Fixes several security vulnerabilities:
CVE-2025-49601, CVE-2025-49600, CVE-2025-52496,
CVE-2025-47917, CVE-2025-48965, CVE-2025-52497,
and CVE-2025-49087
The framework directory has been changed into a git submodule.[1][2]
The recipe now uses Git Submodule Fetcher (gitsm)
Changelog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
[1] 8cf5666a17
[2] c90c6d8ff7
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Tailscale is a mesh VPN built on the WireGuard protocol.
On the client side, it includes a node agent (tailscaled)
and a client application for configuration (tailscale).
These components can be bundled into a single binary for
a more smaller total size, which is done in this recipe.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Mark Bath <mark@baggywrinkle.co.uk>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch
0002-callback-job-Replace-return_false-in-constructors-wi.patch
0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch
removed since they're included in 6.0.2
Changelog:
=============
- Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
- Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
- POSIX regular expressions can be used to match remote identities.
- Switching configs based on EAP-Identities is supported. Setting
'remote.eap_id' now always initiates an EAP-Identity exchange.
- On Linux, sequence numbers from acquires are used when installing SAs. This
allows handling narrowing properly.
- During rekeying, the narrowed traffic selectors are now proposed instead of
the configured ones.
- The default AH/ESP proposals contain all supported key exchange methods plus
'none' to make PFS optional and accept proposals of older peers.
- GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance
if the esp4|6_offload modules are loaded.
- charon-nm sets the VPN connection as persistent, preventing NetworkManager
from tearing down the connection if the network connectivity changes.
- ML-KEM is supported via OpenSSL 3.5+.
- The wolfssl plugin is now compatible to wolfSSL's FIPS module.
- The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
anymore.
- The long defunct uci plugin has been removed.
- Log messages by watcher_t are now logged in a separate log group ('wch').
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bump minimum cmake dialect to be 3.5+, this is an openwrt
component, which does not get many updates these days. Ideally
the cmake files for the project should be fixed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to mosquitto 2.0.21. Update the patch status for issue 2895 and create a
new patch for an issue introduced in 2.0.19 which causes connections to get down
when the clock is changed.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Appends -Wno-error=vla-cxx-extension to CXXFLAGS as a temporary workaround for the following Clang error:
sctpthread.cpp:95:18: error: variable length arrays in C++ are a Clang extension [-Werror,-Wvla-cxx-extension]
95 | uint8_t buffer[m_linkMtuSize];
| ^~~~~~~~~~~~~
An upstream fix has been proposed: https://github.com/mguentner/cannelloni/pull/82
Please remove this workaround once the upstream patch is merged or fixed in some other way. Make sure it is fixed in the new version.
- Drop 0001-include-bits-stdc-.h-only-when-using-libstdc.patch because already fixed in newer version.
Changelog:
https://github.com/mguentner/cannelloni/compare/v1.1.0...v2.0.0
Fix:
| CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
| Compatibility with CMake < 3.5 has been removed from CMake.
|
| Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
| to tell CMake that the project requires at least <min> but has been updated
| to work with policies introduced by <max> or earlier.
|
| Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
|
|
| -- Configuring incomplete, errors occurred!
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix:
| CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
| Compatibility with CMake < 3.5 has been removed from CMake.
|
| Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
| to tell CMake that the project requires at least <min> but has been updated
| to work with policies introduced by <max> or earlier.
|
| Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
|
|
| -- Configuring incomplete, errors occurred!
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix:
| CMake Error at CMakeLists.txt:27 (cmake_minimum_required):
| Compatibility with CMake < 3.5 has been removed from CMake.
|
| Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
| to tell CMake that the project requires at least <min> but has been updated
| to work with policies introduced by <max> or earlier.
|
| Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
|
|
| -- Configuring incomplete, errors occurred!
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Drop 0001-Fix-build-with-gcc-15.patch because fixed in the newer version.
Changelog:
https://github.com/snort3/snort3/blob/3.9.1.0/ChangeLog.md
Fix:
| CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
| Compatibility with CMake < 3.5 has been removed from CMake.
|
| Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
| to tell CMake that the project requires at least <min> but has been updated
| to work with policies introduced by <max> or earlier.
|
| Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
|
|
| -- Configuring incomplete, errors occurred!
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix:
| CMake Error at CMakeLists.txt:24 (CMAKE_MINIMUM_REQUIRED):
| Compatibility with CMake < 3.5 has been removed from CMake.
|
| Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
| to tell CMake that the project requires at least <min> but has been updated
| to work with policies introduced by <max> or earlier.
|
| Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
|
|
| -- Configuring incomplete, errors occurred!
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
- decode: add check for ipv4 fragmentation for decode_ip
- example: added IP configs for other systems
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Make connection notifications transient
- StatusNotifierItem: announce children-display
- Manager: Hide bt status switch when PowerManager is not available
- Handling for new StatusNotifierWatcher
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Rootfs file differs with the same project configure, add preliminary
setting to avoid this.
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===============
- Updated supported versions for 1.11.0
- Add FreeBSD package/port mention into README
- Fixed grammatical issues and corrected spelling errors in README.md
- Refactored timeout.h: added template ctr and removed redundant ctrs
- fix no-revoke.
- Resolve CURLOPT_SSL_OPTIONS issues
- fix: remove duplicate call in Session::prepareCommonDownload()
- Update To The Latest Clang-Tidy Version
- Enhance: Use unordered_map for CURL error mapping
- Public cpr::Session::GetSharedPtrFromThis
- Replace ubuntu:22.04 and ubuntu:23.04 with ubuntu:latest
- [BUG] Fix cpr::ssl:KeyBlob: Copy blob to curl
- Added handling no_proxy override through Proxies
- fix: let bad-host-tests pass when there is DNS error redirection
- Removed 1.9.x from the supported versions
- Replaced the secureStringClear mechanism with a SecureString class
- Clang-Tidy And cppcheck Fixes
- Getter function for Session::header_ to enable the user to read back all headers set and delete select ones
- Status code int32_t -> long
- Fix windows static library build parameter in CMakeLists.txt
- Fix Seg-fault when setting proxy username + password
- Add Session::RemoveContent()
- Cookie expires date is now only 100 days in the future
- add curl's ANY and ANSAFE authorization options
- Fixed memory leak in threadpool
- Add enforced HTTP/3
- Update README.md to add Bazel extension instructions
- feat: Use CMAKE_MSVC_RUNTIME_LIBRARY for runtime selection in MSVC
- Update CMakeLists.txt project version for 1.11.2 release
- Add std::to_string functionality for ErrorCode to ease human meaningful logging
- Make cpr::async and HTTP (Get, Post, Put, etc.) callbacks cancelable
- Refactor AsyncWrapper to make it safer
- Do Not Check For Sanitizers If They Are Not Enabled
- Fix usage for TLS v1.3 cipher
- Changed LowSpeed to use std::chrono
- Better OpenSSL headers include based on headers version.
- Ensure cpr::LowSpeed properties are cased to long for curl
- Implemented cpr::BodyView.
- Add primary_ip primary_port to Response
- Bump stefanzweifel/git-auto-commit-action from 5 to 6
- Load all certs in a CaBuffer
- WIP CURL 8.13 Support
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Issue was related to latest UNPACKDIR changes -> https://git.openembedded.org/openembedded-core/commit/?id=46480a5e66747a673041fe4452a0ab14a1736d5e
ERROR: autossh-1.4g-r0 do_compile: Execution of '/srv/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/autossh/1.4g/temp/run.do_compile.2252' failed with exit code 1
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Issue was related to latest UNPACKDIR changes -> https://git.openembedded.org/openembedded-core/commit/?id=46480a5e66747a673041fe4452a0ab14a1736d5e
WARNING: mdio-netlink-1.3.1-r0 do_populate_lic: Could not copy license file - [Errno 2] No such file or directory: '/srv/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/mdio-netlink/1.3.1/git/COPYING'
ERROR: mdio-netlink-1.3.1-r0 do_populate_lic: QA Issue: mdio-netlink: LIC_FILES_CHKSUM points to an invalid file: /srv/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/qemux86_64-poky-linux/mdio-netlink/1.3.1/git/COPYING [license-checksum]
WARNING: mdio-tools-1.3.1-r0 do_populate_lic: Could not copy license file - [Errno 2] No such file or directory: '/srv/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/mdio-tools/1.3.1/git/COPYING'
ERROR: mdio-tools-1.3.1-r0 do_populate_lic: QA Issue: mdio-tools: LIC_FILES_CHKSUM points to an invalid file: /srv/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/mdio-tools/1.3.1/git/COPYING [license-checksum]
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
samba-common installs a volatiles configuration file but had not been
calling populate-volatile.sh to apply the configuration. This causes
samba installation to fail on a running target due to missing
directories.
Call "populate-volatile.sh update" in samba-common's postinst which
creates the required directories and enables samba to work.
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@emerson.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current include file that stores the known non-reproducible packages
is layer dependent and that forces the user of the layers to maintain
the list of the files (for example, see AB config[0]).
By moving the exclude list to each layer.conf and extending the common
OEQA_REPRODUCIBLE_EXCLUDED_PACKAGES variable, the known non-reproducible
packages will be automatically excluded for each layer used in the
reproducibility test without any special knowledge in the test
environment.
NB: the empty list for meta-initramfs was just removed not moved.
[0]: https://git.yoctoproject.org/yocto-autobuilder-helper/tree/config.json?id=7d8933e75bdf7fb821a25617cb2dcabf1f3f8700#n322
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Co-Developed-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backport of CVE-2024-0962.
Change summary for version 4.3.5:
* Support for wolfSSL TLS library.
* Support for DTLS1.3 (using wolfSSL).
* Support for Mbed TLS 3.6.0.
* Support for EC-JPAKE (Mbed TLS)
* TinyDTLS version update.
* Support for RIOT using SOCK i/f.
* Support for LwIP 2.2.0.
* Support for LwIP using NO_SYS set to 0.
* Support for (Posix based) Zephyr.
* Support for QNX builds.
* Support for ESP32 xtensa builds.
* Updated Contiki-NG support.
* Support for multi-thread safe libcoap usage.
* Support for defining binary PSK for coap-client and coap-server.
* Support for Connection-ID (CID) (Mbed TLS, wolfSSL and TinyDTLS).
* Added new define types for defining PKI parameters.
* Support for user definable ENGINE for OpenSSL.
* Support for using noTLS and TinyDTLS with WebSockets.
* Support for providing list of compilation #defines.
* Support for proxy code running within lbcoap.
* Cleaned up support for building .h files.
* Additional scan-build and pre-commit checks in build tests.
* Updated CI build tests to use latest action versions.
* Fixes CVE-2023-35862.
* Reported bugs fixed.
* Documentation added and updated (Doxygen and man).
License-Update: Updated years
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This dependency was removed in bridge-utils 1.2 back in 2006[1].
[1] bridge-utils 29cd6d997cacb9191d1f869ec83fc86045885527.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2025
fix-openssl-no-des.patch
refreshed for 5.75
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This reverts commit a8995fc3f3.
The patches for oe-core were re-worked. But I forgot to recall
this patch.
In fact, inheriting qemu is needed because it sets a clear barriar
for people to use qemu user mode. And the QEMU_OPTIONS settings
are also in qemu.bbclass.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using a string search for Fail is not going to work always e.g.
when all tests are passing it still prints a summary string with string
"Fail" in it which points to 0, however the logic here catches that and
counts it as 1 failure and marks the return value as 1 and ptest runner
interprets that as failure
Pass the return value from unit.test which should be 0 on all passes
or non zero otherwise.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- there is no tarball hosted at gnome anymore -> switch from
gnomebase class to meson + git
- add missing dependencies for uuid and nvme, add pkgconfig class
- dhcpcanon option was removed upstream
- gtkdoc is broken. Disable to unbreak builds if api-documentation
is enabled
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop redundant limit declaration patch. Swap issetugid()/getenv() call for
secure_getenv() on Linux.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop fixes which are upstream (fixed differently):
* 0001-Fix-SIGSEGV-during-DumpStateLog.patch
* 0004-Add-definition-for-MAX.patch
Upstream has significantly reworked the netlink handling, this breaks the
existing patches which:
* Rework the interface handling from a bitbmap into a list
* Include checks for significant changes to interfaces before discarding the
entire set and restarting
* A fix for deleting interfaces
The upstream code appears to handle the latter two cases, the former was
noted as a problem on Android in 2017.
Drop all these changes and hope that they are indeed resolved; the upstream
changes appear to be based on code from the matter-openwrt tree (authored by
Apple):
https://github.com/project-chip/matter-openwrt/tree/main/third_party/mdnsresponder/patches
Refresh all other patches.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Move enabling of openssl 3.0 API from EXTRA_OECMAKE to
PACKAGECONFIG[ssl] so that this package can still be configured
successfully without ssl in PACKAGECONFIG.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop a denied patch and use the suggestion to ignore the warning.
Compile with C++20 std, because gcc-15 has started to warn about
recipe-sysroot/usr/include/c++/15.1.0/ciso646:46:4: error: #warning "<ciso646> is deprecated in C++17, use <version> to detect implementation-specific macros" [-Werror=cpp]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
