[meta-security][PATCH 2/2] libtpm: update to 0.9.2

Armin Kuster
 

includes: CVE-2021-3623

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-tpm/libtpm/{libtpm_0.8.7.bb => libtpm_0.9.3.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.8.7.bb => libtpm_0.9.3.bb} (84%)

diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.3.bb
similarity index 84%
rename from meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
rename to meta-tpm/recipes-tpm/libtpm/libtpm_0.9.3.bb
index 8fe62cf..c03c44c 100644
--- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
+++ b/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.3.bb
@@ -2,8 +2,8 @@ SUMMARY = "LIBPM - Software TPM Library"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"

-SRCREV = "f6dd8f55eab4910131ec6a6a570dcd7951bd10e4"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8;protocol=https"
+SRCREV = "3f8fbc831b7bc3a6cc8422c432f577596b4cf3df"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"

PE = "1"

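Review bot: the version is inconsistent. The subject says "update to 0.9.2" but the recipe is renamed to libtpm_0.9.3.bb, so PV becomes 0.9.3 and that is the version CVE checking will match against. Please state in the commit message which upstream release SRCREV 3f8fbc831b7bc3a6cc8422c432f577596b4cf3df on stable-0.9 corresponds to and make the subject and filename agree. While here, the SUMMARY shown in the hunk header reads "LIBPM" for a recipe named libtpm.
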
--
2.25.1


[meta-security][PATCH 1/2] swtpm: update to 0.7.1

Armin Kuster
 

fixes: CVE-2022-23645.
Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs

Signed-off-by: Armin Kuster <akuster808@...>
---
.../swtpm/files/oe_configure.patch | 65 -------------------
.../swtpm/{swtpm_0.6.1.bb => swtpm_0.7.1.bb} | 5 +-
2 files changed, 2 insertions(+), 68 deletions(-)
delete mode 100644 meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
rename meta-tpm/recipes-tpm/swtpm/{swtpm_0.6.1.bb => swtpm_0.7.1.bb} (94%)

diff --git a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch b/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
deleted file mode 100644
index 5aee933..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Don't check for tscd deamon on host.
-
-Upstream-Status: OE Specific
-
-Signed-off-by: Armin Kuster <akuster808@...>
-
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -179,15 +179,6 @@ AC_SUBST([LIBTPMS_LIBS])
- AC_CHECK_LIB(c, clock_gettime, LIBRT_LIBS="", LIBRT_LIBS="-lrt")
- AC_SUBST([LIBRT_LIBS])
-
--AC_PATH_PROG([TCSD], tcsd)
--if test "x$TCSD" = "x"; then
-- have_tcsd=no
-- AC_MSG_WARN([tcsd could not be found; typically need it for tss user account and tests])
--else
-- have_tcsd=yes
--fi
--AM_CONDITIONAL([HAVE_TCSD], test "$have_tcsd" != "no")
--
- dnl We either need netstat (more common across systems) or 'ss' for test cases
- AC_PATH_PROG([NETSTAT], [netstat])
- if test "x$NETSTAT" = "x"; then
-@@ -440,23 +431,6 @@ AC_ARG_WITH([tss-group],
- [TSS_GROUP="tss"]
- )
-
--case $have_tcsd in
--yes)
-- AC_MSG_CHECKING([whether TSS_USER $TSS_USER is available])
-- if ! test $(id -u $TSS_USER); then
-- AC_MSG_ERROR(["$TSS_USER is not available"])
-- else
-- AC_MSG_RESULT([yes])
-- fi
-- AC_MSG_CHECKING([whether TSS_GROUP $TSS_GROUP is available])
-- if ! test $(id -g $TSS_GROUP); then
-- AC_MSG_ERROR(["$TSS_GROUP is not available"])
-- else
-- AC_MSG_RESULT([yes])
-- fi
-- ;;
--esac
--
- AC_SUBST([TSS_USER])
- AC_SUBST([TSS_GROUP])
-
-Index: git/tests/Makefile.am
-===================================================================
---- git.orig/tests/Makefile.am
-+++ git/tests/Makefile.am
-@@ -83,10 +83,6 @@ TESTS += \
- test_tpm2_swtpm_cert \
- test_tpm2_swtpm_cert_ecc \
- test_tpm2_swtpm_setup_create_cert
--if HAVE_TCSD
--TESTS += \
-- test_tpm2_samples_create_tpmca
--endif
- endif
-
- EXTRA_DIST=$(TESTS) \
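Review bot: the commit message does not say why oe_configure.patch can be dropped. The deleted patch removed the AC_PATH_PROG([TCSD], tcsd) probe and the "id -u $TSS_USER" / "id -g $TSS_GROUP" checks, all of which inspect the build host rather than the target. Please note in the message whether 0.7.1's configure.ac no longer contains them or the patch was dropped for another reason, so a later reader can tell that host-dependent checks have not returned to the configure step.
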
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
similarity index 94%
rename from meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
rename to meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
index 63734b9..85e4c5d 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
@@ -6,10 +6,9 @@ SECTION = "apps"
# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"

-SRCREV = "98187d24fe14851653a7c46eb16e9c5f0b9beaa1"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.6;protocol=https \
+SRCREV = "92a7035f45d9b08aa7c6b8bd6fa4c6916ef07a9e"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.7-next;protocol=https \
file://ioctl_h.patch \
- file://oe_configure.patch \
"
PE = "1"

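Review bot: SRC_URI now follows branch=stable-0.7-next. A "-next" name suggests a staging branch, and if it is ever rebased or removed the pinned SRCREV 92a7035f45d9b08aa7c6b8bd6fa4c6916ef07a9e will no longer be found on the named branch and the fetch will fail. If that revision is also reachable from stable-0.7, point the recipe there; otherwise say in the commit message why the -next branch is needed for the CVE-2022-23645 fix.
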
--
2.25.1


Re: suricata: enable lua support

Gary Huband
 

Adding DEPENDS += "lua"  fixed that error.  I'm assuming that allows the configure to find lua.

Now I'm getting a compile error

| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetTxid':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:80: undefined reference to `rs_dns_lua_get_tx_id'
| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetAnswerTable':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:125: undefined reference to `rs_dns_lua_get_answer_table'
| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetAuthorityTable':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:133: undefined reference to `rs_dns_lua_get_authority_table'
| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetQueryTable':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:117: undefined reference to `rs_dns_lua_get_query_table'
| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetDnsRrname':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:69: undefined reference to `rs_dns_lua_get_rrname'
| /tmp/work/cortexa7t2hf-neon-poky-linux-gnueabi/suricata/6.0.3-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi/../../libexec/arm-poky-linux-gnueabi/gcc/arm-poky-linux-gnueabi/9.2.0/ld: util-lua-dns.o: in function `DnsGetRcode':
| /usr/src/debug/suricata/6.0.3-r0/suricata-6.0.3/src/util-lua-dns.c:92: undefined reference to `rs_dns_lua_get_rcode'
| collect2: error: ld returned 1 exit status
| Makefile:2118: recipe for target 'suricata' failed
| make[2]: *** [suricata] Error 1


[meta-security][PATCH] openscap-daemon: fix wheels and License issues.

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../openscap-daemon/openscap-daemon_0.1.10.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index 549a888..cf6d531 100644
--- a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -4,7 +4,7 @@
SUMARRY = "The OpenSCAP Daemon is a service that runs in the background."
HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/"
LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"

DEPENDS = "python3-dbus"

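Review bot: the first context line of this hunk sets SUMARRY, not SUMMARY, so the text on that line never reaches the recipe's summary. Since this commit is already tidying metadata with LICENSE = "LGPL-2.1-only", fix the variable name in the same change. HOME_URL on the following line looks like it was meant to be HOMEPAGE.
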
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git;branch=master;protocol=
file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
"

-inherit setuptools3
+inherit setuptools_build_meta

S = "${WORKDIR}/git"

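Review bot: the switch from setuptools3 to setuptools_build_meta is unexplained; the subject only says "fix wheels" and the message has no body. Please say what failed under setuptools3 and confirm the upstream tree carries a pyproject.toml that declares the setuptools.build_meta backend, which is what this class expects. If upstream only ships setup.py, setuptools3 is the class to keep.
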
--
2.25.1


Re: suricata: enable lua support

Khem Raj
 

Perhaps you need to add lua to DEPENDS as well.

On Fri, Mar 4, 2022 at 11:18 AM Gary Huband via lists.yoctoproject.org
<gary=missionsecure.com@...> wrote:

How can I enable lua support for suricata? According to
https://suricata.readthedocs.io/en/suricata-6.0.0/install.html
I can add --enable-lua, so I created a suricata_%.bbappend file with

# Add lua
DEPENDS += "lua-native"
RDEPENDS_${PN} += "lua"
EXTRA_OECONF += "--enable-lua"

But when I bitbake suricata I get this error

| checking for magic.h... yes
| checking for magic_open in -lmagic... yes
| checking for LUA... no
| checking for LUA... no
| checking for LUA... no
| checking for LUA... no
| checking lualib.h usability... no
| checking lualib.h presence... no
| checking for lualib.h... no
|
| ERROR! liblua headers not found, go get them
| from http://lua.org/index.html or your distribution:
|
| Ubuntu: apt-get install liblua5.1-dev
| Fedora: dnf install lua-devel
| CentOS/RHEL: yum install lua-devel
|
| If you installed software in a non-standard prefix
| consider adjusting the PKG_CONFIG_PATH environment variable
| or use --with-liblua-includes and --with-liblua-libraries
| configure option.

lua and lua-native appear to build.




suricata: enable lua support

Gary Huband
 

How can I enable lua support for suricata?  According to
https://suricata.readthedocs.io/en/suricata-6.0.0/install.html
I can add --enable-lua, so I created a suricata_%.bbappend file with

# Add lua
DEPENDS += "lua-native"
RDEPENDS_${PN} += "lua"
EXTRA_OECONF += "--enable-lua"

But when I bitbake suricata I get this error

| checking for magic.h... yes
| checking for magic_open in -lmagic... yes
| checking for LUA... no
| checking for LUA... no
| checking for LUA... no
| checking for LUA... no
| checking lualib.h usability... no
| checking lualib.h presence... no
| checking for lualib.h... no
|
|    ERROR!  liblua headers not found, go get them
|    from http://lua.org/index.html or your distribution:
|
|    Ubuntu: apt-get install liblua5.1-dev
|    Fedora: dnf install lua-devel
|    CentOS/RHEL: yum install lua-devel
|
|    If you installed software in a non-standard prefix
|    consider adjusting the PKG_CONFIG_PATH environment variable
|    or use --with-liblua-includes and --with-liblua-libraries
|    configure option.

lua and lua-native appear to build.


Re: Honister on Ubuntu 14.04

Joshua Watt
 

On 3/3/22 12:06, Daniel Ammann wrote:
> Hi,
>
> I'm trying to build honister on Ubuntu 14.04. This is meant as a temporary
> solution until the build server can be upgraded to something recent.
> For now, I got it running with extended buildtools from poky, but the build of
> libnsl2-native fails. It appears that the pkgconfig step is not executed
> properly since do_compile fails with a header not found error.
>
> Has anybody done a successful build of honister on Ubuntu 14.04? Is it even
> possible?

You might be better off trying to use a container to build, but with a host that old, even that might be hard. There are several container solutions for the project, including:

* crops - https://github.com/crops/poky-container

* pyrex - https://github.com/garmin/pyrex

* kas - https://github.com/siemens/kas

> Kind regards
>
> Daniel



Changing keyboard layout in core-image-clutter / qemuarm64

Edgar Mobile
 

Greetings,

I successfully built and ran core-image-clutter under qemuarm64. However, the default keyboard layout is qwerty although I need German qwertz.
I already tried loadkeys de to no avail. I suspect the reason might be that core-image-clutter uses x11 but I don't know how I should configure this for Yocto.

Can someone give me a hint? Having this baked into the recipes would probably be most helpful.

Regards


Re: How to build flashable yocto image for amd ryzen 5 #bitbake

Khem Raj
 

On Fri, Mar 4, 2022 at 12:07 AM <prashantsingh@...> wrote:

> Hi Team,
> I need to build a Yocto image for my AMD Ryzen 5 x86 machine.
> I need help to build one hard disk flashable image.
>
> Please assist me regarding this.

Please start by reading this
https://git.yoctoproject.org/meta-amd/tree/README.md

> Thanks & Regards.


How to build flashable yocto image for amd ryzen 5 #bitbake

@prashant2314
 

Hi Team,
I need to build a Yocto image for my AMD Ryzen 5 x86 machine.
I need help to build one hard disk flashable image.

Please assist me regarding this.

Thanks & Regards.


[meta-security][PATCH 2/2] python3-privacyidea: update to 3.6.2

Armin Kuster
 

Fix license.

Signed-off-by: Armin Kuster <akuster808@...>
---
...hon3-privacyidea_3.5.2.bb => python3-privacyidea_3.6.2.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename recipes-security/mfa/{python3-privacyidea_3.5.2.bb => python3-privacyidea_3.6.2.bb} (95%)

diff --git a/recipes-security/mfa/python3-privacyidea_3.5.2.bb b/recipes-security/mfa/python3-privacyidea_3.6.2.bb
similarity index 95%
rename from recipes-security/mfa/python3-privacyidea_3.5.2.bb
rename to recipes-security/mfa/python3-privacyidea_3.6.2.bb
index 043cbfd..ecfeca6 100644
--- a/recipes-security/mfa/python3-privacyidea_3.5.2.bb
+++ b/recipes-security/mfa/python3-privacyidea_3.6.2.bb
@@ -2,11 +2,11 @@ SUMMARY = "identity, multifactor authentication (OTP), authorization, audit"
DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications."

HOMEPAGE = "http://www.privacyidea.org/"
-LICENSE = "AGPL-3.0"
+LICENSE = "AGPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"

PYPI_PACKAGE = "privacyIDEA"
-SRC_URI[sha256sum] = "26aeb0d353af1f212c4df476202516953c20f7f31566cfe0b67cbb553de04763"
+SRC_URI[sha256sum] = "4441282d086331dac0aee336286de8262d9ac8eb11e14b7f9aa69f865caebe17"

inherit pypi setuptools3

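Review bot: the commit message says only "Fix license." while this hunk also moves the recipe to 3.6.2 with a new SRC_URI[sha256sum]. Describe the upgrade in the body, or split the LICENSE = "AGPL-3.0-only" change into its own commit so it can be backported without the version bump. LIC_FILES_CHKSUM is unchanged, which is fine if the LICENSE file is identical in 3.6.2, but worth stating. HOMEPAGE in the context lines still uses http://.
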
--
2.25.1


[meta-security][PATCH 1/2] python3-privacyidea: fix QA ERROR

Armin Kuster
 

ERROR: python3-privacyidea-3.5.2-r0 do_package: QA Issue: python3-privacyidea: Files/directories were installed but not shipped in any package:
/usr/etc
/usr/etc/privacyidea
/usr/etc/privacyidea/dictionary
/usr/etc/privacyidea/privacyideaapp.wsgi

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-security/mfa/python3-privacyidea_3.5.2.bb | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/recipes-security/mfa/python3-privacyidea_3.5.2.bb b/recipes-security/mfa/python3-privacyidea_3.5.2.bb
index a4ab59d..043cbfd 100644
--- a/recipes-security/mfa/python3-privacyidea_3.5.2.bb
+++ b/recipes-security/mfa/python3-privacyidea_3.5.2.bb
@@ -11,8 +11,6 @@ SRC_URI[sha256sum] = "26aeb0d353af1f212c4df476202516953c20f7f31566cfe0b67cbb553d
inherit pypi setuptools3

do_install:append () {
- #install ${D}/var/log/privacyidea
-
rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
}

@@ -21,7 +19,7 @@ GROUPADD_PARAM:${PN} = "--system privacyidea"
USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
--shell /bin/false privacyidea"

-FILES:${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"
+FILES:${PN} += " ${prefix}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"

RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils"

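Review bot: FILES:${PN} now packages ${prefix}/etc/privacyidea/*, which clears the QA error but leaves the dictionary and privacyideaapp.wsgi under /usr/etc instead of ${sysconfdir}. If the service looks for its configuration in /etc/privacyidea at run time, move the tree in do_install:append rather than shipping it where the installer dropped it. Separately, the USERADD_PARAM context lines pass -o without -u, and both --system and -r; -o is only valid together with an explicit UID and the other two are the same option.
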
--
2.25.1


[ANNOUNCEMENT] Yocto Project 3.3.5 (hardknott-25.0.5) is Released

Lee Chee Yang
 

Hello,

 

We are pleased to announce the Yocto Project 3.3.5 (hardknott-25.0.5) Release is now available for download.

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/poky-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/poky-hardknott-25.0.5.tar.bz2

 

A gpg signed version of these release notes is available at:

 

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/RELEASENOTES

 

Full Test Report:

 

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/testreport.txt

 

Thank you for everyone's contributions to this release.

 

 

Chee Yang Lee chee.yang.lee@...

Yocto Project Build and Release

 

 

--------------------------

yocto-3.3.5 Release Notes

--------------------------

 

 

--------------------------

Repositories/Downloads

--------------------------

 

Repository Name: poky

Repository Location: https://git.yoctoproject.org/git/poky

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: 8d3e054f6d432b5ca0fcd613e0c767fab3c85f24

Release Artefact: poky-hardknott-25.0.5

sha: f8c0248ea25e7b90a0cf68450835403ca41f386672b9ec2d6f019750b1a185a6

Download Locations:

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/poky-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/poky-hardknott-25.0.5.tar.bz2

 

Repository Name: openembedded-core

Repository Location: https://git.openembedded.org/openembedded-core

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: 29cd1d796057ef5599fe17c39b42aa099f7b1c29

Release Artefact: oecore-hardknott-25.0.5

sha: f892b4e412ebd780e814abcdf676600ed13de167970f8711ea226066fd4624e6

Download Locations:

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/oecore-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/oecore-hardknott-25.0.5.tar.bz2

 

Repository Name: meta-mingw

Repository Location: https://git.yoctoproject.org/git/meta-mingw

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: 422b96cb2b6116442be1f40dfb5bd77447d1219e

Release Artefact: meta-mingw-hardknott-25.0.5

sha: 8bdf3d62c0974af8bab66a6cbbf70ef5e431c0d4e9eef3acb8da8fef116ca70c

Download Locations:

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/meta-mingw-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/meta-mingw-hardknott-25.0.5.tar.bz2

 

Repository Name: meta-gplv2

Repository Location: https://git.yoctoproject.org/git/meta-gplv2

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: 9e119f333cc8f53bd3cf64326f826dbc6ce3db0f

Release Artefact: meta-gplv2-hardknott-25.0.5

sha: ee8c5f3ec99177d9a0b8c041f92fc512b4a25bde99750772b119739a4750ccc1

Download Locations:

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/meta-gplv2-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/meta-gplv2-hardknott-25.0.5.tar.bz2

 

Repository Name: bitbake

Repository Location: https://git.openembedded.org/bitbake

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: aaa7f7af23d5f89fe4a5ed48c57ea3dfca07c79d

Release Artefact: bitbake-hardknott-25.0.5

sha: f96a82a79a80cc3581c16ce9dad59f83370801427f9e1b798df02d07c6ac8bb3

Download Locations:

http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.5/bitbake-hardknott-25.0.5.tar.bz2

http://mirrors.kernel.org/yocto/yocto/yocto-3.3.5/bitbake-hardknott-25.0.5.tar.bz2

 

Repository Name: yocto-docs

Repository Location: https://git.yoctoproject.org/git/yocto-docs

Branch: hardknott

Tag: yocto-3.3.5

Git Revision: cba66e3a284b852b0da9a3b53f5f2540244d1072

 

 

---------------

Known Issues

---------------

N/A

 

 

---------------

Security Fixes

---------------

vim: update to include latest CVE fixes

expat: fix CVE-2022-23852

qemu: fix CVE-2021-20196

qemu: fix CVE-2021-3930

qemu: fix CVE-2021-3748

qemu: fix CVE-2021-3713

lighttpd: backport a fix for CVE-2022-22707

speex: fix CVE-2020-23903

expat: fix CVE-2021-46143

expat: fix CVE-2021-45960

expat fix CVE-2022-22822 through CVE-2022-22827

linux-yocto/5.10: amdgpu: updates for CVE-2021-42327

xserver-xorg: whitelist two CVEs

curl: Backport CVE fixes

libsndfile1: fix CVE-2021-4156

glibc: Backport fix for CVE-2021-43396

busybox: backport patches to fix CVEs

gcc: Fix CVE-2021-42574

grub2: fix CVE-2021-3981

webkitgtk: fix fix CVE-2021-42762

xserver-xorg: update CVE_PRODUCT

binutils: Fix CVE-2021-45078

xserver-xorg: fix CVE-2021-4011

xserver-xorg: fix CVE-2021-4010

xserver-xorg: fix CVE-2021-4009

xserver-xorg: fix CVE-2021-4008

binutils: CVE-2021-42574

gcc: Add CVE-2021-37322 to the list of CVEs to ignore

gmp: fix CVE-2021-43618

squashfs-tools: fix CVE-2021-41072

vim: fix CVE-2021-3927 and CVE-2021-3928

bind: fix CVE-2021-25219

vim: fix CVE-2021-3875

vim: fix CVE-2021-3872 and CVE-2021-3903

rpm: fix CVE-2021-3521

gcc: Fix CVE-2021-35465

inetutils: fix CVE-2021-40491

avahi: update CVE id fixed by local-ping.patch

 

---------------

Fixes

---------------

README.OE-Core.md: update URLs

arch-armv8-5a.inc: Add tune include for armv8.5a

armv9a/tune: Add the support for the Neoverse N2 core

binutils: upgrade binutils-2.36 to latest version

bitbake: bitbake: adjust parser error check for python 3.10 compatibility

bitbake: bitbake: correct deprecation warning in process.py

bitbake: bitbake: correct the collections vs collections.abc deprecation

bitbake: bitbake:toaster:test: Update SSTATE URL

bitbake: cooker: Fix task-depends.dot for multiconfig targets

bitbake: cooker: Handle parse threads disappearing to avoid hangs

bitbake: cooker: Handle parsing results queue race

bitbake: cooker: Remove debug code, oops :(

bitbake: cooker: check if upstream hash equivalence server is available

bitbake: fetch/wget: Add timeout for checkstatus calls (30s)

bitbake: fetch2/perforce: Fix typo

bitbake: fetch: Handle mirror user/password replacements correctly

bitbake: hashserv: let asyncio discover the running loop

bitbake: process: Do not mix stderr with stdout

bitbake: runqueue: Fix runall option handling

bitbake: runqueue: Fix runall option task deletion ordering issue

bitbake: tests/fetch: Drop gnu urls from wget connectivity test

bitbake: tests/fetch: Update github urls

bitbake: tests/fetch: Update pcre.org address after github changes

bitbake: utils: Handle lockfile filenames that are too long for filesystems

bitbake: utils: Update to use exec_module() instead of load_module()

build-appliance-image: Update to hardknott head revision

buildhistory: Fix srcrevs output

busybox: upgrade 1.33.1 -> 1.33.2

convert-srcuri.py: use regex to check space in SRC_URI

cross-canadian: correct the location of pkg-config files

cups: Fix missing installation of cups sysv init scripts

cve-check: add lockfile to task

cve-check: create directory of CVE_CHECK_MANIFEST before copy

cve-extra-exclusions: add db CVEs to exclusion list

default-distrovars.inc: Switch connectivity check to a yoctoproject.org page

documentation: conf.py: fix version of bitbake objects.inv

gcc: add aarch64 support for Arm's Neoverse N2 CPU

gcc: add support for Neoverse N2 CPU

gcc: upgrade to gcc-10.3 version

glibc: Fix i586/c3 support

glibc: upgrade glibc-2.33 to latest version

go: upgrade to 1.16.13

lib/oe/reproducible: correctly set .git location when recursively looking for git repos

libpcre/libpcre2: correct SRC_URI

libusb1: correct SRC_URI

linunistring: Add missing gperf-native dependency

linux-firmware: Add CLM blob to linux-firmware-bcm4373 package

linux-firmware: upgrade 20211027 -> 20211216

linux-yocto-rt/5.10: update to -rt56

linux-yocto/5.10/cfg: add kcov feature fragment

linux-yocto/5.10: update genericx86* machines to v5.10.82

linux-yocto/5.10: update to v5.10.99

linux-yocto/5.4: update genericx86* machines to v5.4.158

linux-yocto/5.4: update to v5.4.178

linux-yocto: add libmpc-native to DEPENDS

llvm: bump HASHEQUIV_HASH_VERSION

manuals: releases.rst: move gatesgarth to outdated releases section

meta/scripts: Manual git url branch additions

meta: add explicit branch and protocol to SRC_URI

mirrors: Add kernel.org sources mirror for downloads.yoctoproject.org

mirrors: Add uninative mirror on kernel.org

mklibs-native: drop deprecated cpp17 exceptions

oeqa/parselogs: Fix quoting

oeqa/selftest/bbtests: Use YP sources mirror instead of GNU

openssl: Add reproducibility fix

os-release: Add DISTRO_CODENAME as vardeps for do_compile

patch.py: Initialize git repo before patching

patchelf: fix PT_PHDR program header corruption

pigz: fix one failure of command "unpigz -l"

poky.conf: add debian11 to supported distros

poky.conf: add fedora 34 to supported distros

poky.conf: bump version for 3.3.5 release

populate_sdk_base: remove unneeded dirs such as /dev

pseudo: Add fcntl64 wrapper

pseudo: Add in ability to flush database with shutdown request

python3-pyelftools: Depend on debugger, pprint

python3-pyelftools: fix the override syntax

python3: upgrade to 3.9.9

recipetool: Fix circular reference in SRC_URI

recipetool: Set master branch only as fallback

recipetool: extend curl detection when creating recipes

recipetool: handle GitLab URLs like we do GitHub

ref-manual: fix patch documentation

rootfs-postcommands: update systemd_create_users

runqemu: check the qemu PID has been set before kill()ing it

runtime_test: skip virgl test on fedora 34

scripts/checklayer/common.py: Fixed a minor grammatical error

scripts/convert-srcuri: Backport SRC_URI conversion script from master branch

scripts/lib/wic/help.py: Update Fedora Kickstart URLs

scripts/oe-package-browser: Handle no packages being built

scripts/runqemu-ifdown: Don't treat the last iptables command as special

scripts: Update to use exec_module() instead of load_module()

sdk: fix search for dynamic loader

selftest/devtool: Check branch in git fetch

selftest: reproducible: Set maximum report size

selftest: skip virgl test on centos 8 entirely

selftest: skip virgl test on fedora 34 entirely

socat: update SRC_URI

sstate: A third fix for for touching files inside pseudo

sstate: Account for reserved characters when shortening sstate filenames

sstate: another fix for touching files inside pseudo

tune-cortexa72: Drop the redundant cortexa72-crc tune

tune-cortexa72: Enable the crc extension by default for cortexa72

tune-cortexa72: remove crypto for the default cortex-a72

uboot-sign: fix the concatenation when multiple U-BOOT configurations are specified

uninative: Add version to uninative tarball name

updates for recent releases

vim: upgrade to patch 4269

webkitgtk: Add reproducibility fix

wic: support rootdev identified by partition label

wic: use shutil.which

yocto-check-layer: add debug output for the layers that were found

 

 


Re: Honister on Ubuntu 14.04

Khem Raj
 

On Thu, Mar 3, 2022 at 10:07 AM Daniel Ammann
<daniel.ammann@...> wrote:

> Hi,
>
> I'm trying to build honister on Ubuntu 14.04. This is meant as a temporary
> solution until the build server can be upgraded to something recent.
> For now, I got it running with extended buildtools from poky, but the build of
> libnsl2-native fails. It appears that the pkgconfig step is not executed
> properly since do_compile fails with a header not found error.
>
> Has anybody done a successful build of honister on Ubuntu 14.04? Is it even
> possible?

Honister is a newer release. Always check the tested sanity distros
list for honister (3.4.x release)

https://docs.yoctoproject.org/3.4.2/ref-manual/system-requirements.html#detailed-supported-distros

It seems Ubuntu 18.04 is the oldest tested Ubuntu distro.

> Kind regards
>
> Daniel
>
> --
> bytes at work
> Technoparkstrasse 7
> CH-8406 Winterthur
> Switzerland
>
> phone: +41 52 550 50 67


Re: Honister on Ubuntu 14.04

Josef Holzmayr
 

Howdy!

Just pack a more recent Ubuntu into the container engine of your least dislike - docker usually does the trick well enough if you can go with its license situation, otherwise podman is an interesting option.

Greetz,
Josef

On 3. Mar 2022, at 19:06, Daniel Ammann <daniel.ammann@...> wrote:

Hi,

I'm trying to build honister on Ubuntu 14.04. This is meant as a temporary
solution until the build server can be upgraded to something recent.
For now, I got it running with extended buildtools from poky, but the build of
libnsl2-native fails. It appears that the pkgconfig step is not executed
properly since do_compile fails with a header not found error.

Has anybody done a successful build of honister on Ubuntu 14.04? Is it even
possible?

Kind regards

Daniel

--
bytes at work
Technoparkstrasse 7
CH-8406 Winterthur
Switzerland

phone: +41 52 550 50 67



Honister on Ubuntu 14.04

Daniel Ammann
 

Hi,

I'm trying to build honister on Ubuntu 14.04. This is meant as a temporary
solution until the build server can be upgraded to something recent.
For now, I got it running with extended buildtools from poky, but the build of
libnsl2-native fails. It appears that the pkgconfig step is not executed
properly since do_compile fails with a header not found error.

Has anybody done a successful build of honister on Ubuntu 14.04? Is it even
possible?

Kind regards

Daniel

--
bytes at work
Technoparkstrasse 7
CH-8406 Winterthur
Switzerland

phone: +41 52 550 50 67


[meta-security-isafw][PATCH] meta-security-isafw: Fixes to work with oe-core master

Akshay Bhat
 

Update isafw bbclass to build with oe-core master
- prelink support was dropped in oe-core as part of 23c0be78106f
- do_populate_cve_db was renamed to do_fetch in oe-core as part
of f5f97d33a1703d

Signed-off-by: Akshay Bhat <akshay.bhat@...>
---
meta-security-isafw/classes/isafw.bbclass | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-security-isafw/classes/isafw.bbclass b/meta-security-isafw/classes/isafw.bbclass
index da6bf76..3854c0f 100644
--- a/meta-security-isafw/classes/isafw.bbclass
+++ b/meta-security-isafw/classes/isafw.bbclass
@@ -105,7 +105,7 @@ python process_reports_handler() {
os.environ["PATH"] = savedenv["PATH"]
}

-do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
+do_build[depends] += "cve-update-db-native:do_fetch ca-certificates-native:do_populate_sysroot"
do_build[depends] += "python3-lxml-native:do_populate_sysroot"

# These tasks are intended to be called directly by the user (e.g. bitbake -c)
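Review bot: do_build[depends] now names cve-update-db-native:do_fetch unconditionally, so the class can no longer resolve this dependency against any oe-core that predates the rename cited in the commit message (f5f97d33a1703d). Make sure this lands only on the branch whose layer compatibility matches oe-core master, and say so in the message, so release branches keep the do_populate_cve_db name.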
@@ -179,7 +179,6 @@ fakeroot python do_analyse_image() {
}

do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
-do_rootfs[depends] += "prelink-native:do_populate_sysroot"
do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"

isafw_init[vardepsexclude] = "DATETIME"
--
2.25.1


Minutes: Yocto Project Weekly Triage Meeting 3/3/2022

Trevor Gamblin
 

Wiki: https://wiki.yoctoproject.org/wiki/Bug_Triage

Attendees: Alexandre, Armin, Daiane, Joshua, Luca, Pavel, Randy, Richard, Saul, Stephen, Steve, Tim, Trevor

ARs:

- Randy to talk to David Reyna about triaging his Toaster Future/3.99 bugs (25)

Notes:

- ~43% of AB workers have been switched to SSDs. Failure rate appears lower, but still TBD. More coming soon!

Medium+ 3.5 Unassigned Enhancements/Bugs: 77 (Last week 71)

Medium+ 3.5 Unassigned Enhancements/Bugs: 6 (new)

Medium+ 3.99 Unassigned Enhancements/Bugs: 38 (Last week 39)

AB Bugs: 71 (Last week 75)


Re: [meta-rockchip][PATCH] layers: Bump to use kirkstone

Trevor Woerner
 



On Thu, Mar 3, 2022 at 2:33 AM Martin Jansa <martin.jansa@...> wrote:
Hi,

can you please create honister branch.

I think 17703ee37b46d15ec369588fbb86dde336df6028 commit (just before this kirkstone change was applied) would be reasonable branching point.

Now there isn't any branch compatible with Honister release.

Done, thanks!
 

Thanks

On Tue, Feb 22, 2022 at 3:16 PM Trevor Woerner <twoerner@...> wrote:
On Mon 2022-02-21 @ 06:28:47 PM, Khem Raj wrote:
> its not going to be backward ABI compatible with honister due to variable renaming.
>
> Signed-off-by: Khem Raj <raj.khem@...>
> ---
>  conf/layer.conf | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to meta-rockchip master and kirkstone.
Thanks!




[PATCH yocto-autobuilder-helper] auh-config: update smtp server to localhost

Alexander Kanavin
 

Current setup only allows sending mail via localhost on alma workers.

Signed-off-by: Alexander Kanavin <alex.kanavin@...>
---
scripts/auh-config/upgrade-helper.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/auh-config/upgrade-helper.conf b/scripts/auh-config/upgrade-helper.conf
index 6255f3f..3a0aa6c 100644
--- a/scripts/auh-config/upgrade-helper.conf
+++ b/scripts/auh-config/upgrade-helper.conf
@@ -9,7 +9,7 @@ blacklist=linux-libc-headers linux-yocto alsa-utils-scripts build-appliance-imag
# only recipes belonging to maintainers in whitelist will be attempted
#maintainers_whitelist=anibal.limon@...
# SMTP server
-smtp=mail.yoctoproject.org:25
+smtp=localhost:25
# from whom should the mails arrive
from=auh@...
# who should get the status mail with statistics, at the end
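Review bot: smtp=localhost:25 assumes a mail transfer agent is listening on every host that runs AUH, while the commit message only speaks about the alma workers. If the job can be scheduled on other workers, either pin it to the alma workers or confirm that those hosts accept mail on localhost as well; otherwise delivery of the status mails will fail there.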
--
2.35.1
