* [OE-core][kirkstone 0/4] Patch review
@ 2024-03-07 18:38 Steve Sakoman
From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6658
The following changes since commit d63af11e92094487d6e358f27283e5385937e7a8:
kernel.bbclass: Set pkg-config variables for building modules (2024-03-03 11:56:20 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Chen Qi (1):
useradd-example: do not use unsupported clear text password
Fabio Estevam (1):
u-boot: Move UBOOT_INITIAL_ENV back to u-boot.inc
Hitendra Prajapati (1):
golang: Fix CVE-2023-45289 & CVE-2023-45290
Steve Sakoman (1):
selftest: skip virgl gtk/sdl test on ubuntu 18.04
.../useradd/useradd-example.bb | 4 +-
meta/classes/uboot-config.bbclass | 4 -
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
meta/recipes-bsp/u-boot/u-boot.inc | 4 +
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.21/CVE-2023-45289.patch | 121 ++++++++
.../go/go-1.21/CVE-2023-45290.patch | 270 ++++++++++++++++++
7 files changed, 401 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch
--
2.34.1
^ permalink raw reply [flat|nested] 15+ messages in thread* [OE-core][kirkstone 1/4] u-boot: Move UBOOT_INITIAL_ENV back to u-boot.inc 2024-03-07 18:38 [OE-core][kirkstone 0/4] Patch review Steve Sakoman @ 2024-03-07 18:38 ` Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 2/4] useradd-example: do not use unsupported clear text password Steve Sakoman ` (2 subsequent siblings) 3 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw) To: openembedded-core From: Fabio Estevam <festevam@denx.de> Commit cc6c3e31526d ("u-boot: Move definitions to common locations") moved UBOOT_INITIAL_ENV to uboot-config.bbclass, but it should be kept at u-boot.inc because it encodes ${PN} in it, which should be set by the U-Boot recipe. Currently, whatever inherits uboot-config bbclass will fill-in its own PN, which would change the content of UBOOT_INITIAL_ENV per-package. Cc: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> Cc: Marek Vasut <marex@denx.de> Fixes: cc6c3e31526d ("u-boot: Move definitions to common locations") Signed-off-by: Fabio Estevam <festevam@denx.de> Backported from master: 0b0c4b37d318b86f100512476ffd861e0ce1f47e Signed-off-by: Fabio Estevam <festevam@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/uboot-config.bbclass | 4 ---- meta/recipes-bsp/u-boot/u-boot.inc | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/classes/uboot-config.bbclass b/meta/classes/uboot-config.bbclass index b9ad35821a..fe85521877 100644 --- a/meta/classes/uboot-config.bbclass +++ b/meta/classes/uboot-config.bbclass 
@@ -59,10 +59,6 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}" UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}" UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}" -# Default name of u-boot initial env, but enable individual recipes to change -# this value. -UBOOT_INITIAL_ENV ?= "${PN}-initial-env" - # U-Boot EXTLINUX variables. U-Boot searches for /boot/extlinux/extlinux.conf # to find EXTLINUX conf file. UBOOT_EXTLINUX_INSTALL_DIR ?= "/boot/extlinux" diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc index b2f33e3826..54ea2e9e50 100644 --- a/meta/recipes-bsp/u-boot/u-boot.inc +++ b/meta/recipes-bsp/u-boot/u-boot.inc @@ -24,6 +24,10 @@ PACKAGECONFIG[openssl] = ",,openssl-native" # file already exists it will not be overwritten. UBOOT_LOCALVERSION ?= "" +# Default name of u-boot initial env, but enable individual recipes to change +# this value. +UBOOT_INITIAL_ENV ?= "${PN}-initial-env" + require u-boot-configure.inc do_compile () { -- 2.34.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
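Review bot: In the u-boot.inc hunk the comment above `UBOOT_INITIAL_ENV ?= "${PN}-initial-env"` is carried over word for word and does not record why the default has to live in this file. The commit message gives the reason (the value expands ${PN}, which should be set by the U-Boot recipe rather than by whatever inherits uboot-config), so add one comment line saying that; otherwise a later cleanup can move it back into uboot-config.bbclass the way cc6c3e31526d did. With the default gone from uboot-config.bbclass, anything that inherits the class without requiring u-boot.inc and still expands ${UBOOT_INITIAL_ENV} no longer gets a value, so the commit message should state that such users were checked.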
* [OE-core][kirkstone 2/4] useradd-example: do not use unsupported clear text password 2024-03-07 18:38 [OE-core][kirkstone 0/4] Patch review Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 1/4] u-boot: Move UBOOT_INITIAL_ENV back to u-boot.inc Steve Sakoman @ 2024-03-07 18:38 ` Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 3/4] selftest: skip virgl gtk/sdl test on ubuntu 18.04 Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 4/4] golang: Fix CVE-2023-45289 & CVE-2023-45290 Steve Sakoman 3 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw) To: openembedded-core From: Chen Qi <Qi.Chen@windriver.com> The clear text password support has been dropped. So let's just use a normal ecrypted one. The password remains to be 'user3'. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cd8232f9c58980d95180ad320b7b0bb0fcfd9ff5) Signed-off-by: Fabio Berton <fabio.berton@criticaltechworks.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta-skeleton/recipes-skeleton/useradd/useradd-example.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb index 3f4c42d714..cff624e2f9 100644 --- a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb +++ b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb 
@@ -33,8 +33,8 @@ USERADD_PACKAGES = "${PN} ${PN}-user3" USERADD_PARAM:${PN} = "-u 1200 -d /home/user1 -r -s /bin/bash user1; -u 1201 -d /home/user2 -r -s /bin/bash user2" # user3 will be managed in the useradd-example-user3 pacakge: -# As an example, we use the -P option to set clear text password for user3 -USERADD_PARAM:${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash -P 'user3' user3" +# As an example, we use the -p option to set password ('user3') for user3 +USERADD_PARAM:${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash -p '\$6\$XAWr.8nc\$bUE4pYYaVb8n6BbnBitU0zeJMtfhTpFpiOBLL9zRl4e4YQo88UU4r/1kjRzmTimCy.BvDh4xoFwVqcO.pihLa1' user3" # GROUPADD_PARAM works the same way, which you set to the options # you'd normally pass to the groupadd command. This will create -- 2.34.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
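Review bot: The new comment on the `USERADD_PARAM:${PN}-user3` line says only that -p sets the password; it does not say that the argument is now a crypt(3) hash (the `$6$` prefix is SHA-512 crypt) or that each `$` has to be escaped as `\$`, as the added line does. This is a skeleton recipe that gets copied, so spell both out in the comment and mention how such a hash is produced, for example with `mkpasswd -m sha-512`. Because the hash is of the published password 'user3' with a fixed salt, the comment should also mark the value as example-only.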
* [OE-core][kirkstone 3/4] selftest: skip virgl gtk/sdl test on ubuntu 18.04 2024-03-07 18:38 [OE-core][kirkstone 0/4] Patch review Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 1/4] u-boot: Move UBOOT_INITIAL_ENV back to u-boot.inc Steve Sakoman 2024-03-07 18:38 ` [OE-core][kirkstone 2/4] useradd-example: do not use unsupported clear text password Steve Sakoman @ 2024-03-07 18:38 ` Steve Sakoman 2024-03-07 18:51 ` Patchtest results for " patchtest 2024-03-07 18:38 ` [OE-core][kirkstone 4/4] golang: Fix CVE-2023-45289 & CVE-2023-45290 Steve Sakoman 3 siblings, 1 reply; 15+ messages in thread From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw) To: openembedded-core Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/runtime_test.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index d06d480c2b..7dcdfd0ab2 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -221,6 +221,8 @@ class TestImage(OESelftestTestCase): self.skipTest('virgl isn\'t working with Centos 7') if distro and distro == 'opensuseleap-15.0': self.skipTest('virgl isn\'t working with Opensuse 15.0') + if distro and distro == 'ubuntu-18.04': + self.skipTest('virgl isn\'t working with Ubuntu 18.04') qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native') qemu_distrofeatures = get_bb_var('DISTRO_FEATURES', 'qemu-system-native') -- 2.34.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
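Review bot: The added skip for 'ubuntu-18.04' comes with an empty commit body, and the skip message ('virgl isn\'t working with Ubuntu 18.04') does not say what fails, so there is nothing to tell a later reader when the skip can be dropped. Add a commit message describing the failure that was seen. The hunk also adds one more copy of the `if distro and distro == ...: self.skipTest(...)` pattern; a single tuple or dict of unsupported distros checked once would keep the list in one place.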
* Patchtest results for [OE-core][kirkstone 3/4] selftest: skip virgl gtk/sdl test on ubuntu 18.04
@ 2024-03-07 18:51 patchtest
From: patchtest @ 2024-03-07 18:51 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information:
---
Testing patch /home/patchtest/share/mboxes/kirkstone-3-4-selftest-skip-virgl-gtk-sdl-test-on-ubuntu-18.04.patch
FAIL: test commit message presence: Please include a commit message on your patch explaining the change (test_mbox.TestMbox.test_commit_message_presence)
PASS: pretest pylint (test_python_pylint.PyLint.pretest_pylint)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test pylint (test_python_pylint.PyLint.test_pylint)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
SKIP: pretest src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
---
Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!
* [OE-core][kirkstone 4/4] golang: Fix CVE-2023-45289 & CVE-2023-45290 2024-03-07 18:38 [OE-core][kirkstone 0/4] Patch review Steve Sakoman ` (2 preceding siblings ...) 2024-03-07 18:38 ` [OE-core][kirkstone 3/4] selftest: skip virgl gtk/sdl test on ubuntu 18.04 Steve Sakoman @ 2024-03-07 18:38 ` Steve Sakoman 3 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw) To: openembedded-core From: Hitendra Prajapati <hprajapati@mvista.com> Backport fixes for: CVE-2023-45289 - Upstream-Status: Backport from https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be CVE-2023-45290 - Upstream-Status: Backport from https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/go/go-1.17.13.inc | 2 + .../go/go-1.21/CVE-2023-45289.patch | 121 ++++++++ .../go/go-1.21/CVE-2023-45290.patch | 270 ++++++++++++++++++ 3 files changed, 393 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c02da60f68..e635445579 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -51,6 +51,8 @@ SRC_URI += "\ file://CVE-2023-39326.patch \ file://CVE-2023-45285.patch \ file://CVE-2023-45287.patch \ + file://CVE-2023-45289.patch \ + file://CVE-2023-45290.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch new file mode 100644 index 0000000000..f8ac64472f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch 
@@ -0,0 +1,121 @@ +From 3a855208e3efed2e9d7c20ad023f1fa78afcc0be Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 11 Jan 2024 11:31:57 -0800 +Subject: [PATCH] [release-branch.go1.22] net/http, net/http/cookiejar: avoid + subdomain matches on IPv6 zones + +When deciding whether to forward cookies or sensitive headers +across a redirect, do not attempt to interpret an IPv6 address +as a domain name. + +Avoids a case where a maliciously-crafted redirect to an +IPv6 address with a scoped addressing zone could be +misinterpreted as a within-domain redirect. For example, +we could interpret "::1%.www.example.com" as a subdomain +of "www.example.com". + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes CVE-2023-45289 +Fixes #65859 +For #65065 + +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569236 +Reviewed-by: Carlos Amedee <carlos@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be] +CVE: CVE-2023-45289 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/net/http/client.go | 6 ++++++ + src/net/http/client_test.go | 1 + + src/net/http/cookiejar/jar.go | 7 +++++++ + src/net/http/cookiejar/jar_test.go | 10 ++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/src/net/http/client.go b/src/net/http/client.go +index 22db96b..b2dd445 100644 +--- a/src/net/http/client.go ++++ b/src/net/http/client.go +@@ -1015,6 
+1015,12 @@ func isDomainOrSubdomain(sub, parent string) bool { + if sub == parent { + return true + } ++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). ++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. ++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". ++ if strings.ContainsAny(sub, ":%") { ++ return false ++ } + // If sub is "foo.example.com" and parent is "example.com", + // that means sub must end in "."+parent. + // Do it without allocating. +diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go +index 9788c7a..7a0aa53 100644 +--- a/src/net/http/client_test.go ++++ b/src/net/http/client_test.go +@@ -1729,6 +1729,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { + {"cookie2", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://bar.com/", false}, + {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, ++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, + + // But subdomains should work: + {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, +diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go +index e6583da..f2cf9c2 100644 +--- a/src/net/http/cookiejar/jar.go ++++ b/src/net/http/cookiejar/jar.go +@@ -362,6 +362,13 @@ func jarKey(host string, psl PublicSuffixList) string { + + // isIP reports whether host is an IP address. + func isIP(host string) bool { ++ if strings.ContainsAny(host, ":%") { ++ // Probable IPv6 address. ++ // Hostnames can't contain : or %, so this is definitely not a valid host. ++ // Treating it as an IP is the more conservative option, and avoids the risk ++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com. 
++ return true ++ } + return net.ParseIP(host) != nil + } + +diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go +index 47fb1ab..fd8d40e 100644 +--- a/src/net/http/cookiejar/jar_test.go ++++ b/src/net/http/cookiejar/jar_test.go +@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{ + "127.0.0.1": true, + "1.2.3.4": true, + "2001:4860:0:2001::68": true, ++ "::1%zone": true, + "example.com": false, + "1.1.1.300": false, + "www.foo.bar.net": false, +@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{ + {"http://www.host.test:1234/", "a=1"}, + }, + }, ++ { ++ "IPv6 zone is not treated as a host.", ++ "https://example.com/", ++ []string{"a=1"}, ++ "a=1", ++ []query{ ++ {"https://[::1%25.example.com]:80/", ""}, ++ }, ++ }, + } + + func TestBasics(t *testing.T) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch new file mode 100644 index 0000000000..81f2123f34 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch 
@@ -0,0 +1,270 @@ +From 041a47712e765e94f86d841c3110c840e76d8f82 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 16 Jan 2024 15:37:52 -0800 +Subject: [PATCH] [release-branch.go1.22] net/textproto, mime/multipart: avoid + unbounded read in MIME header + +mime/multipart.Reader.ReadForm allows specifying the maximum amount +of memory that will be consumed by the form. While this limit is +correctly applied to the parsed form data structure, it was not +being applied to individual header lines in a form. + +For example, when presented with a form containing a header line +that never ends, ReadForm will continue to read the line until it +runs out of memory. + +Limit the amount of data consumed when reading a header. + +Fixes CVE-2023-45290 +Fixes #65850 +For #65383 + +Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569237 +Reviewed-by: Carlos Amedee <carlos@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82] +CVE: CVE-2023-45290 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>--- + src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++ + src/net/textproto/reader.go | 48 ++++++++++++++++++++--------- + src/net/textproto/reader_test.go | 12 ++++++++ + 3 files changed, 87 insertions(+), 15 deletions(-) + +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index c78eeb7..f729da6 100644 +--- 
a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) { + } + } + ++func TestReadFormEndlessHeaderLine(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ prefix string ++ }{{ ++ name: "name", ++ prefix: "X-", ++ }, { ++ name: "value", ++ prefix: "X-Header: ", ++ }, { ++ name: "continuation", ++ prefix: "X-Header: foo\r\n ", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ const eol = "\r\n" ++ s := `--boundary` + eol ++ s += `Content-Disposition: form-data; name="a"` + eol ++ s += `Content-Type: text/plain` + eol ++ s += test.prefix ++ fr := io.MultiReader( ++ strings.NewReader(s), ++ neverendingReader('X'), ++ ) ++ r := NewReader(fr, "boundary") ++ _, err := r.ReadForm(1 << 20) ++ if err != ErrMessageTooLarge { ++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++type neverendingReader byte ++ ++func (r neverendingReader) Read(p []byte) (n int, err error) { ++ for i := range p { ++ p[i] = byte(r) ++ } ++ return len(p), nil ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index c6569c8..3ac4d4d 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -16,6 +16,10 @@ import ( + "sync" + ) + ++// TODO: This should be a distinguishable error (ErrMessageTooLarge) ++// to allow mime/multipart to detect it. ++var errMessageTooLarge = errors.New("message too large") ++ + // A Reader implements convenience methods for reading requests + // or responses from a text protocol network connection. + type Reader struct { +@@ -37,13 +41,13 @@ func NewReader(r *bufio.Reader) *Reader { + // ReadLine reads a single line from r, + // eliding the final \n or \r\n from the returned string. 
+ func (r *Reader) ReadLine() (string, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + return string(line), err + } + + // ReadLineBytes is like ReadLine but returns a []byte instead of a string. + func (r *Reader) ReadLineBytes() ([]byte, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -52,7 +56,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) { + return line, err + } + +-func (r *Reader) readLineSlice() ([]byte, error) { ++// readLineSlice reads a single line from r, ++// up to lim bytes long (or unlimited if lim is less than 0), ++// eliding the final \r or \r\n from the returned string. ++func (r *Reader) readLineSlice(lim int64) ([]byte, error) { + r.closeDot() + var line []byte + for { +@@ -60,6 +67,9 @@ func (r *Reader) readLineSlice() ([]byte, error) { + if err != nil { + return nil, err + } ++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim { ++ return nil, errMessageTooLarge ++ } + // Avoid the copy if the first call produced a full line. + if line == nil && !more { + return l, nil +@@ -92,7 +102,7 @@ func (r *Reader) readLineSlice() ([]byte, error) { + // Empty lines are never continued. + // + func (r *Reader) ReadContinuedLine() (string, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + return string(line), err + } + +@@ -113,7 +123,7 @@ func trim(s []byte) []byte { + // ReadContinuedLineBytes is like ReadContinuedLine but + // returns a []byte instead of a string. + func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -126,13 +136,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { + // returning a byte slice with all lines. 
The validateFirstLine function + // is run on the first read line, and if it returns an error then this + // error is returned from readContinuedLineSlice. +-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) { ++// It reads up to lim bytes of data (or unlimited if lim is less than 0). ++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) { + if validateFirstLine == nil { + return nil, fmt.Errorf("missing validateFirstLine func") + } + + // Read the first line. +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(lim) + if err != nil { + return nil, err + } +@@ -160,13 +171,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([ + // copy the slice into buf. + r.buf = append(r.buf[:0], trim(line)...) + ++ if lim < 0 { ++ lim = math.MaxInt64 ++ } ++ lim -= int64(len(r.buf)) ++ + // Read continuation lines. + for r.skipSpace() > 0 { +- line, err := r.readLineSlice() ++ r.buf = append(r.buf, ' ') ++ if int64(len(r.buf)) >= lim { ++ return nil, errMessageTooLarge ++ } ++ line, err := r.readLineSlice(lim - int64(len(r.buf))) + if err != nil { + break + } +- r.buf = append(r.buf, ' ') + r.buf = append(r.buf, trim(line)...) + } + return r.buf, nil +@@ -511,7 +530,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + // The first line cannot start with a leading space. 
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { +- line, err := r.readLineSlice() ++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote ++ line, err := r.readLineSlice(errorLimit) + if err != nil { + return m, err + } +@@ -519,7 +539,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + + for { +- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon) ++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon) + if len(kv) == 0 { + return m, err + } +@@ -540,7 +560,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + maxHeaders-- + if maxHeaders < 0 { +- return nil, errors.New("message too large") ++ return nil, errMessageTooLarge + } + + // backport 5c55ac9bf1e5f779220294c843526536605f42ab +@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + maxMemory -= int64(len(value)) + if maxMemory < 0 { +- // TODO: This should be a distinguishable error (ErrMessageTooLarge) +- // to allow mime/multipart to detect it. +- return m, errors.New("message too large") ++ return m, errMessageTooLarge + } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. 
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3ae0de1..db1ed91 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) { + } + } + ++func TestReadLineLongLine(t *testing.T) { ++ line := strings.Repeat("12345", 10000) ++ r := reader(line + "\r\n") ++ s, err := r.ReadLine() ++ if err != nil { ++ t.Fatalf("Line 1: %v", err) ++ } ++ if s != line { ++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line)) ++ } ++} ++ + func TestReadContinuedLine(t *testing.T) { + r := reader("line1\nline\n 2\nline3\n") + s, err := r.ReadContinuedLine() +-- +2.25.1 + -- 2.34.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
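Review bot: In the go-1.17.13.inc hunk the two new SRC_URI entries are added to the 1.17.13 recipe, while both patch files are created under meta/recipes-devtools/go/go-1.21/. Please confirm that directory is on the recipe's file search path on this branch, since otherwise `file://CVE-2023-45289.patch` and `file://CVE-2023-45290.patch` will not be found. The embedded patches also keep the upstream subject prefix [release-branch.go1.22], so the commit message should say whether the hunks apply unchanged to 1.17.13 or were adapted.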
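Review bot: In the jar.go hunk of CVE-2023-45289.patch, isIP now returns true for any host containing ':' or '%', which covers values that are accepted only because of the new check (the added test entry "::1%zone"), yet the doc comment above it still reads "isIP reports whether host is an IP address". The client.go hunk has the mirror-image gap: its comment starts "If sub contains a :" while the check is `strings.ContainsAny(sub, ":%")`. Both comments should name the two characters and say that the answer is deliberately conservative; as this is marked Upstream-Status: Backport, keep the patch as is here and raise the wording (and the "interpeting" / "subtomain" typos) upstream.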
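Review bot: In the header of CVE-2023-45290.patch the separator is fused onto the trailer: `+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>---`. CVE-2023-45289.patch in the same commit has `---` on its own line. Put it on its own line here as well so the Signed-off-by trailer and the diffstat separator are both parsed correctly.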
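Review bot: TestReadFormEndlessHeaderLine in the formdata_test.go hunk expects `ErrMessageTooLarge` from ReadForm, but the diffstat lists no non-test change under src/mime/multipart, and reader.go returns the unexported `errMessageTooLarge` (the moved TODO still says the error should be made distinguishable for mime/multipart). The test therefore relies on mime/multipart in the patched 1.17.13 tree already translating that error. Please confirm the test passes on this branch, or include the missing piece in the backport.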
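Review bot: The readContinuedLineSlice hunk in reader.go uses `math.MaxInt64`, but the import hunk (`@@ -16,6 +16,10 @@ import (`) adds only the errMessageTooLarge variable, so check that "math" is already imported in the patched 1.17.13 reader.go. In the same hunk `lim -= int64(len(r.buf))` runs before the loop, and the loop then compares against and subtracts `int64(len(r.buf))` again, so the first line is counted twice against the limit. That errs on the strict side and, as this is marked Upstream-Status: Backport, should stay as is, but it is worth a sentence in the commit message for anyone sizing maxMemory.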
* [OE-core][kirkstone 0/4] Patch review
@ 2025-12-29 23:03 Steve Sakoman
From: Steve Sakoman @ 2025-12-29 23:03 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, December 31
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2953
The following changes since commit c15faee8854e85e02693a041d88326f30b24ee92:
cross.bbclass: Propagate dependencies to outhash (2025-12-29 08:40:22 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Jiaying Song (1):
grub: fix CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664
Vijay Anusuri (3):
go: Update CVE-2025-58187
go: Fix CVE-2025-61727
go: Fix CVE-2025-61729
.../grub/files/CVE-2025-61661.patch | 40 ++
.../grub/files/CVE-2025-61662.patch | 72 +++
.../grub/files/CVE-2025-61663_61664.patch | 64 +++
meta/recipes-bsp/grub/grub2.inc | 3 +
meta/recipes-devtools/go/go-1.17.13.inc | 5 +-
...025-58187.patch => CVE-2025-58187-1.patch} | 0
.../go/go-1.18/CVE-2025-58187-2.patch | 516 ++++++++++++++++++
.../go/go-1.18/CVE-2025-61727.patch | 229 ++++++++
.../go/go-1.18/CVE-2025-61729.patch | 172 ++++++
9 files changed, 1100 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
rename meta/recipes-devtools/go/go-1.18/{CVE-2025-58187.patch => CVE-2025-58187-1.patch} (100%)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187-2.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61727.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61729.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-12-09 21:53 Steve Sakoman
From: Steve Sakoman @ 2025-12-09 21:53 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2836
The following changes since commit 80c7fd87fd95a79c6eb5f41b95cf70ccc70d9615:
systemd-bootchart: update SRC_URI branch (2025-12-01 07:13:56 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (2):
libxml2: Security fix for CVE-2025-7425
openssh: fix CVE-2025-61984
Peter Marko (2):
libpng: patch CVE-2025-66293
libmicrohttpd: disable experimental code by default
.../openssh/openssh/CVE-2025-61984.patch | 98 +++
.../openssh/openssh_8.9p1.bb | 1 +
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../libpng/files/CVE-2025-66293-01.patch | 60 ++
.../libpng/files/CVE-2025-66293-02.patch | 125 +++
.../libpng/libpng_1.6.39.bb | 2 +
.../libmicrohttpd/libmicrohttpd_0.9.76.bb | 3 +
8 files changed, 1092 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-10-29 2:54 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 30
Passed a-full on the autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2650
The following changes since commit 9b3dbd691f6ebdbdfe88cef3d3a676ddd1399c63:
python3: upgrade 3.10.18 -> 3.10.19 (2025-10-17 07:39:27 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
git: fix CVE-2025-48386
Peter Marko (1):
lz4: patch CVE-2025-62813
Yash Shinde (2):
binutils: fix CVE-2025-11081
binutils: fix CVE-2025-8225
.../binutils/binutils-2.38.inc | 2 +
.../binutils/0046-CVE-2025-11081.patch | 84 ++++++++++++++++
.../binutils/0047-CVE-2025-8225.patch | 47 +++++++++
.../git/git/CVE-2025-48386.patch | 97 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
.../lz4/files/CVE-2025-62813.patch | 69 +++++++++++++
meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +-
7 files changed, 303 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48386.patch
create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-08-05 16:43 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 7
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2150
The following changes since commit b4a2f74ba0b40abcdf56c4b58cae5f7ce145d511:
sqlite3: Fix CVE-2025-6965 (2025-07-29 06:39:06 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Peter Marko (3):
sqlite3: patch CVE-2025-7458
sqlite3: ignore CVE-2025-3277
glibc: stable 2.35 branch updates
Zhang Peng (1):
avahi: fix CVE-2024-52615
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2024-52615.patch | 228 ++++++++++++++++
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/0025-CVE-2025-4802.patch | 250 ------------------
meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++
.../sqlite/files/CVE-2025-7458.patch | 32 +++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 4 +
8 files changed, 358 insertions(+), 252 deletions(-)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
delete mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-04-15 20:52 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-04-15 20:52 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 17
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1401
The following changes since commit 7399cf17590204f8289f356cce4575592d6e3536:
ghostscript: Fix CVE-2025-27836 (2025-04-08 08:36:03 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Divya Chellam (1):
ruby: fix CVE-2024-43398
Hitendra Prajapati (1):
go: fix CVE-2025-22871
Peter Marko (2):
cve-update-nvd2-native: add workaround for json5 style list
systemd: ignore CVEs which reappeared after upgrade to 250.14
.../meta/cve-update-nvd2-native.bb | 5 +
meta/recipes-core/systemd/systemd.inc | 3 +
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2025-22871.patch | 172 ++++++++++++++++++
.../ruby/ruby/CVE-2024-43398.patch | 81 +++++++++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
6 files changed, 263 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-03-27 14:43 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-03-27 14:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 31
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1277
The following changes since commit 1172a71f2104454a13e64886adbdb381aa8d6e0e:
libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt (2025-03-21 06:48:11 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (2):
linux-yocto/5.15: update to v5.15.179
linux-yocto/5.10: update to v5.10.234
Peter Marko (1):
python3: patch CVE-2025-0938
Vijay Anusuri (1):
vim: Upgrade 9.1.1115 -> 9.1.1198
.../python/python3/CVE-2025-0938.patch | 131 ++++++++++++++++++
.../python/python3_3.10.16.bb | 1 +
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 ++--
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 ++--
meta/recipes-support/vim/vim.inc | 4 +-
9 files changed, 172 insertions(+), 40 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2025-01-31 14:15 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-01-31 14:15 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, February 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/911
The following changes since commit 077aab43f2c928eb8da71934405c62327010f552:
classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture (2025-01-20 06:06:07 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepesh Varatharajan (1):
glibc: stable 2.35 branch updates
Peter Marko (1):
openssl: patch CVE-2024-13176
Yash Shinde (2):
binutils: internal gdb: Fix CVE-2024-53589
gdb: Fix CVE-2024-53589
.../openssl/openssl/CVE-2024-13176.patch | 125 ++++++++++++++++++
.../openssl/openssl_3.0.15.bb | 1 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0037-CVE-2024-53589.patch | 92 +++++++++++++
meta/recipes-devtools/gdb/gdb.inc | 1 +
.../gdb/gdb/0014-CVE-2024-53589.patch | 92 +++++++++++++
7 files changed, 313 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0037-CVE-2024-53589.patch
create mode 100644 meta/recipes-devtools/gdb/gdb/0014-CVE-2024-53589.patch
--
2.43.0
* [OE-core][kirkstone 0/4] Patch review
@ 2024-02-01 19:37 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2024-02-01 19:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, February 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6513
The following changes since commit a744a897f0ea7d34c31c024c13031221f9a85f24:
build-appliance-image: Update to kirkstone head revision (2024-01-25 04:06:50 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
python3-jinja2: upgrade 3.1.1 -> 3.1.2
Lee Chee Yang (1):
xwayland: Fix CVE-2023-6377 CVE-2023-6478
Ludovic Jozeau (1):
image-live.bbclass: LIVE_ROOTFS_TYPE support compression
Wang Mingyu (1):
python3-jinja2: upgrade 3.1.2 -> 3.1.3
meta/classes/image-live.bbclass | 2 +-
...inja2_3.1.1.bb => python3-jinja2_3.1.3.bb} | 2 +-
.../xwayland/xwayland/CVE-2023-6377.patch | 82 +++++++++++++++++++
.../xwayland/xwayland/CVE-2023-6478.patch | 66 +++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 2 +
5 files changed, 152 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/python/{python3-jinja2_3.1.1.bb => python3-jinja2_3.1.3.bb} (92%)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
--
2.34.1
* [OE-core][kirkstone 0/4] Patch review
@ 2023-12-29 16:07 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2023-12-29 16:07 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, January 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6384
The following changes since commit 2afd9a6002cba2a23dd62a1805b4be04083c041b:
testimage: Exclude wtmp from target-dumper commands (2023-12-20 11:40:13 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (2):
openssh: fix CVE-2023-51384
openssh: fix CVE-2023-51385
Khem Raj (1):
elfutils: Disable stringop-overflow warning for build host
Steve Sakoman (1):
testimage: drop target_dumper, host_dumper, and monitor_dumper
meta/classes/testimage.bbclass | 24 ---
.../openssh/openssh/CVE-2023-51384.patch | 171 ++++++++++++++++++
.../openssh/openssh/CVE-2023-51385.patch | 97 ++++++++++
.../openssh/openssh_8.9p1.bb | 2 +
.../elfutils/elfutils_0.186.bb | 2 +
5 files changed, 272 insertions(+), 24 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
--
2.34.1