<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/recipes-core, branch master-next</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=master-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=master-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2026-04-27T18:47:27+00:00</updated>
<entry>
<title>packagegroup-core-security: Add missing packages</title>
<updated>2026-04-27T18:47:27+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-04-26T16:49:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=5a333f46463b4c2b24d97472dc995b24dad5e4f1'/>
<id>urn:sha1:5a333f46463b4c2b24d97472dc995b24dad5e4f1</id>
<content type='text'>
Add aircrack-ng, crowdsec, ncrack, and opendnssec where appropriate
now that they have been updated to build again.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>libmhash: Remove</title>
<updated>2026-04-27T18:47:27+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-04-26T02:32:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=ffdbb6dffd7460fde0e9a8a3add2cc2da2ca065d'/>
<id>urn:sha1:ffdbb6dffd7460fde0e9a8a3add2cc2da2ca065d</id>
<content type='text'>
Remove libmhash, as it is no longer required to build aide.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>clamav: Add recipe for version 1.4.3</title>
<updated>2025-12-22T04:34:11+00:00</updated>
<author>
<name>Hemant Jadhav</name>
<email>hemant.jadhav@emerson.com</email>
</author>
<published>2025-11-28T19:51:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=dd147f679226f0dee17562eaa545063df5edac2b'/>
<id>urn:sha1:dd147f679226f0dee17562eaa545063df5edac2b</id>
<content type='text'>
Add modern ClamAV 1.4.3 recipe with comprehensive improvements over
the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and
associated patches as they are superseded by this version.

Major changes in 1.4.3:
- Upgraded core engine with improved threat detection capabilities
- Added Rust components requiring cross-compilation support
- Updated CMake build system replacing legacy autotools
- Modernized library dependencies (LLVM, JSON-C, PCRE2)
- Added comprehensive license compliance for multi-component package
- Enhanced cross-compilation support for all target architectures

The recipe includes dynamic Cargo configuration using Yocto variables
to support cross-compilation to any target architecture supported by
the build system.

Runtime configuration improvements:
- Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths
- Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav
- Added pkg_postinst scripts to ensure correct directory ownership
- Implemented CMake cache variables for cross-compilation
- Updated all license checksums for compliance
- Added Rust toolchain integration with automatic environment setup
- Use Cargo vendoring with cargo + cargo-update-recipe-crates classes

Security rationale:
- ClamAV 0.104.4 reached end-of-life and is no longer maintained
- Upstream strongly recommends migration to 1.4.x for security updates

Signed-off-by: Hemant Jadhav &lt;hemant.jadhav@emerson.com&gt;
(regenerated diff, fixed building with systemd,
 fixed target Rust configuration, disabled for 32-bit targets)
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>oeqa: openscap test</title>
<updated>2025-11-21T14:10:00+00:00</updated>
<author>
<name>Louis Rannou</name>
<email>louis.rannou@non.se.com</email>
</author>
<published>2025-11-14T08:26:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=a043f0b8eded3444d6ac520a5fab02b191d43cf0'/>
<id>urn:sha1:a043f0b8eded3444d6ac520a5fab02b191d43cf0</id>
<content type='text'>
Add basic openscap test. This looks for an existing profile and runs a basic scan.

Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered as a successful test.

Signed-off-by: Louis Rannou &lt;louis.rannou@non.se.com&gt;
(added to test image)
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: update for recent changes</title>
<updated>2025-10-08T15:34:14+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2025-10-07T18:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=26e745243d6d28768ed4a237d9a48f68210c70a6'/>
<id>urn:sha1:26e745243d6d28768ed4a237d9a48f68210c70a6</id>
<content type='text'>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
  anyway due to all the machine overrides used in the packagegroup
  definition.
- Add the recently added python3-suricata-update so it will get
  tested by CI.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>paxctl: Remove recipe</title>
<updated>2025-10-08T15:34:14+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2025-09-26T19:26:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=fa4057267c920f211cdcd49f0a0d060d4e8a8b84'/>
<id>urn:sha1:fa4057267c920f211cdcd49f0a0d060d4e8a8b84</id>
<content type='text'>
Remove the paxctl recipe since it has seemingly been broken for a
while without anyone noticing, and there likely have been no actual
users since grsecurity stopped doing public releases in 2017.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>chipsec: disable until 6.16 support is fixed</title>
<updated>2025-10-08T15:34:14+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>marta.rybczynska@ygreky.com</email>
</author>
<published>2025-09-29T17:48:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=65fd11a293756b5cc0926c2e6aac865bef43c5cf'/>
<id>urn:sha1:65fd11a293756b5cc0926c2e6aac865bef43c5cf</id>
<content type='text'>
The 1.13.16 version does not work on the kernel 6.16 for now [1].

Disable while waiting for the fix.

[1] https://github.com/chipsec/chipsec/issues/2563

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
</content>
</entry>
<entry>
<title>aide: remove for musl</title>
<updated>2025-07-23T16:45:56+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>marta.rybczynska@ygreky.com</email>
</author>
<published>2025-07-21T03:55:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=643c3d78b953f149be85ce23869547ca76337911'/>
<id>urn:sha1:643c3d78b953f149be85ce23869547ca76337911</id>
<content type='text'>
Aide currently doesn't compile with musl because of copied getopt prototypes
and implementation.

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: unify conditional adding of packages on RISCV</title>
<updated>2025-07-23T16:45:56+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>marta.rybczynska@ygreky.com</email>
</author>
<published>2025-07-16T03:48:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=aa7213378affdca6f87212929862af4d05ec789d'/>
<id>urn:sha1:aa7213378affdca6f87212929862af4d05ec789d</id>
<content type='text'>
The package choice was using TUNE_FEATURES that doesn't work anymore
with multiple sub-architectures of RISCV. Instead use the overrides
and make sure to take into account also qemu versions.

Only riscv32/riscv64 does not work, fail on RDEPEND for qemu targets.

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: drop firejail for musl</title>
<updated>2025-01-07T01:01:40+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2025-01-01T19:40:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=a9c3a4fdfd4d612e98613d94b10e1380c6180524'/>
<id>urn:sha1:a9c3a4fdfd4d612e98613d94b10e1380c6180524</id>
<content type='text'>
appears to be a known issue:
https://bugs.gentoo.org/937374

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
