[yocto-security] [OE-core CVE] branch thud updated. 2018-10-510-g57d30f2

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Tue Oct 15 07:54:20 PDT 2019 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, thud has been updated
       via  57d30f26c3dbba720079e98d429dfcb53d527d54 (commit)
       via  82a9850d6ef8cca816f9e0a53a8d20b056f95320 (commit)
       via  54c6892543319c4b8f7248e95966e956053c97b7 (commit)
       via  85da4ccfff2103815eb3cd9a0b0f1af122b05567 (commit)
       via  d68441ed80fd43f091baf01bfdb47c3ec010c662 (commit)
       via  3b8db95973fc144b00d59c4797adb405a935cd7c (commit)
       via  4972582767a3325d22a16db9a5479c2d0001964b (commit)
      from  e6728a873f1eef335a9e21bdface304f13f0c952 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 57d30f26c3dbba720079e98d429dfcb53d527d54
Author: Muminul Islam <muislam at microsoft.com>
Date:   Sun Oct 13 09:10:35 2019 -0700

    curl: Security fix for CVE-2019-5482
    
    Signed-off-by: Muminul Islam <muislam at microsoft.com>
    [Fixup for thud context]
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 82a9850d6ef8cca816f9e0a53a8d20b056f95320
Author: Muminul Islam <misla011 at fiu.edu>
Date:   Fri Oct 11 19:21:51 2019 +0000

    libsolv: Security fix for CVEs: <CVE-2018-20532, CVE-2018-20533, CVE-2018-20534>
    
    Signed-off-by: Muminul Islam <muislam at microsoft.com>
    
    CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
    
    Upstream-Status: Backport
    
    Cherry picked from  https://github.com/openSUSE/libsolv/pull/291/commits
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 54c6892543319c4b8f7248e95966e956053c97b7
Author: Dan Tran <dantran at microsoft.com>
Date:   Tue Oct 8 18:20:02 2019 +0000

    gnutls: Fix CVE-2019-3829 and CVE-2019-3836
    
    Signed-off-by: Dan Tran <dantran at microsoft.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 85da4ccfff2103815eb3cd9a0b0f1af122b05567
Author: c-thaler <christian.thaler at tes-dst.com>
Date:   Tue Sep 24 14:18:53 2019 +0200

    kernel-devsrc: check for localversion files in the kernel source tree
    
    localversion files are ignored. This might lead to a bad version magic when
    building out-of-tree modules via SDK.
    (Backport from master https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-kernel/linux/kernel-devsrc.bb?id=59fcee90de0cbb5b6b8333ab2b0e36214b174e52)
    
    Signed-off-by: Christian Thaler <christian.thaler at tes-dst.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit d68441ed80fd43f091baf01bfdb47c3ec010c662
Author: Muminul Islam <misla011 at fiu.edu>
Date:   Mon Oct 7 21:50:40 2019 +0000

    glibc: Security fix for cve <CVE-2019-6488, CVE-2019-7309>
    
    Signed-off-by: Muminul Islam <muislam at microsoft.com>
    
    CVE: CVE-2019-6488, CVE-2019-7309
    
    Upstream-Status: Backport
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 3b8db95973fc144b00d59c4797adb405a935cd7c
Author: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
Date:   Tue Apr 2 21:31:03 2019 +0200

    arch-arm64.inc: Lower the priority of aarch64 in MACHINEOVERRIDES
    
    This makes sure, e.g., ${SOC_FAMILY} and ${MACHINE} have higher
    priorities than aarch64.
    
    Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 4972582767a3325d22a16db9a5479c2d0001964b
Author: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
Date:   Fri Oct 11 10:16:49 2019 +0200

    kernel.bbclass: fix installation of modules signing certificates
    
    If one has provided external key/certificate for modules signing, Kbuild
    will skip creating signing_key.pem and will write only signing_key.x509
    certificate. Thus we have to check for .x509 file existence rather than
    .pem one.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    (cherry picked from commit 2527e731eba43bd36d0ea268aca6b03155376134)
    Signed-off-by: Nicolas Dechesne <nicolas.dechesne at linaro.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 meta/classes/kernel.bbclass                        |   2 +-
 meta/conf/machine/include/arm/arch-arm64.inc       |   2 +-
 meta/recipes-core/glibc/glibc/CVE-2019-6488.patch  | 274 +++++++
 meta/recipes-core/glibc/glibc/CVE-2019-7309.patch  | 207 +++++
 meta/recipes-core/glibc/glibc_2.28.bb              |   2 +
 .../0003-Fix-Dereference-of-null-pointer.patch     |  33 +
 .../0004-Fix-Add-va_end-before-return.patch        |  36 +
 .../libsolv/libsolv/0005-Fix-Memory-leaks.patch    | 158 ++++
 .../libsolv/0006-Fix-testsolv-segfault.patch       |  41 +
 .../libsolv/0007-Fix-testsolv-segfaults.patch      |  47 ++
 .../0008-Fix-Be-sure-that-NONBLOCK-is-set.patch    |  37 +
 ...0009-Don-t-set-values-that-are-never-read.patch | 113 +++
 meta/recipes-extended/libsolv/libsolv_0.6.35.bb    |   7 +
 meta/recipes-kernel/linux/kernel-devsrc.bb         |   9 +
 meta/recipes-support/curl/curl/CVE-2019-5482.patch |  68 ++
 meta/recipes-support/curl/curl_7.61.0.bb           |   1 +
 .../gnutls/gnutls/CVE-2019-3829_p1.patch           |  39 +
 .../gnutls/gnutls/CVE-2019-3829_p2.patch           | 871 +++++++++++++++++++++
 .../gnutls/gnutls/CVE-2019-3829_p3.patch           |  36 +
 .../gnutls/gnutls/CVE-2019-3836.patch              |  35 +
 meta/recipes-support/gnutls/gnutls_3.6.4.bb        |   4 +
 21 files changed, 2020 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-6488.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-7309.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
 create mode 100644 meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5482.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch


hooks/post-receive
--

More information about the yocto-security mailing list