<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-networking, branch nanbield</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=nanbield</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=nanbield'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2024-01-17T00:28:29+00:00</updated>
<entry>
<title>samba: upgrade 4.18.8 -&gt; 4.18.9</title>
<updated>2024-01-17T00:28:29+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2023-12-27T15:39:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=d9f86ba48c4b72f5e6645236b26e935403b83658'/>
<id>urn:sha1:d9f86ba48c4b72f5e6645236b26e935403b83658</id>
<content type='text'>
This is the latest stable release of the Samba 4.18 release series.
It contains the security-relevant bugfix CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html

Release Notes:
https://www.samba.org/samba/history/samba-4.18.9.html

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit f4c3c747d6df6015eb1231f2867ffe43ddb9620e)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>strongswan: upgrade 5.9.12 -&gt; 5.9.13</title>
<updated>2024-01-17T00:20:45+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2023-12-15T05:58:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=4a2bf0b55e5e08e373622ae1366dd5358fcf15cf'/>
<id>urn:sha1:4a2bf0b55e5e08e373622ae1366dd5358fcf15cf</id>
<content type='text'>
Changelog:
- Fixes a regression with handling OCSP error responses and adds a new
  option to specify the length of nonces in OCSP requests.  Also adds some
  other improvements for OCSP handling and fuzzers for OCSP
  requests/responses.

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 5be2e20157f3025f9e2370933267a56fd526c58e)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>frr: fix CVEs CVE-2023-4675{2,3} and CVE-2023-4723{4,5}</title>
<updated>2024-01-05T12:52:17+00:00</updated>
<author>
<name>Jonas Gorski</name>
<email>jonas.gorski@bisdn.de</email>
</author>
<published>2023-11-22T09:39:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=67003557484b0c190f91e70c0d9717e247e91d49'/>
<id>urn:sha1:67003557484b0c190f91e70c0d9717e247e91d49</id>
<content type='text'>
Add patches fixing CVE-2023-46752, CVE-2023-46753, CVE-2023-47234,
and CVE-2023-47235 to FRR 9.0.

Patch order is commit order, not CVE numerical order, to avoid fuzz /
need for rebasing of the patches.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46752
https://nvd.nist.gov/vuln/detail/CVE-2023-46753
https://nvd.nist.gov/vuln/detail/CVE-2023-47234
https://nvd.nist.gov/vuln/detail/CVE-2023-47235

Signed-off-by: Jonas Gorski &lt;jonas.gorski@bisdn.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 00e928bcb7e933ada8e67f3bfa887988d1ca9d61)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>strongswan: upgrade 5.9.11 -&gt; 5.9.12</title>
<updated>2024-01-05T12:52:17+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2023-11-22T06:39:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=3c4c97f2309e56e50f78aed4354e1df48815d533'/>
<id>urn:sha1:3c4c97f2309e56e50f78aed4354e1df48815d533</id>
<content type='text'>
Changelog:
==========
- Fixed a vulnerability in charon-tkm related to processing DH public values
  that can lead to a buffer overflow and potentially remote code execution.
- The new `pki --ocsp` command produces OCSP responses based on certificate
  status information provided by plugins.
- The cert-enroll script handles the initial enrollment of an X.509 host
  certificate with a PKI server via the EST or SCEP protocols.
- The --priv argument for charon-cmd allows using any type of private key.
- Support for nameConstraints of type iPAddress has been added (the openssl
  plugin previously didn't support nameConstraints at all).
- SANs of type uniformResourceIdentifier can now be encoded in certificates.
- Password-less PKCS#12 and PKCS#8 files are supported.
- A new global option allows preventing peers from authenticating with trusted
  end-entity certificates (i.e. local certificates).
- ECDSA public keys that encode curve parameters explicitly are now rejected by
  all plugins that support ECDSA.
- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
  also use the name in connection.interface-name.
- The resolve plugin tries to maintain the order of installed DNS servers.
- The kernel-libipsec plugin always installs routes even if no address is found
  in the local traffic selectors.
- Increased the default receive buffer size for Netlink sockets to 8 MiB and
  simplified its configuration.
- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
  always generating a hash of the subjectPublicKey.
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
  timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
  unrelated traffic selectors.
- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
  instead callbacks are always invoked even if only errors are signaled.
- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
  handling invalid messages.
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
  CHILD_SA is not found during rekeying.
- The testing environment is now based on Debian 12 (bookworm), by default.

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 077489fda8f27336942457da1eaa022804f327c2)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-scapy: upgrade to latest revision</title>
<updated>2024-01-05T12:52:16+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2023-11-04T20:45:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=1092d94bbe5c631da144e9844d1f6eceaf8d1eaa'/>
<id>urn:sha1:1092d94bbe5c631da144e9844d1f6eceaf8d1eaa</id>
<content type='text'>
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit ca49f2025e65713811e73e894c60cb78be1ed34c)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>openvpn: upgrade 2.6.3 -&gt; 2.6.6</title>
<updated>2024-01-05T12:52:16+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2023-11-04T20:45:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=04395fd148f82f713847012444a231c62f54c8e7'/>
<id>urn:sha1:04395fd148f82f713847012444a231c62f54c8e7</id>
<content type='text'>
License-Update: Added Apache2 linking exception

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 45ad525348569f8f5f694a88bb311dbf83998304)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>mbedtls: upgrade 3.4.1 -&gt; 3.5.0</title>
<updated>2023-11-01T12:16:30+00:00</updated>
<author>
<name>Beniamin Sandu</name>
<email>beniaminsandu@gmail.com</email>
</author>
<published>2023-10-30T21:19:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0b4ea22dd7dfc4233c498a323d2a5dab44de42c0'/>
<id>urn:sha1:0b4ea22dd7dfc4233c498a323d2a5dab44de42c0</id>
<content type='text'>
* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes

Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0

The extra patch fixes x86 32-bit builds.

Signed-off-by: Beniamin Sandu &lt;beniaminsandu@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit ae4e1e70a1493bb657190236122527130da93cb0)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>mdio-tools: Add virtual/kernel dependency to avoid stale SPDX reference</title>
<updated>2023-11-01T12:16:30+00:00</updated>
<author>
<name>Andrew Jeffery</name>
<email>andrew@codeconstruct.com.au</email>
</author>
<published>2023-10-30T03:47:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=f6eb3b597a3530b7afd9e817b1b7d7d8443ee6aa'/>
<id>urn:sha1:f6eb3b597a3530b7afd9e817b1b7d7d8443ee6aa</id>
<content type='text'>
OpenBMC enables SPDX SBOM generation by default. For Meta's Bletchley
platform we found that mdio-tools and its relationships with both
mdio-netlink and the mdio-netlink kernel module break SPDX processing
while generating the rootfs after a kernel bump. For example, the
following output was generated by `bitbake obmc-phosphor-image`:

    ERROR: obmc-phosphor-image-1.0-r0 do_rootfs: Cannot find any SPDX file for document http://spdx.org/spdxdoc/kernel-module-mdio-netlink-6.5.4-da279e9-00089-gda279e98c07f-89187488-3164-50cb-94c5-8b76a30ea093

The error occurred after the following patch was applied (again, in the
context of OpenBMC):

    diff --git a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    index e6f98297c540..b852e993f0f6 100644
    --- a/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    +++ b/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
    @@ -1,6 +1,6 @@
     KBRANCH ?= "dev-6.5"
    -LINUX_VERSION ?= "6.5.4"
    +LINUX_VERSION ?= "6.5.9"

    -SRCREV="da279e98c07f9c948c60a434ab0043a55c26ea1d"
    +SRCREV="fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"

     require linux-aspeed.inc
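
Review bot: the added SRCREV line keeps the assignment without spaces around `=`, unlike the `?=` assignments beside it; OpenEmbedded recipe style puts a space on each side of the operator, so while the line is being changed anyway it could read `SRCREV = "fc8d4fdba5bd2b9b1cea2aa8a731531943c45aa7"`. Both replaced values (6.5.4 and the da279e98c07f revision) are embedded in the kernel-module SPDX document name in the error quoted above, so this bump changes that name.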

With the lack of a dependency the mdio-tools package is not rebuilt
subsequent to the kernel bump and the package information remains stale,
leading to an incorrect SPDX path being generated.

Signed-off-by: Andrew Jeffery &lt;andrew@codeconstruct.com.au&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 668cf43b21e27faa34b7c3c7133a480a9e4e480f)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>network-manager-applet, networkmanager-openvpn, networkmanager: Apply linker versioning patch when using lld only</title>
<updated>2023-11-01T12:16:30+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2023-10-28T05:04:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=81337ccc559431611b2983bb0280bd020c99804e'/>
<id>urn:sha1:81337ccc559431611b2983bb0280bd020c99804e</id>
<content type='text'>
This patch caused the GNU linker to fail linking, therefore limit it to just
lld.

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 22889b13f330e4753c5f72440abcfe42830f2f64)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>mosquitto: Support building for native again</title>
<updated>2023-11-01T12:16:30+00:00</updated>
<author>
<name>Peter Kjellerstedt</name>
<email>pkj@axis.com</email>
</author>
<published>2023-10-26T18:43:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c996d57724077c91747b74fb2c8f6c3abf557005'/>
<id>urn:sha1:c996d57724077c91747b74fb2c8f6c3abf557005</id>
<content type='text'>
Support for building from native was removed in commit e1b332f2e
(meta-networking: Drop broken BBCLASSEXTEND variants), most likely due
to no support for building libwebsockets-native. That support has now
been added, so it is now possible to build mosquitto-native again.

Signed-off-by: Peter Kjellerstedt &lt;peter.kjellerstedt@axis.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit ad27cdd560fe9947a0e0f822d6a71bac5d2e4a7e)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
