[meta-security][PATCH 0/7] Assorted updates 04/15

[meta-security][PATCH 0/7] Assorted updates 04/15

[Scott Murray]

This patch series rolls up the contributed patches from the past few
weeks, barring the suricata 8.04 update that will need some rework for
Lua 5.5.  These changes are queued on the master-next branch if you
would like to check them out to test yourself.  I intend to merge these
to master branch at end of day tomorrow (Eastern Time, April 16) unless
there are objections.

Note that there are the following known issues atm:
* parsec-service currently fails to build with an error in the
  cryptoki crate.  This was likely triggered by the upgrade to
  Rust 1.94.x in oe-core.
* Including python3-privacyidea in an image results in packaging
  conflicts between python3-cryptography and python3-pyrad that
  need to be addressed in those recipes in oe-core/meta-python.

I hope to get these addressed in the next week or so.

Scott


Changes:

Haiqing Bai (1):
  isic: fix RDEPNEDS typo

Khem Raj (1):
  wic: wic need to be moved to files/wic within the layer to be
    found/used

Peter Marko (2):
  libtpms: fix build with glibc 2.43
  tpm2-pkcs11: fix build failure

Yi Zhao (2):
  scap-security-guide: upgrade 0.1.78 -> 0.1.80
  openscap: upgrade 1.4.2 -> 1.4.3

Zhang Peng (1):
  meta-security: fix incorrect HOMEPAGE variable names

 .../wic}/beaglebone-yocto-verity.wks.in       |  0
 .../systemd-bootdisk-dmverity-hash.wks.in     |  0
 .../wic}/systemd-bootdisk-dmverity.wks.in     |  0
 ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
 meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
 ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++
 .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
 recipes-compliance/lynis/lynis_3.1.6.bb       |  2 +-
 .../{openscap_1.4.2.bb => openscap_1.4.3.bb}  |  4 +--
 ....1.78.bb => scap-security-guide_0.1.80.bb} |  4 +--
 recipes-scanners/arpwatch/arpwatch_3.3.bb     |  2 +-
 recipes-security/glome/glome_git.bb           |  2 +-
 .../google-authenticator-libpam_1.09.bb       |  2 +-
 recipes-security/isic/isic_0.07.bb            |  2 +-
 14 files changed, 75 insertions(+), 10 deletions(-)
 rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
 rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in (100%)
 rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)
 create mode 100644 meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
 create mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
 rename recipes-compliance/openscap/{openscap_1.4.2.bb => openscap_1.4.3.bb} (96%)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (93%)

-- 
2.53.0

[meta-security][PATCH 1/7] libtpms: fix build with glibc 2.43

[Scott Murray]

From: Peter Marko <peter.marko@siemens.com>

Backport patch stable-0.10 branch (not tagged yet).

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
 meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch

diff --git a/meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch b/meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
new file mode 100644
index 0000000..3a82473
--- /dev/null
+++ b/meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
@@ -0,0 +1,34 @@
+From a20f8b6a22f1ae60d96ae7e554f5e13dd431471b Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Fri, 2 Jan 2026 11:37:31 -0500
+Subject: [PATCH] Fix a compilation error in TPMLIB_GetPlaintext
+
+Fix a compilation error that newer gcc versions may complain about:
+
+tpm_library.c: In function 'TPMLIB_GetPlaintext':
+tpm_library.c:441:11: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
+  441 |     start = strstr(stream, starttag);
+      |           ^
+At top level:
+cc1: note: unrecognized command-line option '-Wno-self-assign' may have been intended to silence earlier diagnostics
+cc1: all warnings being treated as errors
+
+Upstream-Status: Backport [https://github.com/stefanberger/libtpms/commit/a20f8b6a22f1ae60d96ae7e554f5e13dd431471b]
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm_library.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tpm_library.c b/src/tpm_library.c
+index f48f4fd3..7b2ea687 100644
+--- a/src/tpm_library.c
++++ b/src/tpm_library.c
+@@ -435,7 +435,7 @@ static unsigned char *TPMLIB_GetPlaintext(const char *stream,
+                                           const char *endtag,
+                                           size_t *length)
+ {
+-    char *start, *end;
++    const char *start, *end;
+     unsigned char *plaintext = NULL;
+ 
+     start = strstr(stream, starttag);
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
index 3727bb3..7f00216 100644
--- a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
+++ b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
@@ -3,7 +3,9 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
 
 SRCREV = "17f253a767f6b5b7813ae33f12bc79c479576cdc"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.10;protocol=https"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.10;protocol=https \
+    file://0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch \
+"
 
 PE = "2"
 
-- 
2.53.0

[meta-security][PATCH 2/7] scap-security-guide: upgrade 0.1.78 -> 0.1.80

[Scott Murray]

From: Yi Zhao <yi.zhao@eng.windriver.com>

ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.80

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 ...p-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (97%)

diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
similarity index 97%
rename from recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
rename to recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
index 919a09c..ab495db 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
-SRCREV = "f7d794851971087db77d4be8eeb716944a1aae21"
+SRCREV = "a1b32362394c7739a7a94426c61c7cb24449d9a0"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;protocol=https;branch=stable \
            file://run_eval.sh \
            "
-- 
2.53.0

[meta-security][PATCH 3/7] openscap: upgrade 1.4.2 -> 1.4.3

[Scott Murray]

From: Yi Zhao <yi.zhao@eng.windriver.com>

ChangeLog:
https://github.com/OpenSCAP/openscap/releases/tag/1.4.3

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../openscap/{openscap_1.4.2.bb => openscap_1.4.3.bb}           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/openscap/{openscap_1.4.2.bb => openscap_1.4.3.bb} (98%)

diff --git a/recipes-compliance/openscap/openscap_1.4.2.bb b/recipes-compliance/openscap/openscap_1.4.3.bb
similarity index 98%
rename from recipes-compliance/openscap/openscap_1.4.2.bb
rename to recipes-compliance/openscap/openscap_1.4.3.bb
index 7b3786e..e1cb295 100644
--- a/recipes-compliance/openscap/openscap_1.4.2.bb
+++ b/recipes-compliance/openscap/openscap_1.4.3.bb
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \
            file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \
           "
 
-SRCREV = "e9b2a41f5796f5ead3d1e2d9df1fb06818a569ac"
+SRCREV = "24986066961363e24fcff83294995b3cfe4058ba"
 
 COMPATIBLE_HOST:libc-musl = "null"
 
-- 
2.53.0

[meta-security][PATCH 4/7] wic: wic need to be moved to files/wic within the layer to be found/used

[Scott Murray]

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 {wic => files/wic}/beaglebone-yocto-verity.wks.in        | 0
 {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in | 0
 {wic => files/wic}/systemd-bootdisk-dmverity.wks.in      | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
 rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in (100%)
 rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)

diff --git a/wic/beaglebone-yocto-verity.wks.in b/files/wic/beaglebone-yocto-verity.wks.in
similarity index 100%
rename from wic/beaglebone-yocto-verity.wks.in
rename to files/wic/beaglebone-yocto-verity.wks.in
diff --git a/wic/systemd-bootdisk-dmverity-hash.wks.in b/files/wic/systemd-bootdisk-dmverity-hash.wks.in
similarity index 100%
rename from wic/systemd-bootdisk-dmverity-hash.wks.in
rename to files/wic/systemd-bootdisk-dmverity-hash.wks.in
diff --git a/wic/systemd-bootdisk-dmverity.wks.in b/files/wic/systemd-bootdisk-dmverity.wks.in
similarity index 100%
rename from wic/systemd-bootdisk-dmverity.wks.in
rename to files/wic/systemd-bootdisk-dmverity.wks.in
-- 
2.53.0

[meta-security][PATCH 5/7] tpm2-pkcs11: fix build failure

[Scott Murray]

From: Peter Marko <peter.marko@siemens.com>

Use patch submitted upstream to fix build error:
| src/lib/tpm.c: In function ‘tpm_unseal’:
| src/lib/tpm.c:1040:16: error: incompatible types when returning type ‘_Bool’ but ‘twist’ {aka ‘const char *’} was expected
|  1040 |         return false;
|       |                ^~~~~

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++++++
 .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch

diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
new file mode 100644
index 0000000..2992b11
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
@@ -0,0 +1,28 @@
+From 0db779aecaae93633be963ffb8fdb097c85cc166 Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Thu, 9 Apr 2026 00:00:00 +0000
+Subject: [PATCH] src/lib/tpm: return NULL for twist on auth failure
+
+`tpm_unseal` returns `twist` (a const char pointer alias). Returning
+`false` in the error path is a type mismatch that fails with stricter
+compiler settings. Return `NULL` instead.
+
+Upstream-Status: Submitted [https://github.com/tpm2-software/tpm2-pkcs11/pull/923]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/lib/tpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/tpm.c b/src/lib/tpm.c
+index 5fff5d5..c51d984 100644
+--- a/src/lib/tpm.c
++++ b/src/lib/tpm.c
+@@ -1037,7 +1037,7 @@ twist tpm_unseal(tpm_ctx *ctx, uint32_t handle, twist objauth) {
+ 
+     bool result = set_esys_auth(ctx->esys_ctx, handle, objauth);
+     if (!result) {
+-        return false;
++        return NULL;
+     }
+ 
+     TPM2B_SENSITIVE_DATA *unsealed_data = NULL;
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb
index 331dc4f..762b82f 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
 DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
 
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI += "file://0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch"
 
 SRC_URI[sha256sum] = "ce24aa5ec2471545576e892b6f64fd873a424371bbf9be4ca3a0e689ea11c9b7"
 
-- 
2.53.0

[meta-security][PATCH 6/7] meta-security: fix incorrect HOMEPAGE variable names

[Scott Murray]

From: Zhang Peng <peng.zhang1.cn@windriver.com>

Several recipes used non-standard variable names for the homepage
URL (HOME_PAGE, HOME_URL, HOMEDIR) which are not recognized by
bitbake. Rename them all to the correct HOMEPAGE variable.

Affected recipes:
- glome: HOME_PAGE -> HOMEPAGE
- google-authenticator-libpam: HOME_PAGE -> HOMEPAGE
- arpwatch: HOME_PAGE -> HOMEPAGE
- openscap: HOME_URL -> HOMEPAGE
- scap-security-guide: HOME_URL -> HOMEPAGE
- lynis: HOMEDIR -> HOMEPAGE

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-compliance/lynis/lynis_3.1.6.bb                         | 2 +-
 recipes-compliance/openscap/openscap_1.4.3.bb                   | 2 +-
 .../scap-security-guide/scap-security-guide_0.1.80.bb           | 2 +-
 recipes-scanners/arpwatch/arpwatch_3.3.bb                       | 2 +-
 recipes-security/glome/glome_git.bb                             | 2 +-
 .../google-authenticator-libpam_1.09.bb                         | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/recipes-compliance/lynis/lynis_3.1.6.bb b/recipes-compliance/lynis/lynis_3.1.6.bb
index 722072f..0b81ea9 100644
--- a/recipes-compliance/lynis/lynis_3.1.6.bb
+++ b/recipes-compliance/lynis/lynis_3.1.6.bb
@@ -2,7 +2,7 @@
 # Released under the MIT license (see COPYING.MIT for the terms)
 
 SUMMARY = "Lynis is a free and open source security and auditing tool."
-HOMEDIR = "https://cisofy.com/lynis/"
+HOMEPAGE = "https://cisofy.com/lynis/"
 LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
 
diff --git a/recipes-compliance/openscap/openscap_1.4.3.bb b/recipes-compliance/openscap/openscap_1.4.3.bb
index e1cb295..1b6d9af 100644
--- a/recipes-compliance/openscap/openscap_1.4.3.bb
+++ b/recipes-compliance/openscap/openscap_1.4.3.bb
@@ -2,7 +2,7 @@
 # Released under the MIT license (see COPYING.MIT for the terms)
 
 SUMMARY = "NIST Certified SCAP 1.2 toolkit"
-HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
+HOMEPAGE = "https://www.open-scap.org/tools/openscap-base/"
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 LICENSE = "LGPL-2.1-only"
 
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
index ab495db..3777e36 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.80.bb
@@ -2,7 +2,7 @@
 # Released under the MIT license (see COPYING.MIT for the terms)
 
 SUMARRY = "SCAP content for various platforms, upstream version"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+HOMEPAGE = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
diff --git a/recipes-scanners/arpwatch/arpwatch_3.3.bb b/recipes-scanners/arpwatch/arpwatch_3.3.bb
index 84f93da..3ab5993 100644
--- a/recipes-scanners/arpwatch/arpwatch_3.3.bb
+++ b/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -1,6 +1,6 @@
 SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
 LICENSE = "BSD-4-Clause"
-HOME_PAGE = "http://ee.lbl.gov/"
+HOMEPAGE = "http://ee.lbl.gov/"
 LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e"
 
 DEPENDS += "libpcap"
diff --git a/recipes-security/glome/glome_git.bb b/recipes-security/glome/glome_git.bb
index 5a0300f..68f2132 100644
--- a/recipes-security/glome/glome_git.bb
+++ b/recipes-security/glome/glome_git.bb
@@ -1,5 +1,5 @@
 SUMMARY = "GLOME Login Client"
-HOME_PAGE = "https://github.com/google/glome"
+HOMEPAGE = "https://github.com/google/glome"
 DESCRIPTION = "GLOME is used to authorize serial console access to Linux machines"
 PV = "0.1+git${SRCPV}"
 
diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index 60f2c9e..333caab 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -1,5 +1,5 @@
 SUMMARY = "Google Authenticator PAM module"
-HOME_PAGE = "https://github.com/google/google-authenticator-libpam"
+HOMEPAGE = "https://github.com/google/google-authenticator-libpam"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 LICENSE = "Apache-2.0"
 
-- 
2.53.0

[meta-security][PATCH 7/7] isic: fix RDEPNEDS typo

[Scott Murray]

From: Haiqing Bai <haiqing.bai@windriver.com>

Fix typo: RDEPNEDS -> RDEPENDS

Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
(fixed RDEPENDS:${PN})
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/isic/isic_0.07.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/isic/isic_0.07.bb b/recipes-security/isic/isic_0.07.bb
index 8e0f5ce..9ebb669 100644
--- a/recipes-security/isic/isic_0.07.bb
+++ b/recipes-security/isic/isic_0.07.bb
@@ -31,4 +31,4 @@ do_configure () {
     oe_runconf
 }
 
-RDEPNEDS += "libnet"
+RDEPENDS:${PN} += "libnet"
-- 
2.53.0

Re: [yocto-patches] [meta-security][PATCH 0/7] Assorted updates 04/15

[Jose Quaresma]

[-- Attachment #1: Type: text/plain, Size: 3680 bytes --]

Hi Scott,

Scott Murray via lists.yoctoproject.org <scott.murray=
konsulko.com@lists.yoctoproject.org> escreveu (quarta, 15/04/2026 à(s)
21:19):

> This patch series rolls up the contributed patches from the past few
> weeks, barring the suricata 8.04 update that will need some rework for
> Lua 5.5.  These changes are queued on the master-next branch if you
> would like to check them out to test yourself.  I intend to merge these
> to master branch at end of day tomorrow (Eastern Time, April 16) unless
> there are objections.
>

Were there any objections or other restrictions?

Jose


>
> Note that there are the following known issues atm:
> * parsec-service currently fails to build with an error in the
>   cryptoki crate.  This was likely triggered by the upgrade to
>   Rust 1.94.x in oe-core.
> * Including python3-privacyidea in an image results in packaging
>   conflicts between python3-cryptography and python3-pyrad that
>   need to be addressed in those recipes in oe-core/meta-python.
>
> I hope to get these addressed in the next week or so.
>
> Scott
>
>
> Changes:
>
> Haiqing Bai (1):
>   isic: fix RDEPNEDS typo
>
> Khem Raj (1):
>   wic: wic need to be moved to files/wic within the layer to be
>     found/used
>
> Peter Marko (2):
>   libtpms: fix build with glibc 2.43
>   tpm2-pkcs11: fix build failure
>
> Yi Zhao (2):
>   scap-security-guide: upgrade 0.1.78 -> 0.1.80
>   openscap: upgrade 1.4.2 -> 1.4.3
>
> Zhang Peng (1):
>   meta-security: fix incorrect HOMEPAGE variable names
>
>  .../wic}/beaglebone-yocto-verity.wks.in       |  0
>  .../systemd-bootdisk-dmverity-hash.wks.in     |  0
>  .../wic}/systemd-bootdisk-dmverity.wks.in     |  0
>  ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
>  meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
>  ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++
>  .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
>  recipes-compliance/lynis/lynis_3.1.6.bb       |  2 +-
>  .../{openscap_1.4.2.bb => openscap_1.4.3.bb}  |  4 +--
>  ....1.78.bb => scap-security-guide_0.1.80.bb} |  4 +--
>  recipes-scanners/arpwatch/arpwatch_3.3.bb     |  2 +-
>  recipes-security/glome/glome_git.bb           |  2 +-
>  .../google-authenticator-libpam_1.09.bb       |  2 +-
>  recipes-security/isic/isic_0.07.bb            |  2 +-
>  14 files changed, 75 insertions(+), 10 deletions(-)
>  rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
>  rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in (100%)
>  rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)
>  create mode 100644
> meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
>  create mode 100644
> meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
>  rename recipes-compliance/openscap/{openscap_1.4.2.bb =>
> openscap_1.4.3.bb} (96%)
>  rename recipes-compliance/scap-security-guide/{
> scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (93%)
>
> --
> 2.53.0
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#3708):
> https://lists.yoctoproject.org/g/yocto-patches/message/3708
> Mute This Topic: https://lists.yoctoproject.org/mt/118847685/5052612
> Group Owner: yocto-patches+owner@lists.yoctoproject.org
> Unsubscribe:
> https://lists.yoctoproject.org/g/yocto-patches/leave/13170708/5052612/1504338242/xyzzy
> [quaresma.jose@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
>

-- 
Best regards,

José Quaresma

[-- Attachment #2: Type: text/html, Size: 6809 bytes --]

Re: [yocto-patches] [meta-security][PATCH 0/7] Assorted updates 04/15

[Scott Murray]

[-- Attachment #1: Type: text/plain, Size: 3467 bytes --]

On Mon, 20 Apr 2026, Jose Quaresma via lists.yoctoproject.org wrote:

> Hi Scott,
>
> Scott Murray via lists.yoctoproject.org <scott.murray=
> konsulko.com@lists.yoctoproject.org> escreveu (quarta, 15/04/2026 à(s)
> 21:19):
>
> > This patch series rolls up the contributed patches from the past few
> > weeks, barring the suricata 8.04 update that will need some rework for
> > Lua 5.5.  These changes are queued on the master-next branch if you
> > would like to check them out to test yourself.  I intend to merge these
> > to master branch at end of day tomorrow (Eastern Time, April 16) unless
> > there are objections.
> >
>
> Were there any objections or other restrictions?

Sorry, no, I had forgotten to push to master before the weekend, but did
so yesterday morning.  I'll try to be more on the ball going forward.

Scott


> > Note that there are the following known issues atm:
> > * parsec-service currently fails to build with an error in the
> >   cryptoki crate.  This was likely triggered by the upgrade to
> >   Rust 1.94.x in oe-core.
> > * Including python3-privacyidea in an image results in packaging
> >   conflicts between python3-cryptography and python3-pyrad that
> >   need to be addressed in those recipes in oe-core/meta-python.
> >
> > I hope to get these addressed in the next week or so.
> >
> > Scott
> >
> >
> > Changes:
> >
> > Haiqing Bai (1):
> >   isic: fix RDEPNEDS typo
> >
> > Khem Raj (1):
> >   wic: wic need to be moved to files/wic within the layer to be
> >     found/used
> >
> > Peter Marko (2):
> >   libtpms: fix build with glibc 2.43
> >   tpm2-pkcs11: fix build failure
> >
> > Yi Zhao (2):
> >   scap-security-guide: upgrade 0.1.78 -> 0.1.80
> >   openscap: upgrade 1.4.2 -> 1.4.3
> >
> > Zhang Peng (1):
> >   meta-security: fix incorrect HOMEPAGE variable names
> >
> >  .../wic}/beaglebone-yocto-verity.wks.in       |  0
> >  .../systemd-bootdisk-dmverity-hash.wks.in     |  0
> >  .../wic}/systemd-bootdisk-dmverity.wks.in     |  0
> >  ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
> >  meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
> >  ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++
> >  .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
> >  recipes-compliance/lynis/lynis_3.1.6.bb       |  2 +-
> >  .../{openscap_1.4.2.bb => openscap_1.4.3.bb}  |  4 +--
> >  ....1.78.bb => scap-security-guide_0.1.80.bb} |  4 +--
> >  recipes-scanners/arpwatch/arpwatch_3.3.bb     |  2 +-
> >  recipes-security/glome/glome_git.bb           |  2 +-
> >  .../google-authenticator-libpam_1.09.bb       |  2 +-
> >  recipes-security/isic/isic_0.07.bb            |  2 +-
> >  14 files changed, 75 insertions(+), 10 deletions(-)
> >  rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
> >  rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in (100%)
> >  rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)
> >  create mode 100644
> > meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
> >  create mode 100644
> > meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
> >  rename recipes-compliance/openscap/{openscap_1.4.2.bb =>
> > openscap_1.4.3.bb} (96%)
> >  rename recipes-compliance/scap-security-guide/{
> > scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (93%)
> >
> > --
> > 2.53.0
> >
> >
> >
> >
> >
> >
> >
>
>

Re: [yocto-patches] [meta-security][PATCH 0/7] Assorted updates 04/15

[Jose Quaresma]

[-- Attachment #1: Type: text/plain, Size: 4142 bytes --]

Scott Murray <scott.murray@konsulko.com> escreveu (terça, 21/04/2026 à(s)
17:57):

> On Mon, 20 Apr 2026, Jose Quaresma via lists.yoctoproject.org wrote:
>
> > Hi Scott,
> >
> > Scott Murray via lists.yoctoproject.org <scott.murray=
> > konsulko.com@lists.yoctoproject.org> escreveu (quarta, 15/04/2026 à(s)
> > 21:19):
> >
> > > This patch series rolls up the contributed patches from the past few
> > > weeks, barring the suricata 8.04 update that will need some rework for
> > > Lua 5.5.  These changes are queued on the master-next branch if you
> > > would like to check them out to test yourself.  I intend to merge these
> > > to master branch at end of day tomorrow (Eastern Time, April 16) unless
> > > there are objections.
> > >
> >
> > Were there any objections or other restrictions?
>
> Sorry, no, I had forgotten to push to master before the weekend, but did
> so yesterday morning.  I'll try to be more on the ball going forward.
>

No worries!

It probably had already been integrated yesterday when I asked.
I asked because I didn't see anything in [1], and for your information,
it's still outdated.

[1] https://git.yoctoproject.org/meta-security/

Thanks

Jose


>
> Scott
>
>
> > > Note that there are the following known issues atm:
> > > * parsec-service currently fails to build with an error in the
> > >   cryptoki crate.  This was likely triggered by the upgrade to
> > >   Rust 1.94.x in oe-core.
> > > * Including python3-privacyidea in an image results in packaging
> > >   conflicts between python3-cryptography and python3-pyrad that
> > >   need to be addressed in those recipes in oe-core/meta-python.
> > >
> > > I hope to get these addressed in the next week or so.
> > >
> > > Scott
> > >
> > >
> > > Changes:
> > >
> > > Haiqing Bai (1):
> > >   isic: fix RDEPNEDS typo
> > >
> > > Khem Raj (1):
> > >   wic: wic need to be moved to files/wic within the layer to be
> > >     found/used
> > >
> > > Peter Marko (2):
> > >   libtpms: fix build with glibc 2.43
> > >   tpm2-pkcs11: fix build failure
> > >
> > > Yi Zhao (2):
> > >   scap-security-guide: upgrade 0.1.78 -> 0.1.80
> > >   openscap: upgrade 1.4.2 -> 1.4.3
> > >
> > > Zhang Peng (1):
> > >   meta-security: fix incorrect HOMEPAGE variable names
> > >
> > >  .../wic}/beaglebone-yocto-verity.wks.in       |  0
> > >  .../systemd-bootdisk-dmverity-hash.wks.in     |  0
> > >  .../wic}/systemd-bootdisk-dmverity.wks.in     |  0
> > >  ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
> > >  meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
> > >  ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++
> > >  .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
> > >  recipes-compliance/lynis/lynis_3.1.6.bb       |  2 +-
> > >  .../{openscap_1.4.2.bb => openscap_1.4.3.bb}  |  4 +--
> > >  ....1.78.bb => scap-security-guide_0.1.80.bb} |  4 +--
> > >  recipes-scanners/arpwatch/arpwatch_3.3.bb     |  2 +-
> > >  recipes-security/glome/glome_git.bb           |  2 +-
> > >  .../google-authenticator-libpam_1.09.bb       |  2 +-
> > >  recipes-security/isic/isic_0.07.bb            |  2 +-
> > >  14 files changed, 75 insertions(+), 10 deletions(-)
> > >  rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
> > >  rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in
> (100%)
> > >  rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)
> > >  create mode 100644
> > >
> meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
> > >  create mode 100644
> > >
> meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
> > >  rename recipes-compliance/openscap/{openscap_1.4.2.bb =>
> > > openscap_1.4.3.bb} (96%)
> > >  rename recipes-compliance/scap-security-guide/{
> > > scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (93%)
> > >
> > > --
> > > 2.53.0
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >



-- 
Best regards,

José Quaresma

[-- Attachment #2: Type: text/html, Size: 7568 bytes --]

Re: [yocto-patches] [meta-security][PATCH 0/7] Assorted updates 04/15

[Scott Murray]

[-- Attachment #1: Type: text/plain, Size: 4320 bytes --]

On Tue, 21 Apr 2026, Jose Quaresma wrote:

> Scott Murray <scott.murray@konsulko.com> escreveu (terça, 21/04/2026 à(s)
> 17:57):
>
> > On Mon, 20 Apr 2026, Jose Quaresma via lists.yoctoproject.org wrote:
> >
> > > Hi Scott,
> > >
> > > Scott Murray via lists.yoctoproject.org <scott.murray=
> > > konsulko.com@lists.yoctoproject.org> escreveu (quarta, 15/04/2026 à(s)
> > > 21:19):
> > >
> > > > This patch series rolls up the contributed patches from the past few
> > > > weeks, barring the suricata 8.04 update that will need some rework for
> > > > Lua 5.5.  These changes are queued on the master-next branch if you
> > > > would like to check them out to test yourself.  I intend to merge these
> > > > to master branch at end of day tomorrow (Eastern Time, April 16) unless
> > > > there are objections.
> > > >
> > >
> > > Were there any objections or other restrictions?
> >
> > Sorry, no, I had forgotten to push to master before the weekend, but did
> > so yesterday morning.  I'll try to be more on the ball going forward.
> >
>
> No worries!
>
> It probably had already been integrated yesterday when I asked.
> I asked because I didn't see anything in [1], and for your information,
> it's still outdated.
>
> [1] https://git.yoctoproject.org/meta-security/

Odd, the commits seem to be there when I look, perhaps there's some behind
the scenes mirror issue?

Scott


> > > > Note that there are the following known issues atm:
> > > > * parsec-service currently fails to build with an error in the
> > > >   cryptoki crate.  This was likely triggered by the upgrade to
> > > >   Rust 1.94.x in oe-core.
> > > > * Including python3-privacyidea in an image results in packaging
> > > >   conflicts between python3-cryptography and python3-pyrad that
> > > >   need to be addressed in those recipes in oe-core/meta-python.
> > > >
> > > > I hope to get these addressed in the next week or so.
> > > >
> > > > Scott
> > > >
> > > >
> > > > Changes:
> > > >
> > > > Haiqing Bai (1):
> > > >   isic: fix RDEPNEDS typo
> > > >
> > > > Khem Raj (1):
> > > >   wic: wic need to be moved to files/wic within the layer to be
> > > >     found/used
> > > >
> > > > Peter Marko (2):
> > > >   libtpms: fix build with glibc 2.43
> > > >   tpm2-pkcs11: fix build failure
> > > >
> > > > Yi Zhao (2):
> > > >   scap-security-guide: upgrade 0.1.78 -> 0.1.80
> > > >   openscap: upgrade 1.4.2 -> 1.4.3
> > > >
> > > > Zhang Peng (1):
> > > >   meta-security: fix incorrect HOMEPAGE variable names
> > > >
> > > >  .../wic}/beaglebone-yocto-verity.wks.in       |  0
> > > >  .../systemd-bootdisk-dmverity-hash.wks.in     |  0
> > > >  .../wic}/systemd-bootdisk-dmverity.wks.in     |  0
> > > >  ...ilation-error-in-TPMLIB_GetPlaintext.patch | 34 +++++++++++++++++++
> > > >  meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb |  4 ++-
> > > >  ...eturn-NULL-for-twist-on-auth-failure.patch | 28 +++++++++++++++
> > > >  .../tpm2-pkcs11/tpm2-pkcs11_1.9.1.bb          |  1 +
> > > >  recipes-compliance/lynis/lynis_3.1.6.bb       |  2 +-
> > > >  .../{openscap_1.4.2.bb => openscap_1.4.3.bb}  |  4 +--
> > > >  ....1.78.bb => scap-security-guide_0.1.80.bb} |  4 +--
> > > >  recipes-scanners/arpwatch/arpwatch_3.3.bb     |  2 +-
> > > >  recipes-security/glome/glome_git.bb           |  2 +-
> > > >  .../google-authenticator-libpam_1.09.bb       |  2 +-
> > > >  recipes-security/isic/isic_0.07.bb            |  2 +-
> > > >  14 files changed, 75 insertions(+), 10 deletions(-)
> > > >  rename {wic => files/wic}/beaglebone-yocto-verity.wks.in (100%)
> > > >  rename {wic => files/wic}/systemd-bootdisk-dmverity-hash.wks.in
> > (100%)
> > > >  rename {wic => files/wic}/systemd-bootdisk-dmverity.wks.in (100%)
> > > >  create mode 100644
> > > >
> > meta-tpm/recipes-tpm/libtpm/libtpms/0001-Fix-a-compilation-error-in-TPMLIB_GetPlaintext.patch
> > > >  create mode 100644
> > > >
> > meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-src-lib-tpm-return-NULL-for-twist-on-auth-failure.patch
> > > >  rename recipes-compliance/openscap/{openscap_1.4.2.bb =>
> > > > openscap_1.4.3.bb} (96%)
> > > >  rename recipes-compliance/scap-security-guide/{
> > > > scap-security-guide_0.1.78.bb => scap-security-guide_0.1.80.bb} (93%)
> > > >
> > > > --
> > > > 2.53.0
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
>
>
>
>