Age | Commit message (Collapse) | Author |
|
In wpa_supplicant and hostapd 2.9, forging attacks may occur because
AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and
tls/x509v3.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30004
Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b32b671bf430b36a5547f8d822dbb760d6be47f7)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Only security issues fixed in this release according to
https://www.openssl.org/news/cl111.txt
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant
before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests.
It could result in denial of service or other impact (potentially
execution of arbitrary code), for an attacker within radio range.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-27803
Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 81e4260b83c52558c320fd7d1c1eafcb312ad6be)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
BIND Operational Notification: Zone journal (.jnl) file incompatibility.
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write
due to a missing bounds check. This could lead to remote code execution
if the target device is performing a Wi-Fi Direct search, with no
additional execution privileges needed. User interaction is not needed
for exploitation.Product: AndroidVersions: Android-10 Android-11
Android-8.1 Android-9 Android ID: A-172937525
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-0326
Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e<links_for_CVE_patches>
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b7940edabe100512e8f558cc37f9da836feae74d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a67635ca2c7a016efcf450e4011f2032883e995d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Bug fix only and includes two security fixes:
CVE-2021-26675
CVE-2021-26676
Changelog:
- Fix issue with scanning state synchronization and iwd.
- Fix issue with invalid key with 4-way handshake offloading.
- Fix issue with DNS proxy length checks to prevent buffer overflow.
- Fix issue with DHCP leaking stack data via uninitialized variable.
[Yocto #14231]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit eb20fd47d738f469f7bbeb4b8d85040f9163722b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
This fixes openssh failing to work on qemux86 with glibc 2.33 due to
seccomp and the fact new syscalls are used. Also likely fixes issues
on other platforms.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 22f8ce6e6d998c0539a40b2776b1a2abb4f44bb3)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17df664a32a74f17baaef8c31ac23adec2d6255f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 812eb3121e0aabe4e3de9a8c61b1e62c87f55aa4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
This fixes a NULL pointer dereference in GENERAL_NAME_cmp function.
CVE: CVE-2020-1971
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5f486c39a766f921fb4374165b6e342dd87244ec)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Release note:
https://github.com/bluez/bluez/commit/5a180f2ec9edfacafd95e5fed20d36fe8e077f07
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c2895e3e4eabca64cbcc8682e72d25026df5e5f0)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
The OpenSSH server, as used in Fedora and Red Hat Enterprise
Linux 7 and when running in a Kerberos environment, allows remote
authenticated users to log in as another user when they are listed
in the .k5users file of that user, which might bypass intended
authentication requirements that would force a local login.
Whitelist the CVE since this issue is Redhat specific.
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 309132e50d23b1e3f15ef8db1a101166b35f7ca4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
[ Yocto # 14074 ]
Add init scripts for dhcp4,6 and ddns
Signed-off-by: Armin kuster <akuster808@gmail.com>
--
V2]
remove 'status' from usage
add patch to fix ps -p in keactrl.in
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
By default, the dhcpcd will search ntp/chrony/ypbind in host path when
configuring and install the hooks once it find them. Add PACKAGECONFIG
for these hooks to avoid the host contamination.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
enabling it by default so there is no behavior change.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
As the default network manager, connman has its own internal DHCP
implement. If run dhcpcd and connman simultaneously, they may conflict
with each other.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Host keys are getting bigger and taking an ever increasing amount of time
to generate. Whilst we do need to test that works, we don't need to test
it in every image. Add a recipe which can be added to images with
pre-generated keys, allowing us to speed up tests on the autobuilder
where it makes sense to.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The dhcpcd enables privsep by default. It requires a user added to the
system. Add dhcpcd user and group to support it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Set --runstatedir to /run/dhcpcd rather than /var/run/dhcpcd
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Set --dbdir to /var/lib/dhcpcd rather than /var/db/dhcpcd to satisfy FHS
compliance
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There are conflict of config files between kea and lib32-kea:
| Error: Transaction test error:
| file /etc/kea/kea-ctrl-agent.conf conflicts between attempted installs of
lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
| file /etc/kea/kea-dhcp4.conf conflicts between attempted installs of
lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
Because they are all commented out, replace the expanded libdir path with
'$libdir' in the config files to avoid conflict.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The named service fail to start as below:
# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-16 06:07:49 UTC; 9s ago
Process: 134206 ExecStartPre=/usr/sbin/generate-rndc-key.sh (code=exited, status=1/FAILURE)
Sep 16 06:07:49 intel-x86-64 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134206]: Generating /etc/bind/rndc.key:
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134207]: rndc-confgen: The -r option has been deprecated.
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134208]: chown: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134209]: chmod: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Failed with result 'exit-code'.
Sep 16 06:07:49 intel-x86-64 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
It is because fail to execute "/usr/sbin/generate-rndc-key.sh" as
-r is deprecated since bind 9.13.x and the random function changes
in [1], so remove -r option to fix the above issue.
DNSSEC validation is now active by default after bind upgrade to 9.16.x,
but it is not in 9.11.x. So disable DNSSEC validation explicitly to
silence below message.
Sep 18 03:21:37 intel-x86-64 named[23272]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
[1]: https://gitlab.isc.org/isc-projects/bind9/-/commit/3a4f820d625c214cfb21f5e6d18ce9160d2a193b
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Create /var/lib/kea and /var/run/kea folder if they don't
exist to fix below error:
# keactrl start
INFO/keactrl: Starting /usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
INFO/keactrl: Starting /usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
INFO/keactrl: Starting /usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
Unable to use interprocess sync lockfile (No such file or directory): /var/run/kea/logger_lockfile
Service failed: Launch failed: Unable to open PID file '/var/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid' for write
[snip]
ERROR [kea-dhcp4.dhcp4/615.140641792751488] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp4.conf, reason: Unable to open database: unable to open '/var/lib/kea/kea-leases4.csv'
[snip]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Where we have images with PAM+systemd, serial login can be extremely
slow. The load generated by key generation does slow down the rest
of the boot process.
Lower the priority level of these systemd services, since we'd
prefer to have the rest of the system boot more effectively.
This doesn't "solve" the slow systemd boot issues but does help.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We are setting u-a for nslookup and it won't work unless we inherit this
class
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upgrade dhcpcd from 9.1.4 to 9.2.0. And add systemd services files
dhcpcd.service and dhcpcd@.service from Fedora:
https://src.fedoraproject.org/rpms/dhcpcd/tree/master
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the latest release in the 1.7.x series so should be a safe
upgrade, and means we can drop a patch as the AC_TRY_RUN has an
optimistic fallback for cross-compiling now.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The Kea recipe has PACKAGECONFIG options for boost, openssl, and
log4cplus. However, these are not optional but mandatory dependencies.
Remove the PACKAGECONFIGs and replace with explicit DEPENDS and
EXTRA_OECONF. Also the RDEPENDS in the PACKAGECONFIGs are redundant as
the library dependencies are generated correctly.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
kea-msg-compiler is only needed if you alter the messages and the
generated sources need to be rebuilt. When this is the case, there are
better ways to build kea-msg-compiler that don't involve building all of
Kea.
Don't depend on kea-native, remove BBCLASSEXTEND=native, and the target
overrides.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Removed obsolete packageconfig options
License change to MPL-2.0
https://gitlab.isc.org/isc-projects/bind9/blob/master/LICENSE
Refreshed:
bind-ensure-searching-for-json-headers-searches-sysr.patch
0001-named-lwresd-V-and-start-log-hide-build-options.patch
bind-ensure-searching-for-json-headers-searches-sysr.patch
Drop obsolete patch: 0001-configure.in-remove-useless-L-use_openssl-lib.patch
RP: Dropped the multilib scripts handling as those scripts are no longer present
in this version.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
update maintainers.inc too
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Shortly after the recipe was updated to add ell as a mesh dependency
the way ell was integrated into bluez5 was changed. BlueZ requires
ell only for mesh and for btpclient (external test programs). It will
be ignored unless either mesh or btpclient are selected.
ell can be supplied externally, or it can be copied into the bluez
build directory from an existing sibling source directory. Since
bitbake builds do not provide a sibling source directory tell bluez to
look for it as an external library in the conditions where it's
required.
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A directory can be specified in SRC_URI, there is no need to use
globbing. This means that the files are checksummed correctly and
the recipe rebuilds when the files change as globbing breaks that.
We're about to remove the use of globbing in SRC_URI so improve these.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Source: isc.org
MR: 105232, 105246, 105260
Type: Security Fix
Disposition: Backport from https://www.isc.org/bind/
ChangeID: 655cfdf1e91c4107321e63a2012302e1cc184366
Description:
Bug fix only update
Three CVE fixes
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
For more information see: https://downloads.isc.org/isc/bind9/9.11.22/RELEASE-NOTES-bind-9.11.22.pdf
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
With systemd v246 the syslog target now generates a warning (and has
been deprecated for some time). Drop the target and allow the default to
take effect.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
With systemd v246 the syslog target now generates a warning (and has
been deprecated for some time). Drop the target and allow the default to
take effect.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes errors like
telnetd/state.c:69: multiple definition of `not42'; utility.o:/usr/src/debug/inetutils/1.9.4-r0/build/telnetd/../../inetutils-1.9.4/telnetd/utility.c:66: first defined here
| clang-11: error: linker command failed with exit code 1 (use -v to see invocation)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This ensures -fcommon is still used when compiler defaults to
-fno-common in gcc10 and clang11
Fixes
dhcp-4.4.2/server/mdb.c:70: multiple definition of `dhcp_type_host'; dhcpd-omapi.o:/usr/src/debug/dhcp/4.4.2-r0/dhcp-4.4.2/server/omapi.c:50: first defined here
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|