This file highlights changes to the product made in RCPLs (Rolling Cumulative Patch Layers) that may be of interest to the user. The features are grouped by the RCPL in which they were made available. BSP-specific changes are listed in the BSP section at the end.

8.0.0.32:
1) libvirtd: support the TLS connection mode (LIN8-10588)

8.0.0.31:
1) We add ntp 4.2.8p13 to fix CVE-2019-8936.
   The default version is still 4.2.8p4. To enable ntp 4.2.8p13:
   configure ... --with-template=feature/ntp428p13
2) We add bind 9.10.5-P3 to fix CVE-2018-5740.
   The default version is still 9.10.2. To enable bind 9.10.5-P3:
   configure ... --with-template=feature/bind9105p3
3) Use an rbtree for the IP fragment reassembly queue in the kernel IP stack to fix CVE-2018-5391 (FragmentSmack).
4) Upgrade tzcode and tzdata to 2019c.
5) Upgrade MariaDB to 5.5.65 to fix the following CVEs:
   CVE-2019-2805 CVE-2019-2740 CVE-2019-2739 CVE-2019-2737 CVE-2019-2974 CVE-2019-2614 CVE-2019-2627 CVE-2019-2529

8.0.0.30:
Add tipcutils 2.2.0 to fix defect LIN8-10156 (https://support2.windriver.com/index.php?page=defects&on=view&id=LIN8-10156).
   The default version is still 2.0.6. To enable the 2.2.0 version:
   configure ... --with-template=feature/tipcutils-git

8.0.0.29:
Announcement: WRLinux 8.0 is in compliance with the Security Technical Implementation Guides (STIG) since RCPL 29. Please contact your local support for details.

8.0.0.28:
1) Side effect of the fix for CVE-2018-5391 (FragmentSmack)
   We revert upstream commit c2a936 to shrink the default values of net.ipv4.ipfrag_high_thresh/net.ipv4.ipfrag_low_thresh from 4M/3M back to 256K/192K. This can affect performance: with ipfrag_high_thresh at 262144 bytes, only two 64K fragmented datagrams can be in the reassembly queue at the same time, so applications that rely on large UDP packets are at risk of breaking. In some cases it can make an NFS root boot fail with "server not responding, still trying".
   To avoid the NFS boot failure, mount the root file system over TCP instead of UDP, for example:
   nfsroot=128.224.178.20:/export/pxeboot/vlm-boards/25010/rootfs,v3,tcp
   If you accept the risk of CVE-2018-5391, there are two ways to restore the old thresholds:
   In the kernel source tree: re-apply commit c2a936 to enlarge the default values of these thresholds.
   At runtime:
   $ echo 4194304 > /proc/sys/net/ipv6/ip6frag_high_thresh
   $ echo 3145728 > /proc/sys/net/ipv6/ip6frag_low_thresh
   $ echo 4194304 > /proc/sys/net/ipv4/ipfrag_high_thresh
   $ echo 3145728 > /proc/sys/net/ipv4/ipfrag_low_thresh
   Note that values written to /proc/sys do not persist across a reboot, and raising the thresholds reopens the exposure that the CVE-2018-5391 fix closed.
2) Upgrade MariaDB to 5.5.62 to fix the following CVEs:
   CVE-2018-3282 CVE-2018-3174 CVE-2018-3133

8.0.0.27:
1) Upgrade the Intel microcode to version 20180807. To include it in the image:
   $ make intel-microcode.addpkg; make iucode-tool.addpkg
   $ make fs
2) Add two features to systemd:
   i) Reworked crash handling for systemd
   ii) lz4 compression for coredumps
3) About CVE-2018-3665 (lazy FPU state restore)
   CVE-2018-3665 only affects Intel CPUs on WRL9 and earlier releases.
   Mitigation: never set "eagerfpu=off" on the kernel command line. You can either:
   A) Set eager mode directly: "eagerfpu=on" always avoids this issue.
   B) Set eager mode indirectly: for WRL6 through WRL8, set "eagerfpu=auto" or leave eagerfpu unset, and at the same time do not set "noxsave" or "noxsaveopt" on the command line. For WRL9, not setting "eagerfpu=off" is enough.
4) Upgrade MariaDB to 5.5.61 to fix the following CVEs:
   CVE-2018-3058 CVE-2018-3066 CVE-2018-3063 CVE-2018-2767 CVE-2018-3070 CVE-2018-3081
5) We add ntp 4.2.8p12 to fix CVE-2018-12327.
   The default version is still 4.2.8p4. To enable ntp 4.2.8p12:
   configure ... --with-template=feature/ntp428p12

8.0.0.26:
1) We add ntp 4.2.8p11 to fix the following CVEs.
   The default version is still 4.2.8p4. To enable ntp 4.2.8p11:
   configure ... --with-template=feature/ntp428p11
   CVE-2018-7185 CVE-2018-7183 CVE-2018-7184 CVE-2018-7170 CVE-2018-7182
2) Altera Arria 10 board: support the on-board QSPI flash.
3) Integrate the KPTI (Kernel Page Table Isolation) feature from https://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto-4.1/log/?h=standard/base to mitigate Meltdown. With PTI enabled, side-channel attacks that leverage the paging structures (kernel mappings present in the user-space page tables) no longer work. It is enabled by setting CONFIG_PAGE_TABLE_ISOLATION=y at compile time; once built in, it can be disabled at boot with the 'nopti' or 'pti=' kernel parameters (see kernel-parameters.txt). CONFIG_PAGE_TABLE_ISOLATION is enabled by default in this release.
4) Upgrade MariaDB to 5.5.60 to fix the following CVEs:
   CVE-2018-2755 CVE-2018-2781 CVE-2018-2761 CVE-2018-2819 CVE-2018-2818 CVE-2018-2817 CVE-2018-2813 CVE-2018-2771 CVE-2018-2773

8.0.0.25:
1) strongswan: add version 5.3.3.
   One of the features newly added in strongswan 5.3.3 is strongly demanded:
   * auto=route with right=%any for transport mode connections
   Refer to the strongswan 5.3.3 release notes for details: https://www.strongswan.org/blog/2015/09/07/strongswan-5.3.3-released.html
   Version 5.3.2 is still kept and used by default. To use strongswan 5.3.3, add the following configure option:
   --with-template=feature/strongswan-5.3.3
2) Upgrade MariaDB to 5.5.59 to fix the following CVEs:
   CVE-2018-2640 CVE-2018-2562 CVE-2018-2622 CVE-2018-2668 CVE-2018-2665

8.0.0.23:
Upgrade MariaDB to 5.5.58 to fix the following CVEs:
   CVE-2017-10268 CVE-2017-10379 CVE-2017-10384 CVE-2017-10378

8.0.0.22:
1) Wi-Fi WPA/WPA2 security protocol vulnerability (KRACK)
   The patch for this vulnerability missed the 8.0.0.22 window. Please download the source patch from https://knowledge.windriver.com/Content_Lookup?id=K-511283. We will integrate the patch into 8.0.0.23.
2) gdb/gdbserver: add support for showing thread names over the remote protocol.
3) xf86-video-intel: use UXA instead of SNA as the default acceleration mode.
   SNA mode causes a screen distortion issue on the MinnowMAX board, described at https://bugs.freedesktop.org/show_bug.cgi?id=100700. UXA is verified not to have this issue; it is also more stable and has had more releases than SNA, so UXA replaces SNA as the default. If you still prefer SNA, change uxa to sna in PACKAGECONFIG of the xf86-video-intel bb file.

8.0.0.21:
Upgrade MariaDB to 5.5.57 to fix the following CVEs:
   CVE-2017-3636 CVE-2017-3651 CVE-2017-3653 CVE-2017-3652 CVE-2017-3641 CVE-2017-3648

8.0.0.19:
1) Fixed CVE-2017-1000364, CVE-2017-1000365 and CVE-2017-1000366 (Stack Clash).
2) We add openvswitch 2.7.0 and qemu 2.7 to the OVP profile. The default versions of openvswitch/dpdk/qemu are not changed. After upgrading OVP to 8.0.0.19, the new versions are not applied to an existing configuration automatically; to enable them, append --with-template=feature/ovs-2.7.0 to your configure options.
   NOTE: qemu 2.7 can only be built with host gcc 4.8 or later, so check your host gcc version before enabling the template.
3) The fix for apache2 CVE-2016-8743
   The fix for CVE-2016-8743 changes behaviour and may cause compatibility issues with clients that do not strictly follow the HTTP specifications. The new configuration directive "HttpProtocolOptions Unsafe" re-enables some of the less strict request parsing, at the expense of security.

8.0.0.18:
1) We upgrade MariaDB to 5.5.55.
2) Change to gdb.sh in an SDK
   The gdb.sh script in the scripts directory of an SDK starts a gdb session with gdb set to look for source files in the target image installed under export/dist in the SDK. In prior releases, gdb.sh wrote an initialization file into the SDK, so the installation could not be read-only.
   The script now creates the initialization file as a temporary file, usually under /tmp. The file is created with mktemp, so it is uniquely named.

8.0.0.17:
We plan to upgrade MariaDB to 5.5.55 in 8.0.0.18 to fix the following CVEs:
   CVE-2017-3329 CVE-2017-3453 CVE-2017-3309 CVE-2017-3600 CVE-2017-3308 CVE-2017-3305 CVE-2017-3456 CVE-2017-3462 CVE-2017-3463 CVE-2017-3461 CVE-2017-3464

8.0.0.16:
We add ntp 4.2.8p10 to fix the following CVEs:
   CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 CVE-2017-6460 CVE-2016-9042
   The default version is still 4.2.8p4. To enable ntp 4.2.8p10:
   configure ... --with-template=feature/ntp428p10

8.0.0.15:
1) We upgrade MariaDB to 5.5.54.
2) We plan to add ntp 4.2.8p10 in 8.0.0.16 to fix a bundle of CVEs.

8.0.0.14:
1) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=a9db40da62c13b0010ce5afc1fde16d987bdfbc6
2) We plan to upgrade MariaDB to 5.5.54 in 8.0.0.15 to fix a bundle of CVEs.

8.0.0.12:
1) We upgrade MariaDB to 5.5.53.
2) We add ntp 4.2.8p9 to fix the following CVEs:
   CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433
   The default version is still 4.2.8p4. To enable ntp 4.2.8p9:
   configure ... --with-template=feature/ntp428p9
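The three kernel-side settings described in the 8.0.0.28 (ipfrag thresholds), 8.0.0.27 (eagerfpu) and 8.0.0.26 (PTI) entries above are easy to get wrong on a deployed board, since two of them are boot-line flags and one is a runtime sysctl that silently reverts the FragmentSmack fix. The audit script below is an added example and is not part of these release notes or of the Wind River product. It encodes the rules exactly as the entries above state them, takes the raw text of /proc/cmdline and of "sysctl -a" as input so it can be run offline against a saved copy, and assumes that "pti=off" is the value form of the 'pti=' parameter that disables PTI (upstream kernel semantics; the notes only name 'nopti' and 'pti='). The sample command line and sysctl output are constructed for the example.

```python
"""Audit the CVE-2018-5391, CVE-2018-3665 and Meltdown (PTI) settings from the RCPL notes.

Added example, not Wind River code. Inputs are the text of /proc/cmdline and of
`sysctl -a` (or the /proc/sys files), so the checks run offline on a saved copy.
"""

# Threshold pairs (bytes) named in the 8.0.0.28 entry: 256K/192K after the fix, 4M/3M before it.
IPFRAG_MITIGATED = (262144, 196608)
IPFRAG_REVERTED = (4194304, 3145728)

# sysctl key prefix per address family; v4 uses ipfrag_*, v6 uses ip6frag_*.
FRAG_PREFIX = {"ipv4": "net.ipv4.ipfrag_", "ipv6": "net.ipv6.ip6frag_"}


def parse_cmdline(cmdline):
    """Split a kernel command line into {param: value}; bare flags map to None."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl -a format) into {key: int}; non-integer values are skipped."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        try:
            values[key.strip()] = int(value.strip())
        except ValueError:
            pass
    return values


def pti_active(cmdline, config_pti=True):
    """True when KPTI is expected to be in effect (8.0.0.26 entry).

    Without CONFIG_PAGE_TABLE_ISOLATION it is never active; when built in, 'nopti'
    disables it at boot, as does 'pti=off' (assumed upstream value of the 'pti=' parameter)."""
    if not config_pti:
        return False
    params = parse_cmdline(cmdline)
    return "nopti" not in params and params.get("pti") != "off"


def fpu_restore_safe(cmdline, wrl_major=8):
    """True when the boot line is safe against CVE-2018-3665 per the 8.0.0.27 entry.

    eagerfpu=off is always unsafe; eagerfpu=on is always safe. With eagerfpu=auto or
    unset, WRL6 to WRL8 are safe only if neither noxsave nor noxsaveopt is given; on
    WRL9 avoiding eagerfpu=off is enough."""
    params = parse_cmdline(cmdline)
    mode = params.get("eagerfpu")
    if mode == "off":
        return False
    if mode == "on" or wrl_major >= 9:
        return True
    return not any(flag in params for flag in ("noxsave", "noxsaveopt"))


def ipfrag_posture(sysctl, family="ipv4"):
    """Classify the reassembly thresholds as 'mitigated' (256K/192K), 'reverted' (4M/3M)
    or 'custom'. Raises if the pair is inconsistent (low must stay below high)."""
    prefix = FRAG_PREFIX[family]
    high = sysctl[prefix + "high_thresh"]
    low = sysctl[prefix + "low_thresh"]
    if low >= high:
        raise ValueError("%slow_thresh must be below high_thresh" % prefix)
    if (high, low) == IPFRAG_MITIGATED:
        return "mitigated"
    if (high, low) == IPFRAG_REVERTED:
        return "reverted"
    return "custom"


def audit(cmdline, sysctl_text, wrl_major=8, config_pti=True):
    """Run all three checks and return a flat report dict."""
    sysctl = parse_sysctl(sysctl_text)
    return {
        "pti": pti_active(cmdline, config_pti),
        "fpu_safe": fpu_restore_safe(cmdline, wrl_major),
        "ipfrag_v4": ipfrag_posture(sysctl, "ipv4"),
        "ipfrag_v6": ipfrag_posture(sysctl, "ipv6"),
    }


# Constructed sample input: a WRL8 NFS-root boot line carrying 'noxsave', and sysctl
# output where the IPv4 thresholds were put back to 4M/3M at runtime but IPv6 was not.
SAMPLE_CMDLINE = ("root=/dev/nfs nfsroot=128.224.178.20:/export/rootfs,v3,tcp "
                  "ip=dhcp noxsave console=ttyS0,115200")
SAMPLE_SYSCTL = """\
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_time = 30
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CMDLINE, SAMPLE_SYSCTL).items():
        print("%-10s %s" % (key, value))
```

On the constructed sample the report flags the FPU setting as unsafe (eagerfpu unset plus noxsave on a WRL8 line) and the IPv4 thresholds as reverted while IPv6 is still at the mitigated defaults, which is exactly the half-applied state the runtime echo commands in the 8.0.0.28 entry can leave behind if only one family is changed.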
8.0.0.11:
1) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=39ef8e22b52d3f5daa853aa7866145e9c5469d4b

8.0.0.9:
1) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=a27b907dd3ad20fc60b7732c19012793aaaba2df

8.0.0.8:
1) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=1f4bfa33073584c25396d74f3929f263f3df188b

8.0.0.7:
We add ntp 4.2.8p8 to fix the following CVEs:
   CVE-2016-1551 CVE-2016-1549 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 CVE-2016-1547 CVE-2016-1548 CVE-2015-7704 CVE-2016-1550 CVE-2016-4957 CVE-2016-4953 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956
   The default version is still 4.2.8p4. To enable ntp 4.2.8p8:
   configure ... --with-template=feature/ntp428p8

8.0.0.6:
1) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=69b1e25a53255433262178b91ab3e328768ad725
2) We plan to upgrade MariaDB to 5.5.49 in RCPL 7.

8.0.0.5:
1) Upgrade the Linux kernel from 4.1.18 to 4.1.21.
2) Rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=28032d8c3122b75ceb3f4a664a2b478c9a9a6a2c
   [YOCTO #9379] [YOCTO #9357] [YOCTO #9265]
3) Add the X server resource database utility xrdb 1.1.0.

8.0.0.4:
1) Disable SSLv2 in the default build and in default negotiation, and disable weak ciphers (DROWN).
   FYI http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
   Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2": https://www.drownattack.com/drown-attack-paper.pdf
   The packages 'monit' and 'python-m2crypto' call SSLv2_method() by default, so SSLv2 is disabled in both packages as well.
2) We rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=883c38cf0e59082276f933f9b47e276b6b88270f
3) We add ntp 4.2.8p6 to fix the following CVEs:
   CVE-2015-7974 CVE-2015-8158 CVE-2015-7976 CVE-2015-7973 CVE-2015-7978 CVE-2015-8138 CVE-2015-7977 CVE-2015-7979 CVE-2015-8139 CVE-2015-8140 CVE-2015-5300
   The default version is still 4.2.8p4. To enable ntp 4.2.8p6:
   configure ... --with-template=feature/ntp428p6
4) We add webkitgtk 2.10.9 to fix many CVEs.
   FYI http://webkitgtk.org/security/WSA-2016-0002.html
   The default version is still 2.8.5. To enable webkitgtk 2.10.9:
   configure ... --with-template=feature/webkitgtk2109

8.0.0.3:
1) We rebase the Yocto 2.0 stable tree
   Update to the commit http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=c99ed6b73f397906475c09323b03b53deb83de55
   [YOCTO #9197] [YOCTO #9067] [YOCTO #8553] [YOCTO #8693] [YOCTO #8854]
2) We upgrade the Linux kernel from 4.1.17 to 4.1.18.

8.0.0.2:
1) We upgrade the Linux kernel from 4.1.15 to 4.1.17.
2) We rebase the Yocto 2.0 stable tree. The last commit we merged from upstream is http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=824a43c30b99971a382abd5edcf126f96cf4d485
   [YOCTO #8739] [YOCTO #8869] [YOCTO #8611] [YOCTO #8243] [YOCTO #8971] [YOCTO #8966] [YOCTO #8028] [YOCTO #8509] [YOCTO #8825] [YOCTO #8839] [YOCTO #8625] [YOCTO #8658] [YOCTO #8661] [YOCTO #8639] [YOCTO #8645] [YOCTO #8124] [YOCTO #8562]
3) We upgrade MariaDB to 5.5.47 to integrate the following CVE fixes:
   CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616

8.0.0.1:
1) We upgrade the Linux kernel from 4.1.13 to 4.1.15.
2) We rebase the Yocto 2.0 stable tree.
   The last commit we merged from upstream is http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=224bcc2ead676600bcd9e290ed23d9b2ed2f481e
   [YOCTO #8709] [YOCTO #8710] [YOCTO #8448]

BSP Updates:

8.0.0.25:
xilinx-zynqmp: SCP 8 support for Xilinx Zynq UltraScale

8.0.0.22:
fsl-ls1021atwr: EPIC: LIN8-6638: Validate LS1021-TWR on the existing LS1021-IoT BSP in WRL8
fsl-ls1046: EPIC: [NEW] NXP LS1046
cav_octeon3: Update cav_octeon3 from SDK 3.1.1 to 3.1.2-568

8.0.0.20:
nxp-ls1012: EPIC: [NEW] WRL8 BSP for the NXP LS1012A RDB
renesas-rcar3: EPIC: [NEW] Renesas R-Car H3 (Salvator-X) in WRL8
fsl-ls1043: EPIC: [Update] LS1043 - Add support for Rev 1.1 (WRL8)

8.0.0.18:
nxp-imx7: EPIC: [NEW] Add NXP i.MX7 support in WRL8

8.0.0.17:
intel-apollolake-i: [Update] Intel Apollo Lake BSP update to the Yocto MR2 version

8.0.0.12:
rose-apple-pi: EPIC: [NEW] Add Roseapple Pi support - WRL8

8.0.0.11:
fsl-imx6: Freescale i.MX6 rebase to the kernel 4.1 SDK
intel-apollolake-i: EPIC: [Update] intel-x86: update Apollo Lake (Broxton) to the Yocto gold release - WRL8
xilinx-zynqmp: EPIC: [NEW] Xilinx UltraScale MPSoC - ZCU102

8.0.0.10:
mv-armada-38x: Marvell Armada 385

8.0.0.9:
fsl-t4xxx: Freescale T4240 (FSL SDK 2.0 based)
fsl-p2020: Freescale e500v2 fsl-p2020 BSP (SDK 1.8 based)
fsl-ls1043: Freescale LS1043 - based on SDK 2.0

8.0.0.7:
altera-socfpga: Altera Arria 10
fsl-ls20xx: EPIC: [CF] Freescale LS2085

8.0.0.5:
fsl-t4xxx: Freescale T4240 (FSL SDK 1.8 based)
axxiaarm64: add BSP axxiaarm64
ti-am335x: add TI AM335x

8.0.0.4:
fsl-imx6: Freescale i.MX6
intel-x86: add support for the Intel Compute Stick; add Broadwell-DE support

8.0.0.3:
fsl-ls10xx: Freescale LS1021

8.0.0.2:
altera-socfpga: Add BSP altera-socfpga
fsl-e500mc: add fsl-e500mc BSP

8.0.0.1:
xilinx-zynq: [Update] Add Avnet Mini-ITX, MicroZED, PicoZED
axxiaarm: [Add] LSI AXM55xx