frr's configure links libatomic whenever the toolchain merely has it:
AC_CHECK_LIB([atomic], [main], [LIBS="$LIBS -latomic"], [], [])
This probe only asks whether -latomic links, never whether frr needs a
symbol from it. On x86-64 the atomics frr uses are inlined, so the
resulting native clippy references no __atomic_* symbol at all, yet
still records a DT_NEEDED on libatomic.so.1.
Nothing prunes it: ASNEEDED is part of TARGET_LDFLAGS only, so native
links get no --as-needed. Nothing can satisfy it either: clippy's
RUNPATH points solely into recipe-sysroot-native, there is no
libatomic-native, and uninative only rewrites the ELF interpreter.
buildtools-extended-tarball ships nativesdk-libatomic, so on hosts using
buildtools (Rocky 8, Alma 8, openSUSE on the autobuilder) the probe
succeeds at link time while the loader cannot find libatomic later, and
the target do_compile dies executing clippy:
clippy: error while loading shared libraries: libatomic.so.1:
cannot open shared object file: No such file or directory
Hosts with a system libatomic in the default loader path, such as Ubuntu
with libatomic1 installed, only avoid this by accident.
Link native clippy with --as-needed so the unused libatomic dependency is
dropped, making the frr-native artifact independent of the build host.
Fixes [YOCTO #15590] and [YOCTO #15590]
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Analysis:
- The Mbed TLS advisory states the issue occurs when LLVM
select-optimize is enabled. [1]
- The same advisory also states that Arm/x86 builds with
MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls
configuration in this branch enables MBEDTLS_HAVE_ASM.
- NVD also describes the issue as occurring only with LLVM's
select-optimize feature. [2]
- The mbedtls recipes now evaluate the effective build flags across
target, native, and nativesdk variants, handle the supported
-mllvm spellings, and only mark the CVE unpatched when the
vulnerable LLVM option combination is explicitly enabled and the
Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply.
- When those conditions are not met, the current mbedtls build
configuration is not affected.
- Hence ignoring/deferred the CVE for now.
Reference:
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
GCC 14 promotes -Wincompatible-pointer-types to an error by default. The
buffer_init*.c sources pass read()/write() directly where a typeless op
function pointer is expected:
buffer/buffer_init_read.c:6:18: error: passing argument 2 of 'buffer_init'
from incompatible pointer type [-Wincompatible-pointer-types]
The existing gcc-15 patch only fixes the BUFFER_INIT macro, not these call
sites. Add -Wno-error=incompatible-pointer-types so the build completes.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The shipped Makefile does 'include config.mk' which is only created by
configure, so the 'make clean' run by autotools_preconfigure fails before
configure has run.
Set CLEANBROKEN to skip that pre-configure clean.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit python3targetconfig
point CMake's FindPython at the target sysroot libpython/headers
so Embed component resolves when cross compiling.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The webkit2gtk pkg-config check was unconditional, but WEBKIT is only
used by the GNOME auth dialog. Move it under the with-gnome guard
add webkitgtk3 to the gnome PACKAGECONFIG deps
ship the D-Bus system policy file.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: copyright year range updated; still BSD-3-Clause
Update LIC_FILES_CHKSUM: the LICENSE text changed only in its copyright
year range, it is still BSD-3-Clause.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a patch fixing the autoconf 2.13-era idioms that abort autom4te
under autoconf 2.73, and regenerate the existing patches so they apply
without fuzz.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Drop 0001-replace-__pure__-with-compiler-attribute-pure, which is obsolete
in 0.34, and refresh 0001-fix-incompatible-type-error-with-gcc-15 to the
hunks still needed.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: license header switched from "LIC: GPL" to SPDX GPL-2.0-or-later; license text unchanged
Adapt the patches to the 4.0 source restructure: refresh
configure_in_cross.patch for the new configure, and drop
0001-ppoe-Dont-include-linux-if_ether.h and
0002-Enable-support-for-the-kernel-module which are obsolete/upstreamed
in 4.0.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: added GPLv2/GPLv2+ files (linux_helpers.h, rbtree_augmented.h, rbtree_types.h) to the per-file license listing
Drop 0001-dlm_controld-remove-unnecessary-header-include,
0001-Disable-annobin-plugin and 0001-Remove-fcf-protection-full, which
are all present in 4.3.0.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
drop upstreamed cross-compile test patch
This release already guards the auth-pam unit test TESTS assignment with
"if !CROSS_COMPILING" in tests/unit_tests/plugins/auth-pam/Makefile.am
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
lftp 4.9.3 bundles gnulib sources that fail to build with the OpenEmbedded
clang + lld toolchain. Carry a single patch with the gnulib compatibility
fixes:
1. Single-argument static_assert (lib/dirent.in.h, lib/uchar.in.h) is a
C++17 feature; clang in its default C++14 mode rejects it with
"static_assert with no message is a C++17 extension". Add a message.
Reported upstream: https://github.com/lavv17/lftp/issues/766
2. lib/stdlib.in.h pre-includes <string> to pre-instantiate std::strtoull
before the "#define strtoull rpl_strtoull" macro fires, but guarded the
workaround with "&& !defined __clang__" so it never triggered under
clang + libstdc++, rewriting std::strtoull to the non-existent
std::rpl_strtoull. Extend the guard to cover clang.
3. After gnulib split md5.c/sha1.c into primary + -stream.c files, both
define GL_OPENSSL_INLINE to _GL_EXTERN_INLINE before including the
header, so with the OpenSSL md5/sha1 backends both translation units
emit out-of-line wrapper copies and lld fails with duplicate symbol
errors. Drop the override from the -stream.c files.
Consolidates the three previously separate patches into one; verified by
building lftp for qemux86-64 with clang + lld (the duplicate-symbol link
failure reproduces without the patch and is resolved with it).
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Update to a newer version of the last release, because this does not compile
which got fixed with
https://github.com/irontec/sngrep/commit/b84f0663e47de6f238d9f81eed67612a9ab616ef.
sngrep supports pcre2, so use this instead of pcre, which is outdated.
Changelog:
* capture: add support for telephony-event rtp streams (RFC 4733)
* capture: replace fake HEP frames for network captured packets
* call flow: limit call-id displayed on title to 125 characters
* rtp: fix duration value in telephony-event is incorrectly converted
* core: fix out of bound arrays crashes
* eep: fix multiple memory crashes in HEP parsing
* ipv6: fixed incorrect payload length for fragmented IPv6 packets
* build: use libgcrypt-config if pkg-config is not available for libcrypt
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The Debian package page is not the appropriate homepage. And we can add the
bug tracker URL and a description. Configure has some more options we can
expose as PACKAGECONFIG. In INSTALL file in the source repository states
that libpcre2 (instead of libpcre) should be used. And std=gnu89 is no
longer needed.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
GCC 16 defaults to C++20 which enforces stricter designated
initializer rules. Add patches to fix the two affected test files.
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Comparator objects used in standard containers (such as std::set)
must be invocable as const. Opensaf contains several comparators
that lack the 'const' qualifier, leading to compilation failures like:
error: passing 'const XxxCompare*' as 'this' argument discards qualifiers
Add a backported patch to fix the comparators in imm_xmlw_dump.cc
and amfd/node.h by adding the missing 'const' to operator().
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit updates the RDEPENDS for the ptest package to include
${PN}-python only when the 'python' PACKAGECONFIG option is enabled.
This change will ensure that we dont get below failure when ptest is enabled in the distro features,
and packageconfig is not set.
It causes this error-
ERROR: Nothing RPROVIDES 'nftables-python' (meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.1.6.bb RDEPENDS on or otherwise requires it)
NOTE: Runtime target 'nftables-python' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['nftables-python']
ERROR: Required build target 'nftables' has no buildable providers.
Missing or unbuildable dependency chain was: ['nftables', 'nftables-python']
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Issue 2057 - SQL Injection in mod_wrap2_sql via reverse DNS
hostname (CVE-2026-44331).
- Issue 2056 - Incomplete fix for session management with OpenSSL 3.2.x or
later, when using TLSv1.2 or earlier. This complements the fix for
Issue #1963.
- Issue 2098 - Hard quota limits on uploads do not cause SFTP WRITE requests
to fail as expected.
- Issue 2102 - SSH payload length underflow calculation for ETM/ChaChaPoly
algorithms in mod_sftp.
- Issue 2104 - SSH packet with empty payload triggers null pointer dereference
in mod_sftp.
- Issue 2106 - Bad DSA signatures can lead to out-of-bounds read of heap memory
in mod_sftp.
- Issue 2108 - Mismatched RSA/DSA algorithm signatures can lead to null
dereference in mod_sftp.
- Issue 2115 - SFTP request payload length underflow calculation in mod_sftp.
- Issue 2120 - Several modules fail to build using OpenSSL 4.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
After the recent recipe update I see this build error:
| Makefile.linux:67: config.mk: No such file or directory
| make: *** No rule to make target '/configure', needed by 'config.mk'. Stop.
Run the configure script so that config.mk gets created
Also fix LIC_FILE_CHECKSUM. Copyright year has been changed
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Several useful clients are available as part of the overall mDNSResponder
build, package these alongside the main binary.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>