| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
Update lynis SRC_URI to fix building, and while at it bump to 3.0.9
which hopefully be a transparent upgrade for anyone still on kirkstone.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted from 828a78314f51b919baf638d64e8e12c0c0a408ad)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
| |
Drop setuid-log-folder.patch, using sed instead.
Refresh patch check-setuid-use-more-portable-find-args.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
0.55 no longer hosted from main source. Use Ubuntu archive
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update based on latest master configuration.
Changes:
- switch to kirkstone
- add required usrmerge feature to kas-security-alt configuration
- add whitespaces around assignement
- add common dldir/sstate
- don't build apparmor in musl configs
- only enable ptest for the test image
- Update the kas configuration file versions to 19 to match kas 4.8.x.
- Change refspec to branch to remove deprecation warnings.
- Add quoting around URLs to match upstream examples.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.
Other changes:
- add logging of jobs to files
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(reworked for kirkstone branch)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself.
(backport from master)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
CVES fixed:
- CVE-2024-20505 clamav: out-of-bounds read bug in the PDF file parser
- CVE-2024-20506 clamav: ClamD process writes to log file while privileged without checking if its been replaced with a symlink
Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/8915bd22570ee608907f1b88a68e587d17813812, https://github.com/Cisco-Talos/clamav/commit/88efeda2a4cb93a69cf0994c02a8987f06fa204d
Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Changelog:
https://github.com/tpm2-software/tpm2-tss/releases/tag/3.2.3
Includes Security fix:
CVE-2024-29040
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Include Security fixes:
Fixed CVE-2024-29038
Fixed CVE-2024-29039
Changelog:
https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7
https://github.com/tpm2-software/tpm2-tools/releases/tag/5.6
https://github.com/tpm2-software/tpm2-tools/releases/tag/5.5
https://github.com/tpm2-software/tpm2-tools/releases/tag/5.4
https://github.com/tpm2-software/tpm2-tools/releases/tag/5.3
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A race condition flaw was found in sssd where the GPO policy is
not consistently applied for authenticated users. This may lead
to improper authorization issues, granting or denying access to
resources inappropriately.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3758
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
As already mentioned in upgrade commit, this CVE is fixed.
But cve_check still reports it as NVD DB was not updated.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add squashfs to images supported by verity.
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ab8651c139a05c476d7e8a6a987106b2f7e9a354)
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[PATCH] Add support for the EROFS image, and it's compressed options,
to the dm-verity-img.bbclass setup, theoretically this is a simple addition
to the list of types however there is a quirk in how Poky handles the
filesystems in poky/meta/classes/image_types.bbclass.
Specifically the 'IMAGE_CMD' and 'IMAGE_FSTYPES' use a hyphen, e.g.
erofs-lz4, however in the image_type bbclass the task for that would be
"do_image_erofs_lz4", replacing the hyphen with an underscore.
As the dm-verity-img.bbclass adds a dependency to the wic image creation
on the do_image_* task then it fails as there is no
"do_image_erofs-lz4", so simply replace the hypen with an underscore.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 8ca6bb86e653a332f7cb5b30babc0cd6c58769d0)
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Maciej Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
3.2.2
A buffer overflow in tss2-rc as CVE-2023-22745.
The drv layer in tss2-rc should have been the policy layer.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
3.2.1
Makefile.am: make all EXTRA_DIST includes unconditional to fix pristine tars
Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE.
Store VERSION into the release tarball.
fapi: fix usage of policy_nv with a TPM nv index.
Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
build: Remove erroneous trailing comma in linker option. Bug #2391.
esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
test: build with opaque FILE structure like in musl libc.
Usage of a second profile in a path was not possible because the default profile was always used.
FAPI: Fix provisioning if auth value for storage hierarchy was set.
FAPI: Fix recreation of EK.
FAPI: Fix usage of lockout auth value in Fapi_Provison.
FAPI: Fix loading of key in policy execution.
FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions.
tests: esys-pcr-auth-value.int moved to destructive tests.
FAPI: Fix double free if keystore is corrupted.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
fixes:
swtpm: Could not open TCP socket: Address already in use
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5642c519b90f83ab6ec1507db9b3b36db43c548)
[Fixup for kirkstone context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 3db9e08300c3d5e3f7b6e4e6cb743a914ed3f00b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Starting with [1] kernel modules symbols is being slipped in OE-core
and this breaks the kernel modules sign, so disable it.
[1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit c1c80cf0c0f26215fb252242f0d70f8870916734)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
--no-create-home --shell /sbin/nologin ${PN}"
The username added to the passwd file is ${PN}. When ${PN} is
multilibized, it no longer matches CLAMAV_UID. Make the two match.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Nothing in getting installed in ${datadir}/lib, it is all going to
${prefix}/lib. setuptools pulls in ${libdir}/* so for the base lib
case of ${prefix}/lib the build works. If libdir is something else
lib64 for example, its still ending up in ${prefix}/lib and it fails
to build.
Set value to correct path as it is being installed.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
| |
|
|
| |
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
| |
|
|
|
|
|
|
| |
CVE-2018-16838 is patched in our version of sssd but it doesn't have
a vulnerable version range in the NVD database,
that's why it needs to be ignored.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The following occurs when pkgs-docs added to image features.
Error: Transaction test error:
file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e05ce8fb3943755ef7c73c07e456e8ee8757f7bd)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 17d7ad92eaad54d2d977e5a08dffb369cf2e61a4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
local.conf
TEST_SUITES = "ssh ping tpm2"
IMAGE_INSTALL:append = " swtpm tpm2-pkcs11"
RESULTS:
RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
RESULTS - ssh.SSHTest.test_ssh: PASSED (2.19s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pcrread: PASSED (1.06s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pkcs11: PASSED (1.17s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_reset: PASSED (0.59s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_socket: PASSED (307.72s)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 8be830dd85846a1a7da18a1a4adb2aa87cba5c78)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 311b7daea1eac094b7221c8b487b5e94b0605fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Correctly fix symlink issue by putting module in -dev pkg.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 3045de13abe1ee6c39e06d1ce0d2b31478d2ff35)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Precalculate buffer size in base64 functions (CVE-2021-45417)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5a5edebbb8b4b4f2e9725ee141cf09d18f75d81b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
| checking for libaudit.h... no
| configure: error: You don't have libaudit properly installed. Install it if you need it.
| NOTE: The following config.log files may provide further information.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a8fba7a8ef99ce41a86ce4861c75ba5157f8389d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 20c13f6335165d693f7f3270c829b3069dbbad66)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Use convert-spdx-licenses.py to update LICENSE in recipes.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
It seems below change done manually and so LICENSE variable modified
from GPLv2 to GPL-2.0-or-later. But it should be GPL-2.0-only
Link: https://git.yoctoproject.org/meta-security/commit/?id=c56ae450c93a1383a1ce800a32a6ef2c3fbbae1c
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
The build patches are now included in the upstream,
the local binary checkes can be disabled with --disable-ptool-checks,
the boostrap doesn't need to be called if the release .tar.gz is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Since Yocto now uses OpenSSL 3.0, the file packaging need to
be updated.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
The version number is correctly assigned only when the release .tar.gz
is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This deletes the patches that were unused for a long time,
updates the tpm2-tss package and introduces a fix to the version
number problem that got introduced with the 3.2.0 version.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Also, the recipe is fixed to correctly package the openssl provider.
This new tpm2-openssl:
- Fixed segmentation fault when a signature algorithm is beging initialized
without a private key.
- Fixed RSA/EC key equality checks. Works with OpenSSL 3.0.1.
- Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Add COMPATIBLE_HOST to match what is found in glibc
to avoid build error when using musl
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
This fixes musl builds too.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
This allows to track tip easier.
refresh patch
Fix LICENSE to match SPDX format
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Use python3-native to use 2to3
Fix build issue on some hosts with this error:
(result, consumed) = self._buffer_decode(data, self.errors, final)
| UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 152: invalid continuation byte
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|