summaryrefslogtreecommitdiffstats
path: root/meta-networking
Commit message (Collapse)AuthorAgeFilesLines
* quagga: CVE-2021-44038 unsafe chown/chmod operations may lead to privileges ↵Hitendra Prajapati2023-07-142-1/+118
| | | | | | | | | escalation Upstream-Status: Backport from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5Hitendra Prajapati2023-07-142-1/+349
| | | | | | | | | | | | | | | | | | | | | Upstream-Status: Backport from https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch Patch taken from https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch It is linked as official patch for p15 in: - https://www.ntp.org/support/securitynotice/ntpbug3807/ - https://www.ntp.org/support/securitynotice/ntpbug3806/ Small adaptation to build is needed because of how tests are built. Backport fixes for: CVE: CVE-2023-26551 CVE: CVE-2023-26552 CVE: CVE-2023-26553 CVE: CVE-2023-26554 CVE: CVE-2023-26555 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix CVE-2023-0667 & CVE-2023-0668Hitendra Prajapati2023-07-144-0/+255
| | | | | | | | | Backport fixes for: * CVE-2023-0667 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801 && https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a * CVE-2023-0668 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Fix Multiple CVEsHitendra Prajapati2023-07-145-2/+382
| | | | | | | | | | | Backport fixes for: * CVE-2023-2855 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb * CVE-2023-2856 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca * CVE-2023-2858 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105 * CVE-2023-2952 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: upgrade 2.4.9 -> 2.4.12Hugo SIMELIERE2023-05-031-2/+2
| | | | | | | | | Fixes below CVEs: * CVE-2022-0547 * CVE-2020-15078 Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlistHugo SIMELIERE2023-05-031-0/+3
| | | | | | | | | | | CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. Signed-off-by: Akifumi Chikazawa <chikazawa.akifu@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (upstream from commit d49e96aac4616c439a2d778b95a793037dac884e) Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: fix CVE-2023-28450 default maximum EDNS.0 UDP packet size was set ↵vkumbhar2023-04-062-0/+64
| | | | | | | | | | | to 4096 but should be 1232 Set the default maximum DNS UDP packet size to 1232. http://www.dnsflagday.net/2020/ refers. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer ExceptionHitendra Prajapati2023-02-222-0/+117
| | | | | | | Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postfix: upgrade 3.4.23 -> 3.4.27Yi Zhao2023-01-191-1/+1
| | | | | | | | Changelog: http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.4.27.HISTORY Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* proftpd: CVE-2021-46854 memory disclosure to radius serverHitendra Prajapati2023-01-192-0/+52
| | | | | | Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
* strongswan: Fix CVE-2022-40617Ranjitsinh Rathod2022-11-252-0/+211
| | | | | | | | | | | | | Add a patch to fix CVE-2022-40617 issue which allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools)Colin Finck2022-10-305-93/+25
| | | | | | | | | | | | Quoting Jason A. Donenfeld on IRC: <zx2c4> Colin_Finck: you should never, ever use old versions <zx2c4> Notice that neither the major nor minor version numbers change <zx2c4> Use the latest versions on your LTS With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* networkmanager: Update to 1.22.16Mathieu Dubois-Briand2022-10-301-1/+2
| | | | | | | | Update network manager stable branch to last version, allowing to fix CVE-2020-10754. Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relayHitendra Prajapati2022-10-302-0/+189
| | | | | | | | | | | | Source: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git MR: 121726 Type: Security Fix Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39 ChangeID: be554ef6ebedd7148404ea3cc280f2e42e17dc8c Description: CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
* cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an ↵Hitendra Prajapati2022-07-162-0/+84
| | | | | | | | | | | | | | | attacker to execute arbitrary SQL commands Source: https://github.com/cyrusimap/cyrus-sasl MR: 118501 Type: Security Fix Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* bridge-utils: Switch to use the main branchMingli Yu2022-06-151-1/+1
| | | | | | | | | Fix the below do_fetch warning: WARNING: bridge-utils-1.7-r0 do_fetch: Failed to fetch URL git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git, attempting MIRRORS if available Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: Add fix for CVE-2018-16301Riyaz Ahmed Khan2022-05-252-0/+112
| | | | | | | | | | | | | Add patch for CVE issue: CVE-2018-16301 Link: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Upstream-Status: Pending Issue: MGUBSYS-5370 Change-Id: I2aac084e61ba9d71ae614a97b4924eaa60328b79 Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* atftp: Add fix for CVE-2021-41054 and CVE-2021-46671Ranjitsinh Rathod2022-05-253-0/+161
| | | | | | | | | | Add patches to fix CVE-2021-41054 and CVE-2021-46671 issues Link: https://nvd.nist.gov/vuln/detail/CVE-2021-41054 Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46671 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* geoip: Switch to use the main branchMingli Yu2022-04-181-1/+1
| | | | | | | | | | | Fix the below do_fetch warning: WARNING: geoip-1.6.12-r0 do_fetch: Failed to fetch URL git://github.com/maxmind/geoip-api-c.git, attempting MIRRORS if available Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df3ef158347072a409b4e276a9dab8c2e89350ec) [Fix up for dunfell context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpreplay: Add fix for CVE-2020-24265 and CVE-2020-24266Akash Hadke2022-03-272-1/+39
| | | | | | | | | | Add below patch to fix CVE-2020-24265 and CVE-2020-24266 CVE-2020-24265-and-CVE-2020-24266.patch Link: https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d Signed-off-by: Akash Hadke <akash.hadke@kpit.com> Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Add fix of CVE-2021-45079Ranjitsinh Rathod2022-02-132-0/+157
| | | | | | | | Add a patch to fix CVE-2021-45079 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireshark: Update to 3.2.18Armin Kuster2022-01-262-2/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Source: wireshark.org MR: 114425, 114409, 114441, 114269, 114417, 114311, 114449 Type: Security Fix Disposition: Backport from wireshark.org ChangeID: 8663cdebb2f10ee84817e5199fa3be0acb715af9 Description: This is a bugfix only update. Addresses these CVES: wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929. wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925. wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924. wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684. CVE-2021-39920, CVE-2021-39923. wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922. wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928. wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921. Signed-off-by: Armin Kuster <akuster@mvista.com> --- V2] Fixes: /build/run/lemon: Exec format error revert "cmake: lemon: fix path to internal lemon tool" so the wireshark-native version is instead. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Fix for CVE-2021-41990 and CVE-2021-41991Virendra Thakur2022-01-223-0/+105
| | | | | | | Add patch to fix CVE-2021-41990 and CVE-2021-41991 Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* netcat: Set CVE_PRODUCTAndre Carvalho2022-01-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | This way yocto cve-check can find open CVE's. See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html "Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping with after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages." Value added is based on: https://nvd.nist.gov/products/cpe/search/results?keyword=netcat&status=FINAL&orderBy=CPEURI&namingFormat=2.3 Signed-off-by: Andre Carvalho <andrestc@fb.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postfix: upgrade 3.4.12 -> 3.4.23Yi Zhao2021-12-311-2/+2
| | | | | | | Changelog: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.20.HISTORY Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* postfix: fix build with glibc 2.34Yi Zhao2021-12-312-0/+47
| | | | | | | | | | | | | | | | | | Backport a patch to fix build against glibc 2.34 (e.g. on Fedora 35) Fixes: | In file included from attr_clnt.c:88: | /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’ | 363 | extern void closefrom (int __lowfd) __THROW; | | ^~~~~~~~~ | In file included from attr_clnt.c:87: | ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’ | 1506 | extern int closefrom(int); | | ^~~~~~~~~ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* dovecot: refresh patchesstable/dufell-nutArmin kuster2021-12-273-22/+18
| | | | Signed-off-by: Armin kuster <akuster808@gamil.com>
* dovecot: Fix CVE-2020-12674sana kazi2021-12-032-0/+31
| | | | | | | | | | Added patch for CVE-2020-12674 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: Fix CVE-2020-12673sana kazi2021-12-032-0/+38
| | | | | | | | | | Added patch for CVE-2020-12673 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: Fix CVE-2020-12100sana kazi2021-12-0315-0/+1264
| | | | | | | | | | Added patches to fix CVE-2020-12100 Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: Update SRC_URI branch and protocolsArmin Kuster2021-11-1753-56/+56
| | | | | | | | This patch updates SRC_URIs using git to include branch=master if no branch is set and also to use protocol=https for github urls as generated by the conversion script in OE-Core. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* drdb-utils: Define SRCREV_FORMATAndreas Weger2021-11-021-0/+1
| | | | | | | | | Since it uses multiple fetch URIs make it explicit to define SRCREV_FORMAT Signed-off-by: Andreas Weger <weger@hs-mittweida.de> Change-Id: Id1d0a1062d09f690123b2a1c06137ae5c04d7b20 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: Update CVE-2020-8037 tagPurushottam Choudhary2021-10-011-0/+1
| | | | | | | | | | CVE tag was missing inside the patch file which is the remedy for CVE-2020-8037 and tracked by cve-check. Signed-off-by: Purushottam Choudhary <purushottam.Choudhary@kpit.com> Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Security fix CVE-2021-3448Armin Kuster2021-09-102-0/+1041
| | | | | | | | | | | | | Source: https://thekelleys.org.uk/dnsmasq.git MR: 110238 Type: Security Fix Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 ChangeID: 3365bcc47b0467b487f14fc6bfad89bc560cd818 Description: A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. Signed-off-by: Armin Kuster <akuster@mvista.com>
* stunnel: upgrade 5.56 -> 5.57Pierre-Jean Texier2021-09-101-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Source: https://git.openembedded.org/meta-openembedded MR: 109039 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/stunnel?h=gatesgarth&id=b76712700c79e4627028787ae65ab306c21eed02 ChangeID: 2543a2516b0f00024ed117a1fe33d1157b3d725f Description: Affects < 5.57 License-Update: copyright years updated. This is a bug fix release: - X.509 v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificaes. - Fixed a tiny memory leak in configuration file reload error handling (thx to Richard Könning). - Merged Debian 05-typos.patch (thx to Peter Pentchev). - Merged with minor changes Debian 06-hup-separate.patch (thx to Peter Pentchev). - Merged Debian 07-imap-capabilities.patch (thx to Ansgar). - Merged Debian 08-addrconfig-workaround.patch (thx to Peter Pentchev). - Fixed tests on the WSL2 platform. Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b76712700c79e4627028787ae65ab306c21eed02) [Includes CVE-2021-20230 per changelog Full commit https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9 ] Signed-off-by: Armin Kuster <akuster@mvista.com>
* tcpdump: Exclude CVE-2020-8036 from checkArmin Kuster2021-08-241-0/+5
| | | | | | | This issue was introduce in 4.9 by 246ca110 Autosar SOME/IP protocol support which is after 4.9.3 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ufw: Fix interpreter for installed ufw and test ufwJate Sujjavanich2021-08-152-16/+6
| | | | | | | | | Revert patch to setup-only-make-one-reference-to-env.patch and make patch for python3 interpreter fix apply to runs of setup.py during self test as well as installs. Reported-by: Kenta Nakamura <Nakamura.Kenta@bp.MitsubishiElectric.co.jp> Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
* wireshark: update to 3.2.15Armin Kuster2021-07-251-1/+1
| | | | | | | | | | | | | | | | | | | | | Source: Wireshark.org MR: 109612, 110462, 112069 Type: Security Fix Disposition: Backport from wireshark.org ChangeID: 40f9f8ac2431f32680d4817607badbbe44875260 Description: Bug fix only update: see: https://www.wireshark.org/docs/relnotes/wireshark-3.2.15.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.14.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.13.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.12.html https://www.wireshark.org/docs/relnotes/wireshark-3.2.11.html includes: CVE-2021-22191, CVE-2021-22207, CVE-2021-22235 Signed-off-by: Armin Kuster <akuster@mvista.com>
* ufw: backport patches, update RRECOMMENDS, python3 support, testsJate Sujjavanich2021-07-249-7/+18155
| | | | | | | | | | | | | | | | | Backport patches: using conntrack instead of state eliminating warning support setup.py build (python 3) adjust runtime tests to use daytime port (netbase changes) empty out IPT_MODULES (nf conntrack warning) check-requirements patch for python 3.8 Update, add patches for python 3 interpreter Add ufw-test package. Backport fixes for check-requirements script Update kernel RRECOMMENDS for linux-yocto 5.4 in dunfell For dunfell Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ntp: fix ntpdate to wait for subprocessesAdrian Zaharia2021-07-101-0/+5
| | | | | | | | | | | | | | | | | | | When using systemd, ntpdate-sync script will start in background triggering the start of ntpd without actually exiting. This results in an bind error in ntpd startup. Add wait at the end of ntpdate script to ensure that when the ntpdate.service is marked as finished the oneshot script ntpdate-sync finished and unbind the ntp port Fixes #386 Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 73d5cd5e8d9d8a922b6a8a9d90adf0470a99314e) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f52ce99b468eff95b6e36caf41fb50808a26f8d5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dovecot: add CVE-2016-4983 to allowlistkraj/dunfellArmin Kuster2021-07-061-0/+3
| | | | | | | | | | | | CVE-2016-4983 affects only postinstall script on specific distribution, so add it to allowlist. Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3613b50a84559ce771866cd1eef1141fa3e6d238) [mkcert.sh does mask 077 first] Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit d1fb027f894921ea02c984eb581ee1500c613470) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cyrus-sasl: add CVE-2020-8032 to allowlistito-yuichi@fujitsu.com2021-07-051-0/+3
| | | | | | | | | | | This affects only openSUSE, so add it to allowlist. Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 711e932b14de57a5f341124470b2f3f131615a25) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 26819375448077265cd4c9dbb88b6be08b899e3f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* add CVE-2011-2411 to allowlistSekine Shigeki2021-07-051-0/+4
| | | | | | | | | | | This affects only on HP NonStop Server, so add it to allowlist. Signed-off-by: Sekine Shigeki <sekine.shigeki@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bb4a4f0ff8d9926137cb152fd3f2808bd9f961ce) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit d614d160a10b3c5ac36702fbd433f98925a9aa8e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Add fixes for CVEs reported for dnsmasqSana Kazi2021-05-297-1/+1631
| | | | | | | | | | | | | | | | | | | | | | | | Applied single patch for below listed CVEs: CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25687 as they are fixed by single commit http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a Link: https://www.openwall.com/lists/oss-security/2021/01/19/1 Also, applied patch for below listed CVEs: CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 all CVEs applicable to v2.81 Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> [Refreshed patches] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ebtables: use bitbake optimization levelsMikko Rapeli2021-05-292-0/+20
| | | | | | | | | | | | | | Don't overwrite with O3 optimization. Reduces ebtables binary package size from 416241 to 412145 bytes, and enables further optimizations with e.g. -Os flags via bitbake distro wide settings. Only ebtables versions up to 2.0.10-4 and dunfell are affected. The version 2.0.11 from hardknott and master branch use system wide flags already. Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* wireguard: fix build issue with updated 5.4 kernelArmin Kuster2021-04-072-1/+34
| | | | | | | | error: static declaration of 'icmp_ndo_send' follows non-static declaration | 959 | static inline void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) | | ^~~~~~~~~~~~~ Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mdns: Whitelisted CVE-2007-0613 for mdnsSana Kazi2021-03-161-0/+13
| | | | | | | | | | | | | | | | | | | | CVE-2007-0613 is not applicable as it only affects Apple products i.e. ichat,mdnsresponder, instant message framework and MacOS. Also, https://www.exploit-db.com/exploits/3230 shows the part of code affected by CVE-2007-0613 which is not preset in upstream source code. Hence, CVE-2007-0613 does not affect other Yocto implementations and is not reported for other distros can be marked whitelisted. Links: https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 https://security-tracker.debian.org/tracker/CVE-2007-0613 https://ubuntu.com/security/CVE-2007-0613 https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f37e5423da984b7dc721d52f04673d3afc0879a1) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nghttp2: Add fix for CVE-2020-11080Rahul Taya2021-03-163-0/+341
| | | | | | | | | | | Added below two patches to fix CVE-2020-11080: 1. CVE-2020-11080-1.patch 2. CVE-2020-11080-2.patch Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> [Refreshed patches to apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openipmi: Inherit python3targetconfigKhem Raj2021-02-191-1/+1
| | | | | | | | | | | | | | | | Fixes configure: error: Could not link test program to Python. Maybe the main Python library has been installed in some non-standard library path. If so, pass it to configure, via the LIBS environment variable. Example: ./configure LIBS="-L/usr/non-standard-path/python/lib" Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 59f817bbe374799e4398766c2a444692d932d979) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 59d3d64e902d4d2e7ea9c3d2e1fec442912bcdd5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dnsmasq: Fix systemd serviceMario Schuknecht2021-02-151-1/+1
| | | | | | | | | | | | | | Systemd service file option 'ExecStopPre' is warned and ignored by systemd. By replacing 'ExecStopPre' with 'ExecStop', the intended behavior is realized. The 'ExecStop' commands are executed one after the other. Signed-off-by: Mario Schuknecht <mario.schuknecht@dresearch-fe.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 55c94cb3196f53d0c1c76bbd74136d1b5d51802d) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 83842c9150fdead52dc7b0913ffac32677720f98) Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-05 20:53:14 +0000