[OE-core] [poky][dunfell][PATCH] ffmpeg: Add fix for CVEs

2021-10-05 Thread Saloni Jain
From: Saloni Add fixes for the CVEs below: CVE-2021-3566 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54ba793d7da99ea5157532] CVE-2021-38291 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1] Signed-off-by: Saloni Jain

Re: [OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread saloni
Happy to help! I really appreciate you taking time to express gratitude. Thanks & Regards, Saloni Jain From: Steve Sakoman Sent: Monday, September 13, 2021 9:03 PM To: Saloni Jain Cc: Patches and discussions about the oe-core layer ; Khem Raj ; N

[OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread Saloni Jain
From: Saloni Jain Add fix for the CVE below: CVE-2021-33560 Link: [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320] Signed-off-by: Saloni Jain --- .../libgcrypt/files/CVE-2021-33560.patch | 108 ++ .../libgcrypt

[OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Saloni Jain
From: Saloni Jain The CVEs below affect only Oracle Berkeley DB as per upstream. Hence, whitelisted them. 1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583 2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624 3. CVE-2015-2626 Link: https

Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fixes for CVEs reported for openssh

2021-07-14 Thread saloni
Hello, Sorry, please ignore the above mail, the changes have already been merged in dunfell branches, Thanks! Thanks & Regards, Saloni From: Saloni Jain Sent: Wednesday, July 14, 2021 6:18 PM To: openembedded-core@lists.openembedded.org ; raj.k...@gmail

Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fixes for CVEs reported for openssh

2021-07-14 Thread saloni
Hello, Please take the below changes and merge them in upstream dunfell branch. Thanks & Regards, Saloni Thanks & Regards, Saloni From: openembedded-core@lists.openembedded.org on behalf of Nisha Parrakat via lists.openembedded.org Sent: Friday

Re: [OE-core] [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799

2021-07-12 Thread saloni
Hi, Please take the below changes and merge them in upstream dunfell branch. Thanks & Regards, Saloni From: Saloni Jain Sent: Sunday, May 30, 2021 4:07 PM To: openembedded-core@lists.openembedded.org ; raj.k...@gmail.com Cc: Nisha Parrakat ; Saloni

[OE-core] [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799

2021-05-30 Thread saloni
From: Saloni Jain Whitelisted the CVE below: CVE-2018-2799: the CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions, which are already fixed with updates, and the issue is closed. Link: https://access.redhat.com/security/cve/CVE-2018-2799 Link: https://bugzilla.redhat.com

Re: [OE-core] [meta-oe][dunfell][PATCH] fuse: Whitelisted CVE-2019-14860

2021-04-09 Thread saloni
Hi Anuj, Thank you for the inputs. Will send another patch with version 2 in devel list. Thanks & Regards, Saloni From: Mittal, Anuj Sent: Friday, April 9, 2021 12:21 PM To: openembedded-core@lists.openembedded.org ; Saloni Jain ; raj.k...@gmail.com Cc: N

[OE-core] [meta-oe][dunfell][PATCH] fuse: Whitelisted CVE-2019-14860

2021-04-09 Thread saloni
://access.redhat.com/security/cve/cve-2019-14860 Link: https://access.redhat.com/errata/RHSA-2019:3244 Link: https://access.redhat.com/errata/RHSA-2019:3892 Signed-off-by: Saloni Jain --- meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta-filesystems

Re: [OE-core] [poky][dunfell][PATCH] glibc: Add and modify CVEs

2021-03-22 Thread saloni
obsolete and will be whitelisted, hence the changes below can be ignored. Thanks & Regards, Saloni Jain From: Khem Raj Sent: Monday, March 22, 2021 9:58 PM To: Saloni Jain ; openembedded-core@lists.openembedded.org Cc: Nisha Parrakat Subject: Re: [poky][dun

[OE-core] [poky][dunfell][PATCH] glibc: Add and modify CVEs

2021-03-22 Thread saloni
=9a99c682144bdbd40792ebf822fe9264e0376fb5 Below patch is added: 1. CVE-2021-3326 Link: https://bugzilla.redhat.com/show_bug.cgi?id=1932589 Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=dca565886b5e8bd7966e15f0ca42ee5cff686673 Signed-off-by: Saloni Jain --- .../glibc/glibc/CVE-2019

[OE-core] [meta-oe][master][dunfell][gatesgarth][PATCH] neon: use pkg-config instead of xml2-config to configure

2021-03-08 Thread saloni
presence... no | checking for libxml/xmlversion.h... no | configure: error: could not find parser.h, libxml installation problem? | WARNING: exit code 1 from a shell command. The patch lets configure use pkg-config Signed-off-by: Nisha Parrakat Signed-off-by: Saloni Jain --- .../neon/fix

[OE-core] [poky][master][PATCH] openssl: whitelisted CVE-2018-12433, CVE-2018-12437, CVE-2018-12438

2021-03-07 Thread saloni
for which versions are affected. Link: https://security-tracker.debian.org/tracker/CVE-2018-12438 Link: https://ubuntu.com/security/CVE-2018-12438 Signed-off-by: Saloni Jain --- meta/recipes-connectivity/openssl/openssl_1.1.1j.bb | 10 ++ 1 file changed, 10 insertions(+) diff --git a/me

[OE-core] [poky][dunfell][PATCH] openssl: whitelisted CVE-2018-12433, CVE-2018-12437, CVE-2018-12438

2021-03-04 Thread saloni
for which versions are affected. Link: https://security-tracker.debian.org/tracker/CVE-2018-12438 Link: https://ubuntu.com/security/CVE-2018-12438 Signed-off-by: Saloni Jain --- meta/recipes-connectivity/openssl/openssl_1.1.1j.bb | 10 ++ 1 file changed, 10 insertions(+) diff --git a/me

[OE-core][meta-oe][dunfell][PATCH] tcpdump: Added CVE tag inside patch

2021-02-28 Thread saloni
From: Saloni Jain The CVE tag was missing inside the patch file which is the remedy for CVE-2020-8037, hence CVE-2020-8037 was still being reported in the CVE checker cycle. Hence, added the CVE tag inside the patch file to resolve the issue. Signed-off-by: Saloni.Jain --- ...-PPP-When-un-escaping-don-t
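Why an untagged backport keeps showing up in the cve-check report, and what the whitelist entries elsewhere in this thread do, as an added example. This is not code from the thread or from poky's cve_check.bbclass; it is a simplified re-implementation of the two rules cve-check applies when deciding which ids a recipe's patches cover (a CVE id in the patch file name, or a line that starts with the literal tag "CVE:"), plus the subtraction of whitelisted ids (CVE_CHECK_WHITELIST in dunfell). The patch texts, the patch file name, the maintainer addresses and the function names are constructed for illustration; the CVE ids are the ones named in this thread.

```python
import re
from typing import Dict, Iterable, Set

# A tag line in the form cve-check expects: "CVE: CVE-2020-8037" (more ids may follow).
CVE_TAG_RE = re.compile(r"^CVE:((?: CVE-\d{4}-\d+)+)", re.MULTILINE)
# The last CVE id in a patch file name, in any letter case (cve-2019-12900.patch also counts).
CVE_FNAME_RE = re.compile(r".*(cve-\d{4}-\d+)", re.IGNORECASE)


def patched_cves(patches: Dict[str, str]) -> Set[str]:
    """Return the CVE ids a recipe's patches are taken to fix.

    Simplified, assumed equivalent of the rule cve-check applies: an id counts
    as patched if it is in the patch file name or on a line starting with
    "CVE:". Ids that only appear in free text (Subject, body) are ignored on
    purpose, which is why a backport without the tag keeps being reported.
    """
    found: Set[str] = set()
    for fname, text in patches.items():
        m = CVE_FNAME_RE.match(fname)
        if m:
            found.add(m.group(1).upper())
        for tag in CVE_TAG_RE.finditer(text):
            found.update(tag.group(1).split())
    return found


def unpatched(recipe_cves: Iterable[str], patches: Dict[str, str],
              whitelist: Iterable[str]) -> Set[str]:
    """Ids cve-check would still report: NVD hits for the recipe version that
    are neither covered by a tagged patch nor listed in the whitelist."""
    return set(recipe_cves) - patched_cves(patches) - set(whitelist)


# Constructed sample input (not real recipe content): the same backported
# tcpdump fix before and after a "CVE:" header line was added.
UNTAGGED_PATCH = """\
From: Upstream Author <author@example.org>
Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.

Fixes CVE-2020-8037 (mentioned only here, which the tag scan does not read).

Upstream-Status: Backport
Signed-off-by: Example Maintainer <maintainer@example.org>
---
 print-ppp.c | 2 +-
"""

TAGGED_PATCH = UNTAGGED_PATCH.replace(
    "Upstream-Status: Backport\n",
    "Upstream-Status: Backport\nCVE: CVE-2020-8037\n",
)


def demo() -> Dict[str, Set[str]]:
    """Run the three situations from this thread on the constructed inputs."""
    name = "0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buf.patch"
    return {
        # Backport present but untagged: cve-check keeps reporting the id.
        "tcpdump-untagged": unpatched({"CVE-2020-8037"}, {name: UNTAGGED_PATCH}, []),
        # Same backport with "CVE: CVE-2020-8037" in the header: the id is cleared.
        "tcpdump-tagged": unpatched({"CVE-2020-8037"}, {name: TAGGED_PATCH}, []),
        # No fix exists; the id is recorded as not applicable via the whitelist.
        "strace-whitelisted": unpatched({"CVE-2000-0006"}, {}, ["CVE-2000-0006"]),
    }


if __name__ == "__main__":
    for case, still_reported in demo().items():
        print(f"{case}: {sorted(still_reported) or 'nothing reported'}")
```

Naming the patch file after the id (CVE-2020-14145.patch, as the openssh and libpcre patches in this thread do) is the other way to get the id recognised; a descriptive file name needs the "CVE:" line. A whitelist entry clears the report without any patch, so it should carry the justification in the recipe, as the commit messages here do.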

[OE-core] [poky][master][dunfell][gatesgarth][PATCH] strace: Whitelisted CVE-2000-0006

2021-02-07 Thread saloni
CVE-2000-0006 is not a valid bug number nor an alias to a bug, and no remedy for the CVE is available so far. Hence, it can be marked whitelisted. Signed-off-by: Saloni Jain --- meta/recipes-devtools/strace/strace_5.10.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes

[OE-core] [poky][master][dunfell][gatesgarth][PATCH v2] libcroco: Added CVE

2021-02-05 Thread saloni
Added the CVE below: CVE-2020-12825 Link: CVE-2020-12825 [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] Link: https://gitlab.gnome.org/Archive/libcroco/-/issues/8 Signed-off-by: Saloni Jain --- .../libcroco/files/CVE-2020-12825.patch| 193

[OE-core] [poky][master][dunfell][gatesgarth][PATCH v3] libgcrypt: Whitelisted CVEs

2021-02-05 Thread saloni
not directly affect libgcrypt or any specific yocto distributions, hence, can be whitelisted. Signed-off-by: Saloni Jain --- meta/recipes-support/libgcrypt/libgcrypt_1.8.7.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.7.bb b/meta/recipes

[OE-core] [poky][dunfell][PATCH v2] libgcrypt: Whitelisted CVEs

2021-02-05 Thread saloni
not directly affect libgcrypt or any specific yocto distributions, hence, can be whitelisted. Signed-off-by: Saloni Jain --- meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes

Re: [OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs

2021-02-05 Thread saloni
Hello Steve, The patches are generic to all Yocto implementations and are not reported for any particular distros. I have re-sent another patch version mentioning in detail why these CVEs can be safely whitelisted. Please review and let me know for any change. Thanks & Regards, Sa

[OE-core] [poky][dunfell][PATCH] libcroco: Added CVE-2020-12825

2021-02-05 Thread saloni
Added the CVE below: CVE-2020-12825 Link: CVE-2020-12825 [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] Link: https://gitlab.gnome.org/Archive/libcroco/-/issues/8 Signed-off-by: Saloni Jain --- .../libcroco/files/CVE-2020-12825.patch| 193

[OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs

2021-02-02 Thread saloni
/tracker/CVE-2018-12438 Signed-off-by: Saloni Jain --- meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 4e0eb0a..ba3666f 100644

Re: [OE-core] [poky][dunfell][PATCH] openssh: Added security fix for CVE-2020-14145

2021-01-20 Thread saloni
Hello Steve, Thank you for the feedback, I have fixed the comments and sent a v2 for the patch. Please review again. Regards, Saloni Jain From: Steve Sakoman Sent: Wednesday, January 20, 2021, 9:56 PM To: Saloni Jain Cc: Patches and discussions about the oe-core

[OE-core] [poky][dunfell][PATCH v2] openssh: Added and whitelisted security fixes for CVEs

2021-01-20 Thread saloni
-15778 Link: CVE-2020-15778 [https://security-tracker.debian.org/tracker/CVE-2020-15778] Link: https://bugzilla.redhat.com/show_bug.cgi?id=1860487 Signed-off-by: Saloni Jain --- .../openssh/openssh/CVE-2020-14145.patch | 88 ++ meta/recipes-connectivity/openssh

[OE-core] [poky][dunfell][PATCH] openssh: Added security fix for CVE-2020-14145

2021-01-20 Thread saloni
Added security fix for the CVE below: CVE-2020-14145 Link: https://security-tracker.debian.org/tracker/CVE-2020-14145 Link: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d Signed-off-by: Saloni Jain --- .../openssh/openssh/CVE-2020-14145.patch

[OE-core] [poky][zeus][PATCH] libpcre: Add fix for CVE-2020-14155

2020-07-30 Thread saloni
, an attacker can execute arbitrary code on the system or cause the application to crash. Tested-by: Rahul Taya Signed-off-by: Saloni Jain Please note: the CVE is already fixed in the master and dunfell branches; this is applicable to zeus only. --- .../libpcre/libpcre/CVE-2020-14155.patch | 41

[OE-core] [poky][zeus][PATCH] libpcre: Add fix for CVE-2020-14155

2020-07-30 Thread saloni
, an attacker can execute arbitrary code on the system or cause the application to crash. Upstream-Status: Pending Tested-by: Rahul Taya Signed-off-by: Saloni Jain --- .../libpcre/libpcre/CVE-2020-14155.patch | 40 ++ meta/recipes-support/libpcre/libpcre_8.43.bb

[OE-core] [poky][zeus][PATCH] libpcre: Add fix for CVE-2020-14155

2020-07-29 Thread saloni
, an attacker can execute arbitrary code on the system or cause the application to crash. Upstream-Status: Pending Tested-by: Rahul Taya Signed-off-by: Saloni Jain --- .../libpcre/libpcre/CVE-2020-14155.patch | 40 ++ meta/recipes-support/libpcre/libpcre_8.44.bb

[OE-core] [meta-oe][master][PATCH] davici: Fix codesonar warnings

2020-06-16 Thread saloni
errun. To avoid this unexpected behaviour, typecast the char type argument to unsigned char type. Upstream-Status: Pending Signed-off-by: Amitanand Chikorde mailto:amitanand.chiko...@kpit.com>> Signed-off-by: Saloni Jain --- .../files/davici_codesonar_warnings_fix.patch | 37

[OE-core] [meta-oe][sumo][PATCH] strongswan: avoid charon crash

2020-02-20 Thread Saloni Jain
) -> chunk_create_clone() -> memcpy() -> memcpy_noop(), it crashed with SIGBUS (frames 10, 9, 8). It could also be that chunk_map() has a bug which does not memmap() the full or correct areas. Upstream-Status: Pending Tested-by: Anuj Chougule Signed-off-by: Anuj Chougule Signed-off-by:

[OE-core] [meta-oe][master][PATCH] strongswan: avoid charon crash

2020-02-20 Thread Saloni Jain
) -> chunk_create_clone() -> memcpy() -> memcpy_noop(), it crashed with SIGBUS (frames 10, 9, 8). It could also be that chunk_map() has a bug which does not memmap() the full or correct areas. Upstream-Status: Pending Tested-by: Anuj Chougule Signed-off-by: Anuj Chougule Signed-off-by:

[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++ meta/recipes

[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++ 1 file changed

[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++ 1 file changed

[OE-core] [poky][master][PATCH] Added patch for CVE-2019-12900 as backport from upstream.

2020-01-20 Thread Saloni Jain
From: Sana Kazi Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++ 1 file changed, 36 insertions(+) create mode 100644 meta/recipes

Re: [OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
Hi Ross, I have added SOB details and sent another upstreaming request. For warrior and thud we can simply backport from the master release or we can additionally add the fix for both as well. Please suggest. Thanks & Regards, Saloni From: Ross Burton

[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++ 1 file changed

[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++ meta/recipes

[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++ 1 file changed

Re: [OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
Hello Khem Raj, We have tested the applicability for this patch on master as well and as per analysis it is applicable. I've sent the same patch for master branch as well in a separate mail. Thanks & Regards, Saloni From: Khem Raj Sent: Wednesday, Januar

[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++ 1 file changed

[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++ meta/recipes

[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi Added patch for CVE-2019-12900 as backport from upstream. Fixes out-of-bounds access discovered while fuzzing karchive. Tested-by: sana.k...@kpit.com Signed-off-by: Saloni Jain --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++ 1 file changed