<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git, branch whinlatter-next</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=whinlatter-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=whinlatter-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2026-01-18T14:48:52+00:00</updated>
<entry>
<title>dm-verity-img.bbclass: filter units from value part</title>
<updated>2026-01-18T14:48:52+00:00</updated>
<author>
<name>Stephan Wurm</name>
<email>stephan.wurm@a-eberle.de</email>
</author>
<published>2026-01-07T13:37:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=18c6a7b5d836cc35c5131e33449b786111eceaf5'/>
<id>urn:sha1:18c6a7b5d836cc35c5131e33449b786111eceaf5</id>
<content type='text'>
This is necessary for cryptsetup starting from v2.8.0 which introduced
"[units]" in its output breaking the parsing of veritysetup output.

VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID:                   5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type:              1
Data blocks:            40091
Data block size:        4096 [bytes]
Hash blocks:            318
Hash block size:        4096 [bytes]
Hash algorithm:         sha256
Salt:                   f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash:              a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693

This extends the value filter to remove the "[units]" from the .env file,
while retaining compatibility to older cryptsetup releases.

Signed-off-by: Stephan Wurm &lt;stephan.wurm@a-eberle.de&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute</title>
<updated>2026-01-18T14:48:45+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2026-01-10T15:27:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=252f97af420cd170c37f3c33c2c1e86afeaa25f5'/>
<id>urn:sha1:252f97af420cd170c37f3c33c2c1e86afeaa25f5</id>
<content type='text'>
Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc:  denied  { execmem } for  pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>lynis: upgrade to 3.1.6</title>
<updated>2026-01-18T14:48:38+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-01-16T20:03:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=0a448b7bc73b26aeb659bc1fdd4c90049d7d51bb'/>
<id>urn:sha1:0a448b7bc73b26aeb659bc1fdd4c90049d7d51bb</id>
<content type='text'>
Release notes:
https://github.com/CISOfy/lynis/releases/tag/3.1.6

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>Update CI configuration for whinlatter</title>
<updated>2026-01-07T15:04:56+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-01-07T15:04:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=8538fa27b466f971a854ef93e938e863d4c53ffd'/>
<id>urn:sha1:8538fa27b466f971a854ef93e938e863d4c53ffd</id>
<content type='text'>
Update kas configuration for CI to use whinlatter branch.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>Update kas configuration</title>
<updated>2026-01-07T14:50:08+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-01-06T16:11:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=b5192f58f4926aa08c338b899221cc2121056bf1'/>
<id>urn:sha1:b5192f58f4926aa08c338b899221cc2121056bf1</id>
<content type='text'>
Changes to catch up with current kas and future-proof a bit:
* Update the kas configuration file versions to 19 to match kas 4.8.x.
* Change refspec to branch to remove deprecation warnings.
* Add quoting around URLs to match upstream examples.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>meta-parsec: Remove meta-clang dependency</title>
<updated>2026-01-07T14:49:29+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-01-06T16:08:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=7d0ae0d688d34c1574530cb93c12323ac48f1bb3'/>
<id>urn:sha1:7d0ae0d688d34c1574530cb93c12323ac48f1bb3</id>
<content type='text'>
Since clang is in openembedded-core now, meta-parsec no longer needs
meta-clang.  Also updated maintainers in meta-parsec README.md since
it had previously been missed.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: update PACKAGECONFIG[jansson] option to required</title>
<updated>2025-12-31T20:26:10+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-30T19:32:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=635238de190ed0281fbdecec6ed3a2a517f71bc6'/>
<id>urn:sha1:635238de190ed0281fbdecec6ed3a2a517f71bc6</id>
<content type='text'>
jansson is required as of Suricata 5.0:
https://github.com/OISF/suricata/commit/e49c40428e1b9f7e5dcdb5857c3978d5cb859fd9

This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828

On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
|     ERROR: Jansson is now required.
|
|     Go get it from your distribution or from:
|       http://www.digip.org/jansson/
|
|     Ubuntu/Debian: apt install libjansson-dev
|     CentOS: yum install jansson-devel
|     Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: drop trailing whitespace</title>
<updated>2025-12-31T20:25:06+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-30T19:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=2fc3c2748b2edafcab27dc38e988f60aaa2991d6'/>
<id>urn:sha1:2fc3c2748b2edafcab27dc38e988f60aaa2991d6</id>
<content type='text'>
Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: drop deprecated nss, nspr PACKAGECONFIGs</title>
<updated>2025-12-22T04:37:23+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-11T15:29:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=3b93a09d528fd93995a15c4994de92759b057b15'/>
<id>urn:sha1:3b93a09d528fd93995a15c4994de92759b057b15</id>
<content type='text'>
Default add in 3f95047ae1e1d ("suricata: package update to 2.0.8")

https://docs.suricata.io/en/suricata-8.0.1/upgrade.html#id7
As of 7.0, "NSS is no longer required. File hashing and JA3 can now be
used without the NSS compile time dependency."

Removed in 8.0:
https://github.com/OISF/suricata/blob/suricata-8.0.1/ChangeLog#L647

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
</content>
</entry>
<entry>
<title>openscap: switch to libpcre2</title>
<updated>2025-12-22T04:35:47+00:00</updated>
<author>
<name>hongxu</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2025-12-01T07:03:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=51cc72c2d7f4ee900d201217db4e356832aa768b'/>
<id>urn:sha1:51cc72c2d7f4ee900d201217db4e356832aa768b</id>
<content type='text'>
The openscap added PCRE2 library since 2023 [1]

[1] https://github.com/OpenSCAP/openscap/commit/cd1d4289581fa15527e516ddd07be814af7cba55

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
</content>
</entry>
</feed>
