[yocto-security] [OE-core CVE] branch master updated. cdd3e9ab99d4ffda673b564ba802b6bd2d40eabf
cve-notice at lists.openembedded.org
Thu Oct 18 23:39:37 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master has been updated
via cdd3e9ab99d4ffda673b564ba802b6bd2d40eabf (commit)
via 897c10b7c17c138a85bdeb36cf72e7201daf0e0e (commit)
via a5591f7aee24a4ad792d7dd0dea0f7252a68c7a8 (commit)
via 60a8dedf9a291fecb260a48a14b9c268bc0eb5b4 (commit)
via 998181106813d6d5f44df40e9118668cd9293787 (commit)
via 56fe12af343190f9a79f273f32a026e32b5477df (commit)
via 632a6d1221c063c31e03452a45a1065f0da86979 (commit)
via 104a87a02e1ac810f44bb69be5befc14ee907a81 (commit)
via 3e6226f85cf9076e758cbba934aa411e84c6a510 (commit)
via e499d11f4e4127d6d9db2cf341ae3fb03ea94660 (commit)
via 107eefed37e4af39ec1565c57d03c7f9adea69af (commit)
via df9f15caaaa9280aa7c495cf50d2cd7e242cd8b1 (commit)
via 02fd0518c00e6316e90bef077f55156ebb75eb8d (commit)
via d6bd1edc2be73ce14005a0aa5db68961a1615da4 (commit)
via b461c4047924d3a3e253f7024f024b9a2b27fa76 (commit)
via bc14dcccfd7d048fbd826e571949a521d45fd86c (commit)
via 256de4995c6bf42b82b07f275aa0f9adf43a1db0 (commit)
via 1d7ae7438aecb21f694a9e5a6c38f7833130882f (commit)
via 7023d0f1171725118de3882c78bf64998f4bc697 (commit)
via dd2f7c15ac260bcad18aae6e3d3344507cb0daa7 (commit)
via 7eb7a22f9cf7f864c6c1d21170f50df2a216c3be (commit)
via fc26880654192a77c81a60e4df2b09668c128fef (commit)
via 336242ef27272e2304c2f9e90bee4423d7007b25 (commit)
via e6978e60b6fda4c83eeb400528f16408e80082d7 (commit)
via 5559ea533dd2ee5a6d5f10ec8cb2b244ce7f9e65 (commit)
from d7d0cc5227d0dc7d3ff91ded9da841d65c3f3632 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cdd3e9ab99d4ffda673b564ba802b6bd2d40eabf
Author: Dan McGregor <dan.mcgregor at usask.ca>
Date: Thu Oct 18 09:46:28 2018 -0600
toybox: Fix paths to match OE conventions
Many toybox commands get installed in places that are unexpected
in openembedded-core, causing conflicts. Fix up the paths I identified
that are causing conflicts.
Signed-off-by: Dan McGregor <dan.mcgregor at usask.ca>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 897c10b7c17c138a85bdeb36cf72e7201daf0e0e
Author: Dan McGregor <dan.mcgregor at usask.ca>
Date: Thu Oct 18 09:46:27 2018 -0600
vim: alternatify xxd
toybox also provides xxd.
Signed-off-by: Dan McGregor <dan.mcgregor at usask.ca>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit a5591f7aee24a4ad792d7dd0dea0f7252a68c7a8
Author: Yi Zhao <yi.zhao at windriver.com>
Date: Thu Oct 18 15:20:20 2018 +0800
radvd: remove update-rc.d settings
We don't offer /etc/radvd.conf but only radvd.conf.example which would
cause a startup error:
Starting radvd:
* /etc/radvd.conf does not exist or is empty.
Remove update-rc.d settings so that it doesn't start by default.
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 60a8dedf9a291fecb260a48a14b9c268bc0eb5b4
Author: Maxime Roussin-Bélanger <maxime.roussinbelanger at gmail.com>
Date: Wed Oct 17 16:33:00 2018 -0400
libeigen: update to 3.3.5
Signed-off-by: Maxime Roussin-Bélanger <maxime.roussinbelanger at gmail.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 998181106813d6d5f44df40e9118668cd9293787
Author: Mark Hatle <mark.hatle at windriver.com>
Date: Wed Oct 17 15:14:13 2018 -0400
gstreamer: Remove machine specific append
If you try to build a system with multiple BSPs, one of which is qemux86
or qemux86-64, the gstreamer package will change. This will trigger
anything using gstreamer to also be rebuilt.
For a package based system, the PR values will also be incremented each
time. The end result will be an ever growing set of PR values as well as
being unable to tell which configured version of the multimedia components
are really being deployed.
The solution here was to remove the rrecommend for consistency.
Signed-off-by: Mark Hatle <mark.hatle at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 56fe12af343190f9a79f273f32a026e32b5477df
Author: Mingli Yu <mingli.yu at windriver.com>
Date: Wed Oct 17 01:15:36 2018 -0700
udisks2: Upgrade to 2.7.8
This is a bugfix release for UDisks 2.7. Included fixes:
- Fix string format vulnerability
- Fix CVE-2018-17336
Signed-off-by: Mingli Yu <mingli.yu at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 632a6d1221c063c31e03452a45a1065f0da86979
Author: Tim Orling <timothy.t.orling at linux.intel.com>
Date: Tue Oct 16 23:11:41 2018 -0700
libnet-dns-perl: upgrade 1.17 -> 1.18; enable ptest
* Add UPSTREAM_CHECK_REGEX to ignore DEV releases
* Add RDEPENDS that were missing
* Enable ptest and add RDEPENDS for tests
* Add RRECOMMENDS for libnet-dns-sec-perl
* Upstream release notes:
"""
**** 1.18 Sep 21, 2018
Documentation revised to remove ambiguous use of "answer" which
has been used to refer to both the answer section of a packet
and the entire reply packet received from a nameserver.
Fix rt.cpan.org #127018
Net::DNS::ZoneFile->parse() fails if include directory specified.
Fix rt.cpan.org #127012
DNS resolution broken when options ndots used in /etc/resolv.conf
"""
Signed-off-by: Tim Orling <timothy.t.orling at linux.intel.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 104a87a02e1ac810f44bb69be5befc14ee907a81
Author: Tim Orling <timothy.t.orling at linux.intel.com>
Date: Tue Oct 16 23:11:40 2018 -0700
libnet-dns-sec-perl: add recipe for 1.10
Net::DNS::SEC is installed as an extension to an existing Net::DNS
installation providing packages to support DNSSEC as specified in
RFC4033, RFC4034, RFC4035 and related documents.
It also provides support for SIG0 which is useful for dynamic updates.
Implements cryptographic signature generation and verification functions
using RSA, DSA, ECDSA, and Edwards curve algorithms.
The extended features are made available by replacing Net::DNS by
Net::DNS::SEC in the use declaration.
Signed-off-by: Tim Orling <timothy.t.orling at linux.intel.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 3e6226f85cf9076e758cbba934aa411e84c6a510
Author: Qi.Chen at windriver.com <Qi.Chen at windriver.com>
Date: Wed Oct 17 13:21:25 2018 +0800
strongswan: upgrade to 5.7.1
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit e499d11f4e4127d6d9db2cf341ae3fb03ea94660
Author: Changqing Li <changqing.li at windriver.com>
Date: Wed Oct 17 11:15:19 2018 +0800
gnulib: Security fix for CVE-2018-17942
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 107eefed37e4af39ec1565c57d03c7f9adea69af
Author: Qi.Chen at windriver.com <Qi.Chen at windriver.com>
Date: Wed Oct 17 10:32:11 2018 +0800
python-requests: fix CVE-2018-18074
Backport two patches to fix the following CVE.
CVE: CVE-2018-18074
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
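An added illustration (not the requests project's own code, nor part of this commit) of the rule the two backported patches listed in the diffstat are named after: drop the Authorization header whenever the redirect target's root URL (scheme, host or port) differs from the original request's. The URLs and header values are constructed; a real client may additionally allow an http-to-https upgrade on default ports, which this strict version does not.

```python
from urllib.parse import urlsplit

# Constructed example of the "strip Authorization whenever the root URL changes"
# rule behind the CVE-2018-18074 fix. Not the requests library's implementation;
# "root URL" is taken here to mean (scheme, hostname, effective port).

DEFAULT_PORTS = {"http": 80, "https": 443}


def root_url(url):
    """Return (scheme, hostname, port); the port falls back to the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_strip_authorization(original_url, redirect_url):
    """True when the redirect leaves the origin of the original request.

    Comparing only hostnames is the weak check: an https -> http redirect to the
    same host would keep the credentials and send them in cleartext. Comparing
    scheme and port as well closes that gap.
    """
    return root_url(original_url) != root_url(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Headers to send on the redirect, minus Authorization if the origin changed."""
    kept = dict(headers)
    if should_strip_authorization(original_url, redirect_url):
        for name in list(kept):
            if name.lower() == "authorization":
                del kept[name]
    return kept


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer <constructed-token>", "Accept": "application/json"}
    # Same host, but https -> http: the token must not follow the redirect.
    print(headers_for_redirect(hdrs, "https://api.example.com/v1", "http://api.example.com/v1"))
```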
commit df9f15caaaa9280aa7c495cf50d2cd7e242cd8b1
Author: Hong Liu <hongl.fnst at cn.fujitsu.com>
Date: Wed Oct 17 08:42:33 2018 +0800
ipc-run: 0.99 -> 20180523.0
1. Upgrade ipc-run from 0.99 to 20180523.0
Signed-off-by: Hong Liu <hongl.fnst at cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 02fd0518c00e6316e90bef077f55156ebb75eb8d
Author: Hong Liu <hongl.fnst at cn.fujitsu.com>
Date: Wed Oct 17 08:42:32 2018 +0800
hwdata: 0.315 -> 0.316
1. Upgrade hwdata from 0.315 to 0.316
Signed-off-by: Hong Liu <hongl.fnst at cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit d6bd1edc2be73ce14005a0aa5db68961a1615da4
Author: Hong Liu <hongl.fnst at cn.fujitsu.com>
Date: Wed Oct 17 08:42:31 2018 +0800
dracut: 048->049
Upgrade dracut from 048 to 049.
Signed-off-by: Hong Liu <hongl.fnst at cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit b461c4047924d3a3e253f7024f024b9a2b27fa76
Author: Ankit Navik <ankit.tarot at gmail.com>
Date: Mon Oct 15 19:03:52 2018 +0530
opencl-icd-loader: Initial recipe for OpenCL ICD loader
This patch provides ICD loader library, ICD loader test binary
and some helper library for test.
Signed-off-by: Ankit Navik <ankit.tarot at gmail.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit bc14dcccfd7d048fbd826e571949a521d45fd86c
Author: Sinan Kaya <okaya at kernel.org>
Date: Tue Oct 16 22:18:45 2018 +0000
sharutils: CVE-2018-1000097
*CVE
Sharutils (unshar command) version 4.15.2 contains a Buffer Overflow
vulnerability in the affected component, the file unshar.c at line 75,
function looks_like_c_code: failure to perform checking of the buffer
containing the input line, which could lead to code execution.
This attack appears to be exploitable if the victim runs the unshar command
on a specially crafted file.
Affects = 4.15.2
CVE: CVE-2018-1000097
Ref: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000097.html?_ga=2.104716162.363845622.1539703460-954328166.1533363715
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 256de4995c6bf42b82b07f275aa0f9adf43a1db0
Author: Ankit Navik <ankit.tarot at gmail.com>
Date: Tue Oct 16 23:19:02 2018 +0530
opencl-headers: Initial recipe for OpenCL headers
Add generic recipe for OpenCL API headers.
Suggested-by: Burton, Ross <ross.burton at intel.com>
Signed-off-by: Ankit Navik <ankit.tarot at gmail.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 1d7ae7438aecb21f694a9e5a6c38f7833130882f
Author: Bartosz Golaszewski <bgolaszewski at baylibre.com>
Date: Tue Oct 16 16:25:19 2018 +0200
catch2: new package
Add a recipe for the catch2 testing framework. There's a bug upstream
which makes it impossible to build with gcc7 so include a patch.
Signed-off-by: Bartosz Golaszewski <bgolaszewski at baylibre.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 7023d0f1171725118de3882c78bf64998f4bc697
Author: Mingli Yu <Mingli.Yu at windriver.com>
Date: Mon Oct 15 22:24:51 2018 -0700
cpupower: Update LIC_FILES_CHKSUM
Update LIC_FILES_CHKSUM for cpupower as
the COPYING file which is used for LIC_FILES_CHKSUM
has been changed in below commit:
commit bf02d491237eea10290bd379bf7fc8c37ac6c3b4
Author: Mauro Carvalho Chehab <mchehab at s-opensource.com>
Date: Fri Mar 23 06:51:06 2018 -0300
COPYING: use the new text with points to the license files
Now that we have a new COPYING file with points to the
Linux license files, replace it with the old content.
This patch does:
1 file changed, 0 insertions(+), 0 deletions(-)
rename COPYING.new => COPYING (100%)
Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
Signed-off-by: Jonathan Corbet <corbet at lwn.net>
Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit dd2f7c15ac260bcad18aae6e3d3344507cb0daa7
Author: Yi Zhao <yi.zhao at windriver.com>
Date: Tue Oct 16 09:18:47 2018 +0800
wireshark: update to 2.6.4
* Update SRC_URI
In https://1.as.dl.wireshark.org/src/, only the latest release is kept.
Switch to https://1.as.dl.wireshark.org/src/all-versions/
to make sure the old releases can be found.
* Drop patch fix-fatal-no-names-found-git-error.patch
Actually this piece of code should not be invoked when building from a
tarball. But in previous releases the code was executed when building the
native package if the host had rpmbuild and git installed, which
caused a configure error. This issue has been fixed in 2.6.4:
commit 4fbc017e80d6d11f8c26cad12d883fd6da9d3504
CMake: Fix build from tarball under certain conditions
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 7eb7a22f9cf7f864c6c1d21170f50df2a216c3be
Author: Dan Dedrick <dan.dedrick at gmail.com>
Date: Mon Oct 15 15:48:19 2018 -0400
zlog: fix up library path for multilib
When using multilib the path for libraries might be something other than
/usr/lib. zlog defaults LIBRARY_PATH to 'lib', so we need to set this
appropriately so that it works properly in cases where this isn't 'lib'.
Signed-off-by: Dan Dedrick <ddedrick at lexmark.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit fc26880654192a77c81a60e4df2b09668c128fef
Author: Ankit Navik <ankit.tarot at gmail.com>
Date: Mon Oct 15 18:19:20 2018 +0530
Khronos: Add Khronos LICENSE
Suggested-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ankit Navik <ankit.tarot at gmail.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 336242ef27272e2304c2f9e90bee4423d7007b25
Author: Qi.Chen at windriver.com <Qi.Chen at windriver.com>
Date: Mon Oct 15 16:30:17 2018 +0800
keepalived: remove update-rc.d settings
The recipe wants to install a script under init.d but does not
want it to be started by default. It did so by inheriting update-rc.d
and setting INITSCRIPT_PARAMS to "remove". This is not correct.
We could just not inherit 'update-rc.d' to achieve such effect.
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit e6978e60b6fda4c83eeb400528f16408e80082d7
Author: Martin Jansa <martin.jansa at gmail.com>
Date: Mon Oct 15 11:11:42 2018 +0000
glog: enable building shared library again
* fix the soversion used by libglog as explained below:
The preferred default should IMHO be the same as with 0.3.4 version
which was shared library, but that's easy to add with small bbappend
having:
EXTRA_OECMAKE += "-DBUILD_SHARED_LIBS=ON"
but unfortunately the SONAME in the library changed from:
objdump -x usr/lib/libglog.so.0.0.0 | grep SONAME
SONAME libglog.so.0
in 0.3.4 to:
objdump -x usr/lib/libglog.so.0.3.5 | grep SONAME
SONAME libglog.so.0.3.5
Which breaks all our prebuilt binaries which now correctly complain that
there isn't libglog.so.0 provider in dependencies:
QA Issue: /usr/lib/libfoo.so.1.2.3 contained in package libfoo requires
libglog.so.0, but no providers found in RDEPENDS_libfoo
Which is quite unfortunate for a minor upgrade. Did they really change the
ABI (and expect to change it in all future minor upgrades) or is this
change just an unexpected side-effect of using cmake instead of autotools?
It looks like the latter, because if I build the 0.3.5 version with autotools I
get:
objdump -x usr/lib/libglog.so.0.0.0 | grep SONAME
SONAME libglog.so.0
and there is a patch for SOVERSION here as well:
https://github.com/google/or-tools/blob/master/patches/glog.patch
applied in master:
https://github.com/google/glog/blob/master/CMakeLists.txt#L493
https://github.com/google/glog/commit/6b6e38a7d53fe01f42ce34384cf4ba4c50e8cb65#diff-af3b638bc2a3e6c650974192a53c7291
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
commit 5559ea533dd2ee5a6d5f10ec8cb2b244ce7f9e65
Author: Tim Orling <timothy.t.orling at linux.intel.com>
Date: Wed Sep 5 20:48:47 2018 -0700
cpuid: upgrade 20170122 -> 20180519
- Remove upstreamed patch
- Create directory and install file in single install operation
Signed-off-by: Tim Orling <timothy.t.orling at linux.intel.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
-----------------------------------------------------------------------
Summary of changes:
.../recipes-devtools/dracut/dracut_git.bb | 4 +-
.../gstreamer-0.10/gstreamer_0.10.36.bb | 3 -
.../recipes-daemons/keepalived/keepalived_1.4.2.bb | 5 +-
meta-networking/recipes-daemons/radvd/radvd.inc | 7 +-
.../{strongswan_5.6.3.bb => strongswan_5.7.1.bb} | 4 +-
.../fix-fatal-no-names-found-git-error.patch | 23 ---
.../{wireshark_2.6.2.bb => wireshark_2.6.4.bb} | 7 +-
meta-oe/licenses/Khronos | 35 ++++
.../opencl-headers/opencl-headers_git.bb | 17 ++
.../opencl-icd-loader/opencl-icd-loader_git.bb | 45 +++++
.../toybox/toybox/OE-path-changes.patch | 195 +++++++++++++++++++++
meta-oe/recipes-core/toybox/toybox_0.7.5.bb | 4 +-
.../cpuid/{cpuid_20170122.bb => cpuid_20180519.bb} | 12 +-
...ix-Add-sys-sysmacros.h-to-fix-build-issue.patch | 24 ---
.../{ipc-run_0.99.bb => ipc-run_20180523.0.bb} | 2 +-
meta-oe/recipes-extended/zlog/zlog_git.bb | 2 +-
meta-oe/recipes-kernel/cpupower/cpupower.bb | 2 +-
...0001-Rework-CMake-glog-VERSION-management.patch | 71 ++++++++
meta-oe/recipes-support/glog/glog_0.3.5.bb | 3 +
.../gnulib/gnulib/CVE-2018-17942.patch | 88 ++++++++++
.../recipes-support/gnulib/gnulib_2017-08-20.18.bb | 3 +
meta-oe/recipes-support/hwdata/hwdata_git.bb | 4 +-
.../{libeigen_3.3.4.bb => libeigen_3.3.5.bb} | 6 +-
.../sharutils/sharutils/CVE-2018-1000097.patch | 61 +++++++
.../recipes-support/sharutils/sharutils_4.15.2.bb | 1 +
.../udisks/{udisks2_2.7.7.bb => udisks2_2.7.8.bb} | 4 +-
meta-oe/recipes-support/vim/vim_8.1.0347.bb | 6 +-
.../0001-Fix-convert-from-char-on-ARM-build.patch | 46 +++++
meta-oe/recipes-test/catch2/catch2_2.4.1.bb | 24 +++
.../recipes-perl/libnet/libnet-dns-perl_1.17.bb | 27 ---
.../recipes-perl/libnet/libnet-dns-perl_1.18.bb | 66 +++++++
.../libnet/libnet-dns-sec-perl_1.10.bb | 33 ++++
.../recipes-devtools/python/python-requests.inc | 6 +
...rization-header-whenever-root-URL-changes.patch | 62 +++++++
...uthorization-stripping-logic-as-discussed.patch | 118 +++++++++++++
35 files changed, 906 insertions(+), 114 deletions(-)
rename meta-networking/recipes-support/strongswan/{strongswan_5.6.3.bb => strongswan_5.7.1.bb} (97%)
delete mode 100644 meta-networking/recipes-support/wireshark/wireshark/fix-fatal-no-names-found-git-error.patch
rename meta-networking/recipes-support/wireshark/{wireshark_2.6.2.bb => wireshark_2.6.4.bb} (92%)
create mode 100644 meta-oe/licenses/Khronos
create mode 100644 meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
create mode 100644 meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
create mode 100644 meta-oe/recipes-core/toybox/toybox/OE-path-changes.patch
rename meta-oe/recipes-devtools/cpuid/{cpuid_20170122.bb => cpuid_20180519.bb} (63%)
delete mode 100644 meta-oe/recipes-devtools/cpuid/files/0001-Fix-Add-sys-sysmacros.h-to-fix-build-issue.patch
rename meta-oe/recipes-devtools/perl/{ipc-run_0.99.bb => ipc-run_20180523.0.bb} (93%)
create mode 100644 meta-oe/recipes-support/glog/glog/0001-Rework-CMake-glog-VERSION-management.patch
create mode 100644 meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch
rename meta-oe/recipes-support/libeigen/{libeigen_3.3.4.bb => libeigen_3.3.5.bb} (79%)
create mode 100644 meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
rename meta-oe/recipes-support/udisks/{udisks2_2.7.7.bb => udisks2_2.7.8.bb} (89%)
create mode 100644 meta-oe/recipes-test/catch2/catch2/0001-Fix-convert-from-char-on-ARM-build.patch
create mode 100644 meta-oe/recipes-test/catch2/catch2_2.4.1.bb
delete mode 100644 meta-perl/recipes-perl/libnet/libnet-dns-perl_1.17.bb
create mode 100644 meta-perl/recipes-perl/libnet/libnet-dns-perl_1.18.bb
create mode 100644 meta-perl/recipes-perl/libnet/libnet-dns-sec-perl_1.10.bb
create mode 100644 meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch
create mode 100644 meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch
hooks/post-receive
--