<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/recipes-ids, branch master-next</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=master-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=master-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2026-05-17T14:45:41+00:00</updated>
<entry>
<title>samhain: upgrade 4.5.2 -&gt; 4.5.3</title>
<updated>2026-05-17T14:45:41+00:00</updated>
<author>
<name>Bin Cao</name>
<email>bin.cao.cn@windriver.com</email>
</author>
<published>2026-05-13T08:57:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=dc0a7622e4a60c8729d281b5f909119c781e8a67'/>
<id>urn:sha1:dc0a7622e4a60c8729d281b5f909119c781e8a67</id>
<content type='text'>
Update samhain-client, samhain-server, and samhain-standalone to 4.5.3.

Release notes: https://www.la-samhna.de/samhain/archive.html

Signed-off-by: Bin Cao &lt;bin.cao.cn@windriver.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>aide: fix pkg_postinst_ontarget shell script</title>
<updated>2026-05-17T14:45:41+00:00</updated>
<author>
<name>jason.lau</name>
<email>Haitao.Liu@windriver.com</email>
</author>
<published>2026-04-28T09:19:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=9d749026dd1054104a946565710152b50c6330ea'/>
<id>urn:sha1:9d749026dd1054104a946565710152b50c6330ea</id>
<content type='text'>
- Fix conditional checks for AIDE_SCAN_POSTINIT and AIDE_RESCAN_POSTINIT:
  '[ 0 ]' always evaluates to true since it's a non-empty string.
  Use string comparison '= "1"' instead.
- Fix invalid use of '&amp;&amp;' inside '[ ]' test brackets. Use separate
  test expressions joined by shell '&amp;&amp;'.

Signed-off-by: Haitao Liu &lt;haitao.liu@windriver.com&gt;
(reworked for 0.19.3, fixed indentation)
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>aide: Upgrade to 0.19.3</title>
<updated>2026-04-27T18:47:27+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-04-26T02:30:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=203087eb7031085d57f34a9e7fa94e1ee32929c3'/>
<id>urn:sha1:203087eb7031085d57f34a9e7fa94e1ee32929c3</id>
<content type='text'>
Release notes:
https://github.com/aide/aide/releases/tag/v0.19
https://github.com/aide/aide/releases/tag/v0.19.1
https://github.com/aide/aide/releases/tag/v0.19.2
https://github.com/aide/aide/releases/tag/v0.19.3

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>crowdsec: Upgrade to v1.7.7</title>
<updated>2026-04-27T18:47:27+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2026-04-25T20:15:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=cd05fe69928631eee79d4795b1b7036adfef8251'/>
<id>urn:sha1:cd05fe69928631eee79d4795b1b7036adfef8251</id>
<content type='text'>
The crowdsec recipes has seemingly been broken since soon after its
addition, rewrite it to build the latest version with the go-mod
bbclass.

Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: update 7.0.13 -&gt; 8.0.4</title>
<updated>2026-04-27T18:46:41+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2026-04-23T03:40:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=1dcf90fa424ba076603b8fead35dcf810549a99b'/>
<id>urn:sha1:1dcf90fa424ba076603b8fead35dcf810549a99b</id>
<content type='text'>
8.0.0 [1]:
Increased Rust use (including libhtp, suricatactl, and suricatasc)
More protocols
Lua sandboxed and available by default

8.0.4 [2]: security, performance, accuracy, and stability fixes

Resolve startup warning [3]:
W: af-packet: eth0: AF_PACKET tpacket-v3 is recommended for non-inline
operation

Add "ja4" option for fingerprinting TLS and QUIC clients [4]

CFLAGS modification for (see [5]):
do_package_qa: QA Issue: File /usr/bin/.debug/suricata in package
suricata-dbg contains reference to TMPDIR [buildpaths]

SURICATA_LUA_SYS_HEADER_DST [6]

[1] https://suricata.io/2025/07/08/suricata-8-0-0-released/
[2] https://suricata.io/2026/03/17/suricata-8-0-4-and-7-0-15-released/
[3] https://docs.suricata.io/en/suricata-8.0.4/upgrade.html#id1
[4] https://github.com/OISF/suricata/pull/10836
[5] https://git.openembedded.org/openembedded-core/commit/?id=3239961e35434592c06ec2cae2885ab464d35744
[6] https://github.com/OISF/suricata/commit/3a7eef812198118fa0b96059e70074bec5a8cdbe

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
(added musl libunwind fix)
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: improve PACKAGECONFIG[unittests] control</title>
<updated>2026-03-04T10:12:43+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2026-01-22T03:51:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=83008a93aabd14deb6e17a3957094f2049c11549'/>
<id>urn:sha1:83008a93aabd14deb6e17a3957094f2049c11549</id>
<content type='text'>
Allow downstream users to explicitly select desired PACKAGECONFIG
options (e.g. via "=").

Users are currently forced to use ":remove" (with "ptest").

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute</title>
<updated>2026-01-16T21:24:59+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2026-01-10T15:27:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=c32a913012ddac4f70c86494576c70f6719b77ab'/>
<id>urn:sha1:c32a913012ddac4f70c86494576c70f6719b77ab</id>
<content type='text'>
Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc:  denied  { execmem } for  pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: update PACKAGECONFIG[jansson] option to required</title>
<updated>2025-12-31T20:26:10+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-30T19:32:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=635238de190ed0281fbdecec6ed3a2a517f71bc6'/>
<id>urn:sha1:635238de190ed0281fbdecec6ed3a2a517f71bc6</id>
<content type='text'>
jansson is required as of Suricata 5.0:
https://github.com/OISF/suricata/commit/e49c40428e1b9f7e5dcdb5857c3978d5cb859fd9

This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828

On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
|     ERROR: Jansson is now required.
|
|     Go get it from your distribution or from:
|       http://www.digip.org/jansson/
|
|     Ubuntu/Debian: apt install libjansson-dev
|     CentOS: yum install jansson-devel
|     Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: drop trailing whitespace</title>
<updated>2025-12-31T20:25:06+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-30T19:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=2fc3c2748b2edafcab27dc38e988f60aaa2991d6'/>
<id>urn:sha1:2fc3c2748b2edafcab27dc38e988f60aaa2991d6</id>
<content type='text'>
Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>suricata: drop deprecated nss, nspr PACKAGECONFIGs</title>
<updated>2025-12-22T04:37:23+00:00</updated>
<author>
<name>Clayton Casciato</name>
<email>majortomtosourcecontrol@gmail.com</email>
</author>
<published>2025-12-11T15:29:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=3b93a09d528fd93995a15c4994de92759b057b15'/>
<id>urn:sha1:3b93a09d528fd93995a15c4994de92759b057b15</id>
<content type='text'>
Default add in 3f95047ae1e1d ("suricata: package update to 2.0.8")

https://docs.suricata.io/en/suricata-8.0.1/upgrade.html#id7
As of 7.0, "NSS is no longer required. File hashing and JA3 can now be
used without the NSS compile time dependency."

Removed in 8.0:
https://github.com/OISF/suricata/blob/suricata-8.0.1/ChangeLog#L647

Signed-off-by: Clayton Casciato &lt;majortomtosourcecontrol@gmail.com&gt;
</content>
</entry>
</feed>
