Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=nanbield 2024-03-28T17:08:30+00:00 2024-03-28T17:08:30+00:00 Ross Burton ross.burton@arm.com 2024-03-27T11:16:15+00:00 urn:sha1:68f1b7f429c8d8f1821be6c38e54867090626ea1 On aarch64, if the processor doesn't have the Crypto instructions then OpenSSL will fall back onto the "bit-sliced" assembler routines. When branch protection (BTI) was enabled in OpenSSL these routines were missed, so if BTI is available libssl will immediately abort when it enters this assembler. Backport a patch submitted upstream to add the required call target annotations so that BTI doesn't believe the code is being exploited. (From OE-Core rev: ec555688dbdc87cc695db653201c8d9e20079d22) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-03-20T16:02:50+00:00 Lee Chee Yang chee.yang.lee@intel.com 2024-03-14T02:26:27+00:00 urn:sha1:6d2b73edc960222d586029b3099f451cc2d0eb48 Changes between 3.1.4 and 3.1.5 [30 Jan 2024] * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727]) https://www.openssl.org/news/cl31.txt drop fix_random_labels.patch as fixed in https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867 (From OE-Core rev: aeac11fa743567e185179b27b4700bbf8fcf06e1) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-03-20T16:02:50+00:00 Claus Stovgaard claus.stovgaard@gmail.com 2024-02-27T17:45:50+00:00 urn:sha1:12c5aa2329f5a34f7cda019215100a72a9857210 PEAP client: Update Phase 2 authentication requirements. Also see https://www.top10vpn.com/research/wifi-vulnerabilities/ (From OE-Core rev: 7d0e3f31d2193b2b13a9fe3f368a172f4eaa7c48) Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 57b6a329df897de69ae8b90706d9fe37e0ed6d35) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-03-16T18:33:21+00:00 Soumya Sambu soumya.sambu@windriver.com 2024-03-11T08:39:52+00:00 urn:sha1:92b6805f619f6c171d76188bdec901224b74e606 Changelog: ========= 9.18.24: - Fix case insensitive setting for isc_ht hashtable. [GL #4568] 9.18.23: - Specific DNS answers could cause a denial-of-service condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424] - Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] - Under some circumstances, the DoT code in client mode could process more than one message at a time when that was not expected. That has been fixed. [GL #4487] 9.18.22: - Limit isc_task_send() overhead for RBTDB tree pruning. [GL #4383] - Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] - Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] - Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234] - Address race conditions in dns_tsigkey_find(). [GL #4182] - Conversion from NSEC3 signed to NSEC signed could temporarily put the zone into a state where it was treated as unsigned until the NSEC chain was built. Additionally conversion from one set of NSEC3 parameters to another could also temporarily put the zone into a state where it was treated as unsigned until the new NSEC3 chain was built. [GL #1794] [GL #4495] - Memory leak in zone.c:sign_zone. When named signed a zone it could leak dst_keys due to a misplaced 'continue'. [GL #4488] - Log more details about the cause of "not exact" errors. [GL #4500] - The wrong time was being used to determine what RRSIGs where to be generated when dnssec-policy was in use. [GL #4494] - The "trust-anchor-telemetry" statement is no longer marked as experimental. This silences a relevant log message that was emitted even when the feature was explicitly disabled. [GL #4497] - Fix statistics export to use full 64 bit signed numbers instead of truncating values to unsigned 32 bits. [GL #4467] - NetBSD has added 'hmac' to libc which collides with our use of 'hmac'. [GL #4478] (cherry-pick from Oe-Core rev d7f31aba343948dbaadafc8c0c66f78e6ffb46e3) (From OE-Core rev: 61fa2f52045b7a1553249c33263b5fd32444a305) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-03-16T18:33:21+00:00 Wang Mingyu wangmy@fujitsu.com 2024-03-11T08:39:51+00:00 urn:sha1:ed0ae8e15bcbf189ea55c07ce092f91dd5e109ad bind-ensure-searching-for-json-headers-searches-sysr.patch refreshed for 9.18.21 Changelog: ========== -Improve LRU cleaning behaviour. -The "resolver-nonbackoff-tries" and "resolver-retry-interval" options are deprecated; a warning will be logged if they are used. -BIND might sometimes crash after startup or re-configuration when one 'tls' entry is used multiple times to connect to remote servers due to initialisation attempts from contexts of multiple threads. That has been fixed. -Dig +yaml will now report "no servers could be reached" also for UDP setup failure when no other servers or tries are left. -Recognize escapes when reading the public key from file. -Dig +yaml will now report "no servers could be reached" on TCP connection failure as well as for UDP timeouts. -Deprecate AES-based DNS cookies. (cherry-pick from Oe-core rev b750d54622a0fa0a35d83ddc59f07661e903360b) (From OE-Core rev: 6977b7ac4202a1dd4264a6b4e4e6fd5c3dc07d37) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-01-31T14:10:24+00:00 Robert Yang liezhi.yang@windriver.com 2023-12-15T13:47:27+00:00 urn:sha1:60f7c83994b168bbc17c239acbc7f3a312329a69 Update Upstream-Status for 0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch. (From OE-Core rev: 2323086931f2abd9b85fc1ec94b6b0d3efd6364a) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7189d1ea5c066b9ffc52103160bb34945fd779d7) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-01-31T14:10:24+00:00 Wang Mingyu wangmy@fujitsu.com 2023-12-19T09:33:46+00:00 urn:sha1:88e9607d71a2bdc65ea51b9944c269d4eabd8d70 Changelog: ========= -The library version numbers have been bumped up for the Kea 2.4.1 stable release. -Fixed interface redetection which had stopped working since Kea 2.3.6. -Fixed a race condition in free lease queue allocator fix-multilib-conflict.patch fix_pid_keactrl.patch refreshed for 2.4. (From OE-Core rev: fcf269bd8fc607882960cebc2c6e2e557517647d) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7afab39fd1c3239df3bb2fa49b79a5efaaaf9db6) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-01-27T18:09:47+00:00 Robert Yang liezhi.yang@windriver.com 2023-12-11T14:49:50+00:00 urn:sha1:7faa0d9b751f87505caed7b705cea00a4220463c * Remove backported patch 0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch. * Add 0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch to fix build with musl (From OE-Core rev: fcd5623dbeb302b3f2e9043fd66cc000f81d206b) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit ff416e9fd6a1a65cf59ecd662613581b6190e05e) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-01-16T17:54:08+00:00 Ross Burton ross.burton@arm.com 2023-12-04T10:41:04+00:00 urn:sha1:68ad4cd71a40259c7b13619d33ca8e22c43c32b3 Avahi has moved to a new parent organisation on GitHub, so update the URLs to match. (From OE-Core rev: b541fbeb99df15a1548f93ddbd654fb629ebc2ce) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 02caef1567186f250e64ae3ef84fcff33d7323e4) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2024-01-04T14:09:44+00:00 Markus Volk f_l_k@t-online.de 2023-11-25T12:10:27+00:00 urn:sha1:f5a0b258768e4b9e91a4e4ac93b0480c878487e6 Bluez 5.69 added a regression. Bluetooth connection for playstation controllers stopped working. This adds a backport patch for the issue (From OE-Core rev: a4ba3de4248ee05119ae944a972f88517e4e087b) Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit be05a177f943e9c8ce6c0fdbd157ee6f9103eef9) Signed-off-by: Steve Sakoman <steve@sakoman.com>