Commit Graph

1390 Commits

Author SHA1 Message Date
Wang Mingyu 4a2bf0b55e strongswan: upgrade 5.9.12 -> 5.9.13
Changelog:
- Fixes a regression with handling OCSP error responses and adds a new
  option to specify the length of nonces in OCSP requests.  Also adds some
  other improvements for OCSP handling and fuzzers for OCSP
  requests/responses.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be2e20157)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-16 19:20:45 -05:00
Wang Mingyu 3c4c97f230 strongswan: upgrade 5.9.11 -> 5.9.12
Changelog:
==========
- Fixed a vulnerability in charon-tkm related to processing DH public values
  that can lead to a buffer overflow and potentially remote code execution.
- The new `pki --ocsp` command produces OCSP responses based on certificate
  status information provided by plugins.
- The cert-enroll script handles the initial enrollment of an X.509 host
  certificate with a PKI server via the EST or SCEP protocols.
- The --priv argument for charon-cmd allows using any type of private key.
- Support for nameConstraints of type iPAddress has been added (the openssl
  plugin previously didn't support nameConstraints at all).
- SANs of type uniformResourceIdentifier can now be encoded in certificates.
- Password-less PKCS#12 and PKCS#8 files are supported.
- A new global option allows preventing peers from authenticating with trusted
  end-entity certificates (i.e. local certificates).
- ECDSA public keys that encode curve parameters explicitly are now rejected by
  all plugins that support ECDSA.
- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
  also use the name in connection.interface-name.
- The resolve plugin tries to maintain the order of installed DNS servers.
- The kernel-libipsec plugin always installs routes even if no address is found
  in the local traffic selectors.
- Increased the default receive buffer size for Netlink sockets to 8 MiB and
  simplified its configuration.
- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
  always generating a hash of the subjectPublicKey.
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
  timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
  unrelated traffic selectors.
- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
  instead callbacks are always invoked even if only errors are signaled.
- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
  handling invalid messages.
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
  CHILD_SA is not found during rekeying.
- The testing environment is now based on Debian 12 (bookworm), by default.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 077489fda8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-05 07:52:17 -05:00
Khem Raj 04395fd148 openvpn: upgrade 2.6.3 -> 2.6.6
License-Update: Added Apache2 linking exception

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 45ad525348)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-05 07:52:16 -05:00
Andrew Jeffery f6eb3b597a mdio-tools: Add virtual/kernel dependency to avoid stale SPDX reference
OpenBMC enables SPDX SBOM generation by default. For Meta's Bletchley
platform we found that mdio-tools and its relationships with both
mdio-netlink and the mdio-netlink kernel module break SPDX processing
while generating the rootfs after a kernel bump. For example, the
following output was generated by `bitbake obmc-phosphor-image`:

    ERROR: obmc-phosphor-image-1.0-r0 do_rootfs: Cannot find any SPDX file for document http://spdx.org/spdxdoc/kernel-module-mdio-netlink-6.5.4-da279e9-00089-gda279e98c07f-89187488-3164-50cb-94c5-8b76a30ea093

The error occurred after the following patch was applied (again, in the
context of OpenBMC):

    diff --git a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    index e6f98297c540..b852e993f0f6 100644
    --- a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    +++ b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    @@ -1,6 +1,6 @@
     KBRANCH ?= "dev-6.5"
    -LINUX_VERSION ?= "6.5.4"
    +LINUX_VERSION ?= "6.5.9"

    -SRCREV="da279e98c07f9c948c60a434ab0043a55c26ea1d"
    +SRCREV="fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"

     require linux-aspeed.inc

With the lack of a dependency the mdio-tools package is not rebuilt
subsequent to the kernel bump and the package information remains stale,
leading to an incorrect SPDX path being generated.

Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 668cf43b21)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-01 08:16:30 -04:00
Richard Purdie d92a059e21 meta-networking: Drop broken BBCLASSEXTEND variants
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.

In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.

Having universe fetch work without warnings is desireable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1b332f2ef)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-01 08:16:30 -04:00
Wang Mingyu 4965d1ec41 wireshark: upgrade 4.0.8 -> 4.0.10
Bugfix:
Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7e44aac2fb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-30 07:14:03 -04:00
Wang Mingyu 4e3b73537f rdma-core: upgrade 47.0 -> 48.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 21db09270d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-30 07:14:03 -04:00
Charles Perry 766dcdff95 libexosip2: add recipe
libexosip2 extends the capabilities of the osip2 library. It can be a
useful building block for an embedded device application.

Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b4cb938b0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-30 07:14:02 -04:00
Charles Perry ad9072a34e libosip2: add recipe
The GNU oSIP library is an implementation of SIP - rfc3261. It can be a
useful building block for an embedded device application.

Signed-off-by: Charles Perry <charles.perry@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a948375e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-30 07:14:02 -04:00
Yi Zhao 3426b62b54 libldb: add ptest
* use external cmocka instead of bundled cmocka
* add run-ptest script

Ptest results:
$ ptest-runner libldb
START: ptest-runner
2023-10-12T11:49
BEGIN: /usr/lib/libldb/ptest
PASS: test_ldb_dn
PASS: test_ldb_qsort
DURATION: 0
END: /usr/lib/libldb/ptest
2023-10-12T11:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4a07ee78c5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-17 08:23:02 -04:00
Yi Zhao 872c600a9f libtevent: fix ptest
* use external cmocka instead of bundled cmocka
* add run-ptest script

Ptest results:
$ ./run-ptest
PASS: replace_testsuite
PASS: test_tevent_tag
PASS: test_tevent_trace

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 287386a51f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-17 08:23:02 -04:00
Martin Jansa 78bd023a62 gnome-tweaks, networkmanager-fortisslvpn, libesmtp, json-schema-validator, python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status
* Accepted was replaced with Backport in gatesgarth:
  https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes

* as detected with oe-core/scripts/contrib/patchreview.py:

meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a1c3c7f4e8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-04 07:52:48 -07:00
Lee Chee Yang 0ad3c58736 ntpsec: 1.2.2 -> 1.2.2a
Fix a crash in ntpd if NTS is disabled and an NTS-enabled client request
(mode 3) is received. (CVE-2023-4012) #794

https://gitlab.com/NTPsec/ntpsec/-/releases/NTPsec_1_2_2a

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-22 07:36:16 -07:00
Wang Mingyu 5f295bc8e9 dovecot: upgrade 2.3.20 -> 2.3.21
Changelog:
==========
* lib-oauth2: Allow JWT tokens to be validated with missing typ field.
+ auth: Auth passdb and userdb reply can contain "event_<name>=value"
  which will be added to login event and mail user event respectively.
+ lib-master: Set process title during various initialization stages to
  clearly describe what the process is waiting on.
+ lib-storage: The mail_temp_scan_interval is now fuzzed incrementing it
  by 0..30% based on username's hash to reduce the chance of load spikes.
+ lib-storage: The temp file scan has been moved from the open of the
  mailbox to the close, to reduce the latency perceived by users.
+ stats: If metric has fields specified, all these fields are
  exported as counters to prometheus exposition.
- *-login: Processes might have crashed when a SSL connection disconnects
  uncleanly.
- acl: When plugin was loaded \HasChildren and \HasNoChildren flags
  were calculated incorrectly for mailboxes containing '*' and '%'
  in their names.
- auth: Crash occured if a connection to PostgreSQL database server
  failed during startup.
- auth: Logins with invalid passwords (e.g. unknown scheme) in passdb
  were failing with "password mismatch" instead of "internal error".
- auth: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol
  specific error message on all errors. This especially broke OIDC
  discovery.
- dbox: When last_temp_file_scan header wasn't set (especially after
  dsync migration), the next mailbox open always triggers the temp file
  scan.
- dict-redis: A crash would occur on transaction rollback.
- dsync: Infinite loop causing out of memory would occur when handling
  mailbox deletion from remote end and hierarchy separators would differ.
- dsync: Incremental dsync failed for folder names ending with '%',
  unless BROKENCHAR was set. Also folder names with '%' elsewhere in
  them caused each incremental dsync to unnecessarily rename the folder
  to a temporary name and back. v2.3.19 regression.
- imap-hibernate: If an IMAP client unhibernation timed out with
  "(version received)", the unhibernation could still have successfully
  finished later on and continued working normally. This was rather
  confusing, because imap-hibernate already logged that the client got
  disconnected.
- imapc: Crashed when a folder mapped through the virtual plugin
  disappears from the storage.
- imapc: EXPUNGE, EXISTS or FETCH replies from a server for a previously
  selected mailbox could have been processed as if they belonged to the
  new mailbox currently being selected.
- lib-http: Dovecot HTTP server (doveadm, stats/openmetrics) may have
  disconnected HTTP clients before the response is fully sent. This
  happened only on busy servers where kernel's socket buffers were
  rather full.
- lib-http: Fixed a potential crash on http-server if a client
  disconnected early. v2.3.18 regression.
- lib-index: Index file corruption could have caused a crash. Fixes:
  Panic: file mail-transaction-log-view.c: line 165 (mail_transaction_log_view_set):
  assertion failed: (min_file_seq <= max_file_seq).
- lib-index: Purging an existing >1GB cache file can crash. Now cache
  files still above 1GB after purging are removed. Fixes:
  Panic: file mail-index-util.c: line 10 (mail_index_uint32_to_offset):
  assertion failed: (offset < 0x40000000)
- lib-lua: A HTTP client could not resolve DNS names in mail processes,
  because it expected "the dns-client" socket to exist in the current
  directory.
- lib-oauth2: Dovecot would send client_id and client_secret as POST
  parameters to the introspection server. These need to be optionally in
  Basic auth instead.
- lib-oauth2: JWT aud validation was not performed if aud was missing
  from a token, but was configured on Dovecot.
- lib-oauth2: JWT key type check was too strict.
- lib-oauth2: JWT token audience was not validated against client_id as
  required by the specification.
- lib-ssl-iostream: Using the ssl_require_crl=yes setting may have caused
  CRL check failures for outgoing SSL/TLS connections, although it was
  supposed to affect checking CRLs only for client-side SSL
  certificates. v2.3.17 regression.
- lib-sql: MySQL driver leaked memory when connection failed.
- lib-storage: Various fixes when running into out of disk space.
- master: Service idle_kill setting didn't work properly on busy
  servers.
- mdbox: Temp file scan was done for always empty directories.
- mdbox: The fdatasync() call was done in wrong parent directory when
  writing mails. Also on a failure it crashed instead of logging an error.
- notify_status: The plugin crashes if any user initialization fails.
- pop3: Sending command with the ':' character caused an assert-crash.
  v2.3.18 regression. Fixes: Panic: event_reason_code_prefix(): name has ':'
- stats: Fix panic when a nonexistent event exporter was referenced while
  adding a new metric dynamically via doveadm stats add.
- stats: If process exported a lot of events and then exited, some of
  the last events may have become lost.
- stats: Invalid Prometheus label names were created with specific
  histogram group_by configurations. Prometheus rejected these labels.
- welcome: The plugin didn't execute in some situations that created
  INBOX but didn't open it.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-20 15:34:02 -07:00
Beniamin Sandu f5d31863c9 unbound: upgrade 1.17.1 -> 1.18.0
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-07 08:22:44 -07:00
Wang Mingyu 5480dfef23 wireshark: upgrade 4.0.7 -> 4.0.8
Changelog:
============
The following vulnerabilities have been fixed:
    wnpa-sec-2023-23 CBOR dissector crash. Issue 19144.
    wnpa-sec-2023-24 BT SDP dissector infinite loop. Issue 19258.
    wnpa-sec-2023-25 BT SDP dissector memory leak. Issue 19259.
    wnpa-sec-2023-26 CP2179 dissector crash. Issue 19229.

The following bugs have been fixed:
    TShark cannot capture to pipe on Windows correctly. Issue 17900.
    Wireshark wrongly blames group membership when pcap capabilities are removed. Issue 18279.
    Packet bytes window broken layout. Issue 18326.
    RTP Player only shows waveform until sequence rollover. Issue 18829.
    Valid Ethernet CFM DMM packets are shown as malformed. Issue 19198.
    Crash on DICOM Export Objects window close. Issue 19207.
    The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title \"GREASE\" Issue 19209.
    Preferences: Folder name editing behaves weirdly, cursor jumps. Issue 19213.
    DHCPFO: Expert info list does not show all expert infos. Issue 19216.
    Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text. Issue 19220.
    Cannot read pcapng file captured on OpenBSD and read on FreeBSD. Issue 19230.
    UI: While capturing the Wireshark icon changes from green to blue when new file is created. Issue 19252.
    Conversation: heap-use-after-free after wmem_leave_file_scope. Issue 19265.
    IP Packets with DSCP 44 does not indicate "Voice-Admit" Issue 19270.
    NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list. Issue 19273.
    UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list. Issue 19274.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-07 08:22:43 -07:00
Wang Mingyu a2d749df14 traceroute: upgrade 2.1.2 -> 2.1.3
Changelog:
 Fix command line parsing in wrappers.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-07 08:22:43 -07:00
Yi Zhao 241dbe5428 ntp: add missing runtime dependencies
Some perl modules are required by ntptrace:

$ ntptrace
Can't locate lib.pm in @INC (you may need to install the lib module)
(@INC contains: /usr/lib/perl5/site_perl/5.36.0/x86_64-linux
 /usr/lib/perl5/site_perl/5.36.0
 /usr/lib/perl5/vendor_perl/5.36.0/x86_64-linux
 /usr/lib/perl5/vendor_perl/5.36.0 /usr/lib/perl5/5.36.0/x86_64-linux
 /usr/lib/perl5/5.36.0) at /usr/sbin/ntptrace line 10.
BEGIN failed--compilation aborted at /usr/sbin/ntptrace line 10.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-07 08:22:43 -07:00
Martin Jansa b74b10e316 tcpreplay: fix pcap detection with /usr/lib32 multilib
* use BPN, BP where useful
* use prefix instead of hardcoding /usr
* add patch to search also in lib32 subdir of --with-libpcap value
  to fix:
  checking for libpcap... configure: error: "Unable to find matching library for header file in TOPDIR/BUILD/work/raspberrypi4_64-oemllib32-linux-gnueabi/lib32-tcpreplay/4.4.4-r0/lib32-recipe-sysroot/usr"

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-03 09:04:57 -07:00
Martin Jansa aecd7f7f4a phodav: make sure systemd files are packaged correctly
* fixes installed-vs-shipped QA issue with multilib:

ERROR: lib32-phodav-3.0-r0 do_package: QA Issue: lib32-phodav: Files/directories were installed but not shipped in any package:
  /usr/lib/systemd
  /usr/lib/systemd/system
  /usr/lib/systemd/system/spice-webdavd.service
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
lib32-phodav: 3 installed and not shipped files. [installed-vs-shipped]

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-30 14:45:47 -07:00
Markus Volk 00f8179720 spice-guest-vdagent: add missing dependencies
add x11 to REQUIRED_DISTRO_FEATURES

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-30 14:45:47 -07:00
Markus Volk 1bc98e3643 spice: add missing dependency on orc
this fixes:
meson.build:139:23: ERROR: Dependency "orc-0.4" not found, tried pkgconfig

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-30 14:45:47 -07:00
Chen Qi f74d5dfd69 spice-protocol: fix populate_sdk error when spice is installed
spice depends on spice-protocol, when IMAGE_INSTALL contains spice,
do_populate_sdk fails with the following error:

  Error:
  Problem: package libspice-server-dev-0.14.2+git0+7cbd70b931_4fc4c2db36-r0.core2_64 requires spice-protocol-dev, but none of the providers can be installed
  - conflicting requests
  - nothing provides spice-protocol = 0.14.4-r0 needed by spice-protocol-dev-0.14.4-r0.core2_64
  (try to add '--skip-broken' to skip uninstallable packages)

For spice-protocol, it's a development package and all things are in
the dev package, so set ALLOW_EMPTY to fix the above error.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-28 08:55:26 -07:00
Markus Volk 9882289b75 spice-guest-vdagent: add recipe
The spice-vdagent needs to be running alongside qemu-guest-agent on
virtualizationguest systems that are using the spice protocol to
get seamless integration.

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:45 -07:00
Markus Volk e074e958dc phodav: add recipe
phodav is a small webdav server, that was originally created as a tool to
provide folder sharing for spice but it can be used on a wider range
of applications.

It is usable e.g. in virt-viewer or gnome-boxes

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:45 -07:00
Markus Volk 523f935691 spice-gtk: fix api-documentation build
- add support for smartcard
- add missing rdepend on usbids

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:44 -07:00
Markus Volk 9320d33900 spice: upgrade 0.14.2 -> 0.15.2
-switch to meson buildsystem
-remove patches
-update dependencies
-fetch spice-common as a submodule

Major Changes in 0.15.2:
Really minor fix release, mainly to fix a distribution issue

Add missing file to distribution
Fix sound recording fix in case of buffer wrapping

Major Changes in 0.15.1:

Fix some compatibility issues with FreeBSD
Fix some minor issue with build
Improve packaging with Meson
Lot of C++ improves (clang-tidy)
Fix some compatibility with no-Glibc libraries (like Musl)
Fix minor leaks shutting down library
Add Doxygen file to distribution
Fix a longstanding issue related to surface updates where wrong surfaces were possibly used
Fix compatibility with OpenSSL 3
Updates and fixes for CI
Use more random connection IDs to fix possible issues with proxies

Major Changes in 0.15:
This is the first release in the new 0.15.x stable series. This release should
be ready for production use.

Minor updates to CI
Some compatibility with OpenSSL
Change the behavior of handle_dev_start ignoring multiple start requests
Ignore multiple calls to handle_dev_stop
Pick up newer spice-common to fix a buffer overflow issue

Major Changes in 0.14.91:
IMPORTANT
0.14.91 is the first release candidate for the stable 0.15.x series. While some
bugs might still be present, it should be reasonably stable. If you are looking
for stability for daily use, please keep using the latest 0.14.x release.

Support UNIX abstract sockets
Fix some potential thread race condition in RedClient
Many cleanups in the code
Improve migration test script
Update in protocol documentation
Improve Meson build
Removed CELT support
Update CI
Removed QXLWorker definition, it was deprecated 6 years ago
Fix some compatibility with MacOS
Fix some compatibility with Windows
Move the project to C++
Some fixes for SASL dealing with WebDAV
Fix minor Coverity reports
Add Doxygen support, manually built with "make doxy"
Support more mouse buttons (up to 16 buttons)
CVE-2020-14355 multiple buffer overflow vulnerabilities in QUIC decoding
code

Major Changes in 0.14.3:
Main changes are WebSocket and support for Windows.

Add support for WebSocket, this will allow to use spice-html5 without proxy
Support Windows, now Qemu Windows can be build enabling Spice
Fix some alignment problem
Converted some documentation to Asciidoc format to make easier to update,
updated some
Minor compatibility fix for PPC64EL and ARMHF
Minor fixes for big endian machines like MIPS
Avoid some crashes with some buggy guest drivers, simply ignore the invalid
request
Fix for old OpenSSL versions
Minor fix for Windows clients and brushes, fixed an issue with Photoshop
under Windows 7
Add ability to query video-codecs
Small use-after-free fix
Fix for debugging recording/replaying using QUIC images
Fix a regression where spice reported no monitors to the client
Fix DoS in spicevmc if WebDAV used
Updated and improved test migration script
Some minor fixes to smartcard support
Avoid possible disconnection using proxies using a in-flow keepalive
mechanism

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:44 -07:00
Markus Volk 1b8c39fe98 usbredir: upgrade 0.9.0 -> 0.13.0
-switch to meson buildsystem

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:44 -07:00
Markus Volk 93a23d595f libcacard: add recipe
libcacard is a library that adds smartcard support to qemu and/or spice

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:44 -07:00
Wang Mingyu b3d6aba320 chrony: upgrade 4.3 -> 4.4
arm_eabi.patch
refreshed for 4.4

Changelog:
===========
* Add support for AES-GCM-SIV with Nettle >= 3.9 to shorten NTS
  cookies to avoid some length-specific blocking of NTP on Internet
* Add support for multiple refclocks using extpps option on one PHC
* Add maxpoll option to hwtimestamp directive to improve PHC tracking
  with low packet rates
* Add hwtstimeout directive to configure timeout for late timestamps
* Handle late hardware transmit timestamps of NTP requests on all sockets
* Handle mismatched 32/64-bit time_t in SOCK refclock samples
* Improve source replacement
* Log important changes made by command requests (chronyc)
* Refresh address of NTP sources periodically
* Request nanosecond kernel RX timestamping on FreeBSD
* Set DSCP for IPv6 packets
* Shorten NTS-KE retry interval when network is down
* Update seccomp filter for musl
* Warn if loading keys from file with unexpected permissions
* Warn if source selection fails or falseticker is detected
* Add selectopts command to modify source-specific selection options
* Add timestamp sources to serverstats report and make its fields 64-bit
* Add -e option to chronyc to indicate end of response

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-15 20:07:54 -07:00
Chen Qi 22d5614d2d open-vm-tools: add CVE_PRODUCT
vmware:tools is also a valid CVE_PRODUCT for open-vm-tools,
e.g., https://nvd.nist.gov/vuln/detail/CVE-2023-20867.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-07 09:01:00 -07:00
Michael Opdenacker c1330b1f53 remove unused AUTHOR variable
No longer used in generating packages
Also creates a possible confusion with the recipe maintainer
name.

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-03 09:14:20 -07:00
Wang Mingyu b9d9436390 rdma-core: upgrade 46.0 -> 47.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-01 08:46:48 -07:00
Wang Mingyu 5779ec238a mdio-tools,mdio-netlink: Upgrade recipes to 1.3.0
Changelog:
===========
Primarily widen the gamut of supported kernel versions, now supporting
all kernels from 5.2 and onwards.

Added
------
    mvls: Support for 88E6320/88E6321

Changed
--------
    mdio-netlink: Adapt to the upstream C22/C45 refactor.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-01 08:46:48 -07:00
Andrej Valek 8af2f17a6f cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-27 08:54:40 -07:00
Wang Mingyu da2ce88484 wireshark: upgrade 4.0.6 -> 4.0.7
Changelog:
==========
The following vulnerabilities have been fixed:

 wnpa-sec-2023-21[3] Kafka dissector crash. Issue 19105[4].
 wnpa-sec-2023-22[5] iSCSI dissector crash. Issue 19164[6].

The following bugs have been fixed:

-Crash when (re)loading a capture file after renaming a dfilter
 macro. Issue 13753[7].
- Moving a column deselects selected packet and moves to beginning
 of packet list. Issue 16251[8].
-If you set the default interface in the preferences, it doesn't
 work with TShark. Issue 16593[9].
-Severe performance issues in Follow → Save As raw workflow. Issue
 17313[10].
-TShark doesn't support the tab character as an aggregator
 character in \"-T fields\" Issue 18002[11].
-On Windows clicking on a link in the 'Software Update' window
 launches, now unsupported, MS Internet Explorer. Issue 18488[12].
-Wireshark 4.x.x on Win10-x64 crashes after saving a file with a
 name already in use. Issue 18679[13].
-NAS-5GS Operator-defined Access Category: Multiple Criteria
 values not displayed in dissected packet display. Issue
 18941[14].
-Server Hello Packet Invisible - during 802.1x Authentication-
 from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) &
 above. Issue 19071[15].
-TShark reassembled data is incomplete/truncated. Issue 19107[16].
 CQL protocol parsing issues with 'Result' frames from open source
 Cassandra. Issue 19119[17].
-TLS 1.3 second Key Update doesn't work. Issue 19120[18].
-HTTP2 dissector reports an assertion error on large data frames.
 Issue 19121[19].
-epan: Single letter hostnames aren't displayed correctly. Issue
 19137[20].
-BLF: CAN-FD-Message format is missing a field. Issue 19146[21].
-BLF: last parameter of LIN-Message is not mandatory (BUGFIX)
 Issue 19147[22].
-PPP IPv6CP: Incorrect payload length warning. Issue 19149[23].
-INSTALL file needs to be updated for Debian. Issue 19167[24].
-Some RTP streams make Wireshark crash when trying to play stream.
 Issue 19170[25].
-Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue
 19172[26].
-Incorrect mask in RTCP slice picture ID. Issue 19182[27].
-Dissection error in AMQP 1.0. Issue 19191[28].

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-20 19:08:57 -07:00
Khem Raj cf42a4421b mdio-tools: Update to latest on trunk
This brings fixed for compiling kmod with linux 6.4+

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-15 13:23:02 -07:00
Yi Zhao cb3864b380 open-vm-tools: Security fix CVE-2023-20867
CVE-2023-20867:
A fully compromised ESXi host can force VMware Tools to fail to
authenticate host-to-guest operations, impacting the confidentiality and
integrity of the guest virtual machine.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-20867

Patch from:
https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-29 14:45:34 -07:00
Archana Polampalli f504625983 tcpreplay: upgrade 4.4.3 -> 4.4.4
This release contains bug fixes only.
The following CVEs have been addressed:

CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789

Changelog:
=========
dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781
Bug #780 assert tcpedit dlt cleanup by @fklassen in #800
Fix bugs caused by strtok_r by @Marsman1996 in #783
Bug #782 #784 #785 #786 #787 #788 strtok r isuses by @fklassen in #801
Update en10mb.c by @david-guti in #793
PR #793 ip6 unicast flood by @fklassen in #802
Bug #719 fix overflow check for parse_mpls() by @fklassen in #804
PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805
PR #793 - update tests for vlandel by @fklassen in #806
Feature #773 gh actions ci by @fklassen in #807

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-26 05:12:55 -07:00
Beniamin Sandu 2638d458a5 unbound: add option to build with libevent
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-24 09:01:53 -07:00
Martin Jansa be8c765c7c *.patch: add Upstream-Status to all patches
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a

This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).

This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.

This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:

5 (26%) 	meta-xfce
6 (50%) 	meta-perl
15 (42%)        meta-webserver
21 (36%)        meta-gnome
25 (57%)        meta-filesystems
26 (43%)        meta-initramfs
45 (45%)        meta-python
47 (55%)        meta-multimedia
312 (63%)       meta-networking
756 (61%)       meta-oe

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-21 09:15:20 -07:00
Wang Mingyu 4c8b3a91c6 strongswan: upgrade 5.9.10 -> 5.9.11
Changelog:
==========
- A deadlock in the vici plugin has been fixed that could get triggered when
  multiple connections were initiated/terminated concurrently and control-log
  events were raised by the watcher_t component.
- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
  encoded (even if it's a CA), or a CA certificate without keyUsage extension.
- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
  openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
  earlier that was introduced with 5.9.10.
- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
  gained support for trap policies.
- The dhcp plugin uses an alternate method to determine the source address
  for unicast DHCP requests that's not affected by interface filtering.
- Certificate and trust chain selection as initiator has been improved in case
  the local trust chain is incomplete and an unrelated certreq is received.
- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
  policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
- Stale OCSP responses are now replace in-place in the certificate cache.
- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-19 10:24:49 -07:00
Johannes Kauffmann d04c39d753 ntpd: switch service type from forking to simple
Type=forking means systemd waits untill the main process, /usr/sbin/ntpd
in this case, has exited. However, the ntpd daemon does not seem to call
fork() or vfork() and runs endlessly untill killed. Eventually, this
causes systemd to trigger a timeout, and the ntpd service is killed. All
the while, "systemctl status ntpd" shows "activating (start)" instead of
"active (running)". This is fixed by switching Type=forking to
Type=simple.

Reading ntpd(8) shows that the "-n" option requests ntpd not to fork, so
also use that to be safe.

Finally, there is no need anymore to keep a pidfile around.

Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-15 10:28:20 -07:00
Wang Mingyu d2a38a5ec5 ntp: upgrade 4.2.8p16 -> 4.2.8p17
Changelog:
===========
* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
             event_sync.
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.
* Add tests/libntp/digests.c to catch regressions reading keys file or with
  symmetric authentication digest output.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-14 09:41:35 -07:00
Wang Mingyu a0b670cdac ipcalc: upgrade 1.0.2 -> 1.0.3
Changelog:
===========
- When --no-decorate is given the default output will
  include no colors (#28)
- Correctly split networks with /31 (#25)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-14 09:41:35 -07:00
Khem Raj a97b97bdaa spice-gtk: Fix build with lld linker
lld flags errors when checking for --version-script linker option since
the export file specifies symbols which do not exist during link, so in
a way it is right, however bfd linker works fine and ignores this error.

perhaps the meson check should be improved but until them lets add
--undefined-version option to linker when using lld

Fixes
aarch64-yoe-linux-ld.lld: error: TOPDIR/build/tmp/work/cortexa72-cortexa53-crypto-mx8-yoe-linux/spice-gtk/0.42-r0/git/src/spice-glib-sym-file:1: unknown directive: spice_audio_get
>>> spice_audio_get
>>> ^

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-14 09:41:35 -07:00
Armin Kuster 4bdd8014d5 wireshark: Update to a supported version 4.0.x
Drop CVE patch as its included.
Drop 0003-bison-Remove-line-directives.patch as file is not longer there.
refactor 0001-wireshark-src-improve-reproducibility.patch
LIC_FILES_CHKSUM changed do to re-structuring.
Remove TMPDIR found in some files.
Remove c-ares PACKAGECONFIG as its a required pkg

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-06 23:07:58 -07:00
Lei Maohui dd3ce95fb0 dovecot: Fix install conflict when enable multilib.
There's conflict of config.h between dovecot and lib32-dovecot.

The differences of config-64.h and config-32.h are as follows:
@@ -774,7 +774,7 @@
#define MODULE_SUFFIX ".so"

/* Maximum value of off_t */
-#define OFF_T_MAX LONG_MAX
+#define OFF_T_MAX LLONG_MAX

/* Name of package */
#define PACKAGE "dovecot"
@@ -834,7 +834,7 @@
#define PRIdTIME_T "ld"

/* printf() format for uoff_t */
-#define PRIuUOFF_T "lu"
+#define PRIuUOFF_T "llu"

/* printf() fmt for hex time_t */
#define PRIxTIME_T "lx"
@@ -846,19 +846,19 @@
#define SIZEOF_INT 4

/* The size of `long', as computed by sizeof. */
-#define SIZEOF_LONG 8
+#define SIZEOF_LONG 4

/* The size of `long long', as computed by sizeof. */
#define SIZEOF_LONG_LONG 8

/* The size of `void *', as computed by sizeof. */
-#define SIZEOF_VOID_P 8
+#define SIZEOF_VOID_P 4

/* Build SQL drivers as plugins */
/* #undef SQL_DRIVER_PLUGINS */

/* Maximum value of ssize_t */
-#define SSIZE_T_MAX LONG_MAX
+#define SSIZE_T_MAX INT_MAX

/* C99 static array */
#define STATIC_ARRAY static
@@ -887,13 +887,13 @@
/* #undef UOFF_T_INT */

/* Define if off_t is long */
-#define UOFF_T_LONG /**/
+/* #undef UOFF_T_LONG */

/* Define if off_t is long long */
-/* #undef UOFF_T_LONG_LONG */
+#define UOFF_T_LONG_LONG /**/

/* Maximum value of uoff_t */
-#define UOFF_T_MAX ULONG_MAX
+#define UOFF_T_MAX ULLONG_MAX

/* Build with checkpassword userdb support */
#define USERDB_CHECKPASSWORD /**/
@@ -935,7 +935,7 @@
#endif

/* Number of bits in a file offset, on hosts where this is settable. */
-/* #undef _FILE_OFFSET_BITS */
+#define _FILE_OFFSET_BITS 64

/* Define for large files, on AIX-style hosts. */
/* #undef _LARGE_FILES */

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-06 09:00:27 -07:00
Wang Mingyu d17e287c81 ntp: upgrade 4.2.8p15 -> 4.2.8p16
0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
0001-test-Fix-build-with-new-compiler-defaults-to-fno-com.patch
refreshed for new version.

Changelog
=========
- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-05 09:29:35 -07:00
Khem Raj cf298e28e9 ettercap: Do not generate #line directives with bison/flex
Fixes
File /usr/src/debug/ettercap/0.8.3.1-r0/utils/ef_grammar.c in package ettercap-src contains reference to TMPDIR

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-05-28 16:35:00 -07:00