Diffstat (limited to 'meta/recipes-connectivity')
16 files changed, 233 insertions, 14 deletions
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
index 94116ad1f3..29c192d296 100644
--- a/meta/recipes-connectivity/avahi/files/local-ping.patch
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -1,4 +1,5 @@
 CVE: CVE-2021-36217
+CVE: CVE-2021-3502
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 
diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch
new file mode 100644
index 0000000000..f63c333264
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch
@@ -0,0 +1,76 @@
+From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: [PATCH] Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>. This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bin/named/config.c | 2 +-
+ bin/named/server.c | 7 +++++--
+ doc/arm/reference.rst | 6 +++---
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index fa8473db7c..b6453b814e 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -151,7 +151,7 @@ options {\n\
+ fetches-per-server 0;\n\
+ fetches-per-zone 0;\n\
+ glue-cache yes;\n\
+- lame-ttl 600;\n"
++ lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ " lmdb-mapsize 32M;\n"
+ #endif /* ifdef HAVE_LMDB */
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 638703e8c2..35ad6a0b7f 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ result = named_config_get(maps, "lame-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ lame_ttl = cfg_obj_asduration(obj);
+- if (lame_ttl > 1800) {
+- lame_ttl = 1800;
++ if (lame_ttl > 0) {
++ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
++ "disabling lame cache despite lame-ttl > 0 as it "
++ "may cause performance issues");
++ lame_ttl = 0;
+ }
+ dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 3bc4439745..fea854f3d1 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -3358,9 +3358,9 @@ Tuning
+ ^^^^^^
+ 
+ ``lame-ttl``
+- This sets the number of seconds to cache a lame server indication. 0
+- disables caching. (This is **NOT** recommended.) The default is
+- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
++ This is always set to 0. More information is available in the
++ `security advisory for CVE-2021-25219
++ <https://kb.isc.org/docs/cve-2021-25219>`_.
+ 
+ ``servfail-ttl``
+ This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch
new file mode 100644
index 0000000000..1217f7f186
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch
@@ -0,0 +1,65 @@
+From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Mon, 15 Nov 2021 16:26:52 +0800
+Subject: [PATCH] Enable lame response detection even with disabled lame cache
+
+Previously, when lame cache would be disabled by setting lame-ttl to 0,
+it would also disable lame answer detection. In this commit, we enable
+the lame response detection even when the lame cache is disabled. This
+enables stopping answer processing early rather than going through the
+whole answer processing flow.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/dns/resolver.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 50fadc0..9291bd4 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
+ */
+ static isc_result_t
+ rctx_lameserver(respctx_t *rctx) {
+- isc_result_t result;
++ isc_result_t result = ISC_R_SUCCESS;
+ fetchctx_t *fctx = rctx->fctx;
+ resquery_t *query = rctx->query;
+ 
+- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
+- !is_lame(fctx, query->rmessage))
+- {
++ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+ return (ISC_R_SUCCESS);
+ }
+ 
+ inc_stats(fctx->res, dns_resstatscounter_lame);
+ log_lame(fctx, query->addrinfo);
+- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
+- fctx->type, rctx->now + fctx->res->lame_ttl);
+- if (result != ISC_R_SUCCESS) {
+- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+- "could not mark server as lame: %s",
+- isc_result_totext(result));
++ if (fctx->res->lame_ttl != 0) {
++ result = dns_adb_marklame(fctx->adb, query->addrinfo,
++ &fctx->name, fctx->type,
++ rctx->now + fctx->res->lame_ttl);
++ if (result != ISC_R_SUCCESS) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
++ "could not mark server as lame: %s",
++ isc_result_totext(result));
++ }
+ }
+ rctx->broken_server = DNS_R_LAME;
+ rctx->next_server = true;
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.16.20.bb b/meta/recipes-connectivity/bind/bind_9.16.20.bb
index ddf323fb9c..0ba0a46b15 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.20.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.20.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
 file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
 file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
 file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2021-25219-1.patch \
+ file://CVE-2021-25219-2.patch \
 "
 
 SRC_URI[sha256sum] = "4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58"
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index 55c687968f..7e1619aab2 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
 file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
 file://null_check_for_ipv4_config.patch \
 file://images/ \
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
index e455a60bd5..f5c87f7291 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 
 DEPENDS = "avahi"
 
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
 "
 
 SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
index 9a8c46e0ef..dbe2fd8157 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
@@ -19,10 +19,11 @@ BINCONFIG = "${bindir}/pcap-config"
 
 # Explicitly disable dag support. We don't have recipe for it and if enabled here,
 # configure script poisons the include dirs with /usr/local/include even when the
-# support hasn't been detected.
+# support hasn't been detected. Do the same thing for DPDK.
 EXTRA_OECONF = " \
 --with-pcap=linux \
 --without-dag \
+ --without-dpdk \
 "
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.42.0.bb b/meta/recipes-connectivity/libuv/libuv_1.42.0.bb
index 169bd6206b..2dfbb8b895 100644
--- a/meta/recipes-connectivity/libuv/libuv_1.42.0.bb
+++ b/meta/recipes-connectivity/libuv/libuv_1.42.0.bb
@@ -6,7 +6,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
 
 SRCREV = "6ce14710da7079eb248868171f6343bc409ea3a4"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x"
+SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 837490f15f..4246f4dcbd 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -8,7 +8,7 @@ SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
 PV = "20210805"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master"
 S = "${WORKDIR}/git"
 
 inherit autotools
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.16.bb
index b6cc1d6ced..936b3c5754 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
 LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+ file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+ "
 
 DEPENDS = "dbus glib-2.0 libnl"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
 file://neard.in \
 file://Makefile.am-fix-parallel-issue.patch \
 file://Makefile.am-do-not-ship-version.h.patch \
 file://0001-Add-header-dependency-to-nciattach.o.patch \
 "
 
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 
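Review bot: The new neard fetch line `+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \` uses the unauthenticated git:// transport, while the other recipes touched in this same diff (connman-gnome, libnss-mdns, libuv) are being moved to `protocol=https`. SRCREV pins the exact commit, so what gets built is still identified by its hash, but a plain-git fetch is unencrypted, can be blocked on networks that only permit HTTPS egress, and is the one transport the rest of this change is deliberately moving away from. git.kernel.org serves the same repository over https, so `;protocol=https` would be consistent: `SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \`. With the tarball checksums dropped, SRCREV is now the only pin, which is expected for a git fetch but worth a one-line comment above SRCREV naming the tag or release it corresponds to.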
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bebde7f26d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,48 @@
+From 1f0707e8e78ef290fd0f229df3fcd2236f29db89 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 28 Oct 2021 11:11:05 +0800
+Subject: [PATCH] upstream: need initgroups() before setresgid(); reported by
+ anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
+https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/misc.c b/misc.c
+index d988ce3..33eca1c 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+ 
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
++
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ strerror(errno));
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh_8.7p1.bb b/meta/recipes-connectivity/openssh/openssh_8.7p1.bb
index 07cd6b74cd..d19833e56f 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.7p1.bb
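Review bot: In the first misc.c hunk of the backported patch, `+#include <grp.h>` is placed between `#include <pwd.h>` and `#endif`, i.e. inside the `#ifdef HAVE_PATHS_H` block, so on a configuration without paths.h the `initgroups()` call added in subprocess() would compile with no prototype (an implicit declaration, a hard error with current compilers). Moving the include after the `#endif` makes it unconditional: ` #endif` / `+#include <grp.h>`. The Linux libc targets this layer builds presumably define HAVE_PATHS_H, so this is a portability nit rather than a functional break, but it is cheap to get right while the patch is being carried locally. The ordering the patch establishes — supplementary groups set via initgroups() before setresgid()/setresuid() drop privilege — is the substance of the CVE-2021-41617 fix and is correct as written; subprocess() itself starts and ends outside the hunk.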
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
 file://sshd_check_keys \
 file://add-test-support-for-busybox.patch \
+ file://CVE-2021-41617.patch \
 "
 
 SRC_URI[sha256sum] = "7ca34b8bb24ae9e50f33792b7091b3841d7e1b440ff57bc9fabddf01e2ed1e24"
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
new file mode 100644
index 0000000000..8accbc9df2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands = ();
+ my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR = [localtime()]->[5] + 1900;
++my $YEAR = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++ $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+ 
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb
index b241ba78bc..d6386c33a9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb
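Review bot: The guard `++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {` in the added progs.pl hunk accepts an empty string, since an empty value contains no non-digit; `gmtime("")` then numifies to 0 and silently stamps the year 1970 (with a non-numeric warning if warnings are on). A positive match expresses the intent and rejects the empty case: `if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} =~ /^\d+$/) {`. Separately, the patch header's `Index: openssl-3.0.1/apps/progs.pl` names the 3.0.1 tree while the file is being added to the 1.1.1o recipe; it presumably applies with the path prefix stripped, but a short note in the header that the same hunk is carried for both series would save the next reader from checking.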
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
 file://afalg.patch \
 file://reproducible.patch \
+ file://reproducibility.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
@@ -28,7 +29,7 @@ SRC_URI:append:riscv32 = " \
 file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
 "
 
-SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
+SRC_URI[sha256sum] = "9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -203,6 +204,7 @@ do_install_ptest () {
 install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
 install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
 install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 
 # seems to be needed with perl 5.32.1
diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
index 1ad5f15b93..41c8552f25 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
+++ b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
@@ -9,7 +9,7 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86"
 
-SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+SRC_URI = "http://www.dest-unreach.org/socat/download/Archive/socat-${PV}.tar.bz2 \
 "
 
 SRC_URI[md5sum] = "36cad050ecf4981ab044c3fbd75c643f"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 33b1495bb2..25cd8ef82c 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -108,7 +108,7 @@ do_install () {
 install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
 }
 
-pkg_postinst:wpa-supplicant () {
+pkg_postinst:${PN} () {
 # If we're offline, we don't need to do this.
 if [ "x$D" = "x" ]; then
 killall -q -HUP dbus-daemon || true |