Commit Graph

9 Commits

Author SHA1 Message Date
Mariano Lopez e5c011b041 Add "CVE:" tag to current patches in OE-core
The current patches in OE-core don't have the "CVE:"
tag, now part of the policy of the patches.

This patch adds this tag to several patches. There might
be patches that I missed; the tag can be added in the future.

(From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669)

Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-11 23:26:32 +00:00
Kai Kang 7a9f5c9120 gnupg: CVE-2013-4242
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x
and possibly other products, allows local users to obtain private RSA
keys via a cache side-channel attack involving the L3 cache, aka
Flush+Reload.

Patch from commit e2202ff2b704623efc6277fb5256e4e15bac5676 in
git://git.gnupg.org/libgcrypt.git

(From OE-Core rev: d1e0f3e71ce9978ff0fc94d71e67b528dad84c5c)

Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-18 16:14:04 +02:00
Yong Zhang 0ba78399f4 gnupg: CVE-2013-4576
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions
with certain patterns that introduce a side channel, which allows physically
proximate attackers to extract RSA keys via a chosen-ciphertext attack and
acoustic cryptanalysis during decryption. NOTE: applications are not typically
expected to protect themselves from acoustic side-channel attacks, since this
is arguably the responsibility of the physical device. Accordingly, issues of
this type would not normally receive a CVE identifier. However, for this
issue, the developer has specified a security policy in which GnuPG should
offer side-channel resistance, and developer-specified security-policy
violations are within the scope of CVE.

(From OE-Core rev: 46b80c80b0e008820b34f4360054e1697df2650d)

Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-03-27 09:42:05 +00:00
Ming Liu 0abd9418b1 gnupg: CVE-2013-4351
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits
cleared (no usage permitted) as if it has all bits set (all usage permitted),
which might allow remote attackers to bypass intended cryptographic protection
mechanisms by leveraging the subkey.

(From OE-Core rev: 259aebc9dbcaeb1587aaaab849942f55fa321724)

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-03-27 09:42:05 +00:00
Saul Wold c4d16fce2e gnupg: fix CVE-2012-6085
Code taken from Red Hat

[YOCTO #3813]

(From OE-Core rev: 17f8e03ace51df6b94fdcb7e410acf79c7b046ce)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-02-15 12:17:35 +00:00
Saul Wold caea5b9610 gnupg: Add missing patch for curl_typeof_fix
Seems the wrong commit was grabbed and missed this patch

(From OE-Core rev: 347426ca3dbe06df1d1b0976a81e96cf6238af21)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-02-28 12:27:46 +00:00
Saul Wold c02bea652b gnupg: Update checksum, fix configure and compilation issues
This recipe was added, but did not have the correct
checksum information for the LIC_FILES_CHKSUM or the
SRC_URI. Also disable documentation for now due to
older autotools issue.

[YOCTO #1966]

(From OE-Core rev: e8c02ead5ce130492eb11457f58cc4d28a330132)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-02-26 11:45:23 +00:00
Saul Wold 4825e2af65 gnupg-1.4.7: Update Patch Info
(From OE-Core rev: 50641a59bf10485f62d6d3669a2c1ded95cc48ed)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-02-08 00:50:22 +00:00
Saul Wold b1d4d3599f gnupg: Add gplv2 version 1.4.7
(From OE-Core rev: daff80c595616de10f32e74e2881e851707c7ff9)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-02-03 15:56:34 +00:00