From: "akuster" <akuster808@gmail.com>
To: Martin Jansa <martin.jansa@gmail.com>
Cc: Rahul Taya <Rahul.Taya@kpit.com>,
"Openembedded-core@lists.openembedded.org"
<Openembedded-core@lists.openembedded.org>,
"raj.khem@gmail.com" <raj.khem@gmail.com>,
Nisha Parrakat <Nisha.Parrakat@kpit.com>,
Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
Subject: Re: [OE-core] [meta-openembedded][dunfell][PATCH] nghttp2: Add fix for CVE-2020-11080
Date: Sun, 21 Feb 2021 10:43:50 -0800 [thread overview]
Message-ID: <fe7724f4-8941-fd23-97f0-6d260bdca29d@gmail.com> (raw)
In-Reply-To: <CA+chaQeiJaB2ngYNTsSgnD_MRy1COxUk5ivOfJxF2eLnO4Wi+A@mail.gmail.com>
On 2/20/21 4:07 PM, Martin Jansa wrote:
> Looks like this version of the patch got merged to meta-oe today and
> it fails to apply cleanly, will send update.
it got pushed into dunfell-next which was then removed.
-armin
>
> On Wed, Feb 17, 2021 at 4:20 PM akuster <akuster808@gmail.com
> <mailto:akuster808@gmail.com>> wrote:
>
>
>
> On 2/17/21 12:57 AM, Rahul Taya wrote:
> > Hi,
> >
> > I have backported this patch from Master branch as in
> master(v1.43.0)
> > and Gatesgarth(v1.41.0) the code of this patch is already present in
> > the source code so it is only applicable for Dunfell(v1.40.0) and
> > Zeus(v1.39.1) branch.
> >
> > Yes i will add my signoff in the patch.
> >
> > *Can you please tell which is the correct ML for sending this
> patch ?*
> openembedded-devel@lists.openembedded.org
> <mailto:openembedded-devel@lists.openembedded.org>
>
>
> Also I am seeing this this error.
>
> Applying patch CVE-2020-11080.patch
> patching file doc/CMakeLists.txt
> patching file doc/Makefile.am
> Hunk #1 FAILED at 69.
> 1 out of 1 hunk FAILED -- rejects in file doc/Makefile.am
> patching file lib/includes/nghttp2/nghttp2.h
> patching file lib/nghttp2_helper.c
> patching file lib/nghttp2_option.c
> patching file lib/nghttp2_option.h
> patching file lib/nghttp2_session.c
> Hunk #3 succeeded at 5694 (offset 31 lines).
> Hunk #4 succeeded at 7470 (offset 29 lines).
> patching file lib/nghttp2_session.h
> patching file tests/main.c
> Hunk #1 succeeded at 315 (offset -2 lines).
> patching file tests/nghttp2_session_test.c
> Hunk #1 succeeded at 10558 (offset -56 lines).
> patching file tests/nghttp2_session_test.h
> Patch CVE-2020-11080.patch does not apply (enforce with -f)*
> *
> -armin*
> *
> >
> > Thanks and Regards,
> > Rahul Taya
> >
> ------------------------------------------------------------------------
> > *From:* akuster808 <akuster808@gmail.com
> <mailto:akuster808@gmail.com>>
> > *Sent:* Tuesday, February 16, 2021 9:32 PM
> > *To:* Rahul Taya <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>>;
> > Openembedded-core@lists.openembedded.org
> <mailto:Openembedded-core@lists.openembedded.org>
> > <Openembedded-core@lists.openembedded.org
> <mailto:Openembedded-core@lists.openembedded.org>>;
> raj.khem@gmail.com <mailto:raj.khem@gmail.com>
> > <raj.khem@gmail.com <mailto:raj.khem@gmail.com>>
> > *Cc:* Nisha Parrakat <Nisha.Parrakat@kpit.com
> <mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur Bhandari
> > <Harpritkaur.Bhandari@kpit.com
> <mailto:Harpritkaur.Bhandari@kpit.com>>
> > *Subject:* Re: [OE-core] [meta-openembedded][dunfell][PATCH]
> nghttp2:
> > Add fix for CVE-2020-11080
> >
> >
> >
> > On 2/16/21 12:39 AM, Rahul Taya wrote:
> > > Added patch for CVE-2020-11080 taken from below link:
> > >
> >
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Fcommit%2F336a98feb0d56b9ac54e12736b18785c27f75090&data=04%7C01%7CRahul.Taya%40kpit.com%7C81c7b0a589c54fd9815d08d8d2944b5f%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637490881707290985%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LO7%2BKX%2F6ZD4VSi85fOVS%2FydUAFSH1kCUamqOyQcV0Ww%3D&reserved=0
> > >
> > > Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com
> <mailto:Rahul.Taya@kpit.com>>
> > Wrong ML.
> >
> > Is master or Gatesgath affected by this?
> >
> > Also the patch it self is missing your signoff.
> >
> > -armin
> > > ---
> > > .../nghttp2/nghttp2/CVE-2020-11080.patch | 306
> ++++++++++++++++++
> > > .../recipes-support/nghttp2/nghttp2_1.40.0.bb
> <http://nghttp2_1.40.0.bb> | 1 +
> > > 2 files changed, 307 insertions(+)
> > > create mode 100644
> > meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080.patch
> > >
> > > diff --git
> >
> a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080.patch
> >
> b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080.patch
> > > new file mode 100644
> > > index 000000000..a376e5372
> > > --- /dev/null
> > > +++
> >
> b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080.patch
> > > @@ -0,0 +1,306 @@
> > > +From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17
> 00:00:00 2001
> > > +From: James M Snell <jasnell@gmail.com
> <mailto:jasnell@gmail.com>>
> > > +Date: Fri, 17 Apr 2020 16:53:51 -0700
> > > +Subject: [PATCH] Implement max settings option
> > > +
> > > +CVE: CVE-2020-11080
> > > +Upstream-Status: Backport
> >
> [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Fcommit%2F336a98feb0d56b9ac54e12736b18785c27f75090&data=04%7C01%7CRahul.Taya%40kpit.com%7C81c7b0a589c54fd9815d08d8d2944b5f%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637490881707290985%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LO7%2BKX%2F6ZD4VSi85fOVS%2FydUAFSH1kCUamqOyQcV0Ww%3D&reserved=0]
> > > +Comment: No hunks refreshed
> > > +---
> > > + doc/CMakeLists.txt | 1 +
> > > + doc/Makefile.am | 1 +
> > > + lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
> > > + lib/nghttp2_helper.c | 2 ++
> > > + lib/nghttp2_option.c | 5 +++
> > > + lib/nghttp2_option.h | 5 +++
> > > + lib/nghttp2_session.c | 21 ++++++++++++
> > > + lib/nghttp2_session.h | 2 ++
> > > + tests/main.c | 2 ++
> > > + tests/nghttp2_session_test.c | 61
> ++++++++++++++++++++++++++++++++++
> > > + tests/nghttp2_session_test.h | 1 +
> > > + 11 files changed, 124 insertions(+)
> > > +
> > > +diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
> > > +index 34c027929..f3aec84da 100644
> > > +--- a/doc/CMakeLists.txt
> > > ++++ b/doc/CMakeLists.txt
> > > +@@ -42,6 +42,7 @@ set(APIDOCS
> > > + nghttp2_option_set_no_recv_client_magic.rst
> > > + nghttp2_option_set_peer_max_concurrent_streams.rst
> > > + nghttp2_option_set_user_recv_extension_type.rst
> > > ++ nghttp2_option_set_max_settings.rst
> > > + nghttp2_pack_settings_payload.rst
> > > + nghttp2_priority_spec_check_default.rst
> > > + nghttp2_priority_spec_default_init.rst
> > > +diff --git a/doc/Makefile.am b/doc/Makefile.am
> > > +index 4d73cef50..f073bfa4c 100644
> > > +--- a/doc/Makefile.am
> > > ++++ b/doc/Makefile.am
> > > +@@ -69,6 +69,7 @@ APIDOCS= \
> > > + nghttp2_option_set_peer_max_concurrent_streams.rst \
> > > + nghttp2_option_set_user_recv_extension_type.rst \
> > > + nghttp2_option_set_max_outbound_ack.rst \
> > > ++ nghttp2_option_set_max_settings.rst \
> > > + nghttp2_pack_settings_payload.rst \
> > > + nghttp2_priority_spec_check_default.rst \
> > > + nghttp2_priority_spec_default_init.rst \
> > > +diff --git a/lib/includes/nghttp2/nghttp2.h
> > b/lib/includes/nghttp2/nghttp2.h
> > > +index e3aeb9fed..9be6eea5c 100644
> > > +--- a/lib/includes/nghttp2/nghttp2.h
> > > ++++ b/lib/includes/nghttp2/nghttp2.h
> > > +@@ -228,6 +228,13 @@ typedef struct {
> > > + */
> > > + #define NGHTTP2_CLIENT_MAGIC_LEN 24
> > > +
> > > ++/**
> > > ++ * @macro
> > > ++ *
> > > ++ * The default max number of settings per SETTINGS frame
> > > ++ */
> > > ++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
> > > ++
> > > + /**
> > > + * @enum
> > > + *
> > > +@@ -398,6 +405,11 @@ typedef enum {
> > > + * receives an other type of frame.
> > > + */
> > > + NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
> > > ++ /**
> > > ++ * When a local endpoint receives too many settings entries
> > > ++ * in a single SETTINGS frame.
> > > ++ */
> > > ++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
> > > + /**
> > > + * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the
> library is
> > > + * under unexpected condition and processing was
> terminated (e.g.,
> > > +@@ -2659,6 +2671,17 @@ NGHTTP2_EXTERN void
> > nghttp2_option_set_no_closed_streams(nghttp2_option *option,
> > > + NGHTTP2_EXTERN void
> > nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
> > > +
> size_t val);
> > > +
> > > ++/**
> > > ++ * @function
> > > ++ *
> > > ++ * This function sets the maximum number of SETTINGS entries per
> > > ++ * SETTINGS frame that will be accepted. If more than those
> entries
> > > ++ * are received, the peer is considered to be misbehaving
> and session
> > > ++ * will be closed. The default value is 32.
> > > ++ */
> > > ++NGHTTP2_EXTERN void
> nghttp2_option_set_max_settings(nghttp2_option
> > *option,
> > > ++ size_t val);
> > > ++
> > > + /**
> > > + * @function
> > > + *
> > > +diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
> > > +index 91136a619..0bd541472 100644
> > > +--- a/lib/nghttp2_helper.c
> > > ++++ b/lib/nghttp2_helper.c
> > > +@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int
> error_code) {
> > > + case NGHTTP2_ERR_FLOODED:
> > > + return "Flooding was detected in this HTTP/2 session, and it
> > must be "
> > > + "closed";
> > > ++ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
> > > ++ return "SETTINGS frame contained more than the maximum
> allowed
> > entries";
> > > + default:
> > > + return "Unknown error code";
> > > + }
> > > +diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
> > > +index e53f22d36..34348e660 100644
> > > +--- a/lib/nghttp2_option.c
> > > ++++ b/lib/nghttp2_option.c
> > > +@@ -121,3 +121,8 @@ void
> > nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
> size_t val) {
> > > + option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
> > > + option->max_outbound_ack = val;
> > > + }
> > > ++
> > > ++void nghttp2_option_set_max_settings(nghttp2_option *option,
> > size_t val) {
> > > ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
> > > ++ option->max_settings = val;
> > > ++}
> > > +diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
> > > +index 1f740aaa6..939729fdc 100644
> > > +--- a/lib/nghttp2_option.h
> > > ++++ b/lib/nghttp2_option.h
> > > +@@ -67,6 +67,7 @@ typedef enum {
> > > + NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
> > > + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
> > > + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
> > > ++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
> > > + } nghttp2_option_flag;
> > > +
> > > + /**
> > > +@@ -85,6 +86,10 @@ struct nghttp2_option {
> > > + * NGHTTP2_OPT_MAX_OUTBOUND_ACK
> > > + */
> > > + size_t max_outbound_ack;
> > > ++ /**
> > > ++ * NGHTTP2_OPT_MAX_SETTINGS
> > > ++ */
> > > ++ size_t max_settings;
> > > + /**
> > > + * Bitwise OR of nghttp2_option_flag to determine that
> which fields
> > > + * are specified.
> > > +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
> > > +index 563ccd7de..415e34776 100644
> > > +--- a/lib/nghttp2_session.c
> > > ++++ b/lib/nghttp2_session.c
> > > +@@ -458,6 +458,7 @@ static int session_new(nghttp2_session
> > **session_ptr,
> > > +
> > > + (*session_ptr)->max_send_header_block_length =
> > NGHTTP2_MAX_HEADERSLEN;
> > > + (*session_ptr)->max_outbound_ack =
> > NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
> > > ++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
> > > +
> > > + if (option) {
> > > + if ((option->opt_set_mask &
> NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
> > > +@@ -521,6 +522,11 @@ static int session_new(nghttp2_session
> > **session_ptr,
> > > + if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
> > > + (*session_ptr)->max_outbound_ack =
> option->max_outbound_ack;
> > > + }
> > > ++
> > > ++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
> > > ++ option->max_settings) {
> > > ++ (*session_ptr)->max_settings = option->max_settings;
> > > ++ }
> > > + }
> > > +
> > > + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
> > > +@@ -5657,6 +5663,16 @@ ssize_t
> > nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t
> *in,
> > > + iframe->max_niv =
> > > + iframe->frame.hd.length /
> > NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
> > > +
> > > ++ if (iframe->max_niv - 1 > session->max_settings) {
> > > ++ rv = nghttp2_session_terminate_session_with_reason(
> > > ++ session, NGHTTP2_ENHANCE_YOUR_CALM,
> > > ++ "SETTINGS: too many setting entries");
> > > ++ if (nghttp2_is_fatal(rv)) {
> > > ++ return rv;
> > > ++ }
> > > ++ return (ssize_t)inlen;
> > > ++ }
> > > ++
> > > + iframe->iv = nghttp2_mem_malloc(mem,
> > sizeof(nghttp2_settings_entry) *
> > > +
> iframe->max_niv);
> > > +
> > > +@@ -7425,6 +7441,11 @@ static int
> > nghttp2_session_upgrade_internal(nghttp2_session *session,
> > > + if (settings_payloadlen %
> NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
> > > + return NGHTTP2_ERR_INVALID_ARGUMENT;
> > > + }
> > > ++ /* SETTINGS frame contains too many settings */
> > > ++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
> > > ++ > session->max_settings) {
> > > ++ return NGHTTP2_ERR_TOO_MANY_SETTINGS;
> > > ++ }
> > > + rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv,
> > settings_payload,
> > > +
> settings_payloadlen,
> > mem);
> > > + if (rv != 0) {
> > > +diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
> > > +index d20827315..07bfbb6c9 100644
> > > +--- a/lib/nghttp2_session.h
> > > ++++ b/lib/nghttp2_session.h
> > > +@@ -267,6 +267,8 @@ struct nghttp2_session {
> > > + /* The maximum length of header block to send. Calculated
> by the
> > > + same way as nghttp2_hd_deflate_bound() does. */
> > > + size_t max_send_header_block_length;
> > > ++ /* The maximum number of settings accepted per SETTINGS
> frame. */
> > > ++ size_t max_settings;
> > > + /* Next Stream ID. Made unsigned int to detect >= (1 <<
> 31). */
> > > + uint32_t next_stream_id;
> > > + /* The last stream ID this session initiated. For client
> session,
> > > +diff --git a/tests/main.c b/tests/main.c
> > > +index 41e0b03eb..67eb4a1c2 100644
> > > +--- a/tests/main.c
> > > ++++ b/tests/main.c
> > > +@@ -317,6 +317,8 @@ int main() {
> > > +
> test_nghttp2_session_set_local_window_size) ||
> > > + !CU_add_test(pSuite,
> "session_cancel_from_before_frame_send",
> > > +
> > test_nghttp2_session_cancel_from_before_frame_send) ||
> > > ++ !CU_add_test(pSuite, "session_too_many_settings",
> > > ++ test_nghttp2_session_too_many_settings) ||
> > > + !CU_add_test(pSuite, "session_removed_closed_stream",
> > > +
> test_nghttp2_session_removed_closed_stream) ||
> > > + !CU_add_test(pSuite, "session_pause_data",
> > > +diff --git a/tests/nghttp2_session_test.c
> > b/tests/nghttp2_session_test.c
> > > +index 6eb8e244d..33ee3ad84 100644
> > > +--- a/tests/nghttp2_session_test.c
> > > ++++ b/tests/nghttp2_session_test.c
> > > +@@ -10614,6 +10614,67 @@ void
> > test_nghttp2_session_cancel_from_before_frame_send(void) {
> > > + nghttp2_session_del(session);
> > > + }
> > > +
> > > ++void test_nghttp2_session_too_many_settings(void) {
> > > ++ nghttp2_session *session;
> > > ++ nghttp2_option *option;
> > > ++ nghttp2_session_callbacks callbacks;
> > > ++ nghttp2_frame frame;
> > > ++ nghttp2_bufs bufs;
> > > ++ nghttp2_buf *buf;
> > > ++ ssize_t rv;
> > > ++ my_user_data ud;
> > > ++ nghttp2_settings_entry iv[3];
> > > ++ nghttp2_mem *mem;
> > > ++ nghttp2_outbound_item *item;
> > > ++
> > > ++ mem = nghttp2_mem_default();
> > > ++ frame_pack_bufs_init(&bufs);
> > > ++
> > > ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
> > > ++ callbacks.on_frame_recv_callback = on_frame_recv_callback;
> > > ++ callbacks.send_callback = null_send_callback;
> > > ++
> > > ++ nghttp2_option_new(&option);
> > > ++ nghttp2_option_set_max_settings(option, 1);
> > > ++
> > > ++ nghttp2_session_client_new2(&session, &callbacks, &ud,
> option);
> > > ++
> > > ++ CU_ASSERT(1 == session->max_settings);
> > > ++
> > > ++ nghttp2_option_del(option);
> > > ++
> > > ++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
> > > ++ iv[0].value = 3000;
> > > ++
> > > ++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
> > > ++ iv[1].value = 16384;
> > > ++
> > > ++ nghttp2_frame_settings_init(&frame.settings,
> NGHTTP2_FLAG_NONE,
> > dup_iv(iv, 2),
> > > ++ 2);
> > > ++
> > > ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
> > > ++
> > > ++ CU_ASSERT(0 == rv);
> > > ++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
> > > ++
> > > ++ nghttp2_frame_settings_free(&frame.settings, mem);
> > > ++
> > > ++ buf = &bufs.head->buf;
> > > ++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
> > > ++
> > > ++ ud.frame_recv_cb_called = 0;
> > > ++
> > > ++ rv = nghttp2_session_mem_recv(session, buf->pos,
> > nghttp2_buf_len(buf));
> > > ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
> > > ++
> > > ++ item = nghttp2_session_get_next_ob_item(session);
> > > ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
> > > ++
> > > ++ nghttp2_bufs_reset(&bufs);
> > > ++ nghttp2_bufs_free(&bufs);
> > > ++ nghttp2_session_del(session);
> > > ++}
> > > ++
> > > + static void
> > > + prepare_session_removed_closed_stream(nghttp2_session *session,
> > > + nghttp2_hd_deflater
> *deflater) {
> > > +diff --git a/tests/nghttp2_session_test.h
> > b/tests/nghttp2_session_test.h
> > > +index e872c5d0b..818c808d0 100644
> > > +--- a/tests/nghttp2_session_test.h
> > > ++++ b/tests/nghttp2_session_test.h
> > > +@@ -156,6 +156,7 @@ void
> > test_nghttp2_session_repeated_priority_change(void);
> > > + void test_nghttp2_session_repeated_priority_submission(void);
> > > + void test_nghttp2_session_set_local_window_size(void);
> > > + void test_nghttp2_session_cancel_from_before_frame_send(void);
> > > ++void test_nghttp2_session_too_many_settings(void);
> > > + void test_nghttp2_session_removed_closed_stream(void);
> > > + void test_nghttp2_session_pause_data(void);
> > > + void test_nghttp2_session_no_closed_streams(void);
> > > diff --git
> > a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
> <http://nghttp2_1.40.0.bb>
> > b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
> <http://nghttp2_1.40.0.bb>
> > > index 9ed8c5642..b212ede4d 100644
> > > ---
> a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
> <http://nghttp2_1.40.0.bb>
> > > +++
> b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
> <http://nghttp2_1.40.0.bb>
> > > @@ -10,6 +10,7 @@ UPSTREAM_CHECK_URI =
> >
> "https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Freleases&data=04%7C01%7CRahul.Taya%40kpit.com%7C81c7b0a589c54fd9815d08d8d2944b5f%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637490881707290985%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=misO%2FSEpB92THW3xVx9%2BWkvFsdI3Z%2FL%2Fy%2FdMcEG88AY%3D&reserved=0"
> > > SRC_URI = "\
> > >
> >
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Freleases%2Fdownload%2Fv%24&data=04%7C01%7CRahul.Taya%40kpit.com%7C81c7b0a589c54fd9815d08d8d2944b5f%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637490881707290985%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tq%2BGz4zgfP84bLfqf2UAI384FMhi%2BU4KvPghoPjGR9Y%3D&reserved=0{PV}/nghttp2-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Freleases%2Fdownload%2Fv%24&data=04%7C01%7CRahul.Taya%40kpit.com%7C81c7b0a589c54fd9815d08d8d2944b5f%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637490881707290985%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tq%2BGz4zgfP84bLfqf2UAI384FMhi%2BU4KvPghoPjGR9Y%3D&reserved=0%7BPV%7D/nghttp2-$%7BPV%7D.tar.xz>
> > \
> > > file://0001-fetch-ocsp-response-use-python3.patch \
> > > + file://CVE-2020-11080.patch \
> > > "
> > > SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c"
> > > SRC_URI[sha256sum] =
> > "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073"
> > > --
> > > 2.17.1
> > >
> > > This message contains information that may be privileged or
> > confidential and is the property of the KPIT Technologies Ltd. It is
> > intended only for the person to whom it is addressed. If you are not
> > the intended recipient, you are not authorized to read, print,
> retain
> > copy, disseminate, distribute, or use this message or any part
> > thereof. If you receive this message in error, please notify the
> > sender immediately and delete all copies of this message. KPIT
> > Technologies Ltd. does not accept any liability for virus
> infected mails.
> > >
> > >
> > >
> >
> > This message contains information that may be privileged or
> > confidential and is the property of the KPIT Technologies Ltd. It is
> > intended only for the person to whom it is addressed. If you are not
> > the intended recipient, you are not authorized to read, print,
> retain
> > copy, disseminate, distribute, or use this message or any part
> > thereof. If you receive this message in error, please notify the
> > sender immediately and delete all copies of this message. KPIT
> > Technologies Ltd. does not accept any liability for virus
> infected mails.
>
>
>
>
next prev parent reply other threads:[~2021-02-21 18:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-16 8:39 [meta-openembedded][dunfell][PATCH] nghttp2: Add fix for CVE-2020-11080 Rahul Taya
2021-02-16 16:02 ` [OE-core] " akuster
2021-02-17 8:57 ` Rahul Taya
2021-02-17 15:18 ` Anuj Mittal
2021-02-17 15:20 ` akuster
2021-02-21 0:07 ` Martin Jansa
2021-02-21 18:43 ` akuster [this message]
2021-02-24 8:11 ` Rahul Taya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe7724f4-8941-fd23-97f0-6d260bdca29d@gmail.com \
--to=akuster808@gmail.com \
--cc=Harpritkaur.Bhandari@kpit.com \
--cc=Nisha.Parrakat@kpit.com \
--cc=Openembedded-core@lists.openembedded.org \
--cc=Rahul.Taya@kpit.com \
--cc=martin.jansa@gmail.com \
--cc=raj.khem@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox