diff options
author | Andrii Davydenko <andrii.davydenko@globallogic.com> | 2022-12-14 12:08:42 +0200 |
---|---|---|
committer | Mykyta Dorokhin <mykyta.dorokhin@globallogic.com> | 2023-01-24 12:41:29 +0200 |
commit | 2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch) | |
tree | 2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-support/gnutls | |
parent | 1e52890ac41318d28923787af35541a8f9ee0653 (diff) | |
download | meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2 meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip |
CVE Packages Update
Move libfastjson to the rsyslog directory
rsyslog 8.2002.0 -> 8.2206.0
add ntp4.2.8 recipe with fixed CVEs
update cryptsetup to 2.4.3
fix libxml2 CVE-2016-3709
curl 7.75.0 -> 7.86.0
strongswan 5.8.4 -> 5.9.8
libmodbus 3.1.6 -> 3.1.7
libesmtp 1.0.6 -> 1.1.0
cifs-utils 6.1 -> 7.0
update libtirpc to version 1.3.3
update rsync to version 3.2.5
Add zlib 1.2.13
upgrade gnutls to 3.7.8
upgrade openssh to 8.9p1
Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat
Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680
openvpn 2.4.9 -> 2.4.12
hostapd 2.9 -> 2.10
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report.
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21.
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patch for sudo component.
Added 2 CVE's to whitelist for OpenVPN component.
Diffstat (limited to 'recipes-support/gnutls')
5 files changed, 197 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch b/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch new file mode 100644 index 0000000..e40b2be --- /dev/null +++ b/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch @@ -0,0 +1,28 @@ +From b729a356538d499fe25e82bfc78ea663bdaca0a8 Mon Sep 17 00:00:00 2001 +From: Lei Maohui <leimaohui@fujitsu.com> +Date: Mon, 23 May 2022 10:44:43 +0900 +Subject: [PATCH] Creating .hmac file should be excuted in target environment, + so deleted it from build process. + +Upstream-Status: Inappropriate [https://gitlab.com/gnutls/gnutls/-/issues/1373] +Signed-off-by: Lei Maohui <leimaohui@fujitsu.com> +--- + lib/Makefile.am | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 0b43ef9..cf263f0 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -206,8 +206,7 @@ hmac_files = .libs/.gnutls.hmac + + all-local: $(hmac_files) + +-.libs/.gnutls.hmac: libgnutls.la fipshmac +- $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@ ++.libs/.gnutls.hmac: + + CLEANFILES = $(hmac_files) + endif +-- +2.25.1 diff --git a/recipes-support/gnutls/gnutls/arm_eabi.patch b/recipes-support/gnutls/gnutls/arm_eabi.patch new file mode 100644 index 0000000..6eb1edb --- /dev/null +++ b/recipes-support/gnutls/gnutls/arm_eabi.patch @@ -0,0 +1,30 @@ +From 8a5c96057cf305bbeac0d6e0e59ee24fbb9497fe Mon Sep 17 00:00:00 2001 +From: Joe Slater <jslater@windriver.com> +Date: Wed, 25 Jan 2017 13:52:59 -0800 +Subject: [PATCH] gnutls: account for ARM_EABI + +Certain syscall's are not availabe for arm-eabi, so we eliminate +reference to them. + +Upstream-Status: Pending + +Signed-off-by: Joe Slater <jslater@windriver.com> + +--- + tests/seccomp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/seccomp.c b/tests/seccomp.c +index ed14d00..3c5b726 100644 +--- a/tests/seccomp.c ++++ b/tests/seccomp.c +@@ -53,7 +53,9 @@ int disable_system_calls(void) + + ADD_SYSCALL(nanosleep, 0); + ADD_SYSCALL(clock_nanosleep, 0); ++#if ! defined(__ARM_EABI__) + ADD_SYSCALL(time, 0); ++#endif + ADD_SYSCALL(getpid, 0); + ADD_SYSCALL(gettimeofday, 0); + #if defined(HAVE_CLOCK_GETTIME) diff --git a/recipes-support/gnutls/gnutls_3.7.8.bb b/recipes-support/gnutls/gnutls_3.7.8.bb new file mode 100644 index 0000000..8f979a5 --- /dev/null +++ b/recipes-support/gnutls/gnutls_3.7.8.bb @@ -0,0 +1,90 @@ +SUMMARY = "GNU Transport Layer Security Library" +DESCRIPTION = "a secure communications library implementing the SSL, \ +TLS and DTLS protocols and technologies around them." +HOMEPAGE = "https://gnutls.org/" +BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls" + +LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later" +LICENSE:${PN} = "LGPL-2.1-or-later" +LICENSE:${PN}-xx = "LGPL-2.1-or-later" +LICENSE:${PN}-bin = "GPL-3.0-or-later" +LICENSE:${PN}-openssl = "GPL-3.0-or-later" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \ + file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \ + file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" + +DEPENDS = "nettle gmp virtual/libiconv libunistring" +DEPENDS:append:libc-musl = " argp-standalone" + +SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" + +SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ + file://arm_eabi.patch \ + file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \ + " + +SRC_URI[sha256sum] = "c58ad39af0670efe6a8aee5e3a8b2331a1200418b64b7c51977fb396d4617114" + +inherit autotools texinfo pkgconfig gettext lib_package gtk-doc + +PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}" + +# You must also have CONFIG_SECCOMP enabled in the kernel for +# seccomp to work. +PACKAGECONFIG[seccomp] = "--with-libseccomp-prefix=${STAGING_EXECPREFIXDIR},ac_cv_libseccomp=no,libseccomp" +PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2" +PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1" +PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit" +PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers" +PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR}" + +EXTRA_OECONF = " \ + --enable-doc \ + --disable-libdane \ + --disable-guile \ + --disable-rpath \ + --enable-openssl-compatibility \ + --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \ + --with-librt-prefix=${STAGING_DIR_HOST}${prefix} \ + --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \ +" + +# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell. +export POSIX_SHELL="${base_bindir}/sh" + +LDFLAGS:append:libc-musl = " -largp" + +do_configure:prepend() { + for dir in . lib; do + rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4 + done +} + +do_install:append:class-target() { + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + install -d ${D}${bindir}/bin + install -m 0755 ${B}/lib/.libs/fipshmac ${D}/${bindir}/ + fi +} + +PACKAGES =+ "${PN}-openssl ${PN}-xx ${PN}-fips" + +FILES:${PN}-dev += "${bindir}/gnutls-cli-debug" +FILES:${PN}-openssl = "${libdir}/libgnutls-openssl.so.*" +FILES:${PN}-xx = "${libdir}/libgnutlsxx.so.*" +FILES:${PN}-fips = "${bindir}/fipshmac" + +BBCLASSEXTEND = "native nativesdk" + +pkg_postinst_ontarget:${PN}-fips () { + if test -x ${bindir}/fipshmac + then + mkdir ${sysconfdir}/gnutls + touch ${sysconfdir}/gnutls/config + ${bindir}/fipshmac ${libdir}/libgnutls.so.30.*.* > ${libdir}/.libgnutls.so.30.hmac + ${bindir}/fipshmac ${libdir}/libnettle.so.8.* > ${libdir}/.libnettle.so.8.hmac + ${bindir}/fipshmac ${libdir}/libgmp.so.10.*.* > ${libdir}/.libgmp.so.10.hmac + ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* > ${libdir}/.libhogweed.so.6.hmac + fi +} diff --git a/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch b/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch new file mode 100644 index 0000000..216d636 --- /dev/null +++ b/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch @@ -0,0 +1,26 @@ +From 629fc6427710e48b78f8b1f300dd698fe898cfd4 Mon Sep 17 00:00:00 2001 +From: Marko Lindqvist <cazfi74@gmail.com> +Date: Mon, 7 Jan 2013 01:49:40 +0200 +Subject: [PATCH] libtasn1: remove help2man dependency + +Upstream-Status: Inappropriate + +Signed-off-by: Marko Lindqvist <cazfi74@gmail.com> + +--- + doc/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index a0171a5..8aa4d3d 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -28,7 +28,7 @@ libtasn1_TEXINFOS += asn1Coding-help.texi asn1Decoding-help.texi asn1Parser-help + + AM_MAKEINFOHTMLFLAGS = --no-split $(AM_MAKEINFOFLAGS) + +-dist_man_MANS = $(gdoc_MANS) asn1Parser.1 asn1Coding.1 asn1Decoding.1 ++dist_man_MANS = $(gdoc_MANS) + + HELP2MAN_OPTS = --info-page libtasn1 + diff --git a/recipes-support/gnutls/libtasn1_4.19.0.bb b/recipes-support/gnutls/libtasn1_4.19.0.bb new file mode 100644 index 0000000..5fb8b54 --- /dev/null +++ b/recipes-support/gnutls/libtasn1_4.19.0.bb @@ -0,0 +1,23 @@ +SUMMARY = "Library for ASN.1 and DER manipulation" +DESCRIPTION = "A highly portable C library that encodes and decodes \ +DER/BER data following an ASN.1 schema. " +HOMEPAGE = "http://www.gnu.org/software/libtasn1/" + +LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later" +LICENSE:${PN}-bin = "GPL-3.0-or-later" +LICENSE:${PN} = "LGPL-2.1-or-later" +LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \ + file://doc/COPYING.LESSER;md5=4fbd65380cdd255951079008b364516c \ + file://COPYING;md5=75ac100ec923f959898182307970c360" + +SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ + file://dont-depend-on-help2man.patch \ + " + +DEPENDS = "bison-native" + +SRC_URI[sha256sum] = "1613f0ac1cf484d6ec0ce3b8c06d56263cc7242f1c23b30d82d23de345a63f7a" + +inherit autotools texinfo lib_package gtk-doc + +BBCLASSEXTEND = "native nativesdk" |