[PATCH 00/15] core package updates

[PATCH 00/15] core package updates

[Armin Kuster]

please consider these update for master-next

The following changes since commit 3b413a80578caacd9a7f405f3c51a3921d78a60d:

  README.qemu: qemuppc64 is not supported (2017-10-16 23:54:27 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib akuster/master-updates
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=akuster/master-updates

Armin Kuster (15):
  tzcode-native: update to 2017c
  tzdata: update 2017c
  libxres: upgrading to 1.2.0
  xkeyboard-config: upgrade to 2.22
  libxkbcommon: update to 0.7.2
  nspr: update to 4.17
  libxfont: update to 1.5.3
  xorg-xserver: update to 1.19.5
  libxfont2: update to 2.0.2
  xf86-input-libinput: update to 0.26.0
  nss: update to 3.33.0
  libpcre2: update to 10.30
  gnutls: update to 3.5.16
  bind: update to 9.10.6
  openssh: update to 7.6

 .../bind/{bind_9.10.5-P3.bb => bind_9.10.6.bb}     |   5 +-
 .../openssh/add-test-support-for-busybox.patch     |  64 +++-----
 ...h-7.1p1-conditional-compile-des-in-cipher.patch | 119 --------------
 ...h-7.1p1-conditional-compile-des-in-pkcs11.patch |  70 ---------
 .../openssh/{openssh_7.5p1.bb => openssh_7.6p1.bb} |  11 +-
 .../files/0001-Fix-Makefile-quoting-bug.patch      | 174 +++++++++++++++++++++
 .../files/0002-Port-zdump-to-C90-snprintf.patch    | 115 ++++++++++++++
 ...code-native_2017b.bb => tzcode-native_2017c.bb} |  15 +-
 .../tzdata/{tzdata_2017b.bb => tzdata_2017c.bb}    |   6 +-
 ...put_0.25.1.bb => xf86-input-libinput_0.26.0.bb} |   4 +-
 .../{libxfont2_2.0.1.bb => libxfont2_2.0.2.bb}     |   4 +-
 .../{libxfont_1.5.2.bb => libxfont_1.5.3.bb}       |   4 +-
 ...libxkbcommon_0.7.1.bb => libxkbcommon_0.7.2.bb} |   4 +-
 .../{libxres_1.0.7.bb => libxres_1.2.0.bb}         |   4 +-
 ...ard-config_2.21.bb => xkeyboard-config_2.22.bb} |   5 +-
 .../xserver-xorg/CVE-2017-10971-1.patch            |  76 ---------
 .../xserver-xorg/CVE-2017-10971-2.patch            |  55 -------
 .../xserver-xorg/CVE-2017-10971-3.patch            |  50 ------
 ...erver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} |   7 +-
 .../gnutls/{gnutls_3.5.13.bb => gnutls_3.5.16.bb}  |   4 +-
 .../libpcre/libpcre2/libpcre2-CVE-2017-7186.patch  |  96 ------------
 .../libpcre/libpcre2/libpcre2-CVE-2017-8786.patch  |  93 -----------
 .../{libpcre2_10.23.bb => libpcre2_10.30.bb}       |   8 +-
 .../nspr/{nspr_4.16.bb => nspr_4.17.bb}            |   4 +-
 .../nss/{nss_3.31.1.bb => nss_3.33.bb}             |   4 +-
 25 files changed, 353 insertions(+), 648 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.10.5-P3.bb => bind_9.10.6.bb} (96%)
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
 rename meta/recipes-connectivity/openssh/{openssh_7.5p1.bb => openssh_7.6p1.bb} (94%)
 create mode 100644 meta/recipes-extended/tzcode/files/0001-Fix-Makefile-quoting-bug.patch
 create mode 100644 meta/recipes-extended/tzcode/files/0002-Port-zdump-to-C90-snprintf.patch
 rename meta/recipes-extended/tzcode/{tzcode-native_2017b.bb => tzcode-native_2017c.bb} (54%)
 rename meta/recipes-extended/tzdata/{tzdata_2017b.bb => tzdata_2017c.bb} (97%)
 rename meta/recipes-graphics/xorg-driver/{xf86-input-libinput_0.25.1.bb => xf86-input-libinput_0.26.0.bb} (63%)
 rename meta/recipes-graphics/xorg-lib/{libxfont2_2.0.1.bb => libxfont2_2.0.2.bb} (80%)
 rename meta/recipes-graphics/xorg-lib/{libxfont_1.5.2.bb => libxfont_1.5.3.bb} (81%)
 rename meta/recipes-graphics/xorg-lib/{libxkbcommon_0.7.1.bb => libxkbcommon_0.7.2.bb} (83%)
 rename meta/recipes-graphics/xorg-lib/{libxres_1.0.7.bb => libxres_1.2.0.bb} (77%)
 rename meta/recipes-graphics/xorg-lib/{xkeyboard-config_2.21.bb => xkeyboard-config_2.22.bb} (87%)
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} (81%)
 rename meta/recipes-support/gnutls/{gnutls_3.5.13.bb => gnutls_3.5.16.bb} (61%)
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
 rename meta/recipes-support/libpcre/{libpcre2_10.23.bb => libpcre2_10.30.bb} (85%)
 rename meta/recipes-support/nspr/{nspr_4.16.bb => nspr_4.17.bb} (96%)
 rename meta/recipes-support/nss/{nss_3.31.1.bb => nss_3.33.bb} (98%)

-- 
2.7.4

[PATCH 01/15] tzcode-native: update to 2017c

[Armin Kuster]

LICENSE changes do to rewording
https://github.com/eggert/tz/commit/7097a652778d35acf747d14f8bf7b3ced479bbc0#diff-9879d6db96fd29134fc802214163b95a

Backported to fixes from upstream too.

Changes to code

    zic and the reference runtime now reject multiple leap seconds
    within 28 days of each other, or leap seconds before the Epoch.
    As a result, support for double leap seconds, which was
    obsolescent and undocumented, has been removed.  Double leap
    seconds were an error in the C89 standard; they have never existed
    in civil timekeeping.  (Thanks to Robert Elz and Bradley White for
    noticing glitches in the code that uncovered this problem.)

    zic now warns about use of the obsolescent and undocumented -y
    option, and about use of the obsolescent TYPE field of Rule lines.

    zic now allows unambiguous abbreviations like "Sa" and "Su" for
    weekdays; formerly it rejected them due to a bug.  Conversely, zic
    no longer considers non-prefixes to be abbreviations; for example,
    it no longer accepts "lF" as an abbreviation for "lastFriday".
    Also, zic warns about the undocumented usage with a "last-"
    prefix, e.g., "last-Fri".

    Similarly, zic now accepts the unambiguous abbreviation "L" for
    "Link" in ordinary context and for "Leap" in leap-second context.
    Conversely, zic no longer accepts non-prefixes such as "La" as
    abbreviations for words like "Leap".

    zic no longer accepts leap second lines in ordinary input, or
    ordinary lines in leap second input.  Formerly, zic sometimes
    warned about this undocumented usage and handled it incorrectly.

    The new macro HAVE_TZNAME governs whether the tzname external
    variable is exported, instead of USG_COMPAT.  USG_COMPAT now
    governs only the external variables "timezone" and "daylight".
    This change is needed because the three variables are not in the
    same category: although POSIX requires tzname, it specifies the
    other two variables as optional.  Also, USG_COMPAT is now 1 or 0:
    if not defined, the code attempts to guess it from other macros.

    localtime.c and difftime.c no longer require stdio.h, and .c files
    other than zic.c no longer require sys/wait.h.

    zdump.c no longer assumes snprintf.  (Reported by Jonathan Leffler.)

    Calculation of time_t extrema works around a bug in GCC 4.8.4
    (Reported by Stan Shebs and Joseph Myers.)

    zic.c no longer mistranslates formats of line numbers in non-English
    locales.  (Problem reported by Benno Schulenberg.)

    Several minor changes have been made to the code to make it a
    bit easier to port to MS-Windows and Solaris.  (Thanks to Kees
    Dekker for reporting the problems.)

  Changes to documentation and commentary

    The two new files 'theory.html' and 'calendars' contain the
    contents of the removed file 'Theory'.  The goal is to document
    tzdb theory more accessibly.

    The zic man page now documents abbreviation rules.

    tz-link.htm now covers how to apply tzdata changes to clients.
    (Thanks to Jorge Fábregas for the AIX link.)  It also mentions MySQL.

    The leap-seconds.list URL has been updated to something that is
    more reliable for tzdb.  (Thanks to Tim Parenti and Brian Inglis.)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../files/0001-Fix-Makefile-quoting-bug.patch      | 174 +++++++++++++++++++++
 .../files/0002-Port-zdump-to-C90-snprintf.patch    | 115 ++++++++++++++
 ...code-native_2017b.bb => tzcode-native_2017c.bb} |  15 +-
 3 files changed, 298 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-extended/tzcode/files/0001-Fix-Makefile-quoting-bug.patch
 create mode 100644 meta/recipes-extended/tzcode/files/0002-Port-zdump-to-C90-snprintf.patch
 rename meta/recipes-extended/tzcode/{tzcode-native_2017b.bb => tzcode-native_2017c.bb} (54%)

diff --git a/meta/recipes-extended/tzcode/files/0001-Fix-Makefile-quoting-bug.patch b/meta/recipes-extended/tzcode/files/0001-Fix-Makefile-quoting-bug.patch
new file mode 100644
index 0000000..e49fa09
--- /dev/null
+++ b/meta/recipes-extended/tzcode/files/0001-Fix-Makefile-quoting-bug.patch
@@ -0,0 +1,174 @@
+From b520d20b8122a783f99f088758b78d928f70ee34 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 23 Oct 2017 11:42:45 -0700
+Subject: [PATCH] Fix Makefile quoting bug
+
+Problem with INSTALLARGS reported by Zefram in:
+https://mm.icann.org/pipermail/tz/2017-October/025360.html
+Fix similar problems too.
+* Makefile (ZIC_INSTALL, VALIDATE_ENV, CC, install)
+(INSTALL, version, INSTALLARGS, right_posix, posix_right)
+(check_public): Use apostrophes to prevent undesirable
+interpretation of names by the shell.  We still do not support
+directory names containing apostrophes or newlines, but this is
+good enough.
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+* NEWS: Mention this.
+---
+ Makefile | 64 ++++++++++++++++++++++++++++++++--------------------------------
+ NEWS     |  8 ++++++++
+ 2 files changed, 40 insertions(+), 32 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c92edc0..97649ca 100644
+--- a/Makefile
++++ b/Makefile
+@@ -313,7 +313,7 @@ ZFLAGS=
+ 
+ # How to use zic to install tz binary files.
+ 
+-ZIC_INSTALL=	$(ZIC) -d $(DESTDIR)$(TZDIR) $(LEAPSECONDS)
++ZIC_INSTALL=	$(ZIC) -d '$(DESTDIR)$(TZDIR)' $(LEAPSECONDS)
+ 
+ # The name of a Posix-compliant 'awk' on your system.
+ AWK=		awk
+@@ -341,8 +341,8 @@ SGML_CATALOG_FILES= \
+ VALIDATE = nsgmls
+ VALIDATE_FLAGS = -s -B -wall -wno-unused-param
+ VALIDATE_ENV = \
+-  SGML_CATALOG_FILES=$(SGML_CATALOG_FILES) \
+-  SGML_SEARCH_PATH=$(SGML_SEARCH_PATH) \
++  SGML_CATALOG_FILES='$(SGML_CATALOG_FILES)' \
++  SGML_SEARCH_PATH='$(SGML_SEARCH_PATH)' \
+   SP_CHARSET_FIXED=YES \
+   SP_ENCODING=UTF-8
+ 
+@@ -396,7 +396,7 @@ GZIPFLAGS=	-9n
+ #MAKE=		make
+ 
+ cc=		cc
+-CC=		$(cc) -DTZDIR=\"$(TZDIR)\"
++CC=		$(cc) -DTZDIR='"$(TZDIR)"'
+ 
+ AR=		ar
+ 
+@@ -473,29 +473,29 @@ all:		tzselect yearistype zic zdump libtz.a $(TABDATA)
+ ALL:		all date $(ENCHILADA)
+ 
+ install:	all $(DATA) $(REDO) $(MANS)
+-		mkdir -p $(DESTDIR)$(ETCDIR) $(DESTDIR)$(TZDIR) \
+-			$(DESTDIR)$(LIBDIR) \
+-			$(DESTDIR)$(MANDIR)/man3 $(DESTDIR)$(MANDIR)/man5 \
+-			$(DESTDIR)$(MANDIR)/man8
++		mkdir -p '$(DESTDIR)$(ETCDIR)' '$(DESTDIR)$(TZDIR)' \
++			'$(DESTDIR)$(LIBDIR)' \
++			'$(DESTDIR)$(MANDIR)/man3' '$(DESTDIR)$(MANDIR)/man5' \
++			'$(DESTDIR)$(MANDIR)/man8'
+ 		$(ZIC_INSTALL) -l $(LOCALTIME) -p $(POSIXRULES)
+-		cp -f $(TABDATA) $(DESTDIR)$(TZDIR)/.
+-		cp tzselect zic zdump $(DESTDIR)$(ETCDIR)/.
+-		cp libtz.a $(DESTDIR)$(LIBDIR)/.
+-		$(RANLIB) $(DESTDIR)$(LIBDIR)/libtz.a
+-		cp -f newctime.3 newtzset.3 $(DESTDIR)$(MANDIR)/man3/.
+-		cp -f tzfile.5 $(DESTDIR)$(MANDIR)/man5/.
+-		cp -f tzselect.8 zdump.8 zic.8 $(DESTDIR)$(MANDIR)/man8/.
++		cp -f $(TABDATA) '$(DESTDIR)$(TZDIR)/.'
++		cp tzselect zic zdump '$(DESTDIR)$(ETCDIR)/.'
++		cp libtz.a '$(DESTDIR)$(LIBDIR)/.'
++		$(RANLIB) '$(DESTDIR)$(LIBDIR)/libtz.a'
++		cp -f newctime.3 newtzset.3 '$(DESTDIR)$(MANDIR)/man3/.'
++		cp -f tzfile.5 '$(DESTDIR)$(MANDIR)/man5/.'
++		cp -f tzselect.8 zdump.8 zic.8 '$(DESTDIR)$(MANDIR)/man8/.'
+ 
+ INSTALL:	ALL install date.1
+-		mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man1
+-		cp date $(DESTDIR)$(BINDIR)/.
+-		cp -f date.1 $(DESTDIR)$(MANDIR)/man1/.
++		mkdir -p '$(DESTDIR)$(BINDIR)' '$(DESTDIR)$(MANDIR)/man1'
++		cp date '$(DESTDIR)$(BINDIR)/.'
++		cp -f date.1 '$(DESTDIR)$(MANDIR)/man1/.'
+ 
+ version:	$(VERSION_DEPS)
+ 		{ (type git) >/dev/null 2>&1 && \
+ 		  V=`git describe --match '[0-9][0-9][0-9][0-9][a-z]*' \
+ 				--abbrev=7 --dirty` || \
+-		  V=$(VERSION); } && \
++		  V='$(VERSION)'; } && \
+ 		printf '%s\n' "$$V" >$@.out
+ 		mv $@.out $@
+ 
+@@ -529,12 +529,12 @@ leapseconds:	$(LEAP_DEPS)
+ # Arguments to pass to submakes of install_data.
+ # They can be overridden by later submake arguments.
+ INSTALLARGS = \
+- BACKWARD=$(BACKWARD) \
+- DESTDIR=$(DESTDIR) \
++ BACKWARD='$(BACKWARD)' \
++ DESTDIR='$(DESTDIR)' \
+  LEAPSECONDS='$(LEAPSECONDS)' \
+  PACKRATDATA='$(PACKRATDATA)' \
+- TZDIR=$(TZDIR) \
+- YEARISTYPE=$(YEARISTYPE) \
++ TZDIR='$(TZDIR)' \
++ YEARISTYPE='$(YEARISTYPE)' \
+  ZIC='$(ZIC)'
+ 
+ # 'make install_data' installs one set of tz binary files.
+@@ -558,16 +558,16 @@ right_only:
+ # You must replace all of $(TZDIR) to switch from not using leap seconds
+ # to using them, or vice versa.
+ right_posix:	right_only
+-		rm -fr $(DESTDIR)$(TZDIR)-leaps
+-		ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-leaps || \
+-		  $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
+-		$(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
++		rm -fr '$(DESTDIR)$(TZDIR)-leaps'
++		ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-leaps' || \
++		  $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
++		$(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
+ 
+ posix_right:	posix_only
+-		rm -fr $(DESTDIR)$(TZDIR)-posix
+-		ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-posix || \
+-		  $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
+-		$(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
++		rm -fr '$(DESTDIR)$(TZDIR)-posix'
++		ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-posix' || \
++		  $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
++		$(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
+ 
+ # This obsolescent rule is present for backwards compatibility with
+ # tz releases 2014g through 2015g.  It should go away eventually.
+@@ -764,7 +764,7 @@ set-timestamps.out: $(ENCHILADA)
+ 
+ check_public:
+ 		$(MAKE) maintainer-clean
+-		$(MAKE) "CFLAGS=$(GCC_DEBUG_FLAGS)" ALL
++		$(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' ALL
+ 		mkdir -p public.dir
+ 		for i in $(TDATA) tzdata.zi; do \
+ 		  $(zic) -v -d public.dir $$i 2>&1 || exit; \
+diff --git a/NEWS b/NEWS
+index bd2bec2..75ab095 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,13 @@
+ News for the tz database
+ 
++Unreleased, experimental changes
++
++  Changes to build procedure
++
++    The Makefile now quotes values like BACKWARD more carefully when
++    passing them to the shell.  (Problem reported by Zefram.)
++
++
+ Release 2017c - 2017-10-20 14:49:34 -0700
+ 
+   Briefly:
+-- 
+2.7.4
+
diff --git a/meta/recipes-extended/tzcode/files/0002-Port-zdump-to-C90-snprintf.patch b/meta/recipes-extended/tzcode/files/0002-Port-zdump-to-C90-snprintf.patch
new file mode 100644
index 0000000..87afe47
--- /dev/null
+++ b/meta/recipes-extended/tzcode/files/0002-Port-zdump-to-C90-snprintf.patch
@@ -0,0 +1,115 @@
+From e231da4fb2beb17c60b4b1a5c276366d6a6e433f Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 23 Oct 2017 17:58:36 -0700
+Subject: [PATCH] Port zdump to C90 + snprintf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Jon Skeet in:
+https://mm.icann.org/pipermail/tz/2017-October/025362.html
+* NEWS: Mention this.
+* zdump.c (my_snprintf): New macro or function.  If a macro, it is
+just snprintf.  If a function, it is the same as the old snprintf
+static function, with an ATTRIBUTE_FORMAT to pacify modern GCC.
+All uses of snprintf changed to use my_snprintf.  This way,
+installers don’t need to specify -DHAVE_SNPRINTF if they are using
+a pre-C99 compiler with a library that has snprintf.
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ NEWS    |  4 ++++
+ zdump.c | 29 ++++++++++++++++-------------
+ 2 files changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 75ab095..dea08b8 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ Unreleased, experimental changes
+     The Makefile now quotes values like BACKWARD more carefully when
+     passing them to the shell.  (Problem reported by Zefram.)
+ 
++    Builders no longer need to specify -DHAVE_SNPRINTF on platforms
++    that have snprintf and use pre-C99 compilers.  (Problem reported
++    by Jon Skeet.)
++
+ 
+ Release 2017c - 2017-10-20 14:49:34 -0700
+ 
+diff --git a/zdump.c b/zdump.c
+index 8e3bf3e..d4e6084 100644
+--- a/zdump.c
++++ b/zdump.c
+@@ -795,12 +795,14 @@ show(timezone_t tz, char *zone, time_t t, bool v)
+ 		abbrok(abbr(tmp), zone);
+ }
+ 
+-#if !HAVE_SNPRINTF
++#if HAVE_SNPRINTF
++# define my_snprintf snprintf
++#else
+ # include <stdarg.h>
+ 
+ /* A substitute for snprintf that is good enough for zdump.  */
+-static int
+-snprintf(char *s, size_t size, char const *format, ...)
++static int ATTRIBUTE_FORMAT((printf, 3, 4))
++my_snprintf(char *s, size_t size, char const *format, ...)
+ {
+   int n;
+   va_list args;
+@@ -839,10 +841,10 @@ format_local_time(char *buf, size_t size, struct tm const *tm)
+ {
+   int ss = tm->tm_sec, mm = tm->tm_min, hh = tm->tm_hour;
+   return (ss
+-	  ? snprintf(buf, size, "%02d:%02d:%02d", hh, mm, ss)
++	  ? my_snprintf(buf, size, "%02d:%02d:%02d", hh, mm, ss)
+ 	  : mm
+-	  ? snprintf(buf, size, "%02d:%02d", hh, mm)
+-	  : snprintf(buf, size, "%02d", hh));
++	  ? my_snprintf(buf, size, "%02d:%02d", hh, mm)
++	  : my_snprintf(buf, size, "%02d", hh));
+ }
+ 
+ /* Store into BUF, of size SIZE, a formatted UTC offset for the
+@@ -877,10 +879,10 @@ format_utc_offset(char *buf, size_t size, struct tm const *tm, time_t t)
+   mm = off / 60 % 60;
+   hh = off / 60 / 60;
+   return (ss || 100 <= hh
+-	  ? snprintf(buf, size, "%c%02ld%02d%02d", sign, hh, mm, ss)
++	  ? my_snprintf(buf, size, "%c%02ld%02d%02d", sign, hh, mm, ss)
+ 	  : mm
+-	  ? snprintf(buf, size, "%c%02ld%02d", sign, hh, mm)
+-	  : snprintf(buf, size, "%c%02ld", sign, hh));
++	  ? my_snprintf(buf, size, "%c%02ld%02d", sign, hh, mm)
++	  : my_snprintf(buf, size, "%c%02ld", sign, hh));
+ }
+ 
+ /* Store into BUF (of size SIZE) a quoted string representation of P.
+@@ -983,15 +985,16 @@ istrftime(char *buf, size_t size, char const *time_fmt,
+ 	    for (abp = ab; is_alpha(*abp); abp++)
+ 	      continue;
+ 	    len = (!*abp && *ab
+-		   ? snprintf(b, s, "%s", ab)
++		   ? my_snprintf(b, s, "%s", ab)
+ 		   : format_quoted_string(b, s, ab));
+ 	    if (s <= len)
+ 	      return false;
+ 	    b += len, s -= len;
+ 	  }
+-	  formatted_len = (tm->tm_isdst
+-			   ? snprintf(b, s, &"\t\t%d"[show_abbr], tm->tm_isdst)
+-			   : 0);
++	  formatted_len
++	    = (tm->tm_isdst
++	       ? my_snprintf(b, s, &"\t\t%d"[show_abbr], tm->tm_isdst)
++	       : 0);
+ 	}
+ 	break;
+       }
+-- 
+2.7.4
+
diff --git a/meta/recipes-extended/tzcode/tzcode-native_2017b.bb b/meta/recipes-extended/tzcode/tzcode-native_2017c.bb
similarity index 54%
rename from meta/recipes-extended/tzcode/tzcode-native_2017b.bb
rename to meta/recipes-extended/tzcode/tzcode-native_2017c.bb
index 165d2c6..aeaef72 100644
--- a/meta/recipes-extended/tzcode/tzcode-native_2017b.bb
+++ b/meta/recipes-extended/tzcode/tzcode-native_2017c.bb
@@ -3,16 +3,19 @@
 SUMMARY = "tzcode, timezone zoneinfo utils -- zic, zdump, tzselect"
 LICENSE = "PD & BSD & BSD-3-Clause"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ef1a352b901ee7b75a75df8171d6aca7"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
-           http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata"
+           http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
+           file://0001-Fix-Makefile-quoting-bug.patch \
+           file://0002-Port-zdump-to-C90-snprintf.patch"
+
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.md5sum] = "afaf15deb13759e8b543d86350385b16"
-SRC_URI[tzcode.sha256sum] = "4d1735bb54e22b8d7443d4d1f1a13d007ae11be79a35e51f8e8322fb8e292d40"
-SRC_URI[tzdata.md5sum] = "50dc0dc50c68644c1f70804f2e7a1625"
-SRC_URI[tzdata.sha256sum] = "f8242a522ea3496b0ce4ff4f2e75a049178da21001a08b8e666d8cbe07d18086"
+SRC_URI[tzcode.md5sum] = "2fe6986231db5182c61d565021a0cd7b"
+SRC_URI[tzcode.sha256sum] = "81e8b4bc23e60906640c266bbff3789661e22f0fa29fe61b96ec7c2816c079b7"
+SRC_URI[tzdata.md5sum] = "1e751e7e08f8b68530674f04619d894d"
+SRC_URI[tzdata.sha256sum] = "d6543f92a929826318e2f44ff3a7611ce5f565a43e10250b42599d0ba4cbd90b"
 
 S = "${WORKDIR}"
 
-- 
2.7.4

[PATCH 02/15] tzdata: update 2017c

[Armin Kuster]

LICENSE changed do to rewording
https://github.com/eggert/tz/commit/7097a652778d35acf747d14f8bf7b3ced479bbc0#diff-9879d6db96fd29134fc802214163b95a

  Briefly:
  Northern Cyprus switches from +03 to +02/+03 on 2017-10-29.
  Fiji ends DST 2018-01-14, not 2018-01-21.
  Namibia switches from +01/+02 to +02 on 2018-04-01.
  Sudan switches from +03 to +02 on 2017-11-01.
  Tonga likely switches from +13/+14 to +13 on 2017-11-05.
  Turks & Caicos switches from -04 to -05/-04 on 2018-11-04.
  A new file tzdata.zi now holds a small text copy of all data.
  The zic input format has been regularized slightly.

  Changes to future time stamps

    Northern Cyprus has decided to resume EU rules starting
    2017-10-29, thus reinstituting winter time.

    Fiji ends DST 2018-01-14 instead of the 2018-01-21 previously
    predicted.  (Thanks to Dominic Fok.)  Adjust future predictions
    accordingly.

    Namibia will switch from +01 with DST to +02 all year on
    2017-09-03 at 02:00.  This affects UT offsets starting 2018-04-01
    at 02:00.  (Thanks to Steffen Thorsen.)

    Sudan will switch from +03 to +02 on 2017-11-01.  (Thanks to Ahmed
    Atyya and Yahia Abdalla.)  South Sudan is not switching, so
    Africa/Juba is no longer a link to Africa/Khartoum.

    Tonga has likely ended its experiment with DST, and will not
    adjust its clocks on 2017-11-05.  Although Tonga has not announced
    whether it will continue to observe DST, the IATA is assuming that
    it will not.  (Thanks to David Wade.)

    Turks & Caicos will switch from -04 all year to -05 with US DST on
    2018-03-11 at 03:00.  This affects UT offsets starting 2018-11-04
    at 02:00.  (Thanks to Steffen Thorsen.)

  Changes to past time stamps

    Namibia switched from +02 to +01 on 1994-03-21, not 1994-04-03.
    (Thanks to Arthur David Olson.)

    Detroit did not observe DST in 1967.

    Use railway time for Asia/Kolkata before 1941, by switching to
    Madras local time (UT +052110) in 1870, then to IST (UT +0530) in
    1906.  Also, treat 1941-2's +0630 as DST, like 1942-5.

    Europe/Dublin's 1946 and 1947 fallback transitions occurred at
    02:00 standard time, not 02:00 DST.  (Thanks to Michael Deckers.)

    Pacific/Apia and Pacific/Pago_Pago switched from Antipodean to
    American time in 1892, not 1879.  (Thanks to Michael Deckers.)

    Adjust the 1867 transition in Alaska to better reflect the
    historical record, by changing it to occur on 1867-10-18 at 15:30
    Sitka time rather than at the start of 1867-10-17 local time.
    Although strictly speaking this is accurate only for Sitka,
    the rest of Alaska's blanks need to be filled in somehow.

    Fix off-by-one errors in UT offsets for Adak and Nome before 1867.
    (Thanks to Michael Deckers.)

    Add 7 s to the UT offset in Asia/Yangon before 1920.

  Changes to zone names

    Remove Canada/East-Saskatchewan from the 'backward' file, as it
    exceeded the 14-character limit and was an unused misnomer anyway.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-extended/tzdata/{tzdata_2017b.bb => tzdata_2017c.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-extended/tzdata/{tzdata_2017b.bb => tzdata_2017c.bb} (97%)

diff --git a/meta/recipes-extended/tzdata/tzdata_2017b.bb b/meta/recipes-extended/tzdata/tzdata_2017c.bb
similarity index 97%
rename from meta/recipes-extended/tzdata/tzdata_2017b.bb
rename to meta/recipes-extended/tzdata/tzdata_2017c.bb
index 55e8976..9e5b929 100644
--- a/meta/recipes-extended/tzdata/tzdata_2017b.bb
+++ b/meta/recipes-extended/tzdata/tzdata_2017c.bb
@@ -2,15 +2,15 @@ SUMMARY = "Timezone data"
 HOMEPAGE = "http://www.iana.org/time-zones"
 SECTION = "base"
 LICENSE = "PD & BSD & BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ef1a352b901ee7b75a75df8171d6aca7"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
 DEPENDS = "tzcode-native"
 
 SRC_URI = "http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata"
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzdata.md5sum] = "50dc0dc50c68644c1f70804f2e7a1625"
-SRC_URI[tzdata.sha256sum] = "f8242a522ea3496b0ce4ff4f2e75a049178da21001a08b8e666d8cbe07d18086"
+SRC_URI[tzdata.md5sum] = "1e751e7e08f8b68530674f04619d894d"
+SRC_URI[tzdata.sha256sum] = "d6543f92a929826318e2f44ff3a7611ce5f565a43e10250b42599d0ba4cbd90b"
 
 inherit allarch
 
-- 
2.7.4

[PATCH 03/15] libxres: upgrading to 1.2.0

[Armin Kuster]

https://lists.x.org/archives/xorg-announce/2017-October/002812.html
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-graphics/xorg-lib/{libxres_1.0.7.bb => libxres_1.2.0.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxres_1.0.7.bb => libxres_1.2.0.bb} (77%)

diff --git a/meta/recipes-graphics/xorg-lib/libxres_1.0.7.bb b/meta/recipes-graphics/xorg-lib/libxres_1.2.0.bb
similarity index 77%
rename from meta/recipes-graphics/xorg-lib/libxres_1.0.7.bb
rename to meta/recipes-graphics/xorg-lib/libxres_1.2.0.bb
index 8c04c44..8c34e47 100644
--- a/meta/recipes-graphics/xorg-lib/libxres_1.0.7.bb
+++ b/meta/recipes-graphics/xorg-lib/libxres_1.2.0.bb
@@ -16,5 +16,5 @@ PE = "1"
 
 XORG_PN = "libXres"
 
-SRC_URI[md5sum] = "45ef29206a6b58254c81bea28ec6c95f"
-SRC_URI[sha256sum] = "26899054aa87f81b17becc68e8645b240f140464cf90c42616ebb263ec5fa0e5"
+SRC_URI[md5sum] = "5d6d443d1abc8e1f6fc1c57fb27729bb"
+SRC_URI[sha256sum] = "ff75c1643488e64a7cfbced27486f0f944801319c84c18d3bd3da6bf28c812d4"
-- 
2.7.4

[PATCH 04/15] xkeyboard-config: upgrade to 2.22

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../xorg-lib/{xkeyboard-config_2.21.bb => xkeyboard-config_2.22.bb}  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{xkeyboard-config_2.21.bb => xkeyboard-config_2.22.bb} (87%)

diff --git a/meta/recipes-graphics/xorg-lib/xkeyboard-config_2.21.bb b/meta/recipes-graphics/xorg-lib/xkeyboard-config_2.22.bb
similarity index 87%
rename from meta/recipes-graphics/xorg-lib/xkeyboard-config_2.21.bb
rename to meta/recipes-graphics/xorg-lib/xkeyboard-config_2.22.bb
index 01a51ad..4fd894f 100644
--- a/meta/recipes-graphics/xorg-lib/xkeyboard-config_2.21.bb
+++ b/meta/recipes-graphics/xorg-lib/xkeyboard-config_2.22.bb
@@ -13,8 +13,9 @@ LICENSE = "MIT & MIT-style"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0e7f21ca7db975c63467d2e7624a12f9"
 
 SRC_URI = "${XORG_MIRROR}/individual/data/xkeyboard-config/${BPN}-${PV}.tar.bz2"
-SRC_URI[md5sum] = "af9498e8954907d0a47f0f7b3d21e1ef"
-SRC_URI[sha256sum] = "30c17049fae129fc14875656da9aa3099e3031d6ce0ee1d77aae190fd9edcec5"
+
+SRC_URI[md5sum] = "eb61fb3fd419e817df572b0c8d94a883"
+SRC_URI[sha256sum] = "deaec9989fbc443358b43864437b7b6d39caff07890a4a8055105ce9fcaa59bd"
 
 SECTION = "x11/libs"
 DEPENDS = "intltool-native util-macros libxslt-native"
-- 
2.7.4

[PATCH 05/15] libxkbcommon: update to 0.7.2

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../xorg-lib/{libxkbcommon_0.7.1.bb => libxkbcommon_0.7.2.bb}         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxkbcommon_0.7.1.bb => libxkbcommon_0.7.2.bb} (83%)

diff --git a/meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.1.bb b/meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.2.bb
similarity index 83%
rename from meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.1.bb
rename to meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.2.bb
index 81df1dd..e32dc80 100644
--- a/meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.1.bb
+++ b/meta/recipes-graphics/xorg-lib/libxkbcommon_0.7.2.bb
@@ -9,8 +9,8 @@ DEPENDS = "util-macros flex-native bison-native"
 
 SRC_URI = "http://xkbcommon.org/download/${BPN}-${PV}.tar.xz"
 
-SRC_URI[md5sum] = "947ba609cb0239b9462127d5cf8908ee"
-SRC_URI[sha256sum] = "ba59305d2e19e47c27ea065c2e0df96ebac6a3c6e97e28ae5620073b6084e68b"
+SRC_URI[md5sum] = "f53fa65beb5ae4b6a6b7f08f9dedabc4"
+SRC_URI[sha256sum] = "28a4dc2735863bec2dba238de07fcdff28c5dd2300ae9dfdb47282206cd9b9d8"
 
 UPSTREAM_CHECK_URI = "http://xkbcommon.org/"
 
-- 
2.7.4

[PATCH 06/15] nspr: update to 4.17

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/nspr/{nspr_4.16.bb => nspr_4.17.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/nspr/{nspr_4.16.bb => nspr_4.17.bb} (96%)

diff --git a/meta/recipes-support/nspr/nspr_4.16.bb b/meta/recipes-support/nspr/nspr_4.17.bb
similarity index 96%
rename from meta/recipes-support/nspr/nspr_4.16.bb
rename to meta/recipes-support/nspr/nspr_4.17.bb
index 78ef994..21768c7 100644
--- a/meta/recipes-support/nspr/nspr_4.16.bb
+++ b/meta/recipes-support/nspr/nspr_4.17.bb
@@ -23,8 +23,8 @@ CACHED_CONFIGUREVARS_append_libc-musl = " CFLAGS='${CFLAGS} -D_PR_POLL_AVAILABLE
 UPSTREAM_CHECK_URI = "http://ftp.mozilla.org/pub/nspr/releases/"
 UPSTREAM_CHECK_REGEX = "v(?P<pver>\d+(\.\d+)+)/"
 
-SRC_URI[md5sum] = "42fd8963a4b394f62d43ba604f03fab7"
-SRC_URI[sha256sum] = "9b3102d97665504aeee73363c11a21c062ad67a2522242368b7f019f96a53cd1"
+SRC_URI[md5sum] = "0534d9ac45dca251655b9b240670eab4"
+SRC_URI[sha256sum] = "590a0aea29412ae22d7728038c21ef2ab42646e48172a47d2e4bb782846d1095"
 
 CVE_PRODUCT = "netscape_portable_runtime"
 
-- 
2.7.4

[PATCH 07/15] libxfont: update to 1.5.3

[Armin Kuster]

Check for end of string in PatternMatch (CVE-2017-13720)
pcfGetProperties: Check string boundaries (CVE-2017-13722)

https://lists.x.org/archives/xorg-announce/2017-October/002816.html

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../xorg-lib/{libxfont_1.5.2.bb => libxfont_1.5.3.bb}                 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxfont_1.5.2.bb => libxfont_1.5.3.bb} (81%)

diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.3.bb
similarity index 81%
rename from meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb
rename to meta/recipes-graphics/xorg-lib/libxfont_1.5.3.bb
index b11dda5..5b15a4e 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.3.bb
@@ -18,8 +18,8 @@ XORG_PN = "libXfont"
 
 BBCLASSEXTEND = "native"
 
-SRC_URI[md5sum] = "254ee42bd178d18ebc7a73aacfde7f79"
-SRC_URI[sha256sum] = "02945ea68da447102f3e6c2b896c1d2061fd115de99404facc2aca3ad7010d71"
+SRC_URI[md5sum] = "9ba75bf38ba62a6ad52550ab716da9b3"
+SRC_URI[sha256sum] = "ab85c10fd2683481dfef672a77fe60e6a2039558cbc0e9bf56b5e1df471c93d0"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-- 
2.7.4

[PATCH 08/15] xorg-xserver: update to 1.19.5

[Armin Kuster]

Remove patches that are included in 1.19.4

[ANNOUNCE] xorg-server 1.19.4
https://lists.x.org/archives/xorg-devel/2017-October/054839.html

xkb: Handle xkb formated string output safely (CVE-2017-13723)
Xext/shm: Validate shmseg resource id (CVE-2017-13721)

[ANNOUNCE] xorg-server 1.19.5
https://lists.x.org/archives/xorg-announce/2017-October/002814.html
One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-
12176 through 2017-12187. C is a terrible language, please stop writing
code in it.

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../xserver-xorg/CVE-2017-10971-1.patch            | 76 ----------------------
 .../xserver-xorg/CVE-2017-10971-2.patch            | 55 ----------------
 .../xserver-xorg/CVE-2017-10971-3.patch            | 50 --------------
 ...erver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} |  7 +-
 4 files changed, 2 insertions(+), 186 deletions(-)
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} (81%)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
deleted file mode 100644
index 23c8049..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- dix/events.c  |    6 ++++++
- dix/swapreq.c |    7 +++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
-         client->errorValue = stuff->event.u.u.type;
-         return BadValue;
-     }
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-     if (stuff->event.u.u.type == ClientMessage &&
-         stuff->event.u.u.detail != 8 &&
-         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
-     swapl(&stuff->destination);
-     swapl(&stuff->eventMask);
- 
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-+
-     /* Swap event */
-     proc = EventSwapVector[stuff->event.u.u.type & 0177];
-     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
deleted file mode 100644
index 5c9887a..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Xi/sendexev.c |   12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
--    int ret;
-+    int ret, i;
-     DeviceIntPtr dev;
-     xEvent *first;
-     XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
--    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
--          (first->u.u.type < lastEvent))) {
--        client->errorValue = first->u.u.type;
--        return BadValue;
-+    for (i = 0; i < stuff->num_events; i++) {
-+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+            (first[i].u.u.type < lastEvent))) {
-+            client->errorValue = first[i].u.u.type;
-+            return BadValue;
-+        }
-     }
- 
-     list = (XEventClass *) (first + stuff->num_events);
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
deleted file mode 100644
index 54ba481..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: [PATCH] Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Xi/sendexev.c |   10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
- 
-     eventP = (xEvent *) &stuff[1];
-     for (i = 0; i < stuff->num_events; i++, eventP++) {
-+        if (eventP->u.u.type == GenericEvent) {
-+            client->errorValue = eventP->u.u.type;
-+            return BadValue;
-+        }
-+
-         proc = EventSwapVector[eventP->u.u.type & 0177];
--        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
-+        /* no swapping proc; invalid event type? */
-+        if (proc == NotImplemented) {
-+            client->errorValue = eventP->u.u.type;
-             return BadValue;
-+        }
-         (*proc) (eventP, &eventT);
-         *eventP = eventT;
-     }
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
similarity index 81%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
index 65ef6c6..c953031 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
@@ -5,12 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
             file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \
             file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
             file://0003-Remove-check-for-useSIGIO-option.patch \
-            file://CVE-2017-10971-1.patch \
-            file://CVE-2017-10971-2.patch \
-            file://CVE-2017-10971-3.patch \
             "
-SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"
-SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"
+SRC_URI[md5sum] = "4ac6feeae6790436ce9de879ca9a3bf8"
+SRC_URI[sha256sum] = "18fffa8eb93d06d2800d06321fc0df4d357684d8d714315a66d8dfa7df251447"
 
 # These extensions are now integrated into the server, so declare the migration
 # path for in-place upgrades.
-- 
2.7.4

[PATCH 09/15] libxfont2: update to 2.0.2

[Armin Kuster]

A collection of minor fixes since 2.0.1, including CVEs 2017-13720
and 2017-13722.

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../xorg-lib/{libxfont2_2.0.1.bb => libxfont2_2.0.2.bb}               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxfont2_2.0.1.bb => libxfont2_2.0.2.bb} (80%)

diff --git a/meta/recipes-graphics/xorg-lib/libxfont2_2.0.1.bb b/meta/recipes-graphics/xorg-lib/libxfont2_2.0.2.bb
similarity index 80%
rename from meta/recipes-graphics/xorg-lib/libxfont2_2.0.1.bb
rename to meta/recipes-graphics/xorg-lib/libxfont2_2.0.2.bb
index 4bfb290..08d1123 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont2_2.0.1.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont2_2.0.2.bb
@@ -15,8 +15,8 @@ XORG_PN = "libXfont2"
 
 BBCLASSEXTEND = "native"
 
-SRC_URI[md5sum] = "0d9f6dd9c23bf4bcbfb00504b566baf5"
-SRC_URI[sha256sum] = "e9fbbb475ddd171b3a6a54b989cbade1f6f874fc35d505ebc5be426bc6e4db7e"
+SRC_URI[md5sum] = "d39e6446e46f939486d1a8b856e8b67b"
+SRC_URI[sha256sum] = "94088d3b87f7d42c7116d9adaad155859e93330c6e47f5989f2de600b9a6c111"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-- 
2.7.4

[PATCH 10/15] xf86-input-libinput: update to 0.26.0

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../{xf86-input-libinput_0.25.1.bb => xf86-input-libinput_0.26.0.bb}  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-driver/{xf86-input-libinput_0.25.1.bb => xf86-input-libinput_0.26.0.bb} (63%)

diff --git a/meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.25.1.bb b/meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.26.0.bb
similarity index 63%
rename from meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.25.1.bb
rename to meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.26.0.bb
index 7b3ea16..54c33d7 100644
--- a/meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.25.1.bb
+++ b/meta/recipes-graphics/xorg-driver/xf86-input-libinput_0.26.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5e6b20ea2ef94a998145f0ea3f788ee0"
 
 DEPENDS += "libinput"
 
-SRC_URI[md5sum] = "14003139614b25cc76c9a4cad059df89"
-SRC_URI[sha256sum] = "489f7d591c9ef08463d4966e61f7c6ea433f5fcbb9f5370fb621da639a84c7e0"
+SRC_URI[md5sum] = "da47ef62eab1d0e922a8fa929ff81758"
+SRC_URI[sha256sum] = "abca558fc2226f295691f1cf3412d4c0edeaa439f677ca25b5c9fab310d2387b"
 
 FILES_${PN} += "${datadir}/X11/xorg.conf.d"
-- 
2.7.4

[PATCH 11/15] nss: update to 3.33.0

[Armin Kuster]

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.33_release_notes

* TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled.
* This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems.
* The compile time flag DISABLE_ECC has been removed.
* When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore.
* Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server when verifying client authentication

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.32_release_notes
The Websites (TLS/SSL) trust bit was turned off for the following root certificates.

*    CN = AddTrust Class 1 CA Root
        SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
*    CN = Swisscom Root CA 2
        SHA-256 Fingerprint: F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41

The following CA certificates were Removed:

*    CN = AddTrust Public CA Root
        SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
*    CN = AddTrust Qualified CA Root
        SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
*    CN = China Internet Network Information Center EV Certificates Root
        SHA-256 Fingerprint: 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7
*    CN = CNNIC ROOT
        SHA-256 Fingerprint: E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7
*    CN = ComSign Secured CA
        SHA-256 Fingerprint: 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2
*    CN = GeoTrust Global CA 2
        SHA-256 Fingerprint: CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85
*    CN = Secure Certificate Services
        SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
*    CN = Swisscom Root CA 1
        SHA-256 Fingerprint: 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E
*    CN = Swisscom Root EV CA 2
        SHA-256 Fingerprint: D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D
*    CN = Trusted Certificate Services
        SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
*    CN = UTN-USERFirst-Hardware
        SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
*    CN = UTN-USERFirst-Object
        SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/nss/{nss_3.31.1.bb => nss_3.33.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/nss/{nss_3.31.1.bb => nss_3.33.bb} (98%)

diff --git a/meta/recipes-support/nss/nss_3.31.1.bb b/meta/recipes-support/nss/nss_3.33.bb
similarity index 98%
rename from meta/recipes-support/nss/nss_3.31.1.bb
rename to meta/recipes-support/nss/nss_3.33.bb
index 588708f..e3d4f96 100644
--- a/meta/recipes-support/nss/nss_3.31.1.bb
+++ b/meta/recipes-support/nss/nss_3.33.bb
@@ -28,8 +28,8 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
            file://Fix-compilation-for-X32.patch \
            "
 
-SRC_URI[md5sum] = "ebb44f1394250d2cf6ec3c2e3d71fa20"
-SRC_URI[sha256sum] = "933439214dc03ee60e86d1419c19e1568998b0776dde987f41fa70ced6cd08dc"
+SRC_URI[md5sum] = "43663c850e2b2ed48ecb8910b055f5a9"
+SRC_URI[sha256sum] = "98f0dabd36408e83dd3a11727336cc3cdfee4cbdd9aede2b2831eb2389c284e4"
 
 UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
 UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
-- 
2.7.4

[PATCH 12/15] libpcre2: update to 10.30

[Armin Kuster]

LICENSE files changed:
Amend licence to relax its conditions for chains of binary distributions.

removed included patches

includes CVE-2017-8399

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libpcre/libpcre2/libpcre2-CVE-2017-7186.patch  | 96 ----------------------
 .../libpcre/libpcre2/libpcre2-CVE-2017-8786.patch  | 93 ---------------------
 .../{libpcre2_10.23.bb => libpcre2_10.30.bb}       |  8 +-
 3 files changed, 3 insertions(+), 194 deletions(-)
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
 rename meta/recipes-support/libpcre/{libpcre2_10.23.bb => libpcre2_10.30.bb} (85%)

diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
deleted file mode 100644
index bfa3bfe..0000000
--- a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-libpcre2-10.23: Fix CVE-2017-7186
-
-A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the
-library. For who is interested in a detailed description of the bug, will
-follow a feedback from upstream:
-
-This was a genuine bug in the 32-bit library. Thanks for finding it. The crash
-was caused by trying to find a Unicode property for a code value greater than
-0x10ffff, the Unicode maximum, when running in non-UTF mode (where character
-values can be up to 0xffffffff).
-
-The complete ASan output:
-
-# pcretest -32 -d $FILE
-==14788==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bbffed4df (pc 0x7f1bbee3fe6b bp 0x7fff8b50d8c0 sp 0x7fff8b50d3a0 T0)
-==14788==The signal is caused by a READ memory access.
-    #0 0x7f1bbee3fe6a in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18
-    #1 0x7f1bbee09226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8
-    #2 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
-    #3 0x7f1bbddd678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
-    #4 0x41b438 in _init (/usr/bin/pcretest+0x41b438)
-
-AddressSanitizer can not provide additional info.
-SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18 in match
-==14788==ABORTING
-
-Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?view=patch&r1=316&r2=670&sortby=date \
-                        https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?view=patch&r1=600&r2=670&sortby=date]
-CVE: CVE-2017-7186
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-
---- trunk/src/pcre2_ucd.c  2015/07/17 15:44:51 316
-+++ trunk/src/pcre2_ucd.c  2017/02/24 18:25:32 670
-@@ -41,6 +41,20 @@
- 
- const char *PRIV(unicode_version) = "8.0.0";
- 
-+/* If the 32-bit library is run in non-32-bit mode, character values
-+greater than 0x10ffff may be encountered. For these we set up a
-+special record. */
-+
-+#if PCRE2_CODE_UNIT_WIDTH == 32
-+const ucd_record PRIV(dummy_ucd_record)[] = {{
-+  ucp_Common,    /* script */
-+  ucp_Cn,        /* type unassigned */
-+  ucp_gbOther,   /* grapheme break property */
-+  0,             /* case set */
-+  0,             /* other case */
-+  }};
-+#endif
-+
- /* When recompiling tables with a new Unicode version, please check the
- types in this structure definition from pcre2_internal.h (the actual
- field names will be different):
---- trunk/src/pcre2_internal.h 2016/11/19 12:46:24 600
-+++ trunk/src/pcre2_internal.h 2017/02/24 18:25:32 670
-@@ -1774,10 +1774,17 @@
- /* UCD access macros */
- 
- #define UCD_BLOCK_SIZE 128
--#define GET_UCD(ch) (PRIV(ucd_records) + \
-+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
-         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
-         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
- 
-+#if PCRE2_CODE_UNIT_WIDTH == 32
-+#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
-+  PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
-+#else
-+#define GET_UCD(ch) REAL_GET_UCD(ch)
-+#endif
-+
- #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
- #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
- #define UCD_CATEGORY(ch)    PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
-@@ -1834,6 +1841,9 @@
- #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
- #define _pcre2_default_match_context   PCRE2_SUFFIX(_pcre2_default_match_context_)
- #define _pcre2_default_tables          PCRE2_SUFFIX(_pcre2_default_tables_)
-+#if PCRE2_CODE_UNIT_WIDTH == 32
-+#define _pcre2_dummy_ucd_record        PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
-+#endif
- #define _pcre2_hspace_list             PCRE2_SUFFIX(_pcre2_hspace_list_)
- #define _pcre2_vspace_list             PCRE2_SUFFIX(_pcre2_vspace_list_)
- #define _pcre2_ucd_caseless_sets       PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
-@@ -1858,6 +1868,9 @@
- extern const uint32_t                  PRIV(vspace_list)[];
- extern const uint32_t                  PRIV(ucd_caseless_sets)[];
- extern const ucd_record                PRIV(ucd_records)[];
-+#if PCRE2_CODE_UNIT_WIDTH == 32
-+extern const ucd_record                PRIV(dummy_ucd_record)[];
-+#endif
- extern const uint8_t                   PRIV(ucd_stage1)[];
- extern const uint16_t                  PRIV(ucd_stage2)[];
- extern const uint32_t                  PRIV(ucp_gbtable)[];
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
deleted file mode 100644
index eafafc1..0000000
--- a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-libpcre2-10.23: Fix CVE-2017-8786
-
-The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
-service (heap-based buffer overflow) or possibly have unspecified other impact
-via a crafted regular expression.
-
-Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
-CVE: CVE-2017-8786
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-
---- trunk/src/pcre2test.c  2017/03/21 16:18:54 692
-+++ trunk/src/pcre2test.c  2017/03/21 18:36:13 697
-@@ -1017,9 +1017,9 @@
-   if (test_mode == PCRE8_MODE) \
-     r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
-   else if (test_mode == PCRE16_MODE) \
--    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
-+    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
-   else \
--    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
-+    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
- 
- #define PCRE2_GET_OVECTOR_COUNT(a,b) \
-   if (test_mode == PCRE8_MODE) \
-@@ -1399,6 +1399,9 @@
- 
- /* ----- Common macros for two-mode cases ----- */
- 
-+#define BYTEONE (BITONE/8)
-+#define BYTETWO (BITTWO/8)
-+
- #define CASTFLD(t,a,b) \
-   ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
-     (t)(G(a,BITTWO)->b))
-@@ -1481,9 +1484,9 @@
- 
- #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
-   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
--    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
-+    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
-   else \
--    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
-+    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
- 
- #define PCRE2_GET_OVECTOR_COUNT(a,b) \
-   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
-@@ -1904,7 +1907,7 @@
- #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
-   a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
- #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
--  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
-+  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
- #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
- #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
- #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
-@@ -2000,7 +2003,7 @@
- #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
-   a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
- #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
--  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
-+  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
- #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
- #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
- #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
-@@ -2889,7 +2892,7 @@
-   {
-   if (pbuffer32 != NULL) free(pbuffer32);
-   pbuffer32_size = 4*len + 4;
--  if (pbuffer32_size < 256) pbuffer32_size = 256;
-+  if (pbuffer32_size < 512) pbuffer32_size = 512;
-   pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
-   if (pbuffer32 == NULL)
-     {
-@@ -7600,7 +7603,8 @@
-   int errcode;
-   char *endptr;
- 
--/* Ensure the relevant non-8-bit buffer is available. */
-+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at 
-+least 128 code units, because it is used for retrieving error messages. */
- 
- #ifdef SUPPORT_PCRE2_16
-   if (test_mode == PCRE16_MODE)
-@@ -7620,7 +7624,7 @@
- #ifdef SUPPORT_PCRE2_32
-   if (test_mode == PCRE32_MODE)
-     {
--    pbuffer32_size = 256;
-+    pbuffer32_size = 512;
-     pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
-     if (pbuffer32 == NULL)
-       {
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.30.bb
similarity index 85%
rename from meta/recipes-support/libpcre/libpcre2_10.23.bb
rename to meta/recipes-support/libpcre/libpcre2_10.30.bb
index ca2b028..a7df055 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.23.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.30.bb
@@ -8,16 +8,14 @@ SUMMARY = "Perl Compatible Regular Expressions version 2"
 HOMEPAGE = "http://www.pcre.org"
 SECTION = "devel"
 LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=12d55e15a0c6da5c645ba40382bd3293"
 
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
            file://pcre-cross.patch \
-           file://libpcre2-CVE-2017-8786.patch \
-           file://libpcre2-CVE-2017-7186.patch \
 "
 
-SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"
-SRC_URI[sha256sum] = "dfc79b918771f02d33968bd34a749ad7487fa1014aeb787fad29dd392b78c56e"
+SRC_URI[md5sum] = "d3adf4b130eed854a530390f00020a65"
+SRC_URI[sha256sum] = "90bd41c605d30e3745771eb81928d779f158081a51b2f314bbcc1f73de5773db"
 
 CVE_PRODUCT = "pcre2"
 
-- 
2.7.4

[PATCH 13/15] gnutls: update to 3.5.16

[Armin Kuster]

This is a bug fix release on the
current stable branch. Note that, I've also switched the release
cadence to bi-monthly as less and less bug fixes/updates accumulate
each month on this branch.

** API and ABI modifications:
No changes since last version.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-support/gnutls/{gnutls_3.5.13.bb => gnutls_3.5.16.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/gnutls/{gnutls_3.5.13.bb => gnutls_3.5.16.bb} (61%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.5.13.bb b/meta/recipes-support/gnutls/gnutls_3.5.16.bb
similarity index 61%
rename from meta/recipes-support/gnutls/gnutls_3.5.13.bb
rename to meta/recipes-support/gnutls/gnutls_3.5.16.bb
index 35d7d09..635c519 100644
--- a/meta/recipes-support/gnutls/gnutls_3.5.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.5.16.bb
@@ -4,7 +4,7 @@ SRC_URI += "file://0001-configure.ac-fix-sed-command.patch \
             file://use-pkg-config-to-locate-zlib.patch \
             file://arm_eabi.patch \
            "
-SRC_URI[md5sum] = "4fd41ad86572933c2379b4cc321a0959"
-SRC_URI[sha256sum] = "79f5480ad198dad5bc78e075f4a40c4a315a1b2072666919d2d05a08aec13096"
+SRC_URI[md5sum] = "4c39612f1ec3ef7ed79cfb8936fa8143"
+SRC_URI[sha256sum] = "0924dec90c37c05f49fec966eba3672dab4d336d879e5c06e06e13325cbfec25"
 
 BBCLASSEXTEND = "native nativesdk"
-- 
2.7.4

[PATCH 14/15] bind: update to 9.10.6

[Armin Kuster]

Security Fixes

     * An error in TSIG handling could permit unauthorized zone transfers
       or zone updates. These flaws are disclosed in CVE-2017-3142 and
       CVE-2017-3143. [RT #45383]
     * The BIND installer on Windows used an unquoted service path, which
       can enable privilege escalation. This flaw is disclosed in
       CVE-2017-3141. [RT #45229]
     * With certain RPZ configurations, a response with TTL 0 could cause
       named to go into an infinite query loop. This flaw is disclosed in
       CVE-2017-3140. [RT #45181]

End of Life

   The end of life for BIND 9.10 is yet to be determined but will not be
   before BIND 9.12.0 has been released for 6 months.
   https://www.isc.org/downloads/software-support-policy/

more info see https://lists.isc.org/pipermail/bind-announce/2017-July/001063.html

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-connectivity/bind/{bind_9.10.5-P3.bb => bind_9.10.6.bb} | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.10.5-P3.bb => bind_9.10.6.bb} (96%)

diff --git a/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.6.bb
similarity index 96%
rename from meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
rename to meta/recipes-connectivity/bind/bind_9.10.6.bb
index b20a4aa..7a35390 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.6.bb
@@ -23,11 +23,12 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://use-python3-and-fix-install-lib-path.patch \
            "
 
+SRC_URI[md5sum] = "84e663284b17aee0df1ce6f248b137d7"
+SRC_URI[sha256sum] = "17bbcd2bd7b1d32f5ba4b30d5dbe8a39bce200079048073d1e0d050fdf47e69d"
+
 UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
 
-SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83"
-SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a"
 
 ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
 EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
-- 
2.7.4

[PATCH 15/15] openssh: update to 7.6

[Armin Kuster]

LICENSE changed do to name being added

removed patches included in some form

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../openssh/add-test-support-for-busybox.patch     |  64 ++++-------
 ...h-7.1p1-conditional-compile-des-in-cipher.patch | 119 ---------------------
 ...h-7.1p1-conditional-compile-des-in-pkcs11.patch |  70 ------------
 .../openssh/{openssh_7.5p1.bb => openssh_7.6p1.bb} |  11 +-
 4 files changed, 25 insertions(+), 239 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
 rename meta/recipes-connectivity/openssh/{openssh_7.5p1.bb => openssh_7.6p1.bb} (94%)

diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
index adc25c6..b8402a4 100644
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
@@ -6,64 +6,42 @@ Adjust test cases to work with busybox.
 Signed-off-by: Maxin B. John <maxin.john@enea.com>
 Upstream-Status: Pending
 
-Index: openssh-6.8p1/regress/cipher-speed.sh
+Index: openssh-7.6p1/regress/cipher-speed.sh
 ===================================================================
---- openssh-6.8p1.orig/regress/cipher-speed.sh
-+++ openssh-6.8p1/regress/cipher-speed.sh
+--- openssh-7.6p1.orig/regress/cipher-speed.sh
++++ openssh-7.6p1/regress/cipher-speed.sh
 @@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
  		printf "%-60s" "$c/$m:"
  		( ${SSH} -o 'compression no' \
- 			-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+ 			-F $OBJ/ssh_proxy -m $m -c $c somehost \
 -			exec sh -c \'"dd of=/dev/null obs=32k"\' \
 +			exec sh -c \'"dd of=/dev/null bs=32k"\' \
  		< ${DATA} ) 2>&1 | getbytes
  
  		if [ $? -ne 0 ]; then
-@@ -42,7 +42,7 @@ for c in $ciphers; do
- 		printf "%-60s" "$c:"
- 		( ${SSH} -o 'compression no' \
- 			-F $OBJ/ssh_proxy -1 -c $c somehost \
--			exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+			exec sh -c \'"dd of=/dev/null bs=32k"\' \
- 		< ${DATA} ) 2>&1 | getbytes
- 		if [ $? -ne 0 ]; then
- 			fail "ssh -1 failed with cipher $c"
-Index: openssh-6.8p1/regress/transfer.sh
-===================================================================
---- openssh-6.8p1.orig/regress/transfer.sh
-+++ openssh-6.8p1/regress/transfer.sh
-@@ -15,7 +15,7 @@ for p in ${SSH_PROTOCOLS}; do
- 	for s in 10 100 1k 32k 64k 128k 256k; do
- 		trace "proto $p dd-size ${s}"
- 		rm -f ${COPY}
--		dd if=$DATA obs=${s} 2> /dev/null | \
-+		dd if=$DATA bs=${s} 2> /dev/null | \
- 			${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
- 		if [ $? -ne 0 ]; then
- 			fail "ssh cat $DATA failed"
-Index: openssh-6.8p1/regress/yes-head.sh
+Index: openssh-7.6p1/regress/transfer.sh
 ===================================================================
---- openssh-6.8p1.orig/regress/yes-head.sh
-+++ openssh-6.8p1/regress/yes-head.sh
-@@ -4,7 +4,7 @@
- tid="yes pipe head"
- 
- for p in ${SSH_PROTOCOLS}; do
--	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
-+	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)`
+--- openssh-7.6p1.orig/regress/transfer.sh
++++ openssh-7.6p1/regress/transfer.sh
+@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}		|| fail "corrupted
+ for s in 10 100 1k 32k 64k 128k 256k; do
+ 	trace "dd-size ${s}"
+ 	rm -f ${COPY}
+-	dd if=$DATA obs=${s} 2> /dev/null | \
++	dd if=$DATA bs=${s} 2> /dev/null | \
+ 		${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
  	if [ $? -ne 0 ]; then
- 		fail "yes|head test failed"
- 		lines = 0;
-Index: openssh-6.8p1/regress/key-options.sh
+ 		fail "ssh cat $DATA failed"
+Index: openssh-7.6p1/regress/key-options.sh
 ===================================================================
---- openssh-6.8p1.orig/regress/key-options.sh
-+++ openssh-6.8p1/regress/key-options.sh
-@@ -54,7 +54,7 @@ for p in ${SSH_PROTOCOLS}; do
+--- openssh-7.6p1.orig/regress/key-options.sh
++++ openssh-7.6p1/regress/key-options.sh
+@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
  	fi
  
  	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
 -	from=`head -1 $authkeys | cut -f1 -d ' '`
 +	from=`head -n 1 $authkeys | cut -f1 -d ' '`
- 	verbose "key option proto $p $from"
- 	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ 	verbose "key option $from"
+ 	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
  	if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
deleted file mode 100644
index 1098b97..0000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001
-From: Dengke Du <dengke.du@windriver.com>
-Date: Thu, 19 Jan 2017 03:00:08 -0500
-Subject: [PATCH 1/3] Remove des in cipher.
-
-Upstream-Status: Pending
-
-Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
----
- cipher.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/cipher.c b/cipher.c
-index 2def333..59f6792 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -53,8 +53,10 @@
- 
- #ifdef WITH_SSH1
- extern const EVP_CIPHER *evp_ssh1_bf(void);
-+#ifndef OPENSSL_NO_DES
- extern const EVP_CIPHER *evp_ssh1_3des(void);
- extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-+#endif /* OPENSSL_NO_DES */
- #endif
- 
- struct sshcipher_ctx {
-@@ -88,15 +90,19 @@ struct sshcipher {
- 
- static const struct sshcipher ciphers[] = {
- #ifdef WITH_SSH1
-+#ifndef OPENSSL_NO_DES
- 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
- 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-+#endif /* OPENSSL_NO_DES */
- # ifndef OPENSSL_NO_BF
- 	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
- # endif /* OPENSSL_NO_BF */
- #endif /* WITH_SSH1 */
- #ifdef WITH_OPENSSL
-+#ifndef OPENSSL_NO_DES
- 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
- 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
-+#endif /* OPENSSL_NO_DES */
- # ifndef OPENSSL_NO_BF
- 	{ "blowfish-cbc",
- 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c)
- u_int
- cipher_seclen(const struct sshcipher *c)
- {
-+#ifndef OPENSSL_NO_DES
- 	if (strcmp("3des-cbc", c->name) == 0)
- 		return 14;
-+#endif /* OPENSSL_NO_DES */
- 	return cipher_keylen(c);
- }
- 
-@@ -230,11 +238,13 @@ u_int
- cipher_mask_ssh1(int client)
- {
- 	u_int mask = 0;
-+#ifndef OPENSSL_NO_DES
- 	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
- 	mask |= 1 << SSH_CIPHER_BLOWFISH;
- 	if (client) {
- 		mask |= 1 << SSH_CIPHER_DES;
- 	}
-+#endif /*OPENSSL_NO_DES*/
- 	return mask;
- }
- 
-@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
- 	case SSH_CIPHER_SSH2:
-+#ifndef OPENSSL_NO_DES
- 	case SSH_CIPHER_DES:
-+#endif /* OPENSSL_NO_DES */
- 	case SSH_CIPHER_BLOWFISH:
- 		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
- 		if (evplen == 0)
-@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
- 		break;
- #endif
- #ifdef WITH_SSH1
-+#ifndef OPENSSL_NO_DES
- 	case SSH_CIPHER_3DES:
- 		return ssh1_3des_iv(cc->evp, 0, iv, 24);
-+#endif /* OPENSSL_NO_DES */
- #endif
- 	default:
- 		return SSH_ERR_INVALID_ARGUMENT;
-@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
- 	case SSH_CIPHER_SSH2:
-+#ifndef OPENSSL_NO_DES
- 	case SSH_CIPHER_DES:
-+#endif /* OPENSSL_NO_DES */
- 	case SSH_CIPHER_BLOWFISH:
- 		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
- 		if (evplen <= 0)
-@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
- 		break;
- #endif
- #ifdef WITH_SSH1
-+#ifndef OPENSSL_NO_DES
- 	case SSH_CIPHER_3DES:
- 		return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
-+#endif /* OPENSSL_NO_DES */
- #endif
- 	default:
- 		return SSH_ERR_INVALID_ARGUMENT;
--- 
-2.8.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
deleted file mode 100644
index 47dc73b..0000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001
-From: Dengke Du <dengke.du@windriver.com>
-Date: Thu, 19 Jan 2017 03:21:40 -0500
-Subject: [PATCH 2/3] remove des in pkcs11.
-
-Upstream-Status: Pending
-
-Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
----
- pkcs11.h | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/pkcs11.h b/pkcs11.h
-index b01d58f..98b36e6 100644
---- a/pkcs11.h
-+++ b/pkcs11.h
-@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t;
- #define CKK_GENERIC_SECRET	(0x10)
- #define CKK_RC2			(0x11)
- #define CKK_RC4			(0x12)
-+#ifndef OPENSSL_NO_DES
- #define CKK_DES			(0x13)
- #define CKK_DES2		(0x14)
- #define CKK_DES3		(0x15)
-+#endif /* OPENSSL_NO_DES */
- #define CKK_CAST		(0x16)
- #define CKK_CAST3		(0x17)
- #define CKK_CAST128		(0x18)
-@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t;
- #define CKM_RC2_CBC_PAD			(0x105)
- #define CKM_RC4_KEY_GEN			(0x110)
- #define CKM_RC4				(0x111)
-+#ifndef OPENSSL_NO_DES
- #define CKM_DES_KEY_GEN			(0x120)
- #define CKM_DES_ECB			(0x121)
- #define CKM_DES_CBC			(0x122)
-@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t;
- #define CKM_DES3_MAC			(0x134)
- #define CKM_DES3_MAC_GENERAL		(0x135)
- #define CKM_DES3_CBC_PAD		(0x136)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_CDMF_KEY_GEN		(0x140)
- #define CKM_CDMF_ECB			(0x141)
- #define CKM_CDMF_CBC			(0x142)
-@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t;
- #define CKM_MD5_KEY_DERIVATION		(0x390)
- #define CKM_MD2_KEY_DERIVATION		(0x391)
- #define CKM_SHA1_KEY_DERIVATION		(0x392)
-+#ifndef OPENSSL_NO_DES
- #define CKM_PBE_MD2_DES_CBC		(0x3a0)
- #define CKM_PBE_MD5_DES_CBC		(0x3a1)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_PBE_MD5_CAST_CBC		(0x3a2)
- #define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
- #define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
-@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t;
- #define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
- #define CKM_PBE_SHA1_RC4_128		(0x3a6)
- #define CKM_PBE_SHA1_RC4_40		(0x3a7)
-+#ifndef OPENSSL_NO_DES
- #define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
- #define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
- #define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
- #define CKM_PKCS5_PBKD2			(0x3b0)
--- 
-2.8.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
similarity index 94%
rename from meta/recipes-connectivity/openssh/openssh_7.5p1.bb
rename to meta/recipes-connectivity/openssh/openssh_7.6p1.bb
index 86ca6ff..ebb9a57 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
@@ -6,7 +6,7 @@ and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
 LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
 
 # openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
 DEPENDS = "zlib openssl10"
@@ -21,19 +21,16 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd@.service \
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
-           file://add-test-support-for-busybox.patch \
            file://run-ptest \
-           file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
-           file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
-           file://0001-openssh-Fix-syntax-error-on-x32.patch \
            file://sshd_check_keys \
+           file://add-test-support-for-busybox.patch \
            "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "652fdc7d8392f112bef11cacf7e69e23"
-SRC_URI[sha256sum] = "9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0"
+SRC_URI[md5sum] = "06a88699018e5fef13d4655abfed1f63"
+SRC_URI[sha256sum] = "a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723"
 
 inherit useradd update-rc.d update-alternatives systemd
 
-- 
2.7.4

✗ patchtest: failure for core package updates

[Patchwork]

== Series Details ==

Series: core package updates
Revision: 1
URL   : https://patchwork.openembedded.org/series/9623/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [03/15] libxres: upgrading to 1.2.0
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

Re: ✗ patchtest: failure for core package updates

[Leonardo Sandoval]

On Fri, 03 Nov 2017 20:03:06 -0000
Patchwork <patchwork@patchwork.openembedded.org> wrote:

> == Series Details ==
> 
> Series: core package updates
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/9623/
> State : failure
> 
> == Summary ==
> 
> 
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
> 
> 
> 
> * Patch            [03/15] libxres: upgrading to 1.2.0
>  Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
>   Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"


This is false positive error from patchwork/test; I will provide a fix, so please ignore it.

Leo

> 
> 
> 
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
> 
> ---
> Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core