A flaw was found in open-vm-tools. This flaw allows a malicious actor that
has been granted Guest Operation Privileges in a target virtual machine to
elevate their privileges if that target virtual machine has been assigned
a more privileged Guest Alias.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-34058
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-38802:
FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote
attacker to cause a denial of service via a crafted BGP update with a
corrupted attribute 23 (Tunnel Encapsulation).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-38802
Patch from:
46817adab0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* use BPN, BP where useful
* use prefix instead of hardcoding /usr
* add patch to search also in lib32 subdir of --with-libpcap value
to fix:
checking for libpcap... configure: error: "Unable to find matching library for header file in TOPDIR/BUILD/work/raspberrypi4_64-oemllib32-linux-gnueabi/lib32-tcpreplay/4.4.4-r0/lib32-recipe-sysroot/usr"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
Source code:
----------------
Fix spaces before tabs in indentation.
Updated printers:
-----------------
LSP ping: Fix "Unused value" warnings from Coverity.
CVE-2023-1801: Fix an out-of-bounds write in the SMB printer.
DNS: sync resource types with IANA.
ICMPv6: Update the output to show a RPL DAO field name.
Geneve: Fix the Geneve UDP port test.
Building and testing:
----------------------
Require at least autoconf 2.69.
Don't check for strftime(), as it's in C90 and beyond.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Documentation:
-------------
man: Document TCP flag names better.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e782260d0b6018614dbdea95899a4a0921915e0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748
Patch from:
ae1e0e1fed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ee1026ab77dcb31b0f5cb723b4d998aab4c00382)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Mbed TLS 2.28 is a long-time support branch. It will be supported with
bug-fixes and security fixes until end of 2024.
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789
Changelog:
=========
dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781
Bug #780 assert tcpedit dlt cleanup by @fklassen in #800
Fix bugs caused by strtok_r by @Marsman1996 in #783
Bug #782#784#785#786#787#788 strtok r isuses by @fklassen in #801
Update en10mb.c by @david-guti in #793
PR #793 ip6 unicast flood by @fklassen in #802
Bug #719 fix overflow check for parse_mpls() by @fklassen in #804
PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805
PR #793 - update tests for vlandel by @fklassen in #806
Feature #773 gh actions ci by @fklassen in #807
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
These pyc files include references to buildtime TMPDIR, therefore delete
them and let them be regerated during runtime if needed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b1b7ee87ac55fced4bcf88b0e374025d7f908731)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Remove intltool-native as it is not used, and add autoconf-archive-native.
Also explicitly disable systemd when not selected to be sure it doesn't
automatically enable.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0713297ae90cdf6fc7339ebdcaf5f6f839bcd028)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CCFLAGS is used in Make rules which will ensure file remapping options
are used when compiling
Fixes
WARNING: vlan-1.9-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/vconfig.vlan in package vlan-dbg contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 26842ecc3b4811fd39a65c55af0711777f41fdbb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* without gobject-introspection-data in DISTRO_FEATURES the bbclass
correctly disables it:
$ bitbake-getvar -r spice-gtk EXTRA_OEMESON
#
# $EXTRA_OEMESON [6 operations]
# :append /OE/build/oe-core/openembedded-core/meta/classes-recipe/meson.bbclass:44
# " ${PACKAGECONFIG_CONFARGS}"
# :prepend[class-target] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:28
# "${@['', '${GIRMESONTARGET}'][d.getVar('GIR_MESON_OPTION') != '']}"
# :prepend[class-native] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:33
# "${@['', '${GIRMESONBUILD}'][d.getVar('GIR_MESON_OPTION') != '']}"
# :prepend[class-nativesdk] /OE/build/oe-core/openembedded-core/meta/classes-recipe/gobject-introspection.bbclass:34
# "${@['', '${GIRMESONBUILD}'][d.getVar('GIR_MESON_OPTION') != '']}"
# set /OE/build/oe-core/meta-openembedded/meta-networking/recipes-support/spice/spice-gtk_0.42.bb:49
# "-Dpie=true -Dvapi=enabled"
# :append[libc-musl] /OE/build/oe-core/meta-openembedded/meta-networking/recipes-support/spice/spice-gtk_0.42.bb:50
# " -Dcoroutine=libucontext"
# pre-expansion value:
# "${@['', '${GIRMESONTARGET}'][d.getVar('GIR_MESON_OPTION') != '']}-Dpie=true -Dvapi=enabled ${PACKAGECONFIG_CONFARGS}"
EXTRA_OEMESON="-Dintrospection=false -Dpie=true -Dvapi=enabled "
and prevents build failure:
http://errors.yoctoproject.org/Errors/Details/702789/
Run-time dependency gobject-introspection-1.0 found: NO (tried pkgconfig)
../git/meson.build:346:0: ERROR: Dependency "gobject-introspection-1.0" not found, tried pkgconfig
* it just needs GIR_MESON_*_FLAG to be set to avoid:
meson.build:4:0: ERROR: Value "false" (of type "string") for combo option "Check for GObject instrospection requirements" is not one of the choices. Possible choices are (as string): "enabled", "disabled", "auto".
* and enable vapi only when introspection is enabled, use PACKAGECONFIG for that to avoid:
meson.build:358:4: ERROR: Problem encountered: VAPI support requested without introspection
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This removes the old unused license for netperf as upstream
moved to using the MIT license for netperf.
See: meta-openembedded commit 587fe5877790b6c2e1d337c351b8f50603ad4db9
Signed-off-by: Arsalan H. Awan <arsalan.awan@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 27bdecd1bcf1fa86bf4ebbc527fceb455efe2970)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A typo that probably caused a left over from override syntax conversion.
INITSCRIPT_PARAMS$_${PN} --> INITSCRIPT_PARAMS:${PN}
Signed-off-by: Peter Bergin <peter.bergin@windriver.com>
Signed-off-by: Peter Bergin <peter@berginkonsult.se>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 77f031776ec9c9edb18e7323b17b697f5c52d5f5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This tarball is not available on debian ftp archive anymore
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fe62e64c973730da0e385ddbbab8cdc3217e0e69)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
drop md5 SRC_URI checksums while here
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 29c80a7350a56b6f7c4e27ed5aa0747ca570d2fd)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to
conclusion that this is how icurrent ntp protocol is designed.
New RFC is propsed for future but it will not be compatible with current
one.
See https://support.f5.com/csp/article/K09940637
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 648912f72d3d85ef43ba5114953794faa1572bdf)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* do_populate_lic as well as do_configure fails in multilib builds, because S points to empty:
lib32-restinio/0.6.13-r0/lib32-restinio-0.6.13/dev
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With the exception of paho-mqtt-cpp, the double protocol= attributes
were added to the SRC_URIs when protocol=https was added to all SRC_URIs
fetching from github.com in commit b402a3076f (recipes: Update SRC_URI
branch and protocols).
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Correct "startline=" to "beginline=" in LIC_FILES_CHKSUM so that the
correct lines from autossh.c and daemon.h are used. Also remove
autossh.spec from LIC_FILES_CHKSUM as it doesn't really contain any
license information.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://www.samba.org/samba/history/samba-4.18.1.html
This is a security release in order to address the following defects:
CVE-2023-0225
CVE-2023-0922
CVE-2023-0614
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
dco: don't use NetLink to exchange control packets
dco: print version to log if available
dco-linux: remove M_ERRNO flag when printing netlink error message
multi: don't call DCO APIs if DCO is disabled
dco-freebsd: use m->instances[] instead of m->hash
dco-linux: implement dco_get_peer_stats{, multi} API
Set netlink socket to be non-blocking
Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
Fix memory leaks in open_tun_dco()
Fix memory leaks in HMAC initial packet generation
Use key_state instead of multi for tls_send_payload parameter
Make sending plain text control message session aware
Only update frame calculation if we have a valid link sockets
Improve description of compat-mode
Simplify --compress parsing in options.c
Refuse connection if server pushes an option contradicting allow-compress
Add 'allow-compression stub-only' internally for DCO
Parse compression options and bail out when compression is disabled
tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
preparing release 2.6.2
dns option: allow up to eight addresses per server
dco: print FreeBSD version
Support --inactive option for DCO
Fix '--inactive <time> 0' behavior for DCO
Print DCO client stats on SIGUSR2
Don't overwrite socket flags when using DCO on Windows
using OpenSSL3 API for EVP PKEY type name reporting
Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
Import some sample certificates into Windows store for testing
Add tests for finding certificates in Windows cert store
Refactor SSL_CTX_use_CryptoAPI_certificate()
Add a test for signing with certificates in Windows store
Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
Improve error message on short read from socks proxy
Make error in setting metric for IPv6 interface non-fatal
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
# Do not ignore multicast advertisements when discovery was sent as unicast
(fix regression from 1.0.5).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The patch is modified by removing irrelevant and conflicting
CHANGELOG entry.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-configure-check-for-ns_get16-and-ns_get32-as-well.patch
Fixed-build-error-on-musl.patch
removed since they're included in 0.9.2.
Changelog:
==========
- adenroll: set password via LDAP instead Kerberos [#27]
- disco: fall back to LDAPS if CLDAP ping was not successful [#31]
- tools: replace getpass() [#10]
- adenroll: write SID before secret to Samba's db [rhbz#1991619]
- doc: add clarification to add-member command on doc/adcli.xml
- tools: Set umask before calling mkdtemp()
- Avoid undefined behaviour in short option parsing
- library: include endian.h for le32toh
- man: Fix typos and use consistent upper case for some keywords
- doc: avoid gnu-make specific usage of $< [#26]
- configure: check for ns_get16 and ns_get32 as well [rhbz#1984891]
- Add setattr and delattr options [rhbz#1690920]
- entry: add passwd-user sub-command [rhbz#1952828]
- Add dont-expire-password option [rhbz#1769644]
- build: add --with-vendor-error-message configure option [rhbz#1889386]
- tools: add show-computer command [rhbz#1737342]
- add description option to join and update [rhbz#1737342]
- Use GSS-SPNEGO if available [rhbz#1762420]
- add option use-ldaps [rhbz#1762420]
- tools: disable SSSD's locator plugin [rhbz#1762633]
- doc: explain required AD permissions [gfo#20]
- computer: add create-msa sub-command [rhbz#1854112}
- Add account-disable option [gfo#21]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update:
"Copyright (C) 2013-2020 Red Hat Inc." changed to "Copyright Red Hat"
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The patch has been applied upstream, so update the Upstream-Status
line accordingly.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
