Re: [OE-core] [bitbake-devel] 'vendor' fetching discussion cont.

2025-02-14 Thread Stefan Herbrechtsmeier via lists.openembedded.org
On 13.02.2025 at 21:32, Richard Purdie wrote: On Thu, 2025-02-13 at 17:33 +0100, Stefan Herbrechtsmeier wrote: On 13.02.2025 at 11:43, Richard Purdie via lists.openembedded.org wrote: Most of the concerns I've seen are about how easy it is to understand what is going on behind the scenes.

Re: [OE-core] [PATCH 4/5] cve-check.bbclass: Cease forced symlink creation

2025-02-14 Thread Niko Mauno via lists.openembedded.org
I have submitted this particular commit as v2: https://lists.openembedded.org/g/openembedded-core/message/211391 as it fixes an issue that, according to my understanding, prevents using the bbclass in a fashion that is compliant with the Yocto reference manual. -Niko On 14.1.2025 17.37, Niko Mauno v

[OE-core] [PATCH v2] cve-check.bbclass: Mitigate symlink related error

2025-02-14 Thread Niko Mauno via lists.openembedded.org
From: Niko Mauno According to Yocto reference manual, in description of the IMAGE_LINK_NAME variable, it is said that It is possible to set this to "" to disable symlink creation, however, you also need to set :term:`IMAGE_NAME` to still have a reasonable value e.g.:: IMAGE_LINK_NAME

[OE-core] [scarthgap] [PATCH] qemu 8.2.7: Fix CVE-2024-8354

2025-02-14 Thread Madhu Marri via lists.openembedded.org
Upstream Repository: https://gitlab.com/qemu-project/qemu.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-8354 Type: Security Fix CVE: CVE-2024-8354 Score: 5.5 Signed-off-by: Madhu Marri --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-8354.patch

Patchtest results for [OE-core] [scarthgap] [PATCH] qemu 8.2.7: Fix CVE-2024-8354

2025-02-14 Thread Patchtest via lists.openembedded.org
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/scarthgap-qemu-8.2.7-Fix-CVE-2024-8354.patch FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in

Re: [OE-core] 'vendor' fetching discussion cont.

2025-02-14 Thread Stefan Herbrechtsmeier via lists.openembedded.org
On 13.02.2025 at 18:34, Bruce Ashfield wrote: I did some replies to the other threads before seeing this, we can feel free to let those other threads go unanswered, to unify things here. Okay On Thu, Feb 13, 2025 at 5:43 AM Richard Purdie wrote: I've pulled this to a separate email/thr

[oe-core][kirkstone][PATCH 5/5] ffmpeg: fix CVE-2024-36617

2025-02-14 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36617.patch| 38 +++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 39 insert

[oe-core][kirkstone][PATCH 4/5] ffmpeg: fix CVE-2024-36616

2025-02-14 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36616.patch| 37 +++

[oe-core][kirkstone][PATCH 2/5] ffmpeg: CVE-2025-0518

2025-02-14 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1

[oe-core][kirkstone][PATCH 3/5] ffmpeg: fix CVE-2024-36613

2025-02-14 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024

[oe-core][kirkstone][PATCH 1/5] gnutls: fix CVE-2024-12243

2025-02-14 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attack

Re: [OE-core] [PATCH 1/4] systemd: if getty generator is disabled remove the generator, not the units

2025-02-14 Thread Mathieu Dubois-Briand via lists.openembedded.org
On Thu Feb 13, 2025 at 9:02 PM CET, Ross Burton via lists.openembedded.org wrote: > If the getty generator is disabled then it's neater to remove just the > generator tool instead of the unit files as the unit files are still > useful. > > Signed-off-by: Ross Burton > --- Hi Ross, Sorry, but I

Re: [OE-core] [scarthgap][styhead][PATCH] subversion: ignore CVE-2024-45720

2025-02-14 Thread sofiane.hamam via lists.openembedded.org
Hi, I also worked on this one Reviewed-by: Sofiane Hamam

[OE-core][PATCH V2] util-linux/util-linux-libuuid: upgrade from 2.40.2 to 2.40.4

2025-02-14 Thread Chen Qi via lists.openembedded.org
From: Chen Qi The following patch is dropped because it is in the new version: - 0001-autotools-fix-securedir-and-pam_lastlog2-install.patch libfdisk-cfdisk-and-sfdisk-sector-size-improvements.patch is replaced by two new patches: - 0001-cfdisk-add-sector-size-commanand-line-option.patch - 0002-sfd