summaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-support
Commit message (Collapse)AuthorAgeFilesLines
* tcpreplay: fix CVE-2024-22654Archana Polampalli2025-07-133-0/+127
| | | | | | | tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: fix CVE-2025-22247Hitendra Prajapati2025-07-132-0/+384
| | | | | | | Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/blob/CVE-2025-22247.patch/CVE-2025-22247-1100-1225-VGAuth-updates.patch Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: patch CVE-2024-2397Ashish Sharma2025-07-022-0/+127
| | | | | | | Upstream-Status: Backport from https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: renew the sample keysHaixiao Yan2025-03-292-0/+1
| | | | | | | | | | | | | Renew the sample keys to fix the test issue: WARNING: Your certificate has expired! The renewed sample keys from [1] contain binary files which can't be patched by quilt, so archive the files into sample-keys-renew-for-the-next-10-years.tar.gz. [1] https://github.com/OpenVPN/openvpn/commit/98e70e7 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: fix do_fetch errorJiaying Song2025-03-291-1/+1
| | | | | | | | | | | Change the SRC_URI to the correct value due to the following error: WARNING: chrony-4.5-r0.wr2401 do_fetch: Failed to fetch URL https://download.tuxfamily.org/chrony/chrony-4.5.tar.gz, attempting MIRRORS if available Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8ffe8112f733c6812732b0fcfa8db7d3849914d0) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* geoip: fix do_fetch errorWang Mingyu2025-03-291-4/+4
| | | | | | | | | | | Change the SRC_URI to the correct value due to the following error: ERROR: geoip-1.6.12-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'http://sources.openembedded.org/GeoIP.dat.20181205.gz;apply=no;name=GeoIP-dat;') Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit aadc2ac9dc49dfb5a2066401f22e7b553b324313) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: upgrade 2.5.6 -> 2.5.11Haixiao Yan2024-12-084-272/+2
| | | | | | | | | | | | | | | | | | License-Update: Add Apache2 linking for new commits [1] ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.5.11/Changes.rst Security fixes: CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. [1] https://github.com/OpenVPN/openvpn/commit/4a89a55b8a9d6193957711bef74228796a185179 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: Security fixes CVE-2023-34059Yi Zhao2024-12-082-0/+189
| | | | | | | | | | | | | | | | | | CVE-2023-34059: open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34059 Patch from: https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch/CVE-2023-34059.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openipmi: upgrade 2.0.32->2.0.36Jiaying Song2024-12-084-103/+13
| | | | | | | | | | | | | | 2c4ab4a6c openipmi: fix do_configure error when using dash 03dd014eb openipmi: update 2.0.32 -> 2.0.34 Merge the above commits related to the upgrade, and then upgrade the version of openipmi from 2.0.34 to 2.0.36. Full changelog for openipmi:: https://sourceforge.net/p/openipmi/news/ Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: Fix CVE-2023-4256Poonam Jadhav2024-07-302-1/+30
| | | | | | | | | | | Add patch to fix tcpreplay CVE-2023-4256 dlt_jnpr_ether_cleanup: check config before cleanup Links: https://github.com/appneta/tcpreplay/pull/851 https://github.com/appneta/tcpreplay/issues/813#issuecomment-2245557093 Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: fix multiple CVEsMeenali Gupta2024-06-274-1/+272
| | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2024-24974: Previously, the VPN tool’s Windows implementation allowed remote access to its service pipe, posing a security risk. Using compromised credentials, a threat actor could communicate with OpenVPN to orchestrate attacks. CVE-2024-27903: OpenVPN has mitigated the risk by restricting plugin load. Plugins can now only be loaded from the software’s install directory, the Windows system directory, and the plugin_dir directory under the software’s installation. CVE-2024-27459: This vulnerability affects the interactive service component, potentially leading to local privilege escalation when triggered by an oversized message.To mitigate this risk, the VPN solution now terminates connections upon detecting excessively large messages, preventing stack overflow exploits. References: https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/ https://socradar.io/openvpn-fixed-multiple-vulnerabilities-on-windows/ https://community.openvpn.net/openvpn/wiki/CVE-2024-27903 https://community.openvpn.net/openvpn/wiki/CVE-2024-27459 https://community.openvpn.net/openvpn/wiki/CVE-2024-24974 Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: fix CVE-2023-6175Hitendra Prajapati2024-04-282-0/+247
| | | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/3be1c99180a6fc48c34ae4bfc79bfd840b29ae3e Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> [manual fixed up] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Backport fix for CVE-2024-2955Ashish Sharma2024-04-282-0/+53
| | | | | | | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341] Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Upgrade 2.87 -> 2.90Soumya Sambu2024-03-255-87/+3
| | | | | | | | | | | | | | Fixes CVE-2023-50387 and CVE-2023-50868 Remove backported CVE patch. Remove patch for lua as hardcoding lua version was removed. Changelog: =========== https://thekelleys.org.uk/dnsmasq/CHANGELOG Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: ignore CVE-2023-7235Soumya Sambu2024-03-251-0/+3
| | | | | | | | | | | This CVE is related to OpenVPN 2.x GUI on Windows. References: https://community.openvpn.net/openvpn/wiki/CVE-2023-7235 https://security-tracker.debian.org/tracker/CVE-2023-7235 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix for CVE-2023-4511Vijay Anusuri2024-02-072-0/+82
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: fix CVE-2024-0208 GVCP dissector crashHitendra Prajapati2024-02-072-0/+43
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: upgrade 5.9.12 -> 5.9.13Wang Mingyu2024-02-051-1/+1
| | | | | | | | | | | | | | | Changelog: - Fixes a regression with handling OCSP error responses and adds a new option to specify the length of nonces in OCSP requests. Also adds some other improvements for OCSP handling and fuzzers for OCSP requests/responses. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5be2e20157f3025f9e2370933267a56fd526c58e) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit b135007c8ff43c18dd0593b5115d46dc6362675f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: upgrade 5.9.6 -> 5.9.12Archana Polampalli2024-01-121-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | * Drop backport patch 0001-enum-Fix-compiler-warning.patch. * Drop backport patch CVE-2022-40617.patch * Update RDEPENDS to fix strongswan startup failures: plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available * Drop PACKAGECONFIG[scep] as scepclient has been removed. * Add plugin-gcm to RDEPENDS as gcm plugin has been added to the default plugins. ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.7 https://github.com/strongswan/strongswan/releases/tag/5.9.8 https://github.com/strongswan/strongswan/releases/tag/5.9.9 https://github.com/strongswan/strongswan/releases/tag/5.9.10 https://github.com/strongswan/strongswan/releases/tag/5.9.11 https://github.com/strongswan/strongswan/releases/tag/5.9.12 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: fix CVE-2022-4345 multiple (BPv6, OpenFlow, and Kafka protocol) ↵vkumbhar2024-01-122-0/+53
| | | | | | | | | dissector infinite loops Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: fix CVE-2023-1992 RPCoRDMA dissector crashvkumbhar2024-01-122-0/+62
| | | | | | | Upstream-Status: Backport from https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff5741 Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-networking: Drop broken BBCLASSEXTEND variantsRichard Purdie2023-11-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | The command "bitbake universe -c fetch" currently throws a ton of warnings as there are many 'impossible' dependencies. In some cases these variants may never have worked and were just added by copy and paste of recipes. In some cases they once clearly did work but became broken somewhere along the way. Users may also be carrying local bbappend files which add further BBCLASSEXTEND. Having universe fetch work without warnings is desireable so clean up the broken variants. Anyone actually needing something dropped here can propose adding it and the correct functional dependencies back quite easily. This also then ensures we're not carrying or fixing things nobody uses. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e1b332f2eff7df2336ff87917cd48249edf763a2) Backport: Adapted modified recipes to the ones generating warnings Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* traceroute: upgrade 2.1.0 -> 2.1.3Narpat Mali2023-11-141-2/+1
| | | | | | | | | | | | | | | | | | This upgrade incorporates the CVE-2023-46316 fix and other bug fixes. Changelog: ---------- - Interpret ipv4-mapped ipv6 addresses (::ffff:A.B.C.D) as true ipv4. - Return back more robast poll(2) loop handling. - Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1 (Eric Dumazet, SF bug #14) - Fix command line parsing in wrappers. References: https://security-tracker.debian.org/tracker/CVE-2023-46316 https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/ Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: fix CVE-2023-34058Archana Polampalli2023-11-142-0/+242
| | | | | | | | | | | | | | A flaw was found in open-vm-tools. This flaw allows a malicious actor that has been granted Guest Operation Privileges in a target virtual machine to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34058 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> [minor fixup] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: fix CVE-2023-20900Narpat Mali2023-11-142-0/+37
| | | | | | | | | | | | | | | | | | A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID -6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download. vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31 e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . References: https://nvd.nist.gov/vuln/detail/CVE-2023-20900 https://security-tracker.debian.org/tracker/CVE-2023-20900 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> [Minor fixup] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: fix CVE-2023-20867Meenali Gupta2023-10-172-0/+159
| | | | | | | | | A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix CVE-2023-2906Hitendra Prajapati2023-09-232-0/+39
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* tcpdump: upgrade 4.99.3 -> 4.99.4Wang Mingyu2023-09-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== Source code: ---------------- Fix spaces before tabs in indentation. Updated printers: ----------------- LSP ping: Fix "Unused value" warnings from Coverity. CVE-2023-1801: Fix an out-of-bounds write in the SMB printer. DNS: sync resource types with IANA. ICMPv6: Update the output to show a RPL DAO field name. Geneve: Fix the Geneve UDP port test. Building and testing: ---------------------- Require at least autoconf 2.69. Don't check for strftime(), as it's in C90 and beyond. Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21. Documentation: ------------- man: Document TCP flag names better. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2e782260d0b6018614dbdea95899a4a0921915e0) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: upgrade 4.99.2 -> 4.99.3Wang Mingyu2023-09-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== Updated printers: PTP: Use the proper values for the control field and print un-allocated values for the message field as "Reserved" instead of "none". Source code: smbutil.c: Replace obsolete function call (asctime) Building and testing: cmake: Update the minimum required version to 2.8.12 (except Windows). CI: Introduce and use TCPDUMP_CMAKE_TAINTED. Makefile.in: Add the releasecheck target. Makefile.in: Add "make -s install" in the releasecheck target. Cirrus CI: Run the "make releasecheck" command in the Linux task. Makefile.in: Add the whitespacecheck target. Cirrus CI: Run the "make whitespacecheck" command in the Linux task. Address all shellcheck warnings in update-test.sh. Makefile.in: Get rid of a remain of gnuc.h. Documentation: Reformat the installation notes (INSTALL.txt) in Markdown. Convert CONTRIBUTING to Markdown. CONTRIBUTING.md: Document the use of "protocol: " in a commit summary. Add a README file for NetBSD. Fix CMake build to set man page section numbers in tcpdump.1 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit dab75037cc9c4a5674e08c3a55fff172fd6eba75) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: upgrade 4.99.1 -> 4.99.2Wang Mingyu2023-09-051-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== Updated printers: ----------------- BGP: Update cease notification decoding to RFC 9003. BGP: decode BGP link-bandwidth extended community properly. BGP: Fix parsing the AIGP attribute BGP: make sure the path attributes don't go past the end of the packet. BGP: Shutdown message can be up to 255 bytes length according to rfc9003 DSA: correctly determine VID. EAP: fix some length checks and output issues. 802.11: Fix the misleading comment regarding "From DS", "To DS" Frame Control Flags. 802.11: Fetch the CF and TIM IEs a field at a time. 802.15.4, BGP, LISP: fix some length checks, compiler warnings, and undefined behavior warnings. PFLOG: handle LINKTYPE_PFLOG/DLT_PFLOG files from all OSes on all OSes. RRCP: support more Realtek protocols than just RRCP. MPLS: show the EXP field as TC, as per RFC 5462. ICMP: redo MPLS Extension code as general ICMP Extension code. VQP: Do not print unknown error codes twice. Juniper: Add some bounds checks. Juniper: Don't treat known DLT_ types as "Unknown". lwres: Fix a length check, update a variable type. EAP: Fix some undefined behaviors at runtime. Ethernet: Rework the length checks, add a length check. IPX: Add two length checks. Zephyr: Avoid printing non-ASCII characters. VRRP: Print the protocol name before any GET_(). DCCP: Get rid of trailing commas in lists. Juniper: Report invalid packets as invalid, not truncated. IPv6: Remove an obsolete code in an always-false #if wrapper. ISAKMP: Use GET_U_1() to replace a direct dereference. RADIUS: Use GET_U_1() to replace a direct dereference. TCP: Fix an invalid check. RESP: Fix an invalid check. RESP: Remove an unnecessary test. Arista: Refine the output format and print HwInfo. sFlow: add support for IPv6 agent, add a length check. VRRP: add support for IPv6. OSPF: Update to match the Router Properties registry. OSPF: Remove two unnecessary dereferences. OSPF: Add support bit Nt RFC3101. OSPFv3: Remove two unnecessary dereferences. ICMPv6: Fix output for Router Renumbering messages. ICMPv6: Fix the Node Information flags. ICMPv6: Remove an unused macro and extra blank lines. ICMPv6: Add a length check in the rpl_dio_print() function. ICMPv6: Use GET_IP6ADDR_STRING() in the rpl_dio_print() function. IPv6: Add some checks for the Hop-by-Hop Options header IPv6: Add a check for the Jumbo Payload Hop-by-Hop option. NFS: Fix the format for printing an unsigned int PTP: fix printing of the correction fields PTP: Use ND_LCHECK_U for checking invalid length. WHOIS: Add its own printer source file and printer function MPTCP: print length before subtype inside MPTCP options ESP: Add a workaround to a "use-of-uninitialized-value". PPP: Add tests to avoid incorrectly re-entering ppp_hdlc(). PPP: Don't process further if protocol is unknown (-e option). PPP: Change the pointer to packet data. ZEP: Add three length checks. Add some const qualifiers. Building and testing: ---------------------- Update config.guess and config.sub. Use AS_HELP_STRING macro instead of AC_HELP_STRING. Handle some Autoconf/make errors better. Fix an error when cross-compiling. Use "git archive" for the "make releasetar" process. Remove the release candidate rcX targets. Mend "make check" on Solaris 9 with Autoconf. Address assorted compiler warnings. Fix auto-enabling of Capsicum on FreeBSD with Autoconf. Treat "msys" as Windows for test exit statuses. Clean up some help messages in configure. Use unified diff by default. Remove awk code from mkdep. Fix configure test errors with Clang 15 CMake: Prevent stripping of the RPATH on installation. AppVeyor CI: update Npcap site, update to 1.12 SDK. Cirrus CI: Use the same configuration as for the main branch. CI: Add back running tcpdump -J/-L and capture, now with Cirrus VMs. Remove four test files (They are now in the libpcap tests directory). On Solaris, for 64-bit builds, use the 64-bit pcap-config. Tell CMake not to check for a C++ compiler. CMake: Add a way to request -Werror and equivalents. configure: Special-case macOS /usr/bin/pcap-config as we do in CMake. configure: Use pcap-config --static-pcap-only if available. configure: Use ac_c_werror_flag to force unknown compiler flags to fail. configure: Use AC_COMPILE_IFELSE() and AC_LANG_SOURCE() for testing flags. Run the test that fails on OpenBSD only if we're not on OpenBSD. Source code: ------------- Fix some snapend-changing routines to protect against pointer underflow. Use __func__ from C99 in some function calls. Memory allocator: Update nd_add_alloc_list() to a static function. addrtoname.c: Fix two invalid tests. Use more S_SUCCESS and S_ERR_HOST_PROGRAM in main(). Add some comments about "don't use GET_IP6ADDR_STRING()". Assign ndo->ndo_packetp in pretty_print_packet(). Add ND_LCHECKMSG_U, ND_LCHECK_U, ND_LCHECKMSG_ZU and ND_LCHECK_ZU macros. Update tok2strbuf() to a static function. netdissect.h: Keep the link-layer dissectors names sorted. setsignal(): Set SA_RESTART on non-lethal signals (REQ_INFO, FLUSH_PCAP) to avoid corrupting binary pcap output. Use __builtin_unreachable(). Fail if nd_push_buffer() or nd_push_snaplen() fails. Improve code style and fix many typos. Documentation: --------------- Some man page cleanups. Update the print interface for the packet count to stdout. Note that we require compilers to support at least some of C99. Update AIX and Solaris-related specifics. INSTALL.txt: Add doc/README.*, delete the deleted win32 directory. Update README.md and README.Win32.md. Update some comments with new RFC numbers. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 68db0a388005c319784ec3b6ca533d0d9a142554) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* spice-protocol: fix populate_sdk error when spice is installedChen Qi2023-09-041-0/+2
| | | | | | | | | | | | | | | | | spice depends on spice-protocol, when IMAGE_INSTALL contains spice, do_populate_sdk fails with the following error: Error: Problem: package libspice-server-dev-0.14.2+git0+7cbd70b931_4fc4c2db36-r0.core2_64 requires spice-protocol-dev, but none of the providers can be installed - conflicting requests - nothing provides spice-protocol = 0.14.4-r0 needed by spice-protocol-dev-0.14.4-r0.core2_64 (try to add '--skip-broken' to skip uninstallable packages) For spice-protocol, it's a development package and all things are in the dev package, so set ALLOW_EMPTY to fix the above error. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5Peter Marko2023-07-022-0/+332
| | | | | | | | | | | | Patch taken from https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch It is linked as official patch for p15 in: - https://www.ntp.org/support/securitynotice/ntpbug3807/ - https://www.ntp.org/support/securitynotice/ntpbug3806/ Small adaptation to build is needed because of how tests are built. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: upgrade 4.4.2 -> 4.4.4Polampalli, Archana2023-07-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This release contains bug fixes only. The following CVEs have been addressed: CVE-2023-27783 CVE-2023-27784 CVE-2023-27785 CVE-2023-27786 CVE-2023-27787 CVE-2023-27788 CVE-2023-27789 Changelog: ========= dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781 Bug #780 assert tcpedit dlt cleanup by @fklassen in #800 Fix bugs caused by strtok_r by @Marsman1996 in #783 Bug #782 #784 #785 #786 #787 #788 strtok r isuses by @fklassen in #801 Update en10mb.c by @david-guti in #793 PR #793 ip6 unicast flood by @fklassen in #802 Bug #719 fix overflow check for parse_mpls() by @fklassen in #804 PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805 PR #793 - update tests for vlandel by @fklassen in #806 Feature #773 gh actions ci by @fklassen in #807 Feature #759: Upgrade autogen/libopts to 5.18.16 by @fklassen in #760 Bug #751 don't exit after send error by @fklassen in #761 Bug #750: configure: libpcap version robustness by @fklassen in #764 Bug #749 flow stats: avoid overstating flow packet count by @fklassen in #765 Bug #750 more libpcap version updates by @fklassen in #766 Bug #767 tests: support for out-of-tree tests by @fklassen in #768 Bug #750 - fix macOS test failure by @fklassen in #770 4.4.3 by @fklassen in #769 and #771 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix Multiple CVEsHitendra Prajapati2023-07-024-0/+224
| | | | | | | | | | Backport fixes for: * CVE-2023-0666 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2 * CVE-2023-0667 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a * CVE-2023-0668 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2023-2952 XRA dissector infinite loopHitendra Prajapati2023-06-172-0/+99
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix CVE-2023-2858 & CVE-2023-2879Hitendra Prajapati2023-06-113-0/+134
| | | | | | | | | Backport fixes for: * CVE-2023-2858 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105 * CVE-2023-2879 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2023-2856 VMS TCPIPtrace file parser crashHitendra Prajapati2023-06-112-0/+70
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2023-2855 Candump log file parser crashHitendra Prajapati2023-06-112-0/+109
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tinyproxy: fix CVE-2022-40468Chee Yang Lee2023-05-092-0/+34
| | | | | | | | (cherry-picked from 795ccdd86cad05c425adae15af27797f42f33c56) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: fix CVE-2023-28450Peter Marko2023-03-252-0/+49
| | | | | | | | The patch is modified by removing irrelevant and conflicting CHANGELOG entry. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntp: whitelist CVE-2019-11331Peter Marko2023-03-161-0/+2
| | | | | | | | | | | | Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to conclusion that this is how icurrent ntp protocol is designed. New RFC is propsed for future but it will not be compatible with current one. See https://support.f5.com/csp/article/K09940637 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cifs-utils: fix CVE-2022-27239 CVE-2022-29869Chee Yang Lee2023-03-053-1/+92
| | | | | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: add pkgconfig class as pkg-config is explicitly searched forGary Huband2023-02-111-1/+1
| | | | | | | | | | | | | | | | | | | | | From ec97a83702704bb02b00358c0d26e78294ad3254 Mon Sep 17 00:00:00 2001 From: Federico Pellegrin <fede@evolware.org> Date: Thu, 6 Oct 2022 14:17:21 +0200 Subject: [kirkstone][PATCH] chrony: add pkgconfig class as pkg-config is explicitly searched for The configure script present in chrony will explicitly look for pkg-config and without the pkgconfig class it will fail: Checking for pkg-config : No This then affects the possibility (via image features or bbappend) to use features based on nettle/gnutls/nss which strictly require pkgconfig to be present and working. Signed-off-by: Federico Pellegrin <fede@evolware.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the libcap and nss PACKAGECONFIGsPeter Kjellerstedt2022-11-121-4/+4
| | | | | | | | | | | | There is no need for these configs on their own and they would only mess up the sechash and privdrop configs. To actually enable sechash one also had to enable nss, and to enable privdrop one also had to enable libcap. This also avoids passing --with-libcap if privdrop is enabled since the option does not exist. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: Remove the readline PACKAGECONFIGPeter Kjellerstedt2022-11-121-9/+4
| | | | | | | | | Support for readline was dropped in Chrony 4.2. Enabling the readline PACKAGECONFIG would result in no suppport for command line editing as only editline is supported and it would be disabled. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: CVE-2022-40617 A possible DoS in Using Untrusted URIs for ↵Hitendra Prajapati2022-11-122-0/+158
| | | | | | | | | | | Revocation Checking Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2022-40617 Affects "strongswan < 5.9.8" Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: upgrade 4.4.1 -> 4.4.2Wang Mingyu2022-10-131-1/+1
| | | | | | | | | | | | | | | | | | | This release contains bug fixes only. The following CVEs have been addressed: CVE-2022-37049 CVE-2022-37048 CVE-2022-37047 CVE-2022-28487 CVE-2022-25484 CVE-2022-27939 CVE-2022-27940 CVE-2022-27941 CVE-2022-27942 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* open-vm-tools: Security fix CVE-2022-31676Yi Zhao2022-10-132-0/+44
| | | | | | | | | | | | | | | | | CVE-2022-31676: VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-31676 Patch from: https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: upgrade 2.86 -> 2.87wangmy2022-10-044-201/+10
| | | | | | | | | | | | License-Update : format of License file changed. CVE-2022-0934.patch deleted since it's included in 2.87. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 79ed6782a66590d769a516d8b4c15a4330bf7515) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: CVE-2022-3190 Infinite loop in legacy style dissectorHitendra Prajapati2022-10-042-0/+146
| | | | | | | | | | | | | | | Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 MR: 122044 Type: Security Fix Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5 Description: CVE-2022-3190 wireshark: Infinite loop in legacy style dissector. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849) Signed-off-by: Armin Kuster <akuster808@gmail.com>