| Commit message | Author | Age | Files | Lines |
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
- Fixes a regression with handling OCSP error responses and adds a new
option to specify the length of nonces in OCSP requests. Also adds some
other improvements for OCSP handling and fuzzers for OCSP
requests/responses.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be2e20157f3025f9e2370933267a56fd526c58e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b135007c8ff43c18dd0593b5115d46dc6362675f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
* Drop backport patch 0001-enum-Fix-compiler-warning.patch.
* Drop backport patch CVE-2022-40617.patch
* Update RDEPENDS to fix strongswan startup failures:
plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available
plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
* Drop PACKAGECONFIG[scep] as scepclient has been removed.
* Add plugin-gcm to RDEPENDS as gcm plugin has been added to the default
plugins.
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/5.9.7
https://github.com/strongswan/strongswan/releases/tag/5.9.8
https://github.com/strongswan/strongswan/releases/tag/5.9.9
https://github.com/strongswan/strongswan/releases/tag/5.9.10
https://github.com/strongswan/strongswan/releases/tag/5.9.11
https://github.com/strongswan/strongswan/releases/tag/5.9.12
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
dissector infinite loops
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff5741
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desirable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1b332f2eff7df2336ff87917cd48249edf763a2)
Backport: Adapted modified recipes to the ones generating warnings
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This upgrade incorporates the CVE-2023-46316 fix and other bug fixes.
Changelog:
----------
- Interpret ipv4-mapped ipv6 addresses (::ffff:A.B.C.D) as true ipv4.
- Return back more robust poll(2) loop handling.
- Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1 (Eric Dumazet, SF bug #14)
- Fix command line parsing in wrappers.
References:
https://security-tracker.debian.org/tracker/CVE-2023-46316
https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
A flaw was found in open-vm-tools. This flaw allows a malicious actor that
has been granted Guest Operation Privileges in a target virtual machine to
elevate their privileges if that target virtual machine has been assigned
a more privileged Guest Alias.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-34058
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
[minor fixup]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
A malicious actor that has been granted Guest Operation Privileges
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html
in a target virtual machine may be able to elevate their privileges if
that target virtual machine has been assigned a more privileged Guest Alias
https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-20900
https://security-tracker.debian.org/tracker/CVE-2023-20900
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Minor fixup]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
A fully compromised ESXi host can force VMware Tools to
fail to authenticate host-to-guest operations, impacting
the confidentiality and integrity of the guest virtual machine.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
| |
Changelog:
==========
Source code:
----------------
Fix spaces before tabs in indentation.
Updated printers:
-----------------
LSP ping: Fix "Unused value" warnings from Coverity.
CVE-2023-1801: Fix an out-of-bounds write in the SMB printer.
DNS: sync resource types with IANA.
ICMPv6: Update the output to show a RPL DAO field name.
Geneve: Fix the Geneve UDP port test.
Building and testing:
----------------------
Require at least autoconf 2.69.
Don't check for strftime(), as it's in C90 and beyond.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Documentation:
-------------
man: Document TCP flag names better.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e782260d0b6018614dbdea95899a4a0921915e0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
==========
Updated printers:
PTP: Use the proper values for the control field and print un-allocated
values for the message field as "Reserved" instead of "none".
Source code:
smbutil.c: Replace obsolete function call (asctime)
Building and testing:
cmake: Update the minimum required version to 2.8.12 (except Windows).
CI: Introduce and use TCPDUMP_CMAKE_TAINTED.
Makefile.in: Add the releasecheck target.
Makefile.in: Add "make -s install" in the releasecheck target.
Cirrus CI: Run the "make releasecheck" command in the Linux task.
Makefile.in: Add the whitespacecheck target.
Cirrus CI: Run the "make whitespacecheck" command in the Linux task.
Address all shellcheck warnings in update-test.sh.
Makefile.in: Get rid of a remain of gnuc.h.
Documentation:
Reformat the installation notes (INSTALL.txt) in Markdown.
Convert CONTRIBUTING to Markdown.
CONTRIBUTING.md: Document the use of "protocol: " in a commit summary.
Add a README file for NetBSD.
Fix CMake build to set man page section numbers in tcpdump.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dab75037cc9c4a5674e08c3a55fff172fd6eba75)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
==========
Updated printers:
-----------------
BGP: Update cease notification decoding to RFC 9003.
BGP: decode BGP link-bandwidth extended community properly.
BGP: Fix parsing the AIGP attribute
BGP: make sure the path attributes don't go past the end of the packet.
BGP: Shutdown message can be up to 255 bytes length according to rfc9003
DSA: correctly determine VID.
EAP: fix some length checks and output issues.
802.11: Fix the misleading comment regarding "From DS", "To DS" Frame Control Flags.
802.11: Fetch the CF and TIM IEs a field at a time.
802.15.4, BGP, LISP: fix some length checks, compiler warnings,
and undefined behavior warnings.
PFLOG: handle LINKTYPE_PFLOG/DLT_PFLOG files from all OSes on all OSes.
RRCP: support more Realtek protocols than just RRCP.
MPLS: show the EXP field as TC, as per RFC 5462.
ICMP: redo MPLS Extension code as general ICMP Extension code.
VQP: Do not print unknown error codes twice.
Juniper: Add some bounds checks.
Juniper: Don't treat known DLT_ types as "Unknown".
lwres: Fix a length check, update a variable type.
EAP: Fix some undefined behaviors at runtime.
Ethernet: Rework the length checks, add a length check.
IPX: Add two length checks.
Zephyr: Avoid printing non-ASCII characters.
VRRP: Print the protocol name before any GET_().
DCCP: Get rid of trailing commas in lists.
Juniper: Report invalid packets as invalid, not truncated.
IPv6: Remove an obsolete code in an always-false #if wrapper.
ISAKMP: Use GET_U_1() to replace a direct dereference.
RADIUS: Use GET_U_1() to replace a direct dereference.
TCP: Fix an invalid check.
RESP: Fix an invalid check.
RESP: Remove an unnecessary test.
Arista: Refine the output format and print HwInfo.
sFlow: add support for IPv6 agent, add a length check.
VRRP: add support for IPv6.
OSPF: Update to match the Router Properties registry.
OSPF: Remove two unnecessary dereferences.
OSPF: Add support bit Nt RFC3101.
OSPFv3: Remove two unnecessary dereferences.
ICMPv6: Fix output for Router Renumbering messages.
ICMPv6: Fix the Node Information flags.
ICMPv6: Remove an unused macro and extra blank lines.
ICMPv6: Add a length check in the rpl_dio_print() function.
ICMPv6: Use GET_IP6ADDR_STRING() in the rpl_dio_print() function.
IPv6: Add some checks for the Hop-by-Hop Options header
IPv6: Add a check for the Jumbo Payload Hop-by-Hop option.
NFS: Fix the format for printing an unsigned int
PTP: fix printing of the correction fields
PTP: Use ND_LCHECK_U for checking invalid length.
WHOIS: Add its own printer source file and printer function
MPTCP: print length before subtype inside MPTCP options
ESP: Add a workaround to a "use-of-uninitialized-value".
PPP: Add tests to avoid incorrectly re-entering ppp_hdlc().
PPP: Don't process further if protocol is unknown (-e option).
PPP: Change the pointer to packet data.
ZEP: Add three length checks.
Add some const qualifiers.
Building and testing:
----------------------
Update config.guess and config.sub.
Use AS_HELP_STRING macro instead of AC_HELP_STRING.
Handle some Autoconf/make errors better.
Fix an error when cross-compiling.
Use "git archive" for the "make releasetar" process.
Remove the release candidate rcX targets.
Mend "make check" on Solaris 9 with Autoconf.
Address assorted compiler warnings.
Fix auto-enabling of Capsicum on FreeBSD with Autoconf.
Treat "msys" as Windows for test exit statuses.
Clean up some help messages in configure.
Use unified diff by default.
Remove awk code from mkdep.
Fix configure test errors with Clang 15
CMake: Prevent stripping of the RPATH on installation.
AppVeyor CI: update Npcap site, update to 1.12 SDK.
Cirrus CI: Use the same configuration as for the main branch.
CI: Add back running tcpdump -J/-L and capture, now with Cirrus VMs.
Remove four test files (They are now in the libpcap tests directory).
On Solaris, for 64-bit builds, use the 64-bit pcap-config.
Tell CMake not to check for a C++ compiler.
CMake: Add a way to request -Werror and equivalents.
configure: Special-case macOS /usr/bin/pcap-config as we do in CMake.
configure: Use pcap-config --static-pcap-only if available.
configure: Use ac_c_werror_flag to force unknown compiler flags to fail.
configure: Use AC_COMPILE_IFELSE() and AC_LANG_SOURCE() for testing flags.
Run the test that fails on OpenBSD only if we're not on OpenBSD.
Source code:
-------------
Fix some snapend-changing routines to protect against pointer underflow.
Use __func__ from C99 in some function calls.
Memory allocator: Update nd_add_alloc_list() to a static function.
addrtoname.c: Fix two invalid tests.
Use more S_SUCCESS and S_ERR_HOST_PROGRAM in main().
Add some comments about "don't use GET_IP6ADDR_STRING()".
Assign ndo->ndo_packetp in pretty_print_packet().
Add ND_LCHECKMSG_U, ND_LCHECK_U, ND_LCHECKMSG_ZU and ND_LCHECK_ZU macros.
Update tok2strbuf() to a static function.
netdissect.h: Keep the link-layer dissectors names sorted.
setsignal(): Set SA_RESTART on non-lethal signals (REQ_INFO, FLUSH_PCAP)
to avoid corrupting binary pcap output.
Use __builtin_unreachable().
Fail if nd_push_buffer() or nd_push_snaplen() fails.
Improve code style and fix many typos.
Documentation:
---------------
Some man page cleanups.
Update the print interface for the packet count to stdout.
Note that we require compilers to support at least some of C99.
Update AIX and Solaris-related specifics.
INSTALL.txt: Add doc/README.*, delete the deleted win32 directory.
Update README.md and README.Win32.md.
Update some comments with new RFC numbers.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 68db0a388005c319784ec3b6ca533d0d9a142554)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
spice depends on spice-protocol, when IMAGE_INSTALL contains spice,
do_populate_sdk fails with the following error:
Error:
Problem: package libspice-server-dev-0.14.2+git0+7cbd70b931_4fc4c2db36-r0.core2_64 requires spice-protocol-dev, but none of the providers can be installed
- conflicting requests
- nothing provides spice-protocol = 0.14.4-r0 needed by spice-protocol-dev-0.14.4-r0.core2_64
(try to add '--skip-broken' to skip uninstallable packages)
For spice-protocol, it's a development package and all things are in
the dev package, so set ALLOW_EMPTY to fix the above error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Patch taken from https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch
It is linked as official patch for p15 in:
- https://www.ntp.org/support/securitynotice/ntpbug3807/
- https://www.ntp.org/support/securitynotice/ntpbug3806/
Small adaptation to build is needed because of how tests are built.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789
Changelog:
=========
dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781
Bug #780 assert tcpedit dlt cleanup by @fklassen in #800
Fix bugs caused by strtok_r by @Marsman1996 in #783
Bug #782 #784 #785 #786 #787 #788 strtok r issues by @fklassen in #801
Update en10mb.c by @david-guti in #793
PR #793 ip6 unicast flood by @fklassen in #802
Bug #719 fix overflow check for parse_mpls() by @fklassen in #804
PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805
PR #793 - update tests for vlandel by @fklassen in #806
Feature #773 gh actions ci by @fklassen in #807
Feature #759: Upgrade autogen/libopts to 5.18.16 by @fklassen in #760
Bug #751 don't exit after send error by @fklassen in #761
Bug #750: configure: libpcap version robustness by @fklassen in #764
Bug #749 flow stats: avoid overstating flow packet count by @fklassen in #765
Bug #750 more libpcap version updates by @fklassen in #766
Bug #767 tests: support for out-of-tree tests by @fklassen in #768
Bug #750 - fix macOS test failure by @fklassen in #770
4.4.3 by @fklassen in #769 and #771
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Backport fixes for:
* CVE-2023-0666 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2
* CVE-2023-0667 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a
* CVE-2023-0668 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Backport fixes for:
* CVE-2023-2858 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105
* CVE-2023-2879 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
(cherry-picked from 795ccdd86cad05c425adae15af27797f42f33c56)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
The patch is modified by removing irrelevant and conflicting
CHANGELOG entry.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to the
conclusion that this is how the current NTP protocol is designed.
A new RFC is proposed for the future but it will not be compatible with the
current one.
See https://support.f5.com/csp/article/K09940637
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
From ec97a83702704bb02b00358c0d26e78294ad3254 Mon Sep 17 00:00:00 2001
From: Federico Pellegrin <fede@evolware.org>
Date: Thu, 6 Oct 2022 14:17:21 +0200
Subject: [kirkstone][PATCH] chrony: add pkgconfig class as pkg-config is
explicitly searched for
The configure script present in chrony will explicitly look for
pkg-config and without the pkgconfig class it will fail:
Checking for pkg-config : No
This then affects the possibility (via image features or bbappend)
to use features based on nettle/gnutls/nss which strictly require
pkgconfig to be present and working.
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
There is no need for these configs on their own and they would only mess
up the sechash and privdrop configs. To actually enable sechash one also
had to enable nss, and to enable privdrop one also had to enable libcap.
This also avoids passing --with-libcap if privdrop is enabled since the
option does not exist.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Support for readline was dropped in Chrony 4.2. Enabling the readline
PACKAGECONFIG would result in no support for command line editing as
only editline is supported and it would be disabled.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Revocation Checking
Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2022-40617
Affects "strongswan < 5.9.8"
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2022-37049
CVE-2022-37048
CVE-2022-37047
CVE-2022-28487
CVE-2022-25484
CVE-2022-27939
CVE-2022-27940
CVE-2022-27941
CVE-2022-27942
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
CVE-2022-31676:
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
escalation vulnerability. A malicious actor with local
non-administrative access to the Guest OS can escalate privileges as a
root user in the virtual machine.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-31676
Patch from:
https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since it's included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 79ed6782a66590d769a516d8b4c15a4330bf7515)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
MR: 122044
Type: Security Fix
Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
Description:
CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Required by samba 4.14.14.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1cd743f8d8053cc9d34cd1a0204d4d333722e0f5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
wscript detects the .git directory and, if it's present, then invokes git
describe --dirty, which does not work on the devtool-created git
repository, since it's synthesized.
Add GNU_SOURCE define to get strptime() definition
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 375be9fd60e22fb60b53d664983cb70d26d8a288)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Fixes:
WARNING: openipmi-2.0.32-r0 do_package_qa: QA Issue: File /usr/src/debug/openipmi/2.0.32-r0/OpenIPMI-2.0.32/swig/perl/OpenIPMI_wrap.c in package openipmi-src contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5abd81567d5ed091ed870abf24e51f260747d593)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
fix-openssl-no-des.patch
refreshed for version 5.65
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.5.
Bugfixes
Fixed handling globally enabled FIPS.
Fixed the default openssl.cnf path in stunnel.exe.
Fixed a number of MSVC warnings.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 72f84335cb372dbf00d2d07429a595fced0c4f4f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.3.
New features
Updated the pkcs11 engine for Windows.
Bugfixes
Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f3b52f4589bfa942e473488f91ecef85d339e78)
[New feature does not affect linux]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
==========
# ndisc6: print NAT64 prefix if present.
# rdnssd: fix timeout calculation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c77bc200813dec8a1317ea6651d0f398a3fa5d65)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
The following CVEs are already patched so we can ignore them:
- CVE-2016-0749
- CVE-2016-2150
- CVE-2018-10893
This is caused by inaccurate CPE in the NVD database.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
| |
This upgrade includes the following CVE fixes:
- CVE-2021-4190
- CVE-2022-0581
- CVE-2022-0582
- CVE-2022-0583
- CVE-2022-0585
- CVE-2022-0586
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
| |
cve-check is not able to correctly identify many of the patched
CVEs because of the non standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
| |
* Drop backport patch 0001-openssl-Don-t-unload-providers.patch
* Backport a patch to fix the build error:
src/libstrongswan/utils/enum.c: In function 'enum_flags_to_string':
src/libstrongswan/utils/enum.c:100:9: error: format not a string literal and no format arguments [-Werror=format-security]
100 | if (snprintf(buf, len, e->names[0]) >= len)
| ^~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 689e8422b836d804d9ab102cb3de0a4f6e1f24c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Ensure /var/lib/chrony exists to avoid error like:
chronyd.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/chrony: No such>
chronyd.service: Failed at step NAMESPACE spawning /usr/sbin/chronyd: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
CVE-2022-0934:
Heap use after free in dhcp6_no_relay
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-0934
Patch from:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Source: MontaVista Software, LLC
MR: 117141
Type: Defect Fix
Disposition: Backport from [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981]
ChangeID: 199f8618971de15d177dab9651f82f5696ff1aa1
Description:
the (now default) suppress_debug=1 changes permissions on /dev/null
to 0644. Don't do this.
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changes in 1.3.4
----------------
- fix small memory leak in strdup
- fix free in case of DNS lookup failure
- other minor updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b82354a2acce0370564426f7f824e628a27df2f8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Fixed when multilib is disabled on intel-x86-64:
MULTILIBS = ""
$ bitbake sssd
ERROR: sssd-2.5.2-r0 do_package: QA Issue: sssd: Files/directories were installed but not shipped in any package:
/usr/lib/ldb
/usr/lib64/ldb/modules/ldb/memberof.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
sssd: 2 installed and not shipped files. [installed-vs-shipped]
And also remove bin/ to get a clean rebuild, otherwise, the rebuild result may
be incorrect.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5f6156c0ef842bd39e9eb1f7ce02eb7c7c961d3a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>