Diffstat (limited to 'meta-openembedded/meta-networking')
37 files changed, 834 insertions, 301 deletions
diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb index 9abfd61cf2..a616557e7c 100644 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb @@ -36,4 +36,4 @@ do_install() { oe_runmake SBINDIR=${sbindir}/ install } -RDEPENDS:${PN} = "udev wireless-regdb-static" +RDEPENDS:${PN} = "udev wireless-regdb" diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest new file mode 100644 index 0000000000..9d3ec79042 --- /dev/null +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest @@ -0,0 +1,21 @@ +#!/bin/sh + +ret_val=0 + +# Check if all the kernel modules are available +FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@" +for m in $FIREWALLD_KERNEL_MODULES; do + if modprobe $m; then + echo "PASS: loading $m" + else + echo "FAIL: loading $m" + ret_val=1 + fi +done + +# Run the test suite from firewalld +# Failing testsuites: 203 226 241 250 270 280 281 282 285 286 +# Problem icmpv6 compared against ipv6-icmptype? +/usr/share/firewalld/testsuite/testsuite -C /tmp -A || ret_val=1 + +exit $ret_val diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb deleted file mode 100644 index 1dea339535..0000000000 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb +++ /dev/null 
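Review bot: run-ptest starts the test suite with `-C /tmp`, so its working files land at a fixed location inside a world-writable directory, and the script presumably runs as root since it calls modprobe. A private directory is safer, for example `d=$(mktemp -d) || exit 1` followed by `/usr/share/firewalld/testsuite/testsuite -C "$d" -A || ret_val=1`. The loop should also quote its argument as `modprobe "$m"`. The comment lists ten suites as known failures, so the script will exit 1 on every run unless they are skipped; the comment should say whether that is intended.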
@@ -1,92 +0,0 @@ -SUMMARY = "Dynamic firewall daemon with a D-Bus interface" -HOMEPAGE = "https://firewalld.org/" -BUGTRACKER = "https://github.com/firewalld/firewalld/issues" -UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" -LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ - file://firewalld.init \ -" -SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760" - -# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 -DEPENDS = "intltool-native glib-2.0-native nftables" - -inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" -PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" - -PACKAGES += "${PN}-zsh-completion" - -# iptables, ip6tables, ebtables, and ipset *should* be unnecessary -# when the nftables backend is available, because nftables supersedes all of them. -# However we still need iptables and ip6tables to be available otherwise any -# application relying on "direct passthrough" rules (such as docker) will break. -# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by -# the Red Hat-specific init script which we aren't using, so we disable that. 
-EXTRA_OECONF = "\ - --without-ipset \ - --with-iptables=${sbindir}/iptables \ - --with-iptables-restore=${sbindir}/iptables-restore \ - --with-ip6tables=${sbindir}/ip6tables \ - --with-ip6tables-restore=${sbindir}/ip6tables-restore \ - --without-ebtables \ - --without-ebtables-restore \ - --disable-sysconfig \ -" - -INITSCRIPT_NAME = "firewalld" -SYSTEMD_SERVICE:${PN} = "firewalld.service" - -do_install:append() { - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - : - else - # firewalld ships an init script but it contains Red Hat-isms, replace it with our own - rm -rf ${D}${sysconfdir}/rc.d/ - install -d ${D}${sysconfdir}/init.d - install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld - fi - - # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE - # so now we need to fix up any references to point at the proper path in the image. - # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. - if [ ${PN} != "${BPN}-native" ]; then - sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - fi - sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - - # This file contains Red Hat-isms. Modules get loaded without it. - rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf -} - -FILES:${PN} += "\ - ${PYTHON_SITEPACKAGES_DIR}/firewall \ - ${nonarch_libdir}/firewalld \ - ${datadir}/dbus-1 \ - ${datadir}/polkit-1 \ - ${datadir}/metainfo \ -" -FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" - -RDEPENDS:${PN} = "\ - nftables-python \ - iptables \ - python3-core \ - python3-io \ - python3-fcntl \ - python3-shell \ - python3-syslog \ - python3-xml \ - python3-dbus \ - python3-slip-dbus \ - python3-decorator \ - python3-pygobject \ - python3-json \ - python3-ctypes \ -" 
diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb new file mode 100644 index 0000000000..987cc640e1 --- /dev/null +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb 
@@ -0,0 +1,310 @@ +SUMMARY = "Dynamic firewall daemon with a D-Bus interface" +HOMEPAGE = "https://firewalld.org/" +BUGTRACKER = "https://github.com/firewalld/firewalld/issues" +UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +SRC_URI = "\ + https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ + file://firewalld.init \ + file://run-ptest \ +" +SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7" + +# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 +DEPENDS = "intltool-native glib-2.0-native nftables" + +inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" +PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" +PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset" +PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables" + +# Default logging configuration: mixed syslog file console +FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog" + +# The UIs are not yet tested and the dependencies are probably not quite correct yet. +# Splitting into separate packages is beneficial so that no dead code is transferred +# to the target device. +# Without enabling qt5, the firewalld-config package is not usable. +# Without enabling qt5 and gtk, the firewalld-applet package is not usable. 
+PACKAGECONFIG[qt5] = "" +PACKAGECONFIG[gtk] = "" + +PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate" + +# iptables, ip6tables, ebtables, and ipset *should* be unnecessary +# when the nftables backend is available, because nftables supersedes all of them. +# However we still need iptables and ip6tables to be available otherwise any +# application relying on "direct passthrough" rules (such as docker) will break. +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by +# the Red Hat-specific init script which we aren't using, so we disable that. +EXTRA_OECONF = "\ + --with-iptables=${sbindir}/iptables \ + --with-iptables-restore=${sbindir}/iptables-restore \ + --with-ip6tables=${sbindir}/ip6tables \ + --with-ip6tables-restore=${sbindir}/ip6tables-restore \ + --disable-sysconfig \ +" + +INITSCRIPT_NAME = "firewalld" +SYSTEMD_SERVICE:${PN} = "firewalld.service" + +# kernel modules loaded after ptest execution (linux-yocto 5.15) +FIREWALLD_KERNEL_MODULES ?= "\ + xt_tcpudp \ + xt_TCPMSS \ + xt_set \ + xt_sctp \ + xt_REDIRECT \ + xt_pkttype \ + xt_NFLOG \ + xt_nat \ + xt_MASQUERADE \ + xt_mark \ + xt_mac \ + xt_LOG \ + xt_limit \ + xt_dccp \ + xt_CT \ + xt_conntrack \ + xt_CHECKSUM \ + nft_redir \ + nft_objref \ + nft_nat \ + nft_masq \ + nft_log \ + nfnetlink_log \ + nf_nat_tftp \ + nf_nat_sip \ + nf_nat_ftp \ + nf_log_syslog \ + nf_conntrack_tftp \ + nf_conntrack_sip \ + nf_conntrack_netbios_ns \ + nf_conntrack_ftp \ + nf_conntrack_broadcast \ + ipt_REJECT \ + ip6t_rpfilter \ + ip6t_REJECT \ + ip_set_hash_netport \ + ip_set_hash_netnet \ + ip_set_hash_netiface \ + ip_set_hash_net \ + ip_set_hash_mac \ + ip_set_hash_ipportnet \ + ip_set_hash_ipport \ + ip_set_hash_ipmark \ + ip_set_hash_ip \ + ebt_ip6 \ + nft_fib_inet \ + nft_fib_ipv4 \ + nft_fib_ipv6 \ + nft_fib \ + nft_reject_inet \ + nf_reject_ipv4 \ + nf_reject_ipv6 \ + nft_reject \ + nft_ct \ + nft_chain_nat \ + ebtable_nat \ + ebtable_broute 
\ + ip6table_nat \ + ip6table_mangle \ + ip6table_raw \ + ip6table_security \ + iptable_nat \ + nf_nat \ + nf_conntrack \ + nf_defrag_ipv6 \ + nf_defrag_ipv4 \ + iptable_mangle \ + iptable_raw \ + iptable_security \ + ip_set \ + ebtable_filter \ + ebtables \ + ip6table_filter \ + ip6_tables \ + iptable_filter \ + ip_tables \ + x_tables \ + sch_fq_codel \ +" + +do_configure:prepend() { + export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET} +} + +do_install:append() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then + # firewalld ships an init script but it contains Red Hat-isms, replace it with our own + rm -rf ${D}${sysconfdir}/rc.d/ + install -d ${D}${sysconfdir}/init.d + install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then + # Delete polkit profiles if polkit is not available + rm -rf ${D}${datadir}/polkit-1 + fi + + # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE + # so now we need to fix up any references to point at the proper path in the image. + # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. + if [ ${PN} != "${BPN}-native" ]; then + sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + fi + sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + + # This file contains Red Hat-isms. Modules get loaded without it. 
+ rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf +} + +do_install_ptest:append() { + # Add kernel modules to the ptest script + if [ ${PTEST_ENABLED} = "1" ]; then + sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \ + ${D}${PTEST_PATH}/run-ptest + fi +} + +SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)" +FILES:python3-firewall = "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \ +" +RDEPENDS:python3-firewall = "\ + python3-dbus \ + nftables-python \ + python3-pygobject \ +" + +# Do not depend on QT5 layer and GTK deps if not explicitely required. 
+FIREWALLD_QT5_RDEPENDS = "\ + ${PN}-config \ + hicolor-icon-theme \ + python3-pyqt5 \ + python3-pygobject \ + libnotify \ + networkmanager \ +" +FIREWALLD_GTK_RDEPENDS = "\ + gtk3 \ +" + +# A QT5 based UI +SUMMARY:${PN}-config = "${SUMMARY} (configuration application)" +FILES:${PN}-config = "\ + ${bindir}/firewall-config \ + ${datadir}/firewalld/firewall-config.glade \ + ${datadir}/firewalld/gtk3_chooserbutton.py* \ + ${datadir}/firewalld/gtk3_niceexpander.py* \ + ${datadir}/applications/firewall-config.desktop \ + ${datadir}/metainfo/firewall-config.appdata.xml \ + ${datadir}/icons/hicolor/*/apps/firewall-config*.* \ +" +RDEPENDS:${PN}-config += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ +" + +# A GTK3 applet depending on the QT5 firewall-config UI +SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)" +FILES:${PN}-applet += "\ + ${bindir}/firewall-applet \ + ${sysconfdir}/xdg/autostart/firewall-applet.desktop \ + ${sysconfdir}/firewall/applet.conf \ + ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \ +" +RDEPENDS:${PN}-applet += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \ +" + +SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)" +FILES:${PN}-offline-cmd += " \ + ${bindir}/firewall-offline-cmd \ +" +RDEPENDS:${PN}-offline-cmd += "python3-core" + +SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)" +FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d" + +# To get allmost all tests passing +# - Enable PACKAGECONFIG ipset, ebtable +# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests) +FILES:${PN}-ptest += "\ + ${datadir}/firewalld/testsuite \ +" +RDEPENDS:${PN}-ptest += "\ + python3-unittest \ + ${PN}-offline-cmd \ + procps-ps \ + iproute2 \ +" 
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us" + +FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" + +FILES:${PN} += "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall \ + ${nonarch_libdir}/firewalld \ + ${datadir}/dbus-1 \ + ${datadir}/polkit-1 \ + ${datadir}/metainfo \ + ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \ +" +RDEPENDS:${PN} += "\ + python3-firewall \ + iptables \ + python3-core \ + python3-io \ + python3-fcntl \ + python3-syslog \ + python3-xml \ + python3-json \ + python3-ctypes \ + python3-pprint \ +" +# If firewalld writes a log file rotation is needed +RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}" + +# Add required kernel modules. With Yocto kernel 5.15 this currently means: +# - features/nf_tables/nf_tables.scc +# - features/netfilter/netfilter.scc +# - cgl/features/audit/audit.scc +# - cfg/net/ip6_nf.scc +# - Plus: +# - ebtables +# - ipset +# - CONFIG_IP6_NF_SECURITY=m +# - CONFIG_IP6_NF_MATCH_RPFILTER=m +# - CONFIG_IP6_NF_TARGET_REJECT=m +# - CONFIG_NFT_OBJREF=m +# - CONFIG_NFT_FIB=m +# - CONFIG_NFT_FIB_INET=m +# - CONFIG_NFT_FIB_IPV4=m +# - CONFIG_NFT_FIB_IPV6=m +# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m +# - CONFIG_NETFILTER_XT_SET=m +def get_kernel_deps(d): + kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split() + return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ]) +RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/blueman/blueman_2.2.4.bb b/meta-openembedded/meta-networking/recipes-connectivity/blueman/blueman_2.2.4.bb index d5aeceeb42..119752086e 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/blueman/blueman_2.2.4.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/blueman/blueman_2.2.4.bb 
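Review bot: In do_install:append the policy files under `${datadir}/polkit-1` are deleted when `polkit` is not in DISTRO_FEATURES, but the recipe does not say how the daemon's D-Bus interface authorizes callers on such an image. A comment at that branch should state the resulting behaviour once it has been checked against firewalld 1.2.0, for example `# Without polkit only root can change the configuration over D-Bus (verified with 1.2.0)`. Separately, in do_configure:prepend the value should be quoted, `export DEFAULT_LOG_TARGET="${FIREWALLD_DEFAULT_LOG_TARGET}"`, so that an unexpected value cannot split into extra shell words.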
@@ -19,7 +19,7 @@ EXTRA_OEMESON = "-Druntime_deps_check=false -Dappindicator=false -Dpythoninstall SYSTEMD_SERVICE:${PN} = "${BPN}-mechanism.service" SYSTEMD_AUTO_ENABLE:${PN} = "disable" -RRECOMENDS_${PN} += "adwaita-icon-theme" +RRECOMMENDS:${PN} += "adwaita-icon-theme" RDEPENDS:${PN} += " \ python3-core \ python3-dbus \ diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb index da7e60419e..453e514b67 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb @@ -34,6 +34,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0 file://check-openssl-cmds-in-script-bootstrap.patch \ " +raddbdir="${sysconfdir}/${MLPREFIX}raddb" + SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a" PARALLEL_MAKE = "" @@ -48,6 +50,7 @@ EXTRA_OECONF = " --enable-strict-dependencies \ --with-docdir=${docdir}/freeradius-${PV} \ --with-openssl-includes=${STAGING_INCDIR} \ --with-openssl-libraries=${STAGING_LIBDIR} \ + --with-raddbdir=${raddbdir} \ --without-rlm_ippool \ --without-rlm_cache_memcached \ --without-rlm_counter \ @@ -98,7 +101,9 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl" PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast" PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd" -inherit useradd autotools-brokensep update-rc.d systemd +inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header + +MULTILIB_SCRIPTS = "${PN}:${sbindir}/checkrad" # This is not a cpan or python based package, but it needs some definitions # from cpan-base and python3-dir bbclasses for building rlm_perl and rlm_python 
@@ -141,7 +146,7 @@ do_install() { oe_runmake install R=${D} INSTALLSTRIP="" # remove unsupported config files - rm -f ${D}/${sysconfdir}/raddb/experimental.conf + rm -f ${D}/${raddbdir}/experimental.conf # remove scripts that required Perl(DBI) rm -rf ${D}/${bindir}/radsqlrelay @@ -153,7 +158,7 @@ do_install() { rm -rf ${D}/${localstatedir}/log/ install -m 0644 ${WORKDIR}/volatiles.58_radiusd ${D}${sysconfdir}/default/volatiles/58_radiusd - chown -R radiusd:radiusd ${D}/${sysconfdir}/raddb/ + chown -R radiusd:radiusd ${D}/${raddbdir} chown -R radiusd:radiusd ${D}/${localstatedir}/lib/radiusd # For systemd @@ -169,6 +174,9 @@ do_install() { install -d ${D}${sysconfdir}/tmpfiles.d/ install -m 0644 ${WORKDIR}/radiusd-volatiles.conf ${D}${sysconfdir}/tmpfiles.d/radiusd.conf fi + oe_multilib_header freeradius/autoconf.h + oe_multilib_header freeradius/missing.h + oe_multilib_header freeradius/radpaths.h } # This is only needed when we install/update on a running target. @@ -183,7 +191,7 @@ pkg_postinst:${PN} () { fi # Fix ownership for /etc/raddb/*, /var/lib/radiusd - chown -R radiusd:radiusd ${sysconfdir}/raddb + chown -R radiusd:radiusd ${raddbdir} chown -R radiusd:radiusd ${localstatedir}/lib/radiusd fi } 
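Review bot: The comment above the chown in pkg_postinst still reads `# Fix ownership for /etc/raddb/*, /var/lib/radiusd`, although the command now uses `${raddbdir}`, which is defined as `${sysconfdir}/${MLPREFIX}raddb`. It should become `# Fix ownership for ${raddbdir}/*, /var/lib/radiusd`. The hunks only touch configure options, do_install, pkg_postinst and FILES, so any other reference to the old directory (init script, systemd unit, volatiles or tmpfiles entries installed from WORKDIR) is not visible here and should be checked on a multilib build. pkg_postinst begins and ends outside the hunk.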
@@ -204,30 +212,30 @@ PACKAGES =+ "${PN}-utils ${PN}-ldap ${PN}-krb5 ${PN}-perl \ FILES:${PN}-utils = "${bindir}/*" FILES:${PN}-ldap = "${libdir}/rlm_ldap.so* \ - ${sysconfdir}/raddb/mods-available/ldap \ + ${raddbdir}/mods-available/ldap \ " FILES:${PN}-krb5 = "${libdir}/rlm_krb5.so* \ - ${sysconfdir}/raddb/mods-available/krb5 \ + ${raddbdir}/mods-available/krb5 \ " FILES:${PN}-perl = "${libdir}/rlm_perl.so* \ - ${sysconfdir}/raddb/mods-config/perl \ - ${sysconfdir}/raddb/mods-available/perl \ + ${raddbdir}/mods-config/perl \ + ${raddbdir}/mods-available/perl \ " FILES:${PN}-python = "${libdir}/rlm_python3.so* \ - ${sysconfdir}/raddb/mods-config/python3 \ - ${sysconfdir}/raddb/mods-available/python3 \ + ${raddbdir}/mods-config/python3 \ + ${raddbdir}/mods-available/python3 \ " FILES:${PN}-mysql = "${libdir}/rlm_sql_mysql.so* \ - ${sysconfdir}/raddb/mods-config/sql/*/mysql \ - ${sysconfdir}/raddb/mods-available/sql \ + ${raddbdir}/mods-config/sql/*/mysql \ + ${raddbdir}/mods-available/sql \ " FILES:${PN}-postgresql = "${libdir}/rlm_sql_postgresql.so* \ - ${sysconfdir}/raddb/mods-config/sql/*/postgresql \ + ${raddbdir}/mods-config/sql/*/postgresql \ " FILES:${PN}-unixodbc = "${libdir}/rlm_sql_unixodbc.so*" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.38.0.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.38.0.bb index d52ad6e6ce..c8fea5dbb7 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.38.0.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.38.0.bb 
@@ -86,7 +86,7 @@ PACKAGECONFIG[bluez5] = "-Dbluez5_dun=true,-Dbluez5_dun=false,bluez5" # consolekit is not picked by shlibs, so add it to RDEPENDS too PACKAGECONFIG[consolekit] = "-Dsession_tracking_consolekit=true,-Dsession_tracking_consolekit=false,consolekit,consolekit" PACKAGECONFIG[modemmanager] = "-Dmodem_manager=true,-Dmodem_manager=false,modemmanager mobile-broadband-provider-info" -PACKAGECONFIG[ppp] = "-Dppp=true,-Dppp=false,ppp" +PACKAGECONFIG[ppp] = "-Dppp=true -Dpppd=${sbindir}/pppd,-Dppp=false,ppp,ppp" PACKAGECONFIG[dnsmasq] = "-Ddnsmasq=${bindir}/dnsmasq" PACKAGECONFIG[nss] = "-Dcrypto=nss,,nss" PACKAGECONFIG[resolvconf] = "-Dresolvconf=${base_sbindir}/resolvconf,-Dresolvconf=no,,resolvconf" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/openconnect/openconnect_8.20.bb b/meta-openembedded/meta-networking/recipes-connectivity/openconnect/openconnect_9.01.bb index 022ba85a26..afdbdca4e3 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/openconnect/openconnect_8.20.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/openconnect/openconnect_9.01.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=8c2e1ec1540fb3e0beb68361344cba7e" SRC_URI = " \ git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \ " -SRCREV = "03a3b9c76a9b6d0a65073b6bebbc1192e3445507" +SRCREV = "5695cd6b0c7d42ca293ce0f00abcbe3d1ec4e609" DEPENDS = "vpnc libxml2 krb5 gettext-native" RDEPENDS:${PN} = "bash python3-core vpnc-script" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.19.bb b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb index 26b335dbd5..c15c20443d 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.19.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb 
@@ -14,7 +14,7 @@ SRC_URI = "https://www.snort.org/downloads/archive/snort/${BP}.tar.gz \ file://disable-run-test-program-while-cross-compiling.patch \ file://configure.in-disable-tirpc-checking-for-fedora.patch \ " -SRC_URI[sha256sum] = "b12fc6db72afb58987a2bf1954b8f45bde02047c235513c7663857b9506369c7" +SRC_URI[sha256sum] = "29400e13f53b1831e0b8b10ec1224a1cbaa6dc1533a5322a20dd80bb84b4981c" UPSTREAM_CHECK_URI = "https://www.snort.org/downloads" UPSTREAM_CHECK_REGEX = "snort-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.14.bb index cf2b156fe7..eda0129feb 100644 --- a/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb +++ b/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.14.bb @@ -11,8 +11,7 @@ SRC_URI = "\ file://lldpd.default \ " -SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba" -SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def" +SRC_URI[sha256sum] = "a74819214f116a5dbc407a3d490caa01ba401a249517ac826a374059c12d12e8" inherit autotools update-rc.d useradd systemd pkgconfig bash-completion diff --git a/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet/0001-links.c-Fix-build-with-gcc-12.patch b/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet/0001-links.c-Fix-build-with-gcc-12.patch new file mode 100644 index 0000000000..e59501cc49 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet/0001-links.c-Fix-build-with-gcc-12.patch 
@@ -0,0 +1,40 @@
+From a8aac8f3fd8b07fde8f5dc0aa9ece54a46d24425 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Thu, 9 Jun 2022 16:03:06 +0800
+Subject: [PATCH] links.c: Fix build with gcc-12
+
+Fixes:
+ | /build/tmp-glibc/work/corei7-64-wrs-linux/kronosnet/1.22-r0/recipe-sysroot/usr/include/bits/string_fortified.h:59:10: error: 'link' may be used uninitialized [-Werror=maybe-uninitialized]
+ | 59 | return __builtin___memset_chk (__dest, __ch, __len,
+ | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | 60 | __glibc_objsize0 (__dest));
+ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | ../../git/libknet/links.c: In function 'knet_link_set_config':
+ | ../../git/libknet/links.c:108:27: note: 'link' was declared here
+ | 108 | struct knet_link *link;
+ | | ^~~~
+ | cc1: all warnings being treated as errors
+
+Upstream-Status: Submitted[https://github.com/kronosnet/kronosnet/pull/382]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ libknet/links.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libknet/links.c b/libknet/links.c
+index 8cb1621b..0ef42b79 100644
+--- a/libknet/links.c
++++ b/libknet/links.c
+@@ -105,7 +105,7 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
+ {
+ int savederrno = 0, err = 0, i, wipelink = 0, link_idx;
+ struct knet_host *host, *tmp_host;
+- struct knet_link *link;
++ struct knet_link *link = NULL;
+
+ if (!_is_valid_handle(knet_h)) {
+ return -1;
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet_1.22.bb b/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet_1.22.bb
index ad0a00e78a..0b0bc29452 100644
--- a/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet_1.22.bb
+++ b/meta-openembedded/meta-networking/recipes-extended/kronosnet/kronosnet_1.22.bb
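Review bot: Initialising `link` to NULL in knet_link_set_config silences -Werror=maybe-uninitialized, but the quoted diagnostic points at a memset on `link`; if that path can be reached before `link` is assigned, the call now receives a null pointer instead of an indeterminate one. The function body lies outside the hunk, so reachability cannot be confirmed from here. The patch description should say why the path is unreachable, or the cleanup that uses `link` should be guarded with an `if (link != NULL)` check. Upstream-Status is Submitted, so the patch should be dropped once upstream carries its own fix.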
@@ -14,6 +14,7 @@ DEPENDS = "doxygen-native libqb-native libxml2-native bzip2 libqb libxml2 libnl SRCREV = "0123ecebce0ad6aba3cdb320027192e15fd71e23" SRC_URI = "git://github.com/kronosnet/kronosnet;protocol=https;branch=stable1 \ file://0001-libknet-tests-Correct-include-path-for-poll.h.patch \ + file://0001-links.c-Fix-build-with-gcc-12.patch \ " UPSTREAM_CHECK_URI = "https://github.com/kronosnet/kronosnet/releases" diff --git a/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.2.1.bb b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.2.2.bb index 44479638f1..3eca92dcec 100644 --- a/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.2.1.bb +++ b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.2.2.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=79808397c3355f163c012616125c9e26" SECTION = "libs" DEPENDS = "libmnl" -SRCREV = "09456c720e9c00eecc08e41ac6b7c291b3821ee5" +SRCREV = "f6575131e60ab10f131ea3ff36f69af2b6c3f614" SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \ file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \ file://0001-configure.ac-Add-serial-tests.patch \ diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch deleted file mode 100644 index 65ab2dfd8c..0000000000 --- a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 18a08fb7f0443f8bde83393bd6f69e23a04246b3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Tue, 22 Feb 2022 00:56:36 +0100 -Subject: [PATCH] examples: compile with `make check' and add AM_CPPFLAGS - -Compile examples via `make check' like libnftnl does. Use AM_CPPFLAGS to -specify local headers via -I. - -Unfortunately, `make distcheck' did not catch this compile time error in -my system, since it was using the nftables/libnftables.h file of the -previous nftables release. - -Fixes: 5b364657a35f ("build: missing SUBIRS update") -Fixes: caf2a6ad2d22 ("examples: add libnftables example program") -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> - -Upstream-Status: Backport -[http://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - examples/Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/examples/Makefile.am b/examples/Makefile.am -index c972170d..3b8b0b67 100644 ---- a/examples/Makefile.am -+++ b/examples/Makefile.am -@@ -1,4 +1,6 @@ --noinst_PROGRAMS = nft-buffer \ -+check_PROGRAMS = nft-buffer \ - nft-json-file - -+AM_CPPFLAGS = -I$(top_srcdir)/include -+ - LDADD = $(top_builddir)/src/libnftables.la --- -2.25.1 - diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-nftables-python-Split-root-from-prefix.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-nftables-python-Split-root-from-prefix.patch new file mode 100644 index 0000000000..377b29fff8 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables/0001-nftables-python-Split-root-from-prefix.patch 
@@ -0,0 +1,44 @@
+From c7513195a72b2e5be5c9c439cc606eb5dcc3fb7a Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alex.kiernan@gmail.com>
+Date: Tue, 12 Jul 2022 17:44:34 +0100
+Subject: [PATCH] nftables: python: Split root from prefix
+
+The buildpaths QA check fails when python is enabled:
+
+ WARNING: nftables-1.0.4-r0 do_package_qa: QA Issue: File /usr/lib/python3.10/site-packages/nftables/__pycache__/nftables.cpython-310.pyc in package nftables-python contains reference to TMPDIR
+ File /usr/lib/python3.10/site-packages/nftables/__pycache__/__init__.cpython-310.pyc in package nftables-python contains reference to TMPDIR [buildpaths]
+
+Upstream-Status: Pending
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ py/Makefile.am | 2 +-
+ py/setup.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/py/Makefile.am b/py/Makefile.am
+index 215ecd9e4751..a827cca10135 100644
+--- a/py/Makefile.am
++++ b/py/Makefile.am
+@@ -7,7 +7,7 @@ all-local:
+ install-exec-local:
+ cd $(srcdir) && \
+ $(PYTHON_BIN) setup.py build --build-base $(abs_builddir) \
+- install --prefix $(DESTDIR)$(prefix)
++ install --root $(DESTDIR) --prefix $(prefix)
+
+ uninstall-local:
+ rm -rf $(DESTDIR)$(prefix)/lib*/python*/site-packages/nftables
+diff --git a/py/setup.py b/py/setup.py
+index 72fc8fd98b26..976aec583b71 100755
+--- a/py/setup.py
++++ b/py/setup.py
+@@ -1,5 +1,5 @@
+ #!/usr/bin/env python
+-from distutils.core import setup
++from setuptools._distutils.core import setup
+ from nftables import NFTABLES_VERSION
+
+ setup(name='nftables',
+--
+2.35.1
+
diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.0.2.bb b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.0.4.bb
index e078be79a1..3466e16a62 100644
--- a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.0.2.bb
+++ b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.0.4.bb
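Review bot: `from setuptools._distutils.core import setup` in py/setup.py imports a private, vendored module of setuptools whose location is not a stable interface; the public entry point is `from setuptools import setup`. The patch description explains only the `--root $(DESTDIR) --prefix $(prefix)` change for the buildpaths QA warning and does not mention the import switch, which should get its own sentence there. Upstream-Status is Pending, so the patch will be carried locally until it is submitted.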
@@ -6,26 +6,27 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d1a78fdd879a263a5e0b42d1fc565e79" DEPENDS = "libmnl libnftnl bison-native \ ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}" -# Ensure we reject the 0.099 version by matching at least two dots -UPSTREAM_CHECK_REGEX = "nftables-(?P<pver>\d+(\.\d+){2,}).tar.bz2" - SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.bz2 \ - file://0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch \ + file://0001-nftables-python-Split-root-from-prefix.patch \ file://run-ptest \ " -SRC_URI[sha256sum] = "0b28a36ffcf4567b841de7bd3f37918b1fed27859eb48bdec51e1f7a83954c02" +SRC_URI[sha256sum] = "927fb1fea1f685a328c10cf791eb655d7e1ed49d310eea5cb3101dfd8d6cba35" inherit autotools manpages pkgconfig ptest -PACKAGECONFIG ??= "python readline json" +PACKAGECONFIG ?= "python readline json" +PACKAGECONFIG[editline] = "--with-cli=editline, , libedit, , , linenoise readline" PACKAGECONFIG[json] = "--with-json, --without-json, jansson" +PACKAGECONFIG[linenoise] = "--with-cli=linenoise, , linenoise, , , editline readline" PACKAGECONFIG[manpages] = "--enable-man-doc, --disable-man-doc, asciidoc-native" PACKAGECONFIG[mini-gmp] = "--with-mini-gmp, --without-mini-gmp" -PACKAGECONFIG[python] = "--enable-python --with-python-bin=${PYTHON}, --with-python-bin="", python3" -PACKAGECONFIG[readline] = "--with-cli=readline, --without-cli, readline" +PACKAGECONFIG[python] = "--enable-python --with-python-bin=${PYTHON}, --disable-python, python3-setuptools-native" +PACKAGECONFIG[readline] = "--with-cli=readline, , readline, , , editline linenoise" PACKAGECONFIG[xtables] = "--with-xtables, --without-xtables, iptables" +EXTRA_OECONF = "${@bb.utils.contains_any('PACKAGECONFIG', 'editline linenoise readline', '', '--without-cli', d)}" + inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)} RRECOMMENDS:${PN} += "kernel-module-nf-tables" 
@@ -34,7 +35,7 @@ PACKAGES =+ "${PN}-python" FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}" RDEPENDS:${PN}-python = "python3-core python3-json ${PN}" -RDEPENDS:${PN}-ptest += " make bash python3-core python3-ctypes python3-json python3-misc util-linux" +RDEPENDS:${PN}-ptest += " ${PN}-python make bash python3-core python3-ctypes python3-json python3-misc util-linux" TESTDIR = "tests" @@ -46,7 +47,6 @@ do_install_ptest() { mkdir -p ${D}${PTEST_PATH}/src/.libs cp -rf ${B}/src/.libs/* ${D}${PTEST_PATH}/src/.libs cp -rf ${B}/src/.libs/nft ${D}${PTEST_PATH}/src/ - cp -rf ${S}/py ${D}${PTEST_PATH} cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}/${TESTDIR} sed -i 's#/usr/bin/python#/usr/bin/python3#' ${D}${PTEST_PATH}/${TESTDIR}/json_echo/run-test.py sed -i 's#/usr/bin/env python#/usr/bin/env python3#' ${D}${PTEST_PATH}/${TESTDIR}/py/nft-test.py diff --git a/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc index 15eb65ad32..ccafaf0de4 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-openembedded/meta-networking/recipes-protocols/openflow/openflow.inc @@ -53,3 +53,7 @@ do_install:append() { } FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" + +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_IGNORE = "CVE-2018-1078" diff --git a/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb b/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb index a7697a1ae9..984264a30f 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb 
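Review bot: `CVE_CHECK_IGNORE = "CVE-2018-1078"` in the openflow.inc hunk uses plain assignment, which replaces whatever the variable already holds when this line is parsed, while the other recipes touched in this commit (quagga, ntp, spice) append with `+=`. Writing it as `CVE_CHECK_IGNORE += "CVE-2018-1078"` keeps the entry additive and consistent with them. The comment would also be easier to audit if it named the product the CVE actually belongs to, not only that two CPEs collide.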
@@ -2,3 +2,7 @@ require quagga.inc SRC_URI[md5sum] = "eced21b054d71c9e1b7c6ac43286a166" SRC_URI[sha256sum] = "e364c082c3309910e1eb7b068bf39ee298e2f2f3f31a6431a5c115193bd653d3" + +CVE_CHECK_IGNORE += "\ + CVE-2016-4049 \ +" diff --git a/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index 4f8e4d4282..dcfa7406d2 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb @@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet," PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6," EXTRA_OECONF += "--disable-debug" + +CVE_VERSION = "0.9.3.0" diff --git a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb index 57dd635dc3..8ce9e1db55 100644 --- a/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb +++ b/meta-openembedded/meta-networking/recipes-support/chrony/chrony_4.2.bb @@ -126,6 +126,10 @@ do_install() { ${D}${systemd_unitdir}/system/chronyd.service sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${sysconfdir}/init.d/chronyd sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service + + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf + } FILES:${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}" diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..6bd734d756 --- /dev/null 
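Review bot: The quagga hunk adds `CVE-2016-4049` to `CVE_CHECK_IGNORE` with no comment saying why the CVE does not apply, and the same gap appears in the usrsctp hunk (`CVE_VERSION = "0.9.3.0"`) and in the spice hunk further down (three ignored CVEs). An ignore entry silences the scanner for this recipe until someone removes it, so each one should carry its justification next to it, for example `# fixed upstream in RELEASE (placeholder); NVD version range does not match` with the real release filled in. The openflow and ntp entries in this same commit already carry such a comment.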
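Review bot: The tmpfiles.d line added to chrony's `do_install` hard-codes `/var/lib/chrony`, while the `FILES:${PN}` line directly below the hunk names the same directory as `${localstatedir}/lib/chrony`; `echo "d ${localstatedir}/lib/chrony 0755 root root -"` keeps the two in step. The entry also fixes the owner as `root root`; if chronyd is configured to drop privileges to a dedicated account (not visible in this hunk), it could not write its state there, so the owner should match the account the daemon runs as. `do_install` begins outside the hunk.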
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch 
@@ -0,0 +1,191 @@ +From 3cdecc159e0f417a2f8d43d99632af26beea630f Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 31 Mar 2022 21:35:20 +0100 +Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934 + refers. + +CVE: CVE-2022-0934 + +Upstream-Status: Backport +[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + CHANGELOG | 3 +++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 30 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 5e54df9..a28da2a 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,4 +1,7 @@ + version 2.86 ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. ++ + Handle DHCPREBIND requests in the DHCPv6 server code. + Thanks to Aichun Li for spotting this omission, and the initial + patch. +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 5c2ff97..6ecfeeb 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me 
blood to write, it will probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. 
+ mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, msg_type == DHCP6RENEW ? 
"DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb index 31ca51ec60..0f7880ce8c 100644 --- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb 
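Review bot: `outmsgtype` now reaches the packet only through the single store added at the end of `dhcp6_no_relay`, so any path that assigns it and then returns early would send the reply with the type byte that `put_opt6(inbuff, 4)` copied from the request. The unicast branch in the `-347` hunk sets `outmsgtype = DHCP6REPLY` for the "Use multicast" status, and the lines after `put_opt6_string("Use multicast")` are outside the hunk. It should be confirmed that this branch reaches `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;` and does not return before it. `outmsgtype` is also declared without an initialiser, so a path that reaches the store without assigning it would write an indeterminate byte; giving it an initial value at the declaration removes that case.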
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb @@ -3,5 +3,6 @@ require dnsmasq.inc SRC_URI[dnsmasq-2.86.sha256sum] = "ef15f608a83ee2b1d1d2c1f11d089a7e0ac401ffb0991de73fc01ce5f290e512" SRC_URI += "\ file://lua.patch \ + file://CVE-2022-0934.patch \ " diff --git a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.7.bb b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.10.bb index 2de32cc1ee..07870bb2c0 100644 --- a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.7.bb +++ b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.31.10.bb @@ -11,8 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0" SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ " - -SRCREV = "7c0e2d19d30eb0bd2e079febb5a2c31f65e5023d" +SRCREV = "1c31e0e5397646ae3709b1fbfd9c3b47b904f254" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch new file mode 100644 index 0000000000..55316363e0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/netperf/files/netserver_permissions.patch 
@@ -0,0 +1,29 @@ +From 78c9ae7d9a6735575bc72dd28a19b2bc3a251981 Mon Sep 17 00:00:00 2001 +From: Andrew Elble <aweits@rit.edu> +Date: Mon, 8 Oct 2018 14:31:20 -0400 +Subject: [PATCH] netserver: don't change permissions on /dev/null + +the (now default) suppress_debug=1 changes permissions on /dev/null +to 0644. Don't do this. + +Upstream-Status: Pending [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981] +Signed-off-by: Ashish Sharma <asharma@mvista.com> + +--- + src/netserver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/netserver.c b/src/netserver.c +index 00c8d23..86a1c45 100644 +--- a/src/netserver.c ++++ b/src/netserver.c +@@ -278,7 +278,8 @@ open_debug_file() + + #if !defined(WIN32) + +- chmod(FileName,0644); ++ if (!suppress_debug) ++ chmod(FileName,0644); + + /* redirect stdin to "/dev/null" */ + rd_null_fp = fopen(NETPERF_NULL,"r"); diff --git a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb index 62ba966d01..06b2eddbb6 100644 --- a/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/netperf/netperf_git.bb @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=ht file://netserver.service \ file://0001-netlib.c-Move-including-sched.h-out-og-function.patch \ file://0001-nettest_omni-Remove-duplicate-variable-definitions.patch \ + file://netserver_permissions.patch \ " SRCREV = "3bc455b23f901dae377ca0a558e1e32aa56b31c4" diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index fe2bd0773c..a30f720bb5 100644 --- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb 
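Review bot: `chmod(FileName,0644)` in `open_debug_file` still acts on a path name and its return value is ignored; the new `if (!suppress_debug)` guard only skips the call in the null-device case described in the commit message. If the debug file can be placed in a shared directory (the code that builds `FileName` is outside the hunk), setting the mode with `fchmod()` on the descriptor of the stream that was just opened would avoid acting on whatever the path resolves to at that moment. The guard also depends on `suppress_debug` implying that `FileName` is the null device, which deserves a comment such as `/* suppress_debug: FileName is the null device, leave its mode alone */`.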
@@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" # CVE-2016-9312 is only for windows. -CVE_CHECK_IGNORE += "CVE-2016-9312" +# The other CVEs are not correctly identified because cve-check +# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference) +CVE_CHECK_IGNORE += "\ + CVE-2016-9312 \ + CVE-2015-5146 \ + CVE-2015-5300 \ + CVE-2015-7975 \ + CVE-2015-7976 \ + CVE-2015-7977 \ + CVE-2015-7978 \ + CVE-2015-7979 \ + CVE-2015-8138 \ + CVE-2015-8139 \ + CVE-2015-8140 \ + CVE-2015-8158 \ + CVE-2016-1547 \ + CVE-2016-2516 \ + CVE-2016-2517 \ + CVE-2016-2519 \ + CVE-2016-7429 \ + CVE-2016-7433 \ + CVE-2016-9310 \ + CVE-2016-9311 \ +" + inherit autotools update-rc.d useradd systemd pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch new file mode 100644 index 0000000000..03b454d625 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch 
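Review bot: The nineteen CVEs added to `CVE_CHECK_IGNORE` in the ntp hunk share one comment (cve-check compares against 4.2.8 and drops the `p15` suffix), which explains why false positives occur but gives no way to confirm that each listed CVE was fixed at or before p15. A static list also has to be maintained by hand as further CVEs in the 4.2.8 range are published. Recording the fixing patch level per entry, e.g. a `# fixed in 4.2.8pNN (placeholder)` comment above each ID, or correcting the version comparison for this recipe instead of listing IDs, would make the exclusion auditable.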
@@ -0,0 +1,48 @@ +From ea179d83b0aa62719d90748cd1fb260f40055f15 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Mon, 13 Jun 2022 22:44:28 +0800 +Subject: [PATCH] configure.ac: eliminate build path from openvpn --version + option + +Before the patch: +$ openvpn --version +OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] +[snip] +Compile time defines: enable_async_push=no enable_comp_stub=no +[snip] +with_crypto_library=openssl with_gnu_ld=yes +with_libtool_sysroot=/buildarea/build/tmp/work/core2-64-poky-linux/openvpn/2.5.7-r0/recipe-sysroot +with_mem_check=no with_openssl_engine=auto + +After the patch: +$ openvpn --version +OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] +[snip] +Compile time defines: enable_async_push=no enable_comp_stub=no +[snip] +with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no +with_openssl_engine=auto + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 2f5f6bc..eddcbc5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1377,7 +1377,7 @@ if test "${enable_async_push}" = "yes"; then + esac + fi + +-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`" ++CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*=' | grep -v 'libtool_sysroot'`" + AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings]) + + TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID" +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn index e5af4b2301..e5af4b2301 100755..100644 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn 
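Review bot: `grep -v 'libtool_sysroot'` in the new `CONFIGURE_DEFINES` line is unanchored, so it drops any `with_*=` entry whose name or value contains that substring, and it removes only this one path-bearing variable. Anchoring it as `grep -v '^with_libtool_sysroot='` limits the filter to the intended setting. Any other `enable_*`/`with_*` value that carries a build-host path would still end up in the `openvpn --version` output, so the remaining defines should be checked on a real build.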
+++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf deleted file mode 100644 index 1205806d52..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn-volatile.conf +++ /dev/null @@ -1 +0,0 @@ -d @LOCALSTATEDIR@/run/openvpn 0755 root root - diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service deleted file mode 100644 index 01dd2e8c25..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I -After=syslog.target network.target - -[Service] -PrivateTmp=true -Type=forking -PIDFile=/var/run/openvpn/%i.pid -ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf - -[Install] -WantedBy=multi-user.target diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb index 3ed90a7c8d..a28c73ab5a 100644 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.7.bb 
@@ -5,12 +5,12 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89" DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" -inherit autotools systemd update-rc.d +inherit autotools systemd update-rc.d pkgconfig SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ + file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ file://openvpn \ - file://openvpn@.service \ - file://openvpn-volatile.conf" + " UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" @@ -19,9 +19,6 @@ SRC_URI[sha256sum] = "08340a389905c84196b6cd750add1bc0fa2d46a1afebfd589c24120946 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" -SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" -SYSTEMD_AUTO_ENABLE = "disable" - INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "openvpn" INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." 
@@ -35,31 +32,36 @@ EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-p # Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" +EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ + " + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ + " + +PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" + do_install:append() { install -d ${D}/${sysconfdir}/init.d install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d install -d ${D}/${sysconfdir}/openvpn + install -d ${D}/${sysconfdir}/openvpn/server + install -d ${D}/${sysconfdir}/openvpn/client + install -d ${D}/${sysconfdir}/openvpn/sample - install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf + install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts + install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys + install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d 
${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service - - install -d ${D}/${localstatedir} - install -d ${D}/${localstatedir}/lib - install -d -m 710 ${D}/${localstatedir}/lib/openvpn - - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - fi + install -d -m 710 ${D}/${localstatedir}/lib/openvpn } PACKAGES =+ " ${PN}-sample " @@ -67,9 +69,9 @@ PACKAGES =+ " ${PN}-sample " RRECOMMENDS:${PN} = "kernel-module-tun" FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES:${PN} += "${systemd_unitdir}/system/openvpn@.service \ - ${sysconfdir}/tmpfiles.d \ +FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ + ${systemd_system_unitdir}/openvpn-client@.service \ + ${nonarch_libdir}/tmpfiles.d \ " -FILES:${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \ - ${systemd_unitdir}/system/openvpn@loopback-client.service \ - ${sysconfdir}/openvpn/sample/" +FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ + " diff --git a/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_40.0.bb b/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_41.0.bb index c567e3314b..e5ecc5cd62 100644 --- a/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_40.0.bb +++ b/meta-openembedded/meta-networking/recipes-support/rdma-core/rdma-core_41.0.bb 
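Review bot: `install -d ${D}/${sysconfdir}/openvpn/server` and the matching `client` line in `do_install:append` create the instance directories with the default mode, while the state directory at the end of the function gets an explicit `-m 710`. These directories are presumably where per-instance configuration and key files will be placed, so an explicit restrictive mode, e.g. `install -d -m 750 ${D}${sysconfdir}/openvpn/server` and the same for `client`, would be consistent with the state directory. It would also avoid relying on the permissions of files added there later.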
@@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS:${PN} = "bash perl" SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=master;protocol=https" -SRCREV = "a3e69268892bbd5ab30123748e89a26509a25ac5" +SRCREV = "467363efbc0fea706752c1ba7a21c313823017e7" S = "${WORKDIR}/git" #Default Dual License https://github.com/linux-rdma/rdma-core/blob/master/COPYING.md diff --git a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb index d9083bcbe8..1887a5582f 100644 --- a/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-openembedded/meta-networking/recipes-support/spice/spice_git.bb @@ -30,6 +30,12 @@ SRC_URI = " \ S = "${WORKDIR}/git" +CVE_CHECK_IGNORE += "\ + CVE-2016-0749 \ + CVE-2016-2150 \ + CVE-2018-10893 \ +" + inherit autotools gettext python3native python3-dir pkgconfig DEPENDS += "spice-protocol jpeg pixman alsa-lib glib-2.0 python3-pyparsing-native python3-six-native glib-2.0-native" diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch new file mode 100644 index 0000000000..e730fe1cd0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch 
@@ -0,0 +1,31 @@ +From d23c0ea81e630af3cfda89aeeb52146c0c84c960 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 2 May 2022 09:31:49 +0200 +Subject: [PATCH] enum: Fix compiler warning + +Closes strongswan/strongswan#1025 + +Upstream-Status: Backport +[https://github.com/strongswan/strongswan/commit/d23c0ea81e630af3cfda89aeeb52146c0c84c960] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/libstrongswan/utils/enum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c +index 79da450f0c..1e77489f6f 100644 +--- a/src/libstrongswan/utils/enum.c ++++ b/src/libstrongswan/utils/enum.c +@@ -97,7 +97,7 @@ char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len) + return buf; + } + +- if (snprintf(buf, len, e->names[0]) >= len) ++ if (snprintf(buf, len, "%s", e->names[0]) >= len) + { + return NULL; + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch deleted file mode 100644 index 7da48cd2cf..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner <tobias@strongswan.org> -Date: Wed, 23 Feb 2022 17:29:02 +0100 -Subject: [PATCH] openssl: Don't unload providers - -There is a conflict between atexit() handlers registered by OpenSSL and -some executables (e.g. swanctl or pki) to deinitialize libstrongswan. -Because plugins are usually loaded after atexit() has been called, the -handler registered by OpenSSL will run before our handler. So when the -latter destroys the plugins it's a bad idea to try to access any OpenSSL -objects as they might already be invalid. - -Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") -Closes strongswan/strongswan#921 - -Upstream-Status: Backport -[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - .../plugins/openssl/openssl_plugin.c | 27 +++---------------- - 1 file changed, 3 insertions(+), 24 deletions(-) - -diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c -index 6b4923649..1491d5cf8 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c -+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -16,7 +16,6 @@ - - #include <library.h> - #include <utils/debug.h> --#include <collections/array.h> - #include <threading/thread.h> - #include <threading/mutex.h> - #include <threading/thread_value.h> -@@ -74,13 +73,6 @@ struct private_openssl_plugin_t { - * public functions - */ - openssl_plugin_t public; -- --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- /** -- * Loaded providers -- */ -- array_t *providers; --#endif - }; - - /** -@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, - METHOD(plugin_t, destroy, void, - private_openssl_plugin_t *this) - { --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- OSSL_PROVIDER *provider; -- while 
(array_remove(this->providers, ARRAY_TAIL, &provider)) -- { -- OSSL_PROVIDER_unload(provider); -- } -- array_destroy(this->providers); --#endif /* OPENSSL_VERSION_NUMBER */ -- - /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we - * can't call it as we couldn't re-initialize the library (as required by the - * unit tests and the Android app) */ -@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() - DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); - return NULL; - } -- array_insert_create(&this->providers, ARRAY_TAIL, fips); - /* explicitly load the base provider containing encoding functions */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "base")); -+ OSSL_PROVIDER_load(NULL, "base"); - } - else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", - TRUE, lib->ns)) - { - /* load the legacy provider for algorithms like MD4, DES, BF etc. */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "legacy")); -+ OSSL_PROVIDER_load(NULL, "legacy"); - /* explicitly load the default provider, as mentioned by crypto(7) */ -- array_insert_create(&this->providers, ARRAY_TAIL, -- OSSL_PROVIDER_load(NULL, "default")); -+ OSSL_PROVIDER_load(NULL, "default"); - } - ossl_provider_names_t data = {}; - OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); --- -2.25.1 - diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb index cfb7b41fa4..1b82dceac2 100644 --- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb 
@@ -9,10 +9,10 @@ DEPENDS = "flex-native flex bison-native" DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - file://0001-openssl-Don-t-unload-providers.patch \ + file://0001-enum-Fix-compiler-warning.patch \ " -SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd" +SRC_URI[sha256sum] = "91d0978ac448912759b85452d8ff0d578aafd4507aaf4f1c1719f9d0c7318ab7" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f1dba227ac..38fdbce892 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -19,7 +19,7 @@ SRC_URI += " \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279" +SRC_URI[sha256sum] = "881a13303e263b7dc7fe337534c8a541d4914552287879bed30bbe76c5bf68ca" PE = "1" |