[OE-core] [dunfell][PATCH] ruby/cgi-gem: CVE-2021-33621 HTTP response splitting in CGI

2023-07-19 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 Signed-off-by: Hitendra Prajapati --- .../ruby/ruby/CVE-2021-33621.patch| 139 ++ meta/recipes-devtools/ruby/ruby_2.7.6.bb | 1 + 2 files changed, 140

[OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-24 Thread Hitendra Prajapati
-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 Signed-off-by: Hitendra Prajapati --- .../CVE-2023-0795_0796_0797_0798_0799.patch | 162 ++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 163 insertions(+) create mode 100644 meta

[OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-25 Thread Hitendra Prajapati
tream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-25433.patch | 195 ++ .../tiff/CVE-2023-25434-CVE-2023-25435.patch | 94 + meta/recipe

[OE-core] [kirkstone][PATCH] libtiff: fix CVE-2023-26965 heap-based use after free

2023-07-25 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-26965.patch | 97 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files

[OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-26 Thread Hitendra Prajapati
-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8 Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-2908.patch | 33 +++ .../libtiff/tiff/CVE-2023-3316.patch | 59

[OE-core] [kirkstone][PATCHv2] tiff: fix multiple CVEs

2023-07-26 Thread Hitendra Prajapati
-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8 Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-29

[OE-core] [kirkstone][PATCH] libtiff: fix CVE-2023-26966 libtiff: Buffer Overflow

2023-07-27 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-26966.patch | 35 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files

[OE-core] [kirkstone][PATCHv2] libtiff: fix CVE-2023-26966 Buffer Overflow

2023-07-27 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2023-26966.patch | 35 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files

[OE-core] [dunfell][PATCH] tiff: fix multiple CVEs

2023-07-31 Thread Hitendra Prajapati
191117-2~deb10u8.debian.tar.xz] Signed-off-by: Hitendra Prajapati --- .../libtiff/files/CVE-2023-25433.patch| 173 ++ .../files/CVE-2023-25434-CVE-2023-25435.patch | 94 ++ .../libtiff/files/CVE-2023-26965.patch| 90 + .../libtiff/files/CVE-2023-26966.pa

Re: [OE-core] [kirkstone][PATCHv2] libtiff: fix CVE-2023-26966 Buffer Overflow

2023-08-01 Thread Hitendra Prajapati
Hi Team, Gentle reminder. Is there any issue with patch ?? Regards, Hitendra -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#185372): https://lists.openembedded.org/g/openembedded-core/message/185372 Mute This Topic: https://lists.openembedded.or

Re: [OE-core] [kirkstone][PATCHv2] tiff: fix multiple CVEs

2023-08-01 Thread Hitendra Prajapati
Hi Team, Gentle reminder. Is there any issue with patch ?? Regards, Hitendra View/Reply Online (#185373): https://lists.openembedded.org/g/openembedded-core/message/185373

[OE-core] [dunfell][PATCH] tiff: fix multiple CVEs

2023-08-01 Thread Hitendra Prajapati
-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8 Signed-off-by: Hitendra Prajapati --- .../libtiff/files/CVE-2023-29

Re: [OE-core] [kirkstone][PATCHv2] tiff: fix multiple CVEs

2023-08-09 Thread Hitendra Prajapati
Hi Team, Gentle reminder. Is there any issue with patch ??  what is the issue here ?? Regards, Hitendra View/Reply Online (#185721): https://lists.openembedded.org/g/openembedded-core/message/185721

[OE-core] [kirkstone][PATCH] sysstat: Fix CVE-2023-33204

2023-05-30 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 Signed-off-by: Hitendra Prajapati --- .../sysstat/sysstat/CVE-2023-33204.patch | 80 +++ .../sysstat/sysstat_12.4.5.bb | 5 +- 2 files changed

[OE-core] [kirkstone][PATCHv2] sysstat: Fix CVE-2023-33204

2023-05-30 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/sysstat/sysstat/commit/954ff2e2673c Signed-off-by: Hitendra Prajapati --- .../sysstat/sysstat/CVE-2023-33204.patch | 80 +++ .../sysstat/sysstat_12.4.5.bb | 5 +- 2 files changed, 83 insertions(+), 2

[OE-core] [dunfell][PATCH] openssl: CVE-2023-2650 Possible DoS translating ASN.1 object identifiers

2023-06-15 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098 Signed-off-by: Hitendra Prajapati --- .../openssl/openssl/CVE-2023-2650.patch | 122 ++ .../openssl/openssl_1.1.1t.bb | 1 + 2 files changed

[OE-core] [kirkstone][PATCH] libcap: CVE-2023-2602 Memory Leak on pthread_create() Error

2023-06-25 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb Signed-off-by: Hitendra Prajapati --- .../libcap/files/CVE-2023-2602.patch | 45 +++ meta/recipes-support/libcap/libcap_2.66.bb

[OE-core] [dunfell][PATCH] go: fix CVE-2023-29402 & CVE-2023-29404

2023-06-28 Thread Hitendra Prajapati
: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2023-29402.patch | 201 ++ .../go/go-1.14/CVE-2023-29404.patch | 84 3 files changed, 287 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE

[OE-core] [dunfell][PATCH] grub2: fix CVE-2020-27749 Stack buffer overflow

2023-07-05 Thread Hitendra Prajapati
Upstream-Status: Backport [https://launchpad.net/debian/+source/grub2/2.02+dfsg1-20+deb10u4/] Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2020-27749.patch | 609 ++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 610 insertions

[OE-core] [dunfell][PATCH] grub2: CVE-2021-20225 Heap out-of-bounds write in short form option parser

2023-07-05 Thread Hitendra Prajapati
Upstream-Status: Backport [https://launchpad.net/debian/+source/grub2/2.02+dfsg1-20+deb10u4/] Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2021-20225.patch | 57 +++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 58 insertions

[OE-core] [dunfell][PATCH] grub2: fix CVE-2021-20233 Heap out-of-bounds write error

2023-07-06 Thread Hitendra Prajapati
Upstream-Status: Backport [https://launchpad.net/debian/+source/grub2/2.02+dfsg1-20+deb10u4/] Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2021-20233.patch | 50 +++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 51 insertions

[OE-core] [dunfell][PATCH] grub2: Fix Multiple CVEs

2023-07-06 Thread Hitendra Prajapati
6&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6 * CVE-2021-20233 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2020-27749.patch

[OE-core] [dunfell][PATCHv2] grub2: Fix Multiple CVEs

2023-07-06 Thread Hitendra Prajapati
6&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6 * CVE-2021-20233 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2020-27749.patch

Re: [OE-core] [dunfell][PATCH] grub2: fix CVE-2020-27749 Stack buffer overflow

2023-07-06 Thread Hitendra Prajapati
Hi Steve, I have added v2 : *https://lists.openembedded.org/g/openembedded-core/message/183996* Thank you. Hitendra View/Reply Online (#183997): https://lists.openembedded.org/g/openembedded-core/message/183997

[OE-core] [dunfell][PATCHv3] grub2: Fix Multiple CVEs

2023-07-06 Thread Hitendra Prajapati
/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6 * CVE-2021-20233 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2020-27749

[OE-core] [kirkstone][PATCH] bind : fix CVE-2023-2828 & CVE-2023-2911

2023-07-09 Thread Hitendra Prajapati
/240caa32b9cab90a38ab863fd64e6becf5d1393c && https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d Signed-off-by: Hitendra Prajapati --- .../bind/bind-9.18.11/CVE-2023-2828.patch | 197 ++ .../bind/bind-9.18.11/CVE-2023-2911.patch | 97 + ...

[OE-core] [dunfell][PATCH] qemu: fix compile error which was imported by CVE-2022-4144

2023-04-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 1 + ...ass-requested-buffer

[OE-core] [kirkstone][PATCH] curl: CVE-2023-27533 TELNET option IAC injection

2023-04-11 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/0c28ba2faae2d7da780a66d2446045a560192cdc && https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-27533.patch

[OE-core] [kirkstone][PATCH] curl: CVE-2023-27534 SFTP path resolving discrepancy

2023-04-11 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-27534.patch| 122 ++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 123

[OE-core] [dunfell][PATCH] ruby: CVE-2023-28756 ReDoS vulnerability in Time

2023-04-12 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e Signed-off-by: Hitendra Prajapati --- .../ruby/ruby/CVE-2023-28756.patch| 61 +++ meta/recipes-devtools/ruby/ruby_2.7.6.bb | 1 + 2 files changed, 62

[OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

2023-04-14 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-27534.patch| 123 ++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 124

[OE-core] [kirkstone][PATCH] ruby: CVE-2023-28756 ReDoS vulnerability in Time

2023-04-16 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e Signed-off-by: Hitendra Prajapati --- .../ruby/ruby/CVE-2023-28756.patch| 73 +++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + 2 files changed, 74

[OE-core] [dunfell][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse

2023-04-16 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-27538.patch| 31 +++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 32

[OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse

2023-04-17 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-27538.patch| 31 +++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 32

Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse

2023-04-17 Thread Hitendra Prajapati
sage/180143 Could you review the above patch and ack if you approve. It would be nice to fix all three patches in a single commit if possible. Thanks! Steve On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati wrote: Upstream-Status: Backport from https://github.com/curl/curl/co

[OE-core] [dunfell][PATCH] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-19 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Signed-off-by: Hitendra Prajapati --- .../screen/screen/CVE-2023-24626.patch| 40 +++ meta/recipes-extended/screen/screen_4.8.0.bb | 1 + 2

[OE-core] [kirkstone][PATCH] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-20 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Signed-off-by: Hitendra Prajapati --- .../screen/screen/CVE-2023-24626.patch| 40 +++ meta/recipes-extended/screen/screen_4.9.0.bb | 1 + 2

[OE-core] [kirkstone][PATCH] connman: fix CVE-2023-28488 DoS in client.c

2023-05-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138 Signed-off-by: Hitendra Prajapati --- .../connman/connman/CVE-2023-28488.patch | 60 +++ .../connman/connman_1.41.bb

Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

2023-05-12 Thread Hitendra Prajapati
bssh2` i.e. PACKAGECONFIG_append = " libssh2"): https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114 Could you investigate and advise whether there is an easy fix or whether we should revert? Thanks, Steve On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati wrote: Upstream-Status:

Re: [OE-core] [dunfell][PATCHv3] curl: Security fix for CVE-2023-27534

2023-05-12 Thread Hitendra Prajapati
Hi Siddharth, Thank you for looking into this issue while I'm away from work. Thank you & Regards, Hitendra View/Reply Online (#181178): https://lists.openembedded.org/g/openembedded-core/message/181178

Re: [OE-core] [dunfell][PATCHv3] curl: Security fix for CVE-2023-27534

2023-05-12 Thread Hitendra Prajapati
++ On 12/05/23 17:02, Hitendra Prajapati wrote: Hi Siddharth, Thank you for looking into this issue while I'm away from work. Thank you & Regards, Hitendra -- Regards, Hitendra Prajapati MontaVista Software LLC

[OE-core] [dunfell][PATCH] git: fix CVE-2023-25652

2023-05-14 Thread Hitendra Prajapati
/9db05711c98efc14f414d4c87135a34c13586e0b Signed-off-by: Hitendra Prajapati --- .../git/files/CVE-2023-25652.patch| 95 +++ meta/recipes-devtools/git/git.inc | 1 + 2 files changed, 96 insertions(+) create mode 100644 meta/recipes-devtools/git/files/CVE-2023-25652.patch diff --git a

[OE-core] [dunfell][PATCH] git: fix CVE-2023-29007

2023-05-15 Thread Hitendra Prajapati
ommit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a Signed-off-by: Hitendra Prajapati --- .../git/files/CVE

Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

2023-05-16 Thread Hitendra Prajapati
APIs are not available in curl 7.69. Regards, Abdurrahman *From:* openembedded-core@lists.openembedded.org *On Behalf Of *Hitendra Prajapati *Sent:* Friday, May 12, 2023 4:26 AM *To:* Steve Sakoman *Cc:* openembedded-core@lists.openembedded.org *Subject:* Re: [OE-core] [dunfell][PATCH] curl

Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

2023-05-16 Thread Hitendra Prajapati
e or Siddharth. Thank you Siddharth. Regards, Hitendra Prajapati On 17/05/23 00:08, Abdurrahman Hussain (fib) wrote: Hi Hitendra, Any update on this? This should be reverted since the dynbuf APIs are not available in curl 7.69. Regards, Abdurrahman *From:* openembedded-

[OE-core] [dunfell][PATCHv2] git: fix CVE-2023-25652

2023-05-17 Thread Hitendra Prajapati
/9db05711c98efc14f414d4c87135a34c13586e0b Signed-off-by: Hitendra Prajapati --- .../git/files/CVE-2023-25652.patch| 94 +++ meta/recipes-devtools/git/git.inc | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta/recipes-devtools/git/files/CVE-2023-25652.patch diff --git a

[OE-core] [dunfell][PATCH] git: CVE-2022-23521 gitattributes parsing integer overflow

2023-02-19 Thread Hitendra Prajapati
6d & https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b & https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f & https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579 Signed-off-by: Hitendra Prajapati ---

[OE-core] [dunfell][PATCH] curl: fix CVE-2022-43552 Use-after-free triggered by an HTTP proxy deny response

2023-02-20 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2022-43552.patch| 82 +++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 83

Re: [OE-core] [dunfell 1/4] cve-extra-exclusions.inc: Use CVE_CHECK_WHITELIST

2023-02-28 Thread Hitendra Prajapati
Hi Ranjitsinh, Any specific reason to ignore the QEMU: CVE-2021-20255  CVE ?? Regards, Hitendra View/Reply Online (#177863): https://lists.openembedded.org/g/openembedded-core/message/177863

[OE-core] [kirkstone][PATCH] less: backport the fix for CVE-2022-46663

2023-02-28 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c Signed-off-by: Hitendra Prajapati --- .../less/less/CVE-2022-46663.patch| 31 +++ meta/recipes-extended/less/less_600.bb| 1 + 2 files changed, 32

[OE-core] [dunfell][PATCH] curl: CVE-2023-23916 HTTP multi-header compression denial of service

2023-03-27 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2023-23916.patch| 231 ++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 232

[OE-core] [dunfell][PATCH] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands

2022-06-19 Thread Hitendra Prajapati
: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati --- .../cyrus-sasl/CVE-2022-24407.patch | 83 +++ .../cyrus-sasl/cyrus-sasl_2.1.27.bb | 1 + 2 files changed, 84 insertions(+) create mode

[OE-core] [dunfell][PATCH] python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git references

2022-06-19 Thread Hitendra Prajapati
separators in git references. Signed-off-by: Hitendra Prajapati --- .../python/python3-pip/CVE-2021-3572.patch| 48 +++ .../python/python3-pip_20.0.2.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2021

[OE-core] [dunfell][PATCH] golang: CVE-2021-44717 syscall: don't close fd 0 on ForkExec error

2022-06-19 Thread Hitendra Prajapati
ff-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-44717.patch | 83 +++ 2 files changed, 84 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch diff --git a/meta/recipes-devtools/

[OE-core] [dunfell][PATCH] openldap: CVE-2022-29155 OpenLDAP SQL injection

2022-06-19 Thread Hitendra Prajapati
: OpenLDAP SQL injection Signed-off-by: Hitendra Prajapati --- .../openldap/openldap/CVE-2022-29155.patch| 277 ++ .../openldap/openldap_2.4.57.bb | 2 +- 2 files changed, 278 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/openldap

Re: [OE-core] [dunfell][PATCH] openldap: CVE-2022-29155 OpenLDAP SQL injection

2022-06-20 Thread Hitendra Prajapati
Hi Team, I'm sorry for my mistake in MAIL address. Thank you for the correct direction. On 20/06/22 23:07, akuster808 wrote: This should be sent to openembedded-de...@lists.openembedded.org it applies against meta-openembedded, not core. -armin On 6/19/22 22:21, Hitendra Prajapati

[OE-core] [dunfell][PATCH] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode

2022-06-24 Thread Hitendra Prajapati
. Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-24675.patch | 271 ++ 2 files changed, 272 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch diff --git a/meta/recipes

[OE-core] [dunfell][PATCH] golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header

2022-06-24 Thread Hitendra Prajapati
: panic in ReadRequest and ReadResponse when reading a very large header. Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-31525.patch | 38 +++ 2 files changed, 39 insertions(+) create mode 100644 meta

[OE-core] [dunfell][PATCH] grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content

2022-06-28 Thread Hitendra Prajapati
: CVE-2021-3981 grub2: Incorrect permission in grub.cfg allow unprivileged user to read the file content. Affects "grub2 < 2.06" Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2021-3981.patch| 32 +++ meta/recipes-bsp/grub/grub2.inc

[OE-core] [dunfell][PATCH] grub2: Fix buffer underflow write in the heap

2022-07-21 Thread Hitendra Prajapati
Affects "grub2 < 2.06" Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2021-3695.patch| 176 ++ .../grub/files/CVE-2021-3696.patch| 46 + .../grub/files/CVE-2021-3697.patch| 82 meta/recipes-bsp/grub/grub2.

[OE-core] [dunfell][PATCH] gnupg: CVE-2022-34903 possible signature forgery via injection into the status line

2022-07-22 Thread Hitendra Prajapati
: CVE-2022-34903 gnupg: possible signature forgery via injection into the status line. Signed-off-by: Hitendra Prajapati --- .../gnupg/gnupg/CVE-2022-34903.patch | 44 +++ meta/recipes-support/gnupg/gnupg_2.2.27.bb| 1 + 2 files changed, 45 insertions(+) create mode

[OE-core] [kirkstone][PATCH] gnupg: CVE-2022-34903 possible signature forgery via injection into the status line

2022-07-24 Thread Hitendra Prajapati
: CVE-2022-34903 gnupg: possible signature forgery via injection into the status line. Affects "gnupg < 2.3.6" Signed-off-by: Hitendra Prajapati --- .../gnupg/gnupg/CVE-2022-34903.patch | 44 +++ meta/recipes-support/gnupg/gnupg_2.3.4.bb | 1 + 2 file

[OE-core] [dunfell][PATCH V2] grub2: Fix buffer underflow write in the heap

2022-07-26 Thread Hitendra Prajapati
Affects "grub2 < 2.06" Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2021-3695.patch| 178 ++ .../grub/files/CVE-2021-3696.patch| 46 + .../grub/files/CVE-2021-3697.patch| 82 meta/recipes-bsp/grub/grub2.

[OE-core] [kirkstone][PATCH] qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash

2022-07-26 Thread Hitendra Prajapati
on the translate_fail path, leading to an io_readx or io_writex crash. Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-35414.patch| 53 +++ 2 files changed, 54 insertions(+) create mode 100644 meta

[OE-core] [dunfell][PATCH] qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash

2022-07-27 Thread Hitendra Prajapati
on the translate_fail path, leading to an io_readx or io_writex crash. Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-35414.patch| 53 +++ 2 files changed, 54 insertions(+) create mode 100644 meta

[OE-core] [dunfell][PATCH] libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By Zero Error

2022-07-27 Thread Hitendra Prajapati
-2058 libTiff: DoS from Divide By Zero Error. Signed-off-by: Hitendra Prajapati --- ...022-2056-CVE-2022-2057-CVE-2022-2058.patch | 183 ++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + 2 files changed, 184 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff

[OE-core] [kirkstone][PATCH] libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections

2022-07-27 Thread Hitendra Prajapati
-46828 libtirpc: DoS vulnerability with lots of connections. Signed-off-by: Hitendra Prajapati --- .../libtirpc/libtirpc/CVE-2021-46828.patch| 155 ++ .../libtirpc/libtirpc_1.3.2.bb| 4 +- 2 files changed, 158 insertions(+), 1 deletion(-) create mode 100644

[OE-core] [dunfell][PATCH] libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections

2022-07-27 Thread Hitendra Prajapati
-46828 libtirpc: DoS vulnerability with lots of connections. Signed-off-by: Hitendra Prajapati --- .../libtirpc/libtirpc/CVE-2021-46828.patch| 155 ++ .../libtirpc/libtirpc_1.2.6.bb| 4 +- 2 files changed, 158 insertions(+), 1 deletion(-) create mode 100644

[OE-core] [dunfell][PATCH] python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service

2022-07-31 Thread Hitendra Prajapati
attackers to cause a denial of service. Signed-off-by: Hitendra Prajapati --- .../recipes-devtools/python/python-lxml.inc | 2 + .../python/python3-lxml/CVE-2022-2309.patch | 94 +++ 2 files changed, 96 insertions(+) create mode 100644 meta-python/recipes-devtools/python

[OE-core] [dunfell][PATCH] grub2: Fix several security issue of integer underflow

2022-07-31 Thread Hitendra Prajapati
6 Signed-off-by: Hitendra Prajapati --- .../grub/files/CVE-2022-28733.patch | 60 .../grub/files/CVE-2022-28734.patch | 67 + .../grub/files/CVE-2022-28736.patch | 275 ++ meta/recipes-bsp/grub/grub2.inc | 3 + 4 fi

[OE-core] [master][PATCH] qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash

2022-08-02 Thread Hitendra Prajapati
Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] CVE: CVE-2022-35414 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-35414.patch| 53 +++ 2

[OE-core] [kirkstone][PATCH] gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow

2022-08-08 Thread Hitendra Prajapati
: a heap-based buffer overflow when compositing or clearing frames in GIF files. Signed-off-by: Hitendra Prajapati --- .../gdk-pixbuf/CVE-2021-46829.patch | 61 +++ .../gdk-pixbuf/gdk-pixbuf_2.42.6.bb | 1 + 2 files changed, 62 insertions(+) create mode

[OE-core] [dunfell][PATCH] gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow

2022-08-08 Thread Hitendra Prajapati
: a heap-based buffer overflow when compositing or clearing frames in GIF files. Signed-off-by: Hitendra Prajapati --- .../gdk-pixbuf/CVE-2021-46829.patch | 61 +++ .../gdk-pixbuf/gdk-pixbuf_2.40.0.bb | 1 + 2 files changed, 62 insertions(+) create mode

[OE-core] [dunfell][PATCH] qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_write

2022-08-16 Thread Hitendra Prajapati
overflow in msix_table_mmio_write() in hw/pci/msix.c. Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-27821.patch| 73 +++ 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-devtools/qemu

[OE-core] [dunfell][PATCH] gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify

2022-08-16 Thread Hitendra Prajapati
gnutls_pkcs7_verify. Signed-off-by: Hitendra Prajapati --- .../gnutls/gnutls/CVE-2022-2509.patch | 282 ++ meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + 2 files changed, 283 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch

[OE-core] [kirkstone][PATCH] gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify

2022-08-16 Thread Hitendra Prajapati
gnutls_pkcs7_verify. Signed-off-by: Hitendra Prajapati --- .../gnutls/gnutls/CVE-2022-2509.patch | 282 ++ meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 + 2 files changed, 283 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch

[OE-core] [dunfell][PATCH] zlib: CVE-2022-37434 a heap-based buffer over-read

2022-08-17 Thread Hitendra Prajapati
geID: 364c17d74213c64fe40b9b37ee78aa172ff93acf Description: CVE-2022-37434 zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. Signed-off-by: Hitendra Prajapati --- .../zlib/zlib/CVE-2022-37434.patch| 44 +++ meta/recipes-

[OE-core] [kirkstone][PATCH] zlib: CVE-2022-37434 a heap-based buffer over-read

2022-08-17 Thread Hitendra Prajapati
geID: 94d9b7d372b83cc1022c0a15046c5449d39208c3 Description: CVE-2022-37434 zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. Signed-off-by: Hitendra Prajapati --- .../zlib/zlib/CVE-2022-37434.patch| 44 +++ meta/recipes-

[OE-core] [kirkstone][PATCH] libtiff: CVE-2022-34526 A stack overflow was discovered

2022-08-19 Thread Hitendra Prajapati
overflow was discovered in the _TIFFVGetField function of Tiffsplit. Signed-off-by: Hitendra Prajapati --- .../libtiff/tiff/CVE-2022-34526.patch | 29 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes

[OE-core] [dunfell][PATCH] golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters

2022-10-27 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-2880.patch| 164 ++ 2 files changed, 165

[OE-core] [dunfell][PATCH] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps

2022-11-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-41715.patch | 253 ++ 2 files changed, 254

[OE-core] [dunfell][PATCH] libX11: CVE-2022-3554 Fix memory leak

2022-11-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef Signed-off-by: Hitendra Prajapati --- .../xorg-lib/libx11/CVE-2022-3554.patch | 58 +++ .../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 + 2

[OE-core] [kirkstone][PATCH] libX11: CVE-2022-3554 & CVE-2022-3555 Fix memory leak

2022-11-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef && https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af Signed-off-by: Hitendra Prajapati --- .../xorg-lib/li

[OE-core] [kirkstone][PATCH] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps

2022-11-03 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2022-41715.patch | 253 ++ 2 files changed, 254

[OE-core] [kirkstone][PATCH] curl: Fix multiple CVEs

2022-11-03 Thread Hitendra Prajapati
://github.com/curl/curl/commit/53bcf55b4538067e6 Signed-off-by: Hitendra Prajapati --- .../curl/curl/CVE-2022-32221.patch| 29 .../curl/curl/CVE-2022-42915.patch| 55 +++ .../curl/curl/CVE-2022-42916.patch| 136 ++ meta/recipes-support

[OE-core] [kirkstone][PATCH] bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c

2022-11-06 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f Signed-off-by: Hitendra Prajapati --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2022-3637.patch | 39

[OE-core] [kirkstone][PATCH] bluez: CVE-2022-3563 Fix null pointer dereference

2022-11-06 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e Signed-off-by: Hitendra Prajapati --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2022-3563.patch | 44

[OE-core] [dunfell][PATCH] bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c

2022-11-06 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f Signed-off-by: Hitendra Prajapati --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2022-3637.patch | 39

[OE-core] [kirkstone][PATCH] golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters

2022-11-08 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2022-2880.patch| 164 ++ 2 files changed, 165

[OE-core] [kirkstone][PATCH] QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion

2022-11-08 Thread Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/d307040b18 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/qemu/qemu.inc | 2 +- .../qemu/qemu/CVE-2022-3165.patch | 61 +++ 2 files changed, 62 insertions(+), 1

[OE-core] [dunfell][PATCH] sudo: CVE-2022-43995 heap-based overflow with very small passwords

2022-11-15 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 Signed-off-by: Hitendra Prajapati --- .../sudo/sudo/CVE-2022-43995.patch| 59 +++ meta/recipes-extended/sudo/sudo_1.8.32.bb | 1 + 2 files

[OE-core] [kirkstone][PATCH] systemd: CVE-2022-3821 Fix buffer overrun

2022-11-15 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/systemd/systemd-stable/commit/72d4c15a946d20143cd4c6783c802124bc894dc7 Affects "systemd <= 251" Signed-off-by: Hitendra Prajapati --- .../systemd/systemd/CVE-2022-3821.patch | 45 +++ meta/recipes

Re: [OE-core] [kirkstone][PATCH] curl: Fix multiple CVEs

2022-11-17 Thread Hitendra Prajapati
Hi Steve, Any update or issue with these patches?? Why is it not picked or merged? View/Reply Online (#173415): https://lists.openembedded.org/g/openembedded-core/message/173415

Re: [OE-core] [kirkstone][PATCH] curl: Fix multiple CVEs

2022-12-01 Thread Hitendra Prajapati
Hi Steve/Team, Any update or issue with these patches?? Why is it not picked or merged? View/Reply Online (#174219): https://lists.openembedded.org/g/openembedded-core/message/174219

Re: [OE-core] [kirkstone][PATCH] golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters

2022-12-01 Thread Hitendra Prajapati
Hi team, Why is this issue unattended?? Any issue in merging?? Please look at this issue, which is fixed for the Go package. View/Reply Online (#174220): https://lists.openembedded.org/g/openembedded-core/message/174220

Re: [OE-core] [kirkstone][PATCH] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps

2022-12-01 Thread Hitendra Prajapati
Hi team, Why is this issue unattended?? Any issue in merging?? Please look at this issue, which is fixed for the Go package. View/Reply Online (#174221): https://lists.openembedded.org/g/openembedded-core/message/174221

[OE-core] [kirkstone][PATCH] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c

2022-12-01 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5 Signed-off-by: Hitendra Prajapati --- .../libarchive/CVE-2022-36227.patch | 41 +++ .../libarchive/libarchive_3.6.1.bb| 4 +- 2 files

Re: [OE-core] [kirkstone][PATCH] curl: Fix multiple CVEs

2022-12-02 Thread Hitendra Prajapati
Hi Martin/Team, Yes, I missed that part. It is my mistake. I'm extremely sorry for that. I'll take care of it in next patches. Regards, Hitendra Prajapati On Fri, 2 Dec 2022, 1:11 pm Martin Jansa, wrote: > I see the same fixes with correct Author in .patch files (please don&#

Re: [OE-core] [kirkstone][PATCH] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c

2022-12-02 Thread Hitendra Prajapati
Hi Martin/Team, Yes, I missed that part. It is my mistake. I'm extremely sorry for that. I'll correct the patch and resubmit. Regards, Hitendra Prajapati On Fri, 2 Dec 2022, 1:19 pm Martin Jansa, wrote: > >> +From afa85b75607649f3a89cb4d17cf3f003738d3576 Mon Sep 17 00:

[OE-core] [kirkstone][PATCH v2] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c

2022-12-02 Thread Hitendra Prajapati
Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5 Signed-off-by: Hitendra Prajapati --- .../libarchive/CVE-2022-36227.patch | 42 +++ .../libarchive/libarchive_3.6.1.bb| 4 +- 2 files
