The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.
Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.
Signed-off-by: Aviv Daum <aviv.daum@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865
This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.
The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.
See also discussion in the Github issue.
I just put it on the ignore list.
[1]: https://github.com/proftpd/proftpd/issues/1298
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."
Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."
Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.
[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a1b56bc7)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The original xz-compressed tarball isn't available at the download
location anymore - switch to the gz tarball which is still there.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
libxml has derecated the "xmlSetFeature" call, and hid is behind a special
config flag (--with-legacy), which is not used by default in oe-core.
This makes compilation fail, when "esi" PACKAGECONFIG is enabled:
Libxml2Parser.cc:94:5: error: 'xmlSetFeature' was not declared in this scope; did you mean 'xmlHasFeature'?
This backported patch fixes this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Switch the SRC_URI from "ftp:" to "https:". Drop the obsolete SRC_URI[md5sum].
Drop ncftp-3.2.5-gcc10.patch since we're using gcc13 and upstream has fixed the build
to work by adding an extern to sh_util/gpshare.c for example.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9dbf1b42bb)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
nostrip.patch
refreshed for 1.0.52
License-Update: Copyright year updated to 2024
Changelog:
==========
- The QUIT command is now accepted during a transfer.
- The server can be built with --with-minimal again.
- Fixed an out of bounds read in the MLSD command.
- Larger mmap()ed pages are used on aarch64.
- Improved compatibility with HPUX
- Improved OpenSSL API compatibility
- Improved compatibility with OpenWall Linux
- Improved compatibility with Netfilter
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fac6357f60)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
According to [1] the ESI feature implementation in squid is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).
Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.
We should not break features in LTS branch and cannot fix this problem.
So ignrore this CVE based on set PACKAGECONFIG which should remove it
from reports for most users. Thos who need ESI need to assess the risk
themselves.
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This patch fixes warnings when useradd-staticids.bbclass is used and
USERADD_PARAM is used to add the user to a group that has not been
explicitly created yet. By adding the GROUPADD_PARAM for the new group
being used the warnings for changing the gid from GID-OLD to GID-NEW
is eliminated.
Warnings fixed:
cyrus-sasl: Changing groupname mail's gid from (WXYZ) to (JKLM), verify configuration files!
radvd: Changing groupname nogroup's gid from (WXYZ) to (JKLM), verify configuration files!
Signed-off-by: JD Schroeder <sweng5080@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch
0001-makeinit.sh-fix-parallel-build-issue.patch
0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch
deleted since they're included in 2.1.28
CVE-2019-19906.patch
avoid-to-call-AC_TRY_RUN.patch
refreshed for new version
Changelog:
=========
build:
------
configure - Restore LIBS after checking gss_inquire_sec_context_by_oid
makemd5.c - Fix potential out of bound writes
fix build with –disable-shared –enable-static
Dozens of fixes for Windows specific builds
Fix cross platform builds with SPNEGO
Do not try to build broken java subtree
Fix build error with –enable-auth-sasldb
common:
-------
plugin_common.c:
Ensure size is always checked if called repeatedly (#617)
documentation:
--------------
Fixed generation of saslauthd(8) man page
Fixed installation of saslauthd(8) and testsaslauthd(8) man pages (#373)
Updates for additional SCRAM mechanisms
Fix sasl_decode64 and sasl_encode64 man pages
Tons of fixes for Sphinx
include:
--------
sasl.h:
Allow up to 16 bits for security flags
lib:
----
checkpw.c:
Skip one call to strcat
Disable auxprop-hashed (#374)
client.c:
Use proper length for fully qualified domain names
common.c:
CVE-2019-19906 Fix off by one error (#587)
external.c:
fix EXTERNAL with non-terminated input (#689)
saslutil.c:
fix index_64 to be a signed char (#619)
plugins:
--------
gssapi.c:
Emit debug log only in case of errors
ntlm.c:
Fail compile if MD4 is not available (#632)
sql.c:
Finish reading residual return data (#639)
CVE-2022-24407 Escape password for SQL insert/update commands.
sasldb:
-------
db_gdbm.c:
fix gdbm_errno overlay from gdbm_close
DIGEST-MD5 plugin:
------------------
Prevent double free of RC4 context
Use OpenSSL RC4 implementation if available
SCRAM plugin:
------------
Return BADAUTH on incorrect password (#545)
Add -224, -384, -512 (#552)
Remove SCRAM_HASH_SIZE
Add function to return SCRAM auth method name
Allocate enough memory in scam_setpass()
Add function to sort SCRAM methods by hash strength
Update windows build for newer SCRAM options
saslauthd:
---------
auth_httpform.c:
Avoid signed overflow with non-ascii characters (#576)
auth_krb5.c:
support setting an explicit auth_krb5 server name
support setting an explicit servername with Heimdal
unify the MIT and Heimdal auth_krb5 implementations
Remove call to krbtf
auth_rimap.c:
provide native memmem implementation if missing
lak.c:
Allow LDAP_OPT_X_TLS_REQUIRE_CERT to be 0 (no certificate verification)
lak.h:
Increase supported DN length to 4096 (#626)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-Fix-compiler-error-introduced-with-recent-IPv6-commi.patch
removed since it's included in 2.1.6.
Changelog:
=========
This release adds more bug fixes and cleanups. No major functionality changes.
libopeniscsiusr: extend sysfs ignore_error to include EINVAL
Fix compiler error introduced with recent IPv6 commit.
Remove dependences from iscsi-init.service
Use "sbindir" for path in systemd service files
Updated README a bit
Finish ability to have binary location configurable.
Fix iscsi-init so that it runs when root writable
remove redundant params in Makefile
Fixing last parts of sbindir configuration
Cosmetic cleanup on recent addition
Update the iscsi-gen-initiatorname script: harden and generalize
change iscsi-gen-initiatorname option -b => -p
Add man page for the iscsi-gen-initiatorname script.
Install new man page for iscsi-gen-initiatorname
Fix issues discovered by gcc12
Fix more issues discovered by gcc12
iscsi sysfs: check state before onlining devs
iscsistart: fix login timeout handling
iscsid: use infinite timeout if passed in
iscsid: add error code for req timeouts
Improve 'iscsid.conf'
iscsiadm: Call log_init() first to fix a segmentation fault
iscsi_err: Add iscsid request timed out error messages
Fix wrong install_systemd destination path
actor: add name to struct actor and init it with function name
actor: print thread name in log
actor: enhanced: print error log when init a initilized thread
initiator_common: make set operational parameter log easy to read
iscsid: Check session id before start sync a thread
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
* log: removal of letter 'C'/'R' from msgId in RFC5424 format [#3303]
* log: Stop all threads while releasing the log agent object [#3302]
* amf: Correct HC period to make it effect immediately[#3298]
* log: Correct condition to shutdown the log agent [#3301]
* log: Increase timeout in logtest [#3291]
* log: Shutdown log agent when not in use [#3291]
* log: Introduce the initial clm node status [#3291]
* amf: Correct the version of csi attribute message [#3296]
* ntf: correct the behavior of periodic check log pending [#3297]
* mds: Resolve active MxN VDEST conflict in split brain [#3281]
* smf: correct merge bundle rolling to single step [#3290]
* ntf: get attribute value from local when value not existed [#3289]
* immd: fix cannot find candidate for new immnd coordinator [#3284]
* smf: make more robustness in BISU upgrade [#3286]
* amfd: Tightens sync window condition to proceed headless restoration [#3271]
* osaf: fixed redefinition of typedef 'SaConstStringT' [#3287]
* amf: update runtime attributes of node to IMM in sync [#3285]
* amfd: Correct checking CSICOMP while deleting CSI [#3282]
* base: using mutex for test case sysf_ipc_test instead of atomic [#3283]
* build: adaptive python version for rpm build [#3270]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: year updated to 2021.
Changelog
==========
This version fixes some really old issues, the most significant one being
excessive memory use for large memory listings.
When virtual quotas were used, transfers were not aborted after the limit was
reached; files were only removed at the end of a transfer. That should now be fixed.
Support for MD5, SHA1 and the MySQL PASSWORD() function were removed for
password hashing. You should now use scrypt, argon2 or the system crypt(3) function.
The server used to reject class E reserved network ranges. People reported that
Linux containers may use them, so this is now accepted.
Finally, it is now possible to recursively include additional files in a
configuration file, with the new Include directive.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Rename /etc/init.d/opensafd to /usr/lib/opensaf/opensafd-init as it is
needed by opensafd.service, but /etc/init.d is removed by
systemd.bbclass if sysvinit is not in DISTRO_FEATURES.
Note that this will not actually make the initscript and service file
work since they depend on /lib/lsb/init-functions, which does not exist
since the lsb recipe was removed from OE-Core.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>