path: root/meta-networking
Age | Commit message | Author
2021-03-16 | mdns: Whitelisted CVE-2007-0613 for mdns | Sana Kazi
CVE-2007-0613 is not applicable as it only affects Apple products, i.e. ichat, mdnsresponder, instant message framework and MacOS. Also, https://www.exploit-db.com/exploits/3230 shows the part of code affected by CVE-2007-0613, which is not present in upstream source code. Hence, CVE-2007-0613 does not affect other Yocto implementations and is not reported for other distros, so it can be marked whitelisted.
Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f37e5423da984b7dc721d52f04673d3afc0879a1) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-16 | nghttp2: Add fix for CVE-2020-11080 | Rahul Taya
Added below two patches to fix CVE-2020-11080: 1. CVE-2020-11080-1.patch 2. CVE-2020-11080-2.patch Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> [Refreshed patches to apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-19 | openipmi: Inherit python3targetconfig | Khem Raj
Fixes configure: error: Could not link test program to Python. Maybe the main Python library has been installed in some non-standard library path. If so, pass it to configure, via the LIBS environment variable. Example: ./configure LIBS="-L/usr/non-standard-path/python/lib" Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 59f817bbe374799e4398766c2a444692d932d979) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 59d3d64e902d4d2e7ea9c3d2e1fec442912bcdd5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-15 | dnsmasq: Fix systemd service | Mario Schuknecht
Systemd service file option 'ExecStopPre' is warned and ignored by systemd. By replacing 'ExecStopPre' with 'ExecStop', the intended behavior is realized. The 'ExecStop' commands are executed one after the other. Signed-off-by: Mario Schuknecht <mario.schuknecht@dresearch-fe.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 55c94cb3196f53d0c1c76bbd74136d1b5d51802d) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 83842c9150fdead52dc7b0913ffac32677720f98) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-15 | celt051: update SRC_URI | changqing.li@windriver.com
original SRC_URI is not valid now, official CELT repository moved to gitlab
Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5450c958bf66afd560fd8dff5b432ea71f10165c) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 1de0f4c33b92b9bbd885044df505154c177db59e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-10 | wireguard-module: remove PKG assignment | Martin Jansa
* it's not clear why it was added in first place and it's causing issues since: "package: get_package_mapping: avoid dependency mapping if renamed package provides original name" commit in oe-core as discussed in: https://lists.openembedded.org/g/openembedded-core/message/143672 https://github.com/openembedded/meta-openembedded/issues/285 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 304f660f880bdf7dd5c51695875ab0a73aaed8b2) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f9502868169715ee4945f5d8bef7c845dbb7b9e0) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-28 | networkd-dispatcher: use git fetcher | Martin Jansa
* now the gitlab QA check was backported to dunfell as well in: https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=72f2c45880afbba1745e5e0cbd841d7fd666f374 and this started failing with: ERROR: networkd-dispatcher-2.0.1-r0 do_package_qa: QA Issue: networkd-dispatcher: SRC_URI uses unstable GitHub/GitLab archives, convert recipe to use git protocol [src-uri-bad] Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-01-25 | iscsi-initiator-utils: upgrade 2.1.2 -> 2.1.3 | zangrc
Source: git.openembedded.org
MR: 108115, 108125, 108095, 108105
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-daemons/iscsi-initiator-utils?id=46e30569e3b3d0cc66ce05e9accd759f37705feb
ChangeID: 46e30569e3b3d0cc66ce05e9accd759f37705feb
Description:
0001-libopeniscsiusr-Compare-with-max-int-instead-of-max-.patch
Removed since this is included in 2.1.3
Bugfix only update. Also includes these CVE fixes:
CVE-2020-13988
CVE-2020-13987
CVE-2020-17438
CVE-2020-17437
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
2021-01-25 | iscsi-initiator-utils: Silence a clang warning on 64bit systems | Khem Raj
This unbreaks the build with clang as well. Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 409032dcc59bed5051cca454f7344b3cd207cebf) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-25 | iscsi-initiator-utils: Upgrade to _2.1.2 | Khem Raj
Fix build with clang Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b99b2f5297a587188cf28e687111b58d7e358fb7) [Bug fix only update] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-12 | wireshark: Several security fixes | Armin Kuster
Source: Wireshark.org
MR: 106181, 106696, 107655, 107673, 107682
Type: Security Fix
Disposition: Backport from wireshark.org
ChangeID: 57df6ac3b11aabd96e6aec728501ce7988bc176a
Description:
Bugfix only update including these cves:
3.2.8
CVE-2020-26575
CVE-2020-28030
3.2.9
CVE-2020-26418
CVE-2020-26421
CVE-2020-26420
Signed-off-by: Armin Kuster <akuster@mvista.com> (cherry picked from commit a10ea62a1c9c7b0c4810f2e4ef0dcc6f75b0ca6b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-10 | samba: CVE-2020-14383 Security Advisory | Zheng Ruoqin
References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit baee1ebeafce5d6a99dafc30b91e6fb760197686) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 81d14a86353829eba1d55a93d478faf4c5527a89) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-10 | samba: CVE-2020-14318 Security Advisory | Zheng Ruoqin
References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1d44b4c03d51e91ce01cf5fd0b33155ce36f1862) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 38beb6fe98894ffaf82a05ccfd6694f735daba26) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-12-24 | wireguard-module: fix build issue with 5.4 kernel | Armin Kuster
/tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
| 44 | #define SYM_FUNC_START ENTRY
| |
| In file included from /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:9,
| from <command-line>:
| /tmp/work-shared/qemux86-64/kernel-source/include/linux/linkage.h:218: note: this is the location of the previous definition
| 218 | #define SYM_FUNC_START(name) \
| |
| In file included from <command-line>:
| /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
| 45 | #define SYM_FUNC_END ENDPROC
| |
Backport fix from upstream
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-12-10 | tcpdump: Patch for CVE-2020-8037 | viatsk
Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-09 | chrony: Patch CVE-2020-14367 | Anatol Belski
Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b4d7b1ee421d9ae75548ac0c0dd0ea9405a0571e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-09 | samba: upgrade 4.10.17 -> 4.10.18 | Yi Zhao
This is a security release in order to address CVE-2020-1472 (Unauthenticated domain takeover via netlogon ("ZeroLogon")).
See: https://www.samba.org/samba/history/samba-4.10.18.html
Also remove 3 backported patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bebdea8530652ff698885a3f55b0a650de319379) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-09 | wireshark: upgrade 3.2.6 -> 3.2.7 | Zang Ruochen
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 47821db8ed0dc81e84d5ba6b873dc14d50f85e07) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-09 | wireshark: upgrade 3.2.5 -> 3.2.6 | Zang Ruochen
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 88df26ab74a5d1274127f83b854da2d5747b9952) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-04 | crda: rdepends on wireless-regdb-static | Robert Yang
The wireless-regdb has been moved to oe-core. According to the commit message:
wireless-regdb-static should be used with kernel >= 4.15. wireless-regdb can be used with older kernels and is mostly irrelevant here, but keeping it in meta-networking would create needless recipe duplication.
It should replace runtime dependency wireless-regdb with wireless-regdb-static.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ac313b638068aabc88f0fa9d1888380e94100f31) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-04 | strongswan: Remove obsolete setting regarding the Standard Output | Mingli Yu
The Standard output type "syslog" is obsolete, causing a warning since systemd version 246 [1]. Please consider using "journal" or "journal+console" [1] https://github.com/systemd/systemd/blob/master/NEWS#L202 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e61b73e6d388006375c6fe84cc194299c094a526) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-04 | ssmtp: adjust u-a | Martin Jansa
* it's newaliases not newalias in sbindir
* drop u-a for man pages, because only ssmtp.8 was created which shouldn't conflict with esmtp
In my build I don't have mailq, sendmail, newaliases as man pages, but binaries in sbindir (and the sbin binary is called newaliases, not newalias)
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/share
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/share/man
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/share/man/man8
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/share/man/man8/ssmtp.8
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/sbin
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/sbin/mailq
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/sbin/sendmail
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/sbin/newaliases
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/usr/sbin/ssmtp
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/etc
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/etc/ssmtp
tmp-glibc/work/core2-64-oe-linux/ssmtp/2.64-r0/image/etc/ssmtp/revaliases
this added u-a is causing following warnings:
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alternative target (/usr/share/man/man1/mailq.1 or /usr/share/man/man1/mailq.1.ssmtp) does not exist, skipping...
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alternative target (/usr/share/man/man1/newaliases.1 or /usr/share/man/man1/newaliases.1.ssmtp) does not exist, skipping...
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alternative target (/usr/share/man/man1/sendmail.1 or /usr/share/man/man1/sendmail.1.ssmtp) does not exist, skipping...
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alternative target (/usr/sbin/newalias or /usr/sbin/newalias.ssmtp) does not exist, skipping...
WARNING: ssmtp-2.64-r0 do_package: ssmtp: NOT adding alternative provide /usr/share/man/man1/mailq.1: /usr/share/man/man1/mailq.1.ssmtp does not exist
WARNING: ssmtp-2.64-r0 do_package: ssmtp: NOT adding alternative provide /usr/share/man/man1/newaliases.1: /usr/share/man/man1/newaliases.1.ssmtp does not exist
WARNING: ssmtp-2.64-r0 do_package: ssmtp: NOT adding alternative provide /usr/share/man/man1/sendmail.1: /usr/share/man/man1/sendmail.1.ssmtp does not exist
WARNING: ssmtp-2.64-r0 do_package: ssmtp: NOT adding alternative provide /usr/sbin/newalias: /usr/sbin/newalias.ssmtp does not exist
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alt_link == alt_target: /usr/share/man/man1/mailq.1 == /usr/share/man/man1/mailq.1
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alt_link == alt_target: /usr/share/man/man1/newaliases.1 == /usr/share/man/man1/newaliases.1
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alt_link == alt_target: /usr/share/man/man1/sendmail.1 == /usr/share/man/man1/sendmail.1
WARNING: ssmtp-2.64-r0 do_package: ssmtp: alt_link == alt_target: /usr/sbin/newalias == /usr/sbin/newalias
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bdb964c907bd7d6972e09992505a0c4bbbda8fa4) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-04 | ssmtp: Use update alternatives for conflicts with esmtp | Khem Raj
Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 916b6f15efe924dc66d7908ac0bea554eaf7ac92) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-04 | netkit-rsh: inherit update-alternatives | Martin Jansa
* fixes:
netkit-rsh-0.17-r0 do_package_qa: QA Issue: netkit-rsh: recipe defines ALTERNATIVE_netkit-rsh-client but doesn't inherit update-alternatives. This might fail during do_rootfs later! [missing-update-alternatives]
netkit-rsh-0.17-r0 do_package_qa: QA Issue: netkit-rsh: recipe defines ALTERNATIVE_netkit-rsh-server but doesn't inherit update-alternatives. This might fail during do_rootfs later! [missing-update-alternatives]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e48aabf951c8759d3c3cb93aed87f1b03a788fe3) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-19 | libldb: upgrade 1.5.7 -> 1.5.8 | Yi Zhao
Samba version 4.10.17 which has been already available in Dunfell depends on version 1.5.8 of libldb. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-03 | net-snmp: Fix CVE-2020-15861 and CVE-2020-15862 | Ovidiu Panait
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following.
Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-15861
https://nvd.nist.gov/vuln/detail/CVE-2020-15862
Upstream patches:
https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3
https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f
https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312
https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205
CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context patches needed by the fix to apply cleanly.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-08-23 | freeradius: fix the occasional verification failure | Mingli Yu
Fixes:
# cd /etc/raddb/certs
# ./bootstrap
[snip]
chmod g+r ca.key
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.pem
C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
error 7 at 0 depth lookup: certificate signature failure
140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553:
140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170:
error server.pem: verification failed
make: *** [Makefile:107: server.vrfy] Error 2
It seems the ca.pem mismatches server.pem which results in failing to execute "openssl verify -CAfile ca.pem server.pem", so add the logic to check the file to avoid inconsistency.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 52f5141109fae5f49c5a7334e9ded2b028e16cf6) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-08-23 | rdist: fix parallel build | Kai Kang
It fails to compile rdist occasionally when system load of build server is high:
| In file included from common.c:57:
| ../include/defs.h:49:10: fatal error: y.tab.h: No such file or directory
| 49 | #include "y.tab.h"
| | ^~~~~~~~~
| compilation terminated.
Make $(COMMONOBJS), which includes common.o, depend on related header files and y.tab.h to fix the parallel build failure.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1bb990c6ca1b149c19404fbe006fb6b372af8c4c) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-08-23 | samba: upgrade 4.10.15 -> 4.10.17 | Yi Zhao
This is a security release in order to address the following defects:
CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results.
CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU
CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV.
CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
Also backport 3 patches to fix build error with musl.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1609df11530ebb73de863d0c705e16107015dbe3) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-30 | samba: Fix conflicts with nss.h from glibc | Khem Raj
This is seen with glibc 2.32 where these names are also defined Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5cf2665446f3fdc16b484c64afffaa0ac8373a35) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-30 | radvd: add /etc/radvd.conf | Changqing Li
When starting radvd without any configuration the following errors would be triggered.
"""
root@intel-x86-64:~# systemctl status radvd
● radvd.service - Router advertisement daemon for IPv6
Loaded: loaded (/lib/systemd/system/radvd.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2019-09-24 13:29:36 UTC; 3s ago
└─ ConditionPathExists=/etc/radvd.conf was not met
"""
Normally the user should create and configure the /etc/radvd.conf manually. However the radvd provides an example file for redhat located at "radvd/redhat/radvd.conf.empty". When installing, it would copy radvd/redhat/radvd.conf.empty to /etc/radvd.conf. Also add this empty conf here to be used as an example of configuration
Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5af77740a46c334978adc7f37f53ea9a318d3a33) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-29 | netkit-telnetd: Fix buffer overflow in netoprintf | Julius Hemanth Pitti
netoprintf() was not handling a case where return value of vsnprintf is greater than "size" (2nd argument), results in buffer overflow while adjusting "nfrontp" pointer to point beyond "netobuf" buffer.
Here is one such case where "nfrontp" crossed boundaries of "netobuf", and pointing to another global variable.
(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)
This resulted in crash of telnetd service with segmentation fault.
Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 232b82afd405c526f822294509e1d32388544ed4) [appears to be CVE-2020-10188] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-29 | freeradius: fix the existed certificate error | Mingli Yu
Fixes the occasional error:
# cd /etc/raddb/certs
# ./bootstrap
[snip]
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
The matching entry has the following details
Type :Valid
Expires on :200908024833Z
Serial Number :02
File name :unknown
Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
make: *** [Makefile:128: client.crt] Error 1
Add the check to fix the above error and it does the same for server.crt.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0d7522b7df80e45c379ad76addfddd51d0e56e9d) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | wireshark: Update to 3.2.5 | Armin Kuster
Source: wireshark.org
MR: 104620
Type: Security Fix
Disposition: Backport from wireshark.org
ChangeID: 64e3701e4d6bd53972c22c49d655556e6f37e461
Description:
Affects: 3.2.0 to 3.2.4
Includes: CVE-2020-15466
For more info see: https://www.wireshark.org/docs/relnotes/wireshark-3.2.5.html
Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9019ceb2ccfd32789b7bc680269b3af234ebd397) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | drbd-utils: Add CLEANBROKEN to fix rebuild errors | Robert Yang
Fixed when rebuild: DEBUG: Executing shell function autotools_preconfigure NOTE: make clean aclocal autoheader autoconf You need to call ./configure with appropriate arguments (again). make: *** [Makefile:287: config.status] Error 1 Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 922e061fdbbc80c44f49866c7b08b2e09e4a3d0a) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | nftables: upgrade 0.9.5 -> 0.9.6 | Zang Ruochen
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b0d884a994197a9bc0b181545fe67f19a7630cd7) [AK: This release fixes vmap support which broke in the previous 0.9.5 release.] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | blueman: upgrade 2.1.1 -> 2.1.3 | Andreas Müller
2.1.3
Changes
* Force cython to use python language version 3
Bugs fixed
* Fix tooltip not updating when bluetooth is disabled
* Fix dbus timeout in DhcClient
* Call the right method when pulseaudio crashes
* Handle os.remove failing
2.1.2
Bugs fixed
* Signal bar updates with multiple adapters
* Pairing with pincode
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d05070c7d8d1f384914b1243298b4759fd9accae) [AK: Dunfell does not support py2 so upgrade seems reasonable] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | net-snmp: Security fix CVE-2019-20892 | Armin Kuster
Source: net-snmp.org
MR: 104509
Type: Security Fix
Disposition: Backport from https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8
Description:
Fixes CVE-2019-20892 which affects net-snmp <= 5.8pre1
Had to fix up some file due to later code restructuring. "int refcnt;" addition was done in include/net-snmp/library/snmpusm.h
Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 96a63b1ecf321c9a63880a963ed257086998133b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-12 | freediameter: Fix testcnx ptest failure | Ovidiu Panait
Currently, testcnx ptest fails due to expired CA certificates:
Test project /usr/lib64/freeDiameter/ptest
...
Start 10: testcnx
10/11 Test #10: testcnx ..........................***Failed 0.12 sec
...
<snip>
Command: "/usr/lib64/freeDiameter/ptest/testcnx"
Directory: /usr/lib64/freeDiameter/ptest
"testcnx" start time: Jun 17 10:52 UTC
Output:
----------------------------------------------------------
10:52:43 ERROR ERROR: Invalid parameter '(conn->cc_rcvthr != (pthread_t)((voidd *)0))', 22
10:52:43 ERROR TLS: Remote certificate invalid on socket 6 (Remote: 'localhostt .localdomain')(Connection: '{---T} TCP from [127.0.0.1]:57898 (4<-6)') :
10:52:43 ERROR - The certificate has expired.
10:52:43 ERROR TLS ERROR: in 'ret = gnutls_handshake(conn->cc_tls_para.sessionn )' : Error in the certificate.
10:52:43 FATAL! testcnx.c:867: CHECK FAILED : fd_cnx_handshake(server_side, GNUU TLS_SERVER, ALGO_HANDSHAKE_DEFAULT , NULL, NULL) == 16 != 0
10:52:43 FATAL! FAILED: testcnx.c
<end of output>
Test time = 0.02 sec
<snip>
Backport upstream patch [1] to fix this issue.
[1] http://www.freediameter.net/hg/freeDiameter/rev/eff5bb332b5a
This patch is present in version 1.4.0, so master is not affected.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | ntp: update 4.2.8p15 | Armin Kuster
Source: ntp.org
MR: 104487
Type: Security Fix
Disposition: Backport from http://archive.ntp.org/ntp4/ntp-4.2/
ChangeID: 65b220646dc29168c45b051a6ea2a651b9e669d1
Description:
Bugfix only update including a security fix: CVE-2020-15025
changelog: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c9384d7fc40acdf8b5ed668ac3f5fa0e2ad4dbd1) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | tcpreplay: upgrade 4.3.2 -> 4.3.3 | Andreas Müller
From [1]
* Increase cache buffers size to accommodate VLAN edits (#594)
* Correct L2 header length to correct IP header offset (#583)
* Fix warnings from gcc version 10 (#580)
* Heap Buffer Overflow in randomize_iparp (#579)
* Use after free in get_ipv6_next (#578)
* Heap Buffer Overflow in git_ipv6_next (#576)
* Call pcap_freecode() on pcap_compile() (#572)
* Increase max snaplen to 262144 (#571)
* Fix divide by zero in fuzzing (#570)
* Unique IP repeats at very high iteration counts (#566)
* Fails to compile on FreeBSD amd64 13.0 (#558)
* Heap Buffer Overflow in do_checksum (#556) (#577)
* Attempt to correct corrupt pcap files, if possible (#557)
* Fix GCC v10 warnings (#555)
* Remove some duplicated SOURCES entries (#551)
* Expand /dev/bpfX hard limit to fix macOS Mojave (#550)
* Implement --loopdelay-ms when using --loop=0 (#546)
* Heap overflow packet2tree and get_l2len (#530)
[1] https://github.com/appneta/tcpreplay/releases
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 822963c6cba8edde6d91fc56e2f0ae9e7a730551) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | libtalloc: fix upstream url | Konrad Weihmann
https://samba.org seems to be gone, switch to https://www.samba.org Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9a85b925c51308f93475d7cc8e2ddda90dff30fd) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | openipmi: upgrade 2.0.28 -> 2.0.29 | Wang Mingyu
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0b0c102d8c6daae12894f47f9523fe27fca5b15f) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | nftables: upgrade 0.9.4 -> 0.9.5 | Pierre-Jean Texier
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bf1ac503e8a54387a6b46623235dadff0d14596e) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | libnftnl: upgrade 1.1.6 -> 1.1.7 | Pierre-Jean Texier
See https://lwn.net/Articles/822353/ Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9e7912b8fd841001a2ffb78dc32edc86fd70b8cd) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-01 | netkit-rsh: properly append PACKAGECONFIG | Konrad Weihmann
As ??= assignment will be overwritten by += in any case, one can't define a default of PACKAGECONFIG in this recipe. Using _append instead mitigates chances of accidental overwriting the default Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4cca3eff387dc6630915ba4238b97712589308b8) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-12 | proftpd: Fix typo for SRC_URI[md5sum] | Konrad Weihmann
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5caca0f7bdefd28b9ecc446aea4177e2e297aa20) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-12 | wireshark: upgrade 3.2.2 -> 3.2.4 | Zang Ruochen
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8a4039c61296801dc7f9d6f1badd9310acadf2b8) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-12 | snort: upgrade 2.9.15 -> 2.9.16 | Zang Ruochen
-0001-chdeck-for-gettid-API-during-configure.patch Removed since this is included in 2.9.16 Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e44e7be3e9d140410d3c7d799a32cf867e494f9c) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-12 | mosquitto: upgrade 1.6.9 -> 1.6.10 | Zang Ruochen
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit aa615a8e6093759fd580217be79dc037d9c0d79c) Signed-off-by: Armin Kuster <akuster808@gmail.com>