path: root/meta
Age | Commit message | Author | Files
2016-01-30 | qemu: Security fix CVE-2015-7512 | Armin Kuster | 2
    CVE-2015-7512 Qemu: net: pcnet: buffer overflow in non-loopback mode
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | qemu: Security fix CVE-2015-7504 | Armin Kuster | 2
    CVE-2015-7504 Qemu: net: pcnet: heap overflow vulnerability in loopback mode
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | qemu: Security fix CVE-2015-8504 | Armin Kuster | 2
    CVE-2015-8504 Qemu: ui: vnc: avoid floating point exception
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | openssl: Security fix CVE-2016-0701 | Armin Kuster | 3
    CVE-2016-0701 OpenSSL: DH small subgroups
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | openssl: Security fix CVE-2015-3197 | Armin Kuster | 2
    CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | tiff: Security fix CVE-2015-8784 | Armin Kuster | 2
    CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | tiff: Security fix CVE-2015-8781 | Armin Kuster | 2
    CVE-2015-8781 libtiff: out-of-bounds writes for invalid images
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-30 | bind: CVE-2015-8704 and CVE-2015-8705 | Derek Straka | 3
    CVE-2015-8704: Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record
    CVE-2015-8705: When debug logging is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option
    [YOCTO 8966]
    References:
    https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705
    Signed-off-by: Derek Straka <derek@asterius.io>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | rpmresolve.c: Fix unfreed pointers that keep DB opened | Mariano Lopez | 1
    There are some unfreed rpmmi pointers in the printDepList() function; this happens when the package has null as the requirement. This patch fixes these unfreed pointers and adds small changes to keep consistency with some variables.
    [YOCTO #8028]
    (From OE-Core master rev: da7aa183f94adc1d0fff5bb81e827c584f9938ec)
    Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | openssh: CVE-2016-1907 | Armin Kuster | 4
    This issue requires three commits:
    https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
    https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
    https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
    (From OE-Core master rev: a42229df424552955c0ac62da1063461f97f5938)
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | glibc: CVE-2015-8776 | Armin Kuster | 2
    It was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially information disclosure.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | glibc: CVE-2015-9761 | Armin Kuster | 3
    A stack overflow vulnerability was found in nan* functions that could cause applications which process long strings with the nan function to crash or, potentially, execute arbitrary code.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | glibc: CVE-2015-8779 | Armin Kuster | 2
    A stack overflow vulnerability in the catopen function was found, causing applications which pass long strings to the catopen function to crash or, potentially, execute arbitrary code.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-30 | glibc: CVE-2015-8777.patch | Armin Kuster | 2
    The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-01-21 | nativesdk-buildtools-perl-dummy: Bump PR | Richard Purdie | 1
    Recent changes to this recipe caused automated PR increments to break, regressing package feeds. The only way to recover is to bump PR, so do this centrally to fix anyone affected.
    (From OE-Core rev: dacdb499d31cb2e80cca33cba9d599c8ee983dc4)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-21 | nativesdk-buildtools-perl-dummy: properly set PACKAGE_ARCH | Paul Eggleton | 1
    Turns out I did a silly thing in OE-Core revision 9b1831cf4a2940dca1d23f14dff460ff5a50a520 and forgot to remove the explicit setting of PACKAGE_ARCH outside of the anonymous python function; the original bug was apparently fixed but the functionality of allarch.bbclass was being disabled because it was able to see that PACKAGE_ARCH was not set to "all" - which was what I was trying to ensure.
    (From OE-Core rev: a25ab5449825315d4f51b31a634fe6cd8f908526)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-21 | nativesdk-buildtools-perl-dummy: fix rebuilding when SDKMACHINE changes | Paul Eggleton | 1
    This recipe produces an empty dummy package (in order to satisfy dependencies on perl so we don't have perl within buildtools-tarball). Because we were inheriting nativesdk here the recipe was being rebuilt, but having forced PACKAGE_ARCH to a particular value the packages for each architecture were stepping on each other. Since the packages are empty they can in fact be allarch (even though they won't actually go into the "all" package feed). It turns out that inheriting nativesdk wasn't actually necessary either, so drop that.
    Fixes [YOCTO #8509].
    (From OE-Core rev: 9b1831cf4a2940dca1d23f14dff460ff5a50a520)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-20 | Revert "gstreamer1.0-plugins-good.inc: add gudev back to PACKAGECONFIG" | Richard Purdie | 1
    This reverts commit 5c90b561930aac1783485d91579d313932273e92.
    The original change was intentional so back out 'fixes'.
2016-01-20 | Revert "gstreamer: Deal with merge conflict which breaks systemd builds" | Richard Purdie | 1
    This reverts commit bc458ae9586b45b11b6908eadb31e94d892e698f.
    The original change was intentional so back out 'fixes'.
2016-01-17 | build-appliance-image: Update to jethro head revision | Richard Purdie | 1
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-17 | gstreamer: Deal with merge conflict which breaks systemd builds | Richard Purdie | 1
    In jethro, the dependency is "udev", the change to libgudev happened in master after the release and this was a mistake during backporting of gstreamer fixes.
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | build-appliance-image: Update to jethro head revision | Richard Purdie | 1
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | kernel/kernel-arch: Explicitly mapping between i386/x86_64 and x86 for kernel ARCH | Jianxun Zhang | 2
    For a bare-bone kernel recipe which specifies 32 bit x86 target, a 64 bit .config will be generated from do_configure task when building 32-bit qemux86, once all of these conditions are true:
    * arch of host is x86_64
    * kernel source tree used in build has commit ffee0de41 which actually chooses i386 or x86_64 defconfig by asking host when ARCH is "x86" (arch/x86/Makefile)
    * bare-bone kernel recipe inherits directly from kernel without other special treatments.
    Build will fail because of the mismatched kernel architecture. The patch sets ARCH i386 or x86_64 explicitly to configure task to avoid this host contamination. Kernel artifact is also changed so that it can map i386 and x64 back to arch/x86 when needed.
    Signed-off-by: Jianxun Zhang <jianxun.zhang@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | openssh: update to 7.1p2 | Alexander Kanavin | 1
    This fixes a number of security issues.
    Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | classes/populate_sdk_ext: disable signature warnings | Paul Eggleton | 1
    The user of the extensible SDK doesn't need to see these.
    (From OE-Core master rev: 7045fabf73d4eef9c023edb9e0a8b8d1d3f04680)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | classes/populate_sdk_ext: fix cascading from preparation failure | Paul Eggleton | 1
    During extensible SDK installation, if the build system preparation step fails we try to put something at the end of the environment setup script to show an error when it is sourced, in case the user doesn't realise that the partially-installed SDK is broken. However, an apostrophe in the message (actually a single quote) appears to terminate the string and therefore breaks the command. Drop it to avoid that.
    (From OE-Core master rev: 21e591d182e24c399ae010a8eff9b89947061a46)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | buildhistory: fix not recording SDK information | Paul Eggleton | 1
    After OE-Core revision baa4e43a29e45df17eaa3456acc179b08d571db6 we lost recording the SDK contents in buildhistory. This was due to the SDK_POSTPROCESS_COMMAND variable being set with = in populate_sdk_base.bbclass which overwrote any value set with += in buildhistory.bbclass; to fix it, use _append in buildhistory.bbclass instead.
    Fixes [YOCTO #8839].
    (From OE-Core master rev: 11d1aa82ef4a00051e0a50a87a1efed1c50c73b5)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | classes/populate_sdk_ext: error out of install if buildtools install fails | Paul Eggleton | 1
    If the installation of buildtools fails then we should fail the entire installation instead of blindly continuing on.
    (From OE-Core master rev: 34bb63e6c72fb862e0ef0d2b26e1bfddaf7ddb99)
    Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-15 | gstreamer1.0-plugins-good.inc: add gudev back to PACKAGECONFIG | Robert Yang | 1
    The 66e32244aed8d33f1b49fbe78179f2442545c730 wrongly removed gudev from PACKAGECONFIG, now add it back.
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-14 | libaio: don't disable linking to the system libraries | Ross Burton | 2
    For some reason that I don't understand (a decade-old attempt at optimisation?) libaio disables linkage to the system libraries. Enabling fortify means linking to the system libraries, so remove the existing addition of -lc for x86 (the problem also happens on at least PPC) and just link to the system libraries on all platforms. Also remove the sed of src/Makefile as the build not respecting LDFLAGS has been fixed upstream.
    (From OE-Core rev: f435ac9db0581d8313a38d586b00c2b3de419298)
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-14 | linux-yocto/4.1: update to v4.1.15 | Bruce Ashfield | 3
    Updating the 4.1 kernel repo to the latest 4.1.x stable.
    (From OE-Core rev: 1df3a79cf454754e6be6c1ffc91ba8310a880616)
    Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-13 | libxml2: security fix CVE-2015-5312 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-8242 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7500 | Armin Kuster | 3
    includes a depend fix security issue CVE-2015-7500
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7499 | Armin Kuster | 3
    includes:
    CVE-2015-7499-1
    CVE-2015-7499-2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7497 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7498 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-8035 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7942 | Armin Kuster | 3
    includes:
    CVE-2015-7942
    CVE-2015-7942-2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-8317 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | libxml2: security fix CVE-2015-7941 | Armin Kuster | 3
    includes:
    CVE-2015-7941-1
    CVE-2015-7941-2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | openssl: fix for CVE-2015-3195 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | openssl: fix for CVE-2015-3194 | Armin Kuster | 3
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-13 | openssl: fix for CVE-2015-3193 | Armin Kuster | 2
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-01-11 | logrotate: do not move binary logrotate to /usr/bin | Hongxu Jia | 1
    In oe-core commit a46d3646a3e1781be4423b508ea63996b3cfca8a
    ...
    Author: Fahad Usman <fahad_usman@mentor.com>
    Date: Tue Aug 26 13:16:48 2014 +0500
    logrotate: obey our flags
    Needed to quiet GNU_HASH warnings, and some minor fixes.
    ...
    it explicitly moves logrotate to /usr/bin without any reason, which is against the original Linux location /usr/sbin. So partly revert the above commit, which lets logrotate be kept in the original place /usr/sbin.
    (From OE-Core master rev: 0007436b486fd0bea9e6ef60bf57603e7cfce54b)
    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2015-12-27 | cairo: fix license for cairo-script-interpreter | Andre McCurdy | 1
    Without an explicit license, cairo-script-interpreter inherits the default LICENSE and isn't packaged in builds which blacklist GPLv3.
    (From OE-Core master rev: cb8f84218b065fed88a8c36f3c78065e8ab726bf)
    Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2015-12-27 | glibc: Fix ld.so / prelink interface for ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA | Mark Hatle | 2
    A bug in glibc 2.22's ld.so interface for the prelink support causes the displayed values to be incorrect. The included patch fixes this issue.
    Clear ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA for prelink
    prelink runs ld.so with the environment variable LD_TRACE_PRELINKING set to dump the relocation type class from _dl_debug_bindings. prelink has the following relocation type classes: where ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA has a conflict with RTYPE_CLASS_TLS. Since prelink doesn't use ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, we should clear the ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA bit when the DL_DEBUG_PRELINK bit is set.
    (From OE-Core master rev: 12c86bdcc60c54e587a896b0dceb8bb6cc9ff7e3)
    Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2015-12-27 | gcc: Update default Power GCC settings to use secure-plt | Mark Hatle | 3
    The gcc default, bss-plt, will cause errors when using the prelinker. All other distributions that I am aware of are using the secure-plt. For an explanation of the differences, the gcc docs:
    Current PowerPC GCC accepts a `-msecure-plt' option that generates code capable of using a newer PLT and GOT layout that has the security advantage of no executable section ever needing to be writable and no writable section ever being executable. PowerPC ld will generate this layout, including stubs to access the PLT, if all input files (including startup and static libraries) were compiled with `-msecure-plt'. `--bss-plt' forces the old BSS PLT (and GOT layout) which can give slightly better performance.
    The security of the new PLT and ability to run the prelinker outweigh any performance penalty. The secure-plt is enabled by default. The old bss-plt can be enabled by selecting 'bssplt' in the DISTRO_FEATURES.
    (From OE-Core master rev: 70c55aada1101a5c687cdaa79f370fa4530b39d9)
    Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2015-12-27 | prelink: Fix various prelink issues on IA32, ARM, and MIPS. | Mark Hatle | 1
    Fix the following issues:
    IA32 / ARM - Resync to glibc-2.22, fix a mismatch w/ glibc's ld.so
    MIPS - Ignore the new SHT_MIPS_ABIFLAGS
    ARM - Fix missing ARM IFUNC support chunk
    Also upstream prelink project no longer has a 'trunk' directory.
    (From OE-Core master rev: c725328f2ab5c9b220c552ed37c0d24b098a218d)
    Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2015-12-27 | autotools: Allow recipe-individual configure scripts | Jens Rehsack | 1
    OpenJDK-8 has its configure script at common/autotools - which will cause the entire assumption that ${S}/configure is regenerated by autoreconf, intltoolize or alike to fail heavily. Also - other configure mechanisms can be supported more similarly (see how pkgsrc manages different ones ...)
    (From OE-Core master rev: fe506eddb0790e37ac1e50f37fa2e32ad81d5493)
    Signed-off-by: Jens Rehsack <sno@netbsd.org>
    Signed-off-by: Ross Burton <ross.burton@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>