Changelog:
==========
* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
Fixed a scenario where SSL traffic was not detected correctly.
* src/dynamic-preprocessors/smtp/snort_smtp.c :
Fixed a possible memory corruption.
* src/dynamic-preprocessors/imap/imap_util.c
src/dynamic-preprocessors/pop/pop_util.c
src/dynamic-preprocessors/smtp/smtp_util.c
src/preprocessors/spp_httpinspect.c :
Fixed malformed packet debug engine output.
* src/preprocessors/Stream6/snort_stream_tcp.c :
Fixed security zones info in intrusion events.
* src/dynamic-preprocessors/appid/fw_appid.c :
Fixed URL lookup failure.
* src/preprocessors/HttpInspect/server/hi_server.c :
Fixed a possible memory leak.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
src/dynamic-preprocessors/appid/fw_appid.c
src/dynamic-preprocessors/appid/fw_appid.h
src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h :
Added support for dns root queries and underflow.
* src/dynamic-preprocessors/smtp/snort_smtp.c
src/Makefile.am
src/dynamic-examples/Makefile.am
src/dynamic-plugins/sf_dynamic_plugins.c
src/dynamic-plugins/sf_dynamic_preprocessor.h
src/dynamic-preprocessors/Makefile.am
src/dynamic-preprocessors/smtp/snort_smtp.h
src/dynamic-preprocessors/smtp/spp_smtp.c
src/smtp_api.h :
Added support to get extra data from SMTP and HTTP into IPS event.
* src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c
src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c :
Added support for login success and failure eventing for IMAP and POP3.
* src/dynamic-preprocessors/appid/hi_server.c :
Added support to handle empty string for SNI/CN/SAN/ORG.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Merge pull request #1178 from yishaih/mlx5_misc
mlx5: Fix check for SQ overflow in bind_mw
mlx5: DR, Add support for modify IP ECN action for CX7
Merge pull request #1175 from zhijianli88/print-style
Merge pull request #1176 from EdwardSro/pr-extend-wqe-class
Merge pull request #1174 from EdwardSro/pr-pyverbs-read-write
Merge pull request #1170 from Hakon-Bugge/rdma_xserver_xclient
Merge pull request #1166 from EdwardSro/pr-tests-fixes
pyverbs/mr.pyx: Make MR and MW print style identical
pyverbs: Extend segments format of WQE class
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2021.
0001-Fix-build-under-GCC-fno-common.patch
0001-configure-Check-for-flex-if-lex-is-not-found.patch
removed since they're included in 1.1.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Split out apache2-utils so this small package could be used by
other packages. For example, htpasswd could be used by docker-registry.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Do note that some collectors (a.k.a. plugins) moved from Python to
Go. And Go is not (yet) part of this recipe.
More info at https://github.com/netdata/netdata/releases/tag/v1.35.0
under 'Deprecated in this release'
The patch should be handled by recoding upstream.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0004-apache2-log-the-SELinux-context-at-startup.patch
refresh for new version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.54
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport 2 patches to fix the below build failure when
debug build is enabled.
Add DEBUG_BUILD = "1" in conf/local.conf.
$ bitbake s-nail
| /build/tmp-glibc/work/corei7-64-wrs-linux/s-nail/14.9.24-r0/recipe-sysroot-native/usr/bin/x86_64-wrs-linux/../../libexec/x86_64-wrs-linux/gcc/x86_64-wrs-linux/12.1.0/ld: mx-047.o: in function `a_nm_alias_expand':
| /usr/src/debug/s-nail/14.9.24-r0/s-nail-14.9.24/src/mx/names.c:308: undefined reference to `su_cs_dict_lookup'
| /build/tmp-glibc/work/corei7-64-wrs-linux/s-nail/14.9.24-r0/recipe-sysroot-native/usr/bin/x86_64-wrs-linux/../../libexec/x86_64-wrs-linux/gcc/x86_64-wrs-linux/12.1.0/ld: mx-028.o: in function `mx_fs_linepool_book':
| /usr/src/debug/s-nail/14.9.24-r0/s-nail-14.9.24/src/mx/file-streams.c:1036: undefined reference to `su_mem_get_can_book'
collect2: error: ld returned 1 exit status
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14829 reports
that duktape isn't fully compatible with mozjs as the supported
javascript features are different. duktape supports
ECMAScript standard version 5 while mozjs supports a lot more.
See https://kangax.github.io/compat-table/es5/ for the differences.
Thus the change from mozjs to duktape may break some rules
which rely on javascript features which duktape doesn't support,
for example array.includes() function,
https://kangax.github.io/compat-table/es6/https://262.ecma-international.org/7.0/#sec-array.prototype.includes
For many embedded systems which care about fast boot times and smaller
rootfs using duktape is recommended but rules must be written in reduced
set of ECMA script language features. For array.includes() one alternative
is "array.indexOf(search) >= 0".
[YOCTO #14829]
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We encountered a runtime error with slappasswd:
$ slappasswd -s foo
Password generation failed for scheme {SSHA}:
This is because the URANDOM_DEVICE is not passed to CPPFLAGS correctly,
then the program can not open /dev/urandom.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
News in 1.11.1, 2022-06-10
--------------------------
* Build: minor improvements, small change to how enum-types are built.
* A few documentation improvements.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove change of default for clear_untrusted_proxy_headers
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bugfixes
==========
Improve logging when keyring fails. (#890)
Reconfgure root logger to show all log messages. (#896)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*Improved macro definition logic and platform detection to enable building
universal2 binary wheels for macOS, alongside arm64 and x86_64 ones;
added step to GitHub Actions to generate and publish them (#28).
*Mention explicit support for Python 3.10.
*Fixed minor compilation warning in ARM64 builds.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add dependence asyncio.
Changelog:
==========
Parse SPNs in SYM Files
Miscellaneous smaller fixes
Implement support for AUTOSAR secure on-board communication
Distribute & expose type annotations per PEP 561
Add more type annotations
Improve encoding performance
Add Support for Dumping Database as SYM File
Fix SYM file bugs
Fix parsing of referenced data in CDDs
implement decoding of partial messages
Use floating point scaling in encoding
Small improvements after #417
minor bug fixes and improvements
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
*Alembic 1.8 now supports Python 3.7 and above.
*The "Pylons" environment template has been removed as of Alembic 1.8. This
template was based on the very old pre-Pyramid Pylons web framework which
has been long superseded by Pyramid.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*Flag instances now raise an error if used in a bool context.
This prevents the occasional mistake of testing an instance for truthiness
rather than testing flag.value.
*absl-py no longer depends on six.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Support Python 3.11 (beta)
refresh ci settings.
Don't define _*ENDIAN macro on Unix.
Update setuptools and black
Use PyFloat_Pack8() on Python 3.11a7
Upgrade black to fix CI
Fix Unpacker max_buffer_length handling
ci: Update action versions.
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Bugs fixed
----------
* GH#341: The mixin inheritance order in ''lxml.html'' was corrected.
Patch by xmo-odoo.
Other changes
-------------
* Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.
* Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
(libxml2 2.9.12+ and libxslt 1.1.34 on Windows).
* GH#343: Windows-AArch64 build support in Visual Studio.
Patch by Steve Dower.
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Maximum number of tries, in rare cases, is insufficient for
elf parse. Backport patch that fixes the issue.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup SSH tokens is the only feature that has a dependency on
libssh. Add a packageconfig to control this dependency.
Change-Id: Iac4f91e099ad2e3a79aab183734108f8bfbff57f
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update firewalld by 2 major versions, which also includes breaking and
behavioral changes.
Highlights from 0.9 to 1.0:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Details:
- https://firewalld.org/2021/07/firewalld-1-0-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
From 1.0 to 1.1 is mostly a bug fix release update.
Details:
- https://firewalld.org/2022/02/firewalld-1-1-0-release
- https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0
Improvements on the recipe:
- Add ptest
- Very helpful to get all the kernel modules
- Long running, probably not suitable for any OE autobuilder
- RRECOMMENS kernel modules, document configuration
- Improve package splitting
- firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK.
The dependencies were not correctly set but the code was ending up
on the target device. Now the code gets into a separate package but
the dependeinces are probably still not complete. Since this is
probably not used anyway it is not tested yet. It's still not
perfect but much better than installing broken stuff to the target
device.
- The dependenices are added to variables instead of rdepends to keep
the meta-qt5 and gnome layers optional also at build-time.
- New packageconfigs: ebtables, ipset. This is mosly required to get the
test suite running but probably also usable otherwise.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* A new connection status dispatcher setup is provided, where users can
provide custom scripts that will be called on bearer connect/disconnect
events. This dispatcher will make the netifd integration in openwrt work
much better, as we'll be able to report network-initiated disconnections
cleanly to netifd.
There are no default connection status dispatcher scripts installed, but
it's suggested distributions make sure the following directories exist:
- ${sysconfdir}/ModemManager/connection.d/
- ${libdir}/ModemManager/connection.d/
* API:
** Add missing Simple interface definitions in ModemManager-names.h.
* Build:
** meson: fix daemon enums dependencies.
** meson: fix port enums includes.
** meson: fix 'export_packages' in GIR setup.
** meson: fix simtech plugin module name.
** systemd: don't run ModemManager in containers.
* Core:
** serial: ensure the port object is valid after BUFFER_FULL handling.
** netlink: use unaligned netlink attribute length.
** netlink: only change IFF_UP flag.
** bearer: match unknown auth to chap in loose comparisons.
** charsets: return error if UTF-8 validation fails.
** fcc-unlock: make scripts POSIX shell compatible.
** modem-helpers: consider minimum ID when choosing best profile.
** modem-helpers: fix reading <Act> given in COPS=? responses.
** sms: prevent crash if date is out of range.
** profile-manager: fix copy-paste error on tags for quarks.
* QMI:
** Ignore slot status indications until initial status is known.
** Return error when loading capabilities if none is found.
* MBIM:
** Default initial EPS bearer's auth to chap when unknown.
** Update default error when network error is out of range.
* mmcli:
** Fix key length when printing list of items.
* Plugins:
** linktop: new port type hints.
** cinterion: add support for PLSx3w modems
** huawei: disable +CPOL based features in Huawei E226
* Several other minor improvements and fixes.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Add support for route type "throw".
* Fix bug setting priority for IP addresses.
* Static IPv6 addresses from "ipv6.addresses" are now preferred over
addresses from DHCPv6, which are preferred over addresses from autoconf.
This affects IPv6 source address selection, if the rules from
RFC 6724, section 5 don't give a exhaustive match.
* Static IPv6 addresses from "ipv6.addresses" are now interpreted with
first address being preferred. Their order got inverted. This is now
consistent with IPv4.
* Wi-Fi hotspots will use a (stable) random channel number unless one is
chosen manually.
* Don't use unsupported SAE/WPA3 mode for AP mode.
* NetworkManager will no longer advertise frequencies as supported when
they're disallowed in configured regulatory domain.
* Attempt to connect to WEP-encrypted Wi-Fi network will now fail
gracefully with a recent version of wpa_supplicant when built
without WEP support. As long as wpa_supplicant supports WEP,
NetworkManager will continue to work.
* Disable WPA3 transition mode for wifi.key-mgmt=wpa-psk if the NIC
does not support PMF. This is known to cause problems in some setups. It
is still possible to explicitly configure wifi.key-mgmt=sae for WPA3.
* Add new dummy crypto backend "null" that does nothing. NetworkManager
uses the crypto library when handling certificates for 802.1x profiles.
* Veth devices with name "eth*" are now managed by default via the
udev rule. This is to support managing the network in LXD containers.
* The hostname received from DHCP is now shortened to the first dot
(or to 64 characters, whatever comes first) if it's too long.
* As the insecure WEP encryption for Wi-Fi network is phased out,
nmcli now discourages its use when activating or modifying a
profile.
* Fix connectivity checks in case the check endpoint address resolves to
multiple addresses.
* Workaround libcurl blocking NetworkManager while resolving DNS names.
* nmcli: indicate missing Wi-Fi hardware when showing rfkill setting.
* nmcli: add connection migrate command to move a profile to a specified
settings plugin. This allows to convert profiles in the deprecated ifcfg-rh
format to keyfile.
* Set "src" attribute for routes from DHCPv4 to the leased address. This
helps with source address selection.
* Updated translations.
* Various bugfixes and internal improvements.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
From NEWS file of netowrkmanager 1.32:
firewall: add nftables firewall backend for configuring IPv4 NAT with
shared mode. Now two backends are supported, "iptables" and "nftables".
The default gets detected based on whether /usr/sbin/nft or
/usr/sbin/iptables is installed, with nftables preferred.
With this change nftables is not the prefered backend also with OE. But
it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
iptables.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The main motivation for this rework is to support compiling the
NetworkManager with many plugins, but to install only a few of them in
a firmware image. This is advantageous when different products with
different network interfaces should be supported by only one binary
distribution. This is more in line with the way NetworkManager is
designed and used by other binary Linux distributions. Basically this
is already supported since the last rework of the networkmanager recipe.
However, the rrecomments from networkmanager to all available plugins is
not straight forward to be used in such a scenario. Installing only a
subset of the compiled plugins required to override the rrecommends
from networkmanager to the plugins in some way. To simplify the usage
the networkmanager package is now an empty meta package and
networkmanager itself gets moved to a new networkmanager-daemon package.
This allows to keep backward compatibility: Installing the
networkmanager package still adds all compiled plugins to the firmware.
But with the new package splitting it's also possible to install for
example only the networkmanager-wifi but not the networkmanager-wwan
package even if networkamanger has been compiled with the modemmanager
PACAKGECONFIG flag enabled as well.
The relation from plugins to services is now a stronger rdepends which
reflects better how NetworkManager is supposed to be used. If a plugin
is installed but the required service is not the plugin periodically
tries to connect to the service and reports error messages to the syslog
if the service is not available. Therefore it's better to make the
installation of the plugin optional but not the installation of the
services.
The bash-completion package adds support for the nmcli command line
utility. This change also moves the bash completion configuration to a
new package networkmanager-nmcli-bash-completion. This is more
consistent anyway but gets even more important when the networkmanager
package gets optional.
To simplify the usage of all these packages a SUMMARY:${PN}-.. for each
packages has been added.
The separation of the doc packages has been removed.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Plugins of networkmanager redpends on related services. If for example
modemmanager or wpa-supplicant is not installed but the related
networkmanager plugin is, the plugin writes error messages to the
syslog.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
