summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* nikto: fix branchscarthgap-nextscarthgapScott Murray2026-03-061-1/+1
| | | | | | | Upstream has renamed their master branch to main, adjust SRC_URI to match. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: update to 7.0.13Hitendra Prajapati2026-03-042-705/+734
| | | | | | | | | | | Release notes: https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/ See suricata release notes for more details about changes and CVEs fixed. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* lynis: upgrade to 3.1.6Scott Murray2026-01-191-1/+1
| | | | | | | Release notes: https://github.com/CISOfy/lynis/releases/tag/3.1.6 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* lynis: move to GitHub fetchingMarta Rybczynska2026-01-191-3/+3
| | | | | | | | | Move to fetching from GitHub hashes to avoid issues at releases, when the last-recent release changes place. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> (adapted for scarthgap) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* lynis: update to 3.1.5Michael Opdenacker2026-01-191-1/+1
| | | | | | | | | | | | | | | | | | | | | Tested on master (whinlatter) with beaglebone-yocto New in version 3.1.5 (2025-07-29): https://cisofy.com/changelog/lynis/#315 Added: - Support for OpenWrt - Bitdefender detection on Linux - Detection of openSUSE Tumbleweed-Slowroll Changed: - Corrected detection of service manager SMF - Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt - Check modules also under /usr/lib/modules.d Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com> (backported to scarthgap) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* sssd: Upgrade to 2.9.7Scott Murray2026-01-198-54/+90
| | | | | | | | Release notes: https://sssd.io/release-notes/sssd-2.9.6.html https://sssd.io/release-notes/sssd-2.9.7.html Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* sssd: Fix for CVE-2025-11561Vijay Anusuri2026-01-192-0/+51
| | | | | | | Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* sssd: Upgrade 2.9.2 -> 2.9.5Vijay Anusuri2026-01-191-1/+1
| | | | | | | | | | Includes security fix CVE-2023-3758 ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.9.5 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: update to 7.0.12Clayton Casciato2025-11-2430-10261/+780
| | | | | | | | | | | | | | | | | | | | | | | Also update libhtp to required version 0.5.52. See suricata release notes for more details about changes and CVEs fixed: https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/ https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/ https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/ https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/ https://suricata.io/2024/10/01/suricata-7-0-7-released/ https://suricata.io/2024/12/12/suricata-7-0-8-released/ https://suricata.io/2025/03/18/suricata-7-0-9-released/ https://suricata.io/2025/07/08/suricata-7-0-11-released/ https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/ Obsolete CVE patches removed. Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> (cherry picked from commit fbb8343cf81b0cfe1dc396b0cd2417a8315de9ad) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: populate SYSTEMD_SERVICE for service autostartClayton Casciato2025-11-241-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-SYSTEMD_SERVICE Before: root@beaglebone-yocto:~# systemctl status suricata * suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; preset: disabled) Active: inactive (dead) Docs: man:suricata(8) man:suricatasc(8) https://redmine.openinfosecfoundation.org/projects/suricata/wiki After: root@beaglebone-yocto:~# systemctl status suricata * suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled) Active: active (running) since Mon 2025-09-22 04:05:08 UTC; 20s ago Invocation: 8cfeb29631f443f0830bffeb00975931 Docs: man:suricata(8) man:suricatasc(8) https://redmine.openinfosecfoundation.org/projects/suricata/wiki Main PID: 268 (Suricata-Main) Tasks: 7 (limit: 4915) Memory: 36.8M (peak: 37M) CPU: 2.222s CGroup: /system.slice/suricata.service `-268 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 Sep 22 04:05:08 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon. Sep 22 04:05:09 beaglebone-yocto suricata[268]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: 1 rule files specified, but no rules were loaded! Sep 22 04:05:10 beaglebone-yocto suricata[268]: i: threads: Threads created -> W: 1 FM: 1 FR: 1 Engine started. Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> (cherry picked from commit 0b7b0629bebe98237ce3060ebe132db05cdcc3b7) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: install classification, reference configsClayton Casciato2025-11-241-0/+2
| | | | | | | | | | | | | | | suricata.yaml references these configs Resolve: <Warning> -- could not open: "/etc/suricata/classification.config": No such file or directory <Error> -- please check the "classification-file" option in your suricata.yaml file Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> (cherry picked from commit 9a49fcbd05e46cafb0a2300a035a9528242bd4b2) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: fix "interface" arg in systemd serviceClayton Casciato2025-11-241-1/+1
| | | | | | | | | | | Fix service startup https://docs.suricata.io/en/suricata-7.0.0/command-line-options.html#cmdoption-i Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com> (cherry picked from commit ca34a66f82caa95b6469f2dee5be6c26bbe2cecc) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: drop pkg_postinst_ontarget systemd initClayton Casciato2025-11-241-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | /var/log/suricata initialization is handled by systemd-tmpfiles-setup.service, which occurs before services like suricata Work towards resolving: ERROR: [...] do_rootfs: The following packages could not be configured offline and rootfs is read-only: ['100-suricata'] Added in commit 36d656fe7244 ("suricata: add tmpfiles.d config") systemd testing: root@beaglebone-yocto:~# ls -d /var/log/suricata /var/log/suricata root@beaglebone-yocto:~# systemctl enable suricata Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'. root@beaglebone-yocto:~# rmdir /var/log/suricata root@beaglebone-yocto:~# reboot now root@beaglebone-yocto:~# ls -d /var/log/suricata /var/log/suricata root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata 2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories... [...] 2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories. 2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon. [...] Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 9109f7258dc60c88985869ceff5ca3523cd01400) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: resolve TMPDIR QA issues in do_configureClayton Casciato2025-11-241-0/+16
| | | | | | | | | | | | | | | | | | | | | | | ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata in package suricata contains reference to TMPDIR [buildpaths] ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src contains reference to TMPDIR [buildpaths] Address references when src/build-info.h is being written This is similar to Debian's approach: https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/ Restore the "already-stripped" check and CFLAGS info Original resolution in commit c0e3fecc3bea ("suricata: fix QA warnings") Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 277bf8f9160540d582fec58f0f2139b4e4aebef0) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* fail2ban: replace fail2ban-python shebang with python3Haixiao Yan2025-11-241-0/+3
| | | | | | | | | | | In Yocto, there is only one Python interpreter (python3), and the auto-generated "fail2ban-python" symlink is not used. To ensure all installed scripts can run correctly, replace the shebang line from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3" during installation. Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* fail2ban: Adapt test output to Automake format for ptest compatibilityHaixiao Yan2025-11-242-1/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert fail2ban-testcases output to follow Automake-compatible format (PASS:/FAIL:) so that ptest-runner can correctly parse and report test results. root@intel-x86-64:~# ptest-runner python3-fail2ban -t 300 START: ptest-runner 2025-09-22T07:57 BEGIN: /usr/lib64/python3-fail2ban/ptest Fail2ban 1.1.1.dev1 test suite. Python 3.12.11 (main, Jun 3 2025, 15:41:47) [GCC 13.4.0]. Please wait... I: Skipping smtp tests: No module named 'smtpd' I: Skipping SSL smtp tests: No module named 'aiosmtpd' PASS: fail2ban.tests.servertestcase.Transmitter.testAction PASS: fail2ban.tests.servertestcase.Transmitter.testAddJail PASS: fail2ban.tests.servertestcase.Transmitter.testDatabase PASS: fail2ban.tests.servertestcase.Transmitter.testDatePattern PASS: fail2ban.tests.servertestcase.Transmitter.testGetNOK PASS: fail2ban.tests.servertestcase.Transmitter.testJailAttemptIP PASS: fail2ban.tests.servertestcase.Transmitter.testJailBanIP ... PASS: fail2ban.tests.servertestcase.TransmitterLogging.testBanTimeIncr PASS: fail2ban.tests.servertestcase.TransmitterLogging.testFlushLogs PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogLevel PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTarget PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTargetSYSLOG PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocket PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocketNOK ============================================================================ Testsuite summary DURATION: 48 END: /usr/lib64/python3-fail2ban/ptest 2025-09-22T07:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* python3-fail2ban: fix ptest failuresYi Zhao2025-11-243-1/+255
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix ptest failures by backporting patch and updating test case config files. Before the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:42 BEGIN: /usr/lib64/python3-fail2ban/ptest <snip> Ran 524 tests in 23.023s FAILED (failures=5, errors=7, skipped=3) DURATION: 24 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:42 STOP: ptest-runner TOTAL: 1 FAIL: 1 After the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:59 BEGIN: /usr/lib64/python3-fail2ban/ptest <snip> Ran 524 tests in 25.982s OK (skipped=3) DURATION: 27 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:59 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: fix CVE-2024-55627 && CVE-2024-55628Hitendra Prajapati2025-11-248-0/+6390
| | | | | | | | | | Backport fixes for: * CVE-2024-55627 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd && https://github.com/OISF/suricata/commit/949bfeca0e5f92212dc3d79f4a87c7c482d376aa && https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e * CVE-2024-55628 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/58c41a7fa99f62d9a8688e970ab1a9b09c79723a && https://github.com/OISF/suricata/commit/284ad462fcb2e47f1518a1abc19e27ca84c6972e && https://github.com/OISF/suricata/commit/5edb84fe234f47a0fedfbf9b10b49699152fe8cb && https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: Fix multiple CVEsHitendra Prajapati2025-11-248-0/+1891
| | | | | | | | | | | Backport fixes for: * CVE-2024-32663 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5 && https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd * CVE-2024-32664 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 * CVE-2024-32867 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 && https://github.com/OISF/suricata/commit/7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7 && https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9 && https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* fail2ban: update to 1.1.0+Rasmus Villemoes2025-11-241-12/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current 1.0.2 version does not work with scarthgap or later releases, as the asynchat module has been removed (as scheduled) from python's stdlib as of v3.12. fail2ban 1.1.0 also does not work out-of-the-box, as the distutils module which the pyinotify and systemd backends depend has also been removed. So update the recipe to point at commit ac62658c10f4, which fixes those two backends to no longer depend on distutils. Upstream's out-of-the-box ban action now uses the 'nft' command. People can still override and customize that in jail.conf/jail.local, but to make the recipe useful without customizing things back to use iptables, change the dependency iptables->nftables. Since 1.1.0, fail2ban has been python3-only, so the recipe becomes somewhat simpler since the whole do_compile preparation step can be removed. Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> (update PV) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libhtp: fix CVE-2025-53537Hitendra Prajapati2025-11-243-0/+112
| | | | | | | | Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c && https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* smack: Switch to CVE_STATUSAidan Stewart2025-11-241-4/+3
| | | | | | | | CVE_CHECK_IGNORE has been deprecated starting with the Nanbield release. Signed-off-by: Aidan Stewart <astewart@tektelic.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: fix multiple CVEsHitendra Prajapati2025-11-246-0/+545
| | | | | | | | | | | Backport fixes for: * CVE-2025-29916 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad && https://github.com/OISF/suricata/commit/e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 && https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047 * CVE-2025-29917 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019 * CVE-2025-29918 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* clamav: fix CVE-2025-20260Hitendra Prajapati2025-11-242-0/+367
| | | | | | | Upstream-Status: Backport https://github.com/Cisco-Talos/clamav/commit/7fe290b573db66ffcf590902977b2b6043b30834 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: Fix CVE-2024-55605Hitendra Prajapati2025-11-242-0/+206
| | | | | | | Upstream-Status: Backport from https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* meta-security: Remove True option to getVar callsakash hadke2025-11-242-3/+3
| | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Signed-off-by: Akash Hadke <akash.hadke27@gmail.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: fix CVE-2024-45795 & CVE-2024-45796Hitendra Prajapati2025-11-243-0/+158
| | | | | | | | * CVE-2024-45795 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/72456d359bf3064306b62024c809bb30b162f18c && https://github.com/OISF/suricata/commit/96d5c81aed01f2bc0cd3e2e60057d0deb38caa99 * CVE-2024-45796 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/9203656496c4081260817cce018a0d8fd57869b5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* harden-image-minimal: Fix usermodArmin Kuster2025-11-241-2/+2
| | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit c08a91e5e607806460854936ef622f6f78bb0f03) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* ima-evm-utils: remove unnecessary FILESEXTRAPATHS tweakScott Murray2025-11-241-2/+0
| | | | | | | | | | It was pointed out that the recipe was wrongly doing FILESEXTRAPATHS:append, but on inspection the recipe does not need it at all, so just remove. Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> (cherry picked from commit 5770a76fc0d78a645ab254979986f572fd18b3ec) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* meta-tpm: Small maintainers fixScott Murray2025-11-241-1/+0
| | | | | | | | To avoid confusion, remove stray aircrack-ng entry as it is actually in the main layer and not meta-tpm. (cherry picked from commit 9f1d763bb17bf105cc313a95eb3b07496b34bacc) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* packagegroup-core-security: add missing packagesScott Murray2025-11-241-0/+4
| | | | | | | | | | | | | Changes: - Add libmhash and libgssglue so they will get tested by CI. - Switch to MACHINE_ARCH to facilitate the above, but it makes sense anyway due to all the machine overrides used in the packagegroup definition. Since this packagegroup is to facilitate testing and unlikely to be used by downstreams, it is believed this will have minimal impact. (adapted from 26e745243d6d28768ed4a237d9a48f68210c70a6) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libgssglue: switch to use git sourceChen Qi2025-11-241-2/+3
| | | | | | | | | | | | | The 0.8 orig.tar.gz is not in debian mirror any more. In fact, we really should avoid using orig.tar.gz like this because distros like debian will just delete those that they don't maintain any more. Switch to use git source. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit baaafdf08b7ffb8703618684d571c4766ea3e28e) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* bastille: prevent host uids on filesMarta Rybczynska2025-11-241-0/+2
| | | | | | | | | | | | We get an intermittent QA error about file permissions, happening roughly on 1 build of 10. The change adds chown to prevent host ids on files related to the set_required_questions.py script, to avoid long debugging for now. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> (cherry picked from commit 7bdd0a8b48442e3a93b98647801c2ff5dee7267b) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* checksecurity: update the debian packageMarta Rybczynska2025-11-241-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previously used package (nmu1) is not longer available, use the latest current one (nmu3). The changelog between the two: checksecurity (2.0.16+nmu3) unstable; urgency=medium * Non-maintainer upload. * Fix "missing required debian/rules targets build-arch and/or build- indep": Add targets to debian/rules. (Closes: #999082) * Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm": Bump to 7 in debian/{compat,control}. (Closes: #965448) * Fix some grave packaging errors: - move debhelper from Build-Depends-Indep to Build-Depends - remove temporary files debian/postrm.debhelper and debian/substvars from source package -- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100 checksecurity (2.0.16+nmu2) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. * No source change upload to rebuild on buildd with .buildinfo files. -- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100 Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> (adapted from 828a78314f51b919baf638d64e8e12c0c0a408ad) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* chkrootkit: use debian mirrorMarta Rybczynska2025-11-241-1/+1
| | | | | | Use the debian mirror as the ubuntu one is failing frequently. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* lynis: update 3.1.1 -> 3.1.4Marta Rybczynska2025-11-241-1/+1
| | | | | | | | Changelog at [1]. [1] https://cisofy.com/changelog/lynis/#314 Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* kas: update configurationMarta Rybczynska2025-11-226-6/+18
| | | | | | | | | | | | | | Changes: - switch to scarthgap - add required usrmerge feature to kas-security-alt configuration - add whitespaces around assignement - add common dldir/sstate - don't build apparmor in musl configus - only enable ptest for the test image Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> (squashed and recent master changes backported) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* CI: update build for new CIMarta Rybczynska2025-11-221-20/+27
| | | | | | | | | | | | | | | Update for Ubuntu 24.04 runners: - use venv for installing kas - add missing directories - assume that python3 and pip are installed. Other changes: - add logging of jobs to files - build parsec images where appropriate Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> (squashed and updated with missing master version changes) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* Update maintainersScott Murray2025-11-227-58/+64
| | | | | | | | | | | Add Marta and myself as maintainers for meta-security and the other embedded layers that Armin had been maintaining. To avoid Armin getting bugged about individual recipes, set the RECIPE_MAINTAINER variables to myself. (backport from master) Signed-off-by: Scott Murray <scott.murray@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libhtp: fix CVE-2024-45797Hitendra Prajapati2024-11-042-1/+151
| | | | | | | Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: upgrade 4.0.1 -> 4.0.2Vijay Anusuri2024-09-091-1/+1
| | | | | | | | | | | Changelog: https://github.com/tpm2-software/tpm2-tss/releases/tag/4.0.2 Includes Security fix: CVE-2024-29040 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* clamav: fix CVE-2024-20505 & CVE-2024-20506Hitendra Prajapati2024-09-093-0/+244
| | | | | | | | | | Backport fixes for: * CVE-2024-20505 - Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/8915bd22570ee608907f1b88a68e587d17813812 * CVE-2024-20506 - Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/88efeda2a4cb93a69cf0994c02a8987f06fa204d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tools: Upgrade 5.5 -> 5.7Vijay Anusuri2024-08-101-1/+1
| | | | | | | | | | | | | Include Security fixes: Fixed CVE-2024-29038 Fixed CVE-2024-29039 Changelog: https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7 https://github.com/tpm2-software/tpm2-tools/releases/tag/5.6 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmtpm2tss: upgrade 1661 -> 2.2.0Yi Zhao2024-04-222-19/+21
| | | | | | | | * Refresh patch * Fix UPSTREAM_CHECK_GITTAGREGEX Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: upgrade 3.0.9 -> 3.1.1Wang Mingyu2024-04-222-55/+2
| | | | | | | | 0001-osdetection-add-OpenEmbedded-and-Poky.patch removed since it's included in 3.1.1. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmswtpm2: upgrade 164-2020-192.1 -> 183-2024-03-27Yi Zhao2024-04-161-3/+3
| | | | | | | | | | Remove '-DALG_CAMELLIA=ALG_NO' from CFLAGS to fix compile error: | TpmProfile_Common.h:109: error: "ALG_CAMELLIA" redefined [-Werror] | 109 | #define ALG_CAMELLIA ALG_YES | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: update to new patches mailing listArmin Kuster2024-04-095-12/+12
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: Make asyncore support optional for Python 3Mingli Yu2024-03-272-0/+96
| | | | | | | | | | | | | | | | | | | | | | Simple fix for Python 3.12 since it dropped asyncore. Catches the import error instead of using a version check so that the user can install the compatibility package for any uses that can't be upgraded to asyncio or similar immediately. Fixes: # python3 Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import pyinotify Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module> import asyncore ModuleNotFoundError: No module named 'asyncore' >>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update for the scarthgap release seriesMax Krummenacher2024-03-275-5/+5
| | | | | Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: install man8 dirJeremy A. Puhlman2024-03-271-1/+1
| | | | | | | | | | | | | | The install expects man8 directory to already exists. If not created the man page gets installed as "man8", which causes conflicts with other packages, that expect it to be a directory. 'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp' './arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' './arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>