| Commit message | Author | Age | Files | Lines |
| |
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Enabling additional warning tightens the function prototype checks
and clang goes a step ahead to flag void foo() as well; it should be
void foo(void)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <martin.jansa@gmail.com>
| |
* fixes:
http://errors.yoctoproject.org/Errors/Details/848727/
ss_internal.h:88:6: error: conflicting types for 'ss_delete_info_dir'; have 'void(void)'
88 | void ss_delete_info_dir();
| ^~~~~~~~~~~~~~~~~~
...
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-24528
Upstream-patch:
https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
CVE-2024-26458:
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in
/krb5/src/lib/rpc/pmap_rmt.c.
CVE-2024-26461:
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak
vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-26458
https://nvd.nist.gov/vuln/detail/CVE-2024-26461
Upstream Patch:
https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
CVEs Fixed
CVE-2024-37370, CVE-2024-37371
Release Notes:
https://web.mit.edu/kerberos/krb5-1.21/krb5-1.21.3.html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
License-Update: Update copyright years to 2023
Release Notes:
https://web.mit.edu/kerberos/krb5-1.21/README-1.21.2.txt
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
The 'krb5-config' tool should be in ${PN}-dev (as intended by
binconfig class).
Use PACKAGE_BEFORE_PN for extra packages so that -dev is handled
before -user.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Release Notes:
https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.2.html
- Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].
- Fix read overruns in SPNEGO parsing.
- Compatibility fix for autoconf 2.72.
License-Update: Update copyright years to 2023
[https://github.com/krb5/krb5/commit/a273d4d1987dba088e51001d4119759b32b89190]
Removed patch - 0001-Fix-aclocal.m4-syntax-error-for-autoconf-2.72.patch as it is fixed in upgraded version.
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Fixes
checking for IPv6 compile-time support without -DINET6... ./configure: line 10004: syntax error near unexpected token `;;'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Error: Transaction test error:
file /usr/bin/krb5-config conflicts between attempted installs of lib32-krb5-user-1.17.2-r0.armv7ahf_neon and krb5-user-1.17.2-r0.aarch64
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Release Notes:
https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.1.html
License-Update: Update AES algorithm copyright [1]
Update copyright years [2]
[1] https://github.com/krb5/krb5/commit/cb5f190056ef4d123c5fe5d4923982b830288438
[2] https://github.com/krb5/krb5/commit/f1535bf6b47e8dc03d69fcfb98e798546ff7c272
* Update PACKAGECONFIG[keyutils] and drop the local patch.
* Drop backport CVE patches.
* Inherit pkgconfig bbclass to find com_err library correctly.
* Drop --without-tcl option as it has been removed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
CVE-2021-37750:
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in
kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-37750
Patches from:
https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
CVE-2021-36222:
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC)
in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2
allows remote attackers to cause a NULL pointer dereference and daemon
crash. This occurs because a return value is not properly managed in a
certain situation.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-36222
Patches from:
https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Remove -f*-prefix-map from LDFLAGS in krb5-config to fix reproducibility
issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
License-Update: Update copyright year to 2020.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
License-Update: Copyright year updated to 2019.
Remove one backported patch.
Fix below do_package issue:
ERROR: krb5-1.17-r0 do_package: QA Issue: krb5: Files/directories were installed but not shipped in any package:
/usr/lib/krb5/plugins/preauth/spake.so
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Fix CVE-2018-20217
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Update LIC_FILES_CHKSUM as license file NOTICE
update copyright years to 2018
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
bison-native is required for the build:
| yacc getdate.y
| make[2]: yacc: Command not found
| make[2]: *** [<builtin>: getdate.c] Error 127
In most cases, this dependency comes indirectly via toolchain
dependencies, specifically binutils-cross, which pulls
bison-native.
Different setups, such as with external toolchains, or an
upcoming change to OE-core for avoiding exactly this
unnoticed dependency expose this problem, since the correct
dependency is not marked explicitly.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
Let krb5 support environment setting on systemd startup.
Here is one requirement of environment setting from upstream krb5
...
https://web.mit.edu/kerberos/krb5-1.16/doc/admin/conf_files/kdc_conf.html
|Normally, the kdc.conf file is found in the KDC state directory,
LOCALSTATEDIR/krb5kdc. You can override the default location by
setting the environment variable KRB5_KDC_PROFILE.
...
The fix of (krb5-admin-server.service/krb5-kdc.service) refers ubuntu 1604
Variable RUN_KADMIND is sysvinit, move it out from default/krb5-admin-server
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Fixes
QA Issue: krb5: configure was passed unrecognised options: --with-pkinit-crypto-impl [unknown-configure-option]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
This is not defined by gcc for risc-v, probably a bug in
gcc but until then insulate ourselves
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| |
* --with-pkinit-crypto-impl option was removed in 1.16 by this commit;
https://github.com/krb5/krb5/commit/3e2344a14fad828dee624af0ae7ba2d12aec2c81#diff-f543b6d8715dcf859ebec297c750c370
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
1. Upgrade krb5 from 1.15.1 to 1.16
2. Update the checksum of LIC_FILES_CHKSUM, since krb5 has been changed. But license remains the same. Just modify the following.
-Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2017 by the Massachusetts Institute of Technology.
-The KCM Mach RPC definition file used on OS X has the following
+The KCM Mach RPC definition file used on macOS has the following
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| |
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to
have unspecified impact via vectors involving automatic deletion of
security contexts on error.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-11462
Upstream patch:
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Backport patch to fix CVE-2017-11368 for krb5.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
It is used in NVD database for CVEs like:
https://nvd.nist.gov/vuln/detail/CVE-2016-3120
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
1) Upgrade krb5 from 1.13.6 to 1.15.1.
2) License checksum changed, since the copyright years were updated.
3) Fix error in the step of do_configure.
| ERROR: krb5-1.15.1-r0 do_package: QA Issue: krb5: Files/directories were installed but not shipped in any package:
| /usr/lib/krb5/plugins/preauth/test.so
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Split libraries and plugins into their own packages. Create packages
for admin-server, kdc, user and examples. Remove some unneeded binaries.
Enable daemons on boot.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Fixes errors on x86_64 e.g.
errors.so: relocation R_X86_64_PC32 against symbol `k5_vset_error' can not be used when making a shared object; recompile with -fPIC
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
* fix CVEs: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
* update LIC_FILES_CHKSUM, only Copyright changed in NOTICE file:
-Copyright (C) 1985-2015 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
* remove useless functions: krb5_do_unpack(), do_unpack()
* remove patches that included by new release:
- 0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
- Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
- Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
- Fix-build_principal-memory-bug-CVE-2015-2697.patch
- Fix-IAKERB-context-export-import-CVE-2015-2698.patch
- krb5-CVE-2016-3119.patch
- krb5-CVE-2016-3120.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
This is CVE-2016-3120
The validate_as_request function in kdc_util.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before
1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect
client data structure, which allows remote authenticated users to cause
a denial of service (NULL pointer dereference and daemon crash) via an
S4U2Self request.
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Remove superfluous "+=", then manually add necessary leading space.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
On some targets clang erroneously detects an uninitialized variable.
Backport the fix from upstream.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
Backport <commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99> from krb5
upstream <https://github.com/krb5/krb5> to fix CVE-2016-3119
avoid remote authenticated users to cause a denial of service (NULL pointer
dereference and daemon crash) via a crafted request to modify a principal.
Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
base_contains() is a compatibility wrapper and may warn in the future, so
replace all instances with bb.utils.contains().
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
add native and nativesdk extend, curl-native/nativesdk need them.
replace the hardcode /etc with ${sysconfdir}, /var with ${localstatedir}
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
remove extra "/"
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c
in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly
accesses a certain pointer, which allows remote authenticated users
to cause a denial of service (memory corruption) or possibly have
unspecified other impact by interacting with an application that calls
the gss_export_sec_context function. NOTE: this vulnerability exists
because of an incorrect fix for CVE-2015-2696.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT
Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users
to cause a denial of service (out-of-bounds read and KDC crash) via
an initial '\0' character in a long realm field within a TGS request.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
| |
lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14
relies on an inappropriate context handle, which allows remote
attackers to cause a denial of service (incorrect pointer read and
process crash) via a crafted IAKERB packet that is mishandled during
a gss_inquire_context call.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>