Commit Graph

17192 Commits

Author SHA1 Message Date
Vijay Anusuri
a0a0abb540 python3-cryptography: fix CVE-2023-23931
Upstream-Status: Backport
[9fbf84efc8]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
Vijay Anusuri
eae14f75ed c-ares: fix CVE-2022-4904 & Update SRC_URI branch and protocols
Upstream-Status: Backport
[https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/kirkstone-nut&id=092e125f44f65427d42db95db3779daf4893d10f
& https://git.openembedded.org/meta-openembedded-contrib/commit/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb?h=stable/kirkstone-nut&id=b402a3076fbafe05d0b8621e50603b65c3fe8147
Upstream-Commit:
9903253c34]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
Vijay Anusuri
d8c29311e5 openldap: Fix CVE-2023-2953
Upstream-Status: Backport
[752d320cf9
&
6563fab9e2]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
schitrod=cisco.com@lists.openembedded.org
65efd68735 gnulib: Update recipe name to 2018-12-18
As per gnulib_2018-03-07 recipe information,
SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3"
This revision was committed on "2018-12-18".

There is a discrepancy between SRCREV and the recipe version,
which reports "CVE-2018-17942" as unpatched.

To report "CVE-2018-17942" as patched,
we need to align the recipe name with the SRCREV commit date.

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9edbe7033c)
Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
Samuli Piippo
bb928e789c spirv-tools: switch from master branch to main for re2
Signed-off-by: Samuli Piippo <samuli.piippo@qt.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
Martin Jansa
d25f2f1cac nodejs: fix native node-gyp to work with python-3.11
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-23 06:58:18 -04:00
Narpat Mali
116bfe8d5e nodejs: make 14.18.1 available but not default
Chromium 112 needs nodejs-native version 14 or later.
Add the nodejs_14.18.1 recipe from kirkstone:
   246b20b92 nodejs: Upgrade to 14.18.1
but use DEFAULT_PREFERENCE to make sure that the default version of nodejs
remains 12.x.

7 patches which were modified between nodejs 12 & nodejs 14 were renamed by
adding the suffix "-nodejs14". Note there are some common patches used by
nodejs 12 & 14, so that will require attention during future maintenance.
In addition, there were 3 CVE-2022* patches which applied cleanly to nodejs
14, so they were added to the nodejs 14 recipe. One patch, CVE-llhttp.patch,
conflicted, so it has not been applied in nodejs 14 yet.

Nodejs 14 compiles for qemux86-64, but no run-time testing has been performed.

For chromium, we would either require users to modify the local.conf file or
we may create a dunfell specific branch in meta-browser.
See: https://github.com/OSSystems/meta-browser/pull/709

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-16 07:09:25 -04:00
Jack Mitchell
4c533a5f90 nss: backport fix for native build failure due to dangling pointer with gcc13
Upstream-Status: Backport
Link: cbf5a2bce7

Signed-off-by: Jack Mitchell <ml@embed.me.uk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-16 07:09:25 -04:00
Jack Mitchell
c69846bfc6 nss: backport fix for native build failure due to implicit casting with gcc13
Upstream-Status: Backport
Link: 4e7e332b25

Signed-off-by: Jack Mitchell <ml@embed.me.uk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-16 07:09:25 -04:00
Valeria Petrov
6577dc6003 apache2: upgrade 2.4.56 -> 2.4.57
Changelog:
Changes with Apache 2.4.57

  *) mod_proxy: Check before forwarding that a nocanon path has not been
     rewritten with spaces during processing.  [Yann Ylavic]

  *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
     double encode encoded slashes in the URL sent by the reverse proxy to the
     backend. [Ruediger Pluem]

  *) mod_http2: fixed a crash during connection termination. See PR 66539.
     [Stefan Eissing]

  *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
     in a question mark. PR66547. [Eric Covener]

  *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
     characters on redirections without the "NE" flag.
     [Yann Ylavic, Eric Covener]

  *) mod_proxy: Fix double encoding of the uri-path of the request forwarded
     to the origin server, when using mapping=encoded|servlet.  [Yann Ylavic]

  *) mod_mime: Do not match the extension against possible query string
     parameters in case ProxyPass was used with the nocanon option.
     [Ruediger Pluem]

New patch:
0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
Accepted in upstream, expected to be removed at next apache2 2.4.58 update.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0b9305faa2)
[Fixup for Dunfell context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-16 07:09:25 -04:00
Hitendra Prajapati
e39b002df9 multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurely
Upstream-Status: Backport from cb57b930fa

dev/shm may have unsafe permissions. Use /run instead.
Use systemd's tmpfiles.d mechanism to create /run/multipath
early during boot.

For backward compatibility, make the runtime directory configurable
via the "runtimedir" make variable.

QA Issue: non -dev/-dbg/nativesdk- package multipath-tools-libs
  contains symlink .so '/usr/lib/libdmmp.so'
  ...

Fix this by making the new pattern for multipath-tools-libs package
more specific.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-05 07:20:59 -04:00
Alex Yao
eca75eba7d lcov: Fix Perl Path
Fixes an issue where lcov is using the system Perl rather than the yocto
provided Perl. This causes packages to not be found during runtime such
as PerlIO::gzip.

Signed-off-by: Alex Yao <alexyao1@meraki.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-05 07:20:59 -04:00
Viktor Rosendahl
765cfa779d jsoncpp: Fix broken handling of escape characters
Applying this backported patch from upstream fixes the following
BAT test failure:

jsoncpp.jsoncpp_system_tests.TestJsoncpp.test_run_jsoncpp_test
(from systemtests--bmt--BAT) :
* Detail of EscapeSequenceTest/writeEscapeSequence test failure:
/usr/src/debug/jsoncpp/1.9.2-r0/git/src/test_lib_json/main.cpp(3370): expected == result
  Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"]
  '
  Actual  : '["\"","\\","\b","\f","\n","\r","\t","ɸ","𤭢"]

This test failure happens because aarch64 uses unsigned char as
default type for char, while x86 uses signed char. Also, there
is another bug in the code that is fixed by this upstream patch:

 "static_cast<unsigned char>(*cur) < 0x80" should be:
 "static_cast<unsigned char>(*cur) >= 0x80"

Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-05 07:20:59 -04:00
Hugo SIMELIERE
34f5646bba libmodbus: Fix CVE-2022-0367
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-03 11:16:53 -04:00
Hugo SIMELIERE
0a8fa5e716 openvpn: upgrade 2.4.9 -> 2.4.12
Fixes below CVEs:
* CVE-2022-0547
* CVE-2020-15078

Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-03 11:16:53 -04:00
Hugo SIMELIERE
a8be62b089 openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist
CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client,
not for openvpn.

Signed-off-by: Akifumi Chikazawa <chikazawa.akifu@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(upstream from commit d49e96aac4)
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-03 11:16:53 -04:00
Armin Kuster
7007d14c25 mariadb: Update to latest lts 10.4.28
Source: Mariadb.org
MR: 119595, 119604, 119613, 119622, 119631, 119640, 119649, 119658, 119573
Type: Security Fix
Disposition: Backport from mariadb.org
ChangeID: 2aacce87739247d98ee5b61d1b714930da961a30
Description:

This is a bug fix only update. Includes these CVES:
CVE-2022-32081
CVE-2022-32083
CVE-2022-32084
CVE-2022-32085
CVE-2022-32086
CVE-2022-32087
CVE-2022-32088
CVE-2022-32089
CVE-2022-32091

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

--
V2]
Missed on CVE reference.
2023-04-06 07:32:45 -04:00
Hitendra Prajapati
94b30b7d85 syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parser
Upstream-Status: Backport from b5a060f2eb && 81a07263f1 && 4b8dc56ca8 && 73b5c300b8 && 45f0512393 && 09f489c89c && 8c6e2c1c41 && 56f881c5ea

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
vkumbhar
f1d4acc09d mariadb: fix CVE-2022-47015 NULL pointer dereference in spider_db_mbase::print_warnings()
The function spider_db_mbase::print_warnings() can potentially result
in a null pointer dereference.

Remove the null pointer dereference by cleaning up the function.

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
vkumbhar
98e6e31688 dnsmasq: fix CVE-2023-28450 default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232
Set the default maximum DNS UDP packet size to 1232.

http://www.dnsflagday.net/2020/ refers.

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
Hitendra Prajapati
4f78732be2 postgresql: CVE-2022-41862 Client memory disclosure when connecting with Kerberos to modified server
Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
Virendra Thakur
7b7913fd47 nss: Fix CVE CVE-2023-0767
Add CVE-2023-0767.patch to fix CVE-2023-0767

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Bhabu Bindu <bindudaniel1996@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
Wang Mingyu
4e0cb3b040 apache2: upgrade 2.4.55 -> 2.4.56
Changelog:
==========
-  rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.

-  mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.  PR 66421.

-  mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers.

-  mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer.
   - MDChallengeDns01 can now be configured for individual domains.
   - Fixed a bug that caused the challenge
     teardown not being invoked as it should.

-  mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unnecessary reporting was caused.

-  mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-04-06 07:32:11 -04:00
Chris Rogers
7ae42df58f xterm: Remove undeclared variables introduced by backport
CVE-2022-45063 ported onto the dunfell baseline introduces two
variables that cause xterm to fail compilation with the error

./fontutils.c:4143:13: error: 'added' undeclared (first use in this function)

These two variables don't appear to be defined at all in findXftGlyph for
xterm_353, so they should be removed.

Fixes: 10148c538ebc("xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063")
Signed-off-by: Chris Rogers <crogers122@gmail.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Poonam Jadhav
068acc4ec7 nodejs: Fix CVEs for nodejs
Add patch file CVE-llhttp.patch to fix CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215, CVE-2022-35256 of nodejs.

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Poonam Jadhav
9291a88738 nodejs: Fix CVE-2022-43548
Add patch to fix CVE-2022-43548

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Poonam Jadhav
b691797f77 nodejs: Fix CVE-2022-35255
Add patch to fix CVE-2022-35255

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Poonam Jadhav
df7fba3744 nodejs: Fix CVE-2022-32212
Add patch to fix CVE-2022-32212

Link: https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch

Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Priyal Doshi
0a7d275985 open-vm-tools: Security fix for CVE-2022-31676
Backport from 70a74758bf

Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-18 16:16:42 -04:00
Roger Knecht
8757134505 zeromq: 4.3.2 -> 4.3.4
Fixes:
- CVE-2021-20236

Patch changes:
- Refreshed 0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch

Signed-off-by: Roger Knecht <roger@norberthealth.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Wang Mingyu
05e1a96745 apache2: upgrade 2.4.54 -> 2.4.55
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.55

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Shubham Kulkarni
eadcdb97d4 python3-pillow: Security fix for CVE-2022-45198
Fix for CVE-2022-45198: Improper Handling of Highly Compressed GIF Data
Backport from 884437f8a2

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Hitendra Prajapati
1172ebfa20 krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing
Upstream-Status: Backport from 4e661f0085

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Hitendra Prajapati
d07c7f658f net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception
Upstream-Status: Backport from be804106fd

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand
56403db5e3 nss: Fix CVE-2020-25648
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand
50b6fb7d62 nss: Whitelist CVEs related to libnssdbm
These CVEs only affect libnssdbm, compiled when --enable-legacy-db is
used.

https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Mathieu Dubois-Briand
f0f9398891 nss: Add missing CVE product
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-22 11:24:23 -05:00
Yi Zhao
e707e9b7cf postfix: upgrade 3.4.23 -> 3.4.27
Changelog:
http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.4.27.HISTORY

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-01-19 07:49:31 -05:00
wangmy
6b65103660 apache2: upgrade 2.4.53 -> 2.4.54
0004-apache2-log-the-SELinux-context-at-startup.patch
refresh for new version.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.54

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-01-19 07:49:31 -05:00
Valeria Petrov
09c3ac0da6 php: update 7.4.28 -> 7.4.33
Update php from 7.4.28 to 7.4.33

    Fixes below CVEs:
    CVE-2021-21708
    CVE-2022-31626
    CVE-2022-31625
    CVE-2022-31628
    CVE-2022-31629
    CVE-2022-31630
    CVE-2022-37454

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-01-19 07:49:31 -05:00
Siddharth Doshi
10148c538e xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063
Upstream-Status: Backport [7876366749]
CVE: CVE-2022-45063

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-01-19 07:49:31 -05:00
Virendra Thakur
6464eb9fc4 capnproto: Fix CVE-2022-46149
This patch contains a fix for CVE-2022-46149

Patch backported from :
25d34c6786

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-01-19 07:49:31 -05:00
Hitendra Prajapati
82f77e2b3c proftpd: CVE-2021-46854 memory disclosure to radius server
Upstream-Status: Backport from 10a227b4d5

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
2023-01-19 07:49:31 -05:00
Hitendra Prajapati
7952135f65 postgresql: Fix CVE-2022-2625
Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89
Description:
	CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-12-11 16:01:15 -05:00
Ivan Stepic
1e9bf08cca flatbuffers: adapt for cross-compilation environments
Flatbuffers contains a library and a schema compiler. The package
contains cmake files to discover the libraries and the compiler tool.
Currently, all of these cmake files are installed into the target
sysroot. However, the compiler utility isn't installed into the sysroot
(as it is not runnable on the build machine).

When an application that depends on flatbuffers gets built, it uses
flatbuffers' exported cmake targets to configure the project. One of the
exported targets is FlatcTarget.cmake which expects to see flatc binary
in /usr/bin of the sysroot. Since binaries for target don't end up in
target sysroot, cmake configuration fails.

This patch addresses this problem of flatbuffers' build infrastructure
in cross-compiling environments. By removing FlatcTarget.cmake for
target builds from the sysroot we essentially skip this step of
flatbuffers' configuration.

Signed-off-by: Ivan Stepic <Ivan.Stepic@bmw.de>
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
2022-11-25 10:35:23 -05:00
Omkar Patil
48b0721fac ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3
Changes:
Rejected zero-sized runs
Avoided merging runlists with no runs

Fix CVE-2022-40284

Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-11-25 10:35:23 -05:00
Hitendra Prajapati
986f3ceb44 nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module
Upstream-Status: Backport from 6b022a5556

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-11-25 10:35:23 -05:00
Ranjitsinh Rathod
b2c7d54b40 strongswan: Fix CVE-2022-40617
Add a patch to fix CVE-2022-40617 issue which allows remote attackers to
cause a denial of service in the revocation plugin by sending a crafted
end-entity (and intermediate CA) certificate that contains a CRL/OCSP
URL that points to a server (under the attacker's control) that doesn't
properly respond but (for example) just does nothing after the initial
TCP handshake, or sends an excessive amount of application data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-11-25 10:35:23 -05:00
Colin Finck
7203130ed8 [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools)
Quoting Jason A. Donenfeld on IRC:

<zx2c4> Colin_Finck: you should never, ever use old versions
<zx2c4> Notice that neither the major nor minor version numbers change
<zx2c4> Use the latest versions on your LTS

With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-10-30 14:47:43 -04:00
Mathieu Dubois-Briand
44d843ecad networkmanager: Update to 1.22.16
Update network manager stable branch to last version, allowing to fix
CVE-2020-10754.

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-10-30 14:47:43 -04:00