The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly,
as exploited in the wild in August through October 2023.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The current SRCREV is not on any branch anymore, switch to the 1.12.4
branch HEAD which is similar and the only change is irrelevant.
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Version 4.2.5 fixes CVE-2023-36053 and CVE-2023-41164.
Version 4.2.7 fixes CVE-2023-46695 and CVE-2023-43665.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License-Update: Year changed [1]
Remove build directory from include directives in generated source code
via gdbus-codegen
Upgrade includes fix for CVE-2019-6498
[1] 5c87eda925
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
=========
This release contains two security related fixes. One each for VP8 and
VP9.
- Upgrading:
This release is ABI compatible with the previous release.
- Bug fixes:
https://crbug.com/1486441 (CVE-2023-5217)
Fix to a crash related to VP9 encoding (#1642)
Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Backport 2 patches [1] [2] to fix the build failure under tests dir.
* Fetch the test data during do_fetch phase to avoid internet access
during test as some tests need test data.
# ./run-ptest
PASS: test-algorithms_cpp11
PASS: test-allocator_cpp11
PASS: test-alt-string_cpp11
PASS: test-assert_macro_cpp11
PASS: test-binary_formats_cpp11
[snip]
PASS: test-unicode5_cpp11
PASS: test-user_defined_input_cpp11
PASS: test-windows_h_cpp11
PASS: test-wstring_cpp11
[1] 6cec5aefc9
[2] 660d0b5856
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 013b4d50432a3eba08a9cb54b9edf6b25a6378a8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in open-vm-tools. This flaw allows a malicious actor that
has been granted Guest Operation Privileges in a target virtual machine to
elevate their privileges if that target virtual machine has been assigned
a more privileged Guest Alias.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-34058
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
python3-nacl is in the meta-virtualization layer.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 74e31e51ffbd52b8864fed4debe7711e3ef4d739)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix do_install so that cpuid-doc is installed correctly
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The usage of nobranch=1 in SRC_URI allows using unprotected branches.
This change updates the real branch name in place of nobranch=1.
Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit eec3c65b8136fe492f3be81ab62717d7c8922d04)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Cherry-pick from master.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e0ac8eec48ddddc93751cfcdef2557998bfe91c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Some tests in test-inotify.py assume values for watch
descriptors. This is not safe, so we retrieve the
assigned values to compare with event information generated.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0efa5c872f6357f8639310e339d9c5a6f0315f2d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-38802:
FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote
attacker to cause a denial of service via a crafted BGP update with a
corrupted attribute 23 (Tunnel Encapsulation).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-38802
Patch from:
46817adab0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Refer to [1]; includes an urgency SECURITY fix and some bug fixes
[1] https://github.com/redis/redis/releases/tag/7.0.13
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2.5.x is an LTS version per the project.
Drop patch now included.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7a423279cf6afe27cf6abf747f1a2021ee5b6d26)
Signed-off-by: Armin Kuster <akuster@mvista.com>
A vulnerability in Outline.cc for Poppler prior to 23.06.0
allows a remote attacker to cause a Denial of Service (DoS)
(crash) via a crafted PDF file in OutlineItem::open.
Reference:
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update run-ptest script to print the output of python3-appdirs ptest results in
unified format
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When using the image type:
IMAGE_FSTYPES += " wic.sparse"
IMAGE_CLASSES += " image_types_sparse"
The following error arises:
Syntax error: Bad function name
So the function needs to be removed in favor of a variable.
Signed-off-by: Chris Dimich <chris.dimich@boundarydevices.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* use BPN, BP where useful
* use prefix instead of hardcoding /usr
* add patch to search also in lib32 subdir of --with-libpcap value
to fix:
checking for libpcap... configure: error: "Unable to find matching library for header file in TOPDIR/BUILD/work/raspberrypi4_64-oemllib32-linux-gnueabi/lib32-tcpreplay/4.4.4-r0/lib32-recipe-sysroot/usr"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* testing ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} existence
doesn't really work in cross compilation and on some hosts was causing:
ERROR: QA Issue: libcyusbserial: Files/directories were installed but not shipped in any package:
/usr/lib/libcyusbserial.so.1
/usr/lib/libcyusbserial.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
libcyusbserial: 2 installed and not shipped files. [installed-vs-shipped]
with multilib using /usr/lib32 or /usr/lib64 when the same didn't
exist on host.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
Source code:
----------------
Fix spaces before tabs in indentation.
Updated printers:
-----------------
LSP ping: Fix "Unused value" warnings from Coverity.
CVE-2023-1801: Fix an out-of-bounds write in the SMB printer.
DNS: sync resource types with IANA.
ICMPv6: Update the output to show a RPL DAO field name.
Geneve: Fix the Geneve UDP port test.
Building and testing:
----------------------
Require at least autoconf 2.69.
Don't check for strftime(), as it's in C90 and beyond.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Documentation:
-------------
man: Document TCP flag names better.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e782260d0b6018614dbdea95899a4a0921915e0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between n_key_data and the key_data array count.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36054
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c
and /elf/elf.c, which allows the attacker to cause a denial of service via a
crafted file.
References:
https://github.com/yasm/yasm/issues/233
https://nvd.nist.gov/vuln/detail/CVE-2023-37732
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in open-mpi hwloc 2.1.0 that allows attackers to cause
a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-47022
https://github.com/open-mpi/hwloc/issues/544
Upstream patches:
ac1f8db9a0
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748
Patch from:
ae1e0e1fed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ee1026ab77dcb31b0f5cb723b4d998aab4c00382)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop unneeded autotools-brokensep class inherit, this package has
traditional makefile build.
This change also fixes the below buildpaths issue altogether.
WARNING: mcelog-191-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/mcelog in package mcelog-dbg contains reference to TMPDIR [buildpaths]
(cherry picked from commit 29e6c4928cfbfe3a00921b956938781d53563582)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Khronos-cts.inc is used for building vulkan-cts or opengl-es-cts. Even
though vulkan-cts depends on vulkan-loader, which automatically
requires vulkan distro feature, it is more explicitly stated if written
here next to opengl.
Some systems do not support a windowing service (like wayland) but still
might use standard khronos GPU libraries. For these cases, wayland
dependency is invalid.
Patch replaces the invalid wayland distro feature dependency with
vulkan for clarity.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
php 8.2.7 is a security release and php 8.2.8 is a bug fix release;
more details are at [1].
[1] https://www.php.net/ChangeLog-8.php#8.2.7
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>