Changelog:
==========
- Issue 2057 - SQL Injection in mod_wrap2_sql via reverse DNS
hostname (CVE-2026-44331).
- Issue 2056 - Incomplete fix for session management with OpenSSL 3.2.x or
later, when using TLSv1.2 or earlier. This complements the fix for
Issue #1963.
- Issue 2098 - Hard quota limits on uploads do not cause SFTP WRITE requests
to fail as expected.
- Issue 2102 - SSH payload length underflow calculation for ETM/ChaChaPoly
algorithms in mod_sftp.
- Issue 2104 - SSH packet with empty payload triggers null pointer dereference
in mod_sftp.
- Issue 2106 - Bad DSA signatures can lead to out-of-bounds read of heap memory
in mod_sftp.
- Issue 2108 - Mismatched RSA/DSA algorithm signatures can lead to null
dereference in mod_sftp.
- Issue 2115 - SFTP request payload length underflow calculation in mod_sftp.
- Issue 2120 - Several modules fail to build using OpenSSL 4.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
After the recent recipe update I see this build error:
| Makefile.linux:67: config.mk: No such file or directory
| make: *** No rule to make target '/configure', needed by 'config.mk'. Stop.
Run the configure script so that config.mk gets created.
Also fix LIC_FILE_CHECKSUM. Copyright year has been changed.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Several useful clients are available as part of the overall mDNSResponder
build, package these alongside the main binary.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Be explicit about where we're taking the installation pieces from rather than
having the complexity of mixed build/source pieces based on current directory
and then confusing anyone who tries to append to do_install.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
These three knobs are exposed to reduce the code size for embedded (see
mDNSCore/mDNSEmbeddedAPI.h). If you need them, you'll know you need
them, everyone else almost certainly doesn't.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Drop 0001-Add-OpenEmbedded-cross-compile-case.patch as genconfig.sh
was removed upstream in 2.3.x.
Signed-off-by: Filipe Pires <filipe.pires@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
A buffer overflow in dnsmasq’s extract_addresses() function allows
an attacker to trigger a heap out-of-bounds read and crash by
exploiting a malformed DNS response, enabling extract_name()
to advance the pointer past the record’s end.
Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-5172 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
dnsmasq's extract_name() function can be abused to cause a heap buffer
overflow, allowing an attacker to inject false DNS cache entries,
which could result in DNS lookups to redirect to an attacker-controlled
IP address, or to cause a DoS.
Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-2291 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
* Refresh patch to mute patch-fuzz
* Remove 0001-makedefs-Account-for-linux-7.x-version.patch
* This upgrade includes the following commit, which lets postfix
compile on the latest stable Ubuntu 26.04, which has a Linux 7.x kernel:
Postfix works on Linux 7.x kernels. Frank Scheiner. Files:
makedefs, util/sys_defs.h.
Changes:
https://www.ftp.saix.net/MTA/postfix/official/postfix-3.11.2.HISTORY
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a systemd PACKAGECONFIG option to install nftables systemd unit files.
When "systemd" is present in DISTRO_FEATURES, the option is enabled and
the service is installed but disabled by default.
Signed-off-by: Piotr Wejman <piotr.wejman@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=============
- Fix build with SWIG 4.4.
- Fix build in the event some parts of Boost are installed but Boost.Locale is not.
- Make GetClient() work in the OnClientGetSASLMechanisms module callback.
- Stop accidentally requiring new perl 5.35.1, regression from 1.10.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Multiple hardening fixes across PureDB, the IP access checker, PAM, LDAP,
quota handling, and pure-pwconvert.
- IP access rules now support IPv6 patterns. Hostname rules are resolved
using the client's address family, so AAAA records can match IPv6 clients;
previously this path was IPv4-only.
- Malformed CIDR widths in PureDB allow/deny lists now fail closed and a
warning is logged identifying the offending pattern.
- LDAP searches that return more than one entry are now rejected as
ambiguous and a warning is logged identifying the offending uid.
- Malformed quota files no longer reset usage to zero; the failure
surfaces during quota checks instead.
- PureDB virtual users with a non-numeric or partially numeric uid or
gid field are now rejected. Records with uid or gid 0 continue to require
ACCEPT_ROOT_VIRTUAL_USERS at build time, as documented.
- Anonymous LDAP binds work again after a regression introduced in 1.0.53.
- Pure-pwconvert skips entries whose fields contain ':' or newline
characters rather than emitting corrupted records.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Use SOURCE_DATE_EPOCH to set MAKE_STAMP instead of using the current
time, thereby improving reproducibility.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The dns-updown script is written in bash which is under the GPLv3
license. As this script is optional, it is preferred to have it in an extra
package.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Switch to psa_crypto_init() which initialises all crypto subsystems,
this works for both Mbed TLS 3 and 4. Also set the daemon version so
it's correctly reported at runtime.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- CVE-2026-35328 - Fixed a vulnerability in libtls related to the processing of
the supported_versions extension in TLS that can result in an infinite loop.
- CVE-2026-35329 - Fixed a vulnerability in libstrongswan and the pkcs7 plugin
related to the processing of encrypted PKCS#7 containers that can result in
a crash.
- CVE-2026-35330 - Fixed a vulnerability in libsimaka related to the
processing of certain EAP-SIM/AKA attributes that can result in an infinite
loop or a heap-based buffer overflow and potentially remote code execution.
- CVE-2026-35331 - Fixed a vulnerability in the constraints plugin related to
the processing of X.509 name constraints that can allow authentication with
certificates that violate the constraints.
- CVE-2026-35332 - Fixed a vulnerability in libtls related to the processing of
ECDH public values in TLS < 1.3 that can result in a crash.
- CVE-2026-35333 - Fixed a vulnerability in libradius related to the processing
of RADIUS attributes that can result in an infinite loop or an out-of-bounds
read that may cause a crash.
- CVE-2026-35334 - Fixed a vulnerability in the gmp plugin related to RSA
decryption that can result in a crash.
- Made the Botan RNG types used/provided by the botan plugin configurable.
- The fix for the vulnerability in the constraints plugin now causes all
certificates that contain excluded name constraints of type directoryName (DN)
to get rejected.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Add a new addressing mode "mscc": Used to access PHYs from Microchip that
use C22 register 31 as a page register
- Fix VPATH builds and various other build related warnings
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add initial recipe for Cloudflare Tunnel client (cloudflared).
The upstream source vendors all Go dependencies so no go-mods.inc
is needed.
Includes systemd service with token-based authentication
via /etc/default/cloudflared.
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The introduction of DISTRO_FEATURES_OPTED_OUT allows rewriting the
DISTRO_FEATURES by removing whatever is in DISTRO_FEATURES_OPTED_OUT
from DISTRO_FEATURES.
Thus, the logic of vala can be negated, and it can be changed to
see if gobject-introspection-data is available in DISTRO_FEATURES.
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
In Linux, memcached relies on transparent huge pages, and even if
libhugetlbfs is enabled by the PACKAGECONFIG (and detected during
do_configure, of course), it is simply not used:
    root@qemuriscv64:~# ldd $(which memcached)
            linux-vdso.so.1 (0x0000003fa4358000)
            libevent-2.1.so.7 => /lib/libevent-2.1.so.7 (0x0000003fa42b0000)
            libc.so.6 => /lib/libc.so.6 (0x0000003fa4157000)
            /usr/lib/ld-linux-riscv64-lp64d.so.1 (0x0000003fa435a000)
The main reason is the fact that the only call to a function coming from
libhugetlbfs is here:
https://github.com/memcached/memcached/blob/master/memcached.c#L4274
and getpagesizes() is only called if the #if block evaluates to true:
    int ret = -1;
    size_t sizes[32];
    int avail = getpagesizes(sizes, 32);
    (...)
    /* check if transparent hugepages is compiled into the kernel */
    /* RH based systems possibly uses a different path */
    static const char *mm_thp_paths[] = {
        "/sys/kernel/mm/transparent_hugepage/enabled",
        "/sys/kernel/mm/redhat_transparent_hugepage/enabled",
        NULL
    };
    (...)
This block relies on HAVE_MEMCNTL, which is a Solaris-specific feature.
Therefore, the dependency link between memcached and libhugetlbfs
doesn't exist in Linux.
Drop libhugetlbfs from memcached's recipe.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>