From: Vijay Anusuri
Upstream Patch:
https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch
LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828
Signed-off-by: Vijay Anusuri
---
.../bind/bind/CVE-2023-2828.patch | 166 ++
Hi Siddharth,
CVE-2023-40303 patch for kirkstone already submitted and landed in
kirkstone-nut.
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=2d2fc8e2b0eaa20f6bf8cfc0d1acd908f3dac2ec
Thanks & Regards,
Vijay
On Wed, Sep 6, 2023 at 1:45 PM Siddharth via
From: Vijay Anusuri
A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.
Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
Reference:
Hi Steve,
Same patch I've submitted for dunfell. Please revert it, if it is failing.
Thanks & Regards,
Vijay
On Fri, Sep 15, 2023 at 8:56 PM Steve Sakoman wrote:
> On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via
> lists.openembedded.org
> wrote:
> >
> > Unfortunately this change breaks the
From: Vijay Anusuri
Upstream-commit:
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
&
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-commit:
https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f
Signed-off-by: Vijay Anusuri
---
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2023-29409.patch | 175 ++
2 files changed,
From: Vijay Anusuri
- The commit
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
- The commit
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
&
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
&
Hi Steve,
Xserver-xorg version is the same for both mickledore and kirkstone. Could
you please merge this patch to mickledore along with kirkstone.
Thanks & Regards,
Vijay
On Mon, Nov 6, 2023 at 4:51 PM Vijay Anusuri via lists.openembedded.org
wrote:
> From: Vijay Anusuri
>
> Up
>
> > On 6 Nov 2023, at 05:47, Vijay Anusuri via lists.openembedded.org
> wrote:
> >
> > From: Vijay Anusuri
> >
> > Upstream-Status: Backport
> > [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
&
Hi Steve,
Any update on this ?
Thanks & Regards,
Vijay
On Tue, Sep 26, 2023 at 10:01 AM wrote:
> From: Vijay Anusuri
>
> Artifex Ghostscript through 10.01.2 mishandles permission validation for
> pipe devices (with the %pipe% prefix or the | pipe character prefix).
>
> Reference:
>
From: Vijay Anusuri
Upstream-Status: Backport
[https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security
&
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream commits:
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
&
https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
Signed-off-by: Vijay Anusuri
---
meta/recipes-extended/cups/cups.inc |
From: Vijay Anusuri
Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664
Upstream commits:
From: Vijay Anusuri
Upstream-commit:
https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50
&
https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8
&
https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43
&
From: Vijay Anusuri
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote
code execution via crafted PostScript documents because they can switch to the
IJS device, or change the IjsServer parameter, after SAFER has been activated.
NOTE: it is a documented risk that
From: Vijay Anusuri
Upstream-Status: Backport
[https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/jammy-security
&
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
Signed-off-by: Vijay Anusuri
---
>
> On Mon, Aug 28, 2023 at 8:39 AM Vijay Anusuri via
> lists.openembedded.org
> wrote:
> >
> > From: Vijay Anusuri
> >
> > Upstream-commit:
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> >
From: Vijay Anusuri
Upstream-commit:
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
&
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-commit:
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
&
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport [import from debian
security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
Upstream commit
https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
Reference:
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175
Signed-off-by: Vijay Anusuri
---
.../libtiff/tiff/CVE-2023-41175.patch | 69
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
Signed-off-by: Vijay Anusuri
---
.../pam/libpam/CVE-2024-22365.patch | 59 +++
meta/recipes-extended/pam/libpam_1.3.1.bb |
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
Signed-off-by: Vijay Anusuri
---
.../libxml/libxml2/CVE-2021-3516.patch| 35 +++
meta/recipes-core/libxml/libxml2_2.9.10.bb| 1
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
Signed-off-by: Vijay Anusuri
---
.../flac/files/CVE-2021-0561.patch| 34 +++
meta/recipes-multimedia/flac/flac_1.3.3.bb| 1 +
2 files
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-48795
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu%2Ffocal-security
Upstream commit
From: Vijay Anusuri
import patches from ubuntu to fix
fix-authorized-principals-command
CVE-2023-48795
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
From: Vijay Anusuri
Results:
$ ptest-runner libssh
START: ptest-runner
2023-03-16T02:56
BEGIN: /usr/lib/libssh/ptest
PASS: torture_bind_config
PASS: torture_buffer
PASS: torture_bytearray
PASS: torture_callbacks
PASS: torture_channel
PASS: torture_config
PASS: torture_crypto
PASS: torture_hashes
From: Vijay Anusuri
Signed-off-by: Khem Raj
Ref:
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=9323b287ef588f41c13f3520de85eb198f6eaf83
Signed-off-by: Vijay Anusuri
---
...prototype-of-des3_encrypt-des3_decry.patch | 46 +++
From: Vijay Anusuri
Changelog:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.5
* Generate cases list dynamically in run-ptest.
* Install missing file to fix ptest failure.
Signed-off-by: Yi Zhao
Ref:
From: Vijay Anusuri
ChangeLog:
https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4
Drop CVE-2020-16135.patch
Ref:
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=4b7e4341327e867208bfc3d8ba1954af66641e60
Signed-off-by: Vijay Anusuri
From: Vijay Anusuri
Upstream-Status: Backport
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5d2da96e81c7455338302c71a291088a8396245a]
Signed-off-by: Vijay Anusuri
---
.../ghostscript/CVE-2023-46751.patch | 41 +++
.../ghostscript/ghostscript_9.55.0.bb
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-1981
CVE-2023-38469-2
CVE-2023-38470-2
CVE-2023-38471-2
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
From: Vijay Anusuri
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
From: Vijay Anusuri
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link:
From: Vijay Anusuri
Upstream-Status: Backport [import from debian
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
Upstream-Commit:
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
From: Vijay Anusuri
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
*
From: Vijay Anusuri
Updated 0012-fix-libcap-header-issue-on-some-distro.patch to resolve
patch fuzz caused by the CVE-2023-2861 patch
Upstream-Status: Backport
[https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b
&
Hi Meenali Gupta,
Already CVE-2023-48795 patch for openssh recipe has been merged to
kirkstone branch.
Please find the below links
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=df5dc8d67e67a2aebf1a552c3e22374e305270bf
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
Signed-off-by: Vijay Anusuri
---
.../openssh/openssh/CVE-2023-51385.patch | 96 +++
.../openssh/openssh_8.2p1.bb |
From: Vijay Anusuri
Backport https://sqlite.org/src/info/0e4e7a05c4204b47
Signed-off-by: Vijay Anusuri
---
.../sqlite/files/CVE-2023-7104.patch | 46 +++
meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644
From: Vijay Anusuri
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote
attacker to perform a timing side-channel
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
From: Vijay Anusuri
import patch from ubuntu to fix
CVE-2022-40090
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
From: Vijay Anusuri
The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.
(From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa)
Upstream-Status:
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-1981
CVE-2023-38469-2
CVE-2023-38470-2
CVE-2023-38471-2
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
Signed-off-by: Vijay Anusuri
---
.../bind/bind/CVE-2023-3341.patch | 175 ++
.../recipes-connectivity/bind/bind_9.11.37.bb |
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-1981
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream
From: Vijay Anusuri
Upstream-Status: Backport [import from ubuntu
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
Upstream-Commit:
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
From: Vijay Anusuri
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote
attacker to perform a timing side-channel
From: Vijay Anusuri
Fix below CVEs
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409
Signed-off-by: Vijay Anusuri
---
.../xserver-xorg/CVE-2023-6816.patch | 55 +
.../xserver-xorg/CVE-2024-0229-1.patch| 87 +++
From: Vijay Anusuri
Fix below CVEs
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409
Signed-off-by: Vijay Anusuri
---
.../xserver-xorg/CVE-2023-6816.patch | 55 +
.../xserver-xorg/CVE-2024-0229-1.patch| 87 +++
From: Vijay Anusuri
Patches to fix:
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
From: Vijay Anusuri
Patches to fix:
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
ving to the new version may have too many knock on
> effects to make sense.
> In this instance, Khem has already indicated moving to the new release
> may make sense for both kirkstone and master.
>
> >
> > Luckily the avahi
ted moving to the new release
> may make sense for both kirkstone and master.
>
> >
> > Luckily the avahi recipe is fairly untouched so this should be trivial.
> Can you both discuss and agree who is going to do this?
> Vijay can you work with Meenali to consolidate this
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-1981
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security
Upstream
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-1981
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
Signed-off-by: Vijay Anusuri
---
.../libtiff/files/CVE-2023-6228.patch | 30 +++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
Signed-off-by: Vijay Anusuri
---
.../less/less/CVE-2022-48624.patch| 41 +++
meta/recipes-extended/less/less_600.bb| 1 +
2 files
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
Signed-off-by: Vijay Anusuri
---
.../less/less/CVE-2022-48624.patch| 41 +++
meta/recipes-extended/less/less_551.bb| 1 +
2 files
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]
Signed-off-by: Vijay Anusuri
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2024-24474.patch| 44 +++
2 files
Hi Steve,
I've sent mail to cpe_diction...@nist.gov to update the information.
Now it was updated in https://nvd.nist.gov/vuln/detail/CVE-2020-36773
Thanks & Regards,
Vijay
On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman wrote:
> On Wed, Feb 7, 2024 at 8:42 PM Vijay Anus
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508
&
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
* CVE-2023-6683: not affected, introduced in v6.1.0-rc0
* CVE-2023-6693: not affected, introduced in v5.1.0-rc0
* CVE-2023-42467: not affected, introduced in v7.1.0-rc0 & v7.1.0-rc2
* CVE-2024-24474: not affected, introduced in v6.0.0-rc0
* CVE-2024-26328: not affected,
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Signed-off-by: Vijay Anusuri
---
.../python3-cryptography/CVE-2024-26130.patch | 66 +++
.../python/python3-cryptography_36.0.2.bb | 1
From: Vijay Anusuri
import patches from ubuntu to fix
CVE-2023-6277
CVE-2023-52356
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
Hi Steve,
Please ignore this patch.
Thanks & Regards,
Vijay
On Fri, Mar 29, 2024 at 4:44 PM Vijay Anusuri via lists.openembedded.org
wrote:
> From: Vijay Anusuri
>
> Upstream-Status: Backport from
>
> https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
From: Vijay Anusuri
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
Upstream commit
From: Vijay Anusuri
Upstream-Status: Backport from
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
Signed-off-by: Vijay Anusuri
---
.../tar/tar/CVE-2023-39804.patch | 64 +++
meta/recipes-extended/tar/tar_1.32.bb
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f
&
https://github.com/util-linux/util-linux/commit/27ee6446503af7ec0c2647704ca47ac4de3852ef
&
From: Vijay Anusuri
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
From: Vijay Anusuri
Upstream-Status: Backport from
https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683
Signed-off-by: Vijay Anusuri
---
meta/recipes-devtools/qemu/qemu.inc | 1
"wall: use fputs_careful()")
I have added offending commits as dependency patches. As vulnerable
code is not present, it's not affected. So, I want it to be ignored.
Thanks & Regards,
Vijay
On Sun, Mar 31, 2024 at 5:54 AM Randy MacLeod wrote:
>
>
> On Fri, Mar 29, 2024, 11:52 Vijay A
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
Reference:
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
Signed-off-by: Vijay Anusuri
---
From: Vijay Anusuri
Upstream-Status: Backport from
https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b
Signed-off-by: Vijay Anusuri
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-45288.patch | 95 +++
2
Hi Soumya,
I've already sent patch for the Kirkstone branch.
https://lists.openembedded.org/g/openembedded-core/message/198495
Thanks & Regards,
Vijay
On Fri, Apr 19, 2024 at 6:52 PM Soumya via lists.openembedded.org
wrote:
> From: Soumya Sambu
>
> An attacker may cause an HTTP/2 endpoint
From: Vijay Anusuri
Upstream-Status: Backport
[https://github.com/bluez/bluez/commit/f54299a850676d92c3dafd83e9174fcfe420ccc9
&
https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443]
Signed-off-by: Vijay Anusuri
---
meta/recipes-connectivity/bluez5/bluez5.inc | 2 +
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
Signed-off-by: Vijay Anusuri
---
.../CVE-2023-50186.patch | 70 +++
.../gstreamer1.0-plugins-bad_1.20.7.bb
From: Vijay Anusuri
import patch from ubuntu to fix
CVE-2024-32487
Upstream-Status: Backport [import from ubuntu
https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit