This patch contains a fix for CVE-2022-46149
Patch backported from :
25d34c6786
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Flatbuffers contains a library and a schema compiler. The package
contains cmake files to discover the libraries and the compiler tool.
Currently, all of these cmake files are installed into the target
sysroot. However, the compiler utility isn't installed into the sysroot
(as it is not runnable on the build machine).
When an application that depends on flatbuffers gets built, it uses
flatbuffers' exported cmake targets to configure the project. One of the
exported targets is FlatcTarget.cmake which expects to see flatc binary
in /usr/bin of the sysroot. Since binaries for target don't end up in
target sysroot, cmake configuration fails.
This patch addresses this problem of flatbuffers' build infrastructure
in cross-compiling environments. By removing FlatcTarget.cmake for
target builds from the sysroot we essentially skip this step of
flatbuffers' configuration.
Signed-off-by: Ivan Stepic <Ivan.Stepic@bmw.de>
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Add a patch to fix CVE-2022-40617 issue which allows remote attackers to
cause a denial of service in the revocation plugin by sending a crafted
end-entity (and intermediate CA) certificate that contains a CRL/OCSP
URL that points to a server (under the attacker's control) that doesn't
properly respond but (for example) just does nothing after the initial
TCP handshake, or sends an excessive amount of application data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Quoting Jason A. Donenfeld on IRC:
<zx2c4> Colin_Finck: you should never, ever use old versions
<zx2c4> Notice that neither the major nor minor version numbers change
<zx2c4> Use the latest versions on your LTS
With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
c-ares version 1.18.1 - Oct 27 2021
Bug fixes:
ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 adddresses
rather than the sizeof(struct sockaddr_in6)
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e251d7b827)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Current patch is breaking the library dependencies added by cmake
especially when you are static linking.
Applications need the ws2_32 library to be linked for mingw32
and with the existing patch this is not getting passed to the users.
Current patch seems to address this issue:
https://github.com/c-ares/c-ares/issues/373
Both issues are resolved in 1.17.2:
1.17.2-r0/git $ find . | grep c-ares-config.cmake.in
./c-ares-config.cmake.in
1.17.2-r0/git $ find . | grep libcares.pc.cmake
./libcares.pc.cmake
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 621bdc1993)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.1.bb
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b65f290419)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Stable security bug-fix release that fixes CVE-2021-4122.
ReleaseNotes:
https://kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5dca16b451)
This is just the rename and SRC_URI hash updates made to apply
to dunfell.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
As per the below release note, it should be a last release for 12.x
stable LTS series.
Link: https://github.com/nodejs/node/releases/tag/v12.22.12
Remove CVE-2021-44532 fix as it already available in this release
v12.22.12
License-Update: src/gtest additional file in the LICENSE
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Set CVE_PRODUCT to 'tuxera:ntfs-3g' for ntfs-3g-ntfsprogs recipe,
cve-check class is setting default CVE_PRODUCT to 'ntfs-3g-ntfsprogs'
which ignores the ntfs-3g-ntfsprogs CVEs from NVD Database.
Reference:
CVE-2019-9755
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9755
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Set CVE_PRODUCT as 'iperf_project:iperf' for iperf2 and iperf3
recipes, cve-check class is setting default CVE_PRODUCT to
'iperf2' and 'iperf3' respectively which ignores the iperf
CVEs from NVD Database.
Reference:
CVE-2016-4303
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-4303
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In order to fix the dependency issue on PIL module, python3-pillow is required.
Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4e70a1960)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fcc7d7eae8)
[fixup for honister context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 44c394f3cbdce8c7297af01c0f5ee030e1e3dacd)
[fixup for dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
master branch was renamed main on upstream project, so update the URI
Signed-off-by: Julien STEPHAN <jstephan@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
master branch was renamed main, so update the URI
Signed-off-by: Julien STEPHAN <jstephan@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Whitelist CVE-2020-27844 as it is introduced by
4edb8c8337
but the contents of this patch is not present in openjpeg_2.3.1
Link: https://security-tracker.debian.org/tracker/CVE-2020-27844
Whitelist CVE-2015-1239 as the CVE description clearly states that
j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239
but in openjpeg_2.3.1 this function is not present.
Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.
Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* backport the actual code change from
https://github.com/pyca/cryptography/pull/5747
without the docs and CI changes (which aren't applicable on old 2.8
version) and backport 2 older changes to make this fix applicable
on 2.8.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.
https://nvd.nist.gov/vuln/detail/CVE-2022-28805
(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes
objcopy: Unable to recognise the format of the input file `build/opt/mongo/mongos'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Vincent Prince <vincent.prince.fr@gmail.com.com>
(cherry picked from commit e91940073a)
[Fix up for Dunfell context:
also fixes Please add a conforming MONGO_VERSION=x.y.z[-extra] as an argument to SCons]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Source: Mariadb.org
MR: 115460, 115507, 1115549, 115549, 115488
Type: Security Fix
Disposition: Backport from mariadb.org
ChangeID: 722782cefa6805e907ee377a340f1b8bec174079
Description:
Bug fix only update, includes these CVES:
CVE-2021-46665
CVE-2021-46664
CVE-2021-46661
CVE-2021-46668
CVE-2021-46663
For more information see: https://mariadb.com/kb/en/mariadb-10424-release-notes/
drop mariadb/c11_atomics.patch as its include in the update.
drop mariadb/clang_version_header_conflict.patch different fix applied
Signed-off-by: Armin Kuster <akuster@mvista.com>
