[OE-core][nanbield 0/7] Patch review

[OE-core][nanbield 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for nanbield and have comments back by
end of day Friday, March 15

Passsed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6674

The following changes since commit d88e0fa7c5e6c8252f8f775996f512a37fea4818:

  kernel.bbclass: Set pkg-config variables for building modules (2024-03-08 12:33:07 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/nanbield-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/nanbield-nut

Dhairya Nagodra (1):
  xwayland: upgrade 23.2.3 -> 23.2.4

Lee Chee Yang (1):
  libxml2: upgrade to 2.11.7

Simone Weiß (1):
  gnutls: Upgrade 3.8.2 -> 3.8.3

Soumya Sambu (1):
  bind: Upgrade 9.18.21 -> 9.18.24

Wang Mingyu (3):
  python3-jinja2: upgrade 3.1.2 -> 3.1.3
  bind: upgrade 9.18.20 -> 9.18.21
  gnutls: upgrade 3.8.1 -> 3.8.2

 ...nd-ensure-searching-for-json-headers-searches-sysr.patch | 6 +++---
 .../bind/{bind_9.18.20.bb => bind_9.18.24.bb}               | 2 +-
 .../libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb}         | 2 +-
 .../{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb}    | 2 +-
 .../xwayland/{xwayland_23.2.3.bb => xwayland_23.2.4.bb}     | 2 +-
 .../gnutls/{gnutls_3.8.1.bb => gnutls_3.8.3.bb}             | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.20.bb => bind_9.18.24.bb} (97%)
 rename meta/recipes-core/libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb} (97%)
 rename meta/recipes-devtools/python/{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb} (92%)
 rename meta/recipes-graphics/xwayland/{xwayland_23.2.3.bb => xwayland_23.2.4.bb} (95%)
 rename meta/recipes-support/gnutls/{gnutls_3.8.1.bb => gnutls_3.8.3.bb} (97%)

-- 
2.34.1

[OE-core][nanbield 1/7] xwayland: upgrade 23.2.3 -> 23.2.4

[Steve Sakoman]

From: Dhairya Nagodra <dnagodra@cisco.com>

Includes fixes for CVE-2023-6816, CVE-2024-0408, CVE-2024-0409

Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xwayland/{xwayland_23.2.3.bb => xwayland_23.2.4.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/xwayland/{xwayland_23.2.3.bb => xwayland_23.2.4.bb} (95%)

diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.4.bb
similarity index 95%
rename from meta/recipes-graphics/xwayland/xwayland_23.2.3.bb
rename to meta/recipes-graphics/xwayland/xwayland_23.2.4.bb
index 9aa7b4dfcd..092359172a 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.4.bb
@@ -10,7 +10,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
 
 SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz"
-SRC_URI[sha256sum] = "eb9d9aa7232c47412c8835ec15a97c575f03563726c787754ff0c019bd07e302"
+SRC_URI[sha256sum] = "a99e159b6d0d33098b3b6ab22a88bfcece23c8b9d0ca72c535c55dcb0681b46b"
 
 UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
 
-- 
2.34.1

[OE-core][nanbield 2/7] libxml2: upgrade to 2.11.7

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

libxml2 2.11.7
Security
[CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking

libxml2 2.11.6
Regressions
threads: Fix --with-thread-alloc
xinclude: Fix 'last' pointer in xmlXIncludeCopyNode

Bug fixes
parser: Fix potential use-after-free in xmlParseCharDataInternal

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb}             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb} (97%)

diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.7.bb
similarity index 97%
rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
rename to meta/recipes-core/libxml/libxml2_2.11.7.bb
index fc82912df2..482ce9042d 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.7.bb
@@ -18,7 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://install-tests.patch \
            "
 
-SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
+SRC_URI[archive.sha256sum] = "fb27720e25eaf457f94fd3d7189bcf2626c6dccf4201553bc8874d50e3560162"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
 # Disputed as a security issue, but fixed in d39f780
-- 
2.34.1

[OE-core][nanbield 3/7] python3-jinja2: upgrade 3.1.2 -> 3.1.3

[Steve Sakoman]

From: Wang Mingyu <wangmy@fujitsu.com>

Changelog:
==========
-Fix compiler error when checking if required blocks in parent templates are empty.
-xmlattr filter does not allow keys with spaces.
-Make error messages stemming from invalid nesting of {% trans %} blocks more helpful

upgrade include fix for CVE-2024-22195.
(cherry-pick from Oe-Core rev 8a0524464583d69df7746253f5020c2c125a8e1f)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb} (92%)

diff --git a/meta/recipes-devtools/python/python3-jinja2_3.1.2.bb b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb
similarity index 92%
rename from meta/recipes-devtools/python/python3-jinja2_3.1.2.bb
rename to meta/recipes-devtools/python/python3-jinja2_3.1.3.bb
index fa6d930a9c..18057809c8 100644
--- a/meta/recipes-devtools/python/python3-jinja2_3.1.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://pypi.org/project/Jinja2/"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
 
-SRC_URI[sha256sum] = "31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852"
+SRC_URI[sha256sum] = "ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90"
 
 PYPI_PACKAGE = "Jinja2"
 
-- 
2.34.1

[OE-core][nanbield 4/7] bind: upgrade 9.18.20 -> 9.18.21

[Steve Sakoman]

From: Wang Mingyu <wangmy@fujitsu.com>

bind-ensure-searching-for-json-headers-searches-sysr.patch
refreshed for 9.18.21

Changelog:
==========
-Improve LRU cleaning behaviour.
-The "resolver-nonbackoff-tries" and "resolver-retry-interval" options are
 deprecated; a warning will be logged if they are used.
-BIND might sometimes crash after startup or re-configuration when one 'tls'
 entry is used multiple times to connect to remote servers due to initialisation
 attempts from contexts of multiple threads. That has been fixed.
-Dig +yaml will now report "no servers could be reached" also for UDP setup
 failure when no other servers or tries are left.
-Recognize escapes when reading the public key from file.
-Dig +yaml will now report "no servers could be reached" on TCP connection
 failure as well as for UDP timeouts.
-Deprecate AES-based DNS cookies.

(cherry-pick from Oe-core rev b750d54622a0fa0a35d83ddc59f07661e903360b)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...nd-ensure-searching-for-json-headers-searches-sysr.patch | 6 +++---
 .../bind/{bind_9.18.20.bb => bind_9.18.21.bb}               | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.20.bb => bind_9.18.21.bb} (97%)

diff --git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f1abd179e8..38d07cae39 100644
--- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From 246087f89e9434b726c7884e4c0964f71084f091 Mon Sep 17 00:00:00 2001
+From 5ae30329f168c1e8d2e0c3831988a4f3e9096e39 Mon Sep 17 00:00:00 2001
 From: Paul Gortmaker <paul.gortmaker@windriver.com>
 Date: Tue, 9 Jun 2015 11:22:00 -0400
 Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -33,10 +33,10 @@ Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 10e8bf6..bf20690 100644
+index 2ab8ddd..92fe983 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -814,7 +814,7 @@ AS_CASE([$with_lmdb],
+@@ -761,7 +761,7 @@ AS_CASE([$with_lmdb],
  	[no],[],
  	[auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb],
  				       [ac_lib_lmdb_found=yes],
diff --git a/meta/recipes-connectivity/bind/bind_9.18.20.bb b/meta/recipes-connectivity/bind/bind_9.18.21.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.20.bb
rename to meta/recipes-connectivity/bind/bind_9.18.21.bb
index 187685eef5..f5fb4bd1e5 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.20.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.21.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "4b891ebf58d3f2a7ac3dd2682990f528a3448eaa1c992ddc5c141b8587a98ec5"
+SRC_URI[sha256sum] = "a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fec5"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
-- 
2.34.1

[OE-core][nanbield 5/7] bind: Upgrade 9.18.21 -> 9.18.24

[Steve Sakoman]

From: Soumya Sambu <soumya.sambu@windriver.com>

Changelog:
=========
9.18.24:
	- Fix case insensitive setting for isc_ht hashtable.
	[GL #4568]

9.18.23:
	- Specific DNS answers could cause a denial-of-service
	condition due to DNS validation taking a long time.
	(CVE-2023-50387) [GL #4424]
	- Change 6315 inadvertently introduced regressions that
	could cause named to crash. [GL #4234]
	- Under some circumstances, the DoT code in client
	mode could process more than one message at a time when
	that was not expected. That has been fixed. [GL #4487]

9.18.22:
	- Limit isc_task_send() overhead for RBTDB tree pruning.
	[GL #4383]
	- Restore DNS64 state when handling a serve-stale timeout.
	(CVE-2023-5679) [GL #4334]
	- Specific queries could trigger an assertion check with
	nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
	- Speed up parsing of DNS messages with many different
	names. (CVE-2023-4408) [GL #4234]
	- Address race conditions in dns_tsigkey_find().
	[GL #4182]
	- Conversion from NSEC3 signed to NSEC signed could
	temporarily put the zone into a state where it was
	treated as unsigned until the NSEC chain was built.
	Additionally conversion from one set of NSEC3 parameters
	to another could also temporarily put the zone into a
	state where it was treated as unsigned until the new
	NSEC3 chain was built. [GL #1794] [GL #4495]
	- Memory leak in zone.c:sign_zone. When named signed a
	zone it could leak dst_keys due to a misplaced
	'continue'. [GL #4488]
	- Log more details about the cause of "not exact" errors.
	[GL #4500]
	- The wrong time was being used to determine what RRSIGs
	where to be generated when dnssec-policy was in use.
	[GL #4494]
	- The "trust-anchor-telemetry" statement is no longer
	marked as experimental. This silences a relevant log
	message that was emitted even when the feature was
	explicitly disabled. [GL #4497]
	- Fix statistics export to use full 64 bit signed numbers
	instead of truncating values to unsigned 32 bits.
	[GL #4467]
	- NetBSD has added 'hmac' to libc which collides with our
	use of 'hmac'. [GL #4478]

(cherry-pick from Oe-Core rev d7f31aba343948dbaadafc8c0c66f78e6ffb46e3)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/{bind_9.18.21.bb => bind_9.18.24.bb}                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.21.bb => bind_9.18.24.bb} (97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.21.bb b/meta/recipes-connectivity/bind/bind_9.18.24.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.21.bb
rename to meta/recipes-connectivity/bind/bind_9.18.24.bb
index f5fb4bd1e5..2874990320 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.21.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.24.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fec5"
+SRC_URI[sha256sum] = "709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
-- 
2.34.1

[OE-core][nanbield 6/7] gnutls: upgrade 3.8.1 -> 3.8.2

[Steve Sakoman]

From: Wang Mingyu <wangmy@fujitsu.com>

Changelog:
============
** libgnutls: Fix timing side-channel inside RSA-PSK key exchange.
** libgnutls: Add API functions to perform ECDH and DH key agreement
** libgnutls: Added support for AES-GCM-SIV ciphers
** libgnutls: transparent KTLS support is extended to FreeBSD kernel
** gnutls-cli: New option --starttls-name

(cherry-pick from Oe-Core rev 3c01bb0be8ddafa0aa1ad996ec524b51fd28f512)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../recipes-support/gnutls/{gnutls_3.8.1.bb => gnutls_3.8.2.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnutls/{gnutls_3.8.1.bb => gnutls_3.8.2.bb} (97%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.8.1.bb b/meta/recipes-support/gnutls/gnutls_3.8.2.bb
similarity index 97%
rename from meta/recipes-support/gnutls/gnutls_3.8.1.bb
rename to meta/recipes-support/gnutls/gnutls_3.8.2.bb
index 455031dd47..43fb5c4c4e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.1.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.2.bb
@@ -25,7 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://Add-ptest-support.patch \
            "
 
-SRC_URI[sha256sum] = "ba8b9e15ae20aba88f44661978f5b5863494316fe7e722ede9d069fe6294829c"
+SRC_URI[sha256sum] = "e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
 
-- 
2.34.1

[OE-core][nanbield 7/7] gnutls: Upgrade 3.8.2 -> 3.8.3

[Steve Sakoman]

From: Simone Weiß <simone.p.weiss@posteo.com>

Upgrade version to adress recent CVE findings.

Changelog
=========
** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
   [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]

** libgnutls: Fix assertion failure when verifying a certificate chain with a
   cycle of cross signatures
   [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]

** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
   certtool was unable to handle Ed25519 keys generated on PKCS#11
   with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.

(cherry-pick from Oe-Core rev 705d2972b38efc9f331e3635c07ca92f8812b365)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../recipes-support/gnutls/{gnutls_3.8.2.bb => gnutls_3.8.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnutls/{gnutls_3.8.2.bb => gnutls_3.8.3.bb} (97%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.8.2.bb b/meta/recipes-support/gnutls/gnutls_3.8.3.bb
similarity index 97%
rename from meta/recipes-support/gnutls/gnutls_3.8.2.bb
rename to meta/recipes-support/gnutls/gnutls_3.8.3.bb
index 43fb5c4c4e..27d6753be0 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.2.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.3.bb
@@ -25,7 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://Add-ptest-support.patch \
            "
 
-SRC_URI[sha256sum] = "e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77"
+SRC_URI[sha256sum] = "f74fc5954b27d4ec6dfbb11dea987888b5b124289a3703afcada0ee520f4173e"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
 
-- 
2.34.1