Pass it via cflags from environment, so it can be controlled for
platforms where it is not supported
Pass -fstack-clash-protection for clang too, it is available now a days
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bug fixes
=========
* core: force key "return" to command "/input return" when migrating
legacy keys
* core: display actual key name and command with key kbd:[Alt+k],
remove key kbd:[Alt+K] (grab raw key) and associated commands
'/input grab_raw_key' and '/input grab_raw_key_command'
* core: check for newline characters in string_is_whitespace_char
* api: do not convert option name to lower case in API functions
config_set_plugin and config_set_desc_plugin
* guile: fix crash on quit with Guile < 3 (issue #1965)
* irc: reply to a CTCP request sent to self nick (issue #1966)
* irc: sent "QUIT" message to servers connected with TLS on '/upgrade'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Add support for ppp 2.5.0.
* Fix nft rules for balance-slb bonding.
* Support port priority for bonding.
* Fix regression handling the PKEY_ID for infiniband profiles
in ifcfg-rh format.
* Fix race in nm-cloud-setup that caused partial configuration
and loss of connectivity with multiple interfaces.
* Don't touch "net.ipv6.conf.$IFACE.forwarding" unless explicitly
required for IPv6 sharing.
* Various bugfixes related to team, Wi-Fi P2P, IPv6LL.
* Automatically unblock autoconnect of profiles during reapply.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since we autoreconf, it should be better to build the linker map file
too, which requires ctags during build. This is otherwise flagged as
error by lld linker where we specify a linker symbol file on cmdline
but the file is not there.
Fixes
| libtool: error: symbol file './libcoap-3.sym' does not exist
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Mbed TLS 2.28 is a long-time support branch. It will be supported with
bug-fixes and security fixes until end of 2024.
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789
Changelog:
=========
dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781
Bug #780 assert tcpedit dlt cleanup by @fklassen in #800
Fix bugs caused by strtok_r by @Marsman1996 in #783
Bug #782#784#785#786#787#788 strtok r isuses by @fklassen in #801
Update en10mb.c by @david-guti in #793
PR #793 ip6 unicast flood by @fklassen in #802
Bug #719 fix overflow check for parse_mpls() by @fklassen in #804
PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805
PR #793 - update tests for vlandel by @fklassen in #806
Feature #773 gh actions ci by @fklassen in #807
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Version 3.4.0 adds a lot of improvements and fixes (a notable one
being initial support for PKCS7 CMS), but since this is a pretty
big jump, let's keep both versions for a while, so the v2.x users
can upgrade to 3.x in a timely manner if needed.
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- A deadlock in the vici plugin has been fixed that could get triggered when
multiple connections were initiated/terminated concurrently and control-log
events were raised by the watcher_t component.
- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
encoded (even if it's a CA), or a CA certificate without keyUsage extension.
- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
earlier that was introduced with 5.9.10.
- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
gained support for trap policies.
- The dhcp plugin uses an alternate method to determine the source address
for unicast DHCP requests that's not affected by interface filtering.
- Certificate and trust chain selection as initiator has been improved in case
the local trust chain is incomplete and an unrelated certreq is received.
- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
- Stale OCSP responses are now replace in-place in the certificate cache.
- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The READMEs are often viewed from websites markdown format which is
much as readable as text and yet friendlier in browsers.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Type=forking means systemd waits untill the main process, /usr/sbin/ntpd
in this case, has exited. However, the ntpd daemon does not seem to call
fork() or vfork() and runs endlessly untill killed. Eventually, this
causes systemd to trigger a timeout, and the ntpd service is killed. All
the while, "systemctl status ntpd" shows "activating (start)" instead of
"active (running)". This is fixed by switching Type=forking to
Type=simple.
Reading ntpd(8) shows that the "-n" option requests ntpd not to fork, so
also use that to be safe.
Finally, there is no need anymore to keep a pidfile around.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
By default, subscriptions are turned on.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
By default, open62541 is built without multithreading support. Make this
configurable.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- When --no-decorate is given the default output will
include no colors (#28)
- Correctly split networks with /31 (#25)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
lld flags errors when checking for --version-script linker option since
the export file specifies symbols which do not exist during link, so in
a way it is right, however bfd linker works fine and ignores this error.
perhaps the meson check should be improved but until them lets add
--undefined-version option to linker when using lld
Fixes
aarch64-yoe-linux-ld.lld: error: TOPDIR/build/tmp/work/cortexa72-cortexa53-crypto-mx8-yoe-linux/spice-gtk/0.42-r0/git/src/spice-glib-sym-file:1: unknown directive: spice_audio_get
>>> spice_audio_get
>>> ^
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop CVE patch as its included.
Drop 0003-bison-Remove-line-directives.patch as file is not longer there.
refactor 0001-wireshark-src-improve-reproducibility.patch
LIC_FILES_CHKSUM changed do to re-structuring.
Remove TMPDIR found in some files.
Remove c-ares PACKAGECONFIG as its a required pkg
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There's conflict of config.h between dovecot and lib32-dovecot.
The differences of config-64.h and config-32.h are as follows:
@@ -774,7 +774,7 @@
#define MODULE_SUFFIX ".so"
/* Maximum value of off_t */
-#define OFF_T_MAX LONG_MAX
+#define OFF_T_MAX LLONG_MAX
/* Name of package */
#define PACKAGE "dovecot"
@@ -834,7 +834,7 @@
#define PRIdTIME_T "ld"
/* printf() format for uoff_t */
-#define PRIuUOFF_T "lu"
+#define PRIuUOFF_T "llu"
/* printf() fmt for hex time_t */
#define PRIxTIME_T "lx"
@@ -846,19 +846,19 @@
#define SIZEOF_INT 4
/* The size of `long', as computed by sizeof. */
-#define SIZEOF_LONG 8
+#define SIZEOF_LONG 4
/* The size of `long long', as computed by sizeof. */
#define SIZEOF_LONG_LONG 8
/* The size of `void *', as computed by sizeof. */
-#define SIZEOF_VOID_P 8
+#define SIZEOF_VOID_P 4
/* Build SQL drivers as plugins */
/* #undef SQL_DRIVER_PLUGINS */
/* Maximum value of ssize_t */
-#define SSIZE_T_MAX LONG_MAX
+#define SSIZE_T_MAX INT_MAX
/* C99 static array */
#define STATIC_ARRAY static
@@ -887,13 +887,13 @@
/* #undef UOFF_T_INT */
/* Define if off_t is long */
-#define UOFF_T_LONG /**/
+/* #undef UOFF_T_LONG */
/* Define if off_t is long long */
-/* #undef UOFF_T_LONG_LONG */
+#define UOFF_T_LONG_LONG /**/
/* Maximum value of uoff_t */
-#define UOFF_T_MAX ULONG_MAX
+#define UOFF_T_MAX ULLONG_MAX
/* Build with checkpassword userdb support */
#define USERDB_CHECKPASSWORD /**/
@@ -935,7 +935,7 @@
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
-/* #undef _FILE_OFFSET_BITS */
+#define _FILE_OFFSET_BITS 64
/* Define for large files, on AIX-style hosts. */
/* #undef _LARGE_FILES */
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without any build type specified, open62541 defaults to "Debug".
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
0001-test-Fix-build-with-new-compiler-defaults-to-fno-com.patch
refreshed for new version.
Changelog
=========
- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This reverts the commit df47d871c7.
The correct DISTRO_FEATURE is gobject-introspection-data,
which shall also be used by firewalld.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes the commit 046ee4bb30.
The correct DISTRO_FEATURE is gobject-introspection-data.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes the commit 1f04864065.
The correct DISTRO_FEATURE is gobject-introspection-data.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since v1.3.4, support for OpenSSL 3.0 has been added.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This helps in avoiding absolute build time paths in binaries debug info
Fixes
WARNING: ipvsadm-1.31-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/ipvsadm in package ipvsadm-dbg contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CCFLAGS is used in Make rules which will ensure file remapping options
are used when compiling
Fixes
WARNING: vlan-1.9-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/vconfig.vlan in package vlan-dbg contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The build of NM involves running Python that uses PyGObject, so add that
to DEPENDS.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Merge pull request #1327 from haoyue-Xu/bugfixes
libhns: Disable local invalidate operation
Merge pull request #1330 from amzn/change-maintainer
MAINTAINERS: Update EFA provider maintainer
Merge pull request #1329 from selvintxavier/bnxt_update
bnxt_re/lib: Remove deferred arming logic
bnxt_re/lib: Fix the UD completion reported
Merge pull request #1328 from amzn/tests-fix
tests: Skip rc_flush tests if not supported in kernel
tests: Fix get_net_name for cases there is no net device
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Update SSL configure instructions and license info.
Changelog:
===========
- OpenSSL 1.1.1t and 3.0.8 and wolfSSL 5.5.4 (or newer on the respective compatible branches) remain supported.
- updated translations and bumped SSL/TLS library version requirements.
- fixed a critical softbounce bug
- finds both rst2html5 with and without .py suffix when rebuilding the distribution.
- updated the configure script for --with-ssl properly identifying the right
OpenSSL on a system with multiple OpenSSL versions installed, and updates the
manual page and its HTML conversion process, and adds some error checking to the .netrc parser.
- added a wolfSSL compatibility workaround
- updated the manual page and several other documentation files, adds preliminary
wolfSSL 5.0 support on systems that provide a C99 compiler, fixed up a specific
fix for a compatibility issue with the end-of-life OpenSSL 1.0.2 around the
expiry of the DST Root CA X3 certificate which impairs connectivity to
Let's-Encrypt-certified sites. Supported OpenSSL versions 1.1.1 and newer are unaffected.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
firewalld is only enabled when gobject-introspection is in distro
features which is required package to build system-config-printer
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This project uses gobject-introspection, so depend on the DISTRO_FEATURE.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This project uses gobject-introspection, so depend on the DISTRO_FEATURE.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This project uses gobject-introspection, so depend on the DISTRO_FEATURE.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
dhcp-relay contains a bundled bind thus their development packages
conflict each other.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since multiple crypto provider aren't supported simultaneously, the
mbedtls packageconfig conflicts with the openssl packgeconfig.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
... in anticipation for OpenSSL as crypto provider.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This contains references to source directories used during build, it
will not be useful on target without really editing it properly to
reflect target rootfs install. it perhaps never was used thus far, it
would have failed otherwise.
Fixes
WARNING: dovecot-2.3.20-r0 do_package_qa: QA Issue: File /usr/lib/dovecot/dovecot-config in package dovecot contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Re-enable LTO again, it works ok.
- Turn systemd into a packageconfig and enable it when systemd is in
distro features
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These pyc files include references to buildtime TMPDIR, therefore delete
them and let them be regerated during runtime if needed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove intltool-native as it is not used, and add autoconf-archive-native.
Also explicitly disable systemd when not selected to be sure it doesn't
automatically enable.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Compiler invocation and flags are added to SQUID_CONFIGURE_OPTIONS which
is added via generated autoconf.h during configure step. Since OE
encodes sysroot and buildpaths for cross compile, they end up in squid
binary, this patch removes from workdir from them so avoid encoding
build workspace path
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A client for PPP+SSL VPN tunnel services, compatible with Fortinet VPNs.
https://github.com/adrienverge/openfortivpn
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Disabled by default. When enabled, a package 'strongswan-nm' gets created.
The package naming follows Debian/Ubuntu.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When using OpenSSL as the encryption provider, the package does not
build without deprecation warnings, thus breaking the build. Disable
warnings as errors to unbreak the build.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without "encryption" PACKAGECONFIG, the option UA_ENABLE_ENCRYPTION=OFF
is passed, which disables encryption support altogether and makes it
impossible to override the encryption provider. Since no encryption
support is already the default, we don't have to specify anthing to
disable encryption.
Additionally, explicitly specify MbedTLS as the encryption provider;
this is the preferred way to enable any one of the three supported
providers (LibreSSL, OpenSSL or MbedTLS). The current method prints a
deprecation warning:
CMake Deprecation Warning at CMakeLists.txt:200 (message):
Set UA_ENABLE_ENCRYPTION to the desired encryption library.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* without gobject-introspection-data in DISTRO_FEATURES the bbclass
correctly disables it:
$ bitbake-getvar -r spice-gtk EXTRA_OEMESON
#
# $EXTRA_OEMESON [6 operations]
# :append /OE/build/oe-core/openembedded-core/meta/classes-recipe/meson.bbclass:44
# " ${PACKAGECONFIG_CONFARGS}"
# :prepend[class-target] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:28
# "${@['', '${GIRMESONTARGET}'][d.getVar('GIR_MESON_OPTION') != '']}"
# :prepend[class-native] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:33
# "${@['', '${GIRMESONBUILD}'][d.getVar('GIR_MESON_OPTION') != '']}"
# :prepend[class-nativesdk] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:34
# "${@['', '${GIRMESONBUILD}'][d.getVar('GIR_MESON_OPTION') != '']}"
# set /OE/build/oe-core/meta-openembedded/meta-networking/recipes-support/spice/spice-gtk_0.42.bb:49
# "-Dpie=true -Dvapi=enabled"
# :append[libc-musl] /OE/build/oe-core/meta-openembedded/meta-networking/recipes-support/spice/spice-gtk_0.42.bb:50
# " -Dcoroutine=libucontext"
# pre-expansion value:
# "${@['', '${GIRMESONTARGET}'][d.getVar('GIR_MESON_OPTION') != '']}-Dpie=true -Dvapi=enabled ${PACKAGECONFIG_CONFARGS}"
EXTRA_OEMESON="-Dintrospection=false -Dpie=true -Dvapi=enabled "
and prevents build failure:
http://errors.yoctoproject.org/Errors/Details/702789/
Run-time dependency gobject-introspection-1.0 found: NO (tried pkgconfig)
../git/meson.build:346:0: ERROR: Dependency "gobject-introspection-1.0" not found, tried pkgconfig
* it just needs GIR_MESON_*_FLAG to be set to avoid:
meson.build:4:0: ERROR: Value "false" (of type "string") for combo option "Check for GObject instrospection requirements" is not one of the choices. Possible choices are (as string): "enabled", "disabled", "auto".
* and enable vapi only when introspection is enabled, use PACKAGECONFIG for that to avoid:
meson.build:358:4: ERROR: Problem encountered: VAPI support requested without introspection
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A typo that probably caused a left over from override syntax conversion.
INITSCRIPT_PARAMS$_${PN} --> INITSCRIPT_PARAMS:${PN}
Signed-off-by: Peter Bergin <peter.bergin@windriver.com>
Signed-off-by: Peter Bergin <peter@berginkonsult.se>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This removes the old unused license for netperf as upstream
moved to using the MIT license for netperf.
See: meta-openembedded commit 587fe58777
Signed-off-by: Arsalan H. Awan <arsalan.awan@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Emit the dhcp-change dispatcher event also after a lease renewal.
* Fix assertion failure on DHCP renewal.
* Add support for EC2 IMDSv2 in nm-cloud-setup.
* Allow setting tunnel flags for ip6gre & ip6gretap connection
profiles.
* Improve the Wi-Fi hotspot functionality.
* Fix setting the Wi-Fi roaming policy based on the number of seen
BSSIDs.
* Support the "no-aaaa" resolv.conf option.
* Some oFono fixes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Source code:
----------------
Fix spaces before tabs in indentation.
Updated printers:
-----------------
LSP ping: Fix "Unused value" warnings from Coverity.
CVE-2023-1801: Fix an out-of-bounds write in the SMB printer.
DNS: sync resource types with IANA.
ICMPv6: Update the output to show a RPL DAO field name.
Geneve: Fix the Geneve UDP port test.
Building and testing:
----------------------
Require at least autoconf 2.69.
Don't check for strftime(), as it's in C90 and beyond.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Documentation:
-------------
man: Document TCP flag names better.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
GHA: remove Ubuntu 18.04 builds
vcpkg: request "tools" feature of openssl for MSVC build
doc: run rst2* with --strict to catch warnings
Support of DNS domain for DHCP-less drivers
Bug-fix: segfault in dco_get_peer_stats()
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
https://netfilter.org/projects/nftables/files/changes-nftables-1.0.7.txt
The COPYING text changed to highlight that "New code though is moving to
GPL version 2 or any later which is the preferred license for this project
these days." Although the project itself stays GPLv2 only.
https://netfilter.org/licensing.html#terms
The upstream replaced distutils with setuptools, so the nftables-python
is now built using the standard approach. The coexistence of setuptools
and automake is solved in the same way as in meta-oe/recipes-support/libiio.
The removal of *.pyc is no longer necessary.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* do_populate_lic as well as do_configure fails in multilib builds, because S points to empty:
lib32-restinio/0.6.13-r0/lib32-restinio-0.6.13/dev
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With the exception of paho-mqtt-cpp, the double protocol= attributes
were added to the SRC_URIs when protocol=https was added to all SRC_URIs
fetching from github.com in commit b402a3076f (recipes: Update SRC_URI
branch and protocols).
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Correct "startline=" to "beginline=" in LIC_FILES_CHKSUM so that the
correct lines from autossh.c and daemon.h are used. Also remove
autossh.spec from LIC_FILES_CHKSUM as it doesn't really contain any
license information.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://www.samba.org/samba/history/samba-4.18.1.html
This is a security release in order to address the following defects:
CVE-2023-0225
CVE-2023-0922
CVE-2023-0614
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
dco: don't use NetLink to exchange control packets
dco: print version to log if available
dco-linux: remove M_ERRNO flag when printing netlink error message
multi: don't call DCO APIs if DCO is disabled
dco-freebsd: use m->instances[] instead of m->hash
dco-linux: implement dco_get_peer_stats{, multi} API
Set netlink socket to be non-blocking
Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
Fix memory leaks in open_tun_dco()
Fix memory leaks in HMAC initial packet generation
Use key_state instead of multi for tls_send_payload parameter
Make sending plain text control message session aware
Only update frame calculation if we have a valid link sockets
Improve description of compat-mode
Simplify --compress parsing in options.c
Refuse connection if server pushes an option contradicting allow-compress
Add 'allow-compression stub-only' internally for DCO
Parse compression options and bail out when compression is disabled
tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
preparing release 2.6.2
dns option: allow up to eight addresses per server
dco: print FreeBSD version
Support --inactive option for DCO
Fix '--inactive <time> 0' behavior for DCO
Print DCO client stats on SIGUSR2
Don't overwrite socket flags when using DCO on Windows
using OpenSSL3 API for EVP PKEY type name reporting
Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
Import some sample certificates into Windows store for testing
Add tests for finding certificates in Windows cert store
Refactor SSL_CTX_use_CryptoAPI_certificate()
Add a test for signing with certificates in Windows store
Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
Improve error message on short read from socks proxy
Make error in setting metric for IPv6 interface non-fatal
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
# Do not ignore multicast advertisements when discovery was sent as unicast
(fix regression from 1.0.5).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The patch is modified by removing irrelevant and conflicting
CHANGELOG entry.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-configure-check-for-ns_get16-and-ns_get32-as-well.patch
Fixed-build-error-on-musl.patch
removed since they're included in 0.9.2.
Changelog:
==========
- adenroll: set password via LDAP instead Kerberos [#27]
- disco: fall back to LDAPS if CLDAP ping was not successful [#31]
- tools: replace getpass() [#10]
- adenroll: write SID before secret to Samba's db [rhbz#1991619]
- doc: add clarification to add-member command on doc/adcli.xml
- tools: Set umask before calling mkdtemp()
- Avoid undefined behaviour in short option parsing
- library: include endian.h for le32toh
- man: Fix typos and use consistent upper case for some keywords
- doc: avoid gnu-make specific usage of $< [#26]
- configure: check for ns_get16 and ns_get32 as well [rhbz#1984891]
- Add setattr and delattr options [rhbz#1690920]
- entry: add passwd-user sub-command [rhbz#1952828]
- Add dont-expire-password option [rhbz#1769644]
- build: add --with-vendor-error-message configure option [rhbz#1889386]
- tools: add show-computer command [rhbz#1737342]
- add description option to join and update [rhbz#1737342]
- Use GSS-SPNEGO if available [rhbz#1762420]
- add option use-ldaps [rhbz#1762420]
- tools: disable SSSD's locator plugin [rhbz#1762633]
- doc: explain required AD permissions [gfo#20]
- computer: add create-msa sub-command [rhbz#1854112}
- Add account-disable option [gfo#21]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update:
"Copyright (C) 2013-2020 Red Hat Inc." changed to "Copyright Red Hat"
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The patch has been applied upstream, so update the Upstream-Status
line accordingly.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Pgpool-II is a middleware that works between PostgreSQL servers and a PostgreSQL database client. It is distributed under a license similar to BSD and MIT. It provides the following features.
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The combination of ntpd and sntp now implements the functions of
ntpdate, which has been deprecated.
Now we don't need ntpdate anymore, and we can use the following
command 'ntpd -q -g -x' instead.
So drop the related section of ntpdate now.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
53ee89b Merge pull request #1299 from zhuyj/dmabuf
95507d0 Merge pull request #1311 from EdwardSro/pr-pyverbs-tests
087deb5 irdma: Add support for ibv_reg_dmabuf_mr
6644617 Merge pull request #1309 from hz-cheng/master
fe9e480 Merge pull request #1304 from EdwardSro/pr-tests-fixes
5c9f444 Merge pull request #1303 from EdwardSro/pr-mlx5-dr-steering
8f56a83 Merge pull request #1310 from joshuafried/mlx5_dr_bugfix
638ace8 tests: Add test for devx DBR-less mode data path
25a4bf0 tests: Skip CUDA tests if there is no CUDA device
5dad658 tests: Add set and copy modify action of metadata
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-libnm-std-aux-Adjust-signature-of-_nm_assert_fail_in.patch
removed since it's not available in 1.42.4
Changelog:
==========
* Fix a possible crash when [global-dns] is used and improve the
documentation.
* Documentation improvements.
* Add build option to set the mobile-broadband-provider-info database
path.
* Add new "ipv[46].replace-local-rule" setting to control whether to
remove the local route rule that is automatically generated.
* Add the DHCPv6 IAID to the lease information exposed in /run and on
D-Bus.
* Fix assuming team connections at boot.
* Fix race condition when setting the MAC address of an OVS interface.
* Fix constructing the IPv4 name servers variable passed to dispatcher
scripts.
* Don't use tentative IPv6 address to resolve the system hostname via DNS.
* Deprecate the "Master" property of the NMActiveConnection D-Bus object
in favor of the new "Controller" property.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
dont-swallow-errors.patch
configure.in-Error-fix.patch
removed since they're not available in 3.14.
configure_in_cross.patch
refreshed for 3.14.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2023.
Changelog:
==========
* New features
- Improved logging performance with the "output" option.
- Improved file read performance on the WIN32 platform.
- DH and kDHEPSK ciphersuites removed from FIPS defaults.
- Set the LimitNOFILE ulimit in stunnel.service to allow
for up to 10,000 concurrent clients.
- Added the new 'CAengine' service-level option
to load a trusted CA certificate from an engine.
- Added requesting client certificates in server
mode with 'CApath' besides 'CAfile'.
- Improved file read performance.
- Improved logging performance.
* Bugfixes
- Fixed the "CApath" option on the WIN32 platform by
applying https://github.com/openssl/openssl/pull/20312.
- Fixed stunnel.spec used for building rpm packages.
- Fixed tests on some OSes and architectures by merging
Debian 07-tests-errmsg.patch (thx to Peter Pentchev).
- Fixed EWOULDBLOCK errors in protocol negotiation.
- Fixed handling TLS errors in protocol negotiation.
- Prevented following fatal TLS alerts with TCP resets.
- Improved OpenSSL initialization on WIN32.
- Improved testing suite stability.
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.8.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Now frr can support more arches as libyang can be built on all arches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_GITTAGREGEX to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version frr
INFO: Current version: 8.4.2
INFO: Latest version: 9.0
INFO: Latest version's commit: 16c38045b1a84f899da473398779cc593d82d2bd
Version 9.0 is a development tag[1].
After the patch:
$ devtool latest-version frr
INFO: Current version: 8.4.2
INFO: Latest version: 8.4.2
INFO: Latest version's commit: 9e25d07412e92bdcd1f69c4755dc7564b23023c0
[1] https://github.com/FRRouting/frr/tags
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As mbedtls installs this rather generically-named /usr/bin/hello binary,
it conflicts with the one provided by lmbench, hence set it up as an
alternative to avoid conflicts when both are installed to rootfs or SDK.
Signed-off-by: Denys Dmytriyenko <denis@denix.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
https://github.com/secdev/scapy/releases/tag/v2.5.0
Also, in this version the UTscapy wrapper gets no longer installed
into /usr/bin, so for ptest we need to install it.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
New features and improvements in 2.6.0 compared to 2.5.8:
- Data Channel Offload (DCO) kernel acceleration support for Windows,
Linux, and FreeBSD.
- OpenSSL 3 support.
- Improved handling of tunnel MTU, including support for pushable MTU.
- Outdated cryptographic algorithms disabled by default, but there are
options to override if necessary.
- Reworked TLS handshake, making OpenVPN immune to replay-packet state
exhaustion attacks.
- Added --peer-fingerprint mode for a more simplistic certificate setup
and verification.
- Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
- Improved protocol negotiation, leading to faster connection setup.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Convert repo to git
* Remove sig unsafe functions from signal handler (Ticket #22).
* Allow -e to explicitly specify the environment variable to use
(Ticket #5).
* Unset the variable specified with -e before calling subprogram
(Ticket #25).
* Change the logic for setting a controlling TTY. Fixes compatibility
issues with OpenSolaris and MSYS/Cygwin. Thanks Marcin Olszewski for
the fix.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-examples-Include-alloca.h-for-strdupa.patch
removed since it's included in 44.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
__assert_fail signature is assuming glibc which is fine for glibc
systems but we have to consider musl case too.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* Added support for source load balancing for Ethernet Bonds.
* Allow specifying vhost name (SNI) for a manually DNS-over-TLS server.
Only works with systemd-resolved plugin.
* Connections can now be activated on a loopback interface.
* Added support of IPv4 ECMP routes. The ECMP routes will get merged
automatically but the user need to configure them as single-hop routes
specifying a valid weight.
* Add new "reapply" dispatcher event.
* Added support of VTI and VTI6 ip-tunnels along with a new property,
"ip-tunnel.fwmark".
* VLAN can now support 802.1ad tagging instead of 802.1Q.
* Invocations of iptables now use "--wait 2" to handle races with concurrent
calls. This fixes misbehavior with IPv4 shared mode.
* The DHCP client-id and DHCPv6 DUID are now exposed along with the lease
information.
* Optionally suppress adding direct route to an external VPN gateway
with the new "ipv[46].auto-route-ext-gw" property.
* Open vSwitch support gained new properties: "ovs-dpdk.n-rxq-desc",
"ovs-dpdk.n-txq-desc", "ovs-interface.ofport-request" and
"ovs-port.trunks".
* Added support of "other_config" for OVS bridge, port or interface. This
property is not supported by nmcli.
* nmtui now supports editing Wi-Fi WPA-Enterprise, Ethernet with 802.1X
authentication and MACsec connection profiles.
* nmcli now allows changing "connection.uuid" and "connection.type"
properties in offline mode and setting the UUID when creating a
connection.
* nmcli now accepts abbreviations for the UUID with the connection selector
in `nmcli connection $operator uuid $uuid`.
* DHCPv6 leases are now declined when addresses fail DAD.
* Documentation improvements.
* Many internal improvements and bug fixes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-Add-configure-options-for-packages.patch
refreshed for new version.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Now built with meson
- Update the source git repository and home page
https://github.com/nmav/ipcalc redirects to https://gitlab.com/ipcalc/ipcalc
- USE_GEOIP = "no" not necessary in the recipe, already
set by default in the code.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0002-iscsiuio-Use-pthread_t-for-INVALID_THREAD.patch
removed since it's included in 2.1.8.
0001-Makefile-Do-not-set-Werror.patch
refreshed for 2.1.8
Changelog:
===========
make: avoid hard-coding path to sed (#357)
etc: install system unit with without executable bit (#354)
Add ability for MGMT IPC to check UID only
Use config for iscsistart and iscsiadm fw login
iscsiuio: Use pthread_t for INVALID_THREAD (#363)
Add a 'distclean' Makefile top-level target
Cleanup fwparam makefile (#360)
Small bug fixes (#364)
Use meson as the main build system (#365)
libopeniscsiusr: cleanup recent reallocarray->realloc change (#369)
Added examples in man file for iscsiadm session commands.
iscsid: fix logout pdu send failure handling
Update README's error handler/timeout section
iscsiuio: fix LDADD
libopeniscsiusr: use realloc instead of reallocarray (#368)
iscsiadm: enable specify iface name-value parameters when creating iface
Fix a possible passing null pointer in usr/iface.c (#356)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- bugfix: wrong default portnumber for proxy was used
- bugfix: https://bugs.launchpad.net/ubuntu/+source/htpdate/+bug/1850740
- improvement: Avoid bouncing between upper/lower limit when (almost) in sync
- improvement: Set SSL server hostname on SSL object
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update to version 0.42:
v0.42
=====
- !115 - Fix compilation on win32 with EGL
- !114 - spice-widget: fix hotspot position on Wayland/HiDPI
- !112 - meson: Allow building on a Wayland-only environment
- !110 - usb-backend: Fix devices not being enumerated
- !108 - spicy: Add keyboard shortcuts for copy/paste sync
- Require meson >= 0.56
The original recipe name was spice-gtk_0.4.1.bb, but the spice-gtk
repo tags the releases as 0.41, not 0.4.1, so update it accordingly.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Up to now in this recipe the alternative mechanism only worked by accident, so
do like all other recipes and utilize varflags.
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
version 2.89
Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CRDA is no longer needed as of kernel v4.15 since commit 007f6c5e6eb45
("cfg80211: support loading regulatory database as firmware file") added
support to use the kernel's firmware request API which looks for the
firmware on /lib/firmware. Because of this CRDA is legacy software for
older kernels, remove the recipe.
It could change regulatory domains with iw and wpa_supplicant.
Refs
1. https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/tree/README#n8
2. https://wireless.wiki.kernel.org/en/developers/Regulatory/CRDA
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a missing runtime dependency on python3-ctypes
Add a polkit rule to allow users of group wheel to use blueman without authentification
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fails to link otherwise
ld: cannot find -lhiredis: No such file or directory
collect2: error: ld returned 1 exit status
Signed-off-by: Khem Raj <raj.khem@gmail.com>
configure uses AC_PREPROC_IFELSE to check for certain errors from getaddrinfo()
it user search operation in a preprocessed file
UNIQUEVALS=`sort $ERRVALFILE | uniq | wc -l | awk '{ print $1 }'`
However, line numbers are generated into the preprocesser files and they
get sorted higher than numbers
gaierrval:
# 130 "conftest.c" 3 4
-3
-P ensures that line numbers are not generated into preprocessed files,
so these checks can succeed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://www.samba.org/samba/history/samba-4.17.5.html
Drop 0007-waf-Fix-errors-with-Werror-implicit-function-declara.patch
as the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.
An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) can recover an RSA private key after observing the victim
performing a single private-key operation, if the window size
(MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.
There is a potential heap-based buffer overflow and heap-based buffer
over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46392https://nvd.nist.gov/vuln/detail/CVE-2022-46393
Upstream patches:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Mitigate occurence where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backported patches, drop `wscript: Widen the search for tags` as
upstream has merged something similar which means devtool builds now
work.
Add BISONFLAGS support to fix build reproducbility issue.
Drop `--debug` which generates internal debug info.
License-Update: License files moved to separate directory
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Expose all current dnsmasq configuration options in PACKAGECONFIG,
enable i18n generation, filter supplementary systemd files against
DISTRO_FEATURES.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add an option to use Platform Security Architecture for the X.509 and TLS
operations.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Updated printers:
PTP: Use the proper values for the control field and print un-allocated
values for the message field as "Reserved" instead of "none".
Source code:
smbutil.c: Replace obsolete function call (asctime)
Building and testing:
cmake: Update the minimum required version to 2.8.12 (except Windows).
CI: Introduce and use TCPDUMP_CMAKE_TAINTED.
Makefile.in: Add the releasecheck target.
Makefile.in: Add "make -s install" in the releasecheck target.
Cirrus CI: Run the "make releasecheck" command in the Linux task.
Makefile.in: Add the whitespacecheck target.
Cirrus CI: Run the "make whitespacecheck" command in the Linux task.
Address all shellcheck warnings in update-test.sh.
Makefile.in: Get rid of a remain of gnuc.h.
Documentation:
Reformat the installation notes (INSTALL.txt) in Markdown.
Convert CONTRIBUTING to Markdown.
CONTRIBUTING.md: Document the use of "protocol: " in a commit summary.
Add a README file for NetBSD.
Fix CMake build to set man page section numbers in tcpdump.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Fix the evaluation of the autoconnect retries.
* nm-cloud-setup now preserves addresses added externally.
* Ensure that dnsmasq is stopped after changing the dns backend and
restarting the service.
* Fix honoring an explicit DHCPv6 DUID with dhclient.
* Other various fixes.
* Fixed a bug that caused devices (MACsec in particular) to be stuck in
UNAVAILABLE state and not transition to DISCONNECTED if the carrier was
ready too early.
* Improved interoperability of MACsec with some Aruba switches by allowing
CKN shorter than 64 characters.
* Fixed an assertion failure when restarting NetworkManager with MACsec
links configured.
* Fixed a possible DHCP helper crash when handling failure to connect to
D-Bus.
* Corrected calculation of expiration time for items configured from IPv6
neighbor discovery messages.
* Various fixes for platforms that don't allow unaligned memory access.
* team: also set empty port configuration so teamd
knows about the port.
* team: restore port configuration after teamd respawn.
* dhcp: revert restarting DHCP when MAC address changes,
for example during a bond fail over.
* various documentation fixes.
* fix non-exported ABI in libnm which was wrongly present
in the header files but unusable so far.
* ifcfg-rh: fix writing ethtool pause settings to file.
* core: set "proto static" for manual routing rules configured
by NetworkManager.
* Various minor bugfixes.
* Ensure that resolv.conf gets updated when the configuration changes.
* Fix setting as bond primary an interface that doesn't exist yet when the
bond is activated.
* The number of autoconnect retries is now accounted independently for each
device when there are profiles with multi-connect=multiple.
* Don't print duplicate entries in the output of "NetworkManager
--print-config"
* Fix the ifcfg-rh plugin to properly read infiniband P-Key connection
profiles without an explicit interface name.
* Allow the removal of a bond port connection profile from the bond via
nmcli.
* Fix race condition during the activation of veth profiles when the peer
already exists.
* Decline the DHCPv6 lease if all addresses fail IPv6 duplicate address
detection (DAD).
* Wait that devices get carrier before trying to resolve the system hostname
on them via DNS.
* Fix race condition during the initial activation of OVS interfaces.
* Profiles generated by nm-initrd-generator now have lower than default
priority.
* Fix error when adding many SR-IOV virtual functions (VFs).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update crda from 3.18 to 4.15:
* use git repo in SRC_URI that no tar archive found for recent releases
* drop fix-gcc-6-unused-variables.patch and make.patch
* rebase patches
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Clang also warns about offsetof use to emulate _Alignof
register keyword is no longer available so pre-empt it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Weechat now requires an extra zstd dependency during
compilation.
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26
* Refresh patches
* Add autogen.sh as we still need it in do_configure
* Backport a patch to fix configure error for rlm_python3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using a private module from setuptools is not a good idea and
no longer works with latest setuptools.
it's actually better to revert to official distutils even if
it is going away in the next python release. Hopefully by
then upstream will transition to something supported.
TMPDIR in .pyc can be addressed by simply not installing the .pyc.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Updated printers:
-----------------
BGP: Update cease notification decoding to RFC 9003.
BGP: decode BGP link-bandwidth extended community properly.
BGP: Fix parsing the AIGP attribute
BGP: make sure the path attributes don't go past the end of the packet.
BGP: Shutdown message can be up to 255 bytes length according to rfc9003
DSA: correctly determine VID.
EAP: fix some length checks and output issues.
802.11: Fix the misleading comment regarding "From DS", "To DS" Frame Control Flags.
802.11: Fetch the CF and TIM IEs a field at a time.
802.15.4, BGP, LISP: fix some length checks, compiler warnings,
and undefined behavior warnings.
PFLOG: handle LINKTYPE_PFLOG/DLT_PFLOG files from all OSes on all OSes.
RRCP: support more Realtek protocols than just RRCP.
MPLS: show the EXP field as TC, as per RFC 5462.
ICMP: redo MPLS Extension code as general ICMP Extension code.
VQP: Do not print unknown error codes twice.
Juniper: Add some bounds checks.
Juniper: Don't treat known DLT_ types as "Unknown".
lwres: Fix a length check, update a variable type.
EAP: Fix some undefined behaviors at runtime.
Ethernet: Rework the length checks, add a length check.
IPX: Add two length checks.
Zephyr: Avoid printing non-ASCII characters.
VRRP: Print the protocol name before any GET_().
DCCP: Get rid of trailing commas in lists.
Juniper: Report invalid packets as invalid, not truncated.
IPv6: Remove an obsolete code in an always-false #if wrapper.
ISAKMP: Use GET_U_1() to replace a direct dereference.
RADIUS: Use GET_U_1() to replace a direct dereference.
TCP: Fix an invalid check.
RESP: Fix an invalid check.
RESP: Remove an unnecessary test.
Arista: Refine the output format and print HwInfo.
sFlow: add support for IPv6 agent, add a length check.
VRRP: add support for IPv6.
OSPF: Update to match the Router Properties registry.
OSPF: Remove two unnecessary dereferences.
OSPF: Add support bit Nt RFC3101.
OSPFv3: Remove two unnecessary dereferences.
ICMPv6: Fix output for Router Renumbering messages.
ICMPv6: Fix the Node Information flags.
ICMPv6: Remove an unused macro and extra blank lines.
ICMPv6: Add a length check in the rpl_dio_print() function.
ICMPv6: Use GET_IP6ADDR_STRING() in the rpl_dio_print() function.
IPv6: Add some checks for the Hop-by-Hop Options header
IPv6: Add a check for the Jumbo Payload Hop-by-Hop option.
NFS: Fix the format for printing an unsigned int
PTP: fix printing of the correction fields
PTP: Use ND_LCHECK_U for checking invalid length.
WHOIS: Add its own printer source file and printer function
MPTCP: print length before subtype inside MPTCP options
ESP: Add a workaround to a "use-of-uninitialized-value".
PPP: Add tests to avoid incorrectly re-entering ppp_hdlc().
PPP: Don't process further if protocol is unknown (-e option).
PPP: Change the pointer to packet data.
ZEP: Add three length checks.
Add some const qualifiers.
Building and testing:
----------------------
Update config.guess and config.sub.
Use AS_HELP_STRING macro instead of AC_HELP_STRING.
Handle some Autoconf/make errors better.
Fix an error when cross-compiling.
Use "git archive" for the "make releasetar" process.
Remove the release candidate rcX targets.
Mend "make check" on Solaris 9 with Autoconf.
Address assorted compiler warnings.
Fix auto-enabling of Capsicum on FreeBSD with Autoconf.
Treat "msys" as Windows for test exit statuses.
Clean up some help messages in configure.
Use unified diff by default.
Remove awk code from mkdep.
Fix configure test errors with Clang 15
CMake: Prevent stripping of the RPATH on installation.
AppVeyor CI: update Npcap site, update to 1.12 SDK.
Cirrus CI: Use the same configuration as for the main branch.
CI: Add back running tcpdump -J/-L and capture, now with Cirrus VMs.
Remove four test files (They are now in the libpcap tests directory).
On Solaris, for 64-bit builds, use the 64-bit pcap-config.
Tell CMake not to check for a C++ compiler.
CMake: Add a way to request -Werror and equivalents.
configure: Special-case macOS /usr/bin/pcap-config as we do in CMake.
configure: Use pcap-config --static-pcap-only if available.
configure: Use ac_c_werror_flag to force unknown compiler flags to fail.
configure: Use AC_COMPILE_IFELSE() and AC_LANG_SOURCE() for testing flags.
Run the test that fails on OpenBSD only if we're not on OpenBSD.
Source code:
-------------
Fix some snapend-changing routines to protect against pointer underflow.
Use __func__ from C99 in some function calls.
Memory allocator: Update nd_add_alloc_list() to a static function.
addrtoname.c: Fix two invalid tests.
Use more S_SUCCESS and S_ERR_HOST_PROGRAM in main().
Add some comments about "don't use GET_IP6ADDR_STRING()".
Assign ndo->ndo_packetp in pretty_print_packet().
Add ND_LCHECKMSG_U, ND_LCHECK_U, ND_LCHECKMSG_ZU and ND_LCHECK_ZU macros.
Update tok2strbuf() to a static function.
netdissect.h: Keep the link-layer dissectors names sorted.
setsignal(): Set SA_RESTART on non-lethal signals (REQ_INFO, FLUSH_PCAP)
to avoid corrupting binary pcap output.
Use __builtin_unreachable().
Fail if nd_push_buffer() or nd_push_snaplen() fails.
Improve code style and fix many typos.
Documentation:
---------------
Some man page cleanups.
Update the print interface for the packet count to stdout.
Note that we require compilers to support at least some of C99.
Update AIX and Solaris-related specifics.
INSTALL.txt: Add doc/README.*, delete the deleted win32 directory.
Update README.md and README.Win32.md.
Update some comments with new RFC numbers.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The size on glibc depends on time_t size which is 64bit on newer
architectures like rv32 while on musl it is indicated by _FILE_OFFSET_BITS
therefore check for both
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With export PYTHONHASHSEED="1" there will be no need for patching samba and its related libs
So easier maintenance and a cleaner OE
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current handling of /etc/resolv.conf by NM has some problems.
When networkd is not configuring network, and there's 'ip=dhcp'
in kernel command line, the /run/NetworkManager/resolv.conf file
is not created, resulting in /etc/resolv.conf being a dead symlink.
This is because NM is treating the network interface as externally
configured and will not try to reconfigure it again.
This means if we want NM to work properly with /etc/resolv.conf,
we've got to either ensure there's no 'ip=dhcp' in kernel command
line, or we've got to ensure networkd is configuring network. This
is weird because normally we should not enable two network managers
at the same time. Note that NM syncs part of its codes with networkd,
which is the reason I think it happens to work when these two network
configuration tools are configuring the same interface at the same
time.
In fact, NM now works well with resolved. It sends the DNS info it
gets to resolved unconditionally by default (the behavior could be
disabled in configuration file).
Looking at the original commit that sets up the update-alternatives
mechanism, it says:
"""
This brings the networkmanager in sync with how systemd-resolved and connman
work. Additionally this allows it to function with a read-only rootFS.
"""
I guess the author was using systemd but disabling resolved, and the author
wanted to use read-only rootFS. In order to keep such combination still works,
change to use PACKAGECONFIG to handle things, and when 'man-resolv-conf' is
enabled, the above combination could still work.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
MDNS_VERSIONSTR_NODTS disables __DATE__ and __TIME__ in the version string,
which are fixed anyway for build reproducibility.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Fix bug in --dynamic-host when an interface has /16 IPv4
address.
Add --fast-dns-retry option.
Add --use-stale-cache option.
Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
handle removal of whole files or entries within files.
Add --no-round-robin option.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current location has no effect, because NetworkManager
is not looking for config files there.
In meson.build, we have:
nm_pkglibdir = join_paths(nm_prefix, 'lib', nm_name)
config_extra_h.set_quoted('NMLIBDIR', nm_pkglibdir)
It's clear that the configuration directory should be
nonarch_libdir instead of libdir.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without this patch, even if dhcpcd is enabled, the NetworkManager
cannot find it. Below are the messages from NetworkMananger:
dhcp: init: DHCP client 'dhcpcd' not available
dhcp: init: Using DHCP client 'internal'
The problem is that dhcpcd needs to be specified as a path, otherwise
NetworkManager tries to find it in /usr/sbin/dhcpcd.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Reinstate and rework patches from @garmin.com dropped in 21afab4609
("mdns: update to version 1096.40.7") as these were the functional
pieces of this series; we should either maintain it as a whole or drop
it in its entirety. With this update and without this series,
steady-state operation is a constant churn of all names being removed
and re-added every few seconds. These were refactored to handle the move
to getifaddrs() from get_ifi_info().
Check and cleanup all the other patches, much of which was redundant.
Move source releases to github which is where the Apple site now
redirects to (though these are still effectively just tarball dumps into
git).
Cleanup the recipe so it doesn't override all the packaging defaults.
Fixup musl installs so they don't fail attempting to patch a
non-existent /etc/nsswitch.conf.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to install postfix and lib32-postfix at same time:
| Error: Transaction test error:
| file /etc/postfix/sample-main.cf conflicts between attempted installs of
lib32-postfix-cfg-3.7.3-r0.i586 and postfix-cfg-3.7.3-r0.core2_64
Rename sample-main.cf with ${MLPREFIX}.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Add smcroutectl batch support, issue #189. Based on the IPC support added in issue #185
- Fix#178: invalid systemd daemon type Simple/Notify vs simple/notify
- Fix#179: typo in wildcard routes section of README
- Fix#180: minor typo in file and directory names in documentation
- Fix#183: casting in IPC code hides error handling of recv()
- Fix#186: NULL pointer dereference in utimensat() replacement function.
Found accidentally by Alexey Smirnov. Only triggered on systems that don't
have a native utimensat() in their C-library, or if you try to build
SMCRoute without using its own build system ...
- Fix#187: strange behavior joining/leaving the same group
- Fix#192: typo in README
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The checksum was not updated when the recipe version was stepped.
Also simplify the SRC_URI by replacing "${BPN}-${PV}" with "${BP}".
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This reverts commit e154914718.
The change of SRC_URI was probably triggered by the checksum for the
tarball not having been updated when the recipe version was stepped.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes a nasty bug where the shown device list doesnt match the underlying
MAC list, resulting in connecting to a different device than selected.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix:
--------
Do not use 00:00:00:00:00:00 as chassis ID.
Do not busy loop when an interface with a neighbor disappears.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
* IP condfiguration is no longer required in TAP mode.
* Fix initialization of secret flags.
* Add support for DOMAIN-SEARCH option.
* Set data-ciphers option with chosen cipher.
* Update Brazilian Portuguese, Croatian, Danish, Georgian, Polish, Serbian,
Slovenian, Swedish, Turkish and Ukrainian translations.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to start radiusd.service from lib32-freeradius that the
configure directory is /etc/lib32-raddb rather than /etc/raddb. So add
an environment file to export a variable MLPREFIX for the service file
to make it start successfully.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It depends on it, but it was being pulled in via glib-2.0
which now uses libpcre2
Fixes
TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/ettercap/0.8.3.1-r0/recipe-sysroot-native/usr/lib/libpcre.so: file not recognized: file format not recognized
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is no need for these configs on their own and they would only mess
up the sechash and privdrop configs. To actually enable sechash one also
had to enable nss, and to enable privdrop one also had to enable libcap.
This also avoids passing --with-libcap if privdrop is enabled since the
option does not exist.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Support for readline was dropped in Chrony 4.2. However, the
--disable-readline option still remains (it is used to completely ignore
all forms of command line editing, even though the only remaining
variant is editline). So keeping the readline PACKAGECONFIG and making
it pass --disable-readline when it is not enabled disabled support for
editline, and if it was enabled it instead passed --without-editline,
which also disabled support for editline. Thus there was no way to
enable editline support.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
After updating current poky master python3-fcntl is not installed
into my image anymore. Blueman-applet fails to run with
Error: No module named 'fcntl''Module fcntl not found'
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
---------
Fix for possible buffer zeroization overrun introduced at the end of
v5.5.2 release cycle in GitHub pull request 5743 (#5743) and fixed in
pull request 5757 (#5757). In the case where a specific memory allocation
failed or a hardware fault happened there was the potential for an overrun
of 0's when masking the buffer used for (D)TLS 1.2 and lower operations.
(D)TLS 1.3 only and crypto only users are not affected by the issue.
This is not related in any way to recent issues reported in OpenSSL.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Security bugfixes
-----------------
OpenSSL DLLs updated to version 3.0.7.
New features
------------
Provided a logging callback to custom engines.
Bugfixes
---------
OpenSSL DLLs updated to version 3.0.6.
Fixed "make cert" with OpenSSL older than 3.0.
Fixed the code and the documentation to use concious language for SNI servers (thx to Clemens Lang).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
tls-crypt-v2: bail out if the client key is too small
Remove useless empty line from CR_RESPONSE message
Allow running a default configuration with TLS libraries without BF-CBC
Change command help to match man page and implementation
Fix OpenVPN querying user/password if auth-token with user expires
t_client: Allow to force FAIL on prerequisite fails
t_client.sh: do not require fping6
Preparing release 2.5.8
msvc: add branch name and commit hash to version output
Update the replay-window backtrack log message
Do not skip ERROR:/SUCCESS: response from management interface
Fix auth-token usage with management-def-auth
Allow a few levels of recursion in virtual_output_callback()
Ensure --auth-nocache is handled during renegotiation
Purge auth-token as well while purging passwords
Do not copy auth_token username to itself
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Make run-ptest use the correct libdir for multilib builds.
Log the ptest output to a date stamped file and append a test summary
to the end of the log.
Munge the log as it is produced to:
- insert the expected automake keywords: PASS and FAIL.
- remove escape sequences used for ANSI colours as well as movement commands
Add additional discrete tool dependencies to the nftables-ptest list since
the test suite does not work with the busybox versions.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Call pcap_dump_close() on the output file.
- Implement new flags in ./configure: --enable-instrument-functions,
--without-libnids, --without-libosipparser2 and --without-libooh323c.
- autoconf: Add the option to print functions and files names
- Update config.{guess,sub}, timestamps 2022-01-09,2022-01-03
- configure: use pcap-config --static-pcap-only if available
- Remove awk code from mkdep.
- Refine the man page.
- Refine the documentation files.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add github-releases to make new releases discoverable.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bugs fixed
==========
Errors when connected to a device with the DisconnectItems plugin enabled
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Switch from using tarball to git because the 2.3.2 tarball lacks the
meson_options.txt file.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2022-37032:
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may
lead to a segmentation fault and denial of service. This occurs in
bgp_capability_msg_parse in bgpd/bgp_packet.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37032
Patch from:
066770ac1c
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Need the targets file to enable the mctpd.service on systemd.
Signed-off-by: Hao Jiang <jianghao@google.com>
Change-Id: I8d48d3767760dc1f34ae7e1266600d350ac93281
Changes since 4.4.3 (Bug Fixes)
Corrected a reference count leak that occurs when the server builds
responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
Lab for reporting the issue.
[Gitlab #253]
CVE: CVE-2022-2928
Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63
bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
[Gitlab #254]
CVE: CVE-2022-2929
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Allow spice to be built on ARM64 as well, so add aarch64
entry to COMPATIBLE_HOST.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Drop 0001-Make-HgfsConvertFromNtTimeNsec-aware-of-64-bit-time_.patch
and 0013-misc-Do-not-print-NULL-string-into-logs.patch which have been
merged upstream.
* Refresh patches.
* Do not build containerinfo plugin as it requries containerd.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
New features
OpenSSL 3.0 FIPS Provider support for Windows.
Bugfixes
Fixed building on machines without pkg-config.
Added the missing "environ" declaration for BSD-based operating systems.
Fixed the passphrase dialog with OpenSSL 3.0.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/5.9.8
* Drop PACKAGECONFIG[scep] as scepclient has been removed.
* Add plugin-gcm to RDEPENDS as gcm plugin has been added to the default
plugins.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The correct parameter to disable readline usage is --disable-readline
and not --without-readline.
See also chrony source at:
https://github.com/mlichvar/chrony/blob/master/configure#L110
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The configure script present in chrony will explicitly look for
pkg-config and without the pkgconfig class it will fail:
Checking for pkg-config : No
This then affects the possibility (via image features or bbappend)
to use features based on nettle/gnutls/nss which strictly require
pkgconfig to be present and working.
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
clang errors out linking lto objects
riscv64-yoe-linux-musl-ld: /tmp/lto-llvm-d497c5.o: can't link soft-float modules with double-float modules
This is something needs to be addressed in clang for riscv
as of now disable lto for rv32/rv64 when using clang
Signed-off-by: Khem Raj <raj.khem@gmail.com>
open62541 (http://open62541.org) is an open source and free implementation
of OPC Unified Architecture according to IEC62541 standard
The patch exclude git-related files from installation directory
Upstream-Status: Accepted
a0328d4cb5
Signed-off-by: Vyacheslav Yurkov <v.yurkov@precitec.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop 0001-avoid-naming-local-function-as-one-of-printf-family.patch as
the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport patches to fix build error with --disable-ospfapi and
CVE-2022-37035.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since it's included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This runtime dependency was already added for ntpd but not yet for the
sntp binary. This will result in an error when pthread_exit() is called:
"libgcc_s.so.1 must be installed for pthread_cancel to work"
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
brings in
Added
mdio: A new addressing mode "mmd-c22": Used to access MMDs attached
to MDIO controllers without Clause 45 support by using registers 13
and 14 in the device's Clause 22 register space
mdio: Pretty print gigabit link capability information from a PHY's
extended status register
mdio: Pretty print lots of status information from MMDs (C45 PHYs)
mvls: Decode priority override information of ATU entries
Changed
mvls: Table listings now always prints out the device information,
even on single chip systems.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop merged backport of 7e20aa9ef172 ("coap_session.c: Balance
SESSIONS_ADD and SESSIONS_DELETE usage").
c694baead2f9 Update version to release 4.3.1
ab9488559f5e Doxygen: Fix missing links for later versions of asciidoc
144f9c4381c1 Manual pages: Update NAME section to contain all of the alternative names
707aed35d39b Doxygen: Hyperlink man page functions
46feac2455ab Misc: Tidy up documentation and space usage
d09204e24aba Doxygen: Add in individual man pages for the ease of finding the functions
09aab40d14f9 Tag release candidate 2 for version 4.3.1
2755af4d1a16 block.c: Clarify ignored result from coap_get_data()
5f0eea8dbbc4 coap_session.c: Fix adding NULL pointer on error in coap_new_server_session()
ea89cb842cf6 coap_cache.txt.in: Fix typo in function name
922e81a0d21f Doc: Include statement about upgrading to 4.3.1
5c498249e7e7 ChangeLog: Add summary for version update to 4.3.1
4f12b9be1b7b coap_event.h: Clean up Doxygen documentation for coap_event_t
43bfbea924e0 Copyright: Update dates to 2022 where appropriate
37731524a0ad RFC8516: Document support
a7b2f2b4901b block.c: Timeout coap_lg_crcv_t structures correctly
f4507e6e9adb Block: Report event on large xmit failures
3d387a5be485 block.c: Correct size of allocated PDU buffer
6a9a787503ec Observe: Clean up server timing out after observe failures
725e464421e0 mcast: Tidy up logging
381ff3d94da2 PDU Data: Clean up internal usage of PDU data
0f0cac71f5e5 Observe: Support disabling observe cancellation on session close
bc4c75060b86 coap_mbedtls.c: Fix output type of a log message
b8f01cef06f0 net.c: Move variable into correct block
58a8b338045b net.c: Send appropriate delayqueue entries in coap_cancel_all_messages()
b4306bb79162 observe: Make sure the correct token in used for cancellation
c68d1e9fe785 mutex: Do not output mutex warnings for LwIP and Contiki
7f551fcea56b coap_mbedtls.c: Upgrade to mbedTLS v3.2.1 - Updated the deprecated APIs with the respective alternatives - `mbedtls_ssl_conf_min_version` => `mbedtls_ssl_conf_min_tls_version` - Updated fields for `mbedtls_ssl_ciphersuite_t` - `max_major_version`/`max_minor_version` => `max_tls_version` - Added macros for backward compatibility
8c15b896ef30 esp-idf: Stop -Wformat errors for uint32_t variables
0ca2fd4a90b5 Tag release candidate 1 for version 4.3.1
9962bab56f6b Updated tinydtls to current develop HEAD
8fbe440f8aaa coap_io.c: Updates for esp-idf port
d2306569d16a proxy: Make proxy requests separate responses
98ecf5a2a166 tinydtls: Update submodule to latest version
8c973a454e73 mid_duplicates: Drop general responses duplicates
dc92fe5e1ea6 coap.h.windows.in: Fix missing file renames
347270b9abc4 file naming: Rename files to have coap_ prefix
8b9377ef2ad4 coap_mbedtls.c: Fix memory leak
e8052b3988ec resource.c: Further fix making subscribers iteration safe
f93b9a3e37cf coap_mbedtls.c: Catch connection reset in coap_tls_write
d5bcb8159b73 resource.c: Make subscribers iteration safe in coap_notify_observers
0d9f2531e5dd coap_session.c: Free off session's last_token on session deletion
415fbdb7cddf RFC9175: Add in support for the Echo and Request-Tag options
88ae9563e665 mcast support: Support multicast granular to the resource level
73565196a8f3 block.c: Fix error handling with Block transfers
132c72619032 net.c: Handle multiple same token request/responses
d68f5d6f5713 net.c: Handle well_known requests when there is no libcoap block support
fe51d3335e81 lwip: Fix minor issues
6046dcbd5589 net.c: Fix broken client only build
20f15a17d698 Large Observes: Prevent server sending new response if active response
5a10ce4890ff Congestion Control: add in RFC7252 configuration flexibility
41afb92141c5 net.c: Update .well-known/core handling to use common logic
6b32ed3de2fb coap_io.c: Track ICMP Host Administravely Prohibited error
279755b1df9e coap_send: Make error checks for coap_send() more rigorous
925d39fd8cfb coap-server.c: Cleanup misplaced comment
c77176714770 coap_gnutls.c: Handle another error in do_gnutls_handshake()
801e5492f2e6 CSM: Move coap_client_delay_first() to later in code processing
346a831cd604 block.c: Correctly preset updated_block variable
56db248daba6 async.c: Remove white space
256a758e0273 TLS SIGPIPE: Stop programs exiting with code 141 (128 + 13:SIGPIPE)
6649bdef39db net.c: fix null pointer exception
03a9059439d0 BERT: Support block BERT szx of 7 for reliable protocols
445a9481deca RFC7390: Update support for RFC7390
428f759659a4 coap_mbedtls.c: Fix coap_rng() return for 3.x code
1b2668f562e9 CMakeLists.txt: Correctly determine cmsghdr support for determining addresses
21fd838dc781 coap_io_prepare_io: Re-order function code for correctly updating sockets[]
cfbf3ab617f8 doc/main.md: Update copyright year
f28044303abe net.c: Make sure separate response is CON for CON requests
069a0786ce85 CSM: Support different XMT and RCV Max-Message-Size
9cbe5757cb69 recursive mutex: Stop recursive Mutex when doing handler callbacks
d9c19c378f3f event.h: Add events for server session state management
7e20aa9ef172 coap_session.c: Balance SESSIONS_ADD and SESSIONS_DELETE usage
806861359b81 configure.ac: Allow using non-vendored TinyDTLS with autotools build
6c8b76d534a0 tinydtls: Update to latest version
aa391b5b7601 async: Handle changes to delay when using epoll
65cba25cc7e5 coap-client.c: Delay sending each request using -G by 1 second
d57d44aa142a block.c: Fix data leak in coap_add_data_large_internal
eb7656850f1c pdu.h: Add Content-Format for application/ace+cbor
c8458f262ab8 coap_mbedtls.c: Fix return brace location
583c29fd47d9 coap_mbedtls.c: Make TLS error recovery more rigorous
02deef8da6ac coap_prng.c: Added alternate RNG implementation - For targets having their own hardware entropy/RNG implementation using mbedtls_hardware_poll() - This change was made as since mbedtls-3.x, passing a RNG function to all functions that accept a f_rng parameter is mandatory
916a534e170b coap_mbedtls.c: Upgrade to mbedTLS v3.x - Added MBEDTLS_ALLOW_PRIVATE_ACCESS to access private struct members wherever required - Updated deprecated functions from hashing module (E.g. mbedtls_sha256_starts_ret() -> mbedtls_sha256_starts()) - Added mandatory RNG parameter for some functions (mbedtls_pk_parse_keyfile(), mbedtls_pk_parse_key()) - Remove support for parsing SSLv2 ClientHello
b42c184f74a6 block.c: Fix possible null-pointer dereference
df72a53f2d66 coap_openssl.c: Support Microsoft VS builds
0f76881802af autogen.sh: Fix missing file ar-lib
19928e81bd42 builds: Set CFLAGS += -Werror in all linux subdirectory compilations
b2ad43319a0f doc/Makefile.am: Include module_api_wrap.h in a distribution
dfc678c33bd1 Proxy: Support unknown Critical but Safe-To-Forward options
93f2738c451d coap_pdu_setup.txt.in: Clarify / more make readable the pdu setup information
5b32d716fa03 github workflow: Support windows-2022
bd9ced550e07 pdu.c: Fix coap_insert_option with delta = 269
ba585f848ff5 [OSS-Fuzz] pdu_parse_target.c: Check result of coap_pdu_parse()
a2e0046c802f [OSS-Fuzz] pdu_parse_target.c: Fix compiler warning
b3d503cbff07 sessions: Prevent multiple client session confusion
726b9630e51f coap_block.txt.in: Clarify / more make readable the block handling information
756bb042395d pdu building: Enforce the application order of building a PDU
c02ca5f097d6 coap_pdu_access.txt.in: Add in documentation for coap_get_uri_path()
aaf611559482 proxy_uri: Fix handling the resource for uri path in Proxy-Uri
a8c00f2af9c6 coap_pdu_setup.txt.in: Better document coap_encode_var_safe8()
64e56410177b versioning: Make current git describe available
0a16d790ce53 cmake_coap_config.h.in: Fix definitions for when building with tinydtls
17aaa81b5ad3 Caching: Highlight requirements ignoring certain CoAP Options
74582eddde28 resource.c: Support deleting resources that have not yet been added
32d2d0e1c62b request_handler: Report only when app's request handler is actually called
5dc2dfca86ec block.c: Do not match large response if no Block2 option in request
18888cd0dde3 cmake: Install example programs if examples enabled
c0e032ffad0b block: Check block size space correctly
693a4e231386 net.c: correct return value in coap_send_internal()
38bffb7f99d9 configure.ac: Fix have mbedtls lib, but no mbedtls-dev issue
694a205f28dc coap-server.c: Fix proxy response type and code
e8e33f0424ad coap-server: Add in POST support for unknown request handler
3f5ec5467a1d coap_cache.c: Correctly build cache key
e43cf9369ac5 RFC7959: Handle both client and server initiating requests
bdf7686613ec coap_write_session: Account correctly for partial TCP writes
76194be8cd3f coap-client.c: Allow time for all server responses to mcast
d395df1a812f coap_session.c: Do not check for duplicate mids if reliable protocol
73389b8192e8 handlers: Clarify which handlers are client only, server only or both
df9071c93eff coap_session.[hc]: Added function to retrieve PSK identity from session
7791897e8f4c api-version-bump.sh: Added missing changes for win32
4834b86067ae pkg-config: Don't use hard coded binary
d139beab67ff pkg-config: Don't use hard coded binary
166ef51ed155 Windows: Update libcoap-2 objects to libcoap-3
31722c208ac9 PSK: Make PSK hint / key / identity retrieval simpler
d746fc24e5a7 coap_pdu_parse: Add to public API
0aeb0d624797 doxygen: Tidy up Modules and Files tab information
f026f5701ece client+server: Reduce code size by building libcoap for client or server only
a7f53b4d6b0a coap_debug.h: Allow <syslog.h> to be included before and after <coap3/coap.h>
77f8cf59702e DTLS/TLS: Support TLS when DTLS is not enabled
587de900c2cc coap_mbedtls.c: Add in TLS support
94b297aae7a5 coap_mbedtls.c: Fix build fail for client only mbedtls
cc2648aef685 net.c: Protect against session release in coap_io_do_io()
ca44071b8afe net.h: do not include sys/select.h in Windows builds
e984f38b8fd6 [DTLS] make buffer sizes for psk and psk_identity configurable
54dbc3eeb815 [RIOT] coap_time.h: fix COAP_TICKS_PER_SECOND for undefined XTIMER_HZ
05e7f12d7ca8 net.h: Include sys/select.h for fd_set
25a59905792f doxygen: Fix summary output for manual pages
a5c0d12354ed doc: Document the coap_can_exit() function
a1d78d505d98 tiny.c: Fix message id generation
67f189f134a2 CMakeLists.txt: Fix macOS builds by checking for if_nametoindex support
8ce139d349bc coap_event.h: Make coap_event_t an enum
b0ca3ae643d1 resource.c: Delete previous subscription correctly
98b9179d5666 async: Correct MID usage in response
c61748f4dd33 RFC7959: session->lg_xmit not being released for a server
482be755fe29 gnutls: GNUTLS_CRT_RAW not defined
e0d6477b5ec9 man: Update man page documentation
d52986f00459 coap_resource_init: Leading '/' is not required for uri_path
60c69557f3d5 pdu.h: Remove unassigned response code COAP_RESPONSE_CODE_OK
87fab6d573cf coap_mbedtls.c: Allow ESP-IDF systems to be compiled without PSK support
77d1aae06b17 Fix condition for MBEDTLS_INCLUDE_DIRS
4bbf25ba338a coap-client: Add in support for generating multiple requests
50530704df9a tinydtls: update to latest version
License-Update: Update year
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- drop included patches
- refresh remaining patches
- update to new ptest
Licence change: update year
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond
with the earlier change to use setuptools3_legacy instead of distutils3.
Without this change, you will get the following error if your build host
does not have iptables installed:
Fixes:
ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed.
Log data follows:
| DEBUG: Executing shell function do_compile
| ERROR: could not find required binary 'iptables'
| ERROR: 'python3 setup.py build ' execution failed.
| WARNING: exit code 1 from a shell command.
ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1'
Also, although the build will not fail on a host that has iptables, it
could cause a problem if it is installed at a different path than where
OpenEmbedded's iptables will be installed on the target.
Fixes: 3e2ed1dcc0 ("ufw: port to setuptools, use setuptools_legacy")
Signed-off-by: Howard Cochran <howard_cochran@jabil.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Enable meson for building open-isns, deprecating autoconf/make (though the current build system still works)
Add a package config file for libisns, so other software can find it
Fix some compiler warnings and spelling errors
Make IPv6 default socket type
Fix isnsadm parsing of some arguments
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
* Add support for "allow-compression" parameter.
* Fix a regression in preserving the "tls-auth" settings.
* Add support for "tls-min" and "tls-cipher" parameters.
* Include the new gnome-control-center name in the AppData file.
* Drop libnm-glib support, nobody is likely using it anymore.
* Fix importing profiles with a PKCS#12 CA.
* Make sure the plugin object links with glib.
* Dropped dependency on intltool.
* Updated Basque, Brazilian Portuguese, Chinese (China), Croatian, Czech,
Danish, Dutch, Georgian, Indonesian, Polish, Serbian, Spanish, Swedish,
Turkish and Ukrainian translations.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libatm uses res_search which is provided by libc now a days in both
glibc and musl, we dont need to error out if libresolv is not found
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were missing a comma so were being added as RRECOMMENDS.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
POSIX_SHELL is specified a host tool path as it searches path on build
host using `which` when configure. Set it to a fixed path '/bin/sh'.
Fixes:
QA Issue: File /usr/bin/tcpbridge in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpliveplay in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcprewrite in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpcapinfo in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpreplay in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpprep in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpreplay-edit in package tcpreplay contains reference to TMPDIR [buildpaths]
QA Issue: File /usr/src/debug/tcpreplay/4.4.2-r0/src/defines.h in package tcpreplay-src contains reference to TMPDIR [buildpaths]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This ensures that it can use the sed provided by build environment, as
we poison host sysroots, we wont be able to get it from /usr/bin anyway
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport a patch from upstream to fix musl builds
Merged inc file into bb file, makes it easy to use devtool
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Disable on musl since its using some non-portable glibc only constructs
Drop gettid patch its applied upstream
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Dates and address changed
Link with libtirpc for bindresvport() implementation
Drop krb5 packageconfig, its gone from this version
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NetworkManager:
* Drop unused, internal systemd DHCPv4 client. This is long
replaced by nettools' n-dhcp4 implementation.
* The nmcli command now supports --offline argument with "add" and
"modify" commands, allowing operation on keyfile-formatted connection
profiles without the service running (e.g. during system provisioning).
* The device state file /run/NetworkManager/devices/$ifindex now has
new sections [dhcp4] and [dhcp6] containing the DHCP options for the
current lease.
* Add multipath TCP (MPTCP) support. NetworkManager can now configure IP addresses
as MPTCP endpoints. This is configurable via the "connection.mptcp-flags"
property. The default setting is such that MPTCP handling is automatically
enabled if the kernel sysctl "/proc/sys/net/mptcp/enabled" indicates so.
NetworkManager does not enable the MPTCP sysctl or adjust the limits (ip mptcp limits).
The administrator or the distribution is supposed to configure the desired system
settings.
Note that strict reverse path filtering (rp_filter) breaks many MPTCP use cases.
With MPTCP handling enabled, NetworkManager will relax a strict (1) rp_filter
to loose (2). Otherwise rp_filter is untouched by NetworkManager.
* NetworkManager expanded log messages for invalid DHCP options.
* Fix the requirement of hardware address for DHCPv6, by dropping it.
* Increase the PMK lifetime for Wi-Fi connections using WPA-EAP.
* "nmcli networking off" now waits for deactivations to complete.
* Improve the appearance of nm-settings-nmcli man page by preserving
paragraphs.
* Support enabling ipv4ll alongside DHCPv4 and static addressing.
* Support configuring "ipv6.mtu".
* Honor "nm.debug" kernel command line to enable debug logging of
NetworkManager.
* NetworkManager reads the kernel command line "/proc/cmdline" for several
purposes, including "nm.debug" for enabling debugging and the
"match.kernel-command-line" setting in the profile. NetworkManager now
first looks now for "/run/NetworkManager/proc-cmdline", which allows to
overwrite the command line.
* Improve the reapply of non-bridge properties.
* Honor adding a Bluetooth NAP connection with all available methods.
* Improve carrier detection.
* During the build, stop relying on intltool for i18n and use gettext only.
* Undeprecate nm_remote_connection_get_secrets() in libnm.
* NetworkManager now will restart DHCP if the MAC changes on a device.
* Several internal improvements.
Recipe:
* Drop the last patch :-). -Difcfg_rh=false is now honored and the
distro detection patch is no longer needed.
* Fix: move /etc/resolv-conf.NetworkManager to daemon package
* Fix: remove ppp rdepends from daemon. The ppp plugin rdepends on ppp.
* ifupdown plugin requires now bash not sh. But the ifupdown is an
optional plugin anyway.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a patch to avoid implicit-function-declaration warnings, they will
soon become errors with clang 15+
set path for privatelibdir
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The test case tfork_cmd_send in smbtorture fails on target as it
requries a script located in the source directory:
$ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
test: tfork_cmd_send
/buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh:
Failed to exec child - No such file or directory
This also triggers the buildpaths warning:
QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
Skip this test case in smbtorture to avoid the warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Use _GNU_SOURCE to compile which helps fixing build with musl
add a header reordering patch to again fix another issue with musl
builds
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This makes it simpler to set specific config options or custom sources
by adding snippet files to /etc/chrony/conf.d/ or /etc/chrony/sources.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.
These specific directories are also used in Debian's default
configuration. It is not an error if they are missing.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The pass-ptest-env.patch uses ${B}/extensions as the EXTENSIONS_DIR at build
time and pass the env variable EXTENSIONS_DIR as ${libdir}/${fd_pkgname} at
run time to fix the run time error. But there still exists buildpaths issue.
So rework the pass-ptest-env.patch to make sure EXTENSIONS_DIR to be
${libdir}/${fd_pkgname} both in build and run time.
Fixes:
WARNING: freediameter-1.4.0-r0 do_package_qa: QA Issue: File /usr/lib/freeDiameter/ptest/testloadext in package freediameter-ptest contains reference to TMPDIR
File /usr/lib/freeDiameter/ptest/testmesg_stress in package freediameter-ptest contains reference to TMPDIR
File /usr/lib/freeDiameter/ptest/CTestTestfile.cmake in package freediameter-ptest contains reference to TMPDIR [buildpaths]
WARNING: freediameter-1.4.0-r0 do_package_qa: QA Issue: File /usr/src/debug/freediameter/1.4.0-r0/build/libfdcore/fdd.tab.c in package freediameter-src contains reference to TMPDIR
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Features
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
- Fix verbose EDE error printout.
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
- For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
cross-compiler versions.
- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
And fixup the lock code.
- iana portlist update.
- Update documentation for 'outbound-msg-retry:'.
- Tests for ghost domain fixes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
wscript detects .git directory and if its present them invokes git
describe --dirty which does not work on the devtool created git
repository, since its synthesized.
Add GNU_SOURCE define to get strptime() definition
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- This will move the dependencie of bash to wg-quick
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Also change the git protocol to https.
Relevant changes:
- 18fbcd6 version: bump
- 3ec3e82 compat: handle backported rng and blake2s
- ba45dd6 qemu: give up on RHEL8 in CI
- c7560fd qemu: set panic_on_warn=1 from cmdline
- 33c87a1 qemu: use vports on arm
- 894152a netns: limit parallelism to $(nproc) tests at once
- f888673 netns: make routing loop test non-fatal
- f9d9b4d device: check for metadata_dst with skb_valid_dst()
- f909532 qemu: enable ACPI for SMP
- ec89ca6 socket: ignore v6 endpoints when ipv6 is disabled
- fa32671 socket: free skb in send6 when ipv6 is disabled
- ffb8cd6 qemu: simplify RNG seeding
- 4eff63d queueing: use CFI-safe ptr_ring cleanup function
- 273018b crypto: curve25519-x86_64: use in/out register constraints more precisely
- 4f4c019 compat: drop Ubuntu 14.04
- 743eef2 version: bump
- 3c9f3b6 crypto: curve25519-x86_64: solve register constraints with reserved registers
- 8e40dd6 compat: udp_tunnel: don't take reference to non-init namespace
- ea6b8e7 compat: siphash: use _unaligned version by default
- 5325bc8 ratelimiter: use kvcalloc() instead of kvzalloc()
- e44c78c receive: drop handshakes if queue lock is contended
- 5707d38 receive: use ring buffer for incoming handshakes
- 68abb1b device: reset peer src endpoint when netns exits
- ea3f5fb main: rename 'mod_init' & 'mod_exit' functions to be module-specific
- cb001d4 netns: actually test for routing loops
- 2715e64 compat: update for RHEL 8.5
- 2974725 compat: account for grsecurity backports and changes
- 50dda8c compat: account for latest c8s backports
- d378f93 version: bump
- fb4a0da qemu: increase default dmesg log size
- 8f4414d qemu: add disgusting hacks for RHEL 8
- fd7a462 allowedips: add missing __rcu annotation to satisfy sparse
- 383461d allowedips: free empty intermediate nodes when removing single node
- 03add82 allowedips: allocate nodes in kmem_cache
- b56d48c allowedips: remove nodes in O(1)
- 3c14c4b allowedips: initialize list head in selftest
- 4d8b7ed peer: allocate in kmem_cache
- 6fbc0e6 global: use synchronize_net rather than synchronize_rcu
- 405caf0 kbuild: do not use -O3
- b50ef4d netns: make sure rp_filter is disabled on vethc
- e67b722 version: bump
- 1edffe2 Revert "compat: skb_mark_not_on_list will be backported to Ubuntu 18.04"
- 2cf9543 compat: update and improve detection of CentOS Stream 8
- 122f06b compat: icmp_ndo_send functions were backported extensively
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Self-description from the README: mdio-tools is a low-level debug tool
for communicating with devices attached to an MDIO bus.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
-On very low speed transfers (<10Kbps) sessions would time out due to a very
large interpacket transmission interval. Fixed by putting a lower limit
on the advertised GRTT of of the interpacket transmission interval.
-Sending of ABORT messages on early shutdown would sometimes fail due to
OpenSSL cleanup functions running before application cleanup. Changed the
ordering of atexit() handlers to ensure OpenSSL cleanup happens last.
-Fixed missing timestamp update when clients read CONG_CTRL messages
-Fix to GRTT handling on server to ensure it doesn't fall below minumim.
-Fixed bypassed checking of existing files on client for backup
-Various logging fixes
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix when correcting large time offsets (bug introduced in 1.3.5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When largefile distro feature is enabled the relevant flags are needed
to be passed, otherwise large file support wont work, since we are cross
compiling and runtime checks will fail.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade summary:
----------------
- drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with
upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
- drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
- rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
- refresh patches with devtool to get rid of fuzz
Changelog:
----------
*5.9.3*:
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Windows:
- WinExtDLL: Fix multiple compiler warnings
- WinExtDLL: Make long strings occupy a single line Make it easier to
look up error messages in the source code by making long strings
occupy a single source code line.
- WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit
Windows systems") caused snmpd to skip MIB-II on 64-bit systems.
IF-MIB: Update ifTable entries even if the interface name has changed
At least on Linux a network interface index may be reused for a
network interface with a different name. Hence this patch that
enables replacing network interface information even if the network
interface name has changed.
unspecified:
- Moved transport code into a separate subdirectory in snmplib
- Snmplib: remove inline versions of container funcs".
misc:
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
*5.9.2*:
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The NetworkManager meson.build is searching for iptables and nft by
passing absolute paths to meson's find_program. The result is that it
locates tools on the host machine when they exist at those locations. If
they don't, it uses default locations. This often works out, but in some
cases, such as when the host uses a merged usr scheme and the build
target does not, the paths will be incorrect and the tools won't be
found at runtime.
These could be PACKAGECONFIG options, but since they have fallback
values, completely disabling the use of either iptables or nft would
require patching the meson.build or setting a bogus location.
Note that this meson.build file follows the same pattern elsewhere, but
most cases are already covered by PACKAGECONFIG options.
Signed-off-by: Jim Broadus <jim@thruwave.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/5.9.7
* Drop backport patch 0001-enum-Fix-compiler-warning.patch.
* Update RDEPENDS to fix strongswan startup failures:
plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available
plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-Remove-hardcoded-usr-local-includes-from-configure.a.patch
updated for new version.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Needed for automating ssh logins, used in auto-tests.
Co-authored-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Mike Petersen <mike.petersen@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fix-openssl-no-des.patch
refreshed for version 5.65
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.5.
Bugfixes
Fixed handling globally enabled FIPS.
Fixed the default openssl.cnf path in stunnel.exe.
Fixed a number of MSVC warnings.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2015-1611 and CVE-2015-1612 are not referred to our implementation
of openflow as specified by the NVD database, ignore them.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2002-0318 and CVE-2011-4966 are both patched in our version of
freeradius. The CPE in the NVD database doesn't reflect correctly
the vulnerable versions that's why they are incorrectly picked up.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backported patch, switch PACKAGECONFIG assignment to ?= (matches
current practice), add in editline, linenoise CLI options and xtables
option. Switch to --disable-python when building without python to avoid
a configure time warning.
We can drop UPSTREAM_CHECK_REGEX as the version no longer gets confused
by the 0.099 version which exists.
Fix buildpaths warning by switching to setuptools and add dependency on
${PN}-python to ${PN}-ptest so that the embedded paths in the compiled
python files are correct.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The openvpn tarball has additional sample config files which are
generally useful to users, and which are typically distributed in other
distros' openvpn packages.
Include these sample configs in the OE recipe.
Signed-off-by: Bill Pittman <bill.pittman@ni.com>
Rebased to openvpn_2.5.7.
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Firewalld:
This is a feature release. It also includes all bug fixes since v1.1.0.
Details are here: https://firewalld.org/2022/07/firewalld-1-2-0-release
Recipe:
Firewalld defaults to create a log file for debug messages. This is
basically an empty file until firewalld's log level is configured to
debug level. Writing log files requies something like log-rotate to
prevent full disks. The default for OE is to not create files and send
all log messages to syslog (journald).
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The systemd support had been integrated to openvpn for a long time. Add
PACKAGECONFIG for it and use its own service files and volatile file.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2016-4049 is not affecting our version, so we can ignore it.
This is caused because the CPE in the NVD database doesn't specify
a vulnerable version range.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The following CVEs are already patched so we can ignore them:
- CVE-2016-0749
- CVE-2016-2150
- CVE-2018-10893
This is caused by inaccurate CPE in the NVD database.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2018-1078 is not for openflow but in the NVD database the
CVE is for a specific implementation that we don't have so we
can ignore it.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
cve-check is not able to correctly identify many of the patched
CVEs because of the non standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current version of usrsctp is not a release so cve-check
is not able to find the product version. CVE_VERSION is now set
to 0.9.3.0 that is the nearest version in the past starting from
the revision we have.
This is done because we don't have the complete 0.9.4.0 release.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The cdra application is looking for the `regulatory.bin` file that is
installed by the `wireless-regdb` package, but that is not installed
because the RDEPENDS lists`wireless-regdb-static` (which conflicts with
`wireless-regdb`).
Changing RDEPENDS to use `wireless-regdb` instead of
`wireless-regdb-static` allows the cdra application to function
properly.
Example output before this fix was applied:
root@yocto:~# COUNTRY=US crda
failed to open db file: No such file or directory
root@yocto:~# COUNTRY=US strace crda
execve("/usr/sbin/crda", ["crda"], 0xbec80d70 /* 17 vars */) = 0
...
openat(AT_FDCWD, "/usr/local/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
...
write(3, "failed to open db file: No such "..., 50failed to open db file: No such file or directory
) = 50
close(3) = 0
exit_group(-2) = ?
+++ exited with 254 +++
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Drop backport patch 0001-openssl-Don-t-unload-providers.patch
* Backport a patch to fix the build error:
src/libstrongswan/utils/enum.c: In function 'enum_flags_to_string':
src/libstrongswan/utils/enum.c💯9: error: format not a string literal and no format arguments [-Werror=format-security]
100 | if (snprintf(buf, len, e->names[0]) >= len)
| ^~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If 'ppp' packageconfig option is enabled, but the build system does NOT
have pppd binary installed, the build fails with:
| Has header "pppd/pppd.h" : YES
| Program pppd /sbin/pppd /usr/sbin/pppd found: NO
|
| ../NetworkManager-1.36.2/meson.build:570:4: ERROR: Assert failed: pppd required but not found, please provide a valid pppd path or use -Dppp=false to disable it
This is due to meson trying to look for the 'pppd' binary in the build
system when it should not. If the build system does not contain pppd,
the build fails.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Ensure /var/lib/chrony exist to avoid error like:
chronyd.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/chrony: No such>
chronyd.service: Failed at step NAMESPACE spawning /usr/sbin/chronyd: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
Fixed a scenario where SSL traffic was not detected correctly.
* src/dynamic-preprocessors/smtp/snort_smtp.c :
Fixed a possible memory corruption.
* src/dynamic-preprocessors/imap/imap_util.c
src/dynamic-preprocessors/pop/pop_util.c
src/dynamic-preprocessors/smtp/smtp_util.c
src/preprocessors/spp_httpinspect.c :
Fixed malformed packet debug engine output.
* src/preprocessors/Stream6/snort_stream_tcp.c :
Fixed security zones info in intrusion events.
* src/dynamic-preprocessors/appid/fw_appid.c :
Fixed URL lookup failure.
* src/preprocessors/HttpInspect/server/hi_server.c :
Fixed a possible memory leak.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
src/dynamic-preprocessors/appid/fw_appid.c
src/dynamic-preprocessors/appid/fw_appid.h
src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h :
Added support for dns root queries and underflow.
* src/dynamic-preprocessors/smtp/snort_smtp.c
src/Makefile.am
src/dynamic-examples/Makefile.am
src/dynamic-plugins/sf_dynamic_plugins.c
src/dynamic-plugins/sf_dynamic_preprocessor.h
src/dynamic-preprocessors/Makefile.am
src/dynamic-preprocessors/smtp/snort_smtp.h
src/dynamic-preprocessors/smtp/spp_smtp.c
src/smtp_api.h :
Added support to get extra data from SMTP and HTTP into IPS event.
* src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c
src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c :
Added support for login success and failure eventing for IMAP and POP3.
* src/dynamic-preprocessors/appid/hi_server.c :
Added support to handle empty string for SNI/CN/SAN/ORG.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Merge pull request #1178 from yishaih/mlx5_misc
mlx5: Fix check for SQ overflow in bind_mw
mlx5: DR, Add support for modify IP ECN action for CX7
Merge pull request #1175 from zhijianli88/print-style
Merge pull request #1176 from EdwardSro/pr-extend-wqe-class
Merge pull request #1174 from EdwardSro/pr-pyverbs-read-write
Merge pull request #1170 from Hakon-Bugge/rdma_xserver_xclient
Merge pull request #1166 from EdwardSro/pr-tests-fixes
pyverbs/mr.pyx: Make MR and MW print style identical
pyverbs: Extend segments format of WQE class
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update firewalld by 2 major versions, which also includes breaking and
behavioral changes.
Highlights from 0.9 to 1.0:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Details:
- https://firewalld.org/2021/07/firewalld-1-0-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
From 1.0 to 1.1 is mostly a bug fix release update.
Details:
- https://firewalld.org/2022/02/firewalld-1-1-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
Improvements on the recipe:
- Add ptest
- Very helpful to get all the kernel modules
- Long running, probably not suitable for any OE autobuilder
- RRECOMMENS kernel modules, document configuration
- Improve package splitting
- firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK.
The dependencies were not correctly set but the code was ending up
on the target device. Now the code gets into a separate package but
the dependeinces are probably still not complete. Since this is
probably not used anyway it is not tested yet. It's still not
perfect but much better than installing broken stuff to the target
device.
- The dependenices are added to variables instead of rdepends to keep
the meta-qt5 and gnome layers optional also at build-time.
- New packageconfigs: ebtables, ipset. This is mosly required to get the
test suite running but probably also usable otherwise.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Add support for route type "throw".
* Fix bug setting priority for IP addresses.
* Static IPv6 addresses from "ipv6.addresses" are now preferred over
addresses from DHCPv6, which are preferred over addresses from autoconf.
This affects IPv6 source address selection, if the rules from
RFC 6724, section 5 don't give a exhaustive match.
* Static IPv6 addresses from "ipv6.addresses" are now interpreted with
first address being preferred. Their order got inverted. This is now
consistent with IPv4.
* Wi-Fi hotspots will use a (stable) random channel number unless one is
chosen manually.
* Don't use unsupported SAE/WPA3 mode for AP mode.
* NetworkManager will no longer advertise frequencies as supported when
they're disallowed in configured regulatory domain.
* Attempt to connect to WEP-encrypted Wi-Fi network will now fail
gracefully with a recent version of wpa_supplicant when built
without WEP support. As long as wpa_supplicant supports WEP,
NetworkManager will continue to work.
* Disable WPA3 transition mode for wifi.key-mgmt=wpa-psk if the NIC
does not support PMF. This is known to cause problems in some setups. It
is still possible to explicitly configure wifi.key-mgmt=sae for WPA3.
* Add new dummy crypto backend "null" that does nothing. NetworkManager
uses the crypto library when handling certificates for 802.1x profiles.
* Veth devices with name "eth*" are now managed by default via the
udev rule. This is to support managing the network in LXD containers.
* The hostname received from DHCP is now shortened to the first dot
(or to 64 characters, whatever comes first) if it's too long.
* As the insecure WEP encryption for Wi-Fi network is phased out,
nmcli now discourages its use when activating or modifying a
profile.
* Fix connectivity checks in case the check endpoint address resolves to
multiple addresses.
* Workaround libcurl blocking NetworkManager while resolving DNS names.
* nmcli: indicate missing Wi-Fi hardware when showing rfkill setting.
* nmcli: add connection migrate command to move a profile to a specified
settings plugin. This allows to convert profiles in the deprecated ifcfg-rh
format to keyfile.
* Set "src" attribute for routes from DHCPv4 to the leased address. This
helps with source address selection.
* Updated translations.
* Various bugfixes and internal improvements.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
From NEWS file of netowrkmanager 1.32:
firewall: add nftables firewall backend for configuring IPv4 NAT with
shared mode. Now two backends are supported, "iptables" and "nftables".
The default gets detected based on whether /usr/sbin/nft or
/usr/sbin/iptables is installed, with nftables preferred.
With this change nftables is not the prefered backend also with OE. But
it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
iptables.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The main motivation for this rework is to support compiling the
NetworkManager with many plugins, but to install only a few of them in
a firmware image. This is advantageous when different products with
different network interfaces should be supported by only one binary
distribution. This is more in line with the way NetworkManager is
designed and used by other binary Linux distributions. Basically this
is already supported since the last rework of the networkmanager recipe.
However, the rrecomments from networkmanager to all available plugins is
not straight forward to be used in such a scenario. Installing only a
subset of the compiled plugins required to override the rrecommends
from networkmanager to the plugins in some way. To simplify the usage
the networkmanager package is now an empty meta package and
networkmanager itself gets moved to a new networkmanager-daemon package.
This allows to keep backward compatibility: Installing the
networkmanager package still adds all compiled plugins to the firmware.
But with the new package splitting it's also possible to install for
example only the networkmanager-wifi but not the networkmanager-wwan
package even if networkamanger has been compiled with the modemmanager
PACAKGECONFIG flag enabled as well.
The relation from plugins to services is now a stronger rdepends which
reflects better how NetworkManager is supposed to be used. If a plugin
is installed but the required service is not the plugin periodically
tries to connect to the service and reports error messages to the syslog
if the service is not available. Therefore it's better to make the
installation of the plugin optional but not the installation of the
services.
The bash-completion package adds support for the nmcli command line
utility. This change also moves the bash completion configuration to a
new package networkmanager-nmcli-bash-completion. This is more
consistent anyway but gets even more important when the networkmanager
package gets optional.
To simplify the usage of all these packages a SUMMARY:${PN}-.. for each
packages has been added.
The separation of the doc packages has been removed.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Plugins of networkmanager redpends on related services. If for example
modemmanager or wpa-supplicant is not installed but the related
networkmanager plugin is, the plugin writes error messages to the
syslog.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
This release has EDE support, for extended EDNS error reporting,
it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.
The EDE errors can be turned on by 'ede: yes', it is default disabled.
Validation errors and other errors are then reported. If you also want
stale answers for expired responses to have an error code, the option
'ede-serve-expired: yes' can be used.
Features
- Merge PR #604: Add basic support for EDE (RFC8914).
Bug Fixes
- Fix#412: cache invalidation issue with CNAME+A.
- Fix that TCP interface does not use TLS when TLS is also configured.
- Fix#624: Unable to stop Unbound in Windows console (does not
respond to CTRL+C command).
- Fix#618: enabling interface-automatic disables DNS-over-TLS.
Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
- Fix#628: A rpz-passthru action is not ending RPZ zone processing.
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
- Fix that address not available is squelched from the logs for
udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
ERR_GET_REASON.
- Fix to detect that no IPv6 support means that IPv6 addresses are
useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
- Fix#633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
so that it is not state dependent, after the state fix of #605 for
double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
- Fix#630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
- Fix pythonmod for change in iter_dp_is_useless function prototype.
- Fix compile warnings for printf ll format on mingw compile.
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
to str once, accept trailing dot in the local-zone ipset option.
- Fix#637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
- Fix configure for python to use sysutils, because distutils is
deprecated. It uses sysutils when available, distutils otherwise.
- Merge #644: Make 'install-lib' make target install the pkg-config
file.
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
- Fix to describe auth-zone and other configuration at the local-zone
configuration option, to allow for more broadly view of the options.
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
'unbound-control stats_shm'.
- Fix#651: [FR] Better logging for refused queries.
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
- Fix zonemd check to allow unsupported algorithms to load.
If there are only unsupported algorithms, or unsupported schemes,
and no failed or successful other ZONEMD records, or malformed
or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
check routine, but after malformed checks, to get the correct NULL
output when the digest matches.
- Fix#670: SERVFAIL problems with unbound 1.15.0 running on
OpenBSD 7.1.
- Fix Python build in non-source directory; based on patch by
Michael Tokarev.
- Fix#673: DNS over TLS: error: SSL_handshake syscall: No route to
host.
- Merge #677: Allow using system certificates not only on Windows,
from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
- Fix#417: prefetch and ECS causing cache corruption when used
together.
- Fix#678: [FR] modify behaviour of unbound-control rpz_enable zone,
by updating unbound-control's documentation.
- Fix typos in config_set_option for the 'num-threads' and
'ede-serve-expired' options.
- Fix to silence test for ede error output to the console from the
test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
- Fix#684: [FTBS] configure script error with libmnl on openSUSE 15.3
(and possibly other distributions)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refresh disable-documentation.patch for new version.
Changelog:
Fixes issues detected in 1.11.0, add new fnmatch based filtertype.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix error caused by postinst script of conntrack-tools:
do_rootfs: Postinstall scriptlets of ['conntrack-tools'] have failed...
Configuring ... rootfs//var/lib/opkg/info/conntrack-tools.postinst:
line 2: setcap: command not found
conntrack-tools.postinst returned 127, marking as unpacked only...
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
18 May 2022: babeld-1.12.1
* Implement separate PC values for unicast and multicast, which avoids
dropping packets protected by MAC when WiFi powersave is active.
* Schedule an interface check just after adding an interface.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix error caused by postinst script of conntrack-tools:
| /var/tmp/rpm-tmp.or09Iq: line 4: unexpected EOF while looking for matching `"'
| %post(conntrack-tools-1.4.6-r0.core2_64): waitpid(1173) rc 1173 status 200
| warning: %post(conntrack-tools-1.4.6-r0.core2_64) scriptlet failed, exit status 2
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.3.
New features
Updated the pkcs11 engine for Windows.
Bugfixes
Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
5 May 2022: babeld-1.12
* Implement v4-via-v6 routing (RFC 9229), which allows a router with
IPv4 addresses only to route IPv4.
* Enable extended Netlink acks when available.
* Fix restoring of interface configuration to avoid unbounded memory
consumption.
* Fix handling of deny filters in the install chain.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libcoap implements a lightweight application-protocol for devices that
are constrained their resources such as computing power, RF range,
memory, bandwith, or network packet sizes.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ulogd-2.x provides a flexible, almost universal logging daemon for
netfilter logging. This encompasses both packet-based logging (logging
of policy violations) and flow-based logging, e.g. for accounting
purpose.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add dependency libnm_client_public_dep to libnm-client-test to fix
parallel build error:
| In file included from ../NetworkManager-1.36.0/src/libnm-client-test/nm-test-utils-impl.c:10:
| ../NetworkManager-1.36.0/src/libnm-client-public/NetworkManager.h:47:10: fatal error: nm-enum-types.h: No such file or directory
| 47 | #include "nm-enum-types.h"
| | ^~~~~~~~~~~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With of a bit of pkg shifting to other layers, we can break
the need of this layer to depend on meta-python
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
default baselib in ppc64 is lib64 which catches this latent issue
ERROR: ufw-0.36.1-r0 do_package: QA Issue: ufw: Files/directories were installed but not shipped in any package:
/usr/lib/ufw
/usr/lib/ufw/ufw-init
/usr/lib/ufw/ufw-init-functions
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a parallel build error in separate build directory:
| /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/recipe-sysroot-native/usr/lib/clippy ../git/python/clidef.py -o isisd/isis_cli_clippy.c ../git/isisd/isis_cli.c
| Traceback (most recent call last):
| File "../git/python/clidef.py", line 466, in <module>
| clippy.wrdiff(
| File "/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/git/python/clippy/__init__.py", line 78, in wrdiff
| with open(newname, "w") as out:
| FileNotFoundError: [Errno 2] No such file or directory: 'isisd/isis_cli_clippy.c.new-372541'
| make[1]: Leaving directory '/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/build'
| make[1]: *** [Makefile:17386: isisd/isis_cli_clippy.c] Error 1
This is beacuse clidef.py only creates new file but doesn't check if
parent directory exists. Inherit autotools-brokensep can fix this issue
as these parent directories always exist in source directory.
Also set ac_cv_path_PERL to '/usr/bin/env perl' to avoid path too long.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NTLM authentication uses MD4 algorithm which is considered to be
insecure, and some modern systems may drop MD4 support. This patch
adds an 'ntlm' option to this feature, which is disabled by default.
Upstream-Status: Accepted [1c304e7886]
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
adds support for IPv6 and fixes a couple of bugs.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changes in 1.3.4
----------------
- fix small memory leak in strdup
- fix free in case of DNS lookup failure
- other minor updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The Forwarding Plane Manager support is optional, make it as
PACKAGECONFIG.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixed when multilib is disabled on intel-x86-64:
MULITLIBS = ""
$ bitbake sssd
ERROR: sssd-2.5.2-r0 do_package: QA Issue: sssd: Files/directories were installed but not shipped in any package:
/usr/lib/ldb
/usr/lib64/ldb/modules/ldb/memberof.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
sssd: 2 installed and not shipped files. [installed-vs-shipped]
And also remove bin/ got get a clean rebuild, otherwise, the rebuild result may
be incorrect.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
