* [PATCH 1/2] vim: Upgrade 8.2.4681 -> 8.2.4912
@ 2022-05-08 12:34 Richard Purdie
  2022-05-08 12:34 ` [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1 Richard Purdie
       [not found] ` <16ED214F51D113CA.5869@lists.openembedded.org>
  0 siblings, 2 replies; 7+ messages in thread
From: Richard Purdie @ 2022-05-08 12:34 UTC (permalink / raw)
  To: openembedded-core

Includes fixes for CVE-2022-1381, CVE-2022-1420.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4cf..c5922b7fcd71 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://racefix.patch \
            "
 
-PV .= ".4681"
-SRCREV = "15f74fab653a784548d5d966644926b47ba2cfa7"
+PV .= ".4912"
+SRCREV = "a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
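Review bot: PV and SRCREV on the two added lines are bumped by hand and independently, and nothing in the hunk ties a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730 to the 8.2.4912 tag. Please confirm the hash is that tag's commit, because the version string is what CVE tooling will match against CVE-2022-1381 and CVE-2022-1420. The context still lists file://racefix.patch, so the commit message should also say whether that local patch applies unchanged at the new revision.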
-- 
2.34.1




* [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
  2022-05-08 12:34 [PATCH 1/2] vim: Upgrade 8.2.4681 -> 8.2.4912 Richard Purdie
@ 2022-05-08 12:34 ` Richard Purdie
       [not found] ` <16ED214F51D113CA.5869@lists.openembedded.org>
  1 sibling, 0 replies; 7+ messages in thread
From: Richard Purdie @ 2022-05-08 12:34 UTC (permalink / raw)
  To: openembedded-core

Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../freetype/{freetype_2.12.0.bb => freetype_2.12.1.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/freetype/{freetype_2.12.0.bb => freetype_2.12.1.bb} (95%)

diff --git a/meta/recipes-graphics/freetype/freetype_2.12.0.bb b/meta/recipes-graphics/freetype/freetype_2.12.1.bb
similarity index 95%
rename from meta/recipes-graphics/freetype/freetype_2.12.0.bb
rename to meta/recipes-graphics/freetype/freetype_2.12.1.bb
index 3034977cd47c..46c6182630a1 100644
--- a/meta/recipes-graphics/freetype/freetype_2.12.0.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.12.1.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=a5927784d823d443c6cae55701d01553 \
                     file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec"
 
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "ef5c336aacc1a079ff9262d6308d6c2a066dd4d2a905301c4adda9b354399033"
+SRC_URI[sha256sum] = "4766f20157cc4cf0cd292f80bf917f92d1c439b243ac3018debf6b9140c41a7f"
 
 UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"
 
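Review bot: the replaced SRC_URI[sha256sum] line is the only integrity pin for the tarball fetched through ${SAVANNAH_NONGNU_MIRROR}, so the commit message should state how the new value was obtained (for example, checked against the upstream release signature) rather than taken from whatever the mirror served. Since the hunk changes nothing but the checksum and the rename carries the version, the CVE list in the message should be checked against what actually changed between 2.12.0 and 2.12.1, as the renamed recipe's version is what cve-check will compare.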
-- 
2.34.1




* Re: [OE-core] [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
       [not found] ` <16ED214F51D113CA.5869@lists.openembedded.org>
@ 2022-05-08 16:45   ` richard.purdie
  2022-05-09 10:40     ` Marta Rybczynska
  0 siblings, 1 reply; 7+ messages in thread
From: richard.purdie @ 2022-05-08 16:45 UTC (permalink / raw)
  To: openembedded-core; +Cc: Ross Burton, Steve Sakoman

On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
lists.openembedded.org wrote:
> Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
> 
> 

I'm amending this to "Include fix for CVE-2022-27404" since
CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.

I don't think the CVE checker is going to like these as they're using
dates for these for reasons I don't understand.

Cheers,

Richard



* Re: [OE-core] [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
  2022-05-08 16:45   ` [OE-core] " richard.purdie
@ 2022-05-09 10:40     ` Marta Rybczynska
  2022-05-09 14:41       ` Marta Rybczynska
       [not found]       ` <16ED76DCD3B51CA1.18911@lists.openembedded.org>
  0 siblings, 2 replies; 7+ messages in thread
From: Marta Rybczynska @ 2022-05-09 10:40 UTC (permalink / raw)
  To: Richard Purdie; +Cc: OE-core, Ross Burton, Steve Sakoman


On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
> lists.openembedded.org wrote:
> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
> >
> >
>
> I'm amending this to "Include fix for CVE-2022-27404" since
> CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.
>
> I don't think the CVE checker is going to like these as they're using
> dates for these for reasons I don't understand.
>
>
They also include versions in the NVD, but there is no version "non-affected"
as of today for CVE-2022-27404. I'll figure out the exact versions for those
CVEs and update the NVD in the next hours.

Kind regards,
Marta


* Re: [OE-core] [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
  2022-05-09 10:40     ` Marta Rybczynska
@ 2022-05-09 14:41       ` Marta Rybczynska
       [not found]       ` <16ED76DCD3B51CA1.18911@lists.openembedded.org>
  1 sibling, 0 replies; 7+ messages in thread
From: Marta Rybczynska @ 2022-05-09 14:41 UTC (permalink / raw)
  To: Richard Purdie; +Cc: OE-core, Ross Burton, Steve Sakoman


On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska <rybczynska@gmail.com>
wrote:

>
>
> On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
> richard.purdie@linuxfoundation.org> wrote:
>
>> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
>> lists.openembedded.org wrote:
>> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
>> >
>> >
>>
>> I'm amending this to "Include fix for CVE-2022-27404" since
>> CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.
>>
>> I don't think the CVE checker is going to like these as they're using
>> dates for these for reasons I don't understand.
>>
>>
> They also include versions in the NVD, but there is no version
> "non-affected"
> as of today for CVE-2022-27404. I'll figure out the exact versions for
> those
> CVEs and update the NVD in the next hours.
>
> Kind regards,
> Marta
>

Update: the message to NVD has been sent. According to my analysis all three
CVEs have been fixed in 2.12.0.

Regards,
Marta


* Re: [OE-core] [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
       [not found]       ` <16ED76DCD3B51CA1.18911@lists.openembedded.org>
@ 2022-05-10 15:02         ` Marta Rybczynska
  2022-05-10 15:42           ` richard.purdie
  0 siblings, 1 reply; 7+ messages in thread
From: Marta Rybczynska @ 2022-05-10 15:02 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: Richard Purdie, OE-core, Ross Burton, Steve Sakoman


On Mon, May 9, 2022 at 4:42 PM Marta Rybczynska via lists.openembedded.org
<rybczynska=gmail.com@lists.openembedded.org> wrote:

>
>
> On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska <rybczynska@gmail.com>
> wrote:
>
>>
>>
>> On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
>> richard.purdie@linuxfoundation.org> wrote:
>>
>>> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
>>> lists.openembedded.org wrote:
>>> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
>>> >
>>> >
>>>
>>> I'm amending this to "Include fix for CVE-2022-27404" since
>>> CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.
>>>
>>> I don't think the CVE checker is going to like these as they're using
>>> dates for these for reasons I don't understand.
>>>
>>>
>> They also include versions in the NVD, but there is no version
>> "non-affected"
>> as of today for CVE-2022-27404. I'll figure out the exact versions for
>> those
>> CVEs and update the NVD in the next hours.
>>
>> Kind regards,
>> Marta
>>
>
> Update: the message to NVD has been sent. According to my analysis all
> three
> CVEs have been fixed in 2.12.0.
>

The change is up in NVD. The next run of the cve-check should see it.

Regards,
Marta


* Re: [OE-core] [PATCH 2/2] freetype: Upgrade 2.12.0 -> 2.12.1
  2022-05-10 15:02         ` Marta Rybczynska
@ 2022-05-10 15:42           ` richard.purdie
  0 siblings, 0 replies; 7+ messages in thread
From: richard.purdie @ 2022-05-10 15:42 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: OE-core, Ross Burton, Steve Sakoman

On Tue, 2022-05-10 at 17:02 +0200, Marta Rybczynska wrote:
> On Mon, May 9, 2022 at 4:42 PM Marta Rybczynska via
> lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org>
> wrote:
> > On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska
> > <rybczynska@gmail.com> wrote:
> > > On Sun, May 8, 2022 at 6:45 PM Richard Purdie
> > > <richard.purdie@linuxfoundation.org> wrote:
> > > > On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
> > > > lists.openembedded.org wrote:
> > > > > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
> > > > > 
> > > > > 
> > > > 
> > > > I'm amending this to "Include fix for CVE-2022-27404" since
> > > > CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.
> > > > 
> > > > I don't think the CVE checker is going to like these as they're
> > > > using
> > > > dates for these for reasons I don't understand.
> > > > 
> > > > 
> > > 
> > > 
> > > They also include versions in the NVD, but there is no version
> > > "non-affected"
> > > as of today for CVE-2022-27404. I'll figure out the exact
> > > versions for those
> > > CVEs and update the NVD in the next hours.
> > > 
> > > Kind regards,
> > > Marta
> > > 
> > 
> > 
> > Update: the message to NVD has been sent. According to my analysis
> > all three
> > CVEs have been fixed in 2.12.0.
> > 
> 
> 
> The change is up in NVD. The next run of the cve-check should see it.

Great, thanks for sorting that one out, the reports will be much better
for it!

Cheers,

Richard


