Kindly ignore this patch. This CVE will be fixed with php upgradation -
https://lore.kernel.org/openembedded-devel/20240626085038.2951548-1-soumya.sa...@windriver.com/
Regards,
Soumya
From: openembedded-devel@lists.openembedded.org
on behalf of Soumya via
From: Soumya Sambu
Includes fix for CVE-2024-5458, CVE-2024-2408 and other bugs
Changelog:
https://www.php.net/ChangeLog-8.php#PHP_8_2
Signed-off-by: Soumya Sambu
---
meta-oe/recipes-devtools/php/{php_8.2.18.bb => php_8.2.20.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Soumya Sambu
Includes fix for CVE-2024-5458, CVE-2024-2408 and other bugs
Changelog:
https://www.php.net/ChangeLog-8.php#8.1.29
Signed-off-by: Soumya Sambu
---
meta-oe/recipes-devtools/php/{php_8.1.28.bb => php_8.1.29.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Soumya Sambu
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8,
due to a code logic error, filtering functions such as filter_var when
validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function
will result in invalid user information (username +
From: Soumya Sambu
Includes fix for CVE-2024-5458 and other bugs
Changelog:
https://www.php.net/ChangeLog-8.php#PHP_8_2
Signed-off-by: Soumya Sambu
---
meta-oe/recipes-devtools/php/{php_8.2.18.bb => php_8.2.20.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Soumya Sambu
An out-of-bounds stack write flaw was found in unixODBC on 64-bit
architectures where the caller has 4 bytes and callee writes 8 bytes.
This issue may go unnoticed on little-endian architectures, while
big-endian architectures can be broken.
References:
From: Soumya Sambu
An out-of-bounds stack write flaw was found in unixODBC on 64-bit
architectures where the caller has 4 bytes and callee writes 8 bytes.
This issue may go unnoticed on little-endian architectures, while
big-endian architectures can be broken.
References:
From: Soumya Sambu
Includes fixes for CVE-2024-3096, CVE-2024-2756 and other bugs.
Changelog:
https://www.php.net/ChangeLog-8.php#8.2.18
Rebase 0001-ext-opcache-config.m4-enable-opcache.patch to new version
Signed-off-by: Soumya Sambu
---
...ext-opcache-config.m4-enable-opcache.patch | 21
From: Soumya Sambu
Upgrade php to 8.1.28
Security fixes:
CVE-2024-3096
CVE-2024-2756
https://www.php.net/ChangeLog-8.php#8.1.28
Signed-off-by: Soumya Sambu
---
meta-oe/recipes-devtools/php/{php_8.1.22.bb => php_8.1.28.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Soumya Sambu
Includes fixes for CVE-2024-3096, CVE-2024-2756 and other bugs.
Changelog:
https://www.php.net/ChangeLog-8.php#8.2.18
Rebase 0001-ext-opcache-config.m4-enable-opcache.patch to new version
Signed-off-by: Soumya Sambu
---
...ext-opcache-config.m4-enable-opcache.patch | 21
From: Soumya Sambu
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
From: Soumya Sambu
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
From: Soumya Sambu
iniparser v4.1 is vulnerable to NULL Pointer Dereference
in function iniparser_getlongint which misses check NULL
for function iniparser_getstring's return.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-33461
Signed-off-by: Soumya Sambu
---
From: Soumya Sambu
Fixes CVE-2023-50387 and CVE-2023-50868
Remove backported CVE patch.
Remove patch for lua as hardcoding lua version was removed.
Changelog:
===
https://thekelleys.org.uk/dnsmasq/CHANGELOG
Signed-off-by: Soumya Sambu
---
.../recipes-support/dnsmasq/dnsmasq.inc
From: Soumya Sambu
An out-of-bounds stack write flaw was found in unixODBC on 64-bit
architectures where the caller has 4 bytes and callee writes 8 bytes.
This issue may go unnoticed on little-endian architectures, while
big-endian architectures can be broken.
References:
From: Soumya Sambu
Addresses CVEs and other bug fixes. Remove patches that are fixed
in this release. Release notes are available at:
https://www.postgresql.org/docs/release/14.10/
https://www.postgresql.org/docs/release/14.11/
0001-configure.ac-bypass-autoconf-2.69-version-check.patch
: Re: [oe][meta-oe][kirkstone][PATCH 1/1] postgresql: Fix CVE-2024-0985
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
On Thu, 2024-03-07 at 03:39 -0800, Soumya via
From: Soumya Sambu
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL
allows an object creator to execute arbitrary SQL functions as the command
issuer. The command intends to run SQL functions as the owner of the
materialized view, enabling safe refresh of untrusted
From: Soumya Sambu
This CVE is related to OpenVPN 2.x GUI on Windows.
References:
https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
https://security-tracker.debian.org/tracker/CVE-2023-7235
Signed-off-by: Soumya Sambu
---
meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | 3
From: Soumya Sambu
* Includes security fix for CVE-2024-23170 - Timing side channel in private key
RSA operations
* Includes security fix for CVE-2024-23775 - Buffer overflow in
mbedtls_x509_set_extension()
Use canonical URL, add UPSTREAM_CHECK_GITTAGREGEX.
License-update: Upstream clarified
From: Soumya Sambu
Includes security fixes for:
CVE-2024-23170 - Timing side channel in private key RSA operations
CVE-2024-23775 - Buffer overflow in mbedtls_x509_set_extension()
License updated to dual Apache-2.0 OR GPL-2.0-or-later.
Changelog:
Gentle Reminder for kirkstone branch.
Regards,
Soumya
From: openembedded-devel@lists.openembedded.org
on behalf of Soumya via
lists.openembedded.org
Sent: Friday, August 18, 2023 8:08 PM
To: openembedded-devel@lists.openembedded.org
Subject: [oe][meta-oe
From: Soumya Sambu
An issue was discovered in the C AMQP client library (aka rabbitmq-c) through
0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g.,
for amqp-publish or amqp-consume) and are thus visible to local attackers by
listing a process and its arguments.
From: Soumya Sambu
An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause
a denial of service or other unspecified impacts via glibc-cpuset in
topology-linux.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-47022
https://github.com/open-mpi/hwloc/issues/544
From: Soumya Sambu
Upgrade iperf3 to 3.14
Fix CVE-2023-38403 and other bugs.
The iperf3 release notes are available at:
https://github.com/esnet/iperf/blob/99d738f496c96fd4fb50f45142e0bbc96bf71698/RELNOTES.md
The only change in the LICENSE file was the year update:
Fri, 2023-08-25 at 07:39 +0000, Soumya via lists.openembedded.org
wrote:
> From: Soumya Sambu
>
> lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
> and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
> authenticated user can trigger a kadmind crash. T
From: Soumya Sambu
Release Notes:
https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.2.html
- Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
- Fix read overruns in SPNEGO parsing.
- Compatibility fix for autoconf 2.72.
License-Update: Update copyright years to
From: Wang Mingyu
Signed-off-by: Wang Mingyu
Signed-off-by: Khem Raj
Signed-off-by: Soumya Sambu
---
.../recipes-benchmark/iperf3/{iperf3_3.13.bb => iperf3_3.14.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-oe/recipes-benchmark/iperf3/{iperf3_3.13.bb =>
From: Soumya Sambu
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between
From: Soumya Sambu
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between
From: Soumya
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c
and /elf/elf.c, which allows the attacker to cause a denial of service via a
crafted file.
References:
https://github.com/yasm/yasm/issues/233
https://nvd.nist.gov/vuln/detail/CVE-2023-37732
A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun
vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply
a smart card package with malformed ASN1 context. The
cardos_have_verifyrc_package
function scans the ASN1 buffer for 2 tags, where remaining
A vulnerability classified as problematic was found in OpenCV
wechat_qrcode Module up to 4.7.0. Affected by this vulnerability
is the function DecodedBitStreamParser::decodeByteSegment of the
file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation
leads to null pointer dereference. The
A vulnerability classified as problematic was found in OpenCV
wechat_qrcode Module up to 4.7.0. Affected by this vulnerability
is the function DecodedBitStreamParser::decodeByteSegment of the
file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation
leads to null pointer dereference. The
A vulnerability classified as problematic was found in OpenCV
wechat_qrcode Module up to 4.7.0. Affected by this vulnerability
is the function DecodedBitStreamParser::decodeByteSegment of the
file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation
leads to null pointer dereference. The
35 matches
Mail list logo