[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.7-129-ga7d8fdf
cve-notice at lists.openembedded.org
Sat Oct 19 10:14:03 PDT 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master-next has been updated
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O (18a33314a844c8ed693aba1086f5458c05a4c06c)
            \
             N -- N -- N (a7d8fdfef7588ba02ee19f251e9d9c97a06d933c)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a7d8fdfef7588ba02ee19f251e9d9c97a06d933c
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Sat Oct 19 09:00:31 2019 +0100
aspell: Fix
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 7f9e2497d65032d1bbd7eea8a0e82976895f7b40
Author: Max Tomago <max.tomago at codethink.co.uk>
Date: Tue Oct 15 17:37:44 2019 +0100
python-native: Remove debug.patch
It doesn't look like it should be there.
Signed-off-by: Max Tomago <max.tomago at codethink.co.uk>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 26decb3fbcd5e4f60445b419b8812469e82b22c8
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date: Wed Oct 16 06:23:21 2019 -0700
aspell: upgrade from 0.60.7 to 0.60.8
New version fixes CVE-2019-17544 as well as various other bugs.
CVE: CVE-2019-17544
Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 68a10763e64764a0d43be9162e7b99833f5296db
Author: Mikko Rapeli <mikko.rapeli at bmw.de>
Date: Thu Oct 17 10:31:58 2019 +0300
systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE}
This has been the traditional way of enabling systemd services.
It may conflict with presets feature, but other layers, image classes
and recipes add services to be enabled using SYSTEMD_SERVICE
variable also with read-only rootfs, e.g. IMAGE_FEATURES has
stateless-rootfs and systemd_preset_all task is not executed.
Fixes startup of custom services from our recipes using custom
image classes with various BSP layers. In the worst case even
serial console getty service wasn't starting due to dependency
on not enabled services.
Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
Cc: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 81b375ac7851088a671317468a8e2eed69d4a827
Author: Changqing Li <changqing.li at windriver.com>
Date: Thu Oct 17 10:52:27 2019 +0800
qemu: Fix CVE-2019-12068
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ec856301887b1139f93aa54d04bed9b842357b4f
Author: André Draszik <git at andred.net>
Date: Thu Oct 17 10:28:02 2019 +0100
oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs
This doesn't work on read-only-rootfs:
AssertionError: 1 != 0 : SYSTEMD_BUS_TIMEOUT=240s systemctl disable avahi-daemon.service
Failed to disable unit: File /etc/systemd/system/multi-user.target.wants/avahi-daemon.service: Read-only file system
This patch does two things:
1) Decorate the existing test to be skipped if the rootfs is
read-only
2) add a new test to be executed only if the rootfs is
read-only. This new test remounts the rootfs read-write
before continuing to execute the existing test, making
sure to clean up correctly after itself (remount r/o
again).
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 84640e2b4daf4cf22c5b0324c22332f59e4d51e3
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:24 2019 +0100
oeqa/runtime/opkg: skip install on read-only-rootfs
Images can have package management enabled, but be
generally running as read-only. In this case, the
test fails at the moment with various errors due to
that.
Use the new @skipIfFeature decorator to also skip
this test in that case.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ff2218f7cc3992725dd35499c14ec3396120dcc5
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:23 2019 +0100
oeqa/core/decorator: add skipIfFeature
skipIfFeature will skip a test if a given DIST_FEATURE
or IMAGE_FEATURE is enabled.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 8c23c1476d0c64b9bc8806db03414fa914c1e658
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:22 2019 +0100
oeqa/runtime/df: don't fail on long device names
When device names are long (more than 20 characters), the
df test will fail with an exception:
self.assertTrue(int(output)>5120, msg=msg)
ValueError: invalid literal for int() with base 10: ''
at least when busybox is in use.
The reason is that busybox breaks the line in that case:
    Filesystem 1K-blocks Used Available Use% Mounted on
    /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02
    1998672 87024 1790408 5% /
and the code tries to extract the fourth field from the
second line, which is empty of course.
df can be told not to break lines, though, using the -P
flag, which turns on the POSIX output format, and is
supported by busybox df and coreutils df:
    Filesystem 1024-blocks Used Available Capacity Mounted on
    /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02 1998672 87024 1790408 5% /
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
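An added example, not part of the commit or of the oeqa test code: the failure mode described in the df commit above, reproduced on the two listings quoted in its message, next to a parser that tolerates a device name wrapped onto its own line. The function names naive_available and available_kib are hypothetical.

```python
# Constructed inputs: the two df listings quoted in the commit message above.
WRAPPED = """\
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02
1998672 87024 1790408 5% /
"""
POSIX = """\
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02 1998672 87024 1790408 5% /
"""


def naive_available(df_output):
    """Fourth field of the second line, '' if absent (the failing approach)."""
    fields = df_output.splitlines()[1].split()
    return fields[3] if len(fields) > 3 else ""


def available_kib(df_output, mount_point="/"):
    """Available 1K-blocks for mount_point, tolerating wrapped records."""
    pending = None  # device name that was split onto its own line
    for line in df_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if not fields:
            continue
        if pending is not None:
            fields, pending = [pending] + fields, None
        elif len(fields) == 1:
            pending = fields[0]
            continue
        if len(fields) < 6 or not fields[3].isdigit():
            raise ValueError("unparseable df record: %r" % line)
        # A mount point may contain spaces; it is everything after Use%.
        if " ".join(fields[5:]) == mount_point:
            return int(fields[3])
    raise LookupError("mount point %r not found" % mount_point)


if __name__ == "__main__":
    print(repr(naive_available(WRAPPED)))  # empty string, so int() would fail
    print(available_kib(WRAPPED), available_kib(POSIX))
```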
commit d99617b8f2a9354b7357524fcd2eee16af0677b7
Author: André Draszik <git at andred.net>
Date: Wed Oct 16 10:18:21 2019 +0100
testimage.bbclass: enable ssh agent forwarding
Some targets might use ssh to do their power- or serial-
control. In that case, ssh might need access to the
ssh agent, or otherwise won't work.
So export it into the environment.
Note that the (old) oeqa/controllers/masterimage.py
tries to do that as well by exporting all of BB_ORIGENV
into the test environment. Here in testimage.bbclass we
are a bit more strict and only pass the ssh related
environment variables.
Signed-off-by: André Draszik <git at andred.net>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 0ab7e3b573a58cc3a869ef33fd8737ca7fe04550
Author: André Draszik <andre.draszik at jci.com>
Date: Wed Oct 16 10:18:20 2019 +0100
testimage.bbclass: support hardware-controlled targets
Since the introduction of the new runtime framework for target
testing in commit 2aa5a4954d76
("testimage.bbclass: Migrate class to use new runtime framework")
commit 3857e5c91da6 in poky.git, target controllers have no
access to the global datastore 'd' anymore.
This makes it impossible for a specific OEQA (hardware)
controller to access documented properties like
TEST_POWERCONTROL_CMD, TEST_SERIALCONTROL_CMD, etc,
meaning it's impossible for those controllers to actually
control the hardware.
To solve this, simply add those documented variables into
the target_kwargs[].
Signed-off-by: André Draszik <andre.draszik at jci.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 6958f7e4c6a1c27e823ae0a74c1642d78ca7a45e
Author: Ross Burton <ross.burton at intel.com>
Date: Thu Oct 17 12:29:45 2019 +0100
gawk: add PACKAGECONFIG for readline
Add a PACKAGECONFIG so that readline can be disabled if desired.
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 04136dbac48986dce5b2b872b2c0b46c673c44f2
Author: Ross Burton <ross.burton at intel.com>
Date: Thu Oct 17 12:29:44 2019 +0100
python3: -dev should depend on distutils
python3-config uses distutils:
Traceback (most recent call last):
File "/usr/bin/python3-config", line 9, in <module>
from distutils import sysconfig
ModuleNotFoundError: No module named 'distutils'
Add the dependency so that distutils is always present.
[ YOCTO #13592 ]
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit c73d2a2c0ecc99f0d6d7e6a1861ecce7a2312a57
Author: Ricardo Ribalda Delgado <ricardo at ribalda.com>
Date: Thu Oct 17 16:16:19 2019 +0200
i2c-tools: Add missing RDEPEND
Fixes:
# decode-dimms
Can't locate Carp.pm in @INC (you may need to install the Carp module) (@INC contains: /usr/lib/perl5/site_perl/5.28.1/x86_64-linux /usr/lib/perl5/site_perl/5.28.1 /usr/lib/perl5/vendor_perl/5.28.1/x86_64-linux /usr/lib/perl5/vendor_perl/5.28.1 /usr/lib/perl5/5.28.1/x86_64-linux /usr/lib/perl5/5.28.1 .) at /usr/lib/perl5/5.28.1/Tie/Hash.pm line 190.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.28.1/Tie/Hash.pm line 190.
Compilation failed in require at /usr/lib/perl5/5.28.1/x86_64-linux/POSIX.pm line 505.
Compilation failed in require at /usr/bin/decode-dimms line 41.
BEGIN failed--compilation aborted at /usr/bin/decode-dimms line 41.
root@qt5222:~# apt-get install perl-module-carp
Signed-off-by: Ricardo Ribalda Delgado <ricardo at ribalda.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit a752faa152df031df5acaa40491299ac115109a4
Author: Ross Burton <ross.burton at intel.com>
Date: Fri Oct 18 12:28:19 2019 +0100
file: explicitly disable seccomp
file will automatically enable seccomp if the seccomp headers are available, but
the build will fail on Opensuse Tumbleweed because the include paths are wrong.
Enabling seccomp is a bad idea because it interacts badly with pseudo (causing
build failures), so explicitly and globally disable seccomp.
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 073c435644091c2801e45c6d02afa917de575082
Author: Eugene Smirnov <eu.smirnoff at gmail.com>
Date: Fri Oct 18 13:16:14 2019 +0200
wic/rawcopy: Support files in sub-directories
If the source file is located in a subdirectory of DEPLOY_DIR
rawcopy will currently fail in sparse_copy function on
open(dst_fname, 'wb'), as the parent directory for destination
file does not exist.
This patch helps to avoid that by recursively creating
parent directories.
Signed-off-by: Eugene Smirnov <evgenii.smirnov at here.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 8bd4b87071c073a0e4d265bc00df34684a355eff
Author: Hongxu Jia <hongxu.jia at windriver.com>
Date: Fri Oct 18 15:10:01 2019 +0800
openssh: fix CVE-2019-16905
Backport a patch from upstream to fix CVE-2019-16905
https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit a1c95580549cb4f77601e62c7f026b19c752d853
Author: Stefan Agner <stefan.agner at toradex.com>
Date: Fri Oct 11 11:06:59 2019 +0200
uninative: check .done file instead of tarball
In case multiple builds share UNINATIVE_DLDIR's location, one build
might be in the process of downloading the tarball while another is
just checking whether the tarball exists. Check for the done file
instead and rely on the fetchers lockfile mechanism in case two
builds are running.
Signed-off-by: Stefan Agner <stefan.agner at toradex.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit b0efd8d4d0dbc30e6505b42f5603f18fa764d732
Author: Ross Burton <ross.burton at intel.com>
Date: Mon Oct 14 12:42:57 2019 +0100
sanity: check the format of SDK_VENDOR
If SDK_VENDOR isn't formatted as -foosdk and is instead for example -foo-sdk
then the triples that are constructed are not in fact triples, which results in
mysterious compile errors.
Check in sanity.bbclass so this failure is detected early.
[ YOCTO #13573 ]
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 70b9cdf86b9c5ed14937500619387a890a57ef20
Author: Yi Zhao <yi.zhao at windriver.com>
Date: Mon Oct 14 14:43:15 2019 +0800
libsdl2: fix CVE-2019-13616
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-13616
Patch from:
https://hg.libsdl.org/SDL/rev/e7ba650a643a
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
-----------------------------------------------------------------------
Summary of changes:
...esktop-schemas_3.34.0.bb => gsettings-desktop-schemas_3.32.0.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-gnome/gsettings-desktop-schemas/{gsettings-desktop-schemas_3.34.0.bb => gsettings-desktop-schemas_3.32.0.bb} (70%)
hooks/post-receive