summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
Commit message (Collapse)AuthorAgeFilesLines
* socat: patch CVE-2024-54661Peter Marko2025-01-292-0/+114
| | | | | | | | | | | | | Picked upstream commit https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f Since this was the only commit in 1.8.0.2 it also contained release changes which were dropped. (From OE-Core rev: 624b91c23559d7d1bc51ec221331513529853cd2) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* connman: Fix restart scriptMichael Nazzareno Trimarchi2025-01-131-1/+1
| | | | | | | | | | | | | | | | The script does not work if the connman service is already stopped. The start-stop-daemon checks for the existence of a specified process. If such a process exists, start-stop-daemon sends it the signal specified by --signal, and exits with error status 0. If such a process does not exist, start-stop-daemon exits with error status 1 (0 if --oknodo is specified). The script uses set -e so we need to add --oknodo option to stop (From OE-Core rev: f32ab69b4caef5ac2f61bb53102d8b08b94d54d5) Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b1c1b67166049181136d5eb68740f3bf98bf670d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: Fix SDK environment script to avoid unbound variableRichard Purdie2024-11-301-1/+1
| | | | | | | | | | | | | | Avoid errors like: buildtools/sysroots/x86_64-pokysdk-linux/environment-setup.d/openssl.sh: line 6: BB_ENV_PASSTHROUGH_ADDITIONS: unbound variable by setting an explicit empty default value. (From OE-Core rev: a57192131cbcb65e17b11f47aa0f90ef63258280) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5a2a4910a22668f25679a47deaa9e2ed28665efa) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez: Fix mesh builds on muslKhem Raj2024-10-292-0/+115
| | | | | | | | | | | | When mesh is enabled on musl the build fails with conflicting basename calls. (From OE-Core rev: bab3e883cb770ef9fc28c002a98efd0ca5cbf60d) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2db90c6508e350d35782db973291bbf5ffdfd3a5) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wpa-supplicant: Ignore CVE-2024-5290Peter Marko2024-10-291-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vulnerable as they only expose the dbus interface to root. Downstreams like Ubuntu and Chromium added a patch that grants access to the netdev group. The patch is the problem, not the upstream code IMHO. There is also a commit [3] associated with this CVE, however that only provides build-time configuration to limit paths which can be accessed but it acts only as a mitigation for distros which allow non-root users to load crafted modules. The patch is included in version 2.11, however NVD has this CVE version-less, so explicit ignore is necessary. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290 [2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 [3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747 (From OE-Core rev: 617cf25b0f49b732f961f1fa4d1390e8e883f12b) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6cb794d44a8624784ec0f76dca764616d81ffbf5) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wpa-supplicant: add patch to check for kernel header version when compiling ↵Jon Mason2024-09-172-0/+54
| | | | | | | | | | | | | | | | | | | | | macsec When using Arm binary toolchain, version 2.11 of wpa-supplicant is failing to compile with the following error: | ../src/drivers/driver_macsec_linux.c:81:29: error: field ‘offload’ has incomplete type | 81 | enum macsec_offload offload; | | Backport a recent patch that corrects the issue by adding a check for the version of kernel headers being used in compilation and disabling that enum if too old a version is being used (or is used by the binary toolchain). (From OE-Core rev: 373d8d4f5316416d70eb2c0733d9838e57419ac3) Signed-off-by: Jon Mason <jdmason@kudzu.us> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: remove redundant patch for MAX_INPUTGuðni Már Gilbert2024-09-172-27/+0
| | | | | | | | | | | | | The solution to the problem upstream was fixed by the following commit: https://github.com/bluez/bluez/commit/ca6546fe521360fcf905bc115b893f322e706cb2 Now MAX_INPUT is defined for non-glibc systems such as musl. This fix was added in BlueZ 5.67. (From OE-Core rev: fea1bb917ebb1f99c83dbbc87a6f0ffc3627879a) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: Fix build with the `httpstats` package config enabledAlban Bedel2024-09-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | ------C65ED3E1A5DE826CA595746785F6AF6F To: openembedded-core@lists.openembedded.org CC: Alban Bedel <alban.bedel@aerq.com> Subject: [PATCH] bind: Fix build with the `httpstats` package config enabled Date: Wed, 11 Sep 2024 08:26:47 +0200 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain MIME-Version: 1.0 When the `httpstats` package config is enabled configure fails with the error: > configure: error: Specifying libxml2 installation path is not > supported, adjust PKG_CONFIG_PATH instead Drop the explicit path from `--with-libxml2` to solve this issue. (From OE-Core rev: 9b076fa51f5e6fd685066fb817c47239960778e6) Signed-off-by: Alban Bedel <alban.bedel@aerq.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: upgrade 5.77 -> 5.78Guðni Már Gilbert2024-09-115-71/+75
| | | | | | | | | | | | | | | | * Fix issue with handling notification of scanned BISes to BASS * Fix issue with handling checking BIS caps against peer caps. * Fix issue with handling MGMT Set Device Flags overwrites. * Fix issue with handling ASE notification order. * Fix issue with handling BIG Info report events. * Fix issue with handling PACS Server role. * Fix issue with registering UHID_START multiple times. * Fix issue with pairing method not setting auto-connect. (From OE-Core rev: 77aa3ecaf6ad7fe777a10655542349a1489b7ad3) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kea: Replace Name::NameString with vector of uint8_tKhem Raj2024-09-043-0/+128
| | | | | | | | | This will fix build with libc++ from llvm 19.x (From OE-Core rev: e3f74aaf3e8bdc6566c6b881e71cfdd3e4eb2c3f) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ofono: upgrade 2.9 -> 2.10Wang Mingyu2024-09-041-1/+1
| | | | | | | | | | | | Changelog: ========== - Fix issue with SMS and user data length checks. - Add support for QMI and Dual-Stack context activation. (From OE-Core rev: 004572fc7782f1c27a41e9a91b4ed14eee7d1695) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcpcd: upgrade 10.0.8 -> 10.0.10Wang Mingyu2024-09-043-11/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | License-Update: Copyright year updated to 2024. 0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch 0001-remove-INCLUDEDIR-to-prevent-build-issues.patch refreshed for 10.0.10 Changelog: ========== - configure: add --enable-ntp - Force dumplease to parse stdin - holmanb authored and rsmarples committed - Improve and document prior. - linux: Prefer local over address when both in netlink RTA - IPv6: DUPLICATED could be announced by RTM_DELADDR - Fix prior patch which might also fix #333 - IPv6: Delay for LL address before delay for start - IPv6: make more readable (nfc) - DHCP6: Don't remove delegated prefix addresses on start or fail - privsep: Sweep ELE_ERROR away for BPF - DHCP6: Add commentary around why we read leases - linux: allow roaming without IFF_DORMANT - DHCP: Remove an assertation in get_lease if ia is NULL - DHCP6: Persist configuration on confirm/rebind failure - DHCP6: Don't remove state in DISCOVER - IPv4LL: Restart ARP probling on address conflict - DHCP: Handle option 108 correctly when receiving 0.0.0.0 OFFER - taoyl-g and rsmarples committed on Jul 25 - DHCP: No longer set interface mtu - IPv4LL: If we are not configuring, abort if address does not exist - IPv4LL: Harden the noconfigure option. - DHCP6: Remove the dhcp6_pd_addr packed struct - Update privsep-linux.c to allow statx (From OE-Core rev: 8d8e0bc93ed4fed5ce40be929976726fe28177ce) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcap: upgrade 1.10.4 -> 1.10.5Yi Zhao2024-09-031-2/+2
| | | | | | | | | | | ChangeLog: https://git.tcpdump.org/libpcap/blob/HEAD:/CHANGES (From OE-Core rev: 501906c4cdd4eb409bddbb8a4d10c78fbf81d980) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iw: Fix LICENSENiko Mauno2024-09-011-1/+1
| | | | | | | | | | | | | | The contents of the COPYING file included in the source code match those of ISC license: https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git/tree/COPYING?h=v6.9 which seems to have been in effect since 2008 commit https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git/commit?id=622c36ae94a880fb53f7f051f1b26616f5b553c1 ("license under ISC"). (From OE-Core rev: 87da7445a2a77fe73e3524cd50112842e91235b6) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: Mark CVE-2023-51767 as wont-fixKhem Raj2024-09-011-0/+1
| | | | | | | | (From OE-Core rev: 1b4bada6c003ef743df09283e45953e6d9ea4c5a) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: Fix build with muslKhem Raj2024-08-292-0/+144
| | | | | | | (From OE-Core rev: e5f9870757bf7ffd009ce4ba999d37e41274982c) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iproute2: upgrade 6.9.0 -> 6.10.0Alexander Kanavin2024-08-282-2/+28
| | | | | | | (From OE-Core rev: ab979c8cbb698eb1638dd9de562dffff798acad7) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: upgrade 9.20.0 -> 9.20.1Yi Zhao2024-08-281-1/+1
| | | | | | | | | | Release Notes: https://downloads.isc.org/isc/bind9/9.20.1/doc/arm/html/notes.html#notes-for-bind-9-20-1 (From OE-Core rev: 6808ed32cabb00ffb076cb80cf37ad7815815d25) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* wpa-supplicant: Upgrade 2.10 -> 2.11Siddharth Doshi2024-08-235-352/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | License-Update: =============== - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af CVE's Fixed: =========== - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation - CVE-2023-52160 wpa_supplicant: potential authorization bypass Changes between 2.10 -> 2.11: ============================ https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af Note: ===== Patches 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch, 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch, 0001-Install-wpa_passphrase-when-not-disabled.patch, 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160) are already fixed and hence removing them. (From OE-Core rev: 824eb0641dc6001a5e9ad7a685e60c472c9fdce8) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kea: upgrade 2.4.1 -> 2.6.1Trevor Gamblin2024-08-072-5/+12
| | | | | | | | | | | | | | Refresh patch 'fix_pid_keactrl.patch' to apply on new version. Add an extra sed call to do_install:append() to remove a reference to TMPDIR from ${D}/usr/sbin/kea-admin. License-Update: Update copyright year (From OE-Core rev: 6dbf9466f776eef6513847c5e546e4582203c50e) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: upgrade 9.18.27 -> 9.20.0Trevor Gamblin2024-08-031-2/+2
| | | | | | | | | | | | bind now depends on liburcu, so add it to DEPENDS (this was why the AUH runs were failing at do_compile). Changelog: https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/arm/changelog.rst (From OE-Core rev: 6a450da130e78fd45931c67a9e8255d611ae8711) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade 9.7p1 -> 9.8p1Jose Quaresma2024-07-267-261/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - drop the CVE-2024-6387 [backported patch] - drop systemd notify [backported patch] - fix musl build [backported patch] - fix ptest regression [submited patch] - sshd now had the sshd-session Release notes at https://www.openssh.com/txt/release-9.8 Security ======== This release contains fixes for two security problems, one critical and one minor. 1) Race condition in sshd(8) A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. We thank the Qualys Security Advisory Team for discovering, reporting and demonstrating exploitability of this problem, and for providing detailed feedback on additional mitigation measures. 2) Logic error in ssh(1) ObscureKeystrokeTiming In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally. This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab. Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default). This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025. DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" in Makefile.inc. To enable DSA support in portable OpenSSH, pass the "--enable-dsa-keys" option to configure. Potentially-incompatible changes -------------------------------- * all: as mentioned above, the DSA signature algorithm is now disabled at compile time. * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 * (portable OpenSSH only) Automatically-generated files, such as configure, config.h.in, etc will now be checked in to the portable OpenSSH git release branch (e.g. V_9_8). This should ensure that the contents of the signed release branch exactly match the contents of the signed release tarball. Changes since OpenSSH 9.7 ========================= This release contains mostly bugfixes. New features ------------ * sshd(8): as described above, sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. sshd(8) will now identify situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit bugs in sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum configurable threshold, then all connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range) until the penalty expire. Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. Address ranges may be fully exempted from penalties, e.g. to guarantee access from a set of trusted management addresses, using the new sshd_config(5) PerSourcePenaltyExemptList option. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. This option is enabled by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Bugfixes -------- * misc: fix a number of inaccuracies in the PROTOCOL.* documentation files. GHPR430 GHPR487 * all: switch to strtonum(3) for more robust integer parsing in most places. * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 * sftp(1): flush stdout after writing "sftp>" prompt when not using editline. GHPR480 * sftp-server(8): fix home-directory extension implementation, it previously always returned the current user's home directory contrary to the spec. GHPR477 * ssh-keyscan(1): do not close stdin to prevent error messages when stdin is read multiple times. E.g. echo localhost | ssh-keyscan -f - -f - * regression tests: fix rekey test that was testing the same KEX algorithm repeatedly instead of testing all of them. bz3692 * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive documentation, especially around what is supported vs available. bz3701. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * build: fix OpenSSL ED25519 support detection. An incorrect function signature in configure.ac previously prevented enabling the recently added support for ED25519 private keys in PEM PKCS8 format. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 * build: improve detection of the -fzero-call-used-regs compiler flag. bz3673. * build: relax OpenSSL version check to accept all OpenSSL 3.x versions. * sshd(8): add support for notifying systemd on server listen and reload, using a standalone implementation that doesn't depend on libsystemd. bz2641 (From OE-Core rev: 4e2834f67d32894d1cac5fc9ac5234816765245e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: systemd notification was implemented upstreamJose Quaresma2024-07-264-100/+227
| | | | | | | | | | Drop our sd-notify patch and switch to the upstream standalone implementation that does not depend on libsystemd. (From OE-Core rev: 07522f85a987b673b0a3c98690c3c17ab0c4b608) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ofono: upgrade 2.8 -> 2.9Ross Burton2024-07-211-1/+1
| | | | | | | | | * Add support for QRTR based devices (MHI bus and SoC). (From OE-Core rev: 5f8024cf45f4b8dbaf1134d61c3ba73075dde23f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: rewrite ptest installationRoss Burton2024-07-192-40/+46
| | | | | | | | | | | | | | | | | Rewrite (again) the openssl test suite installation. Depend on and reuse already installed libraries and modules instead of installing them twice. Be more selective when installing from the build tree so we don't install intermediate .c .d .o files. This further reduces the size of openssl-dbg from ~120MB to ~18MB. (From OE-Core rev: 8baa0ce7eae65026cb3a784adaf3a4fc724ce9c9) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: strip the test suiteRoss Burton2024-07-191-0/+10
| | | | | | | | | | | | | | The test suite is huge because every test binary is statically linked to libssl and/or libcrypto. This bloats the size of the -dbg package hugely, so strip the test suite before packaging. This reduces the size of openssl-dbg by 90% from ~1.2GB to ~120MB, and reduces the size of the build tree from ~1.9GB to ~800MB. (From OE-Core rev: 92f09a4269e45e09643a7e7aafd2811cfd47cb68) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: systemd sd-notify patch was rejected upstreamJose Quaresma2024-07-181-1/+1
| | | | | | | | | | | | | | | | | Still side effects of the XZ backdoor. Racional [1]: License incompatibility and library bloatedness were the reasons. Given recent events we're never going to take a dependency on libsystemd, though we might implement the notification protocol ourselves if it isn't too much work. [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 (From OE-Core rev: c3403bb6254d027356b25ce3f00786e2c4545207) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: cleanup redundant backslashesGuðni Már Gilbert2024-07-181-3/+3
| | | | | | | | | | | Noticed in the installation logs a few paths have double slashes '//'. Doesn't seem to do any harm, though it is good to clean this up for consistency. (From OE-Core rev: 36328d68b712c5267613d495c010c26c88d565f4) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: drop modifications to Python shebangsGuðni Már Gilbert2024-07-181-4/+0
| | | | | | | | | | | | | | | | | All the test scripts are by now Python 3 compatible and the shebangs are consistently set to #!/usr/bin/env python3 since BlueZ 5.73 See: https://github.com/bluez/bluez/commit/d31f04aa928ae8fb7a4fc5b0876dd17ea65d4513 The source code was inspected to confirm there are no more shebangs which reference 'python' (Python 2) (From OE-Core rev: 110f14b1b1e9abd8c1b8d52e70d0ceec7eab5025) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: disable tests unless ptest is enabledRoss Burton2024-07-181-2/+4
| | | | | | | | | | | | The upstream Makefile always builds the tests unless they're explicitly disabled. Whilst this doesn't make a difference to the final package and sysroot output, disabling the tests for openssl-native reduces the size of the build tree from 659M to 78M and reduces the CPU time used by 30%. (From OE-Core rev: dfaf1cba9f30c6b07836fe217e1ebc83bc6aec8a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: drop rejected patch fixed in 8.6p1 releaseJose Quaresma2024-07-182-112/+0
| | | | | | | | | | | | | | | | | | | | | | The rationale [1] is that C11 6.5.6.9 says: """ When two pointers are subtracted, both shall point to elements of the same array object, or one past the last element of the array object; the result is the difference of the subscripts of the two array elements. """ In these cases the objects are arrays of char so the result is defined, and we believe that the compiler incorrectly trapping on defined behaviour. I also found https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63303 ("Pointer subtraction is broken when using -fsanitize=undefined") which seems to support this position. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2608 (From OE-Core rev: cf193ea67ca852e76b19a7997b62f043b1bca8a1) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bluez5: upgrade 5.72 -> 5.77gudnimg2024-07-166-69/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: * https://github.com/bluez/bluez/releases/tag/5.77 * https://github.com/bluez/bluez/releases/tag/5.76 * https://github.com/bluez/bluez/releases/tag/5.75 * https://github.com/bluez/bluez/releases/tag/5.74 * https://github.com/bluez/bluez/releases/tag/5.73 Changes relevant to the build: * One patch file is dropped. * /etc/bluetooth is now installed with 555 permission bits when systemd is not enabled. The do_install function was edited to change it back to 755. This was causing test failure when testing SDK packaging * Added a few missing PACKAGECONFIGs which are enabled by default. - asha-profiles: new in BlueZ 5.77 - ccp-profiles: new in BlueZ 5.73 - micp-profiles: new in BlueZ 5.70 - csip-profiles: new in BlueZ 5.67 - bass-profiles: new in BlueZ 5.67 - vcp-profiles: new in BlueZ 5.66 - mcp-profiles: new in BlueZ 5.66 - bap-profiles: new in BlueZ 5.66 (From OE-Core rev: ebbdb7cf5c0a3f0e6773704d4c4cc570358ec611) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: factor out sshd hostkey setup to separate functionRasmus Villemoes2024-07-131-22/+26
| | | | | | | | | | | | | | | | | | | | | | | | | Commit 0827c29566 (openssh: allow configuration of hostkey type) broke our setup. We make use of the 'Include /etc/ssh/sshd_config.d/*.conf' and put a hostkeys.conf file in there, configuring the types and locations of the sshd host keys. With that commit, we now get an extra "HostKey /etc/ssh/ssh_host_ecdsa_key" line in the sshd_config. And while we could avoid that by removing all hostkey-* items from PACKAGECONFIG, other people providing their own sshd_config via a .bbappend now have their HostKey settings unconditionally removed by the 'sed' invocations, regardless of PACKAGECONFIG. To make it easier for downstream layers and BSPs to define (and preserve) their own logic for placement and type of sshd host keys, factor out the new logic to a separate shell function. Downstream layers can then simply override that by an empty function and keep the behaviour they used to have. (From OE-Core rev: 09dd5cceecfaa2046f7ed070690b000181723fd2) Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: fix CVE-2024-6387Jose Quaresma2024-07-042-0/+28
| | | | | | | | | | | | | | | | | | | | | sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). Race condition resulting in potential remote code execution. A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems. This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config) though this makes denial-of service against sshd(8) considerably easier. For more information, please refer to the release notes [1] and the report from the Qualys Security Advisory Team [2] who discovered the bug. [1] https://www.openssh.com/txt/release-9.8 [2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt References: https://www.openssh.com/security.html (From OE-Core rev: 7ba7c96f31bd81c5d1352136e405e99c3df29ea7) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: allow configuration of hostkey typeMatthew Bullock2024-07-021-4/+25
| | | | | | | | | | | | | | | | | Allow selection of host key types used by openssh via PACKAGECONFIG. Any combination of hostkey-rsa, hostkey-ecdsa and hostkey-ed25519 can be specified. Default to just generating ecdsa keys. The current default generates all three keys. This can take a significant amount of time on first boot. Having all three keys does not significantly increase compatability. Also RSA keys are being deprecated as they are no longer considered secure. Using just an ecdsa key reduces key generation time by roughly 75%. (From OE-Core rev: 0827c29566f3ea63715a9f9e4ee2639f4eabe0bd) Signed-off-by: Matthew Bullock <mbullock@thegoodpenguin.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* native/nativesdk: Stop overriding unprefixed *FLAGS variablesRichard Purdie2024-07-012-2/+2
| | | | | | | | | | | | | | | | | | | | We're currently encouraging an "arms race" with the FLAGS variables since a recipe might want to set a specific flag for all variants but to do so, += won't work due to the assignment in the native/nativesdk class files. This means recipes are using append. Since the default variables are constructed out of TARGET_XXX variables and we redefine these, there is no need to re-define the un-prefixed variables. If we drop that, the += appends and similar work and recipes don't have to resort to append. Change the classes and cleanup a number of recipes to adapt to the change. This change will result in some flags appearing to some native/nativesdk variants but that is probably what was originally expected anyway. (From OE-Core rev: a157b2f9d93428ca21265cc860a3b58b3698b3aa) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Remove patch already upstreamedClément Péron2024-06-252-44/+0
| | | | | | | | | | | | | | | | Since the bump to OpenSSL 3.3.1, riscv32 doesn't build anymore due to the folowing error: crypto/riscv32cpuid.s:77: Error: symbol `riscv_vlen_asm' is already defined This is due to the patch beeing already applied upstream: Commit: 8702320db98d1346c230aff1282ade3ecdca681a (From OE-Core rev: 06c4168c7bd6a32cb7de3e003793c8e232714fad) Signed-off-by: Clément Péron <peron.clem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dhcpcd: upgrade 10.0.6 -> 10.0.8Trevor Gamblin2024-06-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog (https://github.com/NetworkConfiguration/dhcpcd/releases): 10.0.8: - Fixed compile without ARP - Fixed closefrom test for glibc - Fixed spelling of ADVERTISEMENT 10.0.7: - DHCP: use request_time, fallback_time and ipv4ll_time rather than reboot timeout - DHCP6: Wait for IRT to elapse before requesting advertisments - DHCPv6: Don't re-INFORM if the RA changes - privsep: Reduce fd use - dhcpcd: Add support for arp persist defence by @pradeep-brightsign in #273 - Move dhcp(v4) packet size check earlier by @pemensik in #295 - Define the Azure Endpoint and other site-specific options by @lparkes in #299 - add RFC4191 support by @goertzenator in #297 - dhcpcd: Respect IPV6_PREFERRED_ONLY flag regardless of state by @taoyl-g in #307 - Fix time_offset to be int to match RFC-2132 by @ColinMcInnes in #319 - hooks/30-hostname: Exit with 0 if setting hostname is not needed by @bdrung in #320 (From OE-Core rev: ab134edc9b7a17a7919f91060f3058467abe011c) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: drop add-test-support-for-busybox.patchAlexander Kanavin2024-06-242-48/+0
| | | | | | | | | | | The ptest package is nowadays depending on coreutils so busybox tweaks are both incomplete and unneeded. (From OE-Core rev: 2408b0b5ea3090fd151de22c91420210fd7ff48f) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ofono: upgrade 2.7 -> 2.8Martin Hundeb?ll2024-06-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: * Release 2.8 * build: Require at least version 0.66 when building with external ELL * qmi: Remove unused shutdown members in qmi_device_qrtr * drivers: Use the new license header format * plugins: Use the new license header format * isimodem: Use the new license header format * rilmodem: Use the new license header format * mbimmodem: Use the new license header format * unit: Use the new license header format * tools: Use the new license header format * include: Use the new license header format * dundee: Use the new license header format * core: Use the new license header format * qmimodem: Use the new license header format * atmodem: Use the new license header format * build: Add notifylist.[ch] from ell * udevng: Fix detection of USB attached tty devices * udevng: Don't crash for non-QMI devices * qmimodem: Remove the create exclusive service API * voicecall: Fix use after free * atmodem: gprs-context: use default PPP ACCM for Quectel serial modems * atmodem: sim: Fix CRSM result handling * qmi: gprs-context: support bind_mux for pcie devices * udevng: Add mhi subsystem detection * udevng: add and use get_ifname() for netdev nodes * gobi: ensure required properties are provided * gobi: Rename KernelDriver to NetworkInterfaceDriver * gobi: add / use DeviceProtocol property * qmi: Use l_basename instead of basename * log: Use l_basename instead of basename * build: link dundee with ell * log: Handle dladdr failure License-Update: license header replaced with spdx identifier (From OE-Core rev: fda6b3ff67b56828f5088667a2e3af0a5ffa6ae5) Signed-off-by: Martin Hundebøll <martin@geanix.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.3.0 -> 3.3.1Peter Marko2024-06-063-240/+1
| | | | | | | | | | | | | | Handles CVE-2024-4741 Removed included backports. Release information: https://github.com/openssl/openssl/blob/openssl-3.3/NEWS.md#major-changes-between-openssl-330-and-openssl-331-4-jun-2024 (From OE-Core rev: 3c7f8f87741702d50e29a5858802f74c5f4aab49) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add passthrough variables to work with bitbakeRichard Purdie2024-06-041-0/+1
| | | | | | | | | | | | | | | | | | Now that bitbake uses websockets over SSL as hashserv and is correctly limiting hash equivalence only to things in the orginal SDK, bitbake builds from buildtools can fail due to broken SSL from buildtools. The issue is that the relocation variables are being removed from the environment. This could be fixed within bitbake or it could be fixed within the SDK environment. This patch does the latter for now. We really need to improve openssl relocation within the SDK in general. Fixing this has become more urgent to fix failing builds in automated testing. (From OE-Core rev: 6a20667c166fa3d7e2b6e8e8b442dec0fc75f349) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mobile-broadband-provider-info: upgrade 20230416 -> 20240407Alexander Kanavin2024-05-301-3/+3
| | | | | | | | | | Convert to meson. (From OE-Core rev: 643c7c2219886253857fdc7618d5db12ddc0e9de) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libslirp: upgrade 4.7.0 -> 4.8.0Wang Mingyu2024-05-281-2/+2
| | | | | | | | (From OE-Core rev: c1e109eac0c7fa729ca8751c351306cba5f58564) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iw: upgrade 6.7 -> 6.9Wang Mingyu2024-05-281-1/+1
| | | | | | | | (From OE-Core rev: 27261cda1232ef1a84d1b0d8ba52dc9eb578db81) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* iproute2: upgrade 6.8.0 -> 6.9.0Wang Mingyu2024-05-281-1/+1
| | | | | | | | (From OE-Core rev: f516215f213d809cf89bc8e2e3b36119a80bee63) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: upgrade 9.18.26 -> 9.18.27Wang Mingyu2024-05-281-1/+1
| | | | | | | | | | | | | | Changelog: ========= * Skip to next RRSIG if signature has expired or is in the future rather than failing immediately. * Implement signature jitter for dnssec-policy. (From OE-Core rev: ccf45d3cbd06abd48ca2c82a790587457021e6e3) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ofono: upgrade 2.4 -> 2.7Martin Hundeb?ll2024-05-283-72/+1
| | | | | | | | | | | | | | | | | | | Remove 0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch as TEMP_FAILURE_RETRY usage has been removed in upstream commit 765c6655 ("treewide: Use L_TFR macro"). Remove 0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch as likely()/unlikely() has been removed in upstream commit dbbbebf9 ("mbimmodem: Remove usage of likely and unlikely"). Remove the do_configure:prepend() that purges the bundled ell directory, as it isn't needed when passing --enable-external-ell in EXTRA_OECONF. (From OE-Core rev: 9e018a52ab325dd15f129666fcf8a728fc7c7ec0) Signed-off-by: Martin Hundebøll <martin@geanix.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Fix build on riscvKhem Raj2024-05-232-0/+44
| | | | | | | | | GCC-14 unearths this bug which is already fixed upstream so backport it (From OE-Core rev: 0d5c61a1f5099639acf58b33288f466ce47847b5) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: patch CVE-2024-4603Peter Marko2024-05-222-0/+180
| | | | | | | | | Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46 (From OE-Core rev: f136006676750ac653cd7804396614210d1e5120) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>