[yocto-security] [OE-core CVE] branch morty-next updated. 2016-10-525-g62c8fab
cve-notice at lists.openembedded.org
Wed Mar 14 20:04:57 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, morty-next has been updated
discards f4ee384ad399ca88dcb00a563ead7438eb45793b (commit)
discards 841187cdd489868555070027b423adc8171c8829 (commit)
discards e88b155119c4aded5b3e15b820377a0b12139da3 (commit)
discards b2ca1e261a2bba051d5f1652816aad2c8fb09760 (commit)
via 62c8fabacd373fdec34a918be46152f72d0c483b (commit)
via 312568a49879a2a46ebac9d2f9b53ff62dca7ac1 (commit)
via ee046d0c8ddfb26b211363950a50b13c5ad49629 (commit)
via 2567af8f80d0530096a2f405a595f34fe2507eaa (commit)
via 9d915638da65ddf5afbc19a837d3f8a57a9807ac (commit)
via c8f5c67a6caf5a88bc85a745569bc21cbe51eb3b (commit)
via 8611013b03ad7738a3a56bf67cab07975c5e7808 (commit)
via c1dd2d8361cec75a41bbdc67278f0f5b4b91d498 (commit)
via 15e86bb4a4156b0ab211023783ad3190c1104599 (commit)
via 4357ed26d8e58c661b47319f78826eacbce3b824 (commit)
via cd25099c22e915d61bf991e1a637b836a494672d (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O (f4ee384ad399ca88dcb00a563ead7438eb45793b)
            \
             N -- N -- N (62c8fabacd373fdec34a918be46152f72d0c483b)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 62c8fabacd373fdec34a918be46152f72d0c483b
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Wed Mar 14 09:52:18 2018 -0700
uninative: Add compatibility version check
If glibc is newer on the host than in uninative, the failure mode is
pretty nasty for clusters where the sstate is shared, including the Yocto
Project autobuilder.
This check aborts the use of uninative in such scenarios where a newer
glibc version appears and avoids corruption of sstate caches.
We use ldd to check the glibc version since that is included in libc-bin
(or equivalent) which locales use so it should always be present.
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 312568a49879a2a46ebac9d2f9b53ff62dca7ac1
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Fri Mar 9 19:46:00 2018 -0800
yocto-uninative: Upgrade to 1.8 version with glibc 2.27
Now distros are starting to ship glibc 2.27 we need a uninative version
which contains glibc 2.27 which is in the 1.8 version.
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ee046d0c8ddfb26b211363950a50b13c5ad49629
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Mon Mar 12 15:23:53 2018 -0700
unfs3: Fix libtirpc usage for unfs3-native version
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 2567af8f80d0530096a2f405a595f34fe2507eaa
Author: Khem Raj <raj.khem at gmail.com>
Date: Sun Mar 11 21:40:52 2018 -0700
libtirpc: Extend to native and nativesdk recipes
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 9d915638da65ddf5afbc19a837d3f8a57a9807ac
Author: Ross Burton <ross.burton at intel.com>
Date: Tue Feb 20 00:39:57 2018 +0000
libtirpc: stop dropping in NIS headers
libtirpc prior to 1.0.2 assumed that the system provided nis.h but this isn't
always true. Until now we've been using a tarball of the missing files from
Gentoo, but libtirpc 1.0.2 added a copy of nis.h to the sources so this isn't
required anymore.
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit c8f5c67a6caf5a88bc85a745569bc21cbe51eb3b
Author: Maxin B. John <maxin.john at intel.com>
Date: Wed Jul 19 18:01:25 2017 +0300
libtirpc: upgrade to 1.0.2
1.0.1 -> 1.0.2
Remove these Backported and upstreamed patches:
1. 0001-Fix-for-CVE-2017-8779.patch
2. libtirpc-0.2.1-fortify.patch
3. libtirpc-1.0.2-rc3.patc
Signed-off-by: Maxin B. John <maxin.john at intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 8611013b03ad7738a3a56bf67cab07975c5e7808
Author: Fan Xin <fan.xin at jp.fujitsu.com>
Date: Wed Jun 7 17:29:03 2017 +0900
libtirpc: Fix CVE-2017-8779
This vulnerability is also called "rpcbomb".
Backport upstream patch to fix this vulnerability.
CVE: CVE-2017-8779
Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit c1dd2d8361cec75a41bbdc67278f0f5b4b91d498
Author: Khem Raj <raj.khem at gmail.com>
Date: Sun May 21 22:00:41 2017 -0700
libtirpc: Fix build error due to missing <stdint.h> include
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 15e86bb4a4156b0ab211023783ad3190c1104599
Author: Khem Raj <raj.khem at gmail.com>
Date: Tue Apr 18 09:40:13 2017 -0700
libtirpc: Enable des APIs for musl
Use memset() API instead of __bzero()
Drop the patch removing des_* functions for musl
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 4357ed26d8e58c661b47319f78826eacbce3b824
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Apr 19 09:45:45 2017 -0700
libtirpc: Expose key_secretkey_is_set API
libnsl needs this API
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit cd25099c22e915d61bf991e1a637b836a494672d
Author: Khem Raj <raj.khem at gmail.com>
Date: Tue Apr 18 18:58:35 2017 -0700
libtirpc: Backport fixes from 1.0.2rc3
These fixes are needed for it to work with gcc7
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
-----------------------------------------------------------------------
Summary of changes:
...d-missing-rwlock_unlocks-in-xprt_register.patch | 62 ---------
.../0001-include-stdint.h-for-uintptr_t.patch | 32 +++++
.../0001-replace-__bzero-with-memset-API.patch | 30 +++++
.../libtirpc/export_key_secretkey_is_set.patch | 24 ++++
.../libtirpc/libtirpc/libtirpc-0.2.1-fortify.patch | 26 ----
.../libtirpc/remove-des-functionality.patch | 144 ---------------------
.../{libtirpc_1.0.1.bb => libtirpc_1.0.2.bb} | 22 ++--
7 files changed, 94 insertions(+), 246 deletions(-)
delete mode 100644 meta/recipes-extended/libtirpc/libtirpc/0001-Add-missing-rwlock_unlocks-in-xprt_register.patch
create mode 100644 meta/recipes-extended/libtirpc/libtirpc/0001-include-stdint.h-for-uintptr_t.patch
create mode 100644 meta/recipes-extended/libtirpc/libtirpc/0001-replace-__bzero-with-memset-API.patch
create mode 100644 meta/recipes-extended/libtirpc/libtirpc/export_key_secretkey_is_set.patch
delete mode 100644 meta/recipes-extended/libtirpc/libtirpc/libtirpc-0.2.1-fortify.patch
delete mode 100644 meta/recipes-extended/libtirpc/libtirpc/remove-des-functionality.patch
rename meta/recipes-extended/libtirpc/{libtirpc_1.0.1.bb => libtirpc_1.0.2.bb} (54%)
hooks/post-receive