[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.2-928-gad5753e
cve-notice at lists.openembedded.org
Fri Oct 19 06:53:50 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master-next has been updated
via ad5753e860abfe949a1771b66b47fe63e412d10d (commit)
via 074bd758110c11dc06f4accadc261ebc5f36468a (commit)
via 393e5e060bf3fca6dfbc35545711f67bb57d0ccd (commit)
via 35c5bb4f2ea752d5505675df420cd0a91adca9e4 (commit)
via 0534539c3127547f6aa54db4e41470d5d4a6fec5 (commit)
via 04137b42a83fa8517f74ac0c44d387caf6e1fdfb (commit)
via 82de44035f6c24cfd0d4cb9b5bedd5299c61ae3e (commit)
from 040754fa27ee77809ef8851437ac6909c1ec2d79 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ad5753e860abfe949a1771b66b47fe63e412d10d
Author: Mingli Yu <Mingli.Yu at windriver.com>
Date: Fri Oct 19 10:37:23 2018 +0800
buildtools-tarball: add nativesdk-rpcsvc-proto
Fedora 28 repackages the rpcgen program into the rpcgen
package, and the program is no longer
part of the glibc-common package.
fedora 28:
$ rpm -qf /usr/bin/rpcgen
rpcgen-1.3.1-4.fc28.x86_64
fedora 27:
$ rpm -qf /usr/bin/rpcgen
glibc-common-2.26-27.fc27.x86_64
When building a project on a Fedora 28 host without
installing the extra rpcgen package, the
following error occurs:
ERROR: Unable to start bitbake server
ERROR: Last 10 lines of server log for this session (/yocto/builds/upgrade2/bitbake-cookerdaemon.log):
self.cooker = bb.cooker.BBCooker(self.configuration, self.featureset)
File "/yocto/poky/bitbake/lib/bb/cooker.py", line 197, in __init__
self.initConfigurationData()
File "/yocto/poky/bitbake/lib/bb/cooker.py", line 356, in initConfigurationData
self.databuilder.parseBaseConfiguration()
File "/yocto/poky/bitbake/lib/bb/cookerdata.py", line 317, in parseBaseConfiguration
raise bb.BBHandledException
bb.BBHandledException
ERROR: The following required tools (as specified by HOSTTOOLS) appear to be unavailable in PATH, please install them in order to proceed:
rpcgen
So add nativesdk-rpcsvc-proto to provide the
program rpcgen to fix the gap.
Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 074bd758110c11dc06f4accadc261ebc5f36468a
Author: Khem Raj <raj.khem at gmail.com>
Date: Thu Oct 18 18:31:48 2018 -0700
tcmode-default: Drop pinning go to 1.9
This ensures that we default to the latest go recipes.
1.9 is not supported anymore.
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 393e5e060bf3fca6dfbc35545711f67bb57d0ccd
Author: Khem Raj <raj.khem at gmail.com>
Date: Thu Oct 18 18:31:47 2018 -0700
go: Upgrade to 1.11.1
Drop 1.10 recipes in favor of 1.11.
We have had reports of 1.10 not being quite
functional with OE.
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 35c5bb4f2ea752d5505675df420cd0a91adca9e4
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Fri Oct 19 13:19:53 2018 +0800
systemd: add back alternatives for init utilities
Add back alternatives for init utilities to avoid regression.
These alternatives were removed when upgrading systemd to 239.
They were removed out of the logic that init utilities should be
bound to init manager. However, it turned out that two use cases
were not covered.
1) initramfs using commands like 'reboot' from busybox.
2) Users use customized busybox defconfig which enables init utilities.
The first use case caused a regression bug in yocto.
https://bugzilla.yoctoproject.org/show_bug.cgi?id=12914
Patches were sent to fix the reboot problem.
But this is not enough, as we may have the second use case. In such
a situation, users will find themselves with a regression error when
using 'busybox + systemd' (and busybox is installed after systemd,
overriding the systemd symlinks).
So in order to avoid regression, add back these alternatives.
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 0534539c3127547f6aa54db4e41470d5d4a6fec5
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Fri Oct 19 10:43:15 2018 +0800
python: backport patch to fix CVE-2018-14647
Backport patch to fix the following CVE.
CVE: CVE-2018-14647
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 04137b42a83fa8517f74ac0c44d387caf6e1fdfb
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Fri Oct 19 10:43:14 2018 +0800
python: backport patch to fix CVE-2018-1000802
Backport a patch to fix the following CVE.
CVE: CVE-2018-1000802
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 82de44035f6c24cfd0d4cb9b5bedd5299c61ae3e
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Fri Oct 19 14:51:14 2018 +0100
Revert "os-release: avoid multilib expand"
This reverts commit 591a11ba58ce3c2c147bb1f8202bc6a0092b70eb.
This is not needed after the recent os-release fix.
-----------------------------------------------------------------------
Summary of changes:
meta/conf/distro/include/tcmode-default.inc | 2 +-
meta/conf/multilib.conf | 2 +-
meta/recipes-core/meta/buildtools-tarball.bb | 1 +
meta/recipes-core/systemd/systemd_239.bb | 27 +++++-
...OLDIR-to-be-overridden-in-the-environment.patch | 64 --------------
...l-obj-arm64-fix-branch-too-far-with-TBZ-l.patch | 58 -------------
.../go/{go-1.10.inc => go-1.11.inc} | 9 +-
...1-allow-CC-and-CXX-to-have-multiple-words.patch | 12 ++-
...-content-based-hash-generation-less-pedan.patch | 46 +++++-----
...OLDIR-to-be-overridden-in-the-environment.patch | 48 +++++++++++
.../0004-ld-add-soname-to-shareable-objects.patch | 16 ++--
...verride-CC-when-building-dist-and-go_boot.patch | 15 ++--
...-cmd-dist-separate-host-and-target-builds.patch | 67 ++++++++-------
...07-cmd-go-make-GOROOT-precious-by-default.patch | 50 ++++++-----
...ld-replace-glibc-dynamic-linker-with-musl.patch | 24 +++---
...-canadian_1.10.bb => go-cross-canadian_1.11.bb} | 0
.../go/{go-cross_1.10.bb => go-cross_1.11.bb} | 0
.../{go-crosssdk_1.10.bb => go-crosssdk_1.11.bb} | 0
.../go/{go-native_1.10.bb => go-native_1.11.bb} | 0
.../go/{go-runtime_1.10.bb => go-runtime_1.11.bb} | 0
.../recipes-devtools/go/{go_1.10.bb => go_1.11.bb} | 0
...23-Use-XML_SetHashSalt-in-_elementtree-GH.patch | 98 ++++++++++++++++++++++
...34540-Convert-shutil._call_external_zip-t.patch | 69 +++++++++++++++
meta/recipes-devtools/python/python_2.7.15.bb | 2 +
24 files changed, 359 insertions(+), 251 deletions(-)
delete mode 100644 meta/recipes-devtools/go/go-1.10/0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch
delete mode 100644 meta/recipes-devtools/go/go-1.10/0008-cmd-internal-obj-arm64-fix-branch-too-far-with-TBZ-l.patch
rename meta/recipes-devtools/go/{go-1.10.inc => go-1.11.inc} (74%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0001-allow-CC-and-CXX-to-have-multiple-words.patch (79%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0002-cmd-go-make-content-based-hash-generation-less-pedan.patch (85%)
create mode 100644 meta/recipes-devtools/go/go-1.11/0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0004-ld-add-soname-to-shareable-objects.patch (79%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0005-make.bash-override-CC-when-building-dist-and-go_boot.patch (80%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0006-cmd-dist-separate-host-and-target-builds.patch (88%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0007-cmd-go-make-GOROOT-precious-by-default.patch (64%)
rename meta/recipes-devtools/go/{go-1.10 => go-1.11}/0009-ld-replace-glibc-dynamic-linker-with-musl.patch (91%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.10.bb => go-cross-canadian_1.11.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.10.bb => go-cross_1.11.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.10.bb => go-crosssdk_1.11.bb} (100%)
rename meta/recipes-devtools/go/{go-native_1.10.bb => go-native_1.11.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.10.bb => go-runtime_1.11.bb} (100%)
rename meta/recipes-devtools/go/{go_1.10.bb => go_1.11.bb} (100%)
create mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
create mode 100644 meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
hooks/post-receive