From: Lee Chee Yang
Signed-off-by: Lee Chee Yang
---
.../libsolv/files/CVE-2021-3200.patch | 67 +++
.../libsolv/libsolv_0.7.10.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
diff
This release includes security fixes.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966
This release includes security fixes.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
-
All,
The triage team is starting to try and collect up and classify bugs which a
newcomer to the project would be able to work on in a way which means people
can find them. They're being listed on the triage page under the appropriate
heading:
https://wiki.yoctoproject.org/wiki/Bug_Triage#Newc
The following changes since commit 9ae339ace9274be71bfd3b5e5da64dceac9fa963:
kernel-devsrc: fix 32bit ARM devsrc builds (2021-07-20 06:36:58 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-next
http://cgit.openembedded.org
To provide more context, these are the ALTERNATIVE variables in the recipe
around ALTERNATIVE_LINK_NAME[sh]
ALTERNATIVE:${PN} = "bash sh"
ALTERNATIVE_LINK_NAME[bash] = "${base_bindir}/bash"
ALTERNATIVE_TARGET[bash] = "${base_bindir}/bash"
ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh"
ALTERNATIV
colleague asks about the state of ntpsec (https://www.ntpsec.org/)
on OE/YP, a quick search does not show official support of any kind,
any pointers?
rday
Hello,
I've added bash recipe (version 5.1.8) to a target but it does not seem to
produce the /bin/sh link. I've checked that the recipe is supposed to provide
the following link
ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh"
Is that by itself sufficient to produce the link? If so, it does no
A separate u-boot-extlinux package is created for the extlinux.conf file
so that it can be installed on its own if needed. If this package is
populated, it is added as a dependency of the main u-boot package so
that installing just u-boot still results in the extlinux.conf file
being present in the
This CVE is fixed in the upstream glibc-2.31 branch, and dunfell already
includes an update to this version in commit e1e89ff7d75c3d22 ("glibc:
update to lastest 2.31 release HEAD")
Signed-off-by: Ralph Siemsen
---
meta/recipes-core/glibc/glibc_2.31.bb | 10 ++
1 file changed, 10 inserti
On Mon, Aug 9, 2021 at 8:37 AM Ralph Siemsen wrote:
>
> On Sun, Aug 08, 2021 at 04:33:59AM -1000, Steve Sakoman wrote:
> >Branch: dunfell
> >
> >New this week: 3 CVEs
> >CVE-2021-28966: ruby:ruby-native
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28966 *
> >CVE-2021-31810: ruby:r
On Sun, Aug 08, 2021 at 04:33:59AM -1000, Steve Sakoman wrote:
Branch: dunfell
New this week: 3 CVEs
CVE-2021-28966: ruby:ruby-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28966 *
CVE-2021-31810: ruby:ruby-native
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-318
This version of the patch is still throwing warnings on the autobuilder:
stdio: WARNING: lighttpd-1.4.55-r0 do_patch: Fuzz detected:
stdio: WARNING: lighttpd-1.4.55-r0 do_patch: QA Issue: Patch log
indicates that patches do not apply cleanly. [patch-fuzz]
Steve
On Sun, Aug 8, 2021 at 9:20 PM Pur
On Tue, 3 Aug 2021 at 05:41, Zhang, Qiang wrote:
> The timeout for threading.Lock, threading.Condition, etc, is not using
> a monotonic clock, it is affected if the system time (realtime clock)
> is set.
>
> This patch will make condvar use monotonic clock.
> Reference: https://bugs.python.org/issue
On 8/9/21 7:39 AM, Tony Battersby wrote:
On 8/6/21 10:19 PM, Khem Raj wrote:
I am seeing a bunch of failures on meta-oe and meta-atmel
https://errors.yoctoproject.org/Errors/Details/600064/
https://errors.yoctoproject.org/Errors/Details/600065/
https://errors.yoctoproject.org/Errors/Details/600
This patch has now been submitted to parted-devel.
Signed-off-by: Ross Burton
---
meta/recipes-extended/parted/files/check-vfat.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/parted/files/check-vfat.patch
b/meta/recipes-extended/parted/files/chec
This patch doesn't appear to be needed anymore, so drop it.
Signed-off-by: Ross Burton
---
...ize-link-against-libuuid-explicitly-.patch | 34 ---
meta/recipes-extended/parted/parted_3.4.bb| 1 -
2 files changed, 35 deletions(-)
delete mode 100644
meta/recipes-extended/par
On Mon, Aug 2, 2021 at 6:41 PM Zhang, Qiang wrote:
>
> From: Zqiang
>
> The timeout for threading.Lock, threading.Condition, etc, is not using
> a monotonic clock, it is affected if the system time (realtime clock)
> is set.
>
> This patch will make condvar use monotonic clock.
> Reference: https:/
e2fsprogs calls filesystems larger than 3MB but smaller than 512MB
"small", which has some implications:
- blocksize 1024 instead of 4096
- inode_ratio 4096 instead of 16384
- inode_size 128 instead of 256
The outcome of the inode size dropping to 128 bytes is that they cannot
store 64-bit timest
This reverts part of oe-core eecbe62555, which was a previous attempt
to solve the Y2038 problem. This is now solved centrally in e2fsprogs,
so doesn't need to be dealt with in wic.
We don't revert the commit entirely, to retain the warning if a
filesystem has small inodes.
Signed-off-by: Ross B
From: Alexander Kanavin
fix CVE-2021-3580
(From OE-Core rev: 219c89310264f99c2c43bb80e437a8a1e8e3217a)
Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie
Signed-off-by: Changqing Li
Signed-off-by: Anuj Mittal
---
.../recipes-support/nettle/{nettle_3.7.2.bb => nettle_3.7.3.bb} |
From: Lee Chee Yang
(cherry picked from commit 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)
Signed-off-by: Lee Chee Yang
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-352
From: Ross Burton
Fix a slew of CVEs (CVE-2021-3544, CVE-2021-3545, CVE-2021-3546) by
backporting the relevant patches from qemu's git.
(From OE-Core rev: ce850a5ce84f949d3114024c89ae3dd98fcbef41)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit ce850a5ce84f
From: Joe Slater
Backport patch, which should be in next release (2.37.2).
Signed-off-by: Joe Slater
Signed-off-by: Anuj Mittal
---
meta/recipes-core/util-linux/util-linux.inc | 1 +
.../util-linux/CVE-2021-37600.patch | 38 +++
2 files changed, 39 insertions(+)
From: Mingli Yu
Backport patches to fix below CVEs:
CVE-2021-22901
CVE-2021-22924
CVE-2021-22926
Signed-off-by: Mingli Yu
Signed-off-by: Anuj Mittal
---
.../curl/curl/CVE-2021-22901.patch| 453 ++
.../curl/curl/CVE-2021-22924.patch| 298
..
From: Mingli Yu
CVE-2021-22925
Reported-by: Red Hat Product Security
Bug: https://curl.se/docs/CVE-2021-22925.html
Signed-off-by: Mingli Yu
Signed-off-by: Anuj Mittal
---
.../curl/curl/CVE-2021-22925.patch| 50 +++
meta/recipes-support/curl/curl_7.75.0.bb |
From: Michael Opdenacker
Signed-off-by: Michael Opdenacker
Signed-off-by: Richard Purdie
(cherry picked from commit 8aa613480663e11ecc62278d8c57ca719eb23899)
Signed-off-by: Anuj Mittal
---
meta/classes/cve-check.bbclass | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --gi
From: Michael Opdenacker
The old URL schema
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-ID
now redirects to
https://nvd.nist.gov/vuln/detail/CVE-ID
Signed-off-by: Michael Opdenacker
Signed-off-by: Richard Purdie
(cherry picked from commit 57adb57a9d9b08c08ab606ec7b561792e4f4ff2d)
Sign
From: Michael Opdenacker
This implements various fixes in comments in cve-check.bbclass
In particular, the "whitlisted" typo is important as the "whitelisted"
word is going to be replaced in a near future.
Signed-off-by: Michael Opdenacker
Signed-off-by: Richard Purdie
(cherry picked from comm
From: Richard Purdie
Some tests such as lttng-tools are marginal and timing out on the autobuilder
with the current 300s default. Increase to avoid this noise in the ptest
failures list.
Signed-off-by: Richard Purdie
(cherry picked from commit 5fb902a52e35130af6b0735a087c709daa35655f)
Signed-of
From: hongxu
In sdk, call createrepo-c failed with:
...
$ createrepo_c --update ./test_repo/rpm
Directory walk started Critical: Failed to detect compression for file
./test_repo/rpm/cortexa72/hello-2.10-r0.cortexa72.rpm: magic_load() failed:
could not find any valid magic files!
...
Since comm
From: Lee Chee Yang
Signed-off-by: Lee Chee Yang
Signed-off-by: Richard Purdie
(cherry picked from commit 297f8c4eb4ff209b5ea69910902d216d86dbe2bf)
Signed-off-by: Anuj Mittal
---
meta/recipes-support/aspell/aspell_0.60.8.bb | 4 +-
.../aspell/files/CVE-2019-25051.patch | 101 ++
From: Matthias Klein
Signed-off-by: Matthias Klein
Signed-off-by: Richard Purdie
(cherry picked from commit 5cc0051d50974e198313f9513b24fd7ae9a96dd4)
Signed-off-by: Anuj Mittal
---
scripts/runqemu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/runqemu b/scripts/ru
From: Richard Purdie
Along with the other license exclusions, we need to exclude the
top level COPYING.MIT file else when:
COPY_LIC_DIRS = "1"
COPY_LIC_MANIFEST = "1"
is set, we see eSDK failures from a pseudo abort.
[YOCTO #14366]
Signed-off-by: Richard Purdie
(cherry picked from commit
From: Richard Purdie
When adding a layer which changed SSTATE_EXCLUDEDEPS_SYSROOT, the state
hashes were changing when they should not. This was caused by wider use
of setscene_depvalid which means the dependency on the variable was seen
when it was previously not.
Exclude the variable since thi
From: Bruce Ashfield
To make the usbc fragment more generally usable, we enable
the Type-C Port Controller driver for TCPCI-compliant controller.
Signed-off-by: Bruce Ashfield
Signed-off-by: Richard Purdie
(cherry picked from commit 485baca981188896a555d3a48c8b560718bb6e9d)
Signed-off-by: Anuj
From: Bruce Ashfield
Integrating the following commit(s) to linux-yocto/5.10:
969fef49cbbc Linux 5.10.52-rt47
bb5ff998ba62 Linux 5.10.47-rt46
340f6b6cdd37 sched: Don't defer CPU pick to migration_cpu_stop()
f3d0be7cdae8 sched: Simplify set_affinity_pending refcounts
6b2ca
From: Bruce Ashfield
Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:
0a0beb1f9120 Linux 5.4.135
d2f7b384a74f udp: annotate data races around unix_sk(sk)->gso_size
c72374978b3f perf test bpf: Free obj_buf
17bc942c0b96 bpftool: Prop
From: Bruce Ashfield
Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:
71046eac2db9 Linux 5.10.53
6cd9bd2a2ddb udp: annotate data races around unix_sk(sk)->gso_size
bfdb38a4268a drm/panel: nt35510: Do not fail if DSI read fails
0d9
From: Chen Qi
zstd uses 'zstandard' in NVD database. e.g. CVE-2021-24031
Signed-off-by: Chen Qi
Signed-off-by: Richard Purdie
(cherry picked from commit 304eb663e414171d38faeebb3c72e49e6e4e1112)
Signed-off-by: Anuj Mittal
---
meta/recipes-extended/zstd/zstd_1.4.9.bb | 2 ++
1 file changed, 2
From: Jon Mason
All of the errors being masked off for qemuarm are legacy from before
the migration of qemuarm to qemuarmv5. Rename the machine to that to
allow for qemuarmv5 to pass parselog test. Light testing shows no
errors in dmesg for qemuarm.
Signed-off-by: Jon Mason
Signed-off-by: Ric
From: Alexander Kanavin
Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie
(cherry picked from commit 0b0f53eed0aadbf45d9eead96ebf7725cc7447e6)
Signed-off-by: Anuj Mittal
---
scripts/lib/devtool/upgrade.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/lib/devtool/
Please review these changes for hardknott. Testing on autobuilder
resulted in some intermittent ptest failures in valgrind, tcl and
lttng-tools and also a qemu timeout failure in musl-qemux86-64.
Thanks,
Anuj
The following changes since commit 2fd915eda136e20ab52baea6bb908d08ef8f5cbc:
oe-setu
From: Khem Raj
This is fixed differently upstream [1]
[1]
https://github.com/ColinIanKing/stress-ng/commit/7e150ab18b0e8954ca426eb5366000a8f0d01110
Signed-off-by: Khem Raj
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit 96b1d483ccf2166bf577e73075d5fe
Adds extended package data which is encoded as JSON which allows it to
encode more structure than the "flat" package data files. The extended
data might be much larger than the standard package data, so it is not
read by default and instead requires
oe.packagedata.read_subpkgdata_extended() to be c
On 8/6/21 10:19 PM, Khem Raj wrote:
> I am seeing a bunch of failures on meta-oe and meta-atmel
>
> https://errors.yoctoproject.org/Errors/Details/600064/
> https://errors.yoctoproject.org/Errors/Details/600065/
> https://errors.yoctoproject.org/Errors/Details/600071/
>
>
I sent patches for meta-open
Adding -f*-prefix-map to LDFLAGS caused the following issue:
QA Issue: ldns.pc failed sanity test (tmpdir)
Fix by filtering out -f*-prefix-map from *.pc files.
[YOCTO #14481]
Signed-off-by: Tony Battersby
---
meta-oe/recipes-devtools/ldns/ldns_1.7.1.bb | 7 +++
1 file changed, 7 insertion
Adding -f*-prefix-map to LDFLAGS caused the following issue:
QA Issue: curlpp.pc failed sanity test (tmpdir)
Fix by filtering out -f*-prefix-map from *.pc files.
[YOCTO #14481]
Signed-off-by: Tony Battersby
---
meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb | 7 +++
1 file changed
On Mon, 9 Aug 2021 13:19:51 +0100
"Mike Crowe via lists.openembedded.org"
wrote:
> Cleaning the work directory makes the problem go away because that
> deletes the pseudo databases.
>
> Does the above make sense as an explanation for these errors? If so,
> is there a good way to avoid these erro
Add a testsdk task, which is essentially the same as testsdk.bbclass but
the test case directory is changed. This lets us exercise the
buildtools tarballs at build time.
Signed-off-by: Ross Burton
---
meta/recipes-core/meta/buildtools-tarball.bb | 13 +
1 file changed, 13 insertions
These two tests are designed to exercise the buildtools-tarball.
SanityTests simply verifies that inside the SDK, some commands are used
from the SDK.
BuildTests creates a new OE build directory and builds virtual/libc to
verify that a basic build works correctly. DL_DIR is reused to avoid
needle
Our CI Dunfell builds started failing during image creation with pseudo
aborts like:
path mismatch [2 links]: ino 123107550 db
'/.../build/tmp-glibc/work/mymachine-oe-linux/myimage/1.0-r2/oe-rootfs-repo/mymachine/mypackage-dbg_1.0-r7_mymachine.ipk'
req '/.../build/mymachine-root/usr/bin'.
Inode
Yeah not sure how that happened!
V2 incoming :)
On Thu, 22 Jul 2021 at 07:50, Richard Purdie
wrote:
>
> On Wed, 2021-07-21 at 14:54 +0100, Ross Burton wrote:
> > Add a testsdk task, which is essentially the same as testsdk.bbclass but
> > the test case directory is changed. This lets us exercis
Did ten minutes digging into some recent issues:
> CVE-2021-3507: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507 *
No fixes in flight for this.
> CVE-2021-35331: tcl:tcl-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-353
We only have the progress bar when we have more than 100 objects.
So check for this and store the result to show the progress bar.
Signed-off-by: Jose Quaresma
---
meta/classes/sstate.bbclass | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/meta/classes/sstate.bbcl
commit f2053844958325496a9387874a8f3182400b71ca
'classes/sstate.bbclass: Enable thread lock when checkstatus'
adds a thread lock so as not to lose the events from multiple threads
that run on the ThreadPool.
commit 1444b8a2ae226829e719d3d184fca27e5940ae0d
'sstate.bbclass: Only show sstate mirror prog
It uses the python os.sched_getaffinity and it is more accurate
Signed-off-by: Jose Quaresma
---
meta/classes/sstate.bbclass | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index c3c145e7f3..63085a7f3a 100644
---
On the first search we found some files on the local sstate cache.
The missing files are known as well when this step finishes.
When we have sstate mirrors we don't need to iterate all files again
because we already know what's missing.
Signed-off-by: Jose Quaresma
---
meta/classes/sstate.bbclass |
We don't need extra python collections to count the found files
on the sstate cache and sstate mirrors.
The main found collections provide all the files that were found,
then we only need to count the files on sstate mirror
Signed-off-by: Jose Quaresma
---
meta/classes/sstate.bbclass | 13 +
On 8/9/21 4:38 PM, Alexander Kanavin wrote:
Can you please explain the SRC_URI change in the commit message? Does
upstream version check work and report the latest version properly?
Hi,
I have sent a V2, and updated the commit
From: Changqing Li
The old homepage is a bad link and cannot be accessed. This project is
now developed on GitHub, and the new homepage is taken from
https://github.com/gbarr/perl-Convert-ASN1
The old SRC_URI is not used any more; the latest update is in 2014.
From 0.28, the download link changed to:
https
Source: https://sourceware.org/git/glibc.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Backported upstream commit 5adda61f62b77384718b4c0d8336ade8f2b4b35c to
glibc-2.33 source.
Upstream-Status: Backport
[https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b773847
Can you please explain the SRC_URI change in the commit message? Does
upstream version check work and report the latest version properly?
Alex
On Mon, 9 Aug 2021 at 08:01, Changqing Li
wrote:
> ping
> On 8/2/21 9:41 AM, Changqing Li wrote:
>
> From: Changqing Li
>
> Signed-off-by: Changqing L
Hello Alexandre,
On Sun, 2021-08-08 at 21:19 +0200, Alexandre Belloni wrote:
> Hello,
>
> On 06/08/2021 18:10:38+0200, Thomas Perrot wrote:
> > Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set
> > to "conf"
> > and no error will be raised in case of error.
> >
> > Signed-off
Added 0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch
to fix large memory usage for large file downloads
from dynamic backends reuse or release large memory chunks.
This issue is caused by a bug in the lighttpd 1.4.55 version and
has been fixed in lighttpd 1.4.58. Hence, it is not