Commit message | Author | Age | Files | Lines
...
* can-utils: fix printing / reading timestamps | Jeroen Hofstee | 2025-05-17 | 2 | -1/+425
  Backport a patch to correctly handle 64bit timestamps.

  Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nodejs: backport a patch to prevent brotli crashing nodejs | Jeroen Hofstee | 2025-05-17 | 2 | -0/+65
  Brotli can crash nodejs (on ARM), because the memory allocated for brotli wasn't properly aligned.

  https://github.com/google/brotli/issues/1159
  https://github.com/nodejs/node/commit/dc035bbc9b310ff8067bc0dad22230978489c061

  Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-posix-ipc: switch to PEP-517 build backend | Khem Raj | 2025-05-17 | 1 | -1/+1
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-posix-ipc: upgrade 1.1.1 -> 1.2.0 | Wang Mingyu | 2025-05-17 | 1 | -2/+2
  0001-Use-default-cc-from-environment-variable.patch removed since it's not available in 1.2.0

  License-Update: Reorg and rename files; add pyproject.toml

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tftpy: fix CVE-2023-46566 | Archana Polampalli | 2025-04-26 | 2 | -0/+28
  Buffer Overflow vulnerability in msoulier tftpy commit 467017b844bf6e31745138a30e2509145b0c529c allows a remote attacker to cause a denial of service via the parse function in the TftpPacketFactory class.

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pipewire: Install missing ALSA config files | Ariel D'Alessandro | 2025-04-26 | 1 | -0/+10
  As detailed in Pipewire documentation [0], the ALSA plugin requires config files to be symlinked as follows:

  ```
  The plugin will be picked up by alsa when the following files
  are in /etc/alsa/conf.d/:

  /etc/alsa/conf.d/50-pipewire.conf -> /usr/share/alsa/alsa.conf.d/50-pipewire.conf
  /etc/alsa/conf.d/99-pipewire-default.conf
  ```

  The above symlinks are missing, thus the pipewire device is not properly detected. Fix this by creating the required symlinks and installing them in the pipewire-alsa package.

  [0] https://github.com/PipeWire/pipewire/blob/master/INSTALL.md#alsa-plugin

  Link: https://github.com/openembedded/meta-openembedded/issues/704
  Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* iniparser: Fix CVE-2025-0633 | Soumya Sambu | 2025-04-26 | 2 | -0/+38
  Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini() in iniparser allows attacker to read out of bound memory

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2025-0633
  https://ubuntu.com/security/CVE-2025-0633

  Upstream patch:
  https://gitlab.com/iniparser/iniparser/-/commit/072a39a772a38c475e35a1be311304ca99e9de7f

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lmsensors: Clean stale files for sensord to avoid incorrect GCC header dependencies | Haixiao Yan | 2025-04-16 | 1 | -1/+4
  After upgrading GCC—for example, from 14.1.0 to 14.2.0—building lmsensors that was previously compiled with GCC 14.1.0 may fail with an error like:

  lmsensors/3.6.0/recipe-sysroot-native/usr/lib/x86_64-wrs-linux/gcc/x86_64-wrs-linux/
  14.1.0/include/stddef.h can't find, which is needed by 'prog/sensord/args.rd'.

  This occurs because prog/sensord/args.rd still references stale headers from the older GCC version. The root cause is that stale *.rd and *.ro files under prog/sensord are not properly cleaned during do_configure. This patch ensures those files are removed to prevent broken dependencies when GCC is upgraded.

  Also remove the same statement in do_compile.

  (master rev: 86b20b84ec278cacf4975b7933d46b894d74796e)

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* php: Upgrade 8.2.26 -> 8.2.28 | Soumya Sambu | 2025-04-16 | 1 | -1/+1
  Includes fix for - CVE-2025-1219, CVE-2025-1736, CVE-2025-1861, CVE-2025-1734 and CVE-2025-1217

  Changelog:
  https://www.php.net/ChangeLog-8.php#8.2.28

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: upgrade 2.6.12 -> 2.6.14 | Divya Chellam | 2025-04-16 | 1 | -1/+1
  This includes CVE-fix for CVE-2025-2704

  Changelog:
  ==========
  https://github.com/OpenVPN/openvpn/releases

  For full details, refer to:
  https://github.com/OpenVPN/openvpn/compare/v2.6.12...v2.6.14

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mbedtls: 3.6.2 -> 3.6.3 | Yi Zhao | 2025-04-16 | 1 | -5/+2
  ChangeLog:
  https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3

  Remove mbedtls-framework repository, as the framework is now added as a flat directory rather than a submodule[1][2].

  [1] https://github.com/Mbed-TLS/mbedtls/commit/b41194ce7f2fda63bf5959588631eba73c5c621e
  [2] https://github.com/Mbed-TLS/mbedtls/commit/2c824b4fe5dab7e1526560be203bf705857e372a

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mbedtls: upgrade 2.28.9 -> 2.28.10 | Yi Zhao | 2025-04-16 | 1 | -1/+1
  ChangeLog
  https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sharutils: Let POSIX_SHELL be overridable from environment | Khem Raj | 2025-04-16 | 2 | -0/+50
  This helps fix

  WARNING: sharutils-4.15.2-r0 do_package_qa: QA Issue: File /usr/bin/shar in package sharutils contains reference to TMPDIR

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* e2tools: Fix buildpaths QA warning in config.status in ptest | Khem Raj | 2025-04-16 | 1 | -1/+1
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* fwknop: Specify target locations of gpg and wget | Khem Raj | 2025-04-16 | 1 | -1/+3
  This fixes emitting buildpaths into binary and also fixes the issue where these tools won't exist on the paths they were found on build machine

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* fetchmail: disable rpath to fix buildpaths warning. | Wang Mingyu | 2025-04-16 | 1 | -4/+1
  There was an error with the last modification to the buildpaths warning, which could cause segment error.

  fix the following warning about buildpath:
  WARNING: fetchmail-6.4.38-r0 do_package_qa: QA Issue: File /usr/bin/fetchmail in package fetchmail contains reference to TMPDIR [buildpaths]

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* fetchmail: Fix buildpaths warning. | Wang Mingyu | 2025-04-16 | 1 | -0/+3
  WARNING: fetchmail-6.4.38-r0 do_package_qa: QA Issue: File /usr/bin/fetchmail in package fetchmail contains reference to TMPDIR [buildpaths]

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* gcab: fix buildpaths QA issue | Martin Jansa | 2025-04-16 | 2 | -0/+38
  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* nana: Fix buildpaths warning. | Wang Mingyu | 2025-04-16 | 1 | -0/+6
  WARNING: nana-2.5+git-r0 do_package_qa: QA Issue:
  File /usr/bin/nana-c++lg in package nana contains reference to TMPDIR
  File /usr/bin/nana-clg in package nana contains reference to TMPDIR
  File /usr/bin/nana in package nana contains reference to TMPDIR [buildpaths]

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* lprng: Specify target paths for needed utilities | Khem Raj | 2025-04-16 | 1 | -1/+3
  pr,openssl,chown,chgrp are guessed during configure and they are found on host, sometimes under native sysroot and some under HOSTTOOLS which is not right, therefore point to target locations of these tools

  Fixes all errors like below
  File /usr/sbin/lprng_certs in package lprng contains reference to TMPDIR

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* boinc-client: Fix contains reference to TMPDIR [buildpaths] warning | alperak | 2025-04-16 | 1 | -0/+4
  WARNING: boinc-client-7.20.5-r0 do_package_qa: QA Issue: File /usr/include/boinc/svn_version.h in package boinc-client-dev contains reference to TMPDIR [buildpaths]

  Signed-off-by: alperak <alperyasinak1@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* hplip: Fix contains reference to TMPDIR [buildpaths] warning | alperak | 2025-04-16 | 1 | -1/+1
  Make sure that the OE provided CFLAGS are passed to the compiler.

  WARNING: hplip-3.22.10-r0 do_package_qa: QA Issue: File /usr/lib/python3.12/site-packages/cupsext.so in package hplip contains reference to TMPDIR [buildpaths]

  Signed-off-by: alperak <alperyasinak1@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-pycocotools: Remove absolute paths from comments | Khem Raj | 2025-04-16 | 1 | -0/+4
  _mask.c is generated by cython and encodes sourcepaths into comments which are absolute. Edit them out.

  Fixes buildpaths QA errors

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-pyproj: Remove absolute paths from cython generated .c files | Khem Raj | 2025-04-16 | 1 | -0/+8
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-pyproj: Fix buildpaths QA Error | Khem Raj | 2025-04-16 | 2 | -0/+20
  This error is due to absolute paths leaking into ELF files due to -rpath option in compiler cmdline, therefore patch them out.

  Apply patch [1] from Debian

  [1] https://sources.debian.org/data/main/p/python-pyproj/3.6.1-4/debian/patches/rpath.patch

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-kivy: Remove buildpaths from comments in generated C sources | Khem Raj | 2025-04-16 | 1 | -0/+7
  Cython does not provide a direct option to disable or customize the metadata written in the generated C files. The metadata includes information like the Cython version and absolute paths to the original Cython files, which can be problematic for doing reproducible builds

  Therefore edit out these comments from the cython generated C files they are nicely tucked between two known tags at the top of file.

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* perfetto: Fix contains reference to TMPDIR [buildpaths] warning | alperak | 2025-04-16 | 1 | -2/+2
  WARNING:perfetto-31.0-r0 do_package_qa: QA Issue: File /usr/bin/.debug/tracebox in package perfetto-dbg contains reference to TMPDIR [buildpaths]

  Signed-off-by: alperak <alperyasinak1@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* ldns: Fix buildpaths QA issues | Khem Raj | 2025-04-16 | 1 | -1/+2
  MJ: Backported from 'ldns: Upgrade to 1.8.4' commit without the upgrade.

  Fix buildpaths QA errors while here

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* keepalived: Make build reproducible | Khem Raj | 2025-04-16 | 2 | -0/+34
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* botan: Make it reproducible | Khem Raj | 2025-04-16 | 1 | -4/+4
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* rdist: Fix contains reference to TMPDIR [buildpaths] warning | alperak | 2025-04-16 | 1 | -1/+1
  Pass OE cflags to makefile

  WARNING: rdist-6.1.5-r0 do_package_qa: QA Issue:
  File /usr/bin/.debug/rdistd in package rdist-dbg contains reference to TMPDIR
  File /usr/bin/.debug/rdist in package rdist-dbg contains reference to TMPDIR [buildpaths]

  Signed-off-by: alperak <alperyasinak1@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* blueman: Fix buildpathe issue with cython generated code | Khem Raj | 2025-04-16 | 2 | -0/+39
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Cc: Markus Volk <f_l_k@t-online.de>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* wolfssl: Add packageconfig for reproducible build | Khem Raj | 2025-04-16 | 1 | -0/+3
  Make this option turned on by default

  Fixes
  WARNING: wolfssl-5.7.2-r0 do_package_qa: QA Issue: File /usr/lib/libwolfssl.so.42.2.0 in package wolfssl contains reference to TMPDIR [buildpaths]

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster@mvista.com>
* mongodb: update to 4.4.29 | Awais Belal | 2025-03-27 | 2 | -32/+3
  Move on to 4.4.29 and drop a patch that is not applicable anymore.

  Signed-off-by: Awais Belal <awais.belal@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* krb5: fix CVE-2025-24528 | Divya Chellam | 2025-03-27 | 2 | -0/+69
  In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.

  Reference:
  https://security-tracker.debian.org/tracker/CVE-2025-24528

  Upstream-patch:
  https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* netplan: Fix CVE-2022-4968 | Jinfeng Wang | 2025-03-23 | 2 | -0/+453
  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2022-4968

  Upstream-patch:
  https://github.com/canonical/netplan/commit/4c39b75b5c6ae7d976bda6da68da60d9a7f085ee

  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: upgrade 4.2.7 -> 4.2.9 | Vijay Anusuri | 2025-03-23 | 2 | -135/+1
  Fixes CVE-2024-11595 CVE-2024-11596

  Removed CVE-2024-9781.patch which is already fixed in 4.2.8 version

  Release notes:
  https://www.wireshark.org/docs/relnotes/wireshark-4.2.8.html
  https://www.wireshark.org/docs/relnotes/wireshark-4.2.9.html

  Reference:
  https://www.wireshark.org/security/wnpa-sec-2024-15.html
  https://www.wireshark.org/security/wnpa-sec-2024-14.html
  https://www.wireshark.org/security/wnpa-sec-2024-13.html

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libgpiod: fix gpiod-cxx-test failed test case | Libo Chen | 2025-03-23 | 2 | -0/+40
  Patch from: https://web.git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git/commit/?id=3e224d885b1de54fe5510b9c5e7296260a1a4507

  Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wolfssl: Upgrade 5.7.0 -> 5.7.2 | Sofiane HAMAM | 2025-03-23 | 1 | -1/+1
  The upgrade includes many vulnerability fixes, new features and enhancements, refer to: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable

  Signed-off-by: Sofiane HAMAM <sofiane.hamam@smile.fr>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Wolfssl: add ptest | Sofiane HAMAM | 2025-03-23 | 4 | -2/+47
  Add ptest for Wolfssl package.
  Set IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-wolfssl to 700M enough to avoid a "No space left on device".

  BEGIN: /usr/lib/wolfssl/ptest
  Wolfssl ptest logs are stored in /tmp/wolfss_temp.qvuQ9h/ptest.log
  Test script returned: 0
  unit_test: Success for all configured tests.
  PASS: Wolfssl
  DURATION: 7
  END: /usr/lib/wolfssl/ptest

  Signed-off-by: Sofiane HAMAM <sofiane.hamam@smile.fr>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: upgrade 16.5 -> 16.8 | Vijay Anusuri | 2025-03-23 | 2 | -3/+3
  License-Update: Update license year to 2025

  Includes fix for CVE-2025-1094

  Changelog:
  https://www.postgresql.org/docs/release/16.8/

  Refreshed 0003-configure.ac-bypass-autoconf-2.69-version-check.patch for 16.8

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lcov: Add missing RDEPENDS | Claus Stovgaard | 2025-03-23 | 1 | -0/+4
  Found by just adding lcov to core-image-minimal, running geninfo and getting errors like.

  Can't locate Module/Load.pm in @INC (you may need to install the Module::Load module) ... at /usr/bin/geninfo line 63.
  BEGIN failed--compilation aborted at /usr/bin/geninfo line 63.

  Can't locate Module/Metadata.pm in @INC (you may need to install the Module::Metadata module) ... at /usr/lib/perl5/5.38.2/Module/Load/Conditional.pm line 14.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.38.2/Module/Load/Conditional.pm line 14.
  Compilation failed in require at /usr/bin/geninfo line 64.

  Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit e7f560b9b8dacf7aadf59d6321c2e869dcd5831e)
  Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lcov: sort RDEPENDS alphabetical | Claus Stovgaard | 2025-03-23 | 1 | -5/+5
  It is easier to get an overview of the perl modules needed for running lcov if they are sorted alphabetically

  Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 7ec1c9afdf45a3ee47bfff0470d90cf215ba4da5)
  Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lcov: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status | Alexandre Truong | 2025-03-23 | 1 | -0/+3
  Adding UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX fix UNKNOWN_BROKEN status from running devtool check-upgrade-status.

  The next version of the package can be found from upstream sources.

  Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
  Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
  (cherry picked from commit e71a678f4d769da2f7f465bfcaa1ab614f9d0d1a)
  Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mongodb: fix build with python 3.12 | Awais Belal | 2025-03-07 | 2 | -2/+58
  The moduleconfig.py build script uses the 'imp' module which is deprecated in favor of 'importlib' in python 3.12. This fixes the build issue by replacing the affected portion of the code and the package now builds fine on hosts with python 3.12.

  Signed-off-by: Awais Belal <awais.belal@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libmodbus: patch CVE-2024-10918 | Peter Marko | 2025-03-07 | 5 | -1/+628
  Pick commit mentioning the bug and two follow-up commits mentioning the first commit as well as commit to adapt tests for these.

  Tested by running the test-suite.

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* unbound: Fix CVE-2024-8508 | Virendra Thakur | 2025-03-07 | 2 | -1/+250
  Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks.

  Reference: https://nvd.nist.gov/vuln/detail/cve-2024-8508

  Signed-off-by: Virendra Thakur <virendrak@kpit.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: fix CVE-2025-23419 | Changqing Li | 2025-03-03 | 2 | -1/+89
  CVE-2025-23419: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.

  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-23419

  This partially cherry picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2 parts. One fixed problem in `http/ngx_http_request` module and the second fixed problem in `stream/ngx_stream_ssl_module` module. The fix for `stream/ngx_stream_ssl_module` can't be applied because, the 'stream virtual servers' functionality was added later in this commit: https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. Therefore only `http/ngx_http_request` part was backported.

  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-grpcio(-tools): fix build concurrency issue | Peter Marko | 2025-03-03 | 2 | -0/+8
  Set GRPC_PYTHON_BUILD_EXT_COMPILER_JOBS to limit spawned compiler processes. Without this it uses all available CPUs (via multiprocessing.cpu_count()) and can exhaust build host since there are lot of files to compile (e.g. with 128 cores it manages to spawn 128 gcc processes)

  Note that this is a general problem for all setuptools based builds with build_ext compilation which can either compile with 1 thread or cpu_count threads. grpcio hot-patches setuptools and allows to set specific build concurrency value.

  (From master rev: fe582374d3ba474164005942799eb2bddc52a080)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* iperf3: throughput fix | Trevor Woerner | 2025-03-03 | 2 | -0/+31
  This is a backport of a fix to iperf3. The author saw a 40% improvement in their network throughput, we've seen around a 55% improvement in our tests.

  Link: https://github.com/esnet/iperf/pull/1708/commits/ac6b9f7fd335ddebc5212eed40083ef4cd3cb86d
  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>