Diffstat (limited to 'meta-openembedded/meta-networking/recipes-support')
18 files changed, 370 insertions, 139 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb index 57dd635dc3..8ce9e1db55 100644 --- a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb +++ b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb @@ -126,6 +126,10 @@ do_install() { ${D}${systemd_unitdir}/system/chronyd.service sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${sysconfdir}/init.d/chronyd sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service + + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf + } FILES:${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}" diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..6bd734d756 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch 
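Review bot: The tmpfiles.d entry added at the end of do_install() hard-codes `/var/lib/chrony` and `root root`, while the FILES line just below uses `${localstatedir}/lib/chrony`, and it is written for every build even when systemd is not in DISTRO_FEATURES. Using the variable keeps the two in step: `echo "d ${localstatedir}/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf`. If the image runs chronyd under a dedicated unprivileged account (not visible in this hunk), a root-owned 0755 directory would stop it writing its state there, so the owner and mode are worth confirming against how the service is started. do_install() begins outside the hunk.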
@@ -0,0 +1,191 @@
+From 3cdecc159e0f417a2f8d43d99632af26beea630f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 31 Mar 2022 21:35:20 +0100
+Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
+ refers.
+
+CVE: CVE-2022-0934
+
+Upstream-Status: Backport
+[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGELOG | 3 +++
+ src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 5e54df9..a28da2a 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,4 +1,7 @@
+ version 2.86
++ Fix write-after-free error in DHCPv6 server code.
++ CVE-2022-0934 refers.
++
+ Handle DHCPREBIND requests in the DHCPv6 server code.
+ Thanks to Aichun Li for spotting this omission, and the initial
+ patch.
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 5c2ff97..6ecfeeb 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+ unsigned int mac_len, mac_type;
+ };
+
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
+ }
+
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+ void *end = inbuff + sz;
+ void *opts = inbuff + 34;
+- int msg_type = *((unsigned char *)inbuff);
++ int msg_type = *inbuff;
+ unsigned char *outmsgtypep;
+ void *opt;
+ struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ return 1;
+ }
+
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+ void *opt;
+- int i, o, o1, start_opts;
++ int i, o, o1, start_opts, start_msg;
+ struct dhcp_opt *opt_cfg;
+ struct dhcp_netid *tagif;
+ struct dhcp_config *config = NULL;
+ struct dhcp_netid known_id, iface_id, v6_id;
+- unsigned char *outmsgtypep;
++ unsigned char outmsgtype;
+ struct dhcp_vendor *vendor;
+ struct dhcp_context *context_tmp;
+ struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ v6_id.next = state->tags;
+ state->tags = &v6_id;
+
+- /* copy over transaction-id, and save pointer to message type */
+- if (!(outmsgtypep = put_opt6(inbuff, 4)))
++ start_msg = save_counter(-1);
++ /* copy over transaction-id */
++ if (!put_opt6(inbuff, 4))
+ return 0;
+ start_opts = save_counter(-1);
+- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-
++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++
+ /* We're going to be linking tags from all context we use.
+ mark them as unused so we don't link one twice and break the list */
+ for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6USEMULTI);
+ put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ struct dhcp_netid *solicit_tags;
+ struct dhcp_context *c;
+
+- *outmsgtypep = DHCP6ADVERTISE;
++ outmsgtype = DHCP6ADVERTISE;
+
+ if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+ o = new_opt6(OPTION6_RAPID_COMMIT);
+ end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int start = save_counter(-1);
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+
+ log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int address_assigned = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL);
+
+@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int good_addr = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+
+@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+ if (ignore)
+ return 0;
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ tagif = add_options(state, 1);
+ break;
+ }
+@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6RELEASE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+
+@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6DECLINE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+
+@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ }
+
+ }
+-
++
++ /* Fill in the message type. Note that we store the offset,
++ not a direct pointer, since the packet memory may have been
++ reallocated. */
++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+ log_tags(tagif, state->xid);
+ log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
index 31ca51ec60..0f7880ce8c 100644
--- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
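Review bot: `dhcp6_maybe_relay` still declares `unsigned char *outmsgtypep;` in the context lines of the -104 hunk, so the pattern this backport removes from `dhcp6_no_relay` (a pointer into the reply buffer kept across calls that can reallocate it) may remain on the relay path. Its uses fall outside the hunks shown, so compare against the full src/rfc3315.c before treating CVE-2022-0934 as closed for this recipe. In `dhcp6_no_relay`, `unsigned char outmsgtype;` has no initialiser but is stored unconditionally at `[start_msg]` near the end; every case visible here assigns it or returns first, but the whole switch is not in view. If any path can reach the store without an assignment, the declaration needs a defined value, for example `unsigned char outmsgtype = DHCP6REPLY;`. Both functions extend beyond the hunks.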
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb @@ -3,5 +3,6 @@ require dnsmasq.inc SRC_URI[dnsmasq-2.86.sha256sum] = "ef15f608a83ee2b1d1d2c1f11d089a7e0ac401ffb0991de73fc01ce5f290e512" SRC_URI += "\ file://lua.patch \ + file://CVE-2022-0934.patch \ " diff --git a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.7.bb b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.10.bb index 2de32cc1ee..07870bb2c0 100644 --- a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.7.bb +++ b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.10.bb @@ -11,8 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0" SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ " - -SRCREV = "7c0e2d19d30eb0bd2e079febb5a2c31f65e5023d" +SRCREV = "1c31e0e5397646ae3709b1fbfd9c3b47b904f254" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch new file mode 100644 index 0000000000..55316363e0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch 
@@ -0,0 +1,29 @@ +From 78c9ae7d9a6735575bc72dd28a19b2bc3a251981 Mon Sep 17 00:00:00 2001 +From: Andrew Elble <aweits@rit.edu> +Date: Mon, 8 Oct 2018 14:31:20 -0400 +Subject: [PATCH] netserver: don't change permissions on /dev/null + +the (now default) suppress_debug=1 changes permissions on /dev/null +to 0644. Don't do this. + +Upstream-Status: Pending [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981] +Signed-off-by: Ashish Sharma <asharma@mvista.com> + +--- + src/netserver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/netserver.c b/src/netserver.c +index 00c8d23..86a1c45 100644 +--- a/src/netserver.c ++++ b/src/netserver.c +@@ -278,7 +278,8 @@ open_debug_file() + + #if !defined(WIN32) + +- chmod(FileName,0644); ++ if (!suppress_debug) ++ chmod(FileName,0644); + + /* redirect stdin to "/dev/null" */ + rd_null_fp = fopen(NETPERF_NULL,"r"); diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb index 62ba966d01..06b2eddbb6 100644 --- a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=ht file://netserver.service \ file://0001-netlib.c-Move-including-sched.h-out-og-function.patch \ file://0001-nettest_omni-Remove-duplicate-variable-definitions.patch \ + file://netserver_permissions.patch \ " SRCREV = "3bc455b23f901dae377ca0a558e1e32aa56b31c4" diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index fe2bd0773c..a30f720bb5 100644 --- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb 
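Review bot: The guarded `chmod(FileName,0644);` still ignores its return value and still changes the mode by path name rather than on the stream that open_debug_file() has opened. If the debug file lives in a directory other users can write to (its location is not visible in this hunk), a path-based chmod applies to whatever the name resolves to at that moment; `fchmod()` on the open descriptor avoids that. The result should also be checked, e.g. `if (!suppress_debug && chmod(FileName,0644) != 0)` followed by the file's usual error report. The patch is marked Upstream-Status: Pending, so it is worth tracking whether upstream takes it as is. open_debug_file() starts and ends outside the hunk.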
@@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" # CVE-2016-9312 is only for windows. -CVE_CHECK_IGNORE += "CVE-2016-9312" +# The other CVEs are not correctly identified because cve-check +# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference) +CVE_CHECK_IGNORE += "\ + CVE-2016-9312 \ + CVE-2015-5146 \ + CVE-2015-5300 \ + CVE-2015-7975 \ + CVE-2015-7976 \ + CVE-2015-7977 \ + CVE-2015-7978 \ + CVE-2015-7979 \ + CVE-2015-8138 \ + CVE-2015-8139 \ + CVE-2015-8140 \ + CVE-2015-8158 \ + CVE-2016-1547 \ + CVE-2016-2516 \ + CVE-2016-2517 \ + CVE-2016-2519 \ + CVE-2016-7429 \ + CVE-2016-7433 \ + CVE-2016-9310 \ + CVE-2016-9311 \ +" + inherit autotools update-rc.d useradd systemd pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch new file mode 100644 index 0000000000..03b454d625 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch 
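Review bot: The nineteen CVE ids added to CVE_CHECK_IGNORE are suppressed permanently on the strength of one shared comment, with nothing recording that each is in fact fixed in 4.2.8p15 or tying the list to the recipe version. Because the entries stay in force after PV changes, a stale list can hide a real finding; a guard comment such as `# All entries below are fixed upstream at or before 4.2.8p15; re-verify on every PV change` makes the basis auditable. Since the stated root cause is the `p15` suffix being dropped in version comparison, it is also worth checking whether this layer's cve-check supports CVE_VERSION_SUFFIX (or a CVE_VERSION override), which would fix the matching instead of listing ids.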
@@ -0,0 +1,48 @@
+From ea179d83b0aa62719d90748cd1fb260f40055f15 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 13 Jun 2022 22:44:28 +0800
+Subject: [PATCH] configure.ac: eliminate build path from openvpn --version
+ option
+
+Before the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes
+with_libtool_sysroot=/buildarea/build/tmp/work/core2-64-poky-linux/openvpn/2.5.7-r0/recipe-sysroot
+with_mem_check=no with_openssl_engine=auto
+
+After the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no
+with_openssl_engine=auto
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2f5f6bc..eddcbc5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1377,7 +1377,7 @@ if test "${enable_async_push}" = "yes"; then
+ esac
+ fi
+
+-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
++CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*=' | grep -v 'libtool_sysroot'`"
+ AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
+
+ TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn
index e5af4b2301..e5af4b2301 100755..100644
--- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn
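Review bot: The added filter `grep -v 'libtool_sysroot'` is unanchored, so it drops any `with_*` line containing that text anywhere, and it removes only this one variable. Any other `enable_*`/`with_*` value that carries an absolute build path would still be compiled into the `--version` output. Anchoring to the variable name states the intent precisely: `set | grep '^with_.*=' | grep -v '^with_libtool_sysroot='`. A one-line comment above CONFIGURE_DEFINES saying the filter exists to keep build-host paths out of the binary would help whoever rebases this on the next upgrade.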
+++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf deleted file mode 100644 index 1205806d52..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf +++ /dev/null @@ -1 +0,0 @@ -d @LOCALSTATEDIR@/run/openvpn 0755 root root - diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service deleted file mode 100644 index 01dd2e8c25..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I -After=syslog.target network.target - -[Service] -PrivateTmp=true -Type=forking -PIDFile=/var/run/openvpn/%i.pid -ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf - -[Install] -WantedBy=multi-user.target diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb index 3ed90a7c8d..a28c73ab5a 100644 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb 
@@ -5,12 +5,12 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89" DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" -inherit autotools systemd update-rc.d +inherit autotools systemd update-rc.d pkgconfig SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ + file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ file://openvpn \ - file://openvpn@.service \ - file://openvpn-volatile.conf" + " UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" @@ -19,9 +19,6 @@ SRC_URI[sha256sum] = "08340a389905c84196b6cd750add1bc0fa2d46a1afebfd589c24120946 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" -SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" -SYSTEMD_AUTO_ENABLE = "disable" - INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "openvpn" INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." 
@@ -35,31 +32,36 @@ EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-p # Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" +EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ + " + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ + " + +PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" + do_install:append() { install -d ${D}/${sysconfdir}/init.d install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d install -d ${D}/${sysconfdir}/openvpn + install -d ${D}/${sysconfdir}/openvpn/server + install -d ${D}/${sysconfdir}/openvpn/client + install -d ${D}/${sysconfdir}/openvpn/sample - install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf + install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts + install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys + install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d 
${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service - - install -d ${D}/${localstatedir} - install -d ${D}/${localstatedir}/lib - install -d -m 710 ${D}/${localstatedir}/lib/openvpn - - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - fi + install -d -m 710 ${D}/${localstatedir}/lib/openvpn } PACKAGES =+ " ${PN}-sample " @@ -67,9 +69,9 @@ PACKAGES =+ " ${PN}-sample " RRECOMMENDS:${PN} = "kernel-module-tun" FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES:${PN} += "${systemd_unitdir}/system/openvpn@.service \ - ${sysconfdir}/tmpfiles.d \ +FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ + ${systemd_system_unitdir}/openvpn-client@.service \ + ${nonarch_libdir}/tmpfiles.d \ " -FILES:${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \ - ${systemd_unitdir}/system/openvpn@loopback-client.service \ - ${sysconfdir}/openvpn/sample/" +FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ + " diff --git a/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_40.0.bb b/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_41.0.bb index c567e3314b..e5ecc5cd62 100644 --- a/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_40.0.bb +++ b/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_41.0.bb 
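Review bot: In the do_install:append() hunk, the new `install -m 644 ${S}/sample/sample-config-files/*` and `sample-scripts/*` lines sit next to the existing sample-keys line, so the target ends up with upstream's published test keys, example configs and scripts under `${sysconfdir}/openvpn/sample`. FILES:${PN}-sample keeps them out of the main package, but nothing in the recipe says why; I would add above these lines `# Sample keys/configs are upstream test material with publicly known private keys: ship only in ${PN}-sample, never in production images`. The same hunk now creates `${localstatedir}/lib/openvpn` with mode 710 unconditionally; its owner and group are not set here, so confirm they match the account the upstream unit files run under.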
@@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS:${PN} = "bash perl" SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=master;protocol=https" -SRCREV = "a3e69268892bbd5ab30123748e89a26509a25ac5" +SRCREV = "467363efbc0fea706752c1ba7a21c313823017e7" S = "${WORKDIR}/git" #Default Dual License https://github.com/linux-rdma/rdma-core/blob/master/COPYING.md diff --git a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb index d9083bcbe8..1887a5582f 100644 --- a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb @@ -30,6 +30,12 @@ SRC_URI = " \ S = "${WORKDIR}/git" +CVE_CHECK_IGNORE += "\ + CVE-2016-0749 \ + CVE-2016-2150 \ + CVE-2018-10893 \ +" + inherit autotools gettext python3native python3-dir pkgconfig DEPENDS += "spice-protocol jpeg pixman alsa-lib glib-2.0 python3-pyparsing-native python3-six-native glib-2.0-native" diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch new file mode 100644 index 0000000000..e730fe1cd0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch 
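Review bot: The three ids added to CVE_CHECK_IGNORE in spice_git.bb carry no comment explaining why they do not apply to the pinned SRCREV, so the suppression cannot be audited from the recipe. Each entry should state its reason and, where the issue is fixed, the fixing upstream commit, e.g. `# CVE-2016-0749, CVE-2016-2150: <reason / upstream fix commit — fill in>` and likewise for CVE-2018-10893. Without that, a later SRCREV or branch change has no way to tell whether the ignores are still valid.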
@@ -0,0 +1,31 @@
+From d23c0ea81e630af3cfda89aeeb52146c0c84c960 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 2 May 2022 09:31:49 +0200
+Subject: [PATCH] enum: Fix compiler warning
+
+Closes strongswan/strongswan#1025
+
+Upstream-Status: Backport
+[https://github.com/strongswan/strongswan/commit/d23c0ea81e630af3cfda89aeeb52146c0c84c960]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/libstrongswan/utils/enum.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
+index 79da450f0c..1e77489f6f 100644
+--- a/src/libstrongswan/utils/enum.c
++++ b/src/libstrongswan/utils/enum.c
+@@ -97,7 +97,7 @@ char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len)
+ return buf;
+ }
+
+- if (snprintf(buf, len, e->names[0]) >= len)
++ if (snprintf(buf, len, "%s", e->names[0]) >= len)
+ {
+ return NULL;
+ }
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
deleted file mode 100644
index 7da48cd2cf..0000000000
--- a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
+++ /dev/null
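Review bot: The corrected call still compares the `int` returned by `snprintf` directly with the `size_t len`, so an error return of -1 is caught only because it converts to a large unsigned value. Spelling the check out makes that explicit: `int n = snprintf(buf, len, "%s", e->names[0]);` then `if (n < 0 || (size_t)n >= len)`. The patch subject calls this a compiler-warning fix, but it also removes a non-literal format string, which is worth saying in the patch header so the backport is not later dropped as cosmetic. enum_flags_to_string() continues outside the hunk.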
@@ -1,92 +0,0 @@ -From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner <tobias@strongswan.org> -Date: Wed, 23 Feb 2022 17:29:02 +0100 -Subject: [PATCH] openssl: Don't unload providers - -There is a conflict between atexit() handlers registered by OpenSSL and -some executables (e.g. swanctl or pki) to deinitialize libstrongswan. -Because plugins are usually loaded after atexit() has been called, the -handler registered by OpenSSL will run before our handler. So when the -latter destroys the plugins it's a bad idea to try to access any OpenSSL -objects as they might already be invalid. - -Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") -Closes strongswan/strongswan#921 - -Upstream-Status: Backport -[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - .../plugins/openssl/openssl_plugin.c | 27 +++---------------- - 1 file changed, 3 insertions(+), 24 deletions(-) - -diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c -index 6b4923649..1491d5cf8 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c -+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -16,7 +16,6 @@ - - #include <library.h> - #include <utils/debug.h> --#include <collections/array.h> - #include <threading/thread.h> - #include <threading/mutex.h> - #include <threading/thread_value.h> -@@ -74,13 +73,6 @@ struct private_openssl_plugin_t { - * public functions - */ - openssl_plugin_t public; -- --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- /** -- * Loaded providers -- */ -- array_t *providers; --#endif - }; - - /** -@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, - METHOD(plugin_t, destroy, void, - private_openssl_plugin_t *this) - { --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- OSSL_PROVIDER *provider; -- while 
(array_remove(this->providers, ARRAY_TAIL, &provider)) -- { -- OSSL_PROVIDER_unload(provider); -- } -- array_destroy(this->providers); --#endif /* OPENSSL_VERSION_NUMBER */ -- - /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we - * can't call it as we couldn't re-initialize the library (as required by the - * unit tests and the Android app) */ -@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() - DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); - return NULL; - } -- array_insert_create(&this->providers, ARRAY_TAIL, fips); - /* explicitly load the base provider containing encoding functions */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "base")); -+ OSSL_PROVIDER_load(NULL, "base"); - } - else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", - TRUE, lib->ns)) - { - /* load the legacy provider for algorithms like MD4, DES, BF etc. */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "legacy")); -+ OSSL_PROVIDER_load(NULL, "legacy"); - /* explicitly load the default provider, as mentioned by crypto(7) */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "default")); -+ OSSL_PROVIDER_load(NULL, "default"); - } - ossl_provider_names_t data = {}; - OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); --- -2.25.1 - diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb index cfb7b41fa4..1b82dceac2 100644 --- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb 
@@ -9,10 +9,10 @@ DEPENDS = "flex-native flex bison-native" DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - file://0001-openssl-Don-t-unload-providers.patch \ + file://0001-enum-Fix-compiler-warning.patch \ " -SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd" +SRC_URI[sha256sum] = "91d0978ac448912759b85452d8ff0d578aafd4507aaf4f1c1719f9d0c7318ab7" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f1dba227ac..38fdbce892 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -19,7 +19,7 @@ SRC_URI += " \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279" +SRC_URI[sha256sum] = "881a13303e263b7dc7fe337534c8a541d4914552287879bed30bbe76c5bf68ca" PE = "1" |