Code maintenance / Compat changes
---------------------------------
- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
need special handling which we don't do, so the t_lpback self-test
failed on them. Exclude from list of allowed ciphers, as there is no
strong reason today to make OpenVPN use these.
- fix various compile-time warnings
Documentation updates
---------------------
- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
manpage, ...)
Bugfixes
--------
- Fix memcmp check for the hmac verification in the 3way handshake.
This bug renders the HMAC based protection against state exhaustion on
receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
CVE: 2025-13086
- fix invalid pointer creation in tls_pre_decrypt() - technically this is
a memory over-read issue, in practice, the compilers optimize it away
so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow using of "stdin" for the
config file, unless the caller is authorized OpenVPN Administrator
- Windows: in the interactive service, change all netsh calls to use
interface index and not interface name - sidesteps all possible attack
avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in
some "unlikely to happen" paths.
- auth plugin/script handling: properly check for errors in creation on
$auth_failed_reason_file (arf).
- for incoming TCP connections, close-on-exec option was applied to
the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 351ac66213)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==========
- Implement support for CURLOPT_CAINFO_BLOB
- Added support for CURLOPT_SSLCERT_BLOB
- Refactor: Pass std::string_view by value instead of by const reference
- Add connection pool option (V3)
- fix: Calling empty callbacks
- fix: callback function pointer type mismatch in writeFunction
- 1.12.0 CI Fixes
- fix: Cmake config file
- fix: make is_same_v check constexpr in set_option_internal
- cpr::MultiPerform fixes - #1047 and #1186
- Bump actions/setup-python from 5 to 6
- Bump actions/checkout from 3 to 5
- Allow disabling PSL
- Make curl dependency management optional
- curl_container: allow calling GetContent without CurlHolder
- Bump stefanzweifel/git-auto-commit-action from 6 to 7
- Bump actions/upload-artifact from 4 to 5
- Bump actions/setup-python from 1 to 5
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since commit 3200122d68 (chrony: create /var/lib/chrony by systemd-tmpfiles)
tmpfiles.d mechanism already ensures populating /var/lib/chrony at runtime.
Introduce volatiles mechanism to make sure the directory is created
at runtime for sysvinit as well.
Since /var/lib/chrony is populated at runtime, stop packaging at build time.
this helps to align towards stateless system expectations
or when updates are done via meta-updater.
Signed-off-by: Vishwas Udupa <vudupa@qti.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The libtalloc recipe did not properly populate the pytalloc package
because pytalloc was listed after the main libtalloc package in the
PACKAGES variable. As a result, the pytalloc package contained only
talloc.so and was missing other required files.
Signed-off-by: Moraless Philius <moraless.philius5@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version tunctl
INFO: Current version: 1.5
INFO: Latest version:
After the patch:
$ devtool latest-version tunctl
INFO: Current version: 1.5
INFO: Latest version: 1.5
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version openipmi
INFO: Current version: 2.0.36
INFO: Latest version:
After the patch:
$ devtool latest-version openipmi
INFO: Current version: 2.0.36
INFO: Latest version: 2.0.37
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Inherit sourceforge-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version netcat
INFO: Current version: 0.7.1
INFO: Latest version:
After the patch:
$ devtool latest-version netcat
INFO: Current version: 0.7.1
INFO: Latest version: 0.7.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Source branch was renamed from master to main.
Drop patch that was incorporated in this release.
Changelog:
Use GitHub actions for CI
Allow to manually define CPUs for trafgen
Fix make install and output netsniff-ng stats on stderr
trafgen: Fix for ipv6 header generation when L3-only devices are present
mausezahn: use getopt_long instead of getopt
build: fix install dependencies in Makefile template
trafgen: move cpu stats temp file to /tmp
ring_tx: handle EINTR from sendto
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
1.Fix following dovecot.service starting error.
dovecot[364]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 48: cert_file: open(/etc/dovecot/ssl-cert.pem) failed: No such file or directory
systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
systemd[1]: dovecot.service: Failed with result 'exit-code'.
2. There is no need to do "touch ${D}/etc/dovecot/dovecot.conf" as it was created by dovecot after dovecot was upgraded to 2.4.1-4.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
mctp-2.4 was released. It includes a previously submitted patch,
so drop that.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-Fix-compilation-with-musl.patch is obsolete due to
948ecf8 ("hash: include util.h for MIN macro") included in chrony since
version 3.5.
From chrony's NEWS [1] for the 4.8 release:
Enhancements
------------
* Add maxunreach option to limit selection of unreachable sources
* Add -u option to chronyc to drop root privileges (default chronyc user
is set by configure script)
Bug fixes
---------
* Hide chronyc socket to mitigate unsafe permissions change
* Fix refclock extpps option to work on Linux >= 6.15
* Validate refclock samples for reachability updates
[1] https://chrony-project.org/news.html
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Major Changes in 0.16:
Added
Added DMA-BUF encoder support for GStreamer 1.24+
Implemented hardware-accelerated encoding for Intel GPUs
Added environment variable SPICE_CONVERTER_PREFERRED_FORMAT to override converter format
Multi-plane GL scanout support (new spice_qxl_gl_scanout2())
Changed
Improved memslot to preserve address bits for ARM64 TBI/AMD UAI/Intel LAM
Optimized BGR24/BGRX32 conversion when JCS_EXTENSIONS is defined
Removed GStreamer 0.10 support
Send real time to client, instead of synchronizing on both ends, attempting to fix latency issue
Fixes
Fixes a GL_DRAW cookie assertion race
Add SSL_OP_NO_RENEGOTIATION fallback path, fixing w/LibreSSL 3.7.2 builds
Fix Win32 builds
Fix TCP_NOPUSH usage on Darwin
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Major changes in 0.14.5
=======================
* Add SPICE_MSG_DISPLAY_GL_SCANOUT2_UNIX
* Fix for Windows Arm64 build
Signed-off-by: Khem Raj <raj.khem@gmail.com>
I removed the CVE_STATUS setting for CVE-2016-4983 when this recipe was
updated to 2.4.1-4 - but that was a mistake, the CVE database considers
(incorrectly) even the latest version as vulnerable.
Revert that mistake by adding back the correct CVE_STATUS to the recipe.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
While working on it, also ignore CVE-2025-47711 and CVE-2025-47712.
Both vulnerabilities are fixed already (they were fixed before the
upgrade also, but there is no version-range associated with the CVE report).
CVE-2025-47711: https://gitlab.com/nbdkit/nbdkit/-/commit/e6f96bd1b77c0cc927ce6aeff650b52238304f39
CVE-2025-47712: https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7
Shortlog:
Merge branch '2025-optional-qemu-img' into 'master'
build: Check for qemu-img and disable some tests if not present
tests/curl: Skip test if 'disk' was not created
server/public.c: Use common/include parse_bool function
common/include: Extra bool parsing into a mini-library
docs: Shorter title and tweaks to the description
indexed-gzip: Include <stddef.h> to get ptrdiff_t
indexed-gzip: Move variable decl outside for loop
vddk: Sort synopsis into alphabetical order
ext2: Update docs since filter supports concurrent connections
docs: Move --short/--long-options to right place in synopsis
(origin/rhel-10.2) docs: Document how to probe for server command line options
server: Document --long-options and --short-options
docs/nbdkit-probing.pod: Rearrange synopsis to match description
server: Add --name parameter
docs: Fix bolding of --log=/path option
tests/test-python-plugin.py: Remove unused variables
python: Add binding for nbdkit_parse_bool
tests/test-python-plugin.py: Add name of test for test_parse_size
(tag: v1.45.6) Version 1.45.6.
Merge branch '2025-rounding' into 'master'
server/public.c: Use lrint() instead of implicit conversion to int
indexed-gzip: Fixes for 32-bit support
indexed-gzip: More editorially neutral content
Merge branch 'add-indexed-gzip-filter' into 'master'
Introduce index-gzip filter
Move unmodified index build/extract to ig_zran.h/c
Add serialize/deserialize fn for zran structs
Restructure zran.h, zran.c for use as library
Import zran.c/zran.h v1.6 (2 Aug 2024) from zlib
Merge branch '2025-delay-trigger' into 'master'
delay: Add new delay-trigger option
delay: Rearrange the options in alphabetical order in the documentation
tests/test-map.sh: Fix "nbd_pread: count cannot be 0: Invalid argument"
docs/nbdkit-client.pod: Document attaching NBD devices to QEMU VMs
docs/nbdkit-client.pod: Combine and rename "LIMITATIONS" section
Merge branch '2025-fix-golang-test' into 'master'
tests/test-golang-fork-warning.sh: Fix hanging test
Merge branch '2025-misc-fixes' into 'master'
tests: Use 'define script' in a few more places
tests: Modify make-pki and make-psk scripts to be atomic
tests: Define common functions for requiring TLS certs and PSK
tests/test-tls.sh: Remove unused export of pkidir
tests: Generate make-psk.sh
tests/make-psk.sh: Fix typo "pkstool" -> "psktool"
tests: Fix typo "An good" -> "A good"
map: Implement map-size feature
tests/test-at-file.sh: Fix srcdir != builddir
tests: Work around realpath error on BSDs
Merge branch '2025-eq-file' into 'master'
Merge branch '2025-server-debug' into 'master'
server: Use debug() instead of nbdkit_debug() consistently in the server
map: Refer to @PATH syntax in documentation
server: Add @PATH syntax
server/main.c: Factor out the function that parses key=value
server/main.c: Fix comment
server/main.c: Move key=value parsing to a new function
server/options.h: Reject empty string ("") as a short name
server/options.h: Add comment to is_short_name
server/main.c: Reject empty string as a plugin name or filter name
common: utils: Add const to <vector>_duplicate variable decls
data: Use new vector_append_array in a couple of places
map: Use new vector_append_array function instead of loop
common: utils: vector: Fix vector_uniq prototype and add a test
common: utils: vector: Add range functions for insert, append and remove
common: utils: vector: Prefer vector_reset over free()
Merge branch '2025-map-filter' into 'master'
New filter: map for remapping arbitrary blocks
common: utils: vector: Add new vector_uniq function
tests/functions: Factor out 2^63-1 constant used by a few tests
tests/test-cache-block-size.sh: Remove unused socket
data: Minor revisions to the documentation for clarity
full: Remove reference to equivalence of nbdkit-readonly-filter
tests/test-floppy.sh: Simplify this test
count: Add an example to the documentation
common/include/test-once.c: Further fixes for pthread_barrier_t
common/include/test-once.c: Skip test on macOS which lacks pthread_barrier_t
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Gyorgy Sarvari
Wang Mingyu
Ankur Tyagi
Mingli Yu
Liu Yiding
Khem Raj
Vishwas Udupa
Yi Zhao
Moraless Philius
Vijay Anusuri
Patrick Williams
Bastian Krause
Markus Volk
Rajeshkumar Ramasamy