openembedded-core.git/meta/recipes-support, branch fido Mirror of openembedded-core nettle: The variable named p in the patch file was incorrectly named. 2016-03-11T10:03:50+00:00 ngutzmann nathangutzmann@gmail.com 2016-03-09T16:17:31+00:00 7f4d3b90840a14d660a56d23e1fe79f4fb633d59 The variable in question should have been called ecc->p. The patch has been updated so that the compilation of the nettle recipe would complete successfully. The backport originated from this commit https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d Signed-off-by: ngutzmann <nathangutzmann@gmail.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
The variable in question should have been called ecc->p. The patch has been
updated so that the compilation of the nettle recipe would complete
successfully. The backport originated from this commit

https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d

Signed-off-by: ngutzmann <nathangutzmann@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
nettle: Security fix CVE-2015-8804 2016-02-29T15:05:16+00:00 Armin Kuster akuster@mvista.com 2016-02-05T16:41:24+00:00 d1903e264ab62d34daeb652c89c6fb67e7c9b42d (From OE-Core master rev: 7474c7dbf98c1a068bfd9b14627b604da5d79b67) minor tweak to get x86_64/ecc-384-modp.asm to apply Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
(From OE-Core master rev: 7474c7dbf98c1a068bfd9b14627b604da5d79b67)

minor tweak to get x86_64/ecc-384-modp.asm to apply

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
nettle: Security fix CVE-2015-8803 and CVE-2015-8805 2016-02-29T15:05:16+00:00 Armin Kuster akuster@mvista.com 2016-02-05T16:37:29+00:00 cb03397ac97bfa99df6b72c80e1e03214e059e6e (From OE-Core master rev: f62eb452244c3124cc88ef01c14116dac43f377a) hand applied changes for ecc-256.c Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
(From OE-Core master rev: f62eb452244c3124cc88ef01c14116dac43f377a)

hand applied changes for ecc-256.c

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
curl: Secuirty fix CVE-2016-0755 2016-02-29T15:05:16+00:00 Armin Kuster akuster@mvista.com 2016-02-05T16:58:42+00:00 e479ec9e6cbd34f3a7a56a170aaabcc4229f1959 CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use (From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378) hand applied changed to url.c Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use

(From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378)

hand applied changed to url.c

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
curl: Security fix CVE-2016-0754 2016-02-29T15:05:16+00:00 Armin Kuster akuster@mvista.com 2016-02-05T16:57:11+00:00 b8df558ece47e51653e1fc0fb0637ec2cdf2907b CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows (From OE-Core master rev: b2c9b48dea2fd968c307a809ff95f2e686435222) minor tweak to tool_operate.c to get it to apply Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows

(From OE-Core master rev: b2c9b48dea2fd968c307a809ff95f2e686435222)

minor tweak to tool_operate.c to get it to apply

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
libgcrypt: Security fix CVE-2015-7511 2016-02-29T15:05:16+00:00 Armin Kuster akuster@mvista.com 2016-02-13T17:34:00+00:00 88ba5ea3f3a421ac91d670e450f4b0645a53d733 CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves affects libgcrypt < 1.6.5 adjust SRC_URI + for this version. Patch 1 is a dependancy patch. simple macro name change. Patch 2 is the cve fix. (From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves

affects libgcrypt < 1.6.5

adjust SRC_URI + for this version.

Patch 1 is a dependancy patch. simple macro name change.
Patch 2 is the cve fix.

(From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
libbsd: Security fix CVE-2016-2090 2016-02-18T10:54:22+00:00 Armin Kuster akuster@mvista.com 2016-02-12T00:20:34+00:00 ab29efb8e85020a3621079c7fde217c1bfaa5289 CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd

affects libbsd <= 0.8.1 (and therefore not needed in master)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
libpcre: Security fixes and package update. 2016-02-16T14:02:36+00:00 Armin Kuster akuster@mvista.com 2016-02-12T02:41:18+00:00 3bbd53035fb62793f1e44b24b18eb275bd860ed1 this is related to [Yocto # 9008] 8.38: The following security fixes are included: CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() compile_regex() CVE-2015-3217 pcre: stack overflow in match() CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec CVE-2015-8381 pcre: Heap Overflow in compile_regex() CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion CVE-2015-8387 pcre: Integer overflow in subroutine calls CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions CVE-2015-8395 pcre: Buffer overflow caused by certain references CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS 8.37: The following security fixes are included: CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions CVE-2015-2325 pcre: heap buffer overflow in compile_branch() CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2() LICENSE file changed do to Copyright date updates. Signed-off-by: Armin Kuster <akuster@mvista.com> Jethro and master don't require this patch as they have newer libpcre which contains these fixes. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> 
this is related to [Yocto # 9008]

8.38:
The following security fixes are included:
CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2()  compile_regex()
CVE-2015-3217 pcre: stack overflow in match()
CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis
CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec
CVE-2015-8381 pcre: Heap Overflow in compile_regex()
CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group
CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group
CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
CVE-2015-8387 pcre: Integer overflow in subroutine calls
CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups
CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions
CVE-2015-8395 pcre: Buffer overflow caused by certain references
CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS

8.37:
The following security fixes are included:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

LICENSE file changed do to Copyright date updates.

Signed-off-by: Armin Kuster <akuster@mvista.com>

Jethro and master don't require this patch as they have newer libpcre which
contains these fixes.

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
libiconv_1.11.1: fix LICENSE declaration, LGPL -> LGPLv2.0 2015-11-05T22:04:15+00:00 Andre McCurdy armccurdy@gmail.com 2015-08-06T00:52:34+00:00 dde08a4ba4a12a81b780b69c6ec395508b0a030f Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: 7d2da0e) Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> 
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: 7d2da0e)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
libiconv_1.11.1: merge build and packaging fixes from libiconv_1.14 2015-11-05T22:04:15+00:00 Andre McCurdy armccurdy@gmail.com 2015-08-06T00:52:35+00:00 3f5b2da748bbb0417a63c69393cdd024623074a2 054151c libiconv: Fix B != S with uclibc builds 273c437 libiconv: Remove RPATH from binaries fcb8d6f libiconv_1.14.bb: Fix build failure [partial-merge] Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core master rev: 898e9d7) Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> 
  054151c libiconv: Fix B != S with uclibc builds
  273c437 libiconv: Remove RPATH from binaries
  fcb8d6f libiconv_1.14.bb: Fix build failure [partial-merge]

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: 898e9d7)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>