* Refresh patch to mute patch-fuzz
* Remove 0001-makedefs-Account-for-linux-7.x-version.patch
* This upgrade include the following commit, which make postfix can
compile on latest stable ubuntu 26.04, which have Linux 7.x kernel
Postfix works on Linux 7.x kernels. Frank Scheiner. Files:
makedefs, util/sys_defs.h.
Changes:
https://www.ftp.saix.net/MTA/postfix/official/postfix-3.11.2.HISTORY
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a systemd PACKAGECONFIG option to install nftables systemd unit files.
When "systemd" is present in DISTRO_FEATURES, the option is enabled and
the service is installed but disabled by default.
Signed-off-by: Piotr Wejman <piotr.wejman@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=============
- Fix build with SWIG 4.4.
- Fix build in the event some parts of Boost are installed but Boost.Locale is not.
- Make GetClient() work in the OnClientGetSASLMechanisms module callback.
- Stop accidentally requiring new perl 5.35.1, regression from 1.10.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Multiple hardening fixes across PureDB, the IP access checker, PAM, LDAP,
quota handling, and pure-pwconvert.
- IP access rules now support IPv6 patterns. Hostname rules are resolved
using the client's address family, so AAAA records can match IPv6 clients;
previously this path was IPv4-only.
- Malformed CIDR widths in PureDB allow/deny lists now fail closed and a
warning is logged identifying the offending pattern.
- LDAP searches that return more than one entry are now rejected as
ambiguous and a warning is logged identifying the offending uid.
- Malformed quota files no longer reset usage to zero; the failure
surfaces during quota checks instead.
- PureDB virtual users with a non-numeric or partially numeric uid or
gid field are now rejected. Records with uid or gid 0 continue to require
ACCEPT_ROOT_VIRTUAL_USERS at build time, as documented.
- Anonymous LDAP binds work again after a regression introduced in 1.0.53.
- Pure-pwconvert skips entries whose fields contain ':' or newline
characters rather than emitting corrupted records.
igned-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Use SOURCE_DATE_EPOCH to set MAKE_STAMP instead of using the current
time, thereby improving reproducibility.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The dns-updown script is written in bash which is under the GPLv3
license. As this script is optional, it is preffered to have it in an extra
package.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Switch to psa_crypto_init() which initialises all crypto subsystems,
this works for both Mbed TLS 3 and 4. Also set the daemon version so
it's correctly reported at runtime.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- CVE-2026-35328 - Fixed a vulnerability in libtls related to the processing of
the supported_versions extension in TLS that can result in an infinite loop.
- CVE-2026-35329 - Fixed a vulnerability in libstrongswan and the pkcs7 plugin
related to the processing of encrypted PKCS#7 containers that can result in
a crash.
- CVE-2026-35330 - Fixed a vulnerability in in libsimaka related to the
processing of certain EAP-SIM/AKA attributes that can result in an infinite
loop or a heap-based buffer overflow and potentially remote code execution.
- CVE-2026-35331 - Fixed a vulnerability in the constraints plugin related to
the processing of X.509 name constraints that can allow authentication with
certificates that violate the constraints.
- CVE-2026-35332 - Fixed a vulnerability in libtls related to the processing of
ECDH public values in TLS < 1.3 that can result in a crash.
- CVE-2026-35333 - Fixed a vulnerability in libradius related to the processing
of RADIUS attributes that can result in an infinite loop or an out-of-bounds
read that may cause a crash.
- CVE-2026-35334 - Fixed a vulnerability in the gmp plugin related to RSA
decryption that can result in a crash.
- Made the Botan RNG types used/provided by the botan plugin configurable.
- The fix for the vulnerability in the constraints plugin now causes all
certificates that contain excluded name constraints of type directoryName (DN)
to get rejected.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Add a new addressing mode "mscc": Used to access PHYs from Microchip that
uses C22 register 31 as a page register
- Fix VPATH builds and various other build related warnings
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add initial recipe for Cloudflare Tunnel client (cloudflared).
The upstream source vendors all Go dependencies so no go-mods.inc
is needed.
Includes systemd service with token-based authentication
via /etc/default/cloudflared.
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The introduction of DISTRO_FEATURES_OPTED_OUT allows rewriting the
DISTRO_FEATURES by removing whatever is in DISTRO_FEATURES_OPTED_OUT
from DISTRO_FEATURES.
Thus, the logic of vala can be negated, and it can changed be to
see if gobject-introspection-data is available in DISTRO_FEATURES.
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
In Linux, memcached relies on transparent huge pages, and even if
libhugetlbfs is enabled by the PACKAGECONFIG (and detected during
do_configure, of course), it is simply not used:
root@qemuriscv64:~# ldd $(which memcached)
linux-vdso.so.1 (0x0000003fa4358000)
libevent-2.1.so.7 => /lib/libevent-2.1.so.7 (0x0000003fa42b0000)
libc.so.6 => /lib/libc.so.6 (0x0000003fa4157000)
/usr/lib/ld-linux-riscv64-lp64d.so.1 (0x0000003fa435a000)
The main reason is the fact that the only call to a function coming from
libhugetlbfs is here:
https://github.com/memcached/memcached/blob/master/memcached.c#L4274
and getpagesizes() is only called if the #if block evaluates to true:
int ret = -1;
size_t sizes[32];
int avail = getpagesizes(sizes, 32);
(...)
/* check if transparent hugepages is compiled into the kernel */
/* RH based systems possibly uses a different path */
static const char *mm_thp_paths[] = {
"/sys/kernel/mm/transparent_hugepage/enabled",
"/sys/kernel/mm/redhat_transparent_hugepage/enabled",
NULL
};
(...)
This block relies on HAVE_MEMCNTL, which is a Solaris-specific feature.
Therefore, the dependency link between memcached and libhugetlbfs
doesn't exist in Linux.
Drop libhugetlbfs from memcached's recipe.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The commit adding update-alternatives support omitted
ALTERNATIVE_TARGET[ebtables], causing the bbclass to fall back to
constructing the target as ${sbindir}/ebtables.ebtables which does
not exist. The binary is installed as ebtables-legacy, so set
ALTERNATIVE_TARGET accordingly.
fixes QA warnings:
ebtables: alternative target does not exist, skipping
ebtables: NOT adding alternative provide /usr/sbin/ebtables
ebtables: alt_link == alt_target: /usr/sbin/ebtables == /usr/sbin/ebtables
Fixes: 584fec0f74 ("ebtables: Use update alternatives for "ebtables"")
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Variable DISTRO_FEATURES_BACKFILL_CONSIDERED has been renamed
to DISTRO_FEATURES_OPTED_OUT.
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
- Drop 0001-Fix-build-with-gcc-15.patch (merged upstream).
- Add 0001-fix-the-hardcoded-legacy-helper-path.patch: replace the
hardcoded "/lib/drbd" path in add_lib_drbd_to_path() with the
build-configured DRBD_LEGACY_LIB_DIR derived from LIBDIR
- Remove sed fixup for the now-absent ocf.ra@.service.
- Install new upstream 50-drbd.preset into systemd system-preset
Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The build fails because ruli is compiled with -ansi
(which implies C89/C90), but glibc's memchr macro
uses _Generic, a C11 feature. Clang treats this as
an error via -Werror,-Wc11-extensions.
Fixes build with glibc 2.43+
| ruli_conf.c:86:12: error: '_Generic' is a C11 extension [-Werror,-Wc11-extensions]
| 86 | if (!memchr(inbuf, '\0', LOAD_SEARCH_LIST_INBUFSZ))
| | ^
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Set ac_cv_prog_cc_c23=no to prevent autoconf from detecting C23
compiler support, avoiding potential build failures as the package
is not yet fully ported to support C23 standard.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Set ac_cv_prog_cc_c23=no to prevent autoconf from detecting C23
compiler support, avoiding potential build failures as the package
is not yet fully ported to support C23 standard.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The upgrade to mosquitto 2.1.2 follows an upstream change where the
default configuration file is only installed as
${sysconfdir}/mosquitto/mosquitto.conf.example.
However, the shipped systemd service explicitly starts mosquitto using
${sysconfdir}/mosquitto/mosquitto.conf. If this file is not present, the
daemon exits immediately and the service fails to start.
Install the default mosquitto.conf alongside the example file, using the
upstream-provided configuration, to match the expectations of the
service unit and ensure the service starts correctly by default, as done
with the 2.0.22 version.
Signed-off-by: Ricardo Salveti <ricardo.salveti@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Copyright year updated to 2026
fix-openssl-no-des.patch
refreshed for 5.78
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: update LICENSE from https://www.gnu.org/licenses/
Changelog:
=============
- merge README* to single README.md
- Merge pull request #2 from feckert/pr/20250902-build-fixes
- Fix fortify abort when LTO is enabled
- Fix uninitialized buffer data.
- Enable listening on IPv6
- test.sh: redirect stderr to /dev/null when counting lines
- Declare variable D as local in stop_and_clean
- Fix pthread_t format warning for fprintf
- Fix incompatible-pointer-types for pcre2_substring_list_free
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Backport a patch from openLDAP to fix the configure errors with clang-22 -std=gnu23
Fix another issue by dropping C89 signatures in favor of C99 function prototypes
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
-Update tailscale recipe to version 1.94.2
-Regenerate go module dependencies and license checksums
-Export GOFLAGS with build tags so do_update_modules discovers all dependencies
-Manually verify and complete Unknown license entries
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Samba has a new build-time dependency, libquic[1]. The repository
builds an out-of-tree kernel module and a regular userspace library
with the same build script, however the Makefile seems to be fairly
hostile to cross-compilation. The Samba tarball also vendors the
same with their own build script - for now, this venodred version is used.
There are some efforts that the kernel part is mainlined[2], once it
happens it should be possible to easily remove this from the recipe.
pyldb was removed from RDEPENDS, as it seems that samba now builds its
own version of it.
Patches updated, unneeded patches dropped. Some patches contained a
considerable amount of whitespace changes - those were trimmed for
the ease of rebasing.
Changelog:
https://gitlab.com/samba-team/samba/-/blob/samba-4.23.5/WHATSNEW.txt?ref_type=tags
(Switch to other branches to see earlier changelogs)
[1]: https://github.com/lxin/quic/
[2]: https://github.com/lxin/net-next/commits/quic/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Public domain mDNS/DNS-SD library in C
Add github namespace to recipe name and handle it in CVE_PRODUCT because
there already is a different mdns recipe in meta-openembedded.
Example application is built but not installed.
This is good to verify that current toolchain is copatible with headers.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Those systemd services were added in 1.54 upstream
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2089
According the comments we can see they are meant for the inird
other than using for rootfs. They will conflict with the main
services and can lead to potentially confusing error messages.
So remove them for now to avoid the following issue.
>$systemd-analyze --man=false verify \
> /lib/systemd/system/NetworkManager-wait-online-initrd.service
Failed to put bus name to hashmap: File exists
NetworkManager-initrd.service: Two services allocated for the \
same bus name org.freedesktop.NetworkManager, refusing operation.
Test:
PASS: bitbake core-image-minimal
PASS: runqemu qemux86-64
PASS: systemd-analyze --man=false verify \
/lib/systemd/system/NetworkManager.service
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changqing Li
Piotr Wejman
Wang Mingyu
Yi Zhao
Louis Rannou
Alex Kiernan
Ayoub Zaki
Gyorgy Sarvari
Jose Quaresma
Joao Marcos Costa
Khem Raj
Haiqing Bai
Ricardo Salveti
Peter Marko
Zhixiong Chi
Gianfranco Costamagna