* [OE-core][kirkstone 00/15] Patch review
@ 2022-06-19 19:30 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2022-06-19 19:30 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3799
The following changes since commit 0f7a8359ba370c7f5d5153453ed699e9566f5b1d:
rootfs.py: close kernel_abi_ver_file (2022-06-10 05:13:53 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Jack Mitchell (1):
meson.bbclass: add cython binary to cross/native toolchain config
Jose Quaresma (2):
archiver: use bb.note instead of echo
archiver: don't use machine variables in shared recipes
Kai Kang (1):
xxhash: fix build with gcc 12
Mingli Yu (1):
oescripts: change compare logic in OEListPackageconfigTests
Pavel Zhukov (1):
systemd: update 0008-add-missing-FTW_-macros-for-musl.patch
Rasmus Villemoes (1):
e2fsprogs: add alternatives handling of lsattr as well
Richard Purdie (5):
vim: Upgrade 8.2.5034 -> 8.2.5083
uboot-sign: Fix potential index error issues
selftest/multiconfig: Test that multiconfigs in separate layers works
gcc-source: Fix incorrect task dependencies from ${B}
liberror-perl: Update sstate/equiv versions to clean cache
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
Yi Zhao (2):
popt: fix override syntax in RDEPENDS
git: fix override syntax in RDEPENDS
meta-selftest/conf/multiconfig/muslmc.conf | 2 ++
meta/classes/archiver.bbclass | 11 ++++++++---
meta/classes/meson.bbclass | 2 ++
meta/classes/uboot-sign.bbclass | 2 ++
meta/lib/oeqa/selftest/cases/multiconfig.py | 13 +++++++++++++
meta/lib/oeqa/selftest/cases/oescripts.py | 3 ++-
.../0008-add-missing-FTW_-macros-for-musl.patch | 8 ++++----
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb | 5 ++++-
meta/recipes-devtools/gcc/gcc-common.inc | 2 +-
meta/recipes-devtools/gcc/gcc-source.inc | 1 +
meta/recipes-devtools/git/git_2.35.3.bb | 2 +-
meta/recipes-devtools/perl/liberror-perl_0.17029.bb | 4 ++++
meta/recipes-support/popt/popt_1.18.bb | 2 +-
meta/recipes-support/vim/vim.inc | 4 ++--
meta/recipes-support/xxhash/xxhash_0.8.1.bb | 2 ++
scripts/lib/devtool/standard.py | 2 +-
16 files changed, 50 insertions(+), 15 deletions(-)
create mode 100644 meta-selftest/conf/multiconfig/muslmc.conf
--
2.25.1
* [OE-core][kirkstone 00/15] Patch review
@ 2022-07-27 0:40 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2022-07-27 0:40 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3979
The following changes since commit f1c2e21a28f8ad5dc6ff7b0db877aa22e01a9e00:
pulseaudio: add m4-native to DEPENDS (2022-07-17 16:59:57 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
gnupg: update 2.3.4 -> 2.3.6
Joshua Watt (1):
sstatesig: Include all dependencies in SPDX task signatures
Khem Raj (2):
lua: Backport fix for CVE-2022-33099
gcc-runtime: Pass -nostartfiles when building dummy libstdc++.so
Ming Liu (1):
rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
Naveen (1):
gcc: Backport a fix for gcc bug 105039
Richard Purdie (1):
vim: Upgrade 9.0.0021 -> 9.0.0063
Sakib Sajal (3):
dpkg: fix CVE-2022-1664
go: update v1.17.10 -> v1.17.12
git: upgrade v2.35.3 -> v2.35.4
Tom Hochstein (1):
gobject-introspection-data: Disable cache for g-ir-scanner
Yi Zhao (1):
tiff: Security fixes CVE-2022-1354 and CVE-2022-1355
Yue Tao (1):
gnupg: upgrade to 2.3.7 to fix CVE-2022-34903
wangmy (2):
bind: upgrade 9.18.2 -> 9.18.3
bind: upgrade 9.18.3 -> 9.18.4
.../gobject-introspection-data.bbclass | 5 +
meta/classes/rootfs-postcommands.bbclass | 2 +-
meta/lib/oe/sstatesig.py | 9 +
...1-avoid-start-failure-with-bind-user.patch | 0
...d-V-and-start-log-hide-build-options.patch | 0
...ching-for-json-headers-searches-sysr.patch | 0
.../bind/{bind-9.18.2 => bind-9.18.4}/bind9 | 0
.../{bind-9.18.2 => bind-9.18.4}/conf.patch | 0
.../generate-rndc-key.sh | 0
...t.d-add-support-for-read-only-rootfs.patch | 0
.../make-etc-initd-bind-stop-work.patch | 0
.../named.service | 0
.../bind/{bind_9.18.2.bb => bind_9.18.4.bb} | 2 +-
...ive-Prevent-directory-traversal-for-.patch | 328 ++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 +
meta/recipes-devtools/gcc/gcc-11.3.inc | 2 +-
meta/recipes-devtools/gcc/gcc-runtime.inc | 3 +-
.../gcc/gcc/0030-rust-recursion-limit.patch | 92 +++++
.../git/{git_2.35.3.bb => git_2.35.4.bb} | 2 +-
.../go/{go-1.17.10.inc => go-1.17.12.inc} | 2 +-
...1.17.10.bb => go-binary-native_1.17.12.bb} | 4 +-
....17.10.bb => go-cross-canadian_1.17.12.bb} | 0
...o-cross_1.17.10.bb => go-cross_1.17.12.bb} | 0
...ssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} | 0
...native_1.17.10.bb => go-native_1.17.12.bb} | 0
...ntime_1.17.10.bb => go-runtime_1.17.12.bb} | 0
.../go/{go_1.17.10.bb => go_1.17.12.bb} | 0
.../lua/lua/CVE-2022-33099.patch | 61 ++++
meta/recipes-devtools/lua/lua_5.4.4.bb | 1 +
.../gobject-introspection_1.72.0.bb | 3 -
.../libtiff/tiff/CVE-2022-1354.patch | 212 +++++++++++
.../libtiff/tiff/CVE-2022-1355.patch | 62 ++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 2 +
...-a-custom-value-for-the-location-of-.patch | 6 +-
.../0003-dirmngr-uses-libgpg-error.patch | 29 --
.../gnupg/gnupg/relocate.patch | 18 +-
.../gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb} | 3 +-
.../vim/files/crosscompile.patch | 51 +++
meta/recipes-support/vim/files/racefix.patch | 12 +-
meta/recipes-support/vim/vim.inc | 9 +-
40 files changed, 860 insertions(+), 61 deletions(-)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-avoid-start-failure-with-bind-user.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind9 (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/conf.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/generate-rndc-key.sh (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/init.d-add-support-for-read-only-rootfs.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/make-etc-initd-bind-stop-work.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/named.service (100%)
rename meta/recipes-connectivity/bind/{bind_9.18.2.bb => bind_9.18.4.bb} (98%)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch
rename meta/recipes-devtools/git/{git_2.35.3.bb => git_2.35.4.bb} (98%)
rename meta/recipes-devtools/go/{go-1.17.10.inc => go-1.17.12.inc} (92%)
rename meta/recipes-devtools/go/{go-binary-native_1.17.10.bb => go-binary-native_1.17.12.bb} (83%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.17.10.bb => go-cross-canadian_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.17.10.bb => go-cross_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-native_1.17.10.bb => go-native_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.17.10.bb => go-runtime_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go_1.17.10.bb => go_1.17.12.bb} (100%)
create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
delete mode 100644 meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
rename meta/recipes-support/gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb} (95%)
create mode 100644 meta/recipes-support/vim/files/crosscompile.patch
--
2.25.1
* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-06 15:24 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5269
The following changes since commit 2d67702bdfc64358d364dd6484ae41842ee7c52f:
glibc: stable 2.35 branch updates. (2023-04-28 03:55:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Deepthi Hemraj (4):
binutils : Fix CVE-2023-25584
binutils : Fix CVE-2023-25585
binutils : Fix CVE-2023-1972
binutils : Fix CVE-2023-25588
Hitendra Prajapati (1):
connman: fix CVE-2023-28488 DoS in client.c
Kai Kang (1):
webkitgtk: fix CVE-2022-32888 & CVE-2022-32923
Narpat Mali (2):
ffmpeg: fix for CVE-2022-48434
python3-cryptography: fix for CVE-2023-23931
Randolph Sapp (2):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
kernel-devicetree: allow specification of dtb directory
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Vivek Kumbhar (2):
freetype: fix CVE-2023-2004 integer overflowin in
tt_hvadvance_adjust() in src/truetype/ttgxvar.c
go: fix CVE-2023-24534 denial of service from excessive memory
allocation
meta/classes/kernel-devicetree.bbclass | 22 +-
meta/classes/kernel.bbclass | 2 +
.../connman/connman/CVE-2023-28488.patch | 60 ++
.../connman/connman_1.41.bb | 1 +
.../binutils/binutils-2.38.inc | 6 +
.../binutils/0022-CVE-2023-25584-1.patch | 56 ++
.../binutils/0022-CVE-2023-25584-2.patch | 38 ++
.../binutils/0022-CVE-2023-25584-3.patch | 534 ++++++++++++++++++
.../binutils/0023-CVE-2023-25585.patch | 54 ++
.../binutils/0025-CVE-2023-25588.patch | 147 +++++
.../binutils/0026-CVE-2023-1972.patch | 41 ++
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.18/CVE-2023-24534.patch | 200 +++++++
.../go/go-1.18/CVE-2023-24538.patch | 208 +++++++
.../python3-cryptography/CVE-2023-23931.patch | 49 ++
.../python/python3-cryptography_36.0.2.bb | 1 +
.../run-postinsts/run-postinsts.service | 2 +-
.../freetype/freetype/CVE-2023-2004.patch | 41 ++
.../freetype/freetype_2.11.1.bb | 1 +
.../ffmpeg/ffmpeg/CVE-2022-48434.patch | 130 +++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +-
.../webkit/webkitgtk/CVE-2022-32888.patch | 41 ++
.../webkit/webkitgtk/CVE-2022-32923.patch | 435 ++++++++++++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 2 +
meta/recipes-support/libbsd/libbsd_0.11.5.bb | 7 +
scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +
26 files changed, 2083 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-09 22:32 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 01/15] git: fix CVE-2023-29007 Steve Sakoman
` (14 more replies)
0 siblings, 15 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5285
The following changes since commit 5fca673d8fe0ee97dc37ed2c9941696842cd667a:
run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-08 04:15:11 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Bruce Ashfield (1):
kernel: improve initramfs bundle processing time
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
override
Peter Bergin (1):
update-alternatives.bbclass: fix old override syntax
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Piotr Łobacz (1):
libarchive: Enable acls, xattr for native as well as target
Steve Sakoman (1):
Revert "xserver-xorg: backport fix for CVE-2023-1393"
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
set
Wang Mingyu (2):
wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
xserver-xorg: upgrade 21.1.7 -> 21.1.8
Yoann Congal (1):
linux-yocto: Exclude 121 CVEs already fixed upstream
Zhixiong Chi (1):
libpam: Fix the xtests/tst-pam_motd[1|3] failures
bkylerussell@gmail.com (1):
kernel-devsrc: depend on python3-core instead of python3
meta/classes/kernel.bbclass | 2 +-
meta/classes/populate_sdk_ext.bbclass | 3 +-
meta/classes/update-alternatives.bbclass | 4 +-
meta/lib/oeqa/utils/metadata.py | 6 +-
.../libxml/libxml2/CVE-2023-28484.patch | 79 ++
.../libxml/libxml2/CVE-2023-29469.patch | 42 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
.../git/git/CVE-2023-25652.patch | 94 ++
.../git/git/CVE-2023-29007.patch | 162 ++++
meta/recipes-devtools/git/git_2.35.7.bb | 2 +
.../libarchive/libarchive_3.6.2.bb | 6 +-
...rely-on-all-filesystems-providing-a-.patch | 108 +++
meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
...posite-Fix-use-after-free-of-the-COW.patch | 46 -
...-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} | 5 +-
...20230210.bb => linux-firmware_20230404.bb} | 6 +-
meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++
meta/recipes-kernel/linux/kernel-devsrc.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto.inc | 3 +
...fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} | 2 +-
20 files changed, 1384 insertions(+), 66 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} (80%)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
rename meta/recipes-sato/webkit/{wpebackend-fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} (90%)
--
2.34.1
* [OE-core][kirkstone 01/15] git: fix CVE-2023-29007
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 02/15] git: fix CVE-2023-25652 Steve Sakoman
` (13 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can be used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../git/git/CVE-2023-29007.patch | 162 ++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
2 files changed, 163 insertions(+)
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 0000000000..472f4022b2
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,162 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+Upstream-Status: Backport
+CVE: CVE-2023-29007
+
+Reference to upstream patch:
+https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ config.c | 36 +++++++++++++++++++++++++-----------
+ t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 2bffa8d..6a01938 100644
+--- a/config.c
++++ b/config.c
+@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const char *value,
+ flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+- int i = 0, j = 0, dot = 0;
++ size_t i = 0, j = 0;
++ int dot = 0;
+ if (buf[i] != '[')
+ return 0;
+ for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name)
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char *config_filename,
+ const char *old_name,
+@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ char *filename_buf = NULL;
+ struct lock_file lock = LOCK_INIT;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file = NULL;
+ struct stat st;
+ struct strbuf copystr = STRBUF_INIT;
+ struct config_store_data store;
++ uint32_t line_nr = 0;
+
+ memset(&store, 0, sizeof(store));
+
+@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ goto out;
+ }
+
+- while (fgets(buf, sizeof(buf), config_file)) {
+- unsigned i;
+- int length;
++ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
++ size_t i, length;
+ int is_section = 0;
+- char *output = buf;
+- for (i = 0; buf[i] && isspace(buf[i]); i++)
++ char *output = buf.buf;
++
++ line_nr++;
++
++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
++ ret = error(_("refusing to work with overly long line "
++ "in '%s' on line %"PRIuMAX),
++ config_filename, (uintmax_t)line_nr);
++ goto out;
++ }
++
++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+ ; /* do nothing */
+- if (buf[i] == '[') {
++ if (buf.buf[i] == '[') {
+ /* it's a section */
+- int offset;
++ size_t offset;
+ is_section = 1;
+
+ /*
+@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ strbuf_reset(©str);
+ }
+
+- offset = section_name_match(&buf[i], old_name);
++ offset = section_name_match(&buf.buf[i], old_name);
+ if (offset > 0) {
+ ret++;
+ if (new_name == NULL) {
+@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ out_no_rollback:
+ free(filename_buf);
+ config_store_data_clear(&store);
++ strbuf_release(&buf);
+ return ret;
+ }
+
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 78359f1..b07feb1 100755
+--- a/t/t1300-config.sh
++++ b/t/t1300-config.sh
+@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is rejected' '
+ test_must_fail git config --rename-section branch.zwei "bogus name"
+ '
+
++test_expect_success 'renaming a section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y b.e
++'
++
++test_expect_success 'renaming an embedded section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y foo.e
++'
++
++test_expect_success 'renaming a section with an overly-long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %525000s e" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ test_must_fail git config -f y --rename-section a xyz 2>err &&
++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
++'
++
+ cat >> .git/config << EOF
+ [branch "zwei"] a = 1 [branch "vier"]
+ EOF
+--
+2.40.0
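Review bot: The patch header gives `Upstream-Status: Backport` with no commit reference, and its `From` hash 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce is not the commit linked under "Reference to upstream patch" (528290f8c61222433a8cf02fb7cfffa8438432b4). Since the subject is a merge that folds in four changes, put the reference in the tag as `Upstream-Status: Backport [<commit URL>]`, the form the CVE-2023-25652 patch later in this series uses, and list every upstream commit that was squashed so the backport can be compared against upstream. Separately, the context line `strbuf_reset(©str);` in the `config.c` hunk at `@@ -3323,7 +3336,7 @@` does not match the `copystr` variable declared earlier in the function; if the file on disk reads the same, restore `&copystr` or that hunk will not apply.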
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index faf0b67051..199ac950fa 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -10,6 +10,7 @@ PROVIDES:append:class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
file://fixsort.patch \
file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
+ file://CVE-2023-29007.patch \
"
S = "${WORKDIR}/git-${PV}"
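Review bot: Carrying `file://CVE-2023-29007.patch` on git_2.35.7.bb looks avoidable, since the commit message lists 2.35.8 as a fixed release on the same maintenance line. Consider upgrading the recipe to 2.35.8 instead, as was done for the 2.35.3 -> 2.35.4 update earlier on this branch; if the backport is preferred, state the reason in the commit message.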
--
2.34.1
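A pre-check in the spirit of the workaround in the commit message above, as an added example that is not part of the original mail or of git: it replays how the removed `fgets(buf, sizeof(buf), config_file)` loop with `char buf[1024]` would have split each line of a config file, and flags continuation chunks that begin with `[`. The function names and the sample data are assumptions made for this example; the sample is modelled on the t1300 test in the patch.

```python
#!/usr/bin/env python3
"""Flag git config lines that the pre-fix 1024-byte fgets() loop would split."""
import sys

FGETS_BUF = 1024         # `char buf[1024]`, the buffer the patch removes
CHUNK = FGETS_BUF - 1    # fgets() stores at most size-1 bytes per call
MAX_LINE = 512 * 1024    # GIT_CONFIG_MAX_LINE_LEN, the limit the patch adds


def iter_lines(data: bytes):
    """Split on LF only and keep the terminator, as fgets()/strbuf_getwholeline() do."""
    start = 0
    while start < len(data):
        nl = data.find(b"\n", start)
        end = len(data) if nl < 0 else nl + 1
        yield data[start:end]
        start = end


def fgets_chunks(line: bytes):
    """Pieces that successive fgets(buf, 1024, f) calls return for one physical line."""
    return [line[off:off + CHUNK] for off in range(0, len(line), CHUNK)]


def audit(data: bytes):
    """Return (line_nr, kind, detail) for every line longer than one fgets() chunk.

    kind is "fake-section" when a continuation chunk starts with '[' after
    optional whitespace, "over-limit" when the patched code would refuse the
    line, and "long-line" otherwise.
    """
    findings = []
    for nr, line in enumerate(iter_lines(data), 1):
        if len(line) <= CHUNK:
            continue  # one fgets() call: parsed the same before and after the fix
        # The old loop skipped leading whitespace in each chunk and treated a
        # following '[' as the start of a section header.
        fake = [c.lstrip()[:40] for c in fgets_chunks(line)[1:]
                if c.lstrip().startswith(b"[")]
        if fake:
            findings.append((nr, "fake-section", fake[0].rstrip(b"\n")))
        elif len(line) >= MAX_LINE:
            findings.append((nr, "over-limit", b""))
        else:
            findings.append((nr, "long-line", b""))
    return findings


# Constructed sample, modelled on the t1300 test added by the patch.
SAMPLE = b"[b]\n" + b"\tc = d " + b" " * 1024 + b" [a] e = f\n" + b"[a] g = h\n"


def main(paths):
    status = 0
    for path in paths:
        with open(path, "rb") as fh:
            for nr, kind, detail in audit(fh.read()):
                print(f"{path}:{nr}: {kind} {detail.decode('utf-8', 'replace')}")
                if kind == "fake-section":
                    status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against `$GIT_DIR/config` before `git submodule deinit`; exit status 1 means at least one continuation chunk would have been tested as a section header by the unpatched loop.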
* [OE-core][kirkstone 02/15] git: fix CVE-2023-25652
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 01/15] git: fix CVE-2023-29007 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 03/15] libxml2: patch CVE-2023-28484 and CVE-2023-29469 Steve Sakoman
` (12 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that creates a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../git/git/CVE-2023-25652.patch | 94 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
2 files changed, 95 insertions(+)
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch
diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 0000000000..825701eaff
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+ The `git apply --reject` is expected to write out `.rej` files in case
+ one or more hunks fail to apply cleanly. Historically, the command
+ overwrites any existing `.rej` files. The idea being that
+ apply/reject/edit cycles are relatively common, and the generated `.rej`
+ files are not considered precious.
+
+ But the command does not overwrite existing `.rej` symbolic links, and
+ instead follows them. This is unsafe because the same patch could
+ potentially create such a symbolic link and point at arbitrary paths
+ outside the current worktree, and `git apply` would write the contents
+ of the `.rej` file into that location.
+
+ Therefore, let's make sure that any existing `.rej` file or symbolic
+ link is removed before writing it.
+
+ Reported-by: RyotaK <ryotak.mail@gmail.com>
+ Helped-by: Taylor Blau <me@ttaylorr.com>
+ Helped-by: Junio C Hamano <gitster@pobox.com>
+ Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ apply.c | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index fc6f484..47f2686 100644
+--- a/apply.c
++++ b/apply.c
+@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ FILE *rej;
+ char namebuf[PATH_MAX];
+ struct fragment *frag;
+- int cnt = 0;
++ int fd, cnt = 0;
+ struct strbuf sb = STRBUF_INIT;
+
+ for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ memcpy(namebuf, patch->new_name, cnt);
+ memcpy(namebuf + cnt, ".rej", 5);
+
+- rej = fopen(namebuf, "w");
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0) {
++ if (errno != EEXIST)
++ return error_errno(_("cannot open %s"), namebuf);
++ if (unlink(namebuf))
++ return error_errno(_("cannot unlink '%s'"), namebuf);
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0)
++ return error_errno(_("cannot open %s"), namebuf);
++ }
++ rej = fdopen(fd, "w");
+ if (!rej)
+ return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
++++ b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+ test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++
++ test_commit file &&
++ echo modified >file.t &&
++ git diff -- file.t >patch &&
++ echo modified-again >file.t &&
++
++ ln -s foo file.t.rej &&
++ test_must_fail git apply patch --reject 2>err &&
++ test_i18ngrep "Rejected hunk" err &&
++ test_path_is_missing foo &&
++ test_path_is_file file.t.rej
++'
++
+ test_done
+--
+2.40.0
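Review bot: In the `apply.c` hunk at `@@ -4624,7 +4624,17 @@`, the descriptor returned by `open()` is not closed when `fdopen(fd, "w")` fails: the `if (!rej) return error_errno(...)` path returns with `fd` still open. Closing `fd` on that path (saving `errno` first) would fix it; as this is a backport, it is best raised upstream while the patch stays identical to commit 9db05711c98efc14f414d4c87135a34c13586e0b. In the patch header, the `Date:` line and the one-space-indented message body look pasted from `git show` rather than produced by `git format-patch`; regenerating the header would match the other patches in this series.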
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 199ac950fa..99d3d70683 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -11,6 +11,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
file://fixsort.patch \
file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
file://CVE-2023-29007.patch \
+ file://CVE-2023-25652.patch \
"
S = "${WORKDIR}/git-${PV}"
--
2.34.1
* [OE-core][kirkstone 03/15] libxml2: patch CVE-2023-28484 and CVE-2023-29469
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 01/15] git: fix CVE-2023-29007 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 02/15] git: fix CVE-2023-25652 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream Steve Sakoman
` (11 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backports from:
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2023-28484.patch | 79 +++++++++++++++++++
.../libxml/libxml2/CVE-2023-29469.patch | 42 ++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
3 files changed, 123 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
new file mode 100644
index 0000000000..907f2c4d47
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
+--
+GitLab
+
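Review bot: in the xmlschemas.c change, the new `else if` condition reads `baseType->subtypes`, and no check on `baseType` itself is visible in the surrounding context. Please confirm against the 2.9.14 source that `baseType` cannot be NULL on this path. The embedded hunk header still carries upstream's position (`@@ -18632,7 +18632,7 @@`); if it lands at an offset or with fuzz on 2.9.14, refresh the patch so it applies cleanly. Keeping test/schemas/issue491_0.xsd and its expected .err output in the backport is good, since they give a regression case for the reported schema.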
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
new file mode 100644
index 0000000000..f60d160c49
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
++++ b/dict.c
+@@ -433,7 +433,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value += *name;
+ value <<= 5;
+ if (namelen > 10) {
+--
+GitLab
+
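Review bot: the dict.c change in xmlDictComputeFastKey alters two behaviours at once, and only one of them is the fix. Returning before `value += *name` when `namelen <= 0` stops the read of a byte from an empty string that is not null-terminated. Separately, the `name == NULL` case now returns the seed where it used to return 0. The commit message covers the second with "shouldn't have an impact on security", but a short comment above the check saying why the seed is returned would help the next reader. The diffstat lists dict.c only, so this backport carries no regression test; if upstream has none either, say so in the patch header so it is clear the omission is not a backport loss.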
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index e15f8eb13f..9241b279e4 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -25,6 +25,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://0001-Port-gentest.py-to-Python-3.patch \
file://CVE-2022-40303.patch \
file://CVE-2022-40304.patch \
+ file://CVE-2023-28484.patch \
+ file://CVE-2023-29469.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
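Review bot: the two `file://` entries added to SRC_URI put two unrelated CVE fixes into one commit, whereas the git fixes earlier in this series (01/15 and 02/15) are one CVE per commit. Splitting this the same way would let either backport be reverted or bisected on its own. The commit message gives only the two upstream URLs, so a line per CVE naming the defect (null dereference in xmlSchemaFixupComplexType, non-deterministic hashing in xmlDictComputeFastKey) would make the log readable without opening the patches.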
--
2.34.1
* [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (2 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 03/15] libxml2: patch CVE-2023-28484 and CVE-2023-29469 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-10 15:32 ` Yoann Congal
2023-05-11 21:17 ` akuster808
2023-05-09 22:32 ` [OE-core][kirkstone 05/15] wpebackend-fdo: upgrade 1.14.0 -> 1.14.2 Steve Sakoman
` (10 subsequent siblings)
14 siblings, 2 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Yoann Congal <yoann.congal@smile.fr>
Exclude CVEs that are fixed in both current linux-yocto versions,
v5.10.175 and v5.15.108.
To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
[1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++++
meta/recipes-kernel/linux/linux-yocto.inc | 3 +
2 files changed, 878 insertions(+)
create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 0000000000..7fd362881a
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,875 @@
+# Kernel CVE exclusion file
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
+# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
+# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
+# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
+CVE_CHECK_IGNORE += "CVE-2021-3759"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4135
+# Patched in kernel since v5.16 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46
+# Backported in version v5.4.168 699e794c12a3cd79045ff135bc87a53b97024e43
+# Backported in version v5.10.88 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8
+# Backported in version v5.15.11 27358aa81a7d60e6bd36f0bb1db65cd084c2cad0
+CVE_CHECK_IGNORE += "CVE-2021-4135"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4155
+# Patched in kernel since v5.16 983d8e60f50806f90534cc5373d0ce867e5aaf79
+# Backported in version v5.4.171 102af6edfd3a372db6e229177762a91f552e5f5e
+# Backported in version v5.10.91 16d8568378f9ee2d1e69216d39961aa72710209f
+# Backported in version v5.15.14 b0e72ba9e520b95346e68800afff0db65e766ca8
+CVE_CHECK_IGNORE += "CVE-2021-4155"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0168
+# Patched in kernel since v5.18 b92e358757b91c2827af112cae9af513f26a3f34
+# Backported in version v5.10.110 9963ccea6087268e1275b992dca5d0dd4b938765
+# Backported in version v5.15.33 f143f8334fb9eb2f6c7c15b9da1472d9c965fd84
+CVE_CHECK_IGNORE += "CVE-2022-0168"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0171
+# Patched in kernel since v5.18 683412ccf61294d727ead4a73d97397396e69a6b
+# Backported in version v5.10.146 a60babeb60ff276963d4756c7fd2e7bf242bb777
+# Backported in version v5.15.70 39b0235284c7aa33a64e07b825add7a2c108094a
+CVE_CHECK_IGNORE += "CVE-2022-0171"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1016
+# Patched in kernel since v5.18 4c905f6740a365464e91467aa50916555b28213d
+# Backported in version v5.4.188 06f0ff82c70241a766a811ae1acf07d6e2734dcb
+# Backported in version v5.10.109 2c74374c2e88c7b7992bf808d9f9391f7452f9d9
+# Backported in version v5.15.32 fafb904156fbb8f1dd34970cd5223e00b47c33be
+CVE_CHECK_IGNORE += "CVE-2022-1016"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
+# Patched in kernel since v6.1 61a1d87a324ad5e3ed27c6699dfc93218fcf3201
+# Backported in version v5.10.150 483831ad0440f62c10d1707c97ce824bd82d98ae
+# Backported in version v5.15.75 dd366295d1eca557e7a9000407ec3952f691d27b
+# Backported in version v5.19.17 edb71f055684f9023fd97e2f85c6f31380d163c1
+CVE_CHECK_IGNORE += "CVE-2022-1184"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1198
+# Patched in kernel since v5.17 efe4186e6a1b54bf38b9e05450d43b0da1fd7739
+# Backported in version v5.4.189 28c8fd84bea13cbf238d7b19d392de2fcc31331c
+# Backported in version v5.10.110 f67a1400788f550d201c71aeaf56706afe57f0da
+# Backported in version v5.15.33 3eb18f8a1d02a9462a0e4903efc674ca3d0406d1
+CVE_CHECK_IGNORE += "CVE-2022-1198"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1199
+# Patched in kernel since v5.17 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac
+# Backported in version v5.4.185 0a64aea5fe023cf1e4973676b11f49038b1f045b
+# Backported in version v5.10.106 e2201ef32f933944ee02e59205adb566bafcdf91
+# Backported in version v5.15.29 46ad629e58ce3a88c924ff3c5a7e9129b0df5659
+CVE_CHECK_IGNORE += "CVE-2022-1199"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
+# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
+# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
+# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
+CVE_CHECK_IGNORE += "CVE-2022-1462"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1734
+# Patched in kernel since v5.18 d270453a0d9ec10bb8a802a142fb1b3601a83098
+# Backported in version v5.4.193 33d3e76fc7a7037f402246c824d750542e2eb37f
+# Backported in version v5.10.115 1961c5a688edb53fe3bc25cbda57f47adf12563c
+# Backported in version v5.15.39 b8f2b836e7d0a553b886654e8b3925a85862d2eb
+CVE_CHECK_IGNORE += "CVE-2022-1734"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1852
+# Patched in kernel since v5.19 fee060cd52d69c114b62d1a2948ea9648b5131f9
+# Backported in version v5.10.120 3d8fc6e28f321d753ab727e3c3e740daf36a8fa3
+# Backported in version v5.15.45 531d1070d864c78283b7597449e60ddc53319d88
+CVE_CHECK_IGNORE += "CVE-2022-1852"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1882
+# Patched in kernel since v5.19 353f7988dd8413c47718f7ca79c030b6fb62cfe5
+# Backported in version v5.10.134 0adf21eec59040b31af113e626efd85eb153c728
+# Backported in version v5.15.58 ba3a8af8a21a81cfd0c8c689a81261caba934f97
+CVE_CHECK_IGNORE += "CVE-2022-1882"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1998
+# Patched in kernel since v5.17 ee12595147ac1fbfb5bcb23837e26dd58d94b15d
+# Backported in version v5.10.97 7b4741644cf718c422187e74fb07661ef1d68e85
+# Backported in version v5.15.20 60765e43e40fbf7a1df828116172440510fcc3e4
+CVE_CHECK_IGNORE += "CVE-2022-1998"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2078
+# Patched in kernel since v5.19 fecf31ee395b0295f2d7260aa29946b7605f7c85
+# Backported in version v5.10.120 c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048
+# Backported in version v5.15.45 89ef50fe03a55feccf5681c237673a2f98161161
+CVE_CHECK_IGNORE += "CVE-2022-2078"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
+# Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
+# Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b
+# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
+# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
+# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
+CVE_CHECK_IGNORE += "CVE-2022-2196"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2318
+# Patched in kernel since v5.19 9cc02ede696272c5271a401e4f27c262359bc2f6
+# Backported in version v5.4.204 bb91556d2af066f8ca2e7fd8e334d652e731ee29
+# Backported in version v5.10.129 8f74cb27c2b4872fd14bf046201fa7b36a46885e
+# Backported in version v5.15.53 659d39545260100628d8a30020d09fb6bf63b915
+CVE_CHECK_IGNORE += "CVE-2022-2318"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2380
+# Patched in kernel since v5.18 bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8
+# Backported in version v5.4.189 478154be3a8c21ff106310bb1037b1fc9d81dc62
+# Backported in version v5.10.110 72af8810922eb143ed4f116db246789ead2d8543
+# Backported in version v5.15.33 46cdbff26c88fd75dccbf28df1d07cbe18007eac
+CVE_CHECK_IGNORE += "CVE-2022-2380"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
+# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
+# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
+# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
+# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
+CVE_CHECK_IGNORE += "CVE-2022-2503"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
+# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
+# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
+# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
+# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
+CVE_CHECK_IGNORE += "CVE-2022-26365"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
+# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
+# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
+# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
+# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
+# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
+CVE_CHECK_IGNORE += "CVE-2022-2663"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2873
+# Patched in kernel since v6.2 39244cc754829bf707dccd12e2ce37510f5b1f8d
+# Backported in version v5.4.229 cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd
+# Backported in version v5.10.163 9ac541a0898e8ec187a3fa7024b9701cffae6bf2
+# Backported in version v5.15.86 96c12fd0ec74641295e1c3c34dea3dce1b6c3422
+# Backported in version v6.1.2 233348a04becf133283f0076e20b317302de21d9
+CVE_CHECK_IGNORE += "CVE-2022-2873"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2905
+# Patched in kernel since v6.0 a657182a5c5150cdfacb6640aad1d2712571a409
+# Backported in version v5.10.140 e8979807178434db8ceaa84dfcd44363e71e50bb
+# Backported in version v5.15.64 4f672112f8665102a5842c170be1713f8ff95919
+# Backported in version v5.19.6 a36df92c7ff7ecde2fb362241d0ab024dddd0597
+CVE_CHECK_IGNORE += "CVE-2022-2905"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2959
+# Patched in kernel since v5.19 189b0ddc245139af81198d1a3637cac74f96e13a
+# Backported in version v5.10.120 8fbd54ab06c955d247c1a91d5d980cddc868f1e7
+# Backported in version v5.15.45 cf2fbc56c478a34a68ff1fa6ad08460054dfd499
+CVE_CHECK_IGNORE += "CVE-2022-2959"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3028
+# Patched in kernel since v6.0 ba953a9d89a00c078b85f4b190bc1dde66fe16b5
+# Backported in version v5.4.212 8ee27a4f0f1ad36d430221842767880df6494147
+# Backported in version v5.10.140 c5c4d4c9806dadac7bc82f9c29ef4e1b78894775
+# Backported in version v5.15.64 103bd319c0fc90f1cb013c3a508615e6df8af823
+# Backported in version v5.19.6 6901885656c029c976498290b52f67f2c251e6a0
+CVE_CHECK_IGNORE += "CVE-2022-3028"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3078
+# Patched in kernel since v5.18 e6a21a14106d9718aa4f8e115b1e474888eeba44
+# Backported in version v5.10.110 663e7a72871f89f7a10cc8d7b2f17f27c64e071d
+# Backported in version v5.15.33 9dd2fd7a1f84c947561af29424c5ddcecfcf2cbe
+CVE_CHECK_IGNORE += "CVE-2022-3078"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3104
+# Patched in kernel since v5.19 4a9800c81d2f34afb66b4b42e0330ae8298019a2
+# Backported in version v5.10.122 56ac04f35fc5dc8b5b67a1fa2f7204282aa887d5
+# Backported in version v5.15.47 1aeeca2b8397e3805c16a4ff26bf3cc8485f9853
+CVE_CHECK_IGNORE += "CVE-2022-3104"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3105
+# Patched in kernel since v5.16 7694a7de22c53a312ea98960fcafc6ec62046531
+# Backported in version v5.4.171 7646a340b25bb68cfb6d2e087a608802346d0f7b
+# Backported in version v5.10.91 16e5cad6eca1e506c38c39dc256298643fa1852a
+# Backported in version v5.15.14 0ea8bb0811ba0ec22903cbb48ff2cd872382e8d4
+CVE_CHECK_IGNORE += "CVE-2022-3105"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3106
+# Patched in kernel since v5.16 407ecd1bd726f240123f704620d46e285ff30dd9
+# Backported in version v5.10.88 734a3f3106053ee41cecae2a995b3d4d0c246764
+# Backported in version v5.15.11 9a77c02d1d2147a76bd187af1bf5a34242662d12
+CVE_CHECK_IGNORE += "CVE-2022-3106"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3107
+# Patched in kernel since v5.17 886e44c9298a6b428ae046e2fa092ca52e822e6a
+# Backported in version v5.4.187 b01e2df5fbf68719dfb8e766c1ca6089234144c2
+# Backported in version v5.10.108 9b763ceda6f8963cc99df5772540c54ba46ba37c
+# Backported in version v5.15.31 ab0ab176183191cffc69fe9dd8ac6c8db23f60d3
+CVE_CHECK_IGNORE += "CVE-2022-3107"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3111
+# Patched in kernel since v5.18 6dee930f6f6776d1e5a7edf542c6863b47d9f078
+# Backported in version v5.4.189 90bec38f6a4c81814775c7f3dfc9acf281d5dcfa
+# Backported in version v5.10.110 48d23ef90116c8c702bfa4cad93744e4e5588d7d
+# Backported in version v5.15.33 4124966fbd95eeecca26d52433f393e2b9649a33
+CVE_CHECK_IGNORE += "CVE-2022-3111"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3112
+# Patched in kernel since v5.18 c8c80c996182239ff9b05eda4db50184cf3b2e99
+# Backported in version v5.10.110 032b141a91a82a5f0107ce664a35b201e60c5ce1
+# Backported in version v5.15.33 b0b890dd8df3b9a2fe726826980b1cffe17b9679
+CVE_CHECK_IGNORE += "CVE-2022-3112"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3113
+# Patched in kernel since v5.18 e25a89f743b18c029bfbe5e1663ae0c7190912b0
+# Backported in version v5.10.110 bc2573abc691a269b54a6c14a2660f26d88876a5
+# Backported in version v5.15.33 0022dc8cafa5fcd156da8ae7bfc9ca99497bdffc
+CVE_CHECK_IGNORE += "CVE-2022-3113"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3115
+# Patched in kernel since v5.19 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33
+# Backported in version v5.4.198 fa0d7ba25a53ac2e4bb24ef31aec49ff3578b44f
+# Backported in version v5.10.121 b4c7dd0037e6aeecad9b947b30f0d9eaeda11762
+# Backported in version v5.15.46 4cb37f715f601cee5b026c6f9091a466266b5ba5
+CVE_CHECK_IGNORE += "CVE-2022-3115"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3202
+# Patched in kernel since v5.18 a53046291020ec41e09181396c1e829287b48d47
+# Backported in version v5.4.189 e19c3149a80e4fc8df298d6546640e01601f3758
+# Backported in version v5.10.111 b9c5ac0a15f24d63b20f899072fa6dd8c93af136
+# Backported in version v5.15.34 d925b7e78b62805fcc5440d1521181c82b6f03cb
+CVE_CHECK_IGNORE += "CVE-2022-3202"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32250
+# Patched in kernel since v5.19 520778042ccca019f3ffa136dd0ca565c486cedd
+# Backported in version v5.4.198 f36736fbd48491a8d85cd22f4740d542c5a1546e
+# Backported in version v5.10.120 ea62d169b6e731e0b54abda1d692406f6bc6a696
+# Backported in version v5.15.45 f692bcffd1f2ce5488d24fbcb8eab5f351abf79d
+CVE_CHECK_IGNORE += "CVE-2022-32250"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32296
+# Patched in kernel since v5.18 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
+# Backported in version v5.4.201 c26e1addf15763ae404f4bbf131719a724e768ab
+# Backported in version v5.10.125 9429b75bc271b6f29e50dbb0ee0751800ff87dd9
+# Backported in version v5.15.41 952a238d779eea4ecb2f8deb5004c8f56be79bc9
+CVE_CHECK_IGNORE += "CVE-2022-32296"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32981
+# Patched in kernel since v5.19 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9
+# Backported in version v5.4.198 0c4bc0a2f8257f79a70fe02b9a698eb14695a64b
+# Backported in version v5.10.122 3be74fc0afbeadc2aff8dc69f3bf9716fbe66486
+# Backported in version v5.15.47 2a0165d278973e30f2282c15c52d91788749d2d4
+CVE_CHECK_IGNORE += "CVE-2022-32981"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3303
+# Patched in kernel since v6.0 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
+# Backported in version v5.4.215 4051324a6dafd7053c74c475e80b3ba10ae672b0
+# Backported in version v5.10.148 fce793a056c604b41a298317cf704dae255f1b36
+# Backported in version v5.15.68 8015ef9e8a0ee5cecfd0cb6805834d007ab26f86
+# Backported in version v5.19.9 723ac5ab2891b6c10dd6cc78ef5456af593490eb
+CVE_CHECK_IGNORE += "CVE-2022-3303"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
+# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010
+# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
+# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
+# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
+CVE_CHECK_IGNORE += "CVE-2022-33740"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
+# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e
+# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
+# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
+# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
+CVE_CHECK_IGNORE += "CVE-2022-33741"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
+# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9
+# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
+# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
+# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
+CVE_CHECK_IGNORE += "CVE-2022-33742"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33743
+# Patched in kernel since v5.19 f63c2c2032c2e3caad9add3b82cc6e91c376fd26
+# Backported in version v5.10.129 547b7c640df545a344358ede93e491a89194cdfa
+# Backported in version v5.15.53 1052fc2b7391a43b25168ae69ad658fff5170f04
+CVE_CHECK_IGNORE += "CVE-2022-33743"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33744
+# Patched in kernel since v5.19 b75cd218274e01d026dc5240e86fdeb44bbed0c8
+# Backported in version v5.4.204 5c03cad51b84fb26ccea7fd99130d8ec47949cfc
+# Backported in version v5.10.129 43c8d33ce353091f15312cb6de3531517d7bba90
+# Backported in version v5.15.53 9f83c8f6ab14bbf4311b70bf1b7290d131059101
+CVE_CHECK_IGNORE += "CVE-2022-33744"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33981
+# Patched in kernel since v5.18 233087ca063686964a53c829d547c7571e3f67bf
+# Backported in version v5.4.192 7dea5913000c6a2974a00d9af8e7ffb54e47eac1
+# Backported in version v5.10.114 54c028cfc49624bfc27a571b94edecc79bbaaab4
+# Backported in version v5.15.37 e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3
+CVE_CHECK_IGNORE += "CVE-2022-33981"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
+# Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
+# Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977
+# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
+# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
+# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
+CVE_CHECK_IGNORE += "CVE-2022-3424"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
+# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883
+# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
+# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
+# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
+CVE_CHECK_IGNORE += "CVE-2022-3435"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-34918
+# Patched in kernel since v5.19 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6
+# Backported in version v5.10.130 0a5e36dbcb448a7a8ba63d1d4b6ade2c9d3cc8bf
+# Backported in version v5.15.54 c1784d2075138992b00c17ab4ffc6d855171fe6d
+CVE_CHECK_IGNORE += "CVE-2022-34918"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3521
+# Patched in kernel since v6.1 ec7eede369fe5b0d085ac51fdbb95184f87bfc6c
+# Backported in version v5.4.225 ad39d09190a545d0f05ae0a82900eee96c5facea
+# Backported in version v5.10.156 7deb7a9d33e4941c5ff190108146d3a56bf69e9d
+# Backported in version v5.15.80 27d706b0d394a907ff8c4f83ffef9d3e5817fa84
+CVE_CHECK_IGNORE += "CVE-2022-3521"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3545
+# Patched in kernel since v6.0 02e1a114fdb71e59ee6770294166c30d437bf86a
+# Backported in version v5.4.228 3c837460f920a63165961d2b88b425703f59affb
+# Backported in version v5.10.160 eb6313c12955c58c3d3d40f086c22e44ca1c9a1b
+# Backported in version v5.15.84 9d933af8fef33c32799b9f2d3ff6bf58a63d7f24
+CVE_CHECK_IGNORE += "CVE-2022-3545"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
+# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
+# Backported in version v5.4.224 4cd094fd5d872862ca278e15b9b51b07e915ef3f
+# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
+# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
+CVE_CHECK_IGNORE += "CVE-2022-3564"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3586
+# Patched in kernel since v6.0 9efd23297cca530bb35e1848665805d3fcdd7889
+# Backported in version v5.4.213 279c7668e354fa151d5fd2e8c42b5153a1de3135
+# Backported in version v5.10.143 2ee85ac1b29dbd2ebd2d8e5ac1dd5793235d516b
+# Backported in version v5.15.68 1a889da60afc017050e1f517b3b976b462846668
+# Backported in version v5.19.9 8f796f36f5ba839c11eb4685150ebeed496c546f
+CVE_CHECK_IGNORE += "CVE-2022-3586"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3594
+# Patched in kernel since v6.1 93e2be344a7db169b7119de21ac1bf253b8c6907
+# Backported in version v5.4.220 61fd56b0a1a3e923aced4455071177778dd59e88
+# Backported in version v5.10.150 484400d433ca1903a87268c55f019e932297538a
+# Backported in version v5.15.75 b3179865cf7e892b26eedab3d6c54b4747c774a2
+# Backported in version v5.19.17 2e896abccf99fef76691d8e1019bd44105a12e1f
+CVE_CHECK_IGNORE += "CVE-2022-3594"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36123
+# Patched in kernel since v5.19 38fa5479b41376dc9d7f57e71c83514285a25ca0
+# Backported in version v5.4.207 a3c7c1a726a4c6b63b85e8c183f207543fd75e1b
+# Backported in version v5.10.132 136d7987fcfdeca73ee3c6a29e48f99fdd0f4d87
+# Backported in version v5.15.56 26bb7afc027ce6ac8ab6747babec674d55689ff0
+CVE_CHECK_IGNORE += "CVE-2022-36123"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
+# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856
+# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c
+# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
+# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
+# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
+CVE_CHECK_IGNORE += "CVE-2022-3621"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
+# Patched in kernel since v6.1 fac35ba763ed07ba93154c95ffc0c4a55023707f
+# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c
+# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
+# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
+# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
+CVE_CHECK_IGNORE += "CVE-2022-3623"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
+# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d
+# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d
+# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
+# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
+# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
+CVE_CHECK_IGNORE += "CVE-2022-3629"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
+# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6
+# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93
+# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
+# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
+# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
+CVE_CHECK_IGNORE += "CVE-2022-3633"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
+# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b
+# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253
+# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
+# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
+# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
+CVE_CHECK_IGNORE += "CVE-2022-3635"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
+# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306
+# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393
+# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
+# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
+# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
+CVE_CHECK_IGNORE += "CVE-2022-3646"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
+# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09
+# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926
+# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
+# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
+# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
+CVE_CHECK_IGNORE += "CVE-2022-3649"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36879
+# Patched in kernel since v5.19 f85daf0e725358be78dfd208dea5fd665d8cb901
+# Backported in version v5.4.208 f4248bdb7d5c1150a2a6f8c3d3b6da0b71f62a20
+# Backported in version v5.10.134 47b696dd654450cdec3103a833e5bf29c4b83bfa
+# Backported in version v5.15.58 c8e32bca0676ac663266a3b16562cb017300adcd
+CVE_CHECK_IGNORE += "CVE-2022-36879"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36946
+# Patched in kernel since v5.19 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164
+# Backported in version v5.4.209 52be29e8b6455788a4d0f501bd87aa679ca3ba3c
+# Backported in version v5.10.135 440dccd80f627e0e11ceb0429e4cdab61857d17e
+# Backported in version v5.15.59 91c11008aab0282957b8b8ccb0707d90e74cc3b9
+CVE_CHECK_IGNORE += "CVE-2022-36946"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3707
+# Patched in kernel since v6.2 4a61648af68f5ba4884f0e3b494ee1cabc4b6620
+# Backported in version v5.4.233 787ef0db014085df8691e5aeb58ab0bb081e5ff0
+# Backported in version v5.10.170 3d743415c6fb092167df6c23e9c7e9f6df7db625
+# Backported in version v5.15.96 0d3d5099a50badadad6837edda00e42149b2f657
+# Backported in version v6.1.5 1022519da69d99d455c58ca181a6c499c562c70e
+CVE_CHECK_IGNORE += "CVE-2022-3707"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39188
+# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15
+# Backported in version v5.4.212 c9c5501e815132530d741ec9fdd22657f91656bc
+# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d
+# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e
+CVE_CHECK_IGNORE += "CVE-2022-39188"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39190
+# Patched in kernel since v6.0 e02f0d3970404bfea385b6edb86f2d936db0ea2b
+# Backported in version v5.10.140 c08a104a8bce832f6e7a4e8d9ac091777b9982ea
+# Backported in version v5.15.64 51f192ae71c3431aa69a988449ee2fd288e57648
+# Backported in version v5.19.6 fdca693fcf26c11596e7aa1e540af2b4a5288c76
+CVE_CHECK_IGNORE += "CVE-2022-39190"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39842
+# Patched in kernel since v5.19 a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
+# Backported in version v5.4.215 1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9
+# Backported in version v5.10.145 06e194e1130c98f82d46beb40cdbc88a0d4fd6de
+# Backported in version v5.15.70 ab5140c6ddd7473509e12f468948de91138b124e
+CVE_CHECK_IGNORE += "CVE-2022-39842"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-40307
+# Patched in kernel since v6.0 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95
+# Backported in version v5.4.213 8028ff4cdbb3f20d3c1c04be33a83bab0cb94997
+# Backported in version v5.10.143 918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6
+# Backported in version v5.15.68 dd291e070be0eca8807476b022bda00c891d9066
+# Backported in version v5.19.9 d46815a8f26ca6db2336106a148265239f73b0af
+CVE_CHECK_IGNORE += "CVE-2022-40307"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-40768
+# Patched in kernel since v6.1 6022f210461fef67e6e676fd8544ca02d1bcfa7a
+# Backported in version v5.4.218 20a5bde605979af270f94b9151f753ec2caf8b05
+# Backported in version v5.10.148 36b33c63515a93246487691046d18dd37a9f589b
+# Backported in version v5.15.74 76efb4897bc38b2f16176bae27ae801037ebf49a
+# Backported in version v5.19.16 6ae8aa5dcf0d7ada07964c8638e55d3af5896a86
+CVE_CHECK_IGNORE += "CVE-2022-40768"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4095
+# Patched in kernel since v6.0 e230a4455ac3e9b112f0367d1b8e255e141afae0
+# Backported in version v5.4.213 d0aac7146e96bf39e79c65087d21dfa02ef8db38
+# Backported in version v5.10.142 19e3f69d19801940abc2ac37c169882769ed9770
+# Backported in version v5.15.66 dc02aaf950015850e7589696521c7fca767cea77
+# Backported in version v5.19.8 b1727def850904e4b8ba384043775672841663a1
+CVE_CHECK_IGNORE += "CVE-2022-4095"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41218
+# Patched in kernel since v6.2 fd3d91ab1c6ab0628fe642dd570b56302c30a792
+# Backported in version v5.4.229 a29d6213098816ed4574824b6adae94fb1c0457d
+# Backported in version v5.10.163 3df07728abde249e2d3f47cf22f134cb4d4f5fb1
+# Backported in version v5.15.87 8b45a3b19a2e909e830d09a90a7e1ec8601927d9
+# Backported in version v6.1.4 530ca64b44625f7d39eb1d5efb6f9ff21da991e2
+CVE_CHECK_IGNORE += "CVE-2022-41218"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4139
+# Patched in kernel since v6.1 04aa64375f48a5d430b5550d9271f8428883e550
+# Backported in version v5.4.226 3659e33c1e4f8cfc62c6c15aca5d797010c277a4
+# Backported in version v5.10.157 86f0082fb9470904b15546726417f28077088fee
+# Backported in version v5.15.81 ee2d04f23bbb16208045c3de545c6127aaa1ed0e
+CVE_CHECK_IGNORE += "CVE-2022-4139"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41849
+# Patched in kernel since v6.1 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c
+# Backported in version v5.4.220 3742e9fd552e6c4193ebc5eb3d2cd02d429cad9c
+# Backported in version v5.10.150 e50472949604f385e09ce3fa4e74dce9f44fb19b
+# Backported in version v5.15.75 2b0897e33682a332167b7d355eec28693b62119e
+# Backported in version v5.19.17 02c871d44090c851b07770176f88c6f5564808a1
+CVE_CHECK_IGNORE += "CVE-2022-41849"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41850
+# Patched in kernel since v6.1 cacdb14b1c8d3804a3a7d31773bc7569837b71a4
+# Backported in version v5.4.220 e30c3a9a88818e5cf3df3fda6ab8388bef3bc6cd
+# Backported in version v5.10.150 dbcca76435a606a352c794956e6df62eedd3a353
+# Backported in version v5.15.75 c61786dc727d1850336d12c85a032c9a36ae396d
+# Backported in version v5.19.17 2d38886ae0365463cdba3db669170eef1e3d55c0
+CVE_CHECK_IGNORE += "CVE-2022-41850"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41858
+# Patched in kernel since v5.18 ec4eb8a86ade4d22633e1da2a7d85a846b7d1798
+# Backported in version v5.4.190 d05cd68ed8460cb158cc62c41ffe39fe0ca16169
+# Backported in version v5.10.112 ca24c5e8f0ac3d43ec0cff29e1c861be73aff165
+# Backported in version v5.15.35 efb020924a71391fc12e6f204eaf25694cc116a1
+CVE_CHECK_IGNORE += "CVE-2022-41858"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42328
+# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
+# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
+# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
+# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
+CVE_CHECK_IGNORE += "CVE-2022-42328"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42329
+# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
+# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
+# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
+# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
+CVE_CHECK_IGNORE += "CVE-2022-42329"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42703
+# Patched in kernel since v6.0 2555283eb40df89945557273121e9393ef9b542b
+# Backported in version v5.4.212 2fe3eee48899a890310177d54537d5b8e255eb31
+# Backported in version v5.10.141 98f401d36396134c0c86e9e3bd00b6b6b028b521
+# Backported in version v5.15.65 c18a209b56e37b2a60414f714bd70b084ef25835
+# Backported in version v5.19.7 7877eaa1131147b4d6a063962f3aac0ab1b8ea1c
+CVE_CHECK_IGNORE += "CVE-2022-42703"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42721
+# Patched in kernel since v6.1 bcca852027e5878aec911a347407ecc88d6fff7f
+# Backported in version v5.4.218 77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc
+# Backported in version v5.10.148 b0e5c5deb7880be5b8a459d584e13e1f9879d307
+# Backported in version v5.15.74 0a8ee682e4f992eccce226b012bba600bb2251e2
+# Backported in version v5.19.16 1d73c990e9bafc2754b1ced71345f73f5beb1781
+CVE_CHECK_IGNORE += "CVE-2022-42721"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42722
+# Patched in kernel since v6.1 b2d03cabe2b2e150ff5a381731ea0355459be09f
+# Backported in version v5.10.148 58c0306d0bcd5f541714bea8765d23111c9af68a
+# Backported in version v5.15.74 93a3a32554079432b49cf87f326607b2a2fab4f2
+# Backported in version v5.19.16 fa63b5f6f8853ace755d9a23fb75817d5ba20df5
+CVE_CHECK_IGNORE += "CVE-2022-42722"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
+# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
+# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_CHECK_IGNORE += "CVE-2022-42895"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
+# Patched in kernel since v6.2 d18dcfe9860e842f394e37ba01ca9440ab2178f4
+# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae
+# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
+# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
+# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
+CVE_CHECK_IGNORE += "CVE-2022-4382"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4662
+# Patched in kernel since v6.0 9c6d778800b921bde3bff3cff5003d1650f942d1
+# Backported in version v5.4.213 df1875084898b15cbc42f712e93d7f113ae6271b
+# Backported in version v5.10.142 abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8
+# Backported in version v5.15.66 c548b99e1c37db6f7df86ecfe9a1f895d6c5966e
+# Backported in version v5.19.8 d5eb850b3e8836197a38475840725260b9783e94
+CVE_CHECK_IGNORE += "CVE-2022-4662"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-47518
+# Patched in kernel since v6.1 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0
+# Backported in version v5.10.157 3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800
+# Backported in version v5.15.81 7aed1dd5d221dabe3fe258f13ecf5fc7df393cbb
+CVE_CHECK_IGNORE += "CVE-2022-47518"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-47519
+# Patched in kernel since v6.1 051ae669e4505abbe05165bebf6be7922de11f41
+# Backported in version v5.10.157 905f886eae4b065656a575e8a02544045cbaadcf
+# Backported in version v5.15.81 143232cb5a4c96d69a7d90b643568665463c6191
+CVE_CHECK_IGNORE += "CVE-2022-47519"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-47520
+# Patched in kernel since v6.1 cd21d99e595ec1d8721e1058dcdd4f1f7de1d793
+# Backported in version v5.10.157 7c6535fb4d67ea37c98a1d1d24ca33dd5ec42693
+# Backported in version v5.15.81 cd9c4869710bb6e38cfae4478c23e64e91438442
+CVE_CHECK_IGNORE += "CVE-2022-47520"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-47929
+# Patched in kernel since v6.2 96398560f26aa07e8f2969d73c8197e6a6d10407
+# Backported in version v5.4.229 9b83ec63d0de7b1f379daa1571e128bc7b9570f8
+# Backported in version v5.10.163 9f7bc28a6b8afc2274e25650511555e93f45470f
+# Backported in version v5.15.88 04941c1d5bb59d64165e09813de2947bdf6f4f28
+# Backported in version v6.1.6 e8988e878af693ac13b0fa80ba2e72d22d68f2dd
+CVE_CHECK_IGNORE += "CVE-2022-47929"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0179
+# Patched in kernel since v6.2 696e1a48b1a1b01edad542a1ef293665864a4dd0
+# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
+# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
+# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
+CVE_CHECK_IGNORE += "CVE-2023-0179"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
+# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17
+# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d
+# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
+# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
+# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
+CVE_CHECK_IGNORE += "CVE-2023-0394"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
+# Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
+# Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d
+# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
+# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
+# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
+CVE_CHECK_IGNORE += "CVE-2023-0461"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0590
+# Patched in kernel since v6.1 ebda44da44f6f309d302522b049f43d6f829f7aa
+# Backported in version v5.10.152 7aa3d623c11b9ab60f86b7833666e5d55bac4be9
+# Backported in version v5.15.76 ce1234573d183db1ebcab524668ca2d85543bf80
+CVE_CHECK_IGNORE += "CVE-2023-0590"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
+# Patched in kernel since v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
+# Backported in version v5.4.231 89e7fe3999e057c91f157b6ba663264f4cdfcb55
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_CHECK_IGNORE += "CVE-2023-1073"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
+# Patched in kernel since v6.2 458e279f861d3f61796894cd158b780765a1569f
+# Backported in version v5.4.231 a7585028ac0a5836f39139c11594d79ede97d975
+# Backported in version v5.10.166 6ef652f35dcfaa1ab2b2cf6c1694718595148eee
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_CHECK_IGNORE += "CVE-2023-1074"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
+# Patched in kernel since v6.3 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
+# Backported in version v5.4.235 084cd75643b61fb924f70cba98a71dea14942938
+# Backported in version v5.10.173 80a1751730b302d8ab63a084b2fa52c820ad0273
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+# Backported in version v6.2.3 1099004ae1664703ec573fc4c61ffb24144bcb63
+CVE_CHECK_IGNORE += "CVE-2023-1077"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
+# Patched in kernel since v6.2 f753a68980cf4b59a80fe677619da2b1804f526d
+# Backported in version v5.4.232 ba38eacade35dd2316d77b37494e6e0c01bab595
+# Backported in version v5.10.168 c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_CHECK_IGNORE += "CVE-2023-1078"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
+# Patched in kernel since v6.3 4ab3a086d10eeec1424f2e8a968827a6336203df
+# Backported in version v5.4.235 dd08e68d04d08d2f42b09162c939a0b0841216cc
+# Backported in version v5.10.173 21a2eec4a440060a6eb294dc890eaf553101ba09
+# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
+# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
+# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
+CVE_CHECK_IGNORE += "CVE-2023-1079"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1095
+# Patched in kernel since v6.0 580077855a40741cf511766129702d97ff02f4d9
+# Backported in version v5.4.211 a452bc3deb23bf93f8a13d3e24611b7ef39645dc
+# Backported in version v5.10.137 80977126bc20309f7f7bae6d8621356b393e8b41
+# Backported in version v5.15.61 8a2df34b5bf652566f2889d9fa321f3b398547ef
+# Backported in version v5.19.2 109539c9ba8497aad2948af4f09077f6a65059fe
+CVE_CHECK_IGNORE += "CVE-2023-1095"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
+# Patched in kernel since v6.3 29b0589a865b6f66d141d79b2dd1373e4e50fe17
+# Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c
+# Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c
+# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
+# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
+# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
+CVE_CHECK_IGNORE += "CVE-2023-1118"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1249
+# Patched in kernel since v5.18 390031c942116d4733310f0684beb8db19885fe6
+# Backported in version v5.10.110 558564db44755dfb3e48b0d64de327d20981e950
+# Backported in version v5.15.33 39fd0cc079c98dafcf355997ada7b5e67f0bb10a
+CVE_CHECK_IGNORE += "CVE-2023-1249"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1252
+# Patched in kernel since v5.16 9a254403760041528bc8f69fe2f5e1ef86950991
+# Backported in version v5.10.80 4fd9f0509a1452b45e89c668e2bab854cb05cd25
+# Backported in version v5.15.3 2f372e38f5724301056e005353c8beecc3f8d257
+CVE_CHECK_IGNORE += "CVE-2023-1252"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
+# Patched in kernel since v6.2 ee059170b1f7e94e55fa6cadee544e176a6e59c2
+# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
+# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
+# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
+CVE_CHECK_IGNORE += "CVE-2023-1281"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1382
+# Patched in kernel since v6.1 a7b42969d63f47320853a802efd879fbdc4e010e
+# Backported in version v5.4.226 59f9aad22fd743572bdafa37d3e1dd5dc5658e26
+# Backported in version v5.10.157 4058e3b74ab3eabe0835cee9a0c6deda79e8a295
+# Backported in version v5.15.81 33fb115a76ae6683e34f76f7e07f6f0734b2525f
+CVE_CHECK_IGNORE += "CVE-2023-1382"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
+# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
+# Backported in version v5.4.232 9f95a161a7deef62d6d2f57b1a69f94e0546d8d8
+# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
+# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
+# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
+CVE_CHECK_IGNORE += "CVE-2023-1513"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
+# Patched in kernel since v6.3 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
+# Backported in version v5.4.235 7a6fb69bbcb21e9ce13bdf18c008c268874f0480
+# Backported in version v5.10.173 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6
+# Backported in version v5.15.100 7c183dc0af472dec33d2c0786a5e356baa8cad19
+# Backported in version v6.1.18 3abebc503a5148072052c229c6b04b329a420ecd
+# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
+CVE_CHECK_IGNORE += "CVE-2023-1829"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1838
+# Patched in kernel since v5.18 fb4554c2232e44d595920f4d5c66cf8f7d13f9bc
+# Backported in version v5.4.196 3a12b2c413b20c17832ec51cb836a0b713b916ac
+# Backported in version v5.10.118 ec0d801d1a44d9259377142c6218885ecd685e41
+# Backported in version v5.15.42 42d8a6dc45fc6619b8def1a70b7bd0800bcc4574
+CVE_CHECK_IGNORE += "CVE-2023-1838"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1998
+# Patched in kernel since v6.3 6921ed9049bc7457f66c1596c5b78aec0dae4a9d
+# Backported in version v5.4.235 34c1b60e7a80404056c03936dd9c2438da2789d4
+# Backported in version v5.10.173 abfed855f05863d292de2d0ebab4656791bab9c8
+# Backported in version v5.15.99 e7f1ddebd9f5b12de40bc37db9243957678f1448
+# Backported in version v6.1.16 08d87c87d6461d16827c9b88d84c48c26b6c994a
+# Backported in version v6.2.3 ead3c8e54d28fa1d5454b1f8a21b96b4a969b1cb
+CVE_CHECK_IGNORE += "CVE-2023-1998"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2006
+# Patched in kernel since v6.1 3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5
+# Backported in version v5.10.157 3535c632e6d16c98f76e615da8dc0cb2750c66cc
+# Backported in version v5.15.81 38fe0988bd516f35c614ea9a5ff86c0d29f90c9a
+CVE_CHECK_IGNORE += "CVE-2023-2006"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2008
+# Patched in kernel since v5.19 05b252cccb2e5c3f56119d25de684b4f810ba40a
+# Backported in version v5.4.202 c7bdaad9cbfe17c83e4f56c7bb7a2d87d944f0fb
+# Backported in version v5.10.127 20119c1e0fff89542ff3272ace87e04cf6ee6bea
+# Backported in version v5.15.51 5b45535865d62633e3816ee30eb8d3213038dc17
+CVE_CHECK_IGNORE += "CVE-2023-2008"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2162
+# Patched in kernel since v6.2 f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3
+# Backported in version v5.4.232 d4d765f4761f9e3a2d62992f825aeee593bcb6b9
+# Backported in version v5.10.168 9758ffe1c07b86aefd7ca8e40d9a461293427ca0
+# Backported in version v5.15.93 0aaabdb900c7415caa2006ef580322f7eac5f6b6
+# Backported in version v6.1.11 61e43ebfd243bcbad11be26bd921723027b77441
+CVE_CHECK_IGNORE += "CVE-2023-2162"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2166
+# Patched in kernel since v6.1 0acc442309a0a1b01bcdaa135e56e6398a49439c
+# Backported in version v5.4.227 3982652957e8d79ac32efcb725450580650a8644
+# Backported in version v5.10.159 c42221efb1159d6a3c89e96685ee38acdce86b6f
+# Backported in version v5.15.83 c142cba37de29f740a3852f01f59876af8ae462a
+CVE_CHECK_IGNORE += "CVE-2023-2166"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2177
+# Patched in kernel since v5.19 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d
+# Backported in version v5.4.209 8d6dab81ee3d0309c09987ff76164a25486c43e0
+# Backported in version v5.10.135 6f3505588d66b27220f07d0cab18da380fae2e2d
+# Backported in version v5.15.59 e796e1fe20ecaf6da419ef6a5841ba181bba7a0c
+CVE_CHECK_IGNORE += "CVE-2023-2177"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-22999
+# Patched in kernel since v5.17 b52fe2dbb3e655eb1483000adfab68a219549e13
+# Backported in version v5.10.94 94177fcecc35e9e9d3aecaa5813556c6b5aed7b6
+# Backported in version v5.15.17 5157828d3975768b53a51cdf569203b953184022
+CVE_CHECK_IGNORE += "CVE-2023-22999"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23002
+# Patched in kernel since v5.17 6845667146a28c09b5dfc401c1ad112374087944
+# Backported in version v5.10.94 4579954bf4cc0bdfc4a42c88b16fe596f1e7f82d
+# Backported in version v5.15.17 9186e6ba52af11ba7b5f432aa2321f36e00ad721
+CVE_CHECK_IGNORE += "CVE-2023-23002"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23004
+# Patched in kernel since v5.19 15342f930ebebcfe36f2415049736a77d7d2e045
+# Backported in version v5.10.173 a5bbea50d622b8f49ab8ee3b0eb283107febcf1a
+# Backported in version v5.15.100 1c7988d5c79f72287177bb774cde15fde69f3c97
+CVE_CHECK_IGNORE += "CVE-2023-23004"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23454
+# Patched in kernel since v6.2 caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12
+# Backported in version v5.4.229 6b17b84634f932f4787f04578f5d030874b9ff32
+# Backported in version v5.10.163 b2c917e510e5ddbc7896329c87d20036c8b82952
+# Backported in version v5.15.87 04dc4003e5df33fb38d3dd85568b763910c479d4
+# Backported in version v6.1.5 dc46e39b727fddc5aacc0272ef83ee872d51be16
+CVE_CHECK_IGNORE += "CVE-2023-23454"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23455
+# Patched in kernel since v6.2 a2965c7be0522eaa18808684b7b82b248515511b
+# Backported in version v5.4.229 63e469cb54a87df53edcfd85bb5bcdd84327ae4a
+# Backported in version v5.10.163 5f65f48516bfeebaab1ccc52c8fad698ddf21282
+# Backported in version v5.15.87 f02327a4877a06cbc8277e22d4834cb189565187
+# Backported in version v6.1.5 85655c63877aeafdc23226510ea268a9fa0af807
+CVE_CHECK_IGNORE += "CVE-2023-23455"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23559
+# Patched in kernel since v6.2 b870e73a56c4cccbec33224233eaf295839f228c
+# Backported in version v5.4.231 9042a9a3f29c942387e6d6036551d90c9ae6ce4f
+# Backported in version v5.10.166 802fd7623e9ed19ee809b503e93fccc1e3f37bd6
+# Backported in version v5.15.91 8cbf932c5c40b0c20597fa623c308d5bde0848b5
+# Backported in version v6.1.9 7794efa358bca8b8a2a80070c6e088a74945f018
+CVE_CHECK_IGNORE += "CVE-2023-23559"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-25012
+# Patched in kernel since v6.3 76ca8da989c7d97a7f76c75d475fe95a584439d7
+# Backported in version v5.4.235 25e14bf0c894f9003247e3475372f33d9be1e424
+# Backported in version v5.10.173 fddde36316da8acb45a3cca2e5fda102f5215877
+# Backported in version v5.15.99 0fd9998052926ed24cfb30ab1a294cfeda4d0a8f
+# Backported in version v6.1.16 f2bf592ebd5077661e00aa11e12e054c4c8f6dd0
+# Backported in version v6.2.3 90289e71514e9533a9c44d694e2b492be9ed2b77
+CVE_CHECK_IGNORE += "CVE-2023-25012"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-26545
+# Patched in kernel since v6.2 fda6c89fe3d9aca073495a664e1d5aea28cd4377
+# Backported in version v5.4.232 df099e65564aa47478eb1cacf81ba69024fb5c69
+# Backported in version v5.10.169 7ff0fdba82298d1f456c685e24930da89703c0fb
+# Backported in version v5.15.95 59a74da8da75bdfb464cbdb399e87ba4f7500e96
+# Backported in version v6.1.13 c376227845eef8f2e62e2c29c3cf2140d35dd8e8
+CVE_CHECK_IGNORE += "CVE-2023-26545"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28327
+# Patched in kernel since v6.1 b3abe42e94900bdd045c472f9c9be620ba5ce553
+# Backported in version v5.4.227 c66d78aee55dab72c92020ebfbebc464d4f5dd2a
+# Backported in version v5.10.159 575a6266f63dbb3b8eb1da03671451f0d81b8034
+# Backported in version v5.15.83 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
+CVE_CHECK_IGNORE += "CVE-2023-28327"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28328
+# Patched in kernel since v6.2 0ed554fd769a19ea8464bb83e9ac201002ef74ad
+# Backported in version v5.4.229 8b256d23361c51aa4b7fdb71176c1ca50966fb39
+# Backported in version v5.10.163 559891d430e3f3a178040c4371ed419edbfa7d65
+# Backported in version v5.15.86 210fcf64be4db82c0e190e74b5111e4eef661a7a
+# Backported in version v6.1.2 6b60cf73a931af34b7a0a3f467a79d9fe0df2d70
+CVE_CHECK_IGNORE += "CVE-2023-28328"
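Review bot: These CVE_CHECK_IGNORE entries are unconditional, yet the comments above each one show the fix arriving at a different point release per stable branch, for example CVE-2023-1829 only at "v5.10.173" and "v5.15.100", and CVE-2023-1077 only at "v5.10.173" and "v5.15.99". A kernel recipe pinned below the listed point release for its branch would have a still-open CVE reported as ignored. Consider gating the list on a minimum kernel version per branch, or, if the file does not already do so, recording next to the list the kernel versions it was generated against so the exclusions can be re-checked whenever the recipe version moves.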
diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 1f8289b6b6..4943d5ab57 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -69,3 +69,6 @@ do_devshell:prepend() {
d.setVarFlag("PKG_CONFIG_SYSROOT_DIR", "unexport", "1")
d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR")
}
+
+# CVE exclusion
+include recipes-kernel/linux/cve-exclusion.inc
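Review bot: The added "include recipes-kernel/linux/cve-exclusion.inc" at the end of linux-yocto.inc uses "include", which continues silently when the file is not found, so a path or layer problem would change the cve-check result with no parse error; "require" would turn that into a hard failure. The "# CVE exclusion" comment should also say how the list is produced and that it applies to every recipe pulling in this .inc, since nothing in this hunk limits it to a particular kernel version.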
--
2.34.1
* [OE-core][kirkstone 05/15] wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
==========
- Reverted a change introduced in 1.14.1 which introduced crashes both
with WebKitGTK and WPE running under Wayland in some configurations.
- Fix a crash caused by wrong assertion, which was typically triggered in
debug builds when using the NVidia drivers.
- Fix WebKit no longer repainting after provisional navigation with
PSON enabled.
- Fix graphics buffer leaks by always freeing them in buffer destroy
listener callbacks.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit aa37e18a51714af3281b4127dceb40b38aa8ac3c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../{wpebackend-fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-sato/webkit/{wpebackend-fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} (90%)
diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb
similarity index 90%
rename from meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb
rename to meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb
index 708201043b..b3d7b229c8 100644
--- a/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb
+++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb
@@ -13,7 +13,7 @@ inherit meson features_check pkgconfig
REQUIRED_DISTRO_FEATURES = "opengl"
SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "e75b0cb2c7145448416e8696013d8883f675c66c11ed750e06865efec5809155"
+SRC_URI[sha256sum] = "93c9766ae9864eeaeaee2b0a74f22cbca08df42c1a1bdb55b086f2528e380d38"
# Especially helps compiling with clang which enable this as error when
# using c++11
--
2.34.1
* [OE-core][kirkstone 06/15] Revert "xserver-xorg: backport fix for CVE-2023-1393"
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
This reverts commit dc2c777cab0230fc54e078d20d872aaa9287a8b9.
Fixed in subsequent version bump
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...posite-Fix-use-after-free-of-the-COW.patch | 46 -------------------
.../xorg-xserver/xserver-xorg_21.1.7.bb | 3 +-
2 files changed, 1 insertion(+), 48 deletions(-)
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
deleted file mode 100644
index fc426daba5..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Mon, 13 Mar 2023 11:08:47 +0100
-Subject: [PATCH] composite: Fix use-after-free of the COW
-
-ZDI-CAN-19866/CVE-2023-1393
-
-If a client explicitly destroys the compositor overlay window (aka COW),
-we would leave a dangling pointer to that window in the CompScreen
-structure, which will trigger a use-after-free later.
-
-Make sure to clear the CompScreen pointer to the COW when the latter gets
-destroyed explicitly by the client.
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-
-CVE: CVE-2023-1393
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- composite/compwindow.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/composite/compwindow.c b/composite/compwindow.c
-index 4e2494b86..b30da589e 100644
---- a/composite/compwindow.c
-+++ b/composite/compwindow.c
-@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
- ret = (*pScreen->DestroyWindow) (pWin);
- cs->DestroyWindow = pScreen->DestroyWindow;
- pScreen->DestroyWindow = compDestroyWindow;
-+
-+ /* Did we just destroy the overlay window? */
-+ if (pWin == cs->pOverlayWin)
-+ cs->pOverlayWin = NULL;
-+
- /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
- return ret;
- }
---
-2.34.1
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
index f0771cc86e..212c7d39c2 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,8 +1,7 @@
require xserver-xorg.inc
SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
- file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
- file://0001-composite-Fix-use-after-free-of-the-COW.patch \
+ file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
"
SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
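Review bot: Removing "file://0001-composite-Fix-use-after-free-of-the-COW.patch" from SRC_URI while the recipe is still xserver-xorg_21.1.7.bb leaves this commit building 21.1.7 without the CVE-2023-1393 fix; the fix only comes back with the 21.1.8 upgrade in 07/15. Anyone who bisects to this commit, or cherry-picks it without the next one, gets the use-after-free back and has no "CVE:" tagged patch for cve-check to find. Consider squashing the revert into the version bump, or at least naming the 21.1.8 upgrade commit in the message so the two are always applied together.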
--
2.34.1
* [OE-core][kirkstone 07/15] xserver-xorg: upgrade 21.1.7 -> 21.1.8
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
This release contains the fix for CVE-2023-1393 in today's security
advisory: https://lists.x.org/archives/xorg-announce/2023-March/003374.html
Benno Schulenberg (1):
xkbUtils: use existing symbol names instead of deleted deprecated ones
Olivier Fourdan (2):
composite: Fix use-after-free of the COW
xserver 21.1.8
git tag: xorg-server-21.1.8
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7b08dff8f46bcaa05f7fbffbe27d524579af4faf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../{xserver-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} (92%)
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
similarity index 92%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 212c7d39c2..19db7ea434 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -3,7 +3,7 @@ require xserver-xorg.inc
SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
"
-SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
+SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
# These extensions are now integrated into the server, so declare the migration
# path for in-place upgrades.
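Review bot: The only functional change is the new `SRC_URI[sha256sum]`, and neither the patch nor the message says where the value was taken from. For a release that carries a security fix, note in the commit message that the checksum was verified against the 21.1.8 tarball announced upstream, so reviewers do not have to take the hash on trust.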
--
2.34.1
* [OE-core][kirkstone 08/15] linux-firmware: upgrade 20230210 -> 20230404
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 07/15] xserver-xorg: upgrade 21.1.7 -> 21.1.8 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 09/15] kernel-devsrc: depend on python3-core instead of python3 Steve Sakoman
` (6 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
The LICENCE.qat_firmware license file was updated to reflect Intel
licensing (it removed a term regarding patent licenses).
License-Update: additional files
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit fd43b59ab32e2115fcda7ad63d3a5ccc2683c7d5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...inux-firmware_20230210.bb => linux-firmware_20230404.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
index bf5d4f54e6..7412c022ba 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
@@ -108,7 +108,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \
file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \
file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \
- file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
+ file://LICENCE.qat_firmware;md5=72de83dfd9b87be7685ed099a39fbea4 \
file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \
file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \
file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \
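Review bot: `License-Update: additional files` describes at most the WHENCE checksum change; this hunk changes the md5 of the existing `LICENCE.qat_firmware` entry because its text changed. The commit message body already gives the reason (a term regarding patent licenses was removed), and the License-Update line should record that as well.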
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
"
# WHENCE checksum is defined separately to ease overriding it if
# class-devupstream is selected.
-WHENCE_CHKSUM = "aadb3cccbde1e53fc244a409e9bd5a22"
+WHENCE_CHKSUM = "0782deea054d4b1b7f10c92c3a245da4"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
# Pin this to the 20220509 release, override this in local.conf
SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "6e3d9e8d52cffc4ec0dbe8533a8445328e0524a20f159a5b61c2706f983ce38a"
+SRC_URI[sha256sum] = "c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607"
inherit allarch
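Review bot: The context lines above the new checksum still read `# Pin this to the 20220509 release` with `SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"`, and this upgrade to 20230404 leaves both untouched. Anyone selecting class-devupstream then builds a revision older than the release recipe, and since WHENCE_CHKSUM was just updated for 20230404, the licence checksum may no longer match that pinned revision unless it is overridden. Either move the pin and its comment forward with the release or state why it stays at 20220509.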
--
2.34.1
* [OE-core][kirkstone 09/15] kernel-devsrc: depend on python3-core instead of python3
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 08/15] linux-firmware: upgrade 20230210 -> 20230404 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 10/15] libarchive: Enable acls, xattr for native as well as target Steve Sakoman
` (5 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: "bkylerussell@gmail.com" <bkylerussell@gmail.com>
Avoids pulling in potential GPLv3 packages through python3-misc catch-all.
python3-core is the intended minimal RDEPENDS for packages requiring python3
support. Other python3 module dependencies should be listed explicitly.
Signed-off-by: Kyle Russell <bkylerussell@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 231f93becad619f6afa383f9b1132f1d4b02fa64)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/linux/kernel-devsrc.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index f8f717199c..ed9746f837 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -334,7 +334,7 @@ do_install[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
FILES:${PN} = "${KERNEL_BUILD_ROOT} ${KERNEL_SRC_PATH}"
FILES:${PN}-dbg += "${KERNEL_BUILD_ROOT}*/build/scripts/*/.debug/*"
-RDEPENDS:${PN} = "bc python3 flex bison ${TCLIBC}-utils"
+RDEPENDS:${PN} = "bc python3-core flex bison ${TCLIBC}-utils"
# 4.15+ needs these next two RDEPENDS
RDEPENDS:${PN} += "openssl-dev util-linux"
# and x86 needs a bit more for 4.15+
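Review bot: Narrowing `python3` to `python3-core` in `RDEPENDS:${PN}` is only safe if the kernel scripts shipped in this package import nothing outside python3-core, and the patch does not show that this was checked. The commit message itself says other python3 module dependencies should be listed explicitly, yet none are added here; please state which scripts were exercised on target, or add the specific python3 module packages they need.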
--
2.34.1
* [OE-core][kirkstone 10/15] libarchive: Enable acls, xattr for native as well as target
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (8 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 09/15] kernel-devsrc: depend on python3-core instead of python3 Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 11/15] populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override Steve Sakoman
` (4 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Piotr Łobacz <p.lobacz@welotec.com>
Libarchive is being used by OPKG package manager as default
API for extracting tar files. This fix allows us to extract
ipks packages with preserved ACLs and xattrs.
Partially addresses [YOCTO #15091]
[RP: Merge into main PACKAGECONFIG and tweak commit message]
Signed-off-by: Piotr Łobacz <p.lobacz@welotec.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 913aad1ac013368aef8f6af332588ef24bba46bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index acc84de9da..ffcc103112 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -7,11 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d499814247adaee08d88080841cb5665"
DEPENDS = "e2fsprogs-native"
-PACKAGECONFIG ?= "zlib bz2 xz lzo zstd"
-
-PACKAGECONFIG:append:class-target = "\
- ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)} \
-"
+PACKAGECONFIG ?= "zlib bz2 xz lzo zstd ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)}"
DEPENDS_BZIP2 = "bzip2-replacement-native"
DEPENDS_BZIP2:class-target = "bzip2"
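Review bot: Folding the `bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)` result into the default PACKAGECONFIG makes the native build follow DISTRO_FEATURES as well, but the hunk leaves `DEPENDS = "e2fsprogs-native"` as the only visible dependency. Confirm that the acl and xattr PACKAGECONFIG entries pull in dependencies that exist for the native class, and mention in the commit message that toggling these distro features now also changes the native libarchive build.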
--
2.34.1
* [OE-core][kirkstone 11/15] populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (9 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 10/15] libarchive: Enable acls, xattr for native as well as target Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 12/15] libpam: Fix the xtests/tst-pam_motd[1|3] failures Steve Sakoman
` (3 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <Martin.Jansa@gmail.com>
* otherwise it ends '<unknown>' inside esdk, because of parsing order:
# $METADATA_REVISION [3 operations]
# set /OE/build/test-D/conf/local.conf:43
# "f2da54ef432eac89b0f18eaad68e602b6990b5de"
# immediate /OE/build/test-D/layers/poky/meta/classes/metadata_scm.bbclass:9
# "${@oe.buildcfg.detect_revision(d)}"
# set /OE/build/test-D/layers/poky/meta/classes/metadata_scm.bbclass:10
# [vardepvalue] "${METADATA_REVISION}"
# pre-expansion value:
# "<unknown>"
METADATA_REVISION="<unknown>"
* This causes base-files.do_install and following tasks to have different
signatures between esdk and the build directory where this esdk was created:
bitbake-diffsigs {test-D,poky/build-uninative-disabled}/tmp/stamps/qemux86_64-poky-linux/base-files/*do_install*sigdata*
NOTE: Starting bitbake server...
basehash changed from 5b6981cf58bfd57d416b0e31611b73a26baae635dd1ac31c08d46f95064c3ffc to dbdce042da4d7813d632b6d1cc87a16f728ad20e55fecbc392830e6acf72babd
Variable METADATA_REVISION value changed from '<unknown>' to 'f2da54ef432eac89b0f18eaad68e602b6990b5de'
and a warning from "python3 /OE/build/test-D/ext-sdk-prepare.py" when eSDK is being prepared for use:
WARNING: The base-files:do_install sig is computed to be 83b9c9a6ef1145baac5a1e0d08814b9156af239c58fc42df95c25a9cd8a7f201,
but the sig is locked to 3dc22233059075978e5503691e98e79e7cc60db94259dfcd886bca2291c0add7 in SIGGEN_LOCKEDSIGS_t-qemux86-64
[RP: Add commit about why we need the override for future reference]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 675ea7281c17f77bf5dea17cfd4d9da0928382a0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/populate_sdk_ext.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index a673af7e7b..ca1b7753cb 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -363,7 +363,8 @@ python copy_buildsystem () {
f.write('BUILDCFG_HEADER = ""\n\n')
# Write METADATA_REVISION
- f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION'))
+ # Needs distro override so it can override the value set in the bbclass code (later than local.conf)
+ f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION')))
f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
f.write('WITHIN_EXT_SDK = "1"\n\n')
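Review bot: `d.getVar('DISTRO')` on the new f.write line is used unchecked as an override name. If DISTRO is unset or empty (13/15 in this series handles exactly that case for oe-selftest), the generated line becomes `METADATA_REVISION:None = "..."` or `METADATA_REVISION: = "..."`, which will not act as the intended override. Fall back to the plain `METADATA_REVISION = "..."` assignment when DISTRO has no value.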
--
2.34.1
* [OE-core][kirkstone 12/15] libpam: Fix the xtests/tst-pam_motd[1|3] failures
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (10 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 11/15] populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 13/15] oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set Steve Sakoman
` (2 subsequent siblings)
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Reproducer:
1. Enable the ptest of libpam and build the image.
2. Boot the rootfs with nfs, then run the following tests as root:
cd /usr/share/Linux-PAM/xtests
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd1
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd3
After applying this patch, the ptest no longer fails.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 549e54ad6a175359b0a57987ccdab8989df9d3a9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...rely-on-all-filesystems-providing-a-.patch | 108 ++++++++++++++++++
meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
2 files changed, 109 insertions(+)
create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
new file mode 100644
index 0000000000..94dcb04f0a
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
@@ -0,0 +1,108 @@
+From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
+From: Per Jessen <per@jessen.ch>
+Date: Fri, 22 Apr 2022 18:15:36 +0200
+Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
+
+When using scandir() to look for MOTD files to display, we wrongly
+relied on all filesystems providing a filetype. This is a fix to divert
+to lstat() when we have no filetype. To maintain MT safety, it isn't
+possible to use lstat() in the scandir() filter function, so all of the
+filtering has been moved to an additional loop after scanning all the
+motd dirs.
+Also, remove superfluous alphasort from scandir(), we are doing
+a qsort() later.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/455
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
+
+Signed-off-by: Per Jessen <per@jessen.ch>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
+index 6ac8cba2..5ca486e4 100644
+--- a/modules/pam_motd/pam_motd.c
++++ b/modules/pam_motd/pam_motd.c
+@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b)
+ }
+ }
+
+-static int filter_dirents(const struct dirent *d)
+-{
+- return (d->d_type == DT_REG || d->d_type == DT_LNK);
+-}
+-
+ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
+ {
+@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+
+ for (i = 0; i < num_motd_dirs; i++) {
+ int rv;
+- rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
+- filter_dirents, alphasort);
++ rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
+ if (rv < 0) {
+ if (errno != ENOENT || report_missing) {
+ pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
+@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ if (dirscans_size_total == 0)
+ goto out;
+
++ /* filter out unwanted names, directories, and complement data with lstat() */
++ for (i = 0; i < num_motd_dirs; i++) {
++ struct dirent **d = dirscans[i];
++ for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
++ int rc;
++ char *fullpath;
++ struct stat s;
++
++ switch(d[j]->d_type) { /* the filetype determines how to proceed */
++ case DT_REG: /* regular files and */
++ case DT_LNK: /* symlinks */
++ continue; /* are good. */
++ case DT_UNKNOWN: /* for file systems that do not provide */
++ /* a filetype, we use lstat() */
++ if (join_dir_strings(&fullpath, motd_dir_path_split[i],
++ d[j]->d_name) <= 0)
++ break;
++ rc = lstat(fullpath, &s);
++ _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */
++ if (rc != 0) /* if the lstat() somehow failed */
++ break;
++
++ if (S_ISREG(s.st_mode) || /* regular files and */
++ S_ISLNK(s.st_mode)) continue; /* symlinks are good */
++ break;
++ case DT_DIR: /* We don't want directories */
++ default: /* nor anything else */
++ break;
++ }
++ _pam_drop(d[j]); /* free memory */
++ d[j] = NULL; /* indicate this one was dropped */
++ dirscans_size_total--;
++ }
++ }
++
+ /* Allocate space for all file names found in the directories, including duplicates. */
+ if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
+ pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
+@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ unsigned int j;
+
+ for (j = 0; j < dirscans_sizes[i]; j++) {
+- dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
+- i_dirnames++;
++ if (NULL != dirscans[i][j]) {
++ dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
++ i_dirnames++;
++ }
+ }
+ }
+
+--
+2.39.0
+
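Review bot: In the embedded pam_motd.c change, the `if (dirscans_size_total == 0) goto out;` check sits before the new filter loop, while the loop does `dirscans_size_total--` for every dropped entry. If every scanned entry is dropped (scandir() is now called without a filter, so directories are among the entries), the following `calloc(dirscans_size_total, sizeof(*dirnames_all))` is called with a count of 0, and a C library that returns NULL for that will be logged as "failed to allocate dirname array". As this is a backport it is right to carry it unmodified, but please check whether upstream has a follow-up that repeats the zero check after the loop and backport that with it.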
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index dabd3256c8..0799102f8e 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
file://run-ptest \
file://pam-volatiles.conf \
file://CVE-2022-28321-0002.patch \
+ file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
"
SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
--
2.34.1
* [OE-core][kirkstone 13/15] oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (11 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 12/15] libpam: Fix the xtests/tst-pam_motd[1|3] failures Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 14/15] kernel: improve initramfs bundle processing time Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 15/15] update-alternatives.bbclass: fix old override syntax Steve Sakoman
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Thomas Roos <throos@amazon.de>
This will use default values when no distribution is set.
[YOCTO #15086]
Signed-off-by: Thomas Roos <throos@amazon.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 888fe63b46efceeff08dbe8c4f66fec33d06cb7a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/utils/metadata.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/lib/oeqa/utils/metadata.py b/meta/lib/oeqa/utils/metadata.py
index 8013aa684d..15ec190c4a 100644
--- a/meta/lib/oeqa/utils/metadata.py
+++ b/meta/lib/oeqa/utils/metadata.py
@@ -27,9 +27,9 @@ def metadata_from_bb():
data_dict = get_bb_vars()
# Distro information
- info_dict['distro'] = {'id': data_dict['DISTRO'],
- 'version_id': data_dict['DISTRO_VERSION'],
- 'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])}
+ info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'),
+ 'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'),
+ 'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))}
# Host distro information
os_release = get_os_release()
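Review bot: `data_dict.get('DISTRO', 'NODISTRO')` only substitutes the default when the key is absent; if get_bb_vars() returns the key with a None or empty value for an unset variable, 'id' stays None and pretty_name becomes "None None". Which of the two get_bb_vars() does is not visible in this hunk, so `data_dict.get('DISTRO') or 'NODISTRO'` would be the safer form. Both lookups are also repeated inside pretty_name; assigning them to locals once would keep the three fields consistent.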
--
2.34.1
* [OE-core][kirkstone 14/15] kernel: improve initramfs bundle processing time
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (12 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 13/15] oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 15/15] update-alternatives.bbclass: fix old override syntax Steve Sakoman
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
This is a partial fix for bugzilla 15059 [https://bugzilla.yoctoproject.org/show_bug.cgi?id=15059]
It has been noted by several people that when an initramfs is bundled:
- a lot of the kernel is rebuilt
- it takes a really long time
When looking at the logs, the second kernel compilation (that performs
the bundle) is not using the parallel make settings, and builds with
-j1.
We are already explicitly passing PARALLEL_MAKE when building kernel
modules, and by extending that explicit use to the main kernel
compilation, we ensure that we always get a parallel build.
Build times changed from more than 30 minutes for the bundle, to
3 minutes in local testing.
The question of whether or not too much is rebuilding during the
bundle step is still an open question, but with this tweak, at least
the build time is back in the realm of acceptable.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 88fd394ecf0f2174b792075d409d87046896426b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index b315737fd2..d45fa25c32 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -377,7 +377,7 @@ kernel_do_compile() {
use_alternate_initrd=CONFIG_INITRAMFS_SOURCE=${B}/usr/${INITRAMFS_IMAGE_NAME}.cpio
fi
for typeformake in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
- oe_runmake ${typeformake} ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
+ oe_runmake ${PARALLEL_MAKE} ${typeformake} ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
done
}
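Review bot: The new `oe_runmake ${PARALLEL_MAKE} ${typeformake} ...` line has no comment saying why the flag is passed explicitly here, although the commit message has the reason (the bundle rebuild ran with -j1). A one-line comment above the loop would stop a later cleanup from removing it as redundant.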
--
2.34.1
* [OE-core][kirkstone 15/15] update-alternatives.bbclass: fix old override syntax
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (13 preceding siblings ...)
2023-05-09 22:32 ` [OE-core][kirkstone 14/15] kernel: improve initramfs bundle processing time Steve Sakoman
@ 2023-05-09 22:32 ` Steve Sakoman
14 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
To: openembedded-core
From: Peter Bergin <peter.bergin@windriver.com>
Function 'gen_updatealternativesvardeps' still used old override
syntax when fetching variable flags. Update to use ':' instead to match
recipe meta data. This was found by review and no real issue encountered
but it is a bug that affects variable dependencies and can affect rebuilds
as task hashes might not be accurate.
Signed-off-by: Peter Bergin <peter.bergin@windriver.com>
Signed-off-by: Peter Bergin <peter@berginkonsult.se>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5691f554b2cd50f256a8cbb1d96781e9eb6b930e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/update-alternatives.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/update-alternatives.bbclass b/meta/classes/update-alternatives.bbclass
index 7581a70439..2804299fc4 100644
--- a/meta/classes/update-alternatives.bbclass
+++ b/meta/classes/update-alternatives.bbclass
@@ -80,10 +80,10 @@ def gen_updatealternativesvardeps(d):
for p in pkgs:
for v in vars:
- for flag in sorted((d.getVarFlags("%s_%s" % (v,p)) or {}).keys()):
+ for flag in sorted((d.getVarFlags("%s:%s" % (v,p)) or {}).keys()):
if flag == "doc" or flag == "vardeps" or flag == "vardepsexp":
continue
- d.appendVar('%s_VARDEPS_%s' % (v,p), ' %s:%s' % (flag, d.getVarFlag('%s_%s' % (v,p), flag, False)))
+ d.appendVar('%s_VARDEPS_%s' % (v,p), ' %s:%s' % (flag, d.getVarFlag('%s:%s' % (v,p), flag, False)))
def ua_extend_depends(d):
if not 'virtual/update-alternatives' in d.getVar('PROVIDES'):
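Review bot: Both the getVarFlags and getVarFlag lookups now use `'%s:%s' % (v,p)`, but the appendVar target on the same line is still `'%s_VARDEPS_%s' % (v,p)`. If that name is an internal helper variable the underscore is fine, but the commit message should say so, because it reads like one more old-style override that was missed. Since the message notes the bug was found by review only, a selftest that checks the task hash changes when one of these variable flags changes would keep it from regressing.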
--
2.34.1
* Re: [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream
2023-05-09 22:32 ` [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream Steve Sakoman
@ 2023-05-10 15:32 ` Yoann Congal
2023-05-10 16:21 ` Steve Sakoman
2023-05-11 21:17 ` akuster808
1 sibling, 1 reply; 29+ messages in thread
From: Yoann Congal @ 2023-05-10 15:32 UTC (permalink / raw)
To: openembedded-core
Hi Steve!
On 5/10/23 00:32, Steve Sakoman wrote:
> From: Yoann Congal <yoann.congal@smile.fr>
>
> Exclude CVEs that are fixed in both current linux-yocto version
> v5.10.175 and v5.15.108.
>
> To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
>
> [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++++
> meta/recipes-kernel/linux/linux-yocto.inc | 3 +
> 2 files changed, 878 insertions(+)
> create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
>
> diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
> new file mode 100644
> index 0000000000..7fd362881a
> --- /dev/null
> +++ b/meta/recipes-kernel/linux/cve-exclusion.inc
> @@ -0,0 +1,875 @@
> +# Kernel CVE exclusion file
> +
.../...
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
> +# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
> +# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
> +# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
> +# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
> +CVE_CHECK_IGNORE += "CVE-2022-2503"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
> +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
> +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
> +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
> +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
> +CVE_CHECK_IGNORE += "CVE-2022-26365"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
> +# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
> +# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
> +# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
> +# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
> +# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
> +CVE_CHECK_IGNORE += "CVE-2022-2663"
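Review bot: Every `CVE_CHECK_IGNORE +=` line in cve-exclusion.inc is unconditional, while the justification (the stable version that carries each backport) lives only in the comments above it. A recipe that picks this file up with a kernel older than the listed backport version would have the CVE ignored without any signal. State in the file header which versions the list assumes (the commit message gives v5.10.175 and v5.15.108), or guard the inclusion on the kernel version being built.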
I just noticed that the list is not sorted :(
I'll send a V2 sorted (This will make the next iterations cleaner)
--
Yoann Congal
Smile ECS - Tech Expert
* Re: [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream
2023-05-10 15:32 ` Yoann Congal
@ 2023-05-10 16:21 ` Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-05-10 16:21 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core
On Wed, May 10, 2023 at 5:32 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> Hi Steve!
>
> On 5/10/23 00:32, Steve Sakoman wrote:
> > From: Yoann Congal <yoann.congal@smile.fr>
> >
> > Exclude CVEs that are fixed in both current linux-yocto version
> > v5.10.175 and v5.15.108.
> >
> > To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
> >
> > [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
> >
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> > meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++++
> > meta/recipes-kernel/linux/linux-yocto.inc | 3 +
> > 2 files changed, 878 insertions(+)
> > create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
> >
> > diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
> > new file mode 100644
> > index 0000000000..7fd362881a
> > --- /dev/null
> > +++ b/meta/recipes-kernel/linux/cve-exclusion.inc
> > @@ -0,0 +1,875 @@
> > +# Kernel CVE exclusion file
> > +
>
> .../...
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
> > +# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
> > +# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
> > +# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
> > +# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
> > +CVE_CHECK_IGNORE += "CVE-2022-2503"
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
> > +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
> > +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
> > +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
> > +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
> > +CVE_CHECK_IGNORE += "CVE-2022-26365"
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
> > +# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
> > +# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
> > +# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
> > +# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
> > +# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
> > +CVE_CHECK_IGNORE += "CVE-2022-2663"
>
> I just noticed that the list is not sorted :(
>
> I'll send a V2 sorted (This will make the next iterations cleaner)
I'm just about to finalize the patchset for the upcoming 4.0.10
release, so I'll need to get the v2 today if you want it in the
release!
Thanks for doing this!
Steve
* Re: [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream
2023-05-09 22:32 ` [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream Steve Sakoman
2023-05-10 15:32 ` Yoann Congal
@ 2023-05-11 21:17 ` akuster808
2023-05-19 15:02 ` Marta Rybczynska
1 sibling, 1 reply; 29+ messages in thread
From: akuster808 @ 2023-05-11 21:17 UTC (permalink / raw)
To: Steve Sakoman, openembedded-core
On 5/9/23 6:32 PM, Steve Sakoman wrote:
> From: Yoann Congal <yoann.congal@smile.fr>
>
> Exclude CVEs that are fixed in both current linux-yocto version
> v5.10.175 and v5.15.108.
>
> To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
>
> [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
Just a cautionary note: If anyone is including linux-yocto.inc in their
custom kernel recipes based on the same kernel version but have not
updated past the dot release Yocto has, you won't know you are missing fixes.
I don't know how we advise the proper use of linux-yocto.inc?
- Armin
>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++++
> meta/recipes-kernel/linux/linux-yocto.inc | 3 +
> 2 files changed, 878 insertions(+)
> create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
>
> diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
> new file mode 100644
> index 0000000000..7fd362881a
> --- /dev/null
> +++ b/meta/recipes-kernel/linux/cve-exclusion.inc
> @@ -0,0 +1,875 @@
> +# Kernel CVE exclusion file
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
> +# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
> +# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
> +# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
> +CVE_CHECK_IGNORE += "CVE-2021-3759"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-4135
> +# Patched in kernel since v5.16 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46
> +# Backported in version v5.4.168 699e794c12a3cd79045ff135bc87a53b97024e43
> +# Backported in version v5.10.88 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8
> +# Backported in version v5.15.11 27358aa81a7d60e6bd36f0bb1db65cd084c2cad0
> +CVE_CHECK_IGNORE += "CVE-2021-4135"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-4155
> +# Patched in kernel since v5.16 983d8e60f50806f90534cc5373d0ce867e5aaf79
> +# Backported in version v5.4.171 102af6edfd3a372db6e229177762a91f552e5f5e
> +# Backported in version v5.10.91 16d8568378f9ee2d1e69216d39961aa72710209f
> +# Backported in version v5.15.14 b0e72ba9e520b95346e68800afff0db65e766ca8
> +CVE_CHECK_IGNORE += "CVE-2021-4155"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-0168
> +# Patched in kernel since v5.18 b92e358757b91c2827af112cae9af513f26a3f34
> +# Backported in version v5.10.110 9963ccea6087268e1275b992dca5d0dd4b938765
> +# Backported in version v5.15.33 f143f8334fb9eb2f6c7c15b9da1472d9c965fd84
> +CVE_CHECK_IGNORE += "CVE-2022-0168"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-0171
> +# Patched in kernel since v5.18 683412ccf61294d727ead4a73d97397396e69a6b
> +# Backported in version v5.10.146 a60babeb60ff276963d4756c7fd2e7bf242bb777
> +# Backported in version v5.15.70 39b0235284c7aa33a64e07b825add7a2c108094a
> +CVE_CHECK_IGNORE += "CVE-2022-0171"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1016
> +# Patched in kernel since v5.18 4c905f6740a365464e91467aa50916555b28213d
> +# Backported in version v5.4.188 06f0ff82c70241a766a811ae1acf07d6e2734dcb
> +# Backported in version v5.10.109 2c74374c2e88c7b7992bf808d9f9391f7452f9d9
> +# Backported in version v5.15.32 fafb904156fbb8f1dd34970cd5223e00b47c33be
> +CVE_CHECK_IGNORE += "CVE-2022-1016"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
> +# Patched in kernel since v6.1 61a1d87a324ad5e3ed27c6699dfc93218fcf3201
> +# Backported in version v5.10.150 483831ad0440f62c10d1707c97ce824bd82d98ae
> +# Backported in version v5.15.75 dd366295d1eca557e7a9000407ec3952f691d27b
> +# Backported in version v5.19.17 edb71f055684f9023fd97e2f85c6f31380d163c1
> +CVE_CHECK_IGNORE += "CVE-2022-1184"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1198
> +# Patched in kernel since v5.17 efe4186e6a1b54bf38b9e05450d43b0da1fd7739
> +# Backported in version v5.4.189 28c8fd84bea13cbf238d7b19d392de2fcc31331c
> +# Backported in version v5.10.110 f67a1400788f550d201c71aeaf56706afe57f0da
> +# Backported in version v5.15.33 3eb18f8a1d02a9462a0e4903efc674ca3d0406d1
> +CVE_CHECK_IGNORE += "CVE-2022-1198"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1199
> +# Patched in kernel since v5.17 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac
> +# Backported in version v5.4.185 0a64aea5fe023cf1e4973676b11f49038b1f045b
> +# Backported in version v5.10.106 e2201ef32f933944ee02e59205adb566bafcdf91
> +# Backported in version v5.15.29 46ad629e58ce3a88c924ff3c5a7e9129b0df5659
> +CVE_CHECK_IGNORE += "CVE-2022-1199"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
> +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
> +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
> +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
> +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
> +CVE_CHECK_IGNORE += "CVE-2022-1462"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1734
> +# Patched in kernel since v5.18 d270453a0d9ec10bb8a802a142fb1b3601a83098
> +# Backported in version v5.4.193 33d3e76fc7a7037f402246c824d750542e2eb37f
> +# Backported in version v5.10.115 1961c5a688edb53fe3bc25cbda57f47adf12563c
> +# Backported in version v5.15.39 b8f2b836e7d0a553b886654e8b3925a85862d2eb
> +CVE_CHECK_IGNORE += "CVE-2022-1734"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1852
> +# Patched in kernel since v5.19 fee060cd52d69c114b62d1a2948ea9648b5131f9
> +# Backported in version v5.10.120 3d8fc6e28f321d753ab727e3c3e740daf36a8fa3
> +# Backported in version v5.15.45 531d1070d864c78283b7597449e60ddc53319d88
> +CVE_CHECK_IGNORE += "CVE-2022-1852"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1882
> +# Patched in kernel since v5.19 353f7988dd8413c47718f7ca79c030b6fb62cfe5
> +# Backported in version v5.10.134 0adf21eec59040b31af113e626efd85eb153c728
> +# Backported in version v5.15.58 ba3a8af8a21a81cfd0c8c689a81261caba934f97
> +CVE_CHECK_IGNORE += "CVE-2022-1882"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1998
> +# Patched in kernel since v5.17 ee12595147ac1fbfb5bcb23837e26dd58d94b15d
> +# Backported in version v5.10.97 7b4741644cf718c422187e74fb07661ef1d68e85
> +# Backported in version v5.15.20 60765e43e40fbf7a1df828116172440510fcc3e4
> +CVE_CHECK_IGNORE += "CVE-2022-1998"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2078
> +# Patched in kernel since v5.19 fecf31ee395b0295f2d7260aa29946b7605f7c85
> +# Backported in version v5.10.120 c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048
> +# Backported in version v5.15.45 89ef50fe03a55feccf5681c237673a2f98161161
> +CVE_CHECK_IGNORE += "CVE-2022-2078"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
> +# Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
> +# Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b
> +# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
> +# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
> +# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
> +CVE_CHECK_IGNORE += "CVE-2022-2196"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2318
> +# Patched in kernel since v5.19 9cc02ede696272c5271a401e4f27c262359bc2f6
> +# Backported in version v5.4.204 bb91556d2af066f8ca2e7fd8e334d652e731ee29
> +# Backported in version v5.10.129 8f74cb27c2b4872fd14bf046201fa7b36a46885e
> +# Backported in version v5.15.53 659d39545260100628d8a30020d09fb6bf63b915
> +CVE_CHECK_IGNORE += "CVE-2022-2318"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2380
> +# Patched in kernel since v5.18 bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8
> +# Backported in version v5.4.189 478154be3a8c21ff106310bb1037b1fc9d81dc62
> +# Backported in version v5.10.110 72af8810922eb143ed4f116db246789ead2d8543
> +# Backported in version v5.15.33 46cdbff26c88fd75dccbf28df1d07cbe18007eac
> +CVE_CHECK_IGNORE += "CVE-2022-2380"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
> +# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
> +# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
> +# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
> +# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
> +CVE_CHECK_IGNORE += "CVE-2022-2503"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
> +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
> +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
> +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
> +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
> +CVE_CHECK_IGNORE += "CVE-2022-26365"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
> +# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
> +# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
> +# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
> +# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
> +# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
> +CVE_CHECK_IGNORE += "CVE-2022-2663"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2873
> +# Patched in kernel since v6.2 39244cc754829bf707dccd12e2ce37510f5b1f8d
> +# Backported in version v5.4.229 cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd
> +# Backported in version v5.10.163 9ac541a0898e8ec187a3fa7024b9701cffae6bf2
> +# Backported in version v5.15.86 96c12fd0ec74641295e1c3c34dea3dce1b6c3422
> +# Backported in version v6.1.2 233348a04becf133283f0076e20b317302de21d9
> +CVE_CHECK_IGNORE += "CVE-2022-2873"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2905
> +# Patched in kernel since v6.0 a657182a5c5150cdfacb6640aad1d2712571a409
> +# Backported in version v5.10.140 e8979807178434db8ceaa84dfcd44363e71e50bb
> +# Backported in version v5.15.64 4f672112f8665102a5842c170be1713f8ff95919
> +# Backported in version v5.19.6 a36df92c7ff7ecde2fb362241d0ab024dddd0597
> +CVE_CHECK_IGNORE += "CVE-2022-2905"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2959
> +# Patched in kernel since v5.19 189b0ddc245139af81198d1a3637cac74f96e13a
> +# Backported in version v5.10.120 8fbd54ab06c955d247c1a91d5d980cddc868f1e7
> +# Backported in version v5.15.45 cf2fbc56c478a34a68ff1fa6ad08460054dfd499
> +CVE_CHECK_IGNORE += "CVE-2022-2959"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3028
> +# Patched in kernel since v6.0 ba953a9d89a00c078b85f4b190bc1dde66fe16b5
> +# Backported in version v5.4.212 8ee27a4f0f1ad36d430221842767880df6494147
> +# Backported in version v5.10.140 c5c4d4c9806dadac7bc82f9c29ef4e1b78894775
> +# Backported in version v5.15.64 103bd319c0fc90f1cb013c3a508615e6df8af823
> +# Backported in version v5.19.6 6901885656c029c976498290b52f67f2c251e6a0
> +CVE_CHECK_IGNORE += "CVE-2022-3028"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3078
> +# Patched in kernel since v5.18 e6a21a14106d9718aa4f8e115b1e474888eeba44
> +# Backported in version v5.10.110 663e7a72871f89f7a10cc8d7b2f17f27c64e071d
> +# Backported in version v5.15.33 9dd2fd7a1f84c947561af29424c5ddcecfcf2cbe
> +CVE_CHECK_IGNORE += "CVE-2022-3078"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3104
> +# Patched in kernel since v5.19 4a9800c81d2f34afb66b4b42e0330ae8298019a2
> +# Backported in version v5.10.122 56ac04f35fc5dc8b5b67a1fa2f7204282aa887d5
> +# Backported in version v5.15.47 1aeeca2b8397e3805c16a4ff26bf3cc8485f9853
> +CVE_CHECK_IGNORE += "CVE-2022-3104"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3105
> +# Patched in kernel since v5.16 7694a7de22c53a312ea98960fcafc6ec62046531
> +# Backported in version v5.4.171 7646a340b25bb68cfb6d2e087a608802346d0f7b
> +# Backported in version v5.10.91 16e5cad6eca1e506c38c39dc256298643fa1852a
> +# Backported in version v5.15.14 0ea8bb0811ba0ec22903cbb48ff2cd872382e8d4
> +CVE_CHECK_IGNORE += "CVE-2022-3105"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3106
> +# Patched in kernel since v5.16 407ecd1bd726f240123f704620d46e285ff30dd9
> +# Backported in version v5.10.88 734a3f3106053ee41cecae2a995b3d4d0c246764
> +# Backported in version v5.15.11 9a77c02d1d2147a76bd187af1bf5a34242662d12
> +CVE_CHECK_IGNORE += "CVE-2022-3106"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3107
> +# Patched in kernel since v5.17 886e44c9298a6b428ae046e2fa092ca52e822e6a
> +# Backported in version v5.4.187 b01e2df5fbf68719dfb8e766c1ca6089234144c2
> +# Backported in version v5.10.108 9b763ceda6f8963cc99df5772540c54ba46ba37c
> +# Backported in version v5.15.31 ab0ab176183191cffc69fe9dd8ac6c8db23f60d3
> +CVE_CHECK_IGNORE += "CVE-2022-3107"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3111
> +# Patched in kernel since v5.18 6dee930f6f6776d1e5a7edf542c6863b47d9f078
> +# Backported in version v5.4.189 90bec38f6a4c81814775c7f3dfc9acf281d5dcfa
> +# Backported in version v5.10.110 48d23ef90116c8c702bfa4cad93744e4e5588d7d
> +# Backported in version v5.15.33 4124966fbd95eeecca26d52433f393e2b9649a33
> +CVE_CHECK_IGNORE += "CVE-2022-3111"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3112
> +# Patched in kernel since v5.18 c8c80c996182239ff9b05eda4db50184cf3b2e99
> +# Backported in version v5.10.110 032b141a91a82a5f0107ce664a35b201e60c5ce1
> +# Backported in version v5.15.33 b0b890dd8df3b9a2fe726826980b1cffe17b9679
> +CVE_CHECK_IGNORE += "CVE-2022-3112"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3113
> +# Patched in kernel since v5.18 e25a89f743b18c029bfbe5e1663ae0c7190912b0
> +# Backported in version v5.10.110 bc2573abc691a269b54a6c14a2660f26d88876a5
> +# Backported in version v5.15.33 0022dc8cafa5fcd156da8ae7bfc9ca99497bdffc
> +CVE_CHECK_IGNORE += "CVE-2022-3113"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3115
> +# Patched in kernel since v5.19 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33
> +# Backported in version v5.4.198 fa0d7ba25a53ac2e4bb24ef31aec49ff3578b44f
> +# Backported in version v5.10.121 b4c7dd0037e6aeecad9b947b30f0d9eaeda11762
> +# Backported in version v5.15.46 4cb37f715f601cee5b026c6f9091a466266b5ba5
> +CVE_CHECK_IGNORE += "CVE-2022-3115"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3202
> +# Patched in kernel since v5.18 a53046291020ec41e09181396c1e829287b48d47
> +# Backported in version v5.4.189 e19c3149a80e4fc8df298d6546640e01601f3758
> +# Backported in version v5.10.111 b9c5ac0a15f24d63b20f899072fa6dd8c93af136
> +# Backported in version v5.15.34 d925b7e78b62805fcc5440d1521181c82b6f03cb
> +CVE_CHECK_IGNORE += "CVE-2022-3202"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-32250
> +# Patched in kernel since v5.19 520778042ccca019f3ffa136dd0ca565c486cedd
> +# Backported in version v5.4.198 f36736fbd48491a8d85cd22f4740d542c5a1546e
> +# Backported in version v5.10.120 ea62d169b6e731e0b54abda1d692406f6bc6a696
> +# Backported in version v5.15.45 f692bcffd1f2ce5488d24fbcb8eab5f351abf79d
> +CVE_CHECK_IGNORE += "CVE-2022-32250"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-32296
> +# Patched in kernel since v5.18 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
> +# Backported in version v5.4.201 c26e1addf15763ae404f4bbf131719a724e768ab
> +# Backported in version v5.10.125 9429b75bc271b6f29e50dbb0ee0751800ff87dd9
> +# Backported in version v5.15.41 952a238d779eea4ecb2f8deb5004c8f56be79bc9
> +CVE_CHECK_IGNORE += "CVE-2022-32296"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-32981
> +# Patched in kernel since v5.19 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9
> +# Backported in version v5.4.198 0c4bc0a2f8257f79a70fe02b9a698eb14695a64b
> +# Backported in version v5.10.122 3be74fc0afbeadc2aff8dc69f3bf9716fbe66486
> +# Backported in version v5.15.47 2a0165d278973e30f2282c15c52d91788749d2d4
> +CVE_CHECK_IGNORE += "CVE-2022-32981"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3303
> +# Patched in kernel since v6.0 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
> +# Backported in version v5.4.215 4051324a6dafd7053c74c475e80b3ba10ae672b0
> +# Backported in version v5.10.148 fce793a056c604b41a298317cf704dae255f1b36
> +# Backported in version v5.15.68 8015ef9e8a0ee5cecfd0cb6805834d007ab26f86
> +# Backported in version v5.19.9 723ac5ab2891b6c10dd6cc78ef5456af593490eb
> +CVE_CHECK_IGNORE += "CVE-2022-3303"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
> +# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010
> +# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
> +# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
> +# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
> +CVE_CHECK_IGNORE += "CVE-2022-33740"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
> +# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e
> +# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
> +# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
> +# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
> +CVE_CHECK_IGNORE += "CVE-2022-33741"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
> +# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9
> +# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
> +# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
> +# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
> +CVE_CHECK_IGNORE += "CVE-2022-33742"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33743
> +# Patched in kernel since v5.19 f63c2c2032c2e3caad9add3b82cc6e91c376fd26
> +# Backported in version v5.10.129 547b7c640df545a344358ede93e491a89194cdfa
> +# Backported in version v5.15.53 1052fc2b7391a43b25168ae69ad658fff5170f04
> +CVE_CHECK_IGNORE += "CVE-2022-33743"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33744
> +# Patched in kernel since v5.19 b75cd218274e01d026dc5240e86fdeb44bbed0c8
> +# Backported in version v5.4.204 5c03cad51b84fb26ccea7fd99130d8ec47949cfc
> +# Backported in version v5.10.129 43c8d33ce353091f15312cb6de3531517d7bba90
> +# Backported in version v5.15.53 9f83c8f6ab14bbf4311b70bf1b7290d131059101
> +CVE_CHECK_IGNORE += "CVE-2022-33744"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33981
> +# Patched in kernel since v5.18 233087ca063686964a53c829d547c7571e3f67bf
> +# Backported in version v5.4.192 7dea5913000c6a2974a00d9af8e7ffb54e47eac1
> +# Backported in version v5.10.114 54c028cfc49624bfc27a571b94edecc79bbaaab4
> +# Backported in version v5.15.37 e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3
> +CVE_CHECK_IGNORE += "CVE-2022-33981"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
> +# Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
> +# Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977
> +# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
> +# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
> +# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
> +CVE_CHECK_IGNORE += "CVE-2022-3424"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
> +# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883
> +# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
> +# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
> +# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
> +CVE_CHECK_IGNORE += "CVE-2022-3435"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-34918
> +# Patched in kernel since v5.19 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6
> +# Backported in version v5.10.130 0a5e36dbcb448a7a8ba63d1d4b6ade2c9d3cc8bf
> +# Backported in version v5.15.54 c1784d2075138992b00c17ab4ffc6d855171fe6d
> +CVE_CHECK_IGNORE += "CVE-2022-34918"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3521
> +# Patched in kernel since v6.1 ec7eede369fe5b0d085ac51fdbb95184f87bfc6c
> +# Backported in version v5.4.225 ad39d09190a545d0f05ae0a82900eee96c5facea
> +# Backported in version v5.10.156 7deb7a9d33e4941c5ff190108146d3a56bf69e9d
> +# Backported in version v5.15.80 27d706b0d394a907ff8c4f83ffef9d3e5817fa84
> +CVE_CHECK_IGNORE += "CVE-2022-3521"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3545
> +# Patched in kernel since v6.0 02e1a114fdb71e59ee6770294166c30d437bf86a
> +# Backported in version v5.4.228 3c837460f920a63165961d2b88b425703f59affb
> +# Backported in version v5.10.160 eb6313c12955c58c3d3d40f086c22e44ca1c9a1b
> +# Backported in version v5.15.84 9d933af8fef33c32799b9f2d3ff6bf58a63d7f24
> +CVE_CHECK_IGNORE += "CVE-2022-3545"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
> +# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
> +# Backported in version v5.4.224 4cd094fd5d872862ca278e15b9b51b07e915ef3f
> +# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
> +# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
> +CVE_CHECK_IGNORE += "CVE-2022-3564"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3586
> +# Patched in kernel since v6.0 9efd23297cca530bb35e1848665805d3fcdd7889
> +# Backported in version v5.4.213 279c7668e354fa151d5fd2e8c42b5153a1de3135
> +# Backported in version v5.10.143 2ee85ac1b29dbd2ebd2d8e5ac1dd5793235d516b
> +# Backported in version v5.15.68 1a889da60afc017050e1f517b3b976b462846668
> +# Backported in version v5.19.9 8f796f36f5ba839c11eb4685150ebeed496c546f
> +CVE_CHECK_IGNORE += "CVE-2022-3586"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3594
> +# Patched in kernel since v6.1 93e2be344a7db169b7119de21ac1bf253b8c6907
> +# Backported in version v5.4.220 61fd56b0a1a3e923aced4455071177778dd59e88
> +# Backported in version v5.10.150 484400d433ca1903a87268c55f019e932297538a
> +# Backported in version v5.15.75 b3179865cf7e892b26eedab3d6c54b4747c774a2
> +# Backported in version v5.19.17 2e896abccf99fef76691d8e1019bd44105a12e1f
> +CVE_CHECK_IGNORE += "CVE-2022-3594"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-36123
> +# Patched in kernel since v5.19 38fa5479b41376dc9d7f57e71c83514285a25ca0
> +# Backported in version v5.4.207 a3c7c1a726a4c6b63b85e8c183f207543fd75e1b
> +# Backported in version v5.10.132 136d7987fcfdeca73ee3c6a29e48f99fdd0f4d87
> +# Backported in version v5.15.56 26bb7afc027ce6ac8ab6747babec674d55689ff0
> +CVE_CHECK_IGNORE += "CVE-2022-36123"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
> +# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856
> +# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c
> +# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
> +# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
> +# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
> +CVE_CHECK_IGNORE += "CVE-2022-3621"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
> +# Patched in kernel since v6.1 fac35ba763ed07ba93154c95ffc0c4a55023707f
> +# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c
> +# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
> +# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
> +# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
> +CVE_CHECK_IGNORE += "CVE-2022-3623"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
> +# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d
> +# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d
> +# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
> +# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
> +# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
> +CVE_CHECK_IGNORE += "CVE-2022-3629"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
> +# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6
> +# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93
> +# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
> +# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
> +# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
> +CVE_CHECK_IGNORE += "CVE-2022-3633"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
> +# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b
> +# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253
> +# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
> +# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
> +# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
> +CVE_CHECK_IGNORE += "CVE-2022-3635"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
> +# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306
> +# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393
> +# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
> +# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
> +# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
> +CVE_CHECK_IGNORE += "CVE-2022-3646"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
> +# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09
> +# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926
> +# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
> +# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
> +# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
> +CVE_CHECK_IGNORE += "CVE-2022-3649"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-36879
> +# Patched in kernel since v5.19 f85daf0e725358be78dfd208dea5fd665d8cb901
> +# Backported in version v5.4.208 f4248bdb7d5c1150a2a6f8c3d3b6da0b71f62a20
> +# Backported in version v5.10.134 47b696dd654450cdec3103a833e5bf29c4b83bfa
> +# Backported in version v5.15.58 c8e32bca0676ac663266a3b16562cb017300adcd
> +CVE_CHECK_IGNORE += "CVE-2022-36879"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-36946
> +# Patched in kernel since v5.19 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164
> +# Backported in version v5.4.209 52be29e8b6455788a4d0f501bd87aa679ca3ba3c
> +# Backported in version v5.10.135 440dccd80f627e0e11ceb0429e4cdab61857d17e
> +# Backported in version v5.15.59 91c11008aab0282957b8b8ccb0707d90e74cc3b9
> +CVE_CHECK_IGNORE += "CVE-2022-36946"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3707
> +# Patched in kernel since v6.2 4a61648af68f5ba4884f0e3b494ee1cabc4b6620
> +# Backported in version v5.4.233 787ef0db014085df8691e5aeb58ab0bb081e5ff0
> +# Backported in version v5.10.170 3d743415c6fb092167df6c23e9c7e9f6df7db625
> +# Backported in version v5.15.96 0d3d5099a50badadad6837edda00e42149b2f657
> +# Backported in version v6.1.5 1022519da69d99d455c58ca181a6c499c562c70e
> +CVE_CHECK_IGNORE += "CVE-2022-3707"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-39188
> +# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15
> +# Backported in version v5.4.212 c9c5501e815132530d741ec9fdd22657f91656bc
> +# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d
> +# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e
> +CVE_CHECK_IGNORE += "CVE-2022-39188"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-39190
> +# Patched in kernel since v6.0 e02f0d3970404bfea385b6edb86f2d936db0ea2b
> +# Backported in version v5.10.140 c08a104a8bce832f6e7a4e8d9ac091777b9982ea
> +# Backported in version v5.15.64 51f192ae71c3431aa69a988449ee2fd288e57648
> +# Backported in version v5.19.6 fdca693fcf26c11596e7aa1e540af2b4a5288c76
> +CVE_CHECK_IGNORE += "CVE-2022-39190"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-39842
> +# Patched in kernel since v5.19 a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
> +# Backported in version v5.4.215 1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9
> +# Backported in version v5.10.145 06e194e1130c98f82d46beb40cdbc88a0d4fd6de
> +# Backported in version v5.15.70 ab5140c6ddd7473509e12f468948de91138b124e
> +CVE_CHECK_IGNORE += "CVE-2022-39842"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-40307
> +# Patched in kernel since v6.0 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95
> +# Backported in version v5.4.213 8028ff4cdbb3f20d3c1c04be33a83bab0cb94997
> +# Backported in version v5.10.143 918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6
> +# Backported in version v5.15.68 dd291e070be0eca8807476b022bda00c891d9066
> +# Backported in version v5.19.9 d46815a8f26ca6db2336106a148265239f73b0af
> +CVE_CHECK_IGNORE += "CVE-2022-40307"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-40768
> +# Patched in kernel since v6.1 6022f210461fef67e6e676fd8544ca02d1bcfa7a
> +# Backported in version v5.4.218 20a5bde605979af270f94b9151f753ec2caf8b05
> +# Backported in version v5.10.148 36b33c63515a93246487691046d18dd37a9f589b
> +# Backported in version v5.15.74 76efb4897bc38b2f16176bae27ae801037ebf49a
> +# Backported in version v5.19.16 6ae8aa5dcf0d7ada07964c8638e55d3af5896a86
> +CVE_CHECK_IGNORE += "CVE-2022-40768"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-4095
> +# Patched in kernel since v6.0 e230a4455ac3e9b112f0367d1b8e255e141afae0
> +# Backported in version v5.4.213 d0aac7146e96bf39e79c65087d21dfa02ef8db38
> +# Backported in version v5.10.142 19e3f69d19801940abc2ac37c169882769ed9770
> +# Backported in version v5.15.66 dc02aaf950015850e7589696521c7fca767cea77
> +# Backported in version v5.19.8 b1727def850904e4b8ba384043775672841663a1
> +CVE_CHECK_IGNORE += "CVE-2022-4095"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-41218
> +# Patched in kernel since v6.2 fd3d91ab1c6ab0628fe642dd570b56302c30a792
> +# Backported in version v5.4.229 a29d6213098816ed4574824b6adae94fb1c0457d
> +# Backported in version v5.10.163 3df07728abde249e2d3f47cf22f134cb4d4f5fb1
> +# Backported in version v5.15.87 8b45a3b19a2e909e830d09a90a7e1ec8601927d9
> +# Backported in version v6.1.4 530ca64b44625f7d39eb1d5efb6f9ff21da991e2
> +CVE_CHECK_IGNORE += "CVE-2022-41218"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-4139
> +# Patched in kernel since v6.1 04aa64375f48a5d430b5550d9271f8428883e550
> +# Backported in version v5.4.226 3659e33c1e4f8cfc62c6c15aca5d797010c277a4
> +# Backported in version v5.10.157 86f0082fb9470904b15546726417f28077088fee
> +# Backported in version v5.15.81 ee2d04f23bbb16208045c3de545c6127aaa1ed0e
> +CVE_CHECK_IGNORE += "CVE-2022-4139"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-41849
> +# Patched in kernel since v6.1 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c
> +# Backported in version v5.4.220 3742e9fd552e6c4193ebc5eb3d2cd02d429cad9c
> +# Backported in version v5.10.150 e50472949604f385e09ce3fa4e74dce9f44fb19b
> +# Backported in version v5.15.75 2b0897e33682a332167b7d355eec28693b62119e
> +# Backported in version v5.19.17 02c871d44090c851b07770176f88c6f5564808a1
> +CVE_CHECK_IGNORE += "CVE-2022-41849"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-41850
> +# Patched in kernel since v6.1 cacdb14b1c8d3804a3a7d31773bc7569837b71a4
> +# Backported in version v5.4.220 e30c3a9a88818e5cf3df3fda6ab8388bef3bc6cd
> +# Backported in version v5.10.150 dbcca76435a606a352c794956e6df62eedd3a353
> +# Backported in version v5.15.75 c61786dc727d1850336d12c85a032c9a36ae396d
> +# Backported in version v5.19.17 2d38886ae0365463cdba3db669170eef1e3d55c0
> +CVE_CHECK_IGNORE += "CVE-2022-41850"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-41858
> +# Patched in kernel since v5.18 ec4eb8a86ade4d22633e1da2a7d85a846b7d1798
> +# Backported in version v5.4.190 d05cd68ed8460cb158cc62c41ffe39fe0ca16169
> +# Backported in version v5.10.112 ca24c5e8f0ac3d43ec0cff29e1c861be73aff165
> +# Backported in version v5.15.35 efb020924a71391fc12e6f204eaf25694cc116a1
> +CVE_CHECK_IGNORE += "CVE-2022-41858"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42328
> +# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
> +# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
> +# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
> +# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
> +CVE_CHECK_IGNORE += "CVE-2022-42328"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42329
> +# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
> +# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
> +# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
> +# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
> +CVE_CHECK_IGNORE += "CVE-2022-42329"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42703
> +# Patched in kernel since v6.0 2555283eb40df89945557273121e9393ef9b542b
> +# Backported in version v5.4.212 2fe3eee48899a890310177d54537d5b8e255eb31
> +# Backported in version v5.10.141 98f401d36396134c0c86e9e3bd00b6b6b028b521
> +# Backported in version v5.15.65 c18a209b56e37b2a60414f714bd70b084ef25835
> +# Backported in version v5.19.7 7877eaa1131147b4d6a063962f3aac0ab1b8ea1c
> +CVE_CHECK_IGNORE += "CVE-2022-42703"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42721
> +# Patched in kernel since v6.1 bcca852027e5878aec911a347407ecc88d6fff7f
> +# Backported in version v5.4.218 77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc
> +# Backported in version v5.10.148 b0e5c5deb7880be5b8a459d584e13e1f9879d307
> +# Backported in version v5.15.74 0a8ee682e4f992eccce226b012bba600bb2251e2
> +# Backported in version v5.19.16 1d73c990e9bafc2754b1ced71345f73f5beb1781
> +CVE_CHECK_IGNORE += "CVE-2022-42721"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42722
> +# Patched in kernel since v6.1 b2d03cabe2b2e150ff5a381731ea0355459be09f
> +# Backported in version v5.10.148 58c0306d0bcd5f541714bea8765d23111c9af68a
> +# Backported in version v5.15.74 93a3a32554079432b49cf87f326607b2a2fab4f2
> +# Backported in version v5.19.16 fa63b5f6f8853ace755d9a23fb75817d5ba20df5
> +CVE_CHECK_IGNORE += "CVE-2022-42722"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
> +# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
> +# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
> +# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
> +# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
> +CVE_CHECK_IGNORE += "CVE-2022-42895"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
> +# Patched in kernel since v6.2 d18dcfe9860e842f394e37ba01ca9440ab2178f4
> +# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae
> +# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
> +# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
> +# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
> +CVE_CHECK_IGNORE += "CVE-2022-4382"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-4662
> +# Patched in kernel since v6.0 9c6d778800b921bde3bff3cff5003d1650f942d1
> +# Backported in version v5.4.213 df1875084898b15cbc42f712e93d7f113ae6271b
> +# Backported in version v5.10.142 abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8
> +# Backported in version v5.15.66 c548b99e1c37db6f7df86ecfe9a1f895d6c5966e
> +# Backported in version v5.19.8 d5eb850b3e8836197a38475840725260b9783e94
> +CVE_CHECK_IGNORE += "CVE-2022-4662"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-47518
> +# Patched in kernel since v6.1 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0
> +# Backported in version v5.10.157 3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800
> +# Backported in version v5.15.81 7aed1dd5d221dabe3fe258f13ecf5fc7df393cbb
> +CVE_CHECK_IGNORE += "CVE-2022-47518"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-47519
> +# Patched in kernel since v6.1 051ae669e4505abbe05165bebf6be7922de11f41
> +# Backported in version v5.10.157 905f886eae4b065656a575e8a02544045cbaadcf
> +# Backported in version v5.15.81 143232cb5a4c96d69a7d90b643568665463c6191
> +CVE_CHECK_IGNORE += "CVE-2022-47519"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-47520
> +# Patched in kernel since v6.1 cd21d99e595ec1d8721e1058dcdd4f1f7de1d793
> +# Backported in version v5.10.157 7c6535fb4d67ea37c98a1d1d24ca33dd5ec42693
> +# Backported in version v5.15.81 cd9c4869710bb6e38cfae4478c23e64e91438442
> +CVE_CHECK_IGNORE += "CVE-2022-47520"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-47929
> +# Patched in kernel since v6.2 96398560f26aa07e8f2969d73c8197e6a6d10407
> +# Backported in version v5.4.229 9b83ec63d0de7b1f379daa1571e128bc7b9570f8
> +# Backported in version v5.10.163 9f7bc28a6b8afc2274e25650511555e93f45470f
> +# Backported in version v5.15.88 04941c1d5bb59d64165e09813de2947bdf6f4f28
> +# Backported in version v6.1.6 e8988e878af693ac13b0fa80ba2e72d22d68f2dd
> +CVE_CHECK_IGNORE += "CVE-2022-47929"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0179
> +# Patched in kernel since v6.2 696e1a48b1a1b01edad542a1ef293665864a4dd0
> +# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
> +# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
> +# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
> +CVE_CHECK_IGNORE += "CVE-2023-0179"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
> +# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17
> +# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d
> +# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
> +# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
> +# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
> +CVE_CHECK_IGNORE += "CVE-2023-0394"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
> +# Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
> +# Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d
> +# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
> +# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
> +# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
> +CVE_CHECK_IGNORE += "CVE-2023-0461"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0590
> +# Patched in kernel since v6.1 ebda44da44f6f309d302522b049f43d6f829f7aa
> +# Backported in version v5.10.152 7aa3d623c11b9ab60f86b7833666e5d55bac4be9
> +# Backported in version v5.15.76 ce1234573d183db1ebcab524668ca2d85543bf80
> +CVE_CHECK_IGNORE += "CVE-2023-0590"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
> +# Patched in kernel since v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
> +# Backported in version v5.4.231 89e7fe3999e057c91f157b6ba663264f4cdfcb55
> +# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
> +# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
> +# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
> +CVE_CHECK_IGNORE += "CVE-2023-1073"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
> +# Patched in kernel since v6.2 458e279f861d3f61796894cd158b780765a1569f
> +# Backported in version v5.4.231 a7585028ac0a5836f39139c11594d79ede97d975
> +# Backported in version v5.10.166 6ef652f35dcfaa1ab2b2cf6c1694718595148eee
> +# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
> +# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
> +CVE_CHECK_IGNORE += "CVE-2023-1074"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
> +# Patched in kernel since v6.3 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
> +# Backported in version v5.4.235 084cd75643b61fb924f70cba98a71dea14942938
> +# Backported in version v5.10.173 80a1751730b302d8ab63a084b2fa52c820ad0273
> +# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
> +# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
> +# Backported in version v6.2.3 1099004ae1664703ec573fc4c61ffb24144bcb63
> +CVE_CHECK_IGNORE += "CVE-2023-1077"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
> +# Patched in kernel since v6.2 f753a68980cf4b59a80fe677619da2b1804f526d
> +# Backported in version v5.4.232 ba38eacade35dd2316d77b37494e6e0c01bab595
> +# Backported in version v5.10.168 c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca
> +# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
> +# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
> +CVE_CHECK_IGNORE += "CVE-2023-1078"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
> +# Patched in kernel since v6.3 4ab3a086d10eeec1424f2e8a968827a6336203df
> +# Backported in version v5.4.235 dd08e68d04d08d2f42b09162c939a0b0841216cc
> +# Backported in version v5.10.173 21a2eec4a440060a6eb294dc890eaf553101ba09
> +# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
> +# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
> +# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
> +CVE_CHECK_IGNORE += "CVE-2023-1079"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1095
> +# Patched in kernel since v6.0 580077855a40741cf511766129702d97ff02f4d9
> +# Backported in version v5.4.211 a452bc3deb23bf93f8a13d3e24611b7ef39645dc
> +# Backported in version v5.10.137 80977126bc20309f7f7bae6d8621356b393e8b41
> +# Backported in version v5.15.61 8a2df34b5bf652566f2889d9fa321f3b398547ef
> +# Backported in version v5.19.2 109539c9ba8497aad2948af4f09077f6a65059fe
> +CVE_CHECK_IGNORE += "CVE-2023-1095"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
> +# Patched in kernel since v6.3 29b0589a865b6f66d141d79b2dd1373e4e50fe17
> +# Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c
> +# Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c
> +# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
> +# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
> +# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
> +CVE_CHECK_IGNORE += "CVE-2023-1118"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1249
> +# Patched in kernel since v5.18 390031c942116d4733310f0684beb8db19885fe6
> +# Backported in version v5.10.110 558564db44755dfb3e48b0d64de327d20981e950
> +# Backported in version v5.15.33 39fd0cc079c98dafcf355997ada7b5e67f0bb10a
> +CVE_CHECK_IGNORE += "CVE-2023-1249"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1252
> +# Patched in kernel since v5.16 9a254403760041528bc8f69fe2f5e1ef86950991
> +# Backported in version v5.10.80 4fd9f0509a1452b45e89c668e2bab854cb05cd25
> +# Backported in version v5.15.3 2f372e38f5724301056e005353c8beecc3f8d257
> +CVE_CHECK_IGNORE += "CVE-2023-1252"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
> +# Patched in kernel since v6.2 ee059170b1f7e94e55fa6cadee544e176a6e59c2
> +# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
> +# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
> +# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
> +CVE_CHECK_IGNORE += "CVE-2023-1281"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1382
> +# Patched in kernel since v6.1 a7b42969d63f47320853a802efd879fbdc4e010e
> +# Backported in version v5.4.226 59f9aad22fd743572bdafa37d3e1dd5dc5658e26
> +# Backported in version v5.10.157 4058e3b74ab3eabe0835cee9a0c6deda79e8a295
> +# Backported in version v5.15.81 33fb115a76ae6683e34f76f7e07f6f0734b2525f
> +CVE_CHECK_IGNORE += "CVE-2023-1382"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
> +# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
> +# Backported in version v5.4.232 9f95a161a7deef62d6d2f57b1a69f94e0546d8d8
> +# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
> +# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
> +# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
> +CVE_CHECK_IGNORE += "CVE-2023-1513"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
> +# Patched in kernel since v6.3 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
> +# Backported in version v5.4.235 7a6fb69bbcb21e9ce13bdf18c008c268874f0480
> +# Backported in version v5.10.173 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6
> +# Backported in version v5.15.100 7c183dc0af472dec33d2c0786a5e356baa8cad19
> +# Backported in version v6.1.18 3abebc503a5148072052c229c6b04b329a420ecd
> +# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
> +CVE_CHECK_IGNORE += "CVE-2023-1829"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1838
> +# Patched in kernel since v5.18 fb4554c2232e44d595920f4d5c66cf8f7d13f9bc
> +# Backported in version v5.4.196 3a12b2c413b20c17832ec51cb836a0b713b916ac
> +# Backported in version v5.10.118 ec0d801d1a44d9259377142c6218885ecd685e41
> +# Backported in version v5.15.42 42d8a6dc45fc6619b8def1a70b7bd0800bcc4574
> +CVE_CHECK_IGNORE += "CVE-2023-1838"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-1998
> +# Patched in kernel since v6.3 6921ed9049bc7457f66c1596c5b78aec0dae4a9d
> +# Backported in version v5.4.235 34c1b60e7a80404056c03936dd9c2438da2789d4
> +# Backported in version v5.10.173 abfed855f05863d292de2d0ebab4656791bab9c8
> +# Backported in version v5.15.99 e7f1ddebd9f5b12de40bc37db9243957678f1448
> +# Backported in version v6.1.16 08d87c87d6461d16827c9b88d84c48c26b6c994a
> +# Backported in version v6.2.3 ead3c8e54d28fa1d5454b1f8a21b96b4a969b1cb
> +CVE_CHECK_IGNORE += "CVE-2023-1998"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-2006
> +# Patched in kernel since v6.1 3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5
> +# Backported in version v5.10.157 3535c632e6d16c98f76e615da8dc0cb2750c66cc
> +# Backported in version v5.15.81 38fe0988bd516f35c614ea9a5ff86c0d29f90c9a
> +CVE_CHECK_IGNORE += "CVE-2023-2006"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-2008
> +# Patched in kernel since v5.19 05b252cccb2e5c3f56119d25de684b4f810ba40a
> +# Backported in version v5.4.202 c7bdaad9cbfe17c83e4f56c7bb7a2d87d944f0fb
> +# Backported in version v5.10.127 20119c1e0fff89542ff3272ace87e04cf6ee6bea
> +# Backported in version v5.15.51 5b45535865d62633e3816ee30eb8d3213038dc17
> +CVE_CHECK_IGNORE += "CVE-2023-2008"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-2162
> +# Patched in kernel since v6.2 f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3
> +# Backported in version v5.4.232 d4d765f4761f9e3a2d62992f825aeee593bcb6b9
> +# Backported in version v5.10.168 9758ffe1c07b86aefd7ca8e40d9a461293427ca0
> +# Backported in version v5.15.93 0aaabdb900c7415caa2006ef580322f7eac5f6b6
> +# Backported in version v6.1.11 61e43ebfd243bcbad11be26bd921723027b77441
> +CVE_CHECK_IGNORE += "CVE-2023-2162"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-2166
> +# Patched in kernel since v6.1 0acc442309a0a1b01bcdaa135e56e6398a49439c
> +# Backported in version v5.4.227 3982652957e8d79ac32efcb725450580650a8644
> +# Backported in version v5.10.159 c42221efb1159d6a3c89e96685ee38acdce86b6f
> +# Backported in version v5.15.83 c142cba37de29f740a3852f01f59876af8ae462a
> +CVE_CHECK_IGNORE += "CVE-2023-2166"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-2177
> +# Patched in kernel since v5.19 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d
> +# Backported in version v5.4.209 8d6dab81ee3d0309c09987ff76164a25486c43e0
> +# Backported in version v5.10.135 6f3505588d66b27220f07d0cab18da380fae2e2d
> +# Backported in version v5.15.59 e796e1fe20ecaf6da419ef6a5841ba181bba7a0c
> +CVE_CHECK_IGNORE += "CVE-2023-2177"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-22999
> +# Patched in kernel since v5.17 b52fe2dbb3e655eb1483000adfab68a219549e13
> +# Backported in version v5.10.94 94177fcecc35e9e9d3aecaa5813556c6b5aed7b6
> +# Backported in version v5.15.17 5157828d3975768b53a51cdf569203b953184022
> +CVE_CHECK_IGNORE += "CVE-2023-22999"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-23002
> +# Patched in kernel since v5.17 6845667146a28c09b5dfc401c1ad112374087944
> +# Backported in version v5.10.94 4579954bf4cc0bdfc4a42c88b16fe596f1e7f82d
> +# Backported in version v5.15.17 9186e6ba52af11ba7b5f432aa2321f36e00ad721
> +CVE_CHECK_IGNORE += "CVE-2023-23002"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-23004
> +# Patched in kernel since v5.19 15342f930ebebcfe36f2415049736a77d7d2e045
> +# Backported in version v5.10.173 a5bbea50d622b8f49ab8ee3b0eb283107febcf1a
> +# Backported in version v5.15.100 1c7988d5c79f72287177bb774cde15fde69f3c97
> +CVE_CHECK_IGNORE += "CVE-2023-23004"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-23454
> +# Patched in kernel since v6.2 caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12
> +# Backported in version v5.4.229 6b17b84634f932f4787f04578f5d030874b9ff32
> +# Backported in version v5.10.163 b2c917e510e5ddbc7896329c87d20036c8b82952
> +# Backported in version v5.15.87 04dc4003e5df33fb38d3dd85568b763910c479d4
> +# Backported in version v6.1.5 dc46e39b727fddc5aacc0272ef83ee872d51be16
> +CVE_CHECK_IGNORE += "CVE-2023-23454"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-23455
> +# Patched in kernel since v6.2 a2965c7be0522eaa18808684b7b82b248515511b
> +# Backported in version v5.4.229 63e469cb54a87df53edcfd85bb5bcdd84327ae4a
> +# Backported in version v5.10.163 5f65f48516bfeebaab1ccc52c8fad698ddf21282
> +# Backported in version v5.15.87 f02327a4877a06cbc8277e22d4834cb189565187
> +# Backported in version v6.1.5 85655c63877aeafdc23226510ea268a9fa0af807
> +CVE_CHECK_IGNORE += "CVE-2023-23455"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-23559
> +# Patched in kernel since v6.2 b870e73a56c4cccbec33224233eaf295839f228c
> +# Backported in version v5.4.231 9042a9a3f29c942387e6d6036551d90c9ae6ce4f
> +# Backported in version v5.10.166 802fd7623e9ed19ee809b503e93fccc1e3f37bd6
> +# Backported in version v5.15.91 8cbf932c5c40b0c20597fa623c308d5bde0848b5
> +# Backported in version v6.1.9 7794efa358bca8b8a2a80070c6e088a74945f018
> +CVE_CHECK_IGNORE += "CVE-2023-23559"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-25012
> +# Patched in kernel since v6.3 76ca8da989c7d97a7f76c75d475fe95a584439d7
> +# Backported in version v5.4.235 25e14bf0c894f9003247e3475372f33d9be1e424
> +# Backported in version v5.10.173 fddde36316da8acb45a3cca2e5fda102f5215877
> +# Backported in version v5.15.99 0fd9998052926ed24cfb30ab1a294cfeda4d0a8f
> +# Backported in version v6.1.16 f2bf592ebd5077661e00aa11e12e054c4c8f6dd0
> +# Backported in version v6.2.3 90289e71514e9533a9c44d694e2b492be9ed2b77
> +CVE_CHECK_IGNORE += "CVE-2023-25012"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-26545
> +# Patched in kernel since v6.2 fda6c89fe3d9aca073495a664e1d5aea28cd4377
> +# Backported in version v5.4.232 df099e65564aa47478eb1cacf81ba69024fb5c69
> +# Backported in version v5.10.169 7ff0fdba82298d1f456c685e24930da89703c0fb
> +# Backported in version v5.15.95 59a74da8da75bdfb464cbdb399e87ba4f7500e96
> +# Backported in version v6.1.13 c376227845eef8f2e62e2c29c3cf2140d35dd8e8
> +CVE_CHECK_IGNORE += "CVE-2023-26545"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-28327
> +# Patched in kernel since v6.1 b3abe42e94900bdd045c472f9c9be620ba5ce553
> +# Backported in version v5.4.227 c66d78aee55dab72c92020ebfbebc464d4f5dd2a
> +# Backported in version v5.10.159 575a6266f63dbb3b8eb1da03671451f0d81b8034
> +# Backported in version v5.15.83 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
> +CVE_CHECK_IGNORE += "CVE-2023-28327"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-28328
> +# Patched in kernel since v6.2 0ed554fd769a19ea8464bb83e9ac201002ef74ad
> +# Backported in version v5.4.229 8b256d23361c51aa4b7fdb71176c1ca50966fb39
> +# Backported in version v5.10.163 559891d430e3f3a178040c4371ed419edbfa7d65
> +# Backported in version v5.15.86 210fcf64be4db82c0e190e74b5111e4eef661a7a
> +# Backported in version v6.1.2 6b60cf73a931af34b7a0a3f467a79d9fe0df2d70
> +CVE_CHECK_IGNORE += "CVE-2023-28328"
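Review bot: every CVE_CHECK_IGNORE in this file is unconditional, while the comments above each one record the first stable release that carries the fix (CVE-2023-1829 needs v5.10.173 or v5.15.100, CVE-2023-23004 needs v5.15.100). Nothing ties the ignore to the kernel version actually being built, so a recipe that picks this file up with an older dot release, or with a series that has no backport line at all (CVE-2022-42722 and CVE-2023-1252 list none for 5.4), gets these CVEs suppressed while still unfixed. Consider one exclusion file per kernel series, named after it, with a header comment stating the linux-yocto versions it was generated against, so a stale include is visible in review.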
> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> index 1f8289b6b6..4943d5ab57 100644
> --- a/meta/recipes-kernel/linux/linux-yocto.inc
> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> @@ -69,3 +69,6 @@ do_devshell:prepend() {
> d.setVarFlag("PKG_CONFIG_SYSROOT_DIR", "unexport", "1")
> d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR")
> }
> +
> +# CVE exclusion
> +include recipes-kernel/linux/cve-exclusion.inc
>
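Review bot: the include line is added to linux-yocto.inc, which every recipe that pulls in this file inherits, so the exclusion list applies whatever kernel version that recipe builds. Moving the line into the versioned linux-yocto recipes the list was checked against would scope it to them. Also prefer "require" over "include" here: "include" does not fail when the file is missing, so a wrong path would go unnoticed at parse time.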
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream
2023-05-11 21:17 ` akuster808
@ 2023-05-19 15:02 ` Marta Rybczynska
0 siblings, 0 replies; 29+ messages in thread
From: Marta Rybczynska @ 2023-05-19 15:02 UTC (permalink / raw)
To: Armin Kuster; +Cc: Steve Sakoman, openembedded-core
On Thu, May 11, 2023 at 11:17 PM Armin Kuster <akuster808@gmail.com> wrote:
>
>
> On 5/9/23 6:32 PM, Steve Sakoman wrote:
> > From: Yoann Congal <yoann.congal@smile.fr>
> >
> > Exclude CVEs that are fixed in both current linux-yocto version
> > v5.10.175 and v5.15.108.
> >
> > To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
> >
> > [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
>
> Just a cautionary note: If anyone is including linux-yocto.inc in their
> custom kernel recipes based on the same kernel version but have not
> updated past the dot release Yocto has, you won't know you are missing
> fixes.
>
> I don't know how we advise the proper use of linux-yocto.inc?
>
Most of those should be in the NVD database and not included this way.
While working on the new fetcher, I was also considering a multiple
fetcher configuration. Originally to allow OSV and such. But also, an
additional "fetcher" could contain entries where we want to override the
NVD database. IMO that would be a cleaner solution and would allow safer
include of the complete fix file, because it will always be checked against the
actual package version. What do you think about it? Worth a POC?
Kind regards,
Marta
^ permalink raw reply [flat|nested] 29+ messages in thread
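The version check that Armin's caution and Marta's proposal both point at, as an added example (not part of the thread and not OE-core code): it parses the comment format of the quoted cve-exclusion.inc and keeps an ignore only when the kernel being built is at or past the recorded fix. Function names are hypothetical, the three sample entries are copied from the patch quoted above, and reading "since vX.Y" as a major.minor comparison and each backport as applying only to its own stable series is an assumption.

```python
import re

# Three entries copied from the cve-exclusion.inc hunk quoted in this thread.
SAMPLE_INC = """\
# https://nvd.nist.gov/vuln/detail/CVE-2022-42722
# Patched in kernel since v6.1 b2d03cabe2b2e150ff5a381731ea0355459be09f
# Backported in version v5.10.148 58c0306d0bcd5f541714bea8765d23111c9af68a
# Backported in version v5.15.74 93a3a32554079432b49cf87f326607b2a2fab4f2
# Backported in version v5.19.16 fa63b5f6f8853ace755d9a23fb75817d5ba20df5
CVE_CHECK_IGNORE += "CVE-2022-42722"

# https://nvd.nist.gov/vuln/detail/CVE-2023-1252
# Patched in kernel since v5.16 9a254403760041528bc8f69fe2f5e1ef86950991
# Backported in version v5.10.80 4fd9f0509a1452b45e89c668e2bab854cb05cd25
# Backported in version v5.15.3 2f372e38f5724301056e005353c8beecc3f8d257
CVE_CHECK_IGNORE += "CVE-2023-1252"

# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
# Patched in kernel since v6.3 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
# Backported in version v5.4.235 7a6fb69bbcb21e9ce13bdf18c008c268874f0480
# Backported in version v5.10.173 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6
# Backported in version v5.15.100 7c183dc0af472dec33d2c0786a5e356baa8cad19
# Backported in version v6.1.18 3abebc503a5148072052c229c6b04b329a420ecd
# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
CVE_CHECK_IGNORE += "CVE-2023-1829"
"""

MAINLINE_RE = re.compile(r"^#\s*Patched in kernel since v(\d+)\.(\d+)\s+[0-9a-f]{40}$")
BACKPORT_RE = re.compile(r"^#\s*Backported in version v(\d+)\.(\d+)\.(\d+)\s+[0-9a-f]{40}$")
IGNORE_RE = re.compile(r'^CVE_CHECK_IGNORE\s*\+=\s*"(CVE-\d{4}-\d+)"$')
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'v5.15.108' -> (5, 15, 108); a missing patch level counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported kernel version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def parse_exclusions(text):
    """Map each ignored CVE to the fix versions recorded in the comments above it."""
    entries = {}
    mainline, backports = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := MAINLINE_RE.match(line):
            mainline = (int(m[1]), int(m[2]))
        elif m := BACKPORT_RE.match(line):
            backports[(int(m[1]), int(m[2]))] = int(m[3])
        elif m := IGNORE_RE.match(line):
            entries[m[1]] = {"mainline": mainline, "backports": backports}
            mainline, backports = None, {}  # comments belong to one entry only
    return entries


def fix_status(entry, kernel):
    """Return (fixed, reason) for one entry against a (major, minor, patch) kernel."""
    series = kernel[:2]
    if entry["mainline"] is None and not entry["backports"]:
        return False, "no fix provenance recorded"
    # Assumption: any release of series X.Y or later contains a "since vX.Y" fix.
    if entry["mainline"] is not None and series >= entry["mainline"]:
        return True, "fixed in mainline v%d.%d" % entry["mainline"]
    needed = entry["backports"].get(series)
    if needed is None:
        return False, "no backport recorded for %d.%d.y" % series
    if kernel[2] >= needed:
        return True, "backported in v%d.%d.%d" % (*series, needed)
    return False, "needs >= v%d.%d.%d" % (*series, needed)


def audit(text, kernel_version):
    """Split the file's ignores into justified ones and ones to keep reporting."""
    kernel = parse_version(kernel_version)
    justified, unjustified = [], {}
    for cve, entry in parse_exclusions(text).items():
        fixed, reason = fix_status(entry, kernel)
        if fixed:
            justified.append(cve)
        else:
            unjustified[cve] = reason
    return justified, unjustified


if __name__ == "__main__":
    # 5.10.175 and 5.15.108 are the versions named in the commit message;
    # 5.15.99 and 5.4.240 stand in for a custom recipe on another release.
    for version in ("5.10.175", "5.15.108", "5.15.99", "5.4.240"):
        ok, bad = audit(SAMPLE_INC, version)
        print(version, "ignore:", ok, "keep reporting:", bad)
```
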
* [OE-core][kirkstone 00/15] Patch review
@ 2023-12-08 2:33 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2023-12-08 2:33 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, December 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6300
The following changes since commit 11da43b58e19583a9bc16044309610cfb2e86469:
systemtap_git: fix used uninitialized error (2023-11-28 05:11:52 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (3):
linux-yocto/5.10: update to v5.10.198
linux-yocto/5.10: update to v5.10.200
linux-yocto/5.10: update to v5.10.202
Lee Chee Yang (1):
xwayland: fix CVE-2023-5367
Narpat Mali (1):
python3-cryptography: fix CVE-2023-49083
Niko Mauno (1):
rust-llvm: Allow overriding LLVM target archs
Richard Purdie (5):
rust-common: Set llvm-target correctly for cross SDK targets
rust-cross-canadian: Fix ordering of target json config generation
rust-cross/rust-common: Merge arm target handling code to fix
cross-canadian
rust-cross: Simplfy the rust_gen_target calls
native: Clear TUNE_FEATURES/ABIEXTENSION
Steve Sakoman (1):
cve-exclusion_5.10.inc: update for 5.10.202
Tim Orling (1):
vim: upgrade 9.0.2068 -> 9.0.2130
Vivek Kumbhar (1):
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
Wenlin Kang (1):
bash: changes to SIGINT handler while waiting for a child
meta/classes/native.bbclass | 2 +
.../python3-cryptography/CVE-2023-49083.patch | 53 ++++
.../python/python3-cryptography_36.0.2.bb | 1 +
meta/recipes-devtools/rust/rust-common.inc | 24 +-
.../rust/rust-cross-canadian-common.inc | 5 +-
meta/recipes-devtools/rust/rust-cross.inc | 21 +-
meta/recipes-devtools/rust/rust-llvm.inc | 4 +-
...T-handler-while-waiting-for-a-child-.patch | 229 ++++++++++++++++++
meta/recipes-extended/bash/bash_5.1.16.bb | 1 +
.../xwayland/xwayland/CVE-2023-5367.patch | 85 +++++++
.../xwayland/xwayland_22.1.8.bb | 4 +-
.../linux/cve-exclusion_5.10.inc | 92 +++++--
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +-
.../libsndfile1/CVE-2022-33065.patch | 46 ++++
.../libsndfile/libsndfile1_1.0.31.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
18 files changed, 542 insertions(+), 68 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
create mode 100644 meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
--
2.34.1
^ permalink raw reply [flat|nested] 29+ messages in thread
* [OE-core][kirkstone 00/15] Patch review
@ 2024-03-20 16:09 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2024-03-20 16:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, March 22
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6699
The following changes since commit 2501534c9581c6c3439f525d630be11554a57d24:
build-appliance-image: Update to kirkstone head revision (2024-03-13 07:39:46 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Kiernan (1):
wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23
Alexander Kanavin (1):
linux-firmware: upgrade 20231211 -> 20240220
Haitao Liu (1):
glibc: Fix subscript typos for get_nscd_addresses
Martin Jansa (1):
stress-ng: avoid calling sync during do_compile
Meenali Gupta (1):
expat: fix CVE-2023-52426
Michael Halstead (1):
yocto-uninative: Update to 4.4 for glibc 2.39
Peter Marko (1):
expat: patch CVE-2024-28757
Vijay Anusuri (1):
python3-cryptography: Backport fix for CVE-2024-26130
Wang Mingyu (1):
wireless-regdb: upgrade 2023.05.03 -> 2023.09.01
Yoann Congal (6):
cve-update-nvd2-native: Fix typo in comment
cve-update-nvd2-native: Add an age threshold for incremental update
cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition
cve-update-nvd2-native: nvd_request_next: Improve comment
cve-update-nvd2-native: Fix CVE configuration update
cve-update-nvd2-native: Remove rejected CVE from database
meta/conf/distro/include/yocto-uninative.inc | 10 +-
.../expat/expat/CVE-2023-52426-001.patch | 35 ++
.../expat/expat/CVE-2023-52426-002.patch | 72 +++
.../expat/expat/CVE-2023-52426-003.patch | 28 ++
.../expat/expat/CVE-2023-52426-004.patch | 429 ++++++++++++++++++
.../expat/expat/CVE-2023-52426-005.patch | 34 ++
.../expat/expat/CVE-2023-52426-006.patch | 174 +++++++
.../expat/expat/CVE-2023-52426-007.patch | 53 +++
.../expat/expat/CVE-2023-52426-008.patch | 37 ++
.../expat/expat/CVE-2023-52426-009.patch | 354 +++++++++++++++
.../expat/expat/CVE-2023-52426-010.patch | 50 ++
.../expat/expat/CVE-2023-52426-011.patch | 45 ++
.../expat/expat/CVE-2024-28757.patch | 58 +++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
...dresses-Fix-subscript-typos-BZ-29605.patch | 40 ++
meta/recipes-core/glibc/glibc_2.35.bb | 1 +
.../meta/cve-update-nvd2-native.bb | 35 +-
.../python3-cryptography/CVE-2024-26130.patch | 66 +++
.../python/python3-cryptography_36.0.2.bb | 1 +
.../0001-Makefile-avoid-calling-sync.patch | 35 ++
.../stress-ng/stress-ng_0.13.12.bb | 1 +
...20231211.bb => linux-firmware_20240220.bb} | 6 +-
....05.03.bb => wireless-regdb_2024.01.23.bb} | 4 +-
23 files changed, 1562 insertions(+), 18 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch
create mode 100644 meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
create mode 100644 meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231211.bb => linux-firmware_20240220.bb} (99%)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2024.01.23.bb} (88%)
--
2.34.1
^ permalink raw reply [flat|nested] 29+ messages in thread
* [OE-core][kirkstone 00/15] Patch review
@ 2024-09-23 13:13 Steve Sakoman
0 siblings, 0 replies; 29+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, September 24
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7353
The following changes since commit 88630352d6d1cfee06787fa84b73ca8ad335cb08:
libedit: Make docs generation deterministic (2024-09-11 05:03:48 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Colin McAllister (2):
busybox: Fix cut with "-s" flag
udev-extraconf: Add collect flag to mount
Divya Chellam (1):
python3: Upgrade 3.10.14 -> 3.10.15
Konrad Weihmann (3):
runqemu: keep generating tap devices
testimage: fallback for empty IMAGE_LINK_NAME
testexport: fallback for empty IMAGE_LINK_NAME
Michael Halstead (2):
yocto-uninative: Update to 4.5 for gcc 14
yocto-uninative: Update to 4.6 for glibc 2.40
Pedro Ferreira (2):
buildhistory: Fix intermittent package file list creation
buildhistory: Restoring files from preserve list
Richard Purdie (1):
buildhistory: Simplify intercept call sites and drop
SSTATEPOSTINSTFUNC usage
Rohini Sangam (1):
cups: Security fix for CVE-2024-35235
Ross Burton (1):
lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex
Vijay Anusuri (1):
libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006
Vivek Kumbhar (1):
webkitgtk: Security fix CVE-2024-40779
meta/classes/buildhistory.bbclass | 71 ++-
meta/classes/sstate.bbclass | 5 +-
meta/classes/testexport.bbclass | 2 +-
meta/classes/testimage.bbclass | 4 +-
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oeqa/selftest/cases/runcmd.py | 4 +-
.../libpcap/libpcap/CVE-2023-7256-pre1.patch | 99 ++++
.../libpcap/libpcap/CVE-2023-7256-pre2.patch | 131 +++++
.../libpcap/libpcap/CVE-2023-7256-pre3.patch | 67 +++
.../libpcap/libpcap/CVE-2023-7256-pre4.patch | 37 ++
.../libpcap/libpcap/CVE-2023-7256.patch | 368 +++++++++++++
.../libpcap/libpcap/CVE-2024-8006.patch | 42 ++
.../libpcap/libpcap_1.10.1.bb | 10 +-
...1-cut-Fix-s-flag-to-omit-blank-lines.patch | 66 +++
meta/recipes-core/busybox/busybox_1.35.0.bb | 1 +
.../recipes-core/udev/udev-extraconf/mount.sh | 2 +-
.../python/python3/CVE-2023-27043.patch | 510 ------------------
.../python/python3/CVE-2024-6232.patch | 251 ---------
.../python/python3/CVE-2024-7592.patch | 140 -----
.../python/python3/CVE-2024-8088.patch | 124 -----
...{python3_3.10.14.bb => python3_3.10.15.bb} | 6 +-
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2024-35235.patch | 121 +++++
.../webkit/webkitgtk/CVE-2024-40779.patch | 91 ++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 +
scripts/runqemu | 24 +-
26 files changed, 1109 insertions(+), 1079 deletions(-)
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2023-27043.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-6232.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
rename meta/recipes-devtools/python/{python3_3.10.14.bb => python3_3.10.15.bb} (98%)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2025-02-27 17:39 Steve Sakoman
From: Steve Sakoman @ 2025-02-27 17:39 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1094
The following changes since commit 73b5570a16708d1e749b1ec525299d10557cbf56:
vim: Upgrade 9.1.0764 -> 9.1.1043 (2025-02-24 06:54:05 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Guocai He (2):
tzcode: Update SRC_URI
xz: Update SRC_URI
Jiaying Song (1):
boost: fix do_fetch error
Libo Chen (1):
virglrenderer: fix do_fetch error
Moritz Haase (1):
meta: Enable '-o pipefail' for the SDK installer
Narpat Mali (1):
systemd: upgrade 250.5 -> 250.14
Vijay Anusuri (9):
xserver-xorg: Fix for CVE-2025-26594
xserver-xorg: Fix for CVE-2025-26595
xserver-xorg: Fix for CVE-2025-26596
xserver-xorg: Fix for CVE-2025-26597
xserver-xorg: Fix for CVE-2025-26598
xserver-xorg: Fix for CVE-2025-26599
xserver-xorg: Fix for CVE-2025-26600
xserver-xorg: Fix for CVE-2025-26601
bind: Upgrade 9.18.28 -> 9.18.33
meta/files/toolchain-shar-extract.sh | 5 +
.../bind/{bind_9.18.28.bb => bind_9.18.33.bb} | 2 +-
...d-boot_250.5.bb => systemd-boot_250.14.bb} | 0
meta/recipes-core/systemd/systemd.inc | 2 +-
.../0001-Adjust-for-musl-headers.patch | 20 +-
...sysctl.d-binfmt.d-modules-load.d-to-.patch | 18 +-
...1-core-fix-build-when-seccomp-is-off.patch | 41 ++
...ass-correct-parameters-to-getdents64.patch | 49 ++-
...w-json_variant_dump-to-return-an-err.patch | 60 ---
.../0002-Add-sys-stat.h-for-S_IFDIR.patch | 6 +-
...3-missing_type.h-add-comparison_fn_t.patch | 6 +-
...k-parse_printf_format-implementation.patch | 6 +-
...missing.h-check-for-missing-strndupa.patch | 62 ++-
...OB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch | 8 +-
...008-add-missing-FTW_-macros-for-musl.patch | 4 +-
..._register_atfork-for-non-glibc-build.patch | 6 +-
...10-Use-uintmax_t-for-handling-rlim_t.patch | 6 +-
...sable-tests-for-missing-typedefs-in-.patch | 2 +-
...T_SYMLINK_NOFOLLOW-flag-to-faccessat.patch | 4 +-
...patible-basename-for-non-glibc-syste.patch | 2 +-
...uffering-when-writing-to-oom_score_a.patch | 6 +-
...compliant-strerror_r-from-GNU-specif.patch | 2 +-
...definition-of-prctl_mm_map-structure.patch | 2 +-
.../0021-test-json.c-define-M_PIl.patch | 4 +-
...-not-disable-buffer-in-writing-files.patch | 38 +-
.../0025-Handle-__cpu_mask-usage.patch | 2 +-
.../systemd/0026-Handle-missing-gshadow.patch | 4 +-
...l.h-Define-MIPS-ABI-defines-for-musl.patch | 4 +-
.../systemd/systemd/CVE-2022-3821.patch | 45 --
.../systemd/systemd/CVE-2022-4415-1.patch | 109 -----
.../systemd/systemd/CVE-2022-4415-2.patch | 391 ------------------
.../systemd/systemd/CVE-2022-45873.patch | 124 ------
.../systemd/systemd/CVE-2023-7008.patch | 40 --
.../{systemd_250.5.bb => systemd_250.14.bb} | 7 +-
meta/recipes-extended/timezone/timezone.inc | 8 +-
meta/recipes-extended/xz/xz_5.2.6.bb | 2 +-
.../virglrenderer/virglrenderer_0.9.1.bb | 2 +-
.../xserver-xorg/CVE-2025-26594-1.patch | 54 +++
.../xserver-xorg/CVE-2025-26594-2.patch | 51 +++
.../xserver-xorg/CVE-2025-26595.patch | 65 +++
.../xserver-xorg/CVE-2025-26596.patch | 49 +++
.../xserver-xorg/CVE-2025-26597.patch | 46 +++
.../xserver-xorg/CVE-2025-26598.patch | 120 ++++++
.../xserver-xorg/CVE-2025-26599-1.patch | 66 +++
.../xserver-xorg/CVE-2025-26599-2.patch | 129 ++++++
.../xserver-xorg/CVE-2025-26600.patch | 68 +++
.../xserver-xorg/CVE-2025-26601-1.patch | 71 ++++
.../xserver-xorg/CVE-2025-26601-2.patch | 85 ++++
.../xserver-xorg/CVE-2025-26601-3.patch | 52 +++
.../xserver-xorg/CVE-2025-26601-4.patch | 132 ++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 13 +
meta/recipes-support/boost/boost-1.78.0.inc | 2 +-
52 files changed, 1201 insertions(+), 901 deletions(-)
rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%)
rename meta/recipes-core/systemd/{systemd-boot_250.5.bb => systemd-boot_250.14.bb} (100%)
create mode 100644 meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
delete mode 100644 meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
rename meta/recipes-core/systemd/{systemd_250.5.bb => systemd_250.14.bb} (99%)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch
--
2.43.0
* [OE-core][kirkstone 00/15] Patch review
@ 2025-05-13 19:07 Steve Sakoman
From: Steve Sakoman @ 2025-05-13 19:07 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, May 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1582
The following changes since commit 00f7a2f60dd6de95a1a47fa642978613ce76dc56:
glibc: Add single-threaded fast path to rand() (2025-05-09 09:01:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 4.0.26
Alexander Kanavin (1):
perl: enable _GNU_SOURCE define via d_gnulibc
Alon Bar-Lev (1):
module.bbclass: add KBUILD_EXTRA_SYMBOLS to install
Deepesh Varatharajan (1):
glibc: stable 2.35 branch updates
Peter Marko (1):
perl: patch CVE-2024-56406
Vijay Anusuri (10):
libsoup-2.4: Update fix CVE-2024-52532
libsoup-2.4: Fix CVE-2025-32906
libsoup-2.4: Fix CVE-2025-32909
libsoup: update fix CVE-2024-52532
libsoup: Fix CVE-2025-32906
libsoup: Fix CVE-2025-32909
libsoup: Fix CVE-2025-32910
libsoup: Fix CVE-2025-32911 & CVE-2025-32913
libsoup: Fix CVE-2025-32912
libsoup: Fix CVE-2025-32914
meta/classes/module.bbclass | 1 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
...4-56406-Heap-buffer-overflow-with-tr.patch | 30 ++++
meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
.../libsoup-2.4/CVE-2024-52532-3.patch | 46 ++++++
.../libsoup-2.4/CVE-2025-32906-1.patch | 61 +++++++
.../libsoup-2.4/CVE-2025-32906-2.patch | 83 ++++++++++
.../libsoup/libsoup-2.4/CVE-2025-32909.patch | 36 +++++
.../libsoup/libsoup-2.4_2.74.2.bb | 4 +
.../libsoup/libsoup/CVE-2024-52532-3.patch | 46 ++++++
.../libsoup/libsoup/CVE-2025-32906-1.patch | 61 +++++++
.../libsoup/libsoup/CVE-2025-32906-2.patch | 83 ++++++++++
.../libsoup/libsoup/CVE-2025-32909.patch | 36 +++++
.../libsoup/libsoup/CVE-2025-32910-1.patch | 98 ++++++++++++
.../libsoup/libsoup/CVE-2025-32910-2.patch | 149 ++++++++++++++++++
.../libsoup/libsoup/CVE-2025-32910-3.patch | 27 ++++
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++
.../libsoup/libsoup/CVE-2025-32912-1.patch | 41 +++++
.../libsoup/libsoup/CVE-2025-32912-2.patch | 30 ++++
.../libsoup/libsoup/CVE-2025-32914.patch | 111 +++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 12 ++
scripts/install-buildtools | 4 +-
23 files changed, 1076 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch
--
2.43.0
* [OE-core][kirkstone 00/15] Patch review
@ 2025-06-10 19:38 Steve Sakoman
From: Steve Sakoman @ 2025-06-10 19:38 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, June 12
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1770
The following changes since commit 415e73d53e5342f3f6ff6acd521ded2df3fbca1f:
nfs-utils: don't use signals to shut down nfs server. (2025-05-29 08:22:59 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (4):
ghostscript: fix CVE-2025-48708
ffmpeg: upgrade 5.0.1 -> 5.0.3
ffmpeg: fix CVE-2025-22919
ffmpeg: fix CVE-2025-22921
Deepesh Varatharajan (1):
binutils: Fix CVE-2025-5244 & CVE-2025-5245
Divya Chellam (2):
screen: fix CVE-2025-46802
screen: fix CVE-2025-46804
Harish Sadineni (1):
binutils: add CVE-2025-1182 patch file to SRC_URI
Hitendra Prajapati (1):
icu: fix CVE-2025-5222
Jiaying Song (1):
taglib: fix CVE-2023-47466
Martin Jansa (1):
kernel.bbclass: add original package name to RPROVIDES for -image and
-base
Peter Marko (1):
python3: upgrade 3.10.16 -> 3.10.18
Vijay Anusuri (3):
libsoup-2.4: Backport auth tests for CVE-2025-32910
python3-setuptools: Fix CVE-2025-47273
git: Fix CVE-2024-50349 and CVE-2024-52006
meta/classes/kernel.bbclass | 3 +-
.../binutils/binutils-2.38.inc | 3 +
.../binutils/0040-CVE-2025-1182.patch | 18 +-
.../binutils/0041-CVE-2025-5244.patch | 25 ++
.../binutils/0042-CVE-2025-5245.patch | 38 +++
.../git/git/CVE-2024-50349-0001.patch | 100 ++++++
.../git/git/CVE-2024-50349-0002.patch | 321 ++++++++++++++++++
.../git/git/CVE-2024-52006.patch | 165 +++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 3 +
.../CVE-2025-47273-pre1.patch | 54 +++
.../python3-setuptools/CVE-2025-47273.patch | 59 ++++
.../python/python3-setuptools_59.5.0.bb | 2 +
...ib-termcap-to-linker-flags-to-avoid-.patch | 2 +-
...hell-version-of-python-config-that-w.patch | 2 +-
...file-do-not-compile-.pyc-in-parallel.patch | 2 +-
...sts-due-to-load-variability-on-YP-AB.patch | 6 +-
...e-treat-overflow-in-UID-GID-as-failu.patch | 2 +-
...asename-to-replace-CC-for-checking-c.patch | 16 +-
...detect-multiarch-paths-when-cross-co.patch | 2 +-
...orlines-skip-due-to-load-variability.patch | 2 +-
...report-missing-dependencies-for-disa.patch | 2 +-
...up.py-do-not-add-a-curses-include-pa.patch | 4 +-
.../python/python3/CVE-2025-0938.patch | 131 -------
.../python3/avoid_warning_about_tkinter.patch | 2 +-
.../python/python3/makerace.patch | 2 +-
...{python3_3.10.16.bb => python3_3.10.18.bb} | 3 +-
.../ghostscript/CVE-2025-48708.patch | 46 +++
.../ghostscript/ghostscript_9.55.0.bb | 1 +
.../screen/screen/CVE-2025-46802.patch | 146 ++++++++
.../screen/screen/CVE-2025-46804.patch | 131 +++++++
meta/recipes-extended/screen/screen_4.9.0.bb | 2 +
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 18 +-
.../ffmpeg/ffmpeg/CVE-2025-22919.patch | 41 +++
.../ffmpeg/ffmpeg/CVE-2025-22921.patch | 34 ++
.../{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} | 9 +-
.../icu/icu/CVE-2025-5222.patch | 164 +++++++++
meta/recipes-support/icu/icu_70.1.bb | 1 +
...ckport-auth-tests-for-CVE-2025-32910.patch | 76 +++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
.../taglib/files/CVE-2023-47466.patch | 38 +++
meta/recipes-support/taglib/taglib_1.12.bb | 4 +-
41 files changed, 1500 insertions(+), 181 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-52006.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch
rename meta/recipes-devtools/python/{python3_3.10.16.bb => python3_3.10.18.bb} (99%)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46802.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46804.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
rename meta/recipes-multimedia/ffmpeg/{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} (96%)
create mode 100644 meta/recipes-support/icu/icu/CVE-2025-5222.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
create mode 100644 meta/recipes-support/taglib/files/CVE-2023-47466.patch
--
2.43.0
Thread overview: 29+ messages
2023-05-09 22:32 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 01/15] git: fix CVE-2023-29007 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 02/15] git: fix CVE-2023-25652 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 03/15] libxml2: patch CVE-2023-28484 and CVE-2023-29469 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 04/15] linux-yocto: Exclude 121 CVEs already fixed upstream Steve Sakoman
2023-05-10 15:32 ` Yoann Congal
2023-05-10 16:21 ` Steve Sakoman
2023-05-11 21:17 ` akuster808
2023-05-19 15:02 ` Marta Rybczynska
2023-05-09 22:32 ` [OE-core][kirkstone 05/15] wpebackend-fdo: upgrade 1.14.0 -> 1.14.2 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 06/15] Revert "xserver-xorg: backport fix for CVE-2023-1393" Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 07/15] xserver-xorg: upgrade 21.1.7 -> 21.1.8 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 08/15] linux-firmware: upgrade 20230210 -> 20230404 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 09/15] kernel-devsrc: depend on python3-core instead of python3 Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 10/15] libarchive: Enable acls, xattr for native as well as target Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 11/15] populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 12/15] libpam: Fix the xtests/tst-pam_motd[1|3] failures Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 13/15] oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 14/15] kernel: improve initramfs bundle processing time Steve Sakoman
2023-05-09 22:32 ` [OE-core][kirkstone 15/15] update-alternatives.bbclass: fix old override syntax Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-06-10 19:38 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2025-05-13 19:07 Steve Sakoman
2025-02-27 17:39 Steve Sakoman
2024-09-23 13:13 Steve Sakoman
2024-03-20 16:09 Steve Sakoman
2023-12-08 2:33 Steve Sakoman
2023-05-06 15:24 Steve Sakoman
2022-07-27 0:40 Steve Sakoman
2022-06-19 19:30 Steve Sakoman