[yocto-security] [OE-core CVE] branch thud updated. 446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93
cve-notice at lists.openembedded.org
cve-notice at lists.openembedded.org
Sat Oct 26 02:37:28 PDT 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, thud has been updated
via 446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93 (commit)
via eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f (commit)
via 436cf0aa2b2802da706588d4daa1a8240d172df8 (commit)
from 2d088d252624b19df384aecc434d23afb636178f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93
Author: Peiran Hong <peiran.hong at windriver.com>
Date: Mon Sep 16 13:41:59 2019 -0400
tcpdump: Fix CVE-2017-16808
Backport selected parts of three upstream commits to fix
CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
Upstream-Status: Backport
[ several ]
Upstream commits fully backported:
46aead6 [CVE-2017-16808/AoE: Add a missing bounds check]
Upstream commits partially backported:
7068209 [Use nd_ types in 802.x and FDDI headers.]
84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
pointers (1/n)]
46aead6 fixes the vulnerability and requires two macros defined in
7068209 and 84ef17a, which are committed after the release of 4.9.2.
Only the definition of the macros are taken from the two commits
as they impact a wide range of code and are difficult to integrate.
CVE: CVE-2017-16808
Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f
Author: Dan Tran <dantran at microsoft.com>
Date: Wed Sep 25 17:12:49 2019 +0000
polkit: Fix CVE-2018-19788
Signed-off-by: Dan Tran <dantran at microsoft.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 436cf0aa2b2802da706588d4daa1a8240d172df8
Author: Denys Dmytriyenko <denys at ti.com>
Date: Fri Sep 27 20:56:39 2019 -0400
mariadb: update SRC_URI, as 5.5.64 has moved to archive
The old URL now gives 404 Not Found
Signed-off-by: Denys Dmytriyenko <denys at ti.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
-----------------------------------------------------------------------
Summary of changes:
...2017-16808-AoE-Add-a-missing-bounds-check.patch | 61 +++++++
.../recipes-support/tcpdump/tcpdump_4.9.2.bb | 1 +
meta-oe/recipes-dbs/mysql/mariadb.inc | 2 +-
.../polkit/polkit/CVE-2018-19788_p1.patch | 194 +++++++++++++++++++++
.../polkit/polkit/CVE-2018-19788_p2.patch | 153 ++++++++++++++++
.../polkit/polkit/CVE-2018-19788_p3.patch | 53 ++++++
meta-oe/recipes-extended/polkit/polkit_0.115.bb | 3 +
7 files changed, 466 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
hooks/post-receive
--
More information about the yocto-security
mailing list