From 2eaa3fd064097eb221b56d5df0e7136ba705a0cd Mon Sep 17 00:00:00 2001 From: Andrii Davydenko Date: Wed, 14 Dec 2022 12:08:42 +0200 Subject: CVE Packages Update Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component. --- recipes-support/gnutls/gnutls_3.7.8.bb | 90 ++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 recipes-support/gnutls/gnutls_3.7.8.bb (limited to 'recipes-support/gnutls/gnutls_3.7.8.bb') diff --git a/recipes-support/gnutls/gnutls_3.7.8.bb b/recipes-support/gnutls/gnutls_3.7.8.bb new file mode 100644 index 0000000..8f979a5 --- /dev/null +++ b/recipes-support/gnutls/gnutls_3.7.8.bb @@ -0,0 +1,90 @@ +SUMMARY = "GNU Transport Layer Security Library" +DESCRIPTION = "a secure communications library implementing the SSL, \ +TLS and DTLS protocols and technologies around them." +HOMEPAGE = "https://gnutls.org/" +BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls" + +LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later" +LICENSE:${PN} = "LGPL-2.1-or-later" +LICENSE:${PN}-xx = "LGPL-2.1-or-later" +LICENSE:${PN}-bin = "GPL-3.0-or-later" +LICENSE:${PN}-openssl = "GPL-3.0-or-later" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \ + file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \ + file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" + +DEPENDS = "nettle gmp virtual/libiconv libunistring" +DEPENDS:append:libc-musl = " argp-standalone" + +SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" + +SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ + file://arm_eabi.patch \ + file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \ + " + +SRC_URI[sha256sum] = "c58ad39af0670efe6a8aee5e3a8b2331a1200418b64b7c51977fb396d4617114" + +inherit autotools texinfo pkgconfig gettext lib_package gtk-doc + +PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}" + +# You must also have CONFIG_SECCOMP enabled in the kernel for +# seccomp to work. +PACKAGECONFIG[seccomp] = "--with-libseccomp-prefix=${STAGING_EXECPREFIXDIR},ac_cv_libseccomp=no,libseccomp" +PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2" +PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1" +PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit" +PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers" +PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR}" + +EXTRA_OECONF = " \ + --enable-doc \ + --disable-libdane \ + --disable-guile \ + --disable-rpath \ + --enable-openssl-compatibility \ + --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \ + --with-librt-prefix=${STAGING_DIR_HOST}${prefix} \ + --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \ +" + +# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell. +export POSIX_SHELL="${base_bindir}/sh" + +LDFLAGS:append:libc-musl = " -largp" + +do_configure:prepend() { + for dir in . lib; do + rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4 + done +} + +do_install:append:class-target() { + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + install -d ${D}${bindir}/bin + install -m 0755 ${B}/lib/.libs/fipshmac ${D}/${bindir}/ + fi +} + +PACKAGES =+ "${PN}-openssl ${PN}-xx ${PN}-fips" + +FILES:${PN}-dev += "${bindir}/gnutls-cli-debug" +FILES:${PN}-openssl = "${libdir}/libgnutls-openssl.so.*" +FILES:${PN}-xx = "${libdir}/libgnutlsxx.so.*" +FILES:${PN}-fips = "${bindir}/fipshmac" + +BBCLASSEXTEND = "native nativesdk" + +pkg_postinst_ontarget:${PN}-fips () { + if test -x ${bindir}/fipshmac + then + mkdir ${sysconfdir}/gnutls + touch ${sysconfdir}/gnutls/config + ${bindir}/fipshmac ${libdir}/libgnutls.so.30.*.* > ${libdir}/.libgnutls.so.30.hmac + ${bindir}/fipshmac ${libdir}/libnettle.so.8.* > ${libdir}/.libnettle.so.8.hmac + ${bindir}/fipshmac ${libdir}/libgmp.so.10.*.* > ${libdir}/.libgmp.so.10.hmac + ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* > ${libdir}/.libhogweed.so.6.hmac + fi +} -- cgit v1.2.3