Diffstat (limited to 'meta-openembedded/meta-networking')
26 files changed, 460 insertions, 82 deletions
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb b/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb index d36646c0d7..e5f7e0334f 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb @@ -34,7 +34,14 @@ SYSTEMD_AUTO_ENABLE:${PN} = "disable" CFLAGS += "-D_GNU_SOURCE -fcommon" LDFLAGS:append = " -pthread" -EXTRA_OECONF = "--enable-paranoia \ +BIND_EXTRA_CONFIG = "\ + --build=${BUILD_SYS} \ + --host=${HOST_SYS} \ + --target=${TARGET_SYS} \ +" + +EXTRA_OECONF = "--with-bind-extra-config="${BIND_EXTRA_CONFIG}" \ + --enable-paranoia \ --disable-static \ --enable-libtool \ --with-randomdev=/dev/random \ diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch new file mode 100644 index 0000000000..d98d8fa575 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch 
@@ -0,0 +1,33 @@
+From 2246925e3cb16183e25d4e2cfd13fb800df86270 Mon Sep 17 00:00:00 2001
+From: Beniamin Sandu <beniaminsandu@gmail.com>
+Date: Sun, 25 Jun 2023 19:58:08 +0300
+Subject: [PATCH] aesce: do not specify an arch version when enabling crypto
+ instructions
+
+Building mbedtls with different aarch64 tuning variations revealed
+that we should use the crypto extensions without forcing a particular
+architecture version or core, as that can create issues.
+
+Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls/pull/7834]
+
+Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
+---
+ library/aesce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/library/aesce.c b/library/aesce.c
+index fe056dc4c..843de3973 100644
+--- a/library/aesce.c
++++ b/library/aesce.c
+@@ -60,7 +60,7 @@
+ # error "A more recent GCC is required for MBEDTLS_AESCE_C"
+ # endif
+ # pragma GCC push_options
+-# pragma GCC target ("arch=armv8-a+crypto")
++# pragma GCC target ("+crypto")
+ # define MBEDTLS_POP_TARGET_PRAGMA
+ # else
+ # error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
new file mode 100644
index 0000000000..4775c8ddb7
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
@@ -0,0 +1,34 @@ +From 03d3523f974536f2358047382aadb0d4cc762f8a Mon Sep 17 00:00:00 2001 +From: Beniamin Sandu <beniaminsandu@gmail.com> +Date: Mon, 26 Jun 2023 12:07:21 +0300 +Subject: [PATCH] aesce: use correct target attribute when building with clang + +Seems clang has its own issues when it comes to crypto extensions, +and right now the best way to avoid them is to accurately enable +the needed instructions instead of the broad crypto feature. + +E.g.: https://github.com/llvm/llvm-project/issues/61645 + +Upstream-Status: Pending + +Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com> +--- + library/aesce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/library/aesce.c b/library/aesce.c +index 843de3973..7bea088ba 100644 +--- a/library/aesce.c ++++ b/library/aesce.c +@@ -53,7 +53,7 @@ + # if __clang_major__ < 4 + # error "A more recent Clang is required for MBEDTLS_AESCE_C" + # endif +-# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) ++# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function) + # define MBEDTLS_POP_TARGET_PRAGMA + # elif defined(__GNUC__) + # if __GNUC__ < 6 +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb index 242495e941..ce094d5afb 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb @@ -23,7 +23,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SECTION = "libs" S = "${WORKDIR}/git" -SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53" +SRCREV = "981743de6fcdbe672e482b6fd724d31d0a0d2476" SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ file://run-ptest \ " 
@@ -62,6 +62,12 @@ CVE_CHECK_IGNORE += "CVE-2021-43666" # Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c CVE_CHECK_IGNORE += "CVE-2021-45451" +# Strip host paths from autogenerated test files +do_compile:append() { + sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : + sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || : +} + # Export source files/headers needed by Arm Trusted Firmware sysroot_stage_all:append() { sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb index ebc6ba5737..b8c9662de7 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb @@ -25,8 +25,9 @@ SECTION = "libs" S = "${WORKDIR}/git" SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33" SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \ - file://run-ptest \ - " + file://0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch \ + file://0002-aesce-use-correct-target-attribute-when-building-wit.patch \ + file://run-ptest" inherit cmake update-alternatives ptest @@ -41,9 +42,6 @@ PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF" EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}" -# Needs crypto instructions on aarch64 -TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}" - # For now the only way to enable PSA is to explicitly pass a -D via CFLAGS CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}" 
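Review bot: Both `sed` calls in the new `do_compile:append` throw away stderr and force success with `|| :`, so a substitution that fails leaves the build host's paths in `${B}/tests/*.c` with no warning in the log. The `+` delimiter makes such a failure plausible, because `${S}` and `${B}` expand to work-directory paths and a `+` in one of them (a `+git`-style version component, for example) would end the pattern early. A delimiter that is much less likely to occur in a path, with the two expressions merged, would be `sed -i -e 's|${S}/||g' -e 's|${B}/||g' ${B}/tests/*.c`. If the silencing is only there for builds that generate no test sources, checking for the files first keeps real `sed` errors visible.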
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.6.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.8.bb index 3196b0c244..5d9c6f4274 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.6.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.8.bb @@ -32,7 +32,7 @@ SRC_URI = " \ file://enable-iwd.conf \ " -SRC_URI[sha256sum] = "8c388ac3775ac6bceb605fae21be2c3e261cafe6067994a89f0dfa4610ed0279" +SRC_URI[sha256sum] = "0337e7583d2ec5ade2ba2e8c625d2f09eeccda1d22836ee29aa72925d399c353" S = "${WORKDIR}/NetworkManager-${PV}" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.3.bb b/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.5.bb index bfd51f7f70..bcfe646913 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.3.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.5.bb @@ -3,7 +3,7 @@ LICENSE = "GPL-3.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE;md5=3d575262a651a6f1a17210ce41bf907d" SRC_URI = "git://github.com/adrienverge/openfortivpn.git;protocol=https;branch=master" -SRCREV = "45cb8e0f9984f1d54b648e499bda637d96568908" +SRCREV = "1ccb8ee682af255ae85fecd5fcbab6497ccb6b38" DEPENDS = "openssl" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.3.bb b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb index ee3665ca15..66089edad5 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.3.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb 
@@ -32,7 +32,7 @@ SRC_URI:append:libc-musl = " \ file://cmocka-uintptr_t.patch \ " -SRC_URI[sha256sum] = "c67e1453165a3918ffffad600236ca3966b47bde4798e89ae600ae3903ccc32c" +SRC_URI[sha256sum] = "6ba7b3503cc59c9ff4f6fcb1b510c2c855fff93e0b366ab891a32a4732e88e53" UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default new file mode 100644 index 0000000000..f1f67c55c0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default @@ -0,0 +1 @@ +INTERFACES="eth0" diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service new file mode 100644 index 0000000000..487328c1b0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service @@ -0,0 +1,12 @@ +[Unit] +Description=Snort NIDS Daemon +After=syslog.target network.target + +[Service] +Type=simple +EnvironmentFile=/etc/default/snort +ExecStartPre=/bin/mkdir -p /var/log/snort +ExecStart=/usr/bin/snort -q -c /etc/snort/snort.conf -l /var/log/snort -i $INTERFACES + +[Install] +WantedBy=multi-user.target diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb index c15c20443d..8b9092b418 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb 
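Review bot: The new snort.service starts Snort as root and keeps it there, with no `User=`, no capability bound and no filesystem restrictions, although the daemon's whole job is to parse traffic arriving on `$INTERFACES`. Snort's `-u` and `-g` options can switch to an unprivileged account once the capture handle is open (the recipe would have to create that account), and systemd can create the log directory itself, which replaces the `ExecStartPre=/bin/mkdir` line. `After=syslog.target` names a target that current systemd no longer provides, so it can be dropped. The directives below are a starting point and need a test on the target image; a `CapabilityBoundingSet=` is a sensible next step once the capabilities Snort needs there are confirmed.

```ini
[Service]
Type=simple
EnvironmentFile=/etc/default/snort
# … unchanged: ExecStart line …
LogsDirectory=snort
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
```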
@@ -8,6 +8,8 @@ DEPENDS = "xz libpcap libpcre daq libdnet util-linux daq-native libtirpc bison-n SRC_URI = "https://www.snort.org/downloads/archive/snort/${BP}.tar.gz \ file://snort.init \ + file://snort.service \ + file://snort.default \ file://volatiles.99_snort \ file://0001-libpcap-search-sysroot-for-headers.patch \ file://fix-host-contamination-when-enable-static-daq.patch \ @@ -19,11 +21,15 @@ SRC_URI[sha256sum] = "29400e13f53b1831e0b8b10ec1224a1cbaa6dc1533a5322a20dd80bb84 UPSTREAM_CHECK_URI = "https://www.snort.org/downloads" UPSTREAM_CHECK_REGEX = "snort-(?P<pver>\d+(\.\d+)+)\.tar" -inherit autotools gettext update-rc.d pkgconfig +inherit autotools gettext update-rc.d pkgconfig systemd INITSCRIPT_NAME = "snort" INITSCRIPT_PARAMS = "defaults" +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "snort.service" +SYSTEMD_AUTO_ENABLE = "disable" + EXTRA_OECONF = " \ --enable-gre \ --enable-linux-smp-stats \ @@ -69,8 +75,17 @@ do_install:append() { ${D}${sysconfdir}/snort/snort.conf cp ${S}/preproc_rules/*.rules ${D}${sysconfdir}/snort/preproc_rules/ - install -m 755 ${WORKDIR}/snort.init ${D}${sysconfdir}/init.d/snort + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -m 755 ${WORKDIR}/snort.init ${D}${sysconfdir}/init.d/snort + fi + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}/${systemd_system_unitdir} + install -m 644 ${WORKDIR}/snort.service ${D}/${systemd_system_unitdir} + # Install default environment file + install -d ${D}/${sysconfdir}/default + install -m 0644 ${WORKDIR}/snort.default ${D}${sysconfdir}/default/snort + fi install -d ${D}${sysconfdir}/default/volatiles install -m 0644 ${WORKDIR}/volatiles.99_snort ${D}${sysconfdir}/default/volatiles/99_snort 
@@ -87,6 +102,7 @@ FILES:${PN} += " \ ${libdir}/snort_dynamicengine/*.so.* \ ${libdir}/snort_dynamicpreprocessor/*.so.* \ ${libdir}/snort_dynamicrules/*.so.* \ + ${systemd_system_unitdir}/snort.service \ " FILES:${PN}-dbg += " \ ${libdir}/snort_dynamicengine/.debug \ diff --git a/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb b/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb index 0fc342560a..efea3fab74 100644 --- a/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb +++ b/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb @@ -16,6 +16,8 @@ S = "${WORKDIR}/git" inherit autotools manpages pkgconfig ptest +DEPENDS += "ctags-native" + PACKAGECONFIG ?= "\ async openssl tcp \ ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ @@ -42,6 +44,10 @@ python () { export SGML_CATALOG_FILES="file://${STAGING_ETCDIR_NATIVE}/xml/catalog" +do_compile:prepend() { + oe_runmake update-map-file +} + do_install_ptest () { install -d ${D}${PTEST_PATH} install -m 0755 ${WORKDIR}/run-ptest ${D}${PTEST_PATH}/run-ptest diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch new file mode 100644 index 0000000000..6302829267 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch 
@@ -0,0 +1,31 @@
+From 5a0799d0bacc0cf93e15febdac7d8c50b21e7234 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 15 Jul 2023 13:13:12 -0700
+Subject: [PATCH] Disable annobin plugin
+
+OE gcc does not build this plugin, moreover there are non gcc compilers
+which can be used with OE as well e.g. clang which might not have it
+either
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dlm_controld/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile
+index 8802d88..0380ec9 100644
+--- a/dlm_controld/Makefile
++++ b/dlm_controld/Makefile
+@@ -47,7 +47,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+
+ BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
+ BIN_CFLAGS += -I../include -I../libdlm
+-LIB_CFLAGS += $(CFLAGS) -fPIC -fplugin=annobin
++LIB_CFLAGS += $(CFLAGS) -fPIC
+
+ BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie
+ BIN_LDFLAGS += -lpthread -lrt -lcpg -lcmap -lcfg -lquorum -luuid
+--
+2.41.0
+
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch
new file mode 100644
index 0000000000..6290aa4c7a
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch
@@ -0,0 +1,64 @@ +From e4ae70ae71f88d48cf1ab63810c9f7b4177af3a5 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 15 Jul 2023 19:05:54 -0700 +Subject: [PATCH] Remove -fcf-protection=full + +This option is not available on all architectures e.g. RISC-V +Fixes +| cc1: error: '-fcf-protection=full' is not supported for this target + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + dlm_controld/Makefile | 1 - + dlm_tool/Makefile | 1 - + fence/Makefile | 1 - + libdlm/Makefile | 4 ++-- + 4 files changed, 2 insertions(+), 5 deletions(-) + +--- a/dlm_controld/Makefile ++++ b/dlm_controld/Makefile +@@ -43,7 +43,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ + -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ + -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ + -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ +- -fstack-clash-protection -fcf-protection=full ++ -fstack-clash-protection + + BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE + BIN_CFLAGS += -I../include -I../libdlm +--- a/dlm_tool/Makefile ++++ b/dlm_tool/Makefile +@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ + -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ + -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ + -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ +- -fstack-clash-protection -fcf-protection=full ++ -fstack-clash-protection + + CFLAGS += -fPIE -DPIE + CFLAGS += -I../include -I../libdlm -I../dlm_controld +--- a/fence/Makefile ++++ b/fence/Makefile +@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ + -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ + -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ + -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ +- -fstack-clash-protection -fcf-protection=full ++ -fstack-clash-protection + + CFLAGS += -fPIE -DPIE + CFLAGS += -I../include +--- a/libdlm/Makefile ++++ b/libdlm/Makefile +@@ -80,8 +80,8 
@@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ + -fdiagnostics-show-option \ + -fPIC + +-LIB_CFLAGS += $(CFLAGS) -D_REENTRANT -fcf-protection=full +-LLT_CFLAGS += $(CFLAGS) -fcf-protection=full ++LIB_CFLAGS += $(CFLAGS) -D_REENTRANT ++LLT_CFLAGS += $(CFLAGS) + + LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,now + LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,now diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch deleted file mode 100644 index 3d1551574e..0000000000 --- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch +++ /dev/null @@ -1,35 +0,0 @@ -From da08f5ec5e553bd43f92a0b0f7476179b0b74502 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Wed, 26 Jun 2019 11:49:33 +0800 -Subject: [PATCH] dlm: fix compile error since xml2-config should not be used - -xml2-config is disabled, so change Makefile to use pkgconfig -to find libxml2. - -Upstream-Status: Inappropriate [oe-specific] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> - ---- - fence/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fence/Makefile b/fence/Makefile -index 2b080468..ff2eda3f 100644 ---- a/fence/Makefile -+++ b/fence/Makefile -@@ -18,12 +18,12 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ - -fstack-clash-protection -Wl,-z,now - - CFLAGS += -fPIE -DPIE --CFLAGS += `xml2-config --cflags` -+CFLAGS += `pkg-config libxml-2.0 --cflags` - CFLAGS += -I../include - CFLAGS += $(shell pkg-config --cflags pacemaker-fencing) - - LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie --LDFLAGS += `xml2-config --libs` -+LDFLAGS += `pkg-config libxml-2.0 --libs` - LDFLAGS += -ldl - - all: $(BIN_TARGET) 
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch
new file mode 100644
index 0000000000..55efcea184
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch
@@ -0,0 +1,35 @@
+From 4c40289eb9e47cfd272a8cc402fd2ddb29e2a3dc Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Wed, 24 May 2023 13:50:59 +0000
+Subject: [PATCH] dlm_controld: remove unnecessary header include
+
+The timewarn netlink functionality got dropped and will be removed by
+kernel v6.4. The user space part was already dropped by commit 34ea31e7
+("controld: remove timewarn handling"). This is just a left over of this
+commit. Recent builds fails now because the UAPI header in the Linux
+kernel was removed. This means older dlm sources cannot be build with
+newer kernel-headers, however it is not recommended to use older dlm
+sources and all existing users should upgrade anyway.
+
+Upstream-Status: Backport [https://pagure.io/dlm/c/ddbba6608896f81bfce8f8edf3d0f507714cfc43?branch=main]
+Reported-by: Fabio M. Di Nitto <fdinitto@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dlm_controld/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/dlm_controld/main.c b/dlm_controld/main.c
+index 7cf6348..e70e96a 100644
+--- a/dlm_controld/main.c
++++ b/dlm_controld/main.c
+@@ -12,7 +12,6 @@
+ #include <pthread.h>
+ #include <linux/netlink.h>
+ #include <linux/genetlink.h>
+-#include <linux/dlm_netlink.h>
+ #include <uuid/uuid.h>
+
+ #ifdef USE_SD_NOTIFY
+--
+2.41.0
+
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch deleted file mode 100644 index 257c5d02ff..0000000000 --- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 9652e6b3c43b4c051f2ff0e000d7ebf5fbab418e Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 29 Aug 2022 10:54:51 -0700 -Subject: [PATCH] include string.h for memset prototype - -Upstream-Status: Submitted [https://pagure.io/dlm/pull-request/3] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - dlm_controld/lib.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/dlm_controld/lib.c b/dlm_controld/lib.c -index 8cbdd27f..a7502fcd 100644 ---- a/dlm_controld/lib.c -+++ b/dlm_controld/lib.c -@@ -10,6 +10,7 @@ - #include <stdlib.h> - #include <unistd.h> - #include <stdint.h> -+#include <string.h> - #include <errno.h> - #include <time.h> - #include <sys/types.h> diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.1.1.bb b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.2.0.bb index bb33890ec9..094dbb1ad0 100644 --- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.1.1.bb +++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.2.0.bb 
@@ -6,13 +6,14 @@ HOMEPAGE = "https://fedorahosted.org/cluster/wiki/HomePage" REQUIRED_DISTRO_FEATURES = "systemd" SRC_URI = "https://pagure.io/dlm/archive/dlm-${PV}/dlm-dlm-${PV}.tar.gz \ - file://0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch \ file://0001-Include-sys-sysmacros.h-for-major-minor-macros-in-gl.patch \ file://0001-make-Replace-cp-a-with-mode-preserving-options.patch \ - file://0004-include-string.h-for-memset-prototype.patch \ + file://0001-dlm_controld-remove-unnecessary-header-include.patch \ + file://0001-Disable-annobin-plugin.patch \ + file://0001-Remove-fcf-protection-full.patch \ " -SRC_URI[sha256sum] = "f12c0056b9196dfcecbec2fa8930feb87c605a86ef0f3d7bd6fb0b77cd7f45ca" +SRC_URI[sha256sum] = "90237e18af7422ac15fc756899b3bb6932597b13342296de8e0e120e6d8729ab" UPSTREAM_CHECK_URI = "https://pagure.io/dlm/releases" UPSTREAM_CHECK_REGEX = "dlm-(?P<pver>\d+(\.\d+)+)" @@ -35,11 +36,15 @@ SYSTEMD_AUTO_ENABLE = "enable" export EXTRA_OEMAKE = "" -DONTBUILD = "${@bb.utils.contains('PACKAGECONFIG', 'pacemaker', '', 'fence', d)}" +CFPROTECTION ?= "-fcf-protection=full" +CFPROTECTION:riscv64 = "" +CFPROTECTION:arm = "" -do_compile:prepend:toolchain-clang() { - sed -i -e "s/-fstack-clash-protection//g" ${S}/*/Makefile -} +CFLAGS += "${CFPROTECTION}" + +PARALLEL_MAKE = "" + +DONTBUILD = "${@bb.utils.contains('PACKAGECONFIG', 'pacemaker', '', 'fence', d)}" do_compile() { sed -i "s/libsystemd-daemon/libsystemd/g" ${S}/dlm_controld/Makefile @@ -57,4 +62,3 @@ do_install() { install -Dm 0644 ${S}/init/dlm.service ${D}${systemd_unitdir}/system/dlm.service fi } - diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb index 8b47ceb1c0..0c6fd90d34 100644 --- a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb 
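Review bot: `CFPROTECTION ?= "-fcf-protection=full"` in the second dlm_4.2.0.bb hunk stays enabled for every target except the two overrides listed, yet 0001-Remove-fcf-protection-full.patch in this same commit exists because the compiler rejects the flag where it is unsupported. As far as I know GCC accepts `-fcf-protection` only on x86, so riscv64 and arm are unlikely to be the only targets that fail. Making the flag opt-in is more robust than an opt-out list: `CFPROTECTION ?= ""` with `CFPROTECTION:x86 = "-fcf-protection=full"` and `CFPROTECTION:x86-64 = "-fcf-protection=full"`. The hunk also removes the `do_compile:prepend:toolchain-clang` workaround and sets `PARALLEL_MAKE = ""` without saying why; a one-line comment on each would help whoever does the next upgrade.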
+++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb @@ -11,6 +11,7 @@ EXTRA_OECONF += "LIBS=-ltirpc CPPFLAGS=-I${STAGING_INCDIR}/tirpc" SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2 \ file://conntrack-failover \ file://init \ + file://conntrackd.service \ " SRC_URI[sha256sum] = "099debcf57e81690ced57f516b493588a73518f48c14d656f823b29b4fc24b5d" @@ -25,6 +26,10 @@ PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" INITSCRIPT_NAME = "conntrackd" +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "conntrackd.service" +SYSTEMD_AUTO_ENABLE = "disable" + do_install:append() { install -d ${D}/${sysconfdir}/conntrackd install -d ${D}/${sysconfdir}/init.d @@ -37,6 +42,11 @@ do_install:append() { sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}/${systemd_system_unitdir} + install -m 644 ${WORKDIR}/conntrackd.service ${D}/${systemd_system_unitdir} + fi } # fix error message: Do not forget that you need *root* or CAP_NET_ADMIN capabilities ;-) @@ -44,3 +54,7 @@ pkg_postinst:${PN} () { setcap cap_net_admin+ep "$D/${sbindir}/conntrack" } PACKAGE_WRITE_DEPS += "libcap-native" + +RRECOMMENDS:${PN} = "kernel-module-nf-conntrack kernel-module-nfnetlink \ + kernel-module-nf-conntrack-netlink \ + " 
diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service new file mode 100644 index 0000000000..b3b0f1d216 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service @@ -0,0 +1,11 @@ +[Unit] +Description=Conntrack Daemon +Documentation=man:conntrackd(8) man:conntrackd.conf(5) + +[Service] +Type=notify +ExecStartPre=-/bin/rm -f /var/lock/conntrackd.lock +ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf + +[Install] +WantedBy=multi-user.target diff --git a/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_3.8.bb b/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_4.0.1.bb index 8c770938af..00472e21eb 100644 --- a/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_3.8.bb +++ b/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_4.0.1.bb @@ -10,7 +10,7 @@ SRC_URI = "https://weechat.org/files/src/weechat-${PV}.tar.xz \ file://0001-use-pkg-config-for-gcrypt-instead.patch \ " -SRC_URI[sha256sum] = "f7cb65c200f8c090c56f2cf98c0b184051e516e5f7099a4308cacf86f174bf28" +SRC_URI[sha256sum] = "1b9533123af427922b3d7fabede958dc85392d50881d97d0b7986d8f514556e9" inherit cmake pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb index 9669260945..b87c3e78b0 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb 
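Review bot: `Type=notify` in the new conntrackd.service makes systemd wait for a readiness message, which conntrackd sends only when built with systemd support and, as far as I know, only when the configuration enables it (`Systemd on` in the `General` section of conntrackd.conf). The recipe installs this unit whenever `systemd` is in DISTRO_FEATURES, independently of the `systemd` PACKAGECONFIG, so on an image lacking either piece the start would wait for the timeout and then be marked failed. Tying the unit's installation to that PACKAGECONFIG, or documenting the required setting in a comment at the top of the unit, would close the gap. The unit also hard-codes `/usr/sbin`, `/etc` and `/var/lock`, while the recipe rewrites those prefixes with `sed` for the init scripts; the same substitution could be applied to the installed unit.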
@@ -14,7 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \ file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \ " -SRCREV = "62ac43de9f3bc470586cf4f51fadf013bf542b32" +SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d" UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P<pver>\d+(\.\d+)+)$" diff --git a/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc b/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc index 7afe1c56bd..46d0c1b4f1 100644 --- a/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc +++ b/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc @@ -5,4 +5,4 @@ LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://${WORKDIR}/git/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "git://github.com/wkz/mdio-tools.git;protocol=https;branch=master" -SRCREV = "ee47c32d958ae0dcb9900b3b06654a8c08001331" +SRCREV = "0dbfca13a094d20d736153c63161cf11b9ccf2d3" diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch new file mode 100644 index 0000000000..170dddf688 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch 
@@ -0,0 +1,163 @@ +From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Mon, 8 May 2023 19:04:57 -0700 +Subject: [PATCH] Remove some dead code. + +Address CVE-2023-20867. +Remove some authentication types which were deprecated long +ago and are no longer in use. These are dead code. + +CVE: CVE-2023-20867 + +Upstream-Status: Backport +[https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + open-vm-tools/services/plugins/vix/vixTools.c | 102 -------------------------- + 1 file changed, 102 deletions(-) + +diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c +index 9f376a7..85c5ba7 100644 +--- a/open-vm-tools/services/plugins/vix/vixTools.c ++++ b/open-vm-tools/services/plugins/vix/vixTools.c +@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; + #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" + #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" + +-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE +- + /* + * The switch that controls all APIs + */ +@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( + + void GuestAuthUnimpersonate(); + +-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, +- const char *typeName); +- + #if SUPPORT_VGAUTH + + VGAuthError TheVGAuthContext(VGAuthContext **ctx); +@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN + userToken); + break; + } +- case VIX_USER_CREDENTIAL_ROOT: +- { +- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && +- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, +- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { +- /* +- * Don't accept hashed shared secret if disabled. 
+- */ +- g_message("%s: Requested authentication type has been disabled.\n", +- __FUNCTION__); +- err = VIX_E_GUEST_AUTHTYPE_DISABLED; +- goto done; +- } +- } +- // fall through +- +- case VIX_USER_CREDENTIAL_CONSOLE_USER: +- err = VixToolsImpersonateUserImplEx(NULL, +- credentialType, +- NULL, +- loadUserProfile, +- userToken); +- break; + case VIX_USER_CREDENTIAL_NAME_PASSWORD: + case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: + case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: +@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN + } + + /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- */ +- if ((VIX_USER_CREDENTIAL_ROOT == credentialType) +- && (thisProcessRunsAsRoot)) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- * +- * XXX This has been deprecated XXX +- */ +- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) +- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* + * If the VMX asks us to run commands in the context of the current + * user, make sure that the user who requested the command is the + * same as the current user. 
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN + /* + *----------------------------------------------------------------------------- + * +- * VixToolsCheckIfAuthenticationTypeEnabled -- +- * +- * Checks to see if a given authentication type has been +- * disabled via the tools configuration. +- * +- * Return value: +- * TRUE if enabled, FALSE otherwise. +- * +- * Side effects: +- * None +- * +- *----------------------------------------------------------------------------- +- */ +- +-static Bool +-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN +- const char *typeName) // IN +-{ +- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled +- gboolean disabled; +- +- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), +- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", +- typeName); +- +- ASSERT(confDictRef != NULL); +- +- /* +- * XXX Skip doing the strcmp() to verify the auth type since we only +- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default +- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. +- */ +- disabled = VMTools_ConfigGetBoolean(confDictRef, +- VIX_TOOLS_CONFIG_API_GROUPNAME, +- authnDisabledName, +- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); +- +- return !disabled; +-} +- +- +-/* +- *----------------------------------------------------------------------------- +- * + * VixTools_ProcessVixCommand -- + * + * +-- +2.6.2 + diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb index d389d2450c..e12e4be7f8 100644 --- a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb 
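Review bot: After this backport the `VIX_USER_CREDENTIAL_ROOT` and `VIX_USER_CREDENTIAL_CONSOLE_USER` values no longer have a `case` arm in `VixToolsImpersonateUser`, and the hunk does not show what the `switch` does with them now. The blocks removed from `VixToolsImpersonateUserImplEx` assigned `PROCESS_CREATOR_USER_TOKEN` and set `err = VIX_OK` for those types without checking any credential, so the remaining path must end in an authentication error rather than continue with an unset `userToken`. The other arms and any `default:` lie outside the hunk, so this needs checking against the full vixTools.c at the recipe's SRCREV. The `Upstream-Status: Backport` reference names a file on a branch; adding the hash of the upstream commit would make the backport easier to audit.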
@@ -43,6 +43,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=stabl file://0012-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ file://0001-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \ + file://CVE-2023-20867.patch;patchdir=.. \ " UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb index d461c8d3dc..c7d14e2ab6 100644 --- a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb +++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb @@ -11,7 +11,7 @@ SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcprepl file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \ " -SRC_URI[sha256sum] = "216331692e10c12d7f257945e777928d79bd091117f3e4ffb5b312eb2ca0bf7c" +SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf" UPSTREAM_CHECK_URI = "https://github.com/appneta/tcpreplay/releases" |