[ptxdist] [PATCH] lighttpd: version bump 1.4.32 -> 1.4.33

2014-01-16 Thread Bruno Thomsen
Time to get some fixes out; nothing special, just many small fixes – and some 
new features.

Changes from 1.4.32:
http://www.lighttpd.net/2013/9/27/1-4-33/

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/lighttpd.make |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/lighttpd.make b/rules/lighttpd.make
index 5267b12..da97233 100644
--- a/rules/lighttpd.make
+++ b/rules/lighttpd.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_LIGHTTPD) += lighttpd
 #
 # Paths and names
 #
-LIGHTTPD_VERSION   := 1.4.32
-LIGHTTPD_MD5   := 8e2d4ae8e918d4de1aeb9842584d170b
+LIGHTTPD_VERSION   := 1.4.33
+LIGHTTPD_MD5   := e66b8164e5fc5a6beec0823b697fbe1d
 LIGHTTPD   := lighttpd-$(LIGHTTPD_VERSION)
 LIGHTTPD_SUFFIX:= tar.bz2
 LIGHTTPD_URL   := 
http://download.lighttpd.net/lighttpd/releases-1.4.x/$(LIGHTTPD).$(LIGHTTPD_SUFFIX)
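
Review bot: LIGHTTPD_MD5 is the only integrity check on the new tarball, and LIGHTTPD_URL in the trailing context fetches it over plain http, so the checksum has to come from somewhere other than that same download. Please state in the commit message where e66b8164e5fc5a6beec0823b697fbe1d was taken from, rather than a value computed from the fetched file.
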
-- 
1.7.9.5


-- 
ptxdist mailing list
ptxdist@pengutronix.de


[ptxdist] [PATCH] openssl: version bump 1.0.0k -> 1.0.1e

2014-01-17 Thread Bruno Thomsen
Updating openssl to 1.0.1e improves TLS 1.x support in lighttpd.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/openssl.make |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/openssl.make b/rules/openssl.make
index 35e9aa5..eaeb95a 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION:= 1.0.0k
-OPENSSL_MD5:= 99af9b319f928da5ea3e860311b396ef
+OPENSSL_VERSION:= 1.0.1e
+OPENSSL_MD5:= 66bf6f10f060d561929de96f9dfe5b8c
 OPENSSL:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL:= http://www.openssl.org/source/$(OPENSSL).$(OPENSSL_SUFFIX)
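
Review bot: changing OPENSSL_VERSION from 1.0.0k to 1.0.1e also changes the derived name openssl-$(OPENSSL_VERSION), yet the diffstat touches only rules/openssl.make. If a patch series is kept under the old version's name, this patch should either carry it over to 1.0.1e (after checking that each patch still applies) or delete it, and the commit message should say which.
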
-- 
1.7.9.5




Re: [ptxdist] [PATCH] openssl: version bump 1.0.0k -> 1.0.1e

2014-01-17 Thread Bruno Thomsen
Hi Juergen,

> PTXdist comes with various patches for openssl-1.0.0k. Did you check if they
> are obsolete when updating to release 1.0.1e? If yes, you should remove them
> with your patch as well.

Oops, I was using the openssl-1.0.0h patch series when testing 1.0.1e.
I will try to rebase/cleanup/test patch series and resubmit a patch.


Venlig hilsen / Best regards

Kamstrup A/S http://www.kamstrup.dk 
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00 
Fax: +45 89 93 10 01 
Dir: +45 89 93 13 94 
E-mail:  b...@kamstrup.dk
Web: www.kamstrup.dk



[ptxdist] [PATCH 1/2] Fix compiling of PHP with sqlite3 support on ptxdist 2012.04.0.

2014-01-21 Thread Bruno Thomsen

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.make |3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/php5.make b/rules/php5.make
index b24cd33..f66a664 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -250,6 +250,9 @@ endif
 
 ifdef PTXCONF_PHP5_EXT_SQLITE3
 PHP5_AUTOCONF += --with-sqlite3=$(PTXDIST_SYSROOT_TARGET)/usr --with-pdo-sqlite
+# broken config system: sqlite3 (local copy) uses it
+# but it is only linked to if used by external dependencies
+PHP5_CONF_ENV += PHP_LDFLAGS=-ldl
 else
 PHP5_AUTOCONF += --without-sqlite3 --without-pdo-sqlite
 endif
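
Review bot: the added comment above PHP5_CONF_ENV += PHP_LDFLAGS=-ldl never says what "it" is, and it speaks of a local copy of sqlite3 while the line above points configure at an external one with --with-sqlite3=$(PTXDIST_SYSROOT_TARGET)/usr. Please name the library (libdl) and the code that needs it in the comment. A library passed through an LDFLAGS variable can also end up ahead of the objects that need it on the link line; if the build offers a matching LIBS variable, that is the safer place.
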
-- 
1.7.9.5




[ptxdist] [PATCH 0/2] php: version bump 5.3.10 -> 5.4.24

2014-01-21 Thread Bruno Thomsen
Hi

Updated PHP due to many security flaws in 5.3.10.

Tested on Freescale i.MX28 with ptxdist 2012.04.0.
I'm unsure if newer versions of ptxdist still require the first patch; if not,
just discard it.

Bruno Thomsen (2):
  Fix compiling of PHP with sqlite3 support on ptxdist 2012.04.0.
  php: version bump 5.3.10 -> 5.4.24

 ...make-it-possible-to-force-cross-compiling.patch |   35 
 patches/php-5.3.10/series  |4 ---
 rules/php5.make|7 ++--
 3 files changed, 5 insertions(+), 41 deletions(-)
 delete mode 100644 
patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
 delete mode 100644 patches/php-5.3.10/series

-- 
1.7.9.5




[ptxdist] [PATCH 2/2] php: version bump 5.3.10 -> 5.4.24

2014-01-21 Thread Bruno Thomsen
Fixes a lot of security flaws and bugs.

Changelog:
http://www.php.net/ChangeLog-5.php#5.4.24

Old HACK patch removed since it cannot be applied on configure script.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 ...make-it-possible-to-force-cross-compiling.patch |   35 
 patches/php-5.3.10/series  |4 ---
 rules/php5.make|4 +--
 3 files changed, 2 insertions(+), 41 deletions(-)
 delete mode 100644 
patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
 delete mode 100644 patches/php-5.3.10/series

diff --git 
a/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch 
b/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
deleted file mode 100644
index 931f9b0..000
--- 
a/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Michael Olbrich m.olbr...@pengutronix.de
-Date: Sat, 27 Oct 2012 11:37:38 +0200
-Subject: [PATCH] HACK: make it possible to force cross-compiling
-
-configure checks for cross-compiling by running a simple program.
-This returns the wrong result when build and host architecture are
-the same.
-This patch makes it possible to force cross-compiling. It hacks
-configure because it cannot be regenerated.
-
-Signed-off-by: Michael Olbrich m.olbr...@pengutronix.de

- configure |2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/configure b/configure
-index 0900d02..ca0dec0 100755
 a/configure
-+++ b/configure
-@@ -2377,6 +2377,7 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS 
conftest.$ac_ext 15'
- ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS 
conftest.$ac_ext $LIBS 15'
- cross_compiling=$ac_cv_prog_cc_cross
- 
-+if test -z $ac_cv_prog_cc_cross; then
- cat  conftest.$ac_ext  EOF
- 
- #line 2383 configure
-@@ -2398,6 +2399,7 @@ else
-   ac_cv_prog_cc_works=no
- fi
- rm -fr conftest*
-+fi
- ac_ext=c
- # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
- ac_cpp='$CPP $CPPFLAGS'
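
Review bot: the deleted patch's own description says configure detects cross-compiling by running a test program and gets it wrong when build and host architecture are the same, and the guard it added (if test -z $ac_cv_prog_cc_cross) is removed here with no replacement. "Cannot be applied" in the commit message does not show that the problem is gone; please confirm that the 5.4.24 configure honours a preset cross-compiling value, or state how a same-architecture build was tested.
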
diff --git a/patches/php-5.3.10/series b/patches/php-5.3.10/series
deleted file mode 100644
index bad412b..000
--- a/patches/php-5.3.10/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-HACK-make-it-possible-to-force-cross-compiling.patch
-# 92e34182fd5e0535892f282141ab5993  - git-ptx-patches magic
diff --git a/rules/php5.make b/rules/php5.make
index f66a664..3e0f4de 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.3.10
-PHP5_MD5   := 816259e5ca7d0a7e943e56a3bb32b17f
+PHP5_VERSION   := 5.4.24
+PHP5_MD5   := acef880cc808b85e216897ee88187ee1
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
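
Review bot: only PHP5_VERSION and PHP5_MD5 change in rules/php5.make for a jump from the 5.3 series to the 5.4 series, so none of the PHP5_AUTOCONF options further down the file were revisited. Please run configure with every PHP5 extension option enabled and check its output for unrecognized options before resubmitting.
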
-- 
1.7.9.5




[ptxdist] [PATCHv2] php: version bump 5.3.10 -> 5.4.24

2014-01-24 Thread Bruno Thomsen
On Tue, Jan 21, 2014 at 04:34:05PM +0100, Bruno Thomsen wrote:
> Fixes a lot of security flaws and bugs.
>
> Changelog:
> http://www.php.net/ChangeLog-5.php#5.4.24
>
> Old HACK patch removed since it cannot be applied on configure script.

"cannot be applied" is a bad reason. The correct one in this case is "is no
longer needed".

Also, I get "configure: error: unrecognized options: --with-curl-wrappers"
when I try to build it with everything enabled.

Fixed curl-wrappers configuration error in version 2.

I thought that cross-compile with x86-64 host and ARM 32-bit target was the
normal use case. Unfortunately I don't have a test setup to confirm/deny the
need for that HACK patch.

I would recommend the patch to developers of devices that need to pass a
security audit, since the previous version of PHP contains exploits.


/Bruno


Bruno Thomsen (1):
  php: version bump 5.3.10 -> 5.4.24

 ...make-it-possible-to-force-cross-compiling.patch |   35 
 patches/php-5.3.10/series  |4 ---
 rules/php5.make|   10 +++---
 3 files changed, 6 insertions(+), 43 deletions(-)
 delete mode 100644 
patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
 delete mode 100644 patches/php-5.3.10/series

-- 
1.7.9.5




[ptxdist] [PATCHv2 1/1] php: version bump 5.3.10 -> 5.4.24

2014-01-24 Thread Bruno Thomsen
php: version bump 5.3.10 -> 5.4.24

Fix compiling of PHP with sqlite3 support on ptxdist 2012.04.0.

Fixes a lot of security flaws and bugs.

Changelog:
http://www.php.net/ChangeLog-5.php#5.4.24

PHP: Removal of curl-wrappers.
This feature has been marked as experimental for years and never turned to 
stable.
Most people using it just do so by accident.
This experimental feature should be moved in a new PECL extension for 
improvements until it gets stable.
https://wiki.php.net/rfc/curl-wrappers-removal-rfc
---
 ...make-it-possible-to-force-cross-compiling.patch |   35 
 patches/php-5.3.10/series  |4 ---
 rules/php5.make|   10 +++---
 3 files changed, 6 insertions(+), 43 deletions(-)
 delete mode 100644 
patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
 delete mode 100644 patches/php-5.3.10/series

diff --git 
a/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch 
b/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
deleted file mode 100644
index 931f9b0..000
--- 
a/patches/php-5.3.10/0001-HACK-make-it-possible-to-force-cross-compiling.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Michael Olbrich m.olbr...@pengutronix.de
-Date: Sat, 27 Oct 2012 11:37:38 +0200
-Subject: [PATCH] HACK: make it possible to force cross-compiling
-
-configure checks for cross-compiling by running a simple program.
-This returns the wrong result when build and host architecture are
-the same.
-This patch makes it possible to force cross-compiling. It hacks
-configure because it cannot be regenerated.
-
-Signed-off-by: Michael Olbrich m.olbr...@pengutronix.de

- configure |2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/configure b/configure
-index 0900d02..ca0dec0 100755
 a/configure
-+++ b/configure
-@@ -2377,6 +2377,7 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS 
conftest.$ac_ext 15'
- ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS 
conftest.$ac_ext $LIBS 15'
- cross_compiling=$ac_cv_prog_cc_cross
- 
-+if test -z $ac_cv_prog_cc_cross; then
- cat  conftest.$ac_ext  EOF
- 
- #line 2383 configure
-@@ -2398,6 +2399,7 @@ else
-   ac_cv_prog_cc_works=no
- fi
- rm -fr conftest*
-+fi
- ac_ext=c
- # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
- ac_cpp='$CPP $CPPFLAGS'
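
Review bot: this revision's commit message no longer mentions the removal of 0001-HACK-make-it-possible-to-force-cross-compiling.patch at all, although the deletion is still part of the change. Add one line giving the reason the patch is dropped, so the history explains why forced cross-compiling went away with 5.4.24.
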
diff --git a/patches/php-5.3.10/series b/patches/php-5.3.10/series
deleted file mode 100644
index bad412b..000
--- a/patches/php-5.3.10/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-HACK-make-it-possible-to-force-cross-compiling.patch
-# 92e34182fd5e0535892f282141ab5993  - git-ptx-patches magic
diff --git a/rules/php5.make b/rules/php5.make
index b24cd33..ad3e216 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.3.10
-PHP5_MD5   := 816259e5ca7d0a7e943e56a3bb32b17f
+PHP5_VERSION   := 5.4.24
+PHP5_MD5   := acef880cc808b85e216897ee88187ee1
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
@@ -222,8 +222,7 @@ endif
 
 ifdef PTXCONF_PHP5_EXT_CURL
 PHP5_AUTOCONF += \
-   --with-curl=$(SYSROOT)/usr \
-   --with-curl-wrappers
+   --with-curl=$(SYSROOT)/usr
 else
 PHP5_AUTOCONF += --without-curl
 endif
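
Review bot: the curl branch passes --with-curl=$(SYSROOT)/usr while the sqlite3 branch a few lines further down uses $(PTXDIST_SYSROOT_TARGET)/usr for the same kind of path. Since this line is being edited anyway, consider using the same sysroot variable in both places.
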
@@ -250,6 +249,9 @@ endif
 
 ifdef PTXCONF_PHP5_EXT_SQLITE3
 PHP5_AUTOCONF += --with-sqlite3=$(PTXDIST_SYSROOT_TARGET)/usr --with-pdo-sqlite
+# broken config system: sqlite3 (local copy) uses it
+# but it is only linked to if used by external dependencies
+PHP5_CONF_ENV += PHP_LDFLAGS=-ldl
 else
 PHP5_AUTOCONF += --without-sqlite3 --without-pdo-sqlite
 endif
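
Review bot: the PHP_LDFLAGS=-ldl addition in the PTXCONF_PHP5_EXT_SQLITE3 branch was a separate patch (1/2) in the previous round and is now folded into the version bump, which makes either change harder to revert on its own. Keep it as its own patch, and add the Signed-off-by line, which this revision's message is missing.
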
-- 
1.7.9.5




[ptxdist] [PATCH v2] net-snmp: Improved SNMPv3 authentication and privacy support.

2014-02-24 Thread Bruno Thomsen
Enabled SHA authentication and AES privacy (encryption) using OpenSSL.
Upgraded from libnl1 to libnl3 dependency.
Disable minimal agent when privacy is enabled.

Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES priv, minimal 
agent option disabled.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/net-snmp.in   |   13 -
 rules/net-snmp.make |4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/rules/net-snmp.in b/rules/net-snmp.in
index 9821328..052e59e 100644
--- a/rules/net-snmp.in
+++ b/rules/net-snmp.in
@@ -5,8 +5,10 @@ menuconfig NET_SNMP
select LIBC_M
select GCCLIBS_GCC_Sif NET_SNMP_AGENT
select LIBC_DL  if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
-   select LIBNLif NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
+   select LIBNL3   if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
select LM_SENSORS   if NET_SNMP_MIB_MODULES_LM_SENSORS
+   select OPENSSL  if NET_SNMP_SHA_AES
+   select NET_SNMP_PRIVACY if NET_SNMP_SHA_AES || NET_SNMP_DES
 
 if NET_SNMP
 
@@ -174,6 +176,7 @@ endchoice
 config NET_SNMP_MINI_AGENT
bool
default y
+   depends on ! NET_SNMP_PRIVACY
prompt minimal agent
 
 config NET_SNMP_AGENT
@@ -200,6 +203,10 @@ config NET_SNMP_SNMPV2C
bool
prompt support for SNMPv2c
 
+config NET_SNMP_PRIVACY
+   bool
+   prompt support for privacy (encryption)
+
 config NET_SNMP_DES
bool
prompt DES encryption
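
Review bot: NET_SNMP_PRIVACY is given a prompt, so it can be switched on by hand with neither NET_SNMP_DES nor NET_SNMP_SHA_AES set; configure would then get --enable-privacy with no cipher option behind it, and the minimal agent would be disabled for nothing. The menuconfig block already selects it from the two cipher options, so drop the prompt and keep it as a hidden symbol.
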
@@ -208,6 +215,10 @@ config NET_SNMP_MD5
bool
prompt MD5 authentication
 
+config NET_SNMP_SHA_AES
+   bool
+   prompt SHA authentication and AES encryption
+
 config NET_SNMP_DOM_SOCK_ONLY
bool Disable UDP/TCP transports for agentx if NET_SNMP_AGENT
default y
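
Review bot: NET_SNMP_SHA_AES ties SHA authentication and AES encryption to a single switch and has no help text, so a user cannot tell from the menu that enabling it pulls in OpenSSL through the select at the top of the file. Add a help entry that says so and that states how it relates to the existing NET_SNMP_MD5 and NET_SNMP_DES options.
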
diff --git a/rules/net-snmp.make b/rules/net-snmp.make
index 6bdecd8..6ddb954 100644
--- a/rules/net-snmp.make
+++ b/rules/net-snmp.make
@@ -47,7 +47,7 @@ NET_SNMP_AUTOCONF := \
$(GLOBAL_IPV6_OPTION) \
--with-defaults \
--disable-manuals \
-   --without-openssl \
+   --$(call ptx/wwo, PTXCONF_NET_SNMP_SHA_AES)-openssl \
--with-mib-modules=$(NET_SNMP_MIB_MODULES-y) \
--with-out-mib-modules=$(NET_SNMP_MIB_MODULES-) \
--with-mibs=$(PTXCONF_NET_SNMP_DEFAULT_MIBS) \
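
Review bot: nothing in NET_SNMP_AUTOCONF changes for netlink, although rules/net-snmp.in now selects LIBNL3 instead of LIBNL. Please show how configure locates the libnl3 headers and library in the sysroot, or keep the LIBNL select until it does.
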
@@ -58,7 +58,7 @@ NET_SNMP_AUTOCONF := \
--disable-embedded-perl \
--without-perl-modules \
--disable-static \
-   --disable-privacy \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_PRIVACY)-privacy \
--disable-internal-md5 \
--$(call ptx/endis, 
PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
--enable-mib-config-checking \
-- 
1.7.9.5




[ptxdist] [PATCH] ntp: version bump 4.2.6 -> 4.2.6p5

2014-02-25 Thread Bruno Thomsen
Version 4.2.6p5 is the latest stable release.
Fixed install ntpq option.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 patches/ntp-4.2.6/Fix-undefined-MOD_NANO.patch   |   42 --
 patches/ntp-4.2.6/series |1 -
 patches/ntp-4.2.6p5/Fix-undefined-MOD_NANO.patch |   42 ++
 patches/ntp-4.2.6p5/series   |1 +
 rules/ntp.make   |6 ++--
 5 files changed, 46 insertions(+), 46 deletions(-)
 delete mode 100644 patches/ntp-4.2.6/Fix-undefined-MOD_NANO.patch
 delete mode 100644 patches/ntp-4.2.6/series
 create mode 100644 patches/ntp-4.2.6p5/Fix-undefined-MOD_NANO.patch
 create mode 100644 patches/ntp-4.2.6p5/series

diff --git a/patches/ntp-4.2.6/Fix-undefined-MOD_NANO.patch 
b/patches/ntp-4.2.6/Fix-undefined-MOD_NANO.patch
deleted file mode 100644
index f4200cf..000
--- a/patches/ntp-4.2.6/Fix-undefined-MOD_NANO.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 4ccca7260da74d8f9a238a79c03da440831bd33e Mon Sep 17 00:00:00 2001
-From: Alexander Stein alexander.st...@systec-electronic.com
-Date: Tue, 5 Jan 2010 13:13:02 +0100
-Subject: [PATCH] Fix undefined MOD_NANO
-
-With gcc version 4.4.1 (Sourcery G++ Lite 2009q3-67) I get this error:
-
-ntp_loopfilter.c: In function 'local_clock':
-ntp_loopfilter.c:571: error: 'MOD_NANO' undeclared (first use in this function)
-ntp_loopfilter.c:571: error: (Each undeclared identifier is reported only once
-ntp_loopfilter.c:571: error: for each function it appears in.)
-ntp_loopfilter.c: In function 'loop_config':
-ntp_loopfilter.c:896: error: 'MOD_NANO' undeclared (first use in this function)
-make[4]: *** [ntp_loopfilter.o] Error 1
-
-Fix it by chaning MOD_NANO to STA_NANO.
-
-This may be related to some specific toolchains, due to some defines. I use 
the 
-Codesourcery Sourcery G++ Lite 2009q3-67 toolchain.
-
-Signed-off-by: Alexander Stein alexander.st...@systec-electronic.com
-Signed-off-by: Marc Kleine-Budde m...@pengutronix.de
-

-#mkl: ported to ntp-4.2.6
-
- ntpd/ntp_loopfilter.c |2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: ntp-4.2.6/ntpd/ntp_loopfilter.c
-===
 ntp-4.2.6.orig/ntpd/ntp_loopfilter.c
-+++ ntp-4.2.6/ntpd/ntp_loopfilter.c
-@@ -517,7 +517,7 @@ local_clock(
-   ntv.modes = MOD_STATUS;
-   } else {
- #ifdef STA_NANO
--  ntv.modes = MOD_BITS | MOD_NANO;
-+  ntv.modes = MOD_BITS | STA_NANO;
- #else /* STA_NANO */
-   ntv.modes = MOD_BITS;
- #endif /* STA_NANO */
diff --git a/patches/ntp-4.2.6/series b/patches/ntp-4.2.6/series
deleted file mode 100644
index 6a7679c..000
--- a/patches/ntp-4.2.6/series
+++ /dev/null
@@ -1 +0,0 @@
-Fix-undefined-MOD_NANO.patch
diff --git a/patches/ntp-4.2.6p5/Fix-undefined-MOD_NANO.patch 
b/patches/ntp-4.2.6p5/Fix-undefined-MOD_NANO.patch
new file mode 100644
index 000..f4200cf
--- /dev/null
+++ b/patches/ntp-4.2.6p5/Fix-undefined-MOD_NANO.patch
@@ -0,0 +1,42 @@
+From 4ccca7260da74d8f9a238a79c03da440831bd33e Mon Sep 17 00:00:00 2001
+From: Alexander Stein alexander.st...@systec-electronic.com
+Date: Tue, 5 Jan 2010 13:13:02 +0100
+Subject: [PATCH] Fix undefined MOD_NANO
+
+With gcc version 4.4.1 (Sourcery G++ Lite 2009q3-67) I get this error:
+
+ntp_loopfilter.c: In function 'local_clock':
+ntp_loopfilter.c:571: error: 'MOD_NANO' undeclared (first use in this function)
+ntp_loopfilter.c:571: error: (Each undeclared identifier is reported only once
+ntp_loopfilter.c:571: error: for each function it appears in.)
+ntp_loopfilter.c: In function 'loop_config':
+ntp_loopfilter.c:896: error: 'MOD_NANO' undeclared (first use in this function)
+make[4]: *** [ntp_loopfilter.o] Error 1
+
+Fix it by chaning MOD_NANO to STA_NANO.
+
+This may be related to some specific toolchains, due to some defines. I use 
the 
+Codesourcery Sourcery G++ Lite 2009q3-67 toolchain.
+
+Signed-off-by: Alexander Stein alexander.st...@systec-electronic.com
+Signed-off-by: Marc Kleine-Budde m...@pengutronix.de
+
+---
+#mkl: ported to ntp-4.2.6
+
+ ntpd/ntp_loopfilter.c |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ntp-4.2.6/ntpd/ntp_loopfilter.c
+===
+--- ntp-4.2.6.orig/ntpd/ntp_loopfilter.c
 ntp-4.2.6/ntpd/ntp_loopfilter.c
+@@ -517,7 +517,7 @@ local_clock(
+   ntv.modes = MOD_STATUS;
+   } else {
+ #ifdef STA_NANO
+-  ntv.modes = MOD_BITS | MOD_NANO;
++  ntv.modes = MOD_BITS | STA_NANO;
+ #else /* STA_NANO */
+   ntv.modes = MOD_BITS;
+ #endif /* STA_NANO */
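
Review bot: the patch is re-added under patches/ntp-4.2.6p5/ with the same blob (index f4200cf) and still carries "#mkl: ported to ntp-4.2.6" and ntp-4.2.6/ paths, so nothing here shows it was checked against 4.2.6p5. Please confirm that the MOD_NANO build error still occurs on 4.2.6p5 and that the hunk applies without fuzz, update the port note, and generate the patch with rename detection so the review shows a move instead of a 42-line delete and add.
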
diff --git a/patches/ntp-4.2.6p5/series b/patches/ntp-4.2.6p5/series
new file mode 100644
index 000..6a7679c
--- /dev/null
+++ b/patches/ntp-4.2.6p5/series
@@ -0,0 +1 @@
+Fix-undefined-MOD_NANO.patch
diff --git

Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.

2014-03-07 Thread Bruno Thomsen
Hi Michael

> -Original Message-
> From: ptxdist-boun...@pengutronix.de [mailto:ptxdist-boun...@pengutronix.de]
> On Behalf Of Michael Olbrich
> Sent: 6. marts 2014 18:30
> To: ptxdist@pengutronix.de
> Subject: Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and
> privacy support.
>
> Are you sure about this? libnl3 requires -$SYSROOT/libnl3 and I don't see
> how this is added.
>
> The rest looks ok, although the whole file could really use some cleanup.
> But that's unrelated to this patch.


In my setup I only use libnl3 (mainline rule), there might be an issue if you 
install both libnl1 and libnl3.
If I understand the "libnl3 requires -$SYSROOT/libnl3" correctly, you want to add
the following?

===
--- net-snmp.make   (revision 191422)
+++ net-snmp.make   (working copy)
@@ -54,6 +54,7 @@
--with-logfile=$(call remove_quotes,$(PTXCONF_NET_SNMP_LOGFILE)) \
--with-persistent-directory=$(call 
remove_quotes,$(PTXCONF_NET_SNMP_PERSISTENT_DIR)) \
--with-default-snmp-version=$(call 
remove_quotes,$(PTXCONF_NET_SNMP_DEFAULT_VERSION)) \
+   --$(call ptx/wwo, PTXCONF_LIBNL3)-nl=$(SYSROOT)/usr/include/libnl3 \
--enable-shared \
--disable-embedded-perl \
--without-perl-modules \
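
Review bot: with PTXCONF_LIBNL3 unset, the added line expands to --without-nl=$(SYSROOT)/usr/include/libnl3, a negated option that still carries a path. Emit the =path part only in the enabled case.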


I didn't want to clutter this patch with rule cleanup, but I was planning to do 
a cleanup patch after this was mainlined.




[ptxdist] [PATCHv3] net-snmp: Improved SNMPv3 authentication and privacy support.

2014-03-13 Thread Bruno Thomsen
Enabled SHA authentication and AES privacy (encryption) using OpenSSL.
Upgraded from libnl1 to libnl3 dependency, and explicitly request libnl3.
Disable minimal agent when privacy is enabled.

Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES priv, minimal 
agent option disabled.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/net-snmp.in   |   13 -
 rules/net-snmp.make |5 +++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/rules/net-snmp.in b/rules/net-snmp.in
index 9821328..052e59e 100644
--- a/rules/net-snmp.in
+++ b/rules/net-snmp.in
@@ -5,8 +5,10 @@ menuconfig NET_SNMP
select LIBC_M
select GCCLIBS_GCC_Sif NET_SNMP_AGENT
select LIBC_DL  if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
-   select LIBNLif NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
+   select LIBNL3   if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
select LM_SENSORS   if NET_SNMP_MIB_MODULES_LM_SENSORS
+   select OPENSSL  if NET_SNMP_SHA_AES
+   select NET_SNMP_PRIVACY if NET_SNMP_SHA_AES || NET_SNMP_DES
 
 if NET_SNMP
 
@@ -174,6 +176,7 @@ endchoice
 config NET_SNMP_MINI_AGENT
bool
default y
+   depends on ! NET_SNMP_PRIVACY
prompt minimal agent
 
 config NET_SNMP_AGENT
@@ -200,6 +203,10 @@ config NET_SNMP_SNMPV2C
bool
prompt support for SNMPv2c
 
+config NET_SNMP_PRIVACY
+   bool
+   prompt support for privacy (encryption)
+
 config NET_SNMP_DES
bool
prompt DES encryption
@@ -208,6 +215,10 @@ config NET_SNMP_MD5
bool
prompt MD5 authentication
 
+config NET_SNMP_SHA_AES
+   bool
+   prompt SHA authentication and AES encryption
+
 config NET_SNMP_DOM_SOCK_ONLY
bool Disable UDP/TCP transports for agentx if NET_SNMP_AGENT
default y
diff --git a/rules/net-snmp.make b/rules/net-snmp.make
index 6bdecd8..fd97886 100644
--- a/rules/net-snmp.make
+++ b/rules/net-snmp.make
@@ -47,18 +47,19 @@ NET_SNMP_AUTOCONF := \
$(GLOBAL_IPV6_OPTION) \
--with-defaults \
--disable-manuals \
-   --without-openssl \
+   --$(call ptx/wwo, PTXCONF_NET_SNMP_SHA_AES)-openssl \
--with-mib-modules=$(NET_SNMP_MIB_MODULES-y) \
--with-out-mib-modules=$(NET_SNMP_MIB_MODULES-) \
--with-mibs=$(PTXCONF_NET_SNMP_DEFAULT_MIBS) \
--with-logfile=$(call remove_quotes,$(PTXCONF_NET_SNMP_LOGFILE)) \
--with-persistent-directory=$(call 
remove_quotes,$(PTXCONF_NET_SNMP_PERSISTENT_DIR)) \
--with-default-snmp-version=$(call 
remove_quotes,$(PTXCONF_NET_SNMP_DEFAULT_VERSION)) \
+   --$(call ptx/wwo, PTXCONF_LIBNL3)-nl$(call ptx/ifdef, PTXCONF_LIBNL3, 
=$(SYSROOT)/usr/include/libnl3, ) \
--enable-shared \
--disable-embedded-perl \
--without-perl-modules \
--disable-static \
-   --disable-privacy \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_PRIVACY)-privacy \
--disable-internal-md5 \
--$(call ptx/endis, 
PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
--enable-mib-config-checking \
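
Review bot: the new -nl line is keyed on PTXCONF_LIBNL3 alone and hands configure an include directory, $(SYSROOT)/usr/include/libnl3, as the value of --with-nl. Check the configure output for the nl_connect library test with this option set, and check that the space after the comma in the ptx/ifdef call does not end up between -nl and =.
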
-- 
1.7.9.5




Re: [ptxdist] [PATCHv3] net-snmp: Improved SNMPv3 authentication and privacy support.

2014-03-14 Thread Bruno Thomsen
-Original Message-
From: ptxdist-boun...@pengutronix.de [mailto:ptxdist-boun...@pengutronix.de] On 
Behalf Of Michael Olbrich
Sent: 13. marts 2014 15:38
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCHv3] net-snmp: Improved SNMPv3 authentication and 
privacy support.

On Thu, Mar 13, 2014 at 03:20:26PM +0100, Bruno Thomsen wrote:
> Enabled SHA authentication and AES privacy (encryption) using OpenSSL.
> Upgraded from libnl1 to libnl3 dependency, and explicitly request libnl3.
> Disable minimal agent when privacy is enabled.
>
> Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES priv,
> minimal agent option disabled.

This still doesn't work with nl3:

ptxdist -f clean  ptxdist prepare net-snmp

 [...]
checking for library containing nl_connect... no [...]

I've applied this without the nl1 -> nl3 change.

Okay, my configure also states "nl_connect... no", but compiles and runs as
expected with network interfaces, routing, etc. information.
I only upgraded from libnl1 since it produced compile-time errors in my setup 
(ptxdist 2012.04.0 with mainline rules).




[ptxdist] [PATCH] net-snmp: clean up rule file

2014-04-08 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/net-snmp.make |   98 ---
 1 file changed, 14 insertions(+), 84 deletions(-)

diff --git a/rules/net-snmp.make b/rules/net-snmp.make
index 6ddb954..a2efc59 100644
--- a/rules/net-snmp.make
+++ b/rules/net-snmp.make
@@ -60,91 +60,27 @@ NET_SNMP_AUTOCONF := \
--disable-static \
--$(call ptx/endis, PTXCONF_NET_SNMP_PRIVACY)-privacy \
--disable-internal-md5 \
+   --with-endianness=$(call ptx/ifdef, PTXCONF_ENDIAN_LITTLE, little, big)
--$(call ptx/endis, 
PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_MINI_AGENT)-mini-agent \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_AGENT)-agent \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_APPLICATIONS)-applications \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_SCRIPTS)-scripts \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_MIBS)-mibs \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_MIB_LOADING)-mib-loading \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_SNMPV1)-snmpv1 \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_SNMPV2C)-snmpv2c \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_DES)-des \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_MD5)-md5 \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_SNMPTRAPD)-snmptrapd-subagent \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_LOCAL_SMUX)-local-smux \
+   --$(call ptx/endis, PTXCONF_NET_SNMP_DEVELOPER)-developer \
--enable-mib-config-checking \
--enable-mfd-rewrites \
--disable-testing-code \
--disable-reentrant \
--disable-ucd-snmp-compatibility
 
-ifdef PTXCONF_ENDIAN_LITTLE
-NET_SNMP_AUTOCONF += --with-endianness=little
-else
-NET_SNMP_AUTOCONF += --with-endianness=big
-endif
-
-ifdef PTXCONF_NET_SNMP_MINI_AGENT
-NET_SNMP_AUTOCONF += --enable-mini-agent
-else
-NET_SNMP_AUTOCONF += --disable-mini-agent
-endif
-
-ifdef PTXCONF_NET_SNMP_AGENT
-NET_SNMP_AUTOCONF += --enable-agent
-else
-NET_SNMP_AUTOCONF += --disable-agent
-endif
-
-ifdef PTXCONF_NET_SNMP_APPLICATIONS
-NET_SNMP_AUTOCONF += --enable-applications
-else
-NET_SNMP_AUTOCONF += --disable-applications
-endif
-
-ifdef PTXCONF_NET_SNMP_SCRIPTS
-NET_SNMP_AUTOCONF += --enable-scripts
-else
-NET_SNMP_AUTOCONF += --disable-scripts
-endif
-
-ifdef PTXCONF_NET_SNMP_MIBS
-NET_SNMP_AUTOCONF += --enable-mibs
-else
-NET_SNMP_AUTOCONF += --disable-mibs
-endif
-
-ifdef PTXCONF_NET_SNMP_MIB_LOADING
-NET_SNMP_AUTOCONF += --enable-mib-loading
-else
-NET_SNMP_AUTOCONF += --disable-mib-loading
-endif
-
-ifdef PTXCONF_NET_SNMP_SNMPV1
-NET_SNMP_AUTOCONF += --enable-snmpv1
-else
-NET_SNMP_AUTOCONF += --disable-snmpv1
-endif
-
-ifdef PTXCONF_NET_SNMP_SNMPV2C
-NET_SNMP_AUTOCONF += --enable-snmpv2c
-else
-NET_SNMP_AUTOCONF += --disable-snmpv2c
-endif
-
-ifdef PTXCONF_NET_SNMP_DES
-NET_SNMP_AUTOCONF += --enable-des
-else
-NET_SNMP_AUTOCONF += --disable-des
-endif
-
-ifdef PTXCONF_NET_SNMP_MD5
-NET_SNMP_AUTOCONF += --enable-md5
-else
-NET_SNMP_AUTOCONF += --disable-md5
-endif
-
-ifdef PTXCONF_NET_SNMP_SNMPTRAPD
-NET_SNMP_AUTOCONF += --enable-snmptrapd-subagent
-else
-NET_SNMP_AUTOCONF += --disable-snmptrapd-subagent
-endif
-
-ifdef PTXCONF_NET_SNMP_LOCAL_SMUX
-NET_SNMP_AUTOCONF += --enable-local-smux
-else
-NET_SNMP_AUTOCONF += --disable-local-smux
-endif
-
 ifdef PTXCONF_NET_SNMP_FORCE_DEBUGGING
 NET_SNMP_AUTOCONF += --enable-debugging
 endif
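
Review bot: the added --with-endianness line has no trailing backslash, so the NET_SNMP_AUTOCONF assignment ends there and the --$(call ptx/endis, ...) lines after it are no longer part of the option list. Add the line continuation and rebuild with the resulting configure command line checked against the old ifdef blocks this hunk removes.
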
@@ -153,12 +89,6 @@ ifdef PTXCONF_NET_SNMP_STRIP_DEBUGGING
 NET_SNMP_AUTOCONF += --disable-debugging
 endif
 
-ifdef PTXCONF_NET_SNMP_DEVELOPER
-NET_SNMP_AUTOCONF += --enable-developer
-else
-NET_SNMP_AUTOCONF += --disable-developer
-endif
-
 NET_SNMP_MAKE_PAR := NO
 
 # 
-- 
1.7.9.5




Re: [ptxdist] [PATCH] net-snmp: clean up rule file

2014-04-09 Thread Bruno Thomsen
> -Original Message-
> From: ptxdist-boun...@pengutronix.de [mailto:ptxdist-boun...@pengutronix.de]
> On Behalf Of Michael Olbrich
> Sent: 8. april 2014 17:43
> To: ptxdist@pengutronix.de
> Subject: Re: [ptxdist] [PATCH] net-snmp: clean up rule file
>
> On Tue, Apr 08, 2014 at 03:13:51PM +0200, Bruno Thomsen wrote:
  Signed-off-by: Bruno Thomsen b...@kamstrup.dk
  ---
   rules/net-snmp.make |   98 
  ---
   1 file changed, 14 insertions(+), 84 deletions(-)
  
  diff --git a/rules/net-snmp.make b/rules/net-snmp.make index 
  6ddb954..a2efc59 100644
  --- a/rules/net-snmp.make
  +++ b/rules/net-snmp.make
  @@ -60,91 +60,27 @@ NET_SNMP_AUTOCONF := \
  --disable-static \
  --$(call ptx/endis, PTXCONF_NET_SNMP_PRIVACY)-privacy \
  --disable-internal-md5 \
  +   --with-endianness=$(call ptx/ifdef, PTXCONF_ENDIAN_LITTLE, little, 
  +big)
 
> This line is missing '\' at the end.


Sharp eyes :)
It has been lost somewhere between company SVN and GIT. I will resend a fixed 
patch.




[ptxdist] [PATCH] php5: version bump 5.4.24 -> 5.4.27

2014-04-09 Thread Bruno Thomsen
Multiple bugs were fixed including CVE-2013-7345, CVE-2014-1943, CVE-2014-2270.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.make |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index ad3e216..90c6996 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.24
-PHP5_MD5   := acef880cc808b85e216897ee88187ee1
+PHP5_VERSION   := 5.4.27
+PHP5_MD5   := 1c6e99187d25023411b663ea09f145ee
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
-- 
1.7.9.5




[ptxdist] [PATCH 1/2] dropbear: version bump 2013.60 -> 2014.63

2014-06-03 Thread Bruno Thomsen
Added ECC (elliptic curve) support with ECDSA hostkeys (requires
new keys to be generated) and ECDH for setting up
encryption keys (no intervention required).
Added new -R option to automatically generate hostkeys as needed
(recommended for embedded platforms).
Darwin patch is no longer needed due to mainline fix.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 .../0001-Fix-build-on-Darwin.patch |   43 
 patches/dropbear-2013.60/series|4 --
 rules/dropbear.make|4 +-
 3 files changed, 2 insertions(+), 49 deletions(-)
 delete mode 100644 patches/dropbear-2013.60/0001-Fix-build-on-Darwin.patch
 delete mode 100644 patches/dropbear-2013.60/series

diff --git a/patches/dropbear-2013.60/0001-Fix-build-on-Darwin.patch 
b/patches/dropbear-2013.60/0001-Fix-build-on-Darwin.patch
deleted file mode 100644
index 1d5d539..000
--- a/patches/dropbear-2013.60/0001-Fix-build-on-Darwin.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Bernhard Walle bernh...@bwalle.de
-Date: Tue, 20 Mar 2012 08:28:57 +0100
-Subject: [PATCH] Fix build on Darwin
-
-From
-https://dev.openwrt.org/browser/trunk/package/dropbear/patches/200-lcrypt_bsdfix.patch?rev=25891.
-
-Signed-off-by: Bernhard Walle bernh...@bwalle.de

- Makefile.in | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index bce11c8..e0ed668 100644
 a/Makefile.in
-+++ b/Makefile.in
-@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h packet.h algo.h ssh.h 
buffer.h kex.h \
-   loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
-   listener.h fake-rfc2553.h
- 
--dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ 
-+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
- dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
- dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
- dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-@@ -79,7 +79,7 @@ STRIP=@STRIP@
- INSTALL=@INSTALL@
- CPPFLAGS=@CPPFLAGS@
- CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
--LIBS+=@LIBS@
-+LIBS+=@LIBS@ @CRYPTLIB@ 
- LDFLAGS=@LDFLAGS@
- 
- EXEEXT=@EXEEXT@
-@@ -169,7 +169,7 @@ scp: $(SCPOBJS)  $(HEADERS) Makefile
- # multi-binary compilation.
- MULTIOBJS=
- ifeq ($(MULTI),1)
--  MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), 
$($(prog)objs))) @CRYPTLIB@ 
-+  MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
-   CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
- endif
- 
diff --git a/patches/dropbear-2013.60/series b/patches/dropbear-2013.60/series
deleted file mode 100644
index d9df7e0..000
--- a/patches/dropbear-2013.60/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-Fix-build-on-Darwin.patch
-# e4c948951d2fafee17a83f484c126a7e  - git-ptx-patches magic
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 60de9d4..5ab6fd3 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION   := 2013.60
-DROPBEAR_MD5   := fffa2fec0c887201bed3a3cc6df7fa35
+DROPBEAR_VERSION   := 2014.63
+DROPBEAR_MD5   := 7066bb9a2da708f3ed06314fdc9c47fd
 DROPBEAR   := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX:= tar.bz2
 DROPBEAR_URL   := 
http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
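
Review bot: DROPBEAR_URL in the context lines is plain http://, so the new DROPBEAR_MD5 value is the only thing tying the build to the intended tarball, and nothing in the patch says where that value came from. Please state in the commit message that it was compared against the checksum or signature published with the 2014.63 release rather than computed from a local download.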
-- 
1.7.9.5




[ptxdist] [PATCH 2/2] dropbear: Added Elliptic Curve Cryptography options.

2014-06-03 Thread Bruno Thomsen
Support for ecdsa, ecdh and curve25519-donna options.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/dropbear.in   |   27 +++
 rules/dropbear.make |   24 
 2 files changed, 51 insertions(+)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 21301ba..c99d432 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -288,6 +288,33 @@ config DROPBEAR_DSS
  key size). In contrast, RSA signature length is a function
  of the key length employed.
 
+config DROPBEAR_ECDSA
+   bool
+   prompt ecdsa
+   default n
+   help
+ ECDSA stands for Elliptic Curve Digital Signature Algorithm.
+ ECDSA is significantly faster than RSA or DSS.
+
+config DROPBEAR_ECDH
+   bool
+   prompt ecdh
+   default n
+   help
+ ECDH stands for Elliptic Curve Diffie-Hellman.
+
+config DROPBEAR_CURVE25519
+   bool
+   depends on DROPBEAR_ECDSA || DROPBEAR_ECDH
+   prompt curve25519-donna
+   default n
+   help
+ Enable curve25519-donna for key exchange.
+ This is another elliptic curve method with good security properties.
+ This algorithm does not rely on NIST-based curves
+ and gives us more security confidence against a possible
+ backdoor in nistp-256 curve.
+
 comment Authentication types, at least one required --- RFC Draft requires 
pubkey auth
 
 config DROPBEAR_PASSWD
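
Review bot: `depends on DROPBEAR_ECDSA || DROPBEAR_ECDH` on DROPBEAR_CURVE25519 works against its own help text: the option is described as the method that does not rely on NIST-based curves, yet it can only be selected after enabling one of the two options above it, which in dropbear are the NIST-curve ones. If curve25519-donna builds without them, drop the dependency so that a configuration with curve25519 as the only elliptic-curve method is possible; if it does not, say so in the help text.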
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 5ab6fd3..5cbd4aa 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -222,6 +222,30 @@ else
@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS)
 endif
 
+ifdef PTXCONF_DROPBEAR_ECDSA
+   @echo ptxdist: enabling ecdsa
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
+else
+   @echo ptxdist: disabling ecdsa
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
+endif
+
+ifdef PTXCONF_DROPBEAR_ECDH
+   @echo ptxdist: enabling ecdh
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
+else
+   @echo ptxdist: disabling ecdh
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
+endif
+
+ifdef PTXCONF_DROPBEAR_CURVE25519
+   @echo ptxdist: enabling curve25519
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
+else
+   @echo ptxdist: disabling curve25519
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
+endif
+
 ifdef PTXCONF_DROPBEAR_PASSWD
@echo ptxdist: enabling passwd
@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH)
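
Review bot: the PTXCONF_DROPBEAR_ECDSA block only flips the define in options.h; nothing in this hunk generates or installs an ECDSA hostkey, and patch 1/2 states that new keys have to be generated. Mention in the DROPBEAR_ECDSA help text how the key gets created on the target, for example with the -R option named in 1/2, so the option does not end up enabled while only the existing RSA/DSS keys are offered.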
-- 
1.7.9.5




[ptxdist] [PATCH] php5: version bump 5.4.27 - 5.4.29

2014-06-24 Thread Bruno Thomsen
Multiple bugs were fixed including security issues CVE-2014-0238, CVE-2014-0237 
and CVE-2014-0185.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.make |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index 90c6996..7b64b26 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.27
-PHP5_MD5   := 1c6e99187d25023411b663ea09f145ee
+PHP5_VERSION   := 5.4.29
+PHP5_MD5   := 64326cef257e5af17c366fefab136e53
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
-- 
1.7.9.5




[ptxdist] [PATCH v2] php5: version pump 5.4.29 - 5.4.30

2014-07-14 Thread Bruno Thomsen
Multiple bugs were fixed including security issues CVE-2014-3981, 
CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, 
CVE-2014-4049, CVE-2014-3515.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
v1..v2:
Wrong package hash; Mixup between php 5.4 and 5.5 test.

 rules/php5.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index 7b64b26..3657bc4 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.29
-PHP5_MD5   := 64326cef257e5af17c366fefab136e53
+PHP5_VERSION   := 5.4.30
+PHP5_MD5   := a8a27fdc1d9e1020c9f8922b608326de
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
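
Review bot: the subject reads "version pump"; it should be "version bump" so the commit is found together with the other php5 bumps when searching the log. The v1..v2 note says v1 carried a hash taken from the wrong PHP branch, so please record in the commit message that the new PHP5_MD5 was compared against the checksum published for php-5.4.30.tar.bz2, since that variable is the only integrity check on the download visible in this rule.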
-- 
1.9.1




[ptxdist] [RFC] u-boot-tools: emmc support in fw_printenv/fw_setenv

2014-08-04 Thread Bruno Thomsen
Provide read/write access to U-Boot environment stored in eMMC flash from Linux.

Access to U-Boot environment can be very useful; dual kernel/rootfs images, 
production default values, change kernel bootargs, etc.

Tested with U-Boot 2009.08 and 2013.04 on TQMa28.

Warning! This is not ready for ptxdist mainline inclusion.

Signed-off-by: Martin Fisker m...@kamstrup.dk
Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 ...oot-emmc-support-in-fw_printenv-fw_setenv.patch | 182 +
 patches/u-boot-2011.12/series  |   3 +-
 2 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100644 
patches/u-boot-2011.12/0002-u-boot-emmc-support-in-fw_printenv-fw_setenv.patch

diff --git 
a/patches/u-boot-2011.12/0002-u-boot-emmc-support-in-fw_printenv-fw_setenv.patch
 
b/patches/u-boot-2011.12/0002-u-boot-emmc-support-in-fw_printenv-fw_setenv.patch
new file mode 100644
index 000..95916ca
--- /dev/null
+++ 
b/patches/u-boot-2011.12/0002-u-boot-emmc-support-in-fw_printenv-fw_setenv.patch
@@ -0,0 +1,182 @@
+From: Bruno Thomsen b...@kamstrup.dk
+Date: Fri, 1 Aug 2014 10:00:16 +0200
+Subject: [RFC] u-boot: emmc support in fw_printenv/fw_setenv
+
+Provide read/write access to U-Boot environment stored in eMMC flash from 
Linux.
+
+Signed-off-by: Martin Fisker m...@kamstrup.dk
+Signed-off-by: Bruno Thomsen b...@kamstrup.dk
+---
+ tools/env/fw_env.c  | 77 +
+ tools/env/fw_env.config |  4 +++
+ 2 files changed, 56 insertions(+), 25 deletions(-)
+
+diff --git a/tools/env/fw_env.c b/tools/env/fw_env.c
+index 996682e..631a26f 100644
+--- a/tools/env/fw_env.c
 b/tools/env/fw_env.c
+@@ -45,6 +45,8 @@
+ 
+ #include fw_env.h
+ 
++#define CONFIG_ENV_IS_IN_MMC
++
+ #define WHITESPACE(c) ((c == '\t') || (c == ' '))
+ 
+ #define min(x, y) ({  \
+@@ -773,10 +775,10 @@ static int flash_write_buf (int dev, int fd, void *buf, 
size_t count,
+ 
+   blocklen = DEVESIZE (dev);
+ 
+-  top_of_range = ((DEVOFFSET(dev) / blocklen) +
+-  ENVSECTORS (dev)) * blocklen;
++  top_of_range = (DEVOFFSET(dev)  ~(blocklen - 1)) +
++  ENVSECTORS (dev) * blocklen;
+ 
+-  erase_offset = (offset / blocklen) * blocklen;
++  erase_offset = offset  ~(blocklen - 1);
+ 
+   /* Maximum area we may use */
+   erase_len = top_of_range - erase_offset;
+@@ -790,8 +792,7 @@ static int flash_write_buf (int dev, int fd, void *buf, 
size_t count,
+* to the start of the data, then count bytes of data, and to the
+* end of the block
+*/
+-  write_total = ((block_seek + count + blocklen - 1) /
+-  blocklen) * blocklen;
++  write_total = (block_seek + count + blocklen - 1)  ~(blocklen - 1);
+ 
+   /*
+* Support data anywhere within erase sectors: read out the complete
+@@ -807,9 +808,9 @@ static int flash_write_buf (int dev, int fd, void *buf, 
size_t count,
+   return -1;
+   }
+ 
+-  rc = flash_read_buf (dev, fd, data, write_total, erase_offset,
+-   mtd_type);
+-  if (write_total != rc)
++  rc = flash_read_buf (dev, fd, data, CONFIG_ENV_SIZE,
++  DEVOFFSET(dev_current), mtd_type);
++  if (CONFIG_ENV_SIZE != rc)
+   return -1;
+ 
+   /* Overwrite the old environment */
+@@ -835,22 +836,27 @@ static int flash_write_buf (int dev, int fd, void *buf, 
size_t count,
+   erase.length = erasesize;
+ 
+   /* This only runs once on NOR flash and SPI-dataflash */
++  int loopcount = 0;
+   while (processed  write_total) {
+-  rc = flash_bad_block (fd, mtd_type, blockstart);
+-  if (rc  0) /* block test failed */
+-  return rc;
+-
+-  if (blockstart + erasesize  top_of_range) {
+-  fprintf (stderr, End of range reached, aborting\n);
+-  return -1;
+-  }
++  loopcount++;
++  if(mtd_type != MTD_ABSENT)
++  {
++  rc = flash_bad_block (fd, mtd_type, blockstart);
++  if (rc  0) /* block test failed */
++  return rc;
++
++  if (blockstart + erasesize  top_of_range) {
++  fprintf (stderr, End of range reached, 
aborting\n);
++  return -1;
++  }
+ 
+-  if (rc) {   /* block is bad */
+-  blockstart += blocklen;
+-  continue;
++  if (rc) {   /* block is bad */
++  blockstart += blocklen;
++  continue
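
Review bot: in flash_write_buf the read-back now uses `DEVOFFSET(dev_current)` and `CONFIG_ENV_SIZE`, although the function is called with `dev` and has just computed `erase_offset` and `write_total` for that device; when the environment being written is not the current one, or when CONFIG_ENV_SIZE differs from write_total, `data` is filled from the wrong offset or with the wrong length. Keep the read tied to `dev` and check the length against the buffer that was allocated. Two further points: the `~(blocklen - 1)` masks that replace the divisions are only equivalent when blocklen is a nonzero power of two, which should be asserted or documented, and the unconditional `#define CONFIG_ENV_IS_IN_MMC` hard-codes the storage choice in fw_env.c instead of selecting it per board configuration.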

[ptxdist] [PATCH] dropbear: version bump 2014.63 - 2014.65

2014-08-20 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/dropbear.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index 5cbd4aa..f03d0fc 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION   := 2014.63
-DROPBEAR_MD5   := 7066bb9a2da708f3ed06314fdc9c47fd
+DROPBEAR_VERSION   := 2014.65
+DROPBEAR_MD5   := 1918604238817385a156840fa2c39490
 DROPBEAR   := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX:= tar.bz2
 DROPBEAR_URL   := 
http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
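
Review bot: the commit message has no body. Please say what changed between 2014.63 and 2014.65 and whether any of it is security relevant, as the php5 bumps on this list do with their CVE lists, so that users of the BSP can judge how urgent the update is.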
-- 
1.9.1




Re: [ptxdist] [RFC] u-boot-tools: emmc support in fw_printenv/fw_setenv

2014-08-20 Thread Bruno Thomsen

-Original Message-
From: ptxdist-boun...@pengutronix.de [mailto:ptxdist-boun...@pengutronix.de] On 
Behalf Of Michael Olbrich
Sent: 8. august 2014 12:18
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [RFC] u-boot-tools: emmc support in fw_printenv/fw_setenv

 On Tue, Aug 05, 2014 at 02:29:12PM +0200, Markus Niebel wrote:
  Hello Bruno,
  
  On 04.08.2014 10:29, Bruno Thomsen wrote:
   Provide read/write access to U-Boot environment stored in eMMC flash from 
   Linux.
   
   Access to U-Boot environment can be very useful; dual kernel/rootfs 
   images, production default values, change kernel bootargs, etc.
   
   Tested with U-Boot 2009.08 and 2013.04 on TQMa28.
   
  
  Wouldn't it be better to rework the support for u-boot tools in 
  general? (I know, this will be tricky, since U-Boot environment tools 
  compilation is really an adventure). Also I think, we should use the same 
  version of U-Boot tools as we use for the U-Boot itself.
  
  What do you think?

 I think it's a good idea.

Yes, use the same U-Boot package for both bootloader and tools.

Then we have the block device (emmc, etc.) vs. mtd[1] (NAND, NOR) support issue.
As I see there are the following solutions:
1) Select fw_printenv/fw_setenv storage support based on define in board 
configuration, ex. CONFIG_ENV_IS_IN_MMC in mx28evk.
2) fw_printenv/fw_setenv support both storage technologies:
  a) Add storage type parameter to /etc/fw_env.config
  b) Autodetect storage type with strcmp() based on device name



[1] MTD: Memory Technology Device, 
http://www.linux-mtd.infradead.org/faq/general.html


Venlig hilsen / Best regards

Kamstrup A/S http://www.kamstrup.dk 
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00 
Fax: +45 89 93 10 01 
Dir: +45 89 93 13 94 
E-mail:  b...@kamstrup.dk
Web: www.kamstrup.dk 



Re: [ptxdist] ptxdist-2013.01.0 Cups support required but cups-config notlocated. Make sure cups-devel related files are installed.

2014-08-26 Thread Bruno Thomsen

 I'm trying build cups with  ptxdist-2013.01.0. I see this error, Do you have 
 any idea ?


 checking for offset_t... (cached) no
 checking for ssize_t... (cached) yes
 checking for wchar_t... yes
 checking for comparison_fn_t... (cached) yes
 checking for cups-config... no
 configure: error: Cups support required but cups-config not located.  Make 
 sure cups-devel related files are installed.


Looks like you are missing the CUPS library development files on the host machine.

$ sudo apt-get install libcups2-dev



Venlig hilsen / Best regards


Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00
Fax: +45 89 93 10 01
Dir: +45 89 93 13 94
E-mail: b...@kamstrup.dk
Web: www.kamstrup.dk


[ptxdist] [PATCH] bash: shellshock fix

2014-09-25 Thread Bruno Thomsen
Fixes CVE-2014-6271: remote code execution through bash.
Applied missing patches between version 3.2 patch level 48 and 52.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 patches/bash-3.2.48/0001-bash-3.2-patch49.patch |  67 ++
 patches/bash-3.2.48/0002-bash-3.2-patch50.patch |  57 
 patches/bash-3.2.48/0003-bash-3.2-patch51.patch |  54 +++
 patches/bash-3.2.48/0004-bash-3.2-patch52.patch | 114 
 patches/bash-3.2.48/series  |   4 +
 5 files changed, 296 insertions(+)
 create mode 100644 patches/bash-3.2.48/0001-bash-3.2-patch49.patch
 create mode 100644 patches/bash-3.2.48/0002-bash-3.2-patch50.patch
 create mode 100644 patches/bash-3.2.48/0003-bash-3.2-patch51.patch
 create mode 100644 patches/bash-3.2.48/0004-bash-3.2-patch52.patch
 create mode 100644 patches/bash-3.2.48/series

diff --git a/patches/bash-3.2.48/0001-bash-3.2-patch49.patch 
b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch
new file mode 100644
index 000..c245ff9
--- /dev/null
+++ b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch
@@ -0,0 +1,67 @@
+From fb26772ce5a02cc2e677925ce62a459947a4709e Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen b...@kamstrup.dk
+Date: Thu, 25 Sep 2014 15:41:58 +0200
+Subject: [PATCH] bash-3.2: patch 49
+
+Bash-Release: 3.2
+Patch-ID: bash32-049
+
+Bug-Reported-by:   Len Lattanzi llatta...@apple.com
+Bug-Reference-ID:  52b1297f-6675-45cc-b63e-24745337d...@apple.com
+Bug-Reference-URL:
+
+Bug-Description:
+
+On systems where mbrtowc() returns -2 when passed a length argument with
+value 0, when using a multibyte locale, Readline's emacs-mode forward-char
+at the end of a line will leave the point beyond the end of the line.
+
+Signed-off-by: Bruno Thomsen b...@kamstrup.dk
+---
+ lib/readline/mbutil.c | 9 ++---
+ patchlevel.h  | 2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c
+index 17dde53..0f8191c 100644
+--- a/lib/readline/mbutil.c
 b/lib/readline/mbutil.c
+@@ -77,7 +77,7 @@ _rl_find_next_mbchar_internal (string, seed, count, 
find_non_zero)
+  char *string;
+  int seed, count, find_non_zero;
+ {
+-  size_t tmp;
++  size_t tmp, len;
+   mbstate_t ps;
+   int point;
+   wchar_t wc;
+@@ -96,9 +96,12 @@ _rl_find_next_mbchar_internal (string, seed, count, 
find_non_zero)
+   if (seed  point)
+ count--;
+ 
+-  while (count  0)  
++  while (count  0)
+ {
+-  tmp = mbrtowc (wc, string+point, strlen(string + point), ps);
++  len = strlen (string + point);
++  if (len == 0)
++break;
++  tmp = mbrtowc (wc, string+point, len, ps);
+   if (MB_INVALIDCH ((size_t)tmp))
+   {
+ /* invalid bytes. asume a byte represents a character */
+diff --git a/patchlevel.h b/patchlevel.h
+index aff99d9..19e5eca 100644
+--- a/patchlevel.h
 b/patchlevel.h
+@@ -25,6 +25,6 @@
+regexp `^#define[  ]*PATCHLEVEL', since that's what support/mkversion.sh
+looks for to find the patch level (for the sccs version string). */
+ 
+-#define PATCHLEVEL 48
++#define PATCHLEVEL 49
+ 
+ #endif /* _PATCHLEVEL_H_ */
+-- 
+1.9.1
+
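
Review bot: the embedded header (From, Date: Thu, 25 Sep 2014, Signed-off-by) presents this file as a change authored on the day of the import, and with Bug-Reference-URL empty the only pointer to upstream is the line Patch-ID: bash32-049. For a security-motivated series, add the origin of each upstream patch to its header so a reviewer can diff the imported file against the official one. The top-level commit message could also say which of patches 49 to 52 addresses CVE-2014-6271, since this one is a Readline multibyte fix.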
diff --git a/patches/bash-3.2.48/0002-bash-3.2-patch50.patch 
b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch
new file mode 100644
index 000..ceea444
--- /dev/null
+++ b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch
@@ -0,0 +1,57 @@
+From 6ec1590129b1855ce3366d53636f6a6272bbdb86 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen b...@kamstrup.dk
+Date: Thu, 25 Sep 2014 15:49:40 +0200
+Subject: [PATCH] bash-3.2: patch 50
+
+Bash-Release: 3.2
+Patch-ID: bash32-050
+
+Bug-Reported-by:   Jan Hnatek jan.hna...@sun.com
+Bug-Reference-ID:  4a44991f.8010...@sun.com
+Bug-Reference-URL: 
http://lists.gnu.org/archive/html/bug-bash/2009-06/msg00084.html
+
+Bug-Description:
+
+On systems where mbrtowc() returns -2 when passed a length argument with
+value 0, when using a multibyte locale, Readline's emacs-mode forward-char
+at the end of a line will leave the point beyond the end of the line.
+
+Signed-off-by: Bruno Thomsen b...@kamstrup.dk
+---
+ lib/readline/mbutil.c | 4 +---
+ patchlevel.h  | 2 +-
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c
+index 0f8191c..6d3da95 100644
+--- a/lib/readline/mbutil.c
 b/lib/readline/mbutil.c
+@@ -131,12 +131,10 @@ _rl_find_next_mbchar_internal (string, seed, count, 
find_non_zero)
+   if (find_non_zero)
+ {
+   tmp = mbrtowc (wc, string + point, strlen (string + point), ps);
+-  while (tmp  0  wcwidth (wc) == 0)
++  while (MB_NULLWCH (tmp) == 0  MB_INVALIDCH (tmp) == 0  wcwidth (wc) 
== 0)
+   {
+ point += tmp;
+ tmp = mbrtowc (wc, string + point, strlen (string + point), ps);
+-if (MB_NULLWCH (tmp) || MB_INVALIDCH (tmp))
+-  break;
+   }
+ }
+ 
+diff --git a/patchlevel.h b/patchlevel.h
+index 19e5eca..37480dc 100644
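
Review bot: the Bug-Description in this file is word for word the one in 0001-bash-3.2-patch49.patch, while the reporter, the reference and the code change (the loop condition in the find_non_zero branch) are different. It looks copied from the previous patch; please replace it with the description that belongs to bash32-050.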

[ptxdist] [PATCH] php5: version bump 5.4.30 - 5.4.33

2014-09-26 Thread Bruno Thomsen
Multiple bugs were fixed including security vulnerabilities
CVE-2014-3597, CVE-2014-3538, CVE-2014-3587, CVE-2014-2497,
CVE-2014-5120, CVE-2014-4698 and CVE-2014-4670.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index 3657bc4..1bf97df 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.30
-PHP5_MD5   := a8a27fdc1d9e1020c9f8922b608326de
+PHP5_VERSION   := 5.4.33
+PHP5_MD5   := c6878bb1cdb46bfc1e1a5cd67a024737
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
-- 
1.9.1




[ptxdist] [PATCH] bash: shellshock part 2 fix

2014-09-29 Thread Bruno Thomsen
Fix CVE-2014-7169.
Applied patches 53 and 54 from version 3.2.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 patches/bash-3.2.48/0005-bash-3.2-patch53.patch |  51 +++
 patches/bash-3.2.48/0006-bash-3.2-patch54.patch | 185 
 patches/bash-3.2.48/series  |   2 +
 3 files changed, 238 insertions(+)
 create mode 100644 patches/bash-3.2.48/0005-bash-3.2-patch53.patch
 create mode 100644 patches/bash-3.2.48/0006-bash-3.2-patch54.patch

diff --git a/patches/bash-3.2.48/0005-bash-3.2-patch53.patch 
b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch
new file mode 100644
index 000..cad5435
--- /dev/null
+++ b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch
@@ -0,0 +1,51 @@
+From bb47ebbc22117d0dfcff43734b5eeb293b4249e7 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen b...@kamstrup.dk
+Date: Mon, 29 Sep 2014 10:18:41 +0200
+Subject: [PATCH] bash-3.2: patch 53
+
+Bash-Release: 3.2
+Patch-ID: bash32-053
+
+Bug-Reported-by:   Tavis Ormandy tav...@cmpxchg8b.com
+Bug-Reference-ID:
+Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
+
+Bug-Description:
+
+Under certain circumstances, bash can incorrectly save a lookahead character 
and
+return it on a subsequent call, even when reading a new line.
+
+Signed-off-by: Bruno Thomsen b...@kamstrup.dk
+---
+ parse.y  | 2 ++
+ patchlevel.h | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parse.y b/parse.y
+index 8a2b081..6cb2bce 100644
+--- a/parse.y
 b/parse.y
+@@ -2503,6 +2503,8 @@ reset_parser ()
+   FREE (word_desc_to_read);
+   word_desc_to_read = (WORD_DESC *)NULL;
+ 
++  eol_ungetc_lookahead = 0;
++
+   last_read_token = '\n';
+   token_to_read = '\n';
+ }
+diff --git a/patchlevel.h b/patchlevel.h
+index a2d65b2..e5d74f3 100644
+--- a/patchlevel.h
 b/patchlevel.h
+@@ -25,6 +25,6 @@
+regexp `^#define[  ]*PATCHLEVEL', since that's what support/mkversion.sh
+looks for to find the patch level (for the sccs version string). */
+ 
+-#define PATCHLEVEL 52
++#define PATCHLEVEL 53
+ 
+ #endif /* _PATCHLEVEL_H_ */
+-- 
+1.9.1
+
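
Review bot: neither the header nor the Bug-Description of this file names CVE-2014-7169, which the top-level commit message gives as the reason for the import. Add the CVE id to the patch header so the fix can be found later by searching patches/ for it.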
diff --git a/patches/bash-3.2.48/0006-bash-3.2-patch54.patch 
b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch
new file mode 100644
index 000..0b7e14d
--- /dev/null
+++ b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch
@@ -0,0 +1,185 @@
+From 3daa4e268f15c666754e17c901194ca19199 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen b...@kamstrup.dk
+Date: Mon, 29 Sep 2014 10:36:58 +0200
+Subject: [PATCH] bash-3.2: patch 54
+
+Bash-Release: 3.2
+Patch-ID: bash32-054
+
+Bug-Reported-by:   Florian Weimer fwei...@redhat.com
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+This patch changes the encoding bash uses for exported functions to avoid
+clashes with shell variables and to avoid depending only on an environment
+variable's contents to determine whether or not to interpret it as a shell
+function.
+
+Signed-off-by: Bruno Thomsen b...@kamstrup.dk
+---
+ patchlevel.h |  2 +-
+ variables.c  | 80 +---
+ 2 files changed, 61 insertions(+), 21 deletions(-)
+
+diff --git a/patchlevel.h b/patchlevel.h
+index e5d74f3..d449c7c 100644
+--- a/patchlevel.h
 b/patchlevel.h
+@@ -25,6 +25,6 @@
+regexp `^#define[  ]*PATCHLEVEL', since that's what support/mkversion.sh
+looks for to find the patch level (for the sccs version string). */
+ 
+-#define PATCHLEVEL 53
++#define PATCHLEVEL 54
+ 
+ #endif /* _PATCHLEVEL_H_ */
+diff --git a/variables.c b/variables.c
+index eb80326..76501cf 100644
+--- a/variables.c
 b/variables.c
+@@ -74,6 +74,11 @@
+ 
+ #define ifsname(s)((s)[0] == 'I'  (s)[1] == 'F'  (s)[2] == 'S'  
(s)[3] == '\0')
+ 
++#define BASHFUNC_PREFIX   BASH_FUNC_
++#define BASHFUNC_PREFLEN  10  /* == strlen(BASHFUNC_PREFIX */
++#define BASHFUNC_SUFFIX   %%
++#define BASHFUNC_SUFFLEN  2   /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+ 
+ /* Variables used here and defined in other files. */
+@@ -241,7 +246,7 @@ static void push_temp_var __P((PTR_T));
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *)); 
+ 
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
+@@ -309,27 +314,41 @@ initialize_shell_variables (env, privmode)
+ 
+   /* If exported function, define it now.  Don't import functions from
+the environment in privileged mode. */
+-  if (privmode == 0  read_but_dont_execute == 0  STREQN (() {, 
string, 4))
++  if (privmode == 0  read_but_dont_execute == 0 
++STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) 
++STREQ (BASHFUNC_SUFFIX
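
Review bot: the import condition in initialize_shell_variables now requires the BASH_FUNC_ prefix and the %% suffix on the variable name in addition to the check on the value, so functions exported by a shell that uses any other encoding are no longer imported. The commit message should mention this behaviour change, since it affects scripts that pass functions through the environment. Minor: the comment on BASHFUNC_PREFLEN is missing its closing parenthesis.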

Re: [ptxdist] BASH_FUNC_set_shell_label() not a valid identifier

2014-10-06 Thread Bruno Thomsen

Hello,


 I'm not sure why I'm getting this message, but speculatively it seems 
 to have started appearing after I updated Ubuntu-14.04 with bash 
 shellshock patches... ?
 
 Anyone else see this type of message?

 Same here on Debian 7 (wheezy) and I had the same assumption. I work with 
 zsh, but I also see those messages. 8-)

I have just searched the logs from our build server and it does not seem to be 
affected.

ptxdist-2013.12.0 (+ some mainline rules)
Ubuntu 14.04 LTS
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)


Venlig hilsen / Best regards

Kamstrup A/S http://www.kamstrup.dk 
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00 
Fax: +45 89 93 10 01 
Dir: +45 89 93 13 94 
E-mail:  b...@kamstrup.dk
Web: www.kamstrup.dk
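
The subject of this thread shows a `BASH_FUNC_name()` variable name, while the bash32-054 patch earlier on this page uses the `BASH_FUNC_` prefix with a `%%` suffix and removes the check that looked at the value alone. The following is an added example, not code from the thread or from bash, that tells these encodings apart in a dump of environment entries; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify environment entries by how they encode an exported
# bash function. All names and sample entries below are constructed.

# classify_env_entry ENTRY
# ENTRY is one "NAME=value" string. Prints one of:
#   func-suffix  BASH_FUNC_name%%=() { ...  (encoding in the bash32-054 patch)
#   func-parens  BASH_FUNC_name()=() { ...  (form seen in this thread's subject)
#   legacy       name=() { ...              (value alone marks it as a function)
#   variable     anything else
classify_env_entry() {
    entry=$1
    case $entry in
        *=*) ;;
        *) echo variable; return 0 ;;
    esac
    name=${entry%%=*}
    value=${entry#*=}
    # All three encodings keep the "() {" marker at the start of the value.
    case $value in
        '() {'*) ;;
        *) echo variable; return 0 ;;
    esac
    case $name in
        BASH_FUNC_*'%%') echo func-suffix ;;
        BASH_FUNC_*'()') echo func-parens ;;
        *) echo legacy ;;
    esac
}

# audit_env_dump
# Reads entries from stdin, one per line, prints "<class> <name>" for every
# entry that looks like a function and a final "legacy=<count>" line.
# A function body that spans several lines is judged by its first line only.
audit_env_dump() {
    legacy=0
    while IFS= read -r line; do
        class=$(classify_env_entry "$line")
        if [ "$class" != variable ]; then
            printf '%s %s\n' "$class" "${line%%=*}"
        fi
        if [ "$class" = legacy ]; then
            legacy=$((legacy + 1))
        fi
    done
    printf 'legacy=%s\n' "$legacy"
}

# Constructed sample dump covering each class.
sample_env_dump() {
    cat <<'EOF'
PATH=/usr/bin:/bin
set_shell_label=() { echo label; }
BASH_FUNC_set_shell_label()=() { echo label; }
BASH_FUNC_set_shell_label%%=() { echo label; }
BASH_FUNC_notafunc%%=plain text
EOF
}

sample_env_dump | audit_env_dump
```

A non-zero `legacy` count means some process still hands function definitions to its children in the form that a shell without these patches would interpret from the value alone.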


[ptxdist] [PATCH] libcurl: version bump 7.26.0 - 7.38.0

2014-10-14 Thread Bruno Thomsen
See upstream changelog for details.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/libcurl.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/libcurl.make b/rules/libcurl.make
index f8c77e4..5babcb0 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
 #
 # Paths and names
 #
-LIBCURL_VERSION:= 7.26.0
-LIBCURL_MD5:= 3fa4d5236f2a36ca5c3af6715e837691
+LIBCURL_VERSION:= 7.38.0
+LIBCURL_MD5:= b6e3ea55bb718f2270489581efa50a8a
 LIBCURL:= curl-$(LIBCURL_VERSION)
 LIBCURL_SUFFIX := tar.gz
 LIBCURL_URL:= http://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
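
Review bot: this bump goes from 7.26.0 to 7.38.0 with only "See upstream changelog for details" as justification, and the diff touches nothing but rules/libcurl.make. Please list the security fixes picked up by the jump in the commit message, and confirm that no patch series for curl-7.26.0 exists under patches/ that would silently stop being applied under the new version name.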
-- 
1.9.1




[ptxdist] [PATCH] strongswan: install curl plugin if selected

2014-10-28 Thread Bruno Thomsen
Curl plugin was not installed due to typo in ifdef.

Runtime error message:
plugin 'curl' failed to load: /usr/lib/plugins/libstrongswan-curl.so: cannot 
open shared object file: No such file or directory

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/strongswan.make | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 387e69e..57fc7da 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -225,7 +225,7 @@ STRONGSWAN_PLUGINS := \
libstrongswan-xauth-generic.so \
libstrongswan-xcbc.so
 
-ifdef PTXCONF_STRONGSWAN_LIBCUR
+ifdef PTXCONF_STRONGSWAN_LIBCURL
STRONGSWAN_PLUGINS += libstrongswan-curl.so
 endif
 ifdef PTXCONF_STRONGSWAN_AFALG
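
Review bot: the misspelled symbol made the `ifdef` evaluate false without any build-time diagnostic, and the problem only showed up as a plugin load error on the target. While here, check the remaining `ifdef PTXCONF_STRONGSWAN_*` blocks that follow (PTXCONF_STRONGSWAN_AFALG is the next one) against the symbols defined in the strongswan Kconfig file, since the same kind of typo would fail just as silently.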
-- 
1.9.1




[ptxdist] [PATCH] php5: added openssl support option

2014-12-05 Thread Bruno Thomsen
This is useful when handling certificates in a web interface.
Ex. Validate parameters on a PEM certificate.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.in   | 7 +++
 rules/php5.make | 6 ++
 2 files changed, 13 insertions(+)

diff --git a/rules/php5.in b/rules/php5.in
index f4c3aeb..17ead2c 100644
--- a/rules/php5.in
+++ b/rules/php5.in
@@ -13,6 +13,7 @@ menuconfig PHP5
select XMLRPC_C if PHP5_XML_LIBXML2_XMLRPC
select SQLITE   if PHP5_EXT_SQLITE3
select ZLIB if PHP5_EXT_ZLIB
+   select OPENSSL  if PHP5_EXT_OPENSSL
 
 if PHP5
 
@@ -272,6 +273,12 @@ config PHP5_EXT_ZLIB
help
  Enable zlib support for PHP.
 
+config PHP5_EXT_OPENSSL
+   bool
+   prompt openssl
+   help
+ Enable openssl support for PHP.
+
 config PHP5_EXT_PEAR
bool
prompt pear [BROKEN]
diff --git a/rules/php5.make b/rules/php5.make
index 1bf97df..aef503b 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -220,6 +220,12 @@ else
 PHP5_AUTOCONF += --without-zlib
 endif
 
+ifdef PTXCONF_PHP5_EXT_OPENSSL
+PHP5_AUTOCONF += --with-openssl=$(SYSROOT)/usr
+else
+PHP5_AUTOCONF += --without-openssl
+endif
+
 ifdef PTXCONF_PHP5_EXT_CURL
 PHP5_AUTOCONF += \
--with-curl=$(SYSROOT)/usr
-- 
1.9.1




[ptxdist] [PATCH] php5: version bump 5.4.33 - 5.4.35

2014-12-05 Thread Bruno Thomsen
Multiple bugs were fixed including security vulnerabilities
CVE-2014-3710, CVE-2014-3669, CVE-2014-3670, CVE-2014-3668.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/php5.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index aef503b..c3f0168 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.33
-PHP5_MD5   := c6878bb1cdb46bfc1e1a5cd67a024737
+PHP5_VERSION   := 5.4.35
+PHP5_MD5   := 489cc8336488fb2e722ffa3c08f9c864
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.bz2
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
-- 
1.9.1




[ptxdist] [PATCH] curl: install root CA certificates option

2014-12-10 Thread Bruno Thomsen
Install a bundle of X.509 certificates of public Certificate Authorities (CA) 
in PEM format.
The bundle is automatically extracted from one of Mozilla's development 
channels/trees.

Test case 1:
openssl s_client -connect www.google.com:443 -CAfile 
/usr/share/ca-certificates/curl/ca-bundle.crt

Result:
Verify return code: 0 (ok)

Test case 2:
openssl s_client -connect www.google.com:443

Result:
Verify return code: 20 (unable to get local issuer certificate)

Test case 3:
curl https://www.google.com

Result:
HTMLHEAD...

Test case 4:
rm /usr/share/ca-certificates/curl/ca-bundle.crt
curl https://www.google.com

Result:
curl: (77) error setting certificate verify locations:
  CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
  CApath: none

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/libcurl.in   | 57 ++
 rules/libcurl.make | 40 +-
 2 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/rules/libcurl.in b/rules/libcurl.in
index 0ad7fb4..e5f25f8 100644
--- a/rules/libcurl.in
+++ b/rules/libcurl.in
@@ -20,6 +20,63 @@ if LIBCURL
 config LIBCURL_CURL
bool install curl program
 
+config LIBCURL_CA_BUNDLE
+   bool install CA Root Certificates
+   help
+ Bundle of CA Root Certificates.
+
+ This is a bundle of X.509 certificates of public Certificate 
Authorities
+ (CA). These were automatically extracted from Mozilla's root 
certificates
+ file (certdata.txt).
+
+ It contains the certificates in PEM format and therefore
+ can be directly used with curl / libcurl / php_curl / openssl.
+
+choice
+   prompt Mozilla tree
+   default LIBCURL_CA_TREE_RELEASE
+   depends on LIBCURL_CA_BUNDLE
+   help
+ Pull certdata.txt from this Mozilla tree.
+ https://wiki.mozilla.org/Tree_Rules
+
+config LIBCURL_CA_TREE_CENTRAL
+   bool
+   prompt central
+   help
+ Central is also known as nightly channel.
+
+config LIBCURL_CA_TREE_AURORA
+   bool
+   prompt aurora
+   help
+ Aurora channel is after central and before beta.
+
+config LIBCURL_CA_TREE_BETA
+   bool
+   prompt beta
+   help
+ Beta channel is just before release.
+
+config LIBCURL_CA_TREE_RELEASE
+   bool
+   prompt release
+   help
+ Changes to the release branch are limited to urgent chemspills
+ like zero-day security vulnerabilities and other unplanned 
emergencies.
+ In the normal development process, no changes will land on release
+ except regular merges from beta every six weeks.
+
+config LIBCURL_CA_TREE_NSS
+   bool
+   prompt nss
+   help
+ Network Security Services (NSS) is a set of libraries designed to 
support
+ cross-platform development of security-enabled client and server 
applications.
+ Mozilla develops NSS separate from Firefox.
+
+endchoice
+
 config LIBCURL_HTTP
bool http
default y
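Review bot: the Mozilla tree choice (LIBCURL_CA_TREE_CENTRAL, _AURORA, _BETA, _NSS) lets a product ship trust anchors taken from a nightly or pre-release tree, which is hard to justify for a root store; I would drop the choice and use a single released source. The LIBCURL_CA_BUNDLE help text also lists openssl as a direct consumer, but test case 2 in the commit message shows openssl s_client failing verification unless -CAfile points at the bundle, so the help should say the path has to be passed explicitly.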
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..9e7b57b 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -26,6 +26,36 @@ LIBCURL_SOURCE   := 
$(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
 LIBCURL_DIR:= $(BUILDDIR)/$(LIBCURL)
 LIBCURL_LICENSE:= MIT
 
+ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL
+MOZ_CA_TREE := central
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_AURORA
+MOZ_CA_TREE := aurora
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_BETA
+MOZ_CA_TREE := beta
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE
+MOZ_CA_TREE := release
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_NSS
+MOZ_CA_TREE := nss
+endif
+
+# 
+# Extract
+# 
+
+$(STATEDIR)/libcurl.extract:
+   @$(call targetinfo)
+   @$(call clean, $(LIBCURL_DIR))
+   @$(call extract, LIBCURL, $(BUILDDIR))
+   @$(call patchin, LIBCURL, $(LIBCURL_DIR))
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+   @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v 
$(LIBCURL_DIR)/ca-bundle.crt
+endif
+   @$(call touch)
+
 # 
 # Prepare
 # 
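Review bot: the mk-ca-bundle.pl -d$(MOZ_CA_TREE) call in libcurl.extract pulls certdata.txt from the network during the build, with no pinned revision and no checksum, so the root CA set baked into the image depends on the day of the build and cannot be reproduced or audited. Fetch certdata.txt through the normal source download with a fixed URL and checksum, then generate the bundle from the local file.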
@@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \
--without-gssapi \
--without-gnutls \
--without-nss \
-   --without-ca-bundle \
--without-ca-path \
--without-libidn \
--without-axtls \
@@ -82,6 +111,12 @@ else
 LIBCURL_AUTOCONF += --without-ssl
 endif
 
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+LIBCURL_AUTOCONF += 
--with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
+else
+LIBCURL_AUTOCONF += --without-ca-bundle
+endif
+
 # 
 # Target-Install

[ptxdist] [PATCH 1/2] strongswan: added openssl plugin option

2014-12-12 Thread Bruno Thomsen
OpenSSL adds Elliptic Curve support in IKE Diffie-Hellman key exchange.

Signed-off-by: Bruno Thomsen b...@kamstrup.dk
---
 rules/strongswan.in   | 8 
 rules/strongswan.make | 5 -
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/rules/strongswan.in b/rules/strongswan.in
index 5402ffb..d50ea8d 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -5,6 +5,7 @@ menuconfig STRONGSWAN
prompt strongswan
select LIBGMP
select LIBCURL if STRONGSWAN_LIBCURL
+   select OPENSSL if STRONGSWAN_OPENSSL
help
  strongSwan is a complete IPsec implementation.
  Please keep in mind to configure the kernel accordingly to fulfill
@@ -22,6 +23,13 @@ config STRONGSWAN_LIBCURL
  (CRLs) from an HTTP server or as an alternative want to use
  the Online Certificate Status Protocol (OCSP) say yes.
 
+config STRONGSWAN_OPENSSL
+   bool
+   default n
+   prompt OpenSSL crypto library for IKE
+   help
+ This will add Elliptic Curve support in IKE Diffie-Hellman key 
exchange.
+
 config STRONGSWAN_AFALG
bool
default y
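Review bot: in the new STRONGSWAN_OPENSSL entry, "default n" is redundant, since a bool without a default is already off. The help text mentions only Elliptic Curve Diffie-Hellman; it should also say that enabling the option pulls OpenSSL onto the target through the new select line, because that is the cost a user is deciding on.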
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 57fc7da..df4f9c8 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -34,6 +34,7 @@ STRONGSWAN_CONF_TOOL  := autoconf
 STRONGSWAN_CONF_OPT:= \
$(CROSS_AUTOCONF_USR) \
--$(call ptx/endis, PTXCONF_STRONGSWAN_LIBCURL)-curl \
+   --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
--disable-unbound \
--disable-soup \
--disable-ldap \
@@ -150,7 +151,6 @@ STRONGSWAN_CONF_OPT := \
--disable-osx-attr \
--enable-resolve \
--disable-padlock \
-   --disable-openssl \
--disable-gcrypt \
--disable-agent \
--disable-pkcs11 \
@@ -228,6 +228,9 @@ STRONGSWAN_PLUGINS := \
 ifdef PTXCONF_STRONGSWAN_LIBCURL
STRONGSWAN_PLUGINS += libstrongswan-curl.so
 endif
+ifdef PTXCONF_STRONGSWAN_OPENSSL
+   STRONGSWAN_PLUGINS += libstrongswan-openssl.so
+endif
 ifdef PTXCONF_STRONGSWAN_AFALG
STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
 endif
-- 
1.9.1




[ptxdist] [PATCH 1/2] host-certdata: root CA certificate bundle downloader

2015-01-16 Thread Bruno Thomsen
From: Bruno Thomsen b...@kamstrup.com

Added a new host dummy package that downloads a specific Firefox bundle
of root CA certificates. This functionality is used by libcurl package.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/host-certdata.in   |  5 +
 rules/host-certdata.make | 57 
 2 files changed, 62 insertions(+)
 create mode 100644 rules/host-certdata.in
 create mode 100644 rules/host-certdata.make

diff --git a/rules/host-certdata.in b/rules/host-certdata.in
new file mode 100644
index 000..087f34c
--- /dev/null
+++ b/rules/host-certdata.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_CERTDATA
+   tristate
+
diff --git a/rules/host-certdata.make b/rules/host-certdata.make
new file mode 100644
index 000..0bdccc4
--- /dev/null
+++ b/rules/host-certdata.make
@@ -0,0 +1,57 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2015 by Bruno Thomsen b...@kamstrup.com
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_CERTDATA) += host-certdata
+
+#
+# Paths and names
+#
+FIREFOX_MAJOR_VERSION  := 33
+FIREFOX_MINOR_VERSION  := 0
+HOST_CERTDATA_VERSION  := $(FIREFOX_MAJOR_VERSION)_$(FIREFOX_MINOR_VERSION)
+HOST_CERTDATA_MD5  := c9a187ce3bcd6d5ee1f8f5f531cf97f9
+HOST_CERTDATA  := certdata
+HOST_CERTDATA_SUFFIX   := txt
+HOST_CERTDATA_URL  := \
+   
http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_$(HOST_CERTDATA_VERSION)_RELEASE/security/nss/lib/ckfw/builtins/$(HOST_CERTDATA).$(HOST_CERTDATA_SUFFIX)
+HOST_CERTDATA_SOURCE   := $(SRCDIR)/$(HOST_CERTDATA).$(HOST_CERTDATA_SUFFIX)
+HOST_CERTDATA_DIR  := 
$(HOST_BUILDDIR)/$(HOST_CERTDATA)-$(HOST_CERTDATA_VERSION)
+
+# 
+# Extract
+# 
+
+$(STATEDIR)/host-certdata.extract:
+   @$(call targetinfo)
+   @$(call clean, $(HOST_CERTDATA_DIR))
+   @mkdir -p $(HOST_CERTDATA_DIR)
+   @cp $(HOST_CERTDATA_SOURCE) $(HOST_CERTDATA_DIR)
+   @$(call touch)
+
+# 
+# Compile
+# 
+
+$(STATEDIR)/host-certdata.compile:
+   @$(call targetinfo)
+   @$(call touch)
+
+# 
+# Install
+# 
+
+$(STATEDIR)/host-certdata.install:
+   @$(call targetinfo)
+   @$(call touch)
+
+# vim: syntax=make
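Review bot: HOST_CERTDATA_URL fetches the root CA list over plain http and the only integrity check is HOST_CERTDATA_MD5; since this file becomes the trust anchor set for TLS clients on the target, use the https URL and record in the commit message how the checksum was obtained. HOST_CERTDATA_SOURCE is $(SRCDIR)/certdata.txt with no version in the name, so a later bump will collide with the cached copy of the old file; put $(HOST_CERTDATA_VERSION) into the stored file name. FIREFOX_MAJOR_VERSION and FIREFOX_MINOR_VERSION also lack the HOST_CERTDATA_ prefix that the other variables carry.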
-- 
1.9.1




[ptxdist] [PATCH 2/2] curl: install root CA certificates option

2015-01-16 Thread Bruno Thomsen
From: Bruno Thomsen b...@kamstrup.com

Install a bundle of X.509 certificates of public Certificate Authorities (CA) 
in PEM format.
The bundle is extracted from Mozilla's release tree by a host package called 
certdata.

Test case 1:
openssl s_client -connect www.google.com:443 -CAfile 
/usr/share/ca-certificates/curl/ca-bundle.crt

Result:
Verify return code: 0 (ok)

Test case 2:
openssl s_client -connect www.google.com:443

Result:
Verify return code: 20 (unable to get local issuer certificate)

Test case 3:
curl https://www.google.com

Result:
HTMLHEAD...

Test case 4:
rm /usr/share/ca-certificates/curl/ca-bundle.crt
curl https://www.google.com

Result:
curl: (77) error setting certificate verify locations:
  CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
  CApath: none

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/libcurl.in   | 18 --
 rules/libcurl.make | 23 ++-
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/rules/libcurl.in b/rules/libcurl.in
index 0ad7fb4..11c3698 100644
--- a/rules/libcurl.in
+++ b/rules/libcurl.in
@@ -5,8 +5,10 @@ menuconfig LIBCURL
prompt libcurl   
select LIBC_RT
select ZLIB
-   select OPENSSL  if LIBCURL_SSL
-   select LIBSSH2  if LIBCURL_LIBSSH2
+   select HOST_SYSTEM_PERL if LIBCURL_CA_BUNDLE
+   select HOST_CERTDATAif LIBCURL_CA_BUNDLE
+   select OPENSSL  if LIBCURL_SSL
+   select LIBSSH2  if LIBCURL_LIBSSH2
help
curl is a command line tool for transferring files with URL syntax, 
supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and 
FILE.
@@ -20,6 +22,18 @@ if LIBCURL
 config LIBCURL_CURL
bool install curl program
 
+config LIBCURL_CA_BUNDLE
+   bool install root CA certificates
+   help
+ Bundle of Root CA Certificates.
+
+ This is a bundle of X.509 certificates of public Certificate 
Authorities (CA).
+ These were automatically extracted from Mozilla's root certificates
+ file (certdata.txt).
+
+ It contains the certificates in PEM format and therefore
+ can be directly used with curl / libcurl / php_curl / strongswan.
+
 config LIBCURL_HTTP
bool http
default y
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..7f83ca4 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -62,7 +62,6 @@ LIBCURL_AUTOCONF := \
--without-gssapi \
--without-gnutls \
--without-nss \
-   --without-ca-bundle \
--without-ca-path \
--without-libidn \
--without-axtls \
@@ -82,6 +81,25 @@ else
 LIBCURL_AUTOCONF += --without-ssl
 endif
 
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+LIBCURL_AUTOCONF += 
--with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
+else
+LIBCURL_AUTOCONF += --without-ca-bundle
+endif
+
+# 
+# Compile
+# 
+
+$(STATEDIR)/libcurl.compile:
+   @$(call targetinfo)
+
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+   @cd $(HOST_CERTDATA_DIR)
+   @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -n -v 
$(LIBCURL_DIR)/ca-bundle.crt
+endif
+   @$(call touch)
+
 # 
 # Target-Install
 # 
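Review bot: in libcurl.compile, "@cd $(HOST_CERTDATA_DIR)" sits on its own recipe line, and make runs each recipe line in a separate shell, so mk-ca-bundle.pl -n does not run in that directory and will not see the certdata.txt that host-certdata copied there; join the two as "cd $(HOST_CERTDATA_DIR) && $(LIBCURL_DIR)/lib/mk-ca-bundle.pl ...". The override also has no build step for libcurl itself between targetinfo and touch, so the package's normal compile has to be called here as well. A clean build with LIBCURL_CA_BUNDLE enabled would confirm both.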
@@ -99,6 +117,9 @@ ifdef PTXCONF_LIBCURL_CURL
@$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
 endif
@$(call install_lib, libcurl, 0, 0, 0644, libcurl)
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+   @$(call install_copy, libcurl, 0, 0, 0444, 
$(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
+endif
 
@$(call install_finish, libcurl)
 
-- 
1.9.1




Re: [ptxdist] [PATCH] curl: install root CA certificates option

2015-01-16 Thread Bruno Thomsen

Hi Michael

Thanks for feedback. I have created 2 new patches that address the issues you 
have found.

  +$(STATEDIR)/libcurl.extract:
  +   @$(call targetinfo)
  +   @$(call clean, $(LIBCURL_DIR))
  +   @$(call extract, LIBCURL, $(BUILDDIR))
  +   @$(call patchin, LIBCURL, $(LIBCURL_DIR))
  +ifdef PTXCONF_LIBCURL_CA_BUNDLE
  +   @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v 
  $(LIBCURL_DIR)/ca-bundle.crt
  +endif

 No, not like this. Downloading an undefined version of a file during the
 build process is not acceptable.

 Add a second file to download (see rules/host-tz-database.make) how to do
 this) and use a URL that does not change, maybe the last tag:
 http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_35_0_RELEASE/security/nss/lib/ckfw/builtins/certdata.txt

I have created a new host certificate bundle downloader-package 
(rules/host-certdata.make).

 Also, you need to 'select HOST_SYSTEM_PERL' in the .in file and running
 mk-ca-bundle.pl should be in the compile stage. Otherwise the dependencies
 are not handled correctly.

I have added a dependency on HOST_SYSTEM_PERL and HOST_CERTDATA if 
LIBCURL_CA_BUNDLE is selected.
Moved mk-ca-bundle.pl call from extract to compile stage.

Bruno





[ptxdist] [PATCH] dropbear: version bump 2014.65 - 2015.67

2015-02-16 Thread Bruno Thomsen
The new version contains options to enable/disable cipher modes.
Keeping today's default cipher mode.
In a secure solution one would disable CBC and enable CTR.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/dropbear.in   | 15 +++
 rules/dropbear.make | 18 --
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index fe2ada3..79aad57 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -203,6 +203,21 @@ config DROPBEAR_TWOFISH256
  bijective f function made by four key-dependent
  8x8-bit S-boxes.
 
+config DROPBEAR_CBC_CIPHERS
+   bool
+   prompt CBC mode ciphers
+   default y
+   help
+ Enable CBC mode for ciphers. This has security issues though
+ is the most compatible with older SSH implementations.
+
+config DROPBEAR_CTR_CIPHERS
+   bool
+   prompt Counter mode ciphers
+   help
+ Enable Counter Mode for ciphers. This is more secure than normal
+ CBC mode against certain attacks. This adds around 1kB to binary
+ size and is recommended for most cases.
 
 comment Integrity, at least one required --- RFC Draft requires sha1-hmac and 
recommends sha1-96
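Review bot: DROPBEAR_CTR_CIPHERS has no default line, so the mode its own help text calls "recommended for most cases" is off in a fresh configuration while DROPBEAR_CBC_CIPHERS, described as having security issues, is on; give the CTR entry "default y". Nothing prevents a configuration with both options off, which would leave the server without a usable cipher mode; a section comment like the "at least one required" one used for the integrity options, or a Kconfig dependency, would help.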
 
diff --git a/rules/dropbear.make b/rules/dropbear.make
index f03d0fc..ab9da5d 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION   := 2014.65
-DROPBEAR_MD5   := 1918604238817385a156840fa2c39490
+DROPBEAR_VERSION   := 2015.67
+DROPBEAR_MD5   := e967e320344cd4bfebe321e3ab8514d6
 DROPBEAR   := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX:= tar.bz2
 DROPBEAR_URL   := 
http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
@@ -163,7 +163,21 @@ else
@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
 endif
 
+ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
+   @echo ptxdist: enabling cbc ciphers
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+else
+   @echo ptxdist: disabling cbc ciphers
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+endif
 
+ifdef PTXCONF_DROPBEAR_CTR_CIPHERS
+   @echo ptxdist: enabling ctr ciphers
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+else
+   @echo ptxdist: disabling ctr ciphers
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+endif
 
 ifdef PTXCONF_DROPBEAR_SHA1
@echo ptxdist: enabling sha1
-- 
1.9.1




Re: [ptxdist] [PATCH] dropbear: version bump 2014.65 - 2015.67

2015-02-19 Thread Bruno Thomsen
  +config DROPBEAR_CBC_CIPHERS
  +   bool
  +   prompt CBC mode ciphers
  +   default y
  +   help
  + Enable CBC mode for ciphers. This has security issues though
  + is the most compatible with older SSH implementations.

 In that case, shouldn't this be off by default? Those that still need it can 
 enable it.

I was a bit in doubt whether the ptxdist default policy was to be fairly secure 
out-of-box or compatible with old software/equipment.
I'm all in for pushing a strong default security configuration :)

Bruno



[ptxdist] [PATCH] dropbear: stronger default MAC algorithms

2015-02-20 Thread Bruno Thomsen
Disable SHA1-96 since it gets flagged by Nessus security scanner.
Disable SHA1 since it's no longer recommended for cryptography,
and Google, Mozilla, Microsoft & NIST have all announced deprecation of it.

Tenable Network Security - Nessus:
http://www.tenable.com/plugins/index.php?view=single&id=71049

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/dropbear.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 1c1d813..db4a8ab 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -224,7 +224,6 @@ comment Integrity, at least one required --- RFC Draft 
requires sha1-hmac and r
 config DROPBEAR_SHA1
bool
prompt sha1
-   default y
help
  The Secure Hash Algorithm (SHA) was developed by NIST and
  is specified in the Secure Hash Standard (SHS, FIPS 180).
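Review bot: the section comment in this hunk's header context still reads "RFC Draft requires sha1-hmac and r...", which now contradicts the defaults; update that comment in the same patch so the menu does not tell users that the two options just switched off are required. If DROPBEAR_SHA1 and DROPBEAR_SHA1_96 are kept only for compatibility with older peers, their help texts should say so.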
@@ -237,7 +236,6 @@ config DROPBEAR_SHA1
 config DROPBEAR_SHA1_96
bool
prompt sha1-96
-   default y
help
  The Secure Hash Algorithm (SHA) was developed by NIST and
  is specified in the Secure Hash Standard (SHS, FIPS 180).
@@ -250,6 +248,7 @@ config DROPBEAR_SHA1_96
 config DROPBEAR_SHA256
bool
prompt sha256
+   default y
help
  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
  SHA-384, SHA-512) designed by the National Security Agency (NSA)
@@ -262,6 +261,7 @@ config DROPBEAR_SHA256
 config DROPBEAR_SHA512
bool
prompt sha512
+   default y
help
  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
  SHA-384, SHA-512) designed by the National Security Agency (NSA)
-- 
1.9.1




[ptxdist] [PATCHv2] dropbear: version bump 2014.65 - 2015.67

2015-02-20 Thread Bruno Thomsen
The new version contains options to enable/disable cipher modes.
Default security level increased by disabling CBC mode and enabling CTR mode.

Tenable Network Security - Nessus:
http://www.tenable.com/plugins/index.php?view=single&id=70658

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/dropbear.in   | 15 +++
 rules/dropbear.make | 18 --
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index fe2ada3..1c1d813 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -203,6 +203,21 @@ config DROPBEAR_TWOFISH256
  bijective f function made by four key-dependent
  8x8-bit S-boxes.
 
+config DROPBEAR_CBC_CIPHERS
+   bool
+   prompt CBC mode ciphers
+   help
+ Enable CBC mode for ciphers. This has security issues though
+ is the most compatible with older SSH implementations.
+
+config DROPBEAR_CTR_CIPHERS
+   bool
+   prompt Counter mode ciphers
+   default y
+   help
+ Enable Counter Mode for ciphers. This is more secure than normal
+ CBC mode against certain attacks. This adds around 1kB to binary
+ size and is recommended for most cases.
 
 comment Integrity, at least one required --- RFC Draft requires sha1-hmac and 
recommends sha1-96
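Review bot: this v2 produces rules/dropbear.in blob 1c1d813, which is the base of the separately posted "stronger default MAC algorithms" patch (index 1c1d813..db4a8ab), so that patch only applies on top of this one; please send the two as a numbered series. Now that DROPBEAR_CBC_CIPHERS defaults to off, its help text should also say what "security issues" refers to, for example by pointing at the scanner finding cited in the commit message, so users know what they accept when they turn it back on.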
 
diff --git a/rules/dropbear.make b/rules/dropbear.make
index f03d0fc..ab9da5d 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION   := 2014.65
-DROPBEAR_MD5   := 1918604238817385a156840fa2c39490
+DROPBEAR_VERSION   := 2015.67
+DROPBEAR_MD5   := e967e320344cd4bfebe321e3ab8514d6
 DROPBEAR   := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX:= tar.bz2
 DROPBEAR_URL   := 
http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
@@ -163,7 +163,21 @@ else
@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
 endif
 
+ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
+   @echo ptxdist: enabling cbc ciphers
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+else
+   @echo ptxdist: disabling cbc ciphers
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+endif
 
+ifdef PTXCONF_DROPBEAR_CTR_CIPHERS
+   @echo ptxdist: enabling ctr ciphers
+   @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+else
+   @echo ptxdist: disabling ctr ciphers
+   @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+endif
 
 ifdef PTXCONF_DROPBEAR_SHA1
@echo ptxdist: enabling sha1
-- 
1.9.1




Re: [ptxdist] nsupdate

2015-01-27 Thread Bruno Thomsen
Hi Tom,

 I am currently working on a kind of dyndns approach and plan to use nsupdate 
 to make the ddns aware of the new IP. However, it seems that nsupdate is 
 missing in ptxdist. Is this the case or do I miss something in the 
 configuration to enable it?

Yes, there is currently no rule to install nsupdate, which is part of Bind.
I also need to update DNS records automatically and was planning to create a 
rule that compiles and installs DNS client tools from Bind 9.

/Bruno



[ptxdist] [PATCH] strongswan: version bump 5.1.3 - 5.2.2

2015-02-09 Thread Bruno Thomsen
enable-tools option has been replaced by enable-pki and enable-scepclient 
options.
disable-kernel-klips option has been obsoleted.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index dad1e10..5e4a76d 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION := 5.1.3
-STRONGSWAN_MD5 := 1d1c108775242743cd8699215b2918c3
+STRONGSWAN_VERSION := 5.2.2
+STRONGSWAN_MD5 := 7ee1a33060b2bde35be0f6d78a1d26d0
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
 STRONGSWAN_URL := 
http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -125,7 +125,6 @@ STRONGSWAN_CONF_OPT := \
--enable-kernel-netlink \
--disable-kernel-pfkey \
--disable-kernel-pfroute \
-   --disable-kernel-klips \
--disable-kernel-libipsec \
--disable-libipsec \
--enable-socket-default \
@@ -141,7 +140,8 @@ STRONGSWAN_CONF_OPT := \
--enable-ikev2 \
--enable-charon \
--disable-cmd \
-   --enable-tools \
+   --enable-pki \
+   --enable-scepclient \
--enable-scripts \
--disable-conftest \
--enable-updown \
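Review bot: --enable-pki and --enable-scepclient are both switched on unconditionally to replace --enable-tools; on a target that only runs charon this builds tools nobody asked for, so consider putting them behind Kconfig options with ptx/endis, as is already done for the curl plugin. The diffstat touches only the configure options, so please also confirm that the target-install stage still matches the file names the 5.2.2 build produces.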
-- 
1.9.1




Re: [ptxdist] [PATCH] version bump to 2.4.7

2015-02-10 Thread Bruno Thomsen
 Subject: [ptxdist] [PATCH] version bump to 2.4.7

Add package name to subject.

 version bump to 2.4.7

What about patch set from ppp 2.4.5? Have they been merged/fixed upstream?

/Bruno





[ptxdist] [PATCH] php5: version bump 5.4.35 - 5.5.21

2015-02-12 Thread Bruno Thomsen
Disabled new OPcache feature (Zend Optimizer+) due to cross-compiling issue.
https://bugs.php.net/bug.php?id=66103

Package format changed from tar.bz2 to tar.xz.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/php5.make | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index c3f0168..5dddeab 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -17,10 +17,10 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.4.35
-PHP5_MD5   := 489cc8336488fb2e722ffa3c08f9c864
+PHP5_VERSION   := 5.5.21
+PHP5_MD5   := 79664ce44f7c93f355a25a3fe3dcc91b
 PHP5   := php-$(PHP5_VERSION)
-PHP5_SUFFIX:= tar.bz2
+PHP5_SUFFIX:= tar.xz
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
 PHP5_DIR   := $(BUILDDIR)/$(PHP5)
 
@@ -49,6 +49,7 @@ PHP5_AUTOCONF := \
$(CROSS_AUTOCONF_USR) \
--disable-phar \
--with-config-file-path=/etc/php5 \
+   --enable-opcache=no \
--without-iconv
 
 # FIXME: php5 doesn't interprete with_foo=no correctly, so we cannot
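Review bot: --enable-opcache=no is added directly above a FIXME stating that php5 does not interpret with_foo=no correctly; please confirm from the configure output that OPcache is really disabled with this spelling, or use --disable-opcache. A comment next to the option pointing at the bug report from the commit message would tell the next person when it can be removed.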
-- 
1.9.1




Re: [ptxdist] php accelerator/ upgrade to php 5.5

2015-02-12 Thread Bruno Thomsen

 I am using lighttpd with php-cgi on Freescale i.mx28. Response time of Webgui 
 could be faster.
 Has anyone had experience with php accelerators, or is anyone already using 
 php5.5, which has Zend Optimizer+ integrated by default? Are there reasons not 
 to go for php 5.5?

There is currently a bug that causes problems with cross-compiling OPcache 
(Zend Optimizer+) in PHP 5.5.
https://bugs.php.net/bug.php?id=66103

I can send a patch that uses PHP 5.5.21 without OPcache.

/Bruno





Re: [ptxdist] license info

2015-02-12 Thread Bruno Thomsen

 -Original Message-
 From: ptxdist-boun...@pengutronix.de [mailto:ptxdist-boun...@pengutronix.de] 
 On Behalf Of Guillermo Rodriguez Garcia
 Sent: 11. februar 2015 18:12
 To: ptxdist@pengutronix.de
 Subject: Re: [ptxdist] license info

 OK. My view is that this (storing the license text in the rootfs) would be 
 unnecessary for many licenses, while not completely fulfilling requirements 
 for others. But IANAL either and you may very well be right :-)


We include all licenses with full text on rootfs using a custom Python script 
that generates a PHP page, so they can be shown by the embedded webserver.

Header - Pre - Package - Post - Pre - Package - Post - . - Footer

Package = name, version, license

/Bruno



Re: [ptxdist] [PATCH 1/2] host-certdata: root CA certificate bundle downloader

2015-03-18 Thread Bruno Thomsen

Ping..

Are there any outstanding issues with this patch series?

/Bruno


-Original Message-
From: Bruno Thomsen 
Sent: 16. januar 2015 12:59
To: m.olbr...@pengutronix.de
Cc: ptxdist@pengutronix.de; Bruno Thomsen
Subject: [PATCH 1/2] host-certdata: root CA certificate bundle downloader

From: Bruno Thomsen b...@kamstrup.com

Added a new host dummy package that downloads a specific Firefox bundle
of root CA certificates. This functionality is used by libcurl package.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/host-certdata.in   |  5 +
 rules/host-certdata.make | 57 
 2 files changed, 62 insertions(+)
 create mode 100644 rules/host-certdata.in
 create mode 100644 rules/host-certdata.make

diff --git a/rules/host-certdata.in b/rules/host-certdata.in
new file mode 100644
index 000..087f34c
--- /dev/null
+++ b/rules/host-certdata.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_CERTDATA
+   tristate
+
diff --git a/rules/host-certdata.make b/rules/host-certdata.make
new file mode 100644
index 000..0bdccc4
--- /dev/null
+++ b/rules/host-certdata.make
@@ -0,0 +1,57 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2015 by Bruno Thomsen b...@kamstrup.com
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_CERTDATA) += host-certdata
+
+#
+# Paths and names
+#
+FIREFOX_MAJOR_VERSION  := 33
+FIREFOX_MINOR_VERSION  := 0
+HOST_CERTDATA_VERSION  := $(FIREFOX_MAJOR_VERSION)_$(FIREFOX_MINOR_VERSION)
+HOST_CERTDATA_MD5  := c9a187ce3bcd6d5ee1f8f5f531cf97f9
+HOST_CERTDATA  := certdata
+HOST_CERTDATA_SUFFIX   := txt
+HOST_CERTDATA_URL  := \
+   
http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_$(HOST_CERTDATA_VERSION)_RELEASE/security/nss/lib/ckfw/builtins/$(HOST_CERTDATA).$(HOST_CERTDATA_SUFFIX)
+HOST_CERTDATA_SOURCE   := $(SRCDIR)/$(HOST_CERTDATA).$(HOST_CERTDATA_SUFFIX)
+HOST_CERTDATA_DIR  := 
$(HOST_BUILDDIR)/$(HOST_CERTDATA)-$(HOST_CERTDATA_VERSION)
+
+# 
+# Extract
+# 
+
+$(STATEDIR)/host-certdata.extract:
+   @$(call targetinfo)
+   @$(call clean, $(HOST_CERTDATA_DIR))
+   @mkdir -p $(HOST_CERTDATA_DIR)
+   @cp $(HOST_CERTDATA_SOURCE) $(HOST_CERTDATA_DIR)
+   @$(call touch)
+
+# 
+# Compile
+# 
+
+$(STATEDIR)/host-certdata.compile:
+   @$(call targetinfo)
+   @$(call touch)
+
+# 
+# Install
+# 
+
+$(STATEDIR)/host-certdata.install:
+   @$(call targetinfo)
+   @$(call touch)
+
+# vim: syntax=make
-- 
1.9.1




Re: [ptxdist] Feature Request: Option to install man pages

2015-03-04 Thread Bruno Thomsen

 However the smart phone boom of the last few years dramatically changed the 
 definition of 'small' - the smallest flash devices for our embedded HW starts 
 now around 2-4 *Giga*bytes.  And as smallest does NOT mean cheapest, the 
 standard flash device at work - right now - is 4 GB eMMC, which will probably 
 increase the usual 2^n steps the next months/years.

Yes, eMMC seems to be the way many boards are going today. We have also 
switched from 2 GB to 4 GB due to LTB.

 Your opinions?

+1. Seems like a good idea. It's mostly useful when you get new application 
developers that aren't used to working on Linux.

/Bruno



Re: [ptxdist] [PATCH] bash: Updated bash to release 4.3.30

2015-03-03 Thread Bruno Thomsen
  Not needed, as the whole block is enclosed in an if BASH...endif 
  Otherwise looks good to me, however I'll let Michael look over this 
  and pick it up after his holidays.
 Maybe Michael could also have a look on the old patches for bash 3.2. I don't 
 know, if they are still needed or not.

The patch series for Bash 3.2 was added by me to fix the Shellshock 
vulnerability.
All the fixes are included in Bash 4.3.30, so just delete the old patch series 
in v2.

/Bruno



[ptxdist] [PATCH] openssl: version bump 1.0.1k - 1.0.2

2015-02-24 Thread Bruno Thomsen
Used Debian patch series and ptxdist specific patch from 1.0.1k.

Debian patches were generated using Michael Olbrich's openssl-apply-debian
script using the following source:
openssl_1.0.2-1.debian.tar.xz [MD5: 3df9826bec6f37f4d4d524291ed4f1f3]

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 patches/openssl-1.0.1k/0007-valgrind.patch |  31 -
 patches/openssl-1.0.1k/0008-rehash-crt.patch   |  44 ---
 patches/openssl-1.0.1k/0010-stddef.patch   |  23 
 .../0013-Change-default-bit-size-and-digest.patch  | 131 -
 .../openssl-1.0.1k/0014-openssl_fix_for_x32.patch  |  50 
 .../0001-ca.patch  |  10 +-
 .../0002-debian-targets.patch  |  16 +--
 .../0003-engines-path.patch|  53 +
 .../0004-no-rpath.patch|  10 +-
 .../0005-no-symbolic.patch |  10 +-
 .../0006-pic.patch |  26 ++--
 patches/openssl-1.0.2/0007-valgrind.patch  |  31 +
 .../0008-shared-lib-ext.patch} |  12 +-
 .../0009-libdoc-manpgs-pod-spell.patch |  24 
 .../openssl-1.0.2/0010-openssl-pod-misspell.patch  |  52 
 .../0011-block_diginotar.patch |  32 ++---
 .../0012-block_digicert_malaysia.patch |  10 +-
 .../openssl-1.0.2/0013-Disable-the-freelist.patch  |  42 +++
 ...-don-t-ask-dpkg-buildflags-for-more-flags.patch |   0
 patches/{openssl-1.0.1k = openssl-1.0.2}/series   |  11 +-
 rules/openssl.make |   4 +-
 21 files changed, 250 insertions(+), 372 deletions(-)
 delete mode 100644 patches/openssl-1.0.1k/0007-valgrind.patch
 delete mode 100644 patches/openssl-1.0.1k/0008-rehash-crt.patch
 delete mode 100644 patches/openssl-1.0.1k/0010-stddef.patch
 delete mode 100644 
patches/openssl-1.0.1k/0013-Change-default-bit-size-and-digest.patch
 delete mode 100644 patches/openssl-1.0.1k/0014-openssl_fix_for_x32.patch
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0001-ca.patch (77%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0002-debian-targets.patch 
(92%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0003-engines-path.patch (77%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0004-no-rpath.patch (73%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0005-no-symbolic.patch (72%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0006-pic.patch (89%)
 create mode 100644 patches/openssl-1.0.2/0007-valgrind.patch
 rename patches/{openssl-1.0.1k/0009-shared-lib-ext.patch = 
openssl-1.0.2/0008-shared-lib-ext.patch} (70%)
 create mode 100644 patches/openssl-1.0.2/0009-libdoc-manpgs-pod-spell.patch
 create mode 100644 patches/openssl-1.0.2/0010-openssl-pod-misspell.patch
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/0011-block_diginotar.patch 
(65%)
 rename patches/{openssl-1.0.1k = 
openssl-1.0.2}/0012-block_digicert_malaysia.patch (77%)
 create mode 100644 patches/openssl-1.0.2/0013-Disable-the-freelist.patch
 rename patches/{openssl-1.0.1k = 
openssl-1.0.2}/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch 
(100%)
 rename patches/{openssl-1.0.1k = openssl-1.0.2}/series (65%)

diff --git a/patches/openssl-1.0.1k/0007-valgrind.patch 
b/patches/openssl-1.0.1k/0007-valgrind.patch
deleted file mode 100644
index 9ec92c4..000
--- a/patches/openssl-1.0.1k/0007-valgrind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Michael Olbrich m.olbr...@pengutronix.de
-Date: Sat, 10 Jan 2015 09:16:02 +0100
-Subject: [PATCH] valgrind
-
-Imported from openssl_1.0.1k-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich m.olbr...@pengutronix.de

- crypto/rand/md_rand.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
-index 888b4eb8dd0b..90ec46315f4d 100644
 a/crypto/rand/md_rand.c
-+++ b/crypto/rand/md_rand.c
-@@ -482,6 +482,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int 
pseudo, int lock)
-   MD_Update(m,(unsigned char *)(md_c[0]),sizeof(md_c));
- 
- #ifndef PURIFY /* purify complains */
-+#if 0
-   /* The following line uses the supplied buffer as a small
-* source of entropy: since this buffer is often uninitialised
-* it may cause programs such as purify or valgrind to
-@@ -491,6 +492,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int 
pseudo, int lock)
-*/
-   MD_Update(m,buf,j);
- #endif
-+#endif
- 
-   k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
-   if (k  0)
diff --git a/patches/openssl-1.0.1k/0008-rehash-crt.patch 
b/patches/openssl-1.0.1k/0008-rehash-crt.patch
deleted file mode 100644
index 2dbcaaf..000
--- a/patches/openssl-1.0.1k/0008-rehash-crt.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Michael Olbrich m.olbr...@pengutronix.de
-Date: Sat, 10 Jan 2015 09:16:02 +0100
-Subject: [PATCH] rehash-crt
-
-Imported from

[ptxdist] [PATCH] prelink: first boot warning

2015-06-18 Thread Bruno Thomsen
Running prelink with rc.once.d causes a first boot stall
of about 2 minutes on Freescale i.MX28 454MHz ARM9 processor.
This can be expensive if first device boot is during product
manufacturing (assembly, programming, configuration, test).

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/prelink.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/prelink.in b/rules/prelink.in
index 5d04fb0..1e06200 100644
--- a/rules/prelink.in
+++ b/rules/prelink.in
@@ -21,6 +21,7 @@ config PRELINK_RC_ONCE
help
  install a script that will be run on the first boot to
  prelink all programs and libraries.
+ warning! this can increase first boot with a few minutes!
 
 config PRELINK_SKIP_ON_NFSROOT
bool
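Review bot: The help line added under PRELINK_RC_ONCE ("warning! this can increase first boot with a few minutes!") is vague next to the commit message, which gives a measured figure (about 2 minutes on an i.MX28 at 454 MHz). Suggest a calmer, more specific wording such as "Note: this can add several minutes to the first boot on slow targets", so a BSP maintainer reading menuconfig knows when the option matters.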
-- 
1.9.1




Re: [ptxdist] automatic root-fs fsck at boottime with autorepair

2015-06-25 Thread Bruno Thomsen

Hi Marc,


> Just fyi in the syslog I found these lines:
>
> Apr 21 11:50:11 [..] [ 1.854104] EXT3-fs: barriers not enabled
> Apr 21 11:50:11 [..] [12.856129] kjournald starting.  Commit interval 5 seconds
> Apr 21 11:50:11 [..] [12.856223] EXT3-fs (mmcblk0p1): warning: maximal mount count reached, running e2fsck is recommended
> Apr 21 11:50:11 [..] [13.091387] EXT3-fs (mmcblk0p1): using internal journal
> Apr 21 11:50:11 [..] [13.091398] EXT3-fs (mmcblk0p1): recovery complete
> Apr 21 11:50:11 [..] [13.093917] EXT3-fs (mmcblk0p1): mounted filesystem with ordered data mode
>
> We just encountered an issue in a mysqld-logfile upon an unexpected power-off
> but this was actually not an issue of the filesystem. Anyway I thought a fsck
> might be helpful sometimes.

You are using the ext3 filesystem in an unsafe manner (default) that can cause 
data corruption.
Enable barriers and change data mode to journal. The downside to safety is 
lower R/W performance.

/Bruno



Re: [ptxdist] [PATCH] prelink: first boot warning

2015-06-19 Thread Bruno Thomsen
Hi Juergen,

>> Running prelink with rc.once.d causes a first boot stall of about 2
>> minutes on Freescale i.MX28 454MHz ARM9 processor.
>> This can be expensive if first device boot is during product
>> manufacturing (assembly, programming, configuration, test).

> Using a recent linker, the prelink becomes redundant. It is already done
> when the linker hash-style is set to gnu (which is the default in a recent
> PTXdist).
> Or did you still see improvements with or without the pre-link step and
> that's why you are still using this feature?

The feature was enabled by mistake during a ptxdist upgrade from 2012.04 (TQ 
BSP 0101) to 2013.12 (TQ BSP 0109).
Normally I cherry-pick rule upgrades rather than doing full ptxdist upgrade, 
since it's easier to maintain auto build servers, if they only need to do a 
source checkout.
We don't see any noticeable app start improvements. But disabling prelink 
results in a significantly lower product production time.

/Bruno


[ptxdist] [PATCHv2 1/2] strongswan: version bump 5.2.2 - 5.3.2

2015-07-01 Thread Bruno Thomsen
This fixes the EAP or PSK IKEv2 authentication vulnerability aka CVE-2015-4171.
Added new configure options: aesni, connmark, forecast, ruby-gems and 
python-eggs.
Removed obsolete unit-tester option.

Version 2:
Disabled configure options: ruby-gems-install, python-eggs-install and files.
Fixed typo in subject.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 5e4a76d..2cc0a69 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION := 5.2.2
-STRONGSWAN_MD5 := 7ee1a33060b2bde35be0f6d78a1d26d0
+STRONGSWAN_VERSION := 5.3.2
+STRONGSWAN_MD5 := fab014be1477ef4ebf9a765e10f8802c
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
 STRONGSWAN_URL := 
http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
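Review bot: In the "Paths and names" hunk the tarball for a release that fixes CVE-2015-4171 is still fetched from http://download.strongswan.org/ and checked only against STRONGSWAN_MD5, so nothing in the rule authenticates the archive that carries the fix. Suggest switching STRONGSWAN_URL to https in the same bump, and stating in the commit message where the new MD5 value was taken from.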
@@ -43,6 +43,7 @@ STRONGSWAN_CONF_OPT   := \
--disable-blowfish \
--disable-md4 \
--enable-md5 \
+   --disable-aesni \
--enable-sha1 \
--enable-sha2 \
--enable-fips-prf \
@@ -80,7 +81,6 @@ STRONGSWAN_CONF_OPT   := \
--disable-sql \
--disable-leak-detective \
--disable-lock-profiler \
-   --disable-unit-tester \
--disable-load-tester \
--disable-dnscert \
--disable-eap-sim \
@@ -170,6 +170,8 @@ STRONGSWAN_CONF_OPT := \
--disable-lookip \
--disable-error-notify \
--disable-certexpire \
+   --disable-connmark \
+   --disable-forecast \
--disable-systime-fix \
--disable-led \
--disable-duplicheck \
@@ -178,8 +180,12 @@ STRONGSWAN_CONF_OPT:= \
--disable-monolithic \
--disable-bfd-backtraces \
--disable-unwind-backtraces \
+   --disable-ruby-gems \
+   --disable-ruby-gems-install \
+   --disable-python-eggs \
+   --disable-python-eggs-install \
+   --disable-files \
--disable-coverage \
-   --disable-unit-tester \
--disable-tkm \
--disable-defaults \
--enable-dependency-tracking \
-- 
2.1.4




[ptxdist] [PATCHv2 2/2] strongswan: removed md5 hash and des encryption support.

2015-07-01 Thread Bruno Thomsen
Removed legacy crypto support.

Version 2: no changes.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 2cc0a69..9a9dd40 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -39,10 +39,10 @@ STRONGSWAN_CONF_OPT := \
--disable-soup \
--disable-ldap \
--enable-aes \
-   --enable-des \
+   --disable-des \
--disable-blowfish \
--disable-md4 \
-   --enable-md5 \
+   --disable-md5 \
--disable-aesni \
--enable-sha1 \
--enable-sha2 \
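Review bot: The message body says only "Removed legacy crypto support" and does not document the interoperability effect of the two switches flipped in this hunk. With --disable-des and --disable-md5, a peer whose proposals rely on those algorithms will no longer negotiate, while --enable-sha1 stays on in the context lines. Suggest naming the dropped algorithms in the body and adding a sentence for BSP users who must talk to older gateways, so the change is not discovered in the field.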
@@ -205,14 +205,12 @@ STRONGSWAN_PLUGINS := \
libstrongswan-attr.so \
libstrongswan-cmac.so \
libstrongswan-constraints.so \
-   libstrongswan-des.so \
libstrongswan-dnskey.so \
libstrongswan-fips-prf.so \
libstrongswan-gcm.so \
libstrongswan-gmp.so \
libstrongswan-hmac.so \
libstrongswan-kernel-netlink.so \
-   libstrongswan-md5.so \
libstrongswan-nonce.so \
libstrongswan-pem.so \
libstrongswan-pgp.so \
-- 
2.1.4




[ptxdist] [PATCH 2/2] strongswan: removed md5 hash and des encryption support.

2015-06-29 Thread Bruno Thomsen
Removed legacy crypto support.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 5005930..3c102a7 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -39,10 +39,10 @@ STRONGSWAN_CONF_OPT := \
--disable-soup \
--disable-ldap \
--enable-aes \
-   --enable-des \
+   --disable-des \
--disable-blowfish \
--disable-md4 \
-   --enable-md5 \
+   --disable-md5 \
--disable-aesni \
--enable-sha1 \
--enable-sha2 \
@@ -202,14 +202,12 @@ STRONGSWAN_PLUGINS := \
libstrongswan-attr.so \
libstrongswan-cmac.so \
libstrongswan-constraints.so \
-   libstrongswan-des.so \
libstrongswan-dnskey.so \
libstrongswan-fips-prf.so \
libstrongswan-gcm.so \
libstrongswan-gmp.so \
libstrongswan-hmac.so \
libstrongswan-kernel-netlink.so \
-   libstrongswan-md5.so \
libstrongswan-nonce.so \
libstrongswan-pem.so \
libstrongswan-pgp.so \
-- 
2.1.4




[ptxdist] [PATCH 1/2] strognswan: version bump 5.2.2 - 5.3.2

2015-06-29 Thread Bruno Thomsen
This fixes the EAP or PSK IKEv2 authentication vulnerability aka CVE-2015-4171.
Added new configure options: aesni, connmark, forecast, ruby-gems and 
python-eggs.
Removed obsolete unit-tester option.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 5e4a76d..5005930 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION := 5.2.2
-STRONGSWAN_MD5 := 7ee1a33060b2bde35be0f6d78a1d26d0
+STRONGSWAN_VERSION := 5.3.2
+STRONGSWAN_MD5 := fab014be1477ef4ebf9a765e10f8802c
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
 STRONGSWAN_URL := 
http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -43,6 +43,7 @@ STRONGSWAN_CONF_OPT   := \
--disable-blowfish \
--disable-md4 \
--enable-md5 \
+   --disable-aesni \
--enable-sha1 \
--enable-sha2 \
--enable-fips-prf \
@@ -80,7 +81,6 @@ STRONGSWAN_CONF_OPT   := \
--disable-sql \
--disable-leak-detective \
--disable-lock-profiler \
-   --disable-unit-tester \
--disable-load-tester \
--disable-dnscert \
--disable-eap-sim \
@@ -170,6 +170,8 @@ STRONGSWAN_CONF_OPT := \
--disable-lookip \
--disable-error-notify \
--disable-certexpire \
+   --disable-connmark \
+   --disable-forecast \
--disable-systime-fix \
--disable-led \
--disable-duplicheck \
@@ -178,8 +180,9 @@ STRONGSWAN_CONF_OPT := \
--disable-monolithic \
--disable-bfd-backtraces \
--disable-unwind-backtraces \
+   --disable-ruby-gems \
+   --disable-python-eggs \
--disable-coverage \
-   --disable-unit-tester \
--disable-tkm \
--disable-defaults \
--enable-dependency-tracking \
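Review bot: This hunk adds --disable-ruby-gems and --disable-python-eggs ahead of --disable-coverage, but the list ends in --disable-defaults and otherwise spells every option out, and the related ruby-gems-install and python-eggs-install switches are not listed. Suggest disabling those explicitly as well, so that a build host with Ruby or Python installed cannot change what gets built or installed.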
-- 
2.1.4




Re: [ptxdist] OpenSSH patches

2015-07-07 Thread Bruno Thomsen
Hey Clemens,

> what do you think about my recent OpenSSH patches (not the version bumps) but
> enabling the sandbox per default (to use seccomp if available) and the switch
> from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519
> pubkeys by default and add them as HostKey to sshd_config.
> They keep DSA and ECDSA but as they fall apart completely if the random
> numbers used are not good, I am not sure this is a good idea for embedded
> systems where entropy is often very scarce. Ed25519 is not that sensitive to
> entropy problems.

I agree, when possible we should use ed25519. Adam Langley blog entry[1].

/Bruno

[1] https://www.imperialviolet.org/2013/06/15/suddendeathentropy.html



Re: [ptxdist] [PATCH 1/2] strognswan: version bump 5.2.2 - 5.3.2

2015-06-30 Thread Bruno Thomsen

> typo in comment subject: strognswan = strongswan

Damn, so close :)

/Bruno


Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

2015-08-03 Thread Bruno Thomsen
Hi Michael,

> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to
> download them all.
> And the first step must be to support checking md5 or sha256, whichever is
> available. We still need md5 so we don't break BSPs with local packages
> during the transition.

>> Sounds like a good idea, but then I would prefer that 2-3 ppl run the
>> script, just to make sure different proxies are used.

> While this is a nice idea, this only works for the existing packages. I can't
> do the same for new packages or new versions of existing packages.

I don't expect we do this for new packages, only on existing due to the sheer 
number of packages.

> So far the checksum has only been a protection against broken archives or
> stupid upstream. It is not a security feature. If we change that, then we
> need a way to verify, that the initial checksums are correct. I don't know
> how I can do that for new packages.

Ideally all upstream packages should include a SHA256 hash when they are 
releasing new versions.
Unfortunately we can't change the whole world in a day :)
So continue with the current way of manual download and hash, but also include 
audit information about download URL (in case of mirrors) and date of download.

Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules


/Bruno



Re: [ptxdist] OPENSWAN IPSEC Configuration

2015-07-30 Thread Bruno Thomsen
Hi,

> I am looking for strongswan.make file.

You can find the newest upstream strongswan rule[1][2] in the pengutronix 
ptxdist git repository[3].


[1] 
http://git.pengutronix.de/?p=ptxdist.git;a=blob_plain;f=rules/strongswan.in;hb=HEAD
[2] 
http://git.pengutronix.de/?p=ptxdist.git;a=blob_plain;f=rules/strongswan.make;hb=HEAD
[3] http://git.pengutronix.de/?p=ptxdist.git;a=summary


/Bruno


Re: [ptxdist] FW: connman and ofono

2015-07-27 Thread Bruno Thomsen
Hi Thomas,

> does someone have some information about the use of ofono? I am wondering if
> no one else is using it?
> I appreciate your feedback!

> I am currently working on using ptxdist on a multi-interface hardware device
> (ethernet, wifi, gsm) and I setup connman to handle the ethernet and wifi
> portion (works up to a certain extent so far). Now I also want to include the
> gsm-modem into that and what I found is to use ofono for this. Is there a
> package available for ptxdist that provides the ofono support and interacts
> with connman for the connection management?

I use a custom in-house developed connection handler (Ethernet/GSM/VPN) since I 
could not find an open source that support headless setup, production config  
in-field reconfig.

/Bruno




Re: [ptxdist] OPENSWAN IPSEC Configuration

2015-07-22 Thread Bruno Thomsen
Hi Hardik,

> I am trying to add OPENSWAN package into development. I have referred the
> following to configure ptxdist.

Any reason you don't use Strongswan[1]?
It's actively maintained in ptxdist, and has good cipher suite support[2].

/Bruno

[1] https://strongswan.org/
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites



[ptxdist] [PATCH 10/13] util-linux-ng: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/util-linux-ng.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/util-linux-ng.make b/rules/util-linux-ng.make
index be5e528..9b48961 100644
--- a/rules/util-linux-ng.make
+++ b/rules/util-linux-ng.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_UTIL_LINUX_NG) += util-linux-ng
 #
 UTIL_LINUX_NG_VERSION  := 2.26.2
 UTIL_LINUX_NG_MD5  := 9bdf368c395f1b70325d0eb22c7f48fb
+UTIL_LINUX_NG_SHA256   := 
0e29bda142528a48a0a953c39ff63093651a4809042e1790fbd6aa8663fd9666
 UTIL_LINUX_NG  := util-linux-$(UTIL_LINUX_NG_VERSION)
 UTIL_LINUX_NG_SUFFIX   := tar.xz
 UTIL_LINUX_NG_URL  := $(call ptx/mirror, KERNEL, 
utils/util-linux/v$(basename 
$(UTIL_LINUX_NG_VERSION))/$(UTIL_LINUX_NG).$(UTIL_LINUX_NG_SUFFIX))
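Review bot: The commit body is empty, so there is no record of where the UTIL_LINUX_NG_SHA256 value came from. A hash computed from a locally downloaded tarball vouches only for that one download, so please add the source URL or mirror and the download date to the message. Keeping UTIL_LINUX_NG_MD5 next to the new line is right for as long as the build still checks MD5. The same applies to the other patches of this series.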
-- 
2.1.4




[ptxdist] [PATCH 11/13] usbutils: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/usbutils.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/usbutils.make b/rules/usbutils.make
index c34176d..c369fa4 100644
--- a/rules/usbutils.make
+++ b/rules/usbutils.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_USBUTILS) += usbutils
 #
 USBUTILS_VERSION   := 007
 USBUTILS_MD5   := c9df5107ae9d26b10a1736a261250139
+USBUTILS_SHA256:= 
7593a01724bbc0fd9fe48e62bc721ceb61c76654f1d7b231b3c65f6dfbbaefa4
 USBUTILS   := usbutils-$(USBUTILS_VERSION)
 USBUTILS_SUFFIX:= tar.xz
 USBUTILS_URL   := $(call ptx/mirror, KERNEL, 
utils/usb/usbutils/$(USBUTILS).$(USBUTILS_SUFFIX))
-- 
2.1.4




[ptxdist] [PATCH 12/13] libcoap: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/libcoap.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/libcoap.make b/rules/libcoap.make
index 9292ced..73d28de 100644
--- a/rules/libcoap.make
+++ b/rules/libcoap.make
@@ -18,6 +18,7 @@ PACKAGES-$(PTXCONF_LIBCOAP) += libcoap
 #
 LIBCOAP_VERSION:= 4.1.1
 LIBCOAP_MD5:= 2ab6daf1f187f02d25b77c39c2ecc56b
+LIBCOAP_SHA256 := 
20cd0f58434480aa7e97e93a66ffef4076921de9687b14bd29fbbf18621bd394
 LIBCOAP:= libcoap-$(LIBCOAP_VERSION)
 LIBCOAP_SUFFIX := tar.gz
 LIBCOAP_URL:= $(call ptx/mirror, SF, libcoap/$(LIBCOAP).$(LIBCOAP_SUFFIX))
-- 
2.1.4




[ptxdist] [PATCH 04/13] lighttpd: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/lighttpd.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/lighttpd.make b/rules/lighttpd.make
index 6fd6fff..5413b3b 100644
--- a/rules/lighttpd.make
+++ b/rules/lighttpd.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_LIGHTTPD) += lighttpd
 #
 LIGHTTPD_VERSION   := 1.4.35
 LIGHTTPD_MD5   := c7ae774eab4cb7ac85e41b712f4ee9ba
+LIGHTTPD_SHA256:= 
113e9b72ccbd1da5deb0774bf93cf0ca15dc82aad2da0f04e5ab27d37d3f30a3
 LIGHTTPD   := lighttpd-$(LIGHTTPD_VERSION)
 LIGHTTPD_SUFFIX:= tar.xz
 LIGHTTPD_URL   := 
http://download.lighttpd.net/lighttpd/releases-1.4.x/$(LIGHTTPD).$(LIGHTTPD_SUFFIX)
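Review bot: LIGHTTPD_URL in the context lines stays on http://download.lighttpd.net/, so adding LIGHTTPD_SHA256 does not yet protect the download: until the build actually compares the SHA256 value, the archive is covered only by LIGHTTPD_MD5 over an unauthenticated transport. Suggest moving the URL to https in this series where upstream offers it, as the strongswan rule already does; the iptables, sqlite, openssl and ntp patches keep http URLs too.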
-- 
2.1.4




[ptxdist] [PATCH 07/13] iptables: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/iptables.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/iptables.make b/rules/iptables.make
index 67917bd..9fc2714 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -21,6 +21,7 @@ PACKAGES-$(PTXCONF_IPTABLES) += iptables
 #
 IPTABLES_VERSION   := 1.4.21
 IPTABLES_MD5   := 536d048c8e8eeebcd9757d0863ebb0c0
+IPTABLES_SHA256:= 
52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0
 IPTABLES   := iptables-$(IPTABLES_VERSION)
 IPTABLES_SUFFIX:= tar.bz2
 IPTABLES_URL   := 
http://ftp.netfilter.org/pub/iptables/$(IPTABLES).$(IPTABLES_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH 05/13] sqlite: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/sqlite.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/sqlite.make b/rules/sqlite.make
index bd2ada0..f0cf330 100644
--- a/rules/sqlite.make
+++ b/rules/sqlite.make
@@ -22,6 +22,7 @@ PACKAGES-$(PTXCONF_SQLITE) += sqlite
 #
 SQLITE_VERSION := 3080801
 SQLITE_MD5 := a6381941ffe8817ba19669ec0c0ede6f
+SQLITE_SHA256  := 
2721361eb4a71d5f727dfa466bd910dadd5dbeb4d2d57b8b34205f7ce7e5b7f9
 SQLITE := sqlite-autoconf-$(SQLITE_VERSION)
 SQLITE_SUFFIX  := tar.gz
 SQLITE_URL := http://www.sqlite.org/2015/$(SQLITE).$(SQLITE_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH 03/13] strongswan: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 033deeb..2eceab9 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 STRONGSWAN_VERSION := 5.3.2
 STRONGSWAN_MD5 := fab014be1477ef4ebf9a765e10f8802c
+STRONGSWAN_SHA256  := 
a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
 STRONGSWAN_URL := 
https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH 01/13] libcurl: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/libcurl.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/libcurl.make b/rules/libcurl.make
index 2a2f7f9..4e044b5 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
 #
 LIBCURL_VERSION:= 7.43.0
 LIBCURL_MD5:= 11bddbb452a8b766b932f859aaeeed39
+LIBCURL_SHA256 := 
baa654a1122530483ccc1c58cc112fec3724a82c11c6a389f1e6a37dc8858df9
 LIBCURL:= curl-$(LIBCURL_VERSION)
 LIBCURL_SUFFIX := tar.bz2
 LIBCURL_URL:= 
https://github.com/bagder/curl/releases/download/curl-7_43_0/$(LIBCURL).$(LIBCURL_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH 02/13] openssl: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/openssl.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/openssl.make b/rules/openssl.make
index a50e64e..bf97a29 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -20,6 +20,7 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 OPENSSL_VERSION:= 1.0.2d
 OPENSSL_MD5:= 38dd619b2e77cbac69b99f52a053d25a
+OPENSSL_SHA256 := 
671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8
 OPENSSL:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL:= http://www.openssl.org/source/$(OPENSSL).$(OPENSSL_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH 08/13] net-snmp: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/net-snmp.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/net-snmp.make b/rules/net-snmp.make
index 7c4cb75..5d22a4b 100644
--- a/rules/net-snmp.make
+++ b/rules/net-snmp.make
@@ -20,6 +20,7 @@ PACKAGES-$(PTXCONF_NET_SNMP) += net-snmp
 #
 NET_SNMP_VERSION   := 5.7.3
 NET_SNMP_MD5   := d4a3459e1577d0efa8d96ca70a885e53
+NET_SNMP_SHA256:= 
12ef89613c7707dc96d13335f153c1921efc9d61d3708ef09f3fc4a7014fb4f0
 NET_SNMP   := net-snmp-$(NET_SNMP_VERSION)
 NET_SNMP_SUFFIX:= tar.gz
 NET_SNMP_URL   := $(call ptx/mirror, SF, 
net-snmp/$(NET_SNMP).$(NET_SNMP_SUFFIX))
-- 
2.1.4




[ptxdist] [PATCH 09/13] ntp: added sha256 secure hash of package

2015-07-17 Thread Bruno Thomsen
Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/ntp.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/ntp.make b/rules/ntp.make
index ba06543..9f48afe 100644
--- a/rules/ntp.make
+++ b/rules/ntp.make
@@ -19,6 +19,7 @@ PACKAGES-$(PTXCONF_NTP) += ntp
 #
 NTP_VERSION:= 4.2.6p5
 NTP_MD5:= 00df80a84ec9528fcfb09498075525bc
+NTP_SHA256 := 
d6ab8371f9d31e594eb6922823d5ccd03dcc4e9d84b0e23ea25ac1405432f91c
 NTP:= ntp-$(NTP_VERSION)
 NTP_SUFFIX := tar.gz
 NTP_URL:= 
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/$(NTP).$(NTP_SUFFIX)
-- 
2.1.4




[ptxdist] [PATCH] libcurl: version bump 7.38.0 - 7.43.0

2015-07-13 Thread Bruno Thomsen
Changed archive type from tar.gz to tar.bz2.
Changed download URL from http to https (official release @ github).

Added missing configure options.
Disabled: rtsp, pop3, imap, smb, smtp, gopher, ntlm-wb, proxy.
Without: winssl, darwinssl, winidn, polarssl, librtmp.
http2 support is disabled but kconfig option should be added when
required nghttp2 lib is added as package.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/libcurl.make | 22 ++
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/rules/libcurl.make b/rules/libcurl.make
index 822c584..2a2f7f9 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -17,11 +17,11 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
 #
 # Paths and names
 #
-LIBCURL_VERSION:= 7.38.0
-LIBCURL_MD5:= b6e3ea55bb718f2270489581efa50a8a
+LIBCURL_VERSION:= 7.43.0
+LIBCURL_MD5:= 11bddbb452a8b766b932f859aaeeed39
 LIBCURL:= curl-$(LIBCURL_VERSION)
-LIBCURL_SUFFIX := tar.gz
-LIBCURL_URL:= http://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
+LIBCURL_SUFFIX := tar.bz2
+LIBCURL_URL:= 
https://github.com/bagder/curl/releases/download/curl-7_43_0/$(LIBCURL).$(LIBCURL_SUFFIX)
 LIBCURL_SOURCE := $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
 LIBCURL_DIR:= $(BUILDDIR)/$(LIBCURL)
 LIBCURL_LICENSE:= MIT
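Review bot: The new LIBCURL_URL hard-codes the release tag "curl-7_43_0" while the file name is built from LIBCURL_VERSION, so the next version bump has to touch two places and a forgotten tag makes the download fail. Suggest deriving the tag from the version, for example curl-$(subst .,_,$(LIBCURL_VERSION)) in the URL path.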
@@ -44,29 +44,43 @@ LIBCURL_AUTOCONF := \
\
--disable-ldap \
--disable-ldaps \
+   --disable-rtsp \
--disable-dict \
--disable-telnet \
+   --disable-pop3 \
+   --disable-imap \
+   --disable-smb \
+   --disable-smtp \
+   --disable-gopher \
--disable-manual \
\
--disable-ares \
--disable-sspi \
+   --disable-ntlm-wb \
--disable-debug \
--disable-verbose \
\
--enable-thread \
--enable-nonblocking\
--enable-hidden-symbols \
+   --enable-proxy \
\
--without-krb4 \
--without-spnego \
--without-gssapi \
+   --without-winssl \
+   --without-darwinssl \
--without-gnutls \
--without-nss \
+   --without-winidn \
--without-libidn \
--without-axtls \
+   --without-polarssl \
--without-cyassl \
+   --without-librtmp \
\
--$(call ptx/endis, PTXCONF_LIBCURL_HTTP)-http \
+   --disable-nghttp2 \
--$(call ptx/endis, PTXCONF_LIBCURL_COOKIES)-cookies \
--$(call ptx/endis, PTXCONF_LIBCURL_FTP)-ftp \
--$(call ptx/endis, PTXCONF_LIBCURL_TFTP)-tftp \
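Review bot: The commit message lists proxy under "Disabled", but this hunk adds --enable-proxy after --enable-hidden-symbols. One of the two is wrong; please correct the message or the option so the log matches what is built.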
-- 
2.1.4




[ptxdist] [PATCHv2] dropbear: add authorized key directory

2015-07-13 Thread Bruno Thomsen
This directory (/root/.ssh) is needed when doing ssh login with pre-shared keys,
and it must be configured with correct permissions otherwise they will be 
rejected.

One-line psk setup (x.x.x.x = target):
cat ~/.ssh/id_ecdsa.pub | ssh root@x.x.x.x cat -  ~/.ssh/authorized_keys

v2:
Commit message cleanup.
Wrongly included OpenSSH one-liner; changed ed25519 to ecdsa.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/dropbear.make | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index a659114..9a510a4 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -316,6 +316,7 @@ endif
 endif
 
@$(call install_copy, dropbear, 0, 0, 0755, $(PTXCONF_DROPBEAR_KEY_DIR))
+   @$(call install_copy, dropbear, 0, 0, 0600, /root/.ssh)
 
@$(call install_finish, dropbear)
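Review bot: /root/.ssh is created with mode 0600, which leaves the directory without the search (x) bit, while the line above it uses 0755 for the key directory. The usual mode for this directory is 0700; suggest "@$(call install_copy, dropbear, 0, 0, 0700, /root/.ssh)". The directory is also installed unconditionally, including on images that do not use key-based root login, which may deserve its own option.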
 
-- 
2.1.4




[ptxdist] [PATCH] php5: version bump 5.5.26 - 5.5.27

2015-07-17 Thread Bruno Thomsen
Several bugs were fixed in this release as well as CVE-2015-3152 (keep Nessus 
happy).
Added SHA256 package hash in preparation for secure hash usage in ptxdist.
Added myself to credit as this is my 9th upstream php5 patch in the last 15 
months.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/php5.make | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index aed0237..0d8c85b 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2006-2008 by Robert Schwebel
 #   2009, 2012 by Marc Kleine-Budde m...@pengutronix.de
+#   2015 by Bruno Thomsen b...@kamstrup.com
 #
 # See CREDITS for details about who has contributed to this project.
 #
@@ -17,8 +18,9 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.5.26
-PHP5_MD5   := a3de70d115b8580e50c433f83691cfaf
+PHP5_VERSION   := 5.5.27
+PHP5_MD5   := 2efe7c087d7073bffa64e5d538f22711
+PHP5_SHA256:= 
7ee398058067a7d8184e402fcdccb25003852cb8dc94eefa3cda051a3e47fdd8
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.xz
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
-- 
2.1.4




Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

2015-07-20 Thread Bruno Thomsen

> what do you think about a script to replace all existing MD5 hashes with
> SHA256 instead of replacing all of them individually?

Okay, so you want to create a script that takes all rules; download the source; 
sha256sum; modify rule.

Sounds like a good idea, but then I would prefer that 2-3 ppl run the script, 
just to make sure different proxies are used.

/Bruno



[ptxdist] Generation of additional xz rootfs archive

2015-11-11 Thread Bruno Thomsen
Hi,

I am currently looking into the possibility of adding ptxdist generation of
a xz rootfs archive, as I thought the feature might be useful for others as
well.
Should it be added as a new script like ptxd_make_image_archive_impl
(image/archive) or implemented in C inside genimage (image/genimage)?

The goal is to optimize our firmware upgrade image size.
This could be done by switching from gz to xz rootfs which reduces size with
approx 35%.
The production firmware will still be using a gz rootfs archive.

I basically want to do the following command:
gzip -d < root.tgz | xz -9e > root.tar.xz


Compression level should be configurable so it can be adjusted to target
memory size.
Memory usage is approx 65MB during extraction of a -9 archive on an i.MX28
processor when using xz from Busybox.
In my testing the CompMem/DecMem listed in "man xz" seems to be valid for
embedded ARM Linux systems as well.


Otherwise this will just end as even more clutter in our custom build script
wrapper around ptxdist :)


/Bruno



[ptxdist] OpenSSL 1.0.2d security release announced

2015-07-08 Thread Bruno Thomsen

Hi Michael,


OpenSSL 1.0.2d security release due 9th July 2015[1].


[1] https://mta.openssl.org/pipermail/openssl-announce/2015-July/37.html


Venlig hilsen / Best regards
Kamstrup A/S http://kamstrup.com 
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
T: +45 89 93 10 00
D: +45 89 93 13 94

b...@kamstrup.com
kamstrup.com





Re: [ptxdist] OpenSSL 1.0.2d security release announced

2015-07-10 Thread Bruno Thomsen
Hi,

>> OpenSSL 1.0.2d security release due 9th July 2015[1].

> PTXdist master has the new version.

Thanks, we have pulled the update.

/Bruno


Re: [ptxdist] [PATCHv2 1/2] strongswan: version bump 5.2.2 - 5.3.2

2015-07-07 Thread Bruno Thomsen
Hi Christoph,

   STRONGSWAN_URL := 
  http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)

> Changing here to https to get this security related package would be nice.

Yes, I just tested https and it works flawlessly.
I will send it as a new patch so it's highlighted in ptxdist short log, that 
packages should preferably be downloaded from https/ftps urls.

> By the way, is there any work in the pipe to get PGP-Signature verification 
> into ptxdist instead of md5summing? 

Yes, PGP-signature verification could be nice. Would you bundle all public keys 
in ptxdist git repo?

An easy stepping stone could be to add SHA256 hash support in ptxdist. 

Pseudo code:
    if STRONGSWAN_SHA256 exist:
        hash = sha256sum STRONGSWAN_SOURCE
        return (hash == STRONGSWAN_SHA256)
    else
        hash = md5sum STRONGSWAN_SOURCE
        return (hash == STRONGSWAN_MD5)


After looking at how the md5 hash check is performed, I think it's easier to 
add sha256 hashes to all rules and then change hash function.

/Bruno
-- 
ptxdist mailing list
ptxdist@pengutronix.de
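
An added example (not part of the original message and not ptxdist code) of the check sketched in the pseudo code above: verify a source archive against a SHA256 value when the rule defines one, and fall back to MD5 only when it does not. The function names, the return-code convention and the constructed 3-byte sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; verify_source and hash_of are hypothetical helpers,
# not ptxdist functions.

# Print the lowercase hex digest of FILE using ALGO (sha256 or md5).
hash_of() {
    case "$1" in
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        md5)    md5sum "$2" | cut -d' ' -f1 ;;
        *)      return 2 ;;
    esac
}

# verify_source FILE SHA256 MD5   (pass "" for a checksum the rule lacks)
# Return codes (assumed convention):
#   0  archive matches the SHA256 value
#   3  archive matches the MD5 value only; caller should flag the rule as weak
#   1  mismatch or missing file
#   2  the rule defines no checksum at all
verify_source() {
    vs_file=$1
    vs_sha256=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vs_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    [ -f "$vs_file" ] || return 1

    if [ -n "$vs_sha256" ]; then
        # A defined SHA256 is authoritative. On mismatch we stop here and do
        # not retry with MD5, otherwise the weak hash could still accept a
        # tampered archive.
        [ "$(hash_of sha256 "$vs_file")" = "$vs_sha256" ] && return 0
        return 1
    fi

    if [ -n "$vs_md5" ]; then
        [ "$(hash_of md5 "$vs_file")" = "$vs_md5" ] && return 3
        return 1
    fi

    return 2
}

# Constructed sample: a 3-byte file standing in for a downloaded tarball.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
DEMO_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
DEMO_MD5=900150983cd24fb0d6963f7d28e17f72

rc=0; verify_source "$demo_file" "$DEMO_SHA256" "$DEMO_MD5" || rc=$?
echo "SHA256 defined and matching:  rc=$rc"
rc=0; verify_source "$demo_file" "" "$DEMO_MD5" || rc=$?
echo "MD5 only (legacy rule):       rc=$rc"
rc=0; verify_source "$demo_file" "${DEMO_SHA256%?}0" "$DEMO_MD5" || rc=$?
echo "wrong SHA256, correct MD5:    rc=$rc"
rm -f "$demo_file"
```

The distinct return code for an MD5-only match lets a build wrapper list the rules that still need a SHA256 value while they are being migrated.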


[ptxdist] [PATCH] strongswan: secure download url (http - https)

2015-07-07 Thread Bruno Thomsen
Downloading the package source from an insecure location and using an insecure 
hash (md5) would allow a malicious proxy to inject vulnerabilities.
The build system would be unable to detect it.

Signed-off-by: Bruno Thomsen b...@kamstrup.com
---
 rules/strongswan.make | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 9a9dd40..033deeb 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -21,7 +21,7 @@ STRONGSWAN_VERSION:= 5.3.2
 STRONGSWAN_MD5 := fab014be1477ef4ebf9a765e10f8802c
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
-STRONGSWAN_URL := 
http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
+STRONGSWAN_URL := 
https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_SOURCE  := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_DIR := $(BUILDDIR)/$(STRONGSWAN)
 STRONGSWAN_LICENSE := GPL
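
Review bot: STRONGSWAN_MD5 in the first context line of this hunk is still the only integrity check on the tarball, so the insecure hash named in the commit message stays in place after this change; say in the commit message that https only closes the transport half, or follow up with a stronger checksum. Both STRONGSWAN_URL lines are also wrapped after `:=`, so the patch will not apply as posted; resend it with the URL on the same line as the assignment.
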
-- 
2.1.4




Re: [ptxdist] Booting kernel crashes when using OSELAS.Toolchain-2014.12.1 for ARMv5TE

2015-08-26 Thread Bruno Thomsen
Hi

> > I've applied both patches to my kernel source tree and now the kernel 
> > is starting!
>
> \o/

FYI..

I have just upgraded to OSELAS.Toolchain-2014.12.1 for an ARM926EJ-S (ARMv5TEJ) 
based system and Linux kernel 3.14 works.

/Bruno


Re: [ptxdist] PTXdist variables

2015-08-25 Thread Bruno Thomsen
Hi Jan-Marc,

> Is there a deterministic way to obtain the list of existent variables for a 
> project?

ptxdist bash printenv

/Bruno


[ptxdist] [PATCH] php5: version bump 5.5.27 -> 5.5.30

2015-12-11 Thread Bruno Thomsen
Fixes multiple vulnerabilities:
5.5.28: CVE-2015-6833, CVE-2015-6832, CVE-2015-6831.
5.5.29: CVE-2015-6834, CVE-2015-6835, CVE-2015-6836,
CVE-2015-6837, CVE-2015-6838.
5.5.30: CVE-2015-7803, CVE-2015-7804.

Signed-off-by: Bruno Thomsen <b...@kamstrup.com>
---
 rules/php5.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/php5.make b/rules/php5.make
index 98fc788..cc9dc8e 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_PHP5) += php5
 #
 # Paths and names
 #
-PHP5_VERSION   := 5.5.27
-PHP5_MD5   := 2efe7c087d7073bffa64e5d538f22711
+PHP5_VERSION   := 5.5.30
+PHP5_MD5   := ef6d848756ea9d19b7a7e1a9d824d7c1
 PHP5   := php-$(PHP5_VERSION)
 PHP5_SUFFIX:= tar.xz
 PHP5_SOURCE:= $(SRCDIR)/$(PHP5).$(PHP5_SUFFIX)
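
Review bot: Only PHP5_VERSION and PHP5_MD5 change here and the diffstat lists rules/php5.make alone, so any patch series stored under the 5.5.27 version name would not follow the bump; please confirm whether one exists and move or drop it in the same commit. The per-release CVE list in the commit message is useful and should stay.
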
-- 
2.1.4



Re: [ptxdist] [PATCHv7] linux-pam: this patch add Linux-PAM support to ptxdist

2015-12-10 Thread Bruno Thomsen
Hi Oliver

> On 22/10/15, Oliver Graute wrote:
> > this patch add Linux-PAM support to ptxdist
>
> some feedback to this patch?

Good job, I had PAM support in my backlog and now I can just use your work :)

/Bruno



Re: [ptxdist] [PATCH] lighttpd: upgrade from 1.4.38 to 1.4.39

2016-01-12 Thread Bruno Thomsen
Hi,

> According to http://www.lighttpd.net/2016/1/2/1.4.39/ this fixes crashes 
> introduced in 1.4.36.
>
> Signed-off-by: Alexander Dahl <p...@lespocky.de>

No issues observed with lighttpd-1.4.39 when used in combination with 
php-5.5.30, sqlite-3.9.2.0 & openssl-1.0.2e.

Tested-by: Bruno Thomsen <b...@kamstrup.com>


/Bruno

[ptxdist] [PATCH] Busybox: fixed inverted BUSYBOX_DESKTOP for ps

2016-01-22 Thread Bruno Thomsen
Currently you have to choose between -o options and -l/-w options.

This patch makes it possible to enable all advanced ps features
when the BUSYBOX_DESKTOP flag is enabled.

Signed-off-by: Bruno Thomsen <b...@kamstrup.com>
---
 config/busybox/procps/Config.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/busybox/procps/Config.in b/config/busybox/procps/Config.in
index 56b9150..a8f9e13 100644
--- a/config/busybox/procps/Config.in
+++ b/config/busybox/procps/Config.in
@@ -205,7 +205,7 @@ config BUSYBOX_PS
 config BUSYBOX_FEATURE_PS_WIDE
bool "Enable wide output option (-w)"
default y
-   depends on BUSYBOX_PS && !BUSYBOX_DESKTOP
+   depends on BUSYBOX_PS && BUSYBOX_DESKTOP
help
  Support argument 'w' for wide output.
  If given once, 132 chars are printed, and if given more
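
Review bot: Replacing `!BUSYBOX_DESKTOP` with `BUSYBOX_DESKTOP` in the `depends on` line of BUSYBOX_FEATURE_PS_WIDE does more than the commit message says: -w becomes selectable with the desktop flag, but it also disappears from every configuration that has BUSYBOX_DESKTOP disabled, and because of `default y` those builds lose the option silently. If the intent is to allow it in both cases, drop the DESKTOP term and use `depends on BUSYBOX_PS`; otherwise state the removal in the commit message.
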
@@ -214,7 +214,7 @@ config BUSYBOX_FEATURE_PS_WIDE
 config BUSYBOX_FEATURE_PS_LONG
bool "Enable long output option (-l)"
default y
-   depends on BUSYBOX_PS && !BUSYBOX_DESKTOP
+   depends on BUSYBOX_PS && BUSYBOX_DESKTOP
help
  Support argument 'l' for long output.
  Adds fields PPID, RSS, START, TIME & TTY
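
Review bot: The same inversion on BUSYBOX_FEATURE_PS_LONG needs evidence that the ps built with BUSYBOX_DESKTOP actually honours -l; the commit message does not say how this was tested. Please add the ps invocation and the output you checked (fields PPID, RSS, START, TIME and TTY per the help text) with the flag enabled.
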
-- 
2.1.4



Re: [ptxdist] [PATCH 0/6] OSELAS.Toolchain host tool version bumps

2016-02-18 Thread Bruno Thomsen
> > >
> > > What is the status of the new oselas toolchain?
> > > We're concerned about CVE-2015-7547 (google it), which is fixed in
> > > glibc-2.23
> >
> > I second the concerns, a "official" ptxdist toolchain update would be nice.

+1

>
> The patches have already been backported and Michael is testing the toolchain 
> updates.

Do you have an approx. ETA on the new toolchain? Are we talking weeks or months?


Venlig hilsen / Best regards
Kamstrup A/S
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
T: +45 89 93 10 00
D: +45 89 93 13 94

b...@kamstrup.com
kamstrup.com

[ptxdist] dtc: multiple dts causes sporadic missing separator error

2016-07-15 Thread Bruno Thomsen
Hi,

I am having problems with sporadic missing separator error when configuring 
PTXdist (2015.10.0) with multiple device tree sources.
When PTXdist ends up in this state it's unable to work on any packages 
(clean/targetinstall) except clean all.
I added the extra device tree source after upgrading to 2015.10.0 so I don't 
know if it's a regression or something new.
Has anyone else experienced this issue?


Build output error:
---
For a proper NFS-root environment, some device nodes are essential.
In order to create them root privileges are required.
---

(Please press enter to start 'sudo' to gain root privileges.)

WARNING: NFS-root might not be working correctly!

/home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/dtc.imx28-omnicon.dts.deps:10:
 *** missing separator.  Stop.


PTXdist configuration:
Symbol: DTC_OFTREE_DTS [=imx28-omnicon.dts imx28-omnicon-2gen.dts]


Unable to clean that or other packages when PTXdist is in this state:
bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ ./p clean dtc
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/dtc.imx28-omnicon.dts.deps:10:
 *** missing separator.  Stop.
bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ ./p clean libcurl
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/dtc.imx28-omnicon.dts.deps:10:
 *** missing separator.  Stop.
bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ ./p targetinstall dtc
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/dtc.imx28-omnicon.dts.deps:10:
 *** missing separator.  Stop.


State of dtc package:
bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ ll platform-tqma28/state/dtc.*
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.compile
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.extract
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.extract.post
-rw-rw-r--. 1 bth bth    0 Jul 15 10:08 platform-tqma28/state/dtc.get
-rw-rw-r--. 1 bth bth 1127 Jul 15 10:12 platform-tqma28/state/dtc.imx28-omnicon-2gen.dts.deps
-rw-rw-r--. 1 bth bth 1888 Jul 15 10:12 platform-tqma28/state/dtc.imx28-omnicon.dts.deps
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.install
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.install.pack
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.install.post
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.prepare
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.targetinstall
-rw-rw-r--. 1 bth bth    0 Jul 15 10:12 platform-tqma28/state/dtc.targetinstall.post


bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ cat platform-tqma28/state/dtc.imx28-omnicon-2gen.dts.deps 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/images/imx28-omnicon-2gen.dtb:
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28-omnicon-2gen.dts)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28-tqma28.dtsi)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28.dtsi)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/include/dt-bindings/gpio/gpio.h)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/skeleton.dtsi)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28-pinfunc.h)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/mxs-pinfunc.h)
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/images/imx28-omnicon-2gen.dtb:
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/imx28-omnicon-2gen.dts.tmp)


bth at tinypenguin in ~/sandbox/penguin/ptxdist on build_system▲
$ cat platform-tqma28/state/dtc.imx28-omnicon.dts.deps 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/images/imx28-omnicon.dtb: \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28-omnicon.dts)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28-tqma28.dtsi)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/imx28.dtsi)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/include/dt-bindings/gpio/gpio.h)
 \
 $(wildcard 
/home/bth/sandbox/penguin/ptxdist/platform-tqma28/build-target/linux-4.1/arch/arm/boot/dts/skeleton.dtsi)
 \
 $(wildcard 

Re: [ptxdist] dtc: multiple dts causes sporadic missing separator error

2016-07-15 Thread Bruno Thomsen

Hi Michael,

> > /home/bth/sandbox/penguin/ptxdist/platform-tqma28/state/dtc.imx28-omnicon.dts.deps:10:
> >  *** missing separator.  Stop.
>
> This is a known issue and fixed since PTXdist 2016.01.0. The relevant
> commit is b206b09665e3c6a052228eb3f976f511c3a41d83 ("ptxd_make_dts_dtb: fix
> parallel building").

Thanks, I will apply that fix for now.



Venlig hilsen / Best regards

Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
T: +45 89 93 10 00
D: +45 89 93 13 94

b...@kamstrup.com
kamstrup.com


[ptxdist] [PATCHv2] php5: enable support for the phar extension.

2016-06-27 Thread Bruno Thomsen
Hi

This updated patch was never sent by Kalle before he completed
his internship and was hired by another department in the company.

He found that the Phar extension does not work in CLI mode
so this combination is now disabled.
In our use-case it's used in CGI mode for on-the-fly compression
of multiple files before download from a web interface.



[ptxdist] [PATCH] php5: enable support for the phar extension.

2016-06-27 Thread Bruno Thomsen
v2:
- use ptx/endis
- phar extension is broken in cli.

Signed-off-by: Bruno Thomsen <b...@kamstrup.com>
Signed-off-by: Kalle Ladefoged Pedersen <k...@kamstrup.com>
---
 rules/php5.in   | 11 +++
 rules/php5.make |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/rules/php5.in b/rules/php5.in
index d2f7baa..a9286e4 100644
--- a/rules/php5.in
+++ b/rules/php5.in
@@ -289,6 +289,17 @@ config PHP5_EXT_PEAR
help
  pear
 
+config PHP5_EXT_PHAR
+   bool
+   prompt "phar"
+   depends on !PHP5_SAPI_CLI
+   help
+ The phar extension provides a way to put entire PHP applications
+ into a single file called "phar" (PHP Archive) for easy
+ distribution and installation. The phar extension also provides
+ a file-format abstraction method for creating and manipulating
+ tar and zip files through the PharData class.
+
 endmenu
 
 endif
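
Review bot: `depends on !PHP5_SAPI_CLI` hides PHP5_EXT_PHAR whenever the CLI SAPI is selected, but the help text gives no reason, so a user who enables CLI will not learn why phar vanished; add a sentence to the help (the v2 note says the extension is broken in CLI) or a comment above the option. The symbol has no `default`, so existing configurations keep the previous --disable-phar behaviour, which is the right choice for an optional archive handler.
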
diff --git a/rules/php5.make b/rules/php5.make
index cc9dc8e..33e842c 100644
--- a/rules/php5.make
+++ b/rules/php5.make
@@ -48,7 +48,7 @@ PHP5_CONF_ENV := \
 #
 PHP5_AUTOCONF := \
$(CROSS_AUTOCONF_USR) \
-   --disable-phar \
+   --$(call ptx/endis, PTXCONF_PHP5_EXT_PHAR)-phar \
--with-config-file-path=/etc/php5 \
--enable-opcache=no \
--without-iconv
-- 
2.5.0



Re: [ptxdist] [ANNOUNCE] OSELAS.Toolchain() 2016.06.0 released

2016-06-28 Thread Bruno Thomsen

Hi,

I had the same compile issue on a Fedora 23 host but got Michael's patch working 
with a minor ")" tweak.
Attached working patch just in case somebody stumbles across the same issue.

/Bruno


diff --git a/rules/cross-gcc.make b/rules/cross-gcc.make
index 00da7a0..068447c 100644
--- a/rules/cross-gcc.make
+++ b/rules/cross-gcc.make
@@ -193,8 +193,10 @@ $(STATEDIR)/cross-gcc.install: $(STATEDIR)/cross-gcc.report
done
 
@find $(PTXCONF_SYSROOT_CROSS) -name "*.la" -print0 | xargs -0 rm -v -f
+ifneq ($(call remove_quotes, $(PTXCONF_DESTDIR)),)
sed -i -e 's;$(call remove_quotes,$(PTXCONF_DESTDIR));;' \

$(PTXCONF_SYSROOT_CROSS)/lib/gcc/$(PTXCONF_GNU_TARGET)/$(CROSS_GCC_VERSION)/install-tools/mkheaders.conf
+endif
 
@$(call touch)
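
Review bot: The new `ifneq` guard calls `$(call remove_quotes, $(PTXCONF_DESTDIR))` with a space after the comma, while the sed line it protects uses `$(call remove_quotes,$(PTXCONF_DESTDIR))` without one; make keeps whitespace in call arguments, so spell the guard the same way as the sed expression to be sure both evaluate to the same string. The sed command and the mkheaders.conf path are also separated by an empty line here, so the backslash continuation is broken as posted.
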


[ptxdist] host-ncurses on Fedora 26

2017-07-25 Thread Bruno Thomsen
Hi,

Just a little FYI :)
host-ncurses version 5.9 does not compile with GCC 7.1.1 that Fedora 26 ships. 
I don't have the time ATM to create a proper rule patch.

ncurses-5.9 patch series is no longer needed and here is a rule diff.

diff --git a/rules/ncurses.make 
b/usr/local/lib/ptxdist-2017.07.0/rules/ncurses.make
index ee8a611..25341cb 100644
--- a/rules/ncurses.make
+++ b/usr/local/lib/ptxdist-2017.07.0/rules/ncurses.make
@@ -15,9 +15,9 @@ PACKAGES-$(PTXCONF_NCURSES) += ncurses
 #
 # Paths and names
 #
-NCURSES_VERSION:= 6.0
+NCURSES_VERSION:= 5.9
 NCURSES_MAJOR  := $(word 1,$(subst ., ,$(NCURSES_VERSION)))
-NCURSES_MD5:= ee13d052e1ead260d7c28071f46eefb1
+NCURSES_MD5:= 8cb9c412e5f2d96bc6f459aa8c6282a1
 NCURSES:= ncurses-$(NCURSES_VERSION)
 NCURSES_SUFFIX := tar.gz
 NCURSES_URL:= $(call ptx/mirror, GNU, ncurses/$(NCURSES).$(NCURSES_SUFFIX))
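
Review bot: The diff direction is reversed: the `-` lines carry NCURSES_VERSION 6.0 and the `+` lines 5.9, because the local rules/ncurses.make was used as the old side and the installed ptxdist-2017.07.0 rule as the new side. Applied as posted it would move the rule from 6.0 back to 5.9; regenerate it with the installed rule as `a/` so that the bump reads 5.9 to 6.0.
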
@@ -25,7 +25,7 @@ NCURSES_SOURCE:= 
$(SRCDIR)/$(NCURSES).$(NCURSES_SUFFIX)
 NCURSES_DIR:= $(BUILDDIR)/$(NCURSES)
 NCURSES_LICENSE:= MIT
 NCURSES_LICENSE_FILES  := \
-   
file://include/curses.h.in;startline=2;endline=26;md5=d74c4dc9413785675043431309dfbea0
+   
file://include/curses.h.in;startline=2;endline=26;md5=3d0f6ef3745ae794471d5c62b7deb9c3
 
 # 
 # Prepare
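
Review bot: The NCURSES_LICENSE_FILES checksum changes while `startline=2;endline=26` stays the same, so please confirm that lines 2 to 26 of include/curses.h.in in the new release still cover the complete license header and that NCURSES_LICENSE MIT still matches it. Both `file://` entries are wrapped onto a line of their own, which needs fixing before this can become a rule patch.
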



There are a lot of new configure options.

$ /usr/local/lib/ptxdist-2017.07.0/scripts/configure_helper.py --new-src 
platform-tqma28/build-target/ncurses-6.0/ --old-src 
platform-tqma28/build-target/ncurses-5.9/
--- ncurses-5.9
+++ ncurses-6.0
@@ -1,15 +1,18 @@
--with-rel-version=XXX
--with-abi-version=XXX
--with-system-type=XXX
+   --without-ada
--without-cxx
--without-cxx-binding
-   --without-ada
+   --disable-db-install
--without-manpages
--without-progs
--without-tests
--without-curses-h
--with-pkg-config{=path}
+   --with-pkg-config-libdir=XXX
--enable-pc-files
+   --with-pc-suffix
--enable-mixed-case
--with-build-cc=XXX
--with-build-cpp=XXX
@@ -22,6 +25,7 @@
--with-normal
--with-debug
--with-profile
+   --with-cxx-shared
--with-termlib
--with-ticlib
--with-gpm
@@ -30,12 +34,18 @@
--enable-rpath
--disable-relink
--with-shlib-version=X
+   --with-libtool-opts=XXX
+   --with-export-syms=XXX
+   --with-versioned-syms=X
+   --disable-lib-suffixes
--disable-rpath-hack
+   --with-extra-suffix=X
--disable-overwrite
--disable-database
--with-hashed-db
--with-fallbacks=XXX
--without-xterm-new
+   --with-xterm-kbs=XXX
--with-terminfo-dirs=XXX
--with-default-terminfo-dir=DIR
--disable-big-core
@@ -60,6 +70,7 @@
--with-ospeed=TYPE
--with-mmask-t=TYPE
--with-ccharw-max=XXX
+   --with-tparm-arg=TYPE
--with-rcs-ids
--with-manpage-format
--with-manpage-renames
@@ -72,6 +83,7 @@
--enable-const
--enable-ext-colors
--enable-ext-mouse
+   --enable-ext-putwin
--enable-no-padding
--enable-signed-char
--enable-sigwinch
@@ -90,8 +102,9 @@
--enable-safe-sprintf
--disable-scroll-hints
--enable-wgetch-events
-   --enable-echo
+   --disable-echo
--enable-warnings
+   --enable-string-hacks
--enable-assertions
--with-dmalloc
--with-dbmalloc
@@ -100,7 +113,8 @@
--enable-expanded
--disable-macros
--with-trace
+   --disable-gnat-projects
--with-ada-compiler=CMD
--with-ada-include=DIR
--with-ada-objects=DIR
-   --with-ada-sharedlib=XX
+   --with-ada-sharedlib=soname



Regards,
Bruno


Re: [ptxdist] [PATCH 1/2] strongswan: fix configure flags from previous updates

2018-05-29 Thread Bruno Thomsen
Hi,

We are using Strongswan 5.6.1 with OSELAS 2018.02.0 (gcc 7.3.1) and it builds 
just fine.
I can prepare an upstream patch in a few days.


Venlig hilsen / Best regards

Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
T: +45 89 93 10 00
D: +45 89 93 13 94

b...@kamstrup.com
kamstrup.com



[ptxdist] [PATCH 0/2] Strongswan is alive

2018-05-29 Thread Bruno Thomsen
Hi,

Strongswan is used in products that are shipping today with an expected 
lifetime of >10 years.
We don't use systemd so I am unaware of issues relating to that area.
This has been tested on an iMX28 processor running linux 4.14.39 and compiled 
with GCC 7.3.1.

/Bruno

Bruno Thomsen (2):
  strongswan: version bump 5.3.5 -> 5.6.1
  strongswan: remove staging

 rules/strongswan.in   |  8 +---
 rules/strongswan.make | 22 ++
 2 files changed, 19 insertions(+), 11 deletions(-)

-- 
2.17.0



[ptxdist] [PATCH 1/2] strongswan: version bump 5.3.5 -> 5.6.1

2018-05-29 Thread Bruno Thomsen
16 new configuration parameters all set as disabled.
1 configuration parameter has been removed.

libhydra has been removed, all plugins and the kernel interface have been 
integrated into libcharon.

Signed-off-by: Bruno Thomsen 
---
 rules/strongswan.make | 22 ++
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 7016b64bd..c4ecce9c6 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION := 5.3.5
-STRONGSWAN_MD5 := a2f9ea185f27e7f8413d4cd2ee61efe4
+STRONGSWAN_VERSION := 5.6.1
+STRONGSWAN_MD5 := cb2241f1b96c524cd15b1c0f50ed9a27
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX  := tar.bz2
 STRONGSWAN_URL := 
https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
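
Review bot: The bump from 5.3.5 to 5.6.1 crosses several upstream releases, yet the commit message covers only the configure switches and the libhydra removal; add a link to the upstream changelog or name the security fixes it brings in, since a reader of the short log cannot tell whether this is a security update. The STRONGSWAN_URL context line is wrapped after `:=`, so the hunk will not apply as posted.
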
@@ -46,9 +46,12 @@ STRONGSWAN_CONF_OPT  := \
--enable-gcm \
--disable-gcrypt \
--enable-gmp \
+   --disable-curve25519 \
--enable-hmac \
--disable-md4 \
--disable-md5 \
+   --disable-mgf1 \
+   --disable-newhope \
--enable-nonce \
--disable-ntru \
--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
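
Review bot: `--disable-curve25519` is hard-coded off together with mgf1 and newhope, which keeps the feature set unchanged but leaves users no way to enable a newer crypto plugin without editing the rule; consider a PTXCONF switch in the style of the `$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl` line in this hunk, at least for curve25519.
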
@@ -89,6 +92,7 @@ STRONGSWAN_CONF_OPT   := \
--disable-eap-sim-file \
--disable-eap-sim-pcsc \
--disable-eap-aka \
+   --disable-eap-aka-3gpp \
--disable-eap-aka-3gpp2 \
--disable-eap-simaka-sql \
--disable-eap-simaka-pseudonym \
@@ -107,6 +111,7 @@ STRONGSWAN_CONF_OPT := \
--disable-ipseckey \
--disable-keychain \
--disable-pkcs11 \
+   --disable-tpm \
--enable-revocation \
--disable-whitelist \
--enable-xauth-generic \
@@ -132,6 +137,7 @@ STRONGSWAN_CONF_OPT := \
--disable-attr-sql \
--disable-dhcp \
--disable-osx-attr \
+   --disable-p-cscf \
--enable-resolve \
--disable-unity \
--disable-imc-test \
@@ -144,6 +150,8 @@ STRONGSWAN_CONF_OPT := \
--disable-imv-attestation \
--disable-imc-swid \
--disable-imv-swid \
+   --disable-imc-swima \
+   --disable-imv-swima \
--disable-imc-hcd \
--disable-imv-hcd \
--disable-tnc-ifmap \
@@ -154,8 +162,10 @@ STRONGSWAN_CONF_OPT:= \
--disable-tnccs-20 \
--disable-tnccs-dynamic \
--disable-android-log \
+   --disable-bypass-lan \
--disable-certexpire \
--disable-connmark \
+   --disable-counters \
--disable-forecast \
--disable-duplicheck \
--disable-error-notify \
@@ -164,7 +174,6 @@ STRONGSWAN_CONF_OPT := \
--disable-led \
--disable-load-tester \
--disable-lookip \
-   --disable-maemo \
--disable-radattr \
--disable-systime-fix \
--disable-test-vectors \
@@ -175,6 +184,7 @@ STRONGSWAN_CONF_OPT := \
--disable-conftest \
--disable-dumm \
--disable-fast \
+   --disable-fuzzing \
--disable-libipsec \
--disable-manager \
--disable-medcli \
@@ -199,9 +209,14 @@ STRONGSWAN_CONF_OPT:= \
--disable-ruby-gems-install \
--disable-python-eggs \
--disable-python-eggs-install \
+   --disable-perl-cpan \
+   --disable-perl-cpan-install \
+   --disable-tss-trousers \
+   --disable-tss-tss2 \
--disable-coverage \
--disable-leak-detective \
--disable-lock-profiler \
+   --disable-log-thread-ids \
--disable-monolithic \
--disable-defaults \
--enable-dependency-tracking \
@@ -272,7 +287,6 @@ $(STATEDIR)/strongswan.targetinstall:
@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
 
@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
-   @$(call install_lib, strongswan, 0, 0, 0644, libhydra)
@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
 
@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
-- 
2.17.0

