* [OE-core][scarthgap 00/10] Patch review
@ 2024-06-11 13:07 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2024-06-11 13:07 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, June 13.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7024

The following changes since commit a3f5ac9f9fee2c8e10fec7c3f758e49513fef724:

  git: set --with-gitconfig=/etc/gitconfig for -native builds (2024-05-31 14:02:17 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Deepthi Hemraj (1):
  gcc : upgrade to v13.3

Lei Maohui (1):
  run-postinsts.service: Removed --no-reload to fix reload warning when
    users execute systemctl in the first boot.

Mark Hatle (1):
  binutils: Fix aarch64 disassembly abort

Martin Hundebøll (1):
  classes: image_types: quote variable assignment needed by dash

Robert Joslyn (1):
  libgloss: Do not apply non-existent patch

Ross Burton (1):
  gdk-pixbuf: upgrade 2.42.11 -> 2.42.12

Siddharth (1):
  openssl: Upgrade 3.2.1 -> 3.2.2

Soumya Sambu (2):
  util-linux: Fix CVE-2024-28085
  git: upgrade 2.44.0 -> 2.44.1

Wang Mingyu (1):
  gdk-pixbuf: upgrade 2.42.10 -> 2.42.11

 meta/classes-recipe/image_types.bbclass       |    2 +-
 meta/conf/distro/include/maintainers.inc      |    2 +-
 .../openssl/openssl/CVE-2024-2511.patch       |  120 -
 .../openssl/openssl/CVE-2024-4603.patch       |  179 -
 .../openssl/openssl/bti.patch                 |   58 -
 .../{openssl_3.2.1.bb => openssl_3.2.2.bb}    |    5 +-
 meta/recipes-core/newlib/libgloss_git.bb      |    1 -
 meta/recipes-core/util-linux/util-linux.inc   |    2 +
 .../util-linux/CVE-2024-28085-0001.patch      |   36 +
 .../util-linux/CVE-2024-28085-0002.patch      |   34 +
 .../binutils/binutils-2.42.inc                |    1 +
 ...sserts-from-operand-qualifier-decode.patch |  382 ++
 .../gcc/{gcc-13.2.inc => gcc-13.3.inc}        |    9 +-
 ...ian_13.2.bb => gcc-cross-canadian_13.3.bb} |    0
 .../{gcc-cross_13.2.bb => gcc-cross_13.3.bb}  |    0
 ...-crosssdk_13.2.bb => gcc-crosssdk_13.3.bb} |    0
 ...cc-runtime_13.2.bb => gcc-runtime_13.3.bb} |    0
 ...itizers_13.2.bb => gcc-sanitizers_13.3.bb} |    0
 ...{gcc-source_13.2.bb => gcc-source_13.3.bb} |    0
 ...AMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch |    9 +-
 ...ch64-Fix-loose-ldpstp-check-PR111411.patch |  117 -
 .../gcc/gcc/CVE-2023-4039.patch               | 3093 -----------------
 .../gcc/gcc/CVE-2024-0151.patch               |  315 --
 .../gcc/{gcc_13.2.bb => gcc_13.3.bb}          |    0
 ...initial_13.2.bb => libgcc-initial_13.3.bb} |    0
 .../gcc/{libgcc_13.2.bb => libgcc_13.3.bb}    |    0
 ...ibgfortran_13.2.bb => libgfortran_13.3.bb} |    0
 .../git/{git_2.44.0.bb => git_2.44.1.bb}      |    2 +-
 .../run-postinsts/run-postinsts.service       |    2 +-
 ...w-a-subset-of-tests-in-cross-compile.patch |   10 +-
 .../gdk-pixbuf/gdk-pixbuf/fatal-loader.patch  |    7 +-
 ...ixbuf_2.42.10.bb => gdk-pixbuf_2.42.12.bb} |    2 +-
 32 files changed, 479 insertions(+), 3909 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/bti.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.1.bb => openssl_3.2.2.bb} (97%)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0016-aarch64-Remove-asserts-from-operand-qualifier-decode.patch
 rename meta/recipes-devtools/gcc/{gcc-13.2.inc => gcc-13.3.inc} (94%)
 rename meta/recipes-devtools/gcc/{gcc-cross-canadian_13.2.bb => gcc-cross-canadian_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-cross_13.2.bb => gcc-cross_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-crosssdk_13.2.bb => gcc-crosssdk_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-runtime_13.2.bb => gcc-runtime_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-sanitizers_13.2.bb => gcc-sanitizers_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-source_13.2.bb => gcc-source_13.3.bb} (100%)
 delete mode 100644 meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch
 delete mode 100644 meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch
 delete mode 100644 meta/recipes-devtools/gcc/gcc/CVE-2024-0151.patch
 rename meta/recipes-devtools/gcc/{gcc_13.2.bb => gcc_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgcc-initial_13.2.bb => libgcc-initial_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgcc_13.2.bb => libgcc_13.3.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgfortran_13.2.bb => libgfortran_13.3.bb} (100%)
 rename meta/recipes-devtools/git/{git_2.44.0.bb => git_2.44.1.bb} (98%)
 rename meta/recipes-gnome/gdk-pixbuf/{gdk-pixbuf_2.42.10.bb => gdk-pixbuf_2.42.12.bb} (98%)

-- 
2.34.1




* [OE-core][scarthgap 00/10] Patch review
@ 2024-08-08  2:28 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2024-08-08  2:28 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Friday, August 9

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7220

with the exception of a load related parsing failure on qemuarm64-armhost
which passed on subsequent re-test:

https://autobuilder.yoctoproject.org/typhoon/#/builders/97/builds/8717

The following changes since commit 136a25567499191b23a4d000a06bf83a473224ca:

  rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS (2024-08-03 11:45:57 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Archana Polampalli (1):
  ffmpeg: fix CVE-2024-31582

Ashish Sharma (1):
  bind: Upgrade 9.18.25 -> 9.18.28

Changqing Li (2):
  curl: correct the PACKAGECONFIG for native/nativesdk
  libpng: update SRC_URI

Peter Marko (4):
  curl: Patch CVE-2024-6197
  glibc: cleanup old cve status
  qemu: set cve status for CVE-2023-6683
  libmnl: explicitly disable doxygen

Richard Purdie (1):
  nasm: Upgrade 2.16.01 -> 2.16.03

Wang Mingyu (1):
  orc: upgrade 0.4.38 -> 0.4.39

 .../bind/{bind_9.18.25.bb => bind_9.18.28.bb} |  2 +-
 meta/recipes-core/glibc/glibc-version.inc     |  2 --
 .../nasm/{nasm_2.16.01.bb => nasm_2.16.03.bb} |  2 +-
 .../orc/{orc_0.4.38.bb => orc_0.4.39.bb}      |  2 +-
 meta/recipes-devtools/qemu/qemu.inc           |  2 ++
 meta/recipes-extended/libmnl/libmnl_1.0.5.bb  |  2 ++
 .../ffmpeg/ffmpeg/CVE-2024-31582.patch        | 34 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |  1 +
 .../libpng/libpng_1.6.42.bb                   |  2 +-
 .../curl/curl/CVE-2024-6197.patch             | 24 +++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  5 +--
 11 files changed, 70 insertions(+), 8 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.25.bb => bind_9.18.28.bb} (97%)
 rename meta/recipes-devtools/nasm/{nasm_2.16.01.bb => nasm_2.16.03.bb} (88%)
 rename meta/recipes-devtools/orc/{orc_0.4.38.bb => orc_0.4.39.bb} (92%)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31582.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-6197.patch

-- 
2.34.1




* [OE-core][scarthgap 00/10] Patch review
@ 2024-10-07  1:54 Steve Sakoman
  2024-10-07  3:23 ` Khem Raj
  0 siblings, 1 reply; 20+ messages in thread
From: Steve Sakoman @ 2024-10-07  1:54 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, October 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7374

The following changes since commit 3d894863f442188bad446095bd7fdd82665bb54b:

  makedevs: Fix issue when rootdir of / is given (2024-09-28 05:21:51 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Deepesh Varatharajan (1):
  glibc: stable 2.39 branch updates.

Hitendra Prajapati (1):
  webkitgtk: upgrade 2.44.1 -> 2.44.3

Khem Raj (2):
  gnupg: Document CVE-2022-3219 and mark wontfix
  openssh: Mark CVE-2023-51767 as wont-fix

Martin Jansa (2):
  populate_sdk_base: inherit nopackages
  meta-world-pkgdata: Inherit nopackages

Peter Marko (3):
  wpa-supplicant: Ignore CVE-2024-5290
  wpa-supplicant: Patch CVE-2024-3596
  wpa-supplicant: Patch security advisory 2024-2

Wang Mingyu (1):
  cryptodev: upgrade 1.13 -> 1.14

 meta/classes-recipe/populate_sdk_base.bbclass |   2 +-
 .../openssh/openssh_9.6p1.bb                  |   1 +
 ...valid-Rejected-Groups-element-length.patch |  52 ++++++
 ...valid-Rejected-Groups-element-length.patch |  50 ++++++
 ...id-Rejected-Groups-element-in-the-pa.patch |  38 ++++
 .../wpa-supplicant/CVE-2024-3596_00.patch     |  82 +++++++++
 .../wpa-supplicant/CVE-2024-3596_01.patch     | 165 ++++++++++++++++++
 .../wpa-supplicant/CVE-2024-3596_02.patch     |  62 +++++++
 .../wpa-supplicant/CVE-2024-3596_03.patch     |  37 ++++
 .../wpa-supplicant/CVE-2024-3596_04.patch     |  52 ++++++
 .../wpa-supplicant/CVE-2024-3596_05.patch     |  51 ++++++
 .../wpa-supplicant/CVE-2024-3596_06.patch     |  46 +++++
 .../wpa-supplicant/CVE-2024-3596_07.patch     |  67 +++++++
 .../wpa-supplicant/CVE-2024-3596_08.patch     |  47 +++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  14 ++
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 meta/recipes-core/meta/meta-world-pkgdata.bb  |   1 +
 ...-linux_1.13.bb => cryptodev-linux_1.14.bb} |   0
 ...odule_1.13.bb => cryptodev-module_1.14.bb} |   3 -
 ...-tests_1.13.bb => cryptodev-tests_1.14.bb} |   4 -
 meta/recipes-kernel/cryptodev/cryptodev.inc   |   4 +-
 ...ng-header-file-provided-by-another-p.patch |  25 ---
 ...001-tests-Makefile-do-not-use-Werror.patch |  25 ---
 ...able-to-control-macro-__PAS_ALWAYS_I.patch |   6 +-
 ...spection.cmake-prefix-variables-obta.patch |   2 +-
 ...fic-declarations-in-FELighting.h-unn.patch |  44 -----
 ...icDowncast-adoption-in-platform-code.patch |  65 -------
 ...d5e22213fdaca2a29ec3400c927d710a37a8.patch |   2 +-
 .../webkit/webkitgtk/no-musttail-arm.patch    |   6 +-
 .../webkit/webkitgtk/reproducibility.patch    |   2 +-
 .../webkit/webkitgtk/t6-not-declared.patch    |  12 +-
 ...ebkitgtk_2.44.1.bb => webkitgtk_2.44.3.bb} |   6 +-
 meta/recipes-support/gnupg/gnupg_2.4.4.bb     |   1 +
 33 files changed, 786 insertions(+), 190 deletions(-)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_00.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_02.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_03.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_04.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_05.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_06.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_07.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_08.patch
 rename meta/recipes-kernel/cryptodev/{cryptodev-linux_1.13.bb => cryptodev-linux_1.14.bb} (100%)
 rename meta/recipes-kernel/cryptodev/{cryptodev-module_1.13.bb => cryptodev-module_1.14.bb} (74%)
 rename meta/recipes-kernel/cryptodev/{cryptodev-tests_1.13.bb => cryptodev-tests_1.14.bb} (74%)
 delete mode 100644 meta/recipes-kernel/cryptodev/files/0001-Disable-installing-header-file-provided-by-another-p.patch
 delete mode 100644 meta/recipes-kernel/cryptodev/files/0001-tests-Makefile-do-not-use-Werror.patch
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Remove-ARM-specific-declarations-in-FELighting.h-unn.patch
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-More-dynamicDowncast-adoption-in-platform-code.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.44.1.bb => webkitgtk_2.44.3.bb} (96%)

-- 
2.34.1




* Re: [OE-core][scarthgap 00/10] Patch review
  2024-10-07  1:54 Steve Sakoman
@ 2024-10-07  3:23 ` Khem Raj
  0 siblings, 0 replies; 20+ messages in thread
From: Khem Raj @ 2024-10-07  3:23 UTC (permalink / raw)
  To: steve; +Cc: openembedded-core

series looks ok to me.

On Sun, Oct 6, 2024 at 6:55 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, October 8
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7374
>
> The following changes since commit 3d894863f442188bad446095bd7fdd82665bb54b:
>
>   makedevs: Fix issue when rootdir of / is given (2024-09-28 05:21:51 -0700)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> Deepesh Varatharajan (1):
>   glibc: stable 2.39 branch updates.
>
> Hitendra Prajapati (1):
>   webkitgtk: upgrade 2.44.1 -> 2.44.3
>
> Khem Raj (2):
>   gnupg: Document CVE-2022-3219 and mark wontfix
>   openssh: Mark CVE-2023-51767 as wont-fix
>
> Martin Jansa (2):
>   populate_sdk_base: inherit nopackages
>   meta-world-pkgdata: Inherit nopackages
>
> Peter Marko (3):
>   wpa-supplicant: Ignore CVE-2024-5290
>   wpa-supplicant: Patch CVE-2024-3596
>   wpa-supplicant: Patch security advisory 2024-2
>
> Wang Mingyu (1):
>   cryptodev: upgrade 1.13 -> 1.14
>
>  meta/classes-recipe/populate_sdk_base.bbclass |   2 +-
>  .../openssh/openssh_9.6p1.bb                  |   1 +
>  ...valid-Rejected-Groups-element-length.patch |  52 ++++++
>  ...valid-Rejected-Groups-element-length.patch |  50 ++++++
>  ...id-Rejected-Groups-element-in-the-pa.patch |  38 ++++
>  .../wpa-supplicant/CVE-2024-3596_00.patch     |  82 +++++++++
>  .../wpa-supplicant/CVE-2024-3596_01.patch     | 165 ++++++++++++++++++
>  .../wpa-supplicant/CVE-2024-3596_02.patch     |  62 +++++++
>  .../wpa-supplicant/CVE-2024-3596_03.patch     |  37 ++++
>  .../wpa-supplicant/CVE-2024-3596_04.patch     |  52 ++++++
>  .../wpa-supplicant/CVE-2024-3596_05.patch     |  51 ++++++
>  .../wpa-supplicant/CVE-2024-3596_06.patch     |  46 +++++
>  .../wpa-supplicant/CVE-2024-3596_07.patch     |  67 +++++++
>  .../wpa-supplicant/CVE-2024-3596_08.patch     |  47 +++++
>  .../wpa-supplicant/wpa-supplicant_2.10.bb     |  14 ++
>  meta/recipes-core/glibc/glibc-version.inc     |   2 +-
>  meta/recipes-core/meta/meta-world-pkgdata.bb  |   1 +
>  ...-linux_1.13.bb => cryptodev-linux_1.14.bb} |   0
>  ...odule_1.13.bb => cryptodev-module_1.14.bb} |   3 -
>  ...-tests_1.13.bb => cryptodev-tests_1.14.bb} |   4 -
>  meta/recipes-kernel/cryptodev/cryptodev.inc   |   4 +-
>  ...ng-header-file-provided-by-another-p.patch |  25 ---
>  ...001-tests-Makefile-do-not-use-Werror.patch |  25 ---
>  ...able-to-control-macro-__PAS_ALWAYS_I.patch |   6 +-
>  ...spection.cmake-prefix-variables-obta.patch |   2 +-
>  ...fic-declarations-in-FELighting.h-unn.patch |  44 -----
>  ...icDowncast-adoption-in-platform-code.patch |  65 -------
>  ...d5e22213fdaca2a29ec3400c927d710a37a8.patch |   2 +-
>  .../webkit/webkitgtk/no-musttail-arm.patch    |   6 +-
>  .../webkit/webkitgtk/reproducibility.patch    |   2 +-
>  .../webkit/webkitgtk/t6-not-declared.patch    |  12 +-
>  ...ebkitgtk_2.44.1.bb => webkitgtk_2.44.3.bb} |   6 +-
>  meta/recipes-support/gnupg/gnupg_2.4.4.bb     |   1 +
>  33 files changed, 786 insertions(+), 190 deletions(-)
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_00.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_01.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_02.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_03.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_04.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_05.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_06.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_07.patch
>  create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_08.patch
>  rename meta/recipes-kernel/cryptodev/{cryptodev-linux_1.13.bb => cryptodev-linux_1.14.bb} (100%)
>  rename meta/recipes-kernel/cryptodev/{cryptodev-module_1.13.bb => cryptodev-module_1.14.bb} (74%)
>  rename meta/recipes-kernel/cryptodev/{cryptodev-tests_1.13.bb => cryptodev-tests_1.14.bb} (74%)
>  delete mode 100644 meta/recipes-kernel/cryptodev/files/0001-Disable-installing-header-file-provided-by-another-p.patch
>  delete mode 100644 meta/recipes-kernel/cryptodev/files/0001-tests-Makefile-do-not-use-Werror.patch
>  delete mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Remove-ARM-specific-declarations-in-FELighting.h-unn.patch
>  delete mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-More-dynamicDowncast-adoption-in-platform-code.patch
>  rename meta/recipes-sato/webkit/{webkitgtk_2.44.1.bb => webkitgtk_2.44.3.bb} (96%)
>
> --
> 2.34.1
>
>



* [OE-core][scarthgap 00/10] Patch review
@ 2024-11-07  3:37 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2024-11-07  3:37 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for scarthgap and have comments back by
end of day Friday, November 8

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/400

The following changes since commit bcd4e6d77dc7455a453e69b6d37769ec94cc02ad:

  lsb-release: fix Distro Codename shell escaping (2024-10-24 06:09:29 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Aditya Tayade (1):
  e2fsprogs: removed 'sed -u' option

Deepthi Hemraj (1):
  rust-llvm: Fix CVE-2024-0151

Hiago De Franco (1):
  weston: backport patch to allow neatvnc < v0.9.0

Martin Jansa (1):
  python3-lxml=v5.0.2

Peter Marko (3):
  cve-check: add support for cvss v4.0
  go: upgrade 1.22.6 -> 1.22.7
  go: upgrade 1.22.7 -> 1.22.8

Richard Purdie (1):
  cve_check: Use a local copy of the database during builds

Vijay Anusuri (1):
  xserver-xorg: upgrade 21.1.13 -> 21.1.14

Wang Mingyu (1):
  orc: upgrade 0.4.39 -> 0.4.40

 meta/classes/cve-check.bbclass                |   16 +-
 .../meta/cve-update-nvd2-native.bb            |   32 +-
 .../e2fsprogs/e2fsprogs/run-ptest             |    3 +-
 .../go/{go-1.22.6.inc => go-1.22.8.inc}       |    2 +-
 ...e_1.22.6.bb => go-binary-native_1.22.8.bb} |    6 +-
 ..._1.22.6.bb => go-cross-canadian_1.22.8.bb} |    0
 ...{go-cross_1.22.6.bb => go-cross_1.22.8.bb} |    0
 ...osssdk_1.22.6.bb => go-crosssdk_1.22.8.bb} |    0
 ...runtime_1.22.6.bb => go-runtime_1.22.8.bb} |    0
 .../go/{go_1.22.6.bb => go_1.22.8.bb}         |    0
 .../orc/{orc_0.4.39.bb => orc_0.4.40.bb}      |    2 +-
 ...n3-lxml_5.0.0.bb => python3-lxml_5.0.2.bb} |    3 +-
 .../0004-llvm-Fix-CVE-2024-0151.patch         | 1086 +++++++++++++++++
 .../recipes-devtools/rust/rust-llvm_1.75.0.bb |    3 +-
 ...1-vnc-Allow-neatvnc-in-version-0.8.0.patch |   27 +
 .../recipes-graphics/wayland/weston_13.0.1.bb |    1 +
 ...org_21.1.13.bb => xserver-xorg_21.1.14.bb} |    2 +-
 17 files changed, 1158 insertions(+), 25 deletions(-)
 rename meta/recipes-devtools/go/{go-1.22.6.inc => go-1.22.8.inc} (89%)
 rename meta/recipes-devtools/go/{go-binary-native_1.22.6.bb => go-binary-native_1.22.8.bb} (78%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.22.6.bb => go-cross-canadian_1.22.8.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.22.6.bb => go-cross_1.22.8.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.22.6.bb => go-crosssdk_1.22.8.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.22.6.bb => go-runtime_1.22.8.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.22.6.bb => go_1.22.8.bb} (100%)
 rename meta/recipes-devtools/orc/{orc_0.4.39.bb => orc_0.4.40.bb} (92%)
 rename meta/recipes-devtools/python/{python3-lxml_5.0.0.bb => python3-lxml_5.0.2.bb} (94%)
 create mode 100644 meta/recipes-devtools/rust/rust-llvm/0004-llvm-Fix-CVE-2024-0151.patch
 create mode 100644 meta/recipes-graphics/wayland/weston/0001-vnc-Allow-neatvnc-in-version-0.8.0.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.13.bb => xserver-xorg_21.1.14.bb} (92%)

-- 
2.34.1




* [OE-core][scarthgap 00/10] Patch review
@ 2024-12-18 22:02 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2024-12-18 22:02 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Friday, December 20

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/674

The following changes since commit b19b1e905d966443c4e4d17dfaeb299ae2526575:

  cve-update-nvd2-native: Tweak to work better with NFS DL_DIR (2024-12-18 06:41:14 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Alexander Kanavin (1):
  rust: add reproducibility patch to eliminate host leakage

Archana Polampalli (3):
  ffmpeg: fix CVE-2024-35366
  ffmpeg: fix CVE-2024-35367
  ffmpeg: fix CVE-2024-35368

Hongxu Jia (1):
  kern-tools-native: fix SyntaxWarning for RegEx calls on Python 3.12

Jiaying Song (1):
  subversion: fix CVE-2024-46901

Khem Raj (1):
  python3: Drop empty patch

Ross Burton (1):
  python3: add dependency on -compression to -core

Sunil Dora (1):
  gcc: Fix c++: tweak for Wrange-loop-construct

Yash Shinde (1):
  binutils: Fix CVE-2024-53589

 .../binutils/binutils-2.42.inc                |   1 +
 .../binutils/0016-CVE-2024-53589.patch        |  92 ++++++++++
 meta/recipes-devtools/gcc/gcc-13.3.inc        |   1 +
 ...ix-c-tweak-for-Wrange-loop-construct.patch | 113 ++++++++++++
 ...lize-struct-termios-before-calling-t.patch |  26 ---
 .../python/python3/python3-manifest.json      |   2 +-
 .../recipes-devtools/python/python3_3.12.6.bb |   1 -
 ...te-host-information-into-compilation.patch |  51 ++++++
 meta/recipes-devtools/rust/rust-source.inc    |   1 +
 .../subversion/CVE-2024-46901.patch           | 161 ++++++++++++++++++
 .../subversion/subversion_1.14.3.bb           |   3 +-
 ...yntaxWarning-for-RegEx-calls-on-Pyth.patch |  60 +++++++
 .../kern-tools/kern-tools-native_git.bb       |   4 +-
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        |  35 ++++
 .../ffmpeg/ffmpeg/CVE-2024-35367.patch        |  47 +++++
 .../ffmpeg/ffmpeg/CVE-2024-35368.patch        |  41 +++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |   3 +
 17 files changed, 612 insertions(+), 30 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc/0028-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
 delete mode 100644 meta/recipes-devtools/python/python3/0001-gh-114492-Initialize-struct-termios-before-calling-t.patch
 create mode 100644 meta/recipes-devtools/rust/files/0001-cargo-do-not-write-host-information-into-compilation.patch
 create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2024-46901.patch
 create mode 100644 meta/recipes-kernel/kern-tools/files/0001-symbol_why-fix-SyntaxWarning-for-RegEx-calls-on-Pyth.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch

-- 
2.34.1




* [OE-core][scarthgap 00/10] Patch review
@ 2025-02-25 20:56 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-02-25 20:56 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 27

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1081

The following changes since commit fc46705cc629a151f85717a57f7d789de8fd9b64:

  icu: remove host references in nativesdk to fix reproducibility (2025-02-19 06:28:10 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Etienne Cordonnier (1):
  python3-setuptools-scm: respect GIT_CEILING_DIRECTORIES

Hitendra Prajapati (1):
  libcap: fix CVE-2025-1390

Hongxu Jia (6):
  u-boot: fix CVE-2024-57254
  u-boot: fix CVE-2024-57255
  u-boot: fix CVE-2024-57256
  u-boot: fix CVE-2024-57257
  u-boot: fix CVE-2024-57258
  u-boot: fix CVE-2024-57259

Peter Marko (1):
  libxml2: upgrade 2.12.9 -> 2.12.10

Vijay Anusuri (1):
  bind: Upgrade 9.18.28 -> 9.18.33

 .../u-boot/files/CVE-2024-57254.patch         |  47 ++++
 .../u-boot/files/CVE-2024-57255.patch         |  53 ++++
 .../u-boot/files/CVE-2024-57256.patch         |  51 ++++
 .../u-boot/files/CVE-2024-57257.patch         | 227 ++++++++++++++++++
 .../u-boot/files/CVE-2024-57258-1.patch       |  47 ++++
 .../u-boot/files/CVE-2024-57258-2.patch       |  43 ++++
 .../u-boot/files/CVE-2024-57258-3.patch       |  40 +++
 .../u-boot/files/CVE-2024-57259.patch         |  41 ++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  11 +-
 .../bind/{bind_9.18.28.bb => bind_9.18.33.bb} |   2 +-
 .../{libxml2_2.12.9.bb => libxml2_2.12.10.bb} |   2 +-
 ...0001-respect-GIT_CEILING_DIRECTORIES.patch |  36 +++
 .../python/python3-setuptools-scm_8.0.4.bb    |   1 +
 .../libcap/files/CVE-2025-1390.patch          |  36 +++
 meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
 15 files changed, 635 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
 rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%)
 rename meta/recipes-core/libxml/{libxml2_2.12.9.bb => libxml2_2.12.10.bb} (97%)
 create mode 100644 meta/recipes-devtools/python/python3-setuptools-scm/0001-respect-GIT_CEILING_DIRECTORIES.patch
 create mode 100644 meta/recipes-support/libcap/files/CVE-2025-1390.patch

-- 
2.43.0




* [OE-core][scarthgap 00/10] Patch review
@ 2025-03-27 19:44 Steve Sakoman
  0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-03-27 19:44 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Monday, March 31

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1283

The following changes since commit a720df7ad77af1f8b1c00a211c88537e5f23edbc:

  nativesdk-libtool: sanitize the script, remove buildpaths (2025-03-20 12:51:41 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Bruce Ashfield (6):
  linux-yocto/6.6: update to v6.6.77
  linux-yocto/6.6: update to v6.6.78
  linux-yocto/6.6: update to v6.6.80
  linux-yocto/6.6: update to v6.6.82
  linux-yocto/6.6: update to v6.6.83
  linux-yocto/6.6: update to v6.6.84

Divya Chellam (1):
  ruby: fix CVE-2025-27220

Madhu Marri (1):
  qemu 8.2.7: ignore CVE-2023-1386

Stefan Mueller-Klieser (1):
  kernel-arch: add macro-prefix-map in KERNEL_CC

Vijay Anusuri (1):
  vim: Upgrade 9.1.1115 -> 9.1.1198

 meta/classes-recipe/kernel-arch.bbclass       |  8 +-
 meta/recipes-devtools/qemu/qemu.inc           |  2 +
 .../ruby/ruby/CVE-2025-27220.patch            | 78 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.3.5.bb      |  1 +
 .../linux/linux-yocto-rt_6.6.bb               |  6 +-
 .../linux/linux-yocto-tiny_6.6.bb             |  6 +-
 meta/recipes-kernel/linux/linux-yocto_6.6.bb  | 28 +++----
 meta/recipes-support/vim/vim.inc              |  4 +-
 8 files changed, 110 insertions(+), 23 deletions(-)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch

-- 
2.43.0




* [OE-core][scarthgap 00/10] Patch review
@ 2025-08-19 20:07 Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 01/10] cve-check: Add missing call to exit_if_errors Steve Sakoman
                   ` (9 more replies)
  0 siblings, 10 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 21

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2234

The following changes since commit fa45d6d5bec8fe503ff6b9166a3b4af31ea95369:

  go-helloworld: fix license (2025-08-14 07:34:07 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Daniel Turull (2):
  xz: ignore CVE-2024-47611
  libxml2: ignore CVE-2025-8732

Khem Raj (3):
  e2fsprogs: Fix build failure with gcc 15
  parted: Fix build with GCC 15
  bash: Stick to C17 std

Martin Jansa (2):
  cairo: fix build with gcc-15 on host
  bash: use -std=gnu17 also for native CFLAGS

Peter Marko (2):
  dropbear: patch CVE-2025-47203
  glib-2.0: ignore CVE-2025-4056

Philip Lorenz (1):
  cve-check: Add missing call to exit_if_errors

 meta/classes/cve-check.bbclass                |   1 +
 ...iable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch |  27 ++
 ...-length-paths-and-commands-in-multih.patch |  63 +++
 ...and-also-forward-this-when-multihop-.patch |  81 ++++
 ...add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch |  29 ++
 .../dropbear/dropbear/CVE-2025-47203.patch    | 367 ++++++++++++++++++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   5 +
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   2 +
 meta/recipes-core/libxml/libxml2_2.12.10.bb   |   4 +
 ...-libext2fs-fix-std-c23-build-failure.patch |  42 ++
 .../e2fsprogs/e2fsprogs_1.47.0.bb             |   1 +
 meta/recipes-extended/bash/bash_5.2.21.bb     |   5 +
 ...CH-parted-fix-do_version-declaration.patch |  40 ++
 meta/recipes-extended/parted/parted_3.6.bb    |   1 +
 meta/recipes-extended/xz/xz_5.4.7.bb          |   2 +
 .../cairo/cairo/0001-Require-C11.patch        |  25 ++
 .../cairo/cairo/0002-Meson-Require-C-11.patch |  22 ++
 meta/recipes-graphics/cairo/cairo_1.18.0.bb   |   2 +
 18 files changed, 719 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-std-c23-build-failure.patch
 create mode 100644 meta/recipes-extended/parted/files/0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch
 create mode 100644 meta/recipes-graphics/cairo/cairo/0001-Require-C11.patch
 create mode 100644 meta/recipes-graphics/cairo/cairo/0002-Meson-Require-C-11.patch

-- 
2.43.0




* [OE-core][scarthgap 01/10] cve-check: Add missing call to exit_if_errors
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 02/10] dropbear: patch CVE-2025-47203 Steve Sakoman
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Philip Lorenz <philip.lorenz@bmw.de>

check_cves may raise the cve_status_not_in_db QA check. Call
exit_if_errors to make sure that the task is marked as failed when the
check is categorized as an error.

cve_status_not_in_db was in the meantime dropped in OE-Core
452e605b55ad61c08f4af7089a5a9c576ca28f7d so this change is only required
on scarthgap.

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6b8376bf17..d08c6ac670 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -196,6 +196,7 @@ python do_cve_check () {
         else:
             bb.note("No CVE database found, skipping CVE check")
 
+    oe.qa.exit_if_errors(d)
 }
 
 addtask cve_check before do_build
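
Review bot: the added `oe.qa.exit_if_errors(d)` sits at the outer indentation of `do_cve_check`, after the `else:` branch, so it also runs on the "No CVE database found, skipping CVE check" path where the check is skipped. That is harmless, but a one-line comment above the call naming the QA check it exists for (`cve_status_not_in_db`, per the commit message) would explain why this call is carried on scarthgap only.
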
-- 
2.43.0




* [OE-core][scarthgap 02/10] dropbear: patch CVE-2025-47203
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 01/10] cve-check: Add missing call to exit_if_errors Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 03/10] xz: ignore CVE-2024-47611 Steve Sakoman
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Based on Debian patch for this CVE, pick the same commits as mentioned
in kirkstone for this CVE except those already included in 2022.83.

https://salsa.debian.org/debian/dropbear/-/commit/7f48e75892c40cfc6336137d62581d2c4ca7d84c

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...iable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch |  27 ++
 ...-length-paths-and-commands-in-multih.patch |  63 +++
 ...and-also-forward-this-when-multihop-.patch |  81 ++++
 ...add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch |  29 ++
 .../dropbear/dropbear/CVE-2025-47203.patch    | 367 ++++++++++++++++++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   5 +
 6 files changed, 572 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch

diff --git a/meta/recipes-core/dropbear/dropbear/0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch b/meta/recipes-core/dropbear/dropbear/0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch
new file mode 100644
index 0000000000..fbe200151e
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch
@@ -0,0 +1,27 @@
+From d59436a4d56de58b856142a5d489a4a8fc7382ed Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 8 Apr 2024 22:01:21 +0800
+Subject: [PATCH] Avoid unused variable with DROPBEAR_CLI_PUBKEY_AUTH 0
+
+Fixes PR #291
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/d59436a4d56de58b856142a5d489a4a8fc7382ed]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cli-runopts.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/cli-runopts.c b/cli-runopts.c
+index b853a13..6668aee 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -533,7 +533,9 @@ static void loadidentityfile(const char* filename, int warnfail) {
+ static char* multihop_passthrough_args(void) {
+ 	char *args = NULL;
+ 	unsigned int len, total;
++#if DROPBEAR_CLI_PUBKEY_AUTH
+ 	m_list_elem *iter;
++#endif
+ 	/* Sufficient space for non-string args */
+ 	len = 100;
+ 
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch b/meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
new file mode 100644
index 0000000000..062f215398
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
@@ -0,0 +1,63 @@
+From 697b1f86c0b2b0caf12e9e32bab29161093ab5d4 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 1 Apr 2024 11:50:26 +0800
+Subject: [PATCH] Handle arbitrary length paths and commands in
+ multihop_passthrough_args()
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/697b1f86c0b2b0caf12e9e32bab29161093ab5d4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cli-runopts.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 37ea61d..219fc53 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -528,15 +528,29 @@ static void loadidentityfile(const char* filename, int warnfail) {
+ 
+ #if DROPBEAR_CLI_MULTIHOP
+ 
+-static char*
+-multihop_passthrough_args() {
+-	char *ret, args[256];
++/* Fill out -i, -y, -W options that make sense for all
++ * the intermediate processes */
++static char* multihop_passthrough_args(void) {
++	char *args = NULL;
+ 	unsigned int len, total;
+ 	m_list_elem *iter;
+-	/* Fill out -i, -y, -W options that make sense for all
+-         * the intermediate processes */
++	/* Sufficient space for non-string args */
++	len = 100;
++
++	/* String arguments have arbitrary length, so determine space required */
++	if (cli_opts.proxycmd) {
++		len += strlen(cli_opts.proxycmd);
++	}
++	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
++	{
++		sign_key * key = (sign_key*)iter->item;
++		len += 4 + strlen(key->filename);
++	}
++
++	args = m_malloc(len);
+ 	total = 0;
+-	len = 255;
++
++	/* Create new argument string */
+ 
+ 	if (cli_opts.quiet) {
+ 		total += m_snprintf(args+total, len-total, "-q ");
+@@ -564,9 +578,7 @@ multihop_passthrough_args() {
+ 	}
+ #endif /* DROPBEAR_CLI_PUBKEY_AUTH */
+ 
+-	ret = m_malloc(total + 1);
+-	strcpy(ret,args);
+-	return ret;
++	return args;
+ }
+ 
+ /* Sets up 'onion-forwarding' connections. This will spawn
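
Review bot: the new sizing loop over `cli_opts.privkeys` (the `len += 4 + strlen(key->filename);` block) is not inside `#if DROPBEAR_CLI_PUBKEY_AUTH`, while the loop that formats `-i` further down ends at `#endif /* DROPBEAR_CLI_PUBKEY_AUTH */`. The series only adds the missing guard in 0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch, so the two patches must stay adjacent in SRC_URI and this one should not be picked alone. Separately, `len = 100` for the non-string arguments is a bare constant; a short comment listing what it has to cover (`-q `, `-y -y `, `-W %u `, the quoting around `-J '%s' `) would make it checkable.
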
diff --git a/meta/recipes-core/dropbear/dropbear/0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch b/meta/recipes-core/dropbear/dropbear/0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch
new file mode 100644
index 0000000000..c15da6e099
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch
@@ -0,0 +1,81 @@
+From 2f1177e55f33afd676e08c9449ab7ab517fc3b30 Mon Sep 17 00:00:00 2001
+From: HansH111 <hans@atbas.org>
+Date: Sat, 24 Feb 2024 08:29:30 +0000
+Subject: [PATCH] add -o BatchMode and also forward this when multihop
+ destination is used
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/2f1177e55f33afd676e08c9449ab7ab517fc3b30]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cli-runopts.c | 33 +++++++++++----------------------
+ 1 file changed, 11 insertions(+), 22 deletions(-)
+
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 38a73f7..37ea61d 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -530,53 +530,42 @@ static void loadidentityfile(const char* filename, int warnfail) {
+ 
+ static char*
+ multihop_passthrough_args() {
+-	char *ret;
++	char *ret, args[256];
+ 	unsigned int len, total;
+ 	m_list_elem *iter;
+ 	/* Fill out -i, -y, -W options that make sense for all
+-	 * the intermediate processes */
+-	len = 30; /* space for "-q -y -y -W <size>\0" */
+-#if DROPBEAR_CLI_PUBKEY_AUTH
+-	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+-	{
+-		sign_key * key = (sign_key*)iter->item;
+-		len += 3 + strlen(key->filename);
+-	}
+-#endif /* DROPBEAR_CLI_PUBKEY_AUTH */
+-	if (cli_opts.proxycmd) {
+-		/* "-J 'cmd'" */
+-		len += 6 + strlen(cli_opts.proxycmd);
+-	}
+-
+-	ret = m_malloc(len);
++         * the intermediate processes */
+ 	total = 0;
++	len = 255;
+ 
+ 	if (cli_opts.quiet) {
+-		total += m_snprintf(ret+total, len-total, "-q ");
++		total += m_snprintf(args+total, len-total, "-q ");
+ 	}
+ 
+ 	if (cli_opts.no_hostkey_check) {
+-		total += m_snprintf(ret+total, len-total, "-y -y ");
++		total += m_snprintf(args+total, len-total, "-y -y ");
+ 	} else if (cli_opts.always_accept_key) {
+-		total += m_snprintf(ret+total, len-total, "-y ");
++		total += m_snprintf(args+total, len-total, "-y ");
+ 	}
+ 
+ 	if (cli_opts.proxycmd) {
+-		total += m_snprintf(ret+total, len-total, "-J '%s' ", cli_opts.proxycmd);
++		total += m_snprintf(args+total, len-total, "-J '%s' ", cli_opts.proxycmd);
+ 	}
+ 
+ 	if (opts.recv_window != DEFAULT_RECV_WINDOW) {
+-		total += m_snprintf(ret+total, len-total, "-W %u ", opts.recv_window);
++		total += m_snprintf(args+total, len-total, "-W %u ", opts.recv_window);
+ 	}
+ 
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+ 		sign_key * key = (sign_key*)iter->item;
+-		total += m_snprintf(ret+total, len-total, "-i %s ", key->filename);
++		total += m_snprintf(args+total, len-total, "-i %s ", key->filename);
+ 	}
+ #endif /* DROPBEAR_CLI_PUBKEY_AUTH */
+ 
++	ret = m_malloc(total + 1);
++	strcpy(ret,args);
+ 	return ret;
+ }
+ 
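
Review bot: the subject says this adds `-o BatchMode`, but the only hunk carried here rewrites `multihop_passthrough_args()` to build into a fixed `char args[256]` with `len = 255` and then `strcpy` the result into a `total + 1` allocation; nothing about BatchMode appears in it. Say in the patch header that this is a partial backport taken so the later cli-runopts.c patches apply, and that the fixed-size buffer it introduces is replaced by 0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch, so nobody carries this patch without the next one.
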
diff --git a/meta/recipes-core/dropbear/dropbear/0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch b/meta/recipes-core/dropbear/dropbear/0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch
new file mode 100644
index 0000000000..da7de00389
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch
@@ -0,0 +1,29 @@
+From dd03da772bfad6174425066ff9752b60e25ed183 Mon Sep 17 00:00:00 2001
+From: Sergey Ponomarev <stokito@gmail.com>
+Date: Sun, 7 Apr 2024 21:16:50 +0300
+Subject: [PATCH] cli-runopts.c add missing DROPBEAR_CLI_PUBKEY_AUTH
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/dd03da772bfad6174425066ff9752b60e25ed183]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cli-runopts.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 219fc53..b853a13 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -541,11 +541,13 @@ static char* multihop_passthrough_args(void) {
+ 	if (cli_opts.proxycmd) {
+ 		len += strlen(cli_opts.proxycmd);
+ 	}
++#if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+ 		sign_key * key = (sign_key*)iter->item;
+ 		len += 4 + strlen(key->filename);
+ 	}
++#endif
+ 
+ 	args = m_malloc(len);
+ 	total = 0;
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch b/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
new file mode 100644
index 0000000000..513fbafce0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
@@ -0,0 +1,367 @@
+From e5a0ef27c227f7ae69d9a9fec98a056494409b9b Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 5 May 2025 23:14:19 +0800
+Subject: [PATCH] Execute multihop commands directly, no shell
+
+This avoids problems with shell escaping if arguments contain special
+characters.
+
+CVE: CVE-2025-47203
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cli-main.c    |  59 +++++++++++++++++++----------
+ cli-runopts.c | 100 +++++++++++++++++++++++++++++---------------------
+ dbutil.c      |   9 ++++-
+ dbutil.h      |   1 +
+ runopts.h     |   5 +++
+ 5 files changed, 112 insertions(+), 62 deletions(-)
+
+diff --git a/cli-main.c b/cli-main.c
+index 065fd76..2fafa88 100644
+--- a/cli-main.c
++++ b/cli-main.c
+@@ -77,9 +77,8 @@ int main(int argc, char ** argv) {
+ 	}
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-	if (cli_opts.proxycmd) {
++	if (cli_opts.proxycmd || cli_opts.proxyexec) {
+ 		cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+-		m_free(cli_opts.proxycmd);
+ 		if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+ 			signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+ 			signal(SIGHUP, kill_proxy_sighandler) == SIG_ERR) {
+@@ -101,7 +100,8 @@ int main(int argc, char ** argv) {
+ }
+ #endif /* DBMULTI stuff */
+ 
+-static void exec_proxy_cmd(const void *user_data_cmd) {
++#if DROPBEAR_CLI_PROXYCMD
++static void shell_proxy_cmd(const void *user_data_cmd) {
+ 	const char *cmd = user_data_cmd;
+ 	char *usershell;
+ 
+@@ -110,41 +110,62 @@ static void exec_proxy_cmd(const void *user_data_cmd) {
+ 	dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
+-#if DROPBEAR_CLI_PROXYCMD
++static void exec_proxy_cmd(const void *unused) {
++	(void)unused;
++	run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
++	dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
++}
++
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+-	char * ex_cmd = NULL;
+-	size_t ex_cmdlen;
++	char * cmd_arg = NULL;
++	void (*exec_fn)(const void *user_data) = NULL;
+ 	int ret;
+ 
++	/* exactly one of cli_opts.proxycmd or cli_opts.proxyexec should be set */
++
+ 	/* File descriptor "-j &3" */
+-	if (*cli_opts.proxycmd == '&') {
++	if (cli_opts.proxycmd && *cli_opts.proxycmd == '&') {
+ 		char *p = cli_opts.proxycmd + 1;
+ 		int sock = strtoul(p, &p, 10);
+ 		/* must be a single number, and not stdin/stdout/stderr */
+ 		if (sock > 2 && sock < 1024 && *p == '\0') {
+ 			*sock_in = sock;
+ 			*sock_out = sock;
+-			return;
++			goto cleanup;
+ 		}
+ 	}
+ 
+-	/* Normal proxycommand */
++	if (cli_opts.proxycmd) {
++		/* Normal proxycommand */
++		size_t shell_cmdlen;
++		/* So that spawn_command knows which shell to run */
++		fill_passwd(cli_opts.own_user);
+ 
+-	/* So that spawn_command knows which shell to run */
+-	fill_passwd(cli_opts.own_user);
++		shell_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
++		cmd_arg = m_malloc(shell_cmdlen);
++		snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
++		exec_fn = shell_proxy_cmd;
++	} else {
++		/* No shell */
++		exec_fn = exec_proxy_cmd;
++	}
+ 
+-	ex_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
+-	ex_cmd = m_malloc(ex_cmdlen);
+-	snprintf(ex_cmd, ex_cmdlen, "exec %s", cli_opts.proxycmd);
+-
+-	ret = spawn_command(exec_proxy_cmd, ex_cmd,
+-			sock_out, sock_in, NULL, pid_out);
+-	DEBUG1(("cmd: %s  pid=%d", ex_cmd,*pid_out))
+-	m_free(ex_cmd);
++	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+ 	if (ret == DROPBEAR_FAILURE) {
+ 		dropbear_exit("Failed running proxy command");
+ 		*sock_in = *sock_out = -1;
+ 	}
++
++cleanup:
++	m_free(cli_opts.proxycmd);
++	m_free(cmd_arg);
++	if (cli_opts.proxyexec) {
++		char **a = NULL;
++		for (a = cli_opts.proxyexec; *a; a++) {
++			m_free_direct(*a);
++		}
++		m_free(cli_opts.proxyexec);
++	}
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
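
Review bot: `exec_proxy_cmd()` discards its argument and reads the global `cli_opts.proxyexec`, while `shell_proxy_cmd()` takes its command through `user_data`, so `cli_proxy_cmd()` passes a NULL `cmd_arg` to `spawn_command()` on the no-shell path. Passing the argv array as the exec data would keep both callbacks on the same contract. The rewrite also drops the `DEBUG1(("cmd: %s  pid=%d", ...))` trace without a replacement, so neither path logs the child pid any more.
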
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 6668aee..b9add84 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -530,58 +530,81 @@ static void loadidentityfile(const char* filename, int warnfail) {
+ 
+ /* Fill out -i, -y, -W options that make sense for all
+  * the intermediate processes */
+-static char* multihop_passthrough_args(void) {
+-	char *args = NULL;
+-	unsigned int len, total;
++static char** multihop_args(const char* argv0, const char* prior_hops) {
++	/* null terminated array */
++	char **args = NULL;
++	size_t max_args = 14, pos = 0, len;
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	m_list_elem *iter;
+ #endif
+-	/* Sufficient space for non-string args */
+-	len = 100;
+ 
+-	/* String arguments have arbitrary length, so determine space required */
+-	if (cli_opts.proxycmd) {
+-		len += strlen(cli_opts.proxycmd);
+-	}
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+-		sign_key * key = (sign_key*)iter->item;
+-		len += 4 + strlen(key->filename);
++		/* "-i file" for each */
++		max_args += 2;
+ 	}
+ #endif
+ 
+-	args = m_malloc(len);
+-	total = 0;
++	args = m_malloc(sizeof(char*) * max_args);
++	pos = 0;
+ 
+-	/* Create new argument string */
++	args[pos] = m_strdup(argv0);
++	pos++;
+ 
+ 	if (cli_opts.quiet) {
+-		total += m_snprintf(args+total, len-total, "-q ");
++		args[pos] = m_strdup("-q");
++		pos++;
+ 	}
+ 
+ 	if (cli_opts.no_hostkey_check) {
+-		total += m_snprintf(args+total, len-total, "-y -y ");
++		args[pos] = m_strdup("-y");
++		pos++;
++		args[pos] = m_strdup("-y");
++		pos++;
+ 	} else if (cli_opts.always_accept_key) {
+-		total += m_snprintf(args+total, len-total, "-y ");
++		args[pos] = m_strdup("-y");
++		pos++;
+ 	}
+ 
+ 	if (cli_opts.proxycmd) {
+-		total += m_snprintf(args+total, len-total, "-J '%s' ", cli_opts.proxycmd);
++		args[pos] = m_strdup("-J");
++		pos++;
++		args[pos] = m_strdup(cli_opts.proxycmd);
++		pos++;
+ 	}
+ 
+ 	if (opts.recv_window != DEFAULT_RECV_WINDOW) {
+-		total += m_snprintf(args+total, len-total, "-W %u ", opts.recv_window);
++		args[pos] = m_strdup("-W");
++		pos++;
++		args[pos] = m_malloc(11);
++		m_snprintf(args[pos], 11, "%u", opts.recv_window);
++		pos++;
+ 	}
+ 
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+ 		sign_key * key = (sign_key*)iter->item;
+-		total += m_snprintf(args+total, len-total, "-i %s ", key->filename);
++		args[pos] = m_strdup("-i");
++		pos++;
++		args[pos] = m_strdup(key->filename);
++		pos++;
+ 	}
+ #endif /* DROPBEAR_CLI_PUBKEY_AUTH */
+ 
++	/* last hop */
++	args[pos] = m_strdup("-B");
++	pos++;
++	len = strlen(cli_opts.remotehost) + strlen(cli_opts.remoteport) + 2;
++	args[pos] = m_malloc(len);
++	snprintf(args[pos], len, "%s:%s", cli_opts.remotehost, cli_opts.remoteport);
++	pos++;
++
++	/* hostnames of prior hops */
++	args[pos] = m_strdup(prior_hops);
++	pos++;
++
+ 	return args;
+ }
+ 
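
Review bot: `multihop_args()` documents its result as a "null terminated array", and the array is later walked with `for (a = cli_opts.proxyexec; *a; a++)` and handed to `execv()`, yet nothing in this hunk stores the terminating NULL; after `args[pos] = m_strdup(prior_hops);` the function simply returns. That only works if `m_malloc()` returns zeroed memory, which these lines do not show. An explicit `args[pos] = NULL;` before `return args;`, plus a check that `pos < max_args`, would make `max_args = 14` self-verifying (the fixed arguments visible here need at most 11 slots plus the terminator, with the `-i` pairs counted separately).
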
+@@ -596,7 +619,7 @@ static char* multihop_passthrough_args(void) {
+  * etc for as many hosts as we want.
+  *
+  * Note that "-J" arguments aren't actually used, instead
+- * below sets cli_opts.proxycmd directly.
++ * below sets cli_opts.proxyexec directly.
+  *
+  * Ports for hosts can be specified as host/port.
+  */
+@@ -604,7 +627,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 	char *userhostarg = NULL;
+ 	char *hostbuf = NULL;
+ 	char *last_hop = NULL;
+-	char *remainder = NULL;
++	char *prior_hops = NULL;
+ 
+ 	/* both scp and rsync parse a user@host argument
+ 	 * and turn it into "-l user host". This breaks
+@@ -622,6 +645,8 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 	}
+ 	userhostarg = hostbuf;
+ 
++	/* Split off any last hostname and use that as remotehost/remoteport.
++	 * That is used for authorized_keys checking etc */
+ 	last_hop = strrchr(userhostarg, ',');
+ 	if (last_hop) {
+ 		if (last_hop == userhostarg) {
+@@ -629,35 +654,28 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 		}
+ 		*last_hop = '\0';
+ 		last_hop++;
+-		remainder = userhostarg;
++		prior_hops = userhostarg;
+ 		userhostarg = last_hop;
+ 	}
+ 
++	/* Update cli_opts.remotehost and cli_opts.remoteport */
+ 	parse_hostname(userhostarg);
+ 
+-	if (last_hop) {
+-		/* Set up the proxycmd */
+-		unsigned int cmd_len = 0;
+-		char *passthrough_args = multihop_passthrough_args();
+-		if (cli_opts.remoteport == NULL) {
+-			cli_opts.remoteport = "22";
++	/* Construct any multihop proxy command. Use proxyexec to
++	 * avoid worrying about shell escaping. */
++	if (prior_hops) {
++		cli_opts.proxyexec = multihop_args(argv0, prior_hops);
++		/* Any -J argument has been copied to proxyexec */
++		if (cli_opts.proxycmd) {
++			m_free(cli_opts.proxycmd);
+ 		}
+-		cmd_len = strlen(argv0) + strlen(remainder)
+-			+ strlen(cli_opts.remotehost) + strlen(cli_opts.remoteport)
+-			+ strlen(passthrough_args)
+-			+ 30;
+-		/* replace proxycmd. old -J arguments have been copied
+-		   to passthrough_args */
+-		cli_opts.proxycmd = m_realloc(cli_opts.proxycmd, cmd_len);
+-		m_snprintf(cli_opts.proxycmd, cmd_len, "%s -B %s:%s %s %s",
+-				argv0, cli_opts.remotehost, cli_opts.remoteport,
+-				passthrough_args, remainder);
++
+ #ifndef DISABLE_ZLIB
+-		/* The stream will be incompressible since it's encrypted. */
++		/* This outer stream will be incompressible since it's encrypted. */
+ 		opts.compress_mode = DROPBEAR_COMPRESS_OFF;
+ #endif
+-		m_free(passthrough_args);
+ 	}
++
+ 	m_free(hostbuf);
+ }
+ #endif /* !DROPBEAR_CLI_MULTIHOP */
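
Review bot: the removed block defaulted the port before using it (`if (cli_opts.remoteport == NULL) {` / `cli_opts.remoteport = "22";`), but the replacement calls `multihop_args()`, which does `strlen(cli_opts.remoteport)` with no NULL check. Nothing visible in these hunks sets a default after `parse_hostname(userhostarg)`. Please confirm that on 2022.83 `remoteport` is always non-NULL at this point when the last hop is given without a port, or keep the default in the backport.
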
+diff --git a/dbutil.c b/dbutil.c
+index bd66454..910fa27 100644
+--- a/dbutil.c
++++ b/dbutil.c
+@@ -371,7 +371,6 @@ int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
+ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 	char * argv[4];
+ 	char * baseshell = NULL;
+-	unsigned int i;
+ 
+ 	baseshell = basename(usershell);
+ 
+@@ -393,6 +392,12 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 		argv[1] = NULL;
+ 	}
+ 
++	run_command(usershell, argv, maxfd);
++}
++
++void run_command(const char* argv0, char** args, unsigned int maxfd) {
++	unsigned int i;
++
+ 	/* Re-enable SIGPIPE for the executed process */
+ 	if (signal(SIGPIPE, SIG_DFL) == SIG_ERR) {
+ 		dropbear_exit("signal() error");
+@@ -404,7 +409,7 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 		m_close(i);
+ 	}
+ 
+-	execv(usershell, argv);
++	execv(argv0, args);
+ }
+ 
+ #if DEBUG_TRACE
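
Review bot: `run_command()` ends in `execv(argv0, args)`, and `execv()` does not search `PATH`. On the no-shell path `argv0` is `cli_opts.proxyexec[0]`, a copy of the client's own `argv0`, whereas the old proxy command ran as `exec %s` under the user's shell, which resolves bare names. Please test a multihop connection with the client started by bare name from `PATH`; if that fails, the backport needs an absolute path for the first element or `execvp()`.
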
+diff --git a/dbutil.h b/dbutil.h
+index 64af170..bfc1f1f 100644
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -63,6 +63,7 @@ char * stripcontrol(const char * text);
+ int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
+ 		int *writefd, int *readfd, int *errfd, pid_t *pid);
+ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell);
++void run_command(const char* argv0, char** args, unsigned int maxfd);
+ #if ENABLE_CONNECT_UNIX
+ int connect_unix(const char* addr);
+ #endif
+diff --git a/runopts.h b/runopts.h
+index 1675836..11c3ef2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -188,7 +188,12 @@ typedef struct cli_runopts {
+ 	unsigned int netcat_port;
+ #endif
+ #if DROPBEAR_CLI_PROXYCMD
++	/* A proxy command to run via the user's shell */
+ 	char *proxycmd;
++#endif
++#if DROPBEAR_CLI_MULTIHOP
++	/* Similar to proxycmd, but is arguments for execve(), not shell */
++	char **proxyexec;
+ #endif
+ 	char *bind_address;
+ 	char *bind_port;
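
Review bot: `proxyexec` is declared under `#if DROPBEAR_CLI_MULTIHOP`, but cli-main.c uses `cli_opts.proxyexec` in code guarded only by `#if DROPBEAR_CLI_PROXYCMD` (`if (cli_opts.proxycmd || cli_opts.proxyexec)`, `exec_proxy_cmd()` and the cleanup loop). A configuration with the proxy command enabled and multihop disabled would reference a field that does not exist. Either declare `proxyexec` under the same guard as `proxycmd` or wrap the cli-main.c uses in `#if DROPBEAR_CLI_MULTIHOP`. The new comment also says `execve()` while `run_command()` calls `execv()`.
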
diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2022.83.bb
index 772e08eaed..2ed8d2c2a1 100644
--- a/meta/recipes-core/dropbear/dropbear_2022.83.bb
+++ b/meta/recipes-core/dropbear/dropbear_2022.83.bb
@@ -24,6 +24,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
            file://CVE-2023-36328.patch \
            file://CVE-2023-48795.patch \
+           file://0001-add-o-BatchMode-and-also-forward-this-when-multihop-.patch \
+           file://0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch \
+           file://0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch \
+           file://0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch \
+           file://CVE-2025-47203.patch \
            "
 
 SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
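
Review bot: the four `0001-*.patch` entries added to SRC_URI are prerequisites that exist only so `CVE-2025-47203.patch` applies, and their order is fixed by the `index` lines of the embedded cli-runopts.c diffs (38a73f7..37ea61d, 37ea61d..219fc53, 219fc53..b853a13, b853a13..6668aee, then 6668aee..b9add84). None of the four headers says so, and none carries a `CVE:` tag. A line in each patch header stating that it is a dependency of the CVE-2025-47203 fix would keep a later cleanup from dropping or reordering one of them.
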
-- 
2.43.0




* [OE-core][scarthgap 03/10] xz: ignore CVE-2024-47611
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 01/10] cve-check: Add missing call to exit_if_errors Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 02/10] dropbear: patch CVE-2025-47203 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 04/10] glib-2.0: ignore CVE-2025-4056 Steve Sakoman
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Daniel Turull <daniel.turull@ericsson.com>

According to the NVD entry, it is only applicable when built
for native Windows (MinGW-w64 or MSVC).

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/xz/xz_5.4.7.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/xz/xz_5.4.7.bb b/meta/recipes-extended/xz/xz_5.4.7.bb
index 563643d4d9..30a4c8e88c 100644
--- a/meta/recipes-extended/xz/xz_5.4.7.bb
+++ b/meta/recipes-extended/xz/xz_5.4.7.bb
@@ -35,6 +35,8 @@ SRC_URI[sha256sum] = "8db6664c48ca07908b92baedcfe7f3ba23f49ef2476864518ab5db6723
 UPSTREAM_CHECK_REGEX = "releases/tag/v(?P<pver>\d+(\.\d+)+)"
 UPSTREAM_CHECK_URI = "https://github.com/tukaani-project/xz/releases/"
 
+CVE_STATUS[CVE-2024-47611] = "not-applicable-platform: Issue only applies on Windows"
+
 CACHED_CONFIGUREVARS += "gl_cv_posix_shell=/bin/sh"
 
 inherit autotools gettext ptest
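
Review bot: `CVE_STATUS[CVE-2024-47611]` is set unconditionally, so it applies to every variant of this recipe, including an SDK build for a Windows host if one is configured. The commit message scopes the issue to native Windows builds (MinGW-w64 or MSVC), and such an SDK build would be one of those. Consider limiting the status to the classes that cannot target Windows, or state in the reason string that Windows-hosted builds are not covered by it.
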
-- 
2.43.0




* [OE-core][scarthgap 04/10] glib-2.0: ignore CVE-2025-4056
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 03/10] xz: ignore CVE-2024-47611 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 05/10] libxml2: ignore CVE-2025-8732 Steve Sakoman
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

NVD report [1] says:
A flaw was found in GLib. A denial of service on **Windows platforms**
may occur if an application attempts to spawn a program using long
command lines.

The fix [3] (linked from [2]) also changes only files
glib/gspawn-win32-helper.c
glib/gspawn-win32.c

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-4056
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3668
[3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index e1a3b57270..53e0543045 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -66,3 +66,5 @@ def find_meson_cross_files(d):
 python () {
     find_meson_cross_files(d)
 }
+
+CVE_STATUS[CVE-2025-4056] = "not-applicable-platform: Issue only applies on Windows"
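
Review bot: the reason string "Issue only applies on Windows" on the added `CVE_STATUS[CVE-2025-4056]` line drops the evidence the commit message gives, namely that the upstream fix only touches `glib/gspawn-win32-helper.c` and `glib/gspawn-win32.c`. A comment above the line with the merge request URL from the commit message would let someone re-check the status from the recipe alone.
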
-- 
2.43.0




* [OE-core][scarthgap 05/10] libxml2: ignore CVE-2025-8732
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 04/10] glib-2.0: ignore CVE-2025-4056 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 06/10] e2fsprogs: Fix build failure with gcc 15 Steve Sakoman
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Daniel Turull <daniel.turull@ericsson.com>

The code maintainer disputes the CVE as the issue can only be triggered with
untrusted SGML catalogs and it makes absolutely no sense to use untrusted
catalogs.

The issue triggers a crash if an invalid file is provided.
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/libxml/libxml2_2.12.10.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index 078988286a..a155c3708e 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -32,6 +32,10 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 # Disputed as a security issue, but fixed in d39f780
 CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
 
+# Disputed as a security issue, if attempts to process an invalid file, it fails
+# https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
+CVE_STATUS[CVE-2025-8732] = "disputed: the code maintainer explains, that the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided.  https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
+
 BINCONFIG = "${bindir}/xml2-config"
 
 PACKAGECONFIG ??= "python \
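
Review bot: The CVE_STATUS[CVE-2025-8732] value is a multi-sentence paragraph with an embedded URL and a double space before it, while the entry directly above uses a short reason ("disputed: issue requires memory allocation to fail"). The two comment lines already carry the link, so the value could be cut to something like "disputed: only triggerable with untrusted SGML catalogs". The comment wording "if attempts to process an invalid file, it fails" is also hard to parse and weaker than the status text, which says an invalid file triggers a crash; anyone who does load catalogs from untrusted sources should be able to see from the recipe that they remain affected.
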
-- 
2.43.0




* [OE-core][scarthgap 06/10] e2fsprogs: Fix build failure with gcc 15
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 05/10] libxml2: ignore CVE-2025-8732 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 07/10] parted: Fix build with GCC 15 Steve Sakoman
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

Backport a needed fix

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-libext2fs-fix-std-c23-build-failure.patch | 42 +++++++++++++++++++
 .../e2fsprogs/e2fsprogs_1.47.0.bb             |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-std-c23-build-failure.patch

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-std-c23-build-failure.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-std-c23-build-failure.patch
new file mode 100644
index 0000000000..01ab9d5afb
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-std-c23-build-failure.patch
@@ -0,0 +1,42 @@
+From 72dcef02bee9924c4d5b3dc6e7ef4d07becebcc6 Mon Sep 17 00:00:00 2001
+From: Rudi Heitbaum <rudi@heitbaum.com>
+Date: Fri, 22 Nov 2024 12:36:32 +0000
+Subject: [PATCH] libext2fs: fix -std=c23 build failure
+
+gcc-15 switched to -std=c23 by default:
+
+    https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=55e3bd376b2214e200fa76d12b67ff259b06c212
+
+As a result `e2fsprogs` fails the build so only typedef int bool
+for __STDC_VERSION__ <= 201710L (C17)
+
+    ../../../lib/ext2fs/tdb.c:113:13: error: two or more data types in declaration specifiers
+    ../../../lib/ext2fs/tdb.c:113:1: warning: useless type name in empty declaration
+      113 | typedef int bool;
+          | ^~~~~~~
+
+https://github.com/tytso/e2fsprogs/issues/202
+
+Upstream-Status: Backport [https://github.com/tytso/e2fsprogs/commit/49fd04d77b3244c6c6990be41142168eef373aef]
+Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
+Link: https://lore.kernel.org/r/Z0B60JhdvT9bpSQ6@6f91903e89da
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/ext2fs/tdb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ext2fs/tdb.c b/lib/ext2fs/tdb.c
+index b07b2917..98dc95d8 100644
+--- a/lib/ext2fs/tdb.c
++++ b/lib/ext2fs/tdb.c
+@@ -110,7 +110,9 @@ static char *rep_strdup(const char *s)
+ #endif
+ #endif
+ 
++#if defined __STDC__ && defined __STDC_VERSION__ && __STDC_VERSION__ <= 201710L
+ typedef int bool;
++#endif
+ 
+ #include "tdb.h"
+ 
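
Review bot: The guard added around "typedef int bool;" requires __STDC_VERSION__ to be defined, so a compiler mode that does not define that macro now gets no bool typedef at all, where before this change it always did. That does not affect the GCC 15 failure quoted in the patch header, and as a backport the file should stay identical to the upstream commit named in Upstream-Status. If pre-C99 builds of lib/ext2fs/tdb.c matter, the condition would need the form "!defined __STDC_VERSION__ || __STDC_VERSION__ <= 201710L", which is a change to propose upstream rather than here.
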
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.0.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.0.bb
index 940b47c155..0288854527 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.0.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.0.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
            file://run-ptest \
            file://ptest.patch \
            file://mkdir_p.patch \
+           file://0001-libext2fs-fix-std-c23-build-failure.patch \
            "
 SRC_URI:append:class-native = " \
            file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
-- 
2.43.0




* [OE-core][scarthgap 07/10] parted: Fix build with GCC 15
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 06/10] e2fsprogs: Fix build failure with gcc 15 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 08/10] cairo: fix build with gcc-15 on host Steve Sakoman
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...CH-parted-fix-do_version-declaration.patch | 40 +++++++++++++++++++
 meta/recipes-extended/parted/parted_3.6.bb    |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-extended/parted/files/0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch

diff --git a/meta/recipes-extended/parted/files/0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch b/meta/recipes-extended/parted/files/0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch
new file mode 100644
index 0000000000..a8ea7ec4f7
--- /dev/null
+++ b/meta/recipes-extended/parted/files/0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch
@@ -0,0 +1,40 @@
+From eb6bb2e8dfc78ca1a187d07ea29b23a805c61794 Mon Sep 17 00:00:00 2001
+From: Rudi Heitbaum <rudi@heitbaum.com>
+Date: Wed, 20 Nov 2024 12:22:22 +0000
+Subject: [PATCH] bug#74444: [PATCH] parted: fix do_version declaration
+
+With gcc 15-20241117 compile fails with the below error, update the
+do_version declaration to match the header in command.h
+
+../../parted/parted.c: In function '_init_commands':
+../../parted/parted.c:2469:9: error: passing argument 2 of 'command_create' from incompatible pointer type [-Wincompatible-pointer-types]
+ 2469 |         do_version,
+      |         ^~~~~~~~~~
+      |         |
+      |         int (*)(void)
+In file included from ../../parted/parted.c:28:
+../../parted/command.h:35:39: note: expected 'int (*)(PedDevice **, PedDisk **)' {aka 'int (*)(struct _PedDevice **, struct _PedDisk **)'} but argument is of type 'int (*)(void)'
+   35 |                                 int (*method) (PedDevice** dev, PedDisk** diskp),
+      |                                 ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/parted.git/commit/?id=16343bda6ce0d41edf43f8dac368db3bbb63d271]
+Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
+Signed-off-by: Brian C. Lane <bcl@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ parted/parted.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parted/parted.c b/parted/parted.c
+index 3abb52f..fc2aeba 100644
+--- a/parted/parted.c
++++ b/parted/parted.c
+@@ -2172,7 +2172,7 @@ do_unit (PedDevice** dev, PedDisk** diskp)
+ }
+ 
+ static int
+-do_version ()
++do_version (PedDevice** dev, PedDisk** diskp)
+ {
+     printf ("\n%s\n%s",
+             prog_name,
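
Review bot: The added file name carries "bug-74444-PATCH" over from the list-style Subject line "bug#74444: [PATCH] parted: fix do_version declaration"; a name such as 0001-parted-fix-do_version-declaration.patch would read better in SRC_URI and in later upgrade diffs. On the code change itself, the two parameters added to do_version are not used in the body lines visible here, which is expected for a handler that has to match the "int (*)(PedDevice **, PedDisk **)" type shown in the quoted error, so no change is needed there.
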
diff --git a/meta/recipes-extended/parted/parted_3.6.bb b/meta/recipes-extended/parted/parted_3.6.bb
index a537ef74db..0e79a2e837 100644
--- a/meta/recipes-extended/parted/parted_3.6.bb
+++ b/meta/recipes-extended/parted/parted_3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \
            file://fix-doc-mandir.patch \
            file://0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch \
            file://autoconf-2.73.patch \
+           file://0001-bug-74444-PATCH-parted-fix-do_version-declaration.patch \
            file://run-ptest \
            "
 
-- 
2.43.0




* [OE-core][scarthgap 08/10] cairo: fix build with gcc-15 on host
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 07/10] parted: Fix build with GCC 15 Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:19   ` Patchtest results for " patchtest
  2025-08-19 20:07 ` [OE-core][scarthgap 09/10] bash: Stick to C17 std Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 10/10] bash: use -std=gnu17 also for native CFLAGS Steve Sakoman
  9 siblings, 1 reply; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Martin Jansa <martin.jansa@gmail.com>

* backports from 1.18.2 used since:
  https://git.openembedded.org/openembedded-core/commit/?id=070d79c8adec7e0a8862019cf61910a59b18613a

* fixes build on hosts with gcc-15 (e.g. ubuntu-25.10)

../cairo-1.18.0/test/pdiff/pdiff.h:22:13: error: ‘bool’ cannot be defined via ‘typedef’
   22 | typedef int bool;
      |             ^~~~
../cairo-1.18.0/test/pdiff/pdiff.h:22:13: note: ‘bool’ is a keyword with ‘-std=c23’ onwards
../cairo-1.18.0/test/pdiff/pdiff.h:22:1: warning: useless type name in empty declaration
   22 | typedef int bool;
      | ^~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../cairo/cairo/0001-Require-C11.patch        | 25 +++++++++++++++++++
 .../cairo/cairo/0002-Meson-Require-C-11.patch | 22 ++++++++++++++++
 meta/recipes-graphics/cairo/cairo_1.18.0.bb   |  2 ++
 3 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-graphics/cairo/cairo/0001-Require-C11.patch
 create mode 100644 meta/recipes-graphics/cairo/cairo/0002-Meson-Require-C-11.patch

diff --git a/meta/recipes-graphics/cairo/cairo/0001-Require-C11.patch b/meta/recipes-graphics/cairo/cairo/0001-Require-C11.patch
new file mode 100644
index 0000000000..a2e888e46b
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/0001-Require-C11.patch
@@ -0,0 +1,25 @@
+From de2452228814e804b103dfa7c2d37b3a216c6155 Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Sun, 28 Apr 2024 21:31:41 +0930
+Subject: [PATCH] Require C11
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/b60f47dfd5bbe98aec43f6c356ba3be9a1b7989e]
+---
+ meson.build | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 9100152..f8432fd 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1,7 +1,8 @@
+ project('cairo', 'c', 'cpp',
+-  meson_version: '>= 0.59.0',
++  meson_version: '>= 1.3.0',
+   version: run_command(find_program('version.py'), check: true).stdout().strip(),
+-  default_options: ['warning_level=2'],
++  default_options: ['c_std=gnu11,c11',
++                    'warning_level=2'],
+ )
+ 
+ freetype_required_version = '>= 9.7.3'
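
Review bot: The header of the added 0001-Require-C11.patch has From, Date, Subject and Upstream-Status but no Signed-off-by line, which is the failure patchtest reports for this patch in its reply on this thread; add the backporter's Signed-off-by below Upstream-Status. The same hunk also raises meson_version from '>= 0.59.0' to '>= 1.3.0', which the commit message does not mention. It is worth stating that the meson used on this branch satisfies the new minimum, since otherwise the project() call fails at configure time.
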
diff --git a/meta/recipes-graphics/cairo/cairo/0002-Meson-Require-C-11.patch b/meta/recipes-graphics/cairo/cairo/0002-Meson-Require-C-11.patch
new file mode 100644
index 0000000000..b395fbbc8b
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/0002-Meson-Require-C-11.patch
@@ -0,0 +1,22 @@
+From d9cc95b94b2bb1e67f2095cda484d4a8a63aba10 Mon Sep 17 00:00:00 2001
+From: Luca Bacci <luca.bacci982@gmail.com>
+Date: Thu, 16 Jan 2025 16:48:12 +0100
+Subject: [PATCH] Meson: Require C++11
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/dfd06ab3884d79de3b5bac782d1e8b2a0bd791ab]
+---
+ meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meson.build b/meson.build
+index f8432fd..85434d2 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2,6 +2,7 @@ project('cairo', 'c', 'cpp',
+   meson_version: '>= 1.3.0',
+   version: run_command(find_program('version.py'), check: true).stdout().strip(),
+   default_options: ['c_std=gnu11,c11',
++                    'cpp_std=gnu++11,c++11',
+                     'warning_level=2'],
+ )
+ 
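
Review bot: This added patch file also has no Signed-off-by line in its header, only Upstream-Status, so it needs the same fix as 0001-Require-C11.patch even though the patchtest log names only that file. The file name 0002-Meson-Require-C-11.patch drops the "++" from the Subject "Meson: Require C++11" and so reads like a second C11 patch. The commit message could also say why 'cpp_std=gnu++11,c++11' is needed, since the error it quotes is a C one from test/pdiff/pdiff.h.
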
diff --git a/meta/recipes-graphics/cairo/cairo_1.18.0.bb b/meta/recipes-graphics/cairo/cairo_1.18.0.bb
index 4c97e973d0..f1a87ccb3f 100644
--- a/meta/recipes-graphics/cairo/cairo_1.18.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.18.0.bb
@@ -30,6 +30,8 @@ DEPENDS = "fontconfig freetype glib-2.0 libpng pixman zlib"
 
 SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
            file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \
+           file://0001-Require-C11.patch \
+           file://0002-Meson-Require-C-11.patch \
           "
 
 SRC_URI[sha256sum] = "243a0736b978a33dee29f9cca7521733b78a65b5418206fef7bd1c3d4cf10b64"
-- 
2.43.0




* [OE-core][scarthgap 09/10] bash: Stick to C17 std
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 08/10] cairo: fix build with gcc-15 on host Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  2025-08-19 20:07 ` [OE-core][scarthgap 10/10] bash: use -std=gnu17 also for native CFLAGS Steve Sakoman
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

GCC 15 defaults to C23 and bash is not yet ready for that
so keep using C17 like GCC 14 for now

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/bash/bash_5.2.21.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/bash/bash_5.2.21.bb b/meta/recipes-extended/bash/bash_5.2.21.bb
index ccfe5c47a7..42ab02c440 100644
--- a/meta/recipes-extended/bash/bash_5.2.21.bb
+++ b/meta/recipes-extended/bash/bash_5.2.21.bb
@@ -22,4 +22,6 @@ SRC_URI[tarball.sha256sum] = "c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b
 DEBUG_OPTIMIZATION:append:armv4 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}"
 DEBUG_OPTIMIZATION:append:armv5 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}"
 
+CFLAGS += "-std=gnu17"
+
 BBCLASSEXTEND = "nativesdk"
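
Review bot: The added CFLAGS += "-std=gnu17" line has no comment in the recipe, so the reason for pinning the standard (GCC 15 defaulting to C23, per the commit message) and the condition for dropping the pin are not visible to whoever next upgrades bash. A short comment above the line would cover both. This hunk also sets only CFLAGS, so anything in the bash build that is compiled with the build-host flags is not covered by it; the next patch in this series adds BUILD_CFLAGS for that case.
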
-- 
2.43.0




* [OE-core][scarthgap 10/10] bash: use -std=gnu17 also for native CFLAGS
  2025-08-19 20:07 [OE-core][scarthgap 00/10] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2025-08-19 20:07 ` [OE-core][scarthgap 09/10] bash: Stick to C17 std Steve Sakoman
@ 2025-08-19 20:07 ` Steve Sakoman
  9 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:07 UTC (permalink / raw)
  To: openembedded-core

From: Martin Jansa <martin.jansa@gmail.com>

* fixes builds on host with gcc-15:
  http://errors.yoctoproject.org/Errors/Details/853016/

../../bash-5.2.37/builtins/mkbuiltins.c:268:29: error: too many arguments to function ‘xmalloc’; expected 0, have 1
  268 |           error_directory = xmalloc (2 + strlen (argv[arg_index]));
      |                             ^~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/bash/bash_5.2.21.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/bash/bash_5.2.21.bb b/meta/recipes-extended/bash/bash_5.2.21.bb
index 42ab02c440..7652e7d87a 100644
--- a/meta/recipes-extended/bash/bash_5.2.21.bb
+++ b/meta/recipes-extended/bash/bash_5.2.21.bb
@@ -23,5 +23,8 @@ DEBUG_OPTIMIZATION:append:armv4 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb
 DEBUG_OPTIMIZATION:append:armv5 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}"
 
 CFLAGS += "-std=gnu17"
+# mkbuiltins.c is built with native toolchain and needs gnu17 as well:
+# http://errors.yoctoproject.org/Errors/Details/853016/
+BUILD_CFLAGS += "-std=gnu17"
 
 BBCLASSEXTEND = "nativesdk"
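
Review bot: The comment added above BUILD_CFLAGS links to an error report, and the log quoted in the commit message shows the failure in bash-5.2.37/builtins/mkbuiltins.c, while the recipe being changed is bash_5.2.21.bb. For a stable-branch backport it would help to state in the commit message whether the same xmalloc error was reproduced with 5.2.21 on a GCC 15 host or whether the flag is being added pre-emptively.
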
-- 
2.43.0




* Patchtest results for [OE-core][scarthgap 08/10] cairo: fix build with gcc-15 on host
  2025-08-19 20:07 ` [OE-core][scarthgap 08/10] cairo: fix build with gcc-15 on host Steve Sakoman
@ 2025-08-19 20:19   ` patchtest
  0 siblings, 0 replies; 20+ messages in thread
From: patchtest @ 2025-08-19 20:19 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core


Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/scarthgap-08-10-cairo-fix-build-with-gcc-15-on-host.patch

FAIL: test Signed-off-by presence: A patch file has been added without a Signed-off-by tag: '0001-Require-C11.patch' (test_patch.TestPatch.test_signed_off_by_presence)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
