Fixes the following security issues:
- CVE-2020-8696: Description: Improper removal of sensitive information
before storage or transfer in some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local
access
- CVE-2020-8698: Description: Improper isolation of shared resources in some
Intel(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
License file updated with the new year, so change hash accordingly.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: explain license hash change]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
From the release notes:
================================================================================
Redis 6.2.3 Released Mon May 3 19:00:00 IST 2021
================================================================================
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Read more on https://github.com/redis/redis/blob/6.2.3/00-RELEASENOTES
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Dick Olsson <hi@senzilla.io>
[yann.morin.1998@free.fr: drop files from patches not applied]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Boot a QEMU sbsa-ref machine with ATF, EDK2, GRUB2 and a minimal
kernel. This is a simple but effective test of a compliant setup.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This introduces a configuration for the SBSA reference machine under
QEMU that is intended for developing and testing firmware. It consists
of ATF that load EDK2 as BL33 which in turn will load GRUB2.
Included with the board files is a minimal kernel configuration, almost
identical to that of board/qemu/aarch64-virt/linux.config. The main
difference is the addition of ACPI which is preferred over DTB for
booting an UEFI system.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
EDK2 is a modern, feature-rich, cross-platform firmware development
environment for the UEFI and PI specifications.
The initial version of this bootloader package makes it possible to
build firmware for the following seven configurations:
* QEMU x86-64 pc machine
* QEMU aarch64 virt machine, booting directly from flash
* QEMU aarch64 virt machine, booting via the kernel protocol
* QEMU aarch64 sbsa-ref machine
* ARM FVP vexpress machine
* Socionext SynQuacer Developerbox
* SolidRun MacchiatoBin
Support the use of EDK2 UEFI payloads as BL33 in ARM Trusted Firmware.
Signed-off-by: Dick Olsson <hi@senzilla.io>
[yann.morin.1998@free.fr:
- duplicate defaults in Config.in
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
EDK2 firmware is usually built from two sources; the core EDK2
environment, and additional platform description files maintained
separately. This package adds the latter set of description files to
staging so that the core EDK2 package can build with these for certain
platforms during the building process.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The riscv support has been added since v7.6.4 release.
137643f141
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
[yann.morin.1998@free.fr:
- split the long line
- reorder the archs alphabetically, and group related ones
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Backport an upstream patch fixing a link issue with libgc.so on RISC-V
riscv64-buildroot-linux-musl/sysroot/usr/lib/libgc.so: undefined reference to `__data_start'
https://gitlab.com/kubu93/buildroot/-/jobs/1229888983
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
lvmetad has been dropped since version 2.03.00 and
117160b27e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Openssl implements lot of algorithms that are not required in some
emdedded devices and cyphers known as weak. Secure embedded systems
shall disable unused algorithms (and weak algo) in order to be
certified.
This patch allows to select weak algorithms and mecanims to enable
such as md5.
To ensure backward compatibility, all items are selected by default.
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
[yann.morin.1998@free.fr:
- drop help texts that just repeat the prompts
- fix check-package
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When doing analysis it is helpful to be able to view what CVE have
been patched / diagnosed to not apply to Buildroot. This exposes
that list to the reporting and prevents a step where you have to
dig into the .mk's of a pkg to check for sure what has been
ignored.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: only set background if there are ignored CVEs]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
For cases of a CPE having a unknown version or when there hasn't
been a CPE verified, proposed a search criteria to help the
user research an update.
(libcurl has NIST dict entries but not this version)
cpe:2.3🅰️haxx:libcurl:7.76.1:*:*:*:*:*:*:*
CPE identifier unknown in CPE database (Search)
(jitterentropy-library package doesn't have any NIST dict entries)
no verified CPE identifier (Search)
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: fix flake8 issues]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Update wayland to version 1.19.0, which mostly includes bug fixes and is
the minimum version required by wlroots 0.13.0
Patch "0001-build-add-option-to-disable-tests.patch" is updated as an
actual backport from upstream. Since upstream has migrated to meson, and
we've already switched too, drop the autostuff hunks.
Patch "0002-meson-do-not-check-for-c.patch" is replaced by a newer one,
"0002-meson-only-require-cpp-for-tests.patch" which was accepted by
upstream as an improved version of it.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr:
- do actual backports of upstream patches now they've been merged
- consequently, drop the legacy autostuff hunks from first patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
It invokes the recently introduced gen-missing-cpe script.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This script queries the list of CPE IDs for the packages of the
current configuration (based on the "make show-info" output), and:
- for CPE IDs that do not have any matching entry in the CPE
database, it emits a warning
- for CPE IDs that do have a matching entry, but not with the same
version, it generates a snippet of XML that can be used to propose
an updated version to NIST.
Ref: NIST has a group email (cpe_dictionary@nist.gov) used to
recieve these version update and new entry xml files. They do
process the XML and provide feedback. In some cases they will
propose back something different where the vendor or version is
slightly different.
Limitations
- Currently any use of non-number version identifiers isn't
supported by NIST as they use ranges to determine impact
of a CVE
- Any Linux version from a non-upstream is also not supported
without manually adjusting the information as the custom
kernel will more then likely not match the upstream version
used in the dictionary
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
- codestyles as spotted by Arnout
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2021-21252: The jQuery Validation Plugin provides drop-in
validation for your existing forms. It is published as an npm package
"jquery-validation". jquery-validation before version 1.19.3 contains
one or more regular expressions that are vulnerable to ReDoS (Regular
Expression Denial of Service).
Update hash of README.md due to changes not related to license
https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
