The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1
and 4.5.x before 4.5.1 allows remote attackers to spoof content via the
url parameter.
Backport upstream commit to fix it:
cd09765675
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
It shows warnings when build apache2 such as:
| WARNING: QA Issue: apache2: /apache2-dev/usr/share/apache2/icons/small/movie.gif
| is owned by uid 1785, which is the same as the user running bitbake.
| This may be due to host contamination [host-user-contaminated]
Set the owner and group to root to fix it.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* see:
http://lists.openembedded.org/pipermail/openembedded-devel/2015-September/103271.html
* fixes:
ERROR: phpmyadmin different signature for task do_package_write_ipk.sigdata between qemux86copy and qemuarm
runtaskdeps changed from ['bashbash_4.3.30.bb.do_packagedata', 'opkg-utilsopkg-utils_git.bb.do_populate_sysroot:virtual:native', 'phpmyadminphpmyadmin_4.4.9.bb.do_package', 'phpmyadminphpmyadmin_4.4.9.bb.do_packagedata', 'pseudopseudo_1.7.4.bb.do_populate_sysroot:virtual:native'] to ['bashbash_4.3.30.bb.do_packagedata', 'opkg-utilsopkg-utils_git.bb.do_populate_sysroot:virtual:native', 'phpmyadminphpmyadmin_4.4.9.bb.do_package', 'phpmyadminphpmyadmin_4.4.9.bb.do_packagedata', 'pseudopseudo_1.7.4.bb.do_populate_sysroot:virtual:native']
openembedded-core/meta/recipes-extended/bash/bash_4.3.30.bb.do_packagedata with hash c08b791d0f860a835a911f5a4c9a32d9
changed to
openembedded-core/meta/recipes-extended/bash/bash_4.3.30.bb.do_packagedata with hash 91674ffdfc796e4ab503093d2c8379da
Hash for dependent task bashbash_4.3.30.bb.do_packagedata changed from c08b791d0f860a835a911f5a4c9a32d9 to 91674ffdfc796e4ab503093d2c8379da
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
systemd service file expects full path of the executatbles.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Passing EXTRA_OECONF to ./configure, this allows to alter build
configure
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Replace contaminated paths with staging paths so apxs can be successfully used
in other recipes to build modules when host and target arch differ.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Remove 'perl-module-sdbm' from RDEPENDS as perl don't build out this module.
This also fixes the following warning.
WARNING: QA Issue: webmin rdepends on perl-module-sdbm, but it isn't a build dependency? [build-deps]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Upgrade phpmyadmin from 4.4.9 to 4.5.0.2 and SRC_URI is updated.
Accoring to release note, there is NO API changes for 4.5.0.x serial. So
upgrade to 4.5.0.2 rather than 4.4.15 which will only support for
security fixes only.
And license file has some text update. See:
9d080a482f
Change files owner to fix [host-user-contaminated] warnings.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Due to the way most files were installed, using cp ..., during packaging we got spammed
with messages like:
WARNING: QA Issue: webmin: /webmin-module-fail2ban/usr/lib/webmin/webmin/fail2ban/lang/no is owned by gid 100, which is the same as the user running bitbake. This may be due to host contamination [host-user-contaminated]
WARNING: QA Issue: webmin: /webmin-module-system-status/usr/lib/webmin/webmin/system-status/lang/no is owned by gid 100, which is the same as the user running bitbake. This may be due to host contamination [host-user-contaminated]
Do the install in a similar way as is done in bin_package.bbclass.
By doing that, we're not getting any QA-errors from host-user-contaminated.
Signed-off-by: Anders Darander <anders@chargestorm.se>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Those buildpaths were generated from configure substitutions, they are
required for cross-compiling, but obviously they should be cleaned up
from target stuffs.
Cleanup buildpaths from config_vars.mk and config.nice:
* remove ${STAGING_DIR_HOST} from CC, CFLAGS ...
* set APU_INCLUDEDIR, APU_CONFIG as empty
* remove buildpath from configure line
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Change start, stop, and restart functions in apache2 init script to return only
after completion (i.e. the server has started/stopped, not just received a kill
signal). Starting and stopping the server in quick sucession results in an error
because the server will attempt to stop before it has had time to start and vice
versa.
Signed-off-by: Adam Chappell <adam.chappell@ni.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2.4.16 includes fixes for CVE-2015-3185, CVE-2015-0253 and CVE-2015-3183
remove a backport patch 0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
after cmake is upgrade to 3.2.2, the /var/run dir is not created, so
not need to remove it.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
WARNING: QA Issue: /usr/bin/apxs_apache2-dev contained in package apache2-dev requires /usr/bin/perl, but no providers found in its RDEPENDS [file-rdeps]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
upgrade to include CVE fixes:
CVE-2015-3903
CVE-2015-3902
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Adds support for systemd, creates a service for nginx and installs it if required
Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Remove apache-CVE-2014-0117.patch which apache2 2.4.12 has it
Update the apache-ssl-ltmain-rpath.patch
Backport the patch to fix CVE-2015-0228
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch add the new Monkey HTTP Server v1.5.6.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.6
=== Build Tests ==
This version have been tested on Yocto/Dizzy based on RPM.
monkey-yocto/5aee7684cd66f78fb51f78138603a4dde4ef2484
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Fixed:
cherokee/rule_geoip.h:34:19: fatal error: GeoIP.h: No such file or directory
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
fix a typos to remove a warning:
systemd[1]: [/lib/systemd/system/apache2.service:2] Unknown lvalue
'Decription' in section 'Unit'
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Add PACKAGECONFIG for 'selinux', otherwise there would be warnings like
below:
WARN: apache2: apache2 rdepends on libselinux, but it isn't a build dependency?
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The configure.initd.gentoo script is used for gentoo, it is invalid for oe. So
remove it to solve the following warning:
webmin-1.700: webmin-module-ajaxterm requires /sbin/runscript, but no providers
in its RDEPENDS [file-rdeps]
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before
4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote
authenticated users to inject arbitrary web script or HTML via a crafted ENUM
value that is improperly handled during rendering of the (1) table search or (2)
table structure page, related to
libraries/TableSearch.class.php and libraries/Util.class.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7217
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Cross-site scripting (XSS) vulnerability in the view operations page in
phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote
authenticated users to inject arbitrary web script or HTML via a crafted
view name, related to js/functions.js.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
remote authenticated users to inject arbitrary web script or HTML via the
(1) browse table page, related to js/sql.js; (2) ENUM editor page, related
to js/functions.js; (3) monitor page, related to js/server_status_monitor.js;
(4) query charts page, related to js/tbl_chart.js; or (5) table relations
page, related to libraries/tbl_relation.lib.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273
Signed-off-by: Roy Li <rongqing.li@windriver.com>
The patch comes from upstream:
http://svn.apache.org/viewvc?view=revision&revision=1610674
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy
configuration, a remote attacker could send a carefully crafted request which
could crash a server process, resulting in denial of service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting
this issue.
Submitted by: Edward Lu, breser, covener
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to the
dns_get_record function and the dn_expand function. NOTE: this issue
exists because of an incomplete fix for CVE-2014-4049.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Integer overflow in the cdf_read_property_info function in cdf.c in file
through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and
5.5.x before 5.5.16, allows remote attackers to cause a denial of
service (application crash) via a crafted CDF file. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-1571.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3587
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
5.5.16 does not ensure that pathnames lack %00 sequences, which might
allow remote attackers to overwrite arbitrary files via crafted input to
an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif,
(4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch add the new Monkey HTTP Server v1.5.4.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.4
=== Build Tests ==
This version have been tested on Yocto/Daisy based on RPM.
monkey-yocto/a617991e40bd5c3779ad7b3689f78857d3e45248
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Split apache2-scripts subpkg to put the perl script dbmmanage, so that
apache2 doesn't have to RDEPEND on perl.
Add another perl script apxs to apache2-dev pkg as Olof Johansson
suggested.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Bashism:
possible bashism in plugins/transformations/generator_plugin.sh line 16 (echo -e):
echo -e "Usage: ./generator_plugin.sh MIMEType MIMESubtype TransformationName [Description]\n"
possible bashism in plugins/transformations/generator_plugin.sh line 28 (${parm,[,][pat]} or ${parm^[^][pat]}):
MT="${MT^}"
possible bashism in plugins/transformations/generator_plugin.sh line 29 (${parm,[,][pat]} or ${parm^[^][pat]}):
MS="${MS^}"
possible bashism in plugins/transformations/generator_plugin.sh line 30 (${parm,[,][pat]} or ${parm^[^][pat]}):
TN="${TN^}"
possible bashism in plugins/transformations/generator_plugin.sh line 51 (should be 'b = a'):
if [ "$4" == "--generate_only_main_class" ]; then
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
This patch add the new Monkey HTTP Server v1.5.3.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.3
=== Build Tests ==
This version have been tested on Yocto/Daisy being packaged and
deployed on images based on RPM successfully.
monkey-yocto/672eadb254e754b91efe691a6594985ee6d9a22e
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Changed:
- Adjust or remake the following patches based on 1.700:
init-exclude.patch
exports-lib.pl.patch
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
