[yocto-security] [OE-core CVE] branch thud updated. 2018-10-503-ge6728a8
cve-notice at lists.openembedded.org
Thu Oct 10 08:52:49 PDT 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, thud has been updated
via e6728a873f1eef335a9e21bdface304f13f0c952 (commit)
via e40c38afc1747d1ed71c9bd2ab3189bbb1efcee9 (commit)
via ff3b021136d7af66f05475da8475495fe7c653ee (commit)
via 5b5ca76cc5dd424248c7e687e562597a2c85df57 (commit)
via c901bc8cd9de5853185af2059c6f1efeb4ccdd60 (commit)
via c0c66d213b4b6deb0a5e9a688810d2e9674d3ecf (commit)
via cffd085ef77d055e5e837887b0eaf820aa982f00 (commit)
via fad633eb5c464d4e2a984b9259625bcd150ee357 (commit)
via 7857d85db69bcb2cb94399a22de6903263e52965 (commit)
via 8ca80002aa21897834b8c9869137461221e50225 (commit)
via e4b6a39bdf1b660233a7145599cd4fc3e971fc8f (commit)
via c54411d0e03fe1cea8b6bb0c80dea029dd264f36 (commit)
from f5be8c8309a932cde507ba24d042880a922df0b6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e6728a873f1eef335a9e21bdface304f13f0c952
Author: Michael Halstead <mhalstead at linuxfoundation.org>
Date: Mon Oct 7 09:47:57 2019 -0700
uninative: Update to 2.7 release
The 2.7 release updates glibc to version 2.30. Recently added to openSUSE
Tumbleweed and needed for Fedora Core 31.
Signed-off-by: Michael Halstead <mhalstead at linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit e40c38afc1747d1ed71c9bd2ab3189bbb1efcee9
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Dec 26 12:09:47 2018 -0800
gnupg: Do not apply -Woverride-init guard for gcc >= 9
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit ff3b021136d7af66f05475da8475495fe7c653ee
Author: Sean Nyekjaer <sean at geanix.com>
Date: Mon Sep 9 20:29:13 2019 +0200
libgpg-error: Fix build with gawk 5.x
Based on poky master, but for version 1.35
Signed-off-by: Sean Nyekjaer <sean at geanix.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
[backported to thud
yocto# 13580]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 5b5ca76cc5dd424248c7e687e562597a2c85df57
Author: Armin Kuster <akuster808 at gmail.com>
Date: Sat Oct 5 21:30:56 2019 -0700
qemu: fix build issue on new hosts with glibc 2.30
This fixes the following error:
TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:254:16: error: static declaration of ‘gettid’ follows non-static declaration
254 | _syscall0(int, gettid)
| ^~~~~~
TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:185:13: note: in definition of macro ‘_syscall0’
185 | static type name (void) \
| ^~~~
In file included from /usr/include/unistd.h:1170,
from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/include/qemu/osdep.h:90,
from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:20:
/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
34 | extern __pid_t gettid (void) __THROW;
| ^~~~~~
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit c901bc8cd9de5853185af2059c6f1efeb4ccdd60
Author: Andrii Bordunov via Openembedded-core <openembedded-core at lists.openembedded.org>
Date: Wed Oct 2 23:07:35 2019 -0700
wget: Security fixes CVE-2018-20483
Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description:
Fixes CVE-2018-20483
Signed-off-by: Aviraj CJ <acj at cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit c0c66d213b4b6deb0a5e9a688810d2e9674d3ecf
Author: Shubham Agrawal <shuagr at microsoft.com>
Date: Tue Oct 1 18:12:49 2019 +0000
sqlite3: Security fix for CVE-2019-8457
Signed-off-by: Shubham Agrawal <shuagr at microsoft.com>
[Cleaned up patch]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit cffd085ef77d055e5e837887b0eaf820aa982f00
Author: Dan Tran <dantran at microsoft.com>
Date: Mon Sep 30 23:11:08 2019 +0000
perl: Fix CVE-2018-18311 to 18314
Signed-off-by: Dan Tran <dantran at microsoft.com>
[Perl before 5.26.3 and 5.28.x before 5.28.1]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit fad633eb5c464d4e2a984b9259625bcd150ee357
Author: Adrian Bunk <bunk at stusta.de>
Date: Sun Sep 29 23:46:25 2019 +0300
json-c: Don't --enable-rdrand
In recent years AMD CPUs have had various problems with RDRAND
giving either non-random data or no result at all, which is
problematic if either build or target machine has a CPU with
this problem.
The fallback is /dev/urandom, and I'd trust the kernel here.
--enable-rdrand was added in an upgrade to a new upstream
version without mentioning any reason.
[YOCTO #13534]
Signed-off-by: Adrian Bunk <bunk at stusta.de>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 7857d85db69bcb2cb94399a22de6903263e52965
Author: Dan Tran <dantran at microsoft.com>
Date: Wed Sep 25 23:30:12 2019 +0000
unzip: fix CVE-2019-13232
Signed-off-by: Dan Tran <dantran at microsoft.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 8ca80002aa21897834b8c9869137461221e50225
Author: Shubham Agrawal <shuagr at microsoft.com>
Date: Mon Sep 23 21:26:16 2019 +0000
elfutils: CVE fix for elfutils
CVE: CVE-2019-7664.patch
CVE: CVE-2019-7665.patch
Sign off: Shubham Agrawal <shuagr at microsoft.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit e4b6a39bdf1b660233a7145599cd4fc3e971fc8f
Author: Dan Tran <dantran at microsoft.com>
Date: Fri Sep 20 18:46:57 2019 +0000
qemu: Fix 4 CVEs
Fixes CVE-2018-18954, CVE-2019-3812, CVE-2019-6778, and CVE-2019-8934.
Also deleted duplicated patch and cleanup.
Signed-off-by: Dan Tran <dantran at microsoft.com>
[fixup for thud-next]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit c54411d0e03fe1cea8b6bb0c80dea029dd264f36
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Fri Dec 7 14:43:07 2018 +0800
oeqa/selftest/context: ensure log directory exists
Ensure log directory exists to avoid the following error.
FileNotFoundError: [Errno 2] No such file or directory: '/.../build-selftest/tmp/log/oe-selftest-results-20181207043431.log'
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
-----------------------------------------------------------------------
Summary of changes:
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oeqa/selftest/context.py | 1 +
meta/recipes-devtools/elfutils/elfutils_0.175.bb | 2 +
.../elfutils/files/CVE-2019-7664.patch | 65 ++++
.../elfutils/files/CVE-2019-7665.patch | 154 +++++++++
meta/recipes-devtools/json-c/json-c_0.13.1.bb | 2 -
.../perl/perl/CVE-2018-18311.patch | 183 +++++++++++
.../perl/perl/CVE-2018-18312.patch | Bin 0 -> 2125 bytes
.../perl/perl/CVE-2018-18313.patch | 60 ++++
.../perl/perl/CVE-2018-18314.patch | 271 ++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.4.bb | 4 +
...nux-user-assume-__NR_gettid-always-exists.patch | 49 +++
...rename-gettid-to-sys_gettid-to-avoid-clas.patch | 95 ++++++
.../qemu/qemu/CVE-2018-10839.patch | 2 +-
.../qemu/qemu/CVE-2018-17958.patch | 52 ---
.../qemu/qemu/CVE-2018-18954.patch | 50 +++
.../recipes-devtools/qemu/qemu/CVE-2019-3812.patch | 39 +++
.../recipes-devtools/qemu/qemu/CVE-2019-6778.patch | 41 +++
.../recipes-devtools/qemu/qemu/CVE-2019-8934.patch | 215 +++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 8 +-
.../unzip/unzip/CVE-2019-13232_p1.patch | 33 ++
.../unzip/unzip/CVE-2019-13232_p2.patch | 356 +++++++++++++++++++++
.../unzip/unzip/CVE-2019-13232_p3.patch | 121 +++++++
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +
.../wget/wget/CVE-2018-20483_p1.patch | 73 +++++
.../wget/wget/CVE-2018-20483_p2.patch | 127 ++++++++
meta/recipes-extended/wget/wget_1.19.5.bb | 2 +
...1-Woverride-init-is-not-needed-with-gcc-9.patch | 31 ++
...c-use-a-custom-value-for-the-location-of-.patch | 6 +-
meta/recipes-support/gnupg/gnupg/relocate.patch | 2 +-
meta/recipes-support/gnupg/gnupg_2.2.12.bb | 3 +-
.../libgpg-error-1.35-gawk5-support.patch | 161 ++++++++++
.../libgpg-error/libgpg-error_1.32.bb | 1 +
.../sqlite/files/CVE-2019-8457.patch | 126 ++++++++
meta/recipes-support/sqlite/sqlite3_3.23.1.bb | 1 +
35 files changed, 2283 insertions(+), 66 deletions(-)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
create mode 100644 meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-8457.patch
hooks/post-receive
--