* [meta-security][PATCH 0/5] Assorted fixes
@ 2025-09-17 20:42 Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 1/5] lib-perl: add a HOMEPAGE. Use CPAN_MIRROR Scott Murray
                   ` (4 more replies)
  0 siblings, 5 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

This patch series rolls up contributed patches from the past few weeks.
I intend to merge these to master branch by end of day Thursday unless
there are any objections.

Scott


Changes:

Clayton Casciato (1):
  suricata: install classification, reference configs

J. S. (1):
  lib-perl: add a HOMEPAGE. Use CPAN_MIRROR

Michael Opdenacker (2):
  lynis: homepage update
  lynis: update to 3.1.5

Patrick Wicki (1):
  tpm2-tss-engine: remove libgcrypt dependency

 .../recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb     | 2 +-
 recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb}   | 4 ++--
 recipes-ids/suricata/suricata_7.0.0.bb                        | 2 ++
 recipes-perl/perl/lib-perl_0.63.bb                            | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)
 rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (91%)

-- 
2.50.1




* [meta-security][PATCH 1/5] lib-perl: add a HOMEPAGE. Use CPAN_MIRROR
  2025-09-17 20:42 [meta-security][PATCH 0/5] Assorted fixes Scott Murray
@ 2025-09-17 20:42 ` Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 2/5] suricata: install classification, reference configs Scott Murray
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

From: "J. S." <schonm@gmail.com>

Signed-off-by: Jason Schonberg <schonm@gmail.com>
---
 recipes-perl/perl/lib-perl_0.63.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 6fc44e4..f0d6832 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -4,6 +4,7 @@ directories to Perl's search path so that later 'use' or 'require' statements \
 will find modules which are not located in the default search path."
 
 SECTION = "libs"
+HOMEPAGE = "https://metacpan.org/dist/lib"
 LICENSE = "Artistic-1.0 | GPL-1.0-or-later"
 PR = "r0"
 
@@ -11,7 +12,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=94b119f1a7b8d611ef
 
 DEPENDS += "perl"
 
-SRC_URI = "http://www.cpan.org/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz"
+SRC_URI = "${CPAN_MIRROR}/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz"
 
 SRC_URI[md5sum] = "8607ac4e0d9d43585ec28312f52df67c"
 SRC_URI[sha256sum] = "72f63db9220098e834d7a38231626bd0c9b802c1ec54a628e2df35f3818e5a00"
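Review bot: the two checksum lines in the trailing context still carry SRC_URI[md5sum] next to SRC_URI[sha256sum]; with the download host now coming from ${CPAN_MIRROR}, which is set outside this recipe, the sha256sum is what pins the tarball's content, and the md5sum line can be dropped in the same change. The commit message has no body, so it would also help to say there that the old URI was plain http and why the mirror variable is preferred.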
-- 
2.50.1




* [meta-security][PATCH 2/5] suricata: install classification, reference configs
  2025-09-17 20:42 [meta-security][PATCH 0/5] Assorted fixes Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 1/5] lib-perl: add a HOMEPAGE. Use CPAN_MIRROR Scott Murray
@ 2025-09-17 20:42 ` Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 3/5] tpm2-tss-engine: remove libgcrypt dependency Scott Murray
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

From: Clayton Casciato <majortomtosourcecontrol@gmail.com>

suricata.yaml references these configs

Resolve:
<Warning> -- could not open: "/etc/suricata/classification.config": No
such file or directory

<Error> -- please check the "classification-file" option in your
suricata.yaml file

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 recipes-ids/suricata/suricata_7.0.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index f2df09e..f02d343 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -105,6 +105,8 @@ do_install () {
     install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
     install -m 0644 ${UNPACKDIR}/volatiles.03_suricata  ${D}${sysconfdir}/default/volatiles/03_suricata
 
+    install -m 0644 ${S}/etc/classification.config ${D}${sysconfdir}/suricata
+    install -m 0644 ${S}/etc/reference.config ${D}${sysconfdir}/suricata
     install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
     install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
 
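Review bot: the two added install lines take their sources from ${S}/etc/ while the neighbouring threshold.config and suricata.yaml lines take theirs from ${S}/ directly; please confirm in the commit message that etc/ is where the 7.0.0 source tree keeps classification.config and reference.config, since a wrong path here only shows up at do_install. The message quotes the warning for classification.config only, so a line saying that reference.config is referenced by suricata.yaml in the same way would cover the second added line.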
-- 
2.50.1




* [meta-security][PATCH 3/5] tpm2-tss-engine: remove libgcrypt dependency
  2025-09-17 20:42 [meta-security][PATCH 0/5] Assorted fixes Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 1/5] lib-perl: add a HOMEPAGE. Use CPAN_MIRROR Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 2/5] suricata: install classification, reference configs Scott Murray
@ 2025-09-17 20:42 ` Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 4/5] lynis: homepage update Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 5/5] lynis: update to 3.1.5 Scott Murray
  4 siblings, 0 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

From: Patrick Wicki <patrick.wicki@siemens.com>

There is no hint of libgcrypt in the upstream code and distro packages
like Debian and Fedora do not have this dependency either.

Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
---
 meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb
index af9dec8..6bc44ef 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7b3ab643b9ce041de515d1ed092a36d4"
 
 SECTION = "security/tpm"
 
-DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
+DEPENDS = "autoconf-archive-native bash-completion libtss2 openssl"
 
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-Configure-Allow-disabling-of-digest-sign-operations.patch \
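Review bot: the DEPENDS change on the `+` line drops libgcrypt on the strength of reading the upstream code and comparing with Debian and Fedora packaging, but the message does not say the recipe was rebuilt afterwards. Stating that do_configure and do_compile pass from a clean sysroot without libgcrypt would rule out a configure-time check still expecting it.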
-- 
2.50.1




* [meta-security][PATCH 4/5] lynis: homepage update
  2025-09-17 20:42 [meta-security][PATCH 0/5] Assorted fixes Scott Murray
                   ` (2 preceding siblings ...)
  2025-09-17 20:42 ` [meta-security][PATCH 3/5] tpm2-tss-engine: remove libgcrypt dependency Scott Murray
@ 2025-09-17 20:42 ` Scott Murray
  2025-09-17 20:42 ` [meta-security][PATCH 5/5] lynis: update to 3.1.5 Scott Murray
  4 siblings, 0 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

From: Michael Opdenacker <michael.opdenacker@rootcommit.com>

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
---
 recipes-compliance/lynis/lynis_3.1.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb b/recipes-compliance/lynis/lynis_3.1.4.bb
index 4059662..3546a9e 100644
--- a/recipes-compliance/lynis/lynis_3.1.4.bb
+++ b/recipes-compliance/lynis/lynis_3.1.4.bb
@@ -2,7 +2,7 @@
 # Released under the MIT license (see COPYING.MIT for the terms)
 
 SUMMARY = "Lynis is a free and open source security and auditing tool."
-HOMEDIR = "https://cisofy.com/"
+HOMEDIR = "https://cisofy.com/lynis/"
 LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
 
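Review bot: the changed line assigns HOMEDIR on both the `-` and `+` side, while the subject says this is a homepage update; the recipe variable for that is HOMEPAGE (the lib-perl patch in this series adds exactly that), so the new URL still ends up in a variable that is not the one recipe metadata uses. Suggest fixing the name in this change: HOMEPAGE = "https://cisofy.com/lynis/".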
-- 
2.50.1




* [meta-security][PATCH 5/5] lynis: update to 3.1.5
  2025-09-17 20:42 [meta-security][PATCH 0/5] Assorted fixes Scott Murray
                   ` (3 preceding siblings ...)
  2025-09-17 20:42 ` [meta-security][PATCH 4/5] lynis: homepage update Scott Murray
@ 2025-09-17 20:42 ` Scott Murray
  2025-09-18  5:28   ` [yocto-patches] " Marta Rybczynska
  4 siblings, 1 reply; 9+ messages in thread
From: Scott Murray @ 2025-09-17 20:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska

From: Michael Opdenacker <michael.opdenacker@rootcommit.com>

Tested on master (whinlatter) with beaglebone-yocto

New in version 3.1.5 (2025-07-29):
https://cisofy.com/changelog/lynis/#315

Added:
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll

Changed:
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
---
 recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%)

diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb b/recipes-compliance/lynis/lynis_3.1.5.bb
similarity index 93%
rename from recipes-compliance/lynis/lynis_3.1.4.bb
rename to recipes-compliance/lynis/lynis_3.1.5.bb
index 3546a9e..3d1e8b7 100644
--- a/recipes-compliance/lynis/lynis_3.1.4.bb
+++ b/recipes-compliance/lynis/lynis_3.1.5.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
 
 SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6"
+SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
 
 #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
 
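Review bot: the commented-out #UPSTREAM_CHECK line in the trailing context is dead, and its name is not the variable the upstream version check reads (that is UPSTREAM_CHECK_URI); either drop it or turn it into a working UPSTREAM_CHECK_URI while the file is being renamed. For the new SRC_URI[sha256sum] on the `+` line, the message says the recipe was tested but not how the value was obtained; noting whether it was compared against a checksum published by upstream, rather than taken from the fetcher's own output, would make the pin easier to trust.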
-- 
2.50.1




* Re: [yocto-patches] [meta-security][PATCH 5/5] lynis: update to 3.1.5
  2025-09-17 20:42 ` [meta-security][PATCH 5/5] lynis: update to 3.1.5 Scott Murray
@ 2025-09-18  5:28   ` Marta Rybczynska
  2025-09-18 12:42     ` Scott Murray
  0 siblings, 1 reply; 9+ messages in thread
From: Marta Rybczynska @ 2025-09-18  5:28 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska


On Wed, Sep 17, 2025 at 10:43 PM Scott Murray via lists.yoctoproject.org
<scott.murray=konsulko.com@lists.yoctoproject.org> wrote:

> From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
>
> Tested on master (whinlatter) with beaglebone-yocto
>
> New in version 3.1.5 (2025-07-29):
> https://cisofy.com/changelog/lynis/#315
>
> Added:
> - Support for OpenWrt
> - Bitdefender detection on Linux
> - Detection of openSUSE Tumbleweed-Slowroll
>
> Changed:
> - Corrected detection of service manager SMF
> - Extended GetHostID function to allow HostID and HostID2 creation on
> OpenWrt
> - Check modules also under /usr/lib/modules.d
>
> Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
> ---
>  recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%)
>
> diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb
> b/recipes-compliance/lynis/lynis_3.1.5.bb
> similarity index 93%
> rename from recipes-compliance/lynis/lynis_3.1.4.bb
> rename to recipes-compliance/lynis/lynis_3.1.5.bb
> index 3546a9e..3d1e8b7 100644
> --- a/recipes-compliance/lynis/lynis_3.1.4.bb
> +++ b/recipes-compliance/lynis/lynis_3.1.5.bb
> @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM =
> "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
>
>  SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
>
> -SRC_URI[sha256sum] =
> "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6"
> +SRC_URI[sha256sum] =
> "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
>
>  #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
>
>
Hello,
I was thinking about this one, as lynis is causing issues for each new
version. The last version is indeed  ${BPN}-${PV}.tar.gz
<https://downloads.cisofy.com/lynis/$%7BBPN%7D-$%7BPV%7D.tar.gz>, but when
they release, they move the previous one. Existing recipes do not work
anymore.

I think the solution would be to use their GitHub releases like
https://github.com/CISOfy/lynis/archive/refs/tags/3.1.5.tar.gz

That would avoid the need to update the link every time they release.

What do you think?

Kind regards,
Marta


* Re: [yocto-patches] [meta-security][PATCH 5/5] lynis: update to 3.1.5
  2025-09-18  5:28   ` [yocto-patches] " Marta Rybczynska
@ 2025-09-18 12:42     ` Scott Murray
       [not found]       ` <31ae3878-a205-4b83-a458-736af051607b@ygreky.com>
  0 siblings, 1 reply; 9+ messages in thread
From: Scott Murray @ 2025-09-18 12:42 UTC (permalink / raw)
  To: yocto-patches; +Cc: Marta Rybczynska, rybczynska


On Thu, 18 Sep 2025, Marta Rybczynska via lists.yoctoproject.org wrote:

> On Wed, Sep 17, 2025 at 10:43 PM Scott Murray via lists.yoctoproject.org
> <scott.murray=konsulko.com@lists.yoctoproject.org> wrote:
>
> > From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
> >
> > Tested on master (whinlatter) with beaglebone-yocto
> >
> > New in version 3.1.5 (2025-07-29):
> > https://cisofy.com/changelog/lynis/#315
> >
> > Added:
> > - Support for OpenWrt
> > - Bitdefender detection on Linux
> > - Detection of openSUSE Tumbleweed-Slowroll
> >
> > Changed:
> > - Corrected detection of service manager SMF
> > - Extended GetHostID function to allow HostID and HostID2 creation on
> > OpenWrt
> > - Check modules also under /usr/lib/modules.d
> >
> > Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
> > ---
> >  recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >  rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%)
> >
> > diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb
> > b/recipes-compliance/lynis/lynis_3.1.5.bb
> > similarity index 93%
> > rename from recipes-compliance/lynis/lynis_3.1.4.bb
> > rename to recipes-compliance/lynis/lynis_3.1.5.bb
> > index 3546a9e..3d1e8b7 100644
> > --- a/recipes-compliance/lynis/lynis_3.1.4.bb
> > +++ b/recipes-compliance/lynis/lynis_3.1.5.bb
> > @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM =
> > "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
> >
> >  SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
> >
> > -SRC_URI[sha256sum] =
> > "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6"
> > +SRC_URI[sha256sum] =
> > "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
> >
> >  #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
> >
>
> Hello,
> I was thinking about this one, as lynis is causing issues for each new
> version. The last version is indeed  ${BPN}-${PV}.tar.gz
> <https://downloads.cisofy.com/lynis/$%7BBPN%7D-$%7BPV%7D.tar.gz>, but when
> they release, they move the previous one. Existing recipes do not work
> anymore.
>
> I think the solution would be to use their GitHub releases like
> https://github.com/CISOfy/lynis/archive/refs/tags/3.1.5.tar.gz
>
> That would avoid the need to update the link every time they release.
>
> What do you think?

Those are not reliable, as GitHub may regenerate them randomly.  There's
actually a QA check in oe-core (src-uri-bad) that explicitly flags such
URIs.  It may be worth asking upstream to always also put the new
releases into their archive directory on downloads.cisofy.com right away
so that the URI can stay stable.  I can imagine them not going for that,
though, based on the recommendation to always use the latest version on
their download site.

Scott


* Re: [yocto-patches] [meta-security][PATCH 5/5] lynis: update to 3.1.5
       [not found]       ` <31ae3878-a205-4b83-a458-736af051607b@ygreky.com>
@ 2025-09-18 17:41         ` Scott Murray
  0 siblings, 0 replies; 9+ messages in thread
From: Scott Murray @ 2025-09-18 17:41 UTC (permalink / raw)
  To: Marta Rybczynska (Ygreky); +Cc: yocto-patches, rybczynska


On Thu, 18 Sep 2025, Marta Rybczynska (Ygreky) wrote:

>
> On 18/09/2025 2:42 PM, Scott Murray wrote:
> > On Thu, 18 Sep 2025, Marta Rybczynska via lists.yoctoproject.org wrote:
> >
> >> On Wed, Sep 17, 2025 at 10:43 PM Scott Murray via lists.yoctoproject.org
> >> <scott.murray=konsulko.com@lists.yoctoproject.org> wrote:
> >>
> >>> From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
> >>>
> >>> Tested on master (whinlatter) with beaglebone-yocto
> >>>
> >>> New in version 3.1.5 (2025-07-29):
> >>> https://cisofy.com/changelog/lynis/#315
> >>>
> >>> Added:
> >>> - Support for OpenWrt
> >>> - Bitdefender detection on Linux
> >>> - Detection of openSUSE Tumbleweed-Slowroll
> >>>
> >>> Changed:
> >>> - Corrected detection of service manager SMF
> >>> - Extended GetHostID function to allow HostID and HostID2 creation on
> >>> OpenWrt
> >>> - Check modules also under /usr/lib/modules.d
> >>>
> >>> Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
> >>> ---
> >>>   recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +-
> >>>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>>   rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%)
> >>>
> >>> diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb
> >>> b/recipes-compliance/lynis/lynis_3.1.5.bb
> >>> similarity index 93%
> >>> rename from recipes-compliance/lynis/lynis_3.1.4.bb
> >>> rename to recipes-compliance/lynis/lynis_3.1.5.bb
> >>> index 3546a9e..3d1e8b7 100644
> >>> --- a/recipes-compliance/lynis/lynis_3.1.4.bb
> >>> +++ b/recipes-compliance/lynis/lynis_3.1.5.bb
> >>> @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM =
> >>> "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
> >>>
> >>>   SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
> >>>
> >>> -SRC_URI[sha256sum] =
> >>> "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6"
> >>> +SRC_URI[sha256sum] =
> >>> "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
> >>>
> >>>   #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
> >>>
> >> Hello,
> >> I was thinking about this one, as lynis is causing issues for each new
> >> version. The last version is indeed  ${BPN}-${PV}.tar.gz
> >> <https://downloads.cisofy.com/lynis/$%7BBPN%7D-$%7BPV%7D.tar.gz>, but when
> >> they release, they move the previous one. Existing recipes do not work
> >> anymore.
> >>
> >> I think the solution would be to use their GitHub releases like
> >> https://github.com/CISOfy/lynis/archive/refs/tags/3.1.5.tar.gz
> >>
> >> That would avoid the need to update the link every time they release.
> >>
> >> What do you think?
> > Those are not reliable, as GitHub may regenerate them randomly.  There's
> > actually a QA check in oe-core (src-uri-bad) that explicitly flags such
> > URIs.  It may be worth asking upstream to always also put the new
> > releases into their archive directory on downloads.cisofy.com right away
> > so that the URI can stay stable.  I can imagine them not going for that,
> > though, based on the recommendation to always use the latest version on
> > their download site.
>
> We can download the source code with the given hash of the release, as for
> many other projects. Lynis doesn't have any build process, it is a shell
> script.

Yes, switching to git fetcher with the tagged SRCREV seems like a
reasonable approach (perhaps also using the new tag <-> SRCREV checking
in the fetcher).  I'd say perhaps submit that as a change on top of this
version bump from Michael, as I assume the real target is the older
branches that are going to be more likely to break.

Scott
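
The point discussed in this sub-thread, as an added example that is not part of any message above: a checksum pinned on archive bytes (as SRC_URI[sha256sum] is) stops matching when a server regenerates the archive, even though the packed files are unchanged, while a pin on the content itself does not. The sample tree, timestamps and compression levels are constructed, and content_digest() is a simplified stand-in for what a git SRCREV pins, not BitBake's fetcher code.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a tagged source tree (not real lynis content).
SAMPLE_TREE = {
    "lynis-3.1.5/lynis": b"#!/bin/sh\necho constructed sample\n",
    "lynis-3.1.5/LICENSE": b"constructed licence text\n",
}


def make_tarball(tree, gzip_mtime, compresslevel):
    """Pack `tree` as .tar.gz, as a server generating an archive on demand might."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = 0      # file metadata is identical on every run
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # Only the gzip container settings vary between generations.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime,
                       compresslevel=compresslevel) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def archive_sha256(blob):
    """Digest over the archive bytes: what a tarball checksum pin records."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """Digest over member names and file bytes only, ignoring the container."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(member).read()
            h.update(member.name.encode() + b"\0")
            h.update(str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()


def check_fetch(blob, pinned_sha256):
    """Mimic a checksum-pinned fetch: accept only if the archive digest matches."""
    return archive_sha256(blob) == pinned_sha256


if __name__ == "__main__":
    first = make_tarball(SAMPLE_TREE, gzip_mtime=1_700_000_000, compresslevel=9)
    regenerated = make_tarball(SAMPLE_TREE, gzip_mtime=1_800_000_000, compresslevel=6)
    pinned = archive_sha256(first)          # value a recipe would have recorded
    print("original archive accepted:   ", check_fetch(first, pinned))
    print("regenerated archive accepted:", check_fetch(regenerated, pinned))
    print("content identical:           ",
          content_digest(first) == content_digest(regenerated))
```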
