In case of nodistro, dhcpcd gives us 'Bad system call'
error and exits. This is because there are syscalls that
should be allowed but not in privsep. Backport two patches
to fix this issue.
(From OE-Core rev: a40acd3741069bb70283581d186e09d1d7df2a7a)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1e6a0c16d6685096ec9313301aa431e73d02c07)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
The key file IO locks objects would never get deleted from the hashtable due to
off-by-one error.
ANY responses could sometimes have the wrong TTL.
Speed up the named shutdown time by explicitly canceling all recursing ns_client
objects for
Removing a catalog zone from catalog-zones without also removing the referenced
zone could leave a dangling pointer. [GL #3683]
nslookup and host were not honoring the selected port in TCP mode. [GL #3721]
Deprecate alt-transfer-source, alt-transfer-source-v6 and
use-alt-transfer-source. [GL #3694]
Move the "final reference detached" log message from dns_zone unit to the
DEBUG(1) log level.
Fix assertion failure in isc_http API used by statschannel if the read callback
would be called on HTTP request that has been already closed.
Deduplicate time unit conversion factors.
Copy TLS identifier when setting up primaries for catalog member zones.
Deprecate 'auto-dnssec'. [GL #3667]
The decompression implementation in dns_name_fromwire() is now smaller and
faster. [GL #3655]
Use the current domain name when checking answers from a dual-stack-server.
Ensure 'named-checkconf -z' respects the check-wildcard option when loading a
zone. [GL #1905]
Deprecate 'coresize', 'datasize', 'files', and 'stacksize' named.conf options.
The view's zone table was not locked when it should have been, leading to race
conditions when external extensions that manipulate the zone table were in use.
Some browsers (Firefox) send more than 10 HTTP headers. Bump the number of
allowed HTTP headers to 100. [GL #3670]
NXDOMAIN cache records are no longer retained in the cache after expiry,
even when serve-stale is in use. [GL #3386]
(From OE-Core rev: 932546383875692c4cc9e05c75a4be64a6c3f0c7)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1c093c38e247b522f279f616d16373795a4cdf89)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 410d69c684ba4eb6dd279a40436043259f94b6b9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It appears that rngd is not needed as of linux-5.6 and later[1]
and should not be installed by default since the purpose of rngd
is to provide additional trusted sources of entropy.
We did some testing on real hardware, the result seems to support that
we no longer need rngd by default on kernel v5.6 and later.
Testing result as below:
1. observing the crng init stage.
the "random: crng init done" message is always available before the fs is mounted.
2. generating random number without rngd.
testing command: dd if=/dev/random of=/dev/null status=progress
on Marvell CN96xx RDB board, speed almost 20.4 MB/s without block
on NXP i.mx6q board, speed almost 31.9 MB/s without block
on qemu x86-64, speed almost 2.6 MB/s without block
3. using rngtest command without rngd
testing command: rngtest -c 1000 </dev/random
on Marvell CN96xx RDB board:
rngtest: input channel speed: (min=4.340; avg=135.364; max=146.719)Mibits/s
rngtest: FIPS tests speed: (min=8.197; avg=69.020; max=72.800)Mibits/s
rngtest: Program run time: 418771 microseconds
on NXP i.mx6q board:
rngtest: input channel speed: (min=96.820; avg=326.769; max=340.598)Mibits/s
rngtest: FIPS tests speed: (min=15.090; avg=37.543; max=40.324)Mibits/s
rngtest: Program run time: 570229 microseconds
on qemu x86-64:
rngtest: input channel speed: (min=37.769; avg=101.136; max=136.239)Mibits/s
rngtest: FIPS tests speed: (min=10.288; avg=30.682; max=40.155)Mibits/s
rngtest: Program run time: 836800 microseconds
4. observing sshd service.
using "systemctl disable rng-tools" to disable the service and reboot the system.
system boots up normally, sshd service also starts in normal time without
blocking.
Reference:
[1] 30c08efec8
(From OE-Core rev: 2ed579aa28194cf671e5d4f4c61dc38d05de4b0c)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 868dfb46d96a27ec9041cb902fb769330277257d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
Fix a crash that could happen when you change
a dnssec-policy zone with NSEC3 to start using
inline-signing. [GL #3591]
Don't trust a placeholder KEYDATA from the managed-keys
zone by adding it into secroots. [GL #2895]
Fixed a race condition that could cause a crash
in dns_zone_synckeyzone(). [GL #3617]
Don't enforce the jemalloc use on NetBSD. [GL #3634]
Fix an inheritance bug when setting the port on
remote servers in configuration. [GL #3627]
Fix a resolver prefetch bug when the record's TTL value
is equal to the configured prefetch eligibility value,
but the record was erroneously not treated as eligible
for prefetching. [GL #3603]
Always call dns_adb_endudpfetch() after calling
dns_adb_beginudpfetch() for UDP queries in resolver.c,
in order to adjust back the quota. [GL #3598]
Fix a startup issue on Solaris systems with many
(reportedly > 510) CPUs. Thanks to Stacey Marshall from
Oracle for deep investigation of the problem. [GL #3563]
rpz-ip rules could be ineffective in some scenarios
with CD=1 queries. [GL #3247]
The RecursClients statistics counter could overflow
in certain resolution scenarios. [GL #3584]
Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR()
reporting macros. [GL !6914]
Fix a couple of bugs in cfg_print_duration(), which
could result in generating incomplete duration values
when printing the configuration using named-checkconf.
[GL !6880]
Refactor the isc_httpd implementation used in the
statistics channel. [GL !6879]
(From OE-Core rev: 38219ac0617eac1969e4535a7dd22bf4c1fa1463)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit e57fe26b3f85ebfabdc8b574caa5c97602e4d771)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently, dhcpcd does not work well with systemd. When using dhcpcd
to configure network, the /etc/resolv.conf contents are not correct.
This issue could easily be reproduced by using 'qemu + slirp' to
start a systemd based image and using dhcpcd to configure network.
The expected 'nameserver 10.0.2.3' is not in /etc/resolv.conf.
The root cause of this problem is that dhcpcd assumes the resolvconf
should recognize the .protocol suffix[1]. But systemd's resolvconf (which
is a symlink to resolvectl) has limited support for the traditional
resolvconf interface[2], and "may not work with all clients"[3]. This
of course includes the clients that use the .protocol suffix.
The current situation is:
1. systemd is not going to support the .protocol suffix in the foreseeable
near future[4].
2. dhcpcd does not want to merge systemd specific patch and insists
systemd needs to consider the .protocol suffix[5][6].
It's a normal thing that people have different opinions. As a build system
that supports such combination, however, we do need to come up with a
solution to fix this typical integration problem, making dhcpcd and systemd
work together.
This patch solves this integration problem by relying on dhcpcd's ability
to manage its own resolv.conf contents. But instead of letting it write
to /etc/resolv.conf directly, we supply the generated contents to resolvconf.
In this way, resolvconf still stands in the central place and dhcpcd remains
a supplier to it. And /etc/resolv.conf can get the correct contents.
With this patch, dhcpcd could work with both sysvinit and systemd.
[1] https://man.archlinux.org/man/resolvconf.8.en
[2] https://man.archlinux.org/man/resolvectl.1#COMPATIBILITY_WITH_RESOLVCONF(8)
[3] https://wiki.archlinux.org/title/systemd-resolved
[4] https://github.com/systemd/systemd/issues/25032
[5] https://github.com/NetworkConfiguration/dhcpcd/pull/152
[6] https://github.com/NetworkConfiguration/dhcpcd/issues/146
(From OE-Core rev: 26c1338f5ad73488d80cdb97ae2efbf0652ee1ac)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 935ae419f51d911c73f5dc7b4a2e5e9a7b206985)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
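The handoff described in the commit above, as an added illustration rather than the OE-Core patch itself: a dhcpcd-style hook that renders the resolv.conf fragment from the lease variables dhcpcd exports to its hooks (`$reason`, `$interface`, `$new_domain_name_servers`, `$new_domain_name`, `$new_domain_search`) and passes it to `resolvconf -a` under the plain interface name, with no `.protocol` suffix, so systemd's resolvectl shim accepts it. The `$reason` values handled and the 10.0.2.3 nameserver are assumed/constructed for the example.

```shell
#!/bin/sh
# Illustrative dhcpcd-style hook (example code, not the OE-Core patch).
# dhcpcd runs hooks with lease data in environment variables; this hook
# builds the resolv.conf fragment itself and hands it to resolvconf.

# Render a resolv.conf fragment from DHCP lease data.
#   $1 = interface name
#   $2 = space-separated nameserver list
#   $3 = domain name (may be empty)
#   $4 = space-separated search list (may be empty)
build_resolv_conf() {
    iface=$1; servers=$2; domain=$3; search=$4
    printf '# Generated by dhcpcd from %s\n' "$iface"
    if [ -n "$domain" ]; then
        printf 'domain %s\n' "$domain"
    fi
    if [ -n "$search" ]; then
        printf 'search %s\n' "$search"
    fi
    for ns in $servers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Count the nameserver lines in a fragment; a lease that yields none
# should not replace a working configuration.
count_nameservers() {
    printf '%s\n' "$1" | grep -c '^nameserver '
}

# Hand the fragment to resolvconf keyed on the bare interface name.
# The set of $reason values reacted to is an assumption for this example.
update_resolvconf() {
    case ${reason:-} in
        BOUND|RENEW|REBIND|REBOOT|STATIC)
            frag=$(build_resolv_conf "$interface" \
                "${new_domain_name_servers:-}" \
                "${new_domain_name:-}" "${new_domain_search:-}")
            if [ "$(count_nameservers "$frag")" -gt 0 ]; then
                # "-a eth0", never "-a eth0.dhcp": resolvectl's resolvconf
                # compatibility mode does not understand the suffix.
                printf '%s\n' "$frag" | resolvconf -a "$interface"
            fi
            ;;
        EXPIRE|FAIL|RELEASE|STOP|NOCARRIER)
            resolvconf -d "$interface"
            ;;
    esac
}
```

Installed under dhcpcd's hook directory, `update_resolvconf` would be invoked by dhcpcd on each lease event; the two helper functions can be exercised on their own with constructed lease values.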
The current resolvconf does not work. Make it work with the
following changes.
1. Install normalize-resolvconf, which is used by resolvconf.
2. Add dependencies: sed, util-linux-flock.
util-linux-flock is needed because our busybox does not support '-w'
by default. sed is needed because we want to avoid the package
QA issue complaining that sed is needed but no one provides it.
3. Add a patch to replace 'readlink -m' with 'readlink -l'.
This could avoid the runtime dependency on coreutils. The replacement
is safe as /etc always exists in OE's system.
4. Remove allarch inheritance. This is because the above RDEPENDS
change does not allow this any more. test_sstate_allarch_samesigs
would fail if we don't do this.
(From OE-Core rev: 66d85b2d841e6d3281f47ef9a39aa5483aad35d0)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 1b0581fd241cc9de2feda896aefbf055dc0099dc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add the trailing '.git' to the git repo uri in SRC_URI so that it can share
the source code repo on the premirror with grpc, which uses libuv as a git
submodule with a fixed revision.
(From OE-Core rev: 8e5d2044ff27b54a8013fbf2ecf1cccd2cf76871)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit cecdf616e7cf192cdc723a446be1d14c197c980d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the hciattach bcm43xx firmware loader looks up the firmware
blob in /etc/firmware . Change this to /lib/firmware instead, so that
the path is consistent with Linux kernel which also looks up firmware
for the WiFi part in /lib/firmware .
(From OE-Core rev: 67f6fe7d2cfb95c9a39a0d288daabf69babf6f17)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 72b3b79ad8b980e8dd9470d16b72c2c70072bbc0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.7.4.4 is a bug fix release
0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch
removed since it's included in 1.7.4.4
(From OE-Core rev: 42942e565870bd4d0753e0dc7bed9277a71bccf9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit c00e9d66f0b8449ff1bf24546f232345eb6feebd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_18_8/CHANGES
--- 9.18.7 released ---
5962. [security] Fix memory leak in EdDSA verify processing.
(CVE-2022-38178) [GL #3487]
5960. [security] Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query.
(CVE-2022-3080) [GL #3517]
5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected. (CVE-2022-2906) [GL #3491]
5958. [security] When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer. (CVE-2022-2881) [GL #3493]
5957. [security] Prevent excessive resource use while processing large
delegations. (CVE-2022-2795) [GL #3394]
5956. [func] Make RRL code treat all QNAMEs that are subject to
wildcard processing within a given zone as the same
name. [GL #3459]
5955. [port] The libxml2 library has deprecated the usage of
xmlInitThreads() and xmlCleanupThreads() functions. Use
xmlInitParser() and xmlCleanupParser() instead.
[GL #3518]
5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008
conversion fails. [GL #3485]
5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add
mctx attach/detach pair to make sure that the memory
context used by a memory pool is not destroyed before
the memory pool itself. [GL #3515]
5952. [bug] Use quotes around address strings in YAML output.
[GL #3511]
5951. [bug] In some cases, the dnstap query_message field was
erroneously set when logging response messages.
[GL #3501]
5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing
dns_db_detachnode() call. [GL #3500]
5947. [func] Change dnssec-policy to allow graceful transition from
an NSEC only zone to NSEC3. [GL #3486]
5946. [bug] Fix statistics channel's handling of multiple HTTP
requests in a single connection which have non-empty
request bodies. [GL #3463]
5945. [bug] If parsing /etc/bind.key failed, delv could assert
when trying to parse the built in trust anchors as
the parser hadn't been reset. [GL !6468]
5944. [bug] Fix +http-plain-get and +http-plain-post options
support in dig. Thanks to Marco Davids at SIDN for
reporting the problem. [GL !6672]
5942. [bug] Fix tkey.c:buildquery() function's error handling by
adding the missing cleanup code. [GL #3492]
5941. [func] Zones with dnssec-policy now require dynamic DNS or
inline-signing to be configured explicitly. [GL #3381]
5938. [bug] An integer type overflow could cause an assertion
failure when freeing memory. [GL #3483]
5936. [bug] Don't enable serve-stale for lookups that error because
it is a duplicate query or a query that would be
dropped. [GL #2982]
5935. [bug] Fix DiG lookup reference counting bug, which could
be observed in NSSEARCH mode. [GL #3478]
(From OE-Core rev: ed4a32b9c6e25b09a2aa4eb0446bf0ea9ed37ca9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 1d87d2652f7f6640dda85e037c580c83f99a8ba8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unless we're using systemd, dbus is not pulled into the system
automatically. Bluez5 will not work without dbus so add it to RDEPENDS
explicitly.
(From OE-Core rev: eba53bb6663222d47e14d26a5f22d26ba198f019)
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 377ef7009a8638efe688b6b61f67ae399eb1f23d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In OE-Core d6b15d1e70b99185cf245d829ada5b6fb99ec1af,
"openssl: export necessary env vars in SDK", the value added for
SSL_CERT_FILE was in conflict with the value used elsewhere, such as
in buildtools. This makes them match and fixes buildtools testsdk
failures.
(From OE-Core rev: 850ccc2a303f940f3a13ea6b2581081162f014e4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7d383a7fc6da666c80f2fc037af5f49a3388eb2b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit a9a50f2216951e26b62ed2f86f341d9ad13acf48)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In current SDK, when running the following command in python
shell, we get an error.
$ python3
>>> from cryptography.hazmat.backends import openssl
The error message is as below:
cryptography.exceptions.InternalError: Unknown OpenSSL error.
We could set OPENSSL_MODULES explicitly in nativesdk-openssl package
so that when SDK is set up, it's in environment and we can
get rid of the above error.
Also, there are other env vars that need to be exported. And we export
all of them to keep sync with openssl-native.bbclass.
(From OE-Core rev: f51c9af925ab4cf338ec9ba3e4bebdae25113a3a)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d6b15d1e70b99185cf245d829ada5b6fb99ec1af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 69030b368773baae65d95e39d3587913b8401bc7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
BIND 9.18 is a stable branch, suitable for production use.
Notes for BIND 9.18.5
Feature Changes
The dnssec-signzone -H default value has been changed to 0 additional NSEC3
iterations. This change aligns the dnssec-signzone default with the default
used by the dnssec-policy feature. At the same time, documentation about
NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
- An assertion failure caused by a TCP connection closing between a connect
(or accept) and a read from a socket has been fixed. [GL #3400]
- When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec could incorrectly synthesize non-existence of records
within the non-delegated namespace using NSEC records from higher zones. [GL #3402]
- Previously, named immediately returned a SERVFAIL response to the client
when it received a FORMERR response from an authoritative server during
recursive resolution. This has been fixed: named acting as a resolver
now attempts to contact other authoritative servers for a given domain
when it receives a FORMERR response from one of them. [GL #3152]
- Previously, rndc reconfig did not pick up changes to endpoints statements
in http blocks. This has been fixed. [GL #3415]
- It was possible for a catalog zone consumer to process a catalog zone
member zone when there was a configured pre-existing forward-only forward
zone with the same name. This has been fixed. [GL #2506]
(From OE-Core rev: 75c4b8361ef2d3a39e192ed8318d1038a3ff0999)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0a419b730ca87daa4e07daf022a550fb4112b9b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ver 5.65 changes:
Fix issue with A2DP cache invalidation handling.
Fix issue with A2DP and not initialized SEP codec.
Fix issue with A2DP and multiple SetConfiguration to same SEP
Fix issue with AVRCP and not properly initialized volume.
Fix issue with SDP records when operating in LE only mode.
Fix issue with HoG and not reading report map of instances.
Fix issue with GATT server crashing while disconnecting.
Fix issue with not removing connected devices.
Fix issue with enabling wake support without RPA Resolution.
Fix issue with pairing failed due to the error of Already Paired.
Add support for CONFIGURATION_DIRECTORY environment variable.
Add support for STATE_DIRECTORY environment variable.
Add support for "Bonded" property with Device API.
Add experimental support for ISO socket.
Drop fix_service.patch as it is merged upstream.
(From OE-Core rev: 4fdb3d4e031e22c03d03c6cc7713ec45d7498555)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10374b5ed4b5550eadacbcd71ae20b751ce5c038)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
OpenSSH 9.0 uses sftp by default as the transport for scp, add in
sftp-server so that this works as expected for users, rather than being
left with a confusing "scp: Connection closed" message.
(From OE-Core rev: c33eb7fb1d1e91a005b22b65d221d4b899ec69dc)
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be61b9dac78f0d85c870a0d8304fb4b536ec4bc8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python support was dropped upstream and removed in 8a9a5885995c ("bind:
update 9.16.26 -> 9.18.1"), clean up the remaining pieces of python3 in
the recipe.
(From OE-Core rev: acda23e0d985049ae83e9516315c33afae763ad9)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee4e4eb16a3729dcafad075c42aec1695b8ea15f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Important bugs fixed
loop: better align order-of-events behavior between platforms #3598
zos: fix fs event not fired if the watched file is moved/removed/recreated #3540
win: Fix pipe resource leak if closed during connect (and other bugs) #3611
zos: don't error when killing a zombie process #3625
Regressions fixed
macos: avoid posix_spawnp() cwd bug #3597
kqueue: skip EVFILT_PROC events when invalidating events for an fd. #3629
(From OE-Core rev: c785f1d3a7f8ef2c7047fad7a2a483c5ebd658e0)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ccd589604c2d7648dcd3541c61a2b48e692ca258)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
[func] Don't try to process DNSSEC-related and ZONEMD records
in catz. [GL #3380]
[func] Add some more dnssec-policy checks to detect weird
policies. [GL #1611]
[test] Add new set of unit test macros and move the unit
tests under single namespace in /tests/. [GL !6243]
[func] Key timing options for 'dnssec-settime' and related
utilities now accept "UNSET" times as printed by
'dnssec-settime -p'. [GL #3361]
[bug] When the fetches-per-server quota was adjusted
because of an authoritative server timing out more
or less frequently, it was incorrectly set to 1
rather than the intended value. This has been
fixed. [GL #3327]
[bug] Only write key files if the dnssec-policy keymgr has
changed the metadata. [GL #3302]
[func] Key timing options for 'dnssec-keygen' and
'dnssec-settime' now accept times as printed by
'dnssec-settime -p'. [GL !2947]
(From OE-Core rev: 5bfb44bff5d296b8fd447acb7bdb29b544bd1c20)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d5a12d549209f01324d03963db96449ee43452eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
[security]
Fix a crash in DNS-over-HTTPS (DoH) code caused by
premature TLS stream socket object deletion.
(CVE-2022-1183) [GL #3216]
[bug]
RPZ NSIP and NSDNAME rule processing didn't handle stub
and static-stub zones at or above the query name. This
has now been addressed. [GL #3232]
Fixed a deadlock that could occur if an rndc
connection arrived during the shutdown of network
interfaces. [GL #3272]
Refactor the fctx_done() function to set fctx to
NULL after detaching, so that reference counting
errors will be easier to avoid. [GL #2969]
udp_recv() in dispatch could trigger an INSIST when the
callback's result indicated success but the response
was canceled in the meantime. [GL #3300]
Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time. [GL #3287]
If there was a pending negative cache DS entry,
validations depending upon it could fail. [GL #3279]
dig returned a 0 exit status on UDP connection failure.
[GL #3235]
Fix an assertion failure when using dig with +nssearch
and +tcp options by starting the next query in the
send_done() callback (like in the UDP mode) instead
of doing that recursively in start_tcp(). Also
ensure that queries interrupted while connecting
are detached properly. [GL #3144]
Don't remove CDS/CDNSKEY DELETE records on zone sign
when using 'auto-dnssec maintain;'. [GL #2931]
[contrib]
Avoid name space collision in dlz modules by prefixing
functions with 'dlz_'. [GL !5778]
dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
[func]
Add new named command-line option -C to print built-in
defaults. [GL #1326]
Introduce the concept of broken catalog zones described
in the DNS catalog zones draft version 5 document.
[GL #3224]
Add DNS Extended Errors when stale answers are returned
from cache. [GL #2267]
Implement support for catalog zones change of ownership
(coo) mechanism described in the DNS catalog zones draft
version 5 document. [GL #3223]
Implement support for catalog zones options new syntax
based on catalog zones custom properties with "ext"
suffix described in the DNS catalog zones draft version
5 document. [GL #3222]
Implement reference counting for TLS contexts and
allow reloading of TLS certificates on reconfiguration
without destroying the underlying TCP listener sockets
for TLS-based DNS transports. [GL #3122]
Add support for remote TLS certificates
verification, both to BIND and dig, making it possible
to implement Strict and Mutual TLS authentication,
as described in RFC 9103, Section 9.3. [GL #3163]
[cleanup]
Remove use of exclusive mode in ns_interfacemgr in
favor of rwlocked access to localhost and localnets
members of dns_aclenv_t structure. [GL #3229]
Remove the task exclusive mode use in ns_clientmgr.
[GL #3230]
(From OE-Core rev: 1bbedc1c6f9b1d431a7d72b9e8e2871d0fe988f5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2ae8b85c71be2e9e332b1ef0a2d3083b30c63e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise the SDK fails to build as the main openssh and dropbear packages
conflict with each other.
(From OE-Core rev: f90647e9dd95cfd29b5bdb8d7dcd688a10fc060c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes a fix for CVE-2022-2068.
(From OE-Core rev: e5b48730a9916eeda37c34d6d2b41c903a3dcdeb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f034faebd45e63385849078e6ee4b51257763e99)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptests in openssl have started failing as one of the test certificates has
expired. Backport a fix for this from upstream, replacing the test
certificate to allow the ptests to pass again.
(From OE-Core rev: c3b7f7a9184188db5ce9ac665e6c2f3e22065fec)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f26f0b34f12bbca2beed153da402a3594d127374)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to latest stable branch release
Bug Fixes
- Previously, zone maintenance DNS queries retried forever if the destination
server was unreachable. These queries included outgoing NOTIFY messages,
refresh SOA queries, parental DS checks, and stub zone NS queries. For example,
if a zone had any nameservers with IPv6 addresses and a secondary server without
IPv6 connectivity, that server would keep trying to send a growing amount of
NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive
retry behavior has been fixed. [GL #3242]
- A number of crashes and hangs which could be triggered in dig were identified and
addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]
- Invalid dnssec-policy definitions, where the defined keys did not cover both KSK
and ZSK roles for a given algorithm, were being accepted. These are now checked,
and the dnssec-policy is rejected if both roles are not present for all algorithms
in use. [GL #3142]
- Handling of TCP write timeouts has been improved to track the timeout for each TCP
write separately, leading to a faster connection teardown in case the other party
is not reading the data. [GL #3200]
(From OE-Core rev: 297215735613b1c9512780580da2f84cf013a603)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5398263c8e070110a045a5f8999712ba4be628de)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This minor version includes fixes for several CVEs
CVE: CVE-2022-1292
CVE: CVE-2022-1343
CVE: CVE-2022-1434
CVE: CVE-2022-1473
(From OE-Core rev: 62bc43a8ca705384fb60742f2f044f4355aaabca)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This module contains legacy cipher suites from libcrypto.
We should not need to include base package because we want
to use this part of libcrypto.
(From OE-Core rev: f44368f58645715f210b46ca3f747d064b872b20)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1537ebc3f6ae2aec9a3864b03704ab4dbc0e971b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop removed python/libtool options.
isc/platform.h is no longer installed.
Rewrite reproducibility patch to fix the problem at the source.
License-Update: copyright years
(From OE-Core rev: 8a9a5885995c77774cdafeb09f7522c50750a1e9)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli ([CVE-2022-0778])
(From OE-Core rev: 30f054a1e0afaa26d16a411df2a6310104342e63)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>