path: root/meta/recipes-connectivity
Age | Commit message | Author | Files
2014-06-09 | openssl: fix for CVE-2010-5298 | Yue Tao | 2
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 (From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-06-09 | openssl: fix CVE-2014-3470 | Paul Eggleton | 2
From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt Anonymous ECDH denial of service (CVE-2014-3470) OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. (Patch borrowed from Fedora.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-06-09 | openssl: fix CVE-2014-0224 | Paul Eggleton | 2
From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt SSL/TLS MITM vulnerability (CVE-2014-0224) An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. (Patch borrowed from Fedora.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-06-09 | openssl: fix CVE-2014-0221 | Paul Eggleton | 2
From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt DTLS recursion flaw (CVE-2014-0221) By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected. (Patch borrowed from Fedora.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-06-09 | openssl: use upstream fix for CVE-2014-0198 | Paul Eggleton | 3
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora, which is the same as the patch which was actually applied upstream for the issue, i.e.: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-06-09 | openssl: fix CVE-2014-0195 | Paul Eggleton | 2
From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected. (Patch borrowed from Fedora.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2014-05-12 | openssl: fix CVE-2014-0198 | Maxin B. John | 2
A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service. https://access.redhat.com/security/cve/CVE-2014-0198 Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-11 | openssl: bump PR | Paul Eggleton | 1
We don't normally do this, but with the recent CVE fixes (most importantly the one for the serious CVE-2014-0160 vulnerability) I am bumping PR explicitly to make it a bit more obvious that the patch has been applied. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09 | openssl: backport fix for CVE-2014-0160 | Paul Eggleton | 2
Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More information here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 Patch borrowed from Debian; this is just a tweaked version of the upstream commit (without patching the CHANGES file which otherwise would fail to apply on top of this version). Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09 | Security Advisory - openssl - CVE-2013-6449 | Yue Tao | 2
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. (From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09 | Security Advisory - openssl - CVE-2013-6450 | Yue Tao | 2
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. (From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09 | Security Advisory - openssl - CVE-2013-4353 | Yue Tao | 2
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. (From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-08-16 | socat: add PACKAGECONFIG for tcp-wrappers | Martin Jansa | 1
* it's autodetected from sysroot * add PACKAGECONFIG to make it deterministic (From OE-Core master rev: 15d82c0f0cccdf0886d4452fddf399b7569f7e56) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-08-16 | (lib)telepathy*: add missing dependency on libxslt-native | Martin Jansa | 5
* do_configure fails without: | configure:13590: error: xsltproc (from the libxslt source package) is required (From OE-Core master rev: fe84f0b28ce49300d9744532fa011ab1678fbb70) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-08 | openssh: fix initscript restart command | Marc Ferland | 1
start-stop-daemon should be called with '--oknodo' instead of '-oknodo'. (From OE-Core master rev: 40f65a76b3291ae625c072a8efebbf134b15c367) Signed-off-by: Marc Ferland <ferlandm@sonatest.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-08 | bind: use /var/run/named instead of /var/run/bind/run | Chen Qi | 1
Change /var/run/bind/run to /var/run/named to avoid the following error message. chmod: cannot access '/var/run/bind/run': No such file or directory [YOCTO #4429] (From OE-Core master rev: a32c05f691ef5620516b2f84452fb5129e16bb14) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-04 | openssl: Add fix for cipher des-ede3-cfb1 | Muhammad Shakeel | 2
Add patch file for one of the ciphers used in openssl, namely the cipher des-ede3-cfb1. Details of the bug, without this patch, can be found here. http://rt.openssl.org/Ticket/Display.html?id=2867 (From OE-Core master rev: ed61c28b9af2f11f46488332b80752b734a3cdeb) Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-04 | openssl: fix documentation build errors with Perl 5.18 pod2man | Jonathan Liu | 2
(From OE-Core master rev: 8792b7fb4ef8d66336d52de7e81efbb818e16b08) Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-04 | bind: backport six CVE patches | Roy.Li | 7
(From OE-Core master rev: de1238a589ade1220d51cb4b9277cc17479f6f17) Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-04 | ofono: Add run time dependency for ofono test scripts | Muhammad Shakeel | 1
Some ofono test scripts i.e. enable-modem use python-dbus module and this must be installed along with ofono-tests package. (From OE-Core master rev: e5422ed7f3e4b1ee8554ffe3a98006477fb52c4d) Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-04 | avahi: inherit python classes, use PACKAGECONFIG | Christopher Larson | 1
Without using our python classes and having appropriate dependencies, the build is nondeterministic, and whether a python-avahi package is produced will vary depending on the host environment, yet avahi-discover is always produced, and it depends on python-avahi. (From OE-Core master rev: 4599ef630c13224506671bf84569bfc240cd3032) Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-10 | openssl: Disable parallel make | Phil Blundell | 1
Otherwise you get errors like: | ../libcrypto.so: file not recognized: File truncated | collect2: error: ld returned 1 exit status | make[2]: *** [link_o.gnu] Error 1 (From OE-Core master rev: 61c21a0f7a2041446a82b76ee3658fda5dfbff1d) Signed-off-by: Phil Blundell <philb@gnu.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-20 | connman: replace hardcoded path in init script and systemd service | Stefan Stanacar | 2
The connman init script sources a setup file from /usr/lib/connman, so we end up with no network in qemu multilib enabled images. The init script is installed by connman and because wired-setup is installed by another package (connman-conf) we can't use libexecdir here and now (in the init script and systemd service file). Once libexecdir changes from ${libdir}/${bpn} to something else like /usr/libexec we could use that instead of ${libdir}/connman. Changed in v2: - better commit message [YOCTO #4493] (From OE-Core master rev: fca3a884e9cae13a521d840838eee3c01f0b6acf) Signed-off-by: Stefan Stanacar <stefanx.stanacar@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-17 | bluez4: Set udev variables using pkg-config | Richard Purdie | 2
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-16 | wpa-supplicant: don't call DBus init script directly | Ross Burton | 1
After installing Avahi we need DBus to reload its configuration. In a pure-systemd image there isn't a DBus init script to reload, so cut out the middleman and just send SIGHUP to all running dbus-daemon processes instead. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-16 | avahi: don't call DBus init script directly | Ross Burton | 1
After installing Avahi we need DBus to reload its configuration. In a pure-systemd image there isn't a DBus init script to reload, so cut out the middleman and just send SIGHUP to all running dbus-daemon processes instead. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-16 | openssl: update range information in man-section.patch | Ting Liu | 1
do_patch failed after upgrading to openssl-1.0.1e. Log: | ERROR: Command Error: exit status: 1 Output: | Applying patch man-section.patch | patching file Makefile.org | Hunk #1 succeeded at 160 (offset 26 lines). | Hunk #2 succeeded at 626 (offset 19 lines). | misordered hunks! output would be garbled | Hunk #3 FAILED at 633. | 1 out of 3 hunks FAILED -- rejects in file Makefile.org | Patch man-section.patch does not apply (enforce with -f) | ERROR: Function failed: patch_do_patch | ERROR: Logfile of failure stored in:temp/log.do_patch.14679 | ERROR: Task 646 (virtual:native:openssl_1.0.1e.bb, do_patch) failed with exit code '1' Change-Id: Ib63031fdbd09443e387ee57efa70381e0aca382c Signed-off-by: Ting Liu <b28495@freescale.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-15 | connman: Fix wrong INC_PR reset | Cristian Iorga | 1
Other recipe versions in other layers may be using connman.inc, so by resetting INC_PR they go backwards in version. Set the INC_PR correctly. Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-09 | openssl: Upgrade to v1.0.1e | Radu Moisan | 20
Dropped obsolete patches and pulled updates for debian patches. Addresses CVEs: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2686 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0166 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 [YOCTO #3965] Signed-off-by: Radu Moisan <radu.moisan@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-08 | bluez4: add readline dependency | Alexandru DAMIAN | 1
bluez4 uses readline to be built, but the dependency is not listed. This is listed in the configuration log. So we add it. Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-02 | openssh: don't add update-rc.d to RDEPENDS | Martin Jansa | 1
* sysvinit/systemd assumes that update-rc.d can be inhibited * with systemd enabled, sysvinit scripts are missing in packages and update-rc.d needs to be put in BAD_RECOMMENDATIONS to prevent update-rc.d trying to install them in postinst * update-rc.d shouldn't be in DEPENDS Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-02 | connman: added wired setup for systemd | Cristian Iorga | 1
Added support for correctly configuring wired interface if systemd is the init system. Fixes [YOCTO #4041]. Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-22 | connman-conf: Avoid appending IPv4 address | Jukka Rissanen | 1
If run more than once, the IP addresses would be appended to IPv4 variable. Avoid that by rewriting the IPv4 always. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-22 | connman-conf: Move the setup script into /usr/lib/connman | Jukka Rissanen | 2
The /etc/connman is not suitable for the setup script. There are other connman related scripts in /usr/lib/connman so moving the wired setup script there. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-21 | dhcp: Fix case where ${B} != ${S} | Richard Purdie | 2
Add patch to allow out of tree builds to work. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-18 | neard: upgrade to 0.10 | Olivier Guiter | 1
neard ver 0.10: Added initial WiFi handover support. Added Service Name Lookup support to nfctool. Added NDEF building unit tests. Added State support to Bluetooth handover agent. Added neard and neard.conf man pages. Added a copy of the NFC kernel header. Fixed handover validation tests failures. Fixed Tag and Device PropertyChanged signal. Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-18 | mobile-broadband-provider-info: Upgrade to v20120614 | Radu Moisan | 1
Signed-off-by: Radu Moisan <radu.moisan@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-18 | openssl: build always with -Wa,--noexecstack | Enrico Scholz | 1
There is no reason to disable exec-stack only for -native builds; binaries on the target will suffer from the same SELinux ACLs. OpenSSL does not use executable stack so this option can be disabled unconditionally. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-15 | neard: Update reference commit sha1 and install script | Olivier Guiter | 2
This patch installs neard daemon in /usr/lib/neard. Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-15 | avahi: explicitly disable systemd if we don't want it enabled | Ross Burton | 1
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-15 | connman: explicitly disable systemd if we don't want it enabled | Ross Burton | 1
Otherwise configure will use pkg-config and may find systemd, even though we don't want it. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-14 | build-appliance-image: fix lost net connectivity after restart | Cristian Iorga | 1
The issue is that an ethernet config file is removed without proper checks in place (rm -f), which triggers an error and makes the connman startup script fail. The file is now removed with proper checks in place. Fixes [YOCTO #4003]. Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-12 | wpa-supplicant: avoid host contamination by libnl3 | Andreas Oberritter | 3
Removes hardcoded include path -I/usr/include/libnl3. OE's include path gets injected by do_configure. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-12 | wpa-supplicant: reorder do_configure | Andreas Oberritter | 1
Copy from WORKDIR first, then modify. Improves consistency between successive invocations of do_configure. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-12 | wpa-supplicant: change S to point to the top-level directory | Andreas Oberritter | 1
This makes it possible to apply patches to ../src. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-07 | Near Field communication recipe for neard 0.9 | Olivier Guiter | 2
The Linux NFC project aims to provide full NFC support for Linux. It is based on the neard NFC user space stack running on top of the Linux kernel NFC subsystem. The code generated using this recipe was tested on an ARM11 device, with a kernel 3.6, using, for the NFC hardware, a USB dongle with the PN533 chipset (SCL3711) Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-07 | connman: Wired interface provisioned via qemu | Cristian Iorga | 5
- connman-conf package re-implemented - connman 1.12 introduces provisioning for wired interfaces also; - wired interface settings are read from kernel cmdline if present; - after that are passed to connman as a config file - for BA, this is not needed, as BA will have a network infrastructure to work with. Fixes [YOCTO #3227]; Fixes [YOCTO #3804]; Fixes [YOCTO #3843]. Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-07 | connman: upgrade to 1.12 | Cristian Iorga | 3
- 0002-storage.c-If-there-is-no-d_type-support-use-fstatat.patch no longer needed; fix included in package source code Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-07 | iproute2: Fix build failure on ppc64 | Ting Liu | 4
Backport three patches from upstream for ppc64: http://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git ae70d96 ipntable: more fixes for ppc64 a55a8fd fix dependency on sizeof(__u64) == sizeof(unsigned long long) a7c2882 ip: fix ipv6 ntable on ppc64 Signed-off-by: Ting Liu <b28495@freescale.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-03-05 | libpcap: fix description variable | Andreas Oberritter | 1
* The variable name was truncated. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>