This file highlights changes to the product made in RCPLs that may be of interest to the user. The features are grouped by the RCPL in which they were made available. BSP-specific changes are located in the BSP section.

7.0.0.29:
  1) We add new version ntp 4.2.8p12 to fix the following CVEs:
       CVE-2018-7185 CVE-2018-7183 CVE-2018-7184
       CVE-2018-7170 CVE-2018-7182 CVE-2018-12327
     The default version is still 4.2.6p5.
     configure ... --with-template=feature/ntp428p12 to enable ntp 4.2.8.p12.

  2) Upgrade MariaDB to 5.5.61 to fix the following CVEs:
       CVE-2018-2755 CVE-2018-2781 CVE-2018-2761 CVE-2018-2819 CVE-2018-2818
       CVE-2018-2817 CVE-2018-2813 CVE-2018-2771 CVE-2018-2773 CVE-2018-3058
       CVE-2018-3066 CVE-2018-3063 CVE-2018-2767 CVE-2018-3070 CVE-2018-3081

  3) Upgrade Intel Microcode version 20180807
       $ make intel-microcode.addpkg; make iucode-tool.addpkg

  4) About CVE-2018-3665
     CVE-2018-3665 only affects Intel CPUs on WRL9 and earlier releases.
     Mitigation: Never set "eagerfpu=off" in the boot command line. You can:
       A) Set eager mode directly:
          Setting "eagerfpu=on" always avoids this issue.
       Or
       B) Set eager mode indirectly:
          For WRL6 ~ 8, set "eagerfpu=auto" or leave it unset, and at the same time
          do not set "noxsave" or "noxsaveopt" in your boot command line.
          For WRL9, not setting "eagerfpu" to "off" is enough.

7.0.0.28:
  1) db: add version 6.0.35
     * This version is added to fix a rpm crash issue:
       https://bugzilla.yoctoproject.org/show_bug.cgi?id=10157
     * The original version 6.0.30 is still kept and used by default.
     * The recipe is backported from yocto 2.2
     Note: db 6.x is removed since yocto 2.3, please refer to:
       http://www.yoctoproject.org/docs/2.3/ref-manual/ref-manual.html#migration-2.3-package-management-changes
     To enable db 6.0.35:
       configure .. --with-template=feature/db-6.0.35

  2) IEEE 1588 Support for DPAA Ethernet driver on T2080 and B4080 target

  3) Upgrade MariaDB to 5.5.59 to fix the following CVEs:
       CVE-2018-2640 CVE-2018-2562 CVE-2018-2622 CVE-2018-2668 CVE-2018-2665

7.0.0.27:
  Upgrade MariaDB to 5.5.58 to fix the following CVEs:
    CVE-2017-10268 CVE-2017-10379 CVE-2017-10384 CVE-2017-10378

7.0.0.26:
  1) Fixed CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000366

  2) The fix of apache2 CVE-2016-8743
     The fix for CVE-2016-8743 introduces a behavioural change and may introduce
     compatibility issues with clients that do not strictly follow specifications.
     A new configuration directive, "HttpProtocolOptions Unsafe", can be used to
     re-enable some of the less strict parsing restrictions, at the expense of security.

  3) Upgrade MariaDB to 5.5.57 to fix the following CVEs:
       CVE-2017-3636 CVE-2017-3651 CVE-2017-3653
       CVE-2017-3652 CVE-2017-3641 CVE-2017-3648

7.0.0.25:
  1) We upgrade dpdk to 16.11, openvswitch to v2.70 and qemu to 2.7 in OVP profile.
     The default versions of openvswitch/dpdk/qemu are not changed.
     After upgrading OVP 7.0.0.25, the new versions can't be applied on your
     existing configuration directly. To enable the new version packages, you need
     to append the option --with-template=feature/new-dpdk-ovs to your configuration.
     NOTE: qemu 2.7 can only be built with host gcc 4.8 and later, so please check
     your host gcc version before enabling the template.

  2) We upgrade MariaDB 5.5.55

7.0.0.23:
  1) We upgrade MariaDB 5.5.54

  2) We plan to add new ntp 4.2.8.p10 in 7.0.0.24 to fix a bundle of CVEs
     More details: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

7.0.0.22:
  1) We upgrade MariaDB 5.5.53

  2) We add new version ntp 4.2.8p9 in order to fix a bundle of CVEs
     The default version is still 4.2.6p5.
     configure ... --with-template=feature/ntp428p9 to enable ntp 4.2.8.p9.

7.0.0.17:
  1) We add new version ntp 4.2.8p8 in order to fix a bundle of CVEs
     The default version is still 4.2.6p5.
     configure ... --with-template=feature/ntp428p8 to enable ntp 4.2.8.p8.

7.0.0.16:
  We plan to upgrade MariaDB 5.5.49 in RCPL 17

7.0.0.15:
  1) We add new version webkitgtk 2.10.9 to fix many CVEs
     FYI http://webkitgtk.org/security/WSA-2016-0002.html
     The default version is still 1.8.3.
     configure ... --with-template=feature/webkitgtk2109 to enable webkitgtk 2.10.9.

  2) Add X server resource database utility - xrdb 1.1.0

7.0.0.14:
  1) Disable SSLv2 default build, default negotiation and weak ciphers.
     FYI http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
     Technical details can be found in the published paper
     "DROWN: Breaking TLS using SSLv2":
       https://www.drownattack.com/drown-attack-paper.pdf
     The packages 'monit' and 'python-m2crypto' call SSLv2_method() by default,
     so SSLv2 is disabled in both packages.

  2) We add new version ntp 4.2.8p6 in order to fix the following CVEs:
       CVE-2015-7974 CVE-2015-8158 CVE-2015-7976 CVE-2015-7973
       CVE-2015-7978 CVE-2015-8138 CVE-2015-7977 CVE-2015-7979
       CVE-2015-8139 CVE-2015-8140 CVE-2015-5300
     The default version is still 4.2.6p5.
     configure ... --with-template=feature/ntp428p6 to enable ntp 4.2.8.p6.
     Note: we will change the default version to 4.2.8.p6 in 7.0.0.16.

7.0.0.13:
  1) We upgrade mariadb 5.5.47 in order to integrate the following CVE fixes:
       CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598
       CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616

  2) Add dpdk 2.1.0
     Default DPDK version is 1.7.1. If you want to use DPDK 2.1.0, please add the
     following option when configuring your project:
       --with-template=feature/dpdk-2.1

7.0.0.12:
  Upgrade mariadb to 5.5.46

7.0.0.11:
  1) We plan to upgrade mariadb 5.5.46 in 7.0.0.12 in order to integrate the
     following security fixes:
       CVE-2015-4879 CVE-2015-4870 CVE-2015-4830 CVE-2015-4836 CVE-2015-4802
       CVE-2015-4792 CVE-2015-4858 CVE-2015-4864 CVE-2015-4861 CVE-2015-4815
       CVE-2015-4816 CVE-2015-4819 CVE-2015-4913 CVE-2015-4826 CVE-2015-4807

  2) We plan to upgrade linux 3.14.x stable tree in 7.0.0.13

  3) We rebase the Yocto 1.7.1 stable tree.
     The last commit we merged from upstream is
       http://git.openembedded.org/openembedded-core/commit/?h=dizzy&id=7bb182bdd130266100fc541fd09b82d09c51cd80

7.0.0.10:
  We plan to rebase Yocto 1.7.x stable tree in 7.0.0.11

7.0.0.9:
  1) We merge the newest yocto 3.14.x kernel stable tree
     FYI http://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto-3.14/

  2) We rebase the Yocto 1.7.1 stable tree.
     The last commit we merged from upstream is
       http://git.openembedded.org/openembedded-core/commit/?h=dizzy&id=4621675632518caae3a8c2098ee36896b9372551
     The fixes of the following CVEs and YOCTO issues have been merged.
       CVE-2014-3707 CVE-2014-8118 CVE-2013-6435
       [YOCTO #7586] [YOCTO #7390] [YOCTO #7181] [YOCTO #6276] [YOCTO #7988]

7.0.0.8:
  1) We plan to rebase Yocto 1.7.3 stable tree in 7.0.0.9

  2) We plan to upgrade mariadb 5.5.44 in 7.0.0.3 in order to integrate the
     following security fixes:
       CVE-2015-2643 CVE-2015-2648 CVE-2015-2582 CVE-2015-2620
       CVE-2015-4752 CVE-2015-4757 CVE-2015-4737

7.0.0.7:
  1) We plan to sync up yocto 3.14.x kernel stable tree in 7.0.0.9
     FYI http://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto-3.14/

  2) Doing 'yum update' before building WRLinux 7.0 on Redhat 7.0 or CentOS 7.0
     A bug on Redhat 7.0 and CentOS 7.0 can cause the WRLinux 7.0 build to fail.
     The bug has been fixed in the latest Redhat 7.0 or CentOS 7.0, please run
       # yum update
       # reboot

7.0.0.6:
  1) We plan to upgrade mariadb 5.5.43 in 7.0.0.7 in order to integrate the
     following security fixes:
       CVE-2015-0433 CVE-2015-0499 CVE-2015-2573 CVE-2015-2568
       CVE-2015-0441 CVE-2015-0505 CVE-2015-0501 CVE-2015-2571
     FYI https://mariadb.com/kb/en/mariadb/mariadb-5543-release-notes/

  2) We rebase the Yocto 1.7.1 stable tree.
     The last commit we merged from upstream is
       http://git.openembedded.org/openembedded-core/commit/?h=dizzy&id=4a44c9287d80dec0973b31d30d3d6250ce4b4df4
     The fixes of the following CVEs and YOCTO issues have been merged.
       CVE-2014-8503 CVE-2014-8504 CVE-2014-8500
       CVE-2014-9114 CVE-2014-4877 CVE-2014-4607
       [YOCTO #7645] [YOCTO #7411] [YOCTO #7287] [YOCTO #7529] [YOCTO #7032]
       [YOCTO #7410] [YOCTO #7522] [YOCTO #7182] [YOCTO #7180] [YOCTO #7317]
       [YOCTO #7265] [YOCTO #6735] [YOCTO #7128] [YOCTO #7090] [YOCTO #7112]
       [YOCTO #7129] [YOCTO #6827] [YOCTO #7134] [YOCTO #7114] [YOCTO #7098]
       [YOCTO #7033] [YOCTO #6997] [YOCTO #7077] [YOCTO #6967] [YOCTO #6994]
       [YOCTO #7001] [YOCTO #5361] [YOCTO #6833] [YOCTO #6685] [YOCTO #6890]
       [YOCTO #6816] [YOCTO #6842] [YOCTO #6844] [YOCTO #6413] [YOCTO #6863]
       [YOCTO #6464] [YOCTO #6290]

7.0.0.4:
  Set HOSTNAME as environment variable.
  Before
    $ env | grep HOSTNAME
    (nothing)
  After
    $ env | grep HOSTNAME
    HOSTNAME=qemu111 (running on a qemu)

7.0.0.3:
  1) Upgrade the kernel to v3.14.29
  2) Upgrade the mariadb to 5.5.41

7.0.0.2:
  1) We plan to sync up yocto 3.14.x kernel stable tree in 7.0.0.3
     FYI http://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto-3.14/

  2) We plan to upgrade mariadb 5.5.41 in 7.0.0.3 in order to integrate the
     following security fixes:
       CVE-2015-0411 CVE-2015-0382 CVE-2015-0381
       CVE-2015-0432 CVE-2014-6568 CVE-2015-0374
     FYI https://mariadb.com/kb/en/mariadb/mariadb-5541-release-notes/

BSP Updates:

7.0.0.27:
  fsl-b4xxx: support 32bit kernel

7.0.0.24:
  ti-66ak2xxx: support security profile

7.0.0.16:
  fsl-imx6: Add i.MX6UL (Ultra Light)

7.0.0.14:
  fsl-t2xxx: add 32b support
  intel-edison: Intel Edison

7.0.0.12:
  fsl-ls1021: EPIC: [Update] Freescale LS1021 - (Update SDK and enable Rev 2 hardware)

7.0.0.11:
  fsl-ls1043: [NEW] Freescale LS1043 (Cortex A5)

7.0.0.10:
  xilinx-zynq: update latest PCIe driver
  fsl-p10xx: add fsl-p10xx support
  ti-ompa3: add Ti OMAP 3530

7.0.0.9:
  lsi-acp34xx: add lsi-acp34xx support
  fsl-ls20xx: add lx20xx bsp support
  cav-thunderx: Add hardware support
  fsl-e500mc: Add P4080 Rev2

7.0.0.8:
  fsl-p50xx: Freescale P50xx (FSL SDK 1.7 based)
  fsl-imx6: Full Featured
  ti-am335x: add cgl support
  fsl-e500mc: Add P4080

7.0.0.7:
  fsl-ls10xx: Enable features for Avnet Event Demo

7.0.0.6:
  fsl-b4xxx: Add fsl-b4xxx BSP to WRL7 based on SDK1.7
  ti-am335x: Add ti-am335x BSP to WRL7 based on TISDK-8
  fsl-ls10xx: Freescale LS10xx (LS1021A) - FSL SDK 1.7 Rebase
  fsl-imx6: add imx6 bsp support
  ti-66ak2xxx: TI 66AK2H (Add 66AK2E)
  fsl-e500mc: support fsl e500mc SDK 1.7
  intel-x86: update DPDK to latest 2.0.0 in WRL7

7.0.0.5:
  cav-octeon3: support cavium sdk 3.1.1 GA release
  intel-x86: [CF] Fortville (40Gb Eth card)

7.0.0.4:
  xilinx_zynq fsl_t4xxx: support fsl 4xxx SDK 1.7
  intel-x86: Add Intel Baytrail Platform support
             [New] Intel Denlow Refresh(BDW) + Basking Ridge(BDW-H) support
             [New] Intel Grangeville (Broadwell-DE)
             [Update] Intel graphic software stack update to fully support Broadwell GPU

7.0.0.2:
  intel-x86: integrate new fixes/features suggested by Intel OSVE team(Jan 2015)

7.0.0.1:
  altera-socfpga: Add Async BSP altera-socfpga support
  intel-x86: integrate new fixes/features suggested by Intel OSVE team(Dec 2014)
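
Added example (not part of the original release notes or of the product): a shell check that applies the CVE-2018-3665 boot command line rules from the 7.0.0.29 entry, item 4, to a given command line. The function name lazyfp_check, its verdict strings and the last-occurrence-wins handling of a repeated eagerfpu= are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a kernel command line against the CVE-2018-3665
# rules listed under 7.0.0.29. lazyfp_check is a hypothetical helper name.
# Usage: lazyfp_check <WRL major release: 6|7|8|9> "<kernel command line>"
# Prints a verdict; status 0 = ok, 1 = at risk, 2 = release not covered.
lazyfp_check() (
    # Body runs in a subshell, so set -f and the variables stay local
    # and "exit" only leaves the function.
    release=$1
    cmdline=$2
    eagerfpu=unset   # effective eagerfpu= value
    noxsave=no       # yes when noxsave or noxsaveopt is present
    set -f           # no globbing while splitting the command line

    # Assumption: when eagerfpu= is repeated, the last occurrence wins.
    for arg in $cmdline; do
        case $arg in
            eagerfpu=*)         eagerfpu=${arg#eagerfpu=} ;;
            noxsave|noxsaveopt) noxsave=yes ;;
        esac
    done

    case $release in
        6|7|8|9) ;;
        *) echo "unknown: no rule given for release '$release'"; exit 2 ;;
    esac

    case $eagerfpu in
        off) echo "at-risk: eagerfpu=off is set"; exit 1 ;;
        on)  echo "ok: eagerfpu=on (option A)"; exit 0 ;;
    esac

    # From here on eagerfpu is "auto", unset, or another value that is not "off".
    if [ "$release" = 9 ]; then
        echo "ok: WRL9 and eagerfpu is not off"; exit 0
    fi
    if [ "$noxsave" = yes ]; then
        echo "at-risk: eagerfpu=$eagerfpu together with noxsave/noxsaveopt"; exit 1
    fi
    echo "ok: eagerfpu=$eagerfpu without noxsave/noxsaveopt (option B)"
)

# Constructed sample command line (not taken from a real target).
# On a target, pass "$(cat /proc/cmdline)" instead.
lazyfp_check 8 "root=/dev/sda1 console=ttyS0 noxsave" || true
```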