[yocto-security] [OE-core CVE] branch thud updated. 446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93

cve-notice at lists.openembedded.org
Sat Oct 26 02:37:28 PDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, thud has been updated
       via  446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93 (commit)
       via  eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f (commit)
       via  436cf0aa2b2802da706588d4daa1a8240d172df8 (commit)
      from  2d088d252624b19df384aecc434d23afb636178f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 446bd615fd7cb9bc7a159fe5c2019ed08d1a7a93
Author: Peiran Hong <peiran.hong at windriver.com>
Date:   Mon Sep 16 13:41:59 2019 -0400

    tcpdump: Fix CVE-2017-16808
    
    Backport selected parts of three upstream commits to fix
    CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
    
    Upstream-Status: Backport
    [ several ]
    
    Upstream commits fully backported:
    46aead6  [CVE-2017-16808/AoE: Add a missing bounds check]
    
    Upstream commits partially backported:
    7068209  [Use nd_ types in 802.x and FDDI headers.]
    84ef17a  [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
    pointers (1/n)]
    
    46aead6 fixes the vulnerability and requires two macros defined in
    7068209 and 84ef17a, which were committed after the release of 4.9.2.
    Only the definitions of the macros are taken from the two commits,
    as they impact a wide range of code and are difficult to integrate.
    
    CVE: CVE-2017-16808
    
    Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f
Author: Dan Tran <dantran at microsoft.com>
Date:   Wed Sep 25 17:12:49 2019 +0000

    polkit: Fix CVE-2018-19788
    
    Signed-off-by: Dan Tran <dantran at microsoft.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 436cf0aa2b2802da706588d4daa1a8240d172df8
Author: Denys Dmytriyenko <denys at ti.com>
Date:   Fri Sep 27 20:56:39 2019 -0400

    mariadb: update SRC_URI, as 5.5.64 has moved to archive
    
    The old URL now gives 404 Not Found
    
    Signed-off-by: Denys Dmytriyenko <denys at ti.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 ...2017-16808-AoE-Add-a-missing-bounds-check.patch |  61 +++++++
 .../recipes-support/tcpdump/tcpdump_4.9.2.bb       |   1 +
 meta-oe/recipes-dbs/mysql/mariadb.inc              |   2 +-
 .../polkit/polkit/CVE-2018-19788_p1.patch          | 194 +++++++++++++++++++++
 .../polkit/polkit/CVE-2018-19788_p2.patch          | 153 ++++++++++++++++
 .../polkit/polkit/CVE-2018-19788_p3.patch          |  53 ++++++
 meta-oe/recipes-extended/polkit/polkit_0.115.bb    |   3 +
 7 files changed, 466 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch


hooks/post-receive
-- 
