CVE Packages Update

Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component.
author: Andrii Davydenko <andrii.davydenko@globallogic.com> 2022-12-14 12:08:42 +0200
committer: Mykyta Dorokhin <mykyta.dorokhin@globallogic.com> 2023-01-24 12:41:29 +0200
commit: 2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree: 2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-core/openvpn
parent: 1e52890ac41318d28923787af35541a8f9ee0653 (diff)
download: meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip
4 files changed, 201 insertions, 0 deletions
diff --git a/recipes-core/openvpn/openvpn/openvpn b/recipes-core/openvpn/openvpn/openvpn
new file mode 100755
index 0000000..e5af4b2
--- /dev/null
+++ b/recipes-core/openvpn/openvpn/openvpn
@@ -0,0 +1,112 @@
+#!/bin/sh -e
+#
+# Original version by Robert Leslie
+# <rob@mars.org>, edited by iwj and cs
+# Modified for openvpn by Alberto Gonzalez Iniesta <agi@agi.as>
+# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
+# Modified for respecting pid file on service start by Fabian Klemp <fabian.klemp@axino-group.com>
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+DAEMON=/usr/sbin/openvpn
+CONFIG_DIR=/etc/openvpn
+test -x $DAEMON || exit 0
+test -d $CONFIG_DIR || exit 0
+
+start_vpn () {
+    modprobe tun >/dev/null 2>&1 || true
+    start-stop-daemon --start --quiet --pidfile /var/run/openvpn.$NAME.pid \
+            --exec $DAEMON -- \
+            --daemon --writepid /var/run/openvpn.$NAME.pid \
+            --config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || rc="$?"
+    case $rc in
+        1) echo -n " ALREADY STARTED->";;
+        3) echo -n " FAILED->";;
+    esac
+    echo -n " $NAME"
+}
+
+stop_vpn () {
+   kill `cat $PIDFILE` || true
+  rm $PIDFILE
+}
+
+case "$1" in
+start)
+  echo -n "Starting openvpn:"
+
+  if test -z $2 ; then
+    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
+      NAME=${CONFIG%%.conf}
+      start_vpn
+    done
+  else
+    if test -e $CONFIG_DIR/$2.conf ; then
+      NAME=$2
+      start_vpn
+    else
+      echo -n " No such VPN: $2"
+    fi
+  fi
+  echo "."
+
+  ;;
+stop)
+  echo -n "Stopping openvpn:"
+
+  if test -z $2 ; then
+    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+      NAME=`echo $PIDFILE | cut -c18-`
+      NAME=${NAME%%.pid}
+      stop_vpn
+      echo -n " $NAME"
+    done
+  else
+    if test -e /var/run/openvpn.$2.pid ; then
+      PIDFILE=`ls /var/run/openvpn.$2.pid 2> /dev/null`
+      NAME=`echo $PIDFILE | cut -c18-`
+      NAME=${NAME%%.pid}
+      stop_vpn
+      echo -n " $NAME"
+    else
+      echo -n " No such VPN: $2"
+    fi
+  fi
+  echo "."
+  ;;
+# We only 'reload' for running VPNs. New ones will only start with 'start' or 'restart'.
+reload|force-reload)
+  echo -n "Reloading openvpn:"
+  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+    NAME=`echo $PIDFILE | cut -c18-`
+    NAME=${NAME%%.pid}
+# If openvpn if running under a different user than root we'll need to restart
+    if egrep '^( |\t)*user' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
+      stop_vpn
+      sleep 1
+      start_vpn
+      echo -n "(restarted)"
+    else
+      kill -HUP `cat $PIDFILE` || true
+#    start-stop-daemon --stop --signal HUP --quiet --oknodo \
+#      --exec $DAEMON --pidfile $PIDFILE
+    echo -n " $NAME"
+    fi
+  done
+  echo "."
+  ;;
+
+restart)
+  $0 stop $2
+  sleep 1
+  $0 start $2
+  ;;
+*)
+  echo "Usage: $0 {start|stop|reload|restart|force-reload}" >&2
+  exit 1
+  ;;
+esac
+
+exit 0
+
+# vim:set ai et sts=2 sw=2 tw=0:
diff --git a/recipes-core/openvpn/openvpn/openvpn-volatile.conf b/recipes-core/openvpn/openvpn/openvpn-volatile.conf
new file mode 100644
index 0000000..1205806
--- /dev/null
+++ b/recipes-core/openvpn/openvpn/openvpn-volatile.conf
@@ -0,0 +1 @@
+d @LOCALSTATEDIR@/run/openvpn 0755 root root -
diff --git a/recipes-core/openvpn/openvpn/openvpn@.service b/recipes-core/openvpn/openvpn/openvpn@.service
new file mode 100644
index 0000000..358dcb7
--- /dev/null
+++ b/recipes-core/openvpn/openvpn/openvpn@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/openvpn/openvpn_2.4.12.bb b/recipes-core/openvpn/openvpn_2.4.12.bb
new file mode 100644
index 0000000..55e6603
--- /dev/null
+++ b/recipes-core/openvpn/openvpn_2.4.12.bb
@@ -0,0 +1,76 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=7aee596ed2deefe3e8a861e24292abba"
+DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+           file://openvpn \
+           file://openvpn@.service \
+           file://openvpn-volatile.conf"
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc"
+SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569"
+
+SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "openvpn"
+INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+do_install_append() {
+    install -d ${D}/${sysconfdir}/init.d
+    install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+    install -d ${D}/${sysconfdir}/openvpn
+    install -d ${D}/${sysconfdir}/openvpn/sample
+    install -m 755 ${S}/sample/sample-config-files/loopback-server  ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+    install -m 755 ${S}/sample/sample-config-files/loopback-client  ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+    install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+    install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}/${systemd_unitdir}/system
+        install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system
+        install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service
+        install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service
+
+        install -d ${D}/${localstatedir}
+        install -d ${D}/${localstatedir}/lib
+        install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf
+        sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf
+    fi
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS_${PN} = "kernel-module-tun"
+
+FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES_${PN} += "${systemd_unitdir}/system/openvpn@.service \
+                ${sysconfdir}/tmpfiles.d \
+               "
+FILES_${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \
+                       ${systemd_unitdir}/system/openvpn@loopback-client.service \
+                       ${sysconfdir}/openvpn/sample/"
author	Andrii Davydenko <andrii.davydenko@globallogic.com>	2022-12-14 12:08:42 +0200
committer	Mykyta Dorokhin <mykyta.dorokhin@globallogic.com>	2023-01-24 12:41:29 +0200
commit	2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree	2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-core/openvpn
parent	1e52890ac41318d28923787af35541a8f9ee0653 (diff)
download	meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2 meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip