Do not pass CFLAGS/LDFLAGS to gcc while building, The needed flags has
been passed by xxx_CFLAGS=$(CFLAGS_FOR_BUILD).
(From OE-Core rev: e4b01d651cf94185cfb285a7b64292b26b74c6bb)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
testlk is built with host gcc at do_compile stage, which leads to unrecognized
some flags for special architecture. So unset CFLAGS for testlk to make sure
it passed.
(From OE-Core rev: 2461336b9432cf8379bda19d425ba00e542fbab7)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add some missing dependencies and fix the Makefile in order to get most
of the ptest tests working (specifically test_bn, test_verify, test_cms,
test_srp and test_heartbeat). test_verify still fails for unknown
reasons (perhaps some of the now expired certificates weren't meant to
have expired as far as the test is concerned?) but at least it has the
certificates to run now.
(From OE-Core rev: c679ec81c19dd2b5e366b713801785ce0ba5b49a)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes the following security issues:
* CVE-2014-0224
* CVE-2014-0221
* CVE-2014-0195
* CVE-2014-3470
The patch for CVE-2010-5298, CVE-2014-0198 and a fix for building the
documentation are integrated upstream in this release and so were
dropped. Additionally, a patch from upstream was added in order to
fix a failure during do_compile_ptest_base.
A similar upgrade was also submitted by Yao Xinpan <yaoxp@cn.fujitsu.com>
and Lei Maohui <leimaohui@cn.fujitsu.com>.
(From OE-Core rev: a3e80de6d423c272a287bf3538196b48ac5ddec1)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
for neard tools/snep-send object might cause a
parallel build failure,due to undetected
dependency on dbus.h header file.
Patch will be submitted upstream.
Fixes [YOCTO #6389].
(From OE-Core rev: ae55abd60ef217ad1a957102d80b06857ea8ebcd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These recipes all use pkg-config in some way but were missing
dependencies on the tool, this patch adds them.
(From OE-Core rev: 2543b14dd0ca13005be0df027543431fc8e882ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
socat manually maintains config.h.in instead of using autoheader, so exclude
autoheader from autoreconf and remove all patches that are intended to enable
use of autoheader.
The license checksum changed, because the company address changed.
Based on a upgrade by Hongxu Jia <hongxu.jia@windriver.com>, with cleanup after
noticing that config.h.in was hand-maintained.
(From OE-Core rev: ea3ec30c19af23f6b62ce3d4d9d42c1fcb23a215)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
make openssl-CVE-2010-5298.patch truely work
(From OE-Core rev: eab33442480cc27a5cd00b3f46984fea74b7c0f9)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Fixes to OBEX, AVRCP browsing, HID over GATT
and handling of device unpaired events for dual-mode devices.
- New features: user space based HID host implementation (for BR/EDR).
(From OE-Core rev: 5dce15e6623748ce3c1456f12d5cde6edc1be939)
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
(From OE-Core rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In bluez5, agent interface has been renamed from org.bluez.Agent
to org.bluez.Agent1. Reflect this change in bluetooth.conf to
allow sending of dbus messages to agent interface.
*Resolves no PIN prompt bug while pairing
*Resolves bluetooth keyboard connection problem
(From OE-Core rev: c53c9ba05a5f38c047f3f928a9496f952843f467)
Signed-off-by: Yasir-Khan <yasir_khan@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and
earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking
by presenting an unacceptable HostCertificate.
(From OE-Core rev: 7b2fff61b3d1c0566429793ee348fa8978ef0cba)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.
(From OE-Core rev: a8d3b8979c27a8dc87971b66a1d9d9282f660596)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The /var/log/messages reports /var/log/lastlog as missing, since openssh
needs this file, create it as a volatile.
[YOCTO #6172]
(From OE-Core rev: a29af8c20187a65fbdbbedd0b7158c07d3e713cf)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch is not included in 1.0.1g, but it is included on 1.0.2
branch.
(From OE-Core rev: f99ca886da274fafa212e354f9e4871eb7e59e87)
Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
https://access.redhat.com/security/cve/CVE-2014-0198
(From OE-Core rev: 580033721abbbb4302bc803ebc70c90e331e4587)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gnutls doesn't depend on libgcrypt anymore but
wpa-supplicant does. So add it as a dependencie.
(From OE-Core rev: b5e0e0589dba0e3eb6fa070594c904fec6e6c3a8)
Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install openssl test suite and run it as ptest.
(From OE-Core rev: c48981d2d24a20978a17866fa478dde21bd96b91)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch adds support for read-only rootfs to the bind service.
Basically it just bind mounts several directories so that the bind
service could start correctly without reporting any error.
(From OE-Core rev: 99cc96eaee28bfde89096689b1296d28937ead88)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.
(From OE-Core rev: d83b16dbf0862be387f84228710cb165c6d2b03b)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install openssh test-suite and run it as ptest.
(From OE-Core rev: 4d0ecccae671bffb40c870a6e33d20be869b89bc)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add systemd support for ppp.
The unit file mostly comes from ArchLinux.
(From OE-Core rev: e84f7ea24b08e3127b70731908b819fbdc1cbfd5)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Resolves warnings of this kind in the OpenPLi layer:
WARNING: Use of PRINC * was detected in the recipe *
(From OE-Core rev: 5ffb38d6ace7faae839c8cac7327b5b1c2daae1a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If you do a readelf -x .rodata /path/.../to/openssh/6.5p1-r0/packages-split/openssh-sshd/usr/sbin/sshd
You'll see two references to OE's sysroots/${BUILD_SYS} login and passwd binaries.
First one can be overridden with LOGIN_PROGRAM environment variable (see configure.ac),
second needs a cached variable definition.
(From OE-Core rev: 2127c80d0cc2a3a4d676bd3c0890454a175fba8e)
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The readonly sshd config sshd_config_readonly needs to be created from
the installed sshd_config as make install will adjust the paths in
the config file. This fixes the path for sftp-server being correct
in sshd_config but incorrect in sshd_config_readonly.
(From OE-Core rev: 400b4bce34ffb76e500e2195104cc200218aa4c3)
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The trigger for the upgrade was the serious "heartbleed" vulnerability
(CVE-2014-0160). More information:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
Dropped obsolete patches, because the new version contains them:
0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch
0001-Fix-DTLS-retransmission-from-previous-session.patch
0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch
Modified 2 patches (small changes), in order to apply properly:
initial-aarch64-bits.patch
openssl-fix-doc.patch
Addresses CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
(From OE-Core rev: ff52836e1838590eeec7d7658e15b21d83cf8455)
Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a formatting fix, '=back' is required before
'=head1' on Ubuntu 12.04.
(From OE-Core rev: 362d20e04e64a7437d7f61761057c721066e805f)
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We do not DEPEND on libbsd, so we do not want to
build with it just because libutil.h is found by configure.
As noted in the patch, specifying --disable-libutil to
configure does not work, so we provide "cached" configure
variables.
(From OE-Core rev: 103ef2295c728e427acc27bb071e786946c459f2)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add --with-libnl autoconfig parameter and dependency
between libpcap and libnl1.
Disable libnl1 by default to avoid libpcap build error
when libnl1 is involved.
(From OE-Core rev: 52f16a5a56868137e17cf52fa7b664047ec7bcaf)
Signed-off-by: Hu Yadi <Yadi.hu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ocf-linux only provides header file and no kernel module is built. We
can't use ocf-linux without its implementation. And linux-yocto uses an
alternative project cryptodev-linux, so we remove ocf-linux and use
cryptodev-linux instead.
(From OE-Core rev: 45f1659f49edbceed0b75c0319880151161fdc8e)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ocf-linux only provides header files but no implementation in kernel.
And Yocto kernel linux-yocto use cryptodev-linux to implement
/dev/crypto interface. So replace dependency ocf-linux with
cryptodev-linux for openssl.
(From OE-Core rev: b36b15cddbe52e6770b96e06af2959cea0e2436f)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yocto kernel linux-yocto uses cryptodev-linux to use device /dev/crypto.
So add cryptodev-linux which is one alternative of ocf-linux and then
remove ocf-linux later.
(From OE-Core rev: 6b6c24eccdb0030ecccadefe94c1c5b4387e46d1)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
(From OE-Core rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
(From OE-Core rev: 94352e694cd828aa84abd846149712535f48ab0f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
(From OE-Core rev: 35ccce7002188c8270d2fead35f9763b22776877)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The nslookup had been disabled from 2010 (or earlier), but it still in
FILES_${PN}-utils, we need remove it.
(From OE-Core rev: 3bf1f39d918a428246df774c8d306bcfe40ddbdd)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix the typo:
PACKAGES_preprend -> PACKAGES_prepend
(From OE-Core rev: 1cb1e5487be04da3af649026e9b66642f3d3ce30)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Highlights:
- If VPN is split routed and not the default service, then allow
DNS queries also to be sent to VPN DNS server.
- Session API fixes
- Memory leak fixes
- Crash fixes
- NTP kiss-of-death packet support
- Support for full USB gadget networking. Now USB gadget network can
be used without tethering.
(From OE-Core rev: 61842ca57520b184be5111b7fedf72a5d58d6bbc)
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chong Lu
Paul Eggleton
Richard Purdie
Saul Wold
Ross Burton
Roy Li
Cristian Iorga
Yue Tao
Yasir-Khan
Chen Qi
Cristiana Voicu
Maxin B. John
Valentin Popa
Otavio Salvador
Denys Dmytriyenko
Mike Looijmans
Matthieu Crapet
Jonathan Liu
Baogen Shang
Joe Slater
Hu Yadi
Kai Kang
Robert Yang