Rewrite of CVE_CHECK_IGNORE to CVE_STATUS contained copy+paste
problem changing CVE numbers.
CVE-2020-12352 -> CVE-2022-3563
CVE-2020-24490 -> CVE-2022-3637
CVE-2020-12352 is now for kernel only in NVD DB, so remove it.
CVE-2020-24490 is corrected in this commit.
Signed-off-by: Peter Marko
---
This will remove 6 CVEs which were already excluded before.
Signed-off-by: Peter Marko
---
meta/recipes-kernel/linux/cve-exclusion_6.1.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
b/meta/recipes-kernel/linux/cve-exclusio
On Sun, 30 Jul 2023 at 22:36, Alexandre Belloni
wrote:
> This is not 100% reproducible and so difficult to bisect. This is the
> log:
>
> diff-{{{
> --- /usr/lib/util-linux/ptest/tests/expected/lsfd/option-inet
> +++ /usr/lib/util-linux/ptest/tests/output/lsfd/option-inet
> @@ -5,10 +5,10 @@
>
From: Chen Qi
Backport patch to fix CVE-2023-29491.
Signed-off-by: Chen Qi
---
.../files/0001-Fix-CVE-2023-29491.patch | 462 ++
meta/recipes-core/ncurses/ncurses_6.4.bb | 1 +
2 files changed, 463 insertions(+)
create mode 100644
meta/recipes-core/ncurses/files/
Hi All,
QA for yocto-3.1.27.rc1 is completed. This is the full report for this release:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults
=== Summary
No high milestone defects.
No new issue found.
Thanks,
Jing Hui
> -
Got it. I'll check this failure.
Regards,
Qi
-Original Message-
From: Richard Purdie
Sent: Saturday, July 29, 2023 6:08 AM
To: Chen, Qi ; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] multilib.conf: explicitly make MULTILIB_VARIANTS
vardeps on MULTILIBS
On Thu
Signed-off-by: Khem Raj
---
...0001-riscv64-adjust-type-definitions.patch | 34 +++
.../0001-riscv64-ignore-unknown-relocs.patch | 32 +
meta/recipes-bsp/gnu-efi/gnu-efi_3.0.17.bb| 2 ++
3 files changed, 68 insertions(+)
create mode 100644
meta/recipes-bsp/
On 28/07/2023 17:25:46+0200, Alexander Kanavin wrote:
> I just locally ran the ptest against current abelloni/master-next
> (1db230c0191eefffd94be0e8f40312b76e8b8769) with arm-64 target on an
> x86 host, and that passed too. I can try to do that on the actual arm
> host in the AB cluster, but other
https://wheel.readthedocs.io/en/stable/news.html
0.41.0 (2023-07-22)
* Added full support of the build tag syntax to wheel tags (you can now
set a build tag like 123mytag)
* Fixed warning on Python 3.12 about onerror deprecation. (PR by Henry
Schreiner)
* Support testing on Python 3.12 betas (
https://more-itertools.readthedocs.io/en/stable/versions.html
10.0.0
* Potentially breaking changes
- Python 3.7 support was dropped, since it went EOL on 2023-06-27
- batched() no longer issues a DeprecationWarning; it is now an alias
for itertools.batched for Python 3.12+
- batched() a
No changelog provided. Commits:
8fb96ed (tag: 2023.07.22) 2023.07.22
afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
44df761 Hash pin Actions and enable dependabot (#228)
Signed-off-by: Tim Orling
---
...python3-certifi_2
No longer need to set PYPI_PACKAGE, download is
now sphinx-${PV}.tar.gz not Sphinx-${PV}.tar.gz.
https://www.sphinx-doc.org/en/master/changes.html#release-7-1-1-released-jul-27-2023
https://www.sphinx-doc.org/en/master/changes.html#release-7-1-0-released-jul-24-2023
Signed-off-by: Tim Orling
---
From: Benjamin Bouvier
When enabling ipcs and ipcrm configuration into busybox, both tools are
built and then deployed during do_rootfs. These operations lead to the
issue below (similar behavior happens for ipcs):
do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention
is to
From: Jose Quaresma
The Text-Template was updated from 1.46 to 1.56
| ERROR: openssl-native-3.1.1-r0 do_configure: PERLEXTERNAL
'/build/tmp/work/x86_64-linux/openssl-native/3.1.1-r0/openssl-3.1.1/external/perl/Text-Template-1.46/lib'
not found!
Signed-off-by: Jose Quaresma
Signed-off-by: Ale
From: Jose Quaresma
When upstream changes, it is better to fail or remove the PERL5LIB
if they are not needed anymore.
Signed-off-by: Jose Quaresma
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit 337ac1159644678508990927923ef8af30f34cd7)
Signed-off-by: Ste
From: Yoann Congal
Fix [Yocto #15085]
Co-authored-by: Fawzi KHABER
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit d5eedf8ca689ccb433c2f5d0b324378f966dd627)
Signed-off-by: Steve Sakoman
---
meta/lib/oeqa/selftest/cases/devtool.py | 32 +++
From: Ross Burton
str.format() doesn't use % notation, update the formatting to work.
assertTrue() is a member of self not a global, and assertTrue(True) will
always pass. Change this to just self.fail() as this is the failure case.
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(ch
From: Khem Raj
Default search in meson would grok /usr/bin for llvm-config and if found
will use it, which might add wrong paths into cflags/ldflags, since we
depend on llvm-native when building gallium support (that's when
llvm-config is effective), it's better to point llvm-config into native
sy
From: Ross Burton
Wes Tarro noticed a missing comma in a
preplace() call, add it.
That said, calling replace() with one argument results in a TypeError,
so this is obviously dead code.
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 9b2e2c8d809e7ca34451ec9
From: Ovidiu Panait
Upstream marked some testcases as "KNOWN BROKEN" and introduced the
"--skip-broken" flag to ignore them when running the testsuite (commits [1]
and [2]). Backport these two commits to get rid of the last remaining ptest
failures.
Also, add the "--skip-broken" option to the ru
From: Ovidiu Panait
Currently, some segfaults are reported when running ptest:
mdadm[12333]: segfault at 0 ip 7fe855924060 sp 7ffc4d6caf88 error 4 in
libc.so.6[7f)
Code: d2 0f 84 b7 0f 00 00 48 83 fa 01 0f 84 b9 0f 00 00 49 89 d3 89 f1 89 f8
48 83 e1 3f 4f
Backport the following upstre
From: Ovidiu Panait
Testcase 07revert-inplace fails if strace is not installed:
...
strace -o /tmp/str ./mdadm -A /dev/md0 --update=revert-reshape /dev/<...>
tests/07revert-inplace: line 40: strace: command not found
Add strace to mdadm-ptest RDEPENDS to make sure the testcase passes even with
a
From: Ovidiu Panait
Trying to run mdadm-ptest in a core-image-minimal build will result in:
root@qemux86-64:~# ptest-runner mdadm
START: ptest-runner
BEGIN: /usr/lib/mdadm/ptest
which: no lsblk in
(/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin)
lsblk command not found!
DURATION: 0
From: Quentin Schulz
The comment specifies how to use the variables but uses the older and
now unsupported override syntax. Let's update to match the newer syntax.
Cc: Quentin Schulz
(From OE-Core rev: 0a381eea4d50ff1c6e7c7d0d4df62eb581454b48)
Signed-off-by: Quentin Schulz
Signed-off-by: Alex
From: Yuta Hayama
If the instance name indicated by %i begins with a number, the meaning of the
replacement string "\\1{}".format(instance) is ambiguous.
To indicate group number 1 regardless of the instance name, use "\g<1>".
Signed-off-by: Yuta Hayama
Signed-off-by: Richard Purdie
(cherry p
From: Yoann Congal
native and nativesdk classes are special and must be inherited last:
put them at the end of the gathered classes to inherit.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit a6614fd800cbe791264aeb102d379ba79bd145c2)
Signed-off-by: Steve S
From: Andrej Valek
Since explicit debug package creation via ${KERNEL_PACKAGE_NAME}-dbg has
been added to kernel, it has to cover all PACKAGE_DEBUG_SPLIT_STYLE
options. For ex. when the variable "debug-file-directory" package search
path has to be set explicitly, otherwise it will not find any fi
From: Martin Jansa
* fixes do_configure failure:
checking whether all ucontext.h functions are available... yes
when is deprecated at
libxcrypt/4.4.30-r0/git/build-aux/scripts/BuildCommon.pm line 522.
Compilation failed in require at
../git/build-aux/scripts/expand-selected-hashes line 28
From: Sundeep KOKKONDA
gcc stable version upgraded from v11.3 to v11.4
For changes in v11.4 see - https://gcc.gnu.org/gcc-11/changes.html
Below is the bug fix list for v11.4
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&order=short_desc%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug
From: Wang Mingyu
Changelog:
===
* Fix: segmentation fault on filter interpretation in "switch" mode
* Fix: `ip` context is expressed as a base-10 field
* Fix: c99: use __asm__ __volatile__
* Fix: c99: static assert: clang build fails due to multiple typedef
* Fix: Reevaluate LTTNG_UST_TR
From: Wang Mingyu
Changelog:
Correctly detect CMS write errors.
Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
(cherry picked from commit 0296cf63007542c1cb209a4288be1c82aa2ba843)
Signed-off-by: Steve Sakoman
---
.../libksba/{libksba_1.6.3.bb => libksba_1.6.4.bb} | 2 +
From: Wang Mingyu
Changelog:
===
* Fix logging of confidential data. [rA0fc31770fa]
* Fix memory wiping. [T5977]
* Fix macOS build problem. [T5440,T5610]
* Upgrade autoconf stuff.
Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
(cherry picked from commit 90126be6dc32170
From: Alexander Kanavin
* Noteworthy changes in release 3.10 (2023-05-21) [stable]
** Bug fixes
cmp/diff can again work with file dates past Y2K38
[bug introduced in 3.9]
diff -D no longer fails to output #ifndef lines.
[bug#61193 introduced in 3.9]
Remove the comment addition from th
From: Tim Orling
Security and bugfix updates.
* Drop cve-2023-24329.patch as it is merged in 3.10.12
CVE: CVE-2023-24329
Includes openssl 1.1.1u which addresses:
CVE: CVE-2023-0286
CVE: CVE-2022-4304
CVE: CVE-2022-4203
https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-1
From: Yogita Urade
Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
https://lists.nongnu.org/archive/html/dmidecode-devel/20
From: Archana Polampalli
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code
execution if an agent is forwarded to an attacker-controlled system.
(Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
NOTE:
From: Hitendra Prajapati
Upstream-Status: Backport from
https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf
Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
.../libtiff/tiff/CVE-2023-26965.patch | 97 +++
meta/recipes
From: Hitendra Prajapati
Backport fixes for:
* CVE-2023-25433 - Upstream-Status: Backport from
https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678
&&
https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
* CVE-2023-25434 & CVE-202
From: Peter Marko
Relevant links:
* linked from NVD:
*
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
*
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
* picked commits fix all issues mentioned in
From: Vivek Kumbhar
Signed-off-by: Vivek Kumbhar
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-29406.patch | 210 ++
2 files changed, 211 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.
From: Hitendra Prajapati
Bug-Debian: https://bugs.debian.org/1031632
Origin:
https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
import from debian
http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz
From: Peter Marko
This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.
Signed-off-by: Ross Burton
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Si
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5667
The following changes since commit e7d3e02a624f7ce23d012bb11ad1df2049066b37:
package.bbclass: movi
On Sun, 30 Jul 2023 at 13:43, Alexander Kanavin wrote:
>
> On Sun, 30 Jul 2023 at 14:37, Luca Bocassi wrote:
> > > Jul 30 00:29:43 qemuarm64 systemd-logind[240]: New seat seat0.
> > > Jul 30 00:29:43 qemuarm64 systemd-logind[240]: Watching system buttons on
> > > /dev/input/event1 (QEMU QEMU USB
From: Luca Boccassi
- Drop dependency on gnu-efi, add dependency on pyelftools for EFI builds
- Refresh patches
- Ship new files and directories
- Use meson target to build sd-boot instead of filenames
Signed-off-by: Luca Boccassi
---
Note that the musl patches have been rebased to solve merge
Branch: mickledore
New this week: 17 CVEs
CVE-2020-25668 (CVSS3: 7.0 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25668 *
CVE-2020-2 (CVSS3: 6.7 MEDIUM): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2 *
CVE-2020-27815 (CVSS3: 7.8 H
Hi,
I will cherry-pick it tomorrow.
Thanks for the reminder.
Jose
On Sunday, 30/07/2023, 14:46, Alexander Kanavin
wrote:
> On Sat, 29 Jul 2023 at 21:19, Peter Marko via lists.openembedded.org
> wrote:
> > I could not find documentation how to handle mixins layer.
> > Could you please pick
Branch: kirkstone
New this week: 6 CVEs
CVE-2022-33065 (CVSS3: 7.8 HIGH): libsndfile1
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 *
CVE-2022-3563 (CVSS3: 5.7 MEDIUM): bluez5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3563 *
CVE-2022-3637 (CVSS3: 5.5 MEDIUM): bl
Some old CVEs are coming back.
I think this is a regression from CVE_CHECK_IGNORE conversion.
http://git.openembedded.org/openembedded-core/commit/?id=1634ed4048cf56788cd5c2c1bdc979b70afcdcd7
I'll check these tomorrow.
Peter
> -Original Message-
> From: yocto-secur...@lists.yoctoproject.o
On Sat, 29 Jul 2023 at 21:19, Peter Marko via lists.openembedded.org
wrote:
> I could not find documentation how to handle mixins layer.
> Could you please pick this to kirkstone/go meta-lts-mixins?
> Or should I send a patch to yo...@lists.yoctoproject.org (or other mailing
> list) instead of as
On Sun, 30 Jul 2023 at 14:37, Luca Bocassi wrote:
> > Jul 30 00:29:43 qemuarm64 systemd-logind[240]: New seat seat0.
> > Jul 30 00:29:43 qemuarm64 systemd-logind[240]: Watching system buttons on
> > /dev/input/event1 (QEMU QEMU USB Keyboard)
> > Jul 30 00:29:47 qemuarm64 login[263]: pam_unix(logi
From: Luca Boccassi
- Drop dependency on gnu-efi, add dependency on pyelftools for EFI builds
- Refresh patches
- Ship new files and directories
- Use meson target to build sd-boot instead of filenames
Signed-off-by: Luca Boccassi
---
Note that the musl patches have been rebased to solve merge
On Sun, 30 Jul 2023 at 09:06, Alexandre Belloni
wrote:
>
> Hello,
>
> I have the following failures:
>
> ERROR: systemd-1_254-r0 do_package: QA Issue: systemd: Files/directories were
> installed but not shipped in any package:
> /sbin/mount.ddi
Fixed in v2
> and
>
> Jul 30 00:29:43 qemuarm64
Branch: dunfell
New this week: 4 CVEs
CVE-2022-33065 (CVSS3: 7.8 HIGH): libsndfile1
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 *
CVE-2022-3563 (CVSS3: 5.7 MEDIUM): bluez5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3563 *
CVE-2022-41409 (CVSS3: 7.5 HIGH): libpc
Branch: master
New this week: 31 CVEs
CVE-2020-24490 (CVSS3: 6.5 MEDIUM): bluez5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24490 *
CVE-2020-25668 (CVSS3: 7.0 HIGH): linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25668 *
CVE-2020-2 (CVSS3: 6.7 MEDIUM): l
Since I had no answers to this, I'll send a patch series soon (tomorrow?)
targeting what I have in mind, for rust-hello-world, I think I'll send a
specific patch to disable frozen flag for this recipe (until its fate is
known).
Maybe sending code will help to know what it is about and, I hope, mak
Hello,
I have the following failures:
ERROR: systemd-1_254-r0 do_package: QA Issue: systemd: Files/directories were
installed but not shipped in any package:
/sbin/mount.ddi
and
Jul 30 00:29:43 qemuarm64 systemd-logind[240]: New seat seat0.
Jul 30 00:29:43 qemuarm64 systemd-logind[240]: Wat