openembedded-core.git/meta/recipes-support, branch jethro Mirror of openembedded-core gnutils: Security fix CVE-2016-7444 2016-12-06T13:19:39+00:00 Armin Kuster akuster808@gmail.com 2016-10-03T00:11:14+00:00 c0a682cfeedfc8976324a3bba863f1d9b0127d76 affects gnutls < 3.3.24 Signed-off-by: Armin Kuster <akuster808@gmail.com> 
affects gnutls < 3.3.24

Signed-off-by: Armin Kuster <akuster808@gmail.com>
gnupg: fix find-version for beta checking 2016-11-03T17:40:52+00:00 Wenzong Fan wenzong.fan@windriver.com 2015-10-28T05:53:37+00:00 d39e7ca717b67ad9f2f78b83d90d91e410e52965 find-version always assumes that gnupg is beta if autogen.sh is run out of git-repo. This doesn't work for users whom just take release tarball and re-run autoconf in their local build dir. This fixes runtime issue: $gpg --list-sigs gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
find-version always assumes that gnupg is beta if autogen.sh is run
out of git-repo. This doesn't work for users whom just take release
tarball and re-run autoconf in their local build dir.

This fixes runtime issue:

  $gpg --list-sigs
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libpcre: Fix CVE-2016-3191 2016-09-23T22:21:43+00:00 Ismo Puustinen ismo.puustinen@intel.com 2016-05-04T13:06:46+00:00 249cc163e7a16f307e8b94a7b449cd3e93cc6b15 Fix workspace overflow for (*ACCEPT) with deeply nested parentheses. The patch is from libpcre version control at http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog part removed. Original author is Philip Hazel. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 386534f968f4da376ba7778b5d436bad4ce8355b) Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Fix workspace overflow for (*ACCEPT) with deeply nested parentheses.

The patch is from libpcre version control at
http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog
part removed. Original author is Philip Hazel.

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 386534f968f4da376ba7778b5d436bad4ce8355b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
curl: security fix for CVE-2016-5421 2016-09-02T07:48:20+00:00 Maxin B. John maxin.john@intel.com 2016-08-22T08:39:33+00:00 f6999fa952c7db980cfc97f6e5a971e4f34cc0a3 Affected versions: libcurl 7.32.0 to and including 7.50.0 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Affected versions: libcurl 7.32.0 to and including 7.50.0

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: security fix for CVE-2016-5420 2016-09-02T07:48:20+00:00 Maxin B. John maxin.john@intel.com 2016-08-22T08:39:32+00:00 6b732a392289a7bb50b0e3716c066c62fa32a14d Affected versions: libcurl 7.1 to and including 7.50.0 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Affected versions: libcurl 7.1 to and including 7.50.0

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: security fix for CVE-2016-5419 2016-09-02T07:48:20+00:00 Maxin B. John maxin.john@intel.com 2016-08-22T08:39:31+00:00 d1d6c93b491056b18b528216303047e353956e34 Affected versions: libcurl 7.1 to and including 7.50.0 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Affected versions: libcurl 7.1 to and including 7.50.0

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
boost: ensure boost to remain an empty metapackage 2016-04-11T21:01:54+00:00 Lukas Bulwahn lukas.bulwahn@oss.bmw-carit.de 2016-04-11T07:29:13+00:00 90dcc9838e5be74f5ec7a8380cf6da3bddb1c955 To ensure that boost remains an empty metapackage after version updates, we explicitly require boost files to be empty. If new libraries exist after a version update of the boost recipe, bitbake will emit a warning at the do_package task. For example, at the version update from 1.58.0 to 1.59.0, the new timer library is indicated with: WARNING: QA Issue: boost: Files/directories were installed but not shipped in any package: /usr/lib/libboost_timer.so.1.59.0 Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. boost: 1 installed and not shipped files. [installed-vs-shipped] Ross Burton suggested this improvement on the openembedded-core mailing list during review of the boost recipe version update [1]. [1] http://lists.openembedded.org/pipermail/openembedded-core/2015-December/114314.html (From OE-Core master rev: c4e33232db2da3594cc4ba38eea56ee1acb54d3a) Signed-off-by: Lukas Bulwahn <lukas.bulwahn@oss.bmw-carit.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
To ensure that boost remains an empty metapackage after version
updates, we explicitly require boost files to be empty. If new
libraries exist after a version update of the boost recipe,
bitbake will emit a warning at the do_package task. For example,
at the version update from 1.58.0 to 1.59.0, the new timer
library is indicated with:

WARNING: QA Issue: boost: Files/directories were installed but not shipped in any package:
  /usr/lib/libboost_timer.so.1.59.0
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
boost: 1 installed and not shipped files. [installed-vs-shipped]

Ross Burton suggested this improvement on the openembedded-core
mailing list during review of the boost recipe version update [1].

[1] http://lists.openembedded.org/pipermail/openembedded-core/2015-December/114314.html

(From OE-Core master rev: c4e33232db2da3594cc4ba38eea56ee1acb54d3a)

Signed-off-by: Lukas Bulwahn <lukas.bulwahn@oss.bmw-carit.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libgcrypt: Security fix CVE-2015-7511 2016-02-21T09:37:22+00:00 Armin Kuster akuster@mvista.com 2016-02-13T17:34:00+00:00 c691ce99bd2d249d6fdc4ad58300719488fea12c CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves affects libgcrypt < 1.6.5 Patch 1 is a dependancy patch. simple macro name change. Patch 2 is the cve fix. Signed-off-by: Armin Kuster <akuster@mvista.com> 
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves

affects libgcrypt < 1.6.5

Patch 1 is a dependancy patch. simple macro name change.
Patch 2 is the cve fix.

Signed-off-by: Armin Kuster <akuster@mvista.com>
libbsd: Security fix CVE-2016-2090 2016-02-18T10:57:06+00:00 Armin Kuster akuster@mvista.com 2016-02-12T00:20:34+00:00 e56aba3a822f072f8ed2062a691762a4a970a3f0 CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd

affects libbsd <= 0.8.1 (and therefore not needed in master)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: Secuirty fix CVE-2016-0755 2016-02-07T22:47:12+00:00 Armin Kuster akuster@mvista.com 2016-02-05T16:58:42+00:00 8322814c7f657f572d5c986652e708d6bd774378 CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use Signed-off-by: Armin Kuster <akuster@mvista.com> 
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use

Signed-off-by: Armin Kuster <akuster@mvista.com>