Apply patches from the openssl-1.0.1e-51.el7_2.4.src.rpm package
downloaded from the Oracle server.
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
The patches were taken from openssl-1.0.1e-51.el7_2.2.src.rpm and
apply all CVEs that were not applied yet. Document which patches
were not applied. There should be another openssl version soon as
the next round of fixes was announced for the 1st of March.
After the upgrade "opkg update with https feeds" and "openvpn against
netport" were tested. They seem to work.
Fixes: SYS#2448
Right now we have one "libosmocore" package but if we split it up
the libosmocore package will be renamed to libosmocore6 and then
even a RREPLACE_libosmocore = "libosmocore" will be replaced to
RREPLACE_libosmocore6 = "libosmocore6". Add a HACK to have a
certain start of a dependency not being replaced. This will be
used by the libosmocore upgrade.
We only need this in dora as for other distributions we start
with a fresh slate.
Related: SYS#217
It appears that in latest poky master the CC variable is not automatically
passed to the build. The last good build was 7cd835177a
and now it was failing. Pass CC to the build.
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
(From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
(From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
(From OE-Core rev: bdfe1e3770aeee9a1a7c65d4834f1a99820d3140)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
(From OE-Core rev: af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch from OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc
by Khem Raj <raj.khem@gmail.com>
(From OE-Core rev: a71680ec6e12c17159336dc34d904cb70155d0d7)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch based on the one from OE-Core master rev
798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.
(From OE-Core rev: 74d45affd5cda2e388d42db3322b4a0d5aff07e8)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
(From OE-Core rev: 1c8f43767c7d78872d38652ea808f30ea825bbef)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for no-ssl3 configuration option
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 97e7b7a96178cf32411309f3e9e3e3b138d2050b)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for session tickets memory leak.
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 420a8dc7b84b03a9c0a56280132e15b6c9a8b4df)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix for SRTP Memory Leak
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 47633059a8556c03c0eaff2dd310af87d33e2b28)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Symptoms with LCR: nta outgoing create: invalid URI
Take patch posted to the upstream project and carried by Debian
and Ubuntu for this project. Unroll the different fields by hand
to fix undefined behavior.
Exception: OSError: [Errno 36] File name too long: '/home/oebuilds/jenkins/workspace/Yocto-Master/label/OE/build/tmp/deploy/sources/allarch-poky-linux/Firmware-AbilisFirmware-agereFirmware-amd-ucodeFirmware-atheros_firmwareFirmware-broadcom_bcm43xxFirmware-ca0132Firmware-chelsio_firmwareFirmware-cw1200Firmware-dib0700Firmware-ene_firmwareFirmware-fw_sst_0f28Firmware-go7007Firmware-i2400mFirmware-ibt_firmwareFirmware-it913xFirmware-iwlwifi_firmwareFirmware-IntcSST2Firmware-MarvellFirmware-mwl8335Firmware-myri10ge_firmwareFirmware-OLPCFirmware-phanfwFirmware-qat_dh895xcc_firmwareFirmware-qla2xxxFirmware-r8a779x_usb3Firmware-radeonFirmware-ralink_a_mediatek_company_firmwareFirmware-ralink-firmwareFirmware-rtlwifi_firmwareFirmware-tda7706-firmwareFirmware-ti-connectivityFirmware-ueagle-atm4-firmwareFirmware-via_vt6656Firmware-wl1251Firmware-xc4000Firmware-xc5000Firmware-xc5000cFirmware-sianoFirmware-qualcommAthos_ar3kFirmware-qualcommAthos_ath10k'
Our initramfs images are supposed to be small and don't have a
/etc/opkg folder so attempting to put feed config in there will
fail. Reset the FEED_URIS that come from our local.conf.
When restoring the backup the rootfs is mounted in /rootfs/data
and the symlink to the real file would then not work. Attempt to
change the directory first to get a relative symlink.
Untested change and needed for rauc
In dora we do not have autotools-brokensep. Do it the old way
and set the B variable directly. At sysmocom we still use this
layer for the very old Dora release.