| Commit message | Author | Age | Files | Lines |
| |
This is the latest stable release of the Samba 4.18 release series.
It contains the security-relevant bugfix CVE-2018-14628:
Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
allow read of object tombstones over LDAP
(Administrator action required!)
https://www.samba.org/samba/security/CVE-2018-14628.html
Release Notes:
https://www.samba.org/samba/history/samba-4.18.9.html
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f4c3c747d6df6015eb1231f2867ffe43ddb9620e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
- Fixes a regression with handling OCSP error responses and adds a new
option to specify the length of nonces in OCSP requests. Also adds some
other improvements for OCSP handling and fuzzers for OCSP
requests/responses.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be2e20157f3025f9e2370933267a56fd526c58e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Add patches fixing CVE-2023-46752, CVE-2023-46753, CVE-2023-47234,
and CVE-2023-47235 to FRR 9.0.
Patch order is commit order, not CVE numerical order, to avoid fuzz /
need for rebasing of the patches.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46752
https://nvd.nist.gov/vuln/detail/CVE-2023-46753
https://nvd.nist.gov/vuln/detail/CVE-2023-47234
https://nvd.nist.gov/vuln/detail/CVE-2023-47235
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 00e928bcb7e933ada8e67f3bfa887988d1ca9d61)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
==========
- Fixed a vulnerability in charon-tkm related to processing DH public values
that can lead to a buffer overflow and potentially remote code execution.
- The new `pki --ocsp` command produces OCSP responses based on certificate
status information provided by plugins.
- The cert-enroll script handles the initial enrollment of an X.509 host
certificate with a PKI server via the EST or SCEP protocols.
- The --priv argument for charon-cmd allows using any type of private key.
- Support for nameConstraints of type iPAddress has been added (the openssl
plugin previously didn't support nameConstraints at all).
- SANs of type uniformResourceIdentifier can now be encoded in certificates.
- Password-less PKCS#12 and PKCS#8 files are supported.
- A new global option allows preventing peers from authenticating with trusted
end-entity certificates (i.e. local certificates).
- ECDSA public keys that encode curve parameters explicitly are now rejected by
all plugins that support ECDSA.
- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
also use the name in connection.interface-name.
- The resolve plugin tries to maintain the order of installed DNS servers.
- The kernel-libipsec plugin always installs routes even if no address is found
in the local traffic selectors.
- Increased the default receive buffer size for Netlink sockets to 8 MiB and
simplified its configuration.
- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
always generating a hash of the subjectPublicKey.
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
unrelated traffic selectors.
- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
instead callbacks are always invoked even if only errors are signaled.
- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
handling invalid messages.
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
CHILD_SA is not found during rekeying.
- The testing environment is now based on Debian 12 (bookworm), by default.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 077489fda8f27336942457da1eaa022804f327c2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ca49f2025e65713811e73e894c60cb78be1ed34c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
License-Update: Added Apache2 linking exception
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 45ad525348569f8f5f694a88bb311dbf83998304)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes
Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0
The extra patch fixes x86 32-bit builds.
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ae4e1e70a1493bb657190236122527130da93cb0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
OpenBMC enables SPDX SBOM generation by default. For Meta's Bletchley
platform we found that mdio-tools and its relationships with both
mdio-netlink and the mdio-netlink kernel module break SPDX processing
while generating the rootfs after a kernel bump. For example, the
following output was generated by `bitbake obmc-phosphor-image`:
ERROR: obmc-phosphor-image-1.0-r0 do_rootfs: Cannot find any SPDX file for document http://spdx.org/spdxdoc/kernel-module-mdio-netlink-6.5.4-da279e9-00089-gda279e98c07f-89187488-3164-50cb-94c5-8b76a30ea093
The error occurred after the following patch was applied (again, in the
context of OpenBMC):
diff --git a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
index e6f98297c540..b852e993f0f6 100644
--- a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
+++ b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
@@ -1,6 +1,6 @@
KBRANCH ?= "dev-6.5"
-LINUX_VERSION ?= "6.5.4"
+LINUX_VERSION ?= "6.5.9"
-SRCREV="da279e98c07f9c948c60a434ab0043a55c26ea1d"
+SRCREV="fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"
require linux-aspeed.inc
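Review bot: The added `SRCREV="fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"` line keeps the assignment without spaces around `=`, unlike the `KBRANCH ?=` and `LINUX_VERSION ?=` lines next to it; write it as `SRCREV = "..."` so the recipe is consistent. Both bumped values end up in the kernel-module package name (the failing SPDX document above is named `kernel-module-mdio-netlink-6.5.4-da279e9-...`), so the bump should state that recipes depending on out-of-tree kernel modules must be rebuilt with it.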
With the lack of a dependency the mdio-tools package is not rebuilt
subsequent to the kernel bump and the package information remains stale,
leading to an incorrect SPDX path being generated.
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 668cf43b21e27faa34b7c3c7133a480a9e4e480f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
versioning patch when using lld only
This patch caused GNU linker to fail linking, therefore limit it to just
lld.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 22889b13f330e4753c5f72440abcfe42830f2f64)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Support for building from native was removed in commit e1b332f2e
(meta-networking: Drop broken BBCLASSEXTEND variants), most likely due
to no support for building libwebsockets-native. That support has now
been added, so it is now possible to build mosquitto-native again.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ad27cdd560fe9947a0e0f822d6a71bac5d2e4a7e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desirable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1b332f2eff7df2336ff87917cd48249edf763a2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Bugfix:
Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7e44aac2fb6a7e9d95cba4341d7fcaf5fa2a0923)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 21db09270d8c05ea1871277dd9899e352915297a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.9.txt
Drop configure option --disable-python as it has been removed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a48613d396d30444c7e28fd88c653cef9b17dad0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This release fixes several regressions in 1.4.7 with the -U/--update and
-D/--delete commands.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 67f6c57dcd7bf74c19e8af30df51a8938f2d2e2b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Changelog:
===========
* Clean up use of tags.
* Support for MacOS with Contiki-NG builds.
* Support for Windows with OpenSSL 3.x builds.
* Reported bugs fixed.
* Documentation updated.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b71cd660fc9083bdfc863f4fd940fa16dc0cba3f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
When this feature is enabled by default in packageconfig
this implies a dependency to python3-dnspython which is in meta-python.
Disable ac-dc PACKAGECONFIG by default to avoid adding a layer
dependency only for this feature.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c817cf55aeb2f7b9cee2281bfff2232be9a5c5e8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
libexosip2 extends the capabilities of the osip2 library. It can be a
useful building block for an embedded device application.
Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b4cb938b043c77f9f12f5cfb84fbc8f1f3fbf4d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
The GNU oSIP library is an implementation of SIP - rfc3261. It can be a
useful building block for an embedded device application.
Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a948375e5e21c8b92123b034176977083de464)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
* use external cmocka instead of bundled cmocka
* add run-ptest script
Ptest results:
$ ptest-runner libldb
START: ptest-runner
2023-10-12T11:49
BEGIN: /usr/lib/libldb/ptest
PASS: test_ldb_dn
PASS: test_ldb_qsort
DURATION: 0
END: /usr/lib/libldb/ptest
2023-10-12T11:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4a07ee78c57950aaf2e0858c159ffa6454f7f28a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
* use external cmocka instead of bundled cmocka
* add run-ptest script
Ptest results:
$ ./run-ptest
PASS: replace_testsuite
PASS: test_tevent_tag
PASS: test_tevent_trace
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 287386a51f8c2ed5ad3282d9481c56b7f546a4bf)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Do not use bundled cmocka to get rid of bundled library
libcmocka-samba4.so.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 649f63a235a968749ba833476f9acaa7af2e2130)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This is a security release in order to address the following defects:
CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html
Release Notes:
https://www.samba.org/samba/history/samba-4.18.8.html
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f674a9d4f9feb3afecdc81f4bced5469edc3bc71)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df98f884b9b9aa16e5323d0ce803fcce4148759f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
In order to pass reproducible tests, recipes that use the
useradd class must have static ids configured.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 714156cc42cfc35dbd960e7755866fa257f67090)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0287a38fbcead63a16d8b6d931d5e0e70adfe494)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
These are test images to build all recipes in layer. Renaming them makes
them reflect what they are. Moreover we can rename the ptest images to
match OE-Core naming conventions for meta-oe/meta-perl/meta-python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0cb018059499f7531749ee1d5d1cbb02a6cf3f0a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
These were essentially duplicates of core-image-minimal, however
core-image-base is a better baseline for upper layers, so switched the
consumers of these images to use core-image-base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e88b777cbecd85ff7d2916209774354a6a458101)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
We really do not need to define base images which already exist in core
layer, reuse them here.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ef9d73fced12e7b2dab485f0443cec84e55d016b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Recipe for TAYGA - an out-of-kernel stateless NAT64 implementation for Linux
Signed-off-by: Pawel Langowski <pawel.langowski@3mdeb.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 470b24bc04b15d142714db7de048f1c046123fe1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
GNU extension is now in use in 6.5 kernel headers sadly
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 29a21223938fedeb4a12c0f8189a99bb11bbd1bc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Drop the patch fixing an issue already addressed upstream
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 616991508e15a5d8a4faf020ebeb4062dc46c64b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5488a32d90a02c700b596cf8746e04bd3fb88272)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status
* Accepted was replaced with Backport in gatesgarth:
https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes
* as detected with oe-core/scripts/contrib/patchreview.py:
meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a1c3c7f4e81d24a4d43880222ee184de3c3156b2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8ffef53d6a491e154d9cbc83b766e65825120c80)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Add two patches from Debian, pull requests proposed upstream as 2894 and 2895
to make it start only when board is online, and to fix dynamic websockets link failure
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 79088766c8b82487a58da79f5ba9114c5ad69eaf)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Upgrade FRR to 9.0.1:
* drop all existing patches since they are included in 9.0.1
* add a patch fixing (harmless) error messages in log
* license files moved to doc/licenses
* protobuf-c-native (for protoc) and protobuf-c are now needed
Changelogs:
https://github.com/FRRouting/frr/releases/tag/frr-9.0.1
https://github.com/FRRouting/frr/commit/31ed3dd753d62b5d8916998bc32814007e91364b
https://github.com/FRRouting/frr/releases/tag/frr-9.0
https://github.com/FRRouting/frr/commit/2863e7efbcd0cbfbd41d3be04c660d77df65d0ea
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-39028
https://security-tracker.debian.org/tracker/CVE-2022-39028
Upstream Patch:
https://cgit.freebsd.org/src/commit/?id=6914ffef4e23
- Patch is adopted from FreeBSD, as same vulnerability of
telnetd is applicable to FreeBSD and netkit-telnet packages.
Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Fix a crash in ntpd if NTS is disabled and an NTS-enabled client request
(mode 3) is received. (CVE-2023-4012) #794
https://gitlab.com/NTPsec/ntpsec/-/releases/NTPsec_1_2_2a
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
* ipset is MACHINE_ARCH because inherits module-base.bbclass
* fixes:
bitbake-diffsigs \
sstate-before/hammerhead-halium/cortexa8t2hf-neon-halium-webos-linux-gnueabi/ot-br-posix/0.3.0+git.do_package_write_ipk.sigdata.48e7c1f619a5069d7aef82321e09d5598873d41cf561d3af1cffc94732dcacf0 \
sstate-before/mako/cortexa8t2hf-neon-halium-webos-linux-gnueabi/ot-br-posix/0.3.0+git.do_package_write_ipk.sigdata.9e0988bdeaf607e7de39a2fc307129ef41b57170cd775805eee46f0f5f89b80c
Hash for task dependency ipset:do_packagedata changed from 5d72520e773137ba1d716eeca111fce4355169ed18e4c81b5e5d764abf569f18 to 89ad5bdbdc7bd3fb72625cb963aff2c794da51fe2f70ecbfb34b9cff9b1b9308
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
* it has runtime dependency on mdio-netlink to satisfy:
RDEPENDS:${PN} = "kernel-module-mdio-netlink"
and mdio-netlink is MACHINE_ARCH because inherits module.bbclass
* fixes:
bitbake-diffsigs \
sstate-before/hammerhead-halium/cortexa8t2hf-neon-halium-webos-linux-gnueabi/mdio-tools/1.3.0.do_package_write_ipk.sigdata.1c175d042bd09e59c1329c51fba2569376f395ba79ee9adc62157ee91ad99e80 \
sstate-before/mako/cortexa8t2hf-neon-halium-webos-linux-gnueabi/mdio-tools/1.3.0.do_package_write_ipk.sigdata.4ad94062582b2cbbff07167598c1243aa18ff6c5cc23b3de8bce99081da500d8
Hash for task dependency mdio-netlink:do_packagedata changed from 759076223ccea58a05414b33bcc55c8d4b41a85c75ce56f2ba965004c422fd4c to b3c2ceee91dedb3b40f298d2efe09bbb7d3024f9ae93e83204233dcfd0a66459
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
License-Update:
Copyright: Update copyright date to end 2023 as appropriate
Add in OSCORE support
RIOT: Update to support latest libcoap code
Add BSD-3-Clause
Changelog:
===========
* Source files reformatted according to pre-commit rules.
* Support for RFC8613 (OSCORE).
* Support for RFC8974 (Extended Tokens).
* Support for RFC9177 (Q-Block).
* Support for latest RIOT code and new examples.
* Support for MinGW builds.
* Support for AF_UNIX sockets.
* Support for WebSockets (RFC8323).
* Support for IPv4 only and IPv6 only libcoap builds.
* Support for defining maximum logging level.
* Support for maintaining Observer requests over server restarts.
* Support for Contiki-NG.
* Support for latest LwIP, including using TinyDTLS.
* libcoap now has protocol layered support, separating out the
logical layers. Stack now is:-
- Application
- libcoap - CoAP
- libcoap - CoAP-Session
- libcoap - (D)TLS I/F using external (D)TLS Library
- libcoap - Netif
- libcoap - Sockets
- Kernel Network Stack
* Fixes CVE-2023-30362 and CVE-2023-35862.
* Reported bugs fixed.
* Examples now support separate logging levels for libcoap and (D)TLS.
* syslog LOG_ logging levels replaced with COAP_LOG_ logging levels.
* New public API functions to aid / reduce application coding.
* Remove requirement for applications to have sockaddr knowledge.
* Support for clients sending IPv4 broadcast requests.
* Documentation added and updated (Doxygen and man).
* Fix ABI version.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Changelog:
==========
* lib-oauth2: Allow JWT tokens to be validated with missing typ field.
+ auth: Auth passdb and userdb reply can contain "event_<name>=value"
which will be added to login event and mail user event respectively.
+ lib-master: Set process title during various initialization stages to
clearly describe what the process is waiting on.
+ lib-storage: The mail_temp_scan_interval is now fuzzed incrementing it
by 0..30% based on username's hash to reduce the chance of load spikes.
+ lib-storage: The temp file scan has been moved from the open of the
mailbox to the close, to reduce the latency perceived by users.
+ stats: If metric has fields specified, all these fields are
exported as counters to prometheus exposition.
- *-login: Processes might have crashed when a SSL connection disconnects
uncleanly.
- acl: When plugin was loaded \HasChildren and \HasNoChildren flags
were calculated incorrectly for mailboxes containing '*' and '%'
in their names.
- auth: Crash occurred if a connection to PostgreSQL database server
failed during startup.
- auth: Logins with invalid passwords (e.g. unknown scheme) in passdb
were failing with "password mismatch" instead of "internal error".
- auth: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol
specific error message on all errors. This especially broke OIDC
discovery.
- dbox: When last_temp_file_scan header wasn't set (especially after
dsync migration), the next mailbox open always triggers the temp file
scan.
- dict-redis: A crash would occur on transaction rollback.
- dsync: Infinite loop causing out of memory would occur when handling
mailbox deletion from remote end and hierarchy separators would differ.
- dsync: Incremental dsync failed for folder names ending with '%',
unless BROKENCHAR was set. Also folder names with '%' elsewhere in
them caused each incremental dsync to unnecessarily rename the folder
to a temporary name and back. v2.3.19 regression.
- imap-hibernate: If an IMAP client unhibernation timed out with
"(version received)", the unhibernation could still have successfully
finished later on and continued working normally. This was rather
confusing, because imap-hibernate already logged that the client got
disconnected.
- imapc: Crashed when a folder mapped through the virtual plugin
disappears from the storage.
- imapc: EXPUNGE, EXISTS or FETCH replies from a server for a previously
selected mailbox could have been processed as if they belonged to the
new mailbox currently being selected.
- lib-http: Dovecot HTTP server (doveadm, stats/openmetrics) may have
disconnected HTTP clients before the response is fully sent. This
happened only on busy servers where kernel's socket buffers were
rather full.
- lib-http: Fixed a potential crash on http-server if a client
disconnected early. v2.3.18 regression.
- lib-index: Index file corruption could have caused a crash. Fixes:
Panic: file mail-transaction-log-view.c: line 165 (mail_transaction_log_view_set):
assertion failed: (min_file_seq <= max_file_seq).
- lib-index: Purging an existing >1GB cache file can crash. Now cache
files still above 1GB after purging are removed. Fixes:
Panic: file mail-index-util.c: line 10 (mail_index_uint32_to_offset):
assertion failed: (offset < 0x40000000)
- lib-lua: A HTTP client could not resolve DNS names in mail processes,
because it expected "the dns-client" socket to exist in the current
directory.
- lib-oauth2: Dovecot would send client_id and client_secret as POST
parameters to the introspection server. These need to be optionally in
Basic auth instead.
- lib-oauth2: JWT aud validation was not performed if aud was missing
from a token, but was configured on Dovecot.
- lib-oauth2: JWT key type check was too strict.
- lib-oauth2: JWT token audience was not validated against client_id as
required by the specification.
- lib-ssl-iostream: Using the ssl_require_crl=yes setting may have caused
CRL check failures for outgoing SSL/TLS connections, although it was
supposed to affect checking CRLs only for client-side SSL
certificates. v2.3.17 regression.
- lib-sql: MySQL driver leaked memory when connection failed.
- lib-storage: Various fixes when running into out of disk space.
- master: Service idle_kill setting didn't work properly on busy
servers.
- mdbox: Temp file scan was done for always empty directories.
- mdbox: The fdatasync() call was done in wrong parent directory when
writing mails. Also on a failure it crashed instead of logging an error.
- notify_status: The plugin crashes if any user initialization fails.
- pop3: Sending command with the ':' character caused an assert-crash.
v2.3.18 regression. Fixes: Panic: event_reason_code_prefix(): name has ':'
- stats: Fix panic when a nonexistent event exporter was referenced while
adding a new metric dynamically via doveadm stats add.
- stats: If process exported a lot of events and then exited, some of
the last events may have become lost.
- stats: Invalid Prometheus label names were created with specific
histogram group_by configurations. Prometheus rejected these labels.
- welcome: The plugin didn't execute in some situations that created
INBOX but didn't open it.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Fix for CVE-2023-28366, CVE-2023-0809, CVE-2023-3592
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Add EXTRA_CFLAGS to fix reproducibility.
upstream fixed compilation on RHEL 9, which should be same problem fixed
with 0001-layer4-Change-order-of-include-files.patch. hence drop the
patch file.
https://github.com/acassen/keepalived/commit/3fd0c21e4f63ac0a52b5d7a09575f0f364972e4d
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
logging system
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
* oe-core switched to nanbield in:
https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
License-Update: Update LGPL text to match original license verbatim [1]
[1] https://git.infradead.org/users/dwmw2/openconnect.git/commit/8c9a353b4930dc081222ae05b3bcd42d0c78b66f
Signed-off-by: Khem Raj <raj.khem@gmail.com>