path: root/meta/recipes-connectivity
Age | Commit message | Author | Files
2017-04-28 | bind: Security fix CVE-2016-6170 | Yi Zhao | 2
CVE-2016-6170: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-6170 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-28 | bind: Security fix CVE-2016-8864 | Yi Zhao | 2
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-8864 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-21 | openssl: Bump SONAME to match the ABI | Jussi Kukkonen | 2
Commit 7933fbbc637 "Security fix Drown via 1.0.2g update" included a version-script change from Debian that was an ABI change. It did not include the soname change that Debian did so we have been calling our ABI 1.0.0 but it really matches what others call 1.0.2. Bump SONAME to match the ABI. In practice this changes both libcrypto and libssl sonames from 1.0.0 to 1.0.2. For background: Upstream does not do sonames so these are set by distros. In this case the ABI changes based on a build time configuration! Debian took the ABI changing configuration and bumped soname but e.g. Ubuntu kept the deprecated API and just made it not work, keeping soname. So both have same version of openssl but support different ABI (and expose different SONAME). Fixes [YOCTO #11396]. Thanks to Alexander Larsson et al for detective work. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-19 | Revert "openssl: Fix symlink creation" | Jussi Kukkonen | 1
This reverts commit 991620f3962a9917fa99abb5582f4b72ebd42a3d. The commit breaks openssl-native (you can no longer generate keys because it can't find the configuration file). Also the idea that we would install configuration files normally but then add the symlinks pointing to them in a postinstall feels wrong. Fixes [YOCTO #11296]. The bug contains an alternative fix but I'm sending a revert as I cannot fully understand the motive of the original patch. See also discussion in http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-11 | openssl: fix the reference to native perl in ptests | Alexander Kanavin | 1
This was causing a couple of ptest failures. [YOCTO #10840] Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-31 | openssl: add a "openssl10" PROVIDES | Alexander Kanavin | 1
In 2.4 development cycle openssl 1.1 will replace openssl 1.0 as the default openssl version. Openssl 1.0 will stay but will be renamed to openssl10, and eventually it will be removed (hopefully much sooner than the official end of support date of Dec 2019, as we do not want an unsupported openssl version in supported Yocto releases). There are several recipes that are not API compatible with 1.1; some of them will eventually be fixed, but others will never be (such as Qt4). To avoid breaking such recipes when openssl 1.1 is added to oe-core, let's provide "openssl10" already now and change the recipes to depend on that where necessary; Qt4 is a particularly pressing issue as it is causing failures on the autobuilder with my work in progress openssl 1.1 branch, and so I'm not able to see what else would fail later in the build process. Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-31 | openssl: Fix regression when building for thumb2 | Max Krummenacher | 1
Commit 'c8da8ce openssl: Fix build with clang' introduced a regression. do_compile fails when building with gcc/thumb2. Note that I did not test if it still builds with clang. Prevents the following when building with thumb2:
| ghash-armv4.S: Assembler messages:
| ghash-armv4.S:88: Error: thumb conditional instruction should be in IT block -- `ldrplb r12,[r2,r3]'
| ghash-armv4.S:98: conditional infixes are deprecated in unified syntax
| ghash-armv4.S:98: Error: thumb conditional instruction should be in IT block -- `ldrplb r8,[r0,r3]'
| ghash-armv4.S:105: Error: thumb conditional instruction should be in IT block -- `eorpl r12,r12,r8'
| ghash-armv4.S:107: Error: thumb conditional instruction should be in IT block -- `andpl r14,r12,#0xf0'
| ghash-armv4.S:108: Error: thumb conditional instruction should be in IT block -- `andpl r12,r12,#0x0f'
| ghash-armv4.S:144: conditional infixes are deprecated in unified syntax
| ghash-armv4.S:144: Error: thumb conditional instruction should be in IT block -- `ldrneb r12,[r2,#15]'
| ghash-armv4.S:231: conditional infixes are deprecated in unified syntax
| ghash-armv4.S:231: Error: thumb conditional instruction should be in IT block -- `ldrplb r12,[r0,r3]'
| ghash-armv4.S:248: Error: thumb conditional instruction should be in IT block -- `andpl r14,r12,#0xf0'
| ghash-armv4.S:249: Error: thumb conditional instruction should be in IT block -- `andpl r12,r12,#0x0f'
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-21 | openssl: Fix build with clang | Khem Raj | 2
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-17 | neard: Fix parallel build issue | Jussi Kukkonen | 2
This only started showing up now for some reason but it does seem like a legitimate bug in Makefile.am. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-17 | openssl: Disable make's -e flag without breaking ${AR} | Olof Johansson | 1
The OpenSSL recipe tried to workaround the -e make flag (overriding variables from the environment). And when the -e flag was dropped as the global default, it was specifically added for OpenSSL. This is unnecessary, as only the value of ${AR} seems to be affected, and that can be handled correctly by OpenSSL's build system if we just let it. Signed-off-by: Olof Johansson <olof.johansson@axis.com> Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-14 | openssl: actually apply Use-SHA256-not-MD5-as-default-digest.patch | Ross Burton | 1
This patch was added to fix a CVE, but wasn't actually added to SRC_URI: CVE: CVE-2004-2761 The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-10 | openssl: Fix symlink creation | David Vincent | 1
Symlinking the openssl configuration file at install time results in errors when overriding it using an external package which also provides openssl-conf. This should be done as a postinstall task for such packages. Signed-off-by: David Vincent <freesilicon@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-01 | wireless-tools: Update URLs | Jussi Kukkonen | 1
wireless-tools is now hosted on https://hewlettpackard.github.io/wireless-tools/Tools.html Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-01 | iproute2: upgrade to 4.10.0 | Maxin B. John | 3
4.9.0 -> 4.10.0
added the following patch to fix build with musl libc
1) 0001-libc-compat.h-add-musl-workaround.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-01 | recipes: Make use of the new bb.utils.filter() function | Peter Kjellerstedt | 7
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-15 | socat: 1.7.3.1 -> 1.7.3.2 | Hongxu Jia | 1
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2017-02-09 | openssl/fontconfig/bzip2: Use relative symlinks instead of absolute ones (using a new class) | Richard Purdie | 1
Absolute path symlinks are a bit of a pain for sstate and the native versions of these recipes currently contain broken symlinks as a result. There are only a small number of problematic recipes, at least in OE-Core, namely the three here. Rather than trying to make sstate handle this magically, which turns out to be a harder problem than you'd first realise, simply make the symlinks relative early in the process and avoid all the problems. The alternative is adding new complexity to sstate which we could really do without as without the complexity, you can't always tell where the absolute symlink is relative to (due to prefixes used for native sstate). Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-07 | iproute2: Inherit pkgconfig | Khem Raj | 1
Fixes
ERROR: iproute2-4.9.0-r0 do_package: QA Issue: iproute2: Files/directories were installed but not shipped in any package:
  /usr/lib
  /usr/lib/tc
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-05 | openssl: Upgrade 1.0.2j -> 1.0.2k | Andrej Valek | 2
Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-31 | wpa-supplicant: inherit pkgconfig | Markus Lehtonen | 1
Missing dependency uncovered after recipe specific sysroots were enabled. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-31 | bluez5: make readline support conditional. | Ismo Puustinen | 1
Add readline support to PACKAGECONFIG. If readline needs to be left out of compilation, the bluez utilities which depend on readline are not included in build or packages. The defaults in PACKAGECONFIG are the same as before, so there should be no change to current users. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-26 | openssh: upgrade to 7.4p1 | Dengke Du | 4
1. Drop CVE patch: fix-CVE-2016-8858.patch, because version 7.4p1 has fixed it.
2. Rebase the remaining patches on version 7.4p1.
Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-26 | socat: support native compilation | Patrick Ohly | 1
This is needed for building the swtpm TPM simulator (recipe in meta-security). Native compilation disables tcp-wrappers by default to simplify the build. "nativesdk" is added just in case that someone also wants this in an SDK. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-26 | connman: Add workaround to build with musl & 4.9 headers | Jussi Kukkonen | 2
Kernel headers break when musl defines IFF_LOWER_UP. While waiting for more proper fix in musl, add a workaround to connman. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-26 | ppp: update SRC_URI | Ross Burton | 1
ppp.samba.org has disappeared from the Internet and isn't responding anymore, so point the SRC_URI at the canonical samba.org download server instead. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-19 | openssl: Use linux-aarch64 target for aarch64 | Fabio Berton | 1
aarch64 target was being configured for linux-generic64 but openssl has linux-aarch64 target. Change to use linux-aarch64 as default. Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-16 | iproute2 4.7->4.9 | Zheng Ruoqin | 3
Upgrade iproute2 from 4.7 to 4.9 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-16 | nfs-utils: remove -f exports from nfsserver | Saul Wold | 1
The upstream project removed that option as it was, quote: "It is completely ineffective." [YOCTO #10843] Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09 | ppp: Add patch to fix build with musl and 4.9 headers | Jussi Kukkonen | 2
Removing unused includes fixes the build. Fixes [YOCTO #10853]. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09 | ppp: Partly remove patch that doesn't make sense any more | Jussi Kukkonen | 1
ppp no longer provides the duplicate if_pppox.h header so no need to patch that out of the Makefile. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-22 | openssl: Add support for many MIPS configurations | Zubair Lutfullah Kakakhel | 1
Add more case statements to catch MIPS tune configurations Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-19 | openssl-native: Compile with -fPIC | Khem Raj | 1
Fixes
| /usr/bin/ld: libcrypto.a(sha1-x86_64.o): relocation R_X86_64_PC32 against undefined symbol `OPENSSL_ia32cap_P' can not be used when making a shared object; recompile with -fPIC
| /usr/bin/ld: final link failed: Bad value
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2016-12-17 | wpa-supplicant: 2.5 -> 2.6 | Zheng Ruoqin | 6
1) Upgrade wpa-supplicant from 2.5 to 2.6.
2) Delete 5 patches below, since they are integrated upstream.
   0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
   0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
   0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
   0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
   0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
3) License checksum changes are not related to license changes.
(From OE-Core rev: 878d411eb53e96bf78e902cc2345eccda8807bfc)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-16 | meta: remove True option to getVar calls | Joshua Lock | 2
getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13 | libpcap: Disable exposed bits of WinPCAP remote capture support | Fabio Berton | 2
Disable bits of remote capture support inherited from the WinPCAP merge which cause applications to fail to build if they define HAVE_REMOTE. Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08 | nfs-utils: sync systemd unit files with nfs-utils.git | Andreas Oberritter | 3
nfs-server failed to start after installation from a package feed. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08 | nfs-utils: don't try to load kernel module | Andreas Oberritter | 1
This conflicts with KERNEL_MODULE_AUTOLOAD += "nfsd". Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08 | nfs-utils: create package nfs-utils-mount | Andreas Oberritter | 1
Contains just enough to mount and unmount nfs volumes, i.e. the same as nfs-utils-client before commit 39bb7e3 ("nfs-utils: separate package as Debain style"). Drop nfs-utils-client's dependency on bash. It contains two shell scripts, /etc/init.d/nfscommon and /usr/sbin/start-statd, both using /bin/sh. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08 | nfs-utils: systemd fixes | Andreas Oberritter | 3
- Start daemons by default like the initscripts do, but only if /etc/exports exists.
- Inform systemd.bbclass about nfs-utils-client package.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08 | dhcp: 4.3.4 -> 4.3.5 | Huang Qiyu | 1
Upgrade dhcp from 4.3.4 to 4.3.5. Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | nfs-utils: 1.3.3 -> 1.3.4 | Mariano Lopez | 4
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | nfs-utils: remove non-existent variable INHIBIT_AUTO_STAGE | Ross Burton | 1
This variable doesn't exist anywhere else in meta/ so presumably this is historical legacy. Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | iw: upgrade to 4.9 | Maxin B. John | 1
Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | bluez5: upgrade to 5.43 | Maxin B. John | 1
Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | ofono: update 1.18 -> 1.19 | André Draszik | 1
In particular, this fixes a crash on shutdown. From upstream's ChangeLog:
ver 1.19:
    Fix issue with DHCP parsing and Huawei modems.
    Fix issue with detecting Huawei E3372 modem.
    Fix issue with handling serving cell info.
    Fix issue with handling SIM SC facility lock.
    Fix issue with Android RIL PIN retry logic.
    Fix issue with Android RIL and RAT handling.
    Add support for Android RIL cell broadcast.
    Add support for SoFIA 3GR thermal management.
Signed-off-by: André Draszik <adraszik@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23 | libpcap: Fix build when PACKAGECONFIG ipv6 is not enabled | Fabio Berton | 3
Add patches to fix error:
/
| ERROR: oe_runmake failed
| config.status: creating pcap-config.tmp
| mv pcap-config.tmp pcap-config
| chmod a+x pcap-config
| ../libpcap-1.8.1/gencode.c: In function 'pcap_compile':
| ../libpcap-1.8.1/gencode.c:693:8: error: 'compiler_state_t
| {aka struct _compiler_state}' has no member named 'ai'
| cstate.ai = NULL;
| ^
| ../libpcap-1.8.1/gencode.c: In function 'gen_gateway':
| ../libpcap-1.8.1/gencode.c:4914:13: error: 'cstate' undeclared
| (first use in this function)
| bpf_error(cstate, "direction applied to 'gateway'");
| ^~~~~~
| ../libpcap-1.8.1/gencode.c:4914:13: note: each undeclared identifier is
| reported only once for each function it appears in
\
Patches were submitted to upstream [1]
[1] https://github.com/the-tcpdump-group/libpcap/pull/541
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23 | nfs-utils: fix protocol minor version fall-back | Yi Zhao | 2
Mount nfs directory would fail if no specific nfsvers:
    mount -t nfs IP:/foo/bar/ /mnt/
    mount.nfs: an incorrect mount option was specified
mount.nfs currently expects mount(2) to fail with EPROTONOSUPPORT if the kernel doesn't understand the requested NFS version. Unfortunately if the requested minor is not known to the kernel it returns -EINVAL. Backport patch from nfs-utils-1.3.4 to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23 | openssl: Security fix CVE-2016-7055 | Yi Zhao | 2
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. External References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055 https://www.openssl.org/news/secadv/20161110.txt Patch from: https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23 | OpenSSL: CVE-2004-2761 replace MD5 hash algorithm | T.O. Radzy Radzykewycz | 1
Use SHA256 as default digest for OpenSSL instead of MD5. CVE: CVE-2004-2761 The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. Upstream-Status: Backport Backport from OpenSSL 2.0 to OpenSSL 1.0.2 Commit f8547f62c212837dbf44fb7e2755e5774a59a57b Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23 | openssh: fix CVE-2016-8858 | Kai Kang | 2
Backport patch to fix CVE-2016-8858 of openssh. Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1384860 Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>