[OE-core][dunfell][PATCH] bind: Backport fix for CVE-2023-2828

2023-09-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream Patch: https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828 Signed-off-by: Vijay Anusuri --- .../bind/bind/CVE-2023-2828.patch | 166 ++

Re: [OE-core][kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303

2023-09-06 Thread Vijay Anusuri via lists.openembedded.org
Hi Siddharth, CVE-2023-40303 patch for kirkstone already submitted and landed in kirkstone-nut. https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=2d2fc8e2b0eaa20f6bf8cfc0d1acd908f3dac2ec Thanks & Regards, Vijay On Wed, Sep 6, 2023 at 1:45 PM Siddharth via

[OE-core][dunfell][PATCH] qemu: Backport fix for CVE-2023-0330

2023-09-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com Reference:

Re: [OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330

2023-09-17 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve, Same patch I've submitted for dunfell. Please revert it, if it is failing. Thanks & Regards, Vijay On Fri, Sep 15, 2023 at 8:56 PM Steve Sakoman wrote: > On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via > lists.openembedded.org > wrote: > > > > Unfortunately this change breaks the

[OE-core][kirkstone][PATCH] inetutils: Fix CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 & https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2023-29409

2023-08-31 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f Signed-off-by: Vijay Anusuri --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2023-29409.patch | 175 ++ 2 files changed,

[OE-core][dunfell][PATCH] tiff: CVE patch correction for CVE-2023-3576

2023-10-30 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576 - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576

[OE-core][dunfell][PATCH v2] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

2023-11-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] Signed-off-by: Vijay Anusuri ---

[OE-core][mickledore][kirkstone][PATCH v2] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

2023-11-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] Signed-off-by: Vijay Anusuri ---

[OE-core][kirkstone][PATCH] tiff: CVE patch correction for CVE-2023-3576

2023-10-30 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576 - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576

[OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 &

[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 &

Re: [OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve, Xserver-xorg version is the same for both mickledore and kirkstone. Could you please merge this patch to mickledore along with kirkstone. Thanks & Regards, Vijay On Mon, Nov 6, 2023 at 4:51 PM Vijay Anusuri via lists.openembedded.org wrote: > From: Vijay Anusuri > > Up

Re: [OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
> > > On 6 Nov 2023, at 05:47, Vijay Anusuri via lists.openembedded.org > wrote: > > > > From: Vijay Anusuri > > > > Upstream-Status: Backport > > [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a

[OE-core][master][PATCH] xserver-xorg: Fix for CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f &

Re: [OE-core][dunfell][PATCH] ghostscript: fix CVE-2023-36664

2023-09-29 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve, Any update on this? Thanks & Regards, Vijay On Tue, Sep 26, 2023 at 10:01 AM wrote: > From: Vijay Anusuri > > Artifex Ghostscript through 10.01.2 mishandles permission validation for > pipe devices (with the %pipe% prefix or the | pipe character prefix). > > Reference: >

[OE-core][dunfell][PATCH] gawk: backport Debian patch to fix CVE-2023-4156

2023-10-03 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504

2023-10-02 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream commits: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 & https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Signed-off-by: Vijay Anusuri --- meta/recipes-extended/cups/cups.inc |

[OE-core][dunfell][PATCH] ghostscript: fix CVE-2023-36664

2023-09-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream commits:

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2022-41725 and CVE-2023-24536

2023-09-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50 & https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8 & https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 &

[OE-core][dunfell][PATCH] ghostscript: Backport fix CVE-2023-43115

2023-10-08 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that

[OE-core][kirkstone][PATCH] gawk: backport Debian patch to fix CVE-2023-4156

2023-10-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/jammy-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] Signed-off-by: Vijay Anusuri ---

Re: [OE-core][kirkstone][PATCH] inetutils: Fix CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
> > On Mon, Aug 28, 2023 at 8:39 AM Vijay Anusuri via > lists.openembedded.org > wrote: > > > > From: Vijay Anusuri > > > > Upstream-commit: > https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 > >

[OE-core][kirkstone][PATCH v2] inetutils: Backport fix for CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 & https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH] inetutils: Backport fix for CVE-2023-40303

2023-08-29 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-commit: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 & https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH] tiff: backport Debian patch to fix CVE-2023-41175

2023-11-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] Reference:

[OE-core][kirkstone][PATCH] tiff: Backport fix for CVE-2023-41175

2023-11-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175 Signed-off-by: Vijay Anusuri --- .../libtiff/tiff/CVE-2023-41175.patch | 69

[OE-core][dunfell][PATCH] pam: Fix for CVE-2024-22365

2024-01-23 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb Signed-off-by: Vijay Anusuri --- .../pam/libpam/CVE-2024-22365.patch | 59 +++ meta/recipes-extended/pam/libpam_1.3.1.bb |

[OE-core][dunfell][PATCH] libxml2: Backport fix for CVE-2021-3516

2023-12-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539] Signed-off-by: Vijay Anusuri --- .../libxml/libxml2/CVE-2021-3516.patch| 35 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1

[OE-core][dunfell][PATCH] flac: Backport fix for CVE-2021-0561

2023-12-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be] Signed-off-by: Vijay Anusuri --- .../flac/files/CVE-2021-0561.patch| 34 +++ meta/recipes-multimedia/flac/flac_1.3.3.bb| 1 + 2 files

[OE-core][dunfell][PATCH] openssh: backport Debian patch for CVE-2023-48795

2023-12-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-48795 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu%2Ffocal-security Upstream commit

[OE-core][kirkstone][PATCH] openssh: backport Debian patch for CVE-2023-48795

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix fix-authorized-principals-command CVE-2023-48795 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu/jammy-security Upstream commit

[OE-core][kirkstone][PATCH 2/4] libssh: add ptest

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Results: $ ptest-runner libssh START: ptest-runner 2023-03-16T02:56 BEGIN: /usr/lib/libssh/ptest PASS: torture_bind_config PASS: torture_buffer PASS: torture_bytearray PASS: torture_callbacks PASS: torture_channel PASS: torture_config PASS: torture_crypto PASS: torture_hashes

[OE-core][kirkstone][PATCH 3/4] libssh: Fix build with clang16

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Signed-off-by: Khem Raj Ref: https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=9323b287ef588f41c13f3520de85eb198f6eaf83 Signed-off-by: Vijay Anusuri --- ...prototype-of-des3_encrypt-des3_decry.patch | 46 +++

[OE-core][kirkstone][PATCH 4/4] libssh: upgrade 0.10.4 -> 0.10.5

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Changelog: https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.5 * Generate cases list dynamically in run-ptest. * Install missing file to fix ptest failure. Signed-off-by: Yi Zhao Ref:

[OE-core][kirkstone][PATCH 1/4] libssh: upgrade 0.8.9 -> 0.10.4

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri ChangeLog: https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4 Drop CVE-2020-16135.patch Ref: https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=4b7e4341327e867208bfc3d8ba1954af66641e60 Signed-off-by: Vijay Anusuri

[OE-core][kirkstone][PATCH] ghostscript: Backport fix for CVE-2023-46751

2023-12-12 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5d2da96e81c7455338302c71a291088a8396245a] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2023-46751.patch | 41 +++ .../ghostscript/ghostscript_9.55.0.bb

[OE-core][master][PATCH] avahi: backport CVE-2023-1981 & CVE's follow-up patches

2023-12-12 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469-2 CVE-2023-38470-2 CVE-2023-38471-2 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security Upstream commit

[OE-core][dunfell][PATCH] go: Fix CVE-2023-39326

2023-12-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount

[OE-core][dunfell][PATCH] qemu: Fix CVE-2023-5088

2023-12-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This change is to fix CVE-2023-5088. Link:

[OE-core][kirkstone][PATCH] gnutls: Backport fix for CVE-2023-5981

2023-12-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [import from debian https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

2024-01-04 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd & https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH v2] go: Backport fix for CVE-2023-45287

2024-01-04 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255 & https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 & https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807 &

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2023-45287

2024-01-03 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255 & https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 & https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807 &

[OE-core][dunfell][PATCH] libxml2: Fix for CVE-2023-45322

2024-01-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Backport patch for gitlab issue mentioned in NVD CVE report. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz. *

[OE-core][dunfell][PATCH] qemu: Backport fix for CVE-2023-2861

2024-01-15 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Updated 0012-fix-libcap-header-issue-on-some-distro.patch to resolve patch fuzz caused by the CVE-2023-2861 patch Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b &

Re: [oe-core][kirkstone][PATCH 1/1] openssh: fix CVE-2023-48795

2024-01-17 Thread Vijay Anusuri via lists.openembedded.org
Hi Meenali Gupta, Already CVE-2023-48795 patch for openssh recipe has been merged to kirkstone branch. Please find the below links https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=df5dc8d67e67a2aebf1a552c3e22374e305270bf

[OE-core][dunfell][PATCH] openssh: Backport fix for CVE-2023-51385

2024-01-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a] Signed-off-by: Vijay Anusuri --- .../openssh/openssh/CVE-2023-51385.patch | 96 +++ .../openssh/openssh_8.2p1.bb |

[OE-core][dunfell][PATCH] sqlite3: Backport fix for CVE-2023-7104

2024-01-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Backport https://sqlite.org/src/info/0e4e7a05c4204b47 Signed-off-by: Vijay Anusuri --- .../sqlite/files/CVE-2023-7104.patch | 46 +++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644

[OE-core][kirkstone][PATCH] gnutls: Fix for CVE-2024-0553 and CVE-2024-0567

2024-01-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri CVE-2024-0553 A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel

[OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

2024-01-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd & https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH v3] go: Backport fix for CVE-2023-45287

2024-01-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255 & https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 & https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807 &

[OE-core][dunfell][PATCH] tiff: backport Debian patch to fix CVE-2022-40090

2023-11-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patch from ubuntu to fix CVE-2022-40090 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security Upstream commit

[OE-core][dunfell][PATCH] shadow: backport patch to fix CVE-2023-29383

2023-11-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri The fix of CVE-2023-29383.patch contains a bug that it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it. (From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa) Upstream-Status:

[OE-core][kirkstone][PATCH] avahi: backport CVE-2023-1981 & CVE's follow-up patches

2023-12-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469-2 CVE-2023-38470-2 CVE-2023-38471-2 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security Upstream commit

[OE-core][dunfell][PATCH] bind: Backport fix for CVE-2023-3341

2023-11-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71] Signed-off-by: Vijay Anusuri --- .../bind/bind/CVE-2023-3341.patch | 175 ++ .../recipes-connectivity/bind/bind_9.11.37.bb |

[OE-core][nanbield][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-27 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security Upstream

[OE-core][dunfell][PATCH] gnutls: Backport fix for CVE-2023-5981

2024-01-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

[OE-core][dunfell][PATCH] gnutls: Backport fix for CVE-2024-0553

2024-01-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri CVE-2024-0553 A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel

[OE-core][dunfell][PATCH] xserver-xorg: Multiple CVE fixes

2024-01-24 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Fix below CVE's CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2023-6816.patch | 55 + .../xserver-xorg/CVE-2024-0229-1.patch| 87 +++

[OE-core][kirkstone][PATCH] xserver-xorg: Multiple CVE fixes

2024-01-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Fix below CVE's CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2023-6816.patch | 55 + .../xserver-xorg/CVE-2024-0229-1.patch| 87 +++

[OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-15 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Patches to fix: CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf &

[OE-core][master][PATCH] avahi: Fix for multiple CVE's

2023-11-20 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Patches to fix: CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf &

Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-20 Thread Vijay Anusuri via lists.openembedded.org
ving to the new version may have too many knock on > effects to make sense. > In this instance, Khem has already indicated moving to the new release > may make sense for both kirkstone and master. > > > > > Luckily the avahi

Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-16 Thread Vijay Anusuri via lists.openembedded.org
ted moving to the new release > may make sense for both kirkstone and master. > > > > > Luckily the avahi recipe is fairly untouched so this should be trivial. > Can you both discuss and agree who is going to do this? > Vijay can you work with Meenali to consolidate this

[OE-core][dunfell][PATCH] libx11: backport Debian patches to fix CVE-2023-43785 CVE-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security Upstream commit

[OE-core][dunfell][PATCH v2] libx11: backport Debian patches to fix CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security Upstream commit

[OE-core][dunfell][PATCH v3] libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security Upstream commit

[OE-core][dunfell][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security Upstream

[OE-core][mickledore][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security Upstream

[OE-core][dunfell][PATCH] libtiff: Fix for CVE-2023-6228

2024-01-16 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] Signed-off-by: Vijay Anusuri --- .../libtiff/files/CVE-2023-6228.patch | 30 +++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +

[OE-core][kirkstone][PATCH] less: Fix for CVE-2022-48624

2024-02-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144] Signed-off-by: Vijay Anusuri --- .../less/less/CVE-2022-48624.patch| 41 +++ meta/recipes-extended/less/less_600.bb| 1 + 2 files

[OE-core][dunfell][PATCH] less: Fix for CVE-2022-48624

2024-02-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144] Signed-off-by: Vijay Anusuri --- .../less/less/CVE-2022-48624.patch| 41 +++ meta/recipes-extended/less/less_551.bb| 1 + 2 files

[OE-core][kirkstone][PATCH] qemu: Fix for CVE-2024-24474

2024-02-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52] Signed-off-by: Vijay Anusuri --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-24474.patch| 44 +++ 2 files

Re: [OE-core][kirkstone][PATCH] ghostscript: ignore CVE-2020-36773

2024-03-03 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve, I've sent mail to cpe_diction...@nist.gov to update the information. Now it was updated in https://nvd.nist.gov/vuln/detail/CVE-2020-36773 Thanks & Regards, Vijay On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman wrote: > On Wed, Feb 7, 2024 at 8:42 PM Vijay Anus

[OE-core][dunfell][PATCH] libxml2: Backport fix for CVE-2024-25062

2024-03-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 & https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7] Signed-off-by: Vijay Anusuri ---

[OE-core][dunfell][PATCH] qemu: Ignore multiple CVEs

2024-03-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri * CVE-2023-6683: not affected, introduced in v6.1.0-rc0 * CVE-2023-6693: not affected, introduced in v5.1.0-rc0 * CVE-2023-42467: not affected, introduced in v7.1.0-rc0 & v7.1.0-rc2 * CVE-2024-24474: not affected, introduced in v6.0.0-rc0 * CVE-2024-26328: not affected,

[OE-core][kirkstone][PATCH] python3-cryptography: Backport fix for CVE-2024-26130

2024-03-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 Signed-off-by: Vijay Anusuri --- .../python3-cryptography/CVE-2024-26130.patch | 66 +++ .../python/python3-cryptography_36.0.2.bb | 1

[OE-core][dunfell][PATCH] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356

2024-03-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-6277 CVE-2023-52356 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit

[OE-core][dunfell][PATCH] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 & https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 & https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]

Re: [OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-29 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve, Please ignore this patch. Thanks & Regards, Vijay On Fri, Mar 29, 2024 at 4:44 PM Vijay Anusuri via lists.openembedded.org wrote: > From: Vijay Anusuri > > Upstream-Status: Backport from > > https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d

[OE-core][dunfell][PATCH v2] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 & https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 & https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]

[OE-core][kirkstone][PATCH] curl: backport Debian patch for CVE-2024-2398

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-2398 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security Upstream commit

[OE-core][dunfell][PATCH] tar: Fix for CVE-2023-39804

2024-03-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 Signed-off-by: Vijay Anusuri --- .../tar/tar/CVE-2023-39804.patch | 64 +++ meta/recipes-extended/tar/tar_1.32.bb

[OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-29 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f & https://github.com/util-linux/util-linux/commit/27ee6446503af7ec0c2647704ca47ac4de3852ef &

[OE-core][dunfell][PATCH] curl: backport Debian patch for CVE-2024-2398

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-2398 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit

[OE-core][kirkstone][PATCH] qemu: Fix for CVE-2023-6683

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683 Signed-off-by: Vijay Anusuri --- meta/recipes-devtools/qemu/qemu.inc | 1

Re: [OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-31 Thread Vijay Anusuri via lists.openembedded.org
"wall: use fputs_careful()") I have added offending commits as dependency patches. As vulnerable code is not present, it's not affected. So, I want it to be ignored. Thanks & Regards, Vijay On Sun, Mar 31, 2024 at 5:54 AM Randy MacLeod wrote: > > > On Fri, Mar 29, 2024, 11:52 Vijay A

[OE-core][dunfell][PATCH] ncurses: Backport fix for CVE-2023-50495

2024-04-02 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc Reference: https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz Signed-off-by: Vijay Anusuri ---

[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081

2024-04-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee Signed-off-by: Vijay Anusuri ---

[OE-core][kirkstone][PATCH] go: Fix for CVE-2023-45288

2024-04-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport from https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Signed-off-by: Vijay Anusuri --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2023-45288.patch | 95 +++ 2

Re: [OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-45288

2024-04-19 Thread Vijay Anusuri via lists.openembedded.org
Hi Soumya, I've already sent patch for the Kirkstone branch. https://lists.openembedded.org/g/openembedded-core/message/198495 Thanks & Regards, Vijay On Fri, Apr 19, 2024 at 6:52 PM Soumya via lists.openembedded.org wrote: > From: Soumya Sambu > > An attacker may cause an HTTP/2 endpoint

[OE-core][kirkstone][PATCH] bluez5: Fix CVE-2023-27349 CVE-2023-50229 & CVE-2023-50230

2024-05-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://github.com/bluez/bluez/commit/f54299a850676d92c3dafd83e9174fcfe420ccc9 & https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443] Signed-off-by: Vijay Anusuri --- meta/recipes-connectivity/bluez5/bluez5.inc | 2 +

[OE-core][kirkstone][PATCH] gstreamer1.0-plugins-bad: fix CVE-2023-50186

2024-05-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5] Signed-off-by: Vijay Anusuri --- .../CVE-2023-50186.patch | 70 +++ .../gstreamer1.0-plugins-bad_1.20.7.bb

[OE-core][kirkstone][PATCH] less: backport Debian patch for CVE-2024-32487

2024-05-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-32487 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches?h=ubuntu/jammy-security Upstream commit