Overview of changes in bind 9.20.9
==================================
Security Fixes:
1. Prevent an assertion failure when processing TSIG algorithm.
2. DNS messages that included a Transaction Signature (TSIG) containing
an invalid value in the algorithm field caused named to crash with an
assertion failure. This has been fixed. (CVE-2025-40775) [GL #5300]
For additional feature changes and bug fixes, please see:
https://downloads.isc.org/isc/bind9/9.20.9/doc/arm/html/notes.html#notes-for-bind-9-20-9
(From OE-Core rev: c9d59ba50a102ace907779612e74646dec133271)
(From OE-Core rev: 8131a878c2d3c5e8b48a1b33a70f8eae90d3e5ca)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since Linux v2.4 it has been possible to stop all NFS server by running
rpc.nfsd 0
i.e. by requesting that zero threads be running. This is preferred as
it doesn't risk killing some other process which happens to be called
"nfsd".
Since Linux v6.6 - and other stable kernels to which
Commit: 390390240145 ("nfsd: don't allow nfsd threads to be
signalled.")
has been backported - sending a signal no longer works to stop nfs server
threads.
This patch changes the nfsserver script to use "rpc.nfsd 0" to stop
server threads.
(From OE-Core rev: b530827b938bcae33da08b65bab96d2549056f2e)
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7b09ad289a36)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the
documentation stating that it disables X11 and agent forwarding.
(From OE-Core rev: fff41e824bb56d4879c65d6dec3605fabb406071)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
(From OE-Core rev: 1c908b1c44a006b6707a1f0da59781a6750cf8ce)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0d5f241eee19c0dff9f9f59949485414935edaa2)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5c915fcada5868bdbb8aa3e28c18a26cfc41914f)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This change will prevent these tools from being installed if the image doesn't install bluez5-noinst-tools package.
BlueZ 5.66: tools/mesh-tester
BlueZ 5.66: tools/ioctl-tester
BlueZ 5.65: tools/iso-tester
BlueZ 5.56: tools/btpclientctl
BlueZ 5.51: tools/bcmfw
BlueZ 5.49: tools/rtlfw
BlueZ 5.47: tools/btconfig (not a new tool, but it was moved from bin_PROGRAMS to noinst_PROGRAMS)
(From OE-Core rev: 5f7c43913812bcb80d6dba67da3fc62a8efecfb8)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
(From OE-Core rev: 61610f57c6b9ee2b6002decc037db049e9ddfe51)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
iproute2 detects presence of iptables during building and can also
be built without it. Add PACKAGECONFIG option which allows user to
optionally leave it out, and enable it by default to keep current
recipe behavior.
(From OE-Core rev: 07ddaeaacaab4c3e264816dea6de32378617bf4e)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Honor WIRELESS_DAEMON when wifi is enable for DISTRO_FEATURE.
(From OE-Core rev: 86b408919d9506b6f1ba69c96f1bc6212e724bbc)
Signed-off-by: João Henrique Ferreira de Freitas <joaohf@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GCC-15 patch is not sufficient when shadow is enabled, therefore fix
the remaining issues.
(From OE-Core rev: 9143b23cecb505f130f86b03039c6c0aba5dcc2b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gcc-15 switched to -std=c23 by default:
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=55e3bd376b2214e200fa76d12b67ff259b06c212
As a result `bluez` fails the build as:
src/shared/ad.c:1090:24: error: incompatible types when returning type '_Bool' but 'const char *' was expected
1090 | return false;
| ^~~~~
(From OE-Core rev: 5afef9ba63364c6c93c8a1359020f038d06881fa)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are conflict of config files between kea and lib32-kea:
| Error: Transaction test error:
| file /etc/kea/kea-dhcp6.conf conflicts between attempted installs of lib32-kea-2.6.1-r0.core2_32 and kea-2.6. 1-r0.core2_64
Similar to:
| 8cc65e7eb0 kea: fix conflict between multilibs
(From OE-Core rev: 0fe8ec57f19d79e94f02e3c710a1b76c04b34143)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ppp-2.5.2 tarball ships a generated header with various
configuration settigns that takes precedence over the same
header generated into the build directory during the actual build.
This resulted in various linking fails that were worked around
by enabling multilink in 2.5.2 version update. The correct fix
that removes all contamination is to remove the bogus header first.
(From OE-Core rev: 87863ce4530cf08fd28b1bde13e3f7142001b54d)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This recipe has a configure script that isn't actually autoconf but
tries hard to look like it is. Instead of trying to run autoreconf,
change do_configure to just run the configure script directly.
(From OE-Core rev: e80d2ec5cda1121ba6b3d299fb2e79c194c7f30e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: Copyright years change only
Drop a backported patch
(From OE-Core rev: 718e4efa4f6f595b17e2438a15fc57c2c88ae9f1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GCC uses C23 standard by default which does not allow
K&R style declarations
(From OE-Core rev: acc41d7f912bf9d3ee142a02d0b64cf9ff6f226e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Current dhcpcd (version 10.1.0) service crashes on the WiFi (wlan0)
interface with the following error:
"ps_seccomp_violation: unexpected syscall 135"
This update pulls in fix#421 for dhcpcd 10.1.0 to address this issue.
(From OE-Core rev: 2bb20f49ada56f1c7707565e475051174feba945)
Signed-off-by: Balaji Pothunoori <quic_bpothuno@quicinc.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
New Features
--------------
- Adds support for EDE code 1 and 2.
- Add a rndc command to toggle jemalloc profiling.
- Add support for multiple extended DNS errors.
- Print the expiration time of the stale records.
Feature Changes
---------------
- Refactor reference counting in both QPDB and RBTDB.
- Shutdown the fetch context after canceling the last fetch.
Bug Fixes
----------
- Fix possible truncation in dns_keymgr_status()
- Recently expired records could be returned with timestamp in future.
- Yaml string not terminated in negative response in delv.
- Fix a bug in dnssec-signzone related to keys being offline.
- Apply the memory limit only to ADB database items.
- Avoid unnecessary locking in the zone/cache database.
- Fix EDE 22 time out detection.
- Split and simplify the use of EDE list implementation.
- Fix the cache findzonecut() implementation.
- DNSSEC EDE system tests on FIPS platform.
- Reduce the false sharing the dns_qpcache and dns_qpzone.
(From OE-Core rev: 1394e8befb305106695c91e2fe16c55483bf467f)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Long ago, in the OpenSSL 1.1 days changing CFLAGS worked to override
hard-coded paths in the OpenSSL libraries. Even as far back as
kirkstone this was no longer working.
Override make variables instead to poision the paths that get built
into the native (and nativesdk) libraries so they become relocatable
again.
While here, remove the -isystem<foo> compiler argument from the compiler
command line stored in the library, just like we already remove the
prefix-map and sysroot arguments.
(From OE-Core rev: d1b29222ad6243c15275a04f9de5989cf158cb2e)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The location of rpc.statd is /usr/sbin instead of /sbin.
(From OE-Core rev: 19494e414429b74d2a15b32f21b1b3067d3a41b2)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When using openssl with some pkcs#11 plugin module, one (usually)
needs to set the OPENSSL_CONF environment variable
appropriately, and e.g. invoke openssl as
openssl dgst -engine pkcs11 -keyform engine ...
However, when putting that logic in a bitbake recipe and depending on
openssl-native (and the recipe providing the pkcs#11 engine and the
associated configuration file), the value of OPENSSL_CONF is
unconditionally overridden by the wrapper script.
If openssl was invoked directly in the task function, I could probably
call "openssl.real" instead, but then I miss the proper settings of
the other four variables, which I'd then also have to repeat in my
recipe. Moreover, sometimes openssl is only called via some helper
script (for example rpi-eeprom-digest for signing bootloader images
for RPi), and it's not reasonable to patch every such script to call
openssl.real.
So rewrite the wrapper such that if a variable is already set in the
environment before openssl is invoked, preserve its value.
(From OE-Core rev: 5582ec9d3a21c546b799d2f6d4928f5e1d19eb0a)
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A long time ago, the environment.d-openssl.sh file was shared between
openssl 1.0 and openssl 1.1 recipes, and sed was used to make the path
right for the 1.1 version. Nowadays, with only a single recipe, this
is a bit roundabout, so just use the proper path in the file directly.
(From OE-Core rev: 291fe7db623b0974e7831e908e91b1f1259e0506)
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bulk of these recipes used acpaths to work around argument list
limits as we passed the full path to every directory. As this behaviour
no longer happens we can remove these workarounds.
(From OE-Core rev: c4336f1b0da981b3ea396b17779b67898bceccef)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
According to [1]:
2025-02-21: Socat version 1.8.0.3 has been released. It fixes a lot of minor
issues and provides some minor improvements, see file CHANGES [2]. The
experimental POSIXMQ feature has been improved, got a few new options,
and is now considered stable.
License in README has no change
[1] http://www.dest-unreach.org/socat/
[2] http://www.dest-unreach.org/socat/CHANGES:
(From OE-Core rev: 650e9b72ded376ef5974cb7a71ade00a93e4612f)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When kea is built with "-D_GLIBCXX_ASSERTIONS " set in SECURITY_CFLAGS,
an assertion occurs if the kea server receives an empty DHCPDISCOVER
packet:
kea-dhcp4[596]: /usr/include/c++/13.3.0/bits/stl_vector.h:1128:
std::vector<Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type)
[with _Tp = unsigned char; _Alloc = std::allocator<unsigned char>; reference = unsigned char&;
size_type = long unsigned int]: Assertion '_n < this->size()' failed.
Backport patches to fix this issue[1].
[1] 0b98eae16d16306026e3
(From OE-Core rev: 17c67a47ec9c6e90a339f32c35f80ca4c908a254)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the location of the log lock file is changed using the environment
variable KEA_LOCKFILE_DIR, the kea-dhcp process will work properly, but
the lfc (lease file cleanup) process spawned by it will not inherit this
value and use the default path[1], which will cause the kea server to
print the following message when running:
kea-dhcp4[6767]: Unable to use interprocess sync lockfile (No such file or directory): /var/run/kea/logger_lockfile
Backport a patch to fix this issue[2].
[1] https://gitlab.isc.org/isc-projects/kea/-/issues/3450
[2] f477e8ebcc
(From OE-Core rev: 34f1392aef4d5fa402600b21f6d7a47cd735cfd4)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since version 1.49.2:
==============================
* ci: run macOS and iOS tests also on macOS 14
* unix,win: map ENOEXEC errno
* test: skip multicast join test on ENOEXEC
* ci: make sure the macOS firewall is disabled
* darwin,test: squelch EBUSY error on multicast join
* build: update minimum cmake to 3.10
* kqueue: use EVFILT_USER for async if available
* unix,win: fix off-by-one in uv_wtf8_to_utf16()
* doc: add scala-native-loop to LINKS.md
* unix: fix build breakage on haiku, openbsd, etc
* kqueue: lower overhead in uv__io_check_fd
* doc: move cjihrig back to active maintainers
* build(deps): bump actions/checkout from 3 to 4
* unix,pipe: fix handling null buffer in uv_pipe_get{sock,peer}name
* unix,win: harmonize buffer checking
* unix,win: add support for detached threads
* src: add uv_thread_set/getname() methods
* build: fix qemu builds
* win: drop support for windows 8
* linux: fix uv_cpu_info() arm cpu model detection
* linux: always use io_uring for epoll batching
* doc: clarify repeating timer behavior more
* unix,win: handle nbufs=0 in uv_udp_try_send
* win: use GetQueuedCompletionStatusEx directly
* win: enable uv_thread_{get,set}name on MinGW
* win: drop support for the legacy MinGW
* win,fs: get (most) fstat when no permission
* win: plug uv_fs_event_start memory leak
* test: address FreeBSD kernel bug causing NULL path in fsevents
* unix: refactor udp sendmsg code
* unix,win: add uv_udp_try_send2
* build: enable fdsan in Android
* test: fix udp-multicast-join for FreeBSD
* win: fix leak processing fs event
* src: set a default thread name for workers
* misc: implement uv_getrusage_thread
(From OE-Core rev: 0a941918275ea089fa94d05129a2b88858aec8bd)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rewrite the nfs sysvinit scripts to start the services required
by nfsv4: gssd, idmapd, and statd.
(From OE-Core rev: 2cca2dfb6acc25f1a6a25dc60423708a78cef85d)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add support for the nfsv4 user ID mapping daemon, configured with
a sensible default, and add a packageconfig for Kerberos support.
This is reasonably tested in production in our environment, but only
systemd support. There'll be some more work to do to get GSSAPI and
NFS idmapd support integreated into that.
(From OE-Core rev: a7ea135108e445197a58b19601d77eb9d287af69)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reduce diffs against upstream by using the service files provided
by them. This reduces our dependence on patches that simply change
the names of a service.
This also changes the way some nfs options get set for systemd, it
introduces the nfs.conf file for configuration, which all daemons
already support.
(From OE-Core rev: eeab3fa1423d499f9b39fda7a7514e619a3ac010)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Change the sysvinit script to start at the S runlevel, this matches
Debian, and prevents systemd from generating a unit file for it.
Also have the nfsd systemd service request the nfsd kernel filesystem
mountpoint. This avoids startup failures in unpriviled containers
or other setups that don't support the filesystem.
(From OE-Core rev: 6110687d199bf390380fe84c330858e3b03f681d)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Release information:
https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-340-and-openssl-341-11-feb-2025
Handles CVE-2024-12797 and CVE-2024-13176.
Remove two patches included in the new version.
(From OE-Core rev: d7ac886d91ccf6b91f67fb0c843fc1765d9dafb1)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As this recipe builds the tagged releases we can put the PV in the
filename.
(From OE-Core rev: 2c7c9eb6ff996639a632059102de4d1168958eb6)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch from upstream to fix register tramping on aarch64.
(From OE-Core rev: 9005321e37030d916f4f26e7201e2f86c85ebdbd)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These were replaced with python3 in 2.5.2 (commit d1683f).
(From OE-Core rev: 85ae456a12bccabc62cb0906b92d6705f88c932f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rather than using the RPROVIDES on libnss-mdns which comes from
avahi-libnss-mdns, RRECOMMENDS avahi-libnss-mdns directly to avoid
picking any other version.
(From OE-Core rev: 61f44f8b817738c0e220b3d461952816ef7f1449)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta-networking has Apple's mDNSResponder which also delivers libnss-mdns
nsswitch plugin. Rename this recipe to avahi-libss-mdns and add an RPROVIDE so
that either than be chosen.
(From OE-Core rev: f9d10d6ac4b2a081d110ab58e7137aedddd960cb)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recipes are much more readable with whitespace around the assignment operators.
Fix various assignments in OE-Core to show this is definitely the preferred
formatting.
(From OE-Core rev: 30ea609d3357fb3de911f2f6a5e6856c151b976a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
