Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9cfcd906cff299ef83b48681e50bcef9df124ad4
rpi-buildroot/package/netdata/netdata.mk
Titouan Christophe 9cfcd906cf package/netdata: security bump to v1.37.1 
Do not bump to a more recent version, as the build system has
fundamentally changed.

See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1

In addition, add upstream patch to fix cross-compilation.

This fixes the following vulnerabilities:
- CVE-2023-22496:
    Netdata is an open source option for real-time infrastructure
    monitoring and troubleshooting. An attacker with the ability to
    establish a streaming connection can execute arbitrary commands on the
    targeted Netdata agent. When an alert is triggered, the function
    `health_alarm_execute` is called. This function performs different
    checks and then enqueues a command by calling `spawn_enq_cmd`. This
    command is populated with several arguments that are not sanitized.
    One of them is the `registry_hostname` of the node for which the alert
    is raised. By providing a specially crafted `registry_hostname` as
    part of the health data that is streamed to a Netdata (parent) agent,
    an attacker can execute arbitrary commands at the remote host as a
    side-effect of the raised alert. Note that the commands are executed
    as the user running the Netdata Agent. This user is usually named
    `netdata`. The ability to run arbitrary commands may allow an attacker
    to escalate privileges by escalating other vulnerabilities in the
    system, as that user. The problem has been fixed in: Netdata agent
    v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
    workaround, streaming is not enabled by default. If you have
    previously enabled this, it can be disabled. Limiting access to the
    port on the recipient Agent to trusted child connections may mitigate
    the impact of this vulnerability.
    https://www.cve.org/CVERecord?id=CVE-2023-22496

- CVE-2023-22497:
    Netdata is an open source option for real-time infrastructure
    monitoring and troubleshooting. Each Netdata Agent has an
    automatically generated MACHINE GUID. It is generated when the agent
    first starts and it is saved to disk, so that it will persist across
    restarts and reboots. Anyone who has access to a Netdata Agent has
    access to its MACHINE_GUID. Streaming is a feature that allows a
    Netdata Agent to act as parent for other Netdata Agents (children),
    offloading children from various functions (increased data retention,
    ML, health monitoring, etc) that can now be handled by the parent
    Agent. Configuration is done via `stream.conf`. On the parent side,
    users configure in `stream.conf` an API key (any random UUID can do)
    to provide common configuration for all children using this API key
    and per MACHINE GUID configuration to customize the configuration for
    each child. The way this was implemented, allowed an attacker to use a
    valid MACHINE_GUID as an API key. This affects all users who expose
    their Netdata Agents (children) to non-trusted users and they also
    expose to the same users Netdata Agent parents that aggregate data
    from all these children. The problem has been fixed in: Netdata agent
    v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
    workaround, do not enable streaming by default. If you have previously
    enabled this, it can be disabled. Limiting access to the port on the
    recipient Agent to trusted child connections may mitigate the impact
    of this vulnerability.
    https://www.cve.org/CVERecord?id=CVE-2023-22497

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-10-24 22:59:00 +02:00

104 lines
2.6 KiB
Makefile
Raw Blame History

################################################################################
#
# netdata
#
################################################################################
NETDATA_VERSION = 1.37.1
NETDATA_SOURCE = netdata-v$(NETDATA_VERSION).tar.gz
NETDATA_SITE = \
https://github.com/netdata/netdata/releases/download/v$(NETDATA_VERSION)
NETDATA_LICENSE = GPL-3.0+
NETDATA_LICENSE_FILES = LICENSE
NETDATA_CPE_ID_VENDOR = netdata
NETDATA_CONF_OPTS = \
--disable-cloud \
--disable-dbengine \
--disable-ebpf \
--disable-ml \
--disable-unit-tests
NETDATA_DEPENDENCIES = libuv util-linux zlib
# 0001-libjudy-remove-JudyLTablesGen.patch
NETDATA_AUTORECONF = YES
# ac_cv_prog_cc_c99 is required for BR2_USE_WCHAR=n because the C99 test
# provided by autoconf relies on wchar_t.
NETDATA_CONF_ENV = ac_cv_prog_cc_c99=-std=gnu99
ifeq ($(BR2_ENABLE_LTO),y)
NETDATA_CONF_OPTS += --enable-lto
else
NETDATA_CONF_OPTS += --disable-lto
endif
ifeq ($(BR2_PACKAGE_CUPS),y)
NETDATA_CONF_OPTS += --enable-plugin-cups
NETDATA_DEPENDENCIES += cups
else
NETDATA_CONF_OPTS += --disable-plugin-cups
endif
ifeq ($(BR2_PACKAGE_FREEIPMI),y)
NETDATA_CONF_OPTS += --enable-plugin-freeipmi
NETDATA_DEPENDENCIES += freeipmi
else
NETDATA_CONF_OPTS += --disable-plugin-freeipmi
endif
ifeq ($(BR2_PACKAGE_JSON_C),y)
NETDATA_CONF_OPTS += --enable-jsonc
NETDATA_DEPENDENCIES += json-c
else
NETDATA_CONF_OPTS += --disable-jsonc
endif
ifeq ($(BR2_PACKAGE_LIBCAP),y)
NETDATA_CONF_OPTS += --with-libcap
NETDATA_DEPENDENCIES += libcap
else
NETDATA_CONF_OPTS += --without-libcap
endif
ifeq ($(BR2_PACKAGE_LZ4),y)
NETDATA_CONF_OPTS += --enable-compression
NETDATA_DEPENDENCIES += lz4
else
NETDATA_CONF_OPTS += --disable-compression
endif
ifeq ($(BR2_PACKAGE_NFACCT),y)
NETDATA_CONF_OPTS += --enable-plugin-nfacct
NETDATA_DEPENDENCIES += nfacct
else
NETDATA_CONF_OPTS += --disable-plugin-nfacct
endif
ifeq ($(BR2_PACKAGE_OPENSSL),y)
NETDATA_CONF_OPTS += --enable-https
NETDATA_DEPENDENCIES += openssl
else
NETDATA_CONF_OPTS += --disable-https
endif
ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
NETDATA_CONF_ENV += LIBS=-latomic
endif
ifeq ($(BR2_PACKAGE_NETDATA_PROMETHEUS),y)
# Override the result of AC_PATH_PROG([CXX_BINARY], [${CXX}], [no])
# which fails because CXX is set to the full CXX binary path
NETDATA_CONF_ENV += ac_cv_path_CXX_BINARY=yes
NETDATA_CONF_OPTS += --enable-backend-prometheus-remote-write
NETDATA_DEPENDENCIES += protobuf snappy
else
NETDATA_CONF_OPTS += --disable-backend-prometheus-remote-write
endif
define NETDATA_INSTALL_INIT_SYSV
$(INSTALL) -D -m 755 package/netdata/S60netdata \
$(TARGET_DIR)/etc/init.d/S60netdata
endef
$(eval $(autotools-package))
Reference in New Issue View Git Blame Copy Permalink