[OE-core][kirkstone][scarthgap][PATCH 2/2] wpa-supplicant: Patch security advisory 2024-2

2024-09-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Pick patches according to http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt SAE H2E and incomplete downgrade protection for group negotiation Signed-off-by: Peter Marko --- ...valid-Rejected-Groups-element-length.patch | 52 +++

[OE-core][kirkstone][scarthgap][PATCH 1/2] wpa-supplicant: Patch CVE-2024-3596

2024-09-29 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Picked patches according to http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt First patch is style commit picked to have a clean cherry-pick of all mentioned commits without any conflict. Patch CVE-2024-3596_07.patch has hostapd code removed as it is

[OE-core][kirkstone][PATCH 2/2] wpa-supplicant: Ignore CVE-2024-5290

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vul

[OE-core][kirkstone][PATCH 1/2] gnupg: Document CVE-2022-3219 and mark wontfix

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko (From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090) Signed-off-by: Khem Raj Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-support/gnupg/gnupg_2.3.7.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git

[OE-core][scarthgap][PATCH 3/3] wpa-supplicant: Ignore CVE-2024-5290

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vul

[OE-core][scarthgap][PATCH 2/3] openssh: Mark CVE-2023-51767 as wont-fix

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Khem Raj (From OE-Core rev: 1b4bada6c003ef743df09283e45953e6d9ea4c5a) Signed-off-by: Khem Raj Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 + 1 file changed, 1 insertion(+) diff --

[OE-core][scarthgap][PATCH 1/3] gnupg: Document CVE-2022-3219 and mark wontfix

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Khem Raj (From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090) Signed-off-by: Khem Raj Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-support/gnupg/gnupg_2.4.4.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/met

[OE-core][PATCH] wpa-supplicant: Ignore CVE-2024-5290

2024-09-28 Thread Peter Marko via lists.openembedded.org
From: Peter Marko NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vul

[OE-core][PATCH] curl: Upgrade 8.9.1 -> 8.10.1

2024-09-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Resolves CVE-2024-8096. Possibility to set random was removed in commit https://github.com/curl/curl/commit/269fdd4c6ed5d837d57448ac977f6f300968df15. Tests have a new perl module dependency. Removed backported patch present in new version. Signed-off-by: Peter Marko --- ...e-str

[OE-core][scarthgap][PATCH 3/3] python3: Upgrade 3.12.5 -> 3.12.6

2024-09-17 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232, CVE-2023-27043 and other bug fixes. Removed below patches, as the fix is included in 3.12.6 upgrade: 1. CVE-2024-7592.patch 2. CVE-2024-8088.patch Release Notes: https://www.python.org/downloads/release/p

[OE-core][scarthgap][PATCH 2/3] python3: skip readline limited history tests

2024-09-17 Thread Peter Marko via lists.openembedded.org
From: Trevor Gamblin Python 3.12.5 is failing a newer ptest for reading/writing limited history when editline (default) is set in PACKAGECONFIG. Skip it for now until a proper fix (if any) is determined. A bug has been opened upstream: https://github.com/python/cpython/issues/123018 (From OE-Co

[OE-core][scarthgap][PATCH 1/3] python3: upgrade 3.12.4 -> 3.12.5

2024-09-17 Thread Peter Marko via lists.openembedded.org
From: Trevor Gamblin Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html (From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809) Signed-off-by: Trevor Gamblin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- .../python

[OE-core][scarthgap][PATCH] curl: Ignore CVE-2024-32928

2024-08-26 Thread Peter Marko via lists.openembedded.org
From: Simone Weiß This CVE affects google cloud services that utilize libcurl wrongly. (From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269) Signed-off-by: Simone Weiß Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-support/curl/curl_8.7.1.bb | 1 + 1 file c

[OE-core][kirkstone][PATCH] curl: Ignore CVE-2024-32928

2024-08-26 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE affects google cloud services that utilize libcurl wrongly. (From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269) Changed CVE ignore syntax Signed-off-by: Simone Weiß Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-support/curl/cur

[OE-core][kirkstone][PATCH] libyaml: Ignore CVE-2024-35325

2024-08-25 Thread Peter Marko via lists.openembedded.org
This is a similar CVE to the previous ones from the same author. https://github.com/yaml/libyaml/issues/303 explains why this is misuse (or wrong use) of libyaml. Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/

[OE-core][scarthgap][PATCH] libyaml: Ignore CVE-2024-35325

2024-08-25 Thread Peter Marko via lists.openembedded.org
This is a similar CVE to the previous ones from the same author. https://github.com/yaml/libyaml/issues/303 explains why this is misuse (or wrong use) of libyaml. Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/re

[OE-core][PATCH] libyaml: Ignore CVE-2024-35325

2024-08-25 Thread Peter Marko via lists.openembedded.org
This is a similar CVE to the previous ones from the same author. https://github.com/yaml/libyaml/issues/303 explains why this is misuse (or wrong use) of libyaml. Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/re

[OE-core][scarthgap][PATCH] curl: Patch CVE-2024-7264

2024-08-24 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Pick commits per https://curl.se/docs/CVE-2024-7264.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2024-7264-1.patch | 61 .../curl/curl/CVE-2024-7264-2.patch | 316 ++ meta/recipes-support/curl/curl_8.7.1.bb | 2 + 3 f

Re: [OE-core][kirkstone][PATCH] libyaml: ignore CVE-2024-35326

2024-08-13 Thread Peter Marko via lists.openembedded.org
Gentle ping, maybe this was missed because of title similarity with CVE-2024-35328? Peter > -Original Message- > From: Marko, Peter (ADV D EU SK BFS1) > Sent: Wednesday, August 7, 2024 23:55 > To: openembedded-core@lists.openembedded.org > Cc: Marko, Peter (ADV D EU SK BFS1) > Subject

Re: [OE-core] [PATCH] lz4: upgrade 1.9.4 -> 1.10.0

2024-08-13 Thread Peter Marko via lists.openembedded.org
Hello again, This should have been [PATCH v2] (and the next one should be [PATCH v3]). Also see below for one more finding. Cheers, Peter > -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Thorsten Fuchs via > lists.openembedded.

Re: [OE-core] [PATCH] lz4: upgrade 1.9.4 -> 1.10.0

2024-08-12 Thread Peter Marko via lists.openembedded.org
The CVE_STATUS needs to stay (forever), as r118 > 1.x.y so it would reappear in CVE reports. Also, you're not fixing this CVE with this upgrade, so commit message should not have "CVE: " flag. Additionally upstream-status flag is missing in your patch, move it there from commit message. Cheers

Re: [OE-core] [PATCH v4][OE-core 1/6] cve-check: encode affected product/vendor in CVE_STATUS

2024-08-12 Thread Peter Marko via lists.openembedded.org
Hi Marta, I have some comments also to this respin. Peter > -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Monday, August 12, 2024 6:09 > To: openembedded-core@lists.openem

Re: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected product/vendor in CVE_STATUS

2024-08-09 Thread Peter Marko via lists.openembedded.org
> From: Marta Rybczynska > Sent: Friday, August 9, 2024 12:45 > To: Marko, Peter (ADV D EU SK BFS1) > Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska > > Subject: Re: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected > product/vendor in CVE_STATUS > > > On Fri, Aug 9, 2024

Re: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected product/vendor in CVE_STATUS

2024-08-09 Thread Peter Marko via lists.openembedded.org
> -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Friday, August 9, 2024 8:24 > To: openembedded-core@lists.openembedded.org > Cc: Marta Rybczynska > Subject: [OE-core] [R

Re: [OE-core] [PATCH] zlib: add vendor to CVE_PRODUCT to exclude false positives

2024-08-07 Thread Peter Marko via lists.openembedded.org
There is also gnu:zlib in CVE reports for zlib... sqlite3 nvdcve_2-1.db sqlite> select vendor, count(*) from products where product='zlib' group by vendor; cloudflare|1 gnu|1 zlib|13 sqlite> select * from products where product='zlib' and vendor = 'gnu'; CVE-2016-9842|gnu|zlib|1.2.3.4|>=|1.2.9|<

[OE-core][kirkstone][PATCH] libyaml: ignore CVE-2024-35326

2024-08-07 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This is the same problem as already ignored CVE-2024-35328. See also this comment in addition: https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233 Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +- 1 file changed, 1 insertion(+

[OE-core][scarthgap][PATCH] libyaml: ignore CVE-2024-35326

2024-08-07 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This is the same problem as already ignored CVE-2024-35328. See also this comment in addition: https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233 Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 + 1 file changed, 1 insertion(+)

[OE-core][PATCH] libyaml: ignore CVE-2024-35326

2024-08-07 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This is the same problem as already ignored CVE-2024-35328. See also this comment in addition: https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233 Signed-off-by: Peter Marko --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 + 1 file changed, 1 insertion(+)

Re: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status

2024-08-07 Thread Peter Marko via lists.openembedded.org
> -Original Message- > From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) > > Sent: Wednesday, August 7, 2024 12:17 > To: Marko, Peter (ADV D EU SK BFS1) ; Richard > Purdie ; Marta Rybczynska > ; openembedded-core@lists.openembedded.org > Cc: xe-linux-external(mailer list

[OE-core][scarthgap][PATCH] qemu: set cve status for CVE-2023-6683

2024-08-05 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE is fixed in v8.2.2 with v8.2.1-55-g480a6adc83 https://github.com/qemu/qemu/commit/480a6adc83a7bbc84bfe67229e084603dc061824 Signed-off-by: Peter Marko --- meta/recipes-devtools/qemu/qemu.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/

[OE-core][scarthgap][PATCH] libmnl: explicitly disable doxygen

2024-08-05 Thread Peter Marko via lists.openembedded.org
From: Peter Marko libmnl autoconf autodetects doxygen to generate manpages. If doxygen is provided via hosttools, the build fails. Also until now manpages were not needed. So explicitly disable doxygen in configure step. (From OE-Core rev: 8d7bbf4d6936d831e341e9443a6b3711be09c7ab) Signed-off-by

[OE-core] Expired certificate https://git.openembedded.org/

2024-08-05 Thread Peter Marko via lists.openembedded.org
In case no one noticed yet, the certificate expired an hour ago, so the repositories can't be viewed in a browser... Peter

Re: [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS

2024-08-05 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Richard Purdie via lists.openembedded.org Sent: Sunday, August 4, 2024 23:33 To: st...@sakoman.com; openembedded-core@lists.openembedded.org Subject: Re: [OE-core][scarthgap 18/18] rust: Add new varaible RUST

[OE-core][PATCH] libmnl: explicitly disable doxygen

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko libmnl autoconf autodetects doxygen to generate manpages. If doxygen is provided via hosttools, the build fails. Also until now manpages were not needed. So explicitly disable doxygen in configure step. Signed-off-by: Peter Marko --- meta/recipes-extended/libmnl/libmnl_1.0.5.

[OE-core][scarthgap][PATCH] curl: Patch CVE-2024-6197

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Picked commit per https://curl.se/docs/CVE-2024-6197.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2024-6197.patch | 24 +++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 25 insertions(+) create mode 100644 meta/re

[OE-core][scarthgap][PATCH v2] glibc: cleanup old cve status

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE status should have been removed on version update. CPE says >=2.34 and <2.39 while our version is already 2.39. (From OE-Core rev: b568a8f428e76f75bb8c374983f62822325ebe8a) Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- meta/recipes-core/glibc/glibc-v

[OE-core][scarthgap][PATCH] glibc: cleanup old cve status

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE status should have been removed on version update. CPE says >=2.34 and <2.39 while our version is already 2.40. (From OE-Core rev: b568a8f428e76f75bb8c374983f62822325ebe8a) Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- meta/recipes-core/glibc/glibc-v

[OE-core][scarthgap][PATCH] nasm: Upgrade 2.16.01 -> 2.16.03

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Richard Purdie Removes CVE-2022-46456 from reports. (From OE-Core rev: 4a5b6e8dd315b2281afb232410db585d431be00f) Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-devtools/nasm/{nasm_2.16.01.bb => nasm_2.16.03.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deleti

[OE-core][kirkstone][PATCH] libyaml: Update status of CVE-2024-35328

2024-08-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This is open yet but seems to be disputed. This has not yet been disputed officially. Based on: OE-Core rev: 4cba8ad405b1728afda3873f99ac88711ab85644 OE-Core rev: 7ec7384837f3e3fb68b25a6108ed7ec0f261a4aa OE-Core rev: c66d9a2a0d197498fa21ee8ca51a4afb59f75473 Squashed and converted

Re: [OE-core] [PATCH 3/6] mesa: enable a rich set of drivers for native builds

2024-08-02 Thread Peter Marko via lists.openembedded.org
> -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Alexander Kanavin via > lists.openembedded.org > Sent: Thursday, March 16, 2023 10:41 > To: openembedded-core@lists.openembedded.org > Cc: Kanavin, Alexander (EXT) (Linutronix G

Re: [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis

2024-08-01 Thread Peter Marko via lists.openembedded.org
> -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Richard Purdie via > lists.openembedded.org > Sent: Thursday, August 1, 2024 15:45 > To: rybczyn...@gmail.com; openembedded-core@lists.openembedded.org > Cc: Marta Rybczynska ;

Re: [OE-core][master][scarthgap][PATCH] libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust

2024-07-30 Thread Peter Marko via lists.openembedded.org
Gentle ping for scarthgap > -Original Message- > From: Marko, Peter (ADV D EU SK BFS1) > Sent: Sunday, July 14, 2024 11:36 > To: openembedded-core@lists.openembedded.org > Cc: Marko, Peter (ADV D EU SK BFS1) > Subject: [OE-core][master][scarthgap][PATCH] libstd-rs,rust-cross-canadian: >

[OE-core][kirkstone][PATCH] gcc-runtime: remove bashism

2024-07-27 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Debian 12 no longer supports replacing dash with bash as default shell. Therefore to achieve compatibility with Debian 12, all bashisms need to be removed. Shell comparison via == gives an error with dash and thus the condition is always false. (From OE-Core rev: 3723b26f82219

[OE-core] [PATCH] glibc: cleanup old cve status

2024-07-25 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This CVE status should have been removed on version update. CPE says >=2.34 and <2.39 while our version is already 2.40. Signed-off-by: Peter Marko --- meta/recipes-core/glibc/glibc-version.inc | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/recipes-core/glibc/glibc

Re: [OE-core][scarthgap][master][PATCH] gpgme: move gpgme-tool to own sub-package

2024-07-24 Thread Peter Marko via lists.openembedded.org
Gentle ping -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Patrick Wicki via lists.openembedded.org Sent: Tuesday, June 18, 2024 12:06 To: openembedded-core@lists.openembedded.org Cc: Wicki, Patrick (SI BP R&D ZG SW 2) Subject: [OE-core][scarthgap][maste

Re: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status

2024-07-23 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Dhairya Nagodra via lists.openembedded.org Sent: Wednesday, July 24, 2024 6:45 To: openembedded-core@lists.openembedded.org Cc: xe-linux-exter...@cisco.com; Dhairya Nagodra Subject: [OE-core] [PATCH] cve-chec

Re: [OE-core] [PATCH 1/3] cve-check: enrich annotation of CVEs

2024-07-22 Thread Peter Marko via lists.openembedded.org
> > I think that there is a fundamental change in behavior here. > > Previously we were taking (NVD) DB as base and only vulnerable CVEs were > > compared annotated with CVE_STATUS or our presence of CVE patches. > > Now we take the CVE_STATUS and CVE patches as base and add entries from DB > >

[OE-core][kirkstone][PATCH] wpa-supplicant: Patch CVE-2023-52160

2024-07-19 Thread Peter Marko via lists.openembedded.org
From: Peter Marko PEAP client: Update Phase 2 authentication requirements. Also see https://www.top10vpn.com/research/wifi-vulnerabilities/ Patch is copied from scarthgap, the recipes differ too much for cherry-pick even if they have the same version. Signed-off-by: Peter Marko --- ...te-Phas

[OE-core][kirkstone][PATCH] busybox: Patch CVE-2021-42380

2024-07-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch for CVE-2021-42380. Move it before the patch for CVE-2023-42363 because they touch the same code and they are in this order in git history, so we avoid fuzz modifications. This will remove fuzz modifications from CVE-2023-42363 and both will apply cleanly without modi

[OE-core][kirkstone][PATCH] libarchive: ignore CVE-2024-37407

2024-07-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko History of code changes: * introduced: https://github.com/ilibarchive/libarchive/commit/390d83012fdba8c8db7fc9915338805882b0597a (v3.7.2-52-g390d8301) * reverted: 6https://github.com/libarchive/libarchive/commit/2c8caf6611a7d0662d80176c4fdb40f85794699 (v3.7.2-53-g62c8caf6) *

Re: [OE-core] [PATCH 1/3] cve-check: enrich annotation of CVEs

2024-07-17 Thread Peter Marko via lists.openembedded.org
Hi Marta, Thanks for the great work on this topic. I have left 3 comments below. Thanks for considering them. Peter > -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Mon

[OE-core][master][scarthgap][PATCH] libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust

2024-07-14 Thread Peter Marko via lists.openembedded.org
From: Peter Marko These recipes come from rust sources and CVEs are reported for them under the rust-lang:rust vendor:product tuple. Especially libstd-rs needs correct CVE_PRODUCT as it is installed on target devices (being statically linked to rust compiled binaries). before: cargo: CVE_PRODUCT="c

[OE-core][master][scarthgap][PATCH 1/2] busybox: Patch CVE-2021-42380

2024-07-12 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch for CVE-2021-42380. Additionally backport clang regression fix caused by this patch. Signed-off-by: Peter Marko --- ...-fix-segfault-when-compiled-by-clang.patch | 41 + .../busybox/busybox/CVE-2021-42380.patch | 151 ++ meta/recipes-c

[OE-core][master][scarthgap][PATCH 2/2] busybox: Patch CVE-2023-42363

2024-07-12 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Backport patch for CVE-2023-42363. Signed-off-by: Peter Marko --- .../busybox/busybox/CVE-2023-42363.patch | 67 +++ meta/recipes-core/busybox/busybox_1.36.1.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-core/busybox/busy

[OE-core][master][scarthgap][PATCH] cargo: remove True option to getVar calls

2024-06-25 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Layer cleanup similar to https://git.openembedded.org/openembedded-core/commit/?id=26c74fd10614582e177437608908eb43688ab510 Signed-off-by: Peter Marko --- meta/classes-recipe/cargo_common.bbclass | 4 ++-- meta/classes-recipe/ptest-cargo.bbclass | 18 +- 2 f

[OE-core][master][scarthgap][PATCH] flac: fix buildpaths warnings

2024-06-25 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Generated documentation (html) contains absolute paths to sources, causing buildpaths warnings. Replace them with relative links. The file with root path to sources is in my build /usr/share/doc/flac/api/dir_c122f5d6544f32779f55e8358fb78605.html which does not look like a stable name, so

[OE-core][kirkstone][PATCH] glib-2.0: patch CVE-2024-34397

2024-06-08 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This is taken from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4047 That MR was not merged as 2.72 is an inactive branch now. But it can be used by distributions, like Ubuntu did under https://git.launchpad.net/ubuntu/+source/glib2.0/commit/?h=applied/ubuntu/jammy-security

[OE-core][PATCH] openssl: Upgrade 3.3.0 -> 3.3.1

2024-06-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Handles CVE-2024-4741 Removed included backports. Release information: https://github.com/openssl/openssl/blob/openssl-3.3/NEWS.md#major-changes-between-openssl-330-and-openssl-331-4-jun-2024 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-4603.patch | 179

Re: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741

2024-06-02 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Siddharth via lists.openembedded.org Sent: Sunday, June 2, 2024 18:45 To: openembedded-core@lists.openembedded.org Cc: Siddharth Doshi Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4

Re: [OE-core][scarthgap][PATCH] opencl: fix virtual PROVIDES warnings

2024-05-30 Thread Peter Marko via lists.openembedded.org
-Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Bin Lan via lists.openembedded.org Sent: Friday, May 31, 2024 8:30 To: openembedded-core@lists.openembedded.org Cc: Bin Lan Subject: [OE-core][scarthgap][PATCH] opencl: fix virtual PROVIDES warnings > From:

[OE-core][scarthgap][PATCH 6/6] libusb1: Set CVE_PRODUCT

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Ricardo Simoes This commit sets the CVE_PRODUCT variable to "libusb" to match the product name used in the NIST CPE database [1]. [1]: https://nvd.nist.gov/products/cpe/search Signed-off-by: Ricardo Simoes Signed-off-by: Mark Jonas Signed-off-by: Alexandre Belloni

[OE-core][scarthgap][PATCH 2/6] llvm: Upgrade to 18.1.5

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Khem Raj Brings 617a15a9eac9 [clang codegen] Fix MS ABI detection of user-provided constructors. (#90151) 20b9ed64ea07 [RISCV][ISel] Fix types in tryFoldSelectIntoOp (#90659) ece9d35f1a70 [GlobalISel] Fix store merging incorrectly classifying an unknown index expr as 0.

[OE-core][scarthgap][PATCH 1/6] llvm: Upgrade to 18.1.4

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Khem Raj Brings following fixes * e6c3289804a6 [CMake][Release] Disable PGO (#88465) (#89000) * 028e425f86cc [MIPS] Fix the opcode of max.fmt and mina.fmt (#85609) * e3c832b37b0a Fix override keyword being print to the left side * 1d3f5da4 Revert "[Mips] Fix missing si

[OE-core][scarthgap][PATCH 0/6] scarthgap backports

2024-05-25 Thread Peter Marko via lists.openembedded.org
Pick some commits from master: * llvm updates to match meta-clang scarthgap branch * security related (CVE, CVE_PRODUCT, version) Note that libusb1 CVE_PRODUCT patch is not on master yet and it was picked from abelloni/master-next branch. Khem Raj (3): llvm: Upgrade to 18.1.4 llvm: Upgrade to

[OE-core][scarthgap][PATCH 4/6] ncurses: Fix CVE-2023-45918

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Soumya Sambu ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45918 (From OE-Core rev: 6573995adf4cfd48b036f8463b39f3864fcfd85b) Signed-off-by: Soumya Sambu Signed-off-by: R

[OE-core][scarthgap][PATCH 3/6] llvm: Switch to using release tarballs

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Khem Raj git checkouts are in excess of 3G, which is not ideal for everyone to download/clone, instead switch to fetching release tarball which is ~126M as of 18.1.5 release (From OE-Core rev: 800e6576e4f3af10846af13c2f217f986c1afdb4) Signed-off-by: Khem Raj Signed-off-b

[OE-core][scarthgap][PATCH 5/6] update-rc.d: add +git to PV

2024-05-25 Thread Peter Marko via lists.openembedded.org
From: Peter Marko This hash is ahead of the tag, so adapt PV accordingly. (From OE-Core rev: c94e46019a7d443ccc4763ba16d87e7e97abe977) Signed-off-by: Peter Marko Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- meta/recipes-core/update-rc.d/update-rc.d_0.8.bb | 1 + 1 file

Re: [OE-core] scarthgap backports

2024-05-23 Thread Peter Marko via lists.openembedded.org
via lists.openembedded.org > wrote: > > > > Hi Peter, > > > > On 5/22/24 11:10 PM, Peter Marko via lists.openembedded.org wrote: > > > Hello, > > > > > > I'd like to request following backports from master to scarthgap > > > >

[OE-core][scarthgap][PATCH] ttyrun: define CVE_PRODUCT

2024-05-22 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Single executable ttyrun is taken out of the s390-tools repository containing a ton of other helper tools. CVEs are not assigned to executables, but to whole components. Historically there also already exists one CVE for s390-tools. Most of the CVEs will not be for ttyrun, but this i

[OE-core] scarthgap backports

2024-05-22 Thread Peter Marko via lists.openembedded.org
Hello, I'd like to request following backports from master to scarthgap To match versions in scarthgap branches between oe-core and meta-clang: adc2651a8e902af24fee6ff30a72f4b7c63bef6f llvm: Upgrade to 18.1.4 02df2fc6241ac8fb0e78f2fdff97a04e5c561d54 llvm: Upgrade to 18.1.5 Fix CVEs: bdf7b7460a48

Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

2024-05-21 Thread Peter Marko via lists.openembedded.org
-Original Message- From: Alexander Kanavin Sent: Tuesday, May 21, 2024 21:31 To: Marko, Peter (ADV D EU SK BFS1) Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror > On Tue, 21 May 2024 at 21:17, Marko, Peter wrote: > > I alread

Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

2024-05-21 Thread Peter Marko via lists.openembedded.org
-Original Message- From: Alexander Kanavin Sent: Tuesday, May 21, 2024 12:17 To: Marko, Peter (ADV D EU SK BFS1) Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror > On Sat, 18 May 2024 at 23:30, Peter Marko

[OE-core][PATCH 2/2] ncurses: Upgrade 6.4 -> 6.5

2024-05-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Removed 4 backported patches included in this release. Updated patches by devtool. License-Update: copyright years refreshed Signed-off-by: Peter Marko --- .../files/0001-Fix-CVE-2023-29491.patch | 462 ...eset-code-ncurses-6.4-patch-20231104.patch | 4

[OE-core][PATCH 1/2] ncurses: switch to new mirror

2024-05-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko github.com/mirror/ncurses is not updated for over a year. Switch to new mirror from Thomas Dickey (ncurses maintainer). Sources are identical. Updated upstream check regex by: * changed dot to underscore as this repo is tagged like this * added v prefix to not propose updates

[OE-core][PATCH] openssl: patch CVE-2024-4603

2024-05-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-4603.patch | 179 ++ .../openssl/openssl_3.3.0.bb | 1 + 2 files changed, 180 insertions(+) create mode 100644 me

[OE-core][scarthgap][PATCH] openssl: patch CVE-2024-4603

2024-05-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-4603.patch | 179 ++ .../openssl/openssl_3.2.1.bb | 1 + 2 files changed, 180 insertions(+) create mode 100644 me

[OE-core][kirkstone][PATCH] openssl: patch CVE-2024-4603

2024-05-18 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-4603.patch | 180 ++ .../openssl/openssl_3.0.13.bb | 1 + 2 files changed, 181 insertions(+) create mode 100644 me

Re: [OE-core] [scarthgap][PATCH] glibc: stable 2.39 branch updates.

2024-05-17 Thread Peter Marko via lists.openembedded.org
This will not apply to scarthgap-nut as that already has the same version as master...

Re: [OE-core][PATCH v2] glibc: correct license

2024-05-16 Thread Peter Marko via lists.openembedded.org
re.org/pipermail/libc-alpha/2022-May/139167.html > but the discussion upstream stopped shortly after and the oe-core change was > never merged because of that. Maybe it's time to re-check and ping upstream > again after 2 years. > > Cheers, > > On Mon, May 6, 2024 a

Re: [OE-core] [yocto-security] CVE status for scathgap on 2024-05-16 and ask for help

2024-05-16 Thread Peter Marko via lists.openembedded.org
Hello Marta, Glibc fixes are already staged in scarthgap-nut. Interesting would be to check why the prototype does not list glib-2.0 CVE-2024-34397 which is staged there, too. Peter From: yocto-secur...@lists.yoctoproject.org On Behalf Of Marta Rybczynska via lists.yoctoproject.org Sent: Thu

[OE-core][scarthgap][PATCH] glib-2.0: Upgrade 2.78.5 -> 2.78.6

2024-05-09 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Handle regression of CVE-2024-34397 fix. News (https://gitlab.gnome.org/GNOME/glib/-/commit/d40f72e98e4734ba826ba9a278814530720ba760): Overview of changes in GLib 2.78.6, 2024-05-08 == * Fix a regression with IBus caused by the fix

[OE-core][scarthgap][PATCH] glib-2.0: Upgrade 2.78.4 -> 2.78.5

2024-05-08 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Handle CVE-2024-34397 Remove backported patch included in this release. News (https://gitlab.gnome.org/GNOME/glib/-/commit/d18807b5ffc6dedc2db5225b044063f65720bf56): Overview of changes in GLib 2.78.5, 2024-05-07 == * Fix CVE-2024-3

[OE-core][PATCH v2] glibc: correct license

2024-05-06 Thread Peter Marko via lists.openembedded.org
From: Peter Marko The license per [1] is LGPL-2.1-or-later and [2] converted last LGPL-2.1-only references. License-Update: corrected from LGPL-2.1-only to LGPL-2.1-or-later based on [1] and [2] [1] https://www.gnu.org/software/libc/ [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=

Re: [OE-core][PATCH] glibc: correct license

2024-05-05 Thread Peter Marko via lists.openembedded.org
From: Khem Raj Sent: Sunday, May 5, 2024 21:22 To: Marko, Peter (ADV D EU SK BFS1) Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][PATCH] glibc: correct license > On Sun, May 5, 2024 at 2:18 AM Peter Marko via http://lists.openembedded.org > mailto:siemens@lists.openemb

[OE-core][PATCH] glibc: correct license

2024-05-05 Thread Peter Marko via lists.openembedded.org
From: Peter Marko The license per https://www.gnu.org/software/libc/ is LGPL-2.1-or-later. https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae converted last LGPL-2.1-only references. License-Update: correction Signed-off-by: Peter Marko --- meta/re

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

2024-05-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 Changes: 54a666dc5c elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE 3a38600cc7 malloc: Exit early on test failure in tst-realloc 924a98402a nscd: Use time_t for return type of addgetnetg

[OE-core][master][scarthgap][PATCH] glibc: Update to latest on stable 2.39 branch

2024-05-04 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 Changes: 273a835fe7 time: Allow later version licensing. acc56074b0 nscd: Use time_t for return type of addgetnetgrentX 836d43b989 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug 307

Re: [OE-core] [PATCH 1/4] base/bitbake.conf: Introduce UNPACKDIR

2024-05-01 Thread Peter Marko via lists.openembedded.org
I wonder if we could name it "U" instead of "UNPACKDIR". It will be mostly used in the same places as all the other short names like S/B/T... Peter -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#198900): https://lists.openembedded.org/g/openem

[OE-core][kirkstone][PATCH] libarchive: fix multiple security vulnerabilities in pax writer

2024-05-01 Thread Peter Marko via lists.openembedded.org
From: Peter Marko There was no CVE assigned but the commit message is clear. Signed-off-by: Peter Marko --- ...ix-multiple-security-vulnerabilities.patch | 107 ++ .../libarchive/libarchive_3.6.2.bb| 4 +- 2 files changed, 110 insertions(+), 1 deletion(-) create

[OE-core][kirkstone][PATCH] python3: Upgrade 3.10.13 -> 3.10.14

2024-04-30 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVEs: * CVE-2023-52425 (bundled expat) * CVE-2023-6597 (https://github.com/python/cpython/pull/112840) News: https://github.com/python/cpython/blob/3.10/Misc/NEWS.d/3.10.14.rst Signed-off-by: Peter Marko --- .../python/{python3_3.10.13.bb => python3_3.10.14.bb}

[OE-core] Yocto-5.0 tag on master instead of scarthgap

2024-04-30 Thread Peter Marko via lists.openembedded.org
Looks like yocto-5.0 tag in openembedded-core repository was done on master instead of scarthgap branch. Tag in poky repository seems to be fine. Peter -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#198756): https://lists.openembedded.org/g/opene

[OE-core][master][scarthgap][PATCH] glibc: Update to latest on stable 2.39 branch

2024-04-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVE-2024-2961 Remove backported patch included in hash update. Changes: 31da30f23c iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961) 423099a032 x86_64: Exclude SSE, AVX and FMA4 variants in libm multiarch 04df8652eb Apply th

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

2024-04-23 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Addresses CVE-2024-2961 Changes: 36280d1ce5 iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961) 4a7de5e215 powerpc: Fix ld.so address determination for PCREL mode (bug 31640) f4a45af368 AArch64: Check kernel version for SVE ifuncs 7f3c14

Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-04-19 Thread Peter Marko via lists.openembedded.org
Identical patch was already submitted and then requested to be ignored because the issue is apparently introduced by one of the added patches. https://lists.openembedded.org/g/openembedded-core/message/197670 Since the vulnerability report claims that our version IS vulnerable, it would be inter

[OE-core][PATCH] ttyrun: define CVE_PRODUCT

2024-04-15 Thread Peter Marko via lists.openembedded.org
From: Peter Marko The single executable ttyrun is taken out of the s390-tools repository, which contains a ton of other helper tools. CVEs are not assigned to executables, but to whole components. Historically there also already exists one CVE for s390-tools. Most of the CVEs will not be for ttyrun, but this i

Re: [OE-core][PATCH] openssl: openssl: patch CVE-2024-2511

2024-04-14 Thread Peter Marko via lists.openembedded.org
I think that sending this patch was correct, see comments below. Peter From: openembedded-core@lists.openembedded.org On Behalf Of Tim Orling via lists.openembedded.org Sent: Sunday, April 14, 2024 6:45 To: Marko, Peter (ADV D EU SK BFS1) Cc: openembedded-core@lists.openembedded.org Subject: R

[OE-core][PATCH] openssl: openssl: patch CVE-2024-2511

2024-04-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Patch: https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 News: https://github.com/openssl/openssl/commit/b7acb6731a96b073d6150465bd090e2052a595c2 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-2511.patch | 120

[OE-core][kirkstone][PATCH] openssl: patch CVE-2024-2511

2024-04-13 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Patch: https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d News: https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36 Signed-off-by: Peter Marko --- .../openssl/openssl/CVE-2024-2511.patch | 122

Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts

2024-04-12 Thread Peter Marko via lists.openembedded.org
-core@lists.openembedded.org Subject: Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts > On Fri, Apr 12, 2024 at 10:02 AM Peter Marko via lists.openembedded.org > wrote: > > > > I know that binary patches are problematic over mailing list. > > Here the patch as z

[OE-core][kirkstone][PATCH] ncurses: patch CVE-2023-50495

2024-04-12 Thread Peter Marko via lists.openembedded.org
From: Peter Marko backport relevant parts from https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz Signed-off-by: Peter Marko --- .../ncurses/files/CVE-2023-50495.patch| 81 +++ .../ncurses/ncurses_6.3+20220423.bb | 1 + 2 files ch
