[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.3-80-g625ce14

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Fri Nov 2 15:53:39 PDT 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, master-next has been updated
       via  625ce142a57442eebe3375759c4391c9220a99b4 (commit)
       via  2d80bd199fcc3bdb0b7f12d55c1d51e7838eadfa (commit)
       via  a55fa4a0a54f8d4f3d2a29ca6e3cc14265a1d74d (commit)
       via  963de58f19d3118d7bd84ede8c2edbdb2acd7727 (commit)
       via  e183f6551e3d316b9b2df9bbcc6b99ac26ffe749 (commit)
       via  82d686ec7c13262c372a8404befb039c0fcab145 (commit)
       via  ebf6b688f694ff9145261e470edacef155c65001 (commit)
       via  02b4338d10acfd4d0e122dcc63ada325dc3e4bfa (commit)
       via  de022f3545d7b89c71369f7e58b21b88bc99e6a6 (commit)
       via  622b33eedf7e7f82db0dd896fa9045f1d718ebbc (commit)
       via  738d8ce29ea7e05809c260b22e54cd3857d3450d (commit)
       via  25f6c153b0cafad2e80e4b9e5f92ca69c8504432 (commit)
      from  5c5e0423ba9e32b91c5c19b502243a34b0c72847 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 625ce142a57442eebe3375759c4391c9220a99b4
Author: Hongxu Jia <hongxu.jia at windriver.com>
Date:   Fri Nov 2 17:52:51 2018 +0800

    elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
    
    These CVE fixes come from upstream master branch and no
    new version released, so backport rather than upgrade.
    
    Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 2d80bd199fcc3bdb0b7f12d55c1d51e7838eadfa
Author: Hongxu Jia <hongxu.jia at windriver.com>
Date:   Fri Nov 2 17:52:50 2018 +0800

    elfutils: 0.173 -> 0.174
    
    - Drop backport fixes
      CVE-2018-16062.patch
      0001-libdw-Check-end-of-attributes-list-consistently.patch
      0002-libelf-Return-error-if-elf_compress_gnu-is-used-on-S.patch
    
    - Rebase 0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch
    
    Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit a55fa4a0a54f8d4f3d2a29ca6e3cc14265a1d74d
Author: Serhey Popovych <serhe.popovych at gmail.com>
Date:   Thu Nov 1 19:21:10 2018 +0200

    libgpg-error: Support build for native on ppc64/ppc64le hosts
    
    Both RHEL and SLES use ppc64/ppc64le for powerpc 64 bit big/little
    endian targets instead of powerpc64/powerpc64le in libgpg-error.
    
    Also libgpg-error provides common target system names in form like
    <arch>-unknown-linux-gnu.
    
    Add mapping for ppc64/ppc64le targets to their libgpg-error equivalents
    to fix native builds.
    
    Cross build for arm64 tested on IBM Power 8 machine with RHEL7 for
    ppc64le variant only, but should work for ppc64 as well.
    
    Signed-off-by: Serhey Popovych <serhe.popovych at gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 963de58f19d3118d7bd84ede8c2edbdb2acd7727
Author: Kai Kang <kai.kang at windriver.com>
Date:   Fri Nov 2 16:02:14 2018 +0800

    openssl: fix CVE-2018-0735 for 1.1.1
    
    Backport patch to fix CVE-2018-0735 for openssl 1.1.1.
    
    Signed-off-by: Kai Kang <kai.kang at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit e183f6551e3d316b9b2df9bbcc6b99ac26ffe749
Author: Kai Kang <kai.kang at windriver.com>
Date:   Fri Nov 2 16:02:13 2018 +0800

    openssl: fix CVE-2018-0734 for both 1.0.2p and 1.1.1
    
    Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1
    versions.
    
    Signed-off-by: Kai Kang <kai.kang at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 82d686ec7c13262c372a8404befb039c0fcab145
Author: Anuj Mittal <anuj.mittal at intel.com>
Date:   Fri Nov 2 14:58:52 2018 +0800

    xf86-video-intel: update to latest
    
    For changes, please see:
    
    https://cgit.freedesktop.org/xorg/driver/xf86-video-intel/log/?qt=range&q=e4fe79cf0d9a05ee3f3a027148ef0aeb2b1b34e1...0932a6b37ba6d5c9e916a1cb6ab89c3205b81a0c
    
    Enable sna by default and remove upstreamed patches.
    
    Also include a patch from fedora to fix compile issues when using
    qemux86 which doesn't enable sse2 leading to gcc refusing to
    inline vertex_emit_2s in emit_vertex because they are defined as:
    
      static __attribute__((always_inline)) void
      vertex_emit_2s(struct sna *sna, int16_t x, int16_t y)
    
      __attribute__((target("sse2,fpmath=sse"))) __attribute__((always_inline))
      static void emit_vertex(/* omitted */)
    
    leading to errors like:
    
    | In file included from ../../../git/src/sna/gen4_vertex.c:34:
    | ../../../git/src/sna/gen4_vertex.c: In function 'emit_vertex':
    | ../../../git/src/sna/sna_render_inline.h:40:26: error: inlining failed in call to always_inline 'vertex_emit_2s': target specific option mismatch
    |  static force_inline void vertex_emit_2s(struct sna *sna, int16_t x, int16_t y)
    |                           ^~~~~~~~~~~~~~
    | ../../../git/src/sna/gen4_vertex.c:308:25: note: called from here
    |  #define OUT_VERTEX(x,y) vertex_emit_2s(sna, x,y) /* XXX assert(!too_large(x, y)); */
    |                          ^~~~~~~~~~~~~~~~~~~~~~~~
    | ../../../git/src/sna/gen4_vertex.c:360:2: note: in expansion of macro 'OUT_VERTEX'
    |   OUT_VERTEX(dstX, dstY);
    |   ^~~~~~~~~~
    
    Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit ebf6b688f694ff9145261e470edacef155c65001
Author: Changqing Li <changqing.li at windriver.com>
Date:   Fri Nov 2 14:08:57 2018 +0800

    unzip: fix for CVE-2018-18384
    
    Signed-off-by: Changqing Li <changqing.li at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 02b4338d10acfd4d0e122dcc63ada325dc3e4bfa
Author: Changqing Li <changqing.li at windriver.com>
Date:   Fri Nov 2 14:08:45 2018 +0800

    qemu: fix for CVE-2018-10839
    
    Signed-off-by: Changqing Li <changqing.li at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit de022f3545d7b89c71369f7e58b21b88bc99e6a6
Author: Chen Qi <Qi.Chen at windriver.com>
Date:   Fri Nov 2 12:42:43 2018 +0800

    systemd: fix CVE-2018-15688
    
    Backport patch to fix the following CVE.
    
    CVE: CVE-2018-15688
    
    Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 622b33eedf7e7f82db0dd896fa9045f1d718ebbc
Author: Chen Qi <Qi.Chen at windriver.com>
Date:   Fri Nov 2 12:42:42 2018 +0800

    systemd: fix CVE-2018-15687
    
    Backport patch to fix the following CVE.
    
    CVE: CVE-2018-15687
    
    Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 738d8ce29ea7e05809c260b22e54cd3857d3450d
Author: Chen Qi <Qi.Chen at windriver.com>
Date:   Fri Nov 2 12:42:41 2018 +0800

    systemd: fix CVE-2018-15686
    
    Backport patch to fix the following CVE.
    
    CVE: CVE-2018-15686
    
    Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 25f6c153b0cafad2e80e4b9e5f92ca69c8504432
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date:   Fri Nov 2 13:13:43 2018 +0000

    oeqa/runtime/ptest: Inject results+logs into stored json results file
    
    This allows the ptest results from ptest-runner, run in an image to be
    transferred over to the resulting json results output.
    
    Each test is given a pass/skip/fail so individual results can be monitored
    and the raw log output from the ptest-runner is also dumped into the
    results json file as this means after the fact debugging becomes much easier.
    
    Currently the log output is not split up per test but that would make a good
    future enhancement.
    
    I attempted to implement this as python subTests however it failed as the
    output was too confusing, subTests don't support any kind of log
    output handling, subTest successes aren't logged and it was making things
    far more complex than they needed to be.
    
    We mark ptest-runner as "EXPECTEDFAILURE" since it's unlikely every ptest
    will pass currently and we don't want that to fail the whole image test run.
    It's assumed there would be later analysis of the json output to determine
    regressions. We do have to change the test runner code so that
    'unexpectedsuccess' is not a failure.
    
    Also, the test names are manipulated to remove spaces and brackets with
    "_" used as a replacement and any duplicate occurrences truncated.
    
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

-----------------------------------------------------------------------

Summary of changes:
 meta/lib/oeqa/core/runner.py                       |   8 +
 meta/lib/oeqa/runtime/cases/ptest.py               |  21 +-
 .../openssl/openssl/0002-fix-CVE-2018-0734.patch   | 108 +++
 .../openssl/openssl/0003-fix-CVE-2018-0735.patch   |  50 ++
 .../openssl/openssl10/0001-fix-CVE-2018-0734.patch |  33 +
 .../openssl/openssl10_1.0.2p.bb                    |   1 +
 meta/recipes-connectivity/openssl/openssl_1.1.1.bb |   2 +
 ...sive-let-s-rework-the-recursive-logic-to-.patch | 219 ++++++
 ...eserializing-state-always-use-read_line-L.patch | 250 +++++++
 ...sure-we-have-enough-space-for-the-DHCP6-o.patch |  39 +
 meta/recipes-core/systemd/systemd_239.bb           |   3 +
 .../{elfutils_0.173.bb => elfutils_0.174.bb}       |  10 +-
 ...01-arlib-Check-that-sh_entsize-isn-t-zero.patch |  36 +
 ...Check-end-of-attributes-list-consistently.patch |  84 ---
 ...Sanity-check-partial-core-file-data-reads.patch |  60 ++
 .../0001-size-Handle-recursive-ELF-ar-files.patch  |  40 +
 ...rn-error-if-elf_compress_gnu-is-used-on-S.patch |  59 --
 ...de-alternatives-for-glibc-assumptions-hel.patch | 808 +--------------------
 .../elfutils/files/CVE-2018-16062.patch            |  79 --
 .../{CVE-2018-17958.patch => CVE-2018-10839.patch} |  22 +-
 .../unzip/unzip/CVE-2018-18384.patch               |  39 +
 .../0001-Add-Coffeelake-PCI-IDs-for-S-Skus.patch   | 116 ---
 .../xf86-video-intel/01_Fix-build-on-i686.patch    |  55 ++
 .../xorg-driver/xf86-video-intel/glibc.patch       |  25 -
 .../xorg-driver/xf86-video-intel_git.bb            |   8 +-
 .../libgpg-error/libgpg-error_1.32.bb              |   2 +
 26 files changed, 1004 insertions(+), 1173 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
 rename meta/recipes-devtools/elfutils/{elfutils_0.173.bb => elfutils_0.174.bb} (89%)
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
 delete mode 100644 meta/recipes-devtools/elfutils/files/0001-libdw-Check-end-of-attributes-list-consistently.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
 delete mode 100644 meta/recipes-devtools/elfutils/files/0002-libelf-Return-error-if-elf_compress_gnu-is-used-on-S.patch
 delete mode 100644 meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
 copy meta/recipes-devtools/qemu/qemu/{CVE-2018-17958.patch => CVE-2018-10839.patch} (74%)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
 delete mode 100644 meta/recipes-graphics/xorg-driver/xf86-video-intel/0001-Add-Coffeelake-PCI-IDs-for-S-Skus.patch
 create mode 100644 meta/recipes-graphics/xorg-driver/xf86-video-intel/01_Fix-build-on-i686.patch
 delete mode 100644 meta/recipes-graphics/xorg-driver/xf86-video-intel/glibc.patch


hooks/post-receive
-- 


