diff options
Diffstat (limited to 'meta/recipes-connectivity')
15 files changed, 295 insertions, 8 deletions
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch index 94116ad1f3..29c192d296 100644 --- a/meta/recipes-connectivity/avahi/files/local-ping.patch +++ b/meta/recipes-connectivity/avahi/files/local-ping.patch @@ -1,4 +1,5 @@ CVE: CVE-2021-36217 +CVE: CVE-2021-3502 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> diff --git a/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch new file mode 100644 index 0000000000..f63c333264 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch @@ -0,0 +1,76 @@ +From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> +Date: Fri, 24 Sep 2021 09:35:11 +0200 +Subject: [PATCH] Disable lame-ttl cache + +The lame-ttl cache is implemented in ADB as per-server locked +linked-list "indexed" with <qname,qtype>. This list has to be walked +every time there's a new query or new record added into the lame cache. +Determined attacker can use this to degrade performance of the resolver. + +Resolver testing has shown that disabling the lame cache has little +impact on the resolver performance and it's a minimal viable defense +against this kind of attack. + +CVE: CVE-2021-25219 + +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + bin/named/config.c | 2 +- + bin/named/server.c | 7 +++++-- + doc/arm/reference.rst | 6 +++--- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/bin/named/config.c b/bin/named/config.c +index fa8473db7c..b6453b814e 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -151,7 +151,7 @@ options {\n\ + fetches-per-server 0;\n\ + fetches-per-zone 0;\n\ + glue-cache yes;\n\ +- lame-ttl 600;\n" ++ lame-ttl 0;\n" + #ifdef HAVE_LMDB + " lmdb-mapsize 32M;\n" + #endif /* ifdef HAVE_LMDB */ +diff --git a/bin/named/server.c b/bin/named/server.c +index 638703e8c2..35ad6a0b7f 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, + result = named_config_get(maps, "lame-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + lame_ttl = cfg_obj_asduration(obj); +- if (lame_ttl > 1800) { +- lame_ttl = 1800; ++ if (lame_ttl > 0) { ++ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, ++ "disabling lame cache despite lame-ttl > 0 as it " ++ "may cause performance issues"); ++ lame_ttl = 0; + } + dns_resolver_setlamettl(view->resolver, lame_ttl); + +diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst +index 3bc4439745..fea854f3d1 100644 +--- a/doc/arm/reference.rst ++++ b/doc/arm/reference.rst +@@ -3358,9 +3358,9 @@ Tuning + ^^^^^^ + + ``lame-ttl`` +- This sets the number of seconds to cache a lame server indication. 0 +- disables caching. (This is **NOT** recommended.) The default is +- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes). ++ This is always set to 0. More information is available in the ++ `security advisory for CVE-2021-25219 ++ <https://kb.isc.org/docs/cve-2021-25219>`_. + + ``servfail-ttl`` + This sets the number of seconds to cache a SERVFAIL response due to DNSSEC +-- +2.17.1 + diff --git a/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch new file mode 100644 index 0000000000..1217f7f186 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch @@ -0,0 +1,65 @@ +From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> +Date: Mon, 15 Nov 2021 16:26:52 +0800 +Subject: [PATCH] Enable lame response detection even with disabled lame cache + +Previously, when lame cache would be disabled by setting lame-ttl to 0, +it would also disable lame answer detection. In this commit, we enable +the lame response detection even when the lame cache is disabled. This +enables stopping answer processing early rather than going through the +whole answer processing flow. + +CVE: CVE-2021-25219 + +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/dns/resolver.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 50fadc0..9291bd4 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) { + */ + static isc_result_t + rctx_lameserver(respctx_t *rctx) { +- isc_result_t result; ++ isc_result_t result = ISC_R_SUCCESS; + fetchctx_t *fctx = rctx->fctx; + resquery_t *query = rctx->query; + +- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) || +- !is_lame(fctx, query->rmessage)) +- { ++ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) { + return (ISC_R_SUCCESS); + } + + inc_stats(fctx->res, dns_resstatscounter_lame); + log_lame(fctx, query->addrinfo); +- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name, +- fctx->type, rctx->now + fctx->res->lame_ttl); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, +- "could not mark server as lame: %s", +- isc_result_totext(result)); ++ if (fctx->res->lame_ttl != 0) { ++ result = dns_adb_marklame(fctx->adb, query->addrinfo, ++ &fctx->name, fctx->type, ++ rctx->now + fctx->res->lame_ttl); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, ++ "could not mark server as lame: %s", ++ isc_result_totext(result)); ++ } + } + rctx->broken_server = DNS_R_LAME; + rctx->next_server = true; +-- +2.17.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.16.16.bb b/meta/recipes-connectivity/bind/bind_9.16.16.bb index b152598402..4bfdeca9ce 100644 --- a/meta/recipes-connectivity/bind/bind_9.16.16.bb +++ b/meta/recipes-connectivity/bind/bind_9.16.16.bb @@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2021-25219-1.patch \ + file://CVE-2021-25219-2.patch \ " SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b" diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb index af986c4eab..e4eeb3c726 100644 --- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb +++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb @@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native" # 0.7 tag SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143" -SRC_URI = "git://github.com/connectivity/connman-gnome.git \ +SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \ file://0001-Removed-icon-from-connman-gnome-about-applet.patch \ file://null_check_for_ipv4_config.patch \ file://images/ \ diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch new file mode 100644 index 0000000000..f05c696929 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch @@ -0,0 +1,67 @@ +From 98ccabf68e5b3f0a177bd1925581753d10041448 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <simon@josefsson.org> +Date: Wed, 1 Sep 2021 09:09:50 +0200 +Subject: [PATCH] ftp: check that PASV/LSPV addresses match. + +* NEWS: Mention change. +* ftp/ftp.c (initconn): Validate returned addresses. + +CVE: CVE-2021-40491 + +Upstream-Status: Backport +[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + ftp/ftp.c | 21 +++++++++++++++++++++ + 1 files changed, 21 insertions(+) + +diff --git a/ftp/ftp.c b/ftp/ftp.c +index d21dbdd..7513539 100644 +--- a/ftp/ftp.c ++++ b/ftp/ftp.c +@@ -1365,6 +1365,13 @@ initconn (void) + uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr; + pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]); + } ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv4 */ + else /* IPv6 */ + { +@@ -1395,6 +1402,13 @@ initconn (void) + pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]); + pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]); + } ++ if (data_addr_sa6->sin6_addr.s6_addr ++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv6 */ + } + else /* !EPSV && !LPSV */ +@@ -1415,6 +1429,13 @@ initconn (void) + | ((a2 & 0xff) << 8) | (a3 & 0xff) ); + data_addr_sa4->sin_port = + htons (((p0 & 0xff) << 8) | (p1 & 0xff)); ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* PASV */ + else + { +-- +2.17.1 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.0.bb b/meta/recipes-connectivity/inetutils/inetutils_2.0.bb index a4d05b0542..d299bc359e 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.0.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.0.bb @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://inetutils-1.9-PATH_PROCNET_DEV.patch \ file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ + file://CVE-2021-40491.patch \ " SRC_URI[md5sum] = "5e1018502cd131ed8e42339f6b5c98aa" diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb index 9a83898e52..5213b28345 100644 --- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb +++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1" DEPENDS = "avahi" -SRC_URI = "git://github.com/lathiat/nss-mdns \ +SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \ " SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae" diff --git a/meta/recipes-connectivity/libuv/libuv_1.41.0.bb b/meta/recipes-connectivity/libuv/libuv_1.41.0.bb index 4987331dc8..e15d338941 100644 --- a/meta/recipes-connectivity/libuv/libuv_1.41.0.bb +++ b/meta/recipes-connectivity/libuv/libuv_1.41.0.bb @@ -6,7 +6,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47" SRCREV = "1dff88e5161cba5c59276d2070d2e304e4dcb242" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x" +SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https" S = "${WORKDIR}/git" diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index f170cf4650..781b9216c5 100644 --- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -4,11 +4,12 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a" -PV = "20201225" + +SRCREV = "4cbb44a9fe26aa6f0b28beb79f9488b37c097b5e" +PV = "20220315" PE = "1" -SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https" +SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" S = "${WORKDIR}/git" inherit autotools diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..9ca7c2f202 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch @@ -0,0 +1,49 @@ +From 1f0707e8e78ef290fd0f229df3fcd2236f29db89 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 28 Oct 2021 11:11:05 +0800 +Subject: [PATCH] upstream: need initgroups() before setresgid(); reported by + anton@, + +ok deraadt@ + +OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce + +CVE: CVE-2021-41617 +Upstream-Status: [Backport] +https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455 +https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + misc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/misc.c b/misc.c +index d988ce3..33eca1c 100644 +--- a/misc.c ++++ b/misc.c +@@ -56,6 +56,7 @@ + #ifdef HAVE_PATHS_H + # include <paths.h> + #include <pwd.h> ++#include <grp.h> + #endif + #ifdef SSH_TUN_OPENBSD + #include <net/if.h> +@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command, + } + closefrom(STDERR_FILENO + 1); + ++ if (geteuid() == 0 && ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { ++ error("%s: initgroups(%s, %u): %s", tag, ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); ++ _exit(1); ++ } ++ + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, + strerror(errno)); +-- +2.17.1 + diff --git a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb index c6de519884..9a5f37bc39 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb @@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://CVE-2021-41617.patch \ " SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25" diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch new file mode 100644 index 0000000000..8accbc9df2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch @@ -0,0 +1,22 @@ +Using localtime() means the output can depend on the timezone of the build machine. +Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +Upstream-Status: Pending [should be suitable] + +Index: openssl-3.0.1/apps/progs.pl +=================================================================== +--- openssl-3.0.1.orig/apps/progs.pl ++++ openssl-3.0.1/apps/progs.pl +@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or + my %commands = (); + my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; + my $apps_openssl = shift @ARGV; +-my $YEAR = [localtime()]->[5] + 1900; ++my $YEAR = [gmtime()]->[5] + 1900; ++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { ++ $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900; ++} + + # because the program apps/openssl has object files as sources, and + # they then have the corresponding C files as source, we need to chain diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb index 9ea5c4c81f..df13abf54e 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb @@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://reproducible.patch \ + file://reproducibility.patch \ " SRC_URI_append_class-nativesdk = " \ @@ -28,7 +29,7 @@ SRC_URI_append_riscv32 = " \ file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ " -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" +SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -203,6 +204,7 @@ do_install_ptest () { install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines # seems to be needed with perl 5.32.1 diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb index 5a13af91bc..0a1b65a8ca 100644 --- a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb +++ b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb @@ -9,7 +9,7 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86" -SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ +SRC_URI = "http://www.dest-unreach.org/socat/download/Archive/socat-${PV}.tar.bz2 \ " SRC_URI[md5sum] = "36cad050ecf4981ab044c3fbd75c643f" |