[yocto-security] [OE-core CVE] branch warrior updated. a24acf94d48d635eca668ea34598c6e5c857e3f8

cve-notice at lists.openembedded.org
Sat Oct 26 02:11:33 PDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, warrior has been updated
       via  a24acf94d48d635eca668ea34598c6e5c857e3f8 (commit)
       via  fea53271d1fcd482ed1003e40f2cf5573cdb37a3 (commit)
       via  b71e3bb1db813bf4bfdf45492ed5f69b643d9587 (commit)
       via  7f011d0ba2e0dd31f3f07d03730974ea862e926b (commit)
       via  b0478316a19814a79c030640e7d45eca6971d0a8 (commit)
       via  f59d83d7c51a1d93dfcade6c863a35c67df106f6 (commit)
       via  59475ff3927faad212816c1894c140ffae1eeabf (commit)
       via  cba875fdac3081137d8b33ee7fb5dc9e8d7818da (commit)
       via  626364981cd1ee5facf600b4b5bb9d083971e151 (commit)
       via  9949bbf7deee741297e79850b4a22bf29a579157 (commit)
      from  f4ccdf2bc3fe4f00778629088baab840c868e36b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a24acf94d48d635eca668ea34598c6e5c857e3f8
Author: Peiran Hong <peiran.hong at windriver.com>
Date:   Wed Oct 9 10:43:15 2019 -0400

    tcpdump: Delete unused patch
    
    Delete patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch"
    since it is not used in the tcpdump recipe anymore.
    
    Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 01b55a8a552d460acbe3673268733a78b47c5c03)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit fea53271d1fcd482ed1003e40f2cf5573cdb37a3
Author: Peiran Hong <peiran.hong at windriver.com>
Date:   Mon Oct 7 09:43:40 2019 -0400

    tcpdump: upgrade 4.9.2 -> 4.9.3
    
    This upgrade adds some new features and fixes numerous bugs including
    the following CVEs:
    CVE: CVE-2017-16808 (AoE)
    CVE: CVE-2018-14468 (FrameRelay)
    CVE: CVE-2018-14469 (IKEv1)
    CVE: CVE-2018-14470 (BABEL)
    CVE: CVE-2018-14466 (AFS/RX)
    CVE: CVE-2018-14461 (LDP)
    CVE: CVE-2018-14462 (ICMP)
    CVE: CVE-2018-14465 (RSVP)
    CVE: CVE-2018-14881 (BGP)
    CVE: CVE-2018-14464 (LMP)
    CVE: CVE-2018-14463 (VRRP)
    CVE: CVE-2018-14467 (BGP)
    CVE: CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
    CVE: CVE-2018-10105 (SMB - too unreliably reproduced,
                               SMB printing disabled)
    CVE: CVE-2018-14880 (OSPF6)
    CVE: CVE-2018-16451 (SMB)
    CVE: CVE-2018-14882 (RPL)
    CVE: CVE-2018-16227 (802.11)
    CVE: CVE-2018-16229 (DCCP)
    CVE: CVE-2018-16301 (was fixed in libpcap)
    CVE: CVE-2018-16230 (BGP)
    CVE: CVE-2018-16452 (SMB)
    CVE: CVE-2018-16300 (BGP)
    CVE: CVE-2018-16228 (HNCP)
    CVE: CVE-2019-15166 (LMP)
    CVE: CVE-2019-15167 (VRRP)
    CVE: CVE-2018-14879 (tcpdump -V)
    
    Deleted patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch"
    since the fix is included in the upgrade.
    
    Modified patches "avoid-absolute-path-when-searching-for-libdlpi.patch",
    "unnecessary-to-check-libpcap.patch", and "add-ptest.path" since
    the upgrade renamed configure.in to configure.ac and made changes
    to the file.
    
    Added PACKAGECONFIG for smb. It is disabled by default in
    the upgraded version in both the package's configure script and this
    bitbake recipe since it is insecure.
    
    Modified the parsing of ptest result to align with the new output
    format.
    
    With core-image-minimal on qemux86-64/kvm:
    Recipe         | Passed      | Failed   | Skipped   | Time(s)
    Before         | 408         | 0        | 2         | 4
    After          | 431         | 11       | 2         | 10
    
    11 tests failed after the upgrade since libpcap is not upgraded
    alongside tcpdump.
    
    Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 71535e2f0ea76d39d2911e022905ec8ee9843872)
    [Upgrade is a reasonable path due to the # of patches needed to address
     all these issues]
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit b71e3bb1db813bf4bfdf45492ed5f69b643d9587
Author: Khem Raj <raj.khem at gmail.com>
Date:   Sat Oct 5 08:33:45 2019 -0700

    xorg-fonts-100dpi: Change License Custom -> MIT
    
    This is a meta package which collects a bunch of 100dpi font packages
    together, all of which are also under the MIT license. Custom is not a known
    type; moreover, MIT is well suited for this recipe for compatibility.
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit c95c94d689f3b4972db72f511a60bcef52b8080d)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 7f011d0ba2e0dd31f3f07d03730974ea862e926b
Author: Qi.Chen at windriver.com <Qi.Chen at windriver.com>
Date:   Thu Oct 17 20:45:24 2019 +0000

    protobuf-c: fix race condition
    
    Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Sinan Kaya <okaya at kernel.org>
    (cherry picked from commit 489d3b4b932ee8016d792341f8ea5836a9522cd4)
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit b0478316a19814a79c030640e7d45eca6971d0a8
Author: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
Date:   Wed Oct 16 18:46:50 2019 +0200

    kconfig-frontends: Retrieve the Git repository from GitLab
    
    The ymorin.is-a-geek.org site has been down since September and there
    is no indication of when, if ever, it will be back. Retrieve the
    repository from GitLab instead, as recommended by the maintainer, Yann E.
    Morin.
    
    Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit f59d83d7c51a1d93dfcade6c863a35c67df106f6
Author: Pavel Modilaynen <pavelmn at axis.com>
Date:   Wed Oct 16 18:46:49 2019 +0200

    jsoncpp: add native BBCLASSEXTEND
    
    Extend to native builds; this is useful for unit tests.
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 59475ff3927faad212816c1894c140ffae1eeabf
Author: Martin Jansa <martin.jansa at gmail.com>
Date:   Tue Oct 15 08:53:23 2019 +0000

    python3-twofish: Fix missing return statements in module stubs
    
    * fixes build with -Werror=return-type
      twofish.c: In function 'init_twofish':
      twofish.c:45:1: error: control reaches end of non-void function [-Werror=return-type]
         45 | PyMODINIT_FUNC init_twofish(void) { }
            | ^~~~~~~~~~~~~~
      twofish.c: In function 'PyInit__twofish':
      twofish.c:46:1: error: control reaches end of non-void function [-Werror=return-type]
         46 | PyMODINIT_FUNC PyInit__twofish(void) { }
            | ^~~~~~~~~~~~~~
      cc1: some warnings being treated as errors
    
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit cba875fdac3081137d8b33ee7fb5dc9e8d7818da
Author: Andreas Müller <schnitzeltony at gmail.com>
Date:   Fri Oct 11 10:06:29 2019 +0200

    vlc: rework qt PACKAGECONFIG
    
    * qt4 support is gone -> move to qt5
    * while at it remove noop libtool copy
    
    Signed-off-by: Andreas Müller <schnitzeltony at gmail.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit a086334bce809327a9ca6fe1006ae63861116349)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 626364981cd1ee5facf600b4b5bb9d083971e151
Author: Andreas Müller <schnitzeltony at gmail.com>
Date:   Fri Oct 11 10:06:28 2019 +0200

    polkit-group-rules: Fix error in do_rootfs for rpm package-manager
    
    * An issue in meta-mortsgna was reported. Discussion is found at [1]
    * We do similar in meta-gnome's gvfs for same reason [2]
    * This is a bugfix which should apply and work for many release-branches
    
    Fixes:
    | Error: Transaction check error:
    |   file /etc/polkit-1/rules.d conflicts between attempted installs of polkit-group-rule-datetime-1.0-r0.cortexa7t2hf_neon_vfpv4 and polkit-0.115-r0.cortexa7t2hf_neon_vfpv4
    
    [1] https://github.com/schnitzeltony/meta-mortsgna/issues/11
    [2] https://github.com/openembedded/meta-openembedded/blob/fd1a0c9210b162ccb147e933984c755d32899efc/meta-gnome/recipes-gnome/gvfs/gvfs_1.41.2.bb#L72
    
    Signed-off-by: Andreas Müller <schnitzeltony at gmail.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit a47d38561249411449cc62ba878eb7c36916fe55)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 9949bbf7deee741297e79850b4a22bf29a579157
Author: Andreas Müller <schnitzeltony at gmail.com>
Date:   Fri Oct 11 10:06:27 2019 +0200

    xfce4-panel: Draw icons/background properly when compositing is disabled
    
    A similar patch was sent for master [1] but that was superseded by the upgrade of
    xfce4-panel 4.14.0 -> 4.14.1 [2]
    
    [1] http://lists.openembedded.org/pipermail/openembedded-devel/2019-September/201966.html
    [2] http://lists.openembedded.org/pipermail/openembedded-devel/2019-September/201986.html
    
    Signed-off-by: Andreas Müller <schnitzeltony at gmail.com>
    Acked-by: Kai Kang <kai.kang at windriver.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 meta-multimedia/recipes-multimedia/vlc/vlc.inc     | 24 ++++---
 ...2017-16808-AoE-Add-a-missing-bounds-check.patch | 61 -----------------
 .../tcpdump/tcpdump/add-ptest.patch                |  9 +--
 ...-absolute-path-when-searching-for-libdlpi.patch | 19 ++---
 .../recipes-support/tcpdump/tcpdump/run-ptest      |  4 +-
 .../tcpdump/unnecessary-to-check-libpcap.patch     | 15 ++--
 .../tcpdump/{tcpdump_4.9.2.bb => tcpdump_4.9.3.bb} | 12 +++-
 meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.8.4.bb  |  2 +
 .../kconfig-frontends_4.11.0.1.bb                  |  4 +-
 .../protobuf-c/0001-avoid-race-condition.patch     | 36 ++++++++++
 .../recipes-devtools/protobuf/protobuf-c_1.3.1.bb  |  3 +-
 .../recipes-extended/polkit/polkit-group-rule.inc  |  2 +-
 .../xorg-font/xorg-fonts-100dpi.bb                 |  2 +-
 ...missing-return-statements-in-module-stubs.patch | 38 ++++++++++
 .../python/python3-twofish_0.3.0.bb                |  2 +
 ...y-Fix-icons-without-compositing-Bug-14577.patch | 80 ++++++++++++++++++++++
 .../recipes-xfce/xfce4-panel/xfce4-panel_4.13.4.bb |  1 +
 17 files changed, 214 insertions(+), 100 deletions(-)
 delete mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
 rename meta-networking/recipes-support/tcpdump/{tcpdump_4.9.2.bb => tcpdump_4.9.3.bb} (74%)
 create mode 100644 meta-oe/recipes-devtools/protobuf/protobuf-c/0001-avoid-race-condition.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-twofish/0001-Fix-missing-return-statements-in-module-stubs.patch
 create mode 100644 meta-xfce/recipes-xfce/xfce4-panel/files/0002-systray-Fix-icons-without-compositing-Bug-14577.patch


hooks/post-receive
-- 