cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Many netdata plugins are written in go, add a PACKAGECONFIG to enable
them.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Our provided netdata.conf contained a lot of keys which are no longer
supported by netdata. Netdata allows to regenerate the configuration
file and present all possible keys with their default values. This
refreshed file will be more easy to configure by our users.
To generate this file, I basically ran the documented command and
replaced the file paths with our variables when applicable.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Netdata now provides its own systemd service files. They provide better
hardening than the one we were defining in the recipe.
Unfortunately, the CMakeLists.txt file wants to install them into /lib
rather than /usr/lib. I added mv commands to put them in the expected
location depending on usrmerge.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some netdata plugins like cgroups or docker require permissions to
access the docker socket in order to label data properly.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Minidlna configuration puts os name & version in the binary which lead
to non-reproducibility. Fix this by forcing those variables to constant
values.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Build checks for this during configure but the test is a runtime
test, which does not work when cross-compiling, therefore
prescribe this by caching it for architecture/compiler options
where it will work ok.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ENABLE_STTD is a typo, correct option is ENABLE_ZSTD.
This patches the following CMake warning in do_configure:
Manually-specified variables were not used by the project: ENABLE_STTD
After, do_configure does not show the warning.
Github issue: https://github.com/openembedded/meta-openembedded/issues/845
Reported-by: Ludovic Jozeau <ludovic.jozeau@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Ghislain Mangé <ghislain.mange@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Detect active network interface to use, instead of asking user, this needs
to run in automation
- Find the location of ppp_null.so with find instead of rpm, rpm is a distro choice
it can be assumed to be always there.
- Add missing runtime deps for ptests
- Kill openl2tpd started by run-ptest script before exiting, otherwise
ptest runner hangs forever.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, the SRC_URI address leads to fedorahosted.org retirement
announcement page, HOMEPAGE does not seem to work, and
https://pypi.org/project/openlmi-tools/ declares the programming
language as Python 2.7.
Thus, remove the obsolete recipe, along with associated packagegroup
declarations/references.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, master branch of lio-utils has not been updated since May 2014,
see https://github.com/Datera/lio-utils/commits/master/
Thus, remove the obsolete recipe, along with associated packagegroup
declarations/references.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, master branch of telepathy has not been updated since June 2016,
see https://cgit.freedesktop.org/wiki/telepathy/log/?h=master
Thus, remove the obsolete recipe, along with associated packagegroup
declarations/references.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, master branch of the associated source code repository has not
been updated since January 2014, see
https://github.com/farcepest/MySQLdb1/commits/master/
Thus, remove the obsolete recipe, along with associated packagegroup
declarations/references.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The -Wnon-virtual-dtor flag was unintentionally added to the .pc files,
which causes problems when abseil is used by C code:
cc1: error: command-line option '-Wnon-virtual-dtor' is valid for
C++/ObjC++ but not for C [-Werror]
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, https://cherokee-project.com/doc/basics_requirements.html states
The main Python releases targeted by our developers are 2.4, 2.5 and 2.6.
Anything other than that is not guaranteed to work at the moment.
Also, master branch of cherokee has not been updated since January
2023, see https://github.com/cherokee/webserver/commits/master/
Thus, remove the obsolete recipe and the associated packagegroup
reference.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
-Added :attr:~yarl.URL.path_safe to be able to fetch the path without %2F and %25 decoded
-Restore decoding %2F (/) in URL.path
-Improved performance of processing paths
-Added :attr:~yarl.URL.host_subcomponent which returns the :rfc:3986#section-3.2.2 host subcomponent
-Started rejecting ASCII hostnames with invalid characters. For host strings that
-look like authority strings, the exception message includes advice on what to do instead
-Fixed IPv6 addresses missing brackets when the :class:~yarl.URL was converted to a string
-Improved performance of calling :py:meth:~yarl.URL.build with authority
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Fix other failing URL normalization tests
- Avoid the use of sys.version_info for checking results, better to extend the check to more values.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Handle matrices of zero columns correctly in the Matrix constructor.
- NumPy numbers can be used with clebsch_gordan.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Client-side caching
- Timeseries insertion filters for close samples
- Enhanced classes string representation
- Partial clean up of Python 3.7 compatibility
- Handle RESP3 sets as Python lists
- Prevent async ClusterPipeline instances from becoming "false-y"
- Add hostname field to _parse_node_line
- Delete the first-defined (and thus "duplicate") Script class
- Catch a known DeprecationWarning when calling .close()
- Add missed redismod at test_commands.py
- Update README.md - mentioning redis 7.4 support
- Update PyPy 3.8 to 3.10 in CI
- Updated commands from docker-compose to docker compose
- Added version restrictions for pytest-asyncio
- Documentation examples
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Improve performance, especially in data with many CR-LF
- Handle invalid CRLF in header name
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Added support for MongoDB 8.0 and Python 3.13.
- A new asynchronous API 19 with full asyncio support.
- Added support for In-Use Encryption range queries with MongoDB 8.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Typing improvements:
* Add '@overload' to 'contrib.regular_languages.compiler.Variables.get'.
* Use 'Sequence' instead of 'list' for 'words' argument in completers.
- Improve 'ModalCursorShapeConfig':
* Display an "underscore" cursor in Vi's "replace single" mode, like
"replace" mode.
* Display an "beam" cursor in Emacs (insert) mode.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Update license file so it is recognized by GH
Changelog:
==========
- The combine method of an IntervalDict accepts a missing parameter to fill
values for non-overlapping keys
- A recipe to combine more than two IntervalDict
- Drop official support for Python 3.7.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Prevent bad task serialization in schedule from causing a batch of tasks to be lost
- Ensure we catch ResultTimeout which may occur when used with Sentinel
- Remove junk SQS implementation I was testing out.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Fix#117: Add WKD (Web Key Directory) support for auto-locating keys. Thanks to Myzel394 for the patch.
- Fix#237: Ensure local variable is initialized even when an exception occurs.
- Fix#239: Remove logging of decryption result.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- further skip BufferedRandomType if does not exist
- remove stray import of dbm in objects
- Add UnpicklingError import for dill.load_session() to fix#648
- Bump idna from 3.4 to 3.7 in /docs
- Bump jinja2 from 3.1.3 to 3.1.4 in /docs
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Bump tornado from 6.3.3 to 6.4.1 in /docs
- update docs requirements to rtfd 10.27.0
- Bump certifi from 2024.2.2 to 2024.7.4 in /docs
- fix fencepost error when getting source inside decorator in interpreter (fixes#603)
- type check for Integral, bool by value
- diff USE_NUMPY imports numpy.ma
- adjust testing to account for frame.f_locals as a proxy in 3.13
- better handle import strings of numpy scalars
- handle a ThreadHandleType
- more extensive testing for dill.source
- add formal support for python 3.13
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Drop extra '2014' in LICENSE file.
Changelog:
===========
- Address CVE-2023-26112 ReDoS
- Drop Python 2 support and compatibility code
- Extra 2014
- setup.py: fix license tag
- Update minimum python to 3.7 everywhere, and add 3.12
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Enable cache via env variable and improve cache key
- Add test and type annotations for LongNamesConverter
- monitor: case insensitive filtering
- fix ruff linter errors
- Skip dumping KCD version if unset
- Update ruff config
- fix errors raised by recent versions of ruff
- Fix bug in DBC short names conversion
- monitor: fix crash while decoding message with bad length
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- Bump docker/build-push-action from 5.4.0 to 6.0.0
- Suggested small refactors in assignments
- Performance improvement in blacklist function
- Add test for usage of FTP_TLS
- New check: B113: TrojanSource - Bidirectional control characters
- Bump docker/build-push-action from 6.0.0 to 6.1.0
- feat(plugins): add support for httpx in B113
- Nit: remove unused variable
- Add recent releases to version choice in bug report
- Bump docker/build-push-action from 6.1.0 to 6.2.0
- Bump docker/build-push-action from 6.2.0 to 6.3.0
- Bump docker/setup-buildx-action from 3.3.0 to 3.4.0
- Bump docker/setup-buildx-action from 3.4.0 to 3.5.0
- Bump docker/login-action from 3.2.0 to 3.3.0
- Bump docker/build-push-action from 6.3.0 to 6.5.0
- Bump docker/setup-buildx-action from 3.5.0 to 3.6.1
- Bump docker/build-push-action from 6.5.0 to 6.6.1
- Bump sigstore/cosign-installer from 3.5.0 to 3.6.0
- Bump docker/build-push-action from 6.6.1 to 6.7.0
- Use consistent file naming of docs
- Pytorch Load / Save Plugin
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Fix regression with f-string inference.
- Fix bug with manager.clear_cache() not fully clearing cache
- Fix a crash from inferring empty format specs.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
