Upgrade bsdextrautils to 2.36.1-8+deb11u2
Upgrade bsdutils to 1:2.36.1-8+deb11u2
Upgrade eject to 2.36.1-8+deb11u2
Upgrade fdisk to 2.36.1-8+deb11u2
Upgrade libblkid1 to 2.36.1-8+deb11u2
Upgrade libfdisk1 to 2.36.1-8+deb11u2
Upgrade libmount1 to 2.36.1-8+deb11u2
Upgrade libsmartcols1 to 2.36.1-8+deb11u2
Upgrade libuuid1 to 2.36.1-8+deb11u2
Upgrade mount to 2.36.1-8+deb11u2
Upgrade util-linux to 2.36.1-8+deb11u2
Upgrade uuid-dev to 2.36.1-8+deb11u2
Upgrade uuid-runtime to 2.36.1-8+deb11u2
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085
https://security-tracker.debian.org/tracker/DSA-5650-1
Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot
Closes-bug: #2059877
Signed-off-by: Wentao Zhang <Wentao.Zhang@windriver.com>
Change-Id: I1ed69814ced58837819ebcb26fb50d97484d9bc8
Now the latest json format result file includes several items
in the set data["scannedCves"][cve_id]["cveContents"]["nvd"], so
the original usage is not available to filter CVE info anymore.
So it's time to drop the exception which is to raise this condition
that the length is greater than 1. It will be failed to throw the
exception. We are going to use the condition 'source=nvd@nist.gov'
to get the accurate CVE information instead.
Another update is to expand the function find_lp_assigned by
adding a new condition to find the CVE id in the description section
of the LP page. As the length of title is limited, if one page is
used to track many CVE issues, the length may not be enough to
record all CVE ID items.
Closes-Bug: 2059996
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia7dfee5db53baaa82a8e6dd9d5dde8a31da5bcc2
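The filter this commit message describes, as an added example (not the project's own code): pick the entry whose source is nvd@nist.gov from a multi-item "nvd" list, and match a CVE id in either the bug title or its description. The sample data, the "cvss3Score" key, the CVE ids and the helper names nvd_entry, split_by_nvd and lp_tracks_cve are assumptions made for illustration.

```python
import re

NVD_SOURCE = "nvd@nist.gov"  # filter value named in the commit message
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample. Only the path scannedCves -> <id> -> cveContents -> nvd
# and the "source" key come from the commit message; "cvss3Score" and the
# CVE ids are illustrative assumptions.
SAMPLE = {"scannedCves": {
    "CVE-0000-0001": {"cveContents": {"nvd": [
        {"source": "cna@example.invalid", "cvss3Score": 5.3},
        {"source": "nvd@nist.gov", "cvss3Score": 7.5}]}},
    "CVE-0000-0002": {"cveContents": {"nvd": [
        {"source": "cna@example.invalid", "cvss3Score": 9.1}]}},
    "CVE-0000-0003": {"cveContents": {}},
}}


def nvd_entry(data, cve_id):
    """Return the entry published by NVD itself, or None if there is none."""
    entries = data["scannedCves"][cve_id].get("cveContents", {}).get("nvd") or []
    for entry in entries:
        if entry.get("source") == NVD_SOURCE:
            return entry
    return None


def split_by_nvd(data):
    """Separate CVEs with an NVD-sourced entry from those without one."""
    found, missing = {}, []
    for cve_id in sorted(data["scannedCves"]):
        entry = nvd_entry(data, cve_id)
        if entry is None:
            missing.append(cve_id)  # reported to the caller, not raised
        else:
            found[cve_id] = entry
    return found, missing


def lp_tracks_cve(title, description, cve_id):
    """True if the exact CVE id appears in the bug title or description."""
    ids = {m.upper() for m in CVE_RE.findall(f"{title}\n{description}")}
    return cve_id.upper() in ids


if __name__ == "__main__":
    print(split_by_nvd(SAMPLE))
    print(lp_tracks_cve("Debian: CVE-0000-0001", "also CVE-0000-00021", "CVE-0000-0002"))
```

Matching whole ids rather than substrings keeps a longer id such as CVE-0000-00021 from counting as a hit for CVE-0000-0002.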
Add tabulate module, this is required by [1]
Story: 2010676
Task: 49849
[1] https://review.opendev.org/c/starlingx/update/+/914929
Change-Id: Ia388bd2aed6c62a167b05d8e7d6c1d1d6dae948a
Signed-off-by: Bin Qian <bin.qian@windriver.com>
LAT docker file downloads the installer from a hard-coded URL that
points to https://mirror.starlingx.windriver.com . Allow users to
override this location by defining STX_MIRROR_URL in the host
environment. By default, guess mirror location from stx.conf.
TESTS
==========================
* Rebuild LAT container and make sure it uses the mirror URL from
stx.conf
* Set STX_MIRROR_URL prior to calling stx-init-env and make sure it
gets picked up by the docker file
Story: 2010055
Task: 49883
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Id8ea88407f74003db934337efd574451658633d8
Remove python3-zmq package from base-bullseye.lst. The python3-zmq
package has been patched and is now built from source.
Test Plan:
PASS: Build pyzmq package
PASS: Build ISO
Related-Bug: 2060867
Depends-On: https://review.opendev.org/c/starlingx/integ/+/915443
Change-Id: I1cec7e65ba36ca74145c3555ed75fed0dbd70a3f
Signed-off-by: Alyson Deives Pereira <alyson.deivespereira@windriver.com>
Upgrade openssl related packages from 1.1.1n-0+deb11u5 to
1.1.1w-0+deb11u1 in order to fix the misleading error message when
loading qatengine.
Refer to:
https://github.com/openssl/openssl/issues/17962
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: /usr/bin/openssl engine -t -c qatengine
Closes-bug: 2055247
Change-Id: I5dd6b13bd77fa61b6ec560193e6dd93fef6183e6
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
librte 20.11.6-1~deb11u1 is no longer available at the given url.
This update substitutes a valid url for librte 20.11.6-1~deb11u1.
Closes-Bug: 2056062
Change-Id: I6f13747bed5f3d365ae2e22790b067d899c770b6
Signed-off-by: Scott Little <scott.little@windriver.com>
tzdata expires every 6-12 months.
Update to the latest tzdata, valid until Dec 2024
Partial-bug: 2054466
Change-Id: Ie85112c3cd7bfa9fb29f738f88875f82a72e5b15
Signed-off-by: Scott Little <scott.little@windriver.com>
Upgrade package ovmf from 2020.11-2+deb11u1 to 2020.11-2+deb11u2 in
order to fix the CVE issue CVE-2023-48733.
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-48733
https://security-tracker.debian.org/tracker/DSA-5624-1
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation
Closes-Bug: 2054273
Change-Id: I42937791da7c25b59ae4cf2f945bdd4b6d57ade3
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
Aptly repos are signed with a GPG key embedded in environment
containers. That key expired today (2024-02-23).
Replace key with a new one that does not expire at all.
Partial-Bug: 2054862
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I41a5c7a785a23eb8c9546e99865ecf62faaf506a
Don't use --wait with helm uninstall because it requires helm >= 3.7,
and even in those versions doesn't work correctly.
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I4f3be32bf4ce84e1670e7884fc09c3ddac00b85a
The ndisc6 package has useful diagnostic tools for IPv6 networks. It is
being added to allow for duplicate address and gateway reachability
detection by the scripts from the ifupdown-extra package.
The ifupdown package is being removed from the list because it's being
added via the integ project instead, to allow for patches.
Test Plan
[PASS] downloader
[PASS] build-pkgs --clean --all
[PASS] build-image
[PASS] Run full build, system install, bootstrap and unlock SX system
[PASS] Run command "dpkg --list | grep ndisc6"
[PASS] Run command "ndisc6 --help"
[PASS] Run command "dpkg --list | grep ifupdown"
[PASS] Run command "ifup --help"
Depends-On: https://review.opendev.org/c/starlingx/integ/+/908172
Closes-Bug: #2052534
Change-Id: I9dd38bbd1f89e266e0b55ffde9865f94a641c8ff
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
Make sure aptly & builder containers catch and handle SIGTERM. Otherwise
"stx stop" sends the signal, 2 out of 6 containers ignore it, then
docker waits for ~15 seconds and SIGKILL's them.
* stx-builder.Dockerfile: change default image command from plain "bash"
to "tini" that starts "sleep infinity". Tini catches and broadcasts
signals to its own children (sleep), enabling graceful shutdown to
work
* aptly: replace call to "supervisord" with "exec supervisord", to make
sure it runs as PID 1 and actually receives signals from docker.
* stx_control.py: slightly reduce loop sleep time in "stx control stop"
TESTS
==================
* Retest "stx control start --wait"
* Make sure builder's entry point executes "finisSetup.sh" script, as
before this change
* Make sure "stx control stop --wait" exits quickly (~4 seconds on my
machine, down from ~15 seconds)
Story: 2011038
Task: 49577
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I984846fc45349be045c069b84186f12179fe36ad
Avoid "minikube profile list" when checking whether the profile exists.
The list command attempts to connect to each profile and is quite slow.
Use "minikube status -p $MINIKUBENAME" instead.
Story: 2011038
Task: 49570
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: If799840d749de00af907de7867ec68fb9908afa3
* stx script:
- New command "stx control is-started" to complement start/stop
- New option "stx control {start,stop} --wait"
* stx-init-env:
- new option --reset: delete chroots + restart pods
- new option --reset-hard: stop pods, delete local workspaces,
chroots, aptly, docker & minikube profile
- rename option "--nuke" to "--delete-minikube-profile"; old spelling
is still accepted with a warning
- renamed & refactored some functions
* import-stx:
- new env var STX_RM_METHOD: may be optionally set to "docker" for
deleting root-owned files via "docker run", rather than "sudo"
TESTS
=========================
* Misc sanity checks using minikube & k8s
* Manually tested blacklist checks in safe_rm()
* rm via "sudo" vs "docker run"
* Using minikube:
- stx-init-env
- stx-init-env --rebuild
- stx start, build all packages, --reset, build all packages
- stx start, build all packages, --reset-hard, stx-init-env,
build all packages
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Ife4172ae9fa7b58332ac7ad65beb99525bc2a1a3
This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is a leftover
cleanup from the Debian integration.
Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.
Closes-Bug: 2051473
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
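A way to automate the "PermitRootLogin is set to no" check from this test plan, as an added example (not the project's own code). It assumes sshd's documented first-value-wins parsing and OpenSSH's built-in default of prohibit-password, does not follow Include files, and the function names are hypothetical.

```python
import re

SAFE = "no"
DEFAULT = "prohibit-password"  # OpenSSH built-in default when the keyword is unset


def root_login_settings(text):
    """Return (global_value, [(match_criteria, value), ...]).

    sshd uses the first value it reads for a keyword, so later duplicates
    in the same scope are ignored. Include files are not followed here.
    """
    global_value, overrides, match, seen = None, [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        # Keyword and argument are separated by whitespace and/or "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match = arg  # everything until the next Match is conditional
        elif keyword == "permitrootlogin" and arg:
            value = arg.split()[0].strip('"').lower()
            if match is None:
                if global_value is None:
                    global_value = value
            elif match not in seen:
                seen.add(match)
                overrides.append((match, value))
    return global_value, overrides


def findings(text):
    """List every scope where root login is anything other than 'no'."""
    global_value, overrides = root_login_settings(text)
    effective = global_value or DEFAULT
    out = []
    if effective != SAFE:
        out.append(f"global: PermitRootLogin {effective}")
    out += [f"Match {m}: PermitRootLogin {v}" for m, v in overrides if v != SAFE]
    return out


if __name__ == "__main__":
    # Constructed input: safe global value, re-enabled inside a Match block.
    print(findings("PermitRootLogin no\nMatch Address 192.0.2.0/24\n  PermitRootLogin yes\n"))
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, Include files included, and is the authoritative cross-check.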
New etcd version 3.4.27 builds using golang version 1.19.10 minimum.
So bumping it up to closest possible available and working version.
Test Plan:
PASS: Downloader succeeds.
PASS: All packages build succeeds.
PASS: Build Image succeeds.
Story: 2010878
Task: 48961
Change-Id: Ia5fe36f0ed2dba6083a1fd8f8f2c3919b70d5abe
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Package added:
-> inotifytools 3.14-7
-> libinotifytools0 3.14-7
This package will be used by luks-fs-mgr service to detect
file change and creation recursively, so that those files can be rsynced
with the standby controller.
Test Plan:
PASSED: downloader && build-image successful
PASSED: Deployed image successfully on AIO-DX
Both controllers in available and online state
inotifytools package successfully installed on controllers
Able to execute inotifywait command
Story: 2010873
Task: 49371
Change-Id: Ib3fec16671b22107db5b1e8e33a772a765018962
Signed-off-by: Harshad sonde <harshad.sonde@windriver.com>
Upgrade subpackages libbluetooth3 and libbluetooth-dev to
5.55-3.1+deb11u1 to fix the CVE issue CVE-2023-45866.
Add libbluetooth-dev since it's the dependency of python3.9.
Refer to:
https://www.debian.org/security/2023/dsa-5584
https://security-tracker.debian.org/tracker/CVE-2023-45866
TestPlan:
PASS: downloader; build-pkgs -c; build-image
PASS: Jenkins Installation
Closes-Bug: 2047185
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Id4175c0ef5791dbc02fa546a6b0a21a64cfec711