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6774
The following changes since commit 47ce772102b45db14dc21112367534ea1c37e33c:
perf: bump PR
Unfortunately this change is causing ptest failures:
{'expat': ['test_accounting_precision',
'test_return_ns_triplet',
'test_column_number_after_parse',
'test_default_current',
'test_external_entity_values']}
Could you investigate and see if you can
Branch: nanbield
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 128 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
Branch: kirkstone
New this week: 1 CVEs
CVE-2023-44487 (CVSS3: 7.5 HIGH): go
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44487 *
Removed this week: 9 CVEs
CVE-2023-44487 (CVSS3: 7.5 HIGH): go:nghttp2
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44487 *
CVE-2023-45803
Branch: dunfell
New this week: 0 CVEs
Removed this week: 3 CVEs
CVE-2023-52356 (CVSS3: 7.5 HIGH): tiff
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52356 *
CVE-2023-6277 (CVSS3: 6.5 MEDIUM): tiff
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6277 *
CVE-2024-0727
Branch: master
New this week: 21 CVEs
CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 *
CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4860 *
CVE-2019-14553 (CVSS3:
Hi Bruce,
I'm getting warnings in my autobuilder testing:
WARNING: linux-yocto-5.4.273+gitAUTOINC+c841eec84c_fe901e2f4b-r0
do_kernel_configcheck: [kernel config]: This BSP sets config options
that are not offered anywhere within this kernel:
CONFIG_NET_SCH_DSMARK
CONFIG_NET_SCH_CBQ
Steve
On
On Wed, Apr 3, 2024 at 2:29 AM Hugo Simeliere via
lists.openembedded.org
wrote:
>
> From: Hugo SIMELIERE
>
> Upstream-Status: Backport
> [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
>
> Signed-off-by: Hugo SIMELIERE
> ---
>
From: Colin McAllister
Backports missing license from master to kirkstone.
Signed-off-by: Colin McAllister
Signed-off-by: Steve Sakoman
---
.../LGPL-3.0-with-zeromq-exception| 181 ++
1 file changed, 181 insertions(+)
create mode 100644 meta/files/common-licenses
project, as gcc has not yet backported
anything for the 11 series.
Signed-off-by: Claus Stovgaard
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/gcc/gcc-11.4.inc| 1 +
.../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 +++
2 files changed, 64 insertions(+)
create
E-Core rev: 74da05b63634c248910594456dae286947f33da5)
Signed-off-by: Tan Wen Yan
Signed-off-by: Steve Sakoman
Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman
---
.../{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Lee Chee Yang
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
import from
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman
---
.../libtiff/tiff/CVE-2023-52356.patch | 54
From: Vijay Anusuri
Upstream-Status: Backport from
https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools
directory are not included as most of the files are not
present
and are introduced in the later version.
Signed-off-by: Meenali Gupta
Signed-off-by: Steve Sakoman
---
.../expat/expat/CVE-2023-52425-0001.patch | 40
.../expat/expat/CVE-2023-52425-0002.patch | 87 +++
.../expat
/deca8039991886a559b67bcd6701db800a5cf764]
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../curl/curl/CVE-2024-2398.patch | 89 +++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 90 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398
From: Lee Chee Yang
fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409
Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman
---
.../xwayland/xwayland/CVE-2023-6816.patch | 57
.../xwayland/xwayland/CVE-2024-0408.patch | 65 +++
.../xwayland/xwayland
/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
Signed-off-by: Zahir Hussain
Signed-off-by: Steve Sakoman
---
.../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
2 files changed, 928 insertions(+)
create mode
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758
The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33:
glibc: Fix
Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue
Signed-off-by: Steve Sakoman
---
meta/recipes-kernel/perf/perf.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index
Signed-off-by: Steve Sakoman
---
.../openssl/openssl/CVE-2024-0727.patch | 122 ++
.../openssl/openssl_1.1.1w.bb | 1 +
2 files changed, 123 insertions(+)
create mode 100644
meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
diff --git a/me
Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue
Signed-off-by: Steve Sakoman
---
meta/recipes-extended/tar/tar_1.32.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/tar/tar_1.32.bb
b/meta/recipes-extended/tar/tar_1.32.bb
index
/deca8039991886a559b67bcd6701db800a5cf764]
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../curl/curl/CVE-2024-2398.patch | 88 +++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 89 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398
From: Vijay Anusuri
Upstream-Status: Backport from
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../tar/tar/CVE-2023-39804.patch | 64 +++
meta/recipes
gned-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-45289.patch | 121
.../go/go-1.14/CVE-2023-45290.patch | 271 ++
.../go/go-1.14/CVE-2024-24785.patch
c35a
&
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../libtiff/files/CVE-2023-52356.patch| 53 +
.../libtiff/files/CVE-2023-6277-1.patch | 191 ++
.../l
-uninative: Update to 4.4 for glibc 2.39 (2024-03-18 11:44:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Steve Sakoman (2):
tar: bump PR
I'm getting oe-selftest failures with this patch:
https://errors.yoctoproject.org/Errors/Details/761408/
"Failed: qemux86 does not shutdown within timeout(120)"
Steve
On Fri, Mar 29, 2024 at 12:38 AM Urade, Yogita via
lists.openembedded.org
wrote:
>
> From: Yogita Urade
>
> A DMA reentrancy
On Sun, Mar 31, 2024 at 3:50 PM Vijay Anusuri wrote:
>
> Sure Randy.
>
> Issue introduced last year in util-linux v2.39.
>
> The offending commits are:
>
> * https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7c
>("write: correctly handle wide characters")
> *
Branch: nanbield
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 128 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
Branch: kirkstone
New this week: 0 CVEs
Removed this week: 1 CVEs
CVE-2023-52426 (CVSS3: 5.5 MEDIUM): expat:expat-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52426 *
Full list: Found 43 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native
Branch: dunfell
New this week: 0 CVEs
Removed this week: 1 CVEs
CVE-2024-25062 (CVSS3: 7.5 HIGH): libxml2:libxml2-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062 *
Full list: Found 109 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native
Branch: master
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 37 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
Sorry for the delayed response, but I found the same issue with the
kirkstone version that Vivek did.
Awaiting a V2 :-)
Steve
On Thu, Mar 28, 2024 at 5:51 PM Vivek Kumbhar via
lists.openembedded.org
wrote:
>
> Kirkstone-nut openssl compile error:
>
> Error Log:
>
> ERROR: openssl-3.0.13-r0
Sorry, it is outside of stable branch policy to add features so I
can't take this patch series.
Steve
On Tue, Mar 26, 2024 at 9:22 PM Yu, Mingli wrote:
>
> From: Ross Burton
>
> This package contains modules for both unittest and pytest that alter
> the output to look like automake's 'make
On Tue, Mar 26, 2024 at 11:34 AM Randy MacLeod via
lists.openembedded.org
wrote:
>
> On 2024-03-19 7:23 p.m., Steve Sakoman wrote:
>
> On Tue, Mar 19, 2024 at 11:45 AM Randy MacLeod
> wrote:
>
> Hi Haitao, et al,
>
>
> Summary:
>
> I think we could bring thes
Branch: nanbield
New this week: 11 CVEs
CVE-2023-52448 (CVSS3: 5.5 MEDIUM): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52448 *
CVE-2023-52449 (CVSS3: 5.5 MEDIUM): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52449 *
CVE-2023-52450 (CVSS3: 5.5
https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers
On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin
wrote:
> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>
> Alex
>
> On Sun 24. Mar 20
Branch: kirkstone
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 44 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *
CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native
Branch: dunfell
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 110 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-25742 (CVSS3: 3.2 LOW):
Branch: master
New this week: 0 CVEs
Removed this week: 0 CVEs
Full list: Found 37 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
If you have any patches you would like to submit for dunfell before
it goes EOL, please do so now!
I'll be taking patches until around April 8 in preparation for an
April 15 build.
Steve
From: Michael Halstead
Signed-off-by: Michael Halstead
Signed-off-by: Richard Purdie
(cherry picked from commit 56fdd8b79e2f7ec30d2cdcfa0c399a6553efac1e)
Signed-off-by: Steve Sakoman
---
meta/conf/distro/include/yocto-uninative.inc | 10 +-
1 file changed, 5 insertions(+), 5
From: Alexander Kanavin
License-Update: additional files
Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie
(cherry picked from commit add81ef0299ea5260f9bdc59ffc8f5cc0e74276f)
Signed-off-by: Steve Sakoman
---
...{linux-firmware_20231211.bb => linux-firmware_20240220.bb}
From: Alexander Sverdlin
Signed-off-by: Alexander Sverdlin
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit 0caafdbbf4e7dc84b919afe14f7cb8c46a9e4ac2)
Signed-off-by: Steve Sakoman
---
...nux-firmware_20231030.bb => linux-firmware_20231211.bb}
d to not depend on file
order") are required if you are using kernel signature verification.
Signed-off-by: Alex Kiernan
Signed-off-by: Alexandre Belloni
(cherry picked from commit abf169fbbf8bab13224adf4c8bfa2e26607f360c)
Signed-off-by: Steve Sakoman
---
...eless-regdb_2023.09.01.bb => wi
) from March 2022 guidel...
wireless-regdb: Update regulatory rules for Philippines (PH)
Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
(cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716)
Signed-off-by: Steve Sakoman
---
...ireless-regdb_2023.05.03.bb => wirel
Purdie
(cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 4
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
b/meta/recipes-core/meta/cve
e-check.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 4
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-core/met
From: Yoann Congal
Add a URL to the doc of the API used in the function.
... and fix a small typo dabase -> database
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7)
Signed-off-by: Steve Sakoman
---
meta/reci
(cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
b/meta/recipes-core/meta/cve-update-nvd2
off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
Signed-off-by: Steve Sakoman
---
.../meta/cve-update-nvd2-native.bb| 20 +++
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/meta/r
From: Yoann Congal
attmepts -> attempts
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit dc18aaeda8e810f9082a0ceac08e5e4275bbd0f7)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +-
1 file changed, 1 insertion(+)
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508
&
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sak
Please review this set of changes for dunfell and have comments back by
end of day Friday, March 22
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6692
The following changes since commit b49b0a3dd74c24f3a011c9c0b5cf8f6530956cfa:
/show_bug.cgi?id=29605
Upstream-patch:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8
Signed-off-by: Haitao Liu
Signed-off-by: Steve Sakoman
---
...dresses-Fix-subscript-typos-BZ-29605.patch | 40 +++
meta/recipes-core/glibc/glibc_2.35.bb