[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.7-129-g27cce25
cve-notice at lists.openembedded.org
Sat Oct 19 00:53:36 PDT 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master-next has been updated
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O   (5cfaaed25cdde42949042e63abf180b570f9797e)
            \
             N -- N -- N   (27cce2546deff7ec042d22695d7b06046d799e34)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 27cce2546deff7ec042d22695d7b06046d799e34
Author: Max Tomago <max.tomago at codethink.co.uk>
Date: Tue Oct 15 17:37:44 2019 +0100
python-native: Remove debug.patch
It doesn't look like it should be there.
Signed-off-by: Max Tomago <max.tomago at codethink.co.uk>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit c2a2fe251b986ab12749842817a2efb1356dd8d5
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date: Wed Oct 16 06:23:21 2019 -0700
aspell: upgrade from 0.60.7 to 0.60.8
New version fixes CVE-2019-17544 as well as various other bugs.
CVE: CVE-2019-17544
Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit aeb721b5fe5ddfdd997d23f243dbdafd85223d6f
Author: Mikko Rapeli <mikko.rapeli at bmw.de>
Date: Thu Oct 17 10:31:58 2019 +0300
systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE}
This has been the traditional way of enabling systemd services.
It may conflict with presets feature, but other layers, image classes
and recipes add services to be enabled using SYSTEMD_SERVICE
variable also with read-only rootfs, e.g. IMAGE_FEATURES has
stateless-rootfs and systemd_preset_all task is not executed.
Fixes startup of custom services from our recipes using custom
image classes with various BSP layers. In the worst case even
serial console getty service wasn't starting due to dependency
on not enabled services.
Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
Cc: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ac65d591af5d382fa2ad6d9338486d8b9cdda355
Author: Changqing Li <changqing.li at windriver.com>
Date: Thu Oct 17 10:52:27 2019 +0800
qemu: Fix CVE-2019-12068
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ae5faad5d09668b780da44628e94d10520b05a94
Author: André Draszik <git at andred.net>
Date: Thu Oct 17 10:28:02 2019 +0100
oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs
This doesn't work on read-only-rootfs:
    AssertionError: 1 != 0 : SYSTEMD_BUS_TIMEOUT=240s systemctl disable avahi-daemon.service
    Failed to disable unit: File /etc/systemd/system/multi-user.target.wants/avahi-daemon.service: Read-only file system
This patch does two things:
1) Decorate the existing test to be skipped if the rootfs is
   read-only
2) add a new test to be executed only if the rootfs is
   read-only. This new test remounts the rootfs read-write
   before continuing to execute the existing test, making
   sure to clean up correctly after itself (remount r/o
   again).
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 369469f184344323c80bff3cd6bc80b27485010e
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:24 2019 +0100
oeqa/runtime/opkg: skip install on read-only-rootfs
Images can have package management enabled, but be
generally running as read-only. In this case, the
test fails at the moment with various errors due to
that.
Use the new @skipIfFeature decorator to also skip
this test in that case.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 779a016408597c93cdbe81dde0b9c14c267444ca
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:23 2019 +0100
oeqa/core/decorator: add skipIfFeature
skipIfFeature will skip a test if a given DIST_FEATURE
or IMAGE_FEATURE is enabled.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit f86aca40dcc72f6268228a094a953c5cf1eb5114
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:22 2019 +0100
oeqa/runtime/df: don't fail on long device names
When device names are long (more than 20 characters), the
df test will fail with an exception:
    self.assertTrue(int(output)>5120, msg=msg)
    ValueError: invalid literal for int() with base 10: ''
at least when busybox is in use.
The reason is that busybox breaks the line in that case:
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02
                           1998672     87024   1790408   5% /
and the code tries to extract the fourth field from the
second line, which is empty of course.
df can be told not to break lines, though, using the -P
flag, which turns on the POSIX output format, and is
supported by busybox df and coreutils df:
    Filesystem           1024-blocks    Used Available Capacity Mounted on
    /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02   1998672     87024   1790408   5% /
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit b95f84ace9efce1857502d6ed234dcf776026b41
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:21 2019 +0100
testimage.bbclass: enable ssh agent forwarding
Some targets might use ssh to do their power- or serial-
control. In that case, ssh might need access to the
ssh agent, or otherwise won't work.
So export it into the environment.
Note that the (old) oeqa/controllers/masterimage.py
tries to do that as well by exporting all of BB_ORIGENV
into the test environment. Here in testimage.bbclass we
are a bit more strict and only pass the ssh related
environment variables.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 4716ccb526357172a67a452da2ce091e6a95692c
Author: André Draszik <andre.draszik at jci.com>
Date: Wed Oct 16 10:18:20 2019 +0100
testimage.bbclass: support hardware-controlled targets
Since the introduction of the new runtime framework for target
testing in commit 2aa5a4954d76
("testimage.bbclass: Migrate class to use new runtime framework")
commit 3857e5c91da6 in poky.git, target controllers have no
access to the global datastore 'd' anymore.
This makes it impossible for a specific OEQA (hardware)
controller to access documented properties like
TEST_POWERCONTROL_CMD, TEST_SERIALCONTROL_CMD, etc,
meaning it's impossible for those controllers to actually
control the hardware.
To solve this, simply add those documented variables into
the target_kwargs[].
Signed-off-by: André Draszik <andre.draszik at jci.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 0ae25a91fffa294bc549716474215667e70d676a
Author: Ross Burton <ross.burton at intel.com>
Date: Thu Oct 17 12:29:45 2019 +0100
gawk: add PACKAGECONFIG for readline
Add a PACKAGECONFIG so that readline can be disabled if desired.
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 9517dc1746f3ddfafd914350f9e41c2b9436fb24
Author: Ross Burton <ross.burton at intel.com>
Date: Thu Oct 17 12:29:44 2019 +0100
python3: -dev should depend on distutils
python3-config uses distutils:
    Traceback (most recent call last):
      File "/usr/bin/python3-config", line 9, in <module>
        from distutils import sysconfig
    ModuleNotFoundError: No module named 'distutils'
Add the dependency so that distutils is always present.
[ YOCTO #13592 ]
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
-----------------------------------------------------------------------
Summary of changes:
meta/recipes-devtools/python/python3/python3-manifest.json | 6 ++----
meta/recipes-devtools/python/python3_3.7.4.bb | 11 ++++-------
2 files changed, 6 insertions(+), 11 deletions(-)
hooks/post-receive
--
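Added example, not part of the original email or of the OE-core code: the df parsing failure described in commit f86aca40 above, reproduced on the two outputs quoted there, next to a parser that accepts both the wrapped and the -P form. The function names (naive_available, parse_df, available_kb) are hypothetical, and naive_available only models the "fourth field of the second line" behaviour the commit message describes.

```python
# Constructed samples: the two busybox df outputs quoted in the commit message.
DEV = "/dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02"
DF_DEFAULT = (
    "Filesystem           1K-blocks      Used Available Use% Mounted on\n"
    + DEV + "\n"
    "                       1998672     87024   1790408   5% /\n"
)
DF_POSIX = (
    "Filesystem           1024-blocks    Used Available Capacity Mounted on\n"
    + DEV + "   1998672     87024   1790408   5% /\n"
)

def naive_available(output):
    """Hypothetical model of the old test: 4th field of the 2nd line, awk-style."""
    fields = output.splitlines()[1].split()
    field = fields[3] if len(fields) > 3 else ""   # awk yields '' for a missing field
    return int(field)                              # ValueError on the wrapped form

def parse_df(output):
    """Parse df output, rejoining a device name that was wrapped onto its own line."""
    rows, pending = [], None
    for line in output.splitlines()[1:]:           # skip the header line
        fields = line.split()
        if not fields:
            continue
        if pending is not None:                    # continuation of a wrapped entry
            fields, pending = [pending] + fields, None
        elif len(fields) == 1:                     # device name alone: entry was wrapped
            pending = fields[0]
            continue
        if len(fields) < 6:
            raise ValueError("unexpected df line: %r" % line)
        rows.append({"device": fields[0], "blocks": int(fields[1]),
                     "used": int(fields[2]), "available": int(fields[3]),
                     "mount": " ".join(fields[5:])})
    if pending is not None:
        raise ValueError("truncated df output after %r" % pending)
    return rows

def available_kb(output, mount="/"):
    """Available 1K blocks for a mount point, for either output format."""
    for row in parse_df(output):
        if row["mount"] == mount:
            return row["available"]
    raise LookupError("mount point %r not in df output" % mount)

if __name__ == "__main__":
    for name, text in (("default", DF_DEFAULT), ("-P", DF_POSIX)):
        print(name, available_kb(text))
```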