This file highlights changes to the product made in RCPLs that may be of
interest to the user. The features are grouped by the RCPL in which they were
made available.  BSP specific changes are located in the BSP section.


8.0.0.34:

1) Change the default version of ntp to 4.2.8.p14.

2) Upgrade MariaDB to 5.5.67 to fix following CVEs

CVE-2020-2812
CVE-2020-2752

3) Upgrade timezone to 2020c

4) openjdk-8: update to the latest GA version 252 to fix the CVEs below:

CVE-2018-2942
CVE-2018-2938
CVE-2018-2940
CVE-2018-2973
CVE-2018-2964
CVE-2018-3169
CVE-2018-3180
CVE-2018-3211
CVE-2018-3136
CVE-2018-3149
CVE-2018-3214
CVE-2018-3209
CVE-2018-3139
CVE-2018-3183
CVE-2019-2422
CVE-2019-2426
CVE-2019-2449
CVE-2019-2699
CVE-2019-2698
CVE-2019-2697
CVE-2019-2684
CVE-2019-2602
CVE-2019-2842
CVE-2019-2816
CVE-2019-2786
CVE-2019-2769
CVE-2019-2766
CVE-2019-2762
CVE-2019-2745
CVE-2019-2983
CVE-2019-2981
CVE-2019-2978
CVE-2019-2975
CVE-2019-2973
CVE-2019-2964
CVE-2019-2962
CVE-2019-2958
CVE-2019-2949
CVE-2019-2945
CVE-2019-2933
CVE-2019-2999
CVE-2019-2996
CVE-2019-2992
CVE-2019-2988
CVE-2020-2659
CVE-2020-2654
CVE-2020-2601
CVE-2020-2593
CVE-2020-2590
CVE-2020-2585
CVE-2020-2583
CVE-2020-2830
CVE-2020-2805
CVE-2020-2800
CVE-2020-2781
CVE-2020-2773
CVE-2020-2757
CVE-2020-2756
CVE-2020-2755
CVE-2020-2754
CVE-2020-2803
CVE-2020-14556
CVE-2020-14577
CVE-2020-14578
CVE-2020-14579
CVE-2020-14581
CVE-2020-14583
CVE-2020-14593
CVE-2020-14621
CVE-2020-14664
CVE-2018-2811
CVE-2018-2815
CVE-2018-2794
CVE-2018-2800
CVE-2018-2814
CVE-2018-2799
CVE-2018-2796
CVE-2018-2797
CVE-2018-2798
CVE-2018-2790
CVE-2016-5568
CVE-2016-5556
CVE-2017-3231
CVE-2017-3272
CVE-2016-5546
CVE-2017-3262
CVE-2016-8328
CVE-2017-3259
CVE-2016-5548
CVE-2017-3241
CVE-2017-3514
CVE-2017-3526
CVE-2017-3512
CVE-2017-10114
CVE-2017-10193
CVE-2017-10086
CVE-2017-10198
CVE-2017-10105
CVE-2017-10102
CVE-2017-10125
CVE-2017-10115
CVE-2017-10345
CVE-2017-10281
CVE-2017-10293
CVE-2018-2637
CVE-2018-2582
CVE-2018-2638
CVE-2018-2627
CVE-2018-2657
CVE-2018-2639
CVE-2018-2581
CVE-2018-2783
CVE-2016-3511
CVE-2016-3503
CVE-2016-3552
CVE-2016-3508
CVE-2016-3498

8.0.0.33:

1) Upgrade MariaDB to 5.5.67 to fix following CVEs

CVE-2020-2574

2) We add new version ntp 4.2.8p14 to fix 3 security issues, including CVE-2020-11868

Refer to

http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele

The default version is still 4.2.8p4. 

setup.sh ... --template feature/ntp428p14 to enable ntp 4.2.8.p14.


8.0.0.32:

1) libvirtd: Facilitate using tls connection mode (LIN8-10588)

8.0.0.31:

1) We add new version ntp 4.2.8p13 to fix CVE-2019-8936

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p13 to enable ntp 4.2.8.p13.

2) Add a new version bind 9.10.5-P3 to fix CVE-2018-5740

The default version is still 9.10.2

To enable 9.10.5-P3

configure .. --with-template=feature/bind9105p3

3) Implement RB tree in the IP stack to fix CVE-2018-5391

4) Upgrade tzcode and tzdata to 2019c

5) Upgrade MariaDB to 5.5.65 to fix following CVEs

CVE-2019-2805
CVE-2019-2740
CVE-2019-2739
CVE-2019-2737
CVE-2019-2974
CVE-2019-2614
CVE-2019-2627
CVE-2019-2529

8.0.0.30:

Add new version 2.2.0 of tipcutils in order to fix defect LIN8-10156 (https://support2.windriver.com/index.php?page=defects&on=view&id=LIN8-10156)
The default version is still 2.0.6. To enable version 2.2.0, use:

configure ... --with-template=feature/tipcutils-git

8.0.0.29:

Announcement: WRLinux 8.0 is in compliance with Security Technical
Implementation Guides (STIG) since RCPL 29. Please contact local support for
details.

8.0.0.28:

1) Side effect of resolution of CVE-2018-5391

We revert upstream commit c2a936 to shrink the default value of
net.ipv4.ipfrag_high_thresh/net.ipv4.ipfrag_low_thresh from 4M/3M to
256K/192K.

There can be some impact on performance though, due to ipfrag_high_thresh
of 262144 bytes, as only two 64K fragments can fit in the reassembly queue
at the same time. For example, there is a risk of breaking applications that
rely on large UDP packets.

In some special cases, NFS boot can fail with "server not
responding, still trying". To avoid this, use TCP instead of UDP,
for example:

"nfsroot=128.224.178.20:/export/pxeboot/vlm-boards/25010/rootfs,v3,tcp"

If you accept the risk of CVE-2018-5391, there are two ways to restore
the larger thresholds:

In kernel source tree:
Re-apply commit c2a936 to enlarge the default values of these
thresholds.

At runtime:
$ echo 4194304 > /proc/sys/net/ipv6/ip6frag_high_thresh
$ echo 3145728 > /proc/sys/net/ipv6/ip6frag_low_thresh
$ echo 4194304 > /proc/sys/net/ipv4/ipfrag_high_thresh
$ echo 3145728 > /proc/sys/net/ipv4/ipfrag_low_thresh
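
An added example, not part of the original release notes: a POSIX shell check
that reports whether the four fragment-reassembly thresholds named above have
been raised past the 256K/192K defaults. The function name check_frag_thresh,
its optional directory argument and the sample tree are assumptions made for
this example.

```sh
#!/bin/sh
# Hardened defaults from the release note: 256K high / 192K low, in bytes.
HIGH_MAX=262144
LOW_MAX=196608

# check_frag_thresh [ROOT]
# ROOT defaults to /proc/sys/net; pass another directory to audit a saved
# copy. Prints one line per setting and returns 1 if any value is above
# the hardened default or is not a number.
check_frag_thresh() {
    root=${1:-/proc/sys/net}
    rc=0
    for entry in \
        "ipv4/ipfrag_high_thresh:$HIGH_MAX" \
        "ipv4/ipfrag_low_thresh:$LOW_MAX" \
        "ipv6/ip6frag_high_thresh:$HIGH_MAX" \
        "ipv6/ip6frag_low_thresh:$LOW_MAX"
    do
        path=${entry%%:*}
        limit=${entry##*:}
        if [ ! -r "$root/$path" ]; then
            echo "SKIP    $path (not present, e.g. IPv6 disabled)"
            continue
        fi
        value=$(cat "$root/$path")
        case $value in
            ''|*[!0-9]*) echo "BAD     $path='$value'"; rc=1; continue ;;
        esac
        if [ "$value" -gt "$limit" ]; then
            echo "RAISED  $path=$value (hardened default $limit)"
            rc=1
        else
            echo "OK      $path=$value"
        fi
    done
    return $rc
}

# Constructed sample: a saved tree holding the pre-fix 4M/3M IPv4 values.
demo=$(mktemp -d)
mkdir -p "$demo/ipv4"
echo 4194304 > "$demo/ipv4/ipfrag_high_thresh"
echo 3145728 > "$demo/ipv4/ipfrag_low_thresh"
check_frag_thresh "$demo" || echo "fragment thresholds were raised"
rm -rf "$demo"
```

Called with no argument on a target, the function reads the live values under
/proc/sys/net.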

2) Upgrade MariaDB to 5.5.62 to fix following CVEs

CVE-2018-3282
CVE-2018-3174
CVE-2018-3133


8.0.0.27:

1) Upgrade Intel Microcode version 20180807

$ make intel-microcode.addpkg; make iucode-tool.addpkg
$ make fs

2) Add 2 features in systemd

i) Rework crash handling for systemd
ii) Add lz4 compression method for coredump

3) About CVE-2018-3665

CVE-2018-3665 only affects Intel CPUs, on WRL9 and earlier releases.

Mitigation:
Never set "eagerfpu=off" in the boot command line. You can:

A) Set eager mode directly:
Setting "eagerfpu=on" always avoids this issue.

Or

B) Set eager mode indirectly:

For WRL6 ~ 8, set "eagerfpu=auto" or leave it unset, and do not set
"noxsave" or "noxsaveopt" in your boot command line. For WRL9, not
setting "eagerfpu" to "off" is enough.

4) Upgrade MariaDB to 5.5.61 to fix following CVEs

CVE-2018-3058
CVE-2018-3066
CVE-2018-3063
CVE-2018-2767
CVE-2018-3070
CVE-2018-3081

5) We add new version ntp 4.2.8p12 to fix CVE-2018-12327

The default version is still 4.2.8p4.

configure ... --with-template=feature/ntp428p12 to enable ntp 4.2.8.p12.

8.0.0.26:

1) We add new version ntp 4.2.8p11 to fix following CVEs

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p11 to enable ntp 4.2.8.p11.

CVE-2018-7185
CVE-2018-7183
CVE-2018-7184
CVE-2018-7170
CVE-2018-7182

2) Altera Arria 10 board supports on-board QSPI flash

3) Integrate the KPTI (KERNEL PAGE TABLE ISOLATION) feature from https://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto-4.1/log/?h=standard/base
to mitigate Meltdown.

This approach helps to ensure that side-channel attacks leveraging the paging structures do not function when PTI is enabled.
It can be enabled by setting CONFIG_PAGE_TABLE_ISOLATION=y at compile time. Once enabled at compile-time, it can be disabled
at boot with the 'nopti' or 'pti=' kernel parameters (see kernel-parameters.txt). 

BTW, we enable CONFIG_PAGE_TABLE_ISOLATION by default.
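
An added example, not Wind River's own tooling: a POSIX shell audit of a kernel
command line for the boot parameters these notes warn about, covering the
eagerfpu/noxsave rules for WRL6 ~ 8 from the CVE-2018-3665 item under 8.0.0.27
and the 'nopti'/'pti=' switches for KPTI above. The function name audit_cmdline
and the sample command lines are constructed for illustration; it assumes
"pti=off" is the disabling value of 'pti=' and lets the last occurrence of a
parameter win.

```sh
#!/bin/sh
# audit_cmdline "CMDLINE"
# Prints one finding per line and returns 1 if the command line carries a
# setting the release notes warn against (rules for WRL6 ~ 8), else 0.
# Simplification: the last occurrence of a parameter wins.
audit_cmdline() {
    eagerfpu=auto    # the notes treat an unset eagerfpu like "auto"
    noxsave=
    pti=on           # assumes a kernel built with CONFIG_PAGE_TABLE_ISOLATION=y
    set -f           # no globbing while the line is split into words
    for tok in $1; do
        case $tok in
            eagerfpu=*)         eagerfpu=${tok#eagerfpu=} ;;
            noxsave|noxsaveopt) noxsave=$tok ;;
            nopti)              pti=off ;;
            pti=*)              pti=${tok#pti=} ;;
        esac
    done
    set +f
    rc=0
    if [ "$eagerfpu" = off ]; then
        echo "CVE-2018-3665: eagerfpu=off is set"
        rc=1
    elif [ "$eagerfpu" != on ] && [ -n "$noxsave" ]; then
        echo "CVE-2018-3665: $noxsave with eagerfpu=$eagerfpu; set eagerfpu=on"
        rc=1
    fi
    if [ "$pti" = off ]; then
        echo "Meltdown: KPTI disabled at boot (nopti or pti=off)"
        rc=1
    fi
    return $rc
}

# Constructed sample command lines, not taken from a real target.
for sample in \
    "root=/dev/sda2 rw console=ttyS0,115200" \
    "root=/dev/sda2 rw eagerfpu=auto noxsaveopt" \
    "root=/dev/sda2 rw eagerfpu=on noxsave nopti"
do
    echo "== $sample"
    audit_cmdline "$sample" || true
done
```

To audit a running target, pass it the live command line:
audit_cmdline "$(cat /proc/cmdline)".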

4) Upgrade MariaDB to 5.5.60 to fix following CVEs

CVE-2018-2755
CVE-2018-2781
CVE-2018-2761
CVE-2018-2819
CVE-2018-2818
CVE-2018-2817
CVE-2018-2813
CVE-2018-2771
CVE-2018-2773

8.0.0.25:

1) strongswan: add version 5.3.3

One of the newly added features in strongswan 5.3.3, listed below, is in strong demand:
* auto=route with right=%any for Transport Mode Connections

Refer to the strongswan-5.3.3 release notes for details:
https://www.strongswan.org/blog/2015/09/07/strongswan-5.3.3-released.html

The version 5.3.2 is still kept and used by default.

So if you want to use the strongswan version 5.3.3, add the following as a configure option:

--with-template=feature/strongswan-5.3.3

2) Upgrade MariaDB to 5.5.59 to fix following CVEs

CVE-2018-2640
CVE-2018-2562
CVE-2018-2622
CVE-2018-2668
CVE-2018-2665

8.0.0.23:

Upgrade MariaDB to 5.5.58 to fix following CVEs

CVE-2017-10268
CVE-2017-10379
CVE-2017-10384
CVE-2017-10378

8.0.0.22:

1) Wi-Fi WPA/WPA2 Security Protocol Vulnerability [a.k.a. KRACK]

The patch for this vulnerability missed the 8.0.0.22 window. Please download
the source patch from

https://knowledge.windriver.com/Content_Lookup?id=K-511283

We will integrate the patch into 8.0.0.23.

2) Gdb-gdbserver: add a new feature to show the thread names in the remote protocol.

3) xf86-video-intel: use UXA to replace SNA as the default acceleration mode

The SNA mode causes a screen distortion issue on the MinnowMAX board, described in this link:
https://bugs.freedesktop.org/show_bug.cgi?id=100700
The UXA mode is verified not to have the above issue. UXA is more stable and has more releases
than SNA, so UXA replaces SNA as the default acceleration mode.

If you still prefer SNA mode over UXA, you can change uxa to sna in PACKAGECONFIG
of the xf86-video-intel bb file.

8.0.0.21:

Upgrade MariaDB to 5.5.57 to fix following CVEs

CVE-2017-3636
CVE-2017-3651
CVE-2017-3653
CVE-2017-3652
CVE-2017-3641
CVE-2017-3648

8.0.0.19:

1) Fixed the CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000366

2) We upgrade openvswitch to v2.70 and qemu to 2.7 in the OVP profile.

The default versions of openvswitch/dpdk/qemu are not changed. After upgrading OVP 8.0.0.19,
the new versions can't be applied on your existing configuration directly.

To enable the new version packages, you need to append the option --with-template=feature/ovs-2.7.0
to your configuration.

NOTE: qemu 2.7 can only be built with host gcc 4.8 or later, so please check your host gcc version
before enabling the template.

3) The fix for apache2 CVE-2016-8743

The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility
issues with clients that do not strictly follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing
restrictions, at the expense of security.

8.0.0.18:

1) We upgrade MariaDB to 5.5.55

2) Change to gdb.sh in an SDK

The gdb.sh script, which is in the scripts directory of an SDK, is used to
start a gdb session with gdb set to look for source files in the target image
installed under export/dist in the SDK.

In prior releases, gdb.sh wrote an initialization file into the SDK
so the installation could not be read-only.  The script has been modified to
create the initialization file in a temporary file which would usually be
in the /tmp directory.  The file is created with the mktemp command, so it will
be uniquely named.

8.0.0.17:

We plan to upgrade MariaDB to 5.5.55 in 8.0.0.18 to fix the CVEs:

CVE-2017-3329
CVE-2017-3453
CVE-2017-3309
CVE-2017-3600
CVE-2017-3308
CVE-2017-3305
CVE-2017-3456
CVE-2017-3462
CVE-2017-3463
CVE-2017-3461
CVE-2017-3464

8.0.0.16:

We add new version ntp 4.2.8p10 to fix following CVEs

CVE-2017-6464
CVE-2017-6462
CVE-2017-6463
CVE-2017-6458
CVE-2017-6451
CVE-2017-6460
CVE-2016-9042

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p10 to enable ntp 4.2.8.p10.

8.0.0.15:

1) We upgrade MariaDB to 5.5.54

2) We plan to add new ntp 4.2.8.p10 in 8.0.0.16 to fix a bundle of CVEs

8.0.0.14:

1) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=a9db40da62c13b0010ce5afc1fde16d987bdfbc6

2) We plan to upgrade MariaDB to 5.5.54 in 8.0.0.15 to fix a bundle of CVEs.

8.0.0.12:

1) We upgrade MariaDB to 5.5.53

2) We added the new version ntp 4.2.8p9 in order to fix following CVEs

CVE-2016-9311
CVE-2016-9310
CVE-2016-7427
CVE-2016-7428
CVE-2016-9312
CVE-2016-7431
CVE-2016-7434
CVE-2016-7429
CVE-2016-7426
CVE-2016-7433

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p9 to enable ntp 4.2.8.p9.


8.0.0.11:

1) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=39ef8e22b52d3f5daa853aa7866145e9c5469d4b

8.0.0.9:

1) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=a27b907dd3ad20fc60b7732c19012793aaaba2df

8.0.0.8:

1) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=1f4bfa33073584c25396d74f3929f263f3df188b

8.0.0.7:

We add new version ntp 4.2.8p8 in order to fix following CVEs

CVE-2016-1551
CVE-2016-1549
CVE-2016-2516
CVE-2016-2517
CVE-2016-2518
CVE-2016-2519
CVE-2016-1547
CVE-2016-1548
CVE-2015-7704
CVE-2016-1550
CVE-2016-4957
CVE-2016-4953
CVE-2016-4954
CVE-2016-4955
CVE-2016-4956

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p8 to enable ntp 4.2.8.p8.

8.0.0.6:

1) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=69b1e25a53255433262178b91ab3e328768ad725

2) We plan to upgrade MariaDB to 5.5.49 in RCPL 7

8.0.0.5:

1) Upgrade linux kernel version from 4.1.18 to 4.1.21

2) Rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=28032d8c3122b75ceb3f4a664a2b478c9a9a6a2c

[YOCTO #9379]
[YOCTO #9357]
[YOCTO #9265]

3) Add X server resource database utility - xrdb 1.1.0

8.0.0.4:

1) Disable SSLv2 default build, default negotiation and weak ciphers.

FYI
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2":

https://www.drownattack.com/drown-attack-paper.pdf

The packages 'monit' and 'python-m2crypto' call SSLv2_method() by default, so SSLv2 is
disabled in both packages.

2) We rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=883c38cf0e59082276f933f9b47e276b6b88270f

3) We add new version ntp 4.2.8p6 in order to fix following CVEs

CVE-2015-7974
CVE-2015-8158 
CVE-2015-7976
CVE-2015-7973
CVE-2015-7978
CVE-2015-8138
CVE-2015-7977
CVE-2015-7979
CVE-2015-8139
CVE-2015-8140
CVE-2015-5300

The default version is still 4.2.8p4. 

configure ... --with-template=feature/ntp428p6 to enable ntp 4.2.8.p6.

4) We add new version webkitgtk 2.10.9 to fix many CVEs

FYI
http://webkitgtk.org/security/WSA-2016-0002.html

The default version is still 2.8.5. 

configure ... --with-template=feature/webkitgtk2109 to enable webkitgtk 2.10.9.

8.0.0.3:

1) We rebase the Yocto 2.0 stable tree

Update to the commit

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=c99ed6b73f397906475c09323b03b53deb83de55

[YOCTO #9197]
[YOCTO #9067]
[YOCTO #8553]
[YOCTO #8693]
[YOCTO #8854]

2) We upgrade linux kernel version from 4.1.17 to 4.1.18

8.0.0.2:

1) We upgrade linux kernel version from 4.1.15 to 4.1.17

2) We rebase the Yocto 2.0 stable tree. The last commit we merged from upstream is

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=824a43c30b99971a382abd5edcf126f96cf4d485

[YOCTO #8739]
[YOCTO #8869]
[YOCTO #8611]
[YOCTO #8243]
[YOCTO #8971]
[YOCTO #8966]
[YOCTO #8028]
[YOCTO #8509]
[YOCTO #8825]
[YOCTO #8839]
[YOCTO #8625]
[YOCTO #8658]
[YOCTO #8661]
[YOCTO #8639]
[YOCTO #8645]
[YOCTO #8124]
[YOCTO #8562]

3) We upgrade MariaDB to 5.5.47 in order to integrate the following CVE fixes:
CVE-2016-0505
CVE-2016-0546
CVE-2016-0596
CVE-2016-0597
CVE-2016-0598
CVE-2016-0600
CVE-2016-0606
CVE-2016-0608
CVE-2016-0609
CVE-2016-0616

8.0.0.1:

1) We upgrade linux kernel version from 4.1.13 to 4.1.15

2) We rebase the Yocto 2.0 stable tree. The last commit we merged from upstream is

http://git.openembedded.org/openembedded-core/commit/?h=jethro&id=224bcc2ead676600bcd9e290ed23d9b2ed2f481e

[YOCTO #8709]
[YOCTO #8710]
[YOCTO #8448]

BSP Updates:

8.0.0.25:
     xilinx-zynqmp: SCP 8 Support for Xilinx Zynq UltraScale

8.0.0.22:
     fsl-ls1021atwr: EPIC: LIN8-6638: Validate LS1021-TWR on existing LS1021-IoT BSP in WRL8
     fsl-ls1046: EPIC: [NEW] NXP LS1046
     cav_octeon3: Update cav_octeon3 from SDK 3.1.1 to 3.1.2-568

8.0.0.20:
     nxp-ls1012: EPIC: [NEW] WRL8 BSP for NXP LS1012A RDB
     renesas-rcar3: EPIC: [NEW] Renesas R-Car H3 (Salvator-X) in WRL8
     fsl-ls1043: EPIC: [Update] LS1043 - Add support for Rev 1.1 (WRL8)

8.0.0.18:
     nxp-imx7: EPIC: [NEW] Add NXP i.MX7 support in WRL8

8.0.0.17:
     intel-apollolake-i: [update] Intel Apollo Lake BSP update to yocto MR2 version

8.0.0.12:
     rose-apple-pi: EPIC: [NEW] Add Roseapple Pi support - WRL8

8.0.0.11:
     fsl-imx6: Freescale i.MX6 rebase to kernel 4.1 SDK
     intel-apollolake-i: EPIC: [update] intel-x86: update Apollo Lake (Broxton) to Yocto gold release - WRL8
     xilinx-zynqmp: EPIC: [NEW] Xilinx Ultrascale MPSoC - ZCU102

8.0.0.10:
     mv-armada-38x: Marvell Armada 385

8.0.0.9:
     fsl-t4xxx: Freescale T4240 (FSL SDK 2.0 based)
     fsl-p2020: Freescale e500v2 fsl-p2020 BSP (SDK 1.8 Based)
     fsl-ls1043: Freescale LS1043 - based on SDK 2.0

8.0.0.7:
     altera-socfpga: Altera Arria 10
     fsl-ls20xx: EPIC: [CF] Freescale LS2085

8.0.0.5:
     fsl-t4xxx: Freescale T4240 (FSL SDK 1.8 based)
     axxiaarm64: add BSP axxiaarm64
     ti-am335x: add TI AM335X

8.0.0.4:
     fsl-imx6: Freescale i.MX6
     intel-x86: add support for Intel Compute Stick
                Add Broadwell-DE support

8.0.0.3:
     fsl-ls10xx: Freescale LS1021 

8.0.0.2:
     altera-socfpga: Add BSP altera-socfpga
     fsl-e500mc: add fsl-e500mc BSP

8.0.0.1:
     xilinx-zynq: [Update] Add Avnet Mini-ITX, MicroZED, PicoZED
     axxiaarm: [Add] LSI AXM55xx