Add a missing runtime dependency on python3-ctypes
Add a polkit rule to allow users of group wheel to use blueman without authentification
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fails to link otherwise
ld: cannot find -lhiredis: No such file or directory
collect2: error: ld returned 1 exit status
Signed-off-by: Khem Raj <raj.khem@gmail.com>
configure uses AC_PREPROC_IFELSE to check for certain errors from getaddrinfo()
it user search operation in a preprocessed file
UNIQUEVALS=`sort $ERRVALFILE | uniq | wc -l | awk '{ print $1 }'`
However, line numbers are generated into the preprocesser files and they
get sorted higher than numbers
gaierrval:
# 130 "conftest.c" 3 4
-3
-P ensures that line numbers are not generated into preprocessed files,
so these checks can succeed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://www.samba.org/samba/history/samba-4.17.5.html
Drop 0007-waf-Fix-errors-with-Werror-implicit-function-declara.patch
as the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.
An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) can recover an RSA private key after observing the victim
performing a single private-key operation, if the window size
(MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.
There is a potential heap-based buffer overflow and heap-based buffer
over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46392https://nvd.nist.gov/vuln/detail/CVE-2022-46393
Upstream patches:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Mitigate occurence where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backported patches, drop `wscript: Widen the search for tags` as
upstream has merged something similar which means devtool builds now
work.
Add BISONFLAGS support to fix build reproducbility issue.
Drop `--debug` which generates internal debug info.
License-Update: License files moved to separate directory
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Expose all current dnsmasq configuration options in PACKAGECONFIG,
enable i18n generation, filter supplementary systemd files against
DISTRO_FEATURES.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add an option to use Platform Security Architecture for the X.509 and TLS
operations.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Updated printers:
PTP: Use the proper values for the control field and print un-allocated
values for the message field as "Reserved" instead of "none".
Source code:
smbutil.c: Replace obsolete function call (asctime)
Building and testing:
cmake: Update the minimum required version to 2.8.12 (except Windows).
CI: Introduce and use TCPDUMP_CMAKE_TAINTED.
Makefile.in: Add the releasecheck target.
Makefile.in: Add "make -s install" in the releasecheck target.
Cirrus CI: Run the "make releasecheck" command in the Linux task.
Makefile.in: Add the whitespacecheck target.
Cirrus CI: Run the "make whitespacecheck" command in the Linux task.
Address all shellcheck warnings in update-test.sh.
Makefile.in: Get rid of a remain of gnuc.h.
Documentation:
Reformat the installation notes (INSTALL.txt) in Markdown.
Convert CONTRIBUTING to Markdown.
CONTRIBUTING.md: Document the use of "protocol: " in a commit summary.
Add a README file for NetBSD.
Fix CMake build to set man page section numbers in tcpdump.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Fix the evaluation of the autoconnect retries.
* nm-cloud-setup now preserves addresses added externally.
* Ensure that dnsmasq is stopped after changing the dns backend and
restarting the service.
* Fix honoring an explicit DHCPv6 DUID with dhclient.
* Other various fixes.
* Fixed a bug that caused devices (MACsec in particular) to be stuck in
UNAVAILABLE state and not transition to DISCONNECTED if the carrier was
ready too early.
* Improved interoperability of MACsec with some Aruba switches by allowing
CKN shorter than 64 characters.
* Fixed an assertion failure when restarting NetworkManager with MACsec
links configured.
* Fixed a possible DHCP helper crash when handling failure to connect to
D-Bus.
* Corrected calculation of expiration time for items configured from IPv6
neighbor discovery messages.
* Various fixes for platforms that don't allow unaligned memory access.
* team: also set empty port configuration so teamd
knows about the port.
* team: restore port configuration after teamd respawn.
* dhcp: revert restarting DHCP when MAC address changes,
for example during a bond fail over.
* various documentation fixes.
* fix non-exported ABI in libnm which was wrongly present
in the header files but unusable so far.
* ifcfg-rh: fix writing ethtool pause settings to file.
* core: set "proto static" for manual routing rules configured
by NetworkManager.
* Various minor bugfixes.
* Ensure that resolv.conf gets updated when the configuration changes.
* Fix setting as bond primary an interface that doesn't exist yet when the
bond is activated.
* The number of autoconnect retries is now accounted independently for each
device when there are profiles with multi-connect=multiple.
* Don't print duplicate entries in the output of "NetworkManager
--print-config"
* Fix the ifcfg-rh plugin to properly read infiniband P-Key connection
profiles without an explicit interface name.
* Allow the removal of a bond port connection profile from the bond via
nmcli.
* Fix race condition during the activation of veth profiles when the peer
already exists.
* Decline the DHCPv6 lease if all addresses fail IPv6 duplicate address
detection (DAD).
* Wait that devices get carrier before trying to resolve the system hostname
on them via DNS.
* Fix race condition during the initial activation of OVS interfaces.
* Profiles generated by nm-initrd-generator now have lower than default
priority.
* Fix error when adding many SR-IOV virtual functions (VFs).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update crda from 3.18 to 4.15:
* use git repo in SRC_URI that no tar archive found for recent releases
* drop fix-gcc-6-unused-variables.patch and make.patch
* rebase patches
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Clang also warns about offsetof use to emulate _Alignof
register keyword is no longer available so pre-empt it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Weechat now requires an extra zstd dependency during
compilation.
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_26
* Refresh patches
* Add autogen.sh as we still need it in do_configure
* Backport a patch to fix configure error for rlm_python3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using a private module from setuptools is not a good idea and
no longer works with latest setuptools.
it's actually better to revert to official distutils even if
it is going away in the next python release. Hopefully by
then upstream will transition to something supported.
TMPDIR in .pyc can be addressed by simply not installing the .pyc.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Updated printers:
-----------------
BGP: Update cease notification decoding to RFC 9003.
BGP: decode BGP link-bandwidth extended community properly.
BGP: Fix parsing the AIGP attribute
BGP: make sure the path attributes don't go past the end of the packet.
BGP: Shutdown message can be up to 255 bytes length according to rfc9003
DSA: correctly determine VID.
EAP: fix some length checks and output issues.
802.11: Fix the misleading comment regarding "From DS", "To DS" Frame Control Flags.
802.11: Fetch the CF and TIM IEs a field at a time.
802.15.4, BGP, LISP: fix some length checks, compiler warnings,
and undefined behavior warnings.
PFLOG: handle LINKTYPE_PFLOG/DLT_PFLOG files from all OSes on all OSes.
RRCP: support more Realtek protocols than just RRCP.
MPLS: show the EXP field as TC, as per RFC 5462.
ICMP: redo MPLS Extension code as general ICMP Extension code.
VQP: Do not print unknown error codes twice.
Juniper: Add some bounds checks.
Juniper: Don't treat known DLT_ types as "Unknown".
lwres: Fix a length check, update a variable type.
EAP: Fix some undefined behaviors at runtime.
Ethernet: Rework the length checks, add a length check.
IPX: Add two length checks.
Zephyr: Avoid printing non-ASCII characters.
VRRP: Print the protocol name before any GET_().
DCCP: Get rid of trailing commas in lists.
Juniper: Report invalid packets as invalid, not truncated.
IPv6: Remove an obsolete code in an always-false #if wrapper.
ISAKMP: Use GET_U_1() to replace a direct dereference.
RADIUS: Use GET_U_1() to replace a direct dereference.
TCP: Fix an invalid check.
RESP: Fix an invalid check.
RESP: Remove an unnecessary test.
Arista: Refine the output format and print HwInfo.
sFlow: add support for IPv6 agent, add a length check.
VRRP: add support for IPv6.
OSPF: Update to match the Router Properties registry.
OSPF: Remove two unnecessary dereferences.
OSPF: Add support bit Nt RFC3101.
OSPFv3: Remove two unnecessary dereferences.
ICMPv6: Fix output for Router Renumbering messages.
ICMPv6: Fix the Node Information flags.
ICMPv6: Remove an unused macro and extra blank lines.
ICMPv6: Add a length check in the rpl_dio_print() function.
ICMPv6: Use GET_IP6ADDR_STRING() in the rpl_dio_print() function.
IPv6: Add some checks for the Hop-by-Hop Options header
IPv6: Add a check for the Jumbo Payload Hop-by-Hop option.
NFS: Fix the format for printing an unsigned int
PTP: fix printing of the correction fields
PTP: Use ND_LCHECK_U for checking invalid length.
WHOIS: Add its own printer source file and printer function
MPTCP: print length before subtype inside MPTCP options
ESP: Add a workaround to a "use-of-uninitialized-value".
PPP: Add tests to avoid incorrectly re-entering ppp_hdlc().
PPP: Don't process further if protocol is unknown (-e option).
PPP: Change the pointer to packet data.
ZEP: Add three length checks.
Add some const qualifiers.
Building and testing:
----------------------
Update config.guess and config.sub.
Use AS_HELP_STRING macro instead of AC_HELP_STRING.
Handle some Autoconf/make errors better.
Fix an error when cross-compiling.
Use "git archive" for the "make releasetar" process.
Remove the release candidate rcX targets.
Mend "make check" on Solaris 9 with Autoconf.
Address assorted compiler warnings.
Fix auto-enabling of Capsicum on FreeBSD with Autoconf.
Treat "msys" as Windows for test exit statuses.
Clean up some help messages in configure.
Use unified diff by default.
Remove awk code from mkdep.
Fix configure test errors with Clang 15
CMake: Prevent stripping of the RPATH on installation.
AppVeyor CI: update Npcap site, update to 1.12 SDK.
Cirrus CI: Use the same configuration as for the main branch.
CI: Add back running tcpdump -J/-L and capture, now with Cirrus VMs.
Remove four test files (They are now in the libpcap tests directory).
On Solaris, for 64-bit builds, use the 64-bit pcap-config.
Tell CMake not to check for a C++ compiler.
CMake: Add a way to request -Werror and equivalents.
configure: Special-case macOS /usr/bin/pcap-config as we do in CMake.
configure: Use pcap-config --static-pcap-only if available.
configure: Use ac_c_werror_flag to force unknown compiler flags to fail.
configure: Use AC_COMPILE_IFELSE() and AC_LANG_SOURCE() for testing flags.
Run the test that fails on OpenBSD only if we're not on OpenBSD.
Source code:
-------------
Fix some snapend-changing routines to protect against pointer underflow.
Use __func__ from C99 in some function calls.
Memory allocator: Update nd_add_alloc_list() to a static function.
addrtoname.c: Fix two invalid tests.
Use more S_SUCCESS and S_ERR_HOST_PROGRAM in main().
Add some comments about "don't use GET_IP6ADDR_STRING()".
Assign ndo->ndo_packetp in pretty_print_packet().
Add ND_LCHECKMSG_U, ND_LCHECK_U, ND_LCHECKMSG_ZU and ND_LCHECK_ZU macros.
Update tok2strbuf() to a static function.
netdissect.h: Keep the link-layer dissectors names sorted.
setsignal(): Set SA_RESTART on non-lethal signals (REQ_INFO, FLUSH_PCAP)
to avoid corrupting binary pcap output.
Use __builtin_unreachable().
Fail if nd_push_buffer() or nd_push_snaplen() fails.
Improve code style and fix many typos.
Documentation:
---------------
Some man page cleanups.
Update the print interface for the packet count to stdout.
Note that we require compilers to support at least some of C99.
Update AIX and Solaris-related specifics.
INSTALL.txt: Add doc/README.*, delete the deleted win32 directory.
Update README.md and README.Win32.md.
Update some comments with new RFC numbers.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The size on glibc depends on time_t size which is 64bit on newer
architectures like rv32 while on musl it is indicated by _FILE_OFFSET_BITS
therefore check for both
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With export PYTHONHASHSEED="1" there will be no need for patching samba and its related libs
So easier maintenance and a cleaner OE
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current handling of /etc/resolv.conf by NM has some problems.
When networkd is not configuring network, and there's 'ip=dhcp'
in kernel command line, the /run/NetworkManager/resolv.conf file
is not created, resulting in /etc/resolv.conf being a dead symlink.
This is because NM is treating the network interface as externally
configured and will not try to reconfigure it again.
This means if we want NM to work properly with /etc/resolv.conf,
we've got to either ensure there's no 'ip=dhcp' in kernel command
line, or we've got to ensure networkd is configuring network. This
is weird because normally we should not enable two network managers
at the same time. Note that NM syncs part of its codes with networkd,
which is the reason I think it happens to work when these two network
configuration tools are configuring the same interface at the same
time.
In fact, NM now works well with resolved. It sends the DNS info it
gets to resolved unconditionally by default (the behavior could be
disabled in configuration file).
Looking at the original commit that sets up the update-alternatives
mechanism, it says:
"""
This brings the networkmanager in sync with how systemd-resolved and connman
work. Additionally this allows it to function with a read-only rootFS.
"""
I guess the author was using systemd but disabling resolved, and the author
wanted to use read-only rootFS. In order to keep such combination still works,
change to use PACKAGECONFIG to handle things, and when 'man-resolv-conf' is
enabled, the above combination could still work.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
MDNS_VERSIONSTR_NODTS disables __DATE__ and __TIME__ in the version string,
which are fixed anyway for build reproducibility.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Fix bug in --dynamic-host when an interface has /16 IPv4
address.
Add --fast-dns-retry option.
Add --use-stale-cache option.
Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
handle removal of whole files or entries within files.
Add --no-round-robin option.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current location has no effect, because NetworkManager
is not looking for config files there.
In meson.build, we have:
nm_pkglibdir = join_paths(nm_prefix, 'lib', nm_name)
config_extra_h.set_quoted('NMLIBDIR', nm_pkglibdir)
It's clear that the configuration directory should be
nonarch_libdir instead of libdir.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without this patch, even if dhcpcd is enabled, the NetworkManager
cannot find it. Below are the messages from NetworkMananger:
dhcp: init: DHCP client 'dhcpcd' not available
dhcp: init: Using DHCP client 'internal'
The problem is that dhcpcd needs to be specified as a path, otherwise
NetworkManager tries to find it in /usr/sbin/dhcpcd.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Reinstate and rework patches from @garmin.com dropped in 21afab4609
("mdns: update to version 1096.40.7") as these were the functional
pieces of this series; we should either maintain it as a whole or drop
it in its entirety. With this update and without this series,
steady-state operation is a constant churn of all names being removed
and re-added every few seconds. These were refactored to handle the move
to getifaddrs() from get_ifi_info().
Check and cleanup all the other patches, much of which was redundant.
Move source releases to github which is where the Apple site now
redirects to (though these are still effectively just tarball dumps into
git).
Cleanup the recipe so it doesn't override all the packaging defaults.
Fixup musl installs so they don't fail attempting to patch a
non-existent /etc/nsswitch.conf.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to install postfix and lib32-postfix at same time:
| Error: Transaction test error:
| file /etc/postfix/sample-main.cf conflicts between attempted installs of
lib32-postfix-cfg-3.7.3-r0.i586 and postfix-cfg-3.7.3-r0.core2_64
Rename sample-main.cf with ${MLPREFIX}.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Add smcroutectl batch support, issue #189. Based on the IPC support added in issue #185
- Fix#178: invalid systemd daemon type Simple/Notify vs simple/notify
- Fix#179: typo in wildcard routes section of README
- Fix#180: minor typo in file and directory names in documentation
- Fix#183: casting in IPC code hides error handling of recv()
- Fix#186: NULL pointer dereference in utimensat() replacement function.
Found accidentally by Alexey Smirnov. Only triggered on systems that don't
have a native utimensat() in their C-library, or if you try to build
SMCRoute without using its own build system ...
- Fix#187: strange behavior joining/leaving the same group
- Fix#192: typo in README
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The checksum was not updated when the recipe version was stepped.
Also simplify the SRC_URI by replacing "${BPN}-${PV}" with "${BP}".
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This reverts commit e154914718.
The change of SRC_URI was probably triggered by the checksum for the
tarball not having been updated when the recipe version was stepped.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes a nasty bug where the shown device list doesnt match the underlying
MAC list, resulting in connecting to a different device than selected.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix:
--------
Do not use 00:00:00:00:00:00 as chassis ID.
Do not busy loop when an interface with a neighbor disappears.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
* IP condfiguration is no longer required in TAP mode.
* Fix initialization of secret flags.
* Add support for DOMAIN-SEARCH option.
* Set data-ciphers option with chosen cipher.
* Update Brazilian Portuguese, Croatian, Danish, Georgian, Polish, Serbian,
Slovenian, Swedish, Turkish and Ukrainian translations.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to start radiusd.service from lib32-freeradius that the
configure directory is /etc/lib32-raddb rather than /etc/raddb. So add
an environment file to export a variable MLPREFIX for the service file
to make it start successfully.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It depends on it, but it was being pulled in via glib-2.0
which now uses libpcre2
Fixes
TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/ettercap/0.8.3.1-r0/recipe-sysroot-native/usr/lib/libpcre.so: file not recognized: file format not recognized
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is no need for these configs on their own and they would only mess
up the sechash and privdrop configs. To actually enable sechash one also
had to enable nss, and to enable privdrop one also had to enable libcap.
This also avoids passing --with-libcap if privdrop is enabled since the
option does not exist.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Support for readline was dropped in Chrony 4.2. However, the
--disable-readline option still remains (it is used to completely ignore
all forms of command line editing, even though the only remaining
variant is editline). So keeping the readline PACKAGECONFIG and making
it pass --disable-readline when it is not enabled disabled support for
editline, and if it was enabled it instead passed --without-editline,
which also disabled support for editline. Thus there was no way to
enable editline support.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
After updating current poky master python3-fcntl is not installed
into my image anymore. Blueman-applet fails to run with
Error: No module named 'fcntl''Module fcntl not found'
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
---------
Fix for possible buffer zeroization overrun introduced at the end of
v5.5.2 release cycle in GitHub pull request 5743 (#5743) and fixed in
pull request 5757 (#5757). In the case where a specific memory allocation
failed or a hardware fault happened there was the potential for an overrun
of 0's when masking the buffer used for (D)TLS 1.2 and lower operations.
(D)TLS 1.3 only and crypto only users are not affected by the issue.
This is not related in any way to recent issues reported in OpenSSL.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Security bugfixes
-----------------
OpenSSL DLLs updated to version 3.0.7.
New features
------------
Provided a logging callback to custom engines.
Bugfixes
---------
OpenSSL DLLs updated to version 3.0.6.
Fixed "make cert" with OpenSSL older than 3.0.
Fixed the code and the documentation to use concious language for SNI servers (thx to Clemens Lang).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
tls-crypt-v2: bail out if the client key is too small
Remove useless empty line from CR_RESPONSE message
Allow running a default configuration with TLS libraries without BF-CBC
Change command help to match man page and implementation
Fix OpenVPN querying user/password if auth-token with user expires
t_client: Allow to force FAIL on prerequisite fails
t_client.sh: do not require fping6
Preparing release 2.5.8
msvc: add branch name and commit hash to version output
Update the replay-window backtrack log message
Do not skip ERROR:/SUCCESS: response from management interface
Fix auth-token usage with management-def-auth
Allow a few levels of recursion in virtual_output_callback()
Ensure --auth-nocache is handled during renegotiation
Purge auth-token as well while purging passwords
Do not copy auth_token username to itself
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Make run-ptest use the correct libdir for multilib builds.
Log the ptest output to a date stamped file and append a test summary
to the end of the log.
Munge the log as it is produced to:
- insert the expected automake keywords: PASS and FAIL.
- remove escape sequences used for ANSI colours as well as movement commands
Add additional discrete tool dependencies to the nftables-ptest list since
the test suite does not work with the busybox versions.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Call pcap_dump_close() on the output file.
- Implement new flags in ./configure: --enable-instrument-functions,
--without-libnids, --without-libosipparser2 and --without-libooh323c.
- autoconf: Add the option to print functions and files names
- Update config.{guess,sub}, timestamps 2022-01-09,2022-01-03
- configure: use pcap-config --static-pcap-only if available
- Remove awk code from mkdep.
- Refine the man page.
- Refine the documentation files.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add github-releases to make new releases discoverable.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bugs fixed
==========
Errors when connected to a device with the DisconnectItems plugin enabled
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Switch from using tarball to git because the 2.3.2 tarball lacks the
meson_options.txt file.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2022-37032:
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may
lead to a segmentation fault and denial of service. This occurs in
bgp_capability_msg_parse in bgpd/bgp_packet.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37032
Patch from:
066770ac1c
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Need the targets file to enable the mctpd.service on systemd.
Signed-off-by: Hao Jiang <jianghao@google.com>
Change-Id: I8d48d3767760dc1f34ae7e1266600d350ac93281
Changes since 4.4.3 (Bug Fixes)
Corrected a reference count leak that occurs when the server builds
responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
Lab for reporting the issue.
[Gitlab #253]
CVE: CVE-2022-2928
Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63
bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
[Gitlab #254]
CVE: CVE-2022-2929
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Allow spice to be built on ARM64 as well, so add aarch64
entry to COMPATIBLE_HOST.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Drop 0001-Make-HgfsConvertFromNtTimeNsec-aware-of-64-bit-time_.patch
and 0013-misc-Do-not-print-NULL-string-into-logs.patch which have been
merged upstream.
* Refresh patches.
* Do not build containerinfo plugin as it requries containerd.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
New features
OpenSSL 3.0 FIPS Provider support for Windows.
Bugfixes
Fixed building on machines without pkg-config.
Added the missing "environ" declaration for BSD-based operating systems.
Fixed the passphrase dialog with OpenSSL 3.0.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/5.9.8
* Drop PACKAGECONFIG[scep] as scepclient has been removed.
* Add plugin-gcm to RDEPENDS as gcm plugin has been added to the default
plugins.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The correct parameter to disable readline usage is --disable-readline
and not --without-readline.
See also chrony source at:
https://github.com/mlichvar/chrony/blob/master/configure#L110
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The configure script present in chrony will explicitly look for
pkg-config and without the pkgconfig class it will fail:
Checking for pkg-config : No
This then affects the possibility (via image features or bbappend)
to use features based on nettle/gnutls/nss which strictly require
pkgconfig to be present and working.
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
clang errors out linking lto objects
riscv64-yoe-linux-musl-ld: /tmp/lto-llvm-d497c5.o: can't link soft-float modules with double-float modules
This is something needs to be addressed in clang for riscv
as of now disable lto for rv32/rv64 when using clang
Signed-off-by: Khem Raj <raj.khem@gmail.com>
open62541 (http://open62541.org) is an open source and free implementation
of OPC Unified Architecture according to IEC62541 standard
The patch exclude git-related files from installation directory
Upstream-Status: Accepted
a0328d4cb5
Signed-off-by: Vyacheslav Yurkov <v.yurkov@precitec.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop 0001-avoid-naming-local-function-as-one-of-printf-family.patch as
the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport patches to fix build error with --disable-ospfapi and
CVE-2022-37035.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since it's included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This runtime dependency was already added for ntpd but not yet for the
sntp binary. This will result in an error when pthread_exit() is called:
"libgcc_s.so.1 must be installed for pthread_cancel to work"
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
brings in
Added
mdio: A new addressing mode "mmd-c22": Used to access MMDs attached
to MDIO controllers without Clause 45 support by using registers 13
and 14 in the device's Clause 22 register space
mdio: Pretty print gigabit link capability information from a PHY's
extended status register
mdio: Pretty print lots of status information from MMDs (C45 PHYs)
mvls: Decode priority override information of ATU entries
Changed
mvls: Table listings now always prints out the device information,
even on single chip systems.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop merged backport of 7e20aa9ef172 ("coap_session.c: Balance
SESSIONS_ADD and SESSIONS_DELETE usage").
c694baead2f9 Update version to release 4.3.1
ab9488559f5e Doxygen: Fix missing links for later versions of asciidoc
144f9c4381c1 Manual pages: Update NAME section to contain all of the alternative names
707aed35d39b Doxygen: Hyperlink man page functions
46feac2455ab Misc: Tidy up documentation and space usage
d09204e24aba Doxygen: Add in individual man pages for the ease of finding the functions
09aab40d14f9 Tag release candidate 2 for version 4.3.1
2755af4d1a16 block.c: Clarify ignored result from coap_get_data()
5f0eea8dbbc4 coap_session.c: Fix adding NULL pointer on error in coap_new_server_session()
ea89cb842cf6 coap_cache.txt.in: Fix typo in function name
922e81a0d21f Doc: Include statement about upgrading to 4.3.1
5c498249e7e7 ChangeLog: Add summary for version update to 4.3.1
4f12b9be1b7b coap_event.h: Clean up Doxygen documentation for coap_event_t
43bfbea924e0 Copyright: Update dates to 2022 where appropriate
37731524a0ad RFC8516: Document support
a7b2f2b4901b block.c: Timeout coap_lg_crcv_t structures correctly
f4507e6e9adb Block: Report event on large xmit failures
3d387a5be485 block.c: Correct size of allocated PDU buffer
6a9a787503ec Observe: Clean up server timing out after observe failures
725e464421e0 mcast: Tidy up logging
381ff3d94da2 PDU Data: Clean up internal usage of PDU data
0f0cac71f5e5 Observe: Support disabling observe cancellation on session close
bc4c75060b86 coap_mbedtls.c: Fix output type of a log message
b8f01cef06f0 net.c: Move variable into correct block
58a8b338045b net.c: Send appropriate delayqueue entries in coap_cancel_all_messages()
b4306bb79162 observe: Make sure the correct token in used for cancellation
c68d1e9fe785 mutex: Do not output mutex warnings for LwIP and Contiki
7f551fcea56b coap_mbedtls.c: Upgrade to mbedTLS v3.2.1 - Updated the deprecated APIs with the respective alternatives - `mbedtls_ssl_conf_min_version` => `mbedtls_ssl_conf_min_tls_version` - Updated fields for `mbedtls_ssl_ciphersuite_t` - `max_major_version`/`max_minor_version` => `max_tls_version` - Added macros for backward compatibility
8c15b896ef30 esp-idf: Stop -Wformat errors for uint32_t variables
0ca2fd4a90b5 Tag release candidate 1 for version 4.3.1
9962bab56f6b Updated tinydtls to current develop HEAD
8fbe440f8aaa coap_io.c: Updates for esp-idf port
d2306569d16a proxy: Make proxy requests separate responses
98ecf5a2a166 tinydtls: Update submodule to latest version
8c973a454e73 mid_duplicates: Drop general responses duplicates
dc92fe5e1ea6 coap.h.windows.in: Fix missing file renames
347270b9abc4 file naming: Rename files to have coap_ prefix
8b9377ef2ad4 coap_mbedtls.c: Fix memory leak
e8052b3988ec resource.c: Further fix making subscribers iteration safe
f93b9a3e37cf coap_mbedtls.c: Catch connection reset in coap_tls_write
d5bcb8159b73 resource.c: Make subscribers iteration safe in coap_notify_observers
0d9f2531e5dd coap_session.c: Free off session's last_token on session deletion
415fbdb7cddf RFC9175: Add in support for the Echo and Request-Tag options
88ae9563e665 mcast support: Support multicast granular to the resource level
73565196a8f3 block.c: Fix error handling with Block transfers
132c72619032 net.c: Handle multiple same token request/responses
d68f5d6f5713 net.c: Handle well_known requests when there is no libcoap block support
fe51d3335e81 lwip: Fix minor issues
6046dcbd5589 net.c: Fix broken client only build
20f15a17d698 Large Observes: Prevent server sending new response if active response
5a10ce4890ff Congestion Control: add in RFC7252 configuration flexibility
41afb92141c5 net.c: Update .well-known/core handling to use common logic
6b32ed3de2fb coap_io.c: Track ICMP Host Administravely Prohibited error
279755b1df9e coap_send: Make error checks for coap_send() more rigorous
925d39fd8cfb coap-server.c: Cleanup misplaced comment
c77176714770 coap_gnutls.c: Handle another error in do_gnutls_handshake()
801e5492f2e6 CSM: Move coap_client_delay_first() to later in code processing
346a831cd604 block.c: Correctly preset updated_block variable
56db248daba6 async.c: Remove white space
256a758e0273 TLS SIGPIPE: Stop programs exiting with code 141 (128 + 13:SIGPIPE)
6649bdef39db net.c: fix null pointer exception
03a9059439d0 BERT: Support block BERT szx of 7 for reliable protocols
445a9481deca RFC7390: Update support for RFC7390
428f759659a4 coap_mbedtls.c: Fix coap_rng() return for 3.x code
1b2668f562e9 CMakeLists.txt: Correctly determine cmsghdr support for determining addresses
21fd838dc781 coap_io_prepare_io: Re-order function code for correctly updating sockets[]
cfbf3ab617f8 doc/main.md: Update copyright year
f28044303abe net.c: Make sure separate response is CON for CON requests
069a0786ce85 CSM: Support different XMT and RCV Max-Message-Size
9cbe5757cb69 recursive mutex: Stop recursive Mutex when doing handler callbacks
d9c19c378f3f event.h: Add events for server session state management
7e20aa9ef172 coap_session.c: Balance SESSIONS_ADD and SESSIONS_DELETE usage
806861359b81 configure.ac: Allow using non-vendored TinyDTLS with autotools build
6c8b76d534a0 tinydtls: Update to latest version
aa391b5b7601 async: Handle changes to delay when using epoll
65cba25cc7e5 coap-client.c: Delay sending each request using -G by 1 second
d57d44aa142a block.c: Fix data leak in coap_add_data_large_internal
eb7656850f1c pdu.h: Add Content-Format for application/ace+cbor
c8458f262ab8 coap_mbedtls.c: Fix return brace location
583c29fd47d9 coap_mbedtls.c: Make TLS error recovery more rigorous
02deef8da6ac coap_prng.c: Added alternate RNG implementation - For targets having their own hardware entropy/RNG implementation using mbedtls_hardware_poll() - This change was made as since mbedtls-3.x, passing a RNG function to all functions that accept a f_rng parameter is mandatory
916a534e170b coap_mbedtls.c: Upgrade to mbedTLS v3.x - Added MBEDTLS_ALLOW_PRIVATE_ACCESS to access private struct members wherever required - Updated deprecated functions from hashing module (E.g. mbedtls_sha256_starts_ret() -> mbedtls_sha256_starts()) - Added mandatory RNG parameter for some functions (mbedtls_pk_parse_keyfile(), mbedtls_pk_parse_key()) - Remove support for parsing SSLv2 ClientHello
b42c184f74a6 block.c: Fix possible null-pointer dereference
df72a53f2d66 coap_openssl.c: Support Microsoft VS builds
0f76881802af autogen.sh: Fix missing file ar-lib
19928e81bd42 builds: Set CFLAGS += -Werror in all linux subdirectory compilations
b2ad43319a0f doc/Makefile.am: Include module_api_wrap.h in a distribution
dfc678c33bd1 Proxy: Support unknown Critical but Safe-To-Forward options
93f2738c451d coap_pdu_setup.txt.in: Clarify / more make readable the pdu setup information
5b32d716fa03 github workflow: Support windows-2022
bd9ced550e07 pdu.c: Fix coap_insert_option with delta = 269
ba585f848ff5 [OSS-Fuzz] pdu_parse_target.c: Check result of coap_pdu_parse()
a2e0046c802f [OSS-Fuzz] pdu_parse_target.c: Fix compiler warning
b3d503cbff07 sessions: Prevent multiple client session confusion
726b9630e51f coap_block.txt.in: Clarify / more make readable the block handling information
756bb042395d pdu building: Enforce the application order of building a PDU
c02ca5f097d6 coap_pdu_access.txt.in: Add in documentation for coap_get_uri_path()
aaf611559482 proxy_uri: Fix handling the resource for uri path in Proxy-Uri
a8c00f2af9c6 coap_pdu_setup.txt.in: Better document coap_encode_var_safe8()
64e56410177b versioning: Make current git describe available
0a16d790ce53 cmake_coap_config.h.in: Fix definitions for when building with tinydtls
17aaa81b5ad3 Caching: Highlight requirements ignoring certain CoAP Options
74582eddde28 resource.c: Support deleting resources that have not yet been added
32d2d0e1c62b request_handler: Report only when app's request handler is actually called
5dc2dfca86ec block.c: Do not match large response if no Block2 option in request
18888cd0dde3 cmake: Install example programs if examples enabled
c0e032ffad0b block: Check block size space correctly
693a4e231386 net.c: correct return value in coap_send_internal()
38bffb7f99d9 configure.ac: Fix have mbedtls lib, but no mbedtls-dev issue
694a205f28dc coap-server.c: Fix proxy response type and code
e8e33f0424ad coap-server: Add in POST support for unknown request handler
3f5ec5467a1d coap_cache.c: Correctly build cache key
e43cf9369ac5 RFC7959: Handle both client and server initiating requests
bdf7686613ec coap_write_session: Account correctly for partial TCP writes
76194be8cd3f coap-client.c: Allow time for all server responses to mcast
d395df1a812f coap_session.c: Do not check for duplicate mids if reliable protocol
73389b8192e8 handlers: Clarify which handlers are client only, server only or both
df9071c93eff coap_session.[hc]: Added function to retrieve PSK identity from session
7791897e8f4c api-version-bump.sh: Added missing changes for win32
4834b86067ae pkg-config: Don't use hard coded binary
d139beab67ff pkg-config: Don't use hard coded binary
166ef51ed155 Windows: Update libcoap-2 objects to libcoap-3
31722c208ac9 PSK: Make PSK hint / key / identity retrieval simpler
d746fc24e5a7 coap_pdu_parse: Add to public API
0aeb0d624797 doxygen: Tidy up Modules and Files tab information
f026f5701ece client+server: Reduce code size by building libcoap for client or server only
a7f53b4d6b0a coap_debug.h: Allow <syslog.h> to be included before and after <coap3/coap.h>
77f8cf59702e DTLS/TLS: Support TLS when DTLS is not enabled
587de900c2cc coap_mbedtls.c: Add in TLS support
94b297aae7a5 coap_mbedtls.c: Fix build fail for client only mbedtls
cc2648aef685 net.c: Protect against session release in coap_io_do_io()
ca44071b8afe net.h: do not include sys/select.h in Windows builds
e984f38b8fd6 [DTLS] make buffer sizes for psk and psk_identity configurable
54dbc3eeb815 [RIOT] coap_time.h: fix COAP_TICKS_PER_SECOND for undefined XTIMER_HZ
05e7f12d7ca8 net.h: Include sys/select.h for fd_set
25a59905792f doxygen: Fix summary output for manual pages
a5c0d12354ed doc: Document the coap_can_exit() function
a1d78d505d98 tiny.c: Fix message id generation
67f189f134a2 CMakeLists.txt: Fix macOS builds by checking for if_nametoindex support
8ce139d349bc coap_event.h: Make coap_event_t an enum
b0ca3ae643d1 resource.c: Delete previous subscription correctly
98b9179d5666 async: Correct MID usage in response
c61748f4dd33 RFC7959: session->lg_xmit not being released for a server
482be755fe29 gnutls: GNUTLS_CRT_RAW not defined
e0d6477b5ec9 man: Update man page documentation
d52986f00459 coap_resource_init: Leading '/' is not required for uri_path
60c69557f3d5 pdu.h: Remove unassigned response code COAP_RESPONSE_CODE_OK
87fab6d573cf coap_mbedtls.c: Allow ESP-IDF systems to be compiled without PSK support
77d1aae06b17 Fix condition for MBEDTLS_INCLUDE_DIRS
4bbf25ba338a coap-client: Add in support for generating multiple requests
50530704df9a tinydtls: update to latest version
License-Update: Update year
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- drop included patches
- refresh remaining patches
- update to new ptest
Licence change: update year
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond
with the earlier change to use setuptools3_legacy instead of distutils3.
Without this change, you will get the following error if your build host
does not have iptables installed:
Fixes:
ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed.
Log data follows:
| DEBUG: Executing shell function do_compile
| ERROR: could not find required binary 'iptables'
| ERROR: 'python3 setup.py build ' execution failed.
| WARNING: exit code 1 from a shell command.
ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1'
Also, although the build will not fail on a host that has iptables, it
could cause a problem if it is installed at a different path than where
OpenEmbedded's iptables will be installed on the target.
Fixes: 3e2ed1dcc0 ("ufw: port to setuptools, use setuptools_legacy")
Signed-off-by: Howard Cochran <howard_cochran@jabil.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Enable meson for building open-isns, deprecating autoconf/make (though the current build system still works)
Add a package config file for libisns, so other software can find it
Fix some compiler warnings and spelling errors
Make IPv6 default socket type
Fix isnsadm parsing of some arguments
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
* Add support for "allow-compression" parameter.
* Fix a regression in preserving the "tls-auth" settings.
* Add support for "tls-min" and "tls-cipher" parameters.
* Include the new gnome-control-center name in the AppData file.
* Drop libnm-glib support, nobody is likely using it anymore.
* Fix importing profiles with a PKCS#12 CA.
* Make sure the plugin object links with glib.
* Dropped dependency on intltool.
* Updated Basque, Brazilian Portuguese, Chinese (China), Croatian, Czech,
Danish, Dutch, Georgian, Indonesian, Polish, Serbian, Spanish, Swedish,
Turkish and Ukrainian translations.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libatm uses res_search which is provided by libc now a days in both
glibc and musl, we dont need to error out if libresolv is not found
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were missing a comma so were being added as RRECOMMENDS.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
POSIX_SHELL is specified a host tool path as it searches path on build
host using `which` when configure. Set it to a fixed path '/bin/sh'.
Fixes:
QA Issue: File /usr/bin/tcpbridge in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpliveplay in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcprewrite in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpcapinfo in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpreplay in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpprep in package tcpreplay contains reference to TMPDIR
File /usr/bin/tcpreplay-edit in package tcpreplay contains reference to TMPDIR [buildpaths]
QA Issue: File /usr/src/debug/tcpreplay/4.4.2-r0/src/defines.h in package tcpreplay-src contains reference to TMPDIR [buildpaths]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This ensures that it can use the sed provided by build environment, as
we poison host sysroots, we wont be able to get it from /usr/bin anyway
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport a patch from upstream to fix musl builds
Merged inc file into bb file, makes it easy to use devtool
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Disable on musl since its using some non-portable glibc only constructs
Drop gettid patch its applied upstream
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Dates and address changed
Link with libtirpc for bindresvport() implementation
Drop krb5 packageconfig, its gone from this version
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NetworkManager:
* Drop unused, internal systemd DHCPv4 client. This is long
replaced by nettools' n-dhcp4 implementation.
* The nmcli command now supports --offline argument with "add" and
"modify" commands, allowing operation on keyfile-formatted connection
profiles without the service running (e.g. during system provisioning).
* The device state file /run/NetworkManager/devices/$ifindex now has
new sections [dhcp4] and [dhcp6] containing the DHCP options for the
current lease.
* Add multipath TCP (MPTCP) support. NetworkManager can now configure IP addresses
as MPTCP endpoints. This is configurable via the "connection.mptcp-flags"
property. The default setting is such that MPTCP handling is automatically
enabled if the kernel sysctl "/proc/sys/net/mptcp/enabled" indicates so.
NetworkManager does not enable the MPTCP sysctl or adjust the limits (ip mptcp limits).
The administrator or the distribution is supposed to configure the desired system
settings.
Note that strict reverse path filtering (rp_filter) breaks many MPTCP use cases.
With MPTCP handling enabled, NetworkManager will relax a strict (1) rp_filter
to loose (2). Otherwise rp_filter is untouched by NetworkManager.
* NetworkManager expanded log messages for invalid DHCP options.
* Fix the requirement of hardware address for DHCPv6, by dropping it.
* Increase the PMK lifetime for Wi-Fi connections using WPA-EAP.
* "nmcli networking off" now waits for deactivations to complete.
* Improve the appearance of nm-settings-nmcli man page by preserving
paragraphs.
* Support enabling ipv4ll alongside DHCPv4 and static addressing.
* Support configuring "ipv6.mtu".
* Honor "nm.debug" kernel command line to enable debug logging of
NetworkManager.
* NetworkManager reads the kernel command line "/proc/cmdline" for several
purposes, including "nm.debug" for enabling debugging and the
"match.kernel-command-line" setting in the profile. NetworkManager now
first looks now for "/run/NetworkManager/proc-cmdline", which allows to
overwrite the command line.
* Improve the reapply of non-bridge properties.
* Honor adding a Bluetooth NAP connection with all available methods.
* Improve carrier detection.
* During the build, stop relying on intltool for i18n and use gettext only.
* Undeprecate nm_remote_connection_get_secrets() in libnm.
* NetworkManager now will restart DHCP if the MAC changes on a device.
* Several internal improvements.
Recipe:
* Drop the last patch :-). -Difcfg_rh=false is now honored and the
distro detection patch is no longer needed.
* Fix: move /etc/resolv-conf.NetworkManager to daemon package
* Fix: remove ppp rdepends from daemon. The ppp plugin rdepends on ppp.
* ifupdown plugin requires now bash not sh. But the ifupdown is an
optional plugin anyway.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a patch to avoid implicit-function-declaration warnings, they will
soon become errors with clang 15+
set path for privatelibdir
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The test case tfork_cmd_send in smbtorture fails on target as it
requries a script located in the source directory:
$ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
test: tfork_cmd_send
/buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh:
Failed to exec child - No such file or directory
This also triggers the buildpaths warning:
QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
Skip this test case in smbtorture to avoid the warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Use _GNU_SOURCE to compile which helps fixing build with musl
add a header reordering patch to again fix another issue with musl
builds
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This makes it simpler to set specific config options or custom sources
by adding snippet files to /etc/chrony/conf.d/ or /etc/chrony/sources.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.
These specific directories are also used in Debian's default
configuration. It is not an error if they are missing.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The pass-ptest-env.patch uses ${B}/extensions as the EXTENSIONS_DIR at build
time and pass the env variable EXTENSIONS_DIR as ${libdir}/${fd_pkgname} at
run time to fix the run time error. But there still exists buildpaths issue.
So rework the pass-ptest-env.patch to make sure EXTENSIONS_DIR to be
${libdir}/${fd_pkgname} both in build and run time.
Fixes:
WARNING: freediameter-1.4.0-r0 do_package_qa: QA Issue: File /usr/lib/freeDiameter/ptest/testloadext in package freediameter-ptest contains reference to TMPDIR
File /usr/lib/freeDiameter/ptest/testmesg_stress in package freediameter-ptest contains reference to TMPDIR
File /usr/lib/freeDiameter/ptest/CTestTestfile.cmake in package freediameter-ptest contains reference to TMPDIR [buildpaths]
WARNING: freediameter-1.4.0-r0 do_package_qa: QA Issue: File /usr/src/debug/freediameter/1.4.0-r0/build/libfdcore/fdd.tab.c in package freediameter-src contains reference to TMPDIR
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
Features
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
- Fix verbose EDE error printout.
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
- For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
cross-compiler versions.
- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
And fixup the lock code.
- iana portlist update.
- Update documentation for 'outbound-msg-retry:'.
- Tests for ghost domain fixes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
wscript detects .git directory and if its present them invokes git
describe --dirty which does not work on the devtool created git
repository, since its synthesized.
Add GNU_SOURCE define to get strptime() definition
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- This will move the dependencie of bash to wg-quick
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Also change the git protocol to https.
Relevant changes:
- 18fbcd6 version: bump
- 3ec3e82 compat: handle backported rng and blake2s
- ba45dd6 qemu: give up on RHEL8 in CI
- c7560fd qemu: set panic_on_warn=1 from cmdline
- 33c87a1 qemu: use vports on arm
- 894152a netns: limit parallelism to $(nproc) tests at once
- f888673 netns: make routing loop test non-fatal
- f9d9b4d device: check for metadata_dst with skb_valid_dst()
- f909532 qemu: enable ACPI for SMP
- ec89ca6 socket: ignore v6 endpoints when ipv6 is disabled
- fa32671 socket: free skb in send6 when ipv6 is disabled
- ffb8cd6 qemu: simplify RNG seeding
- 4eff63d queueing: use CFI-safe ptr_ring cleanup function
- 273018b crypto: curve25519-x86_64: use in/out register constraints more precisely
- 4f4c019 compat: drop Ubuntu 14.04
- 743eef2 version: bump
- 3c9f3b6 crypto: curve25519-x86_64: solve register constraints with reserved registers
- 8e40dd6 compat: udp_tunnel: don't take reference to non-init namespace
- ea6b8e7 compat: siphash: use _unaligned version by default
- 5325bc8 ratelimiter: use kvcalloc() instead of kvzalloc()
- e44c78c receive: drop handshakes if queue lock is contended
- 5707d38 receive: use ring buffer for incoming handshakes
- 68abb1b device: reset peer src endpoint when netns exits
- ea3f5fb main: rename 'mod_init' & 'mod_exit' functions to be module-specific
- cb001d4 netns: actually test for routing loops
- 2715e64 compat: update for RHEL 8.5
- 2974725 compat: account for grsecurity backports and changes
- 50dda8c compat: account for latest c8s backports
- d378f93 version: bump
- fb4a0da qemu: increase default dmesg log size
- 8f4414d qemu: add disgusting hacks for RHEL 8
- fd7a462 allowedips: add missing __rcu annotation to satisfy sparse
- 383461d allowedips: free empty intermediate nodes when removing single node
- 03add82 allowedips: allocate nodes in kmem_cache
- b56d48c allowedips: remove nodes in O(1)
- 3c14c4b allowedips: initialize list head in selftest
- 4d8b7ed peer: allocate in kmem_cache
- 6fbc0e6 global: use synchronize_net rather than synchronize_rcu
- 405caf0 kbuild: do not use -O3
- b50ef4d netns: make sure rp_filter is disabled on vethc
- e67b722 version: bump
- 1edffe2 Revert "compat: skb_mark_not_on_list will be backported to Ubuntu 18.04"
- 2cf9543 compat: update and improve detection of CentOS Stream 8
- 122f06b compat: icmp_ndo_send functions were backported extensively
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Self-description from the README: mdio-tools is a low-level debug tool
for communicating with devices attached to an MDIO bus.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
-On very low speed transfers (<10Kbps) sessions would time out due to a very
large interpacket transmission interval. Fixed by putting a lower limit
on the advertised GRTT of of the interpacket transmission interval.
-Sending of ABORT messages on early shutdown would sometimes fail due to
OpenSSL cleanup functions running before application cleanup. Changed the
ordering of atexit() handlers to ensure OpenSSL cleanup happens last.
-Fixed missing timestamp update when clients read CONG_CTRL messages
-Fix to GRTT handling on server to ensure it doesn't fall below minumim.
-Fixed bypassed checking of existing files on client for backup
-Various logging fixes
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix when correcting large time offsets (bug introduced in 1.3.5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When largefile distro feature is enabled the relevant flags are needed
to be passed, otherwise large file support wont work, since we are cross
compiling and runtime checks will fail.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade summary:
----------------
- drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with
upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
- drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
- rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
- refresh patches with devtool to get rid of fuzz
Changelog:
----------
*5.9.3*:
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Windows:
- WinExtDLL: Fix multiple compiler warnings
- WinExtDLL: Make long strings occupy a single line Make it easier to
look up error messages in the source code by making long strings
occupy a single source code line.
- WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit
Windows systems") caused snmpd to skip MIB-II on 64-bit systems.
IF-MIB: Update ifTable entries even if the interface name has changed
At least on Linux a network interface index may be reused for a
network interface with a different name. Hence this patch that
enables replacing network interface information even if the network
interface name has changed.
unspecified:
- Moved transport code into a separate subdirectory in snmplib
- Snmplib: remove inline versions of container funcs".
misc:
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
*5.9.2*:
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The NetworkManager meson.build is searching for iptables and nft by
passing absolute paths to meson's find_program. The result is that it
locates tools on the host machine when they exist at those locations. If
they don't, it uses default locations. This often works out, but in some
cases, such as when the host uses a merged usr scheme and the build
target does not, the paths will be incorrect and the tools won't be
found at runtime.
These could be PACKAGECONFIG options, but since they have fallback
values, completely disabling the use of either iptables or nft would
require patching the meson.build or setting a bogus location.
Note that this meson.build file follows the same pattern elsewhere, but
most cases are already covered by PACKAGECONFIG options.
Signed-off-by: Jim Broadus <jim@thruwave.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/5.9.7
* Drop backport patch 0001-enum-Fix-compiler-warning.patch.
* Update RDEPENDS to fix strongswan startup failures:
plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available
plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-Remove-hardcoded-usr-local-includes-from-configure.a.patch
updated for new version.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Needed for automating ssh logins, used in auto-tests.
Co-authored-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Mike Petersen <mike.petersen@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fix-openssl-no-des.patch
refreshed for version 5.65
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.5.
Bugfixes
Fixed handling globally enabled FIPS.
Fixed the default openssl.cnf path in stunnel.exe.
Fixed a number of MSVC warnings.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2015-1611 and CVE-2015-1612 are not referred to our implementation
of openflow as specified by the NVD database, ignore them.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2002-0318 and CVE-2011-4966 are both patched in our version of
freeradius. The CPE in the NVD database doesn't reflect correctly
the vulnerable versions that's why they are incorrectly picked up.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backported patch, switch PACKAGECONFIG assignment to ?= (matches
current practice), add in editline, linenoise CLI options and xtables
option. Switch to --disable-python when building without python to avoid
a configure time warning.
We can drop UPSTREAM_CHECK_REGEX as the version no longer gets confused
by the 0.099 version which exists.
Fix buildpaths warning by switching to setuptools and add dependency on
${PN}-python to ${PN}-ptest so that the embedded paths in the compiled
python files are correct.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The openvpn tarball has additional sample config files which are
generally useful to users, and which are typically distributed in other
distros' openvpn packages.
Include these sample configs in the OE recipe.
Signed-off-by: Bill Pittman <bill.pittman@ni.com>
Rebased to openvpn_2.5.7.
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Firewalld:
This is a feature release. It also includes all bug fixes since v1.1.0.
Details are here: https://firewalld.org/2022/07/firewalld-1-2-0-release
Recipe:
Firewalld defaults to create a log file for debug messages. This is
basically an empty file until firewalld's log level is configured to
debug level. Writing log files requies something like log-rotate to
prevent full disks. The default for OE is to not create files and send
all log messages to syslog (journald).
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The systemd support had been integrated to openvpn for a long time. Add
PACKAGECONFIG for it and use its own service files and volatile file.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2016-4049 is not affecting our version, so we can ignore it.
This is caused because the CPE in the NVD database doesn't specify
a vulnerable version range.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The following CVEs are already patched so we can ignore them:
- CVE-2016-0749
- CVE-2016-2150
- CVE-2018-10893
This is caused by inaccurate CPE in the NVD database.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2018-1078 is not for openflow but in the NVD database the
CVE is for a specific implementation that we don't have so we
can ignore it.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
cve-check is not able to correctly identify many of the patched
CVEs because of the non standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current version of usrsctp is not a release so cve-check
is not able to find the product version. CVE_VERSION is now set
to 0.9.3.0 that is the nearest version in the past starting from
the revision we have.
This is done because we don't have the complete 0.9.4.0 release.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The cdra application is looking for the `regulatory.bin` file that is
installed by the `wireless-regdb` package, but that is not installed
because the RDEPENDS lists`wireless-regdb-static` (which conflicts with
`wireless-regdb`).
Changing RDEPENDS to use `wireless-regdb` instead of
`wireless-regdb-static` allows the cdra application to function
properly.
Example output before this fix was applied:
root@yocto:~# COUNTRY=US crda
failed to open db file: No such file or directory
root@yocto:~# COUNTRY=US strace crda
execve("/usr/sbin/crda", ["crda"], 0xbec80d70 /* 17 vars */) = 0
...
openat(AT_FDCWD, "/usr/local/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
...
write(3, "failed to open db file: No such "..., 50failed to open db file: No such file or directory
) = 50
close(3) = 0
exit_group(-2) = ?
+++ exited with 254 +++
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Drop backport patch 0001-openssl-Don-t-unload-providers.patch
* Backport a patch to fix the build error:
src/libstrongswan/utils/enum.c: In function 'enum_flags_to_string':
src/libstrongswan/utils/enum.c💯9: error: format not a string literal and no format arguments [-Werror=format-security]
100 | if (snprintf(buf, len, e->names[0]) >= len)
| ^~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If 'ppp' packageconfig option is enabled, but the build system does NOT
have pppd binary installed, the build fails with:
| Has header "pppd/pppd.h" : YES
| Program pppd /sbin/pppd /usr/sbin/pppd found: NO
|
| ../NetworkManager-1.36.2/meson.build:570:4: ERROR: Assert failed: pppd required but not found, please provide a valid pppd path or use -Dppp=false to disable it
This is due to meson trying to look for the 'pppd' binary in the build
system when it should not. If the build system does not contain pppd,
the build fails.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Ensure /var/lib/chrony exist to avoid error like:
chronyd.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/chrony: No such>
chronyd.service: Failed at step NAMESPACE spawning /usr/sbin/chronyd: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
Fixed a scenario where SSL traffic was not detected correctly.
* src/dynamic-preprocessors/smtp/snort_smtp.c :
Fixed a possible memory corruption.
* src/dynamic-preprocessors/imap/imap_util.c
src/dynamic-preprocessors/pop/pop_util.c
src/dynamic-preprocessors/smtp/smtp_util.c
src/preprocessors/spp_httpinspect.c :
Fixed malformed packet debug engine output.
* src/preprocessors/Stream6/snort_stream_tcp.c :
Fixed security zones info in intrusion events.
* src/dynamic-preprocessors/appid/fw_appid.c :
Fixed URL lookup failure.
* src/preprocessors/HttpInspect/server/hi_server.c :
Fixed a possible memory leak.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
src/dynamic-preprocessors/appid/fw_appid.c
src/dynamic-preprocessors/appid/fw_appid.h
src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h :
Added support for dns root queries and underflow.
* src/dynamic-preprocessors/smtp/snort_smtp.c
src/Makefile.am
src/dynamic-examples/Makefile.am
src/dynamic-plugins/sf_dynamic_plugins.c
src/dynamic-plugins/sf_dynamic_preprocessor.h
src/dynamic-preprocessors/Makefile.am
src/dynamic-preprocessors/smtp/snort_smtp.h
src/dynamic-preprocessors/smtp/spp_smtp.c
src/smtp_api.h :
Added support to get extra data from SMTP and HTTP into IPS event.
* src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c
src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c :
Added support for login success and failure eventing for IMAP and POP3.
* src/dynamic-preprocessors/appid/hi_server.c :
Added support to handle empty string for SNI/CN/SAN/ORG.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Merge pull request #1178 from yishaih/mlx5_misc
mlx5: Fix check for SQ overflow in bind_mw
mlx5: DR, Add support for modify IP ECN action for CX7
Merge pull request #1175 from zhijianli88/print-style
Merge pull request #1176 from EdwardSro/pr-extend-wqe-class
Merge pull request #1174 from EdwardSro/pr-pyverbs-read-write
Merge pull request #1170 from Hakon-Bugge/rdma_xserver_xclient
Merge pull request #1166 from EdwardSro/pr-tests-fixes
pyverbs/mr.pyx: Make MR and MW print style identical
pyverbs: Extend segments format of WQE class
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update firewalld by 2 major versions, which also includes breaking and
behavioral changes.
Highlights from 0.9 to 1.0:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Details:
- https://firewalld.org/2021/07/firewalld-1-0-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
From 1.0 to 1.1 is mostly a bug fix release update.
Details:
- https://firewalld.org/2022/02/firewalld-1-1-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
Improvements on the recipe:
- Add ptest
- Very helpful to get all the kernel modules
- Long running, probably not suitable for any OE autobuilder
- RRECOMMENS kernel modules, document configuration
- Improve package splitting
- firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK.
The dependencies were not correctly set but the code was ending up
on the target device. Now the code gets into a separate package but
the dependeinces are probably still not complete. Since this is
probably not used anyway it is not tested yet. It's still not
perfect but much better than installing broken stuff to the target
device.
- The dependenices are added to variables instead of rdepends to keep
the meta-qt5 and gnome layers optional also at build-time.
- New packageconfigs: ebtables, ipset. This is mosly required to get the
test suite running but probably also usable otherwise.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Add support for route type "throw".
* Fix bug setting priority for IP addresses.
* Static IPv6 addresses from "ipv6.addresses" are now preferred over
addresses from DHCPv6, which are preferred over addresses from autoconf.
This affects IPv6 source address selection, if the rules from
RFC 6724, section 5 don't give a exhaustive match.
* Static IPv6 addresses from "ipv6.addresses" are now interpreted with
first address being preferred. Their order got inverted. This is now
consistent with IPv4.
* Wi-Fi hotspots will use a (stable) random channel number unless one is
chosen manually.
* Don't use unsupported SAE/WPA3 mode for AP mode.
* NetworkManager will no longer advertise frequencies as supported when
they're disallowed in configured regulatory domain.
* Attempt to connect to WEP-encrypted Wi-Fi network will now fail
gracefully with a recent version of wpa_supplicant when built
without WEP support. As long as wpa_supplicant supports WEP,
NetworkManager will continue to work.
* Disable WPA3 transition mode for wifi.key-mgmt=wpa-psk if the NIC
does not support PMF. This is known to cause problems in some setups. It
is still possible to explicitly configure wifi.key-mgmt=sae for WPA3.
* Add new dummy crypto backend "null" that does nothing. NetworkManager
uses the crypto library when handling certificates for 802.1x profiles.
* Veth devices with name "eth*" are now managed by default via the
udev rule. This is to support managing the network in LXD containers.
* The hostname received from DHCP is now shortened to the first dot
(or to 64 characters, whatever comes first) if it's too long.
* As the insecure WEP encryption for Wi-Fi network is phased out,
nmcli now discourages its use when activating or modifying a
profile.
* Fix connectivity checks in case the check endpoint address resolves to
multiple addresses.
* Workaround libcurl blocking NetworkManager while resolving DNS names.
* nmcli: indicate missing Wi-Fi hardware when showing rfkill setting.
* nmcli: add connection migrate command to move a profile to a specified
settings plugin. This allows to convert profiles in the deprecated ifcfg-rh
format to keyfile.
* Set "src" attribute for routes from DHCPv4 to the leased address. This
helps with source address selection.
* Updated translations.
* Various bugfixes and internal improvements.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
From NEWS file of netowrkmanager 1.32:
firewall: add nftables firewall backend for configuring IPv4 NAT with
shared mode. Now two backends are supported, "iptables" and "nftables".
The default gets detected based on whether /usr/sbin/nft or
/usr/sbin/iptables is installed, with nftables preferred.
With this change nftables is not the prefered backend also with OE. But
it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
iptables.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The main motivation for this rework is to support compiling the
NetworkManager with many plugins, but to install only a few of them in
a firmware image. This is advantageous when different products with
different network interfaces should be supported by only one binary
distribution. This is more in line with the way NetworkManager is
designed and used by other binary Linux distributions. Basically this
is already supported since the last rework of the networkmanager recipe.
However, the rrecomments from networkmanager to all available plugins is
not straight forward to be used in such a scenario. Installing only a
subset of the compiled plugins required to override the rrecommends
from networkmanager to the plugins in some way. To simplify the usage
the networkmanager package is now an empty meta package and
networkmanager itself gets moved to a new networkmanager-daemon package.
This allows to keep backward compatibility: Installing the
networkmanager package still adds all compiled plugins to the firmware.
But with the new package splitting it's also possible to install for
example only the networkmanager-wifi but not the networkmanager-wwan
package even if networkamanger has been compiled with the modemmanager
PACAKGECONFIG flag enabled as well.
The relation from plugins to services is now a stronger rdepends which
reflects better how NetworkManager is supposed to be used. If a plugin
is installed but the required service is not the plugin periodically
tries to connect to the service and reports error messages to the syslog
if the service is not available. Therefore it's better to make the
installation of the plugin optional but not the installation of the
services.
The bash-completion package adds support for the nmcli command line
utility. This change also moves the bash completion configuration to a
new package networkmanager-nmcli-bash-completion. This is more
consistent anyway but gets even more important when the networkmanager
package gets optional.
To simplify the usage of all these packages a SUMMARY:${PN}-.. for each
packages has been added.
The separation of the doc packages has been removed.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Plugins of networkmanager redpends on related services. If for example
modemmanager or wpa-supplicant is not installed but the related
networkmanager plugin is, the plugin writes error messages to the
syslog.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
This release has EDE support, for extended EDNS error reporting,
it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.
The EDE errors can be turned on by 'ede: yes', it is default disabled.
Validation errors and other errors are then reported. If you also want
stale answers for expired responses to have an error code, the option
'ede-serve-expired: yes' can be used.
Features
- Merge PR #604: Add basic support for EDE (RFC8914).
Bug Fixes
- Fix#412: cache invalidation issue with CNAME+A.
- Fix that TCP interface does not use TLS when TLS is also configured.
- Fix#624: Unable to stop Unbound in Windows console (does not
respond to CTRL+C command).
- Fix#618: enabling interface-automatic disables DNS-over-TLS.
Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
- Fix#628: A rpz-passthru action is not ending RPZ zone processing.
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
- Fix that address not available is squelched from the logs for
udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
ERR_GET_REASON.
- Fix to detect that no IPv6 support means that IPv6 addresses are
useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
- Fix#633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
so that it is not state dependent, after the state fix of #605 for
double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
- Fix#630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
- Fix pythonmod for change in iter_dp_is_useless function prototype.
- Fix compile warnings for printf ll format on mingw compile.
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
to str once, accept trailing dot in the local-zone ipset option.
- Fix#637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
- Fix configure for python to use sysutils, because distutils is
deprecated. It uses sysutils when available, distutils otherwise.
- Merge #644: Make 'install-lib' make target install the pkg-config
file.
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
- Fix to describe auth-zone and other configuration at the local-zone
configuration option, to allow for more broadly view of the options.
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
'unbound-control stats_shm'.
- Fix#651: [FR] Better logging for refused queries.
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
- Fix zonemd check to allow unsupported algorithms to load.
If there are only unsupported algorithms, or unsupported schemes,
and no failed or successful other ZONEMD records, or malformed
or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
check routine, but after malformed checks, to get the correct NULL
output when the digest matches.
- Fix#670: SERVFAIL problems with unbound 1.15.0 running on
OpenBSD 7.1.
- Fix Python build in non-source directory; based on patch by
Michael Tokarev.
- Fix#673: DNS over TLS: error: SSL_handshake syscall: No route to
host.
- Merge #677: Allow using system certificates not only on Windows,
from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
- Fix#417: prefetch and ECS causing cache corruption when used
together.
- Fix#678: [FR] modify behaviour of unbound-control rpz_enable zone,
by updating unbound-control's documentation.
- Fix typos in config_set_option for the 'num-threads' and
'ede-serve-expired' options.
- Fix to silence test for ede error output to the console from the
test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
- Fix#684: [FTBS] configure script error with libmnl on openSUSE 15.3
(and possibly other distributions)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refresh disable-documentation.patch for new version.
Changelog:
Fixes issues detected in 1.11.0, add new fnmatch based filtertype.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix error caused by postinst script of conntrack-tools:
do_rootfs: Postinstall scriptlets of ['conntrack-tools'] have failed...
Configuring ... rootfs//var/lib/opkg/info/conntrack-tools.postinst:
line 2: setcap: command not found
conntrack-tools.postinst returned 127, marking as unpacked only...
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
18 May 2022: babeld-1.12.1
* Implement separate PC values for unicast and multicast, which avoids
dropping packets protected by MAC when WiFi powersave is active.
* Schedule an interface check just after adding an interface.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix error caused by postinst script of conntrack-tools:
| /var/tmp/rpm-tmp.or09Iq: line 4: unexpected EOF while looking for matching `"'
| %post(conntrack-tools-1.4.6-r0.core2_64): waitpid(1173) rc 1173 status 200
| warning: %post(conntrack-tools-1.4.6-r0.core2_64) scriptlet failed, exit status 2
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.3.
New features
Updated the pkcs11 engine for Windows.
Bugfixes
Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
5 May 2022: babeld-1.12
* Implement v4-via-v6 routing (RFC 9229), which allows a router with
IPv4 addresses only to route IPv4.
* Enable extended Netlink acks when available.
* Fix restoring of interface configuration to avoid unbounded memory
consumption.
* Fix handling of deny filters in the install chain.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libcoap implements a lightweight application-protocol for devices that
are constrained their resources such as computing power, RF range,
memory, bandwith, or network packet sizes.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ulogd-2.x provides a flexible, almost universal logging daemon for
netfilter logging. This encompasses both packet-based logging (logging
of policy violations) and flow-based logging, e.g. for accounting
purpose.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add dependency libnm_client_public_dep to libnm-client-test to fix
parallel build error:
| In file included from ../NetworkManager-1.36.0/src/libnm-client-test/nm-test-utils-impl.c:10:
| ../NetworkManager-1.36.0/src/libnm-client-public/NetworkManager.h:47:10: fatal error: nm-enum-types.h: No such file or directory
| 47 | #include "nm-enum-types.h"
| | ^~~~~~~~~~~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With of a bit of pkg shifting to other layers, we can break
the need of this layer to depend on meta-python
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
default baselib in ppc64 is lib64 which catches this latent issue
ERROR: ufw-0.36.1-r0 do_package: QA Issue: ufw: Files/directories were installed but not shipped in any package:
/usr/lib/ufw
/usr/lib/ufw/ufw-init
/usr/lib/ufw/ufw-init-functions
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a parallel build error in separate build directory:
| /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/recipe-sysroot-native/usr/lib/clippy ../git/python/clidef.py -o isisd/isis_cli_clippy.c ../git/isisd/isis_cli.c
| Traceback (most recent call last):
| File "../git/python/clidef.py", line 466, in <module>
| clippy.wrdiff(
| File "/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/git/python/clippy/__init__.py", line 78, in wrdiff
| with open(newname, "w") as out:
| FileNotFoundError: [Errno 2] No such file or directory: 'isisd/isis_cli_clippy.c.new-372541'
| make[1]: Leaving directory '/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/build'
| make[1]: *** [Makefile:17386: isisd/isis_cli_clippy.c] Error 1
This is beacuse clidef.py only creates new file but doesn't check if
parent directory exists. Inherit autotools-brokensep can fix this issue
as these parent directories always exist in source directory.
Also set ac_cv_path_PERL to '/usr/bin/env perl' to avoid path too long.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NTLM authentication uses MD4 algorithm which is considered to be
insecure, and some modern systems may drop MD4 support. This patch
adds an 'ntlm' option to this feature, which is disabled by default.
Upstream-Status: Accepted [1c304e7886]
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
adds support for IPv6 and fixes a couple of bugs.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changes in 1.3.4
----------------
- fix small memory leak in strdup
- fix free in case of DNS lookup failure
- other minor updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The Forwarding Plane Manager support is optional, make it as
PACKAGECONFIG.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixed when multilib is disabled on intel-x86-64:
MULITLIBS = ""
$ bitbake sssd
ERROR: sssd-2.5.2-r0 do_package: QA Issue: sssd: Files/directories were installed but not shipped in any package:
/usr/lib/ldb
/usr/lib64/ldb/modules/ldb/memberof.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
sssd: 2 installed and not shipped files. [installed-vs-shipped]
And also remove bin/ got get a clean rebuild, otherwise, the rebuild result may
be incorrect.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Location of file inside sourcedir fixed but bitbake variable
systemd_unitdir varies depending on usrmerge feature
hence can not be used here
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fix following error:
systemd-analyze --man=false verify /lib/systemd/system/drbd.service
drbd.service: Command /lib/drbd/scripts/drbd is not executable: No such file or directory
* enhancement for usrmerge
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
checking for boost/signals2/signal.hpp... no
configure: error: Unable to find a usable implementation of boost::signals2 (not even our internal copy)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Features
- Fix#596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
- Merge #401: RPZ triggers. This add additional RPZ triggers,
unbound supports a full set of rpz triggers, and this now
includes nsdname, nsip and clientip triggers. Also actions
are fully supported, and this now includes the tcp-only action.
- Merge #519: Support for selective enabling tcp-upstream for
stub/forward zones.
- Merge PR #514, from ziollek: Docker environment for run tests.
- Support using system-wide crypto policies.
- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
location of a different openssl version.
- Merged #41 from Moritz Schneider: made outbound-msg-retry
configurable.
- Implement RFC8375: Special-Use Domain 'home.arpa.'.
- Merge PR #555 from fobser: Allow interface names as scop
Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
- Fix#591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix#596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix#598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
owner.
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
- Fix#610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix#588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix#599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
- Add test tool readzone to .gitignore.
- Merge #521: Update mini_event.c.
- Merge #523: fix: free() call more than once with the same pointer.
- For #519: note stub-tcp-upstream and forward-tcp-upstream in
the example configuration file.
- For #519: yacc and lex. And fix python bindings, and test program
unbound-dnstap-socket.
- For #519: fix comments for doxygen.
- Fix to print error from unbound-anchor for writing to the key
file, also when not verbose.
- For #514: generate configure.
- Fix for #431: Squelch permission denied errors for udp connect,
and udp send, they are visible at higher verbosity settings.
- Fix zonemd verification of key that is not in DNS but in the zone
and needs a chain of trust.
- zonemd, fix order of bogus printout string manipulation.
- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
static.
- Fix#527: not sending quad9 cert to syslog (and may be more).
- Fix sed script in ssldir split handling.
- Fix#529: Fix: log_assert does nothing if UNBOUND_DEBUG is
undefined.
- Fix#531: Fix: passed to proc after free.
- Fix#536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
to insert into RPZ.
- Fix the stream wait stream_wait_count_lock and http2 buffer locks
setup and desetup from race condition.
- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
zone does not find the zone. Readlock the clientip that is found
for ipbased triggers. Unlock the nsdname zone lock when done.
Unlock zone and ip in rpz nsip and nsdname callback. Unlock
authzone and localzone if clientip found in rpz worker call.
- Fix compile warning in libunbound for listen desetup routine.
- Fix asynclook unit test for setup of lockchecks before log.
- Fix#533: Negative responses get cached even when setting
cache-max-negative-ttl: 1
- Fix tcp fastopen failure when disabled, try normal connect instead.
- Fix#538: Fix subnetcache statistics.
- Small fixes for #41: changelog, conflicts resolved,
processQueryResponse takes an iterator env argument like other
functions in the iterator, no colon in string for set_option,
and some whitespace style, to make it similar to the rest.
- Fix for #41: change outbound retry to int to fix signed comparison
warnings.
- Fix root_anchor test to check with new icannbundle date.
- Fix initialisation errors reported by gcc sanitizer.
- Fix lock debug code for gcc sanitizer reports.
- Fix more initialisation errors reported by gcc sanitizer.
- Fix crosscompile on windows to work with openssl 3.0.0 the
link with ws2_32 needs -l:libssp.a for __strcpy_chk.
Also copy results from lib64 directory if needed.
- For crosscompile on windows, detect 64bit stackprotector library.
- Fix crosscompile shell syntax.
- Fix crosscompile windows to use libssp when it exists.
- For the windows compile script disable gost.
- Fix that on windows, use BIO_set_callback_ex instead of deprecated
BIO_set_callback.
- Fix crosscompile script for the shared build flags.
- Fix to add example.conf note for outbound-msg-retry.
- Fix chaos replies to have truncation for short message lengths,
or long reply strings.
- Fix to protect custom regional create against small values.
- Fix#552: Unbound assumes index.html exists on RPZ host.
- Fix that forward-zone name is documented as the full name of the
zone. It is not relative but a fully qualified domain name.
- Fix analyzer review failure in rpz action override code to not
crash on unlocking the local zone lock.
- Fix to remove unused code from rpz resolve client and action
function.
- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
reclaimed more than once during callbacks.
- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
- Improve EDNS option handling, now also works for synthesised
responses such as local-data and server.id CH TXT responses.
- Merge PR #570 from rex4539: Fix typos.
- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
- Fix to make python module opt_list use opt_list_in.
- Fix#574: unbound-checkconf reports fatal error if interface names
are used as value for interfaces:
- Fix#574: Review fixes for it.
- Fix#576: [FR] UB_* error codes in unbound.h
- Fix#574: Review fix for spelling.
- Fix to remove git tracking and ci information from release tarballs.
- iana portlist update.
- Merge PR #511 from yan12125: Reduce unnecessary linking.
- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
- Merge PR #562 from Willem: Reset keepalive per new tcp session.
- Merge PR #522 from sibeream: memory management violations fixed.
- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
- Fix#454: listen_dnsport.c:825: error: 'IPV6_TCLASS' undeclared.
- Fix#574: Review fixes for size allocation.
- Fix doc/unbound.doxygen to remove obsolete tag warning.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
### Changes
- Revert extraction of version from GIT tag. Incompatible with systems
that do 'autoreconf' on a dist. tarball
### Fixes
- Fix#175: Parse error in '/etc/smcroute.conf'. SMCRoute fails to
start on interfaces with 'mrdisc' disabled, when built with mrdisc
support and '-N' passed on command line
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a bugfix release of the Samba 4.14 release series.
ChangeLog:
https://www.samba.org/samba/history/samba-4.14.13.html
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Note that (like for nftables itself), the ptests will require the
following added to local.conf (or the kernel configuration):
KERNEL_FEATURES:append = " features/nf_tables/nf_tables.scc"
Current pass/fail results:
I: results: [OK] 271 [FAILED] 29 [TOTAL] 300
I've been investigating the failing tests under the assumption that they
fail because of missing kernel modules, but there are some that suggest
syntax problems (possibly problems with the tests themselves). Example:
W: [FAILED] ./tests/shell/testcases/listing/0020flowtable_0: got 1
/dev/stdin:2:12-12: Error: Could not process rule: No such file or
directory
flowtable f {
^
/dev/stdin:6:11-12: Error: Could not process rule: No such file or
directory
flowtable f2 {
^^
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
FRRouting (FRR) is a free and open source Internet routing protocol
suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS,
PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for
EIGRP and NHRP.
FRRouting is a fork of Quagga. The main git lives on
https://github.com/frrouting/frr.git
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Dropped patch which is merged upstream:
0001-v84-Make-setup_options-definitions-as-extern.patch
Refreshed patch:
0001-drbd-utils-support-usrmerge.patch
The compiled binaries are not linked to LDFLAGS options provided
by the build system cause QA issue:
do_package_qa: QA Issue: File /usr/sbin/drbdmon in package
drbd-utils doesn't have GNU_HASH (didn't pass LDFLAGS?)
Add LDFLAGS when linking drmdmon binary.
Suppress new Clang warning -Wdefaulted-function-deleted and -Wunused-private-field
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
No need to put the pressure of this also on Khem. I am actively working
on this for Oniro and will support this work also upstream here.
Signed-off-by: Stefan Schmidt <stefan.schmidt@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Wpantund is part of the OpenThread project. It is used in a scenario
where the Thread radio operates as a network co-processor (NCP) that is
connected over SPI/UART/USB to the host.
The project itself is in maintenance-only mode right now as the NCP
architecture has been replaced with radio co-processor (RCP) which is
implemented directly in openthread and ot-br-posix. None the less there
might still be project and products out there using it.
Signed-off-by: Stefan Schmidt <stefan.schmidt@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The OpenThread daemon allows Linuxes devices to participate in a Thread
mesh network without acting as a full border router. The device
participates like any other child or router devices within the network.
This same repo is used for range of different modes to run the
OpenThread code. From bare metal over vendor SDKs to posix platforms.
For this recipe the focus is on the Linux posix implementation and we do
not pull in all the git submodules on purpose.
There are openthread enabled recipes in meta-zephyr for people who want
to also use OpenThread on MCU based platforms on top of Zephyr.
Signed-off-by: Stefan Schmidt <stefan.schmidt@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The OpenThread project is an open source implementation of the Thread
low-power mesh network protocol. In a Thread network devices can have
different roles, and of of these roles is a Border Router that allows a
Thread network to be connected with other IP networks.
Ot-br-posix runs as a systemd service on a standard Linux system to
handle the connection to a Thread network.
In terms of patches we need a fix to allow building on musl + clang
(CMSG_NXTHDR macro triggers a -Wsign-compare warning) and a systemd
unit file change is OE specific and avoids having service dependencies
implemented as pre exec hooks.
Signed-off-by: Stefan Schmidt <stefan.schmidt@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Patch for CVE-2018-1050 is applied in version 4.5.15, 4.6.13, 4.7.5.
Patch for CVE-2018-1057 is applied in version 4.3.13, 4.4.16.
Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The blueman is relying on host python to determine the target
python site-packages directory which is not correct. Add a new
option to fix this issue.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Backport a patch to fix the segfault with swanctl:
$ /usr/sbin/charon-systemd &
$ /usr/sbin/swanctl --load-all --noprompt
no files found matching '/etc/swanctl/conf.d/*.conf'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded
Segmentation fault
* Drop fix-funtion-parameter.patch and
0001-memory.h-Include-stdint.h-for-uintptr_t.patch as the issues have
been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License checksum changed due to copyright year update. The license is
GPLv2+ with an OpenSSL exception.
Switch fetch from ftp to https. This works better with proxies that
frequently block traffic like ftp.
stunnel added bash completion support in version 5.62, use the class to
package the files properly.
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: The ISC DHCP is licensed under the Mozilla Public
License, MPL 2.0 rather than ISC License now[1][2].
[1] https://www.isc.org/licenses/
[2] https://downloads.isc.org/isc/dhcp/4.4.3/dhcp-4.4.3-RELNOTES
The bundled BIND has been updated to 9.11.36. We don't need to download
it from external anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://www.postfix.org/announcements/postfix-3.6.5.html
* Drop 0006-correct-signature-of-closefrom-API.patch as the issue has
been fixed upstream.
* Update main.cf to eliminate startup warning:
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport a patch to fix build error:
../../nftables-1.0.2/examples/nft-buffer.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
3 | #include <nftables/libnftables.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Liense-Update : year updated to 2022.
Changelog:
=========
GitHub Actions: update script to same version as master
update copyright year to 2022
keyingmaterialexporter.c: include strings.h
remove unused sitnl.h file
sample-plugin: New plugin for testing multiple auth plugins
plug-ins: Disallow multiple deferred authentication plug-ins
doc/Makefile: rebuild rst docs if input files change
doc/options: clean up documentation for --proto and related options
fix Changes.rst errors in 2.5.3 and 2.5.5 announcement
Repair --inactive with 'bytes' argument larger 2Gbytes.
Fix --mtu-disc maybe|yes on Linux.
Preparing release 2.5.6
CI: github actions: keep "pdb" in artifacts
auth_token.c: add NULL initialization
vcpkg-ports/pkcs11-helper: bump to release 1.28
vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
msvc: cleanup
vcpkg: link lzo statically
vcpkg-ports/pkcs11-helper: adapt to new upstream URL
vcpkg-ports: add openssl 1.1.1n
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
LIBDIR is otherwise hardcoded to PREFIX/lib which is not correct for all
platforms. define PLATFORM explicitly, otherwise it pokes at build
system for it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport a patch to fix the parallel build failure:
src/dbus.c:17:10: fatal error: _features.h: No such file or directory
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- core: set again TLS verification functions after options
weechat.network.gnutls_ca_system and weechat.network.gnutls_ca_user
are changed
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-do-not-ask-host-for-ifcfg-defaults.patch refreshed for new version
Changelog:
==========
* When the list of plugins is not specified via "main.plugins" in
NetworkManager.conf and no build-time default is set with
"--with-config-plugins-default" configure argument, now all known
plugins found in the plugin directory are loaded (and the built-in
"keyfile" plugin is preferred over others).
* Preserve external ports during checkpoint rollback
* Fix removal of ovsdb entry when an OVS interface goes away
* Fix DNS configuration for WWAN connections
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Gtk4 version of the editor plugin is now available (for use with Control
Center of GNOME 42 or later).
* Update Catalan, Croatian, Czech, Hebrew and Slovenian translations.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These variables are no longer used by pip_install_wheel, so remove them
from all recipes that set them.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Rebuilding net-snmp may cause autotools_preconfigure() to run `make
clean`, which in turn can cause `configure`to be run. However, since
CACHED_CONFIGUREVARS is not set under those circumstances, `configure`
will run with an incorrect configuration and the build will fail with:
checking for /etc/printcap... configure: error: cannot check for
file existence when cross compiling
Avoid the problem by setting CLEANBROKEN = "1".
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix installed-vs-shipped error of networkmanager:
| ERROR: networkmanager-1.36.0-r0 do_package: QA Issue: networkmanager:
Files/directories were installed but not shipped in any package:
| /usr/lib/firewalld
| /usr/lib/firewalld/zones
| /usr/lib/firewalld/zones/nm-shared.xml
| Please set FILES such that these items are packaged. Alternatively if they
are unneeded, avoid installing them or delete them with in do_install.
| networkmanager: 3 installed and not shipped files. [installed-vs-shipped]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This package has a traditional setup.py which has a custom install command,
which isn't supported with the modern wheel/pip installation method.
Until upstream has moved away from distutils, use setuptools_legacy so
the installation is correct.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NetworkManager should only be licensed under LGPL 2.1 or higher. But as far as
I understand, the process is not finished yet and some codes are still under
GPL-2.0.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/RELICENSE.md
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since libesmtp-1.1.0, libesmtp-config is removed, use pkg-config to
check for existence instead.
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Allow to compile nmcli with libedit (alternative to gplv3 readline)
- Support iwd as well as wpa-supplicant for wifi
- Make vala build-time dependency optional
- Split all plugins into packages. By default all packages are installed
acc. to features in the PACKAGECONFIG but it's now possible to build
images where only some plugins are installed.
- Move FILES:networkmanager to last position to increase the FILES
priority of other packages.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Switch to meson build-system
- Removed 0003-install-firewalld-to-var-libdir-rather-than-hardcod-.patch
nm-shared.xml gets installed into /usr/lib/firewalld/zones where also
firewalld installs its xml files. Not 100% sure this is as it was
before but it seams to be consistent with firewalld.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Forward port 0002-add-an-option-to-specify-iptables-location.patch
Use distutils3, since it still needs it [1]
[1] https://git.launchpad.net/ufw/tree/setup.py#n28
Signed-off-by: Khem Raj <raj.khem@gmail.com>
