According to the NVD entry, it is only applicable when built
for native Windows (MinGW-w64 or MSVC).
(From OE-Core rev: 04ce4704e603cd66f30ffc001541c6497d84050e)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Based on Debian patch for this CVE, pick the same commits as mentioned
in kirkstone for this CVE except those already included in 2022.83.
7f48e75892
(From OE-Core rev: 6d287785611c344aa0c97048c3bfc280b1787ff5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
check_cves may raise the cve_status_not_in_db QA check. Call
exit_if_errors to make sure that the task is marked as failed when the
check is categorized as an error.
cve_status_not_in_db was in the meantime dropped in OE-Core
452e605b55ad61c08f4af7089a5a9c576ca28f7d so this change is only required
on scarthgap.
(From OE-Core rev: b3d12589c26f4e86b153bbdcda774985e4e046bd)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This class has been in OE-Core for a while but never documented in the
reference manual. Add some description for it and link to the existing
documentation on it.
(From yocto-docs rev: dd665216fa578a1f2f268790d708c6a5d2912ecf)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 362a331255525fc853dab3af4ec905c417fabb0b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This variable is part of uboot-sign but not documented.
(From yocto-docs rev: 999e81f17bf60e187e709368ede3965df19bee59)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 05eb461cb1da76ad9cbaf634da7f47447b3f6765)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update the distributions to match the list of workers on the
Autobuilder. This list was generated with the help of
yocto-autobuilder-helper/scripts/yocto-supported-distros.
Also:
- Sort the lists alphabetically.
- Decrease spacing between entries for readability.
(From yocto-docs rev: e99a9283e30ae2b844018d1ffb88560ab6877ab7)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The example repo doesn't seem to have ever been under MIT to begin with
but rather Apache-2.0. It was then changed to the license used by the
goland projectm that is BSD-3-Clause, 2 years ago in commit 00c7068f9d83
("all: update to Go license").
The license file exists in the sources, so use that one instead of
taking it from the OE-Core license directory.
License-Update: Incorrect license is now proper
(From OE-Core rev: fa45d6d5bec8fe503ff6b9166a3b4af31ea95369)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Starting from CMake version 2.27 support for interactive debugging of CMake
scripts and configurations was added. However, by default the `nativesdk-cmake`
is compiled with debugger support turned off.
This change adds debugger support for cmake
(From OE-Core rev: 8acfca456c3502f0d097ba01a2d08f83fb75ab60)
(From OE-Core rev: 776846eb8aa2f5f8c1ec8842cdbaff6b6bcdfa65)
Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It was added by original commit for CVE-2025-6020-01.patch
475bd60c55 (diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77)
but removed here in the rebase, causing:
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
326 | parent = dirname(buf);
| ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
326 | parent = dirname(buf);
| ^ ~~~~~~~~~~~~
(From OE-Core rev: 6d88a28ac7b6ff61808eb46e5c85dabd17c77f2e)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is problem on Windows platform only.
Per NVD report [1], CPE has "and" clause
Running on/with
cpe:2.3⭕microsoft:windows:-:*:*:*:*:*:*:*
Also linked patch [2] changes Windows files only (and tests).
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913
[2] https://go-review.googlesource.com/c/go/+/672396
(From OE-Core rev: ec1c6ab989b298773e8df8a6a4532f88b93617ff)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194
(From OE-Core rev: 34f1b4877a0601d2057453c159c76a54754f229a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area
DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52615]
[https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g]
Upstream patches:
[4e2e1ea090]
(From OE-Core rev: ec22ec26b3f40ed5e0d84d60c29d8c315cf72e23)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The tar packaging format was removed some time ago. Also, add some
minor grammatical tweaking.
(From yocto-docs rev: 0c154c1f431be918c4c9ce3047c12099925a9c53)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 8e9fd1ca232f3c1e8be51cb881a68b4745ee548a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to the 5.0.11 release of the 5.0 series for buildtools
(From OE-Core rev: 3b3a672ae6c024096cc263a669b1131e3f653b79)
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a single commit bump containing only CVE fix
$ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)
Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)
(From OE-Core rev: c2b63f171719e2b1c12ba049cbe776adf9e0244b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this CVE from 2.13 branch.
(From OE-Core rev: 061610dfca8a72b71e1baca3ad4aa2c9fb64449b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant part of snapshot commit 20250329, see [1].
That has:
add a buffer-limit check in postprocess_termcap (report/testcase by
Yifan Zhang).
[1] https://invisible-island.net/ncurses/NEWS.html#index-t20250329
(From OE-Core rev: 79b080eb93918431c97edbbc80de5f70a2b09a4a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant commit from 3.8.10 release MR [1].
The MR contains referece to undiscoled issue, so any security relevant
patch should be picked.
Binary test file was added as separate file as binary diffs are not
supported.
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979
(From OE-Core rev: d1aaef9bbaa240c83cc7d485b55570449203da0b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant commit from 3.8.10 release MR [1].
The ME contains referece to undiscoled issue, so any security relevant
patch should be picked.
Binary test file was added as separate file as binary diffs are not
supported.
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979
(From OE-Core rev: 8f825e7f4ca36d7ac62062e452cea256f3c058aa)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant commit from 3.8.10 release MR [1].
Binary test file was added as separate file as binary diffs are not
supported.
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979
(From OE-Core rev: 9d9ce14e2edceb211c3193cef88715d9c67fd3e0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Running "time bitbake -pP idle" with a valid cache shows around 800,000
calls to enum creation from python's signal.py. We don't care about this
overhead and it adversely affects cache load time quite badly.
Try and use _signal directly, falling back to signal, which avoids
this overhead we don't need and makes cache loading much faster.
(Bitbake rev: 982645110a19ebb94d519926a4e14c8a2a205cfd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee5fce67ce35b025c68aa61e2e758903269ee346)
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In order to avoid a potentially confusing backtrace, check that the mcdepend
is valid when we add it.
Add a test case to ensure invalid configurations are caught and trigger an
error.
[RP: Reworked test case to simplify and improve code]
(Bitbake rev: 9f6f049870e0ec829e171fe91ec8f7a092ddd2ab)
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
New version includes check for overlong file names, see [1].
[1] https://lists.gnu.org/archive/html/info-mtools/2025-06/msg00005.html
(From OE-Core rev: c374e6cfcdd2c8ba17d82ffcfdeb97d21144e2bf)
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(From OE-Core rev: 044c2bceefcc12262cb2421e8f1da5f6c2ed9f72)
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
xorg-server 21.1.17
This release contains the fixes for the issues reported in today's security
advisory: https://lists.x.org/archives/xorg/2025-June/062055.html
* CVE-2025-49175
* CVE-2025-49176
* CVE-2025-49177
* CVE-2025-49178
* CVE-2025-49179
* CVE-2025-49180
Additionally, this release includes a fix for CVE-2022-49737 which was
issued after the fix was merged back in 2022 and several other various fixes.
Ref: https://lists.x.org/archives/xorg-announce/2025-June/003609.html
xorg-server 21.1.18
This release contains an additional fix for CVE-2025-49176 from June 17
security advisory: https://lists.x.org/archives/xorg/2025-June/062055.html
Ref: https://lists.x.org/archives/xorg-announce/2025-June/003612.html
(From OE-Core rev: 2ab7c45631f78ac8f6d19889fa8526d062329992)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a59b385184fb3a548dc27310fd04d64351d8dfba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commits for Minerva fix between 3.2.4 and 3.2.5 release.
Update to 3.2.5 is blocked due to problem with python ptest errors, so
use patch instead of upgrade for now.
(From OE-Core rev: 57c04a32997c1b045121aff045f3ffaa7bb0b5f5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As discussed in [1], this commit fixes CVE-2024-41996.
Although openssl project does not consider this a vulnerability, it got
CVE number assigned so it deserves attention.
[1] https://github.com/openssl/openssl/pull/25088
(From OE-Core rev: cb49b9e49b4561ccea4c231cac591af557b9749c)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are new CVEs reported for this recipe which are not for this
componene, but for a component with same name from apache.
sqlite> select vendor, product, id, count(*) from products where product like 'orc' group by vendor, product, id;
apache|orc|CVE-2018-8015|1
apache|orc|CVE-2025-47436|4
gstreamer|orc|CVE-2024-40897|1
(From OE-Core rev: f5e320c0ea57ce1813ed09da703fe2b33f4976e6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There exists a vulnerability in SQLite versions before 3.50.2 where the
number of aggregate terms could exceed the number of columns available.
This could lead to a memory corruption issue.
(From OE-Core rev: 52499a5ea3b4ba145914aca873844ab718953289)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
objcopy: Don't extend the output section size
Since the output section contents are copied from the input, don't
extend the output section size beyond the input section size.
Backport a patch from upstream to fix CVE-2025-7545
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
(From OE-Core rev: 128e40c39d8eafdd32fea71b902b38801afec202)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A NULL pointer dereference vulnerability was found in libxml2 when processing
XPath XML expressions. This flaw allows an attacker to craft a malicious XML
input to libxml2, leading to a denial of service.
(From OE-Core rev: b144c3ef3ba1797d925ea44d9450a6ec0fe32047)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The upstream servers are having issues so switch to our own shadow copy
of the repo.
(Bitbake rev: 86e7a58c0e9904c33b1b94dddc3d683c2da22d1a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
