* [OE-core][dunfell 00/11] Patch review
@ 2021-04-08 16:31 Steve Sakoman
From: Steve Sakoman @ 2021-04-08 16:31 UTC
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2031
except for a known autobuilder intermittent issue on qemuppc which passed on
subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/3261
The following changes since commit d044d9c0cb672c499059eb273e399ce4aee17e0d:
image,populate_sdk_base: move 'func' flag setting for sdk command vars (2021-04-02 04:21:56 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (3):
selftest/reproducible: enable world reproducibility test
selftest/reproducible: add an exclusion list for items that are not
yet reproducible
selftest/reproducible: track unusued entries in the exclusion list
Guillaume Champagne (1):
image-live.bbclass: optional depends when ROOTFS empty
Mike Crowe (1):
curl: Patch CVE-2021-22876 & CVE-2021-22890
Peter Morrow (2):
goarch: map target os to windows for mingw* TARGET_OS
go_1.14: don't set -buildmode=pie when building for windows targets
Richard Purdie (3):
selftest/reproducible: Sort the unused exclusion list
diffoscope: Upgrade 136 -> 168
diffoscope: Upgrade 168 -> 172
Steve Sakoman (1):
selftest/reproducible: adjust exclusion list for dunfell
meta/classes/go.bbclass | 8 +-
meta/classes/goarch.bbclass | 2 +
meta/classes/image-live.bbclass | 2 +-
meta/lib/oeqa/selftest/cases/reproducible.py | 80 ++-
meta/recipes-devtools/go/go_1.14.bb | 8 +-
.../curl/curl/CVE-2021-22876.patch | 59 +++
.../curl/curl/CVE-2021-22890.patch | 464 ++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 2 +
.../{diffoscope_136.bb => diffoscope_172.bb} | 15 +-
9 files changed, 620 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch
rename meta/recipes-support/diffoscope/{diffoscope_136.bb => diffoscope_172.bb} (46%)
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread* [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible Steve Sakoman ` (9 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Alexander Kanavin <alex.kanavin@gmail.com> Add systemd and pam distro features, and commercial license flag to include more recipes into the world set. Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ed8f94942c07784f9f6eef5c00b75aa9b398ea5e) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/reproducible.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index f570958f80..4b60b2e1b0 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py @@ -83,7 +83,7 @@ class ReproducibleTests(OESelftestTestCase): package_classes = ['deb', 'ipk'] # targets are the things we want to test the reproducibility of - targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline'] + targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'world'] # sstate targets are things to pull from sstate to potentially cut build/debugging time sstate_targets = [] save_results = False 
@@ -156,6 +156,8 @@ class ReproducibleTests(OESelftestTestCase): PACKAGE_CLASSES = "{package_classes}" INHIBIT_PACKAGE_STRIP = "1" TMPDIR = "{tmpdir}" + LICENSE_FLAGS_WHITELIST = "commercial" + DISTRO_FEATURES_append = ' systemd pam' ''').format(package_classes=' '.join('package_%s' % c for c in self.package_classes), tmpdir=tmpdir) -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
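Review bot: The two settings added in the `@@ -156,6 +156,8 @@` hunk carry no comment saying why they are there, so a later reader cannot tell that `LICENSE_FLAGS_WHITELIST = "commercial"` and the extra `systemd pam` features exist only to pull more recipes into the `world` set added to `targets` in the first hunk. Suggest a one-line comment beside them, and double quotes on `DISTRO_FEATURES_append = ' systemd pam'` to match the neighbouring assignments.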
* [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell Steve Sakoman ` (8 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Alexander Kanavin <alex.kanavin@gmail.com> Hopefully over time this list will be reduced to an empty one. Non-reproducible excluded packages are not given to diffoscope and do not cause a failure, but still saved side-by-side with non-reproducible failing ones to make investigation easier. Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 406bd0d48d8f90e2c836f7d3e204f21d5f13c833) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/reproducible.py | 82 +++++++++++++++++++- 1 file changed, 79 insertions(+), 3 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index 4b60b2e1b0..cf0375c8a1 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py 
@@ -17,6 +17,72 @@ import stat import os import datetime +# For sample packages, see: +# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-0t7wr_oo/ +# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-4s9ejwyp/ +# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-haiwdlbr/ +# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-hwds3mcl/ +# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201203-sua0pzvc/ +# (both packages/ and packages-excluded/) +exclude_packages = [ + 'acpica-src', + 'babeltrace2-ptest', + 'bootchart2-doc', + 'cups', + 'cwautomacros', + 'dtc', + 'efivar', + 'epiphany', + 'gcr', + 'git', + 'glide', + 'go-dep', + 'go-helloworld', + 'go-runtime', + 'go_', + 'groff', + 'gst-devtools', + 'gstreamer1.0-python', + 'gtk-doc', + 'igt-gpu-tools', + 'kernel-devsrc', + 'libaprutil', + 'libcap-ng', + 'libhandy-1-src', + 'libid3tag', + 'libproxy', + 'libsecret-dev', + 'libsecret-src', + 'lttng-tools-dbg', + 'lttng-tools-ptest', + 'ltp', + 'meson', + 'ovmf-shell-efi', + 'parted-ptest', + 'perf', + 'python3-cython', + 'qemu', + 'quilt-ptest', + 'rsync', + 'ruby', + 'spirv-tools-dev', + 'swig', + 'syslinux-misc', + 'systemd-bootchart', + 'valgrind-ptest', + 'vim', + 'watchdog', + 'xmlto', + 'xorg-minimal-fonts' + ] + +def is_excluded(package): + package_name = os.path.basename(package) + for i in exclude_packages: + if package_name.startswith(i): + return True + return False + MISSING = 'MISSING' DIFFERENT = 'DIFFERENT' SAME = 'SAME' @@ -39,6 +105,7 @@ class PackageCompareResults(object): self.total = [] self.missing = [] self.different = [] + self.different_excluded = [] self.same = [] def add_result(self, r): 
@@ -46,7 +113,10 @@ class PackageCompareResults(object): if r.status == MISSING: self.missing.append(r) elif r.status == DIFFERENT: - self.different.append(r) + if is_excluded(r.reference): + self.different_excluded.append(r) + else: + self.different.append(r) else: self.same.append(r) @@ -54,10 +124,11 @@ class PackageCompareResults(object): self.total.sort() self.missing.sort() self.different.sort() + self.different_excluded.sort() self.same.sort() def __str__(self): - return 'same=%i different=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.missing), len(self.total)) + return 'same=%i different=%i different_excluded=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total)) def compare_file(reference, test, diffutils_sysroot): result = CompareResult() @@ -226,6 +297,7 @@ class ReproducibleTests(OESelftestTestCase): self.write_package_list(package_class, 'missing', result.missing) self.write_package_list(package_class, 'different', result.different) + self.write_package_list(package_class, 'different_excluded', result.different_excluded) self.write_package_list(package_class, 'same', result.same) if self.save_results: 
@@ -233,8 +305,12 @@ class ReproducibleTests(OESelftestTestCase): self.copy_file(d.reference, '/'.join([save_dir, 'packages', strip_topdir(d.reference)])) self.copy_file(d.test, '/'.join([save_dir, 'packages', strip_topdir(d.test)])) + for d in result.different_excluded: + self.copy_file(d.reference, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.reference)])) + self.copy_file(d.test, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.test)])) + if result.missing or result.different: - fails.append("The following %s packages are missing or different: %s" % + fails.append("The following %s packages are missing or different and not in exclusion list: %s" % (c, '\n'.join(r.test for r in (result.missing + result.different)))) # Clean up empty directories -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
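Review bot: `is_excluded()` in the `@@ -17,6 +17,72 @@` hunk matches with `package_name.startswith(i)`, so short entries such as `'git'`, `'perf'`, `'qemu'`, `'ruby'` and `'vim'` also exclude any other package whose file name merely begins with those letters. A reproducibility regression in such a package would be counted under `different_excluded` and would not fail the test. Suggest matching the entry followed by a name delimiter (the `'go_'` entry already carries its own), or stating in the comment above the list that every entry is an intentional prefix.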
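Review bot: The new failure text in the `@@ -233,8 +305,12 @@` hunk reads "missing or different and not in exclusion list", but `add_result()` only checks `DIFFERENT` results against the list; everything in `result.missing` is still reported, excluded or not. Suggest wording it as "missing, or different and not in exclusion list", or passing missing packages through `is_excluded()` as well if that is the intent.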
* [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list Steve Sakoman ` (7 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core Signed-off-be: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/reproducible.py | 32 ++++++-------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index cf0375c8a1..c023c92d5d 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py @@ -27,11 +27,8 @@ import datetime exclude_packages = [ 'acpica-src', 'babeltrace2-ptest', + 'bind', 'bootchart2-doc', - 'cups', - 'cwautomacros', - 'dtc', - 'efivar', 'epiphany', 'gcr', 'git', 
@@ -40,40 +37,31 @@ exclude_packages = [ 'go-helloworld', 'go-runtime', 'go_', - 'groff', - 'gst-devtools', 'gstreamer1.0-python', - 'gtk-doc', - 'igt-gpu-tools', + 'hwlatdetect', 'kernel-devsrc', 'libaprutil', 'libcap-ng', - 'libhandy-1-src', - 'libid3tag', + 'libjson', 'libproxy', - 'libsecret-dev', - 'libsecret-src', + 'lsb-release', 'lttng-tools-dbg', 'lttng-tools-ptest', 'ltp', - 'meson', 'ovmf-shell-efi', 'parted-ptest', 'perf', - 'python3-cython', + 'piglit', + 'pybootchartgui', 'qemu', - 'quilt-ptest', + "rpm", 'rsync', 'ruby', - 'spirv-tools-dev', - 'swig', - 'syslinux-misc', + 'stress-ng', 'systemd-bootchart', - 'valgrind-ptest', + 'systemtap', 'vim', - 'watchdog', - 'xmlto', - 'xorg-minimal-fonts' + 'webkitgtk', ] def is_excluded(package): -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
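Review bot: The `@@ -40,40 +37,31 @@` hunk adds `"rpm",` in double quotes while every other entry uses single quotes; please make it `'rpm',`. Because `is_excluded()` matches by prefix, the new short entries `'rpm'` and `'bind'` cover every package whose file name starts with them, so a line in the commit message on how the dunfell list was derived and whether that breadth is intended would help. The trailer is also spelled `Signed-off-be:` rather than `Signed-off-by:`.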
* [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (2 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused " Steve Sakoman ` (6 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Alexander Kanavin <alex.kanavin@gmail.com> This helps with trimming down the list, and towards 100% reproducibility :) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit da7a173d7a01524229c8515326465968a845e96f) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/reproducible.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index c023c92d5d..b331c3dedf 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py @@ -68,8 +68,8 @@ def is_excluded(package): package_name = os.path.basename(package) for i in exclude_packages: if package_name.startswith(i): - return True - return False + return i + return None MISSING = 'MISSING' DIFFERENT = 'DIFFERENT' 
@@ -95,14 +95,17 @@ class PackageCompareResults(object): self.different = [] self.different_excluded = [] self.same = [] + self.active_exclusions = set() def add_result(self, r): self.total.append(r) if r.status == MISSING: self.missing.append(r) elif r.status == DIFFERENT: - if is_excluded(r.reference): + exclusion = is_excluded(r.reference) + if exclusion: self.different_excluded.append(r) + self.active_exclusions.add(exclusion) else: self.different.append(r) else: @@ -116,7 +119,10 @@ class PackageCompareResults(object): self.same.sort() def __str__(self): - return 'same=%i different=%i different_excluded=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total)) + return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions()) + + def unused_exclusions(self): + return set(exclude_packages) - self.active_exclusions def compare_file(reference, test, diffutils_sysroot): result = CompareResult() -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
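Review bot: `is_excluded()` in the `@@ -68,8 +68,8 @@` hunk now returns the matching list entry or `None` instead of a boolean, but keeps a predicate name and has no docstring; suggest renaming it or documenting the return value so callers do not assume `True`/`False`. In the `@@ -116,7 +119,10 @@` hunk, `unused_exclusions()` returns a `set` that `__str__` formats with `%s`, so entry order in the log is not stable from run to run (05/11 in this series sorts it). `active_exclusions` is also kept per `PackageCompareResults` instance, so an entry can be listed as unused in one result set while matching in another; a comment saying so would avoid entries being trimmed too early.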
* [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused exclusion list 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (3 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168 Steve Sakoman ` (5 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> This makes comparisions between lists easier. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d2c52125d1cdc06c7e08d507ca68f3e4612a4314) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/reproducible.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index b331c3dedf..f5e3bff5a4 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py @@ -122,7 +122,7 @@ class PackageCompareResults(object): return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions()) def unused_exclusions(self): - return set(exclude_packages) - self.active_exclusions + return sorted(set(exclude_packages) - self.active_exclusions) def compare_file(reference, test, diffutils_sysroot): result = CompareResult() -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
* [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (4 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused " Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172 Steve Sakoman ` (4 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> Needed to support reproducible build testing on autobuilder Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../{diffoscope_136.bb => diffoscope_168.bb} | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) rename meta/recipes-support/diffoscope/{diffoscope_136.bb => diffoscope_168.bb} (46%) diff --git a/meta/recipes-support/diffoscope/diffoscope_136.bb b/meta/recipes-support/diffoscope/diffoscope_168.bb similarity index 46% rename from meta/recipes-support/diffoscope/diffoscope_136.bb rename to meta/recipes-support/diffoscope/diffoscope_168.bb index e699d15e90..00a8195c84 100644 --- a/meta/recipes-support/diffoscope/diffoscope_136.bb +++ b/meta/recipes-support/diffoscope/diffoscope_168.bb @@ -1,10 +1,5 @@ SUMMARY = "in-depth comparison of files, archives, and directories" -DESCRIPTION = "Tries to get to the bottom of what makes files or directories \ -different. It will recursively unpack archives of many kinds and transform \ -various binary formats into more human-readable form to compare them. \ -It can compare two tarballs, ISO images, or PDF just as easily." HOMEPAGE = "https://diffoscope.org/" -BUGTRACKER = "https://salsa.debian.org/reproducible-builds/diffoscope/-/issues" LICENSE = "GPL-3.0+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" 
@@ -12,12 +7,18 @@ PYPI_PACKAGE = "diffoscope" inherit pypi setuptools3 -SRC_URI[md5sum] = "c84d8d308a40176ba2f5dc4abdbf6f73" -SRC_URI[sha256sum] = "0d6486d6eb6e0445ba21fee2e8bdd3a366ce786bfac98e00e5a95038b7815f15" +SRC_URI[sha256sum] = "c6f1dc3e75b7e2e5ceac4f857fbd2ee0ddb3f0169c2b39ea9187af34208e98de" RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic" # Dependencies don't build for musl COMPATIBLE_HOST_libc-musl = 'null' +do_install_append_class-native() { + create_wrapper ${D}${bindir}/diffoscope \ + MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \ + RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \ + RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} +} + BBCLASSEXTEND = "native" -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
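Review bot: The `@@ -1,10 +1,5 @@` hunk deletes `DESCRIPTION` and `BUGTRACKER` from the recipe, which a version upgrade does not require and the commit message does not explain; suggest keeping both. The message also has no `Signed-off-by` from the author named in `From:` and no `(cherry picked from commit ...)` line, unlike the other backports in this series, so the upstream origin of the change cannot be checked from the patch.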
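Review bot: `do_install_append_class-native()` in the `@@ -12,12 +7,18 @@` hunk wraps diffoscope with `MAGIC`, `RPM_CONFIGDIR` and `RPM_ETCCONFIGDIR` pointing into the native sysroot, but nothing says why the wrapper is needed or what fails without it. Suggest a short comment above the function, and a mention in the commit message, which currently only says the upgrade is needed for autobuilder testing.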
* [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (5 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168 Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890 Steve Sakoman ` (3 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> In particular 170 includes rpm header fixes which stop the webpages for rpm diffs breaking web browsers and are important in the context of the autobuilder. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 275738c3f2116de9b812b46e00d80b4de6975d7f) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../diffoscope/{diffoscope_168.bb => diffoscope_172.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/diffoscope/{diffoscope_168.bb => diffoscope_172.bb} (88%) diff --git a/meta/recipes-support/diffoscope/diffoscope_168.bb b/meta/recipes-support/diffoscope/diffoscope_172.bb similarity index 88% rename from meta/recipes-support/diffoscope/diffoscope_168.bb rename to meta/recipes-support/diffoscope/diffoscope_172.bb index 00a8195c84..eb85d6c854 100644 --- a/meta/recipes-support/diffoscope/diffoscope_168.bb +++ b/meta/recipes-support/diffoscope/diffoscope_172.bb @@ -7,7 +7,7 @@ PYPI_PACKAGE = "diffoscope" inherit pypi setuptools3 -SRC_URI[sha256sum] = "c6f1dc3e75b7e2e5ceac4f857fbd2ee0ddb3f0169c2b39ea9187af34208e98de" +SRC_URI[sha256sum] = "5ffe7f38555c6409bc7e7edc277ed77dd78641fe1306fc38d153dbbe445ddea4" RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic" -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
* [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (6 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172 Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty Steve Sakoman ` (2 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Mike Crowe <mac@mcrowe.com> Take patches from Ubuntu 20.04 7.68.0-1ubuntu2.5, which is close enough that they apply without conflicts. Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../curl/curl/CVE-2021-22876.patch | 59 +++ .../curl/curl/CVE-2021-22890.patch | 464 ++++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 2 + 3 files changed, 525 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch new file mode 100644 index 0000000000..fc396aabef --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch 
@@ -0,0 +1,59 @@ +transfer: strip credentials from the auto-referer header field + +CVE-2021-22876 + +Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. + +Bug: https://curl.se/docs/CVE-2021-22876.html +Upstream-Status: backport +--- + lib/transfer.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index e76834eb3..744e1c00b 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +-- +2.20.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch new file mode 100644 index 0000000000..8c0ecbfe7f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch 
@@ -0,0 +1,464 @@ +vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() + +To make sure we set and extract the correct session. + +Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. + +CVE-2021-22890 + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html +Upstream-Status: backport +--- + lib/vtls/bearssl.c | 9 +++++--- + lib/vtls/gtls.c | 9 +++++--- + lib/vtls/mbedtls.c | 8 ++++--- + lib/vtls/mesalink.c | 9 +++++--- + lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++---------- + lib/vtls/schannel.c | 10 +++++---- + lib/vtls/sectransp.c | 9 ++++---- + lib/vtls/vtls.c | 9 ++++++-- + lib/vtls/vtls.h | 2 ++ + lib/vtls/wolfssl.c | 8 ++++--- + 10 files changed, 88 insertions(+), 37 deletions(-) + +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c +index 67f945831..32cb0a4c2 100644 +--- a/lib/vtls/bearssl.c ++++ b/lib/vtls/bearssl.c +@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) + void *session; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } +@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) + return CURLE_OUT_OF_MEMORY; + br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session); + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(conn, oldsession); +- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); ++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? 
TRUE : FALSE, ++ session, 0, sockindex); + Curl_ssl_sessionid_unlock(conn); + if(ret) { + free(session); +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 5f740eeba..46e149c7d 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn, + size_t ssl_idsize; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, &ssl_idsize, sockindex)) { + /* we got a session id, use it! */ + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); + +@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn, + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, + sockindex)); + if(incache) { + /* there was one before in the cache, so instead of risking that the +@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn, + } + + /* store this session id */ +- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, ++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ connect_sessionid, connect_idsize, + sockindex); + Curl_ssl_sessionid_unlock(conn); + if(result) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index f057315f3..19df8478e 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn, + void *old_session = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? 
TRUE : FALSE, ++ &old_session, NULL, sockindex)) { + ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(conn); +@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn, + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) +@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn, + + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) ++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex)) + Curl_ssl_delsessionid(conn, old_ssl_sessionid); + +- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); ++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex); + Curl_ssl_sessionid_unlock(conn); + if(retcode) { + mbedtls_ssl_session_free(our_ssl_sessionid); +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index cab1e390b..79d1e3dfa 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool inproxy = SSL_IS_PROXY() ? 
TRUE : FALSE; + + our_ssl_sessionid = SSL_get_session(BACKEND->handle); + + Curl_ssl_sessionid_lock(conn); + incache = +- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); ++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, ++ NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) + + if(!incache) { + result = Curl_ssl_addsessionid( +- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); ++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(conn); + failf(data, "failed to store ssl session"); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1d09cadca..64f43605a 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index = -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, +- NULL); ++ static int sockindex_index = -1; ++ if(sockindex_index < 0) { ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index = -1; ++ if(proxy_index < 0) { ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } + + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void) + #endif + + /* Initialize the extra data indexes */ +- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) ++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || ++ ossl_get_proxy_index() < 0) + return 0; + + return 1; +@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + curl_socket_t *sockindex_ptr; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ bool isproxy; + +- if(connectdata_idx < 0 || sockindex_idx < 0) ++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + return 0; + + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex = (int)(sockindex_ptr - conn->sock); + ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, +- sockindex)); ++ if(isproxy) ++ incache = FALSE; ++ else ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + } + + if(!incache) { +- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, ++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res = 1; +@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + void *ssl_sessionid = NULL; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); + +- if(connectdata_idx >= 0 && sockindex_idx >= 0) { ++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn); + SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL); ++#endif ++ + } + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! 
*/ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index f665ee340..a354ce95d 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) + /* check for an existing re-usable credential handle */ + if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ (void **)&old_cred, NULL, sockindex)) { + BACKEND->cred = old_cred; + DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); + +@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + SECURITY_STATUS sspi_status = SEC_E_OK; + CERT_CONTEXT *ccert_context = NULL; ++ bool isproxy = SSL_IS_PROXY(); + #ifdef DEBUGBUILD +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ const char * const hostname = isproxy ? 
conn->http_proxy.host.name : + conn->host.name; + #endif + #ifdef HAS_ALPN +@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) + struct curl_schannel_cred *old_cred = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL, + sockindex)); + if(incache) { + if(old_cred != BACKEND->cred) { +@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) + } + } + if(!incache) { +- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, ++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred, + sizeof(struct curl_schannel_cred), + sockindex); + if(result) { +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 7dd028fb7..9c67d465a 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + char * const ssl_cert = SSL_SET_OPTION(cert); +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ bool isproxy = SSL_IS_PROXY(); ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? 
conn->port : conn->remote_port; + #ifdef ENABLE_IPV6 +@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, + + #ifdef USE_NGHTTP2 + if(data->set.httpversion >= CURL_HTTP_VERSION_2 && +- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { ++ (!isproxy || !conn->bits.tunnel_proxy)) { + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); + infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); + } +@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, + size_t ssl_sessionid_len; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, ++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, + &ssl_sessionid_len, sockindex)) { + /* we got a session id, use it! */ + err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len); +@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, + return CURLE_SSL_CONNECT_ERROR; + } + +- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, ++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len, + sockindex); + Curl_ssl_sessionid_unlock(conn); + if(result) { +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index dfefa1bd5..aaf73ef8f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) + * there's one suitable, it is provided. Returns TRUE when no entry matched. + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + long *general_age; + bool no_match = TRUE; + +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + int port = isProxy ? (int)conn->port : conn->remote_port; + *ssl_sessionid = NULL; + ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) + * later on. + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + char *clone_conn_to_host; + int conn_to_port; + long *general_age; +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index a81b2f22d..a5e348752 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); + * under sessionid mutex). + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + * object with cache (e.g. 
incrementing refcount on success) + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index 8c2d3f4a2..dd9f907ff 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn, + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; +@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn, + void *old_ssl_sessionid = NULL; + + our_ssl_sessionid = SSL_get_session(BACKEND->handle); ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, + sockindex)); + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { +@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn, + } + + if(!incache) { +- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, ++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, + 0 /* unknown size */, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(conn); +-- +2.20.1 + diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 4cc35c2c51..13ab29cf69 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
@@ -17,6 +17,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2020-8284.patch \ file://CVE-2020-8285.patch \ file://CVE-2020-8286.patch \ + file://CVE-2021-22876.patch \ + file://CVE-2021-22890.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
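Review bot: In the wolfssl_connect_step3 hunk of lib/vtls/wolfssl.c, the new `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` is declared after the statement `our_ssl_sessionid = SSL_get_session(BACKEND->handle);`, so a declaration now follows code inside the block. The schannel_connect_step3 and sectransp_connect_step1 hunks in this same patch declare isproxy among the other locals at the top of the block; doing the same here keeps the file acceptable to C89 compilers and to builds using -Wdeclaration-after-statement.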
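Review bot: In the ossl_new_session_cb hunk of lib/vtls/openssl.c, the new `if(isproxy) incache = FALSE;` branch skips the cache lookup entirely, so a new proxy session always goes to Curl_ssl_addsessionid without the stale-entry check the non-proxy path performs, and nothing in the hunk says why. A short comment giving the reason would help the next reader; since the else branch only runs when isproxy is false, passing FALSE to Curl_ssl_getsessionid there would also make the intent explicit.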
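Review bot: The lib/vtls/vtls.c hunks add the CURL_DISABLE_PROXY early return (`if(isProxy) return TRUE;`) to Curl_ssl_getsessionid only; Curl_ssl_addsessionid takes the same new isProxy argument but gets no matching guard, so either add one or note why it is not needed. The parameter is also spelled inconsistently: vtls.h declares `const bool isproxy` for the getter and `const bool isProxy` for the adder, while the vtls.c definition of Curl_ssl_addsessionid takes plain `bool isProxy`. Pick one name and one qualifier for prototype and definition.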
* [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (7 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890 Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Guillaume Champagne <champagne.guillaume.c@gmail.com> `ROOTFS` is optional. It can be empty if the live image doesn't require a rootfs. In such cases, the build doesn't depend on `do_image_{LIVE_ROOTFS_TYPE}`. Signed-off-by: Guillaume Champagne <champagne.guillaume.c@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 96f47c39f1d17f073243913d524bde84add41d8f) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/image-live.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass index 54058b350d..e9eba1fc4b 100644 --- a/meta/classes/image-live.bbclass +++ b/meta/classes/image-live.bbclass @@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \ virtual/kernel:do_deploy \ ${MLPREFIX}syslinux:do_populate_sysroot \ syslinux-native:do_populate_sysroot \ - ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \ + ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \ " -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
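Review bot: The replacement line in do_bootimg[depends] packs a format expression and a conditional into one inline `${@...}` with no grouping, so the reader has to know that `%` binds tighter than `if ... else` to see that the whole `'%s:do_image_%s' % (...)` string is what gets dropped when ROOTFS is empty. Wrapping the formatted string in parentheses would make that explicit. The test is also plain truthiness on `d.getVar('ROOTFS')`, so a ROOTFS containing only whitespace still adds the dependency; if that should count as empty, strip the value before testing it.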
* [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (8 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 2021-04-08 16:31 ` [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Peter Morrow <pemorrow@linux.microsoft.com> mingw32/mingw64 is not a supported value for GOOS, so map from 'mingw*' to 'windows' to enable building for windows targets. Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/goarch.bbclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/classes/goarch.bbclass b/meta/classes/goarch.bbclass index 1099b95769..ecd3044edd 100644 --- a/meta/classes/goarch.bbclass +++ b/meta/classes/goarch.bbclass @@ -114,6 +114,8 @@ def go_map_mips(a, f, d): def go_map_os(o, d): if o.startswith('linux'): return 'linux' + elif o.startswith('mingw'): + return 'windows' return o -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
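Review bot: The new `elif o.startswith('mingw'):` branch in go_map_os carries no comment, and the reason for it (mingw32/mingw64 is not a supported GOOS value) exists only in the commit message. A one-line comment above the branch would keep that rationale visible in goarch.bbclass itself.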
* [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets 2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (9 preceding siblings ...) 2021-04-08 16:31 ` [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS Steve Sakoman @ 2021-04-08 16:31 ` Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw) To: openembedded-core From: Peter Morrow <pemorrow@linux.microsoft.com> go 1.14 for windows targets does not support -buildmode=pie, disable it and use the default buildmode instead. Support for -buildmode=pie for windows targets is added with go 1.15 (https://golang.org/doc/go1.15) which is added to poky in gatesgarth. Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/go.bbclass | 8 ++++---- meta/recipes-devtools/go/go_1.14.bb | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass index e6c3591479..16e46398b1 100644 --- a/meta/classes/go.bbclass +++ b/meta/classes/go.bbclass @@ -145,11 +145,11 @@ FILES_${PN}-staticdev = "${libdir}/go/pkg" INSANE_SKIP_${PN} += "ldflags" -# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but mips -# doesn't support -buildmode=pie, so skip the QA checking for mips and its -# variants. +# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but +# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking +# for windows/mips/riscv and their variants. python() { - if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH'): + if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'): d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel") else: d.appendVar('GOBUILDFLAGS', ' -buildmode=pie') 
diff --git a/meta/recipes-devtools/go/go_1.14.bb b/meta/recipes-devtools/go/go_1.14.bb index bc90a1329e..c17527998b 100644 --- a/meta/recipes-devtools/go/go_1.14.bb +++ b/meta/recipes-devtools/go/go_1.14.bb @@ -3,11 +3,11 @@ require go-target.inc export GOBUILDMODE="" export CGO_ENABLED_riscv64 = "" -# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but mips/riscv -# doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its -# variants. +# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but +# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking +# for windows/mips/riscv and their variants. python() { - if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True): + if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True) or 'windows' in d.getVar('TARGET_GOOS', True): d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel") else: d.setVar('GOBUILDMODE', 'pie') -- 2.25.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
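Review bot: Both python() hunks (go.bbclass and go_1.14.bb) test `'windows' in d.getVar('TARGET_GOOS')`, which is a substring match on a value that is meant to be an exact GOOS name, and which raises TypeError if TARGET_GOOS is unset because getVar then returns None. Comparing with `== 'windows'` states the intent and is safe for the unset case. The rewritten comments also say "windows/mips/riscv doesn't support"; that should read "don't support", and it would be clearer to note that windows is matched on TARGET_GOOS while mips and riscv are matched on TARGET_ARCH.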
* [OE-core][dunfell 00/11] Patch review
@ 2022-01-13 14:37 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-13 14:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3112
The following changes since commit da3bd5e0934b6462ae53225a58305235849b32d5:
asciidoc: properly detect and compare Python versions >= 3.10 (2022-01-09 06:49:29 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Akash Hadke (1):
glibc: Add fix for data races in pthread_create and TLS access
Alexander Kanavin (1):
parselogs: add a couple systemd false positives
Anuj Mittal (1):
xserver-xorg: update CVE_PRODUCT
Konrad Weihmann (1):
cve-check: add lockfile to task
Mingli Yu (1):
wic: use shutil.which
Ricardo Ribalda Delgado (1):
wic: misc: Do not find for executables in ASSUME_PROVIDED
Richard Purdie (1):
expat: Update HOMEPAGE to current url
Ross Burton (2):
cve-update-db-native: use fetch task
xserver-xorg: whitelist two CVEs
Steve Sakoman (2):
valgrind: skip flakey ptest (gdbserver_tests/hginfo)
oeqa/selftest/cases/tinfoil.py: increase timeout 60->120s
test_wait_event
meta/classes/cve-check.bbclass | 3 +-
meta/lib/oeqa/runtime/cases/parselogs.py | 2 +
meta/lib/oeqa/selftest/cases/tinfoil.py | 4 +-
meta/recipes-core/expat/expat_2.2.9.bb | 2 +-
...ate-slotinfo-to-avoid-use-after-free.patch | 66 +++++
...hread_create-and-TLS-access-BZ-19329.patch | 191 ++++++++++++
...d-atomics-for-racy-accesses-BZ-19329.patch | 206 +++++++++++++
.../0033-elf-Add-test-case-for-BZ-19329.patch | 144 +++++++++
...elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch | 180 ++++++++++++
...-lazy-relocation-of-tlsdesc-BZ-27137.patch | 56 ++++
...-lazy-relocation-of-tlsdesc-BZ-27137.patch | 124 ++++++++
...ock-between-pthread_create-and-ctors.patch | 276 ++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 8 +
.../recipes-core/meta/cve-update-db-native.bb | 9 +-
.../valgrind/valgrind/remove-for-aarch64 | 1 +
.../valgrind/valgrind/remove-for-all | 1 +
.../xorg-xserver/xserver-xorg.inc | 10 +-
scripts/lib/wic/engine.py | 6 +-
scripts/lib/wic/misc.py | 16 +-
scripts/wic | 4 +-
20 files changed, 1292 insertions(+), 17 deletions(-)
create mode 100644 meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
create mode 100644 meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
create mode 100644 meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
create mode 100644 meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
create mode 100644 meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-01-20 21:23 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-20 21:23 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3141
The following changes since commit 01f256bc72fb45c80b6a6c77506bc4c375965a3a:
glibc: Add fix for data races in pthread_create and TLS access (2022-01-12 04:37:31 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.169
linux-yocto/5.4: update to v5.4.170
linux-yocto/5.4: update to v5.4.171
linux-yocto/5.4: update to v5.4.172
kernel: introduce python3-dtschema-wrapper
Kai Kang (1):
speex: fix CVE-2020-23903
Marek Vasut (1):
Revert "weston: Use systemd notify,"
Richard Purdie (1):
lttng-tools: Add missing DEPENDS on bison-native
Steve Sakoman (3):
expat fix CVE-2022-22822 through CVE-2022-22827
expat: fix CVE-2021-45960
expat: fix CVE-2021-46143
meta/conf/distro/include/maintainers.inc | 1 +
.../expat/expat/CVE-2021-45960.patch | 65 +++++
.../expat/expat/CVE-2021-46143.patch | 43 +++
.../expat/expat/CVE-2022-22822-27.patch | 257 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 3 +
.../wayland/weston-init/weston-start | 12 -
.../wayland/weston-init/weston@.service | 6 -
.../weston/systemd-notify.weston-start | 9 -
.../wayland/weston/xwayland.weston-start | 3 +-
meta/recipes-graphics/wayland/weston_8.0.0.bb | 6 -
.../python3-dtschema-wrapper/dt-doc-validate | 20 ++
.../dtc/python3-dtschema-wrapper/dt-mk-schema | 20 ++
.../dtc/python3-dtschema-wrapper/dt-validate | 20 ++
.../dtc/python3-dtschema-wrapper_2021.10.bb | 17 ++
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../lttng/lttng-tools_2.11.5.bb | 2 +-
.../speex/speex/CVE-2020-23903.patch | 30 ++
meta/recipes-multimedia/speex/speex_1.2.0.bb | 4 +-
20 files changed, 500 insertions(+), 54 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2021-45960.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2021-46143.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
delete mode 100644 meta/recipes-graphics/wayland/weston/systemd-notify.weston-start
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
create mode 100644 meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-04-16 19:14 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-04-16 19:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3537
with the exception of a known issue with meta-intel due to the zlib CVE fix, see:
https://lists.openembedded.org/g/openembedded-core/message/163793
The intent is to fix meta-intel after this patch set is merged to dunfell.
The following changes since commit aa762b7ca2417b80dd114a4ab263d69074912f82:
tzdata: update to 2022a (2022-04-04 04:22:32 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexandre Belloni (1):
pseudo: Fix handling of absolute links
Martin Jansa (1):
license_image.bbclass: close package.manifest file
Peter Kjellerstedt (1):
metadata_scm.bbclass: Use immediate expansion for the METADATA_*
variables
Ralph Siemsen (3):
gzip: fix CVE-2022-1271
xz: fix CVE-2022-1271
apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bug
Richard Purdie (4):
vim: Upgrade 8.2.4524 -> 8.2.4681
git: Ignore CVE-2022-24975
pseudo: Add patch to workaround paths with crazy lengths
libxshmfence: Correct LICENSE to HPND
Ross Burton (1):
zlib: backport the fix for CVE-2018-25032
.../recipeutils/recipeutils-test_1.2.bb | 2 +-
meta/classes/license_image.bbclass | 4 +-
meta/classes/metadata_scm.bbclass | 10 +-
.../zlib/zlib/CVE-2018-25032.patch | 347 ++++++++++++++++++
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
meta/recipes-devtools/apt/apt.inc | 4 +
meta/recipes-devtools/git/git.inc | 5 +
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../gzip/gzip-1.10/CVE-2022-1271.patch | 45 +++
meta/recipes-extended/gzip/gzip_1.10.bb | 1 +
.../xz/xz/CVE-2022-1271.patch | 96 +++++
meta/recipes-extended/xz/xz_5.2.4.bb | 4 +-
.../xorg-lib/libxshmfence_1.3.bb | 2 +-
meta/recipes-support/vim/vim.inc | 6 +-
14 files changed, 515 insertions(+), 14 deletions(-)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
create mode 100644 meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
create mode 100644 meta/recipes-extended/xz/xz/CVE-2022-1271.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-06-02 2:30 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3738
The following changes since commit add860e1a69f848097bbc511137a62d5746e5019:
oeqa/selftest/cve_check: add tests for recipe and image reports (2022-05-24 04:31:18 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Dan Tran (1):
ncurses: Fix CVE-2022-29458
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
Ranjitsinh Rathod (3):
ruby: Upgrade ruby to 2.7.6 for security fix
ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
libsdl2: Add fix for CVE-2021-33657
Richard Purdie (2):
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
cve-check: Allow warnings to be disabled
Riyaz (1):
libxml2: Fix CVE-2022-29824 for libxml2
Virendra Thakur (1):
ffmpeg: Fix for CVE-2022-1475
leimaohui (1):
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
meta/classes/cve-check.bbclass | 109 ++++--
.../libxml2/CVE-2022-29824-dependent.patch | 53 +++
.../libxml/libxml2/CVE-2022-29824.patch | 348 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +
.../ncurses/files/CVE-2022-29458.patch | 135 +++++++
meta/recipes-core/ncurses/ncurses_6.2.bb | 1 +
.../ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} | 8 +-
.../libsdl2/libsdl2/CVE-2021-33657.patch | 38 ++
.../libsdl2/libsdl2_2.0.12.bb | 1 +
.../ffmpeg/ffmpeg/CVE-2022-1475.patch | 36 ++
.../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
12 files changed, 694 insertions(+), 42 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
create mode 100644 meta/recipes-core/ncurses/files/CVE-2022-29458.patch
rename meta/recipes-devtools/ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} (90%)
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-08-10 22:31 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-10 22:31 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4058
The following changes since commit 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2:
libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections (2022-07-28 06:26:48 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssh: Add openssh-sftp-server to openssh RDEPENDS
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.208
linux-yocto/5.4: update to v5.4.209
Hitendra Prajapati (2):
grub2: Fix several security issue of integer underflow
gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow
Jose Quaresma (1):
gstreamer1.0: use the correct meson option for the capabilities
Khem Raj (1):
libmodule-build-perl: Use env utility to find perl interpreter
Martin Jansa (1):
libxml2: Port gentest.py to Python-3
Richard Purdie (1):
insane: Fix buildpaths test to work with special devices
Ross Burton (1):
cve_check: skip remote patches that haven't been fetched when
searching for CVE tags
Steve Sakoman (1):
selftest: skip virgl test on fedora 36
meta/classes/insane.bbclass | 6 +-
meta/lib/oe/cve_check.py | 5 +-
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
.../grub/files/CVE-2022-28733.patch | 60 ++
.../grub/files/CVE-2022-28734.patch | 67 ++
.../grub/files/CVE-2022-28736.patch | 275 ++++++
meta/recipes-bsp/grub/grub2.inc | 3 +
.../openssh/openssh_8.2p1.bb | 2 +-
.../0001-Port-gentest.py-to-Python-3.patch | 813 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 11 +
.../perl/libmodule-build-perl_0.4231.bb | 1 +
.../gdk-pixbuf/CVE-2021-46829.patch | 61 ++
.../gdk-pixbuf/gdk-pixbuf_2.40.0.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../gstreamer/gstreamer1.0_1.16.3.bb | 2 +-
17 files changed, 1321 insertions(+), 24 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-08-18 16:56 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-18 16:56 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Sunday.
This is the final patch set for the 3.1.19 release.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4098
The following changes since commit ac6ea1a96645d2a4dd54660256603f0b191bb4d3:
gstreamer1.0: use the correct meson option for the capabilities (2022-08-10 05:04:10 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
linux-firmware: update 20220610 -> 20220708
Dmitry Baryshkov (1):
linux-firwmare: restore WHENCE_CHKSUM variable
Hitendra Prajapati (3):
qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_write
gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify
zlib: CVE-2022-37434 a heap-based buffer over-read
Ming Liu (1):
rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
Pascal Bach (1):
bin_package: install into base_prefix
Randy MacLeod (1):
vim: update from 9.0.0063 to 9.0.0115
Richard Purdie (2):
vim: Upgrade 9.0.0021 -> 9.0.0063
kernel-arch: Fix buildpaths leaking into external module compiles
Shruthi Ravichandran (1):
initscripts: run umountnfs as a KILL script
meta/classes/bin_package.bbclass | 3 +-
meta/classes/kernel-arch.bbclass | 2 +-
meta/classes/rootfs-postcommands.bbclass | 2 +-
.../initscripts/initscripts_1.0.bb | 2 +-
.../zlib/zlib/CVE-2022-37434.patch | 44 +++
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-27821.patch | 73 +++++
...20220610.bb => linux-firmware_20220708.bb} | 14 +-
.../gnutls/gnutls/CVE-2022-2509.patch | 282 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
meta/recipes-support/vim/files/racefix.patch | 33 --
meta/recipes-support/vim/vim.inc | 10 +-
13 files changed, 418 insertions(+), 50 deletions(-)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220610.bb => linux-firmware_20220708.bb} (98%)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
delete mode 100644 meta/recipes-support/vim/files/racefix.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2022-11-12 14:09 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-11-12 14:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4469
The following changes since commit babcb7cd3bbefe9c0ea28e960e4fd6cefbc03cae:
bluez5: add dbus to RDEPENDS (2022-11-04 07:52:01 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssl: upgrade 1.1.1q to 1.1.1s
Hitendra Prajapati (1):
bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c
Martin Jansa (1):
externalsrc.bbclass: fix git repo detection
Peter Kjellerstedt (1):
externalsrc.bbclass: Remove a trailing slash from ${B}
Ross Burton (1):
sanity: check for GNU tar specifically
Sundeep KOKKONDA (2):
binutils: stable 2.34 branch updates
glibc : stable 2.31 branch updates.
Sunil Kumar (1):
go: Security Fix for CVE-2022-2879
Vivek Kumbhar (2):
curl: fix CVE-2022-32221 POST following PUT
qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt()
may lead to out-of-bounds write
ciarancourtney (1):
wic: swap partitions are not added to fstab
meta/classes/externalsrc.bbclass | 6 +-
meta/classes/sanity.bbclass | 8 ++
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2022-3637.patch | 39 ++++++
.../{openssl_1.1.1q.bb => openssl_1.1.1s.bb} | 2 +-
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/CVE-2021-33574_1.patch | 26 ++--
.../binutils/binutils-2.34.inc | 2 +-
.../binutils/binutils/CVE-2020-16593.patch | 4 +-
.../binutils/binutils/CVE-2021-3549.patch | 80 ++++++-------
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-2879.patch | 111 ++++++++++++++++++
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3638.patch | 80 +++++++++++++
.../curl/curl/CVE-2022-32221.patch | 29 +++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/wic/plugins/imager/direct.py | 2 +-
17 files changed, 329 insertions(+), 66 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1q.bb => openssl_1.1.1s.bb} (98%)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2023-05-20 16:04 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-05-20 16:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5324
The following changes since commit 1bc254e7969f3d5470bacf9ad9f065d38b7b7fde:
run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-11 07:47:14 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Hitendra Prajapati (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Khem Raj (1):
perf: Depend on native setuptools3
Marek Vasut (1):
cpio: Fix wrong CRC with ASCII CRC for large files
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
override
Randolph Sapp (1):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
Siddharth (1):
curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled
Steve Sakoman (1):
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
set
meta/classes/populate_sdk_ext.bbclass | 3 +-
meta/classes/pypi.bbclass | 2 +
meta/lib/oeqa/selftest/cases/runtime_test.py | 6 +
meta/lib/oeqa/utils/metadata.py | 6 +-
.../git/files/CVE-2023-25652.patch | 94 +++++++++++
.../git/files/CVE-2023-29007.patch | 159 ++++++++++++++++++
meta/recipes-devtools/git/git.inc | 2 +
...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 +++++
meta/recipes-extended/cpio/cpio_2.13.bb | 1 +
...20230210.bb => linux-firmware_20230404.bb} | 6 +-
meta/recipes-kernel/perf/perf.bb | 2 +-
.../curl/curl/CVE-2023-27534-pre1.patch | 51 ++++++
.../curl/curl/CVE-2023-27534.patch | 122 ++------------
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +
15 files changed, 387 insertions(+), 114 deletions(-)
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-25652.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-29007.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
--
2.34.1
* [OE-core][dunfell 00/11] Patch review
@ 2023-06-08 2:35 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-06-08 2:35 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5422
The following changes since commit e4b98a42970574296e0da06842691b9fc1ffc9a1:
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky (2023-05-20 06:02:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssh: Move sshdgenkeys.service to sshd.socket
Ashish Sharma (1):
golang: Fix CVE-2023-24539
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.238
linux-yocto/5.4: update to v5.4.240
linux-yocto/5.4: update to v5.4.241
linux-yocto/5.4: update to v5.4.242
linux-yocto/5.4: update to v5.4.243
Nikhil R (1):
ffmpeg: Fix CVE-2022-48434
Vijay Anusuri (3):
ghostscript: Fix CVE-2023-28879
xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
go: Security fix CVE-2023-24540
.../openssh/openssh/sshd.socket | 1 +
.../openssh/openssh/sshd@.service | 2 -
meta/recipes-devtools/go/go-1.14.inc | 2 +
.../go/go-1.14/CVE-2023-24539.patch | 60 ++++++++
.../go/go-1.14/CVE-2023-24540.patch | 90 ++++++++++++
.../ghostscript/CVE-2023-28879.patch | 54 +++++++
.../ghostscript/ghostscript_9.52.bb | 1 +
.../xserver-xorg/CVE-2023-0494.patch | 38 +++++
.../xserver-xorg/CVE-2023-1393.patch | 46 ++++++
.../xorg-xserver/xserver-xorg_1.20.14.bb | 2 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
.../ffmpeg/ffmpeg/CVE-2022-48434.patch | 136 ++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 +
15 files changed, 449 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
--
2.34.1
* [OE-core][dunfell 00/11] Patch review
@ 2023-10-10 14:14 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, October 12.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6026
The following changes since commit 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c:
glibc: Fix CVE-2023-4911 "Looney Tunables" (2023-10-05 13:10:56 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (1):
xdg-utils: Fix CVE-2022-4055
Julian Haller (2):
dbus: Backport fix for CVE-2023-34969
dbus: Add missing CVE_PRODUCT
Marek Vasut (2):
busybox: Backport CVE-2022-48174 fix
cpio: Replace fix wrong CRC with ASCII CRC for large files with
upstream backport
Shinu Chandran (1):
libpcre2 : Follow up fix CVE-2022-1586
Shubham Kulkarni (1):
go: Update fix for CVE-2023-24538 & CVE-2023-39318
Sourav Pramanik (1):
openssl: Upgrade 1.1.1v -> 1.1.1w
Vijay Anusuri (3):
cups: Backport fix for CVE-2023-32360 and CVE-2023-4504
gawk: backport Debian patch to fix CVE-2023-4156
ghostscript: Backport fix CVE-2023-43115
.../{openssl_1.1.1v.bb => openssl_1.1.1w.bb} | 2 +-
.../busybox/busybox/CVE-2022-48174.patch | 82 +++
meta/recipes-core/busybox/busybox_1.31.1.bb | 1 +
meta/recipes-core/dbus/dbus.inc | 3 +
.../dbus/dbus/CVE-2023-34969.patch | 96 +++
meta/recipes-devtools/go/go-1.14.inc | 5 +-
.../go/go-1.14/CVE-2023-24538-1.patch | 4 +-
.../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++-
.../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++
.../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++
.../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++
...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
.../go/go-1.14/CVE-2023-39318.patch | 38 +-
...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 --
...-calculation-of-CRC-in-copy-out-mode.patch | 58 ++
...appending-to-archives-bigger-than-2G.patch | 312 ++++++++++
meta/recipes-extended/cpio/cpio_2.13.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 2 +
.../cups/cups/CVE-2023-32360.patch | 31 +
.../cups/cups/CVE-2023-4504.patch | 40 ++
.../gawk/gawk/CVE-2023-4156.patch | 28 +
meta/recipes-extended/gawk/gawk_5.0.1.bb | 1 +
.../ghostscript/CVE-2023-43115.patch | 62 ++
.../ghostscript/ghostscript_9.52.bb | 1 +
.../xdg-utils/xdg-utils/CVE-2022-4055.patch | 165 +++++
.../xdg-utils/xdg-utils_1.1.3.bb | 1 +
.../libpcre2/CVE-2022-1586-regression.patch | 30 +
.../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
28 files changed, 3041 insertions(+), 61 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} (98%)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)
delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
--
2.34.1
* [OE-core][dunfell 00/11] Patch review
@ 2023-12-06 13:55 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-12-06 13:55 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Friday, December 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6293
The following changes since commit 0764da7e3f1d71eb390e5eb8a9aa1323c24d1c19:
vim: use upstream generated .po files (2023-11-28 12:31:43 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Ashish Sharma (1):
mdadm: Backport fix for CVE-2023-28938
Bruce Ashfield (3):
linux-yocto/5.4: update to v5.4.258
linux-yocto/5.4: update to v5.4.260
linux-yocto/5.4: update to v5.4.262
Lee Chee Yang (2):
epiphany: fix CVE-2022-29536
qemu: ignore CVE-2021-20295 CVE-2023-2680
Steve Sakoman (1):
cve-exclusion_5.4.inc: update for 5.4.262
Tim Orling (1):
vim: upgrade 9.0.2068 -> 9.0.2130
Vivek Kumbhar (1):
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
poojitha adireddy (2):
binutils 2.34: Fix CVE-2021-46174
binutils: Mark CVE-2022-47696 as patched
.../binutils/binutils-2.34.inc | 1 +
.../binutils/binutils/CVE-2021-46174.patch | 35 ++++++++
.../binutils/binutils/CVE-2023-25588.patch | 3 +
meta/recipes-devtools/qemu/qemu.inc | 7 ++
.../mdadm/files/CVE-2023-28938.patch | 80 +++++++++++++++++++
meta/recipes-extended/mdadm/mdadm_4.1.bb | 1 +
.../recipes-gnome/epiphany/epiphany_3.34.4.bb | 1 +
.../epiphany/files/CVE-2022-29536.patch | 46 +++++++++++
.../linux/cve-exclusion_5.4.inc | 79 ++++++++++++++----
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 ++---
.../libsndfile1/CVE-2022-33065.patch | 46 +++++++++++
.../libsndfile/libsndfile1_1.0.28.bb | 3 +-
meta/recipes-support/vim/vim.inc | 4 +-
15 files changed, 306 insertions(+), 36 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
--
2.34.1