* [hardknott 00/11] Patch review: Jan 15th
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
Please have comments back by Monday
The following changes since commit 4932616b69b957e3a876541a579b79cb3f83306f:
sdbus-c++-libsystemd: Avoid hard dependency on rsync (2021-11-18 08:05:44 -0800)
are available in the Git repository at:
git://git.openembedded.org/meta-openembedded-contrib stable/hardknott-nut
http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut
Armin Kuster (1):
wireshark: update to latest stable 3.4.11
Changqing Li (2):
syslog-ng: adjust control socket location
redis: add back missing patch
Chen Qi (1):
udisks2: upgrade from 2.9.2 to 2.9.4
Jeremy Puhlman (1):
ifenslave: Add branch=main
Mingli Yu (1):
libteam: switch to python3
Peter Kjellerstedt (1):
googletest: Switch branch from master to main
Sakib Sajal (1):
nss: fix CVE-2021-43527
Yi Zhao (2):
postfix: fix build with glibc 2.34
postfix: upgrade 3.4.12 -> 3.4.23
wangmy (1):
apache2: upgrade 2.4.51 -> 2.4.52
.../0001-fix-build-with-glibc-2.34.patch | 46 +++
.../{postfix_3.4.12.bb => postfix_3.4.23.bb} | 5 +-
.../ifenslave/ifenslave_2.11.bb | 2 +-
.../0004-lemon-Remove-line-directives.patch | 15 +-
...wireshark_3.4.8.bb => wireshark_3.4.11.bb} | 2 +-
meta-oe/recipes-extended/redis/redis_6.2.6.bb | 4 +
...team_basic_test.py-switch-to-python3.patch | 101 ++++++
...asic_test.py-use-python3-interpreter.patch | 28 --
.../recipes-support/libteam/libteam_1.31.bb | 2 +-
...re-DER-encoded-signatures-are-within.patch | 297 ++++++++++++++++++
meta-oe/recipes-support/nss/nss_3.64.bb | 1 +
...log-ng.service-the-syslog-ng-service.patch | 2 +-
.../{udisks2_2.9.2.bb => udisks2_2.9.4.bb} | 4 +-
.../recipes-test/googletest/googletest_git.bb | 2 +-
.../{apache2_2.4.51.bb => apache2_2.4.52.bb} | 2 +-
15 files changed, 466 insertions(+), 47 deletions(-)
create mode 100644 meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
rename meta-networking/recipes-daemons/postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb} (75%)
rename meta-networking/recipes-support/wireshark/{wireshark_3.4.8.bb => wireshark_3.4.11.bb} (97%)
create mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
delete mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
rename meta-oe/recipes-support/udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb} (89%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb} (99%)
--
2.25.1
* [hardknott 01/11] syslog-ng: adjust control socket location
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Changqing Li <changqing.li@windriver.com>
Commit [1] changed the pidfile dir to /var/run/syslog-ng. This also changed
the location where the control socket is searched for, causing the following
error with systemd:
root@qemux86-64:~# syslog-ng-ctl config
Error connecting control socket, socket='/var/run/syslog-ng/syslog-ng.ctl',
error='No such file or directory'
Update the systemd service file to point to the new location.
[1] 00d1d63e4f7f ("syslog-ng: provide correct PID directory location to
restart/stop syslog-ng daemon")
(master rev: b57d824fdf822a4c3fdb153b92063f88705e3a6b)
Signed-off-by: lmorales <luisalejandro.moralespena@windriver.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../files/syslog-ng.service-the-syslog-ng-service.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
index 0e1d09492b..7334800304 100644
--- a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
+++ b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
@@ -38,7 +38,7 @@ index 0ccc2b9..7f08c0e 100644
-CONTROL_FILE=/var/run/syslog-ng.ctl
-PID_FILE=/var/run/syslog-ng.pid
+PERSIST_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.persist
-+CONTROL_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.ctl
++CONTROL_FILE=@LOCALSTATEDIR@/run/syslog-ng/syslog-ng.ctl
+PID_FILE=@LOCALSTATEDIR@/run/syslog-ng.pid
OTHER_OPTIONS="--enable-core"
--
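Review bot: PID_FILE in this hunk still resolves to @LOCALSTATEDIR@/run/syslog-ng.pid, while the commit message says commit 00d1d63e4f7f moved the pidfile directory to /var/run/syslog-ng, and only CONTROL_FILE is updated to match. If the unit actually consumes PID_FILE it should probably become @LOCALSTATEDIR@/run/syslog-ng/syslog-ng.pid in the same change; if it is unused, say so in the message. It is also worth confirming that the run/syslog-ng directory exists before the daemon starts, since the control socket now depends on it.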
--
2.25.1
* [hardknott 02/11] libteam: switch to python3
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Mingli Yu <mingli.yu@windriver.com>
The original fix for team_basic_test.py only changed the interpreter
to python3, but there are still some errors, as below:
# ./run-ptest
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 35
print "Usage: team_basic_test.py [OPTION...]"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
# ./run-ptest
RUN #1
# "ip link add testteamx type team"
# "teamnl testteamx getoption mode"
# "ip link del testteamx"
# "modprobe -r team_mode_loadbalance team_mode_roundrobin team_mode_activebackup team_mode_broadcast team"
Traceback (most recent call last):
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 206, in <module>
main()
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 203, in main
btest.run()
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 180, in run
self._run_one_loop(i + 1)
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 173, in _run_one_loop
self._run_one_mode(mode_name)
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 101, in _run_one_mode
cmd_exec("teamnl %s getoption mode" % team_name, "*NOMODE*")
File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 80, in cmd_exec
raise CmdExecUnexpectedOutputException(output, expected_output)
__main__.CmdExecUnexpectedOutputException: Command execution output unexpected: "b'*NOMODE*'" != "*NOMODE*"
So rework team_basic_test.py to fix the above issue.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...team_basic_test.py-switch-to-python3.patch | 101 ++++++++++++++++++
...asic_test.py-use-python3-interpreter.patch | 28 -----
.../recipes-support/libteam/libteam_1.31.bb | 2 +-
3 files changed, 102 insertions(+), 29 deletions(-)
create mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
delete mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
diff --git a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
new file mode 100644
index 0000000000..69276aba91
--- /dev/null
+++ b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
@@ -0,0 +1,101 @@
+From 06050e79655f0fa7d9daeda1fbd3a9a2c7736841 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Thu, 2 Dec 2021 15:08:25 +0800
+Subject: [PATCH] team_basic_test.py: switch to python3
+
+Switch the script team_basic_test.py to python3
+
+Upstream-Status: Submitted [https://github.com/jpirko/libteam/pull/63]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ scripts/team_basic_test.py | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/scripts/team_basic_test.py b/scripts/team_basic_test.py
+index faabd18..0b64af2 100755
+--- a/scripts/team_basic_test.py
++++ b/scripts/team_basic_test.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ """
+ Basic test.
+
+@@ -32,11 +32,11 @@ def usage():
+ """
+ Print usage of this app
+ """
+- print "Usage: team_basic_test.py [OPTION...]"
+- print ""
+- print " -h, --help print this message"
+- print " -c, --loop-count=NUMBER number of loops (default 1)"
+- print " -p, --port=NETDEV port device (can be defined multiple times)"
++ print("Usage: team_basic_test.py [OPTION...]")
++ print("")
++ print(" -h, --help print this message")
++ print(" -c, --loop-count=NUMBER number of loops (default 1)")
++ print(" -p, --port=NETDEV port device (can be defined multiple times)")
+ sys.exit()
+
+ class CmdExecFailedException(Exception):
+@@ -55,15 +55,15 @@ class CmdExecUnexpectedOutputException(Exception):
+ return "Command execution output unexpected: \"%s\" != \"%s\"" % (self.__output, self.__expected_output)
+
+ def print_output(out_type, string):
+- print("%s:\n"
++ print(("%s:\n"
+ "----------------------------\n"
+ "%s"
+- "----------------------------" % (out_type, string))
++ "----------------------------" % (out_type, string)))
+
+ def cmd_exec(cmd, expected_output=None, cleaner=False):
+ cmd = cmd.rstrip(" ")
+ if not cleaner:
+- print("# \"%s\"" % cmd)
++ print(("# \"%s\"" % cmd))
+ subp = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ (data_stdout, data_stderr) = subp.communicate()
+@@ -74,7 +74,7 @@ def cmd_exec(cmd, expected_output=None, cleaner=False):
+ if data_stderr:
+ print_output("Stderr", data_stderr)
+ raise CmdExecFailedException(subp.returncode)
+- output = data_stdout.rstrip()
++ output = (data_stdout.rstrip()).decode()
+ if expected_output:
+ if output != expected_output:
+ raise CmdExecUnexpectedOutputException(output, expected_output)
+@@ -166,7 +166,7 @@ TEAM_PORT_CONFIG='{"prio": 10}'
+ os.removedirs("/tmp/team_test/")
+
+ def _run_one_loop(self, run_nr):
+- print "RUN #%d" % (run_nr)
++ print("RUN #%d" % (run_nr))
+ self._created_teams = []
+ try:
+ for mode_name in self._team_modes:
+@@ -176,7 +176,7 @@ TEAM_PORT_CONFIG='{"prio": 10}'
+ cmd_exec("modprobe -r team_mode_loadbalance team_mode_roundrobin team_mode_activebackup team_mode_broadcast team");
+
+ def run(self):
+- for i in xrange(self._loop_count):
++ for i in range(self._loop_count):
+ self._run_one_loop(i + 1)
+
+ def main():
+@@ -186,8 +186,8 @@ def main():
+ "hc:p:",
+ ["help", "loop-count=", "port="]
+ )
+- except getopt.GetoptError, err:
+- print str(err)
++ except getopt.GetoptError as err:
++ print(str(err))
+ usage()
+
+ btest = TeamBasicTest()
+--
+2.17.1
+
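Review bot: in cmd_exec only the success path is decoded; the failure branch still passes the raw bytes from communicate() to print_output("Stderr", data_stderr), so under python3 the diagnostics are printed as b'...' with escaped newlines. Passing universal_newlines=True to subprocess.Popen would return str for both streams and make the .decode() on data_stdout unnecessary. As a style point, the doubled parentheses in print(("# \"%s\"" % cmd)) and in print_output are conversion leftovers; a single pair is enough.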
diff --git a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
deleted file mode 100644
index e27e4f3291..0000000000
--- a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 571c141b434dff13494c6a3afe621f63a8e610e9 Mon Sep 17 00:00:00 2001
-From: Andrey Zhizhikin <andrey.z@gmail.com>
-Date: Mon, 27 Jan 2020 14:29:34 +0000
-Subject: [PATCH] team_basic_test.py: use python3 interpreter
-
-Use python3 since python2 is EOL and has been removed from several
-distributions.
-
-Upstream-Status: Pending
-
-Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
----
- scripts/team_basic_test.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/team_basic_test.py b/scripts/team_basic_test.py
-index b05be9e..ad980e8 100755
---- a/scripts/team_basic_test.py
-+++ b/scripts/team_basic_test.py
-@@ -1,4 +1,4 @@
--#! /usr/bin/env python
-+#! /usr/bin/env python3
- """
- Basic test.
-
---
-2.17.1
-
diff --git a/meta-oe/recipes-support/libteam/libteam_1.31.bb b/meta-oe/recipes-support/libteam/libteam_1.31.bb
index eb59c1e3e9..764eb6fb74 100644
--- a/meta-oe/recipes-support/libteam/libteam_1.31.bb
+++ b/meta-oe/recipes-support/libteam/libteam_1.31.bb
@@ -11,7 +11,7 @@ SRC_URI = "git://github.com/jpirko/libteam;branch=master;protocol=https \
file://0001-include-sys-select.h-for-fd_set-definition.patch \
file://0002-teamd-Re-adjust-include-header-order.patch \
file://0001-team_basic_test.py-disable-RedHat-specific-test.patch \
- file://0001-team_basic_test.py-use-python3-interpreter.patch \
+ file://0001-team_basic_test.py-switch-to-python3.patch \
file://run-ptest \
"
SRCREV = "3ee12c6d569977cf1cd30d0da77807a07aa77158"
--
2.25.1
* [hardknott 03/11] redis: add back missing patch
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-extended/redis/redis_6.2.6.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.6.bb b/meta-oe/recipes-extended/redis/redis_6.2.6.bb
index c129e61988..202fce16bb 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.6.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.6.bb
@@ -13,7 +13,11 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://hiredis-use-default-CC-if-it-is-set.patch \
file://lua-update-Makefile-to-use-environment-build-setting.patch \
file://oe-use-libc-malloc.patch \
+ file://0001-src-Do-not-reset-FINAL_LIBS.patch \
+ file://GNU_SOURCE.patch \
+ file://0006-Define-correct-gregs-for-RISCV32.patch \
"
+
SRC_URI[sha256sum] = "5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab"
inherit autotools-brokensep update-rc.d systemd useradd
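Review bot: the three SRC_URI entries are re-added with an empty commit body and a subject that says "patch" in the singular, so there is no record of why they went missing. Please name the commit that dropped 0001-src-Do-not-reset-FINAL_LIBS.patch, GNU_SOURCE.patch and 0006-Define-correct-gregs-for-RISCV32.patch, and confirm they still apply to 6.2.6. The blank line added after the closing quote is unrelated whitespace and can be left out.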
--
2.25.1
* [hardknott 04/11] googletest: Switch branch from master to main
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
The master branch has been renamed to main in the github repo.
Change-Id: I19e9ea3998cf22508425d87fceb64ae68fbff166
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-test/googletest/googletest_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb
index 898f23fafb..35fe1bed00 100644
--- a/meta-oe/recipes-test/googletest/googletest_git.bb
+++ b/meta-oe/recipes-test/googletest/googletest_git.bb
@@ -11,7 +11,7 @@ PROVIDES += "gmock gtest"
S = "${WORKDIR}/git"
SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e"
-SRC_URI = "git://github.com/google/googletest.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https"
inherit cmake
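Review bot: SRCREV stays at 703bd9caab50b139428cea1aaff9974ebee5742e and only branch= changes on the SRC_URI line, so the built source is unchanged only if that revision is reachable from main. A fetch run of the recipe on hardknott is enough to confirm it; please note the result in the message.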
--
2.25.1
* [hardknott 05/11] nss: fix CVE-2021-43527
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Sakib Sajal <sakib.sajal@windriver.com>
Backport patch to fix CVE-2021-43527.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...re-DER-encoded-signatures-are-within.patch | 297 ++++++++++++++++++
meta-oe/recipes-support/nss/nss_3.64.bb | 1 +
2 files changed, 298 insertions(+)
create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
new file mode 100644
index 0000000000..dff07de92f
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
@@ -0,0 +1,297 @@
+From 7c6fb56c3bcafa96c0bc87350f0f9e85f002a254 Mon Sep 17 00:00:00 2001
+From: Dennis Jackson <djackson@mozilla.com>
+Date: Mon, 22 Nov 2021 10:40:42 +0000
+Subject: [PATCH] Bug 1737470 - Ensure DER encoded signatures are within size
+ limits. r=jschanck,mt,bbeurdouche,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D129514
+
+--HG--
+branch : NSS_3_68_1_BRANCH
+
+Upstream-Status: Backport [7c6fb56c3bcafa96c0bc87350f0f9e85f002a254]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ lib/cryptohi/secvfy.c | 192 ++++++++++++++++++++++++++----------------
+ 1 file changed, 121 insertions(+), 71 deletions(-)
+
+diff --git a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c
+index 2540a544c..17545848c 100644
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
+- }
+-
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ goto loser;
+ }
+- }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+ } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
++ }
++ if (dsasig->len != len) {
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ goto loser;
++ }
++
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -281,7 +312,7 @@ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+@@ -466,48 +497,52 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- rv = SECFailure;
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+ break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+@@ -650,11 +685,16 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+@@ -686,8 +726,13 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+@@ -749,7 +794,6 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -757,19 +801,25 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
+ }
+ break;
+ default:
+--
+2.25.1
+
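Review bot: the header of the added patch file carries Upstream-Status and Signed-off-by but no "CVE: CVE-2021-43527" line, and the file name does not contain the CVE id either, so cve-check has nothing to match and will keep reporting nss 3.64 as unpatched. Add the CVE tag next to Upstream-Status. The fix was taken from NSS_3_68_1_BRANCH onto 3.64, so it is also worth stating in the message whether the secvfy.c hunks applied without manual changes, because the fix depends on every write into cx->u.buffer being preceded by the checkedSignatureLen() and sizeof(cx->u) checks.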
diff --git a/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-oe/recipes-support/nss/nss_3.64.bb
index 97193aff5c..ccb5201d49 100644
--- a/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://system-pkcs11.txt \
file://nss-fix-nsinstall-build.patch \
file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
+ file://0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch \
"
SRC_URI[sha256sum] = "d3175427172e9c3a6f1ebc74452cb791590f28191c6a1a443dbc0d87c9df1126"
--
2.25.1
* [hardknott 06/11] ifenslave: Add branch=main
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Jeremy Puhlman <jpuhlman@mvista.com>
master branch has been removed upstream
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
[tweaked to apply to previous branch define]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
index d2a6d02d2f..5e547a4621 100644
--- a/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
+++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
@@ -9,7 +9,7 @@ inherit manpages
MAN_PKG = "${PN}"
SRCREV = "c26e9310f552e69d0d44eb48746e02c9ae4b4f6f"
-SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master"
+SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=main"
S = "${WORKDIR}/git"
--
2.25.1
* [hardknott 08/11] postfix: upgrade 3.4.12 -> 3.4.23
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: Yi Zhao <yi.zhao@windriver.com>
Changelog:
http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.20.HISTORY
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-networking/recipes-daemons/postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb} (82%)
diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
similarity index 82%
rename from meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
rename to meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
index e7bb3e9d32..bb66345805 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
@@ -15,5 +15,5 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P
file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \
file://0001-fix-build-with-glibc-2.34.patch \
"
-SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec"
-UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz"
+SRC_URI[sha256sum] = "1759e953bf7baccb533899845c17753bf57a99ebac9c21717626262966a122f9"
+UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz"
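Review bot: the Changelog link in the message points at postfix-3.3.20.HISTORY, which does not match the 3.4.12 -> 3.4.23 upgrade made by this rename; link the HISTORY file for 3.4.23 instead so the security-relevant changes can be reviewed. On the UPSTREAM_CHECK_REGEX line the move from 3\.3 to 3\.4 is right, but the dots in .tar.gz are still unescaped and could be tightened to \.tar\.gz while the line is being touched.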
--
2.25.1
* [hardknott 09/11] apache2: upgrade 2.4.51 -> 2.4.52
From: Armin Kuster @ 2022-01-15 14:27 UTC
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
Changelog:
==========
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerability though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
specified openssl path.
*) mod_proxy_connect, mod_proxy: Do not change the status code after we
already sent it to the client.
*) mod_http: Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request. PR 65725
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
elements and property elements that need to be taken into account
when generating a property. The document element and property element
are made available in the dav_liveprop_elem structure by calling
dav_get_liveprop_element().
*) mod_dav: Add utility functions dav_validate_root_ns(),
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
dav_find_attr() so that other modules get to play too.
*) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
*) mod_http2: fixes 2 regressions in server limit handling.
1. When reaching server limits, such as MaxRequestsPerChild, the
HTTP/2 connection sends a GOAWAY frame much too early on new
connections, leading to invalid protocol state and a client
failing the request. See PR65731.
The module now initializes the HTTP/2 protocol correctly and
allows the client to submit one request before the shutdown
via a GOAWAY frame is being announced.
2. A regression in v1.15.24 was fixed that could lead to httpd
child processes not being terminated on a graceful reload or
when reaching MaxConnectionsPerChild. When unprocessed h2
requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
*) mod_ssl: Add build support for OpenSSL v3.
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
while tunneling.
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
half-close forwarding when tunneling protocols.
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
a third-party module. PR 65627.
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a second account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing orders from other accounts.
- When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows to keep server configuration permissions
world readable without exposing secrets.
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
PR 65616.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc643713915a1618597be8bdbe0e4a3d993e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb} (99%)
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
similarity index 99%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
index d6e736d31d..10123aa2bb 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
@@ -26,7 +26,7 @@ SRC_URI_append_class-target = " \
"
LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[sha256sum] = "20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4"
+SRC_URI[sha256sum] = "0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9"
S = "${WORKDIR}/httpd-${PV}"
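Review bot: the new SRC_URI[sha256sum] on the + line is the only integrity check on the 2.4.52 tarball, and the commit message does not say where the value came from; please note that it was compared against the checksum or signature published by upstream. LIC_FILES_CHKSUM is carried over unchanged in the context lines, which is fine as long as LICENSE is confirmed identical in 2.4.52. Since this is a stable-branch backport, a one-line summary naming CVE-2021-44790 and CVE-2021-44224 ahead of the full changelog would make the security reason for the upgrade easier to find.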
--
2.25.1
* [hardknott 10/11] wireshark: update to latest stable 3.4.11
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
To: openembedded-devel
For more information, see:
https://www.wireshark.org/docs/relnotes/wireshark-3.4.11.html
refresh 0004-lemon-Remove-line-directives.patch
Includes CVEs:
3.4.11:
wnpa-sec-2021-16 Gryphon dissector crash. Issue 17737. CVE-2021-4186.
wnpa-sec-2021-17 RTMPT dissector infinite loop. Issue 17745. CVE-2021-4185.
wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop. Issue 17754. CVE-2021-4184.
wnpa-sec-2021-20 RFC 7468 file parser infinite loop. Issue 17801. CVE-2021-4182.
wnpa-sec-2021-21 Sysdig Event dissector crash. CVE-2021-4181.
3.4.10:
wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929.
wnpa-sec-2021-08 Bluetooth HCI_ISO dissector crash. Issue 17649. CVE-2021-39926.
wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925.
wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924.
wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684.
wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922.
wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928.
wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921.
wnpa-sec-2021-15 IPPUSB dissector crash. Issue 17705. CVE-2021-39920.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 89bf10d0cb8af495de02ba7a02c487a8b5592cc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../files/0004-lemon-Remove-line-directives.patch | 15 ++++++---------
.../{wireshark_3.4.8.bb => wireshark_3.4.11.bb} | 2 +-
2 files changed, 7 insertions(+), 10 deletions(-)
rename meta-networking/recipes-support/wireshark/{wireshark_3.4.8.bb => wireshark_3.4.11.bb} (97%)
diff --git a/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch b/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
index c1a528f90d..134633f668 100644
--- a/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
+++ b/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
@@ -12,11 +12,11 @@ Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
cmake/modules/UseLemon.cmake | 49 +++++++++++++++++++++++++-----------
1 file changed, 34 insertions(+), 15 deletions(-)
-diff --git a/cmake/modules/UseLemon.cmake b/cmake/modules/UseLemon.cmake
-index 849ffc1..ca38ab7 100644
---- a/cmake/modules/UseLemon.cmake
-+++ b/cmake/modules/UseLemon.cmake
-@@ -7,21 +7,40 @@ MACRO(ADD_LEMON_FILES _source _generated)
+Index: wireshark-3.4.11/cmake/modules/UseLemon.cmake
+===================================================================
+--- wireshark-3.4.11.orig/cmake/modules/UseLemon.cmake
++++ wireshark-3.4.11/cmake/modules/UseLemon.cmake
+@@ -7,21 +7,40 @@ MACRO(ADD_LEMON_FILES _source _generated
SET(_out ${CMAKE_CURRENT_BINARY_DIR}/${_basename})
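Review bot: the refreshed header in this hunk switches the embedded patch from git style (diff --git a/... b/...) to quilt style, with Index: wireshark-3.4.11/... and versioned ---/+++ paths, so the package version is now baked into the patch and will churn again on the next upgrade. It also truncates the hunk context to "MACRO(ADD_LEMON_FILES _source _generated". Regenerating the patch with git format-patch would keep the a/ b/ paths and limit this diff to the change that is actually needed.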
@@ -26,7 +26,7 @@ index 849ffc1..ca38ab7 100644
- # These files are generated as side-effect
- ${_out}.h
- ${_out}.out
-- COMMAND lemon
+- COMMAND $<TARGET_FILE:lemon>
- -T${_lemonpardir}/lempar.c
- -d.
- ${_in}
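Review bot: the commit message says only "refresh", but the removed-side line here changes from "COMMAND lemon" to "COMMAND $<TARGET_FILE:lemon>", meaning the upstream code this patch deletes has changed. Please say so in the message and confirm that the added side of the patch, which this hunk does not show, is unchanged and still invokes the intended lemon binary.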
@@ -72,6 +72,3 @@ index 849ffc1..ca38ab7 100644
LIST(APPEND ${_source} ${_in})
LIST(APPEND ${_generated} ${_out}.c)
---
-2.26.2.Cisco
-
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
similarity index 97%
rename from meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb
rename to meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
index 73ccfc5f30..df1fb89f0a 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
@@ -19,7 +19,7 @@ SRC_URI += " \
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "58a7fa8dfe2010a8c8b7dcf66438c653e6493d47eb936ba48ef49d4aa4dbd725"
+SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279"
PE = "1"
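Review bot: the rename goes from 3.4.8 to 3.4.11, but the commit message lists security fixes only under 3.4.11 and 3.4.10 and is silent about 3.4.9. Please either add the 3.4.9 entries or state that 3.4.9 carried no security fixes, so the CVE coverage of this upgrade is complete. As with the other upgrades, it would help to say that the new SRC_URI[sha256sum] was checked against the value upstream publishes.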
--
2.25.1
* [hardknott 11/11] udisks2: upgrade from 2.9.2 to 2.9.4
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
To: openembedded-devel
From: Chen Qi <Qi.Chen@windriver.com>
Upgrade udisks2 from 2.9.2 to 2.9.4. This upgrade solves
CVE-2021-3802.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-oe/recipes-support/udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb} (89%)
diff --git a/meta-oe/recipes-support/udisks/udisks2_2.9.2.bb b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
similarity index 89%
rename from meta-oe/recipes-support/udisks/udisks2_2.9.2.bb
rename to meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
index 4c64f91a9e..a25860fd92 100644
--- a/meta-oe/recipes-support/udisks/udisks2_2.9.2.bb
+++ b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
@@ -17,8 +17,8 @@ DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
RDEPENDS_${PN} = "acl"
-SRC_URI = "git://github.com/storaged-project/udisks.git;branch=master;protocol=https"
-SRCREV = "da6d9480fefeb0ffdf8a84626b5096827d8d7030"
+SRC_URI = "git://github.com/storaged-project/udisks.git;branch=2.9.x-branch;protocol=https"
+SRCREV = "001c486e6d099ed33e2de4f5c73c03e3ee180f81"
S = "${WORKDIR}/git"
CVE_PRODUCT = "udisks"
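Review bot: the new SRCREV on the + line is a bare hash with nothing tying it to the 2.9.4 release; please state in the commit message (or a comment next to SRCREV) that it is the commit tagged as 2.9.4 on 2.9.x-branch, since the claim that CVE-2021-3802 is fixed rests on that. Unlike the apache2 and wireshark patches in this series, the message also has no "cherry picked from commit" line, so it is unclear whether this change exists on master or is specific to hardknott.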
--
2.25.1