The VSCode extension is now officially maintained and published by the
Yocto Project so it should be referenced in the manuals to help users
discover it.
I located the most relevant places to reference the extension by looking
at how the old Eclipse plugin was documented in the 2.6 manuals as well
as the current Toaster references.
(From yocto-docs rev: 21ec0d3b52069dfc85ff47fb4f913a26a092c480)
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
insserv.bbclass was removed from oe-core:
commit e6bb5dbb62
Author: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Sun May 10 12:30:49 2015 +0100
insserv: Remove
(From yocto-docs rev: eddb6c4e36e298218c23bf688cb1c9c06f32b0d6)
Signed-off-by: Maxin John <maxin.john@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The yocto website has changed its structure. Update the section for
Accessing the Downloads page to match the new structure.
(From yocto-docs rev: c67d471145cf09162059368ffd99f0c80df92520)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As used in the rest of the manual.
(From yocto-docs rev: c68954d905f01f6cc4f7c8ceb90e77cf9068e639)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVE-2024-0567
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
Upstream-Status: Backport
[40dbbd8de4
&
9edbdaa84e]
Reference: https://ubuntu.com/security/CVE-2024-0553https://ubuntu.com/security/CVE-2024-0567
(From OE-Core rev: de74fd5dea8cc71af1d457b4e688cfbe0f39e4d8)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2023-6228:
An issue was found in the tiffcp utility distributed by the
libtiff package where a crafted TIFF file on processing may
cause a heap-based buffer overflow leads to an application
crash.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6228https://gitlab.com/libtiff/libtiff/-/issues/606
(From OE-Core rev: 0730806ae39093b05ce943df1f9f5d0a25a8a673)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Documentation for this patch is under
66bc1fcdee
(From OE-Core rev: 626711a95f387090a4705401d2f9406909821f95)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
scripts/pybootchartgui/pybootchartgui/draw.py:820: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if (OPTIONS.show_pid or OPTIONS.show_all) and ipid is not 0:
scripts/pybootchartgui/pybootchartgui/draw.py:918: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if i is not 0:
(From OE-Core rev: ebd61290a644a6d9f2b3701e0e7ea050636da76c)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 8d996616f0ca57220d939a41ca9ba6d696ea2a4f)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes fix for CVE-2023-7207.
Drop all submitted patches.
Apply a patch from git to fix the build with clang.
[ YOCTO #11674 ]
$git log --oneline release_2_13..v2.14
4a41909 (HEAD, tag: v2.14) Version 2.14
6f9e5d3 Update NEWS
807b3ea Use GNU ls algorithm for deciding timestamp format
19219d1 Fix integer overflows in timestamp output
ed28f14 Whitespace cleanup
4ab2813 Update version of gnulib
0987d63 Fix appending to archives bigger than 2G
1df0062 Fix combination of --create, --append, --directory
6a94d5e New option --ignore-dirnlink
376d663 Fix 45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca.
beba8c0 Require automake 1.16.5
70fffa7 Update for newer autotools
a1b2f78 Fix calculation of CRC in copy-out mode.
18ea636 Upgrade gnulib
1a61f62 Update copyright years
a1c97c8 Fix wording in the manpage
97fab48 Update copyright years
86dacfe Remove redundant condition check
4d16930 Use inttostr to represent integer values as strings
236684f Fix dynamic string reallocations
dfc801c Fix previous commit
dd96882 Rewrite dynamic string support.
269d204 Improve online version of the documentation.
7dd8ba9 Update gnulib
905907c Update copyright years
4a78d77 Formatting changes in the documentation.
9fe8494 Update copyright years
641d3f4 Minor fix * src/global.c: Remove superfluous declaration of program_name
0c4ffde Fix handling of device numbers (part 2)
df55fb1 Fix handling of device numbers on copy out.
b1c8583 Improve 684b7ac5
684b7ac Fix cpio header verification.
(From OE-Core rev: 203804370997eeb015ef9da90b567ea2c2f9f3a6)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is for iCPE cloudflare:zlib.
Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
(From OE-Core rev: f46c9105d4253153a5986f2b307273e43ee98c33)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport https://sqlite.org/src/info/0e4e7a05c4204b47
(From OE-Core rev: 31fb83ac3dcd2dd55b184de22a296ab4dc150d2e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 5eab65275d.
CVE-2023-32001 has been marked "REJECT" in the NVD CVE List as
there is no safe measure against it.
These CVEs are stored in the NVD, but do not show up in search results.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-32001
(From OE-Core rev: a3b6216bcb3425b6e30ca73488a5eb6ba58e4836)
Signed-off-by: Poonam Jadhav poonam.jadhav@kpit.com
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Sometimes NVD servers are unstable and return too many errors.
There is an option to have higher fetch attempts to increase the chances
of successfully fetching the CVE data.
Additionally, it also makes sense to progressively increase the delay
after a failed request to an already unstable or busy server.
The increase in delay is reset after every successful request and
the maximum delay is limited to 30 seconds.
Also, the logs are improved to give more clarity.
(From OE-Core rev: f2e30f54e1dbb36d7527d0117eb2435f25e7e154)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7101d654635b707e56b0dbae8c2146b312d211ea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As per NVD, the public rate limit is 5 requests in 30s (6s delay).
Using an API key increases the limit to 50 requests in 30s (0.6s delay).
However, NVD still recommends sleeping for several seconds so that the
other legitimate requests are serviced without denial or interruption.
Keeping the default sleep at 6 seconds and 2 seconds with an API key.
For failures, the wait time is unchanged (6 seconds).
Reference: https://nvd.nist.gov/developers/start-here#RateLimits
(From OE-Core rev: 4f7e40652cdf647c28f7dc6052bfa5db6bc9d8fb)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 5c32e2941d1dc3d04a799a1b7cbd275c1ccc9e79)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Sometimes NVD servers are unstable and return too many errors.
Last time we increased number of attempts from 3 to 5, but
further increasing is not reasonable as in normal case
too many retries is just abusive.
Keep retries low as default and allow to increase as needed.
(From OE-Core rev: 036969937e7c84cc068efe0355dd26281cf89f03)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b6fd8043d83b99000054ab6ad2c745d07c6bcc1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This variable is not referenced in oe-core anymore.
(From OE-Core rev: 15a79302aa46c58f962e12956aa4fcd0a178cf58)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 905b45a814cb33327503b793741c19b44c8550b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
According to currently active workers
https://autobuilder.yoctoproject.org/typhoon/#/workers
and to the "workers_prev_releases" definition
in https://git.yoctoproject.org/yocto-autobuilder2/tree/config.py
Also correct the text saying that SANITY_TESTED_DISTROS
lists currently tested distros.
Also replace AlmaLinux 8.8 and 9.2 by just AlmaLinux 8 and 9,
as we update our workers anyway.
(From yocto-docs rev: 79a6ec6847cdfc40d75def36993a40fec853a7a1)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Adds context manager API for the asyncrcp client class which allow
writing code that will automatically close the connection like so:
with hashserv.create_client(address) as client:
...
Rework the bitbake-hashclient tool and PR server to use this new API to
fix warnings about unclosed event loops when exiting
(Bitbake rev: ee090484cc25d760b8c20f18add17b5eff485b40)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d01d684a0f6398270fe35ed59b7d28f3fd9b7e41)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The target_dumper code is basically broken. It has been reading binary files
over the text base serial communication and runs at every command failure which
makes no sense. Each run might overwrite files from the previous run and the
output appears corrupted due to confusion from the binary data.
It isn't possible to cherry-pick "testimage: Drop target_dumper and most of monitor_dumper"
from master, so just make target_dumper, host_dumper, and monitor_dumper empty
functions.
For further details see:
https://lists.openembedded.org/g/openembedded-architecture/message/1888
(From OE-Core rev: 960e7e3dffa22c2142cb672c68cd9a8f0e3998a3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Some distributions shipping gcc12 end up with stringop-overflow warnings
e.g.
/usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ specified size between 9223372036854775813 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]
74 | return __glibc_fortify (pread, __nbytes, sizeof (char),
| ^~~~~~~~~~~~~~~
Until fixed, lets not treat this warning as hard error
MJ: this is needed e.g. on ubuntu 24.04 after gcc was upgraded
from 13.2.0-8ubuntu1 to 13.2.0-9ubuntu1 which includes
switch _FORTIFY_SOURCE to 3:
https://changelogs.ubuntu.com/changelogs/pool/main/g/gcc-13/gcc-13_13.2.0-9ubuntu1/changelog
elfutils config.log then shows:
configure:6762: checking whether to add -D_FORTIFY_SOURCE=2 to CFLAGS
configure:6779: gcc -c -D_FORTIFY_SOURCE=2 -isystem/work/x86_64-linux/elfutils-native/0.186-r0/recipe-sysroot-native/usr/include -O2 -pipe -Werror -isystem/work/x86_64-linux/elfutils-native/0.186-r0/recipe-sysroot-native/usr/include conftest.c >&5
<command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
<built-in>: note: this is the location of the previous definition
cc1: all warnings being treated as errors
configure:6786: result: no
and -D_FORTIFY_SOURCE=2 missing in CFLAGS later causes the above error
in do_compile
(From OE-Core rev: 94d1640d374c9a8827957cba8dbc1c1f978701b5)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an expansion
token in certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385
Upstream patches:
7ef3787c84
(From OE-Core rev: 617640bd045f07b0870dc9f3bc838b3a9fbc3de7)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be
incompletely applied. When destination constraints are specified during
addition of PKCS#11-hosted private keys, these constraints are only applied
to the first key, even if a PKCS#11 token returns multiple keys.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51384
Upstream patches:
881d9c6af9
(From OE-Core rev: 7a745dd1aa13fbf110cc4d86ddbc86617975d6ad)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
With python 3.8 and 3.9, we see intermittent errors of:
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted (core dumped)
which seem related to:
https://stackoverflow.com/questions/64797838/libgcc-s-so-1-must-be-installed-for-pthread-cancel-to-workhttps://bugs.ams1.psf.io/issue42888
These tend to occur on debian 11 and ubuntu 20.04.
Workaround this by ensuring libgcc is preloaded in all cases.
(Bitbake rev: 2c6183594279e2e9d03f11155ad969448869c863)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A recipe variable handles its dependencies even on the "contains"
variables within the "inline Python expressions" like bb.utils.filter().
And it also handles those in the append operator correctly, but the
problem is that it does not so in the remove operator.
Fix it by adding the missing dependencies every time the remove
operator has been handled.
Also add a test case to check if the override operators handle
dependencies correctly.
(Bitbake rev: 23639edfbbb3fced7606dce211db8a31c5766585)
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cherry-picked from master: b90520eedb1dbc7f6a3928d089fe74fafb864eb5
- Conflicts in data.py are resolved as the master branch moved
handle_contains() and handle_remove() out of the try block.
- The test code in codeparser.py are modified as the master branch
added three more arguments to the build_dependencies().
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
wtmp is filled with binary data which the run_serial command can't cope with.
Catting this results in confusion of the serial interface and potentially large
backlogs of data in the buffers which can hang qemu.
Exclude the problematic files from the command.
(From OE-Core rev: 2afd9a6002cba2a23dd62a1805b4be04083c041b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 599ac08a6f6fb3f6a89a897c8e06367c63c2f979)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
[YOCTO #14933]
test_storlines is yet another Python ptest that fails intermittently on
the Yocto AB, so disable it during ptests for now.
(From OE-Core rev: b71d5ec10f8e64fc6102c66dfc36151f2b0b3c86)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d7b9f8157e6214a83b5495e8a32e11540ae65ff8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When SRCREV is used, call bb.fetch.get_srcrev() before accessing
SRC_URI. Without this new bb.fetch.get_srcrev() call, SRC_URI might be
accessed before SRCREV had a chance to be processed.
In master, this is fixed by https://git.yoctoproject.org/poky/commit/?id=62afa02d01794376efab75623f42e7e08af08526
However, this commit is not suited for backport since it is quite invasive.
The part of the commit that fix the bug is:
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -63,6 +63,7 @@ python () {
else:
d.setVar('B', '${WORKDIR}/${BPN}-${PV}')
+ bb.fetch.get_hashvalue(d)
local_srcuri = []
fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d)
for url in fetch.urls:
NB: bb.fetch.get_hashvalue() does not exist in kirkstone but is
equivalent to bb.fetch.get_srcrev().
Fixes [YOCTO #14918]
(From OE-Core rev: f6563cca6c4bf627e904d81fbe5b0b0f2b16a107)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Suggested-by: Chris Wyse <chris.wyse@wysechoice.net>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes security fix for CVE-2023-47038
Changes:
https://metacpan.org/release/PEVANS/perl-5.34.3/changes
(From OE-Core rev: d1bc5fb1d090cf93b9014a050b418499c0209080)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326https://security-tracker.debian.org/tracker/CVE-2023-39326
(From OE-Core rev: 448df3bb9277287dd8586987199223b7314fdd01)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Without a CVE tag, It will be recognised as Unpatched by cve_check task.
(From OE-Core rev: afc21d7fe86d26bf62e56fc611750f89fe73aa1a)
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Without a CVE tag, It will be recognised as Unpatched by cve_check task.
(From OE-Core rev: ce4ac3d167496d2f3a3029ef83dc418a0794c2fb)
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link: 7d7512019f
(From OE-Core rev: aa84c668bfe2436d36f49a422c775119e2412c8b)
Signed-off-by: Sourav Pramanik <sourav.pramanik@kpit.com>
Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From yocto-docs rev: b6e13990229baa91d8b9b885848230d40cb9e045)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Align the order from `BB_SIGNATURE_HANDLER` to `SSTATE_MIRRORS` in Quick Build
with the order in the default local conf. While trivial it is easier to find,
if the order matches.
(From yocto-docs rev: 2ab0bdc7ff74aaddd8a556046de3410300ba560a)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
