* [meta-security][scarthgap][PATCH 0/6] Assorted updates 01/19
@ 2026-01-19 20:39 Scott Murray
2026-01-19 20:39 ` [meta-security][scarthgap][PATCH 1/6] sssd: Upgrade 2.9.2 -> 2.9.5 Scott Murray
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Scott Murray @ 2026-01-19 20:39 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
This patch series rolls up the contributed patches from the past couple
weeks, plus backported lynis updates and a sssd update from myself.

These changes are queued on the scarthgap-next branch if you would like
to check them out to test yourself. I intend to merge these to scarthgap
branch at end of day tomorrow (Eastern Time, Jan. 20) unless there are
objections.

Scott

Changes:

Marta Rybczynska (1):
  lynis: move to GitHub fetching

Michael Opdenacker (1):
  lynis: update to 3.1.5

Scott Murray (2):
  sssd: Upgrade to 2.9.7
  lynis: upgrade to 3.1.6

Vijay Anusuri (2):
  sssd: Upgrade 2.9.2 -> 2.9.5
  sssd: Fix for CVE-2025-11561

.../0001-sssctl-add-error-analyzer.patch | 42 +++++++++-------
.../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++
.../sssd/files/drop_ntpdate_chk.patch | 17 +++++--
.../sssd/files/fix-ldblibdir.patch | 9 +++-
.../recipes-security/sssd/files/fix_gid.patch | 16 ++++--
.../sssd/files/musl_fixup.patch | 34 +++++++------
.../recipes-security/sssd/files/no_gen.patch | 18 ++++---
.../sssd/{sssd_2.9.2.bb => sssd_2.9.7.bb} | 3 +-
.../lynis/{lynis_3.1.4.bb => lynis_3.1.6.bb} | 6 +--
9 files changed, 141 insertions(+), 54 deletions(-)
create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.7.bb} (98%)
rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.6.bb} (87%)
--
2.51.0
* [meta-security][scarthgap][PATCH 1/6] sssd: Upgrade 2.9.2 -> 2.9.5
From: Scott Murray @ 2026-01-19 20:39 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Vijay Anusuri <vanusuri@mvista.com>
Includes security fix CVE-2023-3758
ChangeLog:
https://github.com/SSSD/sssd/releases/tag/2.9.5
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} (98%)
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
similarity index 98%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
index d61471c..cb27675 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
@@ -26,7 +26,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://musl_fixup.patch \
file://0001-sssctl-add-error-analyzer.patch \
"
-SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
+SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
--
2.51.0
* [meta-security][scarthgap][PATCH 2/6] sssd: Fix for CVE-2025-11561
From: Scott Murray @ 2026-01-19 20:39 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++
.../recipes-security/sssd/sssd_2.9.5.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
new file mode 100644
index 0000000..8111ca0
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
@@ -0,0 +1,50 @@
+From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204]
+CVE: CVE-2025-11561
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index edaf967e186..5c1f050184e 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+
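Review bot: the relnote carried in this patch file says the added `disable = an2ln` line fixes CVE-2025-11561 only "If this file or its content are included in the Kerberos configuration", and nothing in this change shows that the image's krb5.conf includes /var/lib/sss/pubconf/krb5.include.d. Suggest stating in the commit message whether the layer's Kerberos configuration pulls that directory in, or adding a note for integrators, because the `CVE: CVE-2025-11561` tag will make CVE checking report the issue as patched even on images where the snippet is never read.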
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
index cb27675..2954257 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
file://0001-sssctl-add-error-analyzer.patch \
+ file://CVE-2025-11561.patch \
"
SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3"
--
2.51.0
* [meta-security][scarthgap][PATCH 3/6] sssd: Upgrade to 2.9.7
From: Scott Murray @ 2026-01-19 20:39 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
Release notes:
https://sssd.io/release-notes/sssd-2.9.6.html
https://sssd.io/release-notes/sssd-2.9.7.html
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../0001-sssctl-add-error-analyzer.patch | 42 ++++++++++---------
.../sssd/files/CVE-2025-11561.patch | 6 +--
.../sssd/files/drop_ntpdate_chk.patch | 17 +++++---
.../sssd/files/fix-ldblibdir.patch | 9 +++-
.../recipes-security/sssd/files/fix_gid.patch | 16 +++++--
.../sssd/files/musl_fixup.patch | 34 ++++++++-------
.../recipes-security/sssd/files/no_gen.patch | 18 +++++---
.../sssd/{sssd_2.9.5.bb => sssd_2.9.7.bb} | 2 +-
8 files changed, 90 insertions(+), 54 deletions(-)
rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.5.bb => sssd_2.9.7.bb} (98%)
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
index 6880405..4f58125 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
@@ -1,13 +1,17 @@
+From 56bcfecda72dc56c1bb8b8eb2721033f54dba9f8 Mon Sep 17 00:00:00 2001
+From: roy214 <abroy@redhat.com>
+Date: Tue, 25 Apr 2023 20:01:24 +0530
+Subject: [PATCH] sssctl: add error analyzer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
Backport patch to fix interpreter of sss_analyze.
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
-From: roy214 <abroy@redhat.com>
-Date: Tue, 25 Apr 2023 20:01:24 +0530
-Subject: [PATCH] sssctl: add error analyzer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
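Review bot: the refresh adds `MIME-Version`, `Content-Type` and `Content-Transfer-Encoding` under the new `From 56bcfec...` header, but the same three lines stay as unchanged context at the end of this hunk, so the refreshed patch file now carries them twice, with the second copy sitting in the message body after `Signed-off-by: Kai Kang`. Suggest dropping the leftover copy so the header block appears once.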
@@ -28,7 +32,7 @@ Reviewed-by: Tomáš Halman <thalman@redhat.com>
create mode 100644 src/tools/analyzer/util.py
diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
-index b40043d043..7692af8528 100644
+index b40043d..7692af8 100644
--- a/src/tools/analyzer/Makefile.am
+++ b/src/tools/analyzer/Makefile.am
@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
@@ -46,7 +50,7 @@ index b40043d043..7692af8528 100644
$(NULL)
diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
new file mode 100644
-index 0000000000..71173670c5
+index 0000000..7117367
--- /dev/null
+++ b/src/tools/analyzer/modules/error.py
@@ -0,0 +1,61 @@
@@ -112,7 +116,7 @@ index 0000000000..71173670c5
+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
+ return
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index d661dddb84..e4d5f060c7 100644
+index d661ddd..e4d5f06 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -1,6 +1,6 @@
@@ -123,7 +127,7 @@ index d661dddb84..e4d5f060c7 100644
from sssd.parser import SubparsersAction
from sssd.parser import Option
-@@ -38,7 +38,6 @@ def print_module_help(self, args):
+@@ -38,7 +38,6 @@ class RequestAnalyzer:
def setup_args(self, parser_grp, cli):
"""
Setup module parser, subcommands, and options
@@ -131,7 +135,7 @@ index d661dddb84..e4d5f060c7 100644
Args:
parser_grp (argparse.Action): Parser group to nest
module and subcommands under
-@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
+@@ -63,42 +62,6 @@ class RequestAnalyzer:
return self.module_parser
@@ -174,7 +178,7 @@ index d661dddb84..e4d5f060c7 100644
def get_linked_ids(self, source, pattern, regex):
"""
Retrieve list of associated REQ_TRACE ids. Filter
-@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
+@@ -114,8 +77,9 @@ class RequestAnalyzer:
Returns:
List of linked ids discovered
"""
@@ -185,7 +189,7 @@ index d661dddb84..e4d5f060c7 100644
id_re = re.compile(regex)
match = id_re.search(match)
if match:
-@@ -250,7 +214,8 @@ def list_requests(self, args):
+@@ -250,7 +214,8 @@ class RequestAnalyzer:
Args:
args (Namespace): populated argparse namespace
"""
@@ -195,7 +199,7 @@ index d661dddb84..e4d5f060c7 100644
component = source.Component.NSS
resp = "nss"
# Log messages matching the following regex patterns contain
-@@ -266,7 +231,7 @@ def list_requests(self, args):
+@@ -266,7 +231,7 @@ class RequestAnalyzer:
if args.verbose:
self.print_formatted_verbose(source)
else:
@@ -204,7 +208,7 @@ index d661dddb84..e4d5f060c7 100644
if type(source).__name__ == 'Journald':
print(line)
else:
-@@ -279,7 +244,8 @@ def track_request(self, args):
+@@ -279,7 +244,8 @@ class RequestAnalyzer:
Args:
args (Namespace): populated argparse namespace
"""
@@ -214,7 +218,7 @@ index d661dddb84..e4d5f060c7 100644
cid = args.cid
resp_results = False
be_results = False
-@@ -294,7 +260,7 @@ def track_request(self, args):
+@@ -294,7 +260,7 @@ class RequestAnalyzer:
logger.info(f"******** Checking {resp} responder for Client ID"
f" {cid} *******")
source.set_component(component, args.child)
@@ -223,7 +227,7 @@ index d661dddb84..e4d5f060c7 100644
resp_results = self.consume_line(match, source, args.merge)
logger.info(f"********* Checking Backend for Client ID {cid} ********")
-@@ -307,7 +273,7 @@ def track_request(self, args):
+@@ -307,7 +273,7 @@ class RequestAnalyzer:
pattern.clear()
[pattern.append(f'\\{id}') for id in be_ids]
@@ -233,7 +237,7 @@ index d661dddb84..e4d5f060c7 100644
if args.merge:
diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
-index 3f1beaf38b..6d4b5b30c6 100755
+index 3f1beaf..6d4b5b3 100755
--- a/src/tools/analyzer/sss_analyze
+++ b/src/tools/analyzer/sss_analyze
@@ -1,4 +1,4 @@
@@ -243,7 +247,7 @@ index 3f1beaf38b..6d4b5b30c6 100755
from sssd import sss_analyze
diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
-index 18b998f380..dafc84fc03 100644
+index 18b998f..dafc84f 100644
--- a/src/tools/analyzer/sss_analyze.py
+++ b/src/tools/analyzer/sss_analyze.py
@@ -1,6 +1,7 @@
@@ -254,7 +258,7 @@ index 18b998f380..dafc84fc03 100644
from sssd.parser import SubparsersAction
-@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
+@@ -55,9 +56,11 @@ class Analyzer:
"""
# Currently only the 'request' module exists
req = request.RequestAnalyzer()
@@ -268,7 +272,7 @@ index 18b998f380..dafc84fc03 100644
"""
diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
new file mode 100644
-index 0000000000..2a8d153a71
+index 0000000..2a8d153
--- /dev/null
+++ b/src/tools/analyzer/util.py
@@ -0,0 +1,44 @@
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
index 8111ca0..110444a 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch
@@ -1,4 +1,4 @@
-From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
+From 9fdc7f2b4ed50a5ce788a86f2a5be448668381f5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
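Review bot: the `From` line in this hunk changes from e5224f0cb684e61203d2cd8045266f7248696204, the commit that the patch's `Upstream-Status: Backport` line points to, to 9fdc7f2b4ed50a5ce788a86f2a5be448668381f5, which appears nowhere else in the series and is presumably a local hash produced while refreshing. Suggest keeping the upstream hash in the `From` line, or saying in the commit message that the patch headers were regenerated, so the new value is not mistaken for an upstream commit when the CVE fix is audited later.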
@@ -37,10 +37,10 @@ Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
1 file changed, 1 insertion(+)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index edaf967e186..5c1f050184e 100644
+index edaf967..5c1f050 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
-@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
+@@ -751,6 +751,7 @@ done:
#define LOCALAUTH_PLUGIN_CONFIG \
"[plugins]\n" \
" localauth = {\n" \
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
index 338af5d..e86a720 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
@@ -1,14 +1,21 @@
+From 1e8e2a324bfdeb2443c78db1689fe526fd5d8b60 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Tue, 18 May 2021 15:10:53 +0000
+Subject: [PATCH] sssd: update to 2.5.0
+
nsupdate path is needed for various exec call
but don't run natvie tests on it.
-
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/external/nsupdate.m4 | 12 ------------
+ 1 file changed, 12 deletions(-)
-Index: sssd-2.5.0/src/external/nsupdate.m4
-===================================================================
---- sssd-2.5.0.orig/src/external/nsupdate.m4
-+++ sssd-2.5.0/src/external/nsupdate.m4
+diff --git a/src/external/nsupdate.m4 b/src/external/nsupdate.m4
+index a137f38..ab08f57 100644
+--- a/src/external/nsupdate.m4
++++ b/src/external/nsupdate.m4
@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate)
if test -x "$NSUPDATE"; then
AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
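Review bot: the generated `Subject: [PATCH] sssd: update to 2.5.0` at the top of this hunk names the recipe commit that introduced the file, not what the patch does; the body says it keeps the nsupdate path but drops the native test. Suggest a subject that describes the change itself (fix_gid.patch receives the same "update to 2.5.0" subject later in this patch), and the "natvie" typo in the description could be corrected in the same refresh.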
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
index e350baf..f482716 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -1,3 +1,8 @@
+From 512e46f3b9965cff200aa47879857d198afd8fe2 Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Wed, 16 Jun 2021 14:42:33 +0800
+Subject: [PATCH] sssd: fix for ldblibdir and systemd etc
+
When calculate value of ldblibdir, it checks whether the directory of
$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
suitable for cross compile. Fix it that only re-assign ldblibdir when its value
@@ -11,10 +16,10 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
-index c400add..5e5f06d 100644
+index e8285a9..e98913c 100644
--- a/src/external/libldb.m4
+++ b/src/external/libldb.m4
-@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+@@ -22,7 +22,7 @@ if test x"$with_ldb_lib_dir" != x; then
ldblibdir=$with_ldb_lib_dir
else
ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 419b83f..642002f 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -1,3 +1,8 @@
+From cf9fd2126e697b02e1561501a20dfa13fee16505 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Tue, 18 May 2021 15:10:53 +0000
+Subject: [PATCH] sssd: update to 2.5.0
+
from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'?
| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
@@ -11,11 +16,14 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/util/debug.h | 2 ++
+ 1 file changed, 2 insertions(+)
-Index: sssd-2.7.1/src/util/debug.h
-===================================================================
---- sssd-2.7.1.orig/src/util/debug.h
-+++ sssd-2.7.1/src/util/debug.h
+diff --git a/src/util/debug.h b/src/util/debug.h
+index c33c14e..405c21d 100644
+--- a/src/util/debug.h
++++ b/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"
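Review bot: `Upstream-Status: Pending` is carried over unchanged in this hunk while the patch is rebased from `sssd-2.7.1/src/util/debug.h` onto the current `src/util/debug.h`. Since the patch has to be refreshed on each upgrade, suggest either sending it upstream or recording in the header why it cannot be, so the status does not stay Pending indefinitely.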
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
index 68f267c..f998005 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
@@ -1,4 +1,7 @@
-fix musl build failures
+From abb66c871d5571accff49a281730246a057b4967 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Sun, 4 Jul 2021 08:50:06 -0700
+Subject: [PATCH] fix musl build failures
Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
@@ -8,22 +11,25 @@ These are work arounds for now while we figure out where the real fix should res
| 1199 | _PATH_HOSTS);
| | ^~~~~~~~~~~
-and
+and
i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function)
| 415 | *h_errnop = NETDB_INTERNAL;
-
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: sssd-2.5.1/src/providers/fail_over.c
-===================================================================
---- sssd-2.5.1.orig/src/providers/fail_over.c
-+++ sssd-2.5.1/src/providers/fail_over.c
-@@ -31,6 +31,10 @@
- #include <talloc.h>
+---
+ src/providers/fail_over.c | 4 ++++
+ src/sss_client/sss_cli.h | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
+index 835ac52..dea4fab 100644
+--- a/src/providers/fail_over.c
++++ b/src/providers/fail_over.c
+@@ -33,6 +33,10 @@
#include <netdb.h>
+ #include <arpa/inet.h>
+#if !defined(_PATH_HOSTS)
+#define _PATH_HOSTS "/etc/hosts"
@@ -32,10 +38,10 @@ Index: sssd-2.5.1/src/providers/fail_over.c
#include "util/dlinklist.h"
#include "util/refcount.h"
#include "util/util.h"
-Index: sssd-2.5.1/src/sss_client/sss_cli.h
-===================================================================
---- sssd-2.5.1.orig/src/sss_client/sss_cli.h
-+++ sssd-2.5.1/src/sss_client/sss_cli.h
+diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
+index 29b496e..c47e776 100644
+--- a/src/sss_client/sss_cli.h
++++ b/src/sss_client/sss_cli.h
@@ -44,6 +44,14 @@ typedef int errno_t;
#define EOK 0
#endif
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 7d8e80b..0a1972e 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -1,14 +1,20 @@
-don't run generate-sbus-code
+From 81074928bf6bf339628eb6427c44f8ad4512a431 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Tue, 18 May 2021 15:10:53 +0000
+Subject: [PATCH] don't run generate-sbus-code
Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ Makefile.am | 2 --
+ 1 file changed, 2 deletions(-)
-Index: sssd-2.7.1/Makefile.am
-===================================================================
---- sssd-2.7.1.orig/Makefile.am
-+++ sssd-2.7.1/Makefile.am
-@@ -1023,8 +1023,6 @@ generate-sbus-code:
+diff --git a/Makefile.am b/Makefile.am
+index 3477aa0..8943e8a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1036,8 +1036,6 @@ generate-sbus-code:
.PHONY: generate-sbus-code
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb
similarity index 98%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb
index 2954257..f92fe65 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb
@@ -27,7 +27,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://0001-sssctl-add-error-analyzer.patch \
file://CVE-2025-11561.patch \
"
-SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3"
+SRC_URI[sha256sum] = "6b5284a4d72b67c0897699794360d79e0f67461957e20273c2649f025e76c248"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
--
2.51.0
* [meta-security][scarthgap][PATCH 4/6] lynis: update to 3.1.5
From: Scott Murray @ 2026-01-19 20:39 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Tested on master (whinlatter) with beaglebone-yocto
New in version 3.1.5 (2025-07-29):
https://cisofy.com/changelog/lynis/#315
Added:
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed:
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
(backported to scarthgap)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%)
diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb b/recipes-compliance/lynis/lynis_3.1.5.bb
similarity index 93%
rename from recipes-compliance/lynis/lynis_3.1.4.bb
rename to recipes-compliance/lynis/lynis_3.1.5.bb
index 9cce848..6264edc 100644
--- a/recipes-compliance/lynis/lynis_3.1.4.bb
+++ b/recipes-compliance/lynis/lynis_3.1.5.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6"
+SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
--
2.51.0
* [meta-security][scarthgap][PATCH 5/6] lynis: move to GitHub fetching
From: Scott Murray @ 2026-01-19 20:40 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Move to fetching from GitHub hashes to avoid issues at releases,
when the last-recent release changes place.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted for scarthgap)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-compliance/lynis/lynis_3.1.5.bb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.5.bb
index 6264edc..9105bbc 100644
--- a/recipes-compliance/lynis/lynis_3.1.5.bb
+++ b/recipes-compliance/lynis/lynis_3.1.5.bb
@@ -6,13 +6,13 @@ HOMEDIR = "https://cisofy.com/"
LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
-SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
+SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https"
-SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
+SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa"
#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
-S = "${WORKDIR}/${BPN}"
+S = "${WORKDIR}/git"
inherit autotools-brokensep
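Review bot: `SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa"` replaces the tarball checksum, but neither the recipe nor the commit message says which upstream tag that commit corresponds to, while the file name still sets the version to 3.1.5. Suggest a comment above `SRCREV` naming the tag so a reviewer can confirm the pin matches the release. The commented-out `#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"` left as context now points at a location the recipe no longer fetches from; consider removing it or replacing it with `UPSTREAM_CHECK_GITTAGREGEX`.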
--
2.51.0
* [meta-security][scarthgap][PATCH 6/6] lynis: upgrade to 3.1.6
From: Scott Murray @ 2026-01-19 20:40 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
Release notes:
https://github.com/CISOfy/lynis/releases/tag/3.1.6
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%)
diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.6.bb
similarity index 96%
rename from recipes-compliance/lynis/lynis_3.1.5.bb
rename to recipes-compliance/lynis/lynis_3.1.6.bb
index 9105bbc..c3961b7 100644
--- a/recipes-compliance/lynis/lynis_3.1.5.bb
+++ b/recipes-compliance/lynis/lynis_3.1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https"
-SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa"
+SRCREV = "06153321ea50d53a27446084e646d9f43fe46e0e"
#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
--
2.51.0