| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
As already mentioned in upgrade commit, this CVE is fixed.
But cve_check still reports it as NVD DB was not updated.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add squashfs to images supported by verity.
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ab8651c139a05c476d7e8a6a987106b2f7e9a354)
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
[PATCH] Add support for the EROFS image, and it's compressed options,
to the dm-verity-img.bbclass setup, theoretically this is a simple addition
to the list of types however there is a quirk in how Poky handles the
filesystems in poky/meta/classes/image_types.bbclass.
Specifically the 'IMAGE_CMD' and 'IMAGE_FSTYPES' use a hyphen, e.g.
erofs-lz4, however in the image_type bbclass the task for that would be
"do_image_erofs_lz4", replacing the hyphen with an underscore.
As the dm-verity-img.bbclass adds a dependency to the wic image creation
on the do_image_* task then it fails as there is no
"do_image_erofs-lz4", so simply replace the hypen with an underscore.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 8ca6bb86e653a332f7cb5b30babc0cd6c58769d0)
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Maciej Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Changelog:
3.2.2
A buffer overflow in tss2-rc as CVE-2023-22745.
The drv layer in tss2-rc should have been the policy layer.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
3.2.1
Makefile.am: make all EXTRA_DIST includes unconditional to fix pristine tars
Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE.
Store VERSION into the release tarball.
fapi: fix usage of policy_nv with a TPM nv index.
Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
build: Remove erroneous trailing comma in linker option. Bug #2391.
esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
test: build with opaque FILE structure like in musl libc.
Usage of a second profile in a path was not possible because the default profile was always used.
FAPI: Fix provisioning if auth value for storage hierarchy was set.
FAPI: Fix recreation of EK.
FAPI: Fix usage of lockout auth value in Fapi_Provison.
FAPI: Fix loading of key in policy execution.
FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions.
tests: esys-pcr-auth-value.int moved to destructive tests.
FAPI: Fix double free if keystore is corrupted.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
fixes:
swtpm: Could not open TCP socket: Address already in use
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5642c519b90f83ab6ec1507db9b3b36db43c548)
[Fixup for kirkstone context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 3db9e08300c3d5e3f7b6e4e6cb743a914ed3f00b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Starting with [1] kernel modules symbols is being slipped in OE-core
and this breaks the kernel modules sign, so disable it.
[1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit c1c80cf0c0f26215fb252242f0d70f8870916734)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
--no-create-home --shell /sbin/nologin ${PN}"
The username added to the passwd file is ${PN}. When ${PN} is
multilibized, it no longer matches CLAMAV_UID. Make the two match.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
|
Nothing in getting installed in ${datadir}/lib, it is all going to
${prefix}/lib. setuptools pulls in ${libdir}/* so for the base lib
case of ${prefix}/lib the build works. If libdir is something else
lib64 for example, its still ending up in ${prefix}/lib and it fails
to build.
Set value to correct path as it is being installed.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
|
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
|
CVE-2018-16838 is patched in our version of sssd but it doesn't have
a vulnerable version range in the NVD database,
that's why it needs to be ignored.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
|
The following occurs when pkgs-docs added to image features.
Error: Transaction test error:
file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e05ce8fb3943755ef7c73c07e456e8ee8757f7bd)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 17d7ad92eaad54d2d977e5a08dffb369cf2e61a4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
local.conf
TEST_SUITES = "ssh ping tpm2"
IMAGE_INSTALL:append = " swtpm tpm2-pkcs11"
RESULTS:
RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
RESULTS - ssh.SSHTest.test_ssh: PASSED (2.19s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pcrread: PASSED (1.06s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pkcs11: PASSED (1.17s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_reset: PASSED (0.59s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_socket: PASSED (307.72s)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 8be830dd85846a1a7da18a1a4adb2aa87cba5c78)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 311b7daea1eac094b7221c8b487b5e94b0605fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Correctly fix symlink issue by putting module in -dev pkg.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 3045de13abe1ee6c39e06d1ce0d2b31478d2ff35)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Precalculate buffer size in base64 functions (CVE-2021-45417)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5a5edebbb8b4b4f2e9725ee141cf09d18f75d81b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
| checking for libaudit.h... no
| configure: error: You don't have libaudit properly installed. Install it if you need it.
| NOTE: The following config.log files may provide further information.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a8fba7a8ef99ce41a86ce4861c75ba5157f8389d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 20c13f6335165d693f7f3270c829b3069dbbad66)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Use convert-spdx-licenses.py to update LICENSE in recipes.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
It seems below change done manually and so LICENSE variable modified
from GPLv2 to GPL-2.0-or-later. But it should be GPL-2.0-only
Link: https://git.yoctoproject.org/meta-security/commit/?id=c56ae450c93a1383a1ce800a32a6ef2c3fbbae1c
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The build patches are now included in the upstream,
the local binary checkes can be disabled with --disable-ptool-checks,
the boostrap doesn't need to be called if the release .tar.gz is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Since Yocto now uses OpenSSL 3.0, the file packaging need to
be updated.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The version number is correctly assigned only when the release .tar.gz
is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This deletes the patches that were unused for a long time,
updates the tpm2-tss package and introduces a fix to the version
number problem that got introduced with the 3.2.0 version.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Also, the recipe is fixed to correctly package the openssl provider.
This new tpm2-openssl:
- Fixed segmentation fault when a signature algorithm is beging initialized
without a private key.
- Fixed RSA/EC key equality checks. Works with OpenSSL 3.0.1.
- Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add COMPATIBLE_HOST to match what is found in glibc
to avoid build error when using musl
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This fixes musl builds too.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This allows to track tip easier.
refresh patch
Fix LICENSE to match SPDX format
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Use python3-native to use 2to3
Fix build issue on some hosts with this error:
(result, consumed) = self._buffer_decode(data, self.errors, final)
| UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 152: invalid continuation byte
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Modify LICENSE for ding-libs and libmhash.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
WARNING: selinux-sandbox-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: selinux-gui-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: semodule-utils-3.3-r0.1 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: selinux-dbus-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
WARNING: libwhisker2-perl-2.5-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
WARNING: lib-perl-0.63-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
WARNING: libhtp-0.5.39-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \
...
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
meta-python dropped package via commit:
620689d4efba28bc8dd60e2d82908bfb3531fbd0
python3-backports-functional-lru-cache: remove, not needed for Python 3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
raise InvalidWheelFilename(f"{filename} is not a valid wheel filename.")
pip._internal.exceptions.InvalidWheelFilename: fail2ban-*-*.whl is not a valid wheel filename.
Removed build tracker: '/tmp/pip-req-tracker-qnepnk46'
ERROR: Failed to pip install wheel. Check the logs.
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
[Yocto #14724]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
On some systems, pod2man is not available so add native depends.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
lnr is a script in oe-core that creates relative symlinks, with the same
behaviour as `ln --relative --symlink`. It was added back in 2014[1] as
not all of the supported host distributions at the time shipped
coreutils 8.16, the first release with --relative.
However the oldest coreutils release in the supported distributions is
now 8.22 in CentOS 7, so lnr can be deprecated and users switched to ln.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
includes: CVE-2021-3623
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
fixes: CVE-2022-23645.
Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
Armin Kuster
Peter Marko
Maciej Borzęcki
Josh Harley
Jose Quaresma
Jeremy A. Puhlman
Davide Gardenal
Anton Antonov
Joe Slater
Ranjitsinh Rathod
Petr Gotthard
Robert Yang
Ashish Sharma