| Age | Commit message (Collapse) | Author |
|---|
|
upstream patch
This also fixes a dhcp breakage noticed by Enrico Scholz.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped
0008-tweak-to-support-external-bind.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Source: OE.org
MR: 99751, 99752, 99753
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4
ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01
Description:
Bugfix-only compared to 9.11.5, mostly CVE fixes.
COPYRIGHT checksum changed due to 2018 -> 2019.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Included cves:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
]
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
Source: bind.org
MR: 99750
Type: Security Fix
Disposition: Backport from bind.org
ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224
Description:
includes:
CVE-2018-5738
drop patch for CVE-2018-5740 now included in update
see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Add RECIPE_NO_UPDATE_REASON for lts
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Also includes CVE-2018-5740]
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
I goofed up the scissor line on the last attempt. Not sure how much it matters,
but here it is correct this time.
Here it is, updated to work with wpa-supplicant_2.6.bb.
-- >8 --
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=
When building root filesystems with any of the wpa_supplicant systemd
template service files enabled (current default is to have them disabled) the
systemd-native-fake script would not process the line:
Alias=multi-user.target.wants/wpa_supplicant@%i.service
appropriately due the the use of "%i."
According to the systemd documentation "WantedBy=foo.service in a service
bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in
the same file." However, this is not really the intended purpose of install
Aliases.
All lines of the form:
Alias=multi-user.target.wants/*%i.service
Were replaced with the following lines:
WantedBy=multi-user.target
Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Backport patch to fix CVE-2017-6519.
CVE: CVE-2017-6519
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Fix this CVE (Bluetooth discoverability may be enabled with no agents to handle
requests) by backporting a number of patches from upstream.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Update the bluez5 init script to resolve an issue where the status
subcommand would exit without printing any message if bluez was not
running. The early exit was caused by the fact that the init script has
"set -e". When "pidof ${DAEMON} >/dev/null" is executed, the script
terminates immediately if bluez isn't running because pidof returns a
non-zero result. The fixed version does not suffer from this issue and
makes use of the "status" function from the functions library.
Signed-off-by: David Frey <dpfrey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Introduced at or before 5.50.
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
License-Update: copyright years updated
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Whether the AFALG engine (use of hardware crypto via AF_ALG) is enable or
disable depends on whether the host kernel is 4.1 or above, which has no bearing
on whether the target system supports it.
Remove the complicated logic and simply enable/disable as requested.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The old bsd cryptodev engine was removed in
https://github.com/openssl/openssl/pull/3699
and the new one added in:
https://github.com/openssl/openssl/pull/3744
It can be enabled by configuring with "enable-devcryptoeng".
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
It is only needed by 95-test_external_pyca_data which is
actually skipped on the target.
[YOCTO #13204]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
openssl-ptest was recording now results, despite most tests passing. Fix
so that the successes/skips/failures are reported correctly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The fix is heavily based on Khem's previous fix for bn.h/BN_LLONG breakage:
https://git.openembedded.org/openembedded-core/commit/?id=f787b0bb9b0626ddbf2ac94cb206c76716a3773d
(From OE-Core rev: 914e1520bf9c45e14bce9993c9131a2c0702b9c9)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
After adding #pragma once to wrapper header ( opensslconf.h ) this
latent issue got to bite us, where it expect bn.h to be including
openssl.h to define BN_* defines, which is fragile. This patch removes
the contraints for nested includes for bn.h
(From OE-Core rev: f787b0bb9b0626ddbf2ac94cb206c76716a3773d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: 03149ca307282c22dd9ceb6fe3224bf586b03f6d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
To avoid issue like below if run "bitbake lib32-core-image-minimal"
with series userspace packages(LAMP,krb5...) added.
Add multilib_script support for openssl's c_rehash which is a perl script.
Error: Transaction check error:
file /usr/bin/c_rehash conflicts between attempted installs of
lib32-openssl-bin-1.1.1-r0.armv7at2hf_neon and openssl-bin-1.1.1-r0.aarch64
(From OE-Core rev: a4032f3cc5de451f0e97eca1f0cbe4a310e1560b)
Signed-off-by: Xulin Sun <xulin.sun@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The current iw4.14 has a fatal bug that could casue a Segmentation fault
when parsing WEP keys. The issue has been fixed by upstream.
[https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git/commit/?id=0e39f109c4b8155697a12ef090b59cdb304c8c44]
(From OE-Core rev: 6de9eb72f679dd8d8e4de972b1da978522cff8b4)
Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Fixed:
cp ../bluez-5.50/tools/hid2hci.rules tools/97-hid2hci.rules
cp: cannot create regular file tools/97-hid2hci.rules: No such file or directory
make[1]: *** [tools/97-hid2hci.rules] Error 1
(From OE-Core rev: 5cb2b165cf89a307531e199248bc98fb51541521)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This code is written for elfv1 ABI in mind and linked as such: disable
all optimizations at the moment when building for powerpc64 with musl.
(From OE-Core rev: bee9e807430178426b2a5635b573ae285e889c39)
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
When built without D-Bus, libavahi-client is not build:
Building libavahi-client: no (You need avahi-daemon and D-Bus!)
which causes avahi-dev RDEPENDS failing when creating an image
containing development-tools:
* - nothing provides libavahi-client = 0.7-r0 needed by avahi-dev-0.7-r0.cortexa8hf-neon
(From OE-Core rev: 319532792435be73e96c8319e90336e1298ac2a1)
Signed-off-by: Jens Rehsack <sno@netbsd.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: fab0f5162b930f87798be61359a5c287fb13a76c)
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This file contains CC, CPP, CFLAGS, CXXFLAGS and the like.
(From OE-Core rev: c423cd1070045849c3a5b4e2b53043b28e5194f7)
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
In case of SDK generation, /usr/bin/ path are not correct
and must be replaced by ${bindir}.
(From OE-Core rev: 0fa7d99444763192914e798d8bc9dba1d9cdae42)
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: eec95f90093a6aa1d8be145e351fc9df4abef172)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: b5acefc041b2316c75eefae745d894412ac7bd78)
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
According to both the README and source headers, the LICENSE value for
socat is explicitly GPLv2, not v2 or later, so adjust LICENSE
accordingly (leaving aside whether "GPL-2.0+-with-OpenSSL-exception"
should actually be considered a valid LICENSE string or not).
(From OE-Core rev: 466044a341a8b42159bd9388950c9079e0d7a2c3)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The openssl build system generates buildinf.h containing the full
compiler command line used to compile objects. This breaks
reproducibility, as the compile command is baked into libcrypto, where
it is used when running `openssl version -f`.
Add stripped build variables for the compiler and cflags lines, and use
those when generating buildinfo.h.
This is based on a similar patch for older openssl versions:
https://patchwork.openembedded.org/patch/147229/
Signed-off-by: Martin Hundebøll <martin@geanix.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patch to fix CVE-2018-0735 for openssl 1.1.1.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1
versions.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
OpenSSL supports out-of-tree builds so we should use them. This makes builds
more reliable, and makes it easier to reduce the size of the ptest package.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously the ptest installation was simply a copy of the entire build tree,
which is terribly ugly.
Instead copy just the pieces we need, symlink to /usr as appropriate, and add
missing dependencies. Remove PRIVATE_LIBS as we don't ship copies of the
libraries now.
Also remember to do 'set -x' in run-ptest, so if the tests fail the runner
knows!
[ YOCTO #12965 ]
[ YOCTO #12967 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use dhcpd6.conf for DHCP IPv6 and dhpcd.conf for DHCP IPv4.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The comment here stated that openssl is dual-licensed, but that would
mean that either of the two licenses could be used which is *not* the
case [1]. However LICENSE = "openssl" *is* correct because in OE that
maps to a generic license file which includes both licenses, which
makes sense because there isn't really any such thing as OpenSSL that
would be covered by the "OpenSSL license" and not the "SSLeay license".
Correct the comment to avoid any confusion.
[1] https://www.openssl.org/source/license.html
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The generated key file should try to have bind group so that if
the named daemon is started via '-u bind' option, which is the
default in OE core, we will not get startup failure because of
'permission denied' error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1. The building openssl requires to install perl Text::Template module(>=1.46),
but Text::Template is a non core Perl module, openssl chooses to bundle
Text::Template 1.46 into the source, for convenience.
https://github.com/openssl/openssl/commit/8ff2af548303d311ce3591406111f77862875a60
2. While Text::Template < 1.46, the produced build files are gravely faulty.
https://github.com/openssl/openssl/pull/6682
3. If host has installed Text::Template < 1.46 (such as CentOS-7.5 has Text::
Template 1.45). The mismatched old module was used although the right one in
openssl source.
So set PERL5LIB to use deterministic perl Text::Template module bundled
by openssl source and ignore the one of host
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These patches are all upstream now, so mark as Backport.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The upstreamable include-tweaking patches contained fragments that should be in
the not-upstreamable musl-specific res_ninit replacement, so move them to the
right patch.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The case in ptest use `nm -Pg libcrypto.so' to check symbol presence,
if library is stripped or debug split, the case will fail.
The test case needs debug symbols then we just disable that test.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
It adds ${libdir} to linker options in scripts bind9-config and
isc-config.sh. And then causes install file conflicts when install bind
andl ib32-bind both.
Inherit multilib_script.bbclass to fix this issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The configure script ended up creating Makefile with
LIBDIR=/lib
which got leaked into various places including all
pkg-config .pc files where lines like (note the
double slash //):
libdir=${exec_prefix}//lib
...
Libs: -L${libdir} -lcrypto
which causes pkg-config --libs to include the full absolute path
to the recipe specific sysroot. This isn't a big problem
until something like CMake projects start generating
their own .cmake modules using this absolute path and exposing
them to sysroots of other bitbake recipes thus escaping
their recipe specific sysroots.
Then the fun begins when these users of the .cmake module start
to randomly fail builds with error messages like:
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /lib/libpthread.so.0
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /usr/lib/libpthread_nonshared.a
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
WARNING: exit code 1 from a shell command.
As luck has it, this problem goes away by recompiling the recipes
alone but repeats with multiple recipes here and there when full
images are build.
A careful inspection of multi page linker command lines shows
that some linker paramaters point to libraries in a different
recipes sysroot than what bitbake was building when the task
failed.
So, fix is to remove this one extra slash from openssl
library path configuration option. This changes openssl
Makefile to have:
LIBDIR=lib
and all users of LIBDIR variable in the Makefile are already
adding slashes as path separators if that is needed.
With this the generated .pc files have:
libdir=${exec_prefix}/lib
and pkg-config --libs knows to strip the already default
sysroot path away.
This then fixes the generated .cmake files to not include
these absolute paths and fixes the random build failures
when building images.
Thanks to Thomas, Michael and Ross for debugging support!
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Cc: Thomas Witt <thomas.witt@bmw.de>
Cc: Michael Ho <michael.ho@bmw.de>
Cc: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fixes build for older versions of git which don't follow redirects
properly if the .git suffix is missing.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Current configuration for debian-mips64 is not correct,
'SIXTY_FOUR_BIT_LONG' need to be specified. otherwise,
it will cause other recipe like crda compile failed since
use default THIRTY_TWO_BIT mode.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Since openssh support oepnssl 1.1.x, there is no reason
to keep libressl.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Adrian Bunk
Ruslan Bilovol
Armin Kuster
Armin Kuster
Joshua DeWeese
Kai Kang
Ross Burton
David Frey
Peter A. Bigot
Chen Qi
Otavio Salvador
Ovidiu Panait
Alexander Kanavin
Richard Purdie
Denys Dmytriyenko
Khem Raj
Xulin Sun
Liu Haitao
Robert Yang
Serhey Popovych
Jens Rehsack
Douglas Royds
Christophe PRIOUZEAU
Changhyeok Bae
Paul Eggleton
Martin Hundebøll
Yi Zhao
Hongxu Jia
Mikko Rapeli
Alexey Brodkin
Anuj Mittal
Changqing Li