[meta-security][PATCH 1/4] opendnssec: blacklist do to ldns being blacklisted

[meta-security][PATCH 1/4] opendnssec: blacklist do to ldns being blacklisted

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-core/packagegroup/packagegroup-core-security.bb       | 1 -
 .../opendnssec/{opendnssec_2.1.9.bb => opendnssec_2.1.10.bb}  | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename recipes-security/opendnssec/{opendnssec_2.1.9.bb => opendnssec_2.1.10.bb} (88%)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index 6375e24..e9dad5b 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -39,7 +39,6 @@ RDEPENDS:packagegroup-security-utils = "\
     python3-fail2ban \
     softhsm \
     libest \
-    opendnssec \
     sshguard \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
diff --git a/recipes-security/opendnssec/opendnssec_2.1.9.bb b/recipes-security/opendnssec/opendnssec_2.1.10.bb
similarity index 88%
rename from recipes-security/opendnssec/opendnssec_2.1.9.bb
rename to recipes-security/opendnssec/opendnssec_2.1.10.bb
index 6c1bd46..6b53711 100644
--- a/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -10,7 +10,7 @@ SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
            file://libdns_conf_fix.patch \
            "
 
-SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
 
 inherit autotools pkgconfig perlnative
 
@@ -32,3 +32,5 @@ do_install:append () {
 }
 
 RDEPENDS:${PN} = "softhsm"
+
+PNBLACKLIST[opendnssec] ?= "Needs porting to openssl 3.x"
-- 
2.25.1

[meta-security][PATCH 2/4] apparmor: Add a python 3.10 compatability patch

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-mac/AppArmor/apparmor_3.0.1.bb        |  4 +--
 recipes-mac/AppArmor/files/py3_10_fixup.patch | 35 +++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 recipes-mac/AppArmor/files/py3_10_fixup.patch

diff --git a/recipes-mac/AppArmor/apparmor_3.0.1.bb b/recipes-mac/AppArmor/apparmor_3.0.1.bb
index dca53a3..389e72a 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.1.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -16,15 +16,15 @@ DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
 SRC_URI = " \
     git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
     file://run-ptest \
-    file://disable_perl_h_check.patch \
     file://crosscompile_perl_bindings.patch \
     file://0001-Makefile.am-suppress-perllocal.pod.patch \
     file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
     file://0001-Makefile-fix-hardcoded-installation-directories.patch \
     file://0001-rc.apparmor.debian-add-missing-functions.patch \
+    file://py3_10_fixup.patch \
     "
 
-SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
+SRCREV = "b23de501807b8b5793e9654da8688b5fd3281154"
 S = "${WORKDIR}/git"
 
 PARALLEL_MAKE = ""
diff --git a/recipes-mac/AppArmor/files/py3_10_fixup.patch b/recipes-mac/AppArmor/files/py3_10_fixup.patch
new file mode 100644
index 0000000..05f8460
--- /dev/null
+++ b/recipes-mac/AppArmor/files/py3_10_fixup.patch
@@ -0,0 +1,35 @@
+m4/ax_python_devel.m4: do not check for distutils
+
+With py 3.10 this prints a deprecation warning which is
+taken as an error. Upstream should rework the code to not
+use distuils.
+
+Upstream-Status: Inappropriate [needs a proper fix upstream]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/libraries/libapparmor/m4/ac_python_devel.m4
+===================================================================
+--- git.orig/libraries/libapparmor/m4/ac_python_devel.m4
++++ git/libraries/libapparmor/m4/ac_python_devel.m4
+@@ -66,21 +66,6 @@ variable to configure. See ``configure -
+         fi
+ 
+         #
+-        # Check if you have distutils, else fail
+-        #
+-        AC_MSG_CHECKING([for the distutils Python package])
+-        ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+-        if test -z "$ac_distutils_result"; then
+-                AC_MSG_RESULT([yes])
+-        else
+-                AC_MSG_RESULT([no])
+-                AC_MSG_ERROR([cannot import Python module "distutils".
+-Please check your Python installation. The error was:
+-$ac_distutils_result])
+-                PYTHON_VERSION=""
+-        fi
+-
+-        #
+         # Check for Python include path
+         #
+         AC_MSG_CHECKING([for Python include path])
-- 
2.25.1

[meta-security][PATCH 3/4] tpm2-tools: update to 5.2

[Armin Kuster]

openssl 3.0 support

see https://github.com/tpm2-software/tpm2-tools/releases/tag/5.2

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../tpm2-tools/{tpm2-tools_5.0.bb => tpm2-tools_5.2.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-tpm/recipes-tpm2/tpm2-tools/{tpm2-tools_5.0.bb => tpm2-tools_5.2.bb} (81%)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
similarity index 81%
rename from meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
rename to meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index dbd324a..6e95a0e 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -8,6 +8,6 @@ DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
 
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1"
+SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
 
 inherit autotools pkgconfig bash-completion
-- 
2.25.1

[meta-security][PATCH 4/4] openssl-tpm-engine: fix build issue with openssl 3

[Armin Kuster]

ERROR: openssl-tpm-engine-0.5.0-r0 do_package: QA Issue: openssl-tpm-engine: Files/directories were installed but not shipped in any package:
  /usr/lib/engines-3/tpm.so

fix engine locations

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 9ad8967..dab1589 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -46,17 +46,17 @@ do_configure:prepend() {
     touch NEWS AUTHORS ChangeLog README
 }
 
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
 FILES:${PN}-dbg += "\
-    ${libdir}/ssl/engines-1.1/.debug \
-    ${libdir}/engines-1.1/.debug \
-    ${prefix}/local/ssl/lib/engines-1.1/.debug \
+    ${libdir}/ssl/engines-3/.debug \
+    ${libdir}/engines-3/.debug \
+    ${prefix}/local/ssl/lib/engines-3/.debug \
 "
 FILES:${PN} += "\
-    ${libdir}/ssl/engines-1.1/tpm.so* \
-    ${libdir}/engines-1.1/tpm.so* \
+    ${libdir}/ssl/engines-3/tpm.so* \
+    ${libdir}/engines-3/tpm.so* \
     ${libdir}/libtpm.so* \
-    ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+    ${prefix}/local/ssl/lib/engines-3/tpm.so* \
 "
 
 RDEPENDS:${PN} += "libcrypto libtspi"
-- 
2.25.1