summaryrefslogtreecommitdiff
path: root/meta/recipes-connectivity
AgeCommit message (Collapse)AuthorFiles
2017-01-11nfs-utils: fix protocol minor version fall-backYi Zhao2
Mount nfs directory would fail if no specific nfsvers: mount -t nfs IP:/foo/bar/ /mnt/ mount.nfs: an incorrect mount option was specified mount.nfs currently expects mount(2) to fail with EPROTONOSUPPORT if the kernel doesn't understand the requested NFS version. Unfortunately if the requested minor is not known to the kernel it returns -EINVAL. Backport patch from nfs-utils-1.3.4 to fix this issue. (From OE-Core rev: 332596628697d28ae6e8c2271c9658aaf5e54796) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-01-11openssl: Security fix CVE-2016-7055Yi Zhao2
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. External References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055 https://www.openssl.org/news/secadv/20161110.txt Patch from: https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a (From OE-Core rev: 07cfa9e2bceb07f3baf40681f8c57f4d3da0aee5) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-01-11OpenSSL: CVE-2004-2761 replace MD5 hash algorithmT.O. Radzy Radzykewycz1
Use SHA256 as default digest for OpenSSL instead of MD5. CVE: CVE-2004-2761 The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. Upstream-Status: Backport Backport from OpenSSL 2.0 to OpenSSL 1.0.2 Commit f8547f62c212837dbf44fb7e2755e5774a59a57b Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (From OE-Core rev: f924428cf0c22a0b62769f8f31f11f173f25014f) Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-01-11openssl: fix bashism in c_rehash shell scriptAndré Draszik1
This script claims to be a /bin/sh script, but it uses a bashism: from checkbashisms: possible bashism in meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh line 151 (should be 'b = a'): if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ] This causes build issues on systems that don't have /bin/sh symlinked to bash: Updating certificates in ${WORKDIR}/rootfs/etc/ssl/certs... <builddir>/tmp/sysroots/x86_64-linux/usr/bin/c_rehash: 151: [: x/: unexpected operator ... Fix this by using POSIX shell syntax for the comparison. (From OE-Core rev: 0526524c74d4c9019fb014a2984119987f6ce9d3) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Sylvain Lemieux <slemieux@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-01-11openssh: fix CVE-2016-8858Kai Kang2
Backport patch to fix CVE-2016-8858 of openssh. Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1384860 (From OE-Core rev: 134a05616839d002970b2e7124ea38348d10209b) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-16openssl: rehash actual mozilla certificates inside rootfsDmitry Rozhkov1
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs of a rootfs where the package ca-certificates puts symlinks to various CA certificates stored in /usr/share/ca-certificates/mozilla/. These symlinks are absolute. This means that when c_rehash is run at rootfs creation time it can't hash the actual files since they actually reside in the build host's directory $SYSROOT/usr/share/ca-certificates/mozilla/. This problem doesn't reproduce when building on Debian or Ubuntu hosts though, because these OSs have the certificates installed in the same /usr/share/ca-certificates/mozilla/ folder. Images built in other distros, e.g. Fedora, have problems with connecting to https servers when using e.g. python's http lib. The patch fixes c_rehash to check if it runs on a build host by testing $SYSROOT and to translate the paths to certificates accordingly. (From OE-Core rev: 5199b990edf4d9784c19137d0ce9ef141cd85e46) Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-16connman: fix bad file descriptor initialisationLukasz Nowak2
Import a patch from upstream, which fixes a connman daemon freeze under certain conditions (multiple active interfaces, no r/w storage). (From OE-Core rev: bba18cdce6fb6c5ff2f7161198d46607a72747d6) Signed-off-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-10-15bind: fix two CVEsZheng Ruoqin3
Add two CVE patches from upstream git: https://www.isc.org/git/ 1.CVE-2016-2775.patch 2.CVE-2016-2776.patch Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-10-15ppp: fix building with linux-4.8Jackie Huang2
Fix a build error when using the linux-4.8 headers that results in: In file included from pppoe.h:87:0, from plugin.c:29: ../usr/include/netinet/in.h:211:8: note: originally defined here struct in6_addr ^~~~~~~~ In file included from ../usr/include/linux/if_pppol2tp.h:20:0, from ../usr/include/linux/if_pppox.h:26, from plugin.c:52: ../usr/include/linux/in6.h:49:8: error: redefinition of 'struct sockaddr_in6' struct sockaddr_in6 { ^~~~~~~~~~~~ Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-10-05Revert "connman-gnome: StatusIcon adapts to size changes"Jussi Kukkonen1
The aim of the original commit was to make connman-gnome load the icons at the exact size of the systray. There are two problems with this: * There are not enough icon sizes provided to make the scaling look good at most sizes (including current panel size) * Both connman-gnome and mb-panel have bugs in the icon size update code and using scaling to exact size makes these much more visible (See bug 9995 for example). The problems the original commit tried to fix can be worked around with better packing in matchbox-panel-2. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-28openssl: Upgrade 1.0.2i -> 1.0.2jRichard Purdie2
Deals with a CVE issue Drops a patch applied upstream and no longer needed. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-23openssl.inc: avoid random ptest failuresPatrick Ohly1
"make alltests" is sensitive to the timestamps of the installed files. Depending on the order in which cp copies files, .o and/or executables may end up with time stamps older than the source files. Running tests then triggers recompilation attempts, which typically will fail because dev tools and files are not installed. "cp -a" is not enough because the files also have to be newer than the installed header files. Setting the file time stamps to the current time explicitly after copying solves the problem because do_install_ptest_base is guaranteed to run after do_install. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-23openssl: update to 1.0.2i (CVE-2016-6304 and more)Patrick Ohly7
This update fixes several CVEs: * OCSP Status Request extension unbounded memory growth (CVE-2016-6304) * SWEET32 Mitigation (CVE-2016-2183) * OOB write in MDC2_Update() (CVE-2016-6303) * Malformed SHA512 ticket DoS (CVE-2016-6302) * OOB write in BN_bn2dec() (CVE-2016-2182) * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) * DTLS buffered message DoS (CVE-2016-2179) * DTLS replay protection DoS (CVE-2016-2181) * Certificate message OOB reads (CVE-2016-6306) Of these, only CVE-2016-6304 is considered of high severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were already fixed via local patches, which can be removed now. See https://www.openssl.org/news/secadv/20160922.txt for details. Some patches had to be refreshed and one compile error fix from upstream's OpenSSL_1_0_2-stable was required. The server.pem file is needed for test_dtls. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-23bluez5: remove duplicated udev setting from FILES_${PN}Robert Yang1
bitbake.conf already sets it. Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-09-23ofono: remove duplicated udev setting from FILES_${PN}Robert Yang1
It doesn't have files in udev dir, and bitbake.conf already sets it. Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
2016-09-23wpa_supplicant: Security Advisory-CVE-2016-4477Zhixiong Chi4
Add CVE-2016-4477 patch for avoiding \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. Patches came from http://w1.fi/security/2016-1/ Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-09-23wpa_supplicant: Security Advisory-CVE-2016-4476Zhixiong Chi3
Add CVE-2016-4476 patch for avoiding \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. Patches came from http://w1.fi/security/2016-1/ Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-09-20openssl: fix do_configure error when cwd is not in @INCRobert Yang2
Fixed when building on Debian-testing: | Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-09-20openssh: fix potential signed overflow to enable compilation with -ftrapvYuanjie Huang2
Pointer arithmatic results in implementation defined signed integer type, so that 's - src' in strlcpy and others may trigger signed overflow. In case of compilation by gcc or clang with -ftrapv option, the overflow would lead to program abort. Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608] Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-09-15openssl: Fix MIPS64be and add MIPS64leZubair Lutfullah Kakakhel1
MIPS64 target was being configured for linux-mips which defaults to MIPS32. Doesn't cause any issue as far as I can see but it would be wiser to use the correct target configuration. Also add MIPS64le configuration which is missing. Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-05ofono: RRECOMMENDS tun.ko & APN databaseAndré Draszik1
- kernel-module-tun is needed so that ofono can create the ppp network interface - mobile-broadband-provider-info is needed as an explicit dependency even though it is in DEPENDS, because it's just an xml database, and the DEPENDS simply allows ofono to figure out its location in the file system (using pkg-config during configure). But there is no shared library dependency or so for bitbake to figure out this runtime dependency. We make it a recommendation only, so that it can still be removed from filesystem images in case people build images that don't need the provider database (and e.g. hard-code APNs for specific use-cases) Signed-off-by: André Draszik <git@andred.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-03nfs-utils: control ipv6 support based on DISTRO_FEATURESJackie Huang1
Add PACKAGECONFIG for ipv6 and control it based on DISTRO_FEATURES. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-03libpcap: control ipv6 support based on DISTRO_FEATURESJackie Huang1
Add PACKAGECONFIG for ipv6 and control it based on DISTRO_FEATURES. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-23openssh: Upgrade 7.2p2 -> 7.3p1Jussi Kukkonen3
Remove CVE-2015-8325.patch as it's included upstream. Rebase another patch. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-20openssl: fix add missing dependencies building for test directoryAndrej Valek1
Regarding the last commit about missing dependencies, another issue was found. The problem was found, while ptest has been built with some set extra settings. It means, when ptest is going to be built, it is necessary to rebuild dependencies for test directory too. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-18openssh: add ed25519 host key location to read-only sshd configAndré Draszik1
It's simply been missing. Signed-off-by: André Draszik <git@andred.net> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-18connman: add missing space in _appendAndré Draszik1
We do that everywhere else, and otherwise anybody extending SRC_URI through bbappend must know to add a space at the end, which is an unusual requirement. Signed-off-by: André Draszik <git@andred.net> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-17iproute2: update 4.6.0 -> 4.7.0Maxin B. John1
4.6.0 -> 4.7.0 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-10connman: clean up musl fixesRoss Burton4
The upstreamable include fixes have been sent upstream. The patch set adds AC_USE_SYSTEM_EXTENSIONS so we don't need to explictly define _GNU_SOURCE anymore. Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-10connman: disable version-scripts to fix crashes at startupRoss Burton2
With binutils 2.27 on at least MIPS, connmand will crash on startup. This appears to be due to the symbol visibilty scripts hiding symbols that stdio looks up at runtime, resulting in it segfaulting. This certainly appears to be a bug in binutils 2.27 although the problem has been known about for some time: https://sourceware.org/bugzilla/show_bug.cgi?id=17908 As the version scripts are only used to hide symbols from plugins we can safely remove the scripts to work around the problem until binutils is fixed. Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-10openssl: fix add missing `make depend` command before `make` libraryAndrej Valek1
Settings from EXTRA_OECONF like en/disable no-ssl3, are transferred only into DEPFLAGS. It means that settings have no effect on output files. DEPFLAGS will be transferred into output files with make depend command. https://wiki.openssl.org/index.php/Compilation_and_Installation#Dependencies Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-07openssl: remove dangling patchStefan Müller-Klieser1
Signed-off-by: Stefan Müller-Klieser <s.mueller-klieser@phytec.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-04dhcp: dhcrelay.service cannot start successfullyDai Caiyun2
Modify dhcrelay.service to avoid it start failed. Signed-off-by: Dai Caiyun <daicy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-04meta: add more missing patch tagsRoss Burton2
Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-01connman: upgrade to 1.33Maxin B. John1
1.32 -> 1.33 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-28avahi-ui: use PACKAGECONFIG for gtk featuresJackie Huang2
The commit "054ea20 avahi-ui: Build with Gtk+3" enabled gtk3 and disabled gtk2, which causes failure on some package depends on gtk2, like gnome-disk-utility in meta-openembedded/meta-gnome: | checking for GTK2... yes | checking for AVAHI_UI... no | configure: error: Package requirements (avahi-ui >= 0.6.25) were not met: | | No package 'avahi-ui' found The gtk2 and gtk3 feature for avahi-ui is not exclusive, so change to use PACKAGECONFIG for them so we can easily enable/disable one of them or both of them as needed. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-25bluez5: upgrade to 5.41Maxin B. John1
5.40 -> 5.41 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-25dhcp: remove dhclient-script bash dependencyAndre McCurdy3
Take the dash compatible IPv6 link-local address test from the Debian version of dhclient-script. Note that although "echo -e" in the OE version of dhclient-script is technically bash specific too, it is supported by Busybox echo when Busybox is configured with CONFIG_FEATURE_FANCY_ECHO enabled (which is the default in the OE Busybox defconfig) therefore leave as-is. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-25openssh: conditional compile DES code.mingli.yu@windriver.com3
After openssl disabled DES, openssh fails to build for some DES codes are not wrapped in conditional compile statement "#ifndef OPENSSL_NO_DES" and "#endif". Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-25avahi: fix resource temporarily unavailable issueKai Kang2
It sometimes fails to run avahi with error: "Could not receive return value from daemon process". It has same root cause with https://github.com/lxc/lxc/issues/25. Backport patch to fix this issue. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-20openssl: Security fix CVE-2016-2178Armin Kuster2
affects openssl <= 1.0.2h CVSS v2 Base Score: 2.1 LOW Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-20openssl: Security fix CVE-2016-2177Armin Kuster2
Affects openssl <= 1.0.2h CVSS v2 Base Score: 7.5 HIGH Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-20neard: upgrade to 0.16Maxin B. John1
0.15 -> 0.16 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-08socat: remove the hardcoded shifting offsetZhenhua Luo1
The hardcoded shifting offset causes the following runtime error: | socat: xioinitialize.c:41: xioinitialize: Assertion `3 << | opt_crdly.arg3 == 00030000' failed. Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-08meta: update patch metadataRoss Burton5
Enforce the correct tag names across all of oe-core for consistency. Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-01connman-gnome: StatusIcon adapts to size changesJussi Kukkonen1
Update the Gtk3 patch to make the StatusIcon load pixbufs at (more) correct sizes -- Gtk3 does not seem to reliably position the icon otherwise. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-01openssl: prevent warnings from openssl-c_rehash.shJoshua Lock1
The openssl-c_rehash.sh script reports duplicate files and files which don't contain a certificate or CRL by echoing a WARNING to stdout. This warning gets picked up by the log checker during rootfs and results in several warnings getting reported to the console during an image build. To prevent the log from being overrun by warnings related to certificates change these messages in openssl-c_rehash.sh to be prefixed with NOTE not WARNING. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-23openssh: fix init script restart with read-only-rootfsMatthew Campbell1
restart in the init script uses the check_config() function which doesn't have the $SSHD_OPTS passed through. This causes it to check the wrong config (and fail when read-only-rootfs is enabled. Signed-off-by: Matthew Campbell <mcampbell@izotope.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-15avahi-ui: Build with Gtk+3Jussi Kukkonen2
Add patch to install GtkBuilder ui files for GTK+3. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-15connman-gnome: Add patch to port to Gtk+3Jussi Kukkonen2
Upstream is not really active anymore: patch the Gtk+3 upgrade in for now (long term solution is to change to another UI). Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>