mongodb is in the dynamic-layers section of meta-oe, and not available
by default - which makes the layer not YP compatible.
To avoid this breakage, remove mongodb from RDEPENDS.
To run ptests fully, this is still required to be present however
(bbappend, or local.conf...).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Security-sensitive parts of the Python HTTP parser retained minor differences in
allowable character sets, that must trigger error handling to robustly match frame
boundaries of proxies in order to protect against injection of additional requests.
Additionally, validation could trigger exceptions that were not handled consistently
with processing of other malformed input. Being more lenient than internet standards
require could, depending on deployment environment, assist in request smuggling. The
unhandled exception could cause excessive resource consumption on the application
server and/or its logging facilities. This vulnerability exists due to an incomplete
fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-23829https://security-tracker.debian.org/tracker/CVE-2024-23829
Upstream patch:
https://github.com/aio-libs/aiohttp/commit/d33bc21414e283c9e6fe7f6caf69e2ed60d66c82
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Add ptest support for inotify-tools by introducing a run-ptest script.
The ptest verifies the correct functioning of inotify event handling
and related utilities.
Test coverage includes:
- File creation, modification, and deletion event monitoring
- Event handling and command-line option parsing
- Basic consistency and behavior of inotify event queues
The ptest completes in under 20 seconds
output:
root@qemux86-64:~# ptest-runner inotify-tools
START: ptest-runner
BEGIN: /usr/lib/inotify-tools/ptest
If you want to do a malloc trace, set MALLOC_TRACE to a path for logging.
event_to_str: test begin
event_to_str: test end
event_to_str_sep: test begin
event_to_str_sep: test end
str_to_event: test begin
str_to_event: test end
str_to_event_sep: test begin
str_to_event_sep: test end
basic_watch_info: test begin
basic_watch_info: test end
watch_limit: test begin
watch_limit: Warning, this test may take a while
watch_limit: test end
tst_inotifytools_snprintf: test begin
tst_inotifytools_snprintf: test end
Out of 362746 tests, 362746 succeeded and 0 failed.
All tests passed successfully.
DURATION: 16
END: /usr/lib/inotify-tools/ptest
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Verified that enabling ptest does not modify existing package contents
for inotify-tools
Signed-off-by: Nikhil R <nikhil.r@bmwtechworks.in>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Pick patches according to oe-core patch for this CVE in wpa-supplicant.
Leave out commit which patched only files not present in hostapd.
Note that Debian just picked the last commit (actually fixing the CVE)
and removed not-applicable parts, but it is probably better to be
consistent with oe-core status.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Pick patches as listed in NVD CVE report.
Note that Debian lists one of the patches as introducing the
vulnerability. This is against what the original report [1] says.
Also the commit messages provide hints that the first patch fixes this
issue and second is fixing problem with the first patch.
[1] https://jvn.jp/en/jp/JVN19358384/
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The previous version installed the examples as ptests, not the actual tests.
This change compiles the tests on the build machine, install them, and execute
them on the target machine.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
1. Fix tests that output colored text but try to verify uncolored text - filter the
output through "tee" to remove coloring.
2. Add missing dependency
3. Fix a test that fails when C.utf-8 locale is not available on the machine (patch submitted upstream)
4. Enable network connection by setting a nameserver in resolv.conf
While execution is possible, it still requires both ostree and busybox to be compiled statically.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
1. Add a patch to fix an incorrect and failing test
2. Add missing dependencies and test files
3. Enable network in run-ptest script by adding a nameserver
4. Start mongodb from run-ptest script, if it wouldn't be running.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Though tzdata is present in almost all images, some of them are lacking it:
most notably minimal ptest images. mongodb relies on tzdata, otherwise it
doesn't even start up. To ensure that mongodb can be started up
successfully, explicitly add tzdata to its dependencies.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Add missing dependencies.
Also, fixing the tests have surfaced an actual bug: the module
expects unversioned perl library to be present on the system
(or at least present in Perl's $Config{libperl}), however the
OE Perl build has a versioned library, which causes final linking
to fail.
A patch to correct this is part of this change, and it has been
submitted upstream also.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Disable host key checking during tests, so the test can be executed without
human intervention. Also add missing dependency.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
- Detect active network interface to use, instead of asking user, this needs
to run in automation
- Find the location of ppp_null.so with find instead of rpm, rpm is a distro choice
it can be assumed to be always there.
- Add missing runtime deps for ptests
- Kill openl2tpd started by run-ptest script before exiting, otherwise
ptest runner hangs forever.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d30427f475)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The version don't match and only the Jenkins plugin is affected.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 524acf0542)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE))
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Vulnerability in the MySQL Client product of Oracle MySQL (component:
Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41,
8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Client. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all MySQL Client
accessible data as well as unauthorized update, insert or delete access to
some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality
and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-30722
Upstream-patch:
https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Rajeshkumar Ramasamy
Gyorgy Sarvari
Soumya Sambu
Nikhil R
Peter Marko
Yi Zhao
Chen Qi
Zhang Peng
Khem Raj
Ninette Adhikari
Alexandre Truong
Divya Chellam