the commit addressing CVE-2022-41973 caused new QA errors due to
.so symlinks getting slurped into multipath-tools-libs:
QA Issue: non -dev/-dbg/nativesdk- package multipath-tools-libs
contains symlink .so '/usr/lib/libdmmp.so'
...
Fix this by making the new pattern for multipath-tools-libs package
more specific.
Signed-off-by: S. Lockwood-Childs <sjl@vctlabs.com>
It fixes CVE-2022-45062 in xfce4-settings 4.16.5.
CVE: CVE-2022-45062
$ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5 | grep -v "Update translation"
83ea11cf Updates for release
f1cb5bda mime-settings: Properly quote command parameters
f7707d8b Revert "Escape characters which do not belong into an URI/URL
(Issue #390)"
b532324f Back to development
b9729c85 Updates for release
55e3c5fb Escape characters which do not belong into an URI/URL (Issue #390)
341443f8 Prefer full command when basic command is env (Fixes#358)
8d4106b3 Back to development
024399b1 Updates for release
af601e32 build: Fix intltool lock file problem during make distcheck
0875cfba xfsettingsd: Fix recursive lock in libX11 (Fixes#369)
20d866dc Back to developmen
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
[ alt summary
4.16.5 (2022-11-12)
======
- mime-settings: Properly quote command parameters
- Revert "Escape characters which do not belong into an URI/URL (Issue
4.16.4 (2022-11-07)
======
- Escape characters which do not belong into an URI/URL (Issue #390)
- Prefer full command when basic command is env (Fixes#358)
- Translation Updates:
Japanese, Portuguese, Russian
4.16.3
======
- xfsettingsd: Fix recursive lock in libX11 (Fixes#369)
- build: Fix intltool lock file problem during make distcheck
- Translation Updates:
Armenian (Armenia), Belarusian, Catalan, English (Canada), English
(United Kingdom), Estonian, Galician, Greek, Indonesian, Kazakh,
Korean, Lithuanian, Malay, Occitan (post 1500), Polish, Romanian,
Swedish
]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Distutils package and pipes are deprecated and slated for removal in Python 3.13 for Nodejs 16.18
Replaced distutils with setuptools
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
/dev/shm may have unsafe permissions. Use /run instead.
Use systemd's tmpfiles.d mechanism to create /run/multipath
early during boot.
For backward compatibilty, make the runtime directory configurable
via the "runtimedir" make variable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41973
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
tests/test_downloadutils.py::test_stream_response_to_specific_filename
requests_toolbelt/downloadutils/stream.py:161: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
if path and isinstance(getattr(path, 'write', None), collections.Callable):
Upstream-Status: Backport [https://github.com/requests/toolbelt/commit/7188b06330e5260be20bce8cbcf0d5ae44e34eaf]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When cleaning the package during rebuild in base_do_configure()
'make clean' deletes docs/dool.1. This files comes from source repository
but can't be recreated using 'make docs'.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Drop Openssl legacy provider patch and install both binaries patch
which are already available in 16.x
* Refresh native binaries patch against 16.x base
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Compile redis with full systemd support when the chosen init system is
systemd.
Enabling systemd supervision allows redis to communicate the actual
server status (i.e. "Loading dataset", "Waiting for master<->replica
sync") to systemd, instead of declaring readiness right after
initializing the server process.
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is no need for these configs on their own and they would only mess
up the sechash and privdrop configs. To actually enable sechash one also
had to enable nss, and to enable privdrop one also had to enable libcap.
This also avoids passing --with-libcap if privdrop is enabled since the
option does not exist.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Support for readline was dropped in Chrony 4.2. Enabling the readline
PACKAGECONFIG would result in no suppport for command line editing as
only editline is supported and it would be disabled.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond
with the earlier change to use setuptools3_legacy instead of distutils3.
Without this change, you will get the following error if your build host
does not have iptables installed:
Fixes:
ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed.
Log data follows:
| DEBUG: Executing shell function do_compile
| ERROR: could not find required binary 'iptables'
| ERROR: 'python3 setup.py build ' execution failed.
| WARNING: exit code 1 from a shell command.
ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1'
Also, although the build will not fail on a host that has iptables, it
could cause a problem if it is installed at a different path than where
OpenEmbedded's iptables will be installed on the target.
Fixes: 3e2ed1dcc0 ("ufw: port to setuptools, use setuptools_legacy")
Signed-off-by: Howard Cochran <howard_cochran@jabil.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Upgrade summary:
----------------
- drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with
upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
- drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
- rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
- refresh patches with devtool to get rid of fuzz
Changelog:
----------
*5.9.3*:
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Windows:
- WinExtDLL: Fix multiple compiler warnings
- WinExtDLL: Make long strings occupy a single line Make it easier to
look up error messages in the source code by making long strings
occupy a single source code line.
- WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit
Windows systems") caused snmpd to skip MIB-II on 64-bit systems.
IF-MIB: Update ifTable entries even if the interface name has changed
At least on Linux a network interface index may be reused for a
network interface with a different name. Hence this patch that
enables replacing network interface information even if the network
interface name has changed.
unspecified:
- Moved transport code into a separate subdirectory in snmplib
- Snmplib: remove inline versions of container funcs".
misc:
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
*5.9.2*:
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf4a826c7d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since it's included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 79ed6782a6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* cec-client doesn't link with libcec, but uses LibCecInitialise to
dlopen libcec, so do_package cannot add the runtime dependency
automatically
* fixes:
root@rpi4:# cec-client -l
libcec.so.6: cannot open shared object file: No such file or directory
root@rpi4:# cecc-client -l
libcec.so.6: cannot open shared object file: No such file or directory
libcec.so.6: cannot open shared object file: No such file or directory
libcec/6.0.2-r0 $ objdump -p ./build/src/cec-client/cec-client-6.0.2 | grep NEEDED
NEEDED libncurses.so.5
NEEDED libtinfo.so.5
NEEDED libstdc++.so.6
NEEDED libgcc_s.so.1
NEEDED libc.so.6
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This tweak is needed for building audit but not the interfaces it may
expose via the headers, therefore undo the tweak before packaging things
up
Reported-By: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4ff83dfb5a)
The patch for removing 'QA issues' with pg_config was incomplete, it did not
change the number of items supposed to be in the configdata stucture. This leads to
get_configdata function asserting, and pg_config command does not work
Signed-off-by: Steffen Olsen <steffen.olsen@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 730c85613e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The test case tfork_cmd_send in smbtorture fails on target as it
requries a script located in the source directory:
$ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
test: tfork_cmd_send
/buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh:
Failed to exec child - No such file or directory
This also triggers the buildpaths warning:
QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
Skip this test case in smbtorture to avoid the warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b8b5dbe03)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changqing Li
S. Lockwood-Childs
Mingli Yu
Siddharth Doshi
Polampalli, Archana
Yogita Urade
Narpat Mali
Alexander Stein
He Zhe
Zheng Qiu
Hitendra Prajapati
Peter Kjellerstedt
Martin Jansa
Chase Qi
Alexander Thoma
Carsten Bäcker
Philippe Coval
Howard Cochran
Yi Zhao
Wang Mingyu
Ovidiu Panait
Chen Qi
Hitomi Hasegawa
Sakib Sajal
Richard Purdie
Khem Raj
Steffen Olsen