* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes
Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0
The extra patch fixes x86 32-bit builds.
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
OpenBMC enables SPDX SBOM generation by default. For Meta's Bletchley
platform we found that mdio-tools and its relationships with both
mdio-netlink and the mdio-netlink kernel module break SPDX processing
while generating the rootfs after a kernel bump. For example, the
following output was generated by `bitbake obmc-phosphor-image`:
ERROR: obmc-phosphor-image-1.0-r0 do_rootfs: Cannot find any SPDX file for document http://spdx.org/spdxdoc/kernel-module-mdio-netlink-6.5.4-da279e9-00089-gda279e98c07f-89187488-3164-50cb-94c5-8b76a30ea093
The error occurred after the following patch was applied (again, in the
context of OpenBMC):
diff --git a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
index e6f98297c540..b852e993f0f6 100644
--- a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
+++ b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
@@ -1,6 +1,6 @@
KBRANCH ?= "dev-6.5"
-LINUX_VERSION ?= "6.5.4"
+LINUX_VERSION ?= "6.5.9"
-SRCREV="da279e98c07f9c948c60a434ab0043a55c26ea1d"
+SRCREV="fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"
require linux-aspeed.inc
With the lack of a dependency the mdio-tools package is not rebuilt
subsequent to the kernel bump and the package information remains stale,
leading to an incorrect SPDX path being generated.
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Support for building from native was removed in commit e1b332f2e
(meta-networking: Drop broken BBCLASSEXTEND variants), most likely due
to no support for building libwebsockets-native. That support has now
been added, so it is now possible to build mosquitto-native again.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desireable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bugfix:
Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This release fixes several regressions in 1.4.7 with the -U/--update and
-D/--delete commands.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
* Clean up use of tags.
* Support for MacOS with Contiki-NG builds.
* Support for Windows with OpenSSL 3.x builds.
* Reported bugs fixed.
* Documentation updated.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When this feature is enabled by default in packageconfig
this implies a dependency to python3-dnspython which is in meta-python.
Disable ac-dc PACKAGECONFIG by default to avoid adding a layer
dependency only for this feature.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libexosip2 extends the capabilities of the osip2 library. It can be a
useful building block for an embedded device application.
Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The GNU oSIP library is an implementation of SIP - rfc3261. It can be a
useful building block for an embedded device application.
Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Do not use bundled cmocka to get rid of bundled library
libcmocka-samba4.so.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
In order to pass reproducible tests, recipes that use the
useradd class must have static ids configured.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These are test images to build all recipes in layer. Renaming them makes
them refect what they are. Moreover we can rename the ptest images to
match OE-Core naming conventions for meta-oe/meta-perl/meta-python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were essentially duplicates of core-image-minimal, however
core-image-base is a better baseline for upper layers, so switched the
consumers of these images to use core-image-base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Recipe for TAYGA - an out-of-kernel stateless NAT64 implementation for Linux
Signed-off-by: Pawel Langowski <pawel.langowski@3mdeb.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Accepted was replaced with Backport in gatesgarth:
https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes
* as detected with oe-core/scripts/contrib/patchreview.py:
meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [dc9701e187]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add two patches from Debian, pull requests proposed upstream as 2894 and 2895
to make it start only when board is online, and to fix dynamic websockets link failure
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix a crash in ntpd if NTS is disabled and an NTS-enabled client request
(mode 3) is received. (CVE-2023-4012) #794https://gitlab.com/NTPsec/ntpsec/-/releases/NTPsec_1_2_2a
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* it has runtime dependency on mdio-netlink to satisfy:
RDEPENDS:${PN} = "kernel-module-mdio-netlink"
and mdio-netlink is MACHINE_ARCH because inherits module.bbclass
* fixes:
bitbake-diffsigs \
sstate-before/hammerhead-halium/cortexa8t2hf-neon-halium-webos-linux-gnueabi/mdio-tools/1.3.0.do_package_write_ipk.sigdata.1c175d042bd09e59c1329c51fba2569376f395ba79ee9adc62157ee91ad99e80 \
sstate-before/mako/cortexa8t2hf-neon-halium-webos-linux-gnueabi/mdio-tools/1.3.0.do_package_write_ipk.sigdata.4ad94062582b2cbbff07167598c1243aa18ff6c5cc23b3de8bce99081da500d8
Hash for task dependency mdio-netlink:do_packagedata changed from 759076223ccea58a05414b33bcc55c8d4b41a85c75ce56f2ba965004c422fd4c to b3c2ceee91dedb3b40f298d2efe09bbb7d3024f9ae93e83204233dcfd0a66459
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update:
Copyright: Update copyright date to end 2023 as appropriate
Add in OSCORE support
RIOT: Update to support latest libcoap code
Add BSD-3-Clause
Changelog:
===========
* Source files reformatted according to pre-commit rules.
* Support for RFC8613 (OSCORE).
* Support for RFC8974 (Extended Tokens).
* Support for RFC9177 (Q-Block).
* Support for latest RIOT code and new examples.
* Support for MinGW builds.
* Support for AF_UNIX sockets.
* Support for WebSockets (RFC8323).
* Support for IPv4 only and IPv6 only libcoap builds.
* Support for defining maximum logging level.
* Support for maintaining Observer requests over server restarts.
* Support for Contiki-NG.
* Support for latest LwIP, including using TinyDTLS.
* libcoap now has protocol layered support, separating out the
logical layers. Stack now is:-
- Application
- libcoap - CoAP
- libcoap - CoAP-Session
- libcoap - (D)TLS I/F using external (D)TLS Library
- libcoap - Netif
- libcoap - Sockets
- Kernel Network Stack
* Fixes CVE-2023-30362 and CVE-2023-35862.
* Reported bugs fixed.
* Examples now support separate logging levels for libcoap and (D)TLS.
* syslog LOG_ logging levels replaced with COAP_LOG_ logging levels.
* New public API functions to aid / reduce application coding.
* Remove requirement for applications to have sockaddr knowledge.
* Support for clients sending IPv4 broadcast requests.
* Documentation added and updated (Doxygen and man).
* Fix ABI version.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* lib-oauth2: Allow JWT tokens to be validated with missing typ field.
+ auth: Auth passdb and userdb reply can contain "event_<name>=value"
which will be added to login event and mail user event respectively.
+ lib-master: Set process title during various initialization stages to
clearly describe what the process is waiting on.
+ lib-storage: The mail_temp_scan_interval is now fuzzed incrementing it
by 0..30% based on username's hash to reduce the chance of load spikes.
+ lib-storage: The temp file scan has been moved from the open of the
mailbox to the close, to reduce the latency perceived by users.
+ stats: If metric has fields specified, all these fields are
exported as counters to prometheus exposition.
- *-login: Processes might have crashed when a SSL connection disconnects
uncleanly.
- acl: When plugin was loaded \HasChildren and \HasNoChildren flags
were calculated incorrectly for mailboxes containing '*' and '%'
in their names.
- auth: Crash occured if a connection to PostgreSQL database server
failed during startup.
- auth: Logins with invalid passwords (e.g. unknown scheme) in passdb
were failing with "password mismatch" instead of "internal error".
- auth: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol
specific error message on all errors. This especially broke OIDC
discovery.
- dbox: When last_temp_file_scan header wasn't set (especially after
dsync migration), the next mailbox open always triggers the temp file
scan.
- dict-redis: A crash would occur on transaction rollback.
- dsync: Infinite loop causing out of memory would occur when handling
mailbox deletion from remote end and hierarchy separators would differ.
- dsync: Incremental dsync failed for folder names ending with '%',
unless BROKENCHAR was set. Also folder names with '%' elsewhere in
them caused each incremental dsync to unnecessarily rename the folder
to a temporary name and back. v2.3.19 regression.
- imap-hibernate: If an IMAP client unhibernation timed out with
"(version received)", the unhibernation could still have successfully
finished later on and continued working normally. This was rather
confusing, because imap-hibernate already logged that the client got
disconnected.
- imapc: Crashed when a folder mapped through the virtual plugin
disappears from the storage.
- imapc: EXPUNGE, EXISTS or FETCH replies from a server for a previously
selected mailbox could have been processed as if they belonged to the
new mailbox currently being selected.
- lib-http: Dovecot HTTP server (doveadm, stats/openmetrics) may have
disconnected HTTP clients before the response is fully sent. This
happened only on busy servers where kernel's socket buffers were
rather full.
- lib-http: Fixed a potential crash on http-server if a client
disconnected early. v2.3.18 regression.
- lib-index: Index file corruption could have caused a crash. Fixes:
Panic: file mail-transaction-log-view.c: line 165 (mail_transaction_log_view_set):
assertion failed: (min_file_seq <= max_file_seq).
- lib-index: Purging an existing >1GB cache file can crash. Now cache
files still above 1GB after purging are removed. Fixes:
Panic: file mail-index-util.c: line 10 (mail_index_uint32_to_offset):
assertion failed: (offset < 0x40000000)
- lib-lua: A HTTP client could not resolve DNS names in mail processes,
because it expected "the dns-client" socket to exist in the current
directory.
- lib-oauth2: Dovecot would send client_id and client_secret as POST
parameters to the introspection server. These need to be optionally in
Basic auth instead.
- lib-oauth2: JWT aud validation was not performed if aud was missing
from a token, but was configured on Dovecot.
- lib-oauth2: JWT key type check was too strict.
- lib-oauth2: JWT token audience was not validated against client_id as
required by the specification.
- lib-ssl-iostream: Using the ssl_require_crl=yes setting may have caused
CRL check failures for outgoing SSL/TLS connections, although it was
supposed to affect checking CRLs only for client-side SSL
certificates. v2.3.17 regression.
- lib-sql: MySQL driver leaked memory when connection failed.
- lib-storage: Various fixes when running into out of disk space.
- master: Service idle_kill setting didn't work properly on busy
servers.
- mdbox: Temp file scan was done for always empty directories.
- mdbox: The fdatasync() call was done in wrong parent directory when
writing mails. Also on a failure it crashed instead of logging an error.
- notify_status: The plugin crashes if any user initialization fails.
- pop3: Sending command with the ':' character caused an assert-crash.
v2.3.18 regression. Fixes: Panic: event_reason_code_prefix(): name has ':'
- stats: Fix panic when a nonexistent event exporter was referenced while
adding a new metric dynamically via doveadm stats add.
- stats: If process exported a lot of events and then exited, some of
the last events may have become lost.
- stats: Invalid Prometheus label names were created with specific
histogram group_by configurations. Prometheus rejected these labels.
- welcome: The plugin didn't execute in some situations that created
INBOX but didn't open it.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
add EXTRA_CFLAGS to Fix reproducibility.
upstream fixed compilation on RHEL 9, which should be same problem fixed
with 0001-layer4-Change-order-of-include-files.patch. hence drop the
patch file.
3fd0c21e4f
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
The following vulnerabilities have been fixed:
wnpa-sec-2023-23 CBOR dissector crash. Issue 19144.
wnpa-sec-2023-24 BT SDP dissector infinite loop. Issue 19258.
wnpa-sec-2023-25 BT SDP dissector memory leak. Issue 19259.
wnpa-sec-2023-26 CP2179 dissector crash. Issue 19229.
The following bugs have been fixed:
TShark cannot capture to pipe on Windows correctly. Issue 17900.
Wireshark wrongly blames group membership when pcap capabilities are removed. Issue 18279.
Packet bytes window broken layout. Issue 18326.
RTP Player only shows waveform until sequence rollover. Issue 18829.
Valid Ethernet CFM DMM packets are shown as malformed. Issue 19198.
Crash on DICOM Export Objects window close. Issue 19207.
The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title \"GREASE\" Issue 19209.
Preferences: Folder name editing behaves weirdly, cursor jumps. Issue 19213.
DHCPFO: Expert info list does not show all expert infos. Issue 19216.
Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text. Issue 19220.
Cannot read pcapng file captured on OpenBSD and read on FreeBSD. Issue 19230.
UI: While capturing the Wireshark icon changes from green to blue when new file is created. Issue 19252.
Conversation: heap-use-after-free after wmem_leave_file_scope. Issue 19265.
IP Packets with DSCP 44 does not indicate "Voice-Admit" Issue 19270.
NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list. Issue 19273.
UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list. Issue 19274.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some perl modules are required by ntptrace:
$ ntptrace
Can't locate lib.pm in @INC (you may need to install the lib module)
(@INC contains: /usr/lib/perl5/site_perl/5.36.0/x86_64-linux
/usr/lib/perl5/site_perl/5.36.0
/usr/lib/perl5/vendor_perl/5.36.0/x86_64-linux
/usr/lib/perl5/vendor_perl/5.36.0 /usr/lib/perl5/5.36.0/x86_64-linux
/usr/lib/perl5/5.36.0) at /usr/sbin/ntptrace line 10.
BEGIN failed--compilation aborted at /usr/sbin/ntptrace line 10.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The vsomeip stack implements the http://some-ip.com/ (Scalable
service-Oriented MiddlewarE over IP (SOME/IP)) protocol.
The stack consists out of:
a shared library for SOME/IP (libvsomeip3.so)
a shared library for SOME/IP's configuration module
(libvsomeip3-cfg.so)
a shared library for SOME/IP's service discovery
(libvsomeip3-sd.so)
a shared library for SOME/IP's E2E protection module
(libvsomeip3-e2e.so)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* use BPN, BP where useful
* use prefix instead of hardcoding /usr
* add patch to search also in lib32 subdir of --with-libpcap value
to fix:
checking for libpcap... configure: error: "Unable to find matching library for header file in TOPDIR/BUILD/work/raspberrypi4_64-oemllib32-linux-gnueabi/lib32-tcpreplay/4.4.4-r0/lib32-recipe-sysroot/usr"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
musl does not need _IO_stdin_used, since its not provided by toolchain
runtime ( crt files ) lld linker complains about undefined global symbol
on musl
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fixes installed-vs-shipped QA issue with multilib:
ERROR: lib32-phodav-3.0-r0 do_package: QA Issue: lib32-phodav: Files/directories were installed but not shipped in any package:
/usr/lib/systemd
/usr/lib/systemd/system
/usr/lib/systemd/system/spice-webdavd.service
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
lib32-phodav: 3 installed and not shipped files. [installed-vs-shipped]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748
Patch from:
ae1e0e1fed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
spice depends on spice-protocol, when IMAGE_INSTALL contains spice,
do_populate_sdk fails with the following error:
Error:
Problem: package libspice-server-dev-0.14.2+git0+7cbd70b931_4fc4c2db36-r0.core2_64 requires spice-protocol-dev, but none of the providers can be installed
- conflicting requests
- nothing provides spice-protocol = 0.14.4-r0 needed by spice-protocol-dev-0.14.4-r0.core2_64
(try to add '--skip-broken' to skip uninstallable packages)
For spice-protocol, it's a development package and all things are in
the dev package, so set ALLOW_EMPTY to fix the above error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The spice-vdagent needs to be running alongside qemu-guest-agent on
virtualizationguest systems that are using the spice protocol to
get seamless integration.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
phodav is a small webdav server, that was originally created as a tool to
provide folder sharing for spice but it can be used on a wider range
of applications.
It is usable e.g. in virt-viewer or gnome-boxes
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
Bug fixes::
-----------
* core: fix integer overflow when setting integer option with '++N' or '--N'
* core: fix increment/decrement of options weechat.notify.*
* irc: add missing tags on multiline messages (issue #1987)
* irc: fix redirection of command '/list' when the reply doesn't start with message 321 (start of /list)
* irc: fix wrong time displayed for CTCP messages received from self nick (issue #2000)
* logger: remove trailing empty line in display of backlog (issue #2002)
* perl: fix display of non-ASCII chars after load of a script with Perl >= 5.38 (issue #1996)
* script: adjust scroll after command '/script go N'
* scripts: fix function string_parse_size on 32-bit systems (python and ruby) (issue #1999)
* xfer: fix conversion of string to IPv4 on 32-bit systems (issue #1999)
Tests::
------------
* irc: fix tests on function irc_join_compare_join_channel (issue #1997)
* scripts: fix tests of functions print_date_tag, print_y_date_tags and hook_timer on 32-bit systems
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- add support for smartcard
- add missing rdepend on usbids
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-switch to meson buildsystem
-remove patches
-update dependencies
-fetch spice-common as a submodule
Major Changes in 0.15.2:
Really minor fix release, mainly to fix a distribution issue
Add missing file to distribution
Fix sound recording fix in case of buffer wrapping
Major Changes in 0.15.1:
Fix some compatibility issues with FreeBSD
Fix some minor issue with build
Improve packaging with Meson
Lot of C++ improves (clang-tidy)
Fix some compatibility with no-Glibc libraries (like Musl)
Fix minor leaks shutting down library
Add Doxygen file to distribution
Fix a longstanding issue related to surface updates where wrong surfaces were possibly used
Fix compatibility with OpenSSL 3
Updates and fixes for CI
Use more random connection IDs to fix possible issues with proxies
Major Changes in 0.15:
This is the first release in the new 0.15.x stable series. This release should
be ready for production use.
Minor updates to CI
Some compatibility with OpenSSL
Change the behavior of handle_dev_start ignoring multiple start requests
Ignore multiple calls to handle_dev_stop
Pick up newer spice-common to fix a buffer overflow issue
Major Changes in 0.14.91:
IMPORTANT
0.14.91 is the first release candidate for the stable 0.15.x series. While some
bugs might still be present, it should be reasonably stable. If you are looking
for stability for daily use, please keep using the latest 0.14.x release.
Support UNIX abstract sockets
Fix some potential thread race condition in RedClient
Many cleanups in the code
Improve migration test script
Update in protocol documentation
Improve Meson build
Removed CELT support
Update CI
Removed QXLWorker definition, it was deprecated 6 years ago
Fix some compatibility with MacOS
Fix some compatibility with Windows
Move the project to C++
Some fixes for SASL dealing with WebDAV
Fix minor Coverity reports
Add Doxygen support, manually built with "make doxy"
Support more mouse buttons (up to 16 buttons)
CVE-2020-14355 multiple buffer overflow vulnerabilities in QUIC decoding
code
Major Changes in 0.14.3:
Main changes are WebSocket and support for Windows.
Add support for WebSocket, this will allow to use spice-html5 without proxy
Support Windows, now Qemu Windows can be build enabling Spice
Fix some alignment problem
Converted some documentation to Asciidoc format to make easier to update,
updated some
Minor compatibility fix for PPC64EL and ARMHF
Minor fixes for big endian machines like MIPS
Avoid some crashes with some buggy guest drivers, simply ignore the invalid
request
Fix for old OpenSSL versions
Minor fix for Windows clients and brushes, fixed an issue with Photoshop
under Windows 7
Add ability to query video-codecs
Small use-after-free fix
Fix for debugging recording/replaying using QUIC images
Fix a regression where spice reported no monitors to the client
Fix DoS in spicevmc if WebDAV used
Updated and improved test migration script
Some minor fixes to smartcard support
Avoid possible disconnection using proxies using a in-flow keepalive
mechanism
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libcacard is a library that adds smartcard support to qemu and/or spice
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Bug fixes::
----------
* core: fix input length and crash after delete of line
* irc: fix display of self CTCP message containing bold attribute
* irc: fix memory leak in IRC message parser
* irc: fix switch to channel manually joined when server option
autojoin_dynamic is on and option irc.look.buffer_switch_autojoin is off
* irc: fix display of outgoing notice with channel when capability
"echo-message" is enabled
* relay: fix display of IRC CTCP messages received from client
Build::
-----------
* doc: display a warning if a locale is missing with fallback to English
for auto-generated content
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Introduce a new "link" setting that holds properties related to the
kernel link such as "tx-queue-length", "gso-max-size",
"gso-max-segments", "gro-max-size".
* Support sending a DHCPv6 prefix delegation hint via the
"ipv6.dhcp-pd-hint" connection property.
* Support new bond options: "arp_missed_max", "lacp_active",
"ns_ip6_target".
* Add new "initial-eps-bearer-configure" and "initial-eps-bearer-apn"
properties in the GSM setting.
* Setting "connection.stable-id=default${CONNECTION}" changed behavior to
be identical to the built-in default value when the stable-id is not set.
* Add a "[keyfile].rename" option to NetworkManager.conf to force renaming
profiles on disk when their name changes.
* The ifcfg-rh plugin is deprecated; it will only receive bugfixes and
no new features. A warning is emitted the log when a connection in
ifcfg-rh format is found.
* To automatically migrate existing ifcfg-rh connections to the
keyfile format, a new configuration option "main.migrate-ifcfg-rh"
is provided. Migration is disabled by default, but the default value
can be changed at build time via
"--with-config-migrate-ifcfg-rh-default=yes".
* When configuring hostnames in non-public TLD (like "example.local"), use
the TLD as default search domain instead of the full hostname.
* Always apply DNS options from the [global-dns] configuration section
* The NetworkManager daemon now acquires the D-Bus name only after
populating the D-Bus tree. This can add a delay during startup but
it is required to avoid race conditions with other services
depending on NM.
* Add a "version-id" argument to the Update2() D-Bus call to guard
against concurrent modifications of profiles.
* Don't use tentative IPv6 addresses to resolve the system hostname
via DNS.
* Track the number of autoconnect retries left for each device and
connection. Previously it was tracked only per connection and this
lead to unexpected behaviors in case of multiconnect profiles.
* Set VLAN filtering options on bridge via netlink instead of sysfs.
* nm-cloud-setup now supports IMDSv2 on Amazon EC2.
* nmtui now allows to enable or disable Wi-Fi and WWAN radios.
* Honor ignore-carrier=no for bond/bridge/team devices.
* Add version mismatch warning when running nmcli commands.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
arm_eabi.patch
refreshed for 4.4
Changelog:
===========
* Add support for AES-GCM-SIV with Nettle >= 3.9 to shorten NTS
cookies to avoid some length-specific blocking of NTP on Internet
* Add support for multiple refclocks using extpps option on one PHC
* Add maxpoll option to hwtimestamp directive to improve PHC tracking
with low packet rates
* Add hwtstimeout directive to configure timeout for late timestamps
* Handle late hardware transmit timestamps of NTP requests on all sockets
* Handle mismatched 32/64-bit time_t in SOCK refclock samples
* Improve source replacement
* Log important changes made by command requests (chronyc)
* Refresh address of NTP sources periodically
* Request nanosecond kernel RX timestamping on FreeBSD
* Set DSCP for IPv6 packets
* Shorten NTS-KE retry interval when network is down
* Update seccomp filter for musl
* Warn if loading keys from file with unexpected permissions
* Warn if source selection fails or falseticker is detected
* Add selectopts command to modify source-specific selection options
* Add timestamp sources to serverstats report and make its fields 64-bit
* Add -e option to chronyc to indicate end of response
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
vmware:tools is also a valid CVE_PRODUCT for open-vm-tools,
e.g., https://nvd.nist.gov/vuln/detail/CVE-2023-20867.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch fixes warnings when useradd-staticids.bbclass is used and
USERADD_PARAM is used to add the user to a group that has not been
explicitly created yet. By adding the GROUPADD_PARAM for the new group
being used the warnings for changing the gid from GID-OLD to GID-NEW
is eliminated.
Warning fixed:
radvd: Changing groupname nogroup's gid from (WXYZ) to (JKLM), verify configuration files!
Signed-off-by: JD Schroeder <sweng5080@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
No longer used in generating packages
Also creates a possible confusion with the recipe maintainer
name.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Primarily widen the gamut of supported kernel versions, now supporting
all kernels from 5.2 and onwards.
Added
------
mvls: Support for 88E6320/88E6321
Changed
--------
mdio-netlink: Adapt to the upstream C22/C45 refactor.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Implemented the per-interface option "probe-mtu", which automatically
discards links with a mis-configured MTU.
* Fixed a typo in the handing of the option "v4viav6".
* Removed diversity support and related configuration file directives.
* Optimised route redistribution. We now install just the route that the
kernel sent us rather than doing a full route dump on every change.
* Added optional delay to daemon shutdown; see the configuration option
"shutdown-delay-ms".
* Fixed compilation under BSD.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Conversion from CVE_CHECK_IGNORE to CVE_STATUS had some copy+paste
issues.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NFQ is the new and improved way to process iptables packets. Snort IPS
mode requires this module in some cases.
Before the patch:
$ snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
After the patch:
$ snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
Also update 0001-correct-the-location-of-unistd.h.patch to fix build
with musl.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a security release in order to address the following defects:
CVE-2022-2127
CVE-2023-3347
CVE-2023-34966
CVE-2023-34967
CVE-2023-34968
Release Notes:
https://www.samba.org/samba/history/samba-4.18.5.html
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
The following vulnerabilities have been fixed:
wnpa-sec-2023-21[3] Kafka dissector crash. Issue 19105[4].
wnpa-sec-2023-22[5] iSCSI dissector crash. Issue 19164[6].
The following bugs have been fixed:
-Crash when (re)loading a capture file after renaming a dfilter
macro. Issue 13753[7].
- Moving a column deselects selected packet and moves to beginning
of packet list. Issue 16251[8].
-If you set the default interface in the preferences, it doesn't
work with TShark. Issue 16593[9].
-Severe performance issues in Follow → Save As raw workflow. Issue
17313[10].
-TShark doesn't support the tab character as an aggregator
character in \"-T fields\" Issue 18002[11].
-On Windows clicking on a link in the 'Software Update' window
launches, now unsupported, MS Internet Explorer. Issue 18488[12].
-Wireshark 4.x.x on Win10-x64 crashes after saving a file with a
name already in use. Issue 18679[13].
-NAS-5GS Operator-defined Access Category: Multiple Criteria
values not displayed in dissected packet display. Issue
18941[14].
-Server Hello Packet Invisible - during 802.1x Authentication-
from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) &
above. Issue 19071[15].
-TShark reassembled data is incomplete/truncated. Issue 19107[16].
CQL protocol parsing issues with 'Result' frames from open source
Cassandra. Issue 19119[17].
-TLS 1.3 second Key Update doesn't work. Issue 19120[18].
-HTTP2 dissector reports an assertion error on large data frames.
Issue 19121[19].
-epan: Single letter hostnames aren't displayed correctly. Issue
19137[20].
-BLF: CAN-FD-Message format is missing a field. Issue 19146[21].
-BLF: last parameter of LIN-Message is not mandatory (BUGFIX)
Issue 19147[22].
-PPP IPv6CP: Incorrect payload length warning. Issue 19149[23].
-INSTALL file needs to be updated for Debian. Issue 19167[24].
-Some RTP streams make Wireshark crash when trying to play stream.
Issue 19170[25].
-Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue
19172[26].
-Incorrect mask in RTCP slice picture ID. Issue 19182[27].
-Dissection error in AMQP 1.0. Issue 19191[28].
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Bug fixes::
* core: fix renaming of options with command '/item rename'
* core: don't send "key_pressed" signal again for the same key press
* core: don't send "key_combo_*" signals for incomplete keys
* core: add key ctrl-backspace in /help key
* core: keep keys ctrl-H and ctrl-? (in lower case) if they were manually bound to custom commands in a previous version
Tests::
* core: fix hdata tests failure on Alpine 3.18
* relay: fix crash in tests on Alpine 3.18
Build::
* php: fix detection of PHP 8.2 on Alpine 3.18
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This ensures that host tools like 'gen' are built for build host and not
target. internal bind build supplies its own options to configuring it,
where it does not pass --host option and as a result it does not deduce
it to be a cross compile and hence these variables are not set property
inside bind build
Fixes
| ./gen: /usr/lib/libc.so.6: version `GLIBC_2.38' not found (required by ./gen)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Pass it via cflags from environment, so it can be controlled for
platforms where it is not supported
Pass -fstack-clash-protection for clang too, it is available now a days
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bug fixes
=========
* core: force key "return" to command "/input return" when migrating
legacy keys
* core: display actual key name and command with key kbd:[Alt+k],
remove key kbd:[Alt+K] (grab raw key) and associated commands
'/input grab_raw_key' and '/input grab_raw_key_command'
* core: check for newline characters in string_is_whitespace_char
* api: do not convert option name to lower case in API functions
config_set_plugin and config_set_desc_plugin
* guile: fix crash on quit with Guile < 3 (issue #1965)
* irc: reply to a CTCP request sent to self nick (issue #1966)
* irc: sent "QUIT" message to servers connected with TLS on '/upgrade'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Add support for ppp 2.5.0.
* Fix nft rules for balance-slb bonding.
* Support port priority for bonding.
* Fix regression handling the PKEY_ID for infiniband profiles
in ifcfg-rh format.
* Fix race in nm-cloud-setup that caused partial configuration
and loss of connectivity with multiple interfaces.
* Don't touch "net.ipv6.conf.$IFACE.forwarding" unless explicitly
required for IPv6 sharing.
* Various bugfixes related to team, Wi-Fi P2P, IPv6LL.
* Automatically unblock autoconnect of profiles during reapply.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since we autoreconf, it should be better to build the linker map file
too, which requires ctags during build. This is otherwise flagged as
error by lld linker where we specify a linker symbol file on cmdline
but the file is not there.
Fixes
| libtool: error: symbol file './libcoap-3.sym' does not exist
Signed-off-by: Khem Raj <raj.khem@gmail.com>
