From patchwork Thu Jan 15 22:46:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 78823
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][kirkstone][PATCH 1/9] Update maintainers Date: Thu, 15 Jan 2026 17:46:22 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jan 2026 22:46:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2966 Add Marta and myself as maintainers for meta-security and the other embedded layers that Armin had been maintaining. To avoid Armin getting bugged about individual recipes, set the RECIPE_MAINTAINER variables to myself. (backport from master) Signed-off-by: Scott Murray Signed-off-by: Richard Purdie --- README | 4 +- conf/distro/include/maintainers.inc | 72 ++++++++++---------- meta-hardening/README | 4 +- meta-integrity/README.md | 4 +- meta-parsec/README.md | 1 - meta-tpm/README | 4 +- meta-tpm/conf/distro/include/maintainers.inc | 33 +++++---- 7 files changed, 64 insertions(+), 58 deletions(-) diff --git a/README b/README index 081669f..7bd7f7c 100644 --- a/README +++ b/README @@ -92,7 +92,9 @@ Now you can just do 'git send-email origin/master' to send all local patches. For pull requests, please use create-pull-request and send-pull-request. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License diff --git a/conf/distro/include/maintainers.inc b/conf/distro/include/maintainers.inc index f623d70..c052695 100644 --- a/conf/distro/include/maintainers.inc +++ b/conf/distro/include/maintainers.inc 
@@ -19,39 +19,39 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster " -RECIPE_MAINTAINER:pn-apparmor = "Armin Kuster " -RECIPE_MAINTAINER:pn-bastille = "Armin Kuster " -RECIPE_MAINTAINER:pn-buck-security = "Armin Kuster " -RECIPE_MAINTAINER:pn-ccs-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-checksec = "Armin Kuster " -RECIPE_MAINTAINER:pn-checksecurity = "Armin Kuster " -RECIPE_MAINTAINER:pn-clamav = "Armin Kuster " -RECIPE_MAINTAINER:pn-ding-libs = "Armin Kuster " -RECIPE_MAINTAINER:pn-ecryptfs-utils = "Armin Kuster " -RECIPE_MAINTAINER:pn-fscryptctl = "Armin Kuster " -RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Armin Kuster " -RECIPE_MAINTAINER:pn-hash-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-isic = "Armin Kuster " -RECIPE_MAINTAINER:pn-keyutils = "Armin Kuster " -RECIPE_MAINTAINER:pn-libaes-siv = "Armin Kuster " -RECIPE_MAINTAINER:pn-libgssglue = "Armin Kuster " -RECIPE_MAINTAINER:pn-libhtp = "Armin Kuster " -RECIPE_MAINTAINER:pn-libmhash = "Armin Kuster " -RECIPE_MAINTAINER:pn-libmspack = "Armin Kuster " -RECIPE_MAINTAINER:pn-lib-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-libseccomp = "Armin Kuster " -RECIPE_MAINTAINER:pn-libwhisker2-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-ncrack = "Armin Kuster " -RECIPE_MAINTAINER:pn-nikto = "Armin Kuster " -RECIPE_MAINTAINER:pn-paxctl = "Armin Kuster " -RECIPE_MAINTAINER:pn-python3-fail2ban = "Armin Kuster " -RECIPE_MAINTAINER:pn-python3-scapy = "Armin Kuster " -RECIPE_MAINTAINER:pn-python-fail2ban = "Armin Kuster " -RECIPE_MAINTAINER:pn-python-scapy = "Armin Kuster " -RECIPE_MAINTAINER:pn-redhat-security = "Armin Kuster " -RECIPE_MAINTAINER:pn-samhain = "Armin Kuster " -RECIPE_MAINTAINER:pn-smack = "Armin Kuster " -RECIPE_MAINTAINER:pn-sssd = "Armin Kuster " -RECIPE_MAINTAINER:pn-suricata = "Armin Kuster " -RECIPE_MAINTAINER:pn-tripwire = "Armin Kuster " +RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " 
+RECIPE_MAINTAINER:pn-apparmor = "Scott Murray " +RECIPE_MAINTAINER:pn-bastille = "Scott Murray " +RECIPE_MAINTAINER:pn-buck-security = "Scott Murray " +RECIPE_MAINTAINER:pn-ccs-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-checksec = "Scott Murray " +RECIPE_MAINTAINER:pn-checksecurity = "Scott Murray " +RECIPE_MAINTAINER:pn-clamav = "Scott Murray " +RECIPE_MAINTAINER:pn-ding-libs = "Scott Murray " +RECIPE_MAINTAINER:pn-ecryptfs-utils = "Scott Murray " +RECIPE_MAINTAINER:pn-fscryptctl = "Scott Murray " +RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Scott Murray " +RECIPE_MAINTAINER:pn-hash-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-isic = "Scott Murray " +RECIPE_MAINTAINER:pn-keyutils = "Scott Murray " +RECIPE_MAINTAINER:pn-libaes-siv = "Scott Murray " +RECIPE_MAINTAINER:pn-libgssglue = "Scott Murray " +RECIPE_MAINTAINER:pn-libhtp = "Scott Murray " +RECIPE_MAINTAINER:pn-libmhash = "Scott Murray " +RECIPE_MAINTAINER:pn-libmspack = "Scott Murray " +RECIPE_MAINTAINER:pn-lib-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-libseccomp = "Scott Murray " +RECIPE_MAINTAINER:pn-libwhisker2-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-ncrack = "Scott Murray " +RECIPE_MAINTAINER:pn-nikto = "Scott Murray " +RECIPE_MAINTAINER:pn-paxctl = "Scott Murray " +RECIPE_MAINTAINER:pn-python3-fail2ban = "Scott Murray " +RECIPE_MAINTAINER:pn-python3-scapy = "Scott Murray " +RECIPE_MAINTAINER:pn-python-fail2ban = "Scott Murray " +RECIPE_MAINTAINER:pn-python-scapy = "Scott Murray " +RECIPE_MAINTAINER:pn-redhat-security = "Scott Murray " +RECIPE_MAINTAINER:pn-samhain = "Scott Murray " +RECIPE_MAINTAINER:pn-smack = "Scott Murray " +RECIPE_MAINTAINER:pn-sssd = "Scott Murray " +RECIPE_MAINTAINER:pn-suricata = "Scott Murray " +RECIPE_MAINTAINER:pn-tripwire = "Scott Murray " diff --git a/meta-hardening/README b/meta-hardening/README index 191253c..e804bcb 100644 --- a/meta-hardening/README +++ b/meta-hardening/README 
@@ -76,7 +76,9 @@ $ git config format.subjectPrefix meta-hardening][PATCH Now you can just do 'git send-email origin/master' to send all local patches. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License ======= diff --git a/meta-integrity/README.md b/meta-integrity/README.md index eae1c57..b0196dc 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -45,7 +45,9 @@ yocto@yoctoproject.org mailing list. When submitting patches that way, make sure to copy the maintainer and add a "[meta-integrity]" prefix to the subject of the mails. -Maintainer: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska Table of Contents diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 97026ea..292d99d 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md @@ -190,7 +190,6 @@ $ git config format.subjectPrefix meta-parsec][PATCH Now you can just do 'git send-email origin/master' to send all local patches. Maintainers: Anton Antonov - Armin Kuster License diff --git a/meta-tpm/README b/meta-tpm/README index 5722a92..e3667da 100644 --- a/meta-tpm/README +++ b/meta-tpm/README @@ -69,7 +69,9 @@ $ git config format.subjectPrefix meta-security][PATCH Now you can just do 'git send-email origin/master' to send all local patches. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License diff --git a/meta-tpm/conf/distro/include/maintainers.inc b/meta-tpm/conf/distro/include/maintainers.inc index e7b216d..829f198 100644 --- a/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-tpm/conf/distro/include/maintainers.inc 
@@ -19,20 +19,19 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster " -RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster " -RECIPE_MAINTAINER:pn-trousers = "Armin Kuster " -RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster " -RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster " - +RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " +RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-libtpms = "Scott Murray " +RECIPE_MAINTAINER:pn-trousers = "Scott Murray " +RECIPE_MAINTAINER:pn-swtpm = "Scott Murray " +RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-abrmd = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-totp = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tss = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-ibmswtpm2 = "Scott Murray " From patchwork Thu Jan 15 22:46:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 78824 Return-Path: X-Spam-Checker-Version: SpamAssassin 
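Review bot: the meta-parsec/README.md hunk only deletes the Armin Kuster line and does not add Scott Murray and Marta Rybczynska, unlike the README, meta-hardening/README, meta-integrity/README.md and meta-tpm/README hunks, so Anton Antonov becomes the only listed maintainer for that layer. If that is intended, say so in the commit message; otherwise add the two new names here as well.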
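Review bot: the meta-tpm/conf/distro/include/maintainers.inc hunk changes the recipe name `pn-libtpm` to `pn-libtpms`, which the commit message ("Update maintainers") does not mention; note it in the message or split it into its own commit so the rename is visible in history. The same list keeps `pn-aircrack-ng`, which is already covered by conf/distro/include/maintainers.inc, and the entries are not in the alphabetical order the header comment asks for (`pn-ibmswtpm2` is last, `pn-trousers` precedes `pn-swtpm`); since every line is rewritten here anyway, this is a cheap place to drop the duplicate and sort the list.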
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][kirkstone][PATCH 2/9] CI: update build for new CI Date: Thu, 15 Jan 2026 17:46:23 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jan 2026 22:46:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2967 From: Marta Rybczynska Update for Ubuntu 24.04 runners: - use venv for installing kas - add missing directories - assume that python3 and pip are installed. Other changes: - add logging of jobs to files Signed-off-by: Marta Rybczynska (reworked for kirkstone branch) 
Signed-off-by: Scott Murray --- .gitlab-ci.yml | 49 ++++++++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a4137cb..e37a161 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,10 +1,13 @@ .before-my-script: &before-my-script - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error + - echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir - export PATH=~/.local/bin:$PATH - - wget https://bootstrap.pypa.io/get-pip.py - - python3 get-pip.py + - python3 -m venv ~/kas_env/ + - source ~/kas_env/bin/activate - python3 -m pip install kas + - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/ + - mkdir -p $CI_PROJECT_DIR/log/ .after-my-script: &after-my-script - cd $CI_PROJECT_DIR/poky @@ -26,6 +29,10 @@ stages: stage: base after_script: - *after-my-script + artifacts: + paths: + - $CI_PROJECT_DIR/log/* + when: always .parsec: before_script: 
@@ -51,78 +58,78 @@ stages: qemux86: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" - - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml - - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt + - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_compliance_image.txt + - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_harden_image.txt qemux86-musl: extends: .musl needs: ['qemux86'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_musl_security_image.txt qemux86-parsec: extends: .parsec needs: ['qemux86'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_parsec_security_image.txt qemux86-test: extends: .test needs: ['qemux86'] allow_failure: true script: - - kas build --target security-test-image kas/$CI_JOB_NAME.yml - - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml + - kas build --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_test_security_image.txt + - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_testimage_security_image.txt qemux86-64: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" - - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - - kas build --target security-build-image 
kas/$CI_JOB_NAME-alt.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_image.txt + - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_dm_verify.txt + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_build_image.txt qemux86-64-parsec: extends: .parsec needs: ['qemux86-64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_parsec_security_image.txt qemuarm: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_security_image.txt qemuarm-parsec: extends: .parsec needs: ['qemuarm'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_parsec_security_image.txt qemuarm64: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" - - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_security_image.txt + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_build_security_image.txt qemuarm64-musl: extends: .musl needs: ['qemuarm64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee 
$CI_PROJECT_DIR/log/qemuarm64_musl_security_image.txt qemuarm64-parsec: extends: .parsec needs: ['qemuarm64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt qemumips64: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemumips64_security_image.txt qemuriscv64: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuriscv64_security_image.txt From patchwork Thu Jan 15 22:46:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 78825 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4CC5D3CCB0 for ; Thu, 15 Jan 2026 22:46:58 +0000 (UTC) Received: from mail-qk1-f180.google.com (mail-qk1-f180.google.com [209.85.222.180]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.690.1768517214824433613 for ; Thu, 15 Jan 2026 14:46:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=f378gLUJ; spf=pass (domain: konsulko.com, ip: 209.85.222.180, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f180.google.com with SMTP id af79cd13be357-8c5265d06c3so241969585a.1 for ; Thu, 15 Jan 2026 14:46:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1768517214; x=1769122014; darn=lists.yoctoproject.org; 
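Review bot: `python3 -m pip install kas` in the `.before-my-script` hunk is unpinned, so every job installs whatever kas release is current on the index at run time; pin it (`kas==<version>`) to the release the kas files in this series are written for, so that a new or compromised upload cannot change the build tool between runs. In the same hunk, `echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir` appends on every job, so the file grows and accumulates stale paths on a persistent runner; `>` looks like what is wanted. The two `mkdir -p $CI_PROJECT_DIR/...` lines should quote the variable.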
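Review bot: the `artifacts:` block is added only to the template shown in the `stage: base` hunk, while the jobs that extend `.musl`, `.parsec` and `.test` also tee their output into `$CI_PROJECT_DIR/log/`; unless those templates inherit from this one, their logs are written but never uploaded. Either add the same block to the other templates or move it to a shared anchor. With `when: always` and no `expire_in`, full build logs are also kept indefinitely; set a retention period.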
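Review bot: every `script:` line in the job hunk now ends in `2>&1 | tee ...`, so the exit status of the line is that of `tee` unless `pipefail` is active in the runner shell, and nothing in the visible file sets it; a failing `kas build` or `bitbake -k` could then be reported as a passing job. Add `set -o pipefail` to `.before-my-script` (or confirm the runner enables it) before relying on these jobs as a gate. Separately, the qemux86-64 line adds `core-image-minimal` to the bitbake targets, which the commit message does not mention, and the log names are hard-coded per job where `$CI_JOB_NAME` is already used for the kas file; deriving the log name from it would avoid the copies drifting.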
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][kirkstone][PATCH 3/9] kas: update configuration Date: Thu, 15 Jan 2026 17:46:24 -0500 Message-ID: <85c681c0d4163dacdad219e1e17b995b33cbdd51.1768515491.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jan 2026 22:46:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2968 From: Marta Rybczynska Update based on latest master configuration. Changes: - switch to kirkstone - add required usrmerge feature to kas-security-alt configuration - add whitespaces around assignement - add common dldir/sstate - don't build apparmor in musl configs - only enable ptest for the test image - Update the kas configuration file versions to 19 to match kas 4.8.x. - Change refspec to branch to remove deprecation warnings. - Add quoting around URLs to match upstream examples. Signed-off-by: Scott Murray --- kas/kas-security-alt.yml | 4 ++-- kas/kas-security-base.yml | 21 +++++++++++++-------- kas/kas-security-dm.yml | 2 +- kas/kas-security-parsec.yml | 4 ++-- kas/qemuarm64-musl.yml | 1 + kas/qemux86-musl.yml | 1 + kas/qemux86-test.yml | 4 ++++ 7 files changed, 24 insertions(+), 13 deletions(-) diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml index 3ee9808..2a449c5 100644 --- a/kas/kas-security-alt.yml +++ b/kas/kas-security-alt.yml 
@@ -1,8 +1,8 @@ header: - version: 9 + version: 19 includes: - kas-security-base.yml local_conf_header: alt: | - DISTRO_FEATURES:append = " systemd" + INIT_MANAGER = "systemd" diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml index 3bf46db..78c0b04 100644 --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml @@ -1,5 +1,5 @@ header: - version: 9 + version: 19 distro: poky @@ -13,16 +13,16 @@ repos: meta-hardening: poky: - url: https://git.yoctoproject.org/git/poky - refspec: master + url: "https://git.yoctoproject.org/git/poky" + branch: kirkstone layers: meta: meta-poky: meta-yocto-bsp: - + meta-openembedded: - url: http://git.openembedded.org/meta-openembedded - refspec: master + url: "http://git.openembedded.org/meta-openembedded" + branch: kirkstone layers: meta-oe: meta-perl: @@ -41,8 +41,8 @@ local_conf_header: INHERIT += "report-error" INHERIT += "testimage" INHERIT += "rm_work" - BB_NUMBER_THREADS="24" - BB_NUMBER_PARSE_THREADS="12" + BB_NUMBER_THREADS = "24" + BB_NUMBER_PARSE_THREADS = "12" BB_TASK_NICE_LEVEL = '5' BB_TASK_NICE_LEVEL_task-testimage = '0' BB_TASK_IONICE_LEVEL = '2.7' @@ -52,6 +52,7 @@ local_conf_header: PACKAGE_CLASSES = "package_ipk" DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" + DISTRO_FEATURES:remove = "ptest" MACHINE_FEATURES:append = " tpm tpm2" diskmon: | @@ -65,6 +66,10 @@ local_conf_header: ABORT,${SSTATE_DIR},100M,1K \ ABORT,/tmp,10M,1K" + dlsstate: | + DL_DIR = "/home/gitlab-runner/build/downloads" + SSTATE_DIR = "/home/gitlab-runner/build/sstate-cache" + bblayers_conf_header: base: | BBPATH = "${TOPDIR}" diff --git a/kas/kas-security-dm.yml b/kas/kas-security-dm.yml index c03b336..fe74d25 100644 --- a/kas/kas-security-dm.yml +++ b/kas/kas-security-dm.yml @@ -1,5 +1,5 @@ header: - version: 9 + version: 19 includes: - kas-security-base.yml diff --git a/kas/kas-security-parsec.yml b/kas/kas-security-parsec.yml index 9a009be..cb59fba 100644 --- a/kas/kas-security-parsec.yml 
+++ b/kas/kas-security-parsec.yml @@ -1,5 +1,5 @@ header: - version: 9 + version: 19 includes: - kas-security-base.yml @@ -10,7 +10,7 @@ repos: meta-clang: url: https://github.com/kraj/meta-clang.git - refspec: master + branch: kirkstone local_conf_header: meta-parsec: | diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml index b353eb4..f01f759 100644 --- a/kas/qemuarm64-musl.yml +++ b/kas/qemuarm64-musl.yml @@ -6,5 +6,6 @@ header: local_conf_header: musl: | TCLIBC = "musl" + DISTRO_FEATURES:remove = "apparmor" machine: qemuarm64 diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml index 61d9572..aa6572c 100644 --- a/kas/qemux86-musl.yml +++ b/kas/qemux86-musl.yml @@ -6,5 +6,6 @@ header: local_conf_header: musl: | TCLIBC = "musl" + DISTRO_FEATURES:remove = "apparmor" machine: qemux86 diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml index 83a5353..98f1e7f 100644 --- a/kas/qemux86-test.yml +++ b/kas/qemux86-test.yml 
@@ -3,4 +3,8 @@ header: includes: - kas-security-base.yml +local_conf_header: + ptest: | + DISTRO_FEATURES:append = " ptest" + machine: qemux86 From patchwork Thu Jan 15 22:46:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 78826 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91828D46631 for ; Thu, 15 Jan 2026 22:46:58 +0000 (UTC) Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.691.1768517215697060685 for ; Thu, 15 Jan 2026 14:46:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=A6NAV1LH; spf=pass (domain: konsulko.com, ip: 209.85.222.174, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-8c52c67f64cso157666485a.0 for ; Thu, 15 Jan 2026 14:46:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1768517214; x=1769122014; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KozeKux5Q+OSvFJ8f0a3DWSynxBoZ3n6AU5Zw54i9Bo=; b=A6NAV1LHj/MAHqvk/W9G5tW7Lzjd2LqCExDtuP3azB1/FTpf58d7OzYzKNBr5+gBKZ baRXH6B6264ktrcrhhH5aEqELnhXiew6kr4aKI9qIf/+iyMcgf4qAuliK00zbGmq+SdL UUJoDIUYoP/LUMw84HmWQP9NvjFqJe+uZaOt4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768517214; x=1769122014; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; 
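Review bot: the kas/kas-security-alt.yml hunk does not match the commit message, which says "add required usrmerge feature to kas-security-alt configuration"; the only change besides the version bump is replacing `DISTRO_FEATURES:append = " systemd"` with `INIT_MANAGER = "systemd"`, and no usrmerge setting appears anywhere in the patch. Either add the feature or correct the message so the log describes what was changed.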
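Review bot: in the repos hunk of kas/kas-security-base.yml the meta-openembedded entry is still fetched over plain `http://git.openembedded.org/meta-openembedded` while poky uses https; the line is already being touched for quoting, so switch it to https so the layer contents cannot be altered in transit. The meta-clang URL in kas/kas-security-parsec.yml is left unquoted although the message says quoting was added. All three repos now follow the moving `branch: kirkstone`; adding a `commit:` pin per repo would make a CI result attributable to a known layer revision.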
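Review bot: the new `dlsstate` block in kas/kas-security-base.yml hard-codes `DL_DIR` and `SSTATE_DIR` under `/home/gitlab-runner/build/`, which makes the base configuration depend on one runner's home directory and breaks it for anyone running kas locally. It also means every job and branch on that runner shares one writable sstate cache and download directory. Consider moving this block into a CI-only include, or taking the paths from environment variables set by the CI job.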
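Review bot: the `DISTRO_FEATURES:append = " ptest"` added in the kas/qemux86-test.yml hunk will not re-enable ptest, because this file includes kas-security-base.yml, which now carries `DISTRO_FEATURES:remove = "ptest"`, and BitBake applies `:remove` after all appends. As written, the test image is built without ptest, the opposite of "only enable ptest for the test image". Move the `:remove` out of the base into the configurations that should not have ptest, or make the removed value a variable that the test configuration can set to empty.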
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][kirkstone][PATCH 4/9] chkrootkit: update SRC_URI
Date: Thu, 15 Jan 2026 17:46:25 -0500
Message-ID: <4ea1bb4f16fb8c89a21e936a27900d119bfa4805.1768515491.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2969

From: Armin Kuster

0.55 no longer hosted from main source. Use Ubuntu archive

Signed-off-by: Armin Kuster
Signed-off-by: Scott Murray
--- recipes-scanners/rootkits/chkrootkit_0.55.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-scanners/rootkits/chkrootkit_0.55.bb b/recipes-scanners/rootkits/chkrootkit_0.55.bb index 20015a1..4293aec 100644 --- a/recipes-scanners/rootkits/chkrootkit_0.55.bb +++ b/recipes-scanners/rootkits/chkrootkit_0.55.bb
@@ -5,7 +5,7 @@ SECTION = "security" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff" -SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz" +SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz" SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b" inherit autotools-brokensep
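Review bot: In chkrootkit_0.55.bb the new SRC_URI fetches over plain http from archive.ubuntu.com while the `SRC_URI[sha256sum]` context line stays unchanged, so that checksum is the only integrity check on the download and the change relies on the Ubuntu `.orig.tar.gz` being byte-identical to the tarball formerly served from ftp.pangeia.com.br. Say so in the commit message, and confirm the archive still unpacks to the directory the recipe expects, since the file name changed from `${BPN}.tar.gz` to `${BPN}_${PV}.orig.tar.gz`.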
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][kirkstone][PATCH 5/9] checksecurity: update to 2.0.16
Date: Thu, 15 Jan 2026 17:46:26 -0500
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2970

From: Armin Kuster

Drop setuid-log-folder.patch, using sed instead.
Refresh patch check-setuid-use-more-portable-find-args.patch

Signed-off-by: Armin Kuster
Signed-off-by: Scott Murray
--- ...rity_2.0.15.bb => checksecurity_2.0.16.bb} | 18 +++++-- ...k-setuid-use-more-portable-find-args.patch | 16 +++--- .../files/setuid-log-folder.patch | 52 ------------------- 3 files changed, 21 insertions(+), 65 deletions(-) rename recipes-scanners/checksecurity/{checksecurity_2.0.15.bb => checksecurity_2.0.16.bb} (57%) delete mode 100644 recipes-scanners/checksecurity/files/setuid-log-folder.patch diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb similarity index 57% rename from recipes-scanners/checksecurity/checksecurity_2.0.15.bb rename to recipes-scanners/checksecurity/checksecurity_2.0.16.bb index e053a15..8006c9f 100644 --- a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb +++ b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -4,14 +4,22 @@ SECTION = "security" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" -SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \ - file://setuid-log-folder.patch \ - file://check-setuid-use-more-portable-find-args.patch" +SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \ + file://check-setuid-use-more-portable-find-args.patch \ + " -SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f" -SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32" +SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0" + +S = "${WORKDIR}/checksecurity-${PV}+nmu1" + + +# allow for anylocal, no need to patch +LOGDIR="/etc/checksecurity" do_compile() { + sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf + sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/plugins/check-setuid + sed -i -e "s;LOGDIR:=/var/log/setuid;LOGDIR:=${LOGDIR};g" ${B}/plugins/check-setuid } do_install() { diff --git a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch index f1fe8ed..1a2f364 100644 --- a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch +++ b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch @@ -8,16 +8,16 @@ 
Signed-off-by: Christopher Larson plugins/check-setuid | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -Index: checksecurity-2.0.15/plugins/check-setuid +Index: checksecurity-2.0.16+nmu1/plugins/check-setuid =================================================================== ---- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500 -+++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500 -@@ -99,7 +99,7 @@ - ionice -t -c3 \ +--- checksecurity-2.0.16+nmu1.orig/plugins/check-setuid ++++ checksecurity-2.0.16+nmu1/plugins/check-setuid +@@ -100,7 +100,7 @@ ionice -t -c3 \ find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \ + -ignore_readdir_race \ -xdev $PATHCHK \ -- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \ -+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \ +- \( -type f -perm /06000 -o \( \( -type b -o -type c \) \ ++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \ $DEVCHK \) \) \ - -ignore_readdir_race \ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | + sort -k 12 >$TMPSETUID diff --git a/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/recipes-scanners/checksecurity/files/setuid-log-folder.patch deleted file mode 100644 index 540ea9c..0000000 --- a/recipes-scanners/checksecurity/files/setuid-log-folder.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001 -From: Andrei Dinu -Date: Thu, 20 Jun 2013 15:14:55 +0300 -Subject: [PATCH] changed log folder for check-setuid - -check-setuid was creating logs in /var/log directory, -which cannot be created persistently. To avoid errors -the log folder was changed to /etc/checksecurity/. - -Signed-off-by: Andrei Dinu ---- - etc/check-setuid.conf | 2 +- - plugins/check-setuid | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf -index 621336f..e1532c0 100644 ---- a/etc/check-setuid.conf -+++ b/etc/check-setuid.conf -@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false" - # - # Location of setuid file databases. - # --LOGDIR=/var/log/setuid -+LOGDIR=/etc/checksecurity/ -diff --git a/plugins/check-setuid b/plugins/check-setuid -index 8d6f90b..bdb21c1 100755 ---- a/plugins/check-setuid -+++ b/plugins/check-setuid -@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then - exit 1 - fi - --TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp --TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp -+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp -+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp - - # - # Check for NFS/AFS mounts that are not nosuid/nodev -@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then - fi - - # Guard against undefined vars --[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid -+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/ - if [ ! 
-e "$LOGDIR" ] ; then - echo "ERROR: Log directory $LOGDIR does not exist" - exit 1 --- -1.7.9.5 -
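Review bot: The three `sed -i` calls added to do_compile() in checksecurity_2.0.16.bb replace setuid-log-folder.patch, but unlike a patch they succeed silently when the `LOGDIR=/var/log/setuid` strings are no longer present, so a later upstream change would leave check-setuid pointing at /var/log/setuid with no build error. Follow the seds with a check that fails the task if `/var/log/setuid` still appears in etc/check-setuid.conf or plugins/check-setuid. The comment `# allow for anylocal, no need to patch` is also hard to parse, and `LOGDIR="/etc/checksecurity"` lacks the spaces around `=` that the other assignments in the recipe use.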
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][kirkstone][PATCH 6/9] checksecurity: update the debian package
Date: Thu, 15 Jan 2026 17:46:27 -0500
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2971

From: Marta Rybczynska

The previously used package (nmu1) is no longer available, use the latest current one (nmu3).

The changelog between the two:

checksecurity (2.0.16+nmu3) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix "missing required debian/rules targets build-arch and/or build-indep": Add targets to debian/rules. (Closes: #999082)
  * Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm": Bump to 7 in debian/{compat,control}. (Closes: #965448)
  * Fix some grave packaging errors:
    - move debhelper from Build-Depends-Indep to Build-Depends
    - remove temporary files debian/postrm.debhelper and debian/substvars from source package

 -- gregor herrmann Sun, 26 Dec 2021 01:56:10 +0100

checksecurity (2.0.16+nmu2) unstable; urgency=medium

  * Non maintainer upload by the Reproducible Builds team.
  * No source change upload to rebuild on buildd with .buildinfo files.

 -- Holger Levsen Fri, 01 Jan 2021 19:17:53 +0100

Signed-off-by: Marta Rybczynska
(adapted from 828a78314f51b919baf638d64e8e12c0c0a408ad)
Signed-off-by: Scott Murray
--- recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb index 8006c9f..6a223f8 100644 --- a/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+++ b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb 
@@ -4,14 +4,13 @@ SECTION = "security" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" -SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \ +SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu3.tar.gz \ file://check-setuid-use-more-portable-find-args.patch \ " -SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0" - -S = "${WORKDIR}/checksecurity-${PV}+nmu1" +SRC_URI[sha256sum] = "12b043dc7b38512cdf0735c7c147a4f9e60d83a397b5b8ec130c65ceddbe1a0c" +S = "${WORKDIR}/checksecurity-${PV}+nmu3" # allow for anylocal, no need to patch LOGDIR="/etc/checksecurity"
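Review bot: `+nmu3` is now hard-coded in both the SRC_URI and S lines, and the URL still points at the live ftp.de.debian.org pool, which per the commit message already dropped nmu1, so the fetch will break again on the next non-maintainer upload. Consider fetching from an archive that keeps superseded uploads (snapshot.debian.org does) and holding the suffix in one variable so SRC_URI and S cannot drift apart.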
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][kirkstone][PATCH 7/9] meta-security-compliance: Update lynis
Date: Thu, 15 Jan 2026 17:46:28 -0500
Message-ID: <80b6b58e40802c6b3ef5102701ced31d06653f16.1768515491.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2972

Update lynis SRC_URI to fix building, and while at it bump to 3.0.9, which will hopefully be a transparent upgrade for anyone still on kirkstone.

Signed-off-by: Scott Murray
--- .../lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename meta-security-compliance/recipes-auditors/lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} (84%) diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb similarity index 84% rename from meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb rename to meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb index f665e29..e72589e 100644 --- a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb +++ b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb
@@ -6,9 +6,11 @@ HOMEDIR = "https://cisofy.com/" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" -SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" +SRC_URI = "https://downloads.cisofy.com/lynis/archive/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2" +SRC_URI[sha256sum] = "f394df7d20391fb76e975ae88f3eba1da05ac9c4945e2c7f709326e185e17025" + +UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" S = "${WORKDIR}/${BPN}"
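Review bot: `UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"` in lynis_3.0.9.bb sets a variable that the upstream version check does not read; the variables it uses are UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX, so the added line has no effect as written. Rename it to UPSTREAM_CHECK_URI. The `HOMEDIR` context line at the top of the hunk looks like the same kind of slip for HOMEPAGE and could be fixed in the same change.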
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][kirkstone][PATCH 8/9] sssd: Fix for CVE-2025-11561
Date: Thu, 15 Jan 2026 17:46:29 -0500
Message-ID: <1421bf8d3b64f88abde6bf4349e4a71a0fda5d75.1768515491.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2973

From: Vijay Anusuri

Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]

Signed-off-by: Vijay Anusuri
Signed-off-by: Scott Murray
--- .../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++ recipes-security/sssd/sssd_2.5.2.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 recipes-security/sssd/files/CVE-2025-11561.patch diff --git a/recipes-security/sssd/files/CVE-2025-11561.patch b/recipes-security/sssd/files/CVE-2025-11561.patch new file mode 100644 index 0000000..0bfed6d --- /dev/null +++ b/recipes-security/sssd/files/CVE-2025-11561.patch
@@ -0,0 +1,50 @@ +From a0336f4cd69c25b3d501a3d361d3d286c00da4d2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 10 Oct 2025 12:57:40 +0200 +Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a client is joined to AD or IPA SSSD's localauth plugin can handle +the mapping of Kerberos principals to local accounts. In case it cannot +map the Kerberos principals libkrb5 is currently configured to fall back +to the default localauth plugins 'default', 'rule', 'names', +'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). +All plugins except 'an2ln' require some explicit configuration by either +the administrator or the local user. To avoid some unexpected mapping is +done by the 'an2ln' plugin this patch disables it in the configuration +snippets for SSSD's localauth plugin. + +Resolves: https://github.com/SSSD/sssd/issues/8021 + +:relnote: After startup SSSD already creates a Kerberos configuration + snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin + if the AD or IPA providers are used. This enables SSSD's localauth plugin. + Starting with this release the an2ln plugin is disabled in the + configuration snippet as well. If this file or its content are included in + the Kerberos configuration it will fix CVE-2025-11561. 
+ +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310) + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2] +CVE: CVE-2025-11561 +Signed-off-by: Vijay Anusuri +--- + src/util/domain_info_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index e131a5d96af..160e1711bcd 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, + #define LOCALAUTH_PLUGIN_CONFIG \ + "[plugins]\n" \ + " localauth = {\n" \ ++" disable = an2ln\n" \ + " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ + " }\n" + diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb index c07559c..43c31ee 100644 --- a/recipes-security/sssd/sssd_2.5.2.bb +++ b/recipes-security/sssd/sssd_2.5.2.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g file://musl_fixup.patch \ file://CVE-2021-3621.patch \ file://CVE-2023-3758.patch \ + file://CVE-2025-11561.patch \ " SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
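Review bot: The `disable = an2ln` line added to LOCALAUTH_PLUGIN_CONFIG in src/util/domain_info_utils.c takes effect only where the generated snippet is included in the Kerberos configuration, as the `:relnote:` in the patch header says, and nothing in the sssd_2.5.2.bb hunk shows that include. The commit message should state whether the image's krb5.conf pulls in /var/lib/sss/pubconf/krb5.include.d, because the `CVE: CVE-2025-11561` tag will mark the issue as patched even on systems where the an2ln fallback stays active.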
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=71Z5MnYQtuLe18l49zldZVEwOJL43vV4p9V58yzInbc=; b=XhCIvrCRtik07d6EA172oZDUVQSb5AlKY45pDMLsGGTGNvw+FHbprsUhs2Wm8K2MYn NM+1Z0NVDkjI0b2E3d9xkj1kJVk5OHDYHSM8rHbtVmWJd97sVw/1HX1AfLP77YrnDJA6 eZXDwR9oo0kB6Tf2jZnM96CDT6/XDW6uO+/fuAt+jKqV2pwbuCZf377vlDE9b9rGa4q1 Z7J/iiSmMcqAMRwUNQRkBlbVOCeNu6EeRAQfQLRUEgisPWQqjceMGlGmBOQp3pbLklgU rvwxBfZEd/w8wo1+b61fkAZ7dhZ+pkhJhh8MV0ly5cixHmvMzExY+LZPww73aXra0X13 BFLg== X-Gm-Message-State: AOJu0YxT7UYOCvuzzhrt5qzRHjAC58i3MG2LoCb3cctb0URb2Rl14klw 4PVZtUhfxRqxhfo9PGfys3l5Wzb6tq0J6oMGI3Zd0rGIU2GQLY0oe15kkdgwoNobW4kV2aZW1py +wP2C X-Gm-Gg: AY/fxX6ACChLj7xn4a1FVv2BjhBcBDHSfoqAngK1PeTiRBnCGnWy7eQjFlVCms69Glz d0ToQ5vHaIQv3tqa3ylIMrhipb9nFXQ0fdX1LIjeVHhqY6b6zV2uMcSl1kdjh+FFpiflurEZJyE xCWpLqS3SgwwtBnFm1b4wLNn64qk+P0bYcWPQCGmfyYCq2VQ9iC+DIVb2gHE4CzH1OOKHIojFNJ VZ+gs4XZzP3QjZw5fEb2ziVXleCtxvyE2yFC5rMvBaZvHN+YwE/XDn6hGkKWgQ5Um4AYyg2u8Lg QQbdUcebPXE2zrg/1NFxmw6Nr+LXLHA/oaRnTWfNBnJcQ+2o2OHDE0h4ltZX0oO7ok4KG+71gPl GLbuBqsRQVyylwj6DLfb6OzNaEjI0VhcxTu6Ny5IWDyRTBoWcQAF/sseR/d+zK8FXWGonCYmkyE JIfqtiN10mn+nWC1rqv3FXa/8Ix600rFggpTmDJpJ+J+SS5os7Pu6MgbXW/ZkhqxAyvC/lpD9ND pYvlUULPmlxKyG0hsFTGSOh2on/DSCdSht+nTuhsXXggZuiPx80 X-Received: by 2002:ad4:4eac:0:b0:890:5096:513a with SMTP id 6a1803df08f44-8942dd02ac1mr15511436d6.18.1768517218725; Thu, 15 Jan 2026 14:46:58 -0800 (PST) Received: from ghidorah.spiteful.org (107-179-213-3.cpe.teksavvy.com. [107.179.213.3]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8942e6040casm7921436d6.21.2026.01.15.14.46.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Jan 2026 14:46:58 -0800 (PST) 
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][kirkstone][PATCH 9/9] clamav: Fix for CVE-2024-20328 Date: Thu, 15 Jan 2026 17:46:30 -0500 Message-ID: <2ad57a27337ecba58e59ed7aa6fe9769d27804ac.1768515491.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jan 2026 22:47:08 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2974 From: Vijay Anusuri Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2] Signed-off-by: Vijay Anusuri Signed-off-by: Scott Murray --- recipes-scanners/clamav/clamav_0.104.0.bb | 1 + .../clamav/files/CVE-2024-20328.patch | 153 ++++++++++++++++++ 2 files changed, 154 insertions(+) create mode 100644 recipes-scanners/clamav/files/CVE-2024-20328.patch diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb index 0a6b92a..39abda9 100644 --- a/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/recipes-scanners/clamav/clamav_0.104.0.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http file://headers_fixup.patch \ file://oe_cmake_fixup.patch \ file://fix_systemd_socket.patch \ + file://CVE-2024-20328.patch \ file://CVE-2024-20505.patch \ file://CVE-2024-20506.patch \ " diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch new file mode 100644 index 0000000..2f422cf --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch 
@@ -0,0 +1,153 @@ +From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001 +From: Micah Snyder +Date: Wed, 10 Jan 2024 12:09:15 -0500 +Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var + instead + +The '%f' filename format character has been disabled and will no longer +be replaced with the file name, due to command injection security concerns. +Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. + +For the same reason, you should NOT use the environment variables in the +command directly, but should use it carefully from your executed script. + +Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2] +CVE: CVE-2024-20328 +Signed-off-by: Vijay Anusuri +--- + clamd/clamd_others.c | 8 +++++--- + common/optparser.c | 2 +- + docs/man/clamd.conf.5.in | 14 ++++++++++---- + etc/clamd.conf.sample | 18 ++++++++++++------ + win32/conf_examples/clamd.conf.sample | 18 ++++++++++++------ + 5 files changed, 40 insertions(+), 20 deletions(-) + +diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c +index 23f3b022c7..32d0701a0d 100644 +--- a/clamd/clamd_others.c ++++ b/clamd/clamd_others.c +@@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname, + #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME" + #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME" + ++#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead." 
++ + void virusaction(const char *filename, const char *virname, + const struct optstruct *opts) + { +@@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname, + } + len = strlen(opt->strarg); + buffer_cmd = +- (char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char)); ++ (char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char)); + if (!buffer_cmd) { + if (path) + xfree(env[0]); +@@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname, + j += strlen(virname); + i++; + } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') { +- strcat(buffer_cmd, filename); +- j += strlen(filename); ++ strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE); ++ j += strlen(FILENAME_DISABLED_MESSAGE); + i++; + } else { + buffer_cmd[j++] = opt->strarg[i]; +diff --git a/common/optparser.c b/common/optparser.c +index a7bdbee064..1be7afe867 100644 +--- a/common/optparser.c ++++ b/common/optparser.c +@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = { + + {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"}, + +- {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. 
In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"}, ++ {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"}, + + {"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"}, + +diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in +index 2d9748a39e..a9926533b9 100644 +--- a/docs/man/clamd.conf.5.in ++++ b/docs/man/clamd.conf.5.in +@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w + Default: yes + .TP + \fBVirusEvent COMMAND\fR +-Execute a command when a virus is found. In the command string %v will be +-replaced with the virus name and %f will be replaced with the file name. +-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME +-and $CLAM_VIRUSEVENT_VIRUSNAME. ++Execute a command when virus is found. 
++Use the following environment variables to identify the file and virus names: ++- $CLAM_VIRUSEVENT_FILENAME ++- $CLAM_VIRUSEVENT_VIRUSNAME ++In the command string, '%v' will also be replaced with the virus name. ++Note: The '%f' filename format character has been disabled and will no longer ++be replaced with the file name, due to command injection security concerns. ++Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. ++For the same reason, you should NOT use the environment variables in the ++command directly, but should use it carefully from your executed script. + \fR + .br + Default: disabled +diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample +index 37fb03bf20..54738128da 100644 +--- a/etc/clamd.conf.sample ++++ b/etc/clamd.conf.sample +@@ -209,12 +209,18 @@ Example + # Default: yes + #ConcurrentDatabaseReload no + +-# Execute a command when virus is found. In the command string %v will +-# be replaced with the virus name and %f will be replaced with the file name. +-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME +-# and $CLAM_VIRUSEVENT_VIRUSNAME. +-# Default: no +-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f" ++# Execute a command when virus is found. ++# Use the following environment variables to identify the file and virus names: ++# - $CLAM_VIRUSEVENT_FILENAME ++# - $CLAM_VIRUSEVENT_VIRUSNAME ++# In the command string, '%v' will also be replaced with the virus name. ++# Note: The '%f' filename format character has been disabled and will no longer ++# be replaced with the file name, due to command injection security concerns. ++# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. ++# For the same reason, you should NOT use the environment variables in the ++# command directly, but should use it carefully from your executed script. 
++# Default: no ++#VirusEvent /opt/send_virus_alert_sms.sh + + # Run as another user (clamd must be started by root for this option to work) + # Default: don't drop privileges +diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample +index 5a8a9cfeae..a4813f99cb 100644 +--- a/win32/conf_examples/clamd.conf.sample ++++ b/win32/conf_examples/clamd.conf.sample +@@ -182,12 +182,18 @@ TCPAddr localhost + # Default: yes + #ConcurrentDatabaseReload no + +-# Execute a command when virus is found. In the command string %v will +-# be replaced with the virus name and %f will be replaced with the file name. +-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME +-# and $CLAM_VIRUSEVENT_VIRUSNAME. +-# Default: no +-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f" ++# Execute a command when virus is found. ++# Use the following environment variables to identify the file and virus names: ++# - $CLAM_VIRUSEVENT_FILENAME ++# - $CLAM_VIRUSEVENT_VIRUSNAME ++# In the command string, '%v' will also be replaced with the virus name. ++# Note: The '%f' filename format character has been disabled and will no longer ++# be replaced with the file name, due to command injection security concerns. ++# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. ++# For the same reason, you should NOT use the environment variables in the ++# command directly, but should use it carefully from your executed script. ++# Default: no ++#VirusEvent "C:\example\SendVirusAlertEmail.ps1" + + # Run as another user (clamd must be started by root for this option to work) + # Default: don't drop privileges
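Review bot: In the sssd CVE-2025-11561.patch header, the "(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)" trailer and the Upstream-Status URL (commit a0336f4cd69c25b3d501a3d361d3d286c00da4d2) name two different upstream commits. Say in the header which of the two this backport was taken from, so the provenance can be checked against a single hash. In the domain_info_utils.c hunk itself, the added "disable = an2ln" line sits inside LOCALAUTH_PLUGIN_CONFIG with no comment; a one-line comment above the macro saying the an2ln localauth module is disabled on purpose for this CVE would keep it from being dropped in a later cleanup of the snippet.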
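Review bot: In the clamd_others.c hunk at @@ -160,8 +162,8, a VirusEvent command that still contains %f is not rejected or skipped: FILENAME_DISABLED_MESSAGE is concatenated into buffer_cmd in its place, so the command still runs and the notice text is handed to the handler where the file name used to be. An existing configuration such as the old sample ("VIRUS ALERT: %v in %f") keeps working but sends the notice instead of a path, and nothing in the visible hunks logs a warning. Consider logging once when %f is seen in the VirusEvent string, so the administrator learns about it from the clamd log rather than from the alert text. The calloc() size change at @@ -145,7 +147,7 matches the new strcat() length, which is correct.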
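Review bot: In the common/optparser.c hunk, the new VirusEvent description ends with "should use it carefully from your executed script" and never says what careful use is; the same sentence is repeated in the man page and both sample files. State it concretely, for example that the script should expand the variable only inside double quotes and should not pass it to eval or splice it into another command line. Two wording points in the same string: "it" refers to two variables and should be "them", and "when virus is found" dropped the article that the replaced text had ("when a virus is found").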
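Review bot: In the docs/man/clamd.conf.5.in hunk, the two added "- $CLAM_VIRUSEVENT_..." lines are ordinary text lines, and roff fills consecutive text lines into one paragraph, so the rendered page will run the variable list, the '%v' sentence and the Note together as a single flowed block. The file already uses .br a few lines further down; put .br before each list item and before "Note:", or turn the items into .IP entries, so the list survives rendering.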
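Review bot: In the win32/conf_examples/clamd.conf.sample hunk, the comment names the variables in POSIX shell form ($CLAM_VIRUSEVENT_FILENAME, $CLAM_VIRUSEVENT_VIRUSNAME) while the example handler on the last added line is a PowerShell script ("C:\example\SendVirusAlertEmail.ps1"), where an environment variable is read as $env:CLAM_VIRUSEVENT_FILENAME. Either give the names without the $ prefix in this file or show the $env: form, so a Windows administrator copying from the sample ends up reading the right variable.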