From: Peter Marko
Pick patches according to
http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
SAE H2E and incomplete downgrade protection for group negotiation
Signed-off-by: Peter Marko
---
...valid-Rejected-Groups-element-length.patch | 52 +++
From: Peter Marko
Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt
First patch is style commit picked to have a clean cherry-pick of all
mentioned commits without any conflict.
Patch CVE-2024-3596_07.patch has hostapd code removed as it is
From: Peter Marko
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.
Quote:
So upstream isn't vul
From: Peter Marko
(From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090)
Signed-off-by: Khem Raj
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-support/gnupg/gnupg_2.3.7.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git
From: Khem Raj
(From OE-Core rev: 1b4bada6c003ef743df09283e45953e6d9ea4c5a)
Signed-off-by: Khem Raj
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 +
1 file changed, 1 insertion(+)
diff --
From: Khem Raj
(From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090)
Signed-off-by: Khem Raj
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-support/gnupg/gnupg_2.4.4.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/met
From: Peter Marko
resolves CVE-2024-8096
possibility to set random was removed in commit
https://github.com/curl/curl/commit/269fdd4c6ed5d837d57448ac977f6f300968df15
tests have new perl module dependency
removed backported patch present in new version
Signed-off-by: Peter Marko
---
...e-str
From: Peter Marko
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.
Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch
Release Notes:
https://www.python.org/downloads/release/p
From: Trevor Gamblin
Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.
A bug has been opened upstream: https://github.com/python/cpython/issues/123018
(From OE-Co
From: Trevor Gamblin
Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html
(From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809)
Signed-off-by: Trevor Gamblin
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
.../python
From: Simone Weiß
This CVE affects google cloud services that utilize libcurl wrongly.
(From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269)
Signed-off-by: Simone Weiß
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-support/curl/curl_8.7.1.bb | 1 +
1 file c
From: Peter Marko
This CVE affects google cloud services that utilize libcurl wrongly.
(From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269)
Changed CVE ignore syntax
Signed-off-by: Simone Weiß
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-support/curl/cur
This is a similar CVE to the previous ones from the same author.
https://github.com/yaml/libyaml/issues/303 explains why this is misuse
(or wrong use) of libyaml.
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/
This is a similar CVE to the previous ones from the same author.
https://github.com/yaml/libyaml/issues/303 explains why this is misuse
(or wrong use) of libyaml.
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/re
This is a similar CVE to the previous ones from the same author.
https://github.com/yaml/libyaml/issues/303 explains why this is misuse
(or wrong use) of libyaml.
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/re
From: Peter Marko
Pick commits per https://curl.se/docs/CVE-2024-7264.html
Signed-off-by: Peter Marko
---
.../curl/curl/CVE-2024-7264-1.patch | 61
.../curl/curl/CVE-2024-7264-2.patch | 316 ++
meta/recipes-support/curl/curl_8.7.1.bb | 2 +
3 f
Gentle ping
maybe this was missed because of title similarity with the CVE-2024-35328?
Peter
> -Original Message-
> From: Marko, Peter (ADV D EU SK BFS1)
> Sent: Wednesday, August 7, 2024 23:55
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (ADV D EU SK BFS1)
> Subject
Hello again,
This should have been [PATCH v2] (and the next one should be [PATCH v3]).
Also see below for one more finding.
Cheers,
Peter
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Thorsten Fuchs via
> lists.openembedded.
The CVE_STATUS needs to stay (forever), as r118 > 1.x.y so it would reappear in
CVE reports.
Also, you're not fixing this CVE with this upgrade, so commit message should
not have "CVE: " flag.
Additionally upstream-status flag is missing in your patch, move it there from
commit message.
Cheers
Hi Marta,
I have some comments also to this respin.
Peter
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via
> lists.openembedded.org
> Sent: Monday, August 12, 2024 6:09
> To: openembedded-core@lists.openem
> From: Marta Rybczynska
> Sent: Friday, August 9, 2024 12:45
> To: Marko, Peter (ADV D EU SK BFS1)
> Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska
>
> Subject: Re: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected
> product/vendor in CVE_STATUS
>
> > On Fri, Aug 9, 2024
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via
> lists.openembedded.org
> Sent: Friday, August 9, 2024 8:24
> To: openembedded-core@lists.openembedded.org
> Cc: Marta Rybczynska
> Subject: [OE-core] [R
There is also gnu:zlib in CVE reports for zlib...
sqlite3 nvdcve_2-1.db
sqlite> select vendor, count(*) from products where product='zlib' group by
vendor;
cloudflare|1
gnu|1
zlib|13
sqlite> select * from products where product='zlib' and vendor = 'gnu';
CVE-2016-9842|gnu|zlib|1.2.3.4|>=|1.2.9|<
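The query above shows why an unqualified CVE_PRODUCT is risky: the NVD `products` table carries the same product name under several vendors, and a row such as the gnu:zlib one applies a version range of its own. The following script is an added example, not code from the page or from cve-check itself. It loads a handful of constructed rows in the shape of that table into an in-memory SQLite database (only the CVE-2016-9842 row is copied from the page; the other two rows use placeholder IDs and are made up for illustration), then matches a recipe's CVE_PRODUCT and version against them, with and without the vendor qualifier. The version comparison is a simplified dotted-numeric compare, not the comparison cve-check actually uses.

```python
import sqlite3
from itertools import zip_longest

# Constructed rows in the column order of cve-check's products table:
# (ID, VENDOR, PRODUCT, VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END).
# The first row is the one shown on the page; the other two are placeholders
# (not real CVE IDs) added only to show multi-vendor matching.
SAMPLE_PRODUCTS = [
    ("CVE-2016-9842", "gnu", "zlib", "1.2.3.4", ">=", "1.2.9", "<"),
    ("EXAMPLE-1", "zlib", "zlib", "", "", "1.2.12", "<"),          # hypothetical
    ("EXAMPLE-2", "cloudflare", "zlib", "1.0", ">=", "", ""),      # hypothetical
]

# Range operators as they appear in the table; an empty bound means "unbounded".
_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
}


def _cmp(a, b):
    """Compare two dotted numeric versions; missing components count as 0.
    Simplified assumption: every component is an integer."""
    for x, y in zip_longest(a.split("."), b.split("."), fillvalue="0"):
        x, y = int(x), int(y)
        if x != y:
            return -1 if x < y else 1
    return 0


def version_in_range(version, start, op_start, end, op_end):
    """True when `version` satisfies both bounds of a products-table row."""
    if start and not _OPS[op_start](_cmp(version, start)):
        return False
    if end and not _OPS[op_end](_cmp(version, end)):
        return False
    return True


def load_db(rows):
    """Build an in-memory table with the same columns as cve-check's products table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
        "VERSION_START TEXT, OPERATOR_START TEXT, VERSION_END TEXT, OPERATOR_END TEXT)"
    )
    db.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?)", rows)
    return db


def matching_cves(db, cve_product, version):
    """Return the sorted IDs whose range covers `version`.

    `cve_product` follows the CVE_PRODUCT syntax: either "product" (matches
    every vendor carrying that product name) or "vendor:product".
    """
    vendor, _, product = cve_product.rpartition(":")
    if vendor:
        cur = db.execute(
            "SELECT * FROM products WHERE PRODUCT=? AND VENDOR=?", (product, vendor)
        )
    else:
        cur = db.execute("SELECT * FROM products WHERE PRODUCT=?", (product,))
    return sorted({row[0] for row in cur if version_in_range(version, *row[3:])})


if __name__ == "__main__":
    db = load_db(SAMPLE_PRODUCTS)
    # Unqualified: the gnu:zlib row (and every other vendor) is pulled in.
    print("zlib 1.2.8      ->", matching_cves(db, "zlib", "1.2.8"))
    # Vendor-qualified: only the zlib:zlib row is considered.
    print("zlib:zlib 1.2.8 ->", matching_cves(db, "zlib:zlib", "1.2.8"))
```

With the unqualified `zlib`, version 1.2.8 is reported against all three vendors' rows, including gnu:zlib's CVE-2016-9842; with `zlib:zlib` only the vendor's own row is consulted. The same mechanism is why a bogus vendor row keeps reappearing in reports until it is either excluded by a vendor-qualified CVE_PRODUCT or carried as a CVE_STATUS entry.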
From: Peter Marko
This is the same problem as already ignored CVE-2024-35328.
See also this comment in addition:
https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +-
1 file changed, 1 insertion(+
From: Peter Marko
This is the same problem as already ignored CVE-2024-35328.
See also this comment in addition:
https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 +
1 file changed, 1 insertion(+)
From: Peter Marko
This is the same problem as already ignored CVE-2024-35328.
See also this comment in addition:
https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233
Signed-off-by: Peter Marko
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 +
1 file changed, 1 insertion(+)
> -Original Message-
> From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
>
> Sent: Wednesday, August 7, 2024 12:17
> To: Marko, Peter (ADV D EU SK BFS1) ; Richard
> Purdie ; Marta Rybczynska
> ; openembedded-core@lists.openembedded.org
> Cc: xe-linux-external(mailer list
From: Peter Marko
This CVE is fixed in v8.2.2 with v8.2.1-55-g480a6adc83
https://github.com/qemu/qemu/commit/480a6adc83a7bbc84bfe67229e084603dc061824
Signed-off-by: Peter Marko
---
meta/recipes-devtools/qemu/qemu.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/
From: Peter Marko
libmnl autoconf autodetects doxygen to generate manpages.
If doxygen is provided via hosttools, the build fails.
Also until now manpages were not needed.
So explicitly disable doxygen in configure step.
(From OE-Core rev: 8d7bbf4d6936d831e341e9443a6b3711be09c7ab)
Signed-off-by
In case no one noticed yet, the certificate expired an hour ago, so the
repositories can't be viewed in a browser...
Peter
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#202992):
https://lists.openembedded.org/g/openembedded-core/message/202992
Mu
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Richard Purdie via
lists.openembedded.org
Sent: Sunday, August 4, 2024 23:33
To: st...@sakoman.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][scarthgap 18/18] rust: Add new varaible
RUST
From: Peter Marko
libmnl autoconf autodetects doxygen to generate manpages.
If doxygen is provided via hosttools, the build fails.
Also until now manpages were not needed.
So explicitly disable doxygen in configure step.
Signed-off-by: Peter Marko
---
meta/recipes-extended/libmnl/libmnl_1.0.5.
From: Peter Marko
Picked commit per https://curl.se/docs/CVE-2024-6197.html
Signed-off-by: Peter Marko
---
.../curl/curl/CVE-2024-6197.patch | 24 +++
meta/recipes-support/curl/curl_8.7.1.bb | 1 +
2 files changed, 25 insertions(+)
create mode 100644 meta/re
From: Peter Marko
This CVE status should have been removed on version update.
CPE says >=2.34 and <2.39 while our version is already 2.39.
(From OE-Core rev: b568a8f428e76f75bb8c374983f62822325ebe8a)
Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
---
meta/recipes-core/glibc/glibc-v
From: Peter Marko
This CVE status should have been removed on version update.
CPE says >=2.34 and <2.39 while our version is already 2.40.
(From OE-Core rev: b568a8f428e76f75bb8c374983f62822325ebe8a)
Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
---
meta/recipes-core/glibc/glibc-v
From: Richard Purdie
Removes CVE-2022-46456 from reports.
(From OE-Core rev: 4a5b6e8dd315b2281afb232410db585d431be00f)
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
---
meta/recipes-devtools/nasm/{nasm_2.16.01.bb => nasm_2.16.03.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deleti
From: Peter Marko
This is open yet but seems to be disputed
This has not yet been disputed officially
Based on:
OE-Core rev: 4cba8ad405b1728afda3873f99ac88711ab85644
OE-Core rev: 7ec7384837f3e3fb68b25a6108ed7ec0f261a4aa
OE-Core rev: c66d9a2a0d197498fa21ee8ca51a4afb59f75473
Squashed and converted
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Alexander Kanavin via
> lists.openembedded.org
> Sent: Thursday, March 16, 2023 10:41
> To: openembedded-core@lists.openembedded.org
> Cc: Kanavin, Alexander (EXT) (Linutronix G
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Richard Purdie via
> lists.openembedded.org
> Sent: Thursday, August 1, 2024 15:45
> To: rybczyn...@gmail.com; openembedded-core@lists.openembedded.org
> Cc: Marta Rybczynska ;
Gentle ping for scarthgap
> -Original Message-
> From: Marko, Peter (ADV D EU SK BFS1)
> Sent: Sunday, July 14, 2024 11:36
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (ADV D EU SK BFS1)
> Subject: [OE-core][master][scarthgap][PATCH] libstd-rs,rust-cross-canadian:
>
From: Peter Marko
Debian 12 no longer supports replacing dash with bash as default shell.
Therefore to achieve compatibility with Debian 12, all bashisms need
to be removed.
Shell comparison via == gives an error with dash and thus the condition
is always false.
(From OE-Core rev: 3723b26f82219
From: Peter Marko
This CVE status should have been removed on version update.
CPE says >=2.34 and <2.39 while our version is already 2.40.
Signed-off-by: Peter Marko
---
meta/recipes-core/glibc/glibc-version.inc | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc
Gentle ping
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Patrick Wicki via
lists.openembedded.org
Sent: Tuesday, June 18, 2024 12:06
To: openembedded-core@lists.openembedded.org
Cc: Wicki, Patrick (SI BP R&D ZG SW 2)
Subject: [OE-core][scarthgap][maste
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Dhairya Nagodra via
lists.openembedded.org
Sent: Wednesday, July 24, 2024 6:45
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-exter...@cisco.com; Dhairya Nagodra
Subject: [OE-core] [PATCH] cve-chec
> > I think that there is a fundamental change in behavior here.
> > Previously we were taking (NVD) DB as base and only vulnerable CVEs were
> > compared annotated with CVE_STATUS or our presence of CVE patches.
> > Now we take the CVE_STATUS and CVE patches as base and add entries from DB
> >
From: Peter Marko
PEAP client: Update Phase 2 authentication requirements. Also see
https://www.top10vpn.com/research/wifi-vulnerabilities/
Patch is copied from scarthgap, the recipes differ too much for
cherry-pick even if they have the same version.
Signed-off-by: Peter Marko
---
...te-Phas
From: Peter Marko
Backport patch for CVE-2021-42380.
Move it before patch for CVE-2023-42363 because they touch the same code
and they are in this order in git history so we avoid fuzz modifications.
This will remove fuzz modifications from CVE-2023-42363 and both will
apply cleanly without modi
From: Peter Marko
History of code changes:
* introduced:
https://github.com/ilibarchive/libarchive/commit/390d83012fdba8c8db7fc9915338805882b0597a
(v3.7.2-52-g390d8301)
* reverted:
https://github.com/libarchive/libarchive/commit/62c8caf6611a7d0662d80176c4fdb40f85794699
(v3.7.2-53-g62c8caf6)
*
Hi Marta,
Thanks for the great work on this topic.
I have left 3 comments below.
Thanks for considering them.
Peter
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Marta Rybczynska via
> lists.openembedded.org
> Sent: Mon
From: Peter Marko
These recipes come from rust sources and CVEs are reported for them
under rust-lang:rust vendor:product tuple.
Especially libstd-rs needs correct CVE_PRODUCT as it is installed on
target devices (being statically linked to rust compiled binaries).
before:
cargo: CVE_PRODUCT="c
From: Peter Marko
Backport patch for CVE-2021-42380.
Additionally backport clang regression fix caused by this patch.
Signed-off-by: Peter Marko
---
...-fix-segfault-when-compiled-by-clang.patch | 41 +
.../busybox/busybox/CVE-2021-42380.patch | 151 ++
meta/recipes-c
From: Peter Marko
Backport patch for CVE-2023-42363.
Signed-off-by: Peter Marko
---
.../busybox/busybox/CVE-2023-42363.patch | 67 +++
meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-core/busybox/busy
From: Peter Marko
Layer cleanup similar to
https://git.openembedded.org/openembedded-core/commit/?id=26c74fd10614582e177437608908eb43688ab510
Signed-off-by: Peter Marko
---
meta/classes-recipe/cargo_common.bbclass | 4 ++--
meta/classes-recipe/ptest-cargo.bbclass | 18 +-
2 f
From: Peter Marko
Generated documentation (html) contains absolute paths to sources,
causing buildpaths warnings.
Replace them with relative links.
The file with root path to sources is in my build
/usr/share/doc/flac/api/dir_c122f5d6544f32779f55e8358fb78605.html
which does not look like a stable name, so
From: Peter Marko
This is taken from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4047
That MR was not merged as 2.72 is inactive branch now.
But it can be used by distributions, like Ubuntu did under
https://git.launchpad.net/ubuntu/+source/glib2.0/commit/?h=applied/ubuntu/jammy-security
From: Peter Marko
Handles CVE-2024-4741
Removed included backports.
Release information:
https://github.com/openssl/openssl/blob/openssl-3.3/NEWS.md#major-changes-between-openssl-330-and-openssl-331-4-jun-2024
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 179
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Siddharth via
lists.openembedded.org
Sent: Sunday, June 2, 2024 18:45
To: openembedded-core@lists.openembedded.org
Cc: Siddharth Doshi
Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4
-Original Message-
From: openembedded-core@lists.openembedded.org
On Behalf Of Bin Lan via
lists.openembedded.org
Sent: Friday, May 31, 2024 8:30
To: openembedded-core@lists.openembedded.org
Cc: Bin Lan
Subject: [OE-core][scarthgap][PATCH] opencl: fix virtual PROVIDES warnings
> From:
From: Ricardo Simoes
This commit sets the CVE_PRODUCT variable to "libusb" to match the
product name used in the NIST CPE database [1].
[1]: https://nvd.nist.gov/products/cpe/search
Signed-off-by: Ricardo Simoes
Signed-off-by: Mark Jonas
Signed-off-by: Alexandre Belloni
From: Khem Raj
Brings
617a15a9eac9 [clang codegen] Fix MS ABI detection of user-provided
constructors. (#90151)
20b9ed64ea07 [RISCV][ISel] Fix types in tryFoldSelectIntoOp (#90659)
ece9d35f1a70 [GlobalISel] Fix store merging incorrectly classifying an unknown
index expr as 0.
From: Khem Raj
Brings following fixes
* e6c3289804a6 [CMake][Release] Disable PGO (#88465) (#89000)
* 028e425f86cc [MIPS] Fix the opcode of max.fmt and mina.fmt (#85609)
* e3c832b37b0a Fix override keyword being print to the left side
* 1d3f5da4 Revert "[Mips] Fix missing si
Pick some commits from master:
* llvm updates to match meta-clang scarthgap branch
* security related (CVE, CVE_PRODUCT, version)
Note that libusb1 CVE_PRODUCT patch is not on master yet and it was
picked from abelloni/master-next branch.
Khem Raj (3):
llvm: Upgrade to 18.1.4
llvm: Upgrade to
From: Soumya Sambu
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in
tinfo/lib_termcap.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45918
(From OE-Core rev: 6573995adf4cfd48b036f8463b39f3864fcfd85b)
Signed-off-by: Soumya Sambu
Signed-off-by: R
From: Khem Raj
git checkouts are in excess of 3G, which is not
ideal for everyone to download/clone, instead switch to
fetching release tarball which is ~126M as of 18.1.5 release
(From OE-Core rev: 800e6576e4f3af10846af13c2f217f986c1afdb4)
Signed-off-by: Khem Raj
Signed-off-b
From: Peter Marko
This hash is ahead of the tag, so adapt PV accordingly.
(From OE-Core rev: c94e46019a7d443ccc4763ba16d87e7e97abe977)
Signed-off-by: Peter Marko
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
meta/recipes-core/update-rc.d/update-rc.d_0.8.bb | 1 +
1 file
via lists.openembedded.org
> wrote:
> >
> > Hi Peter,
> >
> > On 5/22/24 11:10 PM, Peter Marko via lists.openembedded.org wrote:
> > > Hello,
> > >
> > > I'd like to request following backports from master to scarthgap
> > >
>
From: Peter Marko
Single executable ttyrun is taken out of the s390-tools repository
containing a ton of other helper tools.
CVEs are not assigned to executables, but to whole components.
Historically there also already exists one CVE for s390-tools.
Most of the CVEs will not be for ttyrun, but this i
Hello,
I'd like to request following backports from master to scarthgap
To match versions in scarthgap branches between oe-core and meta-clang:
adc2651a8e902af24fee6ff30a72f4b7c63bef6f llvm: Upgrade to 18.1.4
02df2fc6241ac8fb0e78f2fdff97a04e5c561d54 llvm: Upgrade to 18.1.5
Fix CVEs:
bdf7b7460a48
-Original Message-
From: Alexander Kanavin
Sent: Tuesday, May 21, 2024 21:31
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror
> On Tue, 21 May 2024 at 21:17, Marko, Peter wrote:
> > I alread
-Original Message-
From: Alexander Kanavin
Sent: Tuesday, May 21, 2024 12:17
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror
> On Sat, 18 May 2024 at 23:30, Peter Marko
From: Peter Marko
Removed 4 backported patches included in this release.
Updated patches by devtool.
License-Update: copyright years refreshed
Signed-off-by: Peter Marko
---
.../files/0001-Fix-CVE-2023-29491.patch | 462
...eset-code-ncurses-6.4-patch-20231104.patch | 4
From: Peter Marko
github.com/mirror/ncurses is not updated for over a year.
Switch to new mirror from Thomas Dickey (ncurses maintainer).
Sources are identical.
Updated upstream check regex by:
* changed dot to underscore as this repo is tagged like this
* added v prefix to not propose updates
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 179 ++
.../openssl/openssl_3.3.0.bb | 1 +
2 files changed, 180 insertions(+)
create mode 100644
me
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 179 ++
.../openssl/openssl_3.2.1.bb | 1 +
2 files changed, 180 insertions(+)
create mode 100644
me
From: Peter Marko
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-4603.patch | 180 ++
.../openssl/openssl_3.0.13.bb | 1 +
2 files changed, 181 insertions(+)
create mode 100644
me
This will not apply to scarthgap-nut as that already has the same version as
master...
re.org/pipermail/libc-alpha/2022-May/139167.html
> but the discussion upstream stopped shortly after and the oe-core change was
> never merged because of that. Maybe it's time to re-check and ping upstream
> again after 2 years.
>
> Cheers,
>
> On Mon, May 6, 2024 a
Hello Marta,
Glibc fixes are already staged in scarthgap-nut.
Interesting would be to check why the prototype does not list glib-2.0
CVE-2024-34397 which is staged there, too.
Peter
From: yocto-secur...@lists.yoctoproject.org
On Behalf Of Marta Rybczynska via
lists.yoctoproject.org
Sent: Thu
From: Peter Marko
Handle regression of CVE-2024-34397 fix.
News
(https://gitlab.gnome.org/GNOME/glib/-/commit/d40f72e98e4734ba826ba9a278814530720ba760):
Overview of changes in GLib 2.78.6, 2024-05-08
==
* Fix a regression with IBus caused by the fix
From: Peter Marko
Handle CVE-2024-34397
Remove backported patch included in this release.
News
(https://gitlab.gnome.org/GNOME/glib/-/commit/d18807b5ffc6dedc2db5225b044063f65720bf56):
Overview of changes in GLib 2.78.5, 2024-05-07
==
* Fix CVE-2024-3
From: Peter Marko
The license per [1] is LGPL-2.1-or-later and
[2] converted last LGPL-2.1-only references.
License-Update: corrected from LGPL-2.1-only to LGPL-2.1-or-later based on [1]
and [2]
[1] https://www.gnu.org/software/libc/
[2]
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=
From: Khem Raj
Sent: Sunday, May 5, 2024 21:22
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] glibc: correct license
> On Sun, May 5, 2024 at 2:18 AM Peter Marko via http://lists.openembedded.org
> mailto:siemens@lists.openemb
From: Peter Marko
The license per https://www.gnu.org/software/libc/ is LGPL-2.1-or-later.
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae
converted last LGPL-2.1-only references.
License-Update: correction
Signed-off-by: Peter Marko
---
meta/re
From: Peter Marko
Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
Changes:
54a666dc5c elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE
3a38600cc7 malloc: Exit early on test failure in tst-realloc
924a98402a nscd: Use time_t for return type of addgetnetg
From: Peter Marko
Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
Changes:
273a835fe7 time: Allow later version licensing.
acc56074b0 nscd: Use time_t for return type of addgetnetgrentX
836d43b989 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug
307
I wonder if we could name it "U" instead of "UNPACKDIR".
It will be mostly used on the same places as all the other short names like
S/B/T...
Peter
From: Peter Marko
There was no CVE assigned but the commit message is clear.
Signed-off-by: Peter Marko
---
...ix-multiple-security-vulnerabilities.patch | 107 ++
.../libarchive/libarchive_3.6.2.bb| 4 +-
2 files changed, 110 insertions(+), 1 deletion(-)
create
From: Peter Marko
Addresses CVEs:
* CVE-2023-52425 (bundled expat)
* CVE-2023-6597 (https://github.com/python/cpython/pull/112840)
News: https://github.com/python/cpython/blob/3.10/Misc/NEWS.d/3.10.14.rst
Signed-off-by: Peter Marko
---
.../python/{python3_3.10.13.bb => python3_3.10.14.bb}
Looks like yocto-5.0 tag in openembedded-core repository was done on master
instead of scarthgap branch.
Tag in poky repository seems to be fine.
Peter
From: Peter Marko
Addresses CVE-2024-2961
Remove backported patch included in hash update.
Changes:
31da30f23c iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
sequence (CVE-2024-2961)
423099a032 x86_64: Exclude SSE, AVX and FMA4 variants in libm multiarch
04df8652eb Apply th
From: Peter Marko
Addresses CVE-2024-2961
Changes:
36280d1ce5 iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
sequence (CVE-2024-2961)
4a7de5e215 powerpc: Fix ld.so address determination for PCREL mode (bug 31640)
f4a45af368 AArch64: Check kernel version for SVE ifuncs
7f3c14
Identical patch was already submitted and then requested to be ignored because
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670
Since the vulnerability report claims that our version IS vulnerable, it would
be inter
I think that sending this patch was correct, see comments below.
Peter
From: openembedded-core@lists.openembedded.org
On Behalf Of Tim Orling via
lists.openembedded.org
Sent: Sunday, April 14, 2024 6:45
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: R
From: Peter Marko
Patch:
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
News:
https://github.com/openssl/openssl/commit/b7acb6731a96b073d6150465bd090e2052a595c2
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-2511.patch | 120
From: Peter Marko
Patch:
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
News:
https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36
Signed-off-by: Peter Marko
---
.../openssl/openssl/CVE-2024-2511.patch | 122
-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts
> On Fri, Apr 12, 2024 at 10:02 AM Peter Marko via lists.openembedded.org
> wrote:
> >
> > I know that binary patches are problematic over mailing list.
> > Here the patch as z
From: Peter Marko
backport relevant parts from
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
Signed-off-by: Peter Marko
---
.../ncurses/files/CVE-2023-50495.patch| 81 +++
.../ncurses/ncurses_6.3+20220423.bb | 1 +
2 files ch