From: Scott Murray <scott.murray@konsulko.com>
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska <rybczynska@gmail.com>
Subject: [meta-security][kirkstone][PATCH 0/9] Assorted fixes
Date: Thu, 15 Jan 2026 17:46:21 -0500
Message-ID: <cover.1768515491.git.scott.murray@konsulko.com>

This patch series pulls together the couple of recent contributions
to the kirkstone branch with selected backported changes for known broken
recipes plus getting the base CI build tests working. These changes
are on the kirkstone-next branch of meta-security, and my plan is to
merge them to kirkstone tomorrow evening (EST) if there are no
objections.

Things to note:
- The Parsec and musl build tests fail, and given the impending EOL
  of kirkstone, debugging the failures is currently a low priority.
- checksecurity and lynis have ended up with minor upgrades due to
  the process of working through cherry-picking fixes from master.
  I believe in both cases the upgrades are minor enough to not be an
  issue, and that seems a small tradeoff for actually building now.
  I would have considered being a bit more aggressive with updating
  lynis, but it does not seem worthwhile given the impending kirkstone
  EOL, and no one having complained about the recipe not building.

Scott

Changes:

Armin Kuster (2):
  chkrootkit: update SRC_URI
  checksecurity: update to 2.0.16

Marta Rybczynska (3):
  CI: update build for new CI
  kas: update configuration
  checksecurity: update the debian package

Scott Murray (2):
  Update maintainers
  meta-security-compliance: Update lynis

Vijay Anusuri (2):
  sssd: Fix for CVE-2025-11561
  clamav: Fix for CVE-2024-20328

.gitlab-ci.yml | 49 +++---
README | 4 +-
conf/distro/include/maintainers.inc | 72 ++++-----
kas/kas-security-alt.yml | 4 +-
kas/kas-security-base.yml | 21 ++-
kas/kas-security-dm.yml | 2 +-
kas/kas-security-parsec.yml | 4 +-
kas/qemuarm64-musl.yml | 1 +
kas/qemux86-musl.yml | 1 +
kas/qemux86-test.yml | 4 +
meta-hardening/README | 4 +-
meta-integrity/README.md | 4 +-
meta-parsec/README.md | 1 -
.../lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} | 6 +-
meta-tpm/README | 4 +-
meta-tpm/conf/distro/include/maintainers.inc | 33 ++--
...rity_2.0.15.bb => checksecurity_2.0.16.bb} | 17 +-
...k-setuid-use-more-portable-find-args.patch | 16 +-
.../files/setuid-log-folder.patch | 52 ------
recipes-scanners/clamav/clamav_0.104.0.bb | 1 +
.../clamav/files/CVE-2024-20328.patch | 153 ++++++++++++++++++
recipes-scanners/rootkits/chkrootkit_0.55.bb | 2 +-
.../sssd/files/CVE-2025-11561.patch | 50 ++++++
recipes-security/sssd/sssd_2.5.2.bb | 1 +
24 files changed, 346 insertions(+), 160 deletions(-)
rename meta-security-compliance/recipes-auditors/lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} (84%)
rename recipes-scanners/checksecurity/{checksecurity_2.0.15.bb => checksecurity_2.0.16.bb} (57%)
delete mode 100644 recipes-scanners/checksecurity/files/setuid-log-folder.patch
create mode 100644 recipes-scanners/clamav/files/CVE-2024-20328.patch
create mode 100644 recipes-security/sssd/files/CVE-2025-11561.patch
--
2.51.0