From: Björn Stenberg
Signed-off-by: Sona Sarmadi
---
meta/recipes-extended/bash/bash-4.2/run-ptest |2 +-
meta/recipes-extended/bash/bash.inc |1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-extended/bash/bash-4.2/run-ptest
b/meta/recipes
ptest,
to get rid of these messages.
Signed-off-by: Sona Sarmadi
---
meta/recipes-extended/bash/bash-4.2/run-ptest |2 +-
meta/recipes-extended/bash/bash.inc |1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-extended/bash/bash-4.2/run-ptest
b/meta/r
From: Björn Stenberg
The existing bzip2 tests in the upstream Makefile are copied to Makefile.am
(yocto's) and modified to adopt to the ptest format.
Signed-off-by: Björn Stenberg
Signed-off-by: Anders Roxell
Signed-off-by: Sona Sarmadi
---
.../recipes-extended/bzip2/bzip2-
Prevent out-of-bounds array access on acpi_pcihp_pci_status.
[From QEMU: fa365d7cd11185237471823a5a33d36765454e16]
Signed-off-by: Sona Sarmadi
---
...1-Back-porting-security-fix-CVE-2014-5388.patch | 30 ++
meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
2 files
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment.
CVE-2014-6277: bash: untrusted pointer use issue leading to code execution
CVE-2014-6278: bash: code execution via specially crafted environment variables
Signed-off-by: Sona Sarmadi
From: Steffen Sledz
Currently linux-firmware rebuilds for each machine due to its usage of
update-alternatives which in turn means a dependency on opkg-utils.
Marking opkg-utils as ABISAFE is the only option we have right now
to avoid this.
(From OE-Core rev: e4c4ca3101062ecc956294ac968dc488321e
From: Steffen Sledz
Currently linux-firmware rebuilds for each machine due to its usage of
update-alternatives which in turn means a dependency on opkg-utils.
Marking opkg-utils as ABISAFE is the only option we have right now
to avoid this.
(From OE-Core rev: e4c4ca3101062ecc956294ac968dc488321e
x27;s contents to determine whether or not to interpret it as a shell
function.
Signed-off-by: Sona Sarmadi
---
...r-bash-exported-function-namespace-change.patch | 158 +++
...r-bash-exported-function-namespace-change.patch | 175 +
meta/recipes-extended/bash/bash_3
From: Catalin Popeanga
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
Signed-off-by: Sona Sarmadi
---
.../bash
From: Steffen Sledz
Currently linux-firmware rebuilds for each machine due to its usage of
update-alternatives which in turn means a dependency on opkg-utils.
Marking opkg-utils as ABISAFE is the only option we have right now
to avoid this.
(From OE-Core rev: e4c4ca3101062ecc956294ac968dc488321e
From: Catalin Popeanga
Follow up bash43-026 to parse properly function definitions in the values of
environment variables, to not allow remote attackers to execute arbitrary code
or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
Signed-off-by:
From: Catalin Popeanga
This vulnerability exists because of an incomplete fix for CVE-2014-6271,
CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
Signed-off-by: Catalin Popeanga
---
.../bash/bash-3.2.48/cve-2014-6278.patch | 99 ++
From: Steffen Sledz
Currently linux-firmware rebuilds for each machine due to its usage of
update-alternatives which in turn means a dependency on opkg-utils.
Marking opkg-utils as ABISAFE is the only option we have right now
to avoid this.
(From OE-Core rev: e4c4ca3101062ecc956294ac968dc488321e
Please ignore this email, this was sent by mistake.
/Sona
> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: den 9 oktober 2014 14:25
> To:
Please ignore this email, this was sent by mistake.
/Sona
> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: den 9 oktober 2014 14:25
> To:
Please ignore this email, this was sent by mistake.
/Sona
> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: den 9 oktober 2014 14:25
> To:
Hi all,
It seems that another vulnerability is coming soon, the advice is disable
SSLv3.:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
>From Hanno Böck [ha...@hboeck.de]:
Whether it's scary or not I have an adv
.html
The advice is: Disable SSLv3.
I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we can
start to work with this immediately.
It would be good to sync the work like we did with the "shellshock" at the end
:) .
Cheers
Sona
Sona Sarmadi
Security Responsibl
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
https://www.openssl.org/~bodo/ssl-poodle.pdf
Signed-off-by: Sona Sarmadi
---
.../support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch | 499 +
.../recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 +
2 files ch
>
> Sona,
>
> Does it make more sense to update to 1.0.1j directly (I know it's late in the
> 1.7 release cycle), but given there are 3 other CVEs fixed in 'j'
> along with some other fixes. People may look more at the version that is
> part of 1.7 than the back ported fixes.
>
> Please review
3566
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.openssl.org/news/secadv_20141015.txt
Signed-off-by: Sona Sarmadi
---
.../openssl/openssl/openssl-CVE-2014-3566.patch| 502 +
.../recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 +
2 files changed, 503
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
https://www.openssl.org/news/secadv_20141015.txt
Signed-off-by: Sona Sarmadi
---
.../openssl/openssl/openssl-CVE-2014-3513.patch| 213 +
.../recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 +
2
Hi Ross
> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling
> SSLv3 didn't work"...). I think considering the situation we'd take the
> upgrade for dizzy, even though we've frozen. Anyone volunteering to take
> lead of upgrading dizzy to 1.0.1j and backporting the rele
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
https://www.openssl.org/news/secadv_20141015.txt
Signed-off-by: Sona Sarmadi
---
.../openssl/openssl/openssl-CVE-2014-3567.patch| 34 ++
.../recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 +
2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
https://www.openssl.org/news/secadv_20141015.txt
Signed-off-by: Sona Sarmadi
---
.../openssl/openssl/openssl-CVE-2014-3568.patch| 101 +
.../recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 +
2
Ross,
> > Presumably the list of affected packages is:
> > - gnutls
> > - openssl
> > - nss
>
> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling
> SSLv3 didn't work"...). I think considering the situation we'd take the
> upgrade for dizzy, even though we've frozen. A
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)
This patch is a backport from OpenSSL_1.0.1j.
Signed-off-by: Sona Sarmadi
---
.../openssl-1.0.1e/openssl-fix-CVE-2014-3566.patch | 502 +
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed
Hi Paul,
> Just to be clear, this is for the dora branch right?
>
> Cheers,
> Paul
Yes, I send the patch as below, why does not the branch name come in the
subject :( ?
git send-email --to=openembedded-core@lists.openembedded.org --confirm=always
--subject-prefix="dora][PATCH" 000*
-- Son
> > git send-email --to=openembedded-core@lists.openembedded.org
> > --confirm=always --subject-prefix="dora][PATCH" 000*
>
> Because you're sending already generated files (000*), it works only when
> you specify git revisions (e.g. -1 my_branch).
>
> Or you need to pass --subject-prefix when y
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)
This patch is a backport from OpenSSL_1.0.1j.
Signed-off-by: Sona Sarmadi
---
.../openssl-1.0.1e/openssl-fix-CVE-2014-3566.patch | 502 +
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed
Fix for SRTP Memory Leak
This patch is a backport from OpenSSL_1.0.1j.
Signed-off-by: Sona Sarmadi
---
.../openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch | 211 +
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed, 212 insertions(+)
create mode
Fix for session tickets memory leak.
This patch is a backport from OpenSSL_1.0.1j.
Signed-off-by: Sona Sarmadi
---
.../openssl-1.0.1e/openssl-fix-CVE-2014-3567.patch | 32 ++
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed, 33 insertions
Fix for no-ssl3 configuration option
This patch is a backport from OpenSSL_1.0.1j.
Signed-off-by: Sona Sarmadi
---
.../openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch | 99 ++
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed, 100 insertions
Signed-off-by: Sona Sarmadi
---
.../python/python/python2.7.3-nossl3.patch | 37 ++
meta/recipes-devtools/python/python_2.7.3.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/python2.7.3-nossl3.patch
diff --
Hi Ross,
Sure.
I forgot to make sure that python can be built when "OPENSSL_NO_SSL3" is
defined in the openssl. I will check this as well and re-send the patch.
-- Sona
On 3 December 2014 at 08:09, Sona Sarmadi
mailto:sona.sarm...@enea.com>> wrote:
Building pyth
Hi guys,
> This should be applied to master first, and then backported to any stable
> branches. Can you re-send in a form that applies to master?
>
> Ross
Python has fixed this issue in version 3.5. and backported to 2.7:
See the patch here:
https://hg.python.org/cpython/rev/f762cbb712de
> Python has fixed this issue in version 3.5. and backported to 2.7:
> See the patch here:
> https://hg.python.org/cpython/rev/f762cbb712de
>
> But this patch doesn’t apply, I have downloaded the latest 2.7.8, it is the
> Same problem there. I have sent email to the guy responsible to this patc
Hi Paul,
> I think we should apply the patch now anyway; we'll want to know that it
> works for backports to the stable branch(es), and in any case the upgrade to
> 2.7.9 is not going to be a straightforward task based upon my earlier attempt
> to upgrade to 2.7.6 (the current state of which is s
Hi all,
> > I think we should consider (start looking at upgrading to python 2.7.9
> > in master), to address this issue. I feel uncomfortable with this
> > Debian patch. It seems that we need to do more manual changes in
> > order to make this work. I will soon update the bug 7015 with my test
>
[From upstream commit: 603a0e2637b35a2da820bc807f69bcf09c682dce]
[YOCTO #7098]
External References:
===
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
Signed-off-by: Sona Sarmadi
---
.../bind/bind/bind9_9_5-CVE-2014-8500.patch| 990
support
+
+Building without SSLv3 support when openssl is built
+without any support for SSLv3
+
+Upstream-Status: Backport
+
+Reference:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=76A8611#22
+
+Signed-off-by: Sona Sarmadi
+---
+diff -ruN a/Modules/_ssl.c b/Modules/_ssl.c
+--- a/Modules/_ssl.
Maxin,
Is this related to (URL request injection CVE-2014-8150)
http://curl.haxx.se/mail/archive-2015-01/0019.html?
If yes, wouldn't it be better to mention this (the CVE) in the commit message?
//Sona
-Original Message-
From: openembedded-core-boun...@lists.openembedded.org
[mailto:o
Fixes directory traversal vulnerability in elfutils 'ar' utility
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
Signed-off-by: Sona Sarmadi
---
.../elfutils/elfutils/CVE-2014-9447.patch | 51 ++
meta/recipes-devtools/elfutils/elfu
From: Armin Kuster
CVE-2014-8484
CVE-2014-8485
CVE-2014-8501
CVE-2014-8502
CVE-2014-8503
CVE-2014-8504
CVE-2014-8737
and one supporting patch.
[Yocto # 7084]
(From OE-Core rev: 859fb4d9ec6974be9ce755e4ffefd9b199f3604c)
(From OE-Core rev: d2b2d8c9ce3ef16ab053bd19a5705b01402b76ba)
Signed-off-b
Fixes a heap buffer overflow in lib/ext2fs/openfs.c which allows
a trivial arbitrary memory write under certain conditions.
References
http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
http://www.ocert.org/advisories/ocert-2015-002.html
Signed-off-by: Sona Sarmadi
Hi,
The OpenSSL Project will repair a "high severity" security hole in updates due
Thursday (19th March), is it possible to include this as well?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Forthcoming OpenSSL releases
The OpenSSL project team would lik
uffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
---
References:
http://bugs.python.org/issue21831
http://seclists.org/oss-sec/2014/q3/638
https://hg.python.org/cpython/diff/8d963c7db507/Objects/bufferobject.c
Signed-off-by: Sona Sarmadi
---
.../python/python/python-2.7.3-CVE-
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions,
branches, fixed versions/branches etc ... we need either to file a bug in
bugzilla for each publically disclosed CVE or have a simple data base. Today,
we sometimes file a bug but most of the time vulnerabilities
Trying with correct email address :)
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions,
branches, fixed versions/branches etc ... we need either to file a bug in
bugzilla for each publically disclosed CVE or have a simple data base. Today,
we sometimes file a bu
Hi
> SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG
> 'sha256' then ensure that your Packages file contains a 'SHA256sum: ...' line
> for each package.
Does anyone know where do I specify this PACKAGECONFIG configuration? I want
all ipk packages to be checksummed using sha256 (
> I'm guessing you would want something like this in your custom distro config
> (or local.conf if you must):
>
> PACKAGECONFIG_append_pn-opkg = " sha256"
> PACKAGECONFIG_append_pn-opkg-native = " sha256"
Thanks Paul, it looks like this should be the configuration but I have tried
this and didn
> > I'm guessing you would want something like this in your custom distro
> > config (or local.conf if you must):
> >
> > PACKAGECONFIG_append_pn-opkg = " sha256"
> > PACKAGECONFIG_append_pn-opkg-native = " sha256"
>
Thanks a lot guys for your help, this is now working :)
There is support for sha
> >> Do you think this patch would be of interest for someone?
> >
> > Yes but it would be good to make it choosable at distro level.
Opkg has support for 'sha256' but opkg-utils only supports md5.
We could pass the sha256 option to opkg-utils (like other parameters such as
Maintainer),
and mak
Hi Lei, all,
> --- a/meta/classes/spdx.bbclass
> +++ b/meta/classes/spdx.bbclass
> @@ -1,12 +1,9 @@
> # This class integrates real-time license scanning, generation of SPDX
> standard # output and verifiying license info during the building process.
> -# It is a combination of efforts from the O
-by: Sona Sarmadi
---
meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb}
(78%)
diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.
-by: Sona Sarmadi
---
meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb}
(78%)
diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.
.
Cheers
//Sona
> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On
> Behalf Of Sona Sarmadi
> Sent: den 10 januari 2017 12:11
> To: openembedded-core@lists.openembedded.org
> Subj
> On 01/10/2017 03:10 AM, Sona Sarmadi wrote:
> > Upgrade libxtst from 1.2.2 to 1.2.3 to address:
> What else changed in this update?
> - armin
Hi Armin,
I believe the only changes between 1.2.2 and 1.2.3 is one commit
" Remove fallback for _XEatDataWords, require libX11 1
vanilla Expat 2.1.1, addressing:
* CVE-2012-6702 -- unanticipated internal calls to srand
* CVE-2016-5300 -- use of too little entropy
Signed-off-by: Sona Sarmadi
---
.../expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch | 123 +
meta/recipes-core/expat/expat_2.1.0.bb
.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 ++
2 files changed, 62 insertions(+)
create mode 100644
meta
.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 ++
2 files changed, 62 insertions(+)
create mode 100644
meta
?name=CVE-2016-7948
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
Upstream patch for both CVEs:
https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
Signed-off-by: Sona Sarmadi
---
.../libxrandr/CVE-2016-7947_CVE-2016-7948.patch
://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 +
2 files changed, 70 insertions(+)
create mode
-announce/2016-October/002720.html
Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
meta/recipes-graphics/xorg-lib/libx11_1.6.3
-announce/2016-October/002720.html
Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
meta/recipes-graphics/xorg-lib/libx11_1.6.3
://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
Signed-off-by: Sona Sarmadi
---
.../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 +
2 files changed, 70 insertions(+)
create mode
Hi all,
Does anyone know if there is an issue with cve-check tool on master branch?
It seems that "cve-check-update -d" fails, does anyone know why?
poky/build-cve-check$ bitbake -k -c cve_check universe
WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Error in executing
cve-check
Hi Alexandru,
Shouldn't CVE-2017-3731 in the patch files have CVE: tag?
i.e. CVE-2017-3731 in 0001-CVE-2017-3731.patch & 0002-CVE-2017-3731.patch
should be:
CVE: CVE-2017-3731
You have this tag in the meta patch, we add this normally inside the patch.
> * CVE: CVE-2017-3731
>
> Upstream-
>> I am just curious if this is ok, or should we always put the CVE: tag inside
>> the patch?
> The tag should always be in the patch file.
>
> Ross
So I guess this needs to be fixed:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=morty&id=8ba5b9eae34bbab537954ccee1726c7ee7a82750
//S
Hi Fan,
dizzy branch has Openssl version 1.0.1p now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy
How can this patch be applied to dizzy branch?
You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
CVE-2015-3193 d
/cvename.cgi?name=CVE-2015-3195
Signed-off-by: Sona Sarmadi
---
.../CVE-2015-3194-Add-PSS-parameter-check.patch| 35 +
...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 ++
.../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
3 files changed, 96 insertions
=glibc.git;a=commit;
h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
...5-1472-wscanf-allocates-too-little-memory.patch | 108 +
meta/recipes-core/glibc/glibc_2.20.bb | 1 +
2 files changed, 109 insertions
?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697
Signed-off-by: Tudor Florea
Signed-off-by: Sona Sarmadi
---
.../unzip/unzip/CVE-2015-7696.patch| 38 ++
.../unzip/unzip/CVE-2015-7697.patch| 31
: Sona Sarmadi
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8035.patch | 35 ++
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
diff --git a/meta/recipes-core
Fixes heap-based buffer overflow in xmlParseConditionalSections().
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
Fixes heap-based buffer overflow flaw in grep.
Affected versions are: grep 2.19 through 2.21
Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
Signed-off-by: Sona Sarmadi
---
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch| 129
Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=
ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
Signed-off-by: Tudor Florea
Signed-off-by: Sona Sarmadi
---
meta/recipes-core/libxml/libxml2.inc
d-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: den 14 december 2015 11:25
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
/cvename.cgi?name=CVE-2015-3195
Upstream patches:
CVE-2015-3194:
https://git.openssl.org/?p=openssl.git;a=commit;h=
d8541d7e9e63bf5f343af24644046c8d96498c17
CVE-2015-3195:
https://git.openssl.org/?p=openssl.git;a=commit;h=
b29ffa392e839d05171206523e84909146f7a77c
Signed-off-by: Sona Sarmadi
---
.../CVE
Hi Mariano, all,
See my comments regarding "Bug 8119 - Define a format to mark Upstream CVE
patches" below.
> There is an initiative to track vulnerable software being built (see bugs 8119
> and 7515). The idea is to have a testing tool that would check the recipe
> versions against CVEs. In or
]
References:
http://www.openwall.com/lists/oss-security/2015/12/15/14
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://bugzilla.redhat.com/attachment.cgi?id=1105581
Signed-off-by: Sona Sarmadi
---
.../bind/bind/CVE-2015-8000.patch | 194 +
meta
Hi Philip, all,
I am going to attend FOSDEM 2016, I am glad if I can help. I don't have
anything for demo, but perhaps we can mention security updates/backport. I
thinks some people might be interested in knowing that we continually backport
security fixes :)
//Sona
> -Original Message---
09/3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3710
Signed-off-by: Sona Sarmadi
---
.../recipes-devtools/qemu/qemu/CVE-2016-3710.patch | 111 +
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta/recipes-dev
|the \h or \H and \s escape sequences, respectively.
|
|Patch (apply with `patch -p0')
|
|CVE: CVE-2016-0634
|Upstream-Status: Backport
|Signed-off-by: Sona Sarmadi
|
|*** ../bash-4.3-patched/parse.y2015-08-13 15:11:54.0 -0400
|--- parse.y2016-03-07 15:44:14.0 -0500
-
Thanks Ross,
I guess you mean striplevel? Right? It didn’t work with stripnum but it worked
with striplevel:
file://CVE-2016-0634.patch;striplevel=0 \
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 10 oktober 2016 13:26
To: Sona Sarmadi
Cc: Armin Kuster (akuster
References to upstream patch:
https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047
http://openwall.com/lists/oss-security/2016/09/16/8
Signed-off-by: Sona Sarmadi
---
.../recipes-extended/bash/bash/CVE-2016-0634.patch | 136 +
meta/recipes-extended/bash/bash_4.3.30
CVE-2016-7406
CVE-2016-7407
CVE-2016-7408
CVE-2016-7409
Reference:
https://matt.ucc.asn.au/dropbear/CHANGES
[YOCTO #10443]
Signed-off-by: Sona Sarmadi
---
meta/recipes-core/dropbear/dropbear.inc|4 +
.../dropbear/dropbear/CVE-2016-7406.patch | 104 +
.../dropbear
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0
[mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf Of Sona
Sarmadi
Sent: den 8 november 2016 11:42
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
The upgrade addresses following CVEs:
CVE-2016-8615: cookie injection for other serv
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
e.patch is needed
for CVE-2016-8625]
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 70 +++
meta/recipes-support/curl/curl/CVE-2016-8616.patch | 50 ++
meta/recipes-support/curl/cur
invalid URL parsing with '#'
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8624.patch | 51 ++
meta/recipes-support/curl/curl
OOB write via unchecked multiplication
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102C.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8617.patch | 28 ++
meta/recipes-support/curl
URL unescape heap overflow via integer truncation
Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 ++
meta/recipes-support
double-free in krb5 code
Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8619.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
double-free in curl_maprintf
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8618.patch | 52 ++
meta/recipes-support/curl/curl_7.47.1.bb
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 ++
meta/recipes-support/curl/curl_7.47.1
IDNA 2003 makes curl use wrong host
Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
meta/recipes-support/curl
curl_getdate read out of bounds
Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html
Signed-off-by: Sona Sarmadi
---
meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 +
meta/recipes-support/curl/curl_7.47.1
1 - 100 of 157 matches
Mail list logo