4137 Commits

Author SHA1 Message Date
Yi Zhao
e8dbc52097
net-snmp: remove des from default packageconfig
The DES algorithm is considered weak and outdated. Remove des from
default PACKAGECONFIG to disable it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-27 11:58:27 -08:00
Schulz, Andreas - Enabler & Imaging Software
37f675a8bc
chrony: Ensure /var/lib/chrony belongs to correct user/group
Signed-off-by: Andreas Schulz <andreas.schulz2@karlstorz.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-22 22:01:05 -08:00
Wang Mingyu
11838942fd
dnsmasq: upgrade 2.91 -> 2.92
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-22 22:01:04 -08:00
Wang Mingyu
0eea1151a2
weechat: upgrade 4.6.0 -> 4.8.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-22 22:01:03 -08:00
Wang Mingyu
2d21040385
pure-ftpd: upgrade 1.0.52 -> 1.0.53
License-Update: Copyright year updated to 2026.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-22 22:01:01 -08:00
Gyorgy Sarvari
3cd47f72ad
frr: patch CVE-2025-61099..61107
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107

The NVD advisory references a PR[1] that contains only an unfinished, and
ultimately unmerged attempt at the fixes. The actual solution comes from
a different PR[2]. These patches are 3 commits from that PR. The last
commit wasn't backported, because it is just code formatting.

[1]: https://github.com/FRRouting/frr/pull/19480
[2]: https://github.com/FRRouting/frr/pull/19983

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:27:12 -08:00
Liu Yiding
b80cb54dc6
adcli: upgrade 0.9.2 -> 0.9.3.1
1. Add pkgconfig to solve following configure error:
 ../sources/adcli-0.9.3.1/configure: line 15340: syntax error near unexpected token `LIBSELINUX,'
 ../sources/adcli-0.9.3.1/configure: line 15340: `PKG_CHECK_MODULES(LIBSELINUX, libselinux, found_libselinux=yes, found_libselinux=no)'

2. Add PACKAGECONFIG[selinux] for new selinux support in 0.9.3.1.

3. Add 0001-configure.ac-Fix-selinux-error-for-cross_compiling.patch to fix SELINUX_MAKEFILE file check in 0.9.3.1.

4. Add --disable-offline-join-support to solve following configure error

 configure: error: Couldn't build offline join support, Samba version too old or libnatapi devel package is missing

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:27:11 -08:00
Peter Marko
e8e6a1a829
libcoap: set CVE version suffix
CVE metrics currently report CVE-2025-34468 as open.
CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher
version, however by default cve-check only compares numbers.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:16:57 -08:00
Johannes Kauffmann
3e3f0eac0f
open62541: update to v1.4
Use the latest commit from the 1.4 branch; the last 1.4 release was 3
months ago so it contains important fixes.

- The contents of /usr/share/ are slightly different, so change the path
slightly.
- The new patch fixes the .pc file generation (it also ensures that
there are no references to absolute paths in the .pc file which would
need to be removed again).
- PubSub information model is now enabled by default, add a new option
to disable it (disabling only pubsub isn't enough).

Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-16 09:36:23 -08:00
Liu Yiding
bc312fe13b
adcli: Fix OECONF
Remove "--disable-static" as it's not needed for default option.
./configure --help
 --enable-static[=PKGS]  build static libraries [default=no]

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 09:00:38 -08:00
Wang Mingyu
d06825b105
openfortivpn: upgrade 1.24.0 -> 1.24.1
Changelog:
 fix regression where the 'plugin' was not passed to pppd

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Yi Zhao
66454fe57f
frr: upgrade 10.5.0 -> 10.5.1
ChangeLog:
https://github.com/FRRouting/frr/releases/tag/frr-10.5.1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Yi Zhao
3b5492f57f
nng: add ptest
Ptest results on genericx86-64 BSP:

$ run-ptest
PASS: compat_block
PASS: compat_bug777
PASS: compat_bus
PASS: compat_cmsg
PASS: compat_device
PASS: compat_iovec
PASS: compat_msg
PASS: compat_options
PASS: compat_pair
PASS: compat_pipeline
PASS: compat_poll
PASS: compat_reqrep
PASS: compat_reqttl
PASS: compat_shutdown
PASS: compat_survey
PASS: compat_surveyttl
PASS: cplusplus_pair
PASS: device
PASS: files
FAIL: httpclient
PASS: httpserver
PASS: inproc
PASS: ipc
PASS: ipcsupp
PASS: multistress
PASS: nonblock
PASS: options
PASS: pipe
PASS: pollfd
PASS: reqctx
PASS: reqstress
PASS: scalability
PASS: synch
PASS: tcp
PASS: tcp6
PASS: tcpsupp
PASS: tls
PASS: ws
PASS: wss

The httpclient case attempts to retrieve the Content-Length field from
HTTP header of http://example.com/, but because the site uses chunked
transfer encoding, the Content-Length field is not present, leading to
an assertion failure.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:56 -08:00
Yi Zhao
9e55e9f115
nng: upgrade 1.7.3 -> 1.11
ChangeLog:
https://github.com/nanomsg/nng/releases/tag/v1.11
https://github.com/nanomsg/nng/releases/tag/v1.10
https://github.com/nanomsg/nng/releases/tag/v1.9.0
https://github.com/nanomsg/nng/releases/tag/v1.8.0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:55 -08:00
Yi Zhao
60e60fed31
nanomsg: add ptest
Ptest results:

$ run-ptest
PASS: async_shutdown
PASS: block
PASS: bug328
PASS: bug777
PASS: bus
PASS: cmsg
PASS: device
PASS: device4
PASS: device5
PASS: device6
PASS: device7
PASS: domain
PASS: emfile
PASS: hash
PASS: inproc
PASS: inproc_shutdown
PASS: iovec
PASS: ipc
PASS: ipc_shutdown
PASS: ipc_stress
PASS: list
PASS: msg
PASS: pair
PASS: pipeline
PASS: poll
PASS: prio
PASS: pubsub
PASS: reqrep
PASS: reqttl
PASS: separation
PASS: shutdown
PASS: stats
PASS: survey
PASS: surveyttl
PASS: symbol
PASS: tcp
PASS: tcp_shutdown
PASS: term
PASS: timeo
PASS: trie
PASS: ws
PASS: ws_async_shutdown
PASS: zerocopy

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:55 -08:00
Yi Zhao
fea43ed974
nanomsg: upgrade 1.2.1 -> 1.2.2
ChangeLog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2

Drop 0001-allow-build-with-cmake-4.patch as the issue has been fixed
upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:55 -08:00
Wang Mingyu
8f67ff2a34
tcpdump: upgrade 4.99.5 -> 4.99.6
add-ptest.patch
refreshed for 4.99.6

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 08:53:45 -08:00
Wang Mingyu
0997a483e7
nbdkit: upgrade 1.46.0 -> 1.47.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 08:53:43 -08:00
Wang Mingyu
ebf2be3435
fping: upgrade 5.4 -> 5.5
Changelog:
===========
- New option -J / --json for JSON output. See doc/fping-json.md for
  the JSON schema. This feature is still in alpha and the schema
  might change in future releases
- The -g, --generate option now also supports IPv6 addresses
- New option --seqmap-timeout to control the time after which sequence
  numbers can be used again
- Fix OpenBSD sprintf() warning
- Fix fallback to SO_TIMESTAMP if SO_TIMESTAMPNS is not available
- When reading target names from file or standard input, lines longer
  than the static buffer are no longer interpreted as more than one line
- Typo fix in error message when SO_BINDTODEVICE fails
- Options --print-tos and --print-ttl now also work for IPv6, and no
  longer require privileges
- Report received ICMPv6 error messages
- Suppress duplicate reports in count mode with -q, --quiet or -Q, --squiet
- Switch to alpine-based multi-stage Docker build to reduce image size
  and improve build performance; add OpenContainers-compatible labels
- Print receive ping moved to new functions
- Avoid unsigned overflow when determining the memory size to save
  response times on systems where size_t is the same as unsigned int
- Document the new minimum value for the -p option
- Fix build without IPv6 support
- Fix debug build use of dbg_printf in fping.c
- Remove MacOS-specific test for -I option
- GitHub Actions fixes
- Fix measurement of time for timed reports (-Q) to start after DNS name
  resolution.
- Updated autoconf from 2.71 to 2.72
- Updated automake from 1.16.5 to 1.18.1
- Updated libtool from 2.4.6 to 2.5.4
- Implemented verification of autotools tarballs in Github actions.
- Implemented stricter flag value checking (e.g. -c 10xyz is not accepted anymore).

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 08:53:42 -08:00
Peter Kjellerstedt
254f1285e8
net-snmp: Update to 5.9.5.2
5.9.5.1:
* Only a version numbering fix.

5.9.5.2:
* Fix an issue with needing limits.h included.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-06 23:33:06 -08:00
Khem Raj
bc40b0134f
vsomeip: Don't fail on Boost.Asio deprecation warnings
Append -Wno-error=deprecated-declarations to CXXFLAGS so builds
don't break when Boost marks APIs like strand::wrap() as deprecated.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-03 10:13:48 -08:00
Gyorgy Sarvari
6f68f5fce7
python3-scapy: set CVE_PRODUCT
The default ${PN} (python3-scapy) CVE fails to match relevant CVEs,
because they are tracked under the scapy:scapy CPE.

Set CVE_PRODUCT to the correct value.

See CVE db query:
sqlite> select * from products where product like '%scapy%';
CVE-2019-1010142|scapy|scapy|2.4.0|=||

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-31 08:34:04 -08:00
Liu Yiding
fcebca61e5
networkmanager-openvpn: upgrade 1.12.3 -> 1.12.5
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-31 08:28:50 -08:00
Liu Yiding
14c9d10173
networkmanager: upgrade 1.52.0 -> 1.52.2
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-31 08:28:50 -08:00
Gyorgy Sarvari
8cab2b2977
libowfat: update SRC_URI
The https link does not work anymore, it just refuses the connection.
http still works though.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-28 08:14:39 -08:00
Gyorgy Sarvari
8da9f2fea2
ncp: update SRC_URI
The https link does not work anymore, it just refuses the connection.
http still works though.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-28 08:14:39 -08:00
Gyorgy Sarvari
c3c2495e9f
cifs-utils: fix broken PACKAGECONFIGs
Some PACKAGECONFIGs (cifsidmap, cifsacl, pam) have been failing to build for
a while, erroring out with:

| ../sources/cifs-utils-7.4/resolve_host.c:23:10: fatal error: config.h: No such file or directory
|    23 | #include "config.h"
|       |          ^~~~~~~~~~
| compilation terminated.

The config.h header is generated in the root of build folder, and it seems
that the recipe can't be built 100% out of the source tree.

To avoid this issue, add ${B} as an include folder to CFLAGS, so it finds
the required header.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-25 11:25:59 -08:00
Gyorgy Sarvari
f2200178ed
cifs-utils: upgrade 7.0 -> 7.4
Contains fix for CVE-2025-2312

The recipe installs two scripts in bindir - this is nothing new.
But the shebang has changed from "/usr/bin/env python3" to
"/usr/bin/python3" - these were always python scripts, but
they weren't recognized as such during the QA checks, and
python wasn't installed as a runtime dependency.

Now QA check is complaining about missing python in RDEPENDS.
To avoid mandatory python installation, package the scripts
separately in cifs-utils-scripts package.

Shortlog:
cifs-utils: bump version to 7.4
mount.cifs: retry mount on -EINPROGRESS
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
cifscreds: use <libgen.h> for basename
getcifsacl, setcifsacl: use <libgen.h> for basename
cifs.upcall: fix memory leaks in check_service_ticket_exits()
cifs-utils: bump version to 7.3
Fix regression in mount.cifs with guest mount option
resolve_host.c: Initialize site_name
cldap_ping: Fix socket fd leak
cifs-utils: bump version to 7.2
getcifsacl: fix return code check for getting full ACL
cifs-utils: add documentation for upcall_target
cifs-utils: avoid using mktemp when updating mtab
cldap_ping.c: add missing <sys/types.h> include
configure.ac: libtalloc is now mandatory
cifscreds: allow user to set the key's timeout
cifscreds: use continue instead of break when matching commands
Do not pass passwords with sec=none and sec=krb5
docs: add esize description
docs: add max_cached_dirs description
docs: update actimeo description
Fix compiler warnings in mount.cifs
CIFS.upcall to accomodate new namespace mount opt
cifs-utils: Skip TGT check if valid service ticket is already available
use enums to check password or password2 in set_password, get_password_from_file and minor documentation additions
cifs-utils: support and document password2 mount option
smbinfo: add bash completion support for filestreaminfo, keys, gettconinfo
cifs-utils: bump version to 7.1
cifs: update documentation for sloppy mount option
docs: add closetimeo description
docs: add compress description
checkopts: update it to work with latest kernel version
cifs-utils: add documentation for multichannel and max_channels
cifs-utils: smbinfo: add gettconinfo command
Implement CLDAP Ping to find the closest site
mount.cifs.rst: update section about xattr/acl support
mount.cifs.rst: add missing reference for sssd
getcifsacl, setcifsacl: add missing <endian.h> include for le32toh
getcifsacl, setcifsacl: add missing <linux/limits.h> include for XATTR_SIZE_MAX
cifs-utils: Make automake treat /sbin as exec, not data
pam_cifscreds: fix warning on NULL arg passed to %s in pam_syslog()
cifs.upcall: fix UAF in get_cachename_from_process_env()
cifs-utils: add documentation for acregmax and acdirmax
setcifsacl: Fix uninitialized value.
Use explicit "#!/usr/bin/python3"

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-25 11:25:59 -08:00
Wang Mingyu
e3e3ffb13f
nbdkit: upgrade 1.45.15 -> 1.46.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-24 13:18:27 -08:00
Wang Mingyu
412a7debf1
memcached: upgrade 1.6.39 -> 1.6.40
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-24 13:18:27 -08:00
Gyorgy Sarvari
1fa7c7080e
wolfssl: ignore CVE-2025-11931 and CVE-2025-12889
NVD claims that WolfSSL 5.8.4 is affected by both of these vulnerabilities,
however actually both have been fixed in that version.

CVE-2025-11931: NVD[1] references [2] PR as a patch, which was merged in [3].
CVE-2025-12889: NVD[4] referenced [5] PR as a patch, which was merged in [6].

[1]: https://nvd.nist.gov/vuln/detail/CVE-2025-11931
[2]: https://github.com/wolfSSL/wolfssl/pull/9223
[3]: e497d28ae1
[4]: https://nvd.nist.gov/vuln/detail/CVE-2025-12889
[5]: https://github.com/wolfSSL/wolfssl/pull/9395
[6]: 2db1c7a522

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-24 13:18:25 -08:00
Gyorgy Sarvari
03328f6c73
tinyproxy: add ptest support
It takes <10s to execute.

Sample output:

root@qemux86-64:~# ptest-runner
START: ptest-runner
2025-12-23T17:45
BEGIN: /usr/lib/tinyproxy/ptest
starting web server... done (listening on 127.0.0.3:32123)
starting tinyproxy... done (listening on 127.0.0.2:12321)
waiting for 1 seconds.. done
checking direct connection to web server... ok
testing connection through tinyproxy... ok
requesting statspage via stathost url... ok
signaling tinyproxy to reload config...ok
checking direct connection to web server... ok
testing connection through tinyproxy... ok
requesting statspage via stathost url... ok
checking bogus request... ok, got expected error code 400
testing connection to filtered domain... ok, got expected error code 403
requesting connect method to denied port... ok, got expected error code 403
testing unavailable backend... ok, got expected error code 502
0 errors
killing tinyproxy... ok
killing webserver... ok
done
PASS: run_tests.sh
DURATION: 1
END: /usr/lib/tinyproxy/ptest
2025-12-23T17:45
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-24 13:18:25 -08:00
Gyorgy Sarvari
7981f52062
tinyproxy: patch CVE-2025-63938
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938

Pick the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-24 13:18:25 -08:00
Liu Yiding
afa5d8ed6d
net-snmp: upgrade 5.9.4 -> 5.9.5
1. Drop following patches as they were merged upstream.
  0001-Android-Fix-the-build.patch
  0012-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
  net-snmp-5.9.4-kernel-6.7.patch
  0008-net-snmp-fix-engineBoots-value-on-SIGHUP.patch
  0001-Fix-LDFLAGS-vs-LIBS-ordering.patch

2. Drop 0005-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch as compile error has been fixed.

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-23 12:22:41 -08:00
Gyorgy Sarvari
d02f259dd4
dovecot: upgrade 2.4.1-4 -> 2.4.2
Contains fix for CVE-2025-30189

Changelog: https://github.com/dovecot/core/releases/tag/2.4.2

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-22 18:20:58 -08:00
Wang Mingyu
70bf92a7b3
strongswan: upgrade 6.0.3 -> 6.0.4
Changelog:
==========
- Fixed a vulnerability in the NetworkManager plugin charon-nm that potentially
  allows using credentials of other local users.
- Concurrent requests to fetch the same CRL URI by multiple threads are now
  combined.
- Increased the max. supported length for section names in swanctl.conf to 256.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-21 08:54:04 -08:00
Gyorgy Sarvari
584fa06f3b
fetchmail: upgrade 6.5.2 -> 6.6.2
Contains fix for CVE-2025-61962.

License-Update: added a warning about linking against the newly relicensed WolfSSL.

Changelog: https://gitlab.com/fetchmail/fetchmail/-/blob/6.6.2/NEWS

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-20 11:41:01 -08:00
Gyorgy Sarvari
70a2b417c6
unbound: complete ptest support
The recipe had already an almost working ptest config which
wasn't enabled, it just needed some small fixes to make it work:
correct the output of the run-ptest script, and install some
extra testdata.

Execution is quick, single digit seconds:

root@qemux86-64:/usr/lib/unbound/ptest/tests# ptest-runner
START: ptest-runner
2025-12-16T11:53
BEGIN: /usr/lib/unbound/ptest
Start of unbound 1.24.2 unit test.
test authzone functions
test negative cache functions
test ub_random functions
[...many lines...]
PASS: ./testdata/val_unsecds_negcache.rpl
PASS: ./testdata/val_unsecds_qtypeds.rpl
PASS: ./testdata/val_wild_pos.rpl
PASS: ./testdata/version_bind.rpl
PASS: ./testdata/version_bind_hide.rpl
PASS: ./testdata/views.rpl
DURATION: 4
END: /usr/lib/unbound/ptest
2025-12-16T11:53
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-16 19:57:34 -08:00
Gyorgy Sarvari
0df484a922
unbound: upgrade 1.22.0 -> 1.24.2
Contains fixes for CVE-2025-11411 and CVE-2025-5994.

Drop patch that was incorporated in this release.

Changelogs:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.2
https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.1
https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.0
https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1
https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-16 19:57:34 -08:00
Gyorgy Sarvari
598176e1cb
libcoap: ignore CVE-2025-50518
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518

The vulnerability is disputed by upstream, because the vulnerability
requires a user error, incorrect library usage. See also an upstream
discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-16 19:57:34 -08:00
Gyorgy Sarvari
30d2c25a8d
openvpn: upgrade 2.6.16 -> 2.6.17
Changelog:
- Windows/interactive service: fix erroneous exit on error that could
  be used by a local Windows user to achieve a local denial-of-service
  (CVE-2025-13751)
- Windows/interactive service: improve service pipe robustness against
  file access races (uuid) and access by unauthorized processes (ACL).
  upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper
  to 1.31, fixing a parser bug

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-16 19:57:33 -08:00
Jason Schonberg
5f7c5c6641
nopoll: Upgrade to 0.4.7.b429
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-14 10:19:50 -08:00
Khem Raj
c89e5b9e2d
packagegroups: Remove packages not yet ported onto riscv32
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-13 00:54:16 -08:00
Khem Raj
c13be1b757
freediameter: Add 600s timeout via ctest driver
This helps tests not hitting timeout (120s default)
especially testmesg_stress test can timeout on slower machines
e.g. fully emulated ( non-kvm ) qemu machines e.g.
qemuarm64 on x86_64 machine.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 20:39:33 -08:00
Khem Raj
848bac20ea
dante: Add _GNU_SOURCE for musl builds
This helps build fixes e.g. cpuset_t definitions etc.
glibc builds have _GNU_SOURCE defined inherently.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 08:56:15 -08:00
Khem Raj
d198cdc0d4
frr: Upgrade to 10.5.0
Release Overview:

* BFD the ability to listen for specific VRFs only
  - Configure which VRFs the BFD daemon will listen to. By default, BFD listens to all VRFs
    present in the system, including the default VRF. Default VRF must be specified as `default`.

* BGP SRv6/MPLS coexistence
  - Allow MPLS and SRv6 to coexist on the same L3VRF, even for a given prefix. This feature is
    important in brown fields where some operators want to migrate from MPLS to SRv6 backbone.

* BGP SRv6 locator per VRF support
  - Ability to choose SRv6 locator per VRF.

* BGP Error handling (RFC 7606) for iBGP peers
  - Before 10.5.0, once we received a malformed packet between iBGP peers, we always reset the
    session, and with this release, we handle malformed packets the same way as for eBGP
    (by withdrawing or discarding the malformed packets).

* BGP IPv6 Link-Local Capability is disabled by default
  - In 10.4.0, this capability was enabled by default for a “datacenter” profile, but it’s disabled
    for 10.5.0 and will be backported to 10.4.2 as well. The problem arises when the receiver has
    configured a route-map with `set ipv6 next-hop prefer-global` and we send only an IPv6 Link-Local
    address; therefore, it was decided to revert it to be disabled by default.

* BGP BGPID Next-Hop Characteristic
  - In some cases, the BGP speaker sending a route might encode only a link-local address and no
    global address. To provide uniqueness in this case, it is sufficient to associate the BGP
    Identifier and AS Number of the route's sender. The BGP Identifier Characteristic
    (BGPID) provides a way to convey this information if required.

* BGP EVPN flooding per VNI support
  - Add an ability to adjust BUM flooding per VNI, instead of just globally. E.g., disable flooding
    only for an arbitrary VNI.

* BGP RPKI strict mode
  - RPKI strict mode prevents BGP from establishing a session if no RPKI cache server
    is connected.

* BGP rejects AS_SET by default
  - Until 10.5.0, it was disabled by default, and since RFC 9774 was published, we switched this on
    by default (to reject).

* BGP has lots of improvements for Graceful-Restart

* PIM/PIMv6 route-map support to allow users to filter IGMP/MLD joins using source, group, and
  interface combinations

* Support for multiple SRv6 locators
  - This extends the SRv6 SID Manager to add support for multiple locators.

* Zebra 16-bit next hop weights support
  - The weights used in ECMP’s consistent hashing have been widened from 8 bits to 16 bits since
    the 6.12 Linux kernel.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 08:56:14 -08:00
Gyorgy Sarvari
f2b8b47e45
wolfssl: upgrade 5.8.0 -> 5.8.4
License-Update: the project was relicensed from GPL-2 to GPL-3

Includes fixes for the following vulnerabilities:
CVE-2025-7394, CVE-2025-7395, CVE-2025-7396, CVE-2025-12888, CVE-2025-11936,
CVE-2025-11935, CVE-2025-11934, CVE-2025-11933, CVE-2025-11932, CVE-2025-11931,
CVE-2025-12889

Drop patch that is incorporated in this release.

Changelog: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md

Ptests passed:

START: ptest-runner
2025-12-09T18:23
BEGIN: /usr/lib/wolfssl/ptest
Wolfssl ptest logs are stored in /tmp/wolfss_temp.6rsnys/ptest.log
Test script returned: 0
unit_test: Success for all configured tests.
PASS: Wolfssl
DURATION: 13
END: /usr/lib/wolfssl/ptest
2025-12-09T18:23
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 08:56:13 -08:00
Gyorgy Sarvari
9f12c5fbc6
dante: upgrade 1.4.3 -> 1.4.4
License-Update: copyright year bump

Changelog:
- Fix potential security issue CVE-2024-54662, related to "socksmethod"
  use in client/hostid-rules.
- Add a missing call to setgroups(2).
- Patch to fix compilation with libminiupnp 2.2.8.
- Client connectchild optimizations.
- Client SIGIO handling improvements.
- Various configure/build fixes.
- Updated to support TCP_EXP1 version of TCP hostid format.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 08:56:12 -08:00
Gyorgy Sarvari
bfb76da63b
civetweb: ignore CVE-2025-9648
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648

It is already fixed in the currently used version.

Also, update CVE-2025-55763's status to "fixed-version" (so it will be
marked as "Patched" in the CVE report instead of "Ignored")

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-10 08:56:12 -08:00
Wang Mingyu
ad7c9ad199
nftables: upgrade 1.1.5 -> 1.1.6
0001-fix-typo-in-test-script.patch
removed since it's included in 1.1.6

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-09 15:11:01 -08:00