Changelog:
===========
- add OpenSSL 3.0+ PKCS#11 support using OSSL_STORE API
- add OpenSSL Engine support (with OpenSSL < 3.0)
- update package links for distros in README
- remove deprecated option --plugin
- increase the maximum size of the proxy response
- route: always remove wrong pppd route to self
- fix several Coverity warnings
- fix a memory leak in new ipv4_drop_wrong_route method
- HTTP: fixes missing '\0' in debug
- IO: fixes a RC use after free
- SSL: Avoid leaking SSL context
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The recipe splits python code to nftables-python package, however
setuptools classes add the dependency to main package.
Since nftables-python package already has python3-core explicit
dependency, remove it from the main package.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog [1]:
* Fixes the following CVEs
CVE-2025-59391
CVE-2025-65494
CVE-2025-65495
CVE-2025-65496
CVE-2025-65497
CVE-2025-65498
CVE-2025-65499
CVE-2025-65500
CVE-2025-65501
* CVE-2025-50518 not fixed as user application error.
* Support for Mbed TLS 3.6.3.
* Support for RIOT update changes.
* Fixes for later CI environment builds.
* Critical reported bugs fixed.
Add tag to SRC_URI for hash verification.
License-Update: copyright years refreshed [2]
[1] https://github.com/obgm/libcoap/blob/v4.3.5a/ChangeLog
[2] 993c12ac92
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop 0001-snprintf-Add-math.h-to-ensure-isnan-and-isinf-are-de.patch and
v1-0001-Make-time-calculations-always-long-long.patch as those were merged upstream.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A version newer than 1.195 is required for certain features of newer
versions of cloud-init. May as well bump to the version in Debian
Testing.
I also noticed it appears the licence was incorrectly specified, and is
indeed BSD-3-Clause.
License-update: Added copyright holders and clarified man page licence
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Code maintenance / Compat changes
---------------------------------
- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
need special handling which we don't do, so the t_lpback self-test
failed on them. Exclude from list of allowed ciphers, as there is no
strong reason today to make OpenVPN use these.
- fix various compile-time warnings
Documentation updates
---------------------
- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
manpage, ...)
Bugfixes
--------
- Fix memcmp check for the hmac verification in the 3way handshake.
This bug renders the HMAC based protection against state exhaustion on
receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
CVE: 2025-13086
- fix invalid pointer creation in tls_pre_decrypt() - technically this is
a memory over-read issue, in practice, the compilers optimize it away
so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow using of "stdin" for the
config file, unless the caller is authorized OpenVPN Administrator
- Windows: in the interactive service, change all netsh calls to use
interface index and not interface name - sidesteps all possible attack
avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in
some "unlikely to happen" paths.
- auth plugin/script handling: properly check for errors in creation on
$auth_failed_reason_file (arf).
- for incoming TCP connections, close-on-exec option was applied to
the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Implement support for CURLOPT_CAINFO_BLOB
- Added support for CURLOPT_SSLCERT_BLOB
- Refactor: Pass std::string_view by value instead of by const reference
- Add connection pool option (V3)
- fix: Calling empty callbacks
- fix: callback function pointer type mismatch in writeFunction
- 1.12.0 CI Fixes
- fix: Cmake config file
- fix: make is_same_v check constexpr in set_option_internal
- cpr::MultiPerform fixes - #1047 and #1186
- Bump actions/setup-python from 5 to 6
- Bump actions/checkout from 3 to 5
- Allow disabling PSL
- Make curl dependency management optional
- curl_container: allow calling GetContent without CurlHolder
- Bump stefanzweifel/git-auto-commit-action from 6 to 7
- Bump actions/upload-artifact from 4 to 5
- Bump actions/setup-python from 1 to 5
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2025-30472.patch
removed since it's included in 3.1.10
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since commit 3200122d68 (chrony: create /var/lib/chrony by systemd-tmpfiles)
tmpfiles.d mechanism already ensures populating /var/lib/chrony at runtime.
Introduce volatiles mechanism to make sure the directory is created
at runtime for sysvinit as well.
Since /var/lib/chrony is populated at runtime, stop packaging at build time.
this helps to align towards stateless system expectations
or when updates are done via meta-updater.
Signed-off-by: Vishwas Udupa <vudupa@qti.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The libtalloc recipe did not properly populate the pytalloc package
because pytalloc was listed after the main libtalloc package in the
PACKAGES variable. As a result, the pytalloc package contained only
talloc.so and was missing other required files.
Signed-off-by: Moraless Philius <moraless.philius5@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version tunctl
INFO: Current version: 1.5
INFO: Latest version:
After the patch:
$ devtool latest-version tunctl
INFO: Current version: 1.5
INFO: Latest version: 1.5
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable verison.
Before the patch:
$ devtool latest-version radvd
INFO: Current version: 2.20
INFO: Latest version:
After the patch:
$ devtool latest-version radvd
INFO: Current version: 2.20
INFO: Latest version: 2.20
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version ptpd
INFO: Current version: 2.3.1
INFO: Latest version:
After the patch:
$ devtool latest-version ptpd
INFO: Current version: 2.3.1
INFO: Latest version: 2.3.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable verison.
Before the patch:
$ devtool latest-version postfix
INFO: Current version: 3.10.5
INFO: Latest version:
After the patch:
$ devtool latest-version postfix
INFO: Current version: 3.10.5
INFO: Latest version: 3.10.5
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version openipmi
INFO: Current version: 2.0.36
INFO: Latest version:
After the patch:
$ devtool latest-version openipmi
INFO: Current version: 2.0.36
INFO: Latest version: 2.0.37
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version netcat
INFO: Current version: 0.7.1
INFO: Latest version:
After the patch:
$ devtool latest-version netcat
INFO: Current version: 0.7.1
INFO: Latest version: 0.7.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable verison.
Before the patch:
$ devtool latest-version ipset
INFO: Current version: 7.24
INFO: Latest version:
After the patch:
$ devtool latest-version ipset
INFO: Current version: 7.24
INFO: Latest version: 7.24
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Source branch was renamed from master to main.
Drop patch that was incorporated in this release.
Changelog:
Use GitHub actions for CI
Allow to manually define CPUs for trafgen
Fix make install and output netsniff-ng stats on stderr
trafgen: Fix for ipv6 header generation when L3-only devices are present
mausezahn: use getopt_long instead of getopt
build: fix install dependencies in Makefile template
trafgen: move cpu stats temp file to /tmp
ring_tx: handle EINTR from sendto
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The used version was moved to another folder - and was also repackaged
with gzip compression.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix following conflicts when enabling multilib.
Error: Transaction test error:
file /usr/include/freeradius/features.h conflicts between attempted installs of freeradius-dev-3.2.8-r0.x86_64_v3 and lib32-freeradius-dev-3.2.8-r0.core2_32
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fixes for CVE-2025-54764 and CVE-2025-59438
Also, add the recipe to the ptest image list, because it was missing.
Ptests passed successfully.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.5
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
