Age | Commit message | Author | Files |
|
CVE-2016-2105
CVE-2016-2106
CVE-2016-2109
CVE-2016-2176
https://www.openssl.org/news/secadv/20160503.txt
fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
4.4.0 -> 4.5.0
Refreshed iproute2 musl build fix patch for 4.5.0
Remove backported patch:
iproute2-fix-building-with-musl.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
5.37 -> 5.39
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
A patch is needed to fix a race in out-of-tree builds, and the install-ptest
logic can be simplified.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
openssh <= 7.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is required for dbus-binding-tool.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before
4.3.4 does not restrict the number of concurrent TCP sessions,
which allows remote attackers to cause a denial of service
(INSIST assertion failure or request-processing outage)
by establishing many sessions.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2774
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Duplicate EDNS COOKIE options in a response could trigger an
assertion failure: Fix with a backport.
bind as built with the oe-core recipe is not at risk: Only servers
which are built with DNS cookie support (--enable-sit) are vulnerable
to denial of service.
Fixes [YOCTO #9438]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
do_install_append function installs init scripts but to enable this
service we need to inherit update-rc.d class and set INITSCRIPT name
and params.
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes following vulnerabilities:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
===========================================================
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=70037e040e587329cec82123e12b9f4f7c945f67
CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=a3d327bf1ceaaeabb20223d8de85166e940b9f12
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
musl calls them __c_ispeed and __c_ospeed
and we can not use get/set APIs because the get APIs
will return the value from iflags and not from *speed
element from termios struct
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
libcrypto.so was explicitly added to FILES_${PN}-dev as part of moving
libcrypto from libdir -> base_libdir to support dhclient [1].
However, the line has been unnecessary since ${base_libdir}/lib*.so
files started to be included in FILES_${PN}-dev by default [2] (and
it's still unnecessary now, after moving libcrypto back to libdir
to support ntp [3]).
[1] http://git.openembedded.org/openembedded-core/commit/?id=01ea85f7f6c53c66c76d6f832518b28bf06ec072
[2] http://git.openembedded.org/openembedded-core/commit/?id=66c36bcb7d9368718453265e58bd5e3c854c786a
[3] http://git.openembedded.org/openembedded-core/commit/?id=0be2ab32f690a2fcba0e821abe11460958bbc6dc
Also define FILES_libssl using SOLIBS instead of a hardcoded pattern.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Bluez 5.37 itself correctly installs bluetooth.conf, and honors
the path settings in dbus-1.pc.
Removing the obsolete workaround is necessary for compiling
"stateless" (= read-only system configuration moved out of /etc).
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[YOCTO #5134]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Change the ownership of /var/cache/bind to bind rather than root.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch enables the functionality for dhcpd service to be started
with dhcp uid and gid.
Test steps:
Step 1: Assign ip to interface
    ifconfig eth0 192.168.1.1
Step 2: Edit /etc/dhcp/dhcpd.conf:
    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option broadcast-address 192.168.1.255;
        range 192.168.1.88 192.168.1.88;
        option routers 192.168.1.0;
    }
Step 3: Edit /etc/default/dhcp-server:
    INTERFACES="eth0"
Step 4: Check uid and gid of running dhcpd process
    $ ps -eo user:19,group:19,cmd | grep dhcpd
    dhcp dhcp /usr/sbin/dhcpd eth0 -user dhcp -group dhcp
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This includes a proper D-Bus service file for obexd in systems that do
not support systemd.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
make it more portable across libc implementations
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
For now, if 'openssl' is enabled for ntp, ntp would still be built
without openssl & libcrypto. This is because ntp thinks openssl
and libcrypto are located under the same directory.
This patch removes the code that moves libcrypto to base_libdir.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
For now, `systemctl stop dhcpd' cannot stop dhcpd correctly, the SIGTERM
signal would time out, causing a SIGKILL signal sent to dhcpd.
Patch site.h to enable gentle shutdown so that dhcpd could be stopped
by SIGTERM.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
python-pygtk is removed in a separate commit; the reasons for
that are explained in that commit's message.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Now that avahi has a dbus PACKAGECONFIG we need to ensure it's enabled as
otherwise the avahi-ui module won't build.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Since do_install fails when dbus is removed by .bbappend, add packageconfig
to allow users to get rid of desktop ipc helper dbus.
Signed-off-by: Jens Rehsack <sno@netbsd.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Apply a patch taken from Gentoo to hopefully fix the remaining parallel make
races.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2016-0800
CVE-2016-0705
CVE-2016-0798
CVE-2016-0797
CVE-2016-0799
CVE-2016-0702
CVE-2016-0703
CVE-2016-0704
https://www.openssl.org/news/secadv/20160301.txt
Updated 2 debian patches to match changes in 1.0.2g
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ISC DHCP allows remote attackers to cause a denial of
service (application crash) via an invalid length field
in a UDP IPv4 packet.
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
0.6.31 -> 0.6.32
a. Switched to the new repository hosted in github.
b. Removed the following Upstreamed/Backported patches
1. 0001-Don-t-log-warnings-about-invalid-packets-Fixes-lathi.patch
2. 0001-avahi-fix-avahi-status-command-error-prompt.patch
3. avahi_fix_install_issue.patch
4. fix_for_automake_1.12.x.patch
5. out-of-tree.patch
6. reuseport-check.patch
c. Added UPSTREAM_CHECK_URI
[YOCTO #7553]
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream nfs-utils use 'rpc-statd.service' and Yocto introduced
'nfs-statd.service' instead but forgot to update the mount.nfs helper
'start-statd' accordingly.
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
NETDB_INTERNAL is a glibc define
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
4.3.0 -> 4.4.0
a) Added iproute2-fix-building-with-musl.patch to fix build with
musl.
b) Include below listed utilities that are not yet enabled/packaged
in the iproute2 recipe:
1. lnstat
2. ifstat
3. genl
4. rtacct
5. nstat
6. ss
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
4.3.0 -> 4.4.0
Added iproute2-fix-building-with-musl.patch to fix build with
musl.
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Without the exit there will be a SKIP and a FAIL for the same test.
Also fix typo in a message.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
[YOCTO #9049]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Machine specific over-rides for mtx-1 (aka MeshCube) and
mtx-2 (aka SurfBox 2nd generation) don't belong in oe-core.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This fixes Socat Security Advisory 7 (MSVR-1499) and 8.
[ YOCTO #9024 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssl recipe currently relies on EXTRA_OEMAKE having been set to
"-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this
explicit so that the default in bitbake.conf can be changed.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
nss.h is not available on all libcs
so check for it and if it's not there provide
the needed data types.
Fixed build with musl
../../nss-mdns-0.10/src/nss.c:32:17: fatal error: nss.h: No such file or
directory
compilation terminated.
make[2]: *** [libnss_mdns4_la-nss.lo] Error 1
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Updated LICENSE hash due to change in copyright year.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The struct of xtables_globals has been modified in iptables 1.6.
If connman runs with iptables 1.6, it can crash.
Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
0xb7dea89c in xtables_find_target () from /usr/lib/libxtables.so.11
0xb7deac1c in ?? () from /usr/lib/libxtables.so.11
0xb7dea793 in xtables_find_target () from /usr/lib/libxtables.so.11
The missing function item of xtables is added to xtables_globals.
It can fix the above issue.
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
connman-conf is now a systemd oneshot and therefore doesn't need to
be sed'ed in to the ConnMan service file.
Note: this doesn't affect sysvinit where we provide a ConnMan
init script which checks for the presence of the wired-networking
script and, if it exists, executes it as part of the connman init.
[YOCTO #8399]
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Install a oneshot unit file that is started before ConnMan to
configure a wired network interface with the wired-setup script,
rather than requiring this script to be manually run somehow.
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Windows 10 will respond to mDNS messages when it really shouldn't,
resulting in a lot of logging. Pulling the change from avahi upstream.
This will be fixed in avahi 0.6.32
External References:
https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/1342400
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794145
https://bugzilla.redhat.com/show_bug.cgi?id=1240711
https://social.technet.microsoft.com/Forums/en-US/b334e797-ef80-4525-b74a-b4830420a14e/windows-10-spams-network-with-invalid-mdns-response-packets?forum=win10itpronetworking
Signed-off-by: Brad Mouring <brad.mouring@ni.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Addresses CVE-2015-8704 and CVE-2015-8705
CVE-2015-8704
Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record
CVE-2015-8705:
When debug logging is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option
[YOCTO 8966]
References:
https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Doesn't build with musl
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Helps compile with musl
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|