There is currently no recipe for bluez4 in openembedded-core.
BlueZ 4 hasn't had any updates/support since it's last point release 4.101 back
in 2012.
(From OE-Core rev: d2de6ae13cbd3f4ade218037ebcfd55d86961a5a)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set the permissions of /var/run/kea to 750 to fix kea server startup
error:
ERROR [kea-dhcp4.dhcp4/445.140718820303936] DHCP4_INIT_FAIL failed to
initialize Kea server: configuration error using file
'/etc/kea/kea-dhcp4.conf': 'socket-name' is invalid: socket
path:/var/run/kea does not exist or does not have permssions = 750
This permission check was introduced by commit[1] in kea 2.6.3.
[1] 43bba7799f
(From OE-Core rev: 7254a27cdf16a51b5247585d417f2e6afaf84b76)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since d1b29222 ("openssl-native(sdk): poision built in paths") the
workaround for host path contamination in native(sdk) openssl is fixed.
But an unfortunate side-effect of forcing the directory variables
(OPENSSLDIR, ENGINESDIR, MODULESDIR) to be invalid is that it renders
the generated native pkg-config file (libcrypto.pc) unusable:
[..]
includedir=${prefix}/include
enginesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin
modulesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin
Name: OpenSSL-libcrypto
[..]
This will prevent other native tools (like libp11-native) from
installing their (.so) files into valid OpenSSL directories.
The strange paths are a result of OpenSSL's build system attempting to
resolve the dummy path "/not/builtin" relative to ${libdir} for
libcrypto.pc.in:
| enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR[0] -}
There doesn't appear to be a straightforward way to avoid embedding a
built-in host path while still generating a valid libcrypto.pc file.
This workaround now post-fixes the .pc files for openssl-native by using
two sed calls to replace the invalid paths with the valid ones.
(To prevent bitbake from early expanding the libdir variables, use a
group as a simple hack.)
(From OE-Core rev: 4d4af8d1cb272369eb4ddcc489e90831c9c2c8c7)
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enhance security by limiting read access for /etc/sshd_config to user root as it
may reveal unsecure configurations.
Reading access is limited in the install append as the default value 0644 is
hardcoded in the openssh makefile and is not configurable. Therefore the
permissions are modified in the install append.
(From OE-Core rev: 99c09d29d56cb98f749c2283b5b800de9af98745)
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some of them were introduced by mass-removal of S = WORKDIR/git assignments;
rather than try to fix up (or redo) just these, I've run this sed command over
the whole tree:
sed -i -z -E 's/([ \t\f\v\r]*\n){3,}/\n\n/g' `find . -name *.bb -o -name *.inc`
The rationale is that more than one empty line is wasting vertical screen space, and
does nothing for readability.
(From OE-Core rev: cedc4ff7c9bcfb22a20e43e47f9759f4007a4f1a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is no need to have two assignments; also setting S from
UNPACKDIR (and not vice versa) is more logical as unpack
task comes first, and tasks that come after unpack use S to access
unpack results.
Also adjust reference test data in selftest/recipeutils to reflect changes in test recipes.
(From OE-Core rev: f64b7e5fb3181734c8dde87b27e872a026261a74)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removing all the S = ${WORKDIR}/git assignments works because BB_GIT_DEFAULT_DESTSUFFIX
is set to match S from bitbake.conf (which itself is set to match typical tarball
releases).
A few recipes are setting S to a sub-directory of the git tree and need
to be adjusted accordingly.
bzip2 recipe is fetching a tarball and separately cloning tests;
adjust the recipe to put the latter into 'bzip2-tests', instead of 'git'.
devupstream.bbclass no longer needs to rewrite S, and is adjusted accordingly.
Adjust scripts/lib/recipetool/append.py to not hardcode 'git' as unpack
destination.
Adjust kernel-yocto.bbclass to use the git unpack variable instead
of hardcoding 'git' (there's also removal of repetition of
string constants and a correction of workdir/unpackdir mismatch in
one of the if-else branches).
Ensure build-appliance-image recipe does not use 'git' as checkout directory for
poky repo, but rather explicitly name it 'poky'.
Ensure reproducible.py code that looks for git repositories does not
hardcode 'git' but uses the destination set by BB_GIT_DEFAULT_DESTSUFFIX.
Ensure recipetool does not write out unneeded S settings into newly
created recipes that fetch from git.
Adjust selftest to not hardcode 'git' as unpack directory.
(From OE-Core rev: f80c07019ddadaf9c5fb890faabfda7920ecd15e)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
Fix issue with handling BAP and removal of PAC.
Fix issue with handling SID for broadcast receiver.
Fix issue with handling HSP/HFP reconnection policy.
Fix issue with handling cable pairing and Sixaxis controllers.
Fix issue with handling virtual cable unplug for HID devices.
Fix issue with handling service records for HID devices.
Add support for AVDTP and TX timestamps.
Full changelog:
https://github.com/bluez/bluez/compare/5.82...5.83
(From OE-Core rev: 83d217503d565ba60dcec9382afb828deefa962b)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A recipe that fetches from git but is otherwise a released version
should not be using _git.bb recipe names.
Put the version in the filename and drop the explicit PV.
(From OE-Core rev: 9ffe55ae643fb606a8bec7e6ec7d15ca95cf9e2d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Only the ${B} part should be trimmed, not what follows
(which is subject to change, depending on where the sources are).
(From OE-Core rev: 1e3fc9b7592956af9bd93e0a077c5b9f3fd9ca2e)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit bec0cfc9b215 ("connman: Set dns-backend automatically") introduced
support for using systemd-resolved as the DNS backend. However,
connman's resolv.conf was assigned a higher update-alternatives
priority. This caused connman's configuration to override
systemd-resolved, resulting in a broken DNS setup.
/etc/resolv.conf -> /etc/resolv-conf.connman
This commit corrects the issue by lowering the priority for connman's
resolv.conf when systemd-resolved is enabled, ensuring it acts as
a fallback. The higher priority is now only applied when
systemd-resolved is not used.
Fixes: bec0cfc9b215 ("connman: Set dns-backend automatically")
(From OE-Core rev: bea9ea64820a86c4d01671087b706beca1ccdf26)
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Overview of changes in bind 9.20.9
==================================
Security Fixes:
1. Prevent an assertion failure when processing TSIG algorithm.
2. DNS messages that included a Transaction Signature (TSIG) containing
an invalid value in the algorithm field caused named to crash with an
assertion failure. This has been fixed. (CVE-2025-40775) [GL #5300]
For additional feature changes and bug fixes, please see:
https://downloads.isc.org/isc/bind9/9.20.9/doc/arm/html/notes.html#notes-for-bind-9-20-9
(From OE-Core rev: c9d59ba50a102ace907779612e74646dec133271)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since Linux v2.4 it has been possible to stop all NFS server by running
rpc.nfsd 0
i.e. by requesting that zero threads be running. This is preferred as
it doesn't risk killing some other process which happens to be called
"nfsd".
Since Linux v6.6 - and other stable kernels to which
Commit: 390390240145 ("nfsd: don't allow nfsd threads to be
signalled.")
has been backported - sending a signal no longer works to stop nfs server
threads.
This patch changes the nfsserver script to use "rpc.nfsd 0" to stop
server threads.
(From OE-Core rev: 7b09ad289a36e388ee4244b574ed32b66b654286)
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
(From OE-Core rev: 548eddd84f23c6cb0352b9a692144050da8ba37a)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix sshd by ensuring the agent daemon is included.
Internally, this release is versioned as 10.0p2 but upstream don't plan to
change this or re-release.
(From OE-Core rev: 2a4dd93e98ca9e61644213aa00c1cb837fb27316)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
config file fipsmodule.cnf is created on target. This is because we
should not use the same fipsmodule.cnf on different machines.
The 'openssl fipsinstall' commandline in pkg_postinst_ontarget will do
the following things:
1. Run the FIPS module self tests on target.
2. Generate config file fipsmodule.conf containing information about
the FIPS module such as the calculated MAC of the module.
(From OE-Core rev: 29979937e2d40885e7e91bb9a7e7dca6763e3d52)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
* win: fix leak in uv_os_tmpdir
* docs: fix RTD build
* win: lazy-load [GS]etThreadDescription symbols
* linux: try preadv64/pwritev64 before preadv/pwritev
* win: check cwd length before spawning a child process
* macos,bsd: handle missing /dev/null in chroot env
* doc: fix README link text
* win: fix order of FILE_STAT_BASIC_INFORMATION struct fields
* macos: increase child process stdio buffer size
* doc: add C3 bindings to LINKS.md
* unix: remove unnecessary errno.h include in poll.c
* win: fix the inconsistency in volume serial number
* unix: add thread affinity support on openharmony
* unix: enable getrusage for SunOS
* unix,win: accept NAN/INFINITY as file timestamps
* win: add ENABLE_VIRTUAL_TERMINAL_INPUT raw tty mode
* test: handle UV_ENOTSUP in platform_output
* doc: fix rendering of threading.html
* unix,sunos: enable use of sendmmsg on Solaris and Illumos
* unix: handle out of memory in iface name copy
* openbsd: do not error out if cpuspeed is not available
* test: skip thread_name_threadpool on AIX/IBMi
* aix,ibmi: fix undeclared identifiers
* unix,sunos: prefer SO_REUSEPORT for load balancing
* doc: free lib pointer before function return
* test: link with libm
* style: rename parameter to match definition
* test: support partial output lines in test runner
* build: switch from c90 to c11
* linux: allow nul bytes in abstract socket address
* sunos: use pipe2 on solaris and illumos
* unix: remove TOCTOU issues from uv_pipe_chmod
* unix: use pipe_fname if getsockname returns nothing
* haiku: use uint32 instead of uint32_t
* doc: update thread pool stack size comment
* unix: improve uv_loop_init OOM handling
* test: merge uv_tcp_connect callbacks
* test: skip multievent tests on macOS with TSAN enabled
* linux: align CPU quota calculation with Rust
* kqueue: improve fs event watcher OOM handling
* sunos: improve fs event watcher OOM handling
* build: shorten instructions for cmake build
(From OE-Core rev: d79b2a4cfcc439d430790500d46ad8966502e7b6)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
(From OE-Core rev: 610056dccc7144a70bcf69aec720b44bc7de7557)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 8a7ec52e9b35654bee48cd948c6c34c63db3e265)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
connman supports systemd-resolved as a resolver, select it automatically when
DISTRO_FEATURES includes systemd-resolved support, then drop the patch which
disables connman when systemd-resolved is active.
(From OE-Core rev: bec0cfc9b21566348886a8122c9b0756539b416d)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Only one of iptables or nftables can be specified, mark them mutually
incompatible. Drop the RDEPENDS on iptables from PACKAGECONFIG as its
libraries are automatically discovered on the main package, with only the
scripts required as part of iptables/ip6tables-test.
(From OE-Core rev: fa6772414b065f3f5481e328f182eecc971d2605)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set the paths for iptables/ip6tables so that they are correct for the target
install and not discovered on the host filesystem.
(From OE-Core rev: aa60cc7e65d3964d6eedea97246f1ebc24fe66e2)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Depending on what set of PACKAGECONFIG options you have, ${sysconfdir} may not
have been created.
(From OE-Core rev: ac582cb1f2b5b75695b69b07925257c335a76861)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We have ${runtimedir} for /run, use it here.
(From OE-Core rev: 0e505e1cc48132cfaab18120666abee34d185a6c)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 9d8ebfcd55ad274e79cb81f162397c8f39f4287b)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The now-removed patch was added for clang compatibility, but over time
started fixing problems that do not exist, and got its description
to mismatch the content.
The new patch is fixing the only problem with clang that still
occurs. I verified that all files that were patched before still
build without errors.
If you find other issues (this would be with non-default
options probably), please fix them similarly.
(From OE-Core rev: 6b8bd203180375a6b97345ddaa5fef7f68219ea6)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The issue is no longer present. Tested BlueZ 5.80 and 5.82
The issue has likely been gone for quite a while.
(From OE-Core rev: 87ab9c39c497c2a8b558e8d6ce673a931a5887b2)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
Fix issue with handling BAP state transitions.
Fix issue with handling D-Bus interface removal.
Fix issue with handling MAP and supported features.
Fix issue with handling SDP record for Phonebook Access Client.
Fix issue with handling AVRCP PDU parameters length mismatch.
Fix issue with handling AVRCP PDU for SetAbsoluteVolume.
Fix issue with handling AVDTP bad media transport format.
Fix issue with handling support for LL Privacy setting.
Full Changelog: https://github.com/bluez/bluez/compare/5.80...5.82
(From OE-Core rev: f42ee87abcfca80a803bf44fb91b41f29a2c7d70)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ppp is only required by connman when building the L2TP or PPTP plugins. Move it
from DEPENDS to PACKAGECONFIG so it's only there when required.
(From OE-Core rev: c65180bb677d8dae1992445cd378119d8cbed424)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gold is no longer built/supported. The workaround for binutils on MIPS no
longer appears to be required.
Also fix up tabs/whitespace in shell functions, correct HOMEPAGE, drop broken
BUGTRACKER link.
(From OE-Core rev: 5c269ba9a396832af3f8139ecaa0cfd9f7d4d1b5)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
No functional changes.
(From OE-Core rev: dc0540aaad680b495c5e51f3926db26028c00a42)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
