Apply patches from the openssl-1.0.1e-51.el7_2.4.src.rpm package
downloaded from the Oracle server.
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
The patches were taken from openssl-1.0.1e-51.el7_2.2.src.rpm and
apply all CVEs that were not applied yet. Document which patches
were not applied. There should be another openssl version soon as
the next round of fixes was announced for the 1st of March.
After the upgrade "opkg update with https feeds" and "openvpn against
netport" were tested. They seem to work.
Fixes: SYS#2448
This will allow us to have multiple versions installed at the
same time. Use a HACK to not have package.bbclass renamed the
RREPLACE we need for the upgrade.
Fixes: SYS#217
Right now we have one "libosmocore" package but if we split it up
the libosmocore package will be renamed to libosmocore6 and then
even a RREPLACE_libosmocore = "libosmocore" will be replaced to
RREPLACE_libosmocore6 = "libosmocore6". Add a HACK to have a
certain start of a dependency not being replaced. This will be
used by the libosmocore upgrade.
We only need this in dora as for other distributions we start
with a fresh slate.
Related: SYS#217
Disabling the new "binfmt" doesn't work and breaks the build. I have
sent an email to the mailinglist and this might be fixed but at the
same time binfmt is split into a new package anyway. At the same time
we should enable some items we have now switched off. Once we start
to use/stabilize this build we need to check what we need and what the
cost is.
It appears that in latest poky master the CC variable is not automatically
passed to the build. The last good build was 7cd835177a
and now it was failing. Pass CC to the build.
Yocto is now using iproute2 4.4 and the tools we packaged into
the main package are now available as extra packages and we can
just drop our extension for master.
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
(From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
(From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
(From OE-Core rev: bdfe1e3770aeee9a1a7c65d4834f1a99820d3140)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
(From OE-Core rev: af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch from OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc
by Khem Raj <raj.khem@gmail.com>
(From OE-Core rev: a71680ec6e12c17159336dc34d904cb70155d0d7)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch based on the one from OE-Core master rev
798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.
(From OE-Core rev: 74d45affd5cda2e388d42db3322b4a0d5aff07e8)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
(From OE-Core rev: 1c8f43767c7d78872d38652ea808f30ea825bbef)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for no-ssl3 configuration option
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 97e7b7a96178cf32411309f3e9e3e3b138d2050b)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for session tickets memory leak.
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 420a8dc7b84b03a9c0a56280132e15b6c9a8b4df)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for SRTP Memory Leak
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 47633059a8556c03c0eaff2dd310af87d33e2b28)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libexecdir is now a dedicated directory and empty in our ntpd
build. Avoid QA issue of an empty directory not belonging to
anyone. Clean it if it is empty
Symptoms with LCR: nta outgoing create: invalid URI
Take patch posted to the upstream project and carried by Debian
and Ubuntu for this project. Unroll the different fields by hand
to fix undefined behavior.
Exception: OSError: [Errno 36] File name too long: '/home/oebuilds/jenkins/workspace/Yocto-Master/label/OE/build/tmp/deploy/sources/allarch-poky-linux/Firmware-AbilisFirmware-agereFirmware-amd-ucodeFirmware-atheros_firmwareFirmware-broadcom_bcm43xxFirmware-ca0132Firmware-chelsio_firmwareFirmware-cw1200Firmware-dib0700Firmware-ene_firmwareFirmware-fw_sst_0f28Firmware-go7007Firmware-i2400mFirmware-ibt_firmwareFirmware-it913xFirmware-iwlwifi_firmwareFirmware-IntcSST2Firmware-MarvellFirmware-mwl8335Firmware-myri10ge_firmwareFirmware-OLPCFirmware-phanfwFirmware-qat_dh895xcc_firmwareFirmware-qla2xxxFirmware-r8a779x_usb3Firmware-radeonFirmware-ralink_a_mediatek_company_firmwareFirmware-ralink-firmwareFirmware-rtlwifi_firmwareFirmware-tda7706-firmwareFirmware-ti-connectivityFirmware-ueagle-atm4-firmwareFirmware-via_vt6656Firmware-wl1251Firmware-xc4000Firmware-xc5000Firmware-xc5000cFirmware-sianoFirmware-qualcommAthos_ar3kFirmware-qualcommAthos_ath10k'
Our initramfs images are supposed to be small and don't have a
/etc/opkg folder so attempting to put feed config in there will
fail. Reset the FEED_URIS that come from our local.conf.