author | Patrick Williams <patrick@stwcx.xyz> | 2022-07-29 18:24:38 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2022-07-29 18:26:37 +0300 |
commit | cb2a94c39eddda6e0df65f98fff97cce711c9134 (patch) | |
tree | 0233c00d99735de440f920eb45ef10d47e14c00a /meta-openembedded/meta-networking | |
parent | 322e9fc9c6aafb1be6757915ca920b5170642aa7 (diff) | |
download | openbmc-cb2a94c39eddda6e0df65f98fff97cce711c9134.tar.xz |
subtree updates [2.12.0-rc1]
meta-openembedded: 5357c7a40e..a47ef04661:
Adrian Fiergolski (1):
python3-matplotlib: add missing dependency
Adrian Freihofer (2):
conntrack-tools: fix postinst script
modemmanager: update to 1.18.8
Akash Hadke (2):
ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g"
iperf: Set CVE_PRODUCT to "iperf_project:iperf"
Armin Kuster (5):
meta-oe-image: fix build depends
meta-python-image: Fix build depends
meta-gnome: fix layer depends.
mariadb: update to 10.7.4
mariadb: Fix i386 Clang builds
Ashish Sharma (1):
netserver: don't change permissions on /dev/null
Aurélien Bertron (1):
fix(syslog-ng): warning about conf version
Bartosz Golaszewski (2):
python3-speedtest-cli: fix RDEPENDS
python3-pybluez: fix a runtime issue with python 3.10
Bassem Boubaker (1):
conntrack-tools: Fix missing capability
Changqing Li (5):
chrony: create /var/lib/chrony by systemd-tmpfiles
redis: upgrade 6.2.6 -> 6.2.7
redis: upgrade 7.0-rc3 -> 7.0.2
apache2: upgrade 2.4.53 -> 2.4.54
zabbix: upgrade 5.2.6 -> 5.4.12
Chen Qi (1):
ntfs-3g-ntfsprogs: upgrade to 2022.5.17
Davide Gardenal (11):
emlog: ignore unrelated CVEs
imagemagick: upgrade 7.0.10-25 -> 7.0.10-62
usrsctp: add CVE_VERSION to correctly check for CVEs
openflow: ignore CVE-2018-1078
ntp: ignore many CVEs
wireshark: upgrade 3.4.11 -> 3.4.12
thrift: add CVE_PRODUCT to fix CVE reporting
spice: ignore patched CVEs
quagga: ignore CVE-2016-4049
freeradius: ignore patched CVEs
openflow: ignore unrelated CVEs
Denys Dmytriyenko (3):
devmem2: reinstate previous patches, removed by mistake
devmem2: add support for different page sizes
devmem2: the source and patches moved to github repo
Diego Sueiro (1):
bats: upgrade 1.6.0 -> 1.6.1
Gianfranco (2):
sdbus-c++-libsystemd: Bump SRCREV to last commit of 250-stable branch
libmtp: Add doxygen-native dependency in case documentation build is enabled in PACKAGECONFIG. This fixes a FTBFS due to missing dependency.
Gianfranco Costamagna (1):
vboxguestdrivers: upgrade 6.1.32 -> 6.1.34
Hitendra Prajapati (1):
cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
Javier Viguera (1):
networkmanager: fix build with enabled ppp
Jeremy Puhlman (1):
freeradius: mutlilib fixes
Jiaqing Zhao (2):
openldap: Remove libgcrypt dependency
openldap: Upgrade 2.5.9 -> 2.5.12
Joerg Vehlow (1):
jq: Fix typo OE_EXTRACONF -> EXTRA_OECONF
Julien STEPHAN (1):
libcamera: fix packaging
Kai Kang (4):
conntrack-tools: fix postinst script
python3-wxgtk4: backport patch to fix svg issue
libportal: add distro features check
graphviz: rrecommends on liberation-fonts
Khem Raj (11):
ufw: Fix packaging errors found with ppc64
libcereal: Enable for glibc/ppc
mimic: Use special rateconv.c license
makedumpfile: Use right TARGET for ppc32
evince: Add dbus to depnedencies on non-x11 builds
evolution-data-server: Do not pass --library-path to gir compiler
python3-wxgtk4: Needs x11 for sip module
unattended-upgrades: Disable auto-detecting modules
sdbus-c++: Link with libatomic on mips/ppc32
sdbus-c++: Link with libatomic for rv32
sdbus-c++-libsystemd: Fix patch fuzz
Markus Volk (1):
minidlna: fix obsolete license warning
Martin Jansa (3):
ostree: prevent ostree-native depending on target virtual/kernel to provide kernel-module-overlay
leveldb: switch from master branch to main
tesseract-lang: switch from master branch to main
Michael Opdenacker (1):
devmem2: update SRC_URI according to redirect
Mingli Yu (1):
s-nail: Set VAL_MTA
Nicolas Dechesne (1):
imlib2: update SRC_URI
Peter Marko (1):
libgpiod: move test dependencies to ptest package
Richard Neill (1):
bats: Add patch to fix false-negatives caused by teardown code
Wentao Zhang (1):
protobuf-c: update to 1.4.1 fix CVE-2022-33070
Xu Huan (1):
python3-astroid: upgrade 2.11.2 -> 2.11.3
Yi Zhao (4):
frr: inherit autotools-brokensep instead of autotools
networkmanager: fix parallel build failure
dnsmasq: Security fix CVE-2022-0934
strongswan: upgrade 5.9.5 -> 5.9.6
Yue Tao (2):
exo: upgrade 4.16.3 -> 4.16.4
dlt-daemon: upgrade to commit 6a3bd901d8 to fix CVE-2022-31291
wangmy (5):
php: upgrade 8.1.4 -> 8.1.5
php: upgrade 8.1.5 -> 8.1.6
postgresql: upgrade 14.2 -> 14.3
postgresql: upgrade 14.3 -> 14.4
php: upgrade 8.1.6 -> 8.1.7
meta-security: 93f2146211..c79262a30b:
Anton Antonov (1):
Parsec-service: Update installation procedure
Armin Kuster (5):
fscrypt: add distro_check on pam
aide: Update 01.17.4
tpm2-pkcs11: tpm2-pkcs11 module missing
tpm2-tools: Add missing rdepends
oeqa/cases/tpm2: fix and enhance test suite
Davide Gardenal (1):
sssd: ignore CVE-2018-16838
Jeremy A. Puhlman (5):
aide: Add depend on audit when audit is enabled.
lib-perl: prefix man pages to avoid conflicting with base perl
libmhash: add multilib header
python3-privacyidea: add correct path to lib/privacyidea
clamav: make install owner match the added user name
Jose Quaresma (1):
meta-integrity: kernel-modsign: prevents splitting out debug symbols
poky: d84c73d1ef..e4b5c35fd4:
Ahmed Hossam (1):
insane.bbclass: host-user-contaminated: Correct per package home path
Alejandro Hernandez Samaniego (2):
package.bbclass: Fix base directory for debugsource files when using externalsrc
package.bbclass: Fix kernel source handling when not using externalsrc
Alex Kiernan (1):
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
Alexander Kanavin (41):
systemd: upgrade 250.4 -> 250.5
mesa: upgrade 22.0.0 -> 22.0.2
bind: upgrade 9.18.1 -> 9.18.2
cronie: upgrade 1.6.0 -> 1.6.1
epiphany: upgrade 42.0 -> 42.2
ffmpeg: upgrade 5.0 -> 5.0.1
fribidi: upgrade 1.0.11 -> 1.0.12
libinput: upgrade 1.19.3 -> 1.19.4
sqlite3: upgrade 3.38.2 -> 3.38.3
webkitgtk: upgrade 2.36.0 -> 2.36.1
xwayland: upgrade 22.1.0 -> 22.1.1
mmc-utils: upgrade to latest revision
gst-devtools: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-libav: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-omx: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-bad: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-base: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-good: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-ugly: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-python: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-rtsp-server: upgrade 1.20.1 -> 1.20.2
gstreamer1.0: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-vaapi: upgrade 1.20.1 -> 1.20.2
libcgroup: upgrade 2.0.1 -> 2.0.2
mesa: upgrade 22.0.2 -> 22.0.3
mobile-broadband-provider-info: upgrade 20220315 -> 20220511
sqlite3: upgrade 3.38.3 -> 3.38.5
bash: submit patch upstream
valgrind: submit arm patches upstream
zip/unzip: mark all submittable patches as Inactive-Upstream
python3: use built-in distutils for ptest, rather than setuptools' 'fork'
wireless-regdb: upgrade 2022.04.08 -> 2022.06.06
oeqa/sdk: drop the nativesdk-python 2.x test
at: take tarballs from debian
openssl: update 3.0.4 -> 3.0.5
gstreamer1.0: upgrade 1.20.2 -> 1.20.3
weston: update 10.0.0 -> 10.0.1
glib-2.0: upgrade 2.72.2 -> 2.72.3
glib-networking: upgrade 2.72.0 -> 2.72.1
libsoup: upgrade 3.0.6 -> 3.0.7
waffle: correctly request wayland-scanner executable
Aryaman Gupta (1):
e2fsprogs: update upstream status
Bruce Ashfield (48):
linux-yocto/5.10: update to v5.10.110
linux-yocto/5.10: base: enable kernel crypto userspace API
linux-yocto/5.10: update to v5.10.112
linux-yocto/5.15: arm: poky-tiny cleanup and fixes
linux-yocto/5.15: update to v5.15.33
linux-yocto/5.15: base: enable kernel crypto userspace API
linux-yocto/5.15: kasan: fix BUG: sleeping function called from invalid context
linux-yocto/5.15: fix ppc boot
linux-yocto/5.15: netfilter: conntrack: avoid useless indirection during conntrack destruction
linux-yocto/5.15: update to v5.15.35
linux-yocto/5.15: Fix CVE-2022-28796
linux-yocto: enable powerpc debug fragment
linux-yocto/5.15: fix -standard kernel build issue
linux-yocto/5.15: update to v5.15.36
linux-yocto/5.15: fix qemuarm graphical boot
strace: fix ptest failure in landlock
yocto-bsps: update to v5.15.36
linux-yocto/5.15: update to v5.15.37
linux-yocto/5.10: update to v5.10.113
linux-yocto/5.15: update to v5.15.38
linux-yocto/5.10: update to v5.10.114
linux-yocto/5.15: bpf: explicitly disable unpriv eBPF by default
linux-yocto/5.15: update to v5.15.43
linux-yocto/5.10: update to v5.10.118
linux-yocto/5.15: Enable MDIO bus config
linux-yocto/5.15: cfg/xen: Move x86 configs to separate file
linux-yocto/5.15: update to v5.15.44
linux-yocto/5.10: update to v5.10.119
lttng-modules: fix build against 5.18-rc7+
linux-yocto/5.10: update to v5.10.121
linux-yocto/5.10: update to v5.10.123
linux-yocto/5.10: update to v5.10.128
linux-yocto/5.10: fix build_OID_registry/conmakehash buildpaths warning
linux-yocto/5.10: fix buildpaths issue with gen-mach-types
linux-yocto/5.10: update to v5.10.130
linux-yocto/5.10: fix buildpaths issue with pnmtologo
linux-yocto/5.15: update to v5.15.46
linux-yocto/5.15: update to v5.15.48
linux-yocto/5.15: drop obselete GPIO sysfs ABI
linux-yocto/5.15: update to v5.15.52
linux-yocto/5.15: fix qemuppc buildpaths warning
linux-yocto/5.15: fix build_OID_registry buildpaths warning
linux-yocto/5.15: fix buildpaths issue with gen-mach-types
linux-yocto/5.15: update to v5.15.54
linux-yocto/5.15: fix buildpaths issue with pnmtologo
kernel-devsrc: fix reproducibility and buildpaths QA warning
kernel-devsrc: ppc32: fix reproducibility
perf: fix reproducibility in 5.19+
Chanho Park (2):
cargo_common.bbclass: enable bitbake vendoring for externalsrc
externalsrc.bbclass: support crate fetcher on externalsrc
Chen Qi (1):
go-helloworld: remove unused GO_WORKDIR
Christoph Lauer (1):
package.bbclass: Avoid stripping signed kernel modules in splitdebuginfo
Claudius Heine (2):
overlayfs: add docs about skipping QA check & service dependencies
classes: rootfs-postcommands: add skip option to overlayfs_qa_check
David Bagonyi (1):
sanity.bbclass: Add ftps to accepted URI protocols for mirrors sanity
Davide Gardenal (14):
cve-check: add JSON format to summary output
cve-check: fix symlinks where link and output path are equal
rootfs-postcommands: fix symlinks where link and output path are equal
openssl: minor security upgrade 3.0.2 -> 3.0.3
freetype: backport patch for CVE-2022-27404
freetype: backport patch for CVE-2022-27405
freetype: backport patch for CVE-2022-27406
qemu: backport patch for CVE-2021-4206
qemu: backport patch for CVE-2021-4207
base-passwd: Disable shell for default users
libpcre2: upgrade 10.39 -> 10.40
ncurses: update to patchlevel 20220423
baremetal-image: fix broken symlink in do_rootfs
efivar: add musl libc compatibility
Dmitry Baryshkov (6):
linux-firmware: upgrade 20220411 -> 20220509
image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
linux-firmware: package new Qualcomm firmware
linux-firmware: split ath3k firmware
linux-firmware: add support for building snapshots
linux-firmware: upgrade 20220509 -> 20220610
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
Felix Moessbauer (1):
wic/plugins/rootfs: Fix permissions when splitting rootfs folders across partitions
Gunjan Gupta (1):
bitbake: fetch2/osc: Small fixes for osc fetcher
He Zhe (1):
lttng-modules: Fix build failure for 5.10.119+ and 5.15.44+ kernel
Hitendra Prajapati (1):
pcre2: CVE-2022-1586 Out-of-bounds read
Jack Mitchell (1):
meson.bbclass: add cython binary to cross/native toolchain config
Jeremy Puhlman (1):
gcc: depend on zstd-native
Jiaqing Zhao (8):
libxml2: Upgrade 2.9.13 -> 2.9.14
sed: Specify shell for "nobody" user in run-ptest
strace: Don't run ptest as "nobody"
systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
systemd: Remove __compare_fn_t type in musl-specific patch
systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
systemd: Correct path returned in sd_path_lookup()
systemd: Correct 0001-pass-correct-parameters-to-getdents64.patch
Joerg Vehlow (1):
libseccomp: Add missing files for ptests
Jon Mason (2):
poky-tiny: enable qemuarmv5/qemuarm64 and cleanups
qemuarmv5: use arm-versatile-926ejs KMACHINE
Jose Quaresma (3):
archiver: use bb.note instead of echo
archiver: don't use machine variables in shared recipes
curl: backport openssl fix CN check error code
Justin Bronder (1):
pulseaudio: conditionally depend on alsa-plugins-pulseaudio-conf
Kai Kang (2):
xxhash: fix build with gcc 12
glibc-tests: not clear BBCLASSEXTEND
Khem Raj (11):
kmod: Enable xz support by default
qemu: Add packageconfig for libbpf support
linux-yocto: Enable powerpc-debug fragment for ppc64 LE
systemd: Fix build regression with latest update
ovmf: Fix native build with gcc-12
gcc: Upgrade to 11.3 release
systemd: Drop redundant musl patches
systemd: Document future actions needed for set of musl patches
systemd: Drop 0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
systemd: Update patch status
libmodule-build-perl: Use env utility to find perl interpreter
Konrad Weihmann (1):
linux-firmware: replace mkdir by install
Lee Chee Yang (1):
ghostscript: fix CVE-2022-2085
Lucas Stach (1):
perf: sort-pmuevents: really keep array terminators
Marcel Ziswiler (1):
alsa-plugins: fix libavtp vs. avtp packageconfig
Markus Volk (2):
mesa.inc: package 00-radv-defaults.conf
python3: Backport patch to fix an issue in subinterpreters
Marta Rybczynska (9):
cve-update-db-native: update the CVE database once a day only
cve-update-db-native: let the user to drive the update interval
cve-check: Fix report generation
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: fix return type in check_cves
cve-update-db-native: make it possible to disable database updates
cve-check: add support for Ignored CVEs
oeqa/selftest/cve_check: add tests for Ignored and partial reports
Martin Jansa (9):
staging.bbclass: process direct dependencies in deterministic order
insane.bbclass: make sure to close .patch files
makedevs: Don't use COPYING.patch just to add license file into ${S}
patch.py: make sure that patches/series file exists before quilt pop
lttng-modules: fix shell syntax
buildhistory.bbclass: fix shell syntax when using dash
rootfs.py: close kernel_abi_ver_file
mesa: backport a patch to support compositors without zwp_linux_dmabuf_v1 again
wic: fix WicError message
Matt Madison (1):
bitbake: providers: use local variable for packages_dynamic pattern
Maxime Roussin-Bélanger (1):
libffi: fix native build being not portable
Michael Opdenacker (4):
rootfs-postcommands.bbclass: correct comments
manuals: switch to the sstate mirror shared between all versions
docs: BB_HASHSERVE_UPSTREAM: update to new host
ref-manual: variables: remove sphinx directive from literal block
Ming Liu (3):
udev-extraconf: let automount base directory configurable
udev-extraconf: fix some systemd automount issues
udev-extraconf:mount.sh: fix path mismatching issues
Mingli Yu (2):
perl: Fix build with gcc-12
oescripts: change compare logic in OEListPackageconfigTests
Muhammad Hamza (6):
initramfs-framework: move storage mounts to actual rootfs
udev-extraconf/mount.sh: add LABELs to mountpoints
udev-extraconf/mount.sh: save mount name in our tmp filecache
udev-extraconf/mount.sh: only mount devices on hotplug
udev-extraconf: force systemd-udevd to use shared MountFlags
udev-extraconf/mount.sh: ignore lvm in automount
Naveen Saini (1):
pciutils: avoid lspci conflict with busybox
Nick Potenski (1):
systemd: systemd-systemctl: Support instance conf files during enable
Pascal Bach (1):
bin_package: install into base_prefix
Paul Eggleton (4):
devtool: ignore pn- overrides when determining SRC_URI overrides
patch: handle if S points to a subdirectory of a git repo
devtool: finish: handle patching when S points to subdir of a git repo
oe-selftest: devtool: test modify git recipe building from a subdir
Paulo Neves (2):
python: Avoid shebang overflow on python-config.py
gtk-doc: Fix potential shebang overflow on gtkdoc-mkhtml2
Pavel Zhukov (3):
bitbake.conf: Make TCLIBC and TCMODE lazy assigned
systemd: update 0008-add-missing-FTW_-macros-for-musl.patch
harfbuzz: Fix compilation with clang
Peter Bergin (1):
rust: fix issue building cross-canadian tools for aarch64 on x86_64
Peter Kjellerstedt (4):
license_image.bbclass: Make QA errors fail the build
libseccomp: Correct LIC_FILES_CHKSUM
license.bbclass: Bound beginline and endline in copy_license_files()
base.bbclass: Correct the test for obsolete license exceptions
Peter Marko (2):
openssl: extract legacy provider module to a separate package
alsa-state: correct license
Pgowda (1):
binutils : CVE-2019-1010204
Portia (1):
volatile-binds: Change DefaultDependencies from false to no
Raju Kumar Pothuraju (1):
kernel-uboot.bbclass: Use vmlinux.initramfs when INITRAMFS_IMAGE_BUNDLE set
Rasmus Villemoes (1):
e2fsprogs: add alternatives handling of lsattr as well
Richard Purdie (79):
bitbake: tests/parse: Fix one test overwriting another
bitbake: server/process: Drop unused import
bitbake: ui/buildinfohelper: Drop unused import
bitbake: cooker: Drop unused loop
bitbake: msg: Drop unused local variable
bitbake: buildinfohelper: Drop unused function
bitbake: fetch2/crate: Drop unused import
bitbake: siggen: Drop pointless break statement
bitbake: ui/knotty: Drop pointless pass statement
bitbake: persist_data: Use a valid exception for missing implementation
bitbake: runqueue: Drop pointless variable assignment
bitbake: buildinfohelper: Drop unused variables
bitbake: fetch2/osc: Add missing parameter
bitbake: runqueue: Fix sig file location when using multiconfig
bitbake: fetch/git : Use cat as pager
lib/sstatesig: Fix find_siginfo to match sstate filename generation
base: Avoid circular references to our own scripts
scripts: Make git intercept global
scripts/git: Ensure we don't have circular references
package: Ensure we track whether PRSERV was active or not
abi_version/sstate: Bump hashequiv and sstate versions due to git changes
build-appliance-image: Update to kirkstone head revision
vim: Upgrade 8.2.4681 -> 8.2.4912
cairo: Add missing GPLv3 license checksum entry
sanity: Don't warn about make 4.2.1 for mint
bitbake: build: Add clean_stamp API function to allow removal of task stamps
staging: Fix rare sysroot corruption issue
selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210
libxslt: Mark CVE-2022-29824 as not applying
cve-extra-exclusions: Add kernel CVEs
cve-check: Allow warnings to be disabled
rust-common: Fix sstate signatures between arm hf and non-hf
rust-common: Drop LLVM_TARGET and simplify
rust-common: Fix native signature dependency issues
lzo: Add further info to a patch and mark as Inactive-Upstream
glib-2.0: upgrade 2.72.1 -> 2.72.2
libxkbcommon: upgrade 1.4.0 -> 1.4.1
gtk+3: upgrade 3.24.33 -> 3.24.34
webkitgtk: upgrade 2.36.1 -> 2.36.3
openssl: Backport fix for ptest cert expiry
gcc-cross-canadian: Add nativesdk-zstd dependency
local.conf.sample: Update sstate url to new 'all' path
sanity: Switch to make 4.0 as a minimum version
perl: Add dependency on make-native to avoid race issues
glibc: Drop make-native dependency
vim: Upgrade 8.2.5034 -> 8.2.5083
uboot-sign: Fix potential index error issues
selftest/multiconfig: Test that multiconfigs in separate layers works
gcc-source: Fix incorrect task dependencies from ${B}
liberror-perl: Update sstate/equiv versions to clean cache
python3: Remove problematic paths from sysroot files
python3: Ensure stale empty python module directories don't break the build
bitbake: server/process: Fix logging issues where only the first message was displayed
build-appliance-image: Update to kirkstone head revision
unzip: Port debian fixes for two CVEs
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
vim: 8.2.5083 -> 9.0.0005
openssl: Upgrade 3.0.3 -> 3.0.4
coreutils: Tweak packaging variable names for coreutils-dev
oeqa/runtime/scp: Disable scp test for dropbear
packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
oe-selftest-image: Ensure the image has sftp as well as dropbear
qemu: Avoid accidental librdmacm linkage
glibc-tests: Avoid reproducibility issues
qemu: Fix slirp determinism issue
qemu: Add PACKAGECONFIG for brlapi
gperf: Add a patch to work around reproducibility issues
gperf: Switch to upstream patch
udev-extraconf/initrdscripts/parted: Rename mount.blacklist -> mount.ignorelist
insane: Fix buildpaths test to work with special devices
lua: Fix multilib buildpath reproducibility issues
vala: Fix on target wrapper buildpaths issue
gtk-doc: Remove hardcoded buildpath
kernel-arch: Fix buildpaths leaking into external module compiles
gcc-runtime: Fix build when using gold
gcc-runtime: Fix missing MLPREFIX in debug mappings
selftest/runtime_test/virgl: Disable for all almalinux
Robert Joslyn (3):
powerpc: Remove invalid GLIBC_EXTRA_OECONF
curl: Backport CVE fixes
curl: Fix multiple CVEs
Robert Yang (1):
bitbake: fetch2/ssh.py: decode path back for ssh
Roland Hieber (1):
bitbake: cache: correctly handle file names containing colons
Ross Burton (12):
cve-check: no need to depend on the fetch task
oeqa/selftest: add test for git working correctly inside pseudo
Revert "bitbake.conf: mark all directories as safe for git to read"
oeqa/selftest/cve_check: add tests for recipe and image reports
tiff: mark CVE-2022-1622 and CVE-2022-1623 as invalid
cups: ignore CVE-2022-26691
busybox: fix CVE-2022-30065
cve-check: hook cleanup to the BuildCompleted event, not CookerExit
tiff: backport the fix for CVE-2022-2056, CVE-2022-2057, and CVE-2022-2058
vim: upgrade to 9.0.0021
perl: don't install Makefile.old into perl-ptest
pulseaudio: add m4-native to DEPENDS
Sakib Sajal (1):
u-boot: fix CVE-2022-34835
Samuli Piippo (1):
binutils: Bump to latest 2.38 release branch
Sean Anderson (1):
rootfs.py: find .ko.zst kernel modules
Stefan Wiehler (1):
kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task
Steve Sakoman (11):
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng
poky.conf: bump version for 4.0.1 release
virgl: skip headless test on alma 8.6
python3: fix reproducibility issue with python3-core
go: upgrade 1.17.8 -> 1.17.10
poky.conf: bump version for 4.0.2
openssh: break dependency on base package for -dev package
dropbear: break dependency on base package for -dev package
ruby: add PACKAGECONFIG for capstone
qemu: add PACKAGECONFIG for capstone
qemu: Avoid accidental libvdeplug linkage
Sundeep KOKKONDA (4):
rust-common: Ensure sstate signatures have correct dependencues for do_rust_gen_targets
rust-common: Fix for target definitions returning 'NoneType' for arm
glibc: stable 2.35 branch updates
binutils : stable 2.38 branch updates
Thomas Roos (1):
recipetool/devtool: Fix python egg whitespace issues in PACKAGECONFIG
Tomasz Dziendzielski (1):
bitbake: data: Do not depend on vardepvalueexclude flag
Wentao Zhang (1):
harfbuzz: fix CVE-2022-33068
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
Yi Zhao (2):
popt: fix override syntax in RDEPENDS
git: fix override syntax in RDEPENDS
leimaohui (1):
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
wangmy (15):
librepo: upgrade 1.14.2 -> 1.14.3
cups: upgrade 2.4.1 -> 2.4.2
logrotate: upgrade 3.19.0 -> 3.20.1
iso-codes: upgrade 4.9.0 -> 4.10.0
lttng-ust: upgrade 2.13.2 -> 2.13.3
gst-devtools: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-libav: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-omx: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-bad: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-base: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-good: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-ugly: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-python: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-rtsp-server: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-vaapi: upgrade 1.20.2 -> 1.20.3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ie30881bf20846b7311381bed443623fce8912406
Diffstat (limited to 'meta-openembedded/meta-networking')
22 files changed, 407 insertions, 113 deletions
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb index da7e60419e..d6477e340e 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb @@ -34,8 +34,15 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0 file://check-openssl-cmds-in-script-bootstrap.patch \ " +raddbdir="${sysconfdir}/${MLPREFIX}raddb" + SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a" +CVE_CHECK_IGNORE = "\ + CVE-2002-0318 \ + CVE-2011-4966 \ +" + PARALLEL_MAKE = "" S = "${WORKDIR}/git" @@ -48,6 +55,7 @@ EXTRA_OECONF = " --enable-strict-dependencies \ --with-docdir=${docdir}/freeradius-${PV} \ --with-openssl-includes=${STAGING_INCDIR} \ --with-openssl-libraries=${STAGING_LIBDIR} \ + --with-raddbdir=${raddbdir} \ --without-rlm_ippool \ --without-rlm_cache_memcached \ --without-rlm_counter \ @@ -98,7 +106,9 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl" PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast" PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd" -inherit useradd autotools-brokensep update-rc.d systemd +inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header + +MULTILIB_SCRIPTS = "${PN}:${sbindir}/checkrad" # This is not a cpan or python based package, but it needs some definitions # from cpan-base and python3-dir bbclasses for building rlm_perl and rlm_python @@ -141,7 +151,7 @@ do_install() { oe_runmake install R=${D} INSTALLSTRIP="" # remove unsupported config files - rm -f ${D}/${sysconfdir}/raddb/experimental.conf + rm -f ${D}/${raddbdir}/experimental.conf # remove scripts that required Perl(DBI) rm -rf ${D}/${bindir}/radsqlrelay 
@@ -153,7 +163,7 @@ do_install() { rm -rf ${D}/${localstatedir}/log/ install -m 0644 ${WORKDIR}/volatiles.58_radiusd ${D}${sysconfdir}/default/volatiles/58_radiusd - chown -R radiusd:radiusd ${D}/${sysconfdir}/raddb/ + chown -R radiusd:radiusd ${D}/${raddbdir} chown -R radiusd:radiusd ${D}/${localstatedir}/lib/radiusd # For systemd @@ -169,6 +179,9 @@ do_install() { install -d ${D}${sysconfdir}/tmpfiles.d/ install -m 0644 ${WORKDIR}/radiusd-volatiles.conf ${D}${sysconfdir}/tmpfiles.d/radiusd.conf fi + oe_multilib_header freeradius/autoconf.h + oe_multilib_header freeradius/missing.h + oe_multilib_header freeradius/radpaths.h } # This is only needed when we install/update on a running target. @@ -183,7 +196,7 @@ pkg_postinst:${PN} () { fi # Fix ownership for /etc/raddb/*, /var/lib/radiusd - chown -R radiusd:radiusd ${sysconfdir}/raddb + chown -R radiusd:radiusd ${raddbdir} chown -R radiusd:radiusd ${localstatedir}/lib/radiusd fi } 
@@ -204,30 +217,30 @@ PACKAGES =+ "${PN}-utils ${PN}-ldap ${PN}-krb5 ${PN}-perl \ FILES:${PN}-utils = "${bindir}/*" FILES:${PN}-ldap = "${libdir}/rlm_ldap.so* \ - ${sysconfdir}/raddb/mods-available/ldap \ + ${raddbdir}/mods-available/ldap \ " FILES:${PN}-krb5 = "${libdir}/rlm_krb5.so* \ - ${sysconfdir}/raddb/mods-available/krb5 \ + ${raddbdir}/mods-available/krb5 \ " FILES:${PN}-perl = "${libdir}/rlm_perl.so* \ - ${sysconfdir}/raddb/mods-config/perl \ - ${sysconfdir}/raddb/mods-available/perl \ + ${raddbdir}/mods-config/perl \ + ${raddbdir}/mods-available/perl \ " FILES:${PN}-python = "${libdir}/rlm_python3.so* \ - ${sysconfdir}/raddb/mods-config/python3 \ - ${sysconfdir}/raddb/mods-available/python3 \ + ${raddbdir}/mods-config/python3 \ + ${raddbdir}/mods-available/python3 \ " FILES:${PN}-mysql = "${libdir}/rlm_sql_mysql.so* \ - ${sysconfdir}/raddb/mods-config/sql/*/mysql \ - ${sysconfdir}/raddb/mods-available/sql \ + ${raddbdir}/mods-config/sql/*/mysql \ + ${raddbdir}/mods-available/sql \ " FILES:${PN}-postgresql = "${libdir}/rlm_sql_postgresql.so* \ - ${sysconfdir}/raddb/mods-config/sql/*/postgresql \ + ${raddbdir}/mods-config/sql/*/postgresql \ " FILES:${PN}-unixodbc = "${libdir}/rlm_sql_unixodbc.so*" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager/0001-libnm-client-test-add-dependency-libnm_client_public.patch b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager/0001-libnm-client-test-add-dependency-libnm_client_public.patch new file mode 100644 index 0000000000..6be2d4bed1 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager/0001-libnm-client-test-add-dependency-libnm_client_public.patch 
@@ -0,0 +1,34 @@ +From 7b5dc04e1fcc28dc653fb7bf0e9dda3700d93218 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Tue, 3 May 2022 15:30:37 +0800 +Subject: [PATCH] libnm-client-test: add dependency libnm_client_public_dep + +Fix parallel build error: +| In file included from ../NetworkManager-1.36.0/src/libnm-client-test/nm-test-utils-impl.c:10: +| ../NetworkManager-1.36.0/src/libnm-client-public/NetworkManager.h:47:10: fatal error: nm-enum-types.h: No such file or directory +| 47 | #include "nm-enum-types.h" +| | ^~~~~~~~~~~~~~~~~ + +Upstream-Status: Submitted +[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1206] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/libnm-client-test/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libnm-client-test/meson.build b/src/libnm-client-test/meson.build +index 8e2fba1130..bcac437702 100644 +--- a/src/libnm-client-test/meson.build ++++ b/src/libnm-client-test/meson.build +@@ -13,6 +13,7 @@ libnm_client_test = static_library( + ], + dependencies: [ + libnm_core_public_dep, ++ libnm_client_public_dep, + glib_dep, + ], + ) +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb index b09ff18bf7..e3b1296a6b 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb @@ -29,6 +29,7 @@ SRC_URI = " \ file://enable-dhcpcd.conf \ file://enable-iwd.conf \ file://0001-do-not-ask-host-for-ifcfg-defaults.patch \ + file://0001-libnm-client-test-add-dependency-libnm_client_public.patch \ " SRC_URI[sha256sum] = "ab855cbe3b41832e9a3b003810e7c7313dfe19e630d29806d14d87fdd1470cab" 
@@ -82,7 +83,7 @@ PACKAGECONFIG[bluez5] = "-Dbluez5_dun=true,-Dbluez5_dun=false,bluez5" # consolekit is not picked by shlibs, so add it to RDEPENDS too PACKAGECONFIG[consolekit] = "-Dsession_tracking_consolekit=true,-Dsession_tracking_consolekit=false,consolekit,consolekit" PACKAGECONFIG[modemmanager] = "-Dmodem_manager=true,-Dmodem_manager=false,modemmanager mobile-broadband-provider-info" -PACKAGECONFIG[ppp] = "-Dppp=true,-Dppp=false,ppp,ppp" +PACKAGECONFIG[ppp] = "-Dppp=true -Dpppd=/usr/sbin/pppd,-Dppp=false,ppp,ppp" PACKAGECONFIG[dnsmasq] = "-Ddnsmasq=${bindir}/dnsmasq" PACKAGECONFIG[nss] = "-Dcrypto=nss,,nss" PACKAGECONFIG[resolvconf] = "-Dresolvconf=${base_sbindir}/resolvconf,-Dresolvconf=no,,resolvconf" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb index 6dca784bf4..b6a768e08a 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb @@ -63,7 +63,7 @@ INITSCRIPT_PARAMS = "defaults" FILES:${PN} += " \ ${sbindir}/* \ ${datadir}/ufw/* \ - /lib/ufw/* \ + ${nonarch_base_libdir}/ufw/* \ ${sysconfdir}/ufw/* \ ${sysconfdir}/default/ufw \ " diff --git a/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..3d67f47414 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch 
@@ -0,0 +1,27 @@ +From 078f98ea154475d953ce5b7cd851732f4dc270a7 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 5 Jul 2022 09:31:07 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 6ac81c2f..d90dbac9 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1127,6 +1127,7 @@ static int sql_auxprop_lookup(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb index 98899dfd5e..e344733ef4 100644 --- a/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb +++ b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas file://saslauthd.service \ file://saslauthd.conf \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb index de6a72e78a..8f57e823b8 100644 --- a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb 
+++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb @@ -32,3 +32,9 @@ do_install:append() { sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd } + +# fix error message: Do not forget that you need *root* or CAP_NET_ADMIN capabilities ;-) +pkg_postinst:${PN} () { + setcap cap_net_admin+ep "$D/${sbindir}/conntrack" +} +PACKAGE_WRITE_DEPS += "libcap-native" diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 91e306f08b..ceb94109de 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.2.2.bb @@ -26,7 +26,7 @@ COMPATIBLE_HOST:armv5 = "null" # Error: PC-relative reference to a different section COMPATIBLE_HOST:mips64 = "null" -inherit autotools python3native pkgconfig useradd systemd +inherit autotools-brokensep python3native pkgconfig useradd systemd DEPENDS:class-native = "bison-native elfutils-native" DEPENDS:class-target = "bison-native json-c readline c-ares libyang frr-native" @@ -63,6 +63,8 @@ EXTRA_OECONF:class-target = "--sbindir=${libdir}/frr \ --with-clippy=${RECIPE_SYSROOT_NATIVE}/usr/lib/clippy \ " +CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'" + LDFLAGS:append:mips = " -latomic" LDFLAGS:append:mipsel = " -latomic" LDFLAGS:append:powerpc = " -latomic" @@ -77,7 +79,7 @@ do_compile:class-native () { do_install:class-native () { install -d ${D}${libdir} - install -m 755 ${WORKDIR}/build/lib/clippy ${D}${libdir}/clippy + install -m 755 ${S}/lib/clippy ${D}${libdir}/clippy } do_install:append:class-target () { 
diff --git a/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc index 15eb65ad32..aaad0e00e1 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc @@ -13,6 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2" SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" +CVE_CHECK_IGNORE = "\ + CVE-2015-1611 \ + CVE-2015-1612 \ +" + DEPENDS = "virtual/libc" PACKAGECONFIG ??= "" @@ -53,3 +58,7 @@ do_install:append() { } FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" + +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_IGNORE = "CVE-2018-1078" diff --git a/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb b/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb index a7697a1ae9..984264a30f 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb @@ -2,3 +2,7 @@ require quagga.inc SRC_URI[md5sum] = "eced21b054d71c9e1b7c6ac43286a166" SRC_URI[sha256sum] = "e364c082c3309910e1eb7b068bf39ee298e2f2f3f31a6431a5c115193bd653d3" + +CVE_CHECK_IGNORE += "\ + CVE-2016-4049 \ +" diff --git a/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index 4f8e4d4282..dcfa7406d2 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb 
@@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet," PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6," EXTRA_OECONF += "--disable-debug" + +CVE_VERSION = "0.9.3.0" diff --git a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb index 57dd635dc3..8ce9e1db55 100644 --- a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb +++ b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb @@ -126,6 +126,10 @@ do_install() { ${D}${systemd_unitdir}/system/chronyd.service sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${sysconfdir}/init.d/chronyd sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service + + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf + } FILES:${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}" diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..6bd734d756 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch 
@@ -0,0 +1,191 @@ +From 3cdecc159e0f417a2f8d43d99632af26beea630f Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 31 Mar 2022 21:35:20 +0100 +Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934 + refers. + +CVE: CVE-2022-0934 + +Upstream-Status: Backport +[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + CHANGELOG | 3 +++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 30 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 5e54df9..a28da2a 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,4 +1,7 @@ + version 2.86 ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. ++ + Handle DHCPREBIND requests in the DHCPv6 server code. + Thanks to Aichun Li for spotting this omission, and the initial + patch. +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 5c2ff97..6ecfeeb 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me 
blood to write, it will probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. 
+ mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, msg_type == DHCP6RENEW ? 
"DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb index 31ca51ec60..0f7880ce8c 100644 --- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb 
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb @@ -3,5 +3,6 @@ require dnsmasq.inc SRC_URI[dnsmasq-2.86.sha256sum] = "ef15f608a83ee2b1d1d2c1f11d089a7e0ac401ffb0991de73fc01ce5f290e512" SRC_URI += "\ file://lua.patch \ + file://CVE-2022-0934.patch \ " diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch new file mode 100644 index 0000000000..55316363e0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch @@ -0,0 +1,29 @@ +From 78c9ae7d9a6735575bc72dd28a19b2bc3a251981 Mon Sep 17 00:00:00 2001 +From: Andrew Elble <aweits@rit.edu> +Date: Mon, 8 Oct 2018 14:31:20 -0400 +Subject: [PATCH] netserver: don't change permissions on /dev/null + +the (now default) suppress_debug=1 changes permissions on /dev/null +to 0644. Don't do this. + +Upstream-Status: Pending [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981] +Signed-off-by: Ashish Sharma <asharma@mvista.com> + +--- + src/netserver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/netserver.c b/src/netserver.c +index 00c8d23..86a1c45 100644 +--- a/src/netserver.c ++++ b/src/netserver.c +@@ -278,7 +278,8 @@ open_debug_file() + + #if !defined(WIN32) + +- chmod(FileName,0644); ++ if (!suppress_debug) ++ chmod(FileName,0644); + + /* redirect stdin to "/dev/null" */ + rd_null_fp = fopen(NETPERF_NULL,"r"); diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb index 62ba966d01..06b2eddbb6 100644 --- a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb 
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=ht file://netserver.service \ file://0001-netlib.c-Move-including-sched.h-out-og-function.patch \ file://0001-nettest_omni-Remove-duplicate-variable-definitions.patch \ + file://netserver_permissions.patch \ " SRCREV = "3bc455b23f901dae377ca0a558e1e32aa56b31c4" diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index fe2bd0773c..a30f720bb5 100644 --- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb @@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" # CVE-2016-9312 is only for windows. -CVE_CHECK_IGNORE += "CVE-2016-9312" +# The other CVEs are not correctly identified because cve-check +# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference) +CVE_CHECK_IGNORE += "\ + CVE-2016-9312 \ + CVE-2015-5146 \ + CVE-2015-5300 \ + CVE-2015-7975 \ + CVE-2015-7976 \ + CVE-2015-7977 \ + CVE-2015-7978 \ + CVE-2015-7979 \ + CVE-2015-8138 \ + CVE-2015-8139 \ + CVE-2015-8140 \ + CVE-2015-8158 \ + CVE-2016-1547 \ + CVE-2016-2516 \ + CVE-2016-2517 \ + CVE-2016-2519 \ + CVE-2016-7429 \ + CVE-2016-7433 \ + CVE-2016-9310 \ + CVE-2016-9311 \ +" + inherit autotools update-rc.d useradd systemd pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb index d9083bcbe8..1887a5582f 100644 --- a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb 
@@ -30,6 +30,12 @@ SRC_URI = " \ S = "${WORKDIR}/git" +CVE_CHECK_IGNORE += "\ + CVE-2016-0749 \ + CVE-2016-2150 \ + CVE-2018-10893 \ +" + inherit autotools gettext python3native python3-dir pkgconfig DEPENDS += "spice-protocol jpeg pixman alsa-lib glib-2.0 python3-pyparsing-native python3-six-native glib-2.0-native" diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch new file mode 100644 index 0000000000..e730fe1cd0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch @@ -0,0 +1,31 @@ +From d23c0ea81e630af3cfda89aeeb52146c0c84c960 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 2 May 2022 09:31:49 +0200 +Subject: [PATCH] enum: Fix compiler warning + +Closes strongswan/strongswan#1025 + +Upstream-Status: Backport +[https://github.com/strongswan/strongswan/commit/d23c0ea81e630af3cfda89aeeb52146c0c84c960] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/libstrongswan/utils/enum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c +index 79da450f0c..1e77489f6f 100644 +--- a/src/libstrongswan/utils/enum.c ++++ b/src/libstrongswan/utils/enum.c +@@ -97,7 +97,7 @@ char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len) + return buf; + } + +- if (snprintf(buf, len, e->names[0]) >= len) ++ if (snprintf(buf, len, "%s", e->names[0]) >= len) + { + return NULL; + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch deleted file mode 100644 index 7da48cd2cf..0000000000 
--- a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner <tobias@strongswan.org> -Date: Wed, 23 Feb 2022 17:29:02 +0100 -Subject: [PATCH] openssl: Don't unload providers - -There is a conflict between atexit() handlers registered by OpenSSL and -some executables (e.g. swanctl or pki) to deinitialize libstrongswan. -Because plugins are usually loaded after atexit() has been called, the -handler registered by OpenSSL will run before our handler. So when the -latter destroys the plugins it's a bad idea to try to access any OpenSSL -objects as they might already be invalid. - -Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") -Closes strongswan/strongswan#921 - -Upstream-Status: Backport -[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - .../plugins/openssl/openssl_plugin.c | 27 +++---------------- - 1 file changed, 3 insertions(+), 24 deletions(-) - -diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c -index 6b4923649..1491d5cf8 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c -+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -16,7 +16,6 @@ - - #include <library.h> - #include <utils/debug.h> --#include <collections/array.h> - #include <threading/thread.h> - #include <threading/mutex.h> - #include <threading/thread_value.h> -@@ -74,13 +73,6 @@ struct private_openssl_plugin_t { - * public functions - */ - openssl_plugin_t public; -- --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- /** -- * Loaded providers -- */ -- array_t *providers; --#endif - }; - - /** -@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, - METHOD(plugin_t, destroy, void, - private_openssl_plugin_t *this) - { --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- OSSL_PROVIDER *provider; -- while 
(array_remove(this->providers, ARRAY_TAIL, &provider)) -- { -- OSSL_PROVIDER_unload(provider); -- } -- array_destroy(this->providers); --#endif /* OPENSSL_VERSION_NUMBER */ -- - /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we - * can't call it as we couldn't re-initialize the library (as required by the - * unit tests and the Android app) */ -@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() - DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); - return NULL; - } -- array_insert_create(&this->providers, ARRAY_TAIL, fips); - /* explicitly load the base provider containing encoding functions */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "base")); -+ OSSL_PROVIDER_load(NULL, "base"); - } - else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", - TRUE, lib->ns)) - { - /* load the legacy provider for algorithms like MD4, DES, BF etc. */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "legacy")); -+ OSSL_PROVIDER_load(NULL, "legacy"); - /* explicitly load the default provider, as mentioned by crypto(7) */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "default")); -+ OSSL_PROVIDER_load(NULL, "default"); - } - ossl_provider_names_t data = {}; - OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); --- -2.25.1 - diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb index cfb7b41fa4..1b82dceac2 100644 --- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb 
@@ -9,10 +9,10 @@ DEPENDS = "flex-native flex bison-native" DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - file://0001-openssl-Don-t-unload-providers.patch \ + file://0001-enum-Fix-compiler-warning.patch \ " -SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd" +SRC_URI[sha256sum] = "91d0978ac448912759b85452d8ff0d578aafd4507aaf4f1c1719f9d0c7318ab7" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f1dba227ac..38fdbce892 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -19,7 +19,7 @@ SRC_URI += " \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279" +SRC_URI[sha256sum] = "881a13303e263b7dc7fe337534c8a541d4914552287879bed30bbe76c5bf68ca" PE = "1" |
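Review bot: In openflow.inc, the assignment added at the end of the file, `CVE_CHECK_IGNORE = "CVE-2018-1078"`, uses plain `=` and therefore replaces the list that the first hunk of the same file adds next to `SRC_URI` (CVE-2015-1611, CVE-2015-1612). With both hunks applied, only CVE-2018-1078 is ignored and the other two are reported again. Use `+=` for the second assignment, or fold all three ids into a single assignment with one comment per entry.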
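Review bot: In the conntrack-tools_1.4.6.bb hunk, `setcap cap_net_admin+ep "$D/${sbindir}/conntrack"` grants CAP_NET_ADMIN to every user who can execute the binary, which is broader than what the quoted error message ("you need *root* or CAP_NET_ADMIN") asks for. If unprivileged use is intended, say so in the comment instead of "fix error message", and consider restricting execute permission on the binary to a dedicated group. File capabilities are stored as an extended attribute, so the comment should also state that the grant only takes effect on image filesystems that keep xattrs.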
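Review bot: In the chrony_4.2.bb hunk, the tmpfiles.d entry hard-codes `/var/lib/chrony` while the `FILES:${PN}` line in the trailing context uses `${localstatedir}/lib/chrony`; write `d ${localstatedir}/lib/chrony 0755 root root -` so the two cannot diverge. The file is also installed unconditionally although the same `do_install` handles both an init script and a systemd unit, so either guard it on the systemd feature or note why it is harmless elsewhere. The blank line added before the closing `}` can go.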
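Review bot: In networkmanager_1.36.2.bb, the new `-Dpppd=/usr/sbin/pppd` in `PACKAGECONFIG[ppp]` hard-codes a path, whereas the neighbouring entries use `${bindir}/dnsmasq` and `${base_sbindir}/resolvconf`. Use `${sbindir}/pppd` so the option follows the configured layout, and add a short comment saying why the path has to be passed explicitly.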
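Review bot: The header of cyrus-sasl/CVE-2022-24407.patch has only the CVE id as its subject and no description of the flaw or of why a single added `free` at `done:` in sql_auxprop_lookup() addresses it. Add a short description taken from the upstream commit and state whether this is the whole upstream change or only the part missing from 2.1.28. The added line `if (escap_passwd) sparams->utils->free(escap_passwd);` also depends on `escap_passwd` being NULL on every path that jumps to `done:`, which the visible context does not show and should be confirmed.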
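Review bot: In dhcp6_no_relay() in dnsmasq/CVE-2022-0934.patch, `unsigned char outmsgtype;` is declared without an initialiser, yet the store added near the end, `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;`, runs for whatever path reaches it. The hunks show assignments only inside individual message-type branches, so please check against the full function that every path reaching the store has set the variable, or initialise it at the declaration. The converse needs the same check: a branch that sets `outmsgtype` and then returns before the final store no longer writes the type byte into the packet, which the old `*outmsgtypep = ...` did immediately.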
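Review bot: In ntp_4.2.8p15.bb, the long `CVE_CHECK_IGNORE` list is justified only collectively, by the comment that cve-check matches 4.2.8 and drops the p15 suffix. A hand-maintained list means any further CVE recorded against 4.2.8 will show up again as a false positive, and nothing in the recipe records which patch level fixed each entry. Please note the fixed-in patch level per id (or per group), and say whether a `CVE_VERSION` override, as the usrsctp hunk in this same commit uses, was tried and could not express p15.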
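Review bot: In usrsctp_git.bb, `CVE_VERSION = "0.9.3.0"` is a fixed string in a recipe that builds from git, with no comment tying it to the revision being built. It will silently go stale when the source revision moves and cve-check will then match against the wrong version. Add a comment stating which upstream release the pinned revision corresponds to, so the value is updated together with it.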
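Review bot: In netperf/files/netserver_permissions.patch, the `chmod(FileName,0644);` that remains under `if (!suppress_debug)` in open_debug_file() still ignores its return value and still operates on a path name rather than on an open descriptor. If the debug file is already open at that point, `fchmod` on its descriptor avoids changing whatever the path happens to resolve to, which is the same class of problem the commit message describes for /dev/null. The header should also say why a change marked `Upstream-Status: Pending` from a 2018 pull request is being carried now.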
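Review bot: In spice_git.bb, the three ids added to `CVE_CHECK_IGNORE` (CVE-2016-0749, CVE-2016-2150, CVE-2018-10893) have no comment in the recipe, unlike the ntp and openflow hunks in this same commit, which explain their entries. An ignore entry without a recorded reason cannot be re-validated when the source revision changes. Add a comment per id naming the release or commit that contains the fix.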
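Review bot: In frr_8.2.2.bb, neither the switch from `autotools` to `autotools-brokensep` nor the new `CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'"` carries a comment saying which failure it works around. The `do_install:class-native` change to `${S}/lib/clippy` follows from the in-tree build, but a later maintainer cannot tell when either workaround may be dropped. Add a one-line comment above each, and for the PERL override state that it is there to keep a build-host perl path out of the target output, if that is the reason.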