Fixes the occasional error:
# cd /etc/raddb/certs
# ./bootstrap
[snip]
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
The matching entry has the following details
Type :Valid
Expires on :200908024833Z
Serial Number :02
File name :unknown
Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
make: *** [Makefile:128: client.crt] Error 1
Add the check to fix the above error and it does the same for server.crt.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixed when rebuild:
DEBUG: Executing shell function autotools_preconfigure
NOTE: make clean
aclocal
autoheader
autoconf
You need to call ./configure with appropriate arguments (again).
make: *** [Makefile:287: config.status] Error 1
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since networkmanager: upgrade 1.22.10 -> 1.22.14, it added a new
build option 'firewalld-zone', while enabling multilib, there is
a QA issue
...
ERROR: QA Issue: networkmanager: Files/directories were installed but not shipped in any package:
/usr/lib/firewalld
/usr/lib/firewalld/zones
/usr/lib/firewalld/zones/nm-shared.xml
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- removed B = "${S}", which is the default anyway
- removed FILES_${PN} =+ "${bindir}",
as it's already covered by ${PN}-bin package
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2.1.3
Changes
* Force cython to use python language version 3
Bugs fixed
* Fix tooltip not updating when bluetooth is disabled
* Fix dbus timeout in DhcClient
* Call the right method when pulseaudio crashes
* Handle os.remove failing
2.1.2
Bugs fixed
* Signal bar updates with multiple adapters
* Pairing with pincode
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
================================================
NetworkManager-1.22.14
Overview of changes since NetworkManager-1.22.12
================================================
This is a new stable release of NetworkManager. Notable changes include:
* ifcfg-rh: handle "802-1x.{,phase2-}ca-path". Otherwise setting this
property silently fails and a profile might accidentally not perform
any authentication (CVE-2020-10754).
* ifcfg-rh: handle 802-1x.pin properties.
================================================
NetworkManager-1.22.12
Overview of changes since NetworkManager-1.22.10
================================================
This is a new stable release of NetworkManager. Notable changes include:
* Fix a bug preventing lease renewal in the internal DHCP client.
* Add a new build option 'firewalld-zone'; when enabled,
NetworkManager installs a firewalld zone for connection sharing and
puts interfaces using IPv4 or IPv6 shared mode in this zone during
activation. The option is enabled by default.
Note that NetworkManager still calls to iptables to enable
masquerading and open needed ports for DHCP and DNS. The new option
is useful on systems using firewalld with the nftables backend,
where the iptables rules would not be sufficient.
* Support changing the MTU of OVS interfaces.
* Better handle a restart of ovsdb process.
* Support the 'no-reload' and 'trust-ad' resolv.conf options.
* Various minor bug fixes and improvements.
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Source: net-snmp.org
MR: 104509
Type: Security Fix
Disposition: Backport from https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8
Description:
Fixes CVE-2019-20892 which affect net-snmp <= 5.8pre1
Had to fix up some file do to later code restructioning.
"int refcnt;" addition was done in include/net-snmp/library/snmpusm.h
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
>From [1]
* Increase cache buffers size to accomodate VLAN edits (#594)
* Correct L2 header length to correct IP header offset (#583)
* Fix warnings from gcc version 10 (#580)
* Heap Buffer Overflow in randomize_iparp (#579)
* Use after free in get_ipv6_next (#578)
* Heap Buffer Overflow in git_ipv6_next (#576)
* Call pcap_freecode() on pcap_compile() (#572)
* Increase max snaplen to 262144 (#571)
* Fix divide by zero in fuzzing (#570)
* Unique IP repeats at very high iteration counts (#566)
* Fails to compile on FreeBSD amd64 13.0 (#558)
* Heap Buffer Overflow in do_checksum (#556) (#577)
* Attempt to correct corrupt pcap files, if possible (#557)
* Fix GCC v10 warnings (#555)
* Remove some duplicated SOURCES entries (#551)
* Expand /dev/bpfX hard limit to fix macOS Mojave (#550)
* Implement --loopdelay-ms when using --loop=0 (#546)
* Heap overflow packet2tree and get_l2len (#530)
[1] https://github.com/appneta/tcpreplay/releases
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The "ssl" PACKAGECONFIG setting contains WITH_EC_OFF instead of
WITH_EC=OFF, resulting in a build break when "ssl" is not set.
Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As ??= assignment will be overwritten by += in any case,
one can't define a default of PACKAGECONFIG in this recipe.
Using _append instead mitigates chances of accidental overwriting
the default
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-0001-chdeck-for-gettid-API-during-configure.patch
Removed since this is included in 2.9.16
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refreshed patches for 5.8 due to the following:
ERROR: net-snmp-5.8-r0 do_patch: Command Error: 'quilt --quiltrc .../net-snmp/5.8-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
Applying patch 0001-Add-pkg-config-support-for-building-applications-and.patch
patching file configure
...
Hunk #1 succeeded at 32248 with fuzz 2 (offset 1826 lines).
Hunk #2 FAILED at 31447.
1 out of 2 hunks FAILED -- rejects in file configure
...
Patch 0001-Add-pkg-config-support-for-building-applications-and.patch does not apply (enforce with -f)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Full changelog:
Version 5.0 - 4/22/2020
Major security updates. The key exchange and key derivation algorithms
were modified and supported algorithms were pruned using TLS 1.3 as a
basis. This includes:
- HKDF used in multiple stages for key derivation from raw shared secrets.
- Included addtional context in key derivation and signatures to protect
against replay attacks and downgrade attacks.
- Reduced set of supported EC curves to those supported by TLS 1.3
- Removed RSA key exchange which does not provide perfect forward secrecy.
All key exchanges now use ECDH.
- Removed support for SHA-1 hashes in key exchanges.
- Supported symmetric ciphers are AES in AEAD mode (GCM or CCM).
- Increased supported RSA key sizes
Encrypted sessions are now enabled by default. It can be disabled by
specifying "none" for the key type in the server's -Y option.
Backward compatibility retained for version 4.x in clients and proxies.
When communicating with a 4.x server, only allow algorithms and key
exchange modes permitted in the new version.
Clients and proxies no longer need to use signature keys that match the
type and size used by the server. As a result, the -k and -K options to
the client now only accept a single key instead of multiple. The proxy
still supports multiple keys for 4.x compatibility, however only the first
key listed is used for any version 5.x session.
Proxies now send their keys in a separate message instead of injecting them
in the ANNOUNCE sent by the server. This allows clients to be fully
aware of proixes and allows them to authenticate servers and proxies
separately.
Format of client's server list modified to specify the proxy that a server
communicates through. Fingerprints listed in this file now always
specify the server as opposed to having the proxy's key in some cases.
Added -R option to client to specify a list of proxies along with their
public key fingerprints. The old use of -R to specify a version 4.x
response proxy has moved to -r.
Previously, using -S in the client or proxy to specify a server list would
automatically enable source specific multicast (SSM). The use of SSM is
now enabled separately via the -o option on both the client and proxy.
Fixed a bug that caused ECDSA signatures created on Linux with curve
secp521r1 from being verified successfully on Windows.
Fixed cleanup on clients and proxies to prevent occasional crashes on
shutdown under Windows.
Update timstamps in messages to use 64-bit microseconds since the epoch,
addressing Y2038 issues.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Make sure PNBLACKLIST assignments in recipe files use weak assignment,
so they can be overridden in, for example, local.conf files.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-dnsmasq/0001-dnsmasq-fix-build-against-5.2-headers.patch
-dnsmasq/0001-dnsmasq-fix-memory-leak-in-helper-c.patch
Removed since these are included in 2.81
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
it needs to link with libsystemd when using systemd as init system
Fixes
Package libsystemd was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd.pc'
to the PKG_CONFIG_PATH environment variable
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a security release in order to address the following defects:
CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes building TCPDump without OpenSSL. Current version does not
recognize the option --without-openssl.
Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It is unnecessary, and libbsd uses the "BSD-4-Clause" license, which can
be problematic.
To make it deterministic, a patch is introduced to allow libbsd support
to be disabled. It resembles similar patches in, e.g., libldb,
libtalloc, libtdb and libtevent.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There are some shell scripts such as kea-admin,
upgrade_4.0_to_5.0.sh, wipe_data.sh and etc contain
build path.
Actually the build path is meanlingless on the target,
so replace abs_top_builddir to abs_top_builddir_placeholder
to avoid expanding abs_top_builddir which introduces
build path.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Mingli Yu
Armin Kuster
Robert Yang
Hongxu Jia
Konrad Weihmann
Andre Carvalho
Adrian
Zang Ruochen
Andreas Müller
Jacopo Dall'Aglio
Ovidiu Panait
Wang Mingyu
Zheng Ruoqin
Pierre-Jean Texier
Martin Kelly
Patrick Williams
Robert P. J. Day
Adrian Bunk
Khem Raj
Yi Zhao
Alexander Vickberg
Alejandro Enedino Hernandez Samaniego
Peter Kjellerstedt