Commit Graph

458 Commits

Author SHA1 Message Date
Vijay Anusuri 1421bf8d3b sssd: Fix for CVE-2025-11561
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2026-01-15 18:46:30 +02:00
Soumya Sambu 353078bc06 sssd: Fix CVE-2023-3758
A race condition flaw was found in sssd where the GPO policy is
not consistently applied for authenticated users. This may lead
to improper authorization issues, granting or denying access to
resources inappropriately.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3758

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-05-05 08:37:19 -04:00
Jeremy A. Puhlman c29ef97c84 python3-privacyidea: add correct path to lib/privacyidea
Nothing in getting installed in ${datadir}/lib, it is all going to
${prefix}/lib. setuptools pulls in ${libdir}/* so for the base lib
case of ${prefix}/lib the build works. If libdir is something else
lib64 for example, its still ending up in ${prefix}/lib and it fails
to build.

Set value to correct path as it is being installed.

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
2022-07-21 16:47:30 -07:00
Jeremy A. Puhlman ab90048862 libmhash: add multilib header
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
2022-07-21 16:47:24 -07:00
Davide Gardenal 7e3596e848 sssd: ignore CVE-2018-16838
CVE-2018-16838 is patched in our version of sssd but it doesn't have
a vulnerable version range in the NVD database,
that's why it needs to be ignored.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
2022-07-21 16:46:46 -07:00
Armin Kuster 9301e39d19 fscrypt: add distro_check on pam
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 20c13f6335)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-05-23 07:54:29 -07:00
Joe Slater 93f2146211 LICENSE: update to SPDX standard names
Use convert-spdx-licenses.py to update LICENSE in recipes.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-04-13 13:45:44 -07:00
Davide Gardenal 498ca39cd6 fscrypt: update dependecy from go-dep-native to go-native
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-04-07 10:26:45 -07:00
Armin Kuster 2be1d069ec python3-fail2ban: fix compile issue on some hosts
Use python3-native to use 2to3

Fix build issue on some hosts with this error:
 (result, consumed) = self._buffer_decode(data, self.errors, final)
 | UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 152: invalid continuation byte

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-04-02 11:21:42 -07:00
Robert Yang 0c41d792cf LICENSE: adopt SPDX standard names
Modify LICENSE for ding-libs and libmhash.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-04-02 11:21:42 -07:00
Ashish Sharma c56ae450c9 meta-security : Use SPDX style licensing format
WARNING: selinux-sandbox-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: selinux-gui-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: semodule-utils-3.3-r0.1 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: selinux-dbus-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: libwhisker2-perl-2.5-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
WARNING: lib-perl-0.63-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
WARNING: libhtp-0.5.39-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \
...

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-04-02 11:21:42 -07:00
Armin Kuster 288391edc5 python3-privacyidea: drop old package ref.
meta-python dropped package via commit:

620689d4efba28bc8dd60e2d82908bfb3531fbd0
python3-backports-functional-lru-cache: remove, not needed for Python 3

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-13 08:11:21 -07:00
Ashish Sharma e5e3dd4877 Subject: [PATCH] Subject: python3-fail2ban: switch to legacy setuptools3
raise InvalidWheelFilename(f"{filename} is not a valid wheel filename.")
pip._internal.exceptions.InvalidWheelFilename: fail2ban-*-*.whl is not a valid wheel filename.
Removed build tracker: '/tmp/pip-req-tracker-qnepnk46'

ERROR: Failed to pip install wheel. Check the logs.

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-11 21:13:15 -08:00
Armin Kuster 30f34fa990 python3-fail2ban: fix SPDX license.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-11 21:12:56 -08:00
Armin Kuster be65e1c3ba python3-privacyidea: update to 3.6.2
Fix license.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-11 21:08:22 -08:00
Armin Kuster dac1280dee python3-privacyidea: fix QA ERROR
ERROR: python3-privacyidea-3.5.2-r0 do_package: QA Issue: python3-privacyidea: Files/directories were installed but not shipped in any package:
/usr/etc
/usr/etc/privacyidea
/usr/etc/privacyidea/dictionary
/usr/etc/privacyidea/privacyideaapp.wsgi

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-11 21:08:22 -08:00
Armin Kuster 8ff2d27721 chipsec: fix WARNING
distutils3.bbclass is deprecated, please use setuptools3.bbclass instead

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-02-22 08:10:02 -08:00
Armin Kuster 419946655d recipes: Use renamed SKIP_RECIPE varFlag
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-02-22 08:09:54 -08:00
Armin Kuster b46386395b google-authenticator-libpam: update to 1.09
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-01-30 12:13:54 -08:00
Armin Kuster cb7778e5ef python3-fail2ban: update to tip
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-12-25 11:29:31 -08:00
Armin Kuster e740a30c10 libest: does not build with openssl 3.x
blacklist for now. Remove from pkg grp

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-12-25 11:29:31 -08:00
Armin Kuster 4c19c83ee8 python3-fail2ban: remove /run
Fixes:

ERROR: python3-fail2ban-0.11.2-r0 do_package_qa: QA Issue: python3-fail2ban installs files in /run, but it is expected to be empty [empty-dirs]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster f6fa9dc1c9 bastille: Create /var/log/Bastille in runtime
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster b654040fad sssd: Create /var/log/sssd in runtime
/var/log is normally a link to /var/volatile/log and /var/volatile is a
tmpfs mount. So anything created in /var/log will not be available when
the tmpfs is mounted.

[Thanks to Peter Kjellerstedt for example]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster 7e27eb5fca recipes: Update SRC_URI branch and protocols
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-04 08:18:00 -07:00
Armin Kuster e5e54135da opendnssec: blacklist do to ldns being blacklisted
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-24 19:54:00 -07:00
Kai Kang e81c15f851 sssd: re-package to fix QA issues
It packages all file in ${libdir} to package sssd, including the .so
symlink files. Then it causes QA issues:

| ERROR: QA Issue: sssd rdepends on dbus-dev [dev-deps]
| ERROR: QA Issue: sssd rdepends on ding-libs-dev [dev-deps]

So re-package sssd then the .so symlink files and .pc files are packaged
to sssd-dev which should be.

File ${libdir}/libsss_sudo.so is not a symlink file but packaged to
sssd-dev too. Then causes another QA issue:

| ERROR: sssd-2.5.2-r0 do_package_qa: QA Issue:
    -dev package sssd-dev contains non-symlink .so '/usr/lib/libsss_sudo.so' [dev-elf]

So create a new sub-package libsss-sudo to package file libsss_sudo.so
and make sssd rdepends on it.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Armin Kuster 30a5e16b75 python3-fail2ban: fix build failure and cleanup
Fixes:
error in fail2ban setup command: use_2to3 is invalid.
ERROR: 'python3 setup.py build ' execution failed.

drop custom fail2ban_setup.py
remove pyhton-fail2ban as its a symlink to python3

Update to tip for 11.2 branch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Liwei Song 7f9a5b311e recipes-security/chipsec: platform security assessment framework
Add chipsec, tools to dump and analyzing hardware, system firmware
components, like PCH register, ioport or iomem configuration space.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Bhupesh Sharma 6a19cc9f00 recipes-security/fscrypt: Add fscrypt .bb file
fscrypt is a high-level tool for the management of Linux
filesystem encryption. fscrypt manages metadata, key generation,
key wrapping, PAM integration, and provides a uniform interface
for creating and modifying encrypted directories.

Add recipe for the same in 'recipes-security'.

Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:27 -07:00
Armin Kuster b2337682b9 isic: set precise BSD license
"BSD" is ambiguous, use the precise licenses BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 30e3184704 opendnssec: set precise BSD license
"BSD" is ambiguous, use the precise licenses BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 3d684f4325 cryfs: drop recipe
it was accidently pushed and is incmomplete

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:10 -07:00
Kai Kang e88df73267 sssd: 2.5.1 -> 2.5.2
SSSD 2.5.2 Highlights
* General information
  - originalADgidNumber attribute in the SSSD cache is now indexed

* New features
  - Debug messages in data provider include a unique request ID that can
    be used to track the request from its start to its end (requires
    libtevent >= 0.11.0)

* Important fixes
  - Update large files in the files provider in batches to avoid timeouts

* Configuration changes
  - Add new config option fallback_to_nss

Full release notes:
* https://sssd.io/release-notes/sssd-2.5.2.html

And backport patch to fix CVE-2021-3621.

CVE: CVE-2021-3621

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-10 07:23:00 -07:00
Armin Kuster 06bc20c07a krill: Rust is in core now
drop dynamic-layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster 8fe88fe8d5 cryfs: add new package
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:36:55 -07:00
Armin Kuster 11a67b861a meta-security: Convert to new override syntax
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-01 08:47:08 -07:00
Armin Kuster aa84cc36dc sssd: update to 2.5.1
See full change log: https://sssd.io/release-notes/sssd-2.5.1.html

Including a musl build work around

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-07-04 10:59:17 -07:00
Armin Kuster 1ec2783d62 ssshgaurd: add packaage
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-29 09:31:13 -07:00
Federico Pellegrin fcd4a8bbf6 aircrack-ng: update to 1.6
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-20 15:49:26 -07:00
Kai Kang 94aa6efec6 sssd: add fix-ldblibdir.patch back
The patch fix-ldblibdir.patch has been dropped when update sssd to
2.5.0. But it fails to start sssd without this patch. So add it back.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-20 15:49:26 -07:00
Kai Kang 0705f60b81 sssd: set pid path with /run
/var/run is deprecated and set pid path with /run to store pid files for
the SSSD.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-20 15:49:16 -07:00
Yi Zhao f9ac521497 libgssglue: update SRC_URI
Update SRC_URI to use Debian mirror because the original site is
unaccessible.

Fixes do_fetch error:
ERROR: libgssglue-0.4-r0 do_fetch: Fetcher failure for URL:
'http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz'.
Unable to fetch URL from any source.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-06-05 19:25:24 +00:00
Armin Kuster bb06a7cbda python3-scapy: drop , now in meta-python
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-05 19:25:24 +00:00
Armin Kuster e471ff0926 sssd: update to 2.5.0
Add new depends
Drop obsolete patches

Signed-off-by: Armin Kuster <akuster808@gmail.com>

----
v2]
Fix issue with nsupdate check
don't use host bind
2021-06-05 19:25:19 +00:00
Armin Kuster 951ea7ca15 python3-scapy: update to 2.4.5
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-05 19:25:17 +00:00
Upgrade Helper ed6e250b4d opendnssec: upgrade 2.1.8 -> 2.1.9
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-06-05 19:25:17 +00:00
Armin Kuster c127cf37f2 python3-scapy: add UPSTREAM_CHECK_COMMITS
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-05-16 13:23:55 -07:00
Armin Kuster baca6133f9 libseccomp: drop recipe. In core now
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-26 14:33:01 +00:00
Anton Antonov f93595863c Use libest "main" branch instead of "master".
This patch fixes the issue:

WARNING: libest-3.2.0-r0 do_fetch: Failed to fetch URL git://github.com/cisco/libest, attempting MIRRORS if available
ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure: Unable to find revision 4ca02c6d7540f2b1bcea278a4fbe373daac7103b in branch master even from upstream
ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure for URL: 'git://github.com/cisco/libest'. Unable to fetch URL from any source.

Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-12 07:00:47 -07:00