America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30.
(Thanks to Alexander Krivenyshev for the heads-up.)
Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
(Thanks to Alexander Krivenyshev and Matt Johnson.)
New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers
Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29
at 02:00. (Thanks to Stepan Golosunov.)
Changes affecting past time stamps
New zone Europe/Kirov, split off from Europe/Volgograd. It covers
Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on
1989-03-26 at 02:00, roughly a year after Europe/Volgograd made
the same change. (Thanks to Stepan Golosunov.)
Russia and nearby locations had daylight-saving transitions on
1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on
1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan
Golosunov.)
Many corrections to historical time in Kazakhstan from 1991
through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's
invented time zone abbreviations with numeric abbreviations.
They keep the versions in sync. Changes are all in data.
Changes affecting future time stamps
America/Caracas switches from -0430 to -04 on 2016-05-01 at 02:30.
(Thanks to Alexander Krivenyshev for the heads-up.)
Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
(Thanks to Alexander Krivenyshev and Matt Johnson.)
New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers
Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29
at 02:00. (Thanks to Stepan Golosunov.)
Changes affecting past time stamps
New zone Europe/Kirov, split off from Europe/Volgograd. It covers
Kirov Oblast, Russia, which switched from +04/+05 to +03/+04 on
1989-03-26 at 02:00, roughly a year after Europe/Volgograd made
the same change. (Thanks to Stepan Golosunov.)
Russia and nearby locations had daylight-saving transitions on
1992-03-29 at 02:00 and 1992-09-27 at 03:00, instead of on
1992-03-28 at 23:00 and 1992-09-26 at 23:00. (Thanks to Stepan
Golosunov.)
Many corrections to historical time in Kazakhstan from 1991
through 2005. (Thanks to Stepan Golosunov.) Replace Kazakhstan's
invented time zone abbreviations with numeric abbreviations.
Armin Kuster [Thu, 24 Mar 2016 01:21:51 +0000 (18:21 -0700)]
tzdata: update to 2016c
The 2016c release of the tz code and data is available. Its most urgent change is for Asia/Baku, where the update takes effect this weekend.
This release reflects the following changes, which were either circulated on the tz mailing list or are relatively minor technical or administrative changes:
Changes affecting future time stamps
Azerbaijan no longer observes DST. (Thanks to Steffen Thorsen.)
Chile reverts from permanent to seasonal DST. (Thanks to Juan
Correa for the heads-up, and to Tim Parenti for corrections.)
Guess that future transitions are August's and May's second
Saturdays at 24:00 mainland time. Also, call the period from
2014-09-07 through 2016-05-14 daylight saving time instead of
standard time, as that seems more appropriate now.
Changes affecting past time stamps
Europe/Kaliningrad and Europe/Vilnius changed from +03/+04 to
+02/+03 on 1989-03-26, not 1991-03-31. Europe/Volgograd changed
from +04/+05 to +03/+04 on 1988-03-27, not 1989-03-26.
(Thanks to Stepan Golosunov.)
Changes to commentary
Several updates and URLs for historical and proposed Russian changes.
(Thanks to Stepan Golosunov, Matt Johnson, and Alexander Krivenyshev.)
Armin Kuster [Fri, 18 Mar 2016 21:43:17 +0000 (14:43 -0700)]
tzcode: update to 2016b
change SRC_URI http seems more reliable
Changes to code
tzselect's diagnostics and checking, and checktab.awk's checking,
have been improved. (Thanks to J William Piggott.)
tzcode now builds under MinGW. (Thanks to Ian Abbott and Esben Haabendal.)
tzselect now tests Julian-date TZ settings more accurately.
(Thanks to J William Piggott.)
Changes to commentary
Comments in zone tables have been improved. (Thanks to J William Piggott.)
tzselect again limits its menu comments so that menus fit on a
24x80 alphanumeric display.
A new web page tz-how-to.html. (Thanks to Bill Seymour.)
In the Theory file, the description of possible time zone abbreviations in
tzdata has been cleaned up, as the old description was unclear and
inconsistent. (Thanks to Alain Mouette for reporting the problem.)
Armin Kuster [Fri, 18 Mar 2016 21:43:18 +0000 (14:43 -0700)]
tzdata: update to 2016b
updated SRC_URI to http as it seems more stable.
Changes affecting future time stamps
New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and
Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04 on
2016-03-27 at 02:00 local time. They need distinct zones since their
post-1970 histories disagree. New zone Asia/Barnaul for Altai Krai and
Altai Republic, Russia, which will switch from +06 to +07 on the same date
and local time. Also, Asia/Sakhalin moves from +10 to +11 on 2016-03-27
at 02:00. (Thanks to Alexander Krivenyshev for the heads-up, and to
Matt Johnson and Stepan Golosunov for followup.)
As a trial of a new system that needs less information to be made up,
the new zones use numeric time zone abbreviations like "+04"
instead of invented abbreviations like "ASTT".
Haiti will not observe DST in 2016. (Thanks to Jean Antoine via
Steffen Thorsen.)
Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
(Thanks to Hannah Kreitem.) Guess future transitions will be March's last
Saturday at 01:00, not March's last Friday at 24:00.
Changes affecting past time stamps
Europe/Chisinau observed DST during 1990, and switched from +04 to
+03 at 1990-05-06 02:00, instead of switching from +03 to +02.
(Thanks to Stepan Golosunov.)
1991 abbreviations in Europe/Samara should be SAMT/SAMST, not
KUYT/KUYST. (Thanks to Stepan Golosunov.)
Sona Sarmadi [Tue, 12 Apr 2016 11:25:59 +0000 (13:25 +0200)]
bind: CVE-2016-1285 CVE-2016-1286
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
Brad Mouring [Sat, 26 Mar 2016 02:20:06 +0000 (21:20 -0500)]
busybox_git: Fix SRCREV
The SRCREV in the busybox git recipe did not point to a commit ID
on the master branch. Point the variable to something reachable from
the master branch (which fixes this recipe's fetch()).
Brad Mouring [Sat, 26 Mar 2016 02:20:05 +0000 (21:20 -0500)]
busybox: Backport patch to fix zcip false-conflict
Busybox upstream fixed the issue where an incorrect comparison of
addresses led to bogus renegotiation of a new ll ip in 1.24. Backport
this change to 1.23.1.
Richard Purdie [Fri, 23 Oct 2015 03:30:36 +0000 (20:30 -0700)]
populate_sdk_base: Ensure PKGDATA_DIR exists
The code assumes that PKG_DATADIR exists and will fail if an image has not been
generated which creates it. This occurs when something like buildtools-tarball
is built which doesn't have target packages, only nativesdk ones.
Since this shouldn't be fatal, work around this by creating the missing
directory.
Ross Burton [Fri, 18 Dec 2015 16:56:18 +0000 (16:56 +0000)]
conf/local.conf.sample: comment out ASSUME_PROVIDED=libsdl-native
Ubuntu 15.10 and Debian testing can't build qemu-native against the host libsdl.
Now that libsdl-native is buildable, comment out the ASSUME_PROVIDED which meant
it wouldn't be used.
Ross Burton [Tue, 22 Dec 2015 22:12:30 +0000 (22:12 +0000)]
xorg-lib: allow native building without x11 DISTRO_FEATURES
The Xorg libraries use REQUIRED_DISTRO_FEATURES to stop building on
distributions without the x11 feature but this stops people building native
tooling that uses libX11, such as libsdl-native.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxcb change removed as it's not valid in fido
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Ross Burton [Fri, 11 Mar 2016 20:54:00 +0000 (20:54 +0000)]
base: check for existing prefix when expanding names in PACKAGECONFIG
When the DEPENDS are added as part of the PACKAGECONFIG logic the list of
packages are expanded so that any required nativesdk-/-native/multilib prefixes
and suffixes are added.
However the special handling of virtual/foo names doesn't check that the prefix
already exists, which breaks under nativesdk as in that situation there's an
explicit nativesdk- prefix *and* MLPREFIX is set to nativesdk-. This results in
the same prefix being applied twice, and virtual packages such as virtual/libx11
ending up as virtual/nativesdk-nativesdk-libx11.
Ross Burton [Mon, 30 Nov 2015 11:31:14 +0000 (11:31 +0000)]
libsdl: expand PACKAGECONFIG and enable native builds
Use PACKAGECONFIG instead of using logic in DEPENDS and EXTRA_OECONF, adding new
options for PulseAudio, tslib, DirectFB, OpenGL and X11. Pass
--disable-x11-shared so that it links to the X libraries instead of using
dlopen().
Disable tslib by default as the kernel event input subsystem is generally used.
SDL's OpenGL support requires X11 so check for both x11 and opengl, and merge
the dependencies.
Finally enable native builds, with a minimal PACKAGECONFIG that will build from
oe-core for native and nativesdk.
Robert Yang [Wed, 16 Sep 2015 02:28:46 +0000 (19:28 -0700)]
libsdl: depends on libglu when both x11 and opengl
The libglu requires both opengl (depends on virtual/libgl) and x11
(needs libGL.so which is provided by mesa when x11 in DISTRO_FEATURES),
so let libsdl depend on libglu when both x11 and opengl are in
DISTRO_FEATURES.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
ngutzmann [Wed, 9 Mar 2016 16:17:31 +0000 (09:17 -0700)]
nettle: The variable named p in the patch file was incorrectly named.
The variable in question should have been called ecc->p. The patch has been
updated so that the compilation of the nettle recipe would complete
successfully. The backport originated from this commit
Signed-off-by: Armin Kuster <akuster@mvista.com>
Not required for master, an update to 1.0.2g has been submitted.
Backport from jethro.
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Hongxu Jia [Fri, 13 Nov 2015 11:08:06 +0000 (19:08 +0800)]
wpa-supplicant: Fix CVE-2015-8041
Backport patch from http://w1.fi/security/2015-5/
and rebase for wpa-supplicant 2.4
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Not needed in master since the upgrade to 2.5
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Armin Kuster [Wed, 24 Feb 2016 01:38:25 +0000 (17:38 -0800)]
git: Security fixes CVE-2015-7545
CVE-2015-7545 git: arbitrary code execution via crafted URLs
Signed-off-by: Armin Kuster <akuster@mvista.com>
Already in Jethro, not needed in master due to shipping a version of git
which is already fixed (> 2.6.1)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
rpcbind: Fix memory corruption in PMAP_CALLIT code
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT
code.
The patch comes from
<http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
been in rpcbind upstream yet.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Markus Lehtonen [Tue, 8 Sep 2015 10:58:14 +0000 (13:58 +0300)]
kernel.bbclass: do not mv/link sources when externalsrc enabled
If externalsrc is enabled the 'do_unpack' task is run if the recipe has
some local source files. In the case of kernel recipe this caused the
(externalsrc) source tree to be moved/symlinked. This patch prevents the
behaviour, making sure the source tree is not moved around when
externalsrc is enabled. Instead of moving the source tree,
STAGING_KERNEL_DIR will be a symlink to it.
Armin Kuster [Fri, 12 Feb 2016 02:41:18 +0000 (18:41 -0800)]
libpcre: Security fixes and package update.
this is related to [Yocto # 9008]
8.38:
The following security fixes are included:
CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() compile_regex()
CVE-2015-3217 pcre: stack overflow in match()
CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis
CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec
CVE-2015-8381 pcre: Heap Overflow in compile_regex()
CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group
CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group
CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
CVE-2015-8387 pcre: Integer overflow in subroutine calls
CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups
CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions
CVE-2015-8395 pcre: Buffer overflow caused by certain references
CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS
8.37:
The following security fixes are included:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
LICENSE file changed due to Copyright date updates.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Jethro and master don't require this patch as they have newer libpcre which
contains these fixes.
Martin Jansa [Tue, 9 Feb 2016 14:54:13 +0000 (15:54 +0100)]
tzdata: remove 2015d version
* this is left-over from upgrade to 2016a
* it's safer to remove so that .bbappends in other layers really apply to version
used in build (currently we have bbappend for 2015d and build will use 2016a
without any warning)
* the same problem was reported with 2015f upgrade:
http://lists.openembedded.org/pipermail/openembedded-core/2015-August/109708.html
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Not required by other branches as this is removing a leftover file in Fido
only.
Paul Eggleton [Sat, 6 Feb 2016 23:14:58 +0000 (15:14 -0800)]
tzdata: reinstate changes reverted in 2014c upgrade
OE-Core commit 57af3fb9662106f0a65a1b4edf83e2398be0a8f1 upgraded tzdata
but also reverted a couple of changes to SUMMARY and LIC_FILES_CHKSUM.
Reinstate these (with an update to the README md5 value since that has
changed slightly, without any change to the licensing statements
within).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster [Sat, 6 Feb 2016 23:14:57 +0000 (15:14 -0800)]
tzdata: update to 2016a
Changed LIC_CHKSUM_FILES to a new LICENSE file.
Add BSD-3-clause to licenses
Changes affecting future time stamps
America/Cayman will not observe daylight saving this year after all.
Revert our guess that it would. (Thanks to Matt Johnson.)
Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
(Thanks to Alexander Krivenyshev.)
Asia/Tehran now has DST predictions for the year 2038 and later,
to be March 21 00:00 to September 21 00:00. This is likely better
than predicting no DST, albeit off by a day every now and then.
Changes affecting past and future time stamps
America/Metlakatla switched from PST all year to AKST/AKDT on
2015-11-01 at 02:00. (Thanks to Steffen Thorsen.)
America/Santa_Isabel has been removed, and replaced with a
backward compatibility link to America/Tijuana. Its contents were
apparently based on a misreading of Mexican legislation.
Changes affecting past time stamps
Asia/Karachi's two transition times in 2002 were off by a minute.
(Thanks to Matt Johnson.)
Armin Kuster [Sat, 6 Feb 2016 23:14:56 +0000 (15:14 -0800)]
tzcode: update to 2016a
Change LIC_CHKSUM_FILES to License. Some files are BSD clause 3
Changes affecting build procedure
An installer can now combine leap seconds with use of the backzone file,
e.g., with 'make PACKRATDATA=backzone REDO=posix_right zones'.
The old 'make posix_packrat' rule is now marked as obsolescent.
(Thanks to Ian Abbott for an initial implementation.)
Changes affecting documentation and commentary
A new file LICENSE makes it easier to see that the code and data
are mostly public-domain. (Thanks to James Knight.) The three
non-public-domain files now use the current (3-clause) BSD license
instead of older versions of that license.
tz-link.htm mentions the BDE library (thanks to Andrew Paprocki),
CCTZ (thanks to Tim Parenti), TimeJones.com, and has a new section
on editing tz source files (with a mention of Sublime zoneinfo,
thanks to Gilmore Davidson).
The Theory and asia files now mention the 2015 book "The Global
Transformation of Time, 1870-1950", and cite a couple of reviews.
The America/Chicago entry now documents the informal use of US
central time in Fort Pierre, South Dakota. (Thanks to Rick
McDermid, Matt Johnson, and Steve Jones.)
Wenzong Fan [Sat, 6 Feb 2016 23:14:49 +0000 (15:14 -0800)]
subversion: fix CVE-2015-3187
The svn_repos_trace_node_locations function in Apache Subversion before
1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used,
allows remote authenticated users to obtain sensitive path information
by reading the history of a node that has been moved from a hidden path.
Patch is from:
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Wenzong Fan [Sat, 6 Feb 2016 23:14:48 +0000 (15:14 -0800)]
subversion: fix CVE-2015-3184
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before
1.8.14, when using Apache httpd 2.4.x, does not properly restrict
anonymous access, which allows remote anonymous users to read hidden
files via the path name.
Patch is from:
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster [Sat, 6 Feb 2016 23:14:45 +0000 (15:14 -0800)]
glibc: CVE-2015-8776
It was found that out-of-range time values passed to the strftime function may
cause it to crash, leading to a denial of service, or potentially disclose
information.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster [Sat, 6 Feb 2016 23:14:44 +0000 (15:14 -0800)]
glibc: CVE-2015-9761
A stack overflow vulnerability was found in nan* functions that could cause
applications which process long strings with the nan function to crash or,
potentially, execute arbitrary code.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster [Sat, 6 Feb 2016 23:14:43 +0000 (15:14 -0800)]
glibc: CVE-2015-8779
A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially execute arbitrary code.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster [Sat, 6 Feb 2016 23:14:42 +0000 (15:14 -0800)]
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
libc6) before 2.23 allows local users to bypass a pointer-guarding protection
mechanism via a zero value of the LD_POINTER_GUARD environment variable.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Needed to quiet GNU_HASH warnings, and some minor fixes.
...
it explicitly moves logrotate to /usr/bin without any reason,
which is against the original Linux location /usr/sbin.
So partly revert the above commit which let logrotate be
kept in the original place /usr/sbin.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Martin Jansa [Fri, 4 Dec 2015 18:44:23 +0000 (19:44 +0100)]
texinfo: don't create dependency on INHERIT variable
* we don't want the do_package signature depending on INHERIT variable
* e.g. just adding the own-mirrors causes texinfo to rebuild:
# bitbake-diffsigs BUILD/sstate-diff/*/*/texinfo/*do_package.sig*
basehash changed from 015df2fd8e396cc1e15622dbac843301 to 9f1d06c4f238c70a99ccb6d8da348b6a
Variable INHERIT value changed from
' rm_work blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
to
' rm_work own-mirrors blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Sona Sarmadi [Mon, 21 Dec 2015 11:35:20 +0000 (12:35 +0100)]
bind: CVE-2015-8000
Fixes a denial of service in BIND.
An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND
instead of being rejected as malformed. This can trigger
a REQUIRE assertion failure when those records are subsequently
cached.
When compiling meta-toolchain-qt5 on cortexa8, the compiler throws an
internal compiler error:
...
qttools-opensource-src-5.3.2/src/linguist/shared/po.cpp:
In function 'bool loadPO(Translator&, QIODevice&, ConversionData&)':
qttools-opensource-src-5.3.2/src/linguist/shared/po.cpp:717:1:
internal compiler error: in add_stores, at var-tracking.c:6000
...
Tracking this down led to https://bugs.linaro.org/show_bug.cgi?id=534
It seems the bug is well known and fixed upstream. So backporting from
trunk seems to be the right solution. This fixes the compiler problem
on cortexa8 and does not seem to be very invasive. The original commit
can be found at:
Martin Jansa [Tue, 30 Jun 2015 14:15:00 +0000 (16:15 +0200)]
feature-arm-thumb.inc: Fix ARMPKGSFX_THUMB value
* my previous thumb related commit:
commit 3e760031f91fb87c3e2f62b77a117eb41164f259
Author: Martin Jansa <martin.jansa@gmail.com>
Date: Wed Feb 18 15:40:35 2015 +0100
feature-arm-thumb.inc: respect ARM_INSTRUCTION_SET when adding thumb
suffix
unfortunately removed conditional on "thumb" in TUNE_FEATURES, when
setting ARMPKGSFX_THUMB
* in case we have MACHINE without "thumb" in TUNE_FEATURES and distro
setting ARM_INSTRUCTION_SET to "thumb" we end with:
ARM_INSTRUCTION_SET="thumb"
ARM_THUMB_OPT="thumb"
ARM_M_OPT="thumb"
Mike Crowe [Thu, 29 Oct 2015 12:28:21 +0000 (12:28 +0000)]
allarch: Force TARGET_*FLAGS variable values
TARGET_CPPFLAGS, TARGET_CFLAGS, TARGET_CPPFLAGS and TARGET_LDFLAGS may
differ between MACHINEs. Since they are exported they affect task hashes
even if unused which leads to multiple variants of allarch packages
existing in sstate and bouncing in the sysroot when switching between
MACHINEs.
allarch packages shouldn't be using these variables anyway, so let's
ensure they have a fixed value in order to avoid this problem.
Martin Jansa [Thu, 26 Nov 2015 12:58:13 +0000 (13:58 +0100)]
linux-dtb.inc: drop unused DTB_NAME variable from do_install
* this is causing do_install to depend on KERNEL_IMAGE_BASE_NAME which
in some cases contains something like BUILD_NUMBER from CI, that
caused do_install to be reexecuted every single time, which is very
sad to be caused by unused variable.
* jethro and newer don't need this change, because it's also fixed in
commit 86b3f29f93e3f87903668ea317c6bd97be4cdf62
Author: Marek Vasut <marex@denx.de>
Date: Thu May 14 14:31:11 2015 +0200
Subject: kernel: Build DTBs early
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Bhuvanchandra DV [Thu, 26 Nov 2015 09:12:35 +0000 (14:42 +0530)]
linux-firmware: rtl8192cx: Add latest available firmware
Add latest available firmware binaries for RTL8192CX chipsets.
These new firmwares have been released in 2012, have been used
by the mainline kernel as preferred firmware since 3.13 and
even backported to stable branches.
Armin Kuster [Wed, 11 Nov 2015 22:21:46 +0000 (14:21 -0800)]
libxml2: fix CVE-2015-7942 and CVE-2015-8035
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
Aníbal Limón [Fri, 9 Oct 2015 22:21:44 +0000 (17:21 -0500)]
bash: Disable custom memory allocator
Bash is failing trying to allocate memory [1] using the custom
memory allocator; if we disable it the issue is fixed.
The major distributions also disable it by default [2], so we
don't have a good reason to use it.
The underlying issue is due to bash’s malloc using brk() calls
to allocate memory, which fail when address randomization is
enabled in kernel. sbrk() based custom allocators are obsolete.
There may be some performance impact of this however correctness
is more important.
Paul Eggleton [Mon, 12 Oct 2015 13:49:11 +0000 (14:49 +0100)]
tzdata: reinstate changes reverted in 2014c upgrade
OE-Core commit 57af3fb9662106f0a65a1b4edf83e2398be0a8f1 upgraded tzdata
but also reverted a couple of changes to SUMMARY and LIC_FILES_CHKSUM.
Reinstate these (with an update to the README md5 value since that has
changed slightly, without any change to the licensing statements
within).
Armin Kuster [Fri, 2 Oct 2015 14:26:49 +0000 (07:26 -0700)]
tzdata: update to 2015g
Resend: typo in version in subject.
Changes affecting future time stamps
Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
(Thanks to Fatih.)
Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
(Thanks to Alexander Krivenyshev.)
Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
(Thanks to Ken Rylander.)
Fort Nelson, British Columbia will not fall back on 2015-11-01. It has
effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
New zone America/Fort_Nelson. (Thanks to Matt Johnson.)
Armin Kuster [Fri, 2 Oct 2015 14:24:52 +0000 (07:24 -0700)]
tzcode: update to 2015g
Changes affecting code
localtime no longer mishandles America/Anchorage after 2037.
(Thanks to Bradley White for reporting the bug.)
On hosts with signed 32-bit time_t, localtime no longer mishandles
Pacific/Fiji after 2038-01-16 14:00 UTC.
The localtime module allows the variables 'timezone', 'daylight',
and 'altzone' to be in common storage shared with other modules,
and declares them in case the system <time.h> does not.
(Problems reported by Kees Dekker.)
On platforms with tm_zone, strftime.c now assumes it is not NULL.
This simplifies the code and is consistent with zdump.c.
(Problem reported by Christos Zoulas.)
Changes affecting documentation
The tzfile man page now documents that transition times denote the
starts (not the ends) of the corresponding time periods.
(Ambiguity reported by Bill Seymour.)