Delete patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch"
since it is not used in the tcpdump recipe anymore.
Signed-off-by: Peiran Hong <peiran.hong@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 01b55a8a55)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This upgrade adds some new features and fixes numerous bugs including
the following CVEs:
CVE: CVE-2017-16808 (AoE)
CVE: CVE-2018-14468 (FrameRelay)
CVE: CVE-2018-14469 (IKEv1)
CVE: CVE-2018-14470 (BABEL)
CVE: CVE-2018-14466 (AFS/RX)
CVE: CVE-2018-14461 (LDP)
CVE: CVE-2018-14462 (ICMP)
CVE: CVE-2018-14465 (RSVP)
CVE: CVE-2018-14881 (BGP)
CVE: CVE-2018-14464 (LMP)
CVE: CVE-2018-14463 (VRRP)
CVE: CVE-2018-14467 (BGP)
CVE: CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
CVE: CVE-2018-10105 (SMB - too unreliably reproduced,
SMB printing disabled)
CVE: CVE-2018-14880 (OSPF6)
CVE: CVE-2018-16451 (SMB)
CVE: CVE-2018-14882 (RPL)
CVE: CVE-2018-16227 (802.11)
CVE: CVE-2018-16229 (DCCP)
CVE: CVE-2018-16301 (was fixed in libpcap)
CVE: CVE-2018-16230 (BGP)
CVE: CVE-2018-16452 (SMB)
CVE: CVE-2018-16300 (BGP)
CVE: CVE-2018-16228 (HNCP)
CVE: CVE-2019-15166 (LMP)
CVE: CVE-2019-15167 (VRRP)
CVE: CVE-2018-14879 (tcpdump -V)
Deleted patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch"
since the fix is included in the upgrade.
Modified patches "avoid-absolute-path-when-searching-for-libdlpi.patch",
"unnecessary-to-check-libpcap.patch", and "add-ptest.path" since
the upgrade renamed configure.in to configure.ac and made changes
to the file.
Added PACKAGECONFIG for smb. It is disabled by default in
the upgraded version in both the package's configure script and this
bitbake recipe since it is insecure.
Modified the parsing of ptest result to align with the new output
format.
With core-image-minimal on qemux86-64/kvm:
Recipe | Passed | Failed | Skipped | Time(s)
Before | 408 | 0 | 2 | 4
After | 431 | 11 | 2 | 10
11 test failed after the upgrade since libpcap is not upgraded
alongside with tcpdump.
Signed-off-by: Peiran Hong <peiran.hong@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 71535e2f0e)
[Upgrade is a resonable path do to the # of patches needed to address
all this issues]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport selected parts of three upstream commits to fix
CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
Upstream-Status: Backport
[ several ]
Upstream commits fully backported:
46aead6 [CVE-2017-16808/AoE: Add a missing bounds check]
Upstream commits partially backported:
7068209 [Use nd_ types in 802.x and FDDI headers.]
84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
pointers (1/n)]
46aead6 fixes the vulnerability and requires two macros defined in
7068209 and 84ef17a, which are committed after the release of 4.9.2.
Only the definition of the macros are taken from the two commits
as they impact a wide range of code and are difficult to integrate.
CVE: CVE-2017-16808
Signed-off-by: Peiran Hong <peiran.hong@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 62fc26075a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Replace source zip ball with tarball for net-snmp to avoid zip bomb issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
openvpn only provides options to update a pid file but not to check it
for running processes. Consecutive issued start commands therefore lead
to multiple running processes with the same configurations, which is the
origin of all kinds of problems of which unnecessary resource usage is the least.
Using start-stop-daemon the pid file is inspected for running processes
before start.
Signed-off-by: Fabian Klemp <fabian.klemp@axino-group.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This includes deletion of a frequency where transmission
is no longer legal in Japan.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fix below error:
file /etc/xinetd.d/telnet conflicts between attempted installs of netkit-telnet-0.17-r0.i586 and inetutils-telnetd-1.9.4-r0.i586
file /usr/sbin/in.telnetd conflicts between attempted installs of netkit-telnet-0.17-r0.i586 and inetutils-telnetd-1.9.4-r0.i586
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* it was upgraded to 0.2.1 in:
commit 50979151e6
Author: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Date: Sat Mar 16 18:22:59 2019 +0100
igmpproxy: update to 0.2.1
* which includes _GNU_SOURCE:
7d790aa2f1
* and includes sys/types.h in os-linux.h:
6f92242b23
* and the patch doesn't apply cleanly:
ERROR: Fuzz detected:
checking file src/igmpproxy.h
Hunk #1 succeeded at 51 with fuzz 2 (offset 5 lines).
patching file src/igmpproxy.h
Hunk #1 succeeded at 51 with fuzz 2 (offset 5 lines).
The context lines in the patches can be updated with devtool:
devtool modify lib32-igmpproxy
devtool finish --force-patch-refresh lib32-igmpproxy <layer_path>
Don't forget to review changes done by devtool!
ERROR: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Depends on ipsec-tools which is already MACHINE_ARCH (and also RRECOMMENDS kernel modules)
* Fixes:
ERROR: umip different signature for task do_configure.sigdata between hammerhead and mako
Hash for dependent task umip/umip_1.0.bb.do_prepare_recipe_sysroot changed from 7c74a208880f6c8a5aa46b1c8577e39b6b71429d9a379ea75f17a155ca270035 to 87c6cd438dd9645c98530e3ac1094005bace785bfd89bfe4073bc8815926abba
Unable to find matching sigdata for /OE/build/luneos-master/webos-ports/meta-openembedded/meta-networking/recipes-connectivity/umip/umip_1.0.bb.do_prepare_recipe_sysroot with hashes 7c74a208880f6c8a5aa46b1c8577e39b6b71429d9a379ea75f17a155ca270035 or 87c6cd438dd9645c98530e3ac1094005bace785bfd89bfe4073bc8815926abba
bitbake-diffsigs /OE/build/luneos-master/webos-ports/tmp-glibc/sstate-diff/1557963509/[hm]*/*/umip/*do_prepare*.sigdata*
Hash for dependent task ipsec-tools/ipsec-tools_0.8.2.bb.do_populate_sysroot changed from 1100c4984d88050bb7ca154445205bac3c3ab80c3ff0aa7c9124825c9d4f6e14 to feeddbd35a8106b264c98076e21d0b3cb227ab1d209e150926112b2906273ef4
Unable to find matching sigdata for /OE/build/luneos-master/webos-ports/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb.do_populate_sysroot with hashes 1100c4984d88050bb7ca154445205bac3c3ab80c3ff0aa7c9124825c9d4f6e14 or feeddbd35a8106b264c98076e21d0b3cb227ab1d209e150926112b2906273ef4
as detected with:
openembedded-core/scripts/sstate-diff-machines.sh --targets=world --tmpdir=tmp-glibc/ --analyze --machines="hammerhead mako qemux86"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* This includes security fixes that adresses the following defects:
CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
CVE-2019-3880 (Save registry file outside share as unprivileged user)
* Upstreamed patch removed:
0001-ldb-Refuse-to-build-Samba-against-a-newer-minor-vers.patch
* Extended PACKAGECONFIG ad-dc to be able to build MIT Kerberos
see https://bugzilla.samba.org/show_bug.cgi?id=13678
Signed-off-by: Johannes Pointner <johannes.pointner@br-automation.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The openhpi-fix-testfail-errors.patch tries to fix 2 saftest failures.
But the second fix is not correct. It should not return false when there
is no surrogate pairs since for the code points in UTF-16 Basic
Multilingual Plane (BMP), there is no need surrogate pairs. We should
update saftest case to fix this failure.
Also add more description for the first fix.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License checksum was changed due to updated copyright years.
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License has been changed due to reformatting, no new stuff added.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Now that we can install smbclient without samba package e.g for gvfs there are
complains:
| gvsd: mkdir failed on directory /var/lib/samba: Permission denied
and browsing Windows network does not work anymore
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Otherwise bundled libraries find their way into samba
-> that causes several packages to rdepend on samba package
-> samba package rdepends on samba-base (and others) installing daemons
smbd & nmbd autostarted by default. This is unwanted / not necessary:
* NetBIOS (nmbd) can cause a security problems
* slow boot: times reported by systemd-analyse reduced from ~16s -> ~8s
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Install missing openhpi.conf to ptest directory to fix failure of ptest
case ohpi_035:
(process:3559): openhpid-CRITICAL **: 08:41:04.036:
../../openhpi-3.8.0/openhpid/conf.c:623: Configuration file
'../../../../openhpi-3.8.0/openhpid/t/ohpi/openhpi.conf' could not be
opened.
FAIL: ohpi_035
Also chage the configure files mode from 755 to 644.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
drbd-utils installs directory /var/run but is a link file installed by
package base-files. Remove /var/run to fix the file conflict issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to build drbd with errors:
| LD [M] .../tmp/work/qemux86_64-poky-linux/drbd/9.0.17-1-r0/drbd-9.0.17-1/drbd/drbd.o
| x86_64-poky-linux-ld.bfd: cannot find
| .../tmp/work/qemux86_64-poky-linux/drbd/9.0.17-1-r0/drbd-9.0.17-1/drbd/drbd_bitmap.o: No such file or directory
Backport patch from upstream to fix the issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Functions registered by atexit and on_exit have different signatures,
if registered with atexit no parameters are passed.
The function only prints a trace on nonzero exit(),
so can safely be disabled in musl builds.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
patches:
* Split out systemd specifics
* Simplfy patch to fix musl / linux-libc definition conflicts. This makes
future maintenance less pain and fixes build for recipes depending on
networkmanager.
For further background read patch description in 0002-Fix-build-with-musl.patch
musl CFLAGS:
* -D__USE_POSIX199309 removed - could not find any trace of it
* CFLAGS_libc-musl_append -> CFLAGS_append_libc-musl
gobject-introspection:
* enable - it builds perfectly fine
Build tested (musl/glibc) with all dependents found in my layers:
* network-manager-applet
* networkmanager-openvpn
* python-networkmanager
* networkmanager-qt
* plasma-nm
* liri-networkmanager
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- refresh and remove obsolete patches
- add openssl and esi as package options
- add missing header for std::bind implementation
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
