poky: subtree update:52a625582e..7035b4b21e
Adrian Bunk (9):
squashfs-tools: Upgrade to 4.4
screen: Upgrade 4.6.2 -> 4.7.0
stress-ng: Upgrade 0.10.00 -> 0.10.08
nspr: Upgrade 4.21 -> 4.23
gcc: Remove stale gcc 8 patchfile
gnu-efi: Upgrade 3.0.9 -> 3.0.10
python3-numpy: Stop shipping manual config files
coreutils: Move stdbuf into an own package coreutils-stdbuf
gnu-efi: Upgrade 3.0.10 -> 3.0.11
Alessio Igor Bogani (1):
systemtap: support usrmerge
Alexander Hirsch (1):
libksba: Fix license specification
Alexander Kanavin (6):
gcr: update to 3.34.0
btrfs-tools: update to 5.3
libmodulemd-v1: update to 1.8.16
selftest: skip virgl test on centos 7 entirely
nfs-utils: do not depend on bash unnecessarily
selftest: add a test for gpl3-free images
Alistair Francis (4):
opensbi: Bump from 0.4 to 0.5
u-boot: Bump from 2019.07 to 2019.10
qemuriscv64: Build smode U-Boot
libsdl2: Fix build failure when using mesa 19.2.1
Andreas Müller (4):
adwaita-icon-theme: upgrade 3.32.0 -> 3.34.0
gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0
IMAGE_LINGUAS_COMPLEMENTARY: auto-add language packages other than locales
libical: add PACKAGECONFIG glib and enable it by default
André Draszik (10):
testimage.bbclass: support hardware-controlled targets
testimage.bbclass: enable ssh agent forwarding
oeqa/runtime/df: don't fail on long device names
oeqa/core/decorator: add skipIfFeature
oeqa/runtime/opkg: skip install on read-only-rootfs
oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs
ruby: update to v2.6.4
ruby: some ptest fixes
oeqa/runtime/context.py: ignore more files when loading controllers
connman: mark connman-wait-online as SYSTEMD_PACKAGE
Bruce Ashfield (6):
linux-yocto/4.19: update to v4.19.78
linux-yocto/5.2: update to v5.2.20
perf: fix v5.4+ builds
perf: create directories before copying single files
perf: add 'cap' PACKAGECONFIG
perf: drop 'include' copy
Carlos Rafael Giani (12):
gstreamer1.0: upgrade to version 1.16.1
gstreamer1.0-plugins-base: upgrade to version 1.16.1
gstreamer1.0-plugins-good: upgrade to version 1.16.1
gstreamer1.0-plugins-bad: upgrade to version 1.16.1
gstreamer1.0-plugins-ugly: upgrade to version 1.16.1
gstreamer1.0-libav: upgrade to version 1.16.1
gstreamer1.0-vaapi: upgrade to version 1.16.1
gstreamer1.0-omx: upgrade to version 1.16.1
gstreamer1.0-python: upgrade to version 1.16.1
gstreamer1.0-rtsp-server: upgrade to version 1.16.1
gst-validate: upgrade to version 1.16.1
gstreamer: Change SRC_URI to use HTTPS access instead of HTTP
Changqing Li (4):
qemu: Fix CVE-2019-12068
python: Fix CVE-2019-10160
sudo: fix CVE-2019-14287
mdadm: fix do_package failed when changed local.conf but not cleaned
Chee Yang Lee (2):
wic/help: change 'wic write' help description
wic/engine: use 'linux-swap' for swap file system
Chen Qi (3):
go: fix CVE-2019-16276
python3: fix CVE-2019-16935
python: fix CVE-2019-16935
Chris Laplante via bitbake-devel (2):
bitbake: bitbake: contrib/vim: initial commit, with unmodified code from indent/python.vim
bitbake: bitbake: contrib/vim: Modify Python indentation to work with 'python do_task {'
Christopher Larson (2):
bitbake: fetch2/git: fetch shallow revs when needed
bitbake: tests/fetch: add test for fetching shallow revs
Dan Callaghan (1):
elfutils: add PACKAGECONFIG for compression algorithms
Douglas Royds via Openembedded-core (1):
icecc: Export ICECC_CC and friends via wrapper-script
Eduardo Abinader (1):
devtool: add ssh key option to deploy-target param
Eugene Smirnov (1):
wic/rawcopy: Support files in sub-directories
Ferry Toth (1):
sudo: Fix fetching sources
Frazer Leslie Clews (2):
makedevs: fix format strings in makedevs.c in print statements
makedevs: fix invalidScanfFormatWidth to prevent overflowing usr_buf
George McCollister (1):
openssl: make OPENSSL_ENGINES match install path
Haiqing Bai (1):
unfs3: fixed the issue that unfsd consumes 100% CPU
He Zhe (1):
ltp: Fix overcommit_memory failure
Hongxu Jia (1):
openssh: fix CVE-2019-16905
Joe Slater (2):
libtiff: fix CVE-2019-17546
libxslt: fix CVE-2019-18197
Kai Kang (1):
bind: fix CVE-2019-6471 and CVE-2018-5743
Liwei Song (1):
util-linux: fix PKNAME name is NULL when use lsblk [LIN1019-2963]
Mattias Hansson (1):
base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot
Max Tomago (1):
python-native: Remove debug.patch
Maxime Roussin-Bélanger (2):
meta: update and add missing homepage/bugtracker links
meta: add missing description in recipes-gnome
Michael Ho (1):
cmake.bbclass: add HOSTTOOLS_DIR to CMAKE_FIND_ROOT_PATH
Mike Crowe (2):
kernel-fitimage: Cope with non-standard kernel deploy subdirectory
kernel-devicetree: Cope with non-standard kernel deploy subdirectory
Mikko Rapeli (1):
systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE}
Nicola Lunghi (1):
ofono: tidy up the recipe
Ola x Nilsson (10):
oeqa/selftest/recipetool: Use with to control file handle lifetime
oe.types.path: Use with to control file handle lifetime
lib/oe/packagedata: Use with to control file handle lifetime
lib/oe/package_manager: Use with to control file handle lifetime
report-error.bbclass: Use with to control file handle lifetime
package.bbclass: Use with to manage file handle lifetimes
devtool-source.bbclass: Use with to manage file handle lifetime
libc-package.bbclass: Use with to manage filehandle in do_spit_gconvs
bitbake: bitbake: prserv/serv: Use with while reading pidfile
bitbake: bitbake: ConfHandler: Use with to manage filehandle lifetime
Oleksandr Kravchuk (4):
ell: update to 0.23
ell: update to 0.25
ell: update to 0.26
ofono: update to 1.31
Ricardo Ribalda Delgado (1):
i2c-tools: Add missing RDEPEND
Richard Leitner (1):
kernel-fitimage: introduce FIT_SIGN_ALG
Richard Purdie (4):
tinderclient: Drop obsolete class
meson: Backport fix to assist meta-oe breakage
nfs-utils: Improve handling when no exported fileysystems
qemu: Avoid potential build configuration contamination
Robert Yang (1):
bluez5: Fix for --enable-btpclient
Ross Burton (29):
sanity: check the format of SDK_VENDOR
file: explicitly disable seccomp
python3: -dev should depend on distutils
gawk: add PACKAGECONFIG for readline
python3: alternative name is python3-config not python-config
python3: ensure that all forms of python3-config are in python3-dev
oeqa/selftest: use specialist assert* methods
bluez5: refresh upstreamed patches
xorgproto: fix summary
libx11: upgrade to 1.6.9
xorgproto: upgrade to 2019.2
llvm: add missing Upstream-Status tags
buildhistory-analysis: filter out -src changes by default
squashfs-tools: remove redundant source checksums
squashfs-tools: clean up compile/install tasks
wpa-supplicant: fix CVE-2019-16275
gcr: remove intltool-native
elfutils: disable bzip
cve-check: ensure all known CVEs are in the report
git: some tools are no longer perl, so move to main recipe
git: cleanup man install
qemu-helper-native: add missing option to getopt() call
qemu-helper-native: showing help shouldn't be an error
qemu-helper-native: pass compiler flags
oeqa/selftest: add test for oe-run-native
cve-check: failure to parse versions should be more visible
gst-examples: rename so PV is in filename
sanity: check for more bits of Python
recipeutils-test: use a small dependency in the dummy recipe
Sai Hari Chandana Kalluri (1):
devtool: Add --remove-work option for devtool reset command
Scott Rifenbark (9):
ref-manual: First pass of 2.8 migration changes (WIP)
poky.ent: Updated the release date to October 2019
dev-manual: Added info to "Selecting an Initialization Manager"
ref-manual: 2nd pass 3.0 migration
documenation: Changed "2.8" to "3.0".
ref-manual: Removed deprecated link to ref-classes-bluetooth
ref-manual, dev-manual: Clean up of a commit
ref-manual: Updated the BUSYBOX_SPLIT_SUID variable.
ref-manual, dev-manual: Added CMake toolchain files.
Stefan Agner (1):
uninative: check .done file instead of tarball
Tom Benn (1):
dbus: update dbus-1.init to reflect new PID file
Trevor Gamblin (5):
aspell: upgrade from 0.60.7 to 0.60.8
binutils: fix CVE-2019-17450
binutils: fix CVE-2019-17451
ncurses: fix CVE-2019-17594, CVE-2019-17595
libgcrypt: upgrade 1.8.4 -> 1.8.5
Trevor Woerner (1):
libcap-ng: undefined reference to `pthread_atfork'
Wenlin Kang (1):
sysstat: fix CVE-2019-16167
Yann Dirson (1):
mesa: fix meson configure fix when 'dri' is excluded from PACKAGECONFIG
Yeoh Ee Peng (1):
scripts/oe-pkgdata-util: Enable list-pkgs to print ordered packages
Yi Zhao (2):
libsdl2: fix CVE-2019-13616
libgcrypt: fix CVE-2019-12904
Zang Ruochen (6):
bison:upgrade 3.4.1 -> 3.4.2
e2fsprogs:upgrade 1.45.3 -> 1.45.4
libxvmc:upgrade 1.0.11 -> 1.0.12
python3-pip:upgrade 19.2.3 -> 19.3.1
python-setuptools:upgrade 41.2.0 -> 41.4.0
libcap-ng:upgrade 0.7.9 -> 0.7.10
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Change-Id: I50bc42f74dffdc406ffc0dea034e41462fe6e06b
diff --git a/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch b/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
new file mode 100644
index 0000000..7b39dbd
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
@@ -0,0 +1,163 @@
+From 265b691ac440bfb711d8de323346f7d72e620efe Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 12 Sep 2019 12:37:36 -0400
+Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
+ normalize headers with spaces before the colon
+
+RFC 7230 is clear about headers with a space before the colon, like
+
+X-Answer : 42
+
+being invalid, but we've been accepting and normalizing them for compatibility
+purposes since CL 5690059 in 2012.
+
+On the client side, this is harmless and indeed most browsers behave the same
+to this day. On the server side, this becomes a security issue when the
+behavior doesn't match that of a reverse proxy sitting in front of the server.
+
+For example, if a WAF accepts them without normalizing them, it might be
+possible to bypass its filters, because the Go server would interpret the
+header differently. Worse, if the reverse proxy coalesces requests onto a
+single HTTP/1.1 connection to a Go server, the understanding of the request
+boundaries can get out of sync between them, allowing an attacker to tack an
+arbitrary method and path onto a request by other clients, including
+authentication headers unknown to the attacker.
+
+This was recently presented at multiple security conferences:
+https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
+
+net/http servers already reject header keys with invalid characters.
+Simply stop normalizing extra spaces in net/textproto, let it return them
+unchanged like it does for other invalid headers, and let net/http enforce
+RFC 7230, which is HTTP specific. This loses us normalization on the client
+side, but there's no right answer on the client side anyway, and hiding the
+issue sounds worse than letting the application decide.
+
+Fixes CVE-2019-16276
+
+Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
+Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
+(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2019-16276
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/net/http/serve_test.go | 4 ++++
+ src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++
+ src/net/textproto/reader.go | 10 ++--------
+ src/net/textproto/reader_test.go | 13 ++++++-------
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 6eb0088a96..89bfdfbb82 100644
+--- a/src/net/http/serve_test.go
++++ b/src/net/http/serve_test.go
+@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {
+ {"foo\xffbar: foo\r\n", 400}, // binary in header
+ {"foo\x00bar: foo\r\n", 400}, // binary in header
+ {"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
++ // Spaces between the header key and colon are not allowed.
++ // See RFC 7230, Section 3.2.4.
++ {"Foo : bar\r\n", 400},
++ {"Foo\t: bar\r\n", 400},
+
+ {"foo: foo foo\r\n", 200}, // LWS space is okay
+ {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index 5c329543e2..5e5438a708 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {
+ }
+ t.Fatalf("timeout after %v waiting for Transport connections to die off", time.Since(t0))
+ }
++
++func TestInvalidHeaderResponse(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++ conn, buf, _ := w.(Hijacker).Hijack()
++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
++ "Content-Type: text/html; charset=utf-8\r\n" +
++ "Content-Length: 0\r\n" +
++ "Foo : bar\r\n\r\n"))
++ buf.Flush()
++ conn.Close()
++ }))
++ defer cst.close()
++ res, err := cst.c.Get(cst.ts.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer res.Body.Close()
++ if v := res.Header.Get("Foo"); v != "" {
++ t.Errorf(`unexpected "Foo" header: %q`, v)
++ }
++ if v := res.Header.Get("Foo "); v != "bar" {
++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
++ }
++}
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 2c4f25d5ae..1a5e364cf7 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ return m, err
+ }
+
+- // Key ends at first colon; should not have trailing spaces
+- // but they appear in the wild, violating specs, so we remove
+- // them if present.
++ // Key ends at first colon.
+ i := bytes.IndexByte(kv, ':')
+ if i < 0 {
+ return m, ProtocolError("malformed MIME header line: " + string(kv))
+ }
+- endKey := i
+- for endKey > 0 && kv[endKey-1] == ' ' {
+- endKey--
+- }
+- key := canonicalMIMEHeaderKey(kv[:endKey])
++ key := canonicalMIMEHeaderKey(kv[:i])
+
+ // As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ // We could return a ProtocolError here, but better to be liberal in what we
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index f85fbdc36d..b92fdcd3c7 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
+ }
+ }
+
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
++// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+- // Invalid HTTP response header as sent by an Axis security
+- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
++ // These invalid headers will be rejected by net/http according to RFC 7230.
+ r := reader("Foo: bar\r\n" +
+ "Content-Language: en\r\n" +
+ "SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+ want := MIMEHeader{
+ "Foo": {"bar"},
+ "Content-Language": {"en"},
+- "Sid": {"0"},
+- "Audio Mode": {"None"},
+- "Privilege": {"127"},
++ "SID ": {"0"},
++ "Audio Mode ": {"None"},
++ "Privilege ": {"127"},
+ }
+ if !reflect.DeepEqual(m, want) || err != nil {
+ t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)