faec1c1050
release notes: https://downloads.isc.org/isc/bind9/9.18.19/doc/arm/html/notes.html#notes-for-bind-9-18-19 Security Fixes Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152] A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. [GL #4242] Removed Features The dnssec-must-be-secure option has been deprecated and will be removed in a future release. [GL #4263] Feature Changes If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181] Bug Fixes The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). [GL #4124] This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead. The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159] This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280] The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. [GL #4278] BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038] Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed. [GL #4255] Known Issues There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch. (From OE-Core rev: 29cc2203b06b12d4c93ffc1fb56f1754f6982e80) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Poky
Poky is an integration of various components to form a pre-packaged build system and development environment which is used as a development and validation tool by the Yocto Project. It features support for building customised embedded style device images and custom containers. There are reference demo images ranging from X11/GTK+ to Weston, commandline and more. The system supports cross-architecture application development using QEMU emulation and a standalone toolchain and SDK suitable for IDE integration.
Additional information on the specifics of hardware that Poky supports is available in README.hardware. Further hardware support can easily be added in the form of BSP layers which extend the systems capabilities in a modular way. Many layers are available and can be found through the layer index.
As an integration layer Poky consists of several upstream projects such as BitBake, OpenEmbedded-Core, Yocto documentation, the 'meta-yocto' layer which has configuration and hardware support components. These components are all part of the Yocto Project and OpenEmbedded ecosystems.
The Yocto Project has extensive documentation about the system including a reference manual which can be found at https://docs.yoctoproject.org/
OpenEmbedded is the build architecture used by Poky and the Yocto project. For information about OpenEmbedded, see the OpenEmbedded website.
Contribution Guidelines
Please refer to our contributor guide here: https://docs.yoctoproject.org/dev/contributor-guide/ for full details on how to submit changes.
Where to Send Patches
As Poky is an integration repository (built using a tool called combo-layer), patches against the various components should be sent to their respective upstreams:
OpenEmbedded-Core (files in meta/, meta-selftest/, meta-skeleton/, scripts/):
- Git repository: https://git.openembedded.org/openembedded-core/
- Mailing list: openembedded-core@lists.openembedded.org
BitBake (files in bitbake/):
- Git repository: https://git.openembedded.org/bitbake/
- Mailing list: bitbake-devel@lists.openembedded.org
Documentation (files in documentation/):
- Git repository: https://git.yoctoproject.org/cgit/cgit.cgi/yocto-docs/
- Mailing list: docs@lists.yoctoproject.org
meta-yocto (files in meta-poky/, meta-yocto-bsp/):
- Git repository: https://git.yoctoproject.org/cgit/cgit.cgi/meta-yocto
- Mailing list: poky@lists.yoctoproject.org
If in doubt, check the openembedded-core git repository for the content you intend to modify as most files are from there unless clearly one of the above categories. Before sending, be sure the patches apply cleanly to the current git repository branch in question.