On Thu, 21 Sept 2023, 11:03 Matsunaga-Shinji,
wrote:
> CVEs that are currently considered "Patched" are classified into the
> following 3 statuses:
> 1. "Patched" - means that a patch file that fixed the vulnerability
> has been applied
> 2. "Out of range" - means that the package version
Sorry for the late reply.
In addition to the changes to meta/classes/cve-check.bbclass,
Does it mean that the following processing needs to be added to
meta/conf/cve-check-map.conf?
CVE_CHECK_STATUSMAP[out-of-range] = "Patched"
CVE_CHECK_STATUSMAP[undecidable] = "Unpatched"
Shinji
On Tue, 2023-10-03 at 21:05 +0100, Richard Purdie via
lists.openembedded.org wrote:
> On Mon, 2023-10-02 at 20:09 -0700, Hemraj, Deepthi via
> lists.openembedded.org wrote:
> > From: Deepthi Hemraj
> >
> > Below commits on glibc-2.38 stable branch are updated.
> > 0e1ef6779a (HEAD ->
Pull in stable branch fixes including:
* tunables: Terminate if end of input is reached (CVE-2023-4911)
* Propagate GLIBC_TUNABLES in setxid binaries
* Document CVE-2023-4806 and CVE-2023-5156 in NEWS
* Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
Also set
'imp' was deprecated in Python 3.4 and removed in 3.12. The
piece of importlib we use has been around since 3.3.
Signed-off-by: Chris Laplante
---
scripts/lib/recipetool/create_buildsys_python.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git
On Mon, 2023-10-02 at 20:09 -0700, Hemraj, Deepthi via
lists.openembedded.org wrote:
> From: Deepthi Hemraj
>
> Below commits on glibc-2.38 stable branch are updated.
> 0e1ef6779a (HEAD -> release/2.38/master, origin/release/2.38/master)
> manual/jobs.texi: Add missing @item EPERM for getpgid
>
From: Shubham Kulkarni
Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
Upstream Link -
CVE-2023-24538:
https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
CVE-2023-39318:
https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
From: Martin Jansa
* this caused liberation-font-native to depend on TUNE_PKGARCH target fontconfig
because ${MLPREFIX}fontconfig-utils is added to RDEPENDS in anonymous python
* the dependency tree for liberation-font-native got much shorter
(just quilt-native and liberation-font-native
From: Narpat Mali
The output of python3-jinja2 ptest should follow a unified format as below
result: testname
Reference:
https://wiki.yoctoproject.org/wiki/Ptest
Signed-off-by: Narpat Mali
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +-
1 file
From: Martin Jansa
* needed on hosts with gcc-13 for ccache-native
Signed-off-by: Martin Jansa
Signed-off-by: Steve Sakoman
---
...x-FTBFS-with-not-yet-released-GCC-13.patch | 92 +++
meta/recipes-devtools/ccache/ccache_4.6.bb| 4 +-
2 files changed, 95 insertions(+), 1
From: Bruce Ashfield
Updating to the latest korg -stable release that comprises
the following commits:
393e225fe8ff Linux 5.10.197
242c5740dd17 ext4: fix rec_len verify error
8768583b2509 scsi: pm8001: Setup IRQs on resume
f4fffa1abb7f scsi: megaraid_sas: Fix deadlock on
From: Bruce Ashfield
Updating to the latest korg -stable release that comprises
the following commits:
006d5847646b Linux 5.10.194
d93ba6e46e5f rcu-tasks: Add trc_inspect_reader() checks for exiting
critical section
3e22624f8fd3 rcu-tasks: Wait for trc_read_check_handler() IPIs
From: Bruce Ashfield
Updating to the latest korg -stable release that comprises
the following commits:
1599cb60bace Linux 5.10.192
0e8139f92304 x86/srso: Correct the mitigation status when SMT is disabled
23e59874657c objtool/x86: Fixup frame-pointer vs rethunk
26e3f7690cda
From: Bruce Ashfield
Updating to the latest korg -stable release that comprises
the following commits:
da742ebfa00c Linux 5.10.191
3b55ce96efc5 sch_netem: fix issues in netem_change() vs get_dist_table()
db9d161a0407 alpha: remove __init annotation from exported page_is_ram()
From: Bruce Ashfield
Updating to the latest korg -stable release that comprises
the following commits:
de5f63612d16 Linux 5.10.189
2ae9a73819a7 x86: fix backwards merge of GDS/SRSO bit
f9167a2d6b94 xen/netback: Fix buffer overrun triggered by unusual packet
8457fb5740b1
Please review this set of patches for kirkstone and have comments back by
end of day Thursday, October 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5984
except for the meta-aws test, which breaks due to recent commits there.
Maintainer
From: Peter Marko
Recently NVD updated all CVEs for json-c and old fixed
CVE-2020-12762 is reported by cve_check now.
NVD match clause now includes full tag name including
date which is "greater" than tag without additional numbers.
Fix it by defining CVE_VERSION identical to full tag.
Put it
Unfortunately this patch doesn't apply (even after I edited for the
previous addition of glibc: fix CVE-2023-4806
ERROR: glibc-2.37-r1 do_patch: Applying patch
'0024-CVE-2023-5156-1.patch' on target directory
From: Shubham Kulkarni
Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
Upstream Link -
CVE-2023-24538:
https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
CVE-2023-39318:
https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
The original solution replaced all overrides with the package name that
was being checked. This can have unforseen consequences where some
variable involved in defining the value for the PKG: variable
may rely on some override which is not set as expected. It also meant
that any PKG variable set
On Tue, Oct 3, 2023 at 3:49 AM Shubham Kulkarni wrote:
>
> Hi Steve,
>
> I have recreated the patch from scratch for dunfell and sent it as v4 -
> https://lists.openembedded.org/g/openembedded-core/message/188639
> The issue in v3 might be due to whitespaces. But v4 should be good.
Sorry, it
Current Dev Position: YP 4.3 M4 (Feature Freeze)
Next Deadline: 2nd October 2023 YP 4.3 M4 build date
Next Team Meetings:
-
Bug Triage meeting Thursday October 5th 7:30 am PDT (
https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
-
Weekly Project Engineering Sync
From: Jermain Horsman
Previously _is_repo_git_repo() would return a result containing b'true\n' or
b'false\n' if 'git rev-parse' ran successfully, instead of True of False.
While this can be solved using e.g. result.strip().decode("utf-8") == "true",
there are some other cases to consider.
On Mon, Oct 2, 2023 at 12:40 PM Richard Purdie
wrote:
>
> It isn't any secret that I'm overloaded and struggle to keep up with
> the demands of the project. People often ask me "how do you need
> help?". Today, we have a fairly good example of the kind of problem I
> struggle with. So it is
From: Shubham Kulkarni
Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
Upstream Link -
CVE-2023-24538:
https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
CVE-2023-39318:
https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
On 2023-10-03 1:34 a.m., Deepthi.Hemraj via lists.openembedded.org wrote:
Regression testing is done and below are the test results.
Before glibc update
Summary of test results:
213 FAIL
4805 PASS
16 XFAIL
4 XPASS
218 UNSUPPORTED
After glibc update
Summary of test results:
216 FAIL
4805 PASS
Hi,
Le sam. 30 sept. 2023 à 00:05, Yoann Congal a
écrit :
> To increase ptest coverage we can check if the sources of a recipe looks
> like
> it contains unittest and warn the user that a test may be implemented
> there.
>
> This series provide the check infrastructure as a package QA check and
Upstream-Status: Backport from
https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41
Signed-off-by: Hitendra Prajapati
---
.../libtiff/tiff/CVE-2022-40090.patch | 569 ++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
2 files
I have a theory that some of the console boot issues we're seeing are due to
starting images with three serial ports yet only starting gettys on two of them.
This means that occasionally, depending on the port numbering we may not get
a login prompt on the console we expect it on.
To fix this,
From: Ross Burton
Sometimes the jitterentropy RNG fails to initialise on boot. My hunch
is that this is due to the hardware timer not being high resolution
enough combined with running inside a virtualised machine on a loaded
host, and whilst the message looks bad it basically says "driver not
From: Deepthi Hemraj
Signed-off-by: Deepthi Hemraj
---
.../glibc/glibc/0024-CVE-2023-5156-1.patch| 329 ++
.../glibc/glibc/0024-CVE-2023-5156-2.patch| 93 +
meta/recipes-core/glibc/glibc_2.37.bb | 2 +
3 files changed, 424 insertions(+)
create mode
Hi,
These are for master-next.
Cheers,
-Mikko
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188632):
https://lists.openembedded.org/g/openembedded-core/message/188632
Mute This Topic: https://lists.openembedded.org/mt/101731194/21656
Group
Don't process captured boot log in case it contains
invalid utf8 characters etc which may filter out important
log entries.
Signed-off-by: Mikko Rapeli
---
meta/lib/oeqa/utils/qemurunner.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/lib/oeqa/utils/qemurunner.py
Converting boot log to utf-8 strings may drop content
breaking the prompt detection resulting in timeouts.
Signed-off-by: Mikko Rapeli
---
meta/lib/oeqa/utils/qemurunner.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/meta/lib/oeqa/utils/qemurunner.py
Hi folks.
It should have been marked with kirkstone - sory for missing this.
On Tue, 2023-10-03 at 12:24 +0200, Claus Stovgaard via
lists.openembedded.org wrote:
> A spelling error was missed when backporting fix for CVE-2023-32360
>
> Signed-off-by: Claus Stovgaard
> ---
>
A spelling error was missed when backporting fix for CVE-2023-32360
Signed-off-by: Claus Stovgaard
---
meta/recipes-extended/cups/cups/CVE-2023-32360.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
Avoid setting sdk-wide RUSTFLAGS as these flags only are valid when
building for target.
This will enable building for different targets with different
RUSTFLAGS.
Signed-off-by: Sean Nyekjaer
---
meta/recipes-devtools/rust/rust-cross-canadian.inc | 4 +++-
1 file changed, 3 insertions(+), 1
Add a QA test to the SDK to test that a basic cargo build works for the
SDK host.
Signed-off-by: Sean Nyekjaer
---
Changes since v1:
- use SDK_SYS for compiling for SDK Host
meta/lib/oeqa/sdk/cases/rust.py | 22 ++
1 file changed, 22 insertions(+)
diff --git
This will enable us to build and run rust programs on the sdk host.
% cargo run --target x86_64-oesdk-linux-gnu -vv
Fresh hello v0.1.0 (~/development/hello)
Finished dev [unoptimized + debuginfo] target(s) in 0.02s
Running
From: Vijay Anusuri
Upstream-Status: Backport
[https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security
&
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
Signed-off-by: Vijay Anusuri
---
40 matches
Mail list logo
