path: root/meta/recipes-connectivity
Commit message | Author | Age | Files | Lines
* openssl: fix crash on aarch64 if BTI is enabled but no Crypto instructions | Ross Burton | 2024-03-28 | 2 | -0/+59

  On aarch64, if the processor doesn't have the Crypto instructions then OpenSSL will fall back onto the "bit-sliced" assembler routines. When branch protection (BTI) was enabled in OpenSSL these routines were missed, so if BTI is available libssl will immediately abort when it enters this assembler.

  Backport a patch submitted upstream to add the required call target annotations so that BTI doesn't believe the code is being exploited.

  (From OE-Core rev: ec555688dbdc87cc695db653201c8d9e20079d22)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: upgrade to 3.1.5 | Lee Chee Yang | 2024-03-20 | 2 | -24/+2

  Changes between 3.1.4 and 3.1.5 [30 Jan 2024]

  * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix.

    OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

    We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727])

  https://www.openssl.org/news/cl31.txt

  drop fix_random_labels.patch as fixed in https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867

  (From OE-Core rev: aeac11fa743567e185179b27b4700bbf8fcf06e1)

  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wpa-supplicant: Fix CVE-2023-52160 | Claus Stovgaard | 2024-03-20 | 2 | -0/+214

  PEAP client: Update Phase 2 authentication requirements. Also see https://www.top10vpn.com/research/wifi-vulnerabilities/

  (From OE-Core rev: 7d0e3f31d2193b2b13a9fe3f368a172f4eaa7c48)

  Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 57b6a329df897de69ae8b90706d9fe37e0ed6d35)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bind: Upgrade 9.18.21 -> 9.18.24 | Soumya Sambu | 2024-03-16 | 1 | -1/+1

  Changelog:
  =========

  9.18.24:
  - Fix case insensitive setting for isc_ht hashtable. [GL #4568]

  9.18.23:
  - Specific DNS answers could cause a denial-of-service condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424]
  - Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234]
  - Under some circumstances, the DoT code in client mode could process more than one message at a time when that was not expected. That has been fixed. [GL #4487]

  9.18.22:
  - Limit isc_task_send() overhead for RBTDB tree pruning. [GL #4383]
  - Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334]
  - Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
  - Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234]
  - Address race conditions in dns_tsigkey_find(). [GL #4182]
  - Conversion from NSEC3 signed to NSEC signed could temporarily put the zone into a state where it was treated as unsigned until the NSEC chain was built. Additionally conversion from one set of NSEC3 parameters to another could also temporarily put the zone into a state where it was treated as unsigned until the new NSEC3 chain was built. [GL #1794] [GL #4495]
  - Memory leak in zone.c:sign_zone. When named signed a zone it could leak dst_keys due to a misplaced 'continue'. [GL #4488]
  - Log more details about the cause of "not exact" errors. [GL #4500]
  - The wrong time was being used to determine what RRSIGs were to be generated when dnssec-policy was in use. [GL #4494]
  - The "trust-anchor-telemetry" statement is no longer marked as experimental. This silences a relevant log message that was emitted even when the feature was explicitly disabled. [GL #4497]
  - Fix statistics export to use full 64 bit signed numbers instead of truncating values to unsigned 32 bits. [GL #4467]
  - NetBSD has added 'hmac' to libc which collides with our use of 'hmac'. [GL #4478]

  (cherry-pick from Oe-Core rev d7f31aba343948dbaadafc8c0c66f78e6ffb46e3)
  (From OE-Core rev: 61fa2f52045b7a1553249c33263b5fd32444a305)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bind: upgrade 9.18.20 -> 9.18.21 | Wang Mingyu | 2024-03-16 | 2 | -4/+4

  bind-ensure-searching-for-json-headers-searches-sysr.patch refreshed for 9.18.21

  Changelog:
  ==========
  - Improve LRU cleaning behaviour.
  - The "resolver-nonbackoff-tries" and "resolver-retry-interval" options are deprecated; a warning will be logged if they are used.
  - BIND might sometimes crash after startup or re-configuration when one 'tls' entry is used multiple times to connect to remote servers due to initialisation attempts from contexts of multiple threads. That has been fixed.
  - Dig +yaml will now report "no servers could be reached" also for UDP setup failure when no other servers or tries are left.
  - Recognize escapes when reading the public key from file.
  - Dig +yaml will now report "no servers could be reached" on TCP connection failure as well as for UDP timeouts.
  - Deprecate AES-based DNS cookies.

  (cherry-pick from Oe-core rev b750d54622a0fa0a35d83ddc59f07661e903360b)
  (From OE-Core rev: 6977b7ac4202a1dd4264a6b4e4e6fd5c3dc07d37)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nfs-utils: Update Upstream-Status | Robert Yang | 2024-01-31 | 1 | -1/+1

  Update Upstream-Status for 0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch.

  (From OE-Core rev: 2323086931f2abd9b85fc1ec94b6b0d3efd6364a)

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 7189d1ea5c066b9ffc52103160bb34945fd779d7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kea: upgrade 2.4.0 -> 2.4.1 | Wang Mingyu | 2024-01-31 | 3 | -8/+8

  Changelog:
  =========
  - The library version numbers have been bumped up for the Kea 2.4.1 stable release.
  - Fixed interface redetection which had stopped working since Kea 2.3.6.
  - Fixed a race condition in free lease queue allocator

  fix-multilib-conflict.patch
  fix_pid_keactrl.patch
  refreshed for 2.4.

  (From OE-Core rev: fcf269bd8fc607882960cebc2c6e2e557517647d)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 7afab39fd1c3239df3bb2fa49b79a5efaaaf9db6)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nfs-utils: Upgrade 2.6.3 -> 2.6.4 | Robert Yang | 2024-01-27 | 3 | -84/+38

  * Remove backported patch 0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch.
  * Add 0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch to fix build with musl

  (From OE-Core rev: fcd5623dbeb302b3f2e9043fd66cc000f81d206b)

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit ff416e9fd6a1a65cf59ecd662613581b6190e05e)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* avahi: update URL for new project location | Ross Burton | 2024-01-16 | 1 | -3/+2

  Avahi has moved to a new parent organisation on GitHub, so update the URLs to match.

  (From OE-Core rev: b541fbeb99df15a1548f93ddbd654fb629ebc2ce)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 02caef1567186f250e64ae3ef84fcff33d7323e4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: fix connection for ps5/dualshock controllers | Markus Volk | 2024-01-04 | 2 | -0/+314

  Bluez 5.69 added a regression. Bluetooth connection for playstation controllers stopped working. This adds a backport patch for the issue

  (From OE-Core rev: a4ba3de4248ee05119ae944a972f88517e4e087b)

  Signed-off-by: Markus Volk <f_l_k@t-online.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit be05a177f943e9c8ce6c0fdbd157ee6f9103eef9)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bind: upgrade 9.18.19 -> 9.18.20 | Wang Mingyu | 2024-01-04 | 1 | -1/+1

  Changelog:
  ============
  - Fix missing newlines in the output of "rndc nta -dump".
  - Take into account local authoritative zones when falling back to serve-stale.
  - Fix assertion failure when using lock-file configuration option together -X argument to named.
  - The 'lock-file' file was being removed when it shouldn't have been making it ineffective if named was started 3 or more times.
  - Fix a shutdown race in dns__catz_update_cb().
  - B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and 2801:1b8:10::b.
  - The timeouts for resending zone refresh queries over UDP were lowered to enable named to more quickly determine that a primary is down.
  - Don't schedule resign operations on the raw version of an inline-signing zone.
  - Fix a possible assertion failure on an error path in resolver.c:fctx_query(), when using an uninitialized link.
  - Add semantic patch to do an explicit cast from char to unsigned char in ctype.h class of functions.
  - Python system tests have to be executed by invoking pytest directly. Executing them with the legacy test runner is no longer supported.
  - The wrong covered value was being set by dns_ncache_current for RRSIG records in the returned rdataset structure. This resulted in TYPE0 being reported as the covered value of the RRSIG when dumping the cache contents.

  (From OE-Core rev: 6103a28c3b3df76a679acae577140d4ad2346894)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 9b34124561d926d9273c52163853161515e5666a)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* avahi: add CVE-2023-38473.patch to SRC_URL | Lee Chee Yang | 2023-12-22 | 1 | -0/+1

  patch file added since Oe-Core rev a9203c46cd64c3ec5e5b00e381bbac85733f85df but not part of SRC_URI.

  (From OE-Core rev: c9abf1f8395692080576d0fe9b2f28ea2240741b)

  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: improve handshake test error reporting | William Lyu | 2023-12-05 | 2 | -0/+375

  Fixes [YOCTO #15225]

  Yocto Bug #15255 is not reproducible. To obtain more useful information for debugging, the OpenSSL test code is improved so that more detailed state information in the handshake loop is printed when an error occurs.

  (From OE-Core rev: c176229ced6b710b6c44d1090e9e7347d98e4be4)

  Signed-off-by: William Lyu <William.Lyu@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 5bf9a70f580357badd01f39822998985654b0bfc)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* avahi: backport Debian patches to fix multiple CVE's | Vijay Anusuri | 2023-12-05 | 10 | -0/+567

  import patches from ubuntu to fix
  CVE-2023-1981
  CVE-2023-38469
  CVE-2023-38470
  CVE-2023-38471
  CVE-2023-38472
  CVE-2023-38473

  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
  Upstream commit
  https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
  & https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
  & https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
  & https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
  & https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24
  & https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
  & https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460
  & https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
  & https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

  (From OE-Core rev: a9203c46cd64c3ec5e5b00e381bbac85733f85df)

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: Upgrade 3.1.3 -> 3.1.4 | Peter Marko | 2023-11-24 | 1 | -1/+1

  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023

  Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
  * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)

  (From OE-Core rev: de390034aecb23226a532dad56c821b4edee35bb)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 104ba16de434a08b0c8ba4208be187f0ad1a2cf8)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssh: upgrade 9.4p1 -> 9.5p1 | Wang Mingyu | 2023-10-14 | 1 | -1/+1

  Changelog:
  ===========

  Potentially incompatible changes
  --------------------------------
  * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).
  * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected.

  New features
  ------------
  * ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.
  * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
  * sshd(8): allow override of Subsystem directives in sshd Match blocks.

  Bugfixes
  --------
  * scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611
  * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files.
  * ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty.
  * sshd(8): make PerSourceMaxStartups first-match-wins
  * sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism. bz3602
  * sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
  * sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured.
  * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances.

  Portability
  -----------
  * Avoid clang zero-call-used-regs=all bug on Apple compilers, which for some reason have version numbers that do not match the upstream clang version numbers. bz#3584
  * Fix configure test for zlib 1.3 and later/development versions. bz3604

  (From OE-Core rev: 1f7a8aedecae81339d71c40f4cf7f6d1e5e4286c)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: drop sudo from ptest dependencies | Mikko Rapeli | 2023-10-09 | 2 | -2/+2

  The tests don't actually need sudo on core-image-ptest-openssh. Based on logs seen in https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 it seems that socket errors from sudo are creeping into stderr which are failing the banner ptest from openssh. Removing sudo should help removing the stderr messages and possibly cure the banner test failures.

  (From OE-Core rev: 47e754f483b674b207bfddcc8d4c5d9a3008e102)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: update sshd_check_keys script to make use of 'sshd -G' | Rasmus Villemoes | 2023-10-04 | 1 | -2/+1

  Parsing sshd's config file with 'sed' does not work in for example the case where somebody has made use of the new ability to add a config fragment in /etc/ssh/sshd_config.d/ with one or more HostKey stanzas. Also, sshd_config keywords are case-insensitive, but the current sed pattern only matches the CamelCase spelling of HostKey.

  In openssh 9.3, sshd learnt a new command line flag '-G', which causes sshd to parse the given configuration file and print the resulting effective configuration on stdout. So use that instead.

  Furthermore, since that "effective configuration" includes the default set of host keys if the configuration file has no HostKey stanzas, we also avoid the script needing to know what sshd's default is - that could plausibly change with some future release.

  (From OE-Core rev: dd27f9d869b8aa28dfb18de037a24ab0ec735718)

  Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: update to 9.18.19 | Lee Chee Yang | 2023-09-26 | 1 | -1/+1

  release notes: https://downloads.isc.org/isc/bind9/9.18.19/doc/arm/html/notes.html#notes-for-bind-9-18-19

  Security Fixes
  - Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152]
  - A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. [GL #4242]

  Removed Features
  - The dnssec-must-be-secure option has been deprecated and will be removed in a future release. [GL #4263]

  Feature Changes
  - If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181]

  Bug Fixes
  - The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). [GL #4124] This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead.
  - The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
  - Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159] This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
  - The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280]
  - The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. [GL #4278]
  - BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038]
  - Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed. [GL #4255]

  Known Issues
  - There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

  (From OE-Core rev: 29cc2203b06b12d4c93ffc1fb56f1754f6982e80)

  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iproute2: upgrade 6.4.0 -> 6.5.0 | Alexander Kanavin | 2023-09-26 | 2 | -44/+3

  Set CONF_USR_DIR explicitly as upstream hardcodes 'lib' in it. Fix up iproute2-ip packaging to reflect that, and fix multilib error where the executable would end up in the main package.

  (From OE-Core rev: c88d6e94c0df3079410930abff9af0a08930ec8c)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.1.2 -> 3.1.3 | Peter Marko | 2023-09-22 | 1 | -1/+1

  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-312-and-openssl-313-19-sep-2023

  Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

  (From OE-Core rev: eb65fdd971aa30d3fd09a8bc1b33ad2a1197f364)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* recipes: Drop remaining PR values from recipes | Richard Purdie | 2023-09-22 | 2 | -2/+0

  We've been removing PR values from recipes at upgrade time for a while. In general anyone maintaining a binary distro would end up having to curate these themselves so the values in OE-Core aren't really that useful anymore.

  In many ways it makes sense to clear out the remaining ones (which are mostly for 'config' recipes that are unlikely to increase in PV) and leave a clean slate for anyone implementing a binary distro config.

  References are left in meta-selftest since the tests there do involve them and their removal upon upgrade.

  (From OE-Core rev: d4c346e8ab8f3cae25d1b01c7331ed9f6d4f96ef)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: ensure all ptest fails are caught | Alexander Kanavin | 2023-09-18 | 1 | -1/+1

  Piping results through sed may mask failures that sed isn't catching.

  (From OE-Core rev: 2b1b0e9e4d5011e7c2fd1b59fc277a7cfdc41194)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: parallelize tests | Alexander Kanavin | 2023-09-18 | 1 | -1/+1

  This brings them from 15 minutes to just over 4.

  (From OE-Core rev: 9eeee78aa94aaa441da012aeb904a0f1cbcd4d91)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: capture logs in run-ptest | Mikko Rapeli | 2023-09-14 | 3 | -35/+14

  Drop patch to improve logging since upstream rejected it but capture failure logs in run-ptests with similar code as what upstream uses when running the tests via https://github.com/openssh/openssh-portable/blob/master/.github/run_test.sh#L23

  (From OE-Core rev: 5f817f5a3897bca39eb832bb910b032632f275b8)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nfs-utils: Add StateDirectory for systemd services | Joshua Watt | 2023-09-13 | 3 | -0/+3

  Adds `StateDirectory=nfs` for the systemd service. This ensures that 1) and .mount services required for /var/lib/nfs are started before these services, and 2) that /var/lib/nfs exists before starting the services.

  (From OE-Core rev: ba814211699d40590363b9b80f264218be9d7ad8)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nfs-utils: Don't start nfs-statsd.service without exports | Joshua Watt | 2023-09-13 | 1 | -0/+1

  Adds a `ConditionPathExists` to nfs-statsd.service. This allows it to match the other NFS services and not start if nothing is exported.

  (From OE-Core rev: 5fae759ff99ccd6e3473cb8aa638fbb23f7583ff)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: improve banner ptest failure logging | Mikko Rapeli | 2023-09-12 | 2 | -0/+62

  Log the input and output banner files. Output seems to contain more lines than input which fails the test but it's not clear what is in there from the ssh command stderr. So print them out to dig deeper into the root cause.

  Upstream rejected previous logging patch so they will likely do the same for this: https://github.com/openssh/openssh-portable/pull/437

  Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178

  (From OE-Core rev: 3230378d651ecc53ff5cac1aaa24f35d5cea8665)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: update Upstream-Status to Denied in test logging patch | Mikko Rapeli | 2023-09-12 | 1 | -1/+1

  Upstream rejected the change: https://github.com/openssh/openssh-portable/pull/437

  (From OE-Core rev: 46c5f3b7a57442b9979ad36b679900cf0b8f74d5)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* avahi: handle invalid service types gracefully | Ross Burton | 2023-09-08 | 2 | -0/+30

  Services which broadcast an invalid service type will cause the browse to fail. Instead of failing, replace the service type and continue.

  (From OE-Core rev: e581da6c4db21312833395e96b48e868a202f0f9)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* connman: update 1.41 -> 1.42 | Alexander Kanavin | 2023-09-07 | 7 | -553/+4

  Drop backports. 0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch is partially dropped, as upstream hasn't included the newly added header into the tarball (issue addressed after the release).

  (From OE-Core rev: eeb686876dc560b5f0fab6f37a2def3d78bb55db)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: build and install manpages only if they are enabled | Alexander Kanavin | 2023-09-07 | 1 | -2/+3

  This significantly speeds up the build by default.

  (From OE-Core rev: 2b5ee583c62dbe381cd429da14ecbba5ea32d506)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: capture ptest regression test failure logs | Mikko Rapeli | 2023-09-07 | 2 | -0/+35

  When tests fail, capture the sshd and ssh client logs from the failing test run. These are needed to investigate the root cause.

  Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178

  (From OE-Core rev: 7c6a0ee7961dc976dddbfd1615f90c2306970626)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade to v9.4p1 | Sudip Mukherjee | 2023-09-03 | 2 | -996/+1

  Changes:
  Update sha256sum
  Remove backported patch

  (From OE-Core rev: 51a6e56fcb28ec97ba3a4b40bbcd3d64e6d390d5)

  Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* neard: upgrade 0.18 -> 0.19 | Wang Mingyu | 2023-09-02 | 1 | -1/+1

  Changelog:
  ===========
  Fixed missing DBus org.neard.se.conf.
  Sync Linux kernel UAPI nfc.h header with newer kernel.
  NFC tag: Implement readout of tag UID via DBus interface.

  (From OE-Core rev: 02cc07dbdf0dcb52d736f39fc01f406030f8339b)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: upgrade 5.68 -> 5.69 | Wang Mingyu | 2023-09-02 | 3 | -41/+1

  fix-check-ell-path.patch removed since it's included in 5.69

  Changelog:
  =========
  Fix issue with BAP enabling state correctly when resuming.
  Fix issue with detaching source ASEs only after Stop Ready.
  Fix issue with handling VCP audio location and descriptor.
  Fix issue with generating IRK for adapter with privacy enabled.
  Add support for BAP broadcast sink.

  (From OE-Core rev: e964b7f4bbd398bef3f48ec9ddd441a7f5df9987)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: upgrade 9.18.17 -> 9.18.18 | Wang Mingyu | 2023-09-02 | 1 | -1/+1

  Changelog:
  ============
  Deprecate the 'dialup' and 'heartbeat-interval' options.
  Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
  Return REFUSED to GSS-API TKEY requests if GSS-API support is not configured.
  Mark a primary server as temporarily unreachable if the TCP connection attempt times out.
  Don't process detach and close netmgr events when the netmgr has been paused.

  (From OE-Core rev: e78ec619beea6e541b2d83a5dc845ce57ff12564)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inetutils: remove obsolete cruft from do_configure | Ross Burton | 2023-09-02 | 1 | -4/+0

  glob/ doesn't exist and the other files are copied by autotools.bbclass

  (From OE-Core rev: f11fac5430c1308347f673c6e1fb6c5b2c7ff9c0)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inetutils: remove obsolete patches (Ross Burton, 2023-09-02, 5 files, -190/+0)

  fix-disable-ipv6.patch: we don't support uclibc, and most libcs don't have optional support for IPv6.

  inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch and inetutils-1.8-0003-wchar.patch: these don't appear to be needed anymore.

  inetutils-only-check-pam_appl.h-when-pam-enabled.patch: configure.ac doesn't fail if PAM is disabled anymore.

  (From OE-Core rev: abcc8273a788981bd06867d141b78aa0cfedddf4)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inetutils: don't guess target paths (Ross Burton, 2023-09-02, 2 files, -40/+18)

  inetutils guesses a lot of target paths in cross builds, and warns that some of them are known to be wrong (for example, whether /proc/net/dev exists is guessed as 'no').

  Add a post-configure function to check for these warnings, and pass --with-path-* as appropriate to set the paths explicitly. This means we can remove the patch which was setting PATH_PROCNET_DEV, and the autoconf cache value inetutils_cv_path_login.

  The downside is that these --with-path-* options are not real autoconf options, so the "unknown options" warning is emitted. Losing those is an acceptable compromise, so disable it.

  Musl doesn't implement utmp and has stub defines for _PATH_UTMP but not _PATH_UTMPX, so we need to set the X variants explicitly.

  (From OE-Core rev: 91179f89db127063dbdf998e15d63e04d6be53f7)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcpcd: fix buffer overflow (Yi Zhao, 2023-08-30, 2 files, -0/+34)

  Backport a patch to fix buffer overflow for strlcpy:

  $ dhcpcd enp0s3
  dhcpcd-10.0.2 starting
  *** buffer overflow detected ***: terminated
  dhcpcd_fork_cb: truncated read 0 (expected 4)

  (From OE-Core rev: d0bd1c823c10af9a0ef7e5ce05b770c1d8bb247c)

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcpcd: upgrade 10.0.1 -> 10.0.2 (Yi Zhao, 2023-08-30, 1 file, -1/+1)

  Changelog:
  https://github.com/NetworkConfiguration/dhcpcd/releases/tag/v10.0.2

  (From OE-Core rev: 037fd7c8e772bae0949d6e096c34564eaa2a3858)

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inetutils: Apply devtool formatting suggestions (Khem Raj, 2023-08-30, 1 file, -4/+3)

  (From OE-Core rev: 5bbcf129b83d2b78cae7ecb1fe19bab72e54b3f7)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inetutils: Fix CVE-2023-40303 (Khem Raj, 2023-08-30, 3 files, -0/+534)

  (From OE-Core rev: 211942410ec0fb5ebe906b4fed7f1feb13b7cf39)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nfs-utils: Add needed library to client (Stéphane Veyret, 2023-08-30, 1 file, -0/+1)

  The nfs-utils recipe creates a nfs-utils-client package, which can be used if we need to install only the client side of nfs-utils. Unfortunately, rpc.idmapd is part of this package, and requires the dynamic library libnfsidmap.so, which is included in the main package nfs-utils. Therefore, nfs-utils-client has a dependency on nfs-utils, so the server is installed, and tries to be started, even on systems where the appropriate modules are not present, which causes errors.

  This patch adds the needed library to the nfs-utils-client package, so that it is now complete and does not require nfs-utils anymore.

  (From OE-Core rev: c04b28ee26ae1ccce1722c4143961ee6fd87b40e)

  Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.1.1 -> 3.1.2 (Peter Marko, 2023-08-16, 1 file, -1/+1)

  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-311-and-openssl-312-1-aug-2023

  Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]
    * Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
    * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
    * Do not ignore empty associated data entries with AES-SIV (CVE-2023-2975)
    * When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests.

  (From OE-Core rev: e65802383b02df6f502af859a927309d881bbb27)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kea: upgrade to v2.4.0 (Sudip Mukherjee, 2023-08-14, 2 files, -2/+65)

  Changes:
  Update license checksum: change in copyright year.
  Update sha256sum for new version.
  An additional patch to fix the reproducible build failure which is still under discussion with upstream.

  (From OE-Core rev: 99f61d952467076abb68bf50f9220e422ed98e60)

  Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* connman-conf: don't take over any ethernet devices, not just eth0 (Ross Burton, 2023-08-14, 1 file, -1/+1)

  The goal of connman-conf in qemu environments is to stop connman from trying to control the network device, because runqemu will set it up appropriately.

  It currently hardcodes eth0, but 6.2 kernels onwards will rename eth0 to en* even when the interface is already up[1].

  So that this recipe continues to work as intended, expand the list to "eth,en" so that connman ignores _all_ ethernet devices with either the new or old names.

  [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=bd039b5ea2a91ea707ee8539df26456bd5be80af

  (From OE-Core rev: 56baa430f8a577ff280676dc2e8a2debbc85bc21)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "kea: upgrade to v2.5.0" (Richard Purdie, 2023-08-10, 2 files, -61/+2)

  This reverts commit 4048ddf7fdd6859c43aeb82d85ee0851b3a9177b.

  2.5.0 is a development series and the upgrade should have been to 2.4.x.

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kea: upgrade to v2.5.0 (Sudip Mukherjee, 2023-08-10, 2 files, -2/+61)

  Changes:
  Update license checksum: change in copyright year.
  Update sha256sum for new version.
  An additional patch to fix the reproducible build failure.

  (From OE-Core rev: 4048ddf7fdd6859c43aeb82d85ee0851b3a9177b)

  Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>