subtree updates july 21 2023 poky,openembedded
poky: 13b646c0e1..b398c7653e:
Adrian Freihofer (2):
runqemu-ifdown: catch up with ifup
runqemu: drop uid parameter for ifdown
Alejandro Hernandez Samaniego (3):
baremetal-helloworld: Fix race condition
runqemu: Stop using warn() since its been deprecated
runqemu: Fix automated call to runqemu-ifup
Alex Kiernan (3):
rootfs: Add debugfs package db file copy and cleanup
rpm: Pick debugfs package db files/dirs explicitly
eudev: Add group sgx to eudev package
Alexander Kanavin (27):
insane.bbclass: enable 32 bit time API check (as a warning) on affected architectures
libxcrypt: upgrade 4.4.34 -> 4.4.35
libxml2: update 2.10.4 -> 2.11.4
ovmf: update 202302 -> 202305
lua: update 5.4.4 -> 5.4.6
cargo.bbclass: set up cargo environment in common do_compile
rust-common.bbclass: move musl-specific linking fix from rust-source.inc
python3-cryptography: update 39.0.2 -> 41.0.1
python3-cryptography-vectors: update 39.0.2 -> 41.0.1
python3: update 3.11.3 -> 3.11.4
diffutils: update 3.9 -> 3.10
shadow: remove dependency on pam-plugin-lastlog
libpam: update 1.5.2 -> 1.5.3
librsvg: update 2.56.0 -> 2.56.1
vulkan-validation-layers: update 1.3.243 -> 1.3.250
xcb-util-cursor: add a recipe from meta-oe
weston: update 11.0.1 -> 12.0.1
libdmx: update 1.1.4 -> 1.1.5
xtrans: update 1.4.0 -> 1.5.0
libproxy: fetch from git
libproxy: update 0.4.18 -> 0.5.2
libssh2: update 1.10.0 -> 1.11.0
gstreamer1.0-plugins-base: enable glx/opengl support
webkitgtk: update 2.38.5 -> 2.40.2
python3-cryptography: update a patch to upstream's better followup fix
time64.inc: annotate and clean up recipe-specific Y2038 exceptions
Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock"
Andrej Valek (3):
cve-check: add option to add additional patched CVEs
oeqa/selftest/cve_check: rework test to new cve status handling
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
Anuj Mittal (7):
rpm: backport fix to prevent crashes with latest sqlite
sqlite3: upgrade 3.41.2 -> 3.42.0
vte: upgrade 0.72.1 -> 0.72.2
libpng: upgrade 1.6.39 -> 1.6.40
glib-networking: upgrade 2.76.0 -> 2.76.1
bluez5: upgrade 5.66 -> 5.68
selftest/cases/glibc.py: fix the override syntax
BELOUARGA Mohamed (9):
bitbake: fetch2/npmsw: Add support for the new format of the shrinkwrap file
bitbake: fetch2/npmsw: Don't fetch dev dependencies when they are not demanded
bitbake: fetch2/npm: Remove special caracters that causes recipe tool to fail
recipetool: create: npm: Remove duplicate function to not have future conflicts
classes: npm: Handle peer dependencies for npm packages
recipetool: create: npm: Add support for the new format of the shrinkwrap file
recipetool: create: npm: Add support to handle peer dependencies
classes: npm: Add support for the new format of the shrinkwrap file
classe-recipes: npm: Add support for dependencies and devDependencies
Benjamin Bouvier (1):
util-linux: add alternative links for ipcs,ipcrm
Bruce Ashfield (19):
perf: fix buildpaths QA warning in 6.4+
linux-libc-headers: bump to 6.4
kernel: fix localversion in v6.3+
linux-yocto: introduce 6.4 reference kernel recipes
linux-yocto/6.4: update to latest
linux-yocto/6.4: aufs6 integration
linux-yocto/6.4: refresh configuration
linux-yocto-rt/6.4: integrate -rt6
linux-yocto/6.4: update to v6.4.2
linux-yocto-tiny/6.4: fix configuration warnings (HID)
linux-yocto-tiny/arm: fix configuration warnings (HID)
linux-yocto/ppc: add elfutils-native to DEPENDS
linux-yocto/6.1: update to v6.1.36
linux-yocto/6.1: update to v6.1.37
linux-yocto/6.1: update to v6.1.38
linux-yocto/6.x: cfg: update ima.cfg to match current meta-integrity
linux-yocto/6.4: update to v6.4.3
kernel: set HOSTPKG_CONFIG to use pkg-config-native
linux-yocto/6.4: fix menuconfig
Changqing Li (2):
dnf: only write the log lock to root for native dnf
rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock
Denys Dmytriyenko (1):
bitbake: runqueue: convert deferral messages from bb.note to bb.debug
Enrico Scholz (1):
shadow-sysroot: add license information
Etienne Cordonnier (2):
libxcrypt: fix hard-coded ".so" extension
qemu: fix typo
Fabio Estevam (3):
u-boot: Update Upstream-Status
u-boot: Upgrade to 2023.07
u-boot: Upgrade to 2023.07.02
Frederic Martinsons (1):
ptest-cargo.bbclass: fix condition to detect test executable
Joe Slater (1):
ghostscript: advance to version 10.01.2
Jose Quaresma (12):
kernel: config modules directories are handled by kernel-module-split
kernel-module-split: install config modules directories only when they are needed
kernel-module-split: use context manager to open files
kernel-module-split: make autoload and probeconf distribution specific
kernel-module-split add systemd modulesloaddir and modprobedir config
pybootchartgui: calcule elapsed_time when starting the loop
pybootchartgui: concatenate the elapsed time with the process
pybootchartgui: fix overlapping argument in render_processes_chart
pybootchartgui: fix width max usage in draw_label_in_box
openssl: add PERLEXTERNAL path to test its existence
openssl: use a glob on the PERLEXTERNAL to track updates on the path
go: update 1.20.5 -> 1.20.6
Julien Stephan (1):
automake: fix buildtest patch
Khem Raj (9):
ffmpeg: Fix build on riscv
libpam: Fix examples build on musl
webkitgtk: Enable JIT on RISCV64
musl: Guard fallocate64 with _LARGEFILE64_SOURCE
alsa-lib: Disable old API symbols
mesa: Fix build with upcoming LLVM 17
meson.bbclass: Point to llvm-config from native sysroot
webkitgtk: Unbreak build on platforms using pvr graphics drivers
python3-lxml: upgrade 4.9.2 -> 4.9.3
Martin Jansa (4):
selftest: multiconfig-image-packager: try to respect IMAGE_LINK_NAME
kernel-devicetree: install dtb files without -${KERNEL_DTB_NAME} suffix
image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}
cpio: respect MLPREFIX for PACKAGE_WRITE_DEPS
Michael Halstead (1):
resulttool/resultutils: allow index generation despite corrupt json
Mingli Yu (1):
qemu: Add qemu-user-* and qemu-system-* to PACKAGES_DYNAMIC
Natasha Bailey (1):
tiff: backport a fix for CVE-2023-26965
Ovidiu Panait (5):
mdadm: fix util-linux ptest dependency
mdadm: fix 07revert-inplace ptest
mdadm: fix segfaults when running ptests
mdadm: skip running known broken ptests
mdadm: re-add mdadm-ptest to PTESTS_SLOW
Peter Hoyes (5):
bitbake: bitbake: tests/fetch: Mark TestTimeout as not a test suite
bitbake: bitbake: tests/fetch: Rename assertRaisesRegexp to assertRaisesRegex
bitbake: bitbake: tests/fetch: Set git config if not already set
bitbake: bitbake: tests: Use assertLogs to test logging output
bitbake: bitbake: Bootstrap pytest for self-tests
Peter Marko (4):
cve-update-nvd2-native: fix cvssV3 metrics
gcsections: apply section removal also in C++, not only in C
cve-update-nvd2-native: retry all errors and sleep between retries
cve-update-nvd2-native: increase retry count
Piotr Łobacz (1):
bitbake.conf: Add acl distro native features support
Quentin Schulz (1):
uboot-extlinux-config.bbclass: fix old override syntax in comment
Richard Purdie (14):
defaultsetup: Enable largefile and 64bit time_t support systemwide for 32 bit platforms
time64: Disable CFLAGS for strace
bitbake: runqueue: Fix deferred task/multiconfig race issue
strace: Update patches/tests with upstream fixes
bitbake: fetch2/npmsw: Support old and new shrinkwrap formats
ptest-runner: Pull in "runner: Remove threads and mutexes" fix
bitbake: server/process: Show command in timeout message
bitbake: cooker: Log when parsing starts in server log
gcc-testsuite: Fix ppc cpu specification
ptest-runner: Pull in parallel test fixes and output handling
oeqa/selftest/rust: Various fixes to work correctly
bitbake: runqueue: Add pressure change logging
build-appliance-image: Update to master head revision
glibc-testsuite: Fix network restrictions causing test failures
Ross Burton (26):
cve-update-db-native: remove
cve-update-nvd2-native: handle all configuration nodes, not just first
cve-update-nvd2-native: use exact times, don't truncate
ghostscript: remove CVE_CHECK_IGNORE for CVE-2013-6629
pkgconf: update SRC_URI
libjpeg-turbo: upgrade to 3.0.0
cups: upgrade to 2.4.6
tiff: upgrade to 4.5.1
linux-yocto/cve-exclusion: move entries from cve-extra-exclusions
linux-yocto/cve-exclusion: ignore more backported CVEs
python3: fix missing comma in get_module_deps3.py
python3-jsonpointer: upgrade to 2.4
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
cml1: add showconfig task to easily find the generated .config file
rootfs_rpm: don't depend on opkg-native for update-alternatives
poky: add Debian 12 to supported distribution list
cve-update-nvd2-native: log a little more
cve-update-nvd2-native: actually use API keys
gcc: don't pass --enable-standard-branch-protection
machine/arch-arm64: add -mbranch-protection=standard
qemuarm: pin kernel to 6.1
libdmx: remove obsolete library
linux-yocto_6.1: ignore backported CVEs
python3: ignore CVE-2023-36632
ltp: add RDEPENDS on findutils
oeqa/ltp: rewrote LTP testcase and parser
Siddharth Doshi (2):
bind: Upgrade 9.18.15 -> 9.18.16
flac: Upgrade 1.4.2 -> 1.4.3
Soumya (1):
perl: Fix CVE-2023-31486
Staffan Rydén (1):
kernel: Fix path comparison in kernel staging dir symlinking
Stéphane Veyret (1):
scripts/oe-setup-builddir: copy conf-notes.txt to build dir
Sudip Mukherjee (1):
libssh2: disable rpath to fix curl-native build
Thomas Roos (1):
testimage/oeqa: Drop testimage_dump_host functionality
Tim Orling (10):
python3-pytest-subtests: upgrade 0.10.0 -> 0.11.0
python3-urllib3: upgrade 2.0.2 -> 2.0.3
python3-typing-extensions: upgrade 4.6.3 -> 4.7.0
python3-hypothesis: upgrade 6.79.2 -> 6.80.0
python3-pygments: upgrade 2.14.0 -> 2.15.1
python3-importlib-metadata: upgrade 6.7.0 -> 6.8.0
python3-typing-extensions: upgrade 4.7.0 -> 4.7.1
python3-cryptography{-vectors}: upgrade 41.0.1 -> 41.0.2
python3-zipp: upgrade 3.15.0 -> 3.16.2
python3-hypothesis: upgrade 6.80.0 -> 6.81.2
Trevor Gamblin (15):
python3: add cgitb, zipapp ptest dependencies
qemu: upgrade 8.0.0 -> 8.0.3
python3: parallelize ptests, add test_cppext dependencies
python3-setuptools: upgrade 67.6.1 -> 68.0.0
diffoscope: upgrade 242 -> 243
p11-kit: upgrade 0.24.1 -> 0.25.0
diffoscope: add missing RDEPENDS and alphabetize
linux-firmware: upgrade 20230515 -> 20230625
python3-trove-classifiers: upgrade 2023.5.24 -> 2023.7.6
python3-cython: upgrade 0.29.35 -> 0.29.36
icu: upgrade 72-1 -> 73-2
python3-editables: add python3-io to RDEPENDS
python3: ensure ptest regression capture
diffoscope: upgrade 243 -> 244
xeyes: upgrade 1.2.0 -> 1.3.0
Wang Mingyu (51):
freetype: upgrade 2.13.0 -> 2.13.1
gstreamer1.0: upgrade 1.22.3 -> 1.22.4
kbd: upgrade 2.5.1 -> 2.6.0
libassuan: upgrade 2.5.5 -> 2.5.6
libksba: upgrade 1.6.3 -> 1.6.4
libmd: upgrade 1.0.4 -> 1.1.0
libsdl2: upgrade 2.26.5 -> 2.28.0
libtraceevent: upgrade 1.7.2 -> 1.7.3
libx11: upgrade 1.8.5 -> 1.8.6
lttng-ust: upgrade 2.13.5 -> 2.13.6
nettle: upgrade 3.9 -> 3.9.1
nghttp2: upgrade 1.53.0 -> 1.54.0
ccache: upgrade 4.8.1 -> 4.8.2
mesa: upgrade 23.1.1 -> 23.1.3
python3-numpy: upgrade 1.24.3 -> 1.25.0
python3-typing-extensions: upgrade 4.6.2 -> 4.6.3
xorgproto: upgrade 2022.2 -> 2023.2
python3-hatchling: upgrade 1.17.0 -> 1.18.0
python3-hypothesis: upgrade 6.75.7 -> 6.79.2
python3-importlib-metadata: upgrade 6.6.0 -> 6.7.0
python3-iso8601: upgrade 1.1.0 -> 2.0.0
python3-markupsafe: upgrade 2.1.2 -> 2.1.3
python3-pluggy: upgrade 1.0.0 -> 1.2.0
python3-pycairo: upgrade 1.23.0 -> 1.24.0
python3-pyparsing: upgrade 3.0.9 -> 3.1.0
python3-pytest: upgrade 7.3.1 -> 7.4.0
python3-ruamel-yaml: upgrade 0.17.31 -> 0.17.32
python3-sphinx-rtd-theme: upgrade 1.2.1 -> 1.2.2
xkeyboard-config: upgrade 2.38 -> 2.39
xwayland: upgrade 23.1.1 -> 23.1.2
wayland-protocols: upgrade 1.31 -> 1.32
taglib: upgrade 1.13 -> 1.13.1
libxcrypt: upgrade 4.4.35 -> 4.4.36
msmtp: upgrade 1.8.23 -> 1.8.24
libwebp: upgrade 1.3.0 -> 1.3.1
libuv: upgrade 1.45.0 -> 1.46.0
acpica: upgrade 20230331 -> 20230628
libnss-nis: upgrade 3.1 -> 3.2
harfbuzz: upgrade 7.3.0 -> 8.0.1
libproxy: upgrade 0.5.2 -> 0.5.3
nghttp2: upgrade 1.54.0 -> 1.55.1
debianutils: upgrade 5.7 -> 5.8
glib-2.0: upgrade 2.76.3 -> 2.76.4
python3-pip: upgrade 23.1.2 -> 23.2
opkg: upgrade 0.6.1 -> 0.6.2
opkg-utils: upgrade 0.5.0 -> 0.6.2
python3-editables: upgrade 0.3 -> 0.4
python3-git: upgrade 3.1.31 -> 3.1.32
python3-numpy: upgrade 1.25.0 -> 1.25.1
repo: upgrade 2.34.1 -> 2.35
libva: upgrade to 2.19.0
Yash Shinde (1):
oeqa/selftest: Add rust selftests
Yi Zhao (1):
ifupdown: install missing directories
Yoann Congal (2):
recipetool: Fix inherit in created -native* recipes
oeqa/selftest/devtool: add unit test for "devtool add -b"
Yuta Hayama (1):
systemd-systemctl: fix errors in instance name expansion
meta-openembedded: 2638d458a5..0e3f5e5201:
Alex Kiernan (1):
ostree: Upgrade 2023.4 -> 2023.5
Archana Polampalli (1):
tcpreplay: upgrade 4.4.3 -> 4.4.4
Beniamin Sandu (1):
mbedtls: fix builds with crypto extensions
Bruce Ashfield (1):
vboxguestdrivers: fix compilation against 6.4 kernel / headers
Carlos Rafael Giani (3):
pipewire: Disable libmysofa since it is not available in OE
pipewire: Improve packageconfigs
pipewire: Add dedicated aes67 package and fix rlimits.d package assignment
Chee Yang Lee (1):
rabbitmq-c: Fix CVE-2023-35789
Jasper Orschulko (8):
python3-pytest-cov: Add initial recipe 4.1.0
python3-covdefaults: Add initial recipe 2.3.0
python3-platformdirs: Fix recipe version 3.6.0
python3-distlib: Add initial recipe 0.3.6
python3-filelock: Add initial recipe 3.12.0
python3-virtualenv: Add initial recipe 20.23.0
python3-pyproject-api: Add initial recipe 1.5.1
python3-tox: Add initial recipe 4.6.0
Joe Slater (1):
libgpiod: modify RDEPENDS for ptest
Justin Bronder (2):
python3-asyncinotify: upgrade 3.0.1 -> 4.0.2
python3-pytest-asyncio: upgrade 0.16.0 -> 0.21.1
Kai Kang (2):
libtimezonemap: rename downloaded file name
fltk-native: fix libdl link issue
Khem Raj (33):
gupnp-av: Fix build with libxml2-2.11 and newer
xcb-util-cursor: Delete recipe
pidgin-sipe: Add packageconfig to turn Werror on/off
fbida: Fix build on musl
pcp: Update to 6.0.5
geos: Upgrade to 3.12.0
ctags: Extend to build native package
libcoap: Build linker symbol file explicitly
geos: Use cmake directly
pcp: Fix build race
sblim-sfcc: Fix build with clang17
minifi-cpp: Fix build with clang 17
python3-grpcio-tools: Upgrade to 1.56.0
python3-grpcio: Upgrade to 1.56.0
python3-grpcio: Fix build on musl
python3-grpcio-tools: Fix build with musl
thin-provisioning-tools: Upgrade to 1.0.4
thin-provisioning-tools: Fix build on musl.
pcp: Disable parallel build
crash: Fix build with glibc 2.38+
breakpad: Update to latest trunk
python3-requests-toolbelt: Fix ptest failures seen with urllib3 2.0
ptest-packagelists-meta-oe: Limit mcelog to x86/x86_64
graphviz: Upgrade to 8.1.0 release
emlog: Update to latest to fix build with 6.4 kernel
dlm: Upgrade to 4.2.0
mdio-tools: Update to latest on trunk
dlm: Fix build with linux kernel 6.4+
dlm: Do not pass -fcf-protection=full via Makefile
dlm: Do not use -fcf-protection=full on arm platforms
zfs: Update to 2.2.0 rc1
zfs: Disable builds on aarch64 for now
dhcp-relay: Pass cross configure flags to bind build
Luke Schaefer (1):
nginx: Add stream Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>
Marek Vasut (4):
lvgl: Factor out and unify lv-drivers configuration
lvgl: Add default input device configuration option
linux-serial-test: Update to latest git revision
libiio: enable c++ bindings
Markus Volk (10):
pipewire: upgrade 0.3.71 -> 0.3.72
pipewire: upgrade 0.3.72 -> 0.3.73
gnome-software: upgrade 44.2 -> 44.3
eog: upgrade 44.2 -> 44.3
spdlog: upgrade 1.11.0 -> 1.12.0
flatpak: update dependencies
gnome-control-center: upgrade 44.2 -> 44.3
gnome-shell: upgrade 44.2 -> 44.3
mutter: upgrade 44.2 -> 44.3
gnome-settings-daemon: upgrade 44.0 -> 44.1
Martin Jansa (4):
nodejs: use PIE for host binaries
gupnp: backport a fix not to use deprecated xmlReadMemory
pidgin-sipe: allow to build with libxml2-2.11
raptor2: backport a fix to build with libxml2-2.11
Michael Haener (1):
nginx: upgrade to 1.24.0 release
Michael Weiß (1):
pv: Show progress bar even if no terminal is set as in 1.6.6
Mingli Yu (1):
snort: Add systemd unit file
Peter Kjellerstedt (1):
cppzmq: Move the version to the recipe file name
Petr Gotthard (2):
python3-pyroute2: upgrade 0.5.19 -> 0.7.9
networkmanager: upgrade 1.42.6 -> 1.42.8
Ricardo Salveti (1):
lshw: bump to b4e0673
Ross Burton (5):
poppler: fix missing include
libpaper: remove redundant autoreconf --install
liblbxutil: remove obsolete library
xsetmode: remove obsolete utility
libxkbui: remove obsolete recipe
Tim Orling (1):
python3-argh: upgrade 0.26.2 -> 0.28.1
Trevor Gamblin (9):
python3-alembic: upgrade 1.10.4 -> 1.11.1
python3-sqlalchemy: upgrade 2.0.15 -> 2.0.19
python3-argcomplete: upgrade 3.1.0 -> 3.1.1
python3-arpeggio: upgrade 2.0.0 -> 2.0.2
python3-astroid: upgrade 2.15.5 -> 2.15.6
python3-autobahn: upgrade 23.6.1 -> 23.6.2
python3-bandit: upgrade 1.7.4 -> 1.7.5
python3-bandit: add python3-rich to RDEPENDS
python3-bitarray: upgrade 2.7.3 -> 2.7.6
Wang Mingyu (44):
cppzmq: upgrade 4.9.0 -> 4.10.0
iwd: upgrade 2.5 -> 2.6
libburn: upgrade 1.5.4 -> 1.5.6
libzip: upgrade 1.9.2 -> 1.10.0
openfortivpn: upgrade 1.20.3 -> 1.20.5
psqlodbc: upgrade 13.02.0000 -> 15.00.0000
python3-aenum: upgrade 3.1.12 -> 3.1.14
python3-can: upgrade 4.2.1 -> 4.2.2
python3-google-api-python-client: upgrade 2.89.0 -> 2.90.0
python3-h5py: upgrade 3.8.0 -> 3.9.0
python3-natsort: upgrade 8.3.1 -> 8.4.0
python3-pymodbus: upgrade 3.3.1 -> 3.3.2
python3-pymongo: upgrade 4.3.3 -> 4.4.0
python3-pyscaffold: upgrade 4.4.1 -> 4.5
python3-pyzstd: upgrade 0.15.7 -> 0.15.9
python3-requests-futures: upgrade 1.0.0 -> 1.0.1
python3-sentry-sdk: upgrade 1.25.1 -> 1.26.0
python3-zeroconf: upgrade 0.68.0 -> 0.69.0
weechat: upgrade 3.8 -> 4.0.0
python3-platformdirs: upgrade 3.6.0 -> 3.8.0
renderdoc: upgrade 1.13 -> 1.27
gegl: upgrade 0.4.44 -> 0.4.46
gvfs: upgrade 1.50.4 -> 1.51.1
weechat: upgrade 4.0.0 -> 4.0.1
avro-c: upgrade 1.11.1 -> 1.11.2
glfw: upgrade 3.3 -> 3.3.8
hwloc: upgrade 2.9.1 -> 2.9.2
minicoredumper: upgrade 2.0.3 -> 2.0.6
thingsboard-gateway: upgrade 3.2 -> 3.3
xterm: upgrade 382 -> 383
passwdqc: upgrade 2.0.2 -> 2.0.3
python3-aenum: upgrade 3.1.14 -> 3.1.15
python3-configargparse : upgrade 1.5.3 -> 1.5.5
python3-elementpath: upgrade 4.1.3 -> 4.1.4
python3-google-api-python-client: upgrade 2.90.0 -> 2.92.0
python3-google-auth: upgrade 2.20.0 -> 2.21.0
python3-joblib: upgrade 1.2.0 -> 1.3.1
python3-pillow: upgrade 9.5.0 -> 10.0.0
python3-redis: upgrade 4.5.5 -> 4.6.0
python3-tox: upgrade 4.6.0 -> 4.6.3
python3-virtualenv: upgrade 20.23.0 -> 20.23.1
python3-zeroconf: upgrade 0.69.0 -> 0.70.0
libyang: Fix install conflict when enable multilib.
php: Fix install conflict when enable multilib.
Wolfgang Meyer (4):
fbida: Switch to git fetcher
fbida: build with meson
fbida: SRC_REV bump ac9005b..eb769e3
fbida: make fbpdf build optional
Yi Zhao (6):
conntrack-tools: add systemd unit file
conntrack-tools: add required kernel modules to RRECOMMENDS
frr: upgrade 8.4.2 -> 8.4.4
mbedtls: upgrade 2.28.2 -> 2.28.3
open-vm-tools: Security fix CVE-2023-20867
samba: upgrade 4.18.3 -> 4.18.4
Zoltán Böszörményi (1):
opencv: 4.8.0
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I48c2ba4573ee81b637b1ba890c312f491004f666
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb b/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb
index d36646c..e5f7e03 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3p1.bb
@@ -34,7 +34,14 @@
CFLAGS += "-D_GNU_SOURCE -fcommon"
LDFLAGS:append = " -pthread"
-EXTRA_OECONF = "--enable-paranoia \
+BIND_EXTRA_CONFIG = "\
+ --build=${BUILD_SYS} \
+ --host=${HOST_SYS} \
+ --target=${TARGET_SYS} \
+"
+
+EXTRA_OECONF = "--with-bind-extra-config="${BIND_EXTRA_CONFIG}" \
+ --enable-paranoia \
--disable-static \
--enable-libtool \
--with-randomdev=/dev/random \
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch
new file mode 100644
index 0000000..d98d8fa
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch
@@ -0,0 +1,33 @@
+From 2246925e3cb16183e25d4e2cfd13fb800df86270 Mon Sep 17 00:00:00 2001
+From: Beniamin Sandu <beniaminsandu@gmail.com>
+Date: Sun, 25 Jun 2023 19:58:08 +0300
+Subject: [PATCH] aesce: do not specify an arch version when enabling crypto
+ instructions
+
+Building mbedtls with different aarch64 tuning variations revealed
+that we should use the crypto extensions without forcing a particular
+architecture version or core, as that can create issues.
+
+Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls/pull/7834]
+
+Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
+---
+ library/aesce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/library/aesce.c b/library/aesce.c
+index fe056dc4c..843de3973 100644
+--- a/library/aesce.c
++++ b/library/aesce.c
+@@ -60,7 +60,7 @@
+ # error "A more recent GCC is required for MBEDTLS_AESCE_C"
+ # endif
+ # pragma GCC push_options
+-# pragma GCC target ("arch=armv8-a+crypto")
++# pragma GCC target ("+crypto")
+ # define MBEDTLS_POP_TARGET_PRAGMA
+ # else
+ # error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
new file mode 100644
index 0000000..4775c8d
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
@@ -0,0 +1,34 @@
+From 03d3523f974536f2358047382aadb0d4cc762f8a Mon Sep 17 00:00:00 2001
+From: Beniamin Sandu <beniaminsandu@gmail.com>
+Date: Mon, 26 Jun 2023 12:07:21 +0300
+Subject: [PATCH] aesce: use correct target attribute when building with clang
+
+Seems clang has its own issues when it comes to crypto extensions,
+and right now the best way to avoid them is to accurately enable
+the needed instructions instead of the broad crypto feature.
+
+E.g.: https://github.com/llvm/llvm-project/issues/61645
+
+Upstream-Status: Pending
+
+Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
+---
+ library/aesce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/library/aesce.c b/library/aesce.c
+index 843de3973..7bea088ba 100644
+--- a/library/aesce.c
++++ b/library/aesce.c
+@@ -53,7 +53,7 @@
+ # if __clang_major__ < 4
+ # error "A more recent Clang is required for MBEDTLS_AESCE_C"
+ # endif
+-# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
++# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
+ # define MBEDTLS_POP_TARGET_PRAGMA
+ # elif defined(__GNUC__)
+ # if __GNUC__ < 6
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
similarity index 92%
rename from meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
index 242495e..ce094d5 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
@@ -23,7 +23,7 @@
SECTION = "libs"
S = "${WORKDIR}/git"
-SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53"
+SRCREV = "981743de6fcdbe672e482b6fd724d31d0a0d2476"
SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28 \
file://run-ptest \
"
@@ -62,6 +62,12 @@
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
CVE_CHECK_IGNORE += "CVE-2021-45451"
+# Strip host paths from autogenerated test files
+do_compile:append() {
+ sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
+ sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
+}
+
# Export source files/headers needed by Arm Trusted Firmware
sysroot_stage_all:append() {
sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
index ebc6ba5..b8c9662 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
@@ -25,8 +25,9 @@
S = "${WORKDIR}/git"
SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
- file://run-ptest \
- "
+ file://0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch \
+ file://0002-aesce-use-correct-target-attribute-when-building-wit.patch \
+ file://run-ptest"
inherit cmake update-alternatives ptest
@@ -41,9 +42,6 @@
EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
-# Needs crypto instructions on aarch64
-TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
-
# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.6.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.8.bb
similarity index 98%
rename from meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.6.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.8.bb
index 3196b0c..5d9c6f4 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.6.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.42.8.bb
@@ -32,7 +32,7 @@
file://enable-iwd.conf \
"
-SRC_URI[sha256sum] = "8c388ac3775ac6bceb605fae21be2c3e261cafe6067994a89f0dfa4610ed0279"
+SRC_URI[sha256sum] = "0337e7583d2ec5ade2ba2e8c625d2f09eeccda1d22836ee29aa72925d399c353"
S = "${WORKDIR}/NetworkManager-${PV}"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.3.bb b/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.5.bb
similarity index 93%
rename from meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.3.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.5.bb
index bfd51f7..bcfe646 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.3.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/openfortivpn/openfortivpn_1.20.5.bb
@@ -3,7 +3,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=3d575262a651a6f1a17210ce41bf907d"
SRC_URI = "git://github.com/adrienverge/openfortivpn.git;protocol=https;branch=master"
-SRCREV = "45cb8e0f9984f1d54b648e499bda637d96568908"
+SRCREV = "1ccb8ee682af255ae85fecd5fcbab6497ccb6b38"
DEPENDS = "openssl"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.3.bb b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
similarity index 99%
rename from meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.3.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
index ee3665c..66089ed 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.3.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
@@ -32,7 +32,7 @@
file://cmocka-uintptr_t.patch \
"
-SRC_URI[sha256sum] = "c67e1453165a3918ffffad600236ca3966b47bde4798e89ae600ae3903ccc32c"
+SRC_URI[sha256sum] = "6ba7b3503cc59c9ff4f6fcb1b510c2c855fff93e0b366ab891a32a4732e88e53"
UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default
new file mode 100644
index 0000000..f1f67c5
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.default
@@ -0,0 +1 @@
+INTERFACES="eth0"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service
new file mode 100644
index 0000000..487328c
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort/snort.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Snort NIDS Daemon
+After=syslog.target network.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/default/snort
+ExecStartPre=/bin/mkdir -p /var/log/snort
+ExecStart=/usr/bin/snort -q -c /etc/snort/snort.conf -l /var/log/snort -i $INTERFACES
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb
index c15c204..8b9092b 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/snort/snort_2.9.20.bb
@@ -8,6 +8,8 @@
SRC_URI = "https://www.snort.org/downloads/archive/snort/${BP}.tar.gz \
file://snort.init \
+ file://snort.service \
+ file://snort.default \
file://volatiles.99_snort \
file://0001-libpcap-search-sysroot-for-headers.patch \
file://fix-host-contamination-when-enable-static-daq.patch \
@@ -19,11 +21,15 @@
UPSTREAM_CHECK_URI = "https://www.snort.org/downloads"
UPSTREAM_CHECK_REGEX = "snort-(?P<pver>\d+(\.\d+)+)\.tar"
-inherit autotools gettext update-rc.d pkgconfig
+inherit autotools gettext update-rc.d pkgconfig systemd
INITSCRIPT_NAME = "snort"
INITSCRIPT_PARAMS = "defaults"
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "snort.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
EXTRA_OECONF = " \
--enable-gre \
--enable-linux-smp-stats \
@@ -69,8 +75,17 @@
${D}${sysconfdir}/snort/snort.conf
cp ${S}/preproc_rules/*.rules ${D}${sysconfdir}/snort/preproc_rules/
- install -m 755 ${WORKDIR}/snort.init ${D}${sysconfdir}/init.d/snort
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+ install -m 755 ${WORKDIR}/snort.init ${D}${sysconfdir}/init.d/snort
+ fi
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}/${systemd_system_unitdir}
+ install -m 644 ${WORKDIR}/snort.service ${D}/${systemd_system_unitdir}
+ # Install default environment file
+ install -d ${D}/${sysconfdir}/default
+ install -m 0644 ${WORKDIR}/snort.default ${D}${sysconfdir}/default/snort
+ fi
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles.99_snort ${D}${sysconfdir}/default/volatiles/99_snort
@@ -87,6 +102,7 @@
${libdir}/snort_dynamicengine/*.so.* \
${libdir}/snort_dynamicpreprocessor/*.so.* \
${libdir}/snort_dynamicrules/*.so.* \
+ ${systemd_system_unitdir}/snort.service \
"
FILES:${PN}-dbg += " \
${libdir}/snort_dynamicengine/.debug \
diff --git a/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb b/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb
index 0fc3425..efea3fa 100644
--- a/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb
+++ b/meta-openembedded/meta-networking/recipes-devtools/libcoap/libcoap_4.3.1.bb
@@ -16,6 +16,8 @@
inherit autotools manpages pkgconfig ptest
+DEPENDS += "ctags-native"
+
PACKAGECONFIG ?= "\
async openssl tcp \
${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \
@@ -42,6 +44,10 @@
export SGML_CATALOG_FILES="file://${STAGING_ETCDIR_NATIVE}/xml/catalog"
+do_compile:prepend() {
+ oe_runmake update-map-file
+}
+
do_install_ptest () {
install -d ${D}${PTEST_PATH}
install -m 0755 ${WORKDIR}/run-ptest ${D}${PTEST_PATH}/run-ptest
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch
new file mode 100644
index 0000000..6302829
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Disable-annobin-plugin.patch
@@ -0,0 +1,31 @@
+From 5a0799d0bacc0cf93e15febdac7d8c50b21e7234 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 15 Jul 2023 13:13:12 -0700
+Subject: [PATCH] Disable annobin plugin
+
+OE gcc does not build this plugin, moreover there are non gcc compilers
+which can be used with OE as well e.g. clang which might not have it
+either
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dlm_controld/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile
+index 8802d88..0380ec9 100644
+--- a/dlm_controld/Makefile
++++ b/dlm_controld/Makefile
+@@ -47,7 +47,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+
+ BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
+ BIN_CFLAGS += -I../include -I../libdlm
+-LIB_CFLAGS += $(CFLAGS) -fPIC -fplugin=annobin
++LIB_CFLAGS += $(CFLAGS) -fPIC
+
+ BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie
+ BIN_LDFLAGS += -lpthread -lrt -lcpg -lcmap -lcfg -lquorum -luuid
+--
+2.41.0
+
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch
new file mode 100644
index 0000000..6290aa4
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-Remove-fcf-protection-full.patch
@@ -0,0 +1,64 @@
+From e4ae70ae71f88d48cf1ab63810c9f7b4177af3a5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 15 Jul 2023 19:05:54 -0700
+Subject: [PATCH] Remove -fcf-protection=full
+
+This option is not available on all architectures e.g. RISC-V
+Fixes
+| cc1: error: '-fcf-protection=full' is not supported for this target
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dlm_controld/Makefile | 1 -
+ dlm_tool/Makefile | 1 -
+ fence/Makefile | 1 -
+ libdlm/Makefile | 4 ++--
+ 4 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/dlm_controld/Makefile
++++ b/dlm_controld/Makefile
+@@ -43,7 +43,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
+ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
+ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
+- -fstack-clash-protection -fcf-protection=full
++ -fstack-clash-protection
+
+ BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
+ BIN_CFLAGS += -I../include -I../libdlm
+--- a/dlm_tool/Makefile
++++ b/dlm_tool/Makefile
+@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
+ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
+ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
+- -fstack-clash-protection -fcf-protection=full
++ -fstack-clash-protection
+
+ CFLAGS += -fPIE -DPIE
+ CFLAGS += -I../include -I../libdlm -I../dlm_controld
+--- a/fence/Makefile
++++ b/fence/Makefile
+@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
+ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
+ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
+- -fstack-clash-protection -fcf-protection=full
++ -fstack-clash-protection
+
+ CFLAGS += -fPIE -DPIE
+ CFLAGS += -I../include
+--- a/libdlm/Makefile
++++ b/libdlm/Makefile
+@@ -80,8 +80,8 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
+ -fdiagnostics-show-option \
+ -fPIC
+
+-LIB_CFLAGS += $(CFLAGS) -D_REENTRANT -fcf-protection=full
+-LLT_CFLAGS += $(CFLAGS) -fcf-protection=full
++LIB_CFLAGS += $(CFLAGS) -D_REENTRANT
++LLT_CFLAGS += $(CFLAGS)
+
+ LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,now
+ LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,now
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch
deleted file mode 100644
index 3d15515..0000000
--- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From da08f5ec5e553bd43f92a0b0f7476179b0b74502 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Wed, 26 Jun 2019 11:49:33 +0800
-Subject: [PATCH] dlm: fix compile error since xml2-config should not be used
-
-xml2-config is disabled, so change Makefile to use pkgconfig
-to find libxml2.
-
-Upstream-Status: Inappropriate [oe-specific]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
-
----
- fence/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fence/Makefile b/fence/Makefile
-index 2b080468..ff2eda3f 100644
---- a/fence/Makefile
-+++ b/fence/Makefile
-@@ -18,12 +18,12 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
- -fstack-clash-protection -Wl,-z,now
-
- CFLAGS += -fPIE -DPIE
--CFLAGS += `xml2-config --cflags`
-+CFLAGS += `pkg-config libxml-2.0 --cflags`
- CFLAGS += -I../include
- CFLAGS += $(shell pkg-config --cflags pacemaker-fencing)
-
- LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie
--LDFLAGS += `xml2-config --libs`
-+LDFLAGS += `pkg-config libxml-2.0 --libs`
- LDFLAGS += -ldl
-
- all: $(BIN_TARGET)
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch
new file mode 100644
index 0000000..55efcea
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0001-dlm_controld-remove-unnecessary-header-include.patch
@@ -0,0 +1,35 @@
+From 4c40289eb9e47cfd272a8cc402fd2ddb29e2a3dc Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Wed, 24 May 2023 13:50:59 +0000
+Subject: [PATCH] dlm_controld: remove unnecessary header include
+
+The timewarn netlink functionality got dropped and will be removed by
+kernel v6.4. The user space part was already dropped by commit 34ea31e7
+("controld: remove timewarn handling"). This is just a left over of this
+commit. Recent builds fails now because the UAPI header in the Linux
+kernel was removed. This means older dlm sources cannot be build with
+newer kernel-headers, however it is not recommended to use older dlm
+sources and all existing users should upgrade anyway.
+
+Upstream-Status: Backport [https://pagure.io/dlm/c/ddbba6608896f81bfce8f8edf3d0f507714cfc43?branch=main]
+Reported-by: Fabio M. Di Nitto <fdinitto@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dlm_controld/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/dlm_controld/main.c b/dlm_controld/main.c
+index 7cf6348..e70e96a 100644
+--- a/dlm_controld/main.c
++++ b/dlm_controld/main.c
+@@ -12,7 +12,6 @@
+ #include <pthread.h>
+ #include <linux/netlink.h>
+ #include <linux/genetlink.h>
+-#include <linux/dlm_netlink.h>
+ #include <uuid/uuid.h>
+
+ #ifdef USE_SD_NOTIFY
+--
+2.41.0
+
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch
deleted file mode 100644
index 257c5d0..0000000
--- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm/0004-include-string.h-for-memset-prototype.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 9652e6b3c43b4c051f2ff0e000d7ebf5fbab418e Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 29 Aug 2022 10:54:51 -0700
-Subject: [PATCH] include string.h for memset prototype
-
-Upstream-Status: Submitted [https://pagure.io/dlm/pull-request/3]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- dlm_controld/lib.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/dlm_controld/lib.c b/dlm_controld/lib.c
-index 8cbdd27f..a7502fcd 100644
---- a/dlm_controld/lib.c
-+++ b/dlm_controld/lib.c
-@@ -10,6 +10,7 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <stdint.h>
-+#include <string.h>
- #include <errno.h>
- #include <time.h>
- #include <sys/types.h>
diff --git a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.1.1.bb b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.2.0.bb
similarity index 79%
rename from meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.1.1.bb
rename to meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.2.0.bb
index bb33890..094dbb1 100644
--- a/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.1.1.bb
+++ b/meta-openembedded/meta-networking/recipes-extended/dlm/dlm_4.2.0.bb
@@ -6,13 +6,14 @@
REQUIRED_DISTRO_FEATURES = "systemd"
SRC_URI = "https://pagure.io/dlm/archive/dlm-${PV}/dlm-dlm-${PV}.tar.gz \
- file://0001-dlm-fix-compile-error-since-xml2-config-should-not-b.patch \
file://0001-Include-sys-sysmacros.h-for-major-minor-macros-in-gl.patch \
file://0001-make-Replace-cp-a-with-mode-preserving-options.patch \
- file://0004-include-string.h-for-memset-prototype.patch \
+ file://0001-dlm_controld-remove-unnecessary-header-include.patch \
+ file://0001-Disable-annobin-plugin.patch \
+ file://0001-Remove-fcf-protection-full.patch \
"
-SRC_URI[sha256sum] = "f12c0056b9196dfcecbec2fa8930feb87c605a86ef0f3d7bd6fb0b77cd7f45ca"
+SRC_URI[sha256sum] = "90237e18af7422ac15fc756899b3bb6932597b13342296de8e0e120e6d8729ab"
UPSTREAM_CHECK_URI = "https://pagure.io/dlm/releases"
UPSTREAM_CHECK_REGEX = "dlm-(?P<pver>\d+(\.\d+)+)"
@@ -35,11 +36,15 @@
export EXTRA_OEMAKE = ""
-DONTBUILD = "${@bb.utils.contains('PACKAGECONFIG', 'pacemaker', '', 'fence', d)}"
+CFPROTECTION ?= "-fcf-protection=full"
+CFPROTECTION:riscv64 = ""
+CFPROTECTION:arm = ""
-do_compile:prepend:toolchain-clang() {
- sed -i -e "s/-fstack-clash-protection//g" ${S}/*/Makefile
-}
+CFLAGS += "${CFPROTECTION}"
+
+PARALLEL_MAKE = ""
+
+DONTBUILD = "${@bb.utils.contains('PACKAGECONFIG', 'pacemaker', '', 'fence', d)}"
do_compile() {
sed -i "s/libsystemd-daemon/libsystemd/g" ${S}/dlm_controld/Makefile
@@ -57,4 +62,3 @@
install -Dm 0644 ${S}/init/dlm.service ${D}${systemd_unitdir}/system/dlm.service
fi
}
-
diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
index 8b47ceb..0c6fd90 100644
--- a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
+++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
@@ -11,6 +11,7 @@
SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2 \
file://conntrack-failover \
file://init \
+ file://conntrackd.service \
"
SRC_URI[sha256sum] = "099debcf57e81690ced57f516b493588a73518f48c14d656f823b29b4fc24b5d"
@@ -25,6 +26,10 @@
INITSCRIPT_NAME = "conntrackd"
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "conntrackd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
do_install:append() {
install -d ${D}/${sysconfdir}/conntrackd
install -d ${D}/${sysconfdir}/init.d
@@ -37,6 +42,11 @@
sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}/${systemd_system_unitdir}
+ install -m 644 ${WORKDIR}/conntrackd.service ${D}/${systemd_system_unitdir}
+ fi
}
# fix error message: Do not forget that you need *root* or CAP_NET_ADMIN capabilities ;-)
@@ -44,3 +54,7 @@
setcap cap_net_admin+ep "$D/${sbindir}/conntrack"
}
PACKAGE_WRITE_DEPS += "libcap-native"
+
+RRECOMMENDS:${PN} = "kernel-module-nf-conntrack kernel-module-nfnetlink \
+ kernel-module-nf-conntrack-netlink \
+ "
diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service
new file mode 100644
index 0000000..b3b0f1d
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrackd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Conntrack Daemon
+Documentation=man:conntrackd(8) man:conntrackd.conf(5)
+
+[Service]
+Type=notify
+ExecStartPre=-/bin/rm -f /var/lock/conntrackd.lock
+ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_3.8.bb b/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_4.0.1.bb
similarity index 93%
rename from meta-openembedded/meta-networking/recipes-irc/weechat/weechat_3.8.bb
rename to meta-openembedded/meta-networking/recipes-irc/weechat/weechat_4.0.1.bb
index 8c77093..00472e2 100644
--- a/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_3.8.bb
+++ b/meta-openembedded/meta-networking/recipes-irc/weechat/weechat_4.0.1.bb
@@ -10,7 +10,7 @@
file://0001-use-pkg-config-for-gcrypt-instead.patch \
"
-SRC_URI[sha256sum] = "f7cb65c200f8c090c56f2cf98c0b184051e516e5f7099a4308cacf86f174bf28"
+SRC_URI[sha256sum] = "1b9533123af427922b3d7fabede958dc85392d50881d97d0b7986d8f514556e9"
inherit cmake pkgconfig
diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
similarity index 98%
rename from meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb
rename to meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
index 9669260..b87c3e7 100644
--- a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb
+++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -14,7 +14,7 @@
file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
"
-SRCREV = "62ac43de9f3bc470586cf4f51fadf013bf542b32"
+SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"
UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P<pver>\d+(\.\d+)+)$"
diff --git a/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc b/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc
index 7afe1c5..46d0c1b 100644
--- a/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc
+++ b/meta-openembedded/meta-networking/recipes-support/mdio-tools/mdio-tools.inc
@@ -5,4 +5,4 @@
LIC_FILES_CHKSUM = "file://${WORKDIR}/git/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "git://github.com/wkz/mdio-tools.git;protocol=https;branch=master"
-SRCREV = "ee47c32d958ae0dcb9900b3b06654a8c08001331"
+SRCREV = "0dbfca13a094d20d736153c63161cf11b9ccf2d3"
diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch
new file mode 100644
index 0000000..170dddf
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch
@@ -0,0 +1,163 @@
+From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+CVE: CVE-2023-20867
+
+Upstream-Status: Backport
+[https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a7..85c5ba7 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+ * The switch that controls all APIs
+ */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+
+ void GuestAuthUnimpersonate();
+
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+- const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
+ userToken);
+ break;
+ }
+- case VIX_USER_CREDENTIAL_ROOT:
+- {
+- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+- /*
+- * Don't accept hashed shared secret if disabled.
+- */
+- g_message("%s: Requested authentication type has been disabled.\n",
+- __FUNCTION__);
+- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+- goto done;
+- }
+- }
+- // fall through
+-
+- case VIX_USER_CREDENTIAL_CONSOLE_USER:
+- err = VixToolsImpersonateUserImplEx(NULL,
+- credentialType,
+- NULL,
+- loadUserProfile,
+- userToken);
+- break;
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+ case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
+ }
+
+ /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- */
+- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+- && (thisProcessRunsAsRoot)) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- *
+- * XXX This has been deprecated XXX
+- */
+- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+ * If the VMX asks us to run commands in the context of the current
+ * user, make sure that the user who requested the command is the
+ * same as the current user.
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
+ /*
+ *-----------------------------------------------------------------------------
+ *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- * Checks to see if a given authentication type has been
+- * disabled via the tools configuration.
+- *
+- * Return value:
+- * TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- * None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+- const char *typeName) // IN
+-{
+- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
+- gboolean disabled;
+-
+- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+- typeName);
+-
+- ASSERT(confDictRef != NULL);
+-
+- /*
+- * XXX Skip doing the strcmp() to verify the auth type since we only
+- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+- */
+- disabled = VMTools_ConfigGetBoolean(confDictRef,
+- VIX_TOOLS_CONFIG_API_GROUPNAME,
+- authnDisabledName,
+- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+- return !disabled;
+-}
+-
+-
+-/*
+- *-----------------------------------------------------------------------------
+- *
+ * VixTools_ProcessVixCommand --
+ *
+ *
+--
+2.6.2
+
diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb
index d389d24..e12e4be 100644
--- a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb
+++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb
@@ -43,6 +43,7 @@
file://0012-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \
file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \
file://0001-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \
+ file://CVE-2023-20867.patch;patchdir=.. \
"
UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
similarity index 88%
rename from meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb
rename to meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index d461c8d..c7d14e2 100644
--- a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb
+++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -11,7 +11,7 @@
file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \
"
-SRC_URI[sha256sum] = "216331692e10c12d7f257945e777928d79bd091117f3e4ffb5b312eb2ca0bf7c"
+SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"
UPSTREAM_CHECK_URI = "https://github.com/appneta/tcpreplay/releases"