[OE-core][kirkstone 0/5] Patch review

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by end
of day Friday.  This should be the final set of patches for the 4.0.4 release.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4225

The following changes since commit 08406e03abddc7290c0c2296aa179725a58155d3:

  runqemu: display host uptime when starting (2022-09-12 04:45:14 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  lighttpd: upgrade 1.4.65 -> 1.4.66

Richard Purdie (1):
  vim: Upgrade 9.0.0341 -> 9.0.0453

niko.mauno@vaisala.com (2):
  systemd: Fix unwritable /var/lock when no sysvinit handling
  systemd: Add 'no-dns-fallback' PACKAGECONFIG option

wangmy (1):
  lighttpd: upgrade 1.4.64 -> 1.4.65

 meta/recipes-core/systemd/systemd/00-create-volatile.conf     | 1 +
 meta/recipes-core/systemd/systemd_250.5.bb                    | 1 +
 .../lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.66.bb}       | 2 +-
 meta/recipes-support/vim/vim.inc                              | 4 ++--
 4 files changed, 5 insertions(+), 3 deletions(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.66.bb} (97%)

-- 
2.25.1

[OE-core][kirkstone 1/5] systemd: Fix unwritable /var/lock when no sysvinit handling

[Steve Sakoman]

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Commit 8089cefed8e83c0348037768c292058f1bcbbbe5 ("systemd: Add
PACKAGECONFIG for sysvinit") decoupled enabling of systemd's sysvinit
handling behavior behind a distinct PACKAGECONFIG feature.

This new option affects among other things the installing of
tmpfiles.d/legacy.conf, which is responsible for creating /run/lock
directory, which is pointed to by /var/lock symlink provided by
base-files package.

In case the option is not enabled, then base-files provided /var/lock
is a dangling symlink on resulting rootfs, causing problems with
certain Linux userspace components that rely on existence of writable
/var/lock directory. As an example:

  # fw_printenv
  Error opening lock file /var/lock/fw_printenv.lock

Since Filesystem Hierarchy Standard Version 3.0 states in
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s09.html that

  Lock files should be stored within the /var/lock directory structure.

Ensure the /run/lock directory is always created, so that lock files
can be stored under /var/lock also when 'sysvinit' handling is
disabled.

(From OE-Core rev: 85e5ee2c35cf5778c3aefda45f526e8f6a511131)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/systemd/systemd/00-create-volatile.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
index 87cbe1e7d3..c4277221a2 100644
--- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf
+++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
@@ -3,5 +3,6 @@
 # inside /var/log.
 
 
+d		/run/lock		1777	-	-	-
 d		/var/volatile/log		-	-	-	-
 d		/var/volatile/tmp		1777	-	-
-- 
2.25.1

[OE-core][kirkstone 2/5] systemd: Add 'no-dns-fallback' PACKAGECONFIG option

[Steve Sakoman]

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

systemd defines a default set of fallback DNS servers in
https://github.com/systemd/systemd/blob/v251/meson_options.txt#L328-L330

By adding a PACKAGECONFIG knob providing a convenient way to opt out,
and then adding that value to systemd's PACKAGECONFIG, the output from
runtime 'resolvectl status' command no longer contains the following
line:

  Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google

(From OE-Core rev: 2b300d6b9ec6288a99d9dacb24a86949caf99e55)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/systemd/systemd_250.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb
index 9923312830..5d568f639e 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.5.bb
@@ -165,6 +165,7 @@ PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native xmlto-native do
 PACKAGECONFIG[microhttpd] = "-Dmicrohttpd=true,-Dmicrohttpd=false,libmicrohttpd"
 PACKAGECONFIG[myhostname] = "-Dnss-myhostname=true,-Dnss-myhostname=false,,libnss-myhostname"
 PACKAGECONFIG[networkd] = "-Dnetworkd=true,-Dnetworkd=false"
+PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers="
 PACKAGECONFIG[nss] = "-Dnss-systemd=true,-Dnss-systemd=false"
 PACKAGECONFIG[nss-mymachines] = "-Dnss-mymachines=true,-Dnss-mymachines=false"
 PACKAGECONFIG[nss-resolve] = "-Dnss-resolve=true,-Dnss-resolve=false"
-- 
2.25.1

[OE-core][kirkstone 3/5] lighttpd: upgrade 1.4.64 -> 1.4.65

[Steve Sakoman]

From: wangmy <wangmy@fujitsu.com>

Changelog:
==========
  * [build] meson: fix typo in variable name
  * [build] autoconf: report if building with zstd
  * [build] meson -Dlua_version=... to specify lua ver
  * [core] avoid CCRandomGenerateBytes on MacOS <10.12 (fixes #3140)
  * [core] use diff var name w/ CCRandomGenerateBytes (fixes #3141)
  * [core] parse conf cmds with SHELL or /bin/sh
  * [core] fix HMAC with openssl 3.0
  * [mod_webdav] no COPYFILE_CLONE_FORCE on OSX <10.12 (fixes #3142)
  * [mod_deflate] fix to return 304 with If-None-Match (fixes #3143)
  * [core] Illumos epoll incompatible w/ lighttpd impl
  * [core] feature flag to allow Range w/ HTTP/1.0
  * [mod_mbedtls] set usekeysize for mbedtls 3.2.0+
  * [mod_deflate] collect mmap code
  * [mod_deflate] prototype using libdeflate w/ mmap
  * [mod_deflate] --with-libdeflate to use libdeflate
  * [mod_deflate] mark input bytes const
  * [core] sys-setjmp.[ch]
  * [mod_magnet] check lighty.result.content b4 setjmp
  * [core] include guard consistency in sys-time.h
  * [core] network_write_file_chunk_remap separate fn
  * [multiple] use new sys_setjmp_eval3() interface
  * [multiple] pedantic chunk.c checks for 0-len chunk
  * [multiple] shared code for struct chunk and mmap
  * [mod_deflate] use pread if available
  * [mod_deflate] improve loop compressing file chunk
  * [core] prep server_tag at startup for h2 resp hdr
  * [mod_magnet] defer req_env init unless needed
  * [mod_magnet] reset after error attaching content
  * [mod_magnet] lua_tointegerx() avoids raising error
  * [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  * [mod_magnet] adjust hot path for more inlining
  * [mod_magnet] collect chk for magnet lua_State init
  * [mod_magnet] use type returned from lua_getfield()
  * [core] chunk_file_pread() to wrap pread()
  * [core] disable keep-alive if forcing HTTP/1.0 resp
  * [mod_magnet] use lua_getextraspace() to store r
  * [core] fall back to getauxval(AT_RANDOM), if avail
  * [mod_magnet] keep message handler on stack
  * [doc] update external links
  * [mod_magnet] pass lighty table index, defer pops
  * [mod_magnet] clear and reuse script-env table
  * [mod_magnet] clear stack when reloading script
  * [mod_magnet] use lua_isnoneornil() in interfaces
  * [mod_magnet] fix lighty.c.cookie_tokens()
  * [mod_magnet] fix lighty.c.urldec_query()
  * [mod_magnet] remove duplicated NULL checks
  * [mod_magnet] adjust magnet_lighty_result_get()
  * [mod_magnet] magnet_tmpbuf_acquire(),release()
  * [mod_magnet] lighty.c.quotedenc(),dec() funcs
  * [mod_magnet] fix header,content legacy table clear
  * [mod_cgi] cgi.local-redir request_reset thru fnptr
  * [core] isolate plugins_*() funcs to main server
  * [mod_wolfssl] wolfssl v5.0.0 defines DH_set0_pqg()
  * [mod_auth] save letter-case diff in require config
  * [mod_magnet] magnet_push_quoted_string shared code
  * [mod_magnet] lighty.c.header_tokens convenience fn
  * [core] fill in un.sun_path after accept() (fixes #3147)
  * [mod_extforward] adjust trust check for HTTP/2
  * [mod_proxy] adjust handling of legacy X-* headers
  * [core] permit env w/ blank value (fix regression)
  * [TLS] consistent debug.log-ssl-noise config type
  * [mod_magnet] allow removal of req_env elt via nil
  * [core] compiler workarounds for very old gcc,glibc
  * [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  * [mod_ssi] check http_chunk_transfer_cqlen for err
  * [core] chunkqueue_steal() handle unexpected 0 len
  * [core] discard DATA from REFUSED_STREAM at h2 init
  * [multiple] WebSockets over HTTP/2 (fixes #3151)
  * [multiple] immed connect to backend for streaming
  * [core] ensure socket ready before checking connect
  * [core] reduce trace on Upgrade backend connection
  * [core] adjust when TCP_CORK used on TLS connection
  * [mod_cgi] disable input optim if might Upgrade
  * [mod_cgi] immed start CGI if Upgrade
  * [mod_wolfssl] wolfssl v5.0.0 adds ASN1_TIME_diff()
  * [mod_openssl] libressl v3.5.0 adds ASN1_TIME_diff
  * [TLS] warn if leaf cert read is inactive/expired
  * [core] stricter conformance w/ upcoming HTTP/2 rev
  * [build] -D_DEFAULT_SOURCE consistency in builds
  * [mod_extforward] support addtl IPv6 syntax w/ "[]"
  * [core] build fix for cygwin and lmingw
  * [core] short-circuit earlier parsing h2 trailers
  * [core] reformat h2.h for cleaner enum additions
  * [core] consolidate trace for log-state-handling
  * [core] request_config bitmasks for smaller struct
  * [core] prefix (=^), suffix (=$) config conditions (fixes #3153)
  * [core] tighten config parsing loop
  * [core] convert simple config cond regex to pre/sfx
  * [tests] able to run tests when built w/o pcre
  * [core] allow redirect,rewrite ext subst w/o pcre
  * [mod_sockproxy] reset http vers, avoid rare crash (fixes #3152)
  * [core] HTTP/2 PRIORITY_UPDATE frame (experimental)
  * [core] send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES
  * [core] stricter check of HTTP/2 GOAWAY frame size
  * [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  * [mod_webdav] opt for partial PUT via copy/rename
  * [core] quiet compiler warning
  * [multiple] recognize HTTP QUERY method
  * [multiple] limit scope of socket config options
  * [core] fix config typo reading large int from str
  * [core] h2 prio sort urgency, incr, then stream id
  * [core] send Priority resp hdr w/ .css, .js re-prio
  * [multiple] reset http vers, avoid rare crash (fixes #3152)
  * [core] delay response to http auth invalid creds
  * [core] connection_state_machine_h2 only if con->h2
  * [core] default server.max-keep-alive-requests 1000
  * [mod_magnet] set script env in func first upvalue
  * [mod_magnet] rewrite lighty.r as table of userdata
  * [mod_status] con->h2 instead of r->http_version
  * [mod_setenv] cleanup user-provided hdr sloppiness
  * [core] remove func decls duplicated in plugin.h
  * [mod_status] fix counting of HTTP/2 bytes written
  * [mod_magnet] no local server port on unix domain
  * [mod_extforward] unix domain socket pedantic chks
  * [core] sketch support for abstract sockets
  * [mod_magnet] magnet_plugin_stats_table() fn
  * [mod_magnet] magnet_script_setup_global_state() fn
  * [mod_magnet] lighty.server.* table w/ new function
  * [mod_accesslog] do not double-count hdr len in %I
  * [mod_magnet] reduce magnet_env_get_id() scanning
  * [mod_magnet] tighten magnet_env_get_buffer_by_id()
  * [mod_status] reusable code for r->state strings
  * [core] reusable code for r->state strings
  * [mod_magnet] expose r->state to lua scripts
  * [mod_magnet] tighten magnet_env_set()
  * [mod_magnet] lighty.r.req_item[] accessors
  * [mod_magnet] expose r->keep_alive to lua scripts
  * [mod_magnet] lighty.c.hrtime high-resolution time
  * [mod_magnet] lighty.r.resp_body.get
  * [mod_magnet] deprecate r.req_attr["response.*]
  * [mod_magnet] separate funcs for uri_path_raw
  * [mod_magnet] lighty.c.stat high precision time
  * [mod_magnet] format multiline err traceback
  * [mod_magnet] adjust p->conf.stage checks
  * [mod_magnet] further isolate legacy API result tbl
  * [core] buffer_append_char() convenience func
  * [mod_accesslog] accesslog.escaping = "json"
  * [multiple] use buffer_append_char()
  * [mod_accesslog] remove begin/end tags from %{}t
  * [core] fix configparser_simplify_regex() comment
  * [multiple] simplify bytes_in/bytes_out accounting
  * [mod_accesslog] reorder fields in switch()
  * [core] remove unused srv->con_* counters
  * [mod_magnet] read-only access to r->server_name
  * [core] buffer_append_bs_escaped()
  * [core] buffer_append_string_c_escaped ASCII optim
  * [mod_magnet] backspace-escape encode/decode
  * [mod_status] display HTTP/2 control stream w/ reqs
  * [multiple] use preferred syntax for Content-Type
  * [doc] regenerate doc/config/conf.d/mime.conf
  * [multiple] rename status_counter -> plugin_stats
  * [core] feature-flag server.metrics-high-precision
  * [mod_magnet] quiet coverity false positive
  * [mod_wolfssl] compile fix for OpenWRT
  * [mod_webdav] If-None-Match: * on non-existent
  * [mod_magnet] r.req_body .collect .get .set .add
  * [mod_cgi] fix detection of failing error handler (fixes #3157)
  * [core] "url-invalid-utf8-reject" normalization opt
  * [mod_magnet] skip req body collect warn if modsec3
  * [build] update descriptions to remove old lua ver
  * [core] use current dir if context->basedir blank
  * [multiple] application/javascript text/javascript
  * [core] reset internal flags after graceful restart
  * [TLS] inherit ssl.engine from global scope
  * [core] avoid server.use-ipv6 warning after SIGUSR1
  * [mod_webdav] alt handling PROPFIND on collection
  * [mod_mbedtls] fix crt chain construction logic
  * [core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes #3089)
  * [core] increase session window size to 256k
  * [core] h2: avoid sending small WINDOW_UPDATE frames
  * [core] h2: avoid sending tiny DATA frames
  * [core] update cached tables with Priority header
  * [tests] test stubs for http_header.c and http_kv.c

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 47188fa0dc19f160085554360c81bd9f363837d5)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.65.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.65.bb} (97%)

diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
similarity index 97%
rename from meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb
rename to meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
index 8d2e77e011..10aa27f072 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t
            file://lighttpd \
            "
 
-SRC_URI[sha256sum] = "e1489d9fa7496fbf2e071c338b593b2300d38c23f1e5967e52c9ef482e1b0e26"
+SRC_URI[sha256sum] = "bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be"
 
 DEPENDS = "virtual/crypt"
 
-- 
2.25.1

[OE-core][kirkstone 4/5] lighttpd: upgrade 1.4.65 -> 1.4.66

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3163134b0f58c58aaabe4e957c30109e63b2d60f)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lighttpd/{lighttpd_1.4.65.bb => lighttpd_1.4.66.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.65.bb => lighttpd_1.4.66.bb} (97%)

diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
similarity index 97%
rename from meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
rename to meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
index 10aa27f072..801162867c 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t
            file://lighttpd \
            "
 
-SRC_URI[sha256sum] = "bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be"
+SRC_URI[sha256sum] = "47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b"
 
 DEPENDS = "virtual/crypt"
 
-- 
2.25.1

[OE-core][kirkstone 5/5] vim: Upgrade 9.0.0341 -> 9.0.0453

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Includes fixes for CVE-2022-3099 and CVE-2022-3134.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d042923262130b6b96f703b5cd4184f659caeb92)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 33a8299243..70dc2dfecf 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".0341"
-SRCREV = "92a3d20682d46359bb50a452b4f831659e799155"
+PV .= ".0453"
+SRCREV = "83a19c5fda0556330860899bfb484addf9178cd0"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.25.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6324

The following changes since commit 09ecafaf0e128c4dea062d359de37cbef461aed2:

  native: Clear TUNE_FEATURES/ABIEXTENSION (2023-12-07 08:09:37 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  gstreamer1.0-plugins-base: enable glx/opengl support

Archana Polampalli (1):
  bluez5: fix CVE-2023-45866

Mikko Rapeli (1):
  openssh: drop sudo from ptest dependencies

Vijay Anusuri (2):
  avahi: backport CVE-2023-1981 & CVE's follow-up patches
  gnutls: Backport fix for CVE-2023-5981

 meta/recipes-connectivity/avahi/avahi_0.8.bb  |  10 +-
 .../avahi/files/CVE-2023-1981.patch           |  58 +++++
 ...023-38469.patch => CVE-2023-38469-1.patch} |   0
 .../avahi/files/CVE-2023-38469-2.patch        |  65 ++++++
 ...023-38470.patch => CVE-2023-38470-1.patch} |   0
 .../avahi/files/CVE-2023-38470-2.patch        |  52 +++++
 ...023-38471.patch => CVE-2023-38471-1.patch} |   0
 .../avahi/files/CVE-2023-38471-2.patch        |  52 +++++
 .../avahi/files/CVE-2023-38472.patch          |  44 ++--
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2023-45866.patch        |  56 +++++
 .../openssh/openssh/run-ptest                 |   2 +-
 .../openssh/openssh_8.9p1.bb                  |   2 +-
 .../gstreamer1.0-plugins-base_1.20.7.bb       |   6 +-
 .../gnutls/gnutls/CVE-2023-5981.patch         | 206 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   1 +
 16 files changed, 526 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38469.patch => CVE-2023-38469-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38470.patch => CVE-2023-38470-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38471.patch => CVE-2023-38471-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, May 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6857

The following changes since commit b7182571242dc4e23e5250a449d90348e62a6abc:

  build-appliance-image: Update to kirkstone head revision (2024-04-22 16:57:58 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  gnutls: fix CVE-2024-28834
  gnutls: fix CVE-2024-28835

Michael Glembotzki (1):
  rootfs-postcommands.bbclass: Only set DROPBEAR_RSAKEY_DIR once

Peter Marko (1):
  glibc: Update to latest on stable 2.35 branch

Vijay Anusuri (1):
  go: Fix for CVE-2023-45288

 meta/classes/rootfs-postcommands.bbclass      |   4 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 meta/recipes-core/glibc/glibc_2.35.bb         |   2 +-
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.18/CVE-2023-45288.patch           |  95 ++++
 .../gnutls/gnutls/CVE-2024-28834.patch        | 457 ++++++++++++++++++
 .../gnutls/gnutls/CVE-2024-28835.patch        | 406 ++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   2 +
 8 files changed, 966 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 2

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7193

The following changes since commit f6de96c9fa8d0b6c81c32016f342ad93c8940d9e:

  uboot-sign: Fix index error in concat_dtb_helper() with multiple configs (2024-07-19 05:44:22 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepthi Hemraj (2):
  llvm: Fix CVE-2023-46049
  llvm: Fix CVE-2024-31852

Peter Marko (2):
  wpa-supplicant: Patch CVE-2023-52160
  gcc-runtime: remove bashism

Wang Mingyu (1):
  wireless-regdb: upgrade 2024.01.23 -> 2024.05.08

 ...te-Phase-2-authentication-requiremen.patch | 213 ++++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |   1 +
 meta/recipes-devtools/gcc/gcc-runtime.inc     |   2 +-
 .../llvm/llvm/CVE-2023-46049.patch            |  34 +++
 .../llvm/llvm/CVE-2024-31852-1.patch          |  85 +++++++
 .../llvm/llvm/CVE-2024-31852-2.patch          | 117 ++++++++++
 meta/recipes-devtools/llvm/llvm_git.bb        |   3 +
 ....01.23.bb => wireless-regdb_2024.05.08.bb} |   2 +-
 8 files changed, 455 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2023-46049.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-31852-1.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-31852-2.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.01.23.bb => wireless-regdb_2024.05.08.bb} (94%)

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, October 11

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7379

The following changes since commit 3b646f322b4ffd5ed520f3815ce0726cf225ced2:

  populate_sdk_base: inherit nopackages (2024-10-01 15:29:08 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Martin Jansa (2):
  meta-world-pkgdata: Inherit nopackages
  cdrtools-native: fix build with gcc-14

Massimiliano Minella (1):
  zstd: fix LICENSE statement

Peter Marko (1):
  rust: ignore CVE-2024-43402

Vijay Anusuri (1):
  cups: Backport fix for CVE-2024-47175

 meta/recipes-core/meta/meta-world-pkgdata.bb  |   1 +
 .../cdrtools/cdrtools-native_3.01.bb          |   6 +-
 meta/recipes-devtools/rust/rust-source.inc    |   4 +-
 meta/recipes-extended/cups/cups.inc           |   5 +
 .../cups/cups/CVE-2024-47175-1.patch          |  73 +++++
 .../cups/cups/CVE-2024-47175-2.patch          | 148 +++++++++++
 .../cups/cups/CVE-2024-47175-3.patch          | 116 ++++++++
 .../cups/cups/CVE-2024-47175-4.patch          | 249 ++++++++++++++++++
 .../cups/cups/CVE-2024-47175-5.patch          |  37 +++
 meta/recipes-extended/zstd/zstd_1.5.2.bb      |   2 +-
 10 files changed, 637 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-1.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-2.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-3.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-4.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-5.patch

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Monday, October 21

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/283

The following changes since commit f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf:

  build-appliance-image: Update to kirkstone head revision (2024-10-12 05:20:21 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Ashish Sharma (1):
  libarchive: Fix CVE-2024-48957 & CVE-2024-48958

Khem Raj (1):
  syslinux: Disable error on implicit-function-declaration

Macpaul Lin (1):
  linux-firmware: upgrade 20240220 -> 20240909

Peter Marko (1):
  gcc: ignore CVE-2023-4039

Randolph Sapp (1):
  kmscube: create_framebuffer: backport modifier fix

 meta/recipes-devtools/gcc/gcc-11.5.inc        |  3 ++
 .../syslinux/syslinux_6.04-pre2.bb            |  2 +-
 .../libarchive/CVE-2024-48957.patch           | 33 +++++++++++++++++
 .../libarchive/CVE-2024-48958.patch           | 37 +++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |  2 +
 ...common.c-do-not-use-invalid-modifier.patch | 31 ++++++++++++++++
 meta/recipes-graphics/kmscube/kmscube_git.bb  |  1 +
 ...20240220.bb => linux-firmware_20240909.bb} |  8 ++--
 8 files changed, 112 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
 create mode 100644 meta/recipes-graphics/kmscube/kmscube/0001-drm-common.c-do-not-use-invalid-modifier.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20240220.bb => linux-firmware_20240909.bb} (99%)

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, November 8

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/398

The following changes since commit 2c913a7b66ea756ebc65a573e1b5bb5dba6834d2:

  util-linux: Define pidfd_* function signatures (2024-10-29 07:51:17 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Martin Jansa (1):
  xmlto: backport a patch to fix build with gcc-14 on host

Peter Marko (1):
  zstd: patch CVE-2022-4899

Richard Purdie (2):
  cve_check: Use a local copy of the database during builds
  package: Switch debug source handling to use prefix map

Ruiqiang Hao (1):
  gcc: restore a patch for Neoverse N2 core

 meta/classes/cve-check.bbclass                |    7 +-
 meta/classes/package.bbclass                  |   68 +-
 .../meta/cve-update-nvd2-native.bb            |   18 +-
 meta/recipes-devtools/gcc/gcc-11.5.inc        |    1 +
 ...4-Update-Neoverse-N2-core-definition.patch |   40 +
 ...001-Fix-return-type-of-main-function.patch |   42 +
 ...mlif.c-and-update-xmlif.l-to-comply-.patch | 1259 +++++++++++++++++
 .../0001-fix-Wimplicit-int-for-ifsense.patch  |   33 +
 meta/recipes-devtools/xmlto/xmlto_0.0.28.bb   |   10 +
 .../zstd/zstd/CVE-2022-4899-1.patch           |   66 +
 .../zstd/zstd/CVE-2022-4899-2.patch           |   83 ++
 meta/recipes-extended/zstd/zstd_1.5.2.bb      |    5 +-
 12 files changed, 1583 insertions(+), 49 deletions(-)
 create mode 100644 meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-definition.patch
 create mode 100644 meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Fix-return-type-of-main-function.patch
 create mode 100644 meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Regenerate-the-xmlif.c-and-update-xmlif.l-to-comply-.patch
 create mode 100644 meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-fix-Wimplicit-int-for-ifsense.patch
 create mode 100644 meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
 create mode 100644 meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch

-- 
2.34.1

[OE-core][kirkstone 0/5] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, September 11

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2346

The following changes since commit 71ed9d8394f7e625270ee66f9c2816bba4aa2016:

  pulseaudio: Add audio group explicitly (2025-09-02 09:20:07 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (3):
  ffmpeg: fix CVE-2025-7700
  ffmpeg: fix multiple CVEs
  ffmpeg: fix CVE-2025-1594

Divya Chellam (1):
  wpa-supplicant: fix CVE-2022-37660

Gyorgy Sarvari (1):
  llvm: fix typo in CVE-2024-0151.patch

 .../wpa-supplicant/CVE-2022-37660-0001.patch  | 254 +++++
 .../wpa-supplicant/CVE-2022-37660-0002.patch  | 139 +++
 .../wpa-supplicant/CVE-2022-37660-0003.patch  | 196 ++++
 .../wpa-supplicant/CVE-2022-37660-0004.patch  | 941 ++++++++++++++++++
 .../wpa-supplicant/CVE-2022-37660-0005.patch  | 144 +++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |   5 +
 .../llvm/llvm/CVE-2024-0151.patch             |  13 +-
 ...602-CVE-2023-6604-CVE-2023-6605-0001.patch |  79 ++
 ...602-CVE-2023-6604-CVE-2023-6605-0002.patch | 142 +++
 ...602-CVE-2023-6604-CVE-2023-6605-0003.patch |  45 +
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch         | 104 ++
 .../ffmpeg/ffmpeg/CVE-2025-7700.patch         |  52 +
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb |   5 +
 13 files changed, 2114 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch

-- 
2.43.0