[yocto-security] [OE-core CVE] branch pyro-next updated. uninative-1.6-660-ga70a817

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Sun Jan 14 08:06:38 PST 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, pyro-next has been updated
  discards  af9c1b4f8ca7fc9792556f2299fdd948b2d51002 (commit)
  discards  53847bf78eff4b960033b23b15a73676e480ab09 (commit)
  discards  722821533249a976b5bc03e8c0642bcf352dd6b5 (commit)
  discards  b93a6448a9a2e6eeea37ef70a939efbafa57b3f0 (commit)
  discards  7f0cba9996e5038a71e6cde39191833e7bcd4264 (commit)
  discards  393c9f7f74e850b6cb0bb8daf77cb092fec1f576 (commit)
  discards  7837111b24d36dbe96fb1013e65632b580077bff (commit)
  discards  9ba82bc5c019d2dc2fcff638100b5081aa28dc15 (commit)
  discards  97e907b82bcf5bb5f895e772952881ccf79d37b4 (commit)
  discards  4d6cfb3686f5c9d29368cc28da91249adc3e75d2 (commit)
  discards  8941140c8aea22eecc18082ef18a56605f40702d (commit)
  discards  03fb17b4abc2f12ad745d8da9c7ac5f972b92d05 (commit)
  discards  9dcc089ba058576d61e2c95defa3695287bf8609 (commit)
       via  a70a8179eb8b8ebb6c9f9dc8fa6f26bb271b2954 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (af9c1b4f8ca7fc9792556f2299fdd948b2d51002)
            \
             N -- N -- N (a70a8179eb8b8ebb6c9f9dc8fa6f26bb271b2954)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a70a8179eb8b8ebb6c9f9dc8fa6f26bb271b2954
Author: Khem Raj <raj.khem at gmail.com>
Date:   Fri Jan 12 13:47:02 2018 +0200

    webkitgtk: update to 2.18.5 (includes Spectre mitigations; see commit description)
    
    This is the only available stable version with mitigation fixes for Spectre.
    Webkit upstream developers do not port CVE fixes to earlier stable series,
    no exception was made in this case.
    
    More information:
    
    https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
    https://webkitgtk.org/security/WSA-2018-0001.html
    https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html
    
    This commit also contains the following commits added in master branch after pyro release:
    
    ===
    webkitgtk: Upgrade to 2.16.1
    
    Fix build with gcc7
    Move all patches to webkit folder
    Drop patches that were backports or have been upstreamed
    
    (From OE-Core rev: bfbdd1a2069f199be9ba0909dd512469ff17b65e)
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: remove native python dependency
    
    Using host python seems to be fine.
    
    (From OE-Core rev: 7cf80640f53bd8faa4874c2dad5f630a935475f6)
    
    Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: Fix build for armv5
    
    Detect atomics during configure
    
    (From OE-Core rev: 424ffbde2111130137e307eb9e598ad50451c865)
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: Upgrade to 2.16.3
    
    Use the bfd linker on ppc, because gold fails to link
    webkit libraries when PIE is enabled.
    
    (From OE-Core rev: 8808d4b13a946499bc6e84a1be15f53d8ab3f673)
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: Upgrade to 2.16.5
    
    Adjust some dependencies: libgcrypt is now required (instead of gnutls)
    and the following build deps were missing: gettext-native, glib-2.0
    and glib-2.0-native.
    
    Also the CMake argument ENABLE_CREDENTIAL_STORAGE has been renamed to
    USE_LIBSECRET.
    
    This new upstream release (2.16.4 actually) includes security fixes for
    CVE: CVE-2017-2538
    
    (From OE-Core rev: ef68005a8c527e9b1d05b7769f0ec8ebe9ec3f91)
    
    Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: update to 2.16.6
    
    (From OE-Core rev: 198ccdbefa481f725492b5d8834213fe26431be5)
    
    Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: Do not use -isystem forcibly
    
    This causes include_next <stdlib.h> to not find
    this header, since -isystem <sysroot> is added via
    cmake. We already are using --sysroot, so rely on that.
    
    (From OE-Core rev: a0f2d1389a7e76b64003fea391a0cd485ff5fe77)
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: Add a recommends on shared-mime-info.
    
     * without this package installed any WebKitGTK+ based browser
       will fail to correctly open html files (and other files)
       from disk (file:// URIs). It will open them as plain txt files.
    
    (From OE-Core rev: b708cb53b46d9d82a7853bcd0f25ef6bc417bd10)
    
    Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: disable gobject-introspection on armv7a
    
    Disable gobject-introspection on armv7a and armv7ve
    to avoid do_compile failure:
    
    | qemu: uncaught target signal 11 (Segmentation fault) - core dumped
    | Segmentation fault
    
    (From OE-Core rev: bdddd81c8b4eab6bbf7a8697992b48cb5a30ae4a)
    
    Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    
    ===
    webkitgtk: update to 2.18.3
    
    gcc7.patch, musl-fixes.patch, and ppc-musl-fix.patch all change code that is no
    longer present in upstream tree. However, a patch with different musl fixes
    has been added.
    
    The rest of the patches are rebased to the new tree.
    
    Libtasn is a new dependency.
    
    Disable Gstreamer GL support on x86 due to clashing headers problem.
    
    (From OE-Core rev: 3acae2dcd130122fe76504ec855af78db829d6ec)
    ===
    webkitgtk: fix build with musl and x32
    
    Make the x32 check generic to make it work with musl as well.
    
    Fixes [YOCTO #12118]
    
    (From OE-Core rev: dbd604ccf34e304769937b15051c047561de47f7)
    ===
    
    Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

-----------------------------------------------------------------------

Summary of changes:
 .../linux-firmware/linux-firmware_git.bb           | 152 ++-------------------
 1 file changed, 8 insertions(+), 144 deletions(-)


hooks/post-receive