Code maintenance / Compat changes
---------------------------------
- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
need special handling which we don't do, so the t_lpback self-test
failed on them. Exclude from list of allowed ciphers, as there is no
strong reason today to make OpenVPN use these.
- fix various compile-time warnings
Documentation updates
---------------------
- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
manpage, ...)
Bugfixes
--------
- Fix memcmp check for the hmac verification in the 3way handshake.
This bug renders the HMAC based protection against state exhaustion on
receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
CVE: 2025-13086
- fix invalid pointer creation in tls_pre_decrypt() - technically this is
a memory over-read issue, in practice, the compilers optimize it away
so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow using of "stdin" for the
config file, unless the caller is authorized OpenVPN Administrator
- Windows: in the interactive service, change all netsh calls to use
interface index and not interface name - sidesteps all possible attack
avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in
some "unlikely to happen" paths.
- auth plugin/script handling: properly check for errors in creation on
$auth_failed_reason_file (arf).
- for incoming TCP connections, close-on-exec option was applied to
the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 351ac66213)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
bpftrace sets the version by "git describe --dirty". Since we have a local
patch for bpftrace, '-dirty' will be added into the version, so set
CHECK_VERSION_PV to mute the version mismatch warning.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 219328f37c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* flite --version returns 1, which blocks version output for
check-version-mismatch.bbclass
* even with version output flite-2.2-current, the regular version match
regexp cannot match the version
so mute the version mismatch warning for flite
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d819512cb3)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==============
* Removed unintentional copy requirement from some of async functions parameter.
* Fixed Heap-use-after-free during broker shutdown.
* Refined documents.
* Added TLS Websocket verify none port to broker for browser.
* Added Certificate file's digitalSignature to keyUsage.
* Fixed wss connection from Web Browser handshake failed problem.
* Changed trial broker on `async-mqtt.redboltz.net` ws and wss port.
* ws was 10080 but Chrome block it by default. Updated to 80.
* wss was 10443 but Chrome doesn't block it by default. But for consistency, updated to 443.
* system_test still uses 10080 and 10443 to avoid conflict.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 43779307f4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Clang needs 64-bit atomics on rv32 here and builtins does
not have them so help it by linking with libatomic
Fixes
riscv32-yoe-linux-musl-ld.lld: error: undefined symbol: __atomic_fetch_add_8
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e3257c3360)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Add bash-completion directory to FILES to resolve the installed-vs-shipped QA error.
Fix:
ERROR: proj-9.7.0-r0 do_package: QA Issue: proj: Files/directories were installed but not shipped in any package:
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/projinfo
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
proj: 3 installed and not shipped files. [installed-vs-shipped]
ERROR: proj-9.7.0-r0 do_package: Fatal QA errors were found, failing task.
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1175d5c8c1)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
After upgrading hdf5 to 2.0.0, h5cc and h5hlcc will only be generated
when pkg-config is found. With current default config, it will not be
generated, remove related configs to fix do_package failure
| DEBUG: Executing shell function multilibscript_rename
| mv: cannot stat '/tmp/work/cortexa72-wrs-linux/hdf5/2.0.0/package/usr/bin/h5cc': No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 39ccbba725)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
Mostly bugfix release, with most focus on dmeventd, persistent reservations,
lvmdevices, and improvement in tests.
* Improvements in dmeventd thread safety, shutdown times and more.
* Many fixes and improvements for persistent reservations.
* Support output in list mode for all lvmconfig --typeconfig types with --list.
* Fix deadlock in lvmdbusd on SIGINT in lvm shell mode.
* And many more.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 22af3b81a7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
From the changelog.md file:
Version 2.8.137 (02/21/2025)
---
- Minor update to improve XML entity parsing within limits.
Version 2.8.136 (01/28/2025)
---
- Updated TLS/SSL demo server and client certificates and keys.
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 49894e57b0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This avoids overriding the original PACKAGE_BEFORE_PN value that could be
set in bbclasses.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nativesdk-python3-icontract is needed for the dependency tree :
`-> nativesdk-python3-pylddwrap
`-> nativesdk-python3-checksec-py
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nativesdk-python3-asttokens is needed for the dependency tree :
`-> nativesdk-python3-icontract
`-> nativesdk-python3-pylddwrap
`-> nativesdk-python3-checksec-py
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Acked-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to version 3.0.1:
- Fixed compilation error in `type_caster_enum_type` when casting
pointer-to-enum types. Added pointer overload to handle
dereferencing before enum conversion.
- Implement binary version of `make_index_sequence` to reduce
template depth requirements for functions with many parameters.
- Subinterpreter-specific exception handling code was removed to
resolve segfaults.
- Fixed issue that caused ``PYBIND11_MODULE`` code to run again if
the module was re-imported after being deleted from
``sys.modules``.
- Prevent concurrent creation of sub-interpreters as a workaround
for stdlib concurrency issues in Python 3.12.
- Fixed potential crash when using `cpp_function` objects with
sub-interpreters.
- Fixed non-entrant check in `implicitly_convertible()`.
- Support C++20 on platforms that have older c++ runtimes.
- Fix compilation with clang on msys2.
- Avoid `nullptr` dereference warning with GCC 13.3.0 and python
3.11.13.
- Fix potential warning about number of threads being too large.
- Fix gcc 11.4+ warning about serial compilation using CMake.
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 0.17.1:
- Fix missing visibility
- Fix incorrect paging computations that occurred when only a
subset of formats was enabled.
- Fix include issue with the COFF format
This work was sponsored by GOVCERT.LU.
License-Update: Update years
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 1.20.2:
- When opening tiled images, do not check against maximum image size
immediately to allow for tile-based decoding of very large images.
- Several smaller fixes in writing image sequences
- CMake option to disable building of heif-view, which pulls in
dependency on SDL
- Fixes reading/writing of GIMI content IDs
- Some build fixes
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 1.1.1:
- libheif was updated from the 1.20.1 to 1.20.2 version.
- macOS: Wheels now support older macOS versions like Catalina
(x86_64 CPU) or Ventura (ARM CPU)
1.0.0 changelog:
- Support for YCbCr AUX images.
- AVIF support was dropped, as the new upcoming Pillow has
native AVIF support.
- libde265 was updated from the 1.0.15 to 1.0.16 version.
- Removed deprecated PyPy 3.9 wheels & added PyPy 3.11 wheels.
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
They need a cert infrastructure to execute.
Mutual TLS authentication requires client/server certificates
and a proper PKI setup that doesn't exist in the minimal qemu ptest
environment. These are integration tests that need real
certificate infrastructure.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 12.0.0:
- Fix issue with forward references in parent TypedDict classes
- Exclude fields with exclude_if from JSON Schema required fields
- Revert URL percent-encoding of credentials in the build() method
of the AnyUrl and Dsn types
- Add type inference for IP address types
- Avoid getting default values from defaultdict
- Fix issue with field serializers on nested typed dictionaries
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release python3-pydantic:
- Fix issue with forward references in parent TypedDict classes
- Exclude fields with exclude_if from JSON Schema required fields
- Revert URL percent-encoding of credentials in the build() method
of the AnyUrl and Dsn types
- Add type inference for IP address types
- Avoid getting default values from defaultdict
- Fix issue with field serializers on nested typed dictionaries
- Add more pydantic-core builds for the three-threaded version of
Python 3.14
This work was sponsored by GOVCERT.LU
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 2.41.5:
- Correct invalid serialization of date/datetime/time/timedelta
by pulling downcast checks up
- Avoid getting default values from defaultdict
- ci: add more 3.14t builds, delete duplicate linux aarch64 build
- JsonValue: Deduplicate keys before populating Dict
- Fix: only percent-encode characters in the userinfo encode set
- Bump jiter from 0.11.0 to 0.11.1
- Bump regex from 1.11.3 to 1.12.2
- Bump percent-encoding from 2.3.1 to 2.3.2
- Fix issue with field_serializers on nested typed dicts
- Clean up GC traversal for some top-level types
- Add type inference for serializing ip address types
- Revert url credential encoding (to be reintroduced as an option
in future)
- optimizations in URL implementation
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 13.42:
- Added warning if tag arguments come before -csv= or -json= in
a command
- Added a new CanonModelID and RFLensType (thanks Norbert Wasser)
- Added ability to read XML as a block from Sony MP4 videos
- Added "EOS" to the R5 Mark II CanonModelID string
- Decode ReEditData in Samsung trailer
- Decode a couple more Sony rtmd tags from MP4 videos
- Tolerate some types of trailer corruption as caused by Samsung
Gallery
- Restrict decoding of MetaImageSize to HEIC files only
- Fixed issue writing Keys tags to Sony PMW-EX1R videos
- Fixed behaviour of CSV/JSON import when specifying tags to import
into an existing list, or when importing ValueConv values (ie.
"TAG#"), or when specifying a group name of "All"
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some post-processing options require an argument, otherwise a segfault
will occur:
root@qemux86-64:~# rasdaemon -p --status --ipid
Segmentation fault (core dumped) rasdaemon -p --status --ipid
Backport a patch to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[snip of Makefile]
# bison will create both sqlhist.tab.c and sqlhist.tab.h
sqlhist.tab.h:
sqlhist.tab.c: sqlhist.y sqlhist.tab.h
	bison --debug -v --report-file=bison.report -d -o $@ $<
[snip]
The sources of libtracefs are fetched by git, so the mtimes of sqlhist.y and
sqlhist.tab.c are random. So sometimes sqlhist.tab.c is regenerated, and
sometimes the sqlhist.tab.c from the original sources is used. The bison used
to generate sqlhist.tab.c by upstream libtracefs may have a different
version from the build host one. This makes the final libtracefs.so not
reproducible. This fix touches sqlhist.tab.c so that it has the newest
mtime and sqlhist.tab.c is not regenerated during the build.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>