netoprintf() was not handling a case where
return value of vsnprintf is greater than
"size"(2nd argument), results in buffer overflow
while adjusting "nfrontp" pointer to point
beyond "netobuf" buffer.
Here is one such case where "nfrontp"
crossed boundaries of "netobuf", and
pointing to another global variable.
(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)
This resulted in crash of telnetd service
with segmentation fault.
Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When starting radvd without any configuration the following errors would
be triggered.
"""
root@intel-x86-64:~# systemctl status radvd
● radvd.service - Router advertisement daemon for IPv6
Loaded: loaded (/lib/systemd/system/radvd.service; enabled; vendor preset:
enabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2019-09-24 13:29:36 UTC; 3s ago
└─ ConditionPathExists=/etc/radvd.conf was not met
"""
Normally the user should create and configrue the /etc/radvd.conf
manually. However the radvd provide a example file for redhad located
at "radvd/redhat/radvd.conf.empty". When installing, it would copy
radvd/redhat/radvd.conf.empty to /etc/radvd.conf. Also add this empty
conf here to used as an example of configuration
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nmcli depends on libreadline which is licensed under GPLv3.
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes the occasional error:
# cd /etc/raddb/certs
# ./bootstrap
[snip]
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
The matching entry has the following details
Type :Valid
Expires on :200908024833Z
Serial Number :02
File name :unknown
Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
make: *** [Makefile:128: client.crt] Error 1
Add the check to fix the above error and it does the same for server.crt.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixed when rebuild:
DEBUG: Executing shell function autotools_preconfigure
NOTE: make clean
aclocal
autoheader
autoconf
You need to call ./configure with appropriate arguments (again).
make: *** [Makefile:287: config.status] Error 1
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since networkmanager: upgrade 1.22.10 -> 1.22.14, it added a new
build option 'firewalld-zone', while enabling multilib, there is
a QA issue
...
ERROR: QA Issue: networkmanager: Files/directories were installed but not shipped in any package:
/usr/lib/firewalld
/usr/lib/firewalld/zones
/usr/lib/firewalld/zones/nm-shared.xml
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- removed B = "${S}", which is the default anyway
- removed FILES_${PN} =+ "${bindir}",
as it's already covered by ${PN}-bin package
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This way yocto cve-check can find open CVE's. See also:
http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html
"Results from cve-check are not very good at the moment.
One of the reasons for this is that component names used in CVE
database differ from yocto recipe names. This series fixes several
of those name mapping problems by setting the CVE_PRODUCT correctly
in the recipes. To check this mapping with after a build, I'm exporting
LICENSE and CVE_PRODUCT variables to buildhistory for recipes and
packages."
Value added is based on:
https://nvd.nist.gov/products/cpe/search/results?keyword=netcat&status=FINAL&orderBy=CPEURI&namingFormat=2.3
Signed-off-by: Andre Carvalho <andrestc@fb.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2.1.3
Changes
* Force cython to use python language version 3
Bugs fixed
* Fix tooltip not updating when bluetooth is disabled
* Fix dbus timeout in DhcClient
* Call the right method when pulseaudio crashes
* Handle os.remove failing
2.1.2
Bugs fixed
* Signal bar updates with multiple adapters
* Pairing with pincode
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
================================================
NetworkManager-1.22.14
Overview of changes since NetworkManager-1.22.12
================================================
This is a new stable release of NetworkManager. Notable changes include:
* ifcfg-rh: handle "802-1x.{,phase2-}ca-path". Otherwise setting this
property silently fails and a profile might accidentally not perform
any authentication (CVE-2020-10754).
* ifcfg-rh: handle 802-1x.pin properties.
================================================
NetworkManager-1.22.12
Overview of changes since NetworkManager-1.22.10
================================================
This is a new stable release of NetworkManager. Notable changes include:
* Fix a bug preventing lease renewal in the internal DHCP client.
* Add a new build option 'firewalld-zone'; when enabled,
NetworkManager installs a firewalld zone for connection sharing and
puts interfaces using IPv4 or IPv6 shared mode in this zone during
activation. The option is enabled by default.
Note that NetworkManager still calls to iptables to enable
masquerading and open needed ports for DHCP and DNS. The new option
is useful on systems using firewalld with the nftables backend,
where the iptables rules would not be sufficient.
* Support changing the MTU of OVS interfaces.
* Better handle a restart of ovsdb process.
* Support the 'no-reload' and 'trust-ad' resolv.conf options.
* Various minor bug fixes and improvements.
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Source: net-snmp.org
MR: 104509
Type: Security Fix
Disposition: Backport from 5f881d3bf2
ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8
Description:
Fixes CVE-2019-20892 which affect net-snmp <= 5.8pre1
Had to fix up some file do to later code restructioning.
"int refcnt;" addition was done in include/net-snmp/library/snmpusm.h
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Main new features of netplan release 0.99:
- YAML parser is now in a separate library named libnetplan
- Systemd unit file for launching WPA Supplicant with netplan
configuration is now generated at runtime
See here for a full comparison:
https://github.com/CanonicalLtd/netplan/compare/0.98...0.99
Signed-off-by: Jacopo Dall'Aglio <jacopo.dallaglio@kynetics.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
>From [1]
* Increase cache buffers size to accomodate VLAN edits (#594)
* Correct L2 header length to correct IP header offset (#583)
* Fix warnings from gcc version 10 (#580)
* Heap Buffer Overflow in randomize_iparp (#579)
* Use after free in get_ipv6_next (#578)
* Heap Buffer Overflow in git_ipv6_next (#576)
* Call pcap_freecode() on pcap_compile() (#572)
* Increase max snaplen to 262144 (#571)
* Fix divide by zero in fuzzing (#570)
* Unique IP repeats at very high iteration counts (#566)
* Fails to compile on FreeBSD amd64 13.0 (#558)
* Heap Buffer Overflow in do_checksum (#556) (#577)
* Attempt to correct corrupt pcap files, if possible (#557)
* Fix GCC v10 warnings (#555)
* Remove some duplicated SOURCES entries (#551)
* Expand /dev/bpfX hard limit to fix macOS Mojave (#550)
* Implement --loopdelay-ms when using --loop=0 (#546)
* Heap overflow packet2tree and get_l2len (#530)
[1] https://github.com/appneta/tcpreplay/releases
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
https://samba.org seems to be gone, switch to https://www.samba.org
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The "ssl" PACKAGECONFIG setting contains WITH_EC_OFF instead of
WITH_EC=OFF, resulting in a build break when "ssl" is not set.
Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As ??= assignment will be overwritten by += in any case,
one can't define a default of PACKAGECONFIG in this recipe.
Using _append instead mitigates chances of accidental overwriting
the default
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-0001-chdeck-for-gettid-API-during-configure.patch
Removed since this is included in 2.9.16
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refreshed patches for 5.8 due to the following:
ERROR: net-snmp-5.8-r0 do_patch: Command Error: 'quilt --quiltrc .../net-snmp/5.8-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
Applying patch 0001-Add-pkg-config-support-for-building-applications-and.patch
patching file configure
...
Hunk #1 succeeded at 32248 with fuzz 2 (offset 1826 lines).
Hunk #2 FAILED at 31447.
1 out of 2 hunks FAILED -- rejects in file configure
...
Patch 0001-Add-pkg-config-support-for-building-applications-and.patch does not apply (enforce with -f)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Full changelog:
Version 5.0 - 4/22/2020
Major security updates. The key exchange and key derivation algorithms
were modified and supported algorithms were pruned using TLS 1.3 as a
basis. This includes:
- HKDF used in multiple stages for key derivation from raw shared secrets.
- Included addtional context in key derivation and signatures to protect
against replay attacks and downgrade attacks.
- Reduced set of supported EC curves to those supported by TLS 1.3
- Removed RSA key exchange which does not provide perfect forward secrecy.
All key exchanges now use ECDH.
- Removed support for SHA-1 hashes in key exchanges.
- Supported symmetric ciphers are AES in AEAD mode (GCM or CCM).
- Increased supported RSA key sizes
Encrypted sessions are now enabled by default. It can be disabled by
specifying "none" for the key type in the server's -Y option.
Backward compatibility retained for version 4.x in clients and proxies.
When communicating with a 4.x server, only allow algorithms and key
exchange modes permitted in the new version.
Clients and proxies no longer need to use signature keys that match the
type and size used by the server. As a result, the -k and -K options to
the client now only accept a single key instead of multiple. The proxy
still supports multiple keys for 4.x compatibility, however only the first
key listed is used for any version 5.x session.
Proxies now send their keys in a separate message instead of injecting them
in the ANNOUNCE sent by the server. This allows clients to be fully
aware of proixes and allows them to authenticate servers and proxies
separately.
Format of client's server list modified to specify the proxy that a server
communicates through. Fingerprints listed in this file now always
specify the server as opposed to having the proxy's key in some cases.
Added -R option to client to specify a list of proxies along with their
public key fingerprints. The old use of -R to specify a version 4.x
response proxy has moved to -r.
Previously, using -S in the client or proxy to specify a server list would
automatically enable source specific multicast (SSM). The use of SSM is
now enabled separately via the -o option on both the client and proxy.
Fixed a bug that caused ECDSA signatures created on Linux with curve
secp521r1 from being verified successfully on Windows.
Fixed cleanup on clients and proxies to prevent occasional crashes on
shutdown under Windows.
Update timstamps in messages to use 64-bit microseconds since the epoch,
addressing Y2038 issues.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Make sure PNBLACKLIST assignments in recipe files use weak assignment,
so they can be overridden in, for example, local.conf files.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-dnsmasq/0001-dnsmasq-fix-build-against-5.2-headers.patch
-dnsmasq/0001-dnsmasq-fix-memory-leak-in-helper-c.patch
Removed since these are included in 2.81
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
