* [hardknott] [PATCH 1/7] xinetd: Exclude CVE-2013-4342 from cve-check
@ 2021-06-02  7:25 Richard Purdie
  2021-06-02  7:25 ` [hardknott] [PATCH 2/7] bind: upgrade 9.16.12 -> 9.16.13 Richard Purdie
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core

We use the SUSE mirror of xinetd. The CVE fix was added to the main repo
after the latest release but is included in the version from the SUSE repo.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index 2787b270fac..69d5b2f83b7 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -19,6 +19,9 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 
 S = "${WORKDIR}/git"
 
+# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
+CVE_CHECK_WHITELIST += "CVE-2013-4342"
+
 inherit autotools update-rc.d systemd pkgconfig
 
 SYSTEMD_SERVICE_${PN} = "xinetd.service"
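Review bot: the justification in the new comment cannot be verified from the recipe alone: the commit message says the fix ships in the SUSE mirror, but the comment cites only the GitHub PR, which the message itself says is not in any xinetd release. State in the comment that the fix is present in SRCREV 6a4af7786630ce48747d9687e2f18f45ea6684c4 of the mirror named in SRC_URI, e.g. `# CVE-2013-4342 fixed in the SUSE tree at SRCREV above (upstream PR: https://github.com/xinetd-org/xinetd/pull/10)`, so whoever next audits CVE_CHECK_WHITELIST entries can check the actual tree rather than upstream's release tags.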
-- 
2.30.2



* [hardknott] [PATCH 2/7] bind: upgrade 9.16.12 -> 9.16.13
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Alexander Kanavin

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../0001-avoid-start-failure-with-bind-user.patch               | 0
 .../0001-named-lwresd-V-and-start-log-hide-build-options.patch  | 0
 .../bind-ensure-searching-for-json-headers-searches-sysr.patch  | 0
 .../bind/{bind-9.16.12 => bind-9.16.13}/bind9                   | 0
 .../bind/{bind-9.16.12 => bind-9.16.13}/conf.patch              | 0
 .../bind/{bind-9.16.12 => bind-9.16.13}/generate-rndc-key.sh    | 0
 .../init.d-add-support-for-read-only-rootfs.patch               | 0
 .../make-etc-initd-bind-stop-work.patch                         | 0
 .../bind/{bind-9.16.12 => bind-9.16.13}/named.service           | 0
 .../bind/{bind_9.16.12.bb => bind_9.16.13.bb}                   | 2 +-
 10 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.12 => bind-9.16.13}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.16.12.bb => bind_9.16.13.bb} (98%)

diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind-9.16.13/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/0001-avoid-start-failure-with-bind-user.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.16.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind-9.16.13/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/bind9 b/meta/recipes-connectivity/bind/bind-9.16.13/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/bind9
rename to meta/recipes-connectivity/bind/bind-9.16.13/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch b/meta/recipes-connectivity/bind/bind-9.16.13/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.16.13/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.16.13/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.16.13/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/init.d-add-support-for-read-only-rootfs.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind-9.16.13/make-etc-initd-bind-stop-work.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch
rename to meta/recipes-connectivity/bind/bind-9.16.13/make-etc-initd-bind-stop-work.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.12/named.service b/meta/recipes-connectivity/bind/bind-9.16.13/named.service
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.12/named.service
rename to meta/recipes-connectivity/bind/bind-9.16.13/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.16.12.bb b/meta/recipes-connectivity/bind/bind_9.16.13.bb
similarity index 98%
rename from meta/recipes-connectivity/bind/bind_9.16.12.bb
rename to meta/recipes-connectivity/bind/bind_9.16.13.bb
index 09f77038fa7..6127b13e8dc 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.12.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.13.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f"
+SRC_URI[sha256sum] = "a54cc793fa5b69b35f610f2095760f8238dff5cfd52419f7ee1c9c227da4cc08"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.16 follow the ESV versions divisible by 4
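Review bot: the commit message gives no reason for the upgrade, and on a stable branch like hardknott the reason is the review criterion: if 9.16.13 carries security fixes, list them with `CVE:` tags in the message so cve-check and the release notes record them; if it is a plain version bump, say so. The only functional change in this hunk is the new SRC_URI[sha256sum]; note in the message how it was verified (ISC publishes checksums and signatures alongside the tarball under the UPSTREAM_CHECK_URI location), since a hash-only change is exactly where a tampered tarball from a mirror would be accepted without anyone noticing.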
-- 
2.30.2



* [hardknott] [PATCH 3/7] bind: upgrade 9.16.13 -> 9.16.15
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../0001-avoid-start-failure-with-bind-user.patch               | 0
 .../0001-named-lwresd-V-and-start-log-hide-build-options.patch  | 0
 .../bind-ensure-searching-for-json-headers-searches-sysr.patch  | 0
 .../bind/{bind-9.16.13 => bind-9.16.15}/bind9                   | 0
 .../bind/{bind-9.16.13 => bind-9.16.15}/conf.patch              | 0
 .../bind/{bind-9.16.13 => bind-9.16.15}/generate-rndc-key.sh    | 0
 .../init.d-add-support-for-read-only-rootfs.patch               | 0
 .../make-etc-initd-bind-stop-work.patch                         | 0
 .../bind/{bind-9.16.13 => bind-9.16.15}/named.service           | 0
 .../bind/{bind_9.16.13.bb => bind_9.16.15.bb}                   | 2 +-
 10 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.13 => bind-9.16.15}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.16.13.bb => bind_9.16.15.bb} (98%)

diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind-9.16.15/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/0001-avoid-start-failure-with-bind-user.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/0001-avoid-start-failure-with-bind-user.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.16.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind-9.16.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/bind9 b/meta/recipes-connectivity/bind/bind-9.16.15/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/bind9
rename to meta/recipes-connectivity/bind/bind-9.16.15/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/conf.patch b/meta/recipes-connectivity/bind/bind-9.16.15/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.16.15/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.16.15/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.16.15/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/init.d-add-support-for-read-only-rootfs.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/init.d-add-support-for-read-only-rootfs.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind-9.16.15/make-etc-initd-bind-stop-work.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/make-etc-initd-bind-stop-work.patch
rename to meta/recipes-connectivity/bind/bind-9.16.15/make-etc-initd-bind-stop-work.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.13/named.service b/meta/recipes-connectivity/bind/bind-9.16.15/named.service
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.13/named.service
rename to meta/recipes-connectivity/bind/bind-9.16.15/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.16.13.bb b/meta/recipes-connectivity/bind/bind_9.16.15.bb
similarity index 98%
rename from meta/recipes-connectivity/bind/bind_9.16.13.bb
rename to meta/recipes-connectivity/bind/bind_9.16.15.bb
index 6127b13e8dc..e362b21294d 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.15.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "a54cc793fa5b69b35f610f2095760f8238dff5cfd52419f7ee1c9c227da4cc08"
+SRC_URI[sha256sum] = "98b6f432d878a7bf8f57eb7b3c28be27278cf6b9989154bfe6c81104b38e7839"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.16 follow the ESV versions divisible by 4
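Review bot: patches 2/7, 3/7 and 4/7 each rename the same nine files under meta/recipes-connectivity/bind/ and change only the sha256sum line, and this one skips 9.16.14 without comment. Consider squashing 2/7-4/7 into a single `bind: upgrade 9.16.12 -> 9.16.16` commit for hardknott, or state why the intermediate versions are landed individually, so a bisect or a later backport does not have to step through two versions that were never meant to ship on this branch.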
-- 
2.30.2



* [hardknott] [PATCH 4/7] bind: upgrade 9.16.15 -> 9.16.16
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Trevor Gamblin

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../0001-avoid-start-failure-with-bind-user.patch               | 0
 .../0001-named-lwresd-V-and-start-log-hide-build-options.patch  | 0
 .../bind-ensure-searching-for-json-headers-searches-sysr.patch  | 0
 .../bind/{bind-9.16.15 => bind-9.16.16}/bind9                   | 0
 .../bind/{bind-9.16.15 => bind-9.16.16}/conf.patch              | 0
 .../bind/{bind-9.16.15 => bind-9.16.16}/generate-rndc-key.sh    | 0
 .../init.d-add-support-for-read-only-rootfs.patch               | 0
 .../make-etc-initd-bind-stop-work.patch                         | 0
 .../bind/{bind-9.16.15 => bind-9.16.16}/named.service           | 0
 .../bind/{bind_9.16.15.bb => bind_9.16.16.bb}                   | 2 +-
 10 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.16.15 => bind-9.16.16}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.16.15.bb => bind_9.16.16.bb} (98%)

diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/0001-avoid-start-failure-with-bind-user.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/bind9 b/meta/recipes-connectivity/bind/bind-9.16.16/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/bind9
rename to meta/recipes-connectivity/bind/bind-9.16.16/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/conf.patch b/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/init.d-add-support-for-read-only-rootfs.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/make-etc-initd-bind-stop-work.patch
rename to meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.16.15/named.service b/meta/recipes-connectivity/bind/bind-9.16.16/named.service
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.15/named.service
rename to meta/recipes-connectivity/bind/bind-9.16.16/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.16.15.bb b/meta/recipes-connectivity/bind/bind_9.16.16.bb
similarity index 98%
rename from meta/recipes-connectivity/bind/bind_9.16.15.bb
rename to meta/recipes-connectivity/bind/bind_9.16.16.bb
index e362b21294d..27aa6221ba1 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.16.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "98b6f432d878a7bf8f57eb7b3c28be27278cf6b9989154bfe6c81104b38e7839"
+SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.16 follow the ESV versions divisible by 4
-- 
2.30.2



* [hardknott] [PATCH 5/7] qemu: Exclude CVE-2020-3550[4/5/6] from cve-check
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Sakib Sajal

From: Sakib Sajal <sakib.sajal@windriver.com>

CVEs affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
On Sparc32 it is the NCR89C100 part of the chip.
On Macintosh Quadra it is NCR53C96.
Both are not supported by Yocto.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/qemu/qemu.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index fbda0c91741..3921546df75 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -76,6 +76,15 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
 CVE_CHECK_WHITELIST += "CVE-2018-18438"
 
+# Following CVE's affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
+# On Sparc32 it is the NCR89C100 part of the chip.
+# On Macintosh Quadra it is NCR53C96.
+# Both are not supported by yocto.
+# Reference: https://www.openwall.com/lists/oss-security/2021/04/16/3
+CVE_CHECK_WHITELIST += "CVE-2020-35504"
+CVE_CHECK_WHITELIST += "CVE-2020-35505"
+CVE_CHECK_WHITELIST += "CVE-2020-35506"
+
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
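Review bot: the rationale in the new comment block ("not supported by yocto") rests on an assumption that should be written down next to it: the ESP device is reachable only through the Sparc32 and Macintosh Quadra machine types the comment names, so the three CVE_CHECK_WHITELIST lines are valid only while QEMU_TARGETS excludes the architectures that provide those machines. A layer that extends QEMU_TARGETS would silently keep these CVEs hidden from cve-check. Add a line such as `# Only valid while QEMU_TARGETS does not build the Sparc32/Quadra machines` beside the Reference URL so the condition is visible at the point where it would have to be revisited.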
 
-- 
2.30.2



* [hardknott] [PATCH 6/7] curl: fix CVE-2021-22890
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Trevor Gamblin

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
it apply cleanly on 7.75.

CVE: CVE-2021-22890

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   1 +
 2 files changed, 518 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch

diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
new file mode 100644
index 00000000000..a0c7d68f333
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -0,0 +1,517 @@
+From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:50:20 -0400
+Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
+ Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/vtls/bearssl.c   |  8 +++++--
+ lib/vtls/gtls.c      | 12 ++++++----
+ lib/vtls/mbedtls.c   | 12 ++++++----
+ lib/vtls/mesalink.c  | 14 ++++++++----
+ lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c  | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c      | 12 +++++++---
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   | 28 +++++++++++++----------
+ 10 files changed, 111 insertions(+), 51 deletions(-)
+
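Review bot: two header nits in the in-tree patch file. The Subject still carries `[PATCH 1/2]` from the backporter's local series, which implies a missing second part to anyone reading the file under meta/recipes-support/curl/curl/; drop the series numbering. And `Upstream-Status: Backport` puts the commit URL on the next line in parentheses; the OE convention is a single line, `Upstream-Status: Backport [https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844]`, so that the patch-status tooling recognises it.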
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 29b08c0e6..0432dfadc 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+     Curl_ssl_sessionid_lock(data);
+     incache = !(Curl_ssl_getsessionid(data, conn,
++                                      SSL_IS_PROXY() ? TRUE : FALSE,
+                                       &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(data, oldsession);
+-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++    ret = Curl_ssl_addsessionid(data, conn,
++                                SSL_IS_PROXY() ? TRUE : FALSE,
++                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(ret) {
+       free(session);
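Review bot: in bearssl_connect_step3 the proxy flag is computed twice, as `SSL_IS_PROXY() ? TRUE : FALSE` for Curl_ssl_getsessionid() and again for Curl_ssl_addsessionid(). The whole point of the fix is that lookup and store agree on which cache slot (proxy or origin) a session belongs to, so the two expressions must never diverge; the mbedtls and mesalink hunks below already hoist this into `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;`. Do the same here (and in the bearssl step1 hunk) so a future edit cannot change one call without the other.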
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3ddee1974..28ca528a6 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn,
++                                        SSL_IS_PROXY() ? TRUE : FALSE,
++                                        &ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+            previous one was rejected, we just kill that and store the new */
+@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+-                                     connect_idsize, sockindex);
++      result = Curl_ssl_addsessionid(data, conn,
++                                     SSL_IS_PROXY() ? TRUE : FALSE,
++                                     connect_sessionid, connect_idsize,
++                                     sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+         free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index fc3a948d1..bd0e0802e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex))
+       Curl_ssl_delsessionid(data, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(data, conn,
+-                                    our_ssl_sessionid, 0, sockindex);
++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                    0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index b6d1005ec..ad807d3ba 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(data);
+     incache =
+-      !(Curl_ssl_getsessionid(data, conn,
+-                              &old_ssl_sessionid, NULL, sockindex));
++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(
+-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++      result =
++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++                              sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
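Review bot: the `0 /* unknown size */` argument of the old `Curl_ssl_addsessionid()` call has become a bare `0` in the replacement `Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, sockindex)`; keep the comment at the call site so the meaning of the size argument stays readable, as the openssl hunk in this same patch does.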
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 784d9f70e..8304264d3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1172,7 +1183,7 @@ static int ossl_init(void)
+ 
+   /* Initialize the extra data indexes */
+   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+-     ossl_get_ssl_sockindex_index() < 0)
++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   int data_idx = ossl_get_ssl_data_index();
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
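Review bot: the new `if(isproxy) incache = FALSE; else ...` branch needs a comment saying why the cache lookup is skipped for proxy sessions. As written, the stale-session removal in the `if(incache)` block can never run for a proxy session, and a reader cannot tell from this hunk whether that is intended or whether the add path that follows is expected to replace an older proxy entry.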
+@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+-                                      0 /* unknown size */, sockindex)) {
++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++                                0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+       }
+@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     int data_idx = ossl_get_ssl_data_index();
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(backend->handle, data_idx, data);
+       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
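Review bot: style in the `#ifndef CURL_DISABLE_PROXY` block: `SSL_IS_PROXY() ? (void *) 1:` needs a space before the colon, and the blank line left after `#endif` before the closing brace should go. The proxy flag is also evaluated twice in this function, once for `SSL_set_ex_data(backend->handle, proxy_idx, ...)` and again in `Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ...)`; a local `bool isproxy`, as the other backends in this patch use, would keep the stored flag and the lookup flag in step.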
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 0668f98f2..bd27ba0bf 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
++  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     struct Curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+-                                      sockindex));
++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++                                      NULL, sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+         DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+                                      sizeof(struct Curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 9a8f7de8d..6d1ea7e7b 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  bool isproxy = SSL_IS_PROXY();
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++  const isproxy = FALSE;
+   const char * const hostname = conn->host.name;
+   const long int port = conn->remote_port;
+ #endif
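Review bot: `const isproxy = FALSE;` in the `#else` branch has no type, so the `CURL_DISABLE_PROXY` build of `sectransp_connect_step1()` gets an implicit-int declaration, which C99 removed and which current compilers reject or warn on; it should read `const bool isproxy = FALSE;` to match the `bool isproxy = SSL_IS_PROXY();` declaration in the proxy-enabled branch. In the same hunk, `port` still uses `SSL_IS_PROXY() ? conn->port : conn->remote_port` while `hostname` was switched to `isproxy`; use the local for both so the two cannot diverge.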
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ #ifdef USE_NGHTTP2
+       if(data->set.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++         && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+         ) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+                                      ssl_sessionid_len, sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index b8ab7494f..8ccc1f2e4 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
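Review bot: the new `const bool isProxy` parameter of `Curl_ssl_getsessionid()` is not described in the doc comment that closes just above the prototype (the `*/` at the top of this hunk); add a line saying that the caller decides whether the proxy or the host session is wanted, since choosing the right one is the point of this fix.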
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   bool no_match = TRUE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
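Review bot: the removal of `const bool isProxy = CONNECT_PROXY_SSL();` is the substantive change, since the `isProxy ? &conn->proxy_ssl_config : &conn->ssl_config` selection now depends entirely on the caller's argument rather than on connection state; a short comment at that selection saying why the macro-derived value was replaced would keep the reason for the CVE fix visible at the point that matters.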
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+   const char * const name = conn->host.name;
+   int port = conn->remote_port;
+-  (void)sockindex;
+ #endif
++  (void)sockindex;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
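Review bot: the early `if(isProxy) return TRUE;` under `#ifdef CURL_DISABLE_PROXY` returns the "no match" value (the function initialises `bool no_match = TRUE` above) rather than an error, which is the right behaviour but deserves a one-line comment, because a reader who sees `return TRUE` may read it as success. The `(void)sockindex;` moved out of the `#else` branch now runs in both builds; harmless, but keeping it inside the `#else` branch would express the intent.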
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   int conn_to_port;
+   long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   const char *hostname = conn->host.name;
+   (void)sockindex;
+ #endif
++  (void)sockindex;
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(hostname);
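Review bot: `(void)sockindex;` now appears twice in the `CURL_DISABLE_PROXY` build of `Curl_ssl_addsessionid()`, once inside the `#else` branch and once after `#endif`; drop one. Unlike `Curl_ssl_getsessionid()` in the previous hunks, this function gets no `if(isProxy)` guard for the proxy-disabled build, so a caller passing `isProxy == TRUE` there would store the session under `conn->host.name`; if that is unreachable, a `DEBUGASSERT(!isProxy)` in the `#else` branch would document it.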
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 9666682ec..4dc29794c 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
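Review bot: the parameter is named `isproxy` in the `Curl_ssl_getsessionid()` prototype here but `isProxy` in the definition in lib/vtls/vtls.c; use one spelling in both places.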
+@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
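Review bot: the `Curl_ssl_addsessionid()` prototype declares the parameter `const bool isProxy` while the definition in lib/vtls/vtls.c declares it `bool isProxy`; a top-level `const` on a parameter does not affect type compatibility in C, but header and definition should match, as they do for `Curl_ssl_getsessionid()`.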
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index e1fa45926..e4c70877f 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     void *old_ssl_sessionid = NULL;
+ 
+     our_ssl_sessionid = SSL_get_session(backend->handle);
+-
+-    Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
+-    if(incache) {
+-      if(old_ssl_sessionid != our_ssl_sessionid) {
+-        infof(data, "old SSL session ID is stale, removing\n");
+-        Curl_ssl_delsessionid(data, old_ssl_sessionid);
+-        incache = FALSE;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
++
++    if(our_ssl_sessionid) {
++      Curl_ssl_sessionid_lock(data);
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
++      if(incache) {
++        if(old_ssl_sessionid != our_ssl_sessionid) {
++            infof(data, "old SSL session ID is stale, removing\n");
++            Curl_ssl_delsessionid(data, old_ssl_sessionid);
++            incache = FALSE;
+       }
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+-                                     0 /* unknown size */, sockindex);
++      result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                     0, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
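Review bot: `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` is declared after the statement `our_ssl_sessionid = SSL_get_session(backend->handle);`, mixing declarations and code where the rest of this function keeps declarations at the top; move it up next to `void *old_ssl_sessionid = NULL;`. The body of the new `if(our_ssl_sessionid)` block has also drifted in indentation (the `infof` line sits deeper than its `if`, the closing braces keep their old depth), and the block's own closing brace is outside this hunk's context, so `if(!incache)` and whatever follows it now sit inside the block; that nesting is correct, since `incache` is only assigned and the lock only taken inside it, but please reindent so the structure is visible. The `0 /* unknown size */` comment was dropped from the `Curl_ssl_addsessionid()` call here as well.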
+-- 
+2.31.1
+
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 7666c7b6080..428b8cd9e37 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
-- 
2.30.2




* [hardknott] [PATCH 7/7] curl: fix CVE-2021-22876
  2021-06-02  7:25 [hardknott] [PATCH 1/7] xinetd: Exclude CVE-2013-4342 from cve-check Richard Purdie
                   ` (4 preceding siblings ...)
  2021-06-02  7:25 ` [hardknott] [PATCH 6/7] curl: fix CVE-2021-22890 Richard Purdie
@ 2021-06-02  7:25 ` Richard Purdie
  5 siblings, 0 replies; 7+ messages in thread
From: Richard Purdie @ 2021-06-02  7:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Trevor Gamblin

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Backport and modify the patch for CVE-2021-22876 from curl 7.76 to
make it apply cleanly on 7.75.

CVE: CVE-2021-22876

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...redentials-from-the-auto-referer-hea.patch | 152 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   1 +
 2 files changed, 153 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch

diff --git a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
new file mode 100644
index 00000000000..6c4f6f2f48a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -0,0 +1,152 @@
+From 21f6cf63939111d8d76d3a4c07f2cd2fe6cb78f8 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:59:20 -0400
+Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/transfer.c          | 25 ++++++++++++++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 2f29b29d8..c641a1d47 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1565,6 +1565,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
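Review bot: `char *referer;` should be initialised to NULL. The later check `if(uc || referer == NULL)` only reads `referer` when `uc` is zero, so the code is correct as written, but it relies on `curl_url_get()` having assigned the pointer on every zero-return path; `char *referer = NULL;` removes that dependence at no cost.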
+@@ -1574,9 +1577,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
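Review bot: typo in the new comment, `crenditals` should be `credentials`. `uc` is assigned here but declared in neither hunk, so this relies on a `CURLUcode uc` already in scope in `Curl_follow()`; worth confirming on the 7.75 tree, given the cover note says the patch was modified to apply there. Every failure of the `curl_url_set()`/`curl_url_get()` chain is reported as `CURLE_OUT_OF_MEMORY`, including a URL that `curl_url_set(u, CURLUPART_URL, data->change.url, 0)` rejects; mapping only allocation failures to that code would make such failures diagnosable. The stripping itself is right: fragment, user and password are cleared before `curl_url_get(u, CURLUPART_URL, &referer, 0)` rebuilds the string, and `curl_url_cleanup(u)` runs before the check on every path that reaches it.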
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 5ebf049b8..e08cfc7ee 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -223,7 +223,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081\
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
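Review bot: `test2080 test2081\` is missing the space before the backslash that the other continuation lines in this list have; cosmetic, but keep it consistent.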
+diff --git a/tests/data/test2081 b/tests/data/test2081
+new file mode 100644
+index 000000000..7e74f5766
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
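Review bot: the expected `Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER` on the second request checks that both `user:pass@` and `#anchor` from the command-line URL are gone while `Authorization: Basic dXNlcjpwYXNz` is still sent on both requests, which is exactly the fix's contract. Two gaps: the original URL carries no query string, so the test does not show that clearing user, password and fragment leaves a query intact, and `<errorcode>` 52 is expected only because no reply is defined for the redirected request; a second `<data>` entry for `%TESTNUMBER0002` would make the redirect target explicit and let the test finish with a normal status.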
+-- 
+2.31.1
+
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 428b8cd9e37..7c7b363ae38 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
            file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
+           file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
-- 
2.30.2

