Pick commit from 2.13 branch as 2.12 branch is unmaintained now.
(From OE-Core rev: 2335d4f0d1826647eaee224c469331980fc84ed2)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit which has been backported to 2.12 release branch.
(From OE-Core rev: 187052ce4ddd43b46b8335cc955a63ca19ee6994)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch to remove vulnerable component.
This is a breaking change, but there will be no other fix for this CVE
as upstream did the deletion without providing a fix first.
If someone really needs this feature, which the commit message describes
as deprecated, bbappend with patch removal is possible.
License-Update: passprompt plugin removed
(From OE-Core rev: 5350ef531ded14f0b4c32c211aaf993354be1ec9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da.
But not all cases were covered with this fix and issues were reported after the release.
In the v1.6.1 release, PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from b7b9636208
(From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
After introducing the DISTRO_LATEST_TAG and DISTRO_REL_LATEST_TAG
macros, use them in links that currently use DISTRO/DISTRO_REL_TAG. When
building for the tip of a branch, this will replace the current A.B.999
in links to the latest existing tag.
The links were found across the documentation by running 'grep -r
"http.*5\.2\.999"' inside the _build/html output after building the
docs.
[YOCTO #14802]
(From yocto-docs rev: d1f3616b373334a5aa75ad7874f05ee4b0e6591f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 29be069ebbf2c55d72fc51d99ed5a558af37c05e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Introduce the DISTRO_LATEST_TAG macro, which should always point to the
latest existing tag in the documentation, unlike DISTRO which may point
to A.B.999 to represent the tip of a branch.
This variable is needed to fix dead links in the documentation that
currently use the DISTRO macro.
Also, make DISTRO_REL_TAG use the DISTRO macro directly, to avoid
repetition, and add a DISTRO_REL_LATEST_TAG macro that has the same role
as DISTRO_LATEST_TAG but with "yocto-" prepended to it.
In set_versions.py, run the "git describe --abbrev=0 --tags
--match='yocto-*'" command to get the latest existing tag on the
currently checked out commit. Fallback to ourversion in case we didn't
find any.
(From yocto-docs rev: 4195f52117b8132b46dd562acaf40e6e4480be33)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a85b0e500c94921f77fa7b7dbb877e4945f96d1e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The word "modern" appears twice, remove the extra one.
(From yocto-docs rev: 6d2715b74d43c39fcee3ad7631d93b5396ce84bf)
Signed-off-by: Andrew Kreimer <algonell@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It may be confusing for users that source control information is not
present in the BitBake environment. Document it as a warning block.
(From yocto-docs rev: 990b3708d7131ccfb4e435e8a53e987195de3e06)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These variables control the flags for the assembler, compiler and
linker, but depend on the context.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 1520ba47f66c6d51f710005cdd4f4b880eccd5b0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f8eb33569a5e8cadc036855e2d95eee77e627cb4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These variables control the flags for the assembler, compiler and linker
when building for nativesdk recipes.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 95f4aabe48a6e06f8391e032c6a7038bf0e10332)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit c08f6d3c8aee86264c069b7c30850cb02de76076)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These toolchain variables are used in a native context. Some of the
BUILD_* variables missed documentation. Also, some of the base commands
were also not there so document them.
Some of existing BUILD_* variable documentation were missing the note
about their usage in a native context, so add it too so that all BUILD_*
variables are documented the same way.
[YOCTO #15719]
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: e692a7553ccf7496288f2eb7df71766cb5261eb4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 87103afa1cb6690e9aaa87ca1f23e45eaaa359ac)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Use the :manpage: role to provide links to common toolchain utilities.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: adfb1a4a768f53a0404b65297f7fa9ed12b77088)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7023e5f176efde05a6798476712c8a4e006a6b0d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Document the AUTOTOOLS_SCRIPT_PATH and the CONFIGURE_SCRIPT variables.
(From yocto-docs rev: b63d665549e14e1a468ffbf07c8494a491833770)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This change will prevent these tools from being installed if the image doesn't install bluez5-noinst-tools package.
BlueZ 5.66: tools/mesh-tester
BlueZ 5.66: tools/ioctl-tester
BlueZ 5.65: tools/iso-tester
BlueZ 5.56: tools/btpclientctl
BlueZ 5.51: tools/bcmfw
BlueZ 5.49: tools/rtlfw
BlueZ 5.47: tools/btconfig (not a new tool, but it was moved from bin_PROGRAMS to noinst_PROGRAMS)
(From OE-Core rev: 87cadf62ba0d6b0fc3dc0151a5d320919b7eb1ab)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The update includes 82 commits. Full list of changes can be found on Github [1]
All patches were refreshed with devtool.
[1] systemd/systemd-stable@v255.17...v255.18
(From OE-Core rev: 121e1fb42c4c909115bc550585b2ebcb3a13e0a5)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Allow the '+' symbol as a valid character in filenames listed in the
IMAGE_EFI_BOOT_FILES variable.
The '+' symbol might be used to support boot counting for boot entries,
as described in the UAPI Boot Loader Specification [1]:
The boot counting data is stored in the name of the boot loader entry.
A boot loader entry file name may contain a plus (+) followed by a
number. This may optionally be followed by a minus (-)
followed by a second number. The dot (.) and file name suffix
(conf or efi) must immediately follow.
Boot counting is enabled for entries which match this pattern.
Example:
IMAGE_EFI_BOOT_FILES:append = " entry.conf;loader/entries/entry+3.conf"
[1] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
(From OE-Core rev: 081fa0ebb33dbbfd0f6e8239690261c0a9dcdb2c)
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3f25822281eb9423ff86105eaebb0bed48663648)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When asked to use a `.netrc` file for credentials *and* to
follow HTTP redirects, curl could leak the password used
for the first host to the followed-to host under certain
circumstances.
This flaw only manifests itself if the netrc file has a
`default` entry that omits both login and password. A
rare circumstance.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0167
Upstream patch:
https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
(From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Rewrite (again) the openssl test suite installation.
Depend on and reuse already installed libraries and modules instead of
installing them twice.
Be more selective when installing from the build tree so we don't install
intermediate .c .d .o files.
This further reduces the size of openssl-dbg from ~120MB to ~18MB.
(From OE-Core rev: 8baa0ce7eae65026cb3a784adaf3a4fc724ce9c9)
Upstream-Status: Backport[https://git.yoctoproject.org/poky/commit/?id=76212866402edb947f745f837e3c3b98b3056e58]
(From OE-Core rev: b3cd05f123625c4c301fee925cdbb9641bc73412)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7621286640)
Signed-off-by: Vishwas Udupa <quic_vudupa@quicinc.com>
Change-Id: Ifc0e3a019c2abe5142d0f1e359ae5aa33dae1608
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These is update with only bug and security releases.
On top of previous CVE patches, also CVE-2024-48615 is handled.
Also many security fixes without CVE assigment are included.
Note that upgrade to 3.7.5 on master required fix of test in
python3-libarchive-c, however that recipe does not yet have ptest in
scarthgap and the fix was in test only, not in productive code, so it is
not necessary in scarthgap.
Also remove CVE_STATUS which was obsolete already before this upgrade.
(From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When PATCHTOOL is set to 'git', and user don't setup
user.name and user.email for git, do_patch fail with
the following error, fix by passing -c options.
CmdError("git notes --ref refs/notes/devtool append -m 'original patch: 0001-PATCH-increase-to-cpp17-version.patch' HEAD", 0, 'stdout:
stderr: Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
(From OE-Core rev: 9de38ac99c2b19f549c00ea5277faf621c6f4e65)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: homepage update in [1]
[1] c5c091332c
(From OE-Core rev: e6565ca37da4821f8e3924fe6bc6a6f4eeedd9a9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD responses changed to an invalid json between:
* April 5, 2025 at 3:03:44 AM GMT+2
* April 5, 2025 at 4:19:48 AM GMT+2
The last response is since then in format
{
"resultsPerPage": 625,
"startIndex": 288000,
"totalResults": 288625,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2025-04-07T07:17:17.534",
"vulnerabilities": [
{...},
...
{...},
]
}
Json does not allow trailing , in responses, that is json5 format.
So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:
...
File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
0230: if raw_data is None:
0231: # We haven't managed to download data
0232: return False
0233:
*** 0234: data = json.loads(raw_data)
0235:
0236: index = data["startIndex"]
0237: total = data["totalResults"]
0238: per_page = data["resultsPerPage"]
...
File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
0351: """
0352: try:
0353: obj, end = self.scan_once(s, idx)
0354: except StopIteration as err:
*** 0355: raise JSONDecodeError("Expecting value", s, err.value) from None
0356: return obj, end
Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
...
There was no announcement about json format of API v2.0 by nvd.
Also this happens only if whole database is queried (database update is
fine, even when multiple pages as queried).
And lastly it's only the cve list, all other lists inside are fine.
So this looks like a bug in NVD 2.0 introduced with some update.
Patch this with simple character deletion for now and let's monitor the
situation and possibly switch to json5 in the future.
Note that there is no native json5 support in python, we'd have to use
one of external libraries for it.
(From OE-Core rev: 4358fdfdd7a8908df98f7c4def2c8c1a6efb7256)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
