Version 4.11.3 fixes
CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
CVE-2019-14870: DelegationNotAllowed not being enforced in protocol
transition on Samba AD DC.
Changelog:
https://www.samba.org/samba/history/samba-4.11.3.htmlhttps://www.samba.org/samba/history/samba-4.11.4.html
Removed patches applied upstream, rebased patch 0002.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The hyperv integration services offer convenience features for guest
operating systems running on the microsoft hyperv virtualization
platform. They roughly are for HyperV what openvmtools are for VMWare.
The installed binary names are derived from what seems common in large
distros like RedHat:
linux kernel source name -> installed binary name
hv_vss_daemon -> hypervvssd
hv_kvp_daemon -> hypervkvpd
hv_fcopy_daemon -> hypervfcopyd
Each tool was introduced at different points in the kernel history, so
we need to check each of them.
We provide a single init script that is responsible for starting all
enabled programs. The global status will be the status of the last
program to fail to start, or empty (i.e. success) if they all started
successfuly.
However, we provide one systemd unit per program, because it is not easy
to use a single unit to start (and monitor) more than one executable.
Additionally, we do not provide a template that is filled at tinstall
time either, because it does not gain much (three simple units vs. a
template and some replacement code in the .mk).
Finally, the key-value daemon uses a few helper scripts to get/set the
network config. All are optional (their presence is checked before
running them), but one, hv_set_ifconfig. However, it is not strictly
speaking required either, so we just symlink it to /bin/true to avoid
any warning at runtime. Providing actual helpers is left to the end
user, to adapt to their own environment.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[yann.morin.1998@free.fr:
- aggregate all three tools in a single sub-package
- introduce the main HV option, use a sub-option for each tool
- aggregate the three init scripts into one
- don't install the helpers; symlink the mandatory one
- don't create symlinks for systemd units (systemctl preset-all does
it for us now)
- expand commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Some linux tools (e.g. the Microsoft HyperV convenience utilities) will
install programs tostart at boot time, so they need to be able to
install init files (systemd units, sysv init script, or openrc units).
Unlike the other commands, we are redefining the real _INSTALL_INIT_*
macros, rather than use hooks, to let the infra call those at the right
moment.
We must be careful about the openrc support, though: if two tools are
enabled, one which provides sysv scripts but no openrc config, and the
other which provides openrc config, and we are using openrc as init
system, then we want to use the sysv scripts from the former as well as
the openrc config of the latter. Thus we need to duplicate a bit the
openrc logic here.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[yann.morin.1998@free.fr:
- define macros, not hooks
- introduce support for openrc too
- expand commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The test-case for python-gitdb2 consists solely in verifying that the
module can indeed be imported.
However, flake8 errors out on unused imports. Furthermore, it also
errors about wildcard imports, as it can detect unused symbols.
Commit d8c86be9cd (support/testing: fix python-gitdb2 test) tried to
address this issue, by explicitly squelching the two errors, F401 and
F403.
While that works on recent distros, the image used by our docker
pipeline is laggign behind and the flake8 there only handles at most a
single error in the noqa list.
Do as is done with the other python samples, and just blindly ignore
all errors.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Small update with several memory leaks fixed.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit 9fa2add810 (support/testing: add test for python-avro) added a
test for python-avro but failed to update .gitlab-ci.yml. Do that now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Set AM_CFLAGS to an empty value to avoid the following redefinition
error when building with our custom _FORTIFY_SOURCE:
/accts/mlweber1/rc-buildroot-test/scripts/instance-1/output/host/bin/mips-linux-gnu-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -Werror -Wuninitialized -Wundef -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -D_FORTIFY_SOURCE=1 -Wp,-MMD,3rdparty/hmac_sha/.hmac_sha2.o.d,-MT,3rdparty/hmac_sha/hmac_sha2.o -c 3rdparty/hmac_sha/hmac_sha2.c -o 3rdparty/hmac_sha/hmac_sha2.o
<command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
Fixes:
- http://autobuild.buildroot.org/results/cfef9315441b5f4909b58a6dccd8bea8e67ae992
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If the linux-pam package is selected, add the package to the
dependency list and explicitly set --enable-plugin-auth-pam.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit aee39cbf27 (arch/riscv: set the default float ABI based on
ISA extensions), the default ABI changed, so the config fragments used
by the autobuilders were adapated accordingly, in commit f89871e810
(support/config-fragments: fix br-riscv{32,64} toolchain fragments).
But now, we need to revert again, because the newer toolchains are now
using the default ABI again.
We do not really do a revert, though, because the original change was
right, and a revert would mean it was not.
Fixes:
http://autobuild.buildroot.org/results/b59/b593267fb9fc9a002b977e049b2a5389dbaded30/ (riscv32)
http://autobuild.buildroot.org/results/b42/b42a4b22b29f47d5c85be119b310f1dfb61112a1/ (riscv64)
... and so many others on various packages...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
intltool has been replaced by gettext since version 12.99.1 and
57e3ccaf51
so replace host-intltool by $(TARGET_NLS_DEPENDENCIES)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
intltool has been replaced by gettext since version 3.33.4 and
4fb05684d2
so replace host-intltool by $(TARGET_NLS_DEPENDENCIES)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libnss expects OS_TEST to be set to ppc, ppc64, or ppc64le instead of
the usual values defined by Buildroot, respectively powerpc, powerpc64,
or powerpc64le.
This fixes the inconsistencies where functions would be prototyped and
called, but no implementation would be provided, causing link issues.
Define all the variants (of which the existing aarch64be) in Kconfig.
The latest default uses the usual architecture names as defined by
Buildroot, BR2_ARCH.
Additionally, libnss makes use of Altivec intrinsics which are only
available starting with gcc 8, not gcc 5, so we patch it to fix that
condition.
Fixes:
http://autobuild.buildroot.org/results/579/57928e6cf69d584b430a1d9a99156c57f29b692f/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- move the arch setting to kconfig (like recently done in e3159cad71)
- add the build failure
- add pointer to upstream bug report and patch sybmission
- reformat and reword commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that the metadata_csum ext4 option is disabled, we no longer need
the U-Boot workaround.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The U-Boot ext4 write support doesn't work with the metadata_csum
option, and the stm32mp157 U-Boot defconfig uses an environment stored
in an ext4 filesystem, so we must create the ext4 root filesystem
without the metadata_csum option enabled.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Thomas: only disable the metadata_csum option, the 64bit and
dir_index options can be kept enabled]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The proj package exhibits gcc bug 68485 when building for the
Microblaze architecture C files (which was already worked around), but
also for C++ files.
As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 when compiling C++ files too if
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.
Fixes:
http://autobuild.buildroot.net/results/dc9/dc9bc52ff3d5a83dcfe4a86a391590bef57e1cf0/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Thomas: rework implementation to use a single condition for both CFLAGS and CXXFLAGS]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
/usr/bin/suricatactl and /usr/bin/suricatasc have their interpreter set
to the path of python in the HOST machine.
Use distutils' option '-e' to specify a better shabang.
[yann.morin.1998@free.fr:
- author did not provide their SoB, but it's simple enough to
not require it for once
- reword commit log
- use git-formatted patch, with a proper commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The original UBOOT_FIXUP_LIBFDT_INCLUDE hook only works for u-boot versions
starting from v2017.11.
As older u-boot versions are still in common use today, e.g. in the
ci20_defconfig, extend the hook to cover a wider range of u-boot versions.
The main code change was proposed by Arnout Vandecappelle in [1].
Testing and comment changes were done by Thomas De Schampheleire.
Additional (build) testing done by Yann.
[1] http://lists.busybox.net/pipermail/buildroot/2019-May/251231.html
This was tested with the following defconfigs, that each excercise one
case:
----.-- No defconfig identified
2010.06 'lib/libfdt/', used to be simply 'libfdt' before upstream commit 0de71d507157...
2013.10 ci20_defconfig
2014.04 'srctree' used to be called 'SRCTREE' before upstream commit 01286329b27b27ea...
2017.05 olimex_a13_olinuxino_defconfig
2017.11 scripts/dtc/libfdt only exists since upstream commit c0e032e0090d6541549b19cc...
2018.01 mx6udoo_defconfig
2018.03 core change is equivalent to upstream commit e0d20dc1521e74b82dbd69be53a04884...
2019.10 nanopi_neo_defconfig
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[yann.morin.1998@free.fr: add the build-test results]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
TinySSH is a minimalistic SSH server which implements only a subset of
SSHv2 features.
Might be useful for small systems.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[yann.morin.1998@free.fr:
- add missing licence file, as noticed by Giulio
- update the version to bring two fixes
- update hash file accordingly (version and licence file)
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Following Arnout review of "autofs: fix mount, umount and fsck program
paths" in https://patchwork.ozlabs.org/patch/1148086, set
ac_cv_path_E2FSCK to /sbin/fsck and ac_cv_path_E{3,4}FSCK to no so that
the fsck wrapper will always gets used (if the e3 and e4 versions don't
exist, the e2 version is used regardless of fs type).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The apitrace package exhibits gcc bug 68485 when built for the
Microblaze architecture with optimization enabled, which causes a build
failure. This is mainly due to 3rd party brotli embedded in apitrace
that already has been fixed in Buildroot as single package. After
working around this bug overriding -O0 to CFLAGS(Brotli is a C program),
gcc bug 81580 showed off while compiling C++ files.
So, as done for other packages in Buildroot, work around this gcc bug by
setting optimization to -O0(in CFLAGS) if
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y. And do the same(but in CXXFLAGS) if
BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y as already done for other packages.
Fixes:
http://autobuild.buildroot.net/results/a46/a46626cc50f07f41d831614306f556d346d31429/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr: reorganise the conditions]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
the upstream php-fpm sample configuration is placed in
/etc/php-fpm.d/www.conf.default
in recent version of php, so adjust the build cleanup
accordingly
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[yann.morin.1998@free.fr: only remove the file, not the directory]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Linux version is changed to 4.19.91 (the last version of 4.19).
Build- and runtime-tested for aarch64 and x86_64.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
[yann.morin.1998@free.fr: add the test report provided by Philipe on IRC]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since we already have a choice to select the backend to do crypto, push
the limits even further and add an option to do no crypto.
Usually, we would have added that option first in the choice, but if we
were to do that now, existing defconfigs that previously used openssl
(the first item in the choice) would now default to non crypto, which is
not so nice. So we add the new option last in the choice.
Each crypto backend option is used in a conditional block, each of which
default to disabling said backend. So, selecting none will indeed
disable all.
We can now drop the blind intermediate option that would hide the choice
when no backend library was available; there will now always be at least
the none option in the choice, so we need not hide it.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update dependency documentation to detail the order-only relationship
associated with the DEPENDENCIES variable. See the thread at [1] for
details.
[1] http://lists.busybox.net/pipermail/buildroot/2019-October/262685.html
Signed-off-by: Dan Walkes <danwalkes@trellis-logic.com>
[yann.morin.1998@free.fr: indentation & slight rephrasing]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Libcurl recipe allows selecting between various TLS backends. Users can
already select between several options but WolfSSL was missing. WolfSSL
is an efficient TLS library, it supports TLS 1.3 and is used in many
embedded systems.
Add WolfSSL to libcurl "SSL/TLS library to use" choice list when WolfSSL
package is enabled. When selected in the list, use libcurl
--with-wolfssl configure option. Explicitly set --without-wolfssl
when it is not selected.
Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Lothar added the beaglebone and beaglebone_qt5 defconfigs, and has
been regularly maintaining them, so it makes sense to have him listed
as a contact for those two defconfigs.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Lothar Felten <lothar.felten@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Theo added this defconfig in 2016, and is listed as the contact for
the pugixml package, so it probably makes sense to have him listed as
a contact for the beagleboardx15_defconfig as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Theo Debrouwere <t.debrouwere@televic.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Masahiro is the last person who made significant changes to this
defconfig, so let's add him as a contact for it, so that he receives
notifications of build failures and gets Cc'ed on patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Nicholas was the most recent person to make significant changes to the
galileo_defconfig, so let's add him as a contact for this defconfig,
so that he receives notification of build failures and gets Cc'ed on
patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicholas Sielicki <sielicki@yandex.com>
Cc: Ray Kinsella <ray.kinsella@intel.com>
Cc: Padraig James Connolly <padraig.connolly@intel.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Joao added this defconfig a while ago, and is still active
contributing to Buildroot, so let's add him as the contact for this
defconfig, so that he receives build failure notifications and gets
Cc'ed on patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Joao Pinto <jpinto@synopsys.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Julien originally added this defconfig in 2017, so let's add him as a
contact for it, so that he receives build failure notifications and is
Cc'ed on patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Julien Grossholtz <julien.grossholtz@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
We have an existing patch to configure.in that chains the test to find
fltk (supposedly because a symbol of fltk got renamed sometime in the
past). By doing so, this chaining breaks the build when configure later
checks for the alsa libraries.
This is because chaining calls to AC_CHECK_LIBS() one in the other would
be expanded in such a way that internal functions, like ac_fn_c_try_link,
would get defined after being called, which results in configure failures
(see new bundled patch).
So, we change configure to use AC_SEARCH_LIBS() instead, which allows us
to memorise the result of each test, and we only fail when both tests
failed.
We can now drop the ac_cv overrides we had.
Incidentally, this also fixes detection of newer alsa-libs, where
atopology functions were offloaded to their own separate library:
75d393a563
Fixes:
http://autobuild.buildroot.org/results/564c1561e83e0c064f3859d25e68dec96640e060
(Note: upstream has been basically dead for at least 15 years now, so we
did not even try to submit the patch there...)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
