Mbed OS has reached its end of life in 2024 [1]; the announcement also
includes the change of the Mbed TLS homepage. This commit updates the
HOMEPAGE variable in the mbedtls recipe to reflect the new URL.
Additionally, the BUGTRACKER variable is added, as it is a required
field [2].
[1] https://os.mbed.com/blog/entry/Important-Update-on-Mbed/
[2] https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#required-variables
Signed-off-by: Ricardo Simoes <ricardo.simoes@pt.bosch.com>
Signed-off-by: Mark Jonas <mark.jonas@de.bosch.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Change license to EPL-2.0 OR BSD-3-Clause
Clarify license in LICENSE.txt: f466e454e0
Updated NOTICE.md: https://github.com/eclipse-mosquitto/mosquitto/commit/827c803cb8d6376891548b856a1faa3f0ab5
Removed patch included in this release
Update PACKAGECONFIG/cmake options:
- manpages: -DDOCUMENTATION → -DWITH_DOCS (the CMake option was renamed in 2.1.x)
- ssl: removed -DWITH_EC=ON/-DWITH_EC=OFF; the WITH_EC option was dropped in 2.1.x
since Elliptic Curve support is now always included with TLS
- websockets: adapt websockets to properly use with picohttpparser
- persist-sqlite: for persistence support in the broker, have sqlite3 dependency
- ctrl-shell: mosquitto_ctrl interactive shell, have libedit dependency
Disable `DWITH_ADNS` option because it required Argon2, which is not part of
meta-oe layer
Disable `DWITH_TESTS` option because mosquitto started using GoogleTest
and we hit a common Yocto + CMake + GoogleTest problem
Improve shipped package to modern version
Changelog:
v2.1.2:
https://github.com/eclipse-mosquitto/mosquitto/blob/v2.1.2/ChangeLog.txt
Broker:
- Forbid running with `persistence true` and with a persistence plugin at the
same time.
Build:
- Build fixes for OpenBSD. Closes #3474.
- Add missing libedit to docker builds. Closes #3476.
- Fix static/shared linking of libwebsockets under cmake.
v2.1.1:
https://github.com/eclipse-mosquitto/mosquitto/blob/v2.1.1/ChangeLog.txt
v2.1.0:
https://github.com/eclipse-mosquitto/mosquitto/blob/v2.1.0/ChangeLog.txt
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since there are no sources being fetched, set S to UNPACKDIR to fix:
| WARNING: wowlan-udev-1.0-r0 do_unpack: wowlan-udev: the directory
| ${UNPACKDIR}/${BP} ... pointed to by the S variable doesn't exist
| - please set S within the recipe to point to where the source has
| been unpacked to.
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Create path to fix `meson` build errors
Add missing dependencies.
Disables man page generation. The build was using xsltproc to try
downloading http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
from the network, which fails in embedded build environments.
Changelog:
v1.56.0
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.56.0/NEWS?ref_type=tags
Changed:
- Unify the versioning to use everywhere the scheme with the -rcX or -dev
suffixes when appropriate. This affects, for example, the URL and filename
of the release tarball and the version reported by nmcli and the daemon.
As an exception, the C API will continue to use the 90+ scheme for RC versions.
- nmcli now supports viewing and managing WireGuard peers.
- Support reapplying the "sriov.vfs" property as long as
"sriov.total-vfs" is not changed.
- Support reapplying "bond-port.vlans".
- Accept hostnames longer than 64 characters from DNS lookup.
- Make that global-dns configuration overwrites DNS searches and
options from connections, instead of merging all together.
- Add support for a new rd.net.dhcp.client-id option in
nm-initrd-generator.
- Add gsm device-uid setting to restrict the devices the connection applies to.
- Support configuring the HSR protocol version via the
"hsr.protocol-version" property.
- Fix a bug that makes broadband connections auto-connect getting
blocked if the connection tries to reconnect when modem status is
"disconnecting" / "disconnected".
- Treat modem connection not having an operator code available
as a recoverable error.
- Add support for configuring systemd-resolved's DNSSEC option
per-connection via the "connection.dnssec" connection property.
- Support configuring the HSR interlink port via the
"hsr.interlink" property.
- Fix some connection properties not being applied to vpn connections
(connection.mdns, connection.llmnr, connection.dns-over-tls,
connection.mptcp-flags, ipv6.ip6-privacy)
- Update n-acd to always compile with eBPF enabled, as support
for eBPF is now detected at run time.
- Add new MPTCP 'laminar' endpoint type, and set it by default alongside
the 'subflow' one.
- For private connections (the ones that specify a user in the
"connection.permissions" property), verify that the user can access
the 802.1X certificates and keys set in the connection.
- Introduce a libnm function that can be used by VPN plugins to check
user permissions on certificate and keys.
v1.54.0
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.54.0/NEWS?ref_type=tags
Changed:
- Add support for configuring per-device IPv4 forwarding via the
"ipv4.forwarding" connection property.
- Add a new "prefix-delegation" setting containing a "subnet-id"
property that specifies the subnet to choose on the downstream
interface when using IPv6 prefix delegation.
- Support OCI baremetal in nm-cloud-setup
- When activating a WireGuard connection to an IPv6 endpoint, now
NetworkManager creates firewall rules to ensure that the incoming
packets are not dropped by kernel reverse path filtering.
- Add support for configuring the loopback interface in nmtui.
- Most of the properties of ovs-bridge and ovs-port connections can
now be reapplied at runtime without bringing the connection down.
- Add a new "sriov.preserve-on-down" property that controls whether
NetworkManager preserves the SR-IOV parameters set on the device
when the connection is deactivated, or whether it resets them to
their default value.
- Introduce a new "ovs-dpdk.lsc-interrupt" property to configure the
Link State Change (LSC) detection mode for OVS DPDK interfaces.
- The initrd-generator now can parse the NVMe Boot Firmware Table
(NBFT) to configure networking during early boot.
- Add systemd services to provide networking in the initrd.
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
On some platforms (for example, QCx6490), XO (Crystal Oscillator) shutdown
is prevented by Wireless Processor Subsystem votes on interconnect
bandwidth and XO unless the WoWLAN magic-packet trigger is enabled. These
votes are released only after running:
iw phy0 wowlan enable magic-packet
Add a udev rule to automatically enable WoWLAN magic-packet support when
a Wi-Fi PHY is registered. This rule is provided via a dedicated
wowlan-udev package and is not enabled by default.
Integrators should include this package only if their platform requires
automatic WoWLAN magic-packet enablement.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
1. Add pkgconfig to solve following configure error:
../sources/adcli-0.9.3.1/configure: line 15340: syntax error near unexpected token `LIBSELINUX,'
../sources/adcli-0.9.3.1/configure: line 15340: `PKG_CHECK_MODULES(LIBSELINUX, libselinux, found_libselinux=yes, found_libselinux=no)'
2. Add PACKAGECONFIG[selinux] for new selinux support in 0.9.3.1.
3. Add 0001-configure.ac-Fix-selinux-error-for-cross_compiling.patch to fix SELINUX_MAKEFILE file check in 0.9.3.1.
4. Add --disable-offline-join-support to solve following configure error
configure: error: Couldn't build offline join support, Samba version too old or libnatapi devel package is missing
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
fix regression where the 'plugin' was not passed to pppd
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2
Drop 0001-allow-build-with-cmake-4.patch as the issue has been fixed
upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: the project was relicensed from GPL-2 to GPL-3
Includes fixes for the following vulnerabilities:
CVE-2025-7394, CVE-2025-7395, CVE-2025-7396, CVE-2025-12888, CVE-2025-11936,
CVE-2025-11935, CVE-2025-11934, CVE-2025-11933, CVE-2025-11932, CVE-2025-11931,
CVE-2025-12889
Drop patch that is incorporated in this release.
Changelog: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
Ptests passed:
START: ptest-runner
2025-12-09T18:23
BEGIN: /usr/lib/wolfssl/ptest
Wolfssl ptest logs are stored in /tmp/wolfss_temp.6rsnys/ptest.log
Test script returned: 0
unit_test: Success for all configured tests.
PASS: Wolfssl
DURATION: 13
END: /usr/lib/wolfssl/ptest
2025-12-09T18:23
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648
It is already fixed in the currently used version.
Also, update CVE-2025-55763's status to "fixed-version" (so it will be
marked as "Patched" in the CVE report instead of "Ignored")
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- add OpenSSL 3.0+ PKCS#11 support using OSSL_STORE API
- add OpenSSL Engine support (with OpenSSL < 3.0)
- update package links for distros in README
- remove deprecated option --plugin
- increase the maximum size of the proxy response
- route: always remove wrong pppd route to self
- fix several Coverity warnings
- fix a memory leak in new ipv4_drop_wrong_route method
- HTTP: fixes missing '\0' in debug
- IO: fixes a RC use after free
- SSL: Avoid leaking SSL context
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix following conflicts when enabling multilib.
Error: Transaction test error:
file /usr/include/freeradius/features.h conflicts between attempted installs of freeradius-dev-3.2.8-r0.x86_64_v3 and lib32-freeradius-dev-3.2.8-r0.core2_32
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fixes for CVE-2025-54764 and CVE-2025-59438
Also, add the recipe to the ptest image list, because it was missing.
Ptests passed successfully.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.5
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
remove the following files which have the following license:
Copyright (C) 2023 Network RADIUS SARL (legal@networkradius.com)
This software may not be redistributed in any form without the prior
written consent of Network RADIUS.
src/modules/rlm_dpsk/rlm_dpsk.c
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
For Samba's Active Directory Domain Controller functionality, it needs
to have python3-markdown listed as an RDEPENDS as well as a DEPENDS.
When trying to provision a domain with samba-tool without this change
then it will error out like:
$ samba-tool domain provision --realm=EXAMPLE.COM --domain=EXAMPLE \
--adminpass='YourPassword123!' --server-role=dc \
--dns-backend=SAMBA_INTERNAL --use-rfc2307
<snip>
Temporarily overriding 'dsdb:schema update allowed' setting
ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
File "/usr/lib/python3.13/site-packages/samba/netcmd/init.py", line 279, in _run
return self.run(*args, **kwargs)
~~~~~~~~^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/samba/netcmd/domain/provision.py", line 343, in run
result = provision(self.logger,
session, smbconf=smbconf, targetdir=targetdir,
...<16 lines>...
backend_store=backend_store,
backend_store_size=backend_store_size)
File "/usr/lib/python3.13/site-packages/samba/provision/init.py", line 2404, in provision
raise e
File "/usr/lib/python3.13/site-packages/samba/provision/init.py", line 2394, in provision
forest = ForestUpdate(samdb, fix=True)
File "/usr/lib/python3.13/site-packages/samba/forest_update.py", line 212, in init
from samba.ms_forest_updates_markdown import read_ms_markdown
File "/usr/lib/python3.13/site-packages/samba/ms_forest_updates_markdown.py", line 27, in <module>
import markdown
Signed-off-by: Andrew Bradford <andrew.bradford@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This update contains a fix for CVE-2025-55763.
License-Update: copyright year bump to 2025.
Shortlog since last update:
5864b55a94...b6ef58f4c4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When enabling multilib with lib32, the radiusd will use etc file for lib32 as default
#systemctl status radiusd
......
/usr/sbin/radiusd -d /etc/lib32-raddb
It should be lib64 as default.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* Fix bug that caused that challenge was incorrectly reused if invalid or expired.
* Add support for "data-ciphers-fallback" option.
* Add GUI support for "data-ciphers" option.
* Fix export for password connection type that was not exporting some fields.
* Fix mnemonics in editor's Identity - Advanced view
* Auth-dialog ported to GTK4
* Import certificates into the XDG_DATA_HOME directory.
* Update translations: Hindi, Slovenian, Catalan, Polish, Brazilian Portuguese, Ukrainian, Georgian,
Swedish, Hebrew, Russian and Danish.
* Skip release 1.12.1 because of a bug in the release pipeline.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
api: add support for handling DIOCTL_SET_INJECT_DROP
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Includes the provided service and defaults files for using the
tailscale daemon on systemd init machines.
Added the other kernel modules necessary for tailscaled to work
without warnings to RRECOMMENDS.
Tested with `core-image-minimal` under qemu with machines
`qemux86-64`, `genericx86-64` and `qemuarm64`. Ping
host on tailscale network using magicDNS host lookup.
Signed-off-by: Dean Sellers <dean@sellers.id.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes several security vulnerabilities:
CVE-2025-49601, CVE-2025-49600, CVE-2025-52496,
CVE-2025-47917, CVE-2025-48965, CVE-2025-52497,
and CVE-2025-49087
The framework directory has been changed into a git submodule.[1][2]
The recipe now uses Git Submodule Fetcher (gitsm)
Changelog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
[1] 8cf5666a17
[2] c90c6d8ff7
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Tailscale is a mesh VPN built on the WireGuard protocol.
On the client side, it includes a node agent (tailscaled)
and a client application for configuration (tailscale).
These components can be bundled into a single binary for
a smaller total size, which is done in this recipe.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Mark Bath <mark@baggywrinkle.co.uk>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bump minimum cmake dialect to be 3.5+, this is an openwrt
component, which does not get many updates these days. Ideally
the cmake files for the project should be fixed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>