[OE-core][dunfell 00/14] Patch review

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back
by end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1464

The following changes since commit 552739383321bd9b4780bd0026d6107ece530522:

  perl: fix ptest test count (2020-10-05 04:29:40 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (4):
  linux-yocto/5.4: fix kprobes build warning
  linux-yocto/5.4: update to v5.4.67
  linux-yocto/5.4: update to v5.4.68
  linux-yocto/5.4: update to v5.4.69

Joshua Watt (1):
  classes/sanity: Bump minimum python version to 3.5

Marek Vasut (4):
  lttng-modules: update to 2.11.6
  lttng-tools: update to 2.11.5
  lttng-ust: update to 2.11.1
  stress-ng: Upgrade 0.11.01 -> 0.11.17

Richard Purdie (2):
  glibc: do_stash_locale must not delete files from ${D}
  libtools-cross/shadow-sysroot: Use nopackages inherit

Steve Sakoman (1):
  Revert "lttng-modules: backport writeback.h changes from 2.12.x to fix
    kernel 5.4.62+"

Victor Kamensky (2):
  qemu: add 34Kf-64tlb fictitious cpu type
  qemumips: use 34Kf-64tlb CPU emulation

 meta/classes/sanity.bbclass                   |   4 +-
 meta/conf/machine/qemumips.conf               |   2 +-
 meta/recipes-core/glibc/glibc-package.inc     |   1 -
 .../libtool/libtool-cross_2.4.6.bb            |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 ...tlb-fictitious-cpu-type-like-34Kf-bu.patch | 118 ++++++++++++++++
 .../shadow/shadow-sysroot_4.6.bb              |   2 +
 ...ownership-when-installing-example-jo.patch |   2 +-
 ...ess-ng_0.11.01.bb => stress-ng_0.11.17.bb} |   4 +-
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +--
 ...ckport-writeback.h-changes-from-2.12.patch | 128 ------------------
 ...ules_2.11.2.bb => lttng-modules_2.11.6.bb} |  11 +-
 ...-tools_2.11.2.bb => lttng-tools_2.11.5.bb} |   4 +-
 ...ttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} |   4 +-
 16 files changed, 156 insertions(+), 163 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-mips-add-34Kf-64tlb-fictitious-cpu-type-like-34Kf-bu.patch
 rename meta/recipes-extended/stress-ng/{stress-ng_0.11.01.bb => stress-ng_0.11.17.bb} (83%)
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-lttng-modules-backport-writeback.h-changes-from-2.12.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.11.2.bb => lttng-modules_2.11.6.bb} (81%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.11.2.bb => lttng-tools_2.11.5.bb} (98%)
 rename meta/recipes-kernel/lttng/{lttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} (93%)

-- 
2.17.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back
by end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1501

The following changes since commit 3ee9590f96cb50e93864db768b254773e2ff9465:

  uninative: Fix typo in error message (2020-10-19 04:27:15 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  selftest/virgl: drop the custom 30 sec timeout

Changqing Li (1):
  toolchain-shar-extract.sh: don't print useless info

Khem Raj (1):
  packagegroup-core-tools-debug: Disable for rv32/glibc as well

Lee Chee Yang (3):
  libproxy: fix CVE-2020-25219
  python3: fix CVE-2020-26116
  grub2: fix CVE-2020-10713

Martin Jansa (7):
  arch-armv7a.inc: fix typo
  arch-mips.inc: remove duplicated mips64el-o32 from
    PACKAGE_EXTRA_ARCHS_tune-mips64el-o32
  tune-mips64r6.inc: fix typo in mipsisa64r6-nf
  tune-ep9312.inc: add t suffix for thumb to
    PACKAGE_EXTRA_ARCHS_tune-ep9312
  tune-riscv.inc: use nf suffix also for TUNE_PKGARCH
  siteinfo: Recognize 32bit PPC LE
  siteinfo: Recognize bigendian sh3be and sh4be

Victor Kamensky (1):
  qemu: change TLBs number to 64 in 34Kf mips cpu model

 meta-selftest/lib/oeqa/runtime/cases/virgl.py |   2 +-
 meta/classes/siteinfo.bbclass                 |   5 +
 meta/conf/machine/include/arm/arch-armv7a.inc |   2 +-
 meta/conf/machine/include/mips/arch-mips.inc  |   2 +-
 .../conf/machine/include/riscv/tune-riscv.inc |   4 +-
 meta/conf/machine/include/tune-ep9312.inc     |   3 +-
 meta/conf/machine/include/tune-mips64r6.inc   |   2 +-
 meta/files/toolchain-shar-extract.sh          |   2 +-
 .../grub/files/CVE-2020-10713.patch           |  73 ++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../packagegroup-core-tools-debug.bb          |   2 +-
 .../python/python3/CVE-2020-26116.patch       | 104 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 ...ease-number-of-TLB-entries-on-the-34.patch |  59 ++++++++++
 .../libproxy/libproxy/CVE-2020-25219.patch    |  61 ++++++++++
 .../libproxy/libproxy_0.4.15.bb               |   1 +
 17 files changed, 315 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-10713.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
 create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch

-- 
2.17.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2291

The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:

  Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jasper Orschulko (3):
  expat: fix CVE-2013-0340
  libxml2: Fix CVE-2021-3518
  libx11: Fix CVE-2021-31535

Michael Halstead (1):
  uninative: Upgrade to 3.2 (gcc11 support)

Tim Orling (10):
  python3: upgrade 3.8.2 -> 3.8.3
  python3: upgrade 3.8.3 -> 3.8.4
  python3: upgrade 3.8.4 -> 3.8.5
  python3: upgrade 3.8.5 -> 3.8.6
  python3: upgrade 3.8.6 -> 3.8.7
  python3: upgrade 3.8.7 -> 3.8.8
  powertop: fix aclocal error too many loops
  python3: upgrade 3.8.8 -> 3.8.9
  python3: upgrade 3.8.9 -> 3.8.10
  python3-ptest: add newly discovered missing rdeps

 meta/conf/distro/include/yocto-uninative.inc  |    8 +-
 .../expat/expat/CVE-2013-0340.patch           | 1758 +++++++++++++++++
 .../expat/expat/libtool-tag.patch             |   41 +-
 meta/recipes-core/expat/expat_2.2.9.bb        |   12 +-
 .../libxml/libxml2/CVE-2021-3518.patch        |  112 ++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |    1 +
 ...20-8492-Fix-AbstractBasicAuthHandler.patch |  248 ---
 ...le.py-correct-the-test-output-format.patch |   24 +-
 .../python/python3/CVE-2019-20907.patch       |   44 -
 .../python/python3/CVE-2020-14422.patch       |   77 -
 .../python/python3/CVE-2020-26116.patch       |  104 -
 .../python/python3/CVE-2020-27619.patch       |   70 -
 .../python/python3/CVE-2021-3177.patch        |  191 --
 .../{python3_3.8.2.bb => python3_3.8.10.bb}   |   19 +-
 .../xorg-lib/libx11/CVE-2021-31535.patch      |  333 ++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |    1 +
 ...2-configure.ac-ax_add_fortify_source.patch |   70 +
 ...003-configure-Use-AX_REQUIRE_DEFINED.patch |   29 +
 meta/recipes-kernel/powertop/powertop_2.10.bb |    8 +-
 19 files changed, 2357 insertions(+), 793 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
 delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
 rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
 create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
 create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch

-- 
2.25.1

Re: [OE-core] [dunfell 00/14] Patch review

[Steve Sakoman]

On Mon, Jun 28, 2021 at 2:13 PM Minjae Kim <flowergom@gmail.com> wrote:

> How about this patch? I already tested on qemux86-64.
> https://lists.openembedded.org/g/openembedded-core/message/153284
> Do I need more testing?

It will be in the next set of patches.  I haven't seen any issues on
the autobuilder.

Steve

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.

The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:

  meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (1):
  sstate: another fix for touching files inside pseudo

Joshua Watt (1):
  oeqa: reproducible: Fix test not producing diffs

Khem Raj (1):
  webkitgtk: Fix reproducibility in minibrowser

Marek Vasut (1):
  piglit: upgrade to latest revision

Mark Hatle (1):
  reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking

Mingli Yu (1):
  python3-magic: add the missing rdepends

Richard Purdie (6):
  linunistring: Add missing gperf-native dependency
  pseudo: Add in ability to flush database with shutdown request
  pseudo: Add fcntl64 wrapper
  mirrors: Add uninative mirror on kernel.org
  sstate: Ensure SDE is accounted for in package task timestamps
  sstate: Avoid deploy_source_date_epoch sstate when unneeded

Steve Sakoman (2):
  python3-magic: add missing DEPENDS
  selftest/reproducible: add webkitgtk back to exclusion list for
    dunfell

 meta/classes/mirrors.bbclass                  |  1 +
 meta/classes/reproducible_build.bbclass       | 53 ++++++++++++-------
 meta/classes/sstate.bbclass                   | 34 +++++++++---
 .../oeqa/selftest/cases/diffoscope/A/file.txt |  1 +
 .../oeqa/selftest/cases/diffoscope/B/file.txt |  1 +
 meta/lib/oeqa/selftest/cases/reproducible.py  | 29 +++++++++-
 meta/recipes-devtools/pseudo/pseudo_git.bb    |  2 +-
 .../python/python3-magic_0.4.15.bb            |  7 ++-
 ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
 ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
 ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
 ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
 ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
 ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
 meta/recipes-graphics/piglit/piglit_git.bb    | 12 ++++-
 .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.28.4.bb  |  1 +
 .../libunistring/libunistring_0.9.10.bb       |  1 +
 18 files changed, 333 insertions(+), 30 deletions(-)
 create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
 create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch

-- 
2.25.1

Re: [OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

On Wed, Nov 10, 2021 at 6:08 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Please review this set of patches for dunfell and have comments back by end
> of day Friday.

I forgot to add:

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2910

>
> The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
>
>   meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
>   http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Jose Quaresma (1):
>   sstate: another fix for touching files inside pseudo
>
> Joshua Watt (1):
>   oeqa: reproducible: Fix test not producing diffs
>
> Khem Raj (1):
>   webkitgtk: Fix reproducibility in minibrowser
>
> Marek Vasut (1):
>   piglit: upgrade to latest revision
>
> Mark Hatle (1):
>   reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
>
> Mingli Yu (1):
>   python3-magic: add the missing rdepends
>
> Richard Purdie (6):
>   linunistring: Add missing gperf-native dependency
>   pseudo: Add in ability to flush database with shutdown request
>   pseudo: Add fcntl64 wrapper
>   mirrors: Add uninative mirror on kernel.org
>   sstate: Ensure SDE is accounted for in package task timestamps
>   sstate: Avoid deploy_source_date_epoch sstate when unneeded
>
> Steve Sakoman (2):
>   python3-magic: add missing DEPENDS
>   selftest/reproducible: add webkitgtk back to exclusion list for
>     dunfell
>
>  meta/classes/mirrors.bbclass                  |  1 +
>  meta/classes/reproducible_build.bbclass       | 53 ++++++++++++-------
>  meta/classes/sstate.bbclass                   | 34 +++++++++---
>  .../oeqa/selftest/cases/diffoscope/A/file.txt |  1 +
>  .../oeqa/selftest/cases/diffoscope/B/file.txt |  1 +
>  meta/lib/oeqa/selftest/cases/reproducible.py  | 29 +++++++++-
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |  2 +-
>  .../python/python3-magic_0.4.15.bb            |  7 ++-
>  ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
>  ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
>  ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
>  ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
>  ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
>  ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
>  meta/recipes-graphics/piglit/piglit_git.bb    | 12 ++++-
>  .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
>  meta/recipes-sato/webkit/webkitgtk_2.28.4.bb  |  1 +
>  .../libunistring/libunistring_0.9.10.bb       |  1 +
>  18 files changed, 333 insertions(+), 30 deletions(-)
>  create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
>  create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
>  create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#158132): https://lists.openembedded.org/g/openembedded-core/message/158132
> Mute This Topic: https://lists.openembedded.org/mt/86975084/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3047

with the exception of a known intermittent autobuilder issue on oe-selftest-centos
which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2977

The following changes since commit 90a07178ea26be453d101c2e8b33d3a0f437635d:

  build-appliance-image: Update to dunfell head revision (2021-12-14 22:49:32 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  gstreamer1.0: fix failing ptest

Bruce Ashfield (5):
  linux-yocto/5.4: update to v5.4.159
  linux-yocto/5.4: update to v5.4.162
  linux-yocto/5.4: update to v5.4.163
  linux-yocto/5.4: update to v5.4.165
  linux-yocto/5.4: update to v5.4.167

Ernst Sjöstrand (1):
  dropbear: Fix CVE-2020-36254

Marta Rybczynska (1):
  bluez: fix CVE-2021-0129

Mingli Yu (1):
  bootchart2: remove wait_boot logic

Minjae Kim (2):
  vim: fix CVE-2021-4069
  inetutils: fix CVE-2021-40491

Steve Sakoman (1):
  selftest: skip virgl test on fedora 34 entirely

sana kazi (2):
  openssh: Fix CVE-2021-41617
  openssh: Whitelist CVE-2016-20012

 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2021-0129.patch         | 109 ++++++++++++++++++
 .../inetutils/inetutils/CVE-2021-40491.patch  |  67 +++++++++++
 .../inetutils/inetutils_1.9.4.bb              |   1 +
 .../openssh/openssh/CVE-2021-41617.patch      |  52 +++++++++
 .../openssh/openssh_8.2p1.bb                  |  10 ++
 meta/recipes-core/dropbear/dropbear.inc       |   4 +-
 .../dropbear/dropbear/CVE-2020-36254.patch    |  29 +++++
 ...ake-sure-only-one-bootchartd-process.patch |  68 +++++++++++
 .../bootchart2/bootchart2_0.14.9.bb           |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 ++--
 ...-use-too-strict-timeout-for-validati.patch |  33 ++++++
 .../gstreamer/gstreamer1.0_1.16.3.bb          |   1 +
 .../vim/files/CVE-2021-4069.patch             |  43 +++++++
 meta/recipes-support/vim/vim.inc              |   1 +
 18 files changed, 439 insertions(+), 19 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
 create mode 100644 meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch

-- 
2.25.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3648

with the exception of the newly added meta-virt test (which has never
worked with dunfell)

The following changes since commit 7c0345ab1058a7e29d37f110923ecd368e102ed7:

  uninative: Upgrade to 3.6 with gcc 12 support (2022-05-09 11:51:55 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.192

Davide Gardenal (3):
  cve-check: add JSON format to summary output
  cve-check: fix symlinks where link and output path are equal
  rootfs-postcommands: fix symlinks where link and output path are equal

Marta Rybczynska (2):
  cve-update-db-native: update the CVE database once a day only
  cve-update-db-native: let the user to drive the update interval

Pawan Badganchi (2):
  fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
  libinput: Add fix for CVE-2022-1215

Portia (1):
  volatile-binds: Change DefaultDependencies from false to no

Richard Purdie (3):
  base: Avoid circular references to our own scripts
  scripts: Make git intercept global
  scripts/git: Ensure we don't have circular references

Ross Burton (1):
  cve-check: no need to depend on the fetch task

Steve Sakoman (1):
  busybox: fix CVE-2022-28391

 meta/classes/base.bbclass                     |   4 +
 meta/classes/cve-check.bbclass                |  72 ++--
 meta/classes/rootfs-postcommands.bbclass      |  14 +-
 ...tr-ensure-only-printable-characters-.patch |  38 ++
 ...e-all-printed-strings-with-printable.patch |  64 ++++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   2 +
 .../recipes-core/meta/cve-update-db-native.bb |  13 +-
 .../files/volatile-binds.service.in           |   2 +-
 .../wayland/libinput/CVE-2022-1215.patch      | 360 ++++++++++++++++++
 .../wayland/libinput_1.15.2.bb                |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../fribidi/fribidi/CVE-2022-25308.patch      |  50 +++
 .../fribidi/fribidi/CVE-2022-25309.patch      |  31 ++
 .../fribidi/fribidi/CVE-2022-25310.patch      |  30 ++
 meta/recipes-support/fribidi/fribidi_1.0.9.bb |   3 +
 scripts/{git-intercept => }/git               |   9 +-
 18 files changed, 674 insertions(+), 55 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
 rename scripts/{git-intercept => }/git (52%)

-- 
2.25.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3760

The following changes since commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939:

  openssl: Backport fix for ptest cert expiry (2022-06-07 11:33:46 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.196

Hitendra Prajapati (2):
  e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted
    filesystem
  pcre2: CVE-2022-1587 Out-of-bounds read

Marta Rybczynska (4):
  cve-check: move update_symlinks to a library
  cve-check: write empty fragment files in the text mode
  cve-check: add coverage statistics on recipes with/without CVEs
  cve-update-db-native: make it possible to disable database updates

Richard Purdie (1):
  libxslt: Mark CVE-2022-29824 as not applying

Robert Joslyn (2):
  curl: Backport CVE fixes
  curl: Fix CVE_CHECK_WHITELIST typo

Steve Sakoman (3):
  Revert "openssl: Backport fix for ptest cert expiry"
  openssl: backport fix for ptest certificate expiration
  openssl: update the epoch time for ct_test ptest

omkar patil (1):
  libxslt: Fix CVE-2021-30560

 meta/classes/cve-check.bbclass                |  86 ++-
 meta/lib/oe/cve_check.py                      |  10 +
 ...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 +++++
 ...ea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch |  55 --
 ...611887cfac633aacc052b2e71a7f195418b8.patch |  29 +
 .../openssl/openssl_1.1.1o.bb                 |   3 +-
 .../recipes-core/meta/cve-update-db-native.bb |   6 +-
 .../e2fsprogs/e2fsprogs/CVE-2022-1304.patch   |  42 ++
 .../e2fsprogs/e2fsprogs_1.45.7.bb             |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../curl/curl/CVE-2022-27774-1.patch          |  45 ++
 .../curl/curl/CVE-2022-27774-2.patch          |  80 +++
 .../curl/curl/CVE-2022-27774-3.patch          |  83 +++
 .../curl/curl/CVE-2022-27774-4.patch          |  35 +
 .../curl/curl/CVE-2022-27781.patch            |  46 ++
 .../curl/curl/CVE-2022-27782-1.patch          | 363 ++++++++++
 .../curl/curl/CVE-2022-27782-2.patch          |  71 ++
 meta/recipes-support/curl/curl_7.69.1.bb      |   9 +-
 .../libpcre/libpcre2/CVE-2022-1587.patch      | 660 ++++++++++++++++++
 .../recipes-support/libpcre/libpcre2_10.34.bb |   1 +
 .../libxslt/libxslt/CVE-2021-30560.patch      | 201 ++++++
 .../recipes-support/libxslt/libxslt_1.1.34.bb |   5 +
 24 files changed, 1949 insertions(+), 110 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch

-- 
2.25.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3880

The following changes since commit b75caf4a985e3c20996531785125eaffdc832104:

  insane.bbclass: host-user-contaminated: Correct per package home path (2022-06-29 05:15:49 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  efivar: change branch name to main

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.199
  linux-yocto/5.4: update to v5.4.203

Jate Sujjavanich (1):
  IMAGE_LOCALES_ARCHIVE: add option to prevent locale archive creation

Ranjitsinh Rathod (1):
  openssl: Minor security upgrade 1.1.1o to 1.1.1p

Richard Purdie (5):
  cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
  vim: 8.2.5083 -> 9.0.0005
  oeqa/runtime/scp: Disable scp test for dropbear
  packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
  oe-selftest-image: Ensure the image has sftp as well as dropbear

Ross Burton (1):
  cve-check: hook cleanup to the BuildCompleted event, not CookerExit

Steve Sakoman (3):
  openssh: break dependency on base package for -dev package
  dropbear: break dependency on base package for -dev package
  qemu: add PACKAGECONFIG for capstone

 .../recipes-test/images/oe-selftest-image.bb  |   2 +-
 meta/classes/cve-check.bbclass                |   2 +-
 meta/classes/image.bbclass                    |   5 +-
 .../distro/include/cve-extra-exclusions.inc   |  31 ++-
 meta/lib/oe/package_manager.py                |  13 +-
 meta/lib/oeqa/runtime/cases/scp.py            |   2 +-
 meta/recipes-bsp/efivar/efivar_37.bb          |   2 +-
 .../openssh/openssh_8.2p1.bb                  |   5 +
 ...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 ------------------
 ...611887cfac633aacc052b2e71a7f195418b8.patch |  29 ---
 .../{openssl_1.1.1o.bb => openssl_1.1.1p.bb}  |   4 +-
 meta/recipes-core/dropbear/dropbear.inc       |   5 +
 .../packagegroup-core-ssh-dropbear.bb         |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb}  |   0
 meta/recipes-support/vim/vim.inc              |   6 +-
 .../vim/{vim_8.2.bb => vim_9.0.bb}            |   0
 20 files changed, 64 insertions(+), 272 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1o.bb => openssl_1.1.1p.bb} (97%)
 rename meta/recipes-support/vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} (100%)
 rename meta/recipes-support/vim/{vim_8.2.bb => vim_9.0.bb} (100%)

-- 
2.25.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by end
of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4151

The following changes since commit a3cba15142e98177119ef36c09f553d09acf35ef:

  build-appliance-image: Update to dunfell head revision (2022-08-22 16:07:02 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (3):
  mobile-broadband-provider-info: upgrade 20220511 -> 20220725
  tzdata: upgrade 2022a -> 2022b
  wireless-regdb: upgrade 2022.06.06 -> 2022.08.12

Anuj Mittal (1):
  cryptodev-module: fix build with 5.11+ kernels

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.210

Ernst Sjöstrand (1):
  cve-check: Don't use f-strings

Hitendra Prajapati (5):
  libtiff: CVE-2022-34526 A stack overflow was discovered
  golang: fix CVE-2022-30629 and CVE-2022-30631
  golang: fix CVE-2022-30632 and CVE-2022-30633
  golang: fix CVE-2022-30635 and CVE-2022-32148
  golang: CVE-2022-32189 a denial of service

Paul Eggleton (1):
  relocate_sdk.py: ensure interpreter size error causes relocation to
    fail

Pawan Badganchi (1):
  libxml2: Add fix for CVE-2016-3709

Richard Purdie (1):
  vim: Upgrade 9.0.0115 -> 9.0.0242

 meta/lib/oe/cve_check.py                      |   2 +-
 .../mobile-broadband-provider-info_git.bb     |   4 +-
 .../libxml/libxml2/CVE-2016-3709.patch        |  89 ++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   1 +
 meta/recipes-devtools/go/go-1.14.inc          |   7 +
 .../go/go-1.14/CVE-2022-30629.patch           |  47 +++++++
 .../go/go-1.14/CVE-2022-30631.patch           | 116 ++++++++++++++++
 .../go/go-1.14/CVE-2022-30632.patch           |  71 ++++++++++
 .../go/go-1.14/CVE-2022-30633.patch           | 131 ++++++++++++++++++
 .../go/go-1.14/CVE-2022-30635.patch           | 120 ++++++++++++++++
 .../go/go-1.14/CVE-2022-32148.patch           |  49 +++++++
 .../go/go-1.14/CVE-2022-32189.patch           | 113 +++++++++++++++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../cryptodev/cryptodev-module_1.10.bb        |   1 +
 .../files/fix-build-for-Linux-5.11-rc1.patch  |  32 +++++
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +--
 ....06.06.bb => wireless-regdb_2022.08.12.bb} |   2 +-
 .../libtiff/files/CVE-2022-34526.patch        |  29 ++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 scripts/relocate_sdk.py                       |  10 +-
 23 files changed, 842 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
 create mode 100644 meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.06.06.bb => wireless-regdb_2022.08.12.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch

-- 
2.25.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review these patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5073

The following changes since commit efb1a73a13907bed3acac8e06053aef3e2ef57f5:

  build-appliance-image: Update to dunfell head revision (2023-03-15 23:09:39 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alban Bedel (1):
  systemd: Fix systemd when used with busybox less

Andrej Valek (1):
  libarchive: fix CVE-2022-26280

Chee Yang Lee (2):
  ghostscript: add CVE tag for
    check-stack-limits-after-function-evalution.patch
  libksba: fix CVE-2022-3515

Hitendra Prajapati (1):
  QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can
    lead to out-of-bounds read

Kenfe-Mickael Laventure (3):
  buildtools-tarball: Handle spaces within user $PATH
  toolchain-scripts: Handle spaces within user $PATH
  populate_sdk_ext: Handle spaces within user $PATH

Richard Purdie (4):
  staging: Separate out different multiconfig manifests
  staging/multilib: Fix manifest corruption
  glibc: Add missing binutils dependency
  base-files: Drop localhost.localdomain from hosts file

Ross Burton (2):
  vim: upgrade to 9.0.1403
  vim: set modified-by to the recipe MAINTAINER

 meta/classes/multilib.bbclass                 |   1 +
 meta/classes/populate_sdk_ext.bbclass         |   2 +-
 meta/classes/staging.bbclass                  |   4 +
 meta/classes/toolchain-scripts.bbclass        |   2 +-
 meta/recipes-core/base-files/base-files/hosts |   2 +-
 meta/recipes-core/glibc/glibc.inc             |   4 +-
 meta/recipes-core/meta/buildtools-tarball.bb  |   2 +-
 .../systemd/systemd/systemd-pager.sh          |   7 ++
 meta/recipes-core/systemd/systemd_244.5.bb    |   5 +
 meta/recipes-devtools/qemu/qemu.inc           |   9 +-
 .../qemu/qemu/CVE-2022-4144.patch             | 103 ++++++++++++++++++
 ...tack-limits-after-function-evalution.patch |   2 +-
 .../libarchive/CVE-2022-26280.patch           |  29 +++++
 .../libarchive/libarchive_3.4.2.bb            |   1 +
 .../libksba/libksba/CVE-2022-3515.patch       |  47 ++++++++
 meta/recipes-support/libksba/libksba_1.3.5.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   8 +-
 17 files changed, 215 insertions(+), 14 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-pager.sh
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
 create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-3515.patch

-- 
2.34.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493

The following changes since commit 77f6fbfa18b4ad77c3756cfdc45d441a20210781:

  build-appliance-image: Update to dunfell head revision (2023-06-17 09:47:49 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Abdellatif El Khlifi (1):
  kernel-fitimage: adding support for Initramfs bundle and u-boot script

Andrej Valek (1):
  kernel-fitimage: use correct kernel image

Hitendra Prajapati (1):
  openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
    identifiers

Ian Ray (1):
  systemd-systemctl: support instance expansion in WantedBy

Jan Vermaete (1):
  cve-update-nvd2-native: added the missing http import

Marta Rybczynska (1):
  cve-update-nvd2-native: new CVE database fetcher

Martin Siegumfeldt (1):
  systemd-systemctl: fix instance template WantedBy symlink construction

Michael Halstead (4):
  uninative: Upgrade to 3.8.1 to include libgcc
  uninative: Upgrade to 3.9 to include glibc 2.37
  uninative: Upgrade to 3.10 to support gcc 13
  uninative: Upgrade to 4.0 to include latest gcc 13.1.1

Richard Purdie (1):
  uninative: Ensure uninative is enabled in all cases for BuildStarted
    event

Sanjay Chitroda (1):
  cups: Fix CVE-2023-32324

Steve Sakoman (1):
  uninative.bbclass: handle read only files outside of patchelf

 meta/classes/cve-check.bbclass                |   4 +-
 meta/classes/kernel-fitimage.bbclass          | 142 ++++++--
 meta/classes/uninative.bbclass                |   4 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 .../openssl/openssl/CVE-2023-2650.patch       | 122 +++++++
 .../openssl/openssl_1.1.1t.bb                 |   1 +
 .../meta/cve-update-nvd2-native.bb            | 334 ++++++++++++++++++
 .../systemd/systemd-systemctl/systemctl       |   8 +-
 meta/recipes-extended/cups/cups.inc           |   1 +
 .../cups/cups/CVE-2023-32324.patch            |  36 ++
 10 files changed, 629 insertions(+), 33 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
 create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch

-- 
2.34.1

[OE-core][dunfell 01/14] cups: Fix CVE-2023-32324

[Steve Sakoman]

From: Sanjay Chitroda <schitrod@cisco.com>

OpenPrinting CUPS is an open source printing system. In versions 2.4.2
and prior, a heap buffer overflow vulnerability would allow a remote
attacker to launch a denial of service (DoS) attack. A buffer overflow
vulnerability in the function `format_log_line` could allow remote
attackers to cause a DoS on the affected system. Exploitation of the
vulnerability can be triggered when the configuration file `cupsd.conf`
sets the value of `loglevel `to `DEBUG`. No known patches or
workarounds exist at time of publication.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-32324
https://security-tracker.debian.org/tracker/CVE-2023-32324

Upstream Patch:
https://github.com/OpenPrinting/cups/commit/fd8bc2d32589

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/cups/cups.inc           |  1 +
 .../cups/cups/CVE-2023-32324.patch            | 36 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 21c56e1430..d6e7d95800 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -14,6 +14,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
            file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
            file://0004-cups-fix-multilib-install-file-conflicts.patch\
            file://CVE-2022-26691.patch \
+           file://CVE-2023-32324.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
new file mode 100644
index 0000000000..40b89c9899
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
@@ -0,0 +1,36 @@
+From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 1 Jun 2023 12:04:00 +0200
+Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
+
+CVE: CVE-2023-32324
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
+
+(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
+Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
+---
+ cups/string.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad19..6ef58515 100644
+--- a/cups/string.c
++++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+  * String functions for CUPS.
+  *
++ * Copyright © 2023 by OpenPrinting.
+  * Copyright © 2007-2019 by Apple Inc.
+  * Copyright © 1997-2007 by Easy Software Products.
+  *
+@@ -730,6 +731,9 @@ _cups_strlcpy(char       *dst,		/* O - Destination string */
+   size_t	srclen;			/* Length of source string */
+ 
+ 
++  if (size == 0)
++    return (0);
++
+  /*
+   * Figure out how much room is needed...
+   */
-- 
2.34.1

[OE-core][dunfell 02/14] openssl: CVE-2023-2650 Possible DoS translating ASN.1 object identifiers

[Steve Sakoman]

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2023-2650.patch       | 122 ++++++++++++++++++
 .../openssl/openssl_1.1.1t.bb                 |   1 +
 2 files changed, 123 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
new file mode 100644
index 0000000000..ef344dda7f
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
@@ -0,0 +1,122 @@
+From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 12 May 2023 10:00:13 +0200
+Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
+ translate
+
+OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
+numeric text form.  For gigantic sub-identifiers, this would take a very
+long time, the time complexity being O(n^2) where n is the size of that
+sub-identifier.
+
+To mitigate this, a restriction on the size that OBJ_obj2txt() will
+translate to canonical numeric text form is added, based on RFC 2578
+(STD 58), which says this:
+
+> 3.5. OBJECT IDENTIFIER values
+>
+> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
+> For the SMIv2, each number in the list is referred to as a sub-identifier,
+> there are at most 128 sub-identifiers in a value, and each sub-identifier
+> has a maximum value of 2^32-1 (4294967295 decimal).
+
+Fixes otc/security#96
+Fixes CVE-2023-2650
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098]
+CVE: CVE-2023-2650
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ CHANGES                  | 28 +++++++++++++++++++++++++++-
+ NEWS                     |  2 ++
+ crypto/objects/obj_dat.c | 19 +++++++++++++++++++
+ 3 files changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGES b/CHANGES
+index 1eaaf4e..f2cf38f 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,7 +7,33 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
+- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
++ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
++
++  *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
++     OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
++
++     OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
++     numeric text form.  For gigantic sub-identifiers, this would take a very
++     long time, the time complexity being O(n^2) where n is the size of that
++     sub-identifier.  (CVE-2023-2650)
++
++     To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
++     IDENTIFIER to canonical numeric text form if the size of that OBJECT
++     IDENTIFIER is 586 bytes or less, and fail otherwise.
++
++     The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
++     IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
++     most 128 sub-identifiers, and that the maximum value that each sub-
++     identifier may have is 2^32-1 (4294967295 decimal).
++
++     For each byte of every sub-identifier, only the 7 lower bits are part of
++     the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
++     these restrictions may occupy is 32 * 128 / 7, which is approximately 586
++     bytes.
++
++     Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++
++Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
+ 
+   *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+      that it does not enable policy checking. Thanks to
+diff --git a/NEWS b/NEWS
+index a86220a..41922c4 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,8 @@
+ 
+   Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
+ 
++      o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
++        OBJECT IDENTIFIER sub-identities.  (CVE-2023-2650)
+       o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
+       o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
+       o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
+diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
+index 7e8de72..d699915 100644
+--- a/crypto/objects/obj_dat.c
++++ b/crypto/objects/obj_dat.c
+@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+     first = 1;
+     bl = NULL;
+ 
++    /*
++     * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
++     *
++     * > 3.5. OBJECT IDENTIFIER values
++     * >
++     * > An OBJECT IDENTIFIER value is an ordered list of non-negative
++     * > numbers. For the SMIv2, each number in the list is referred to as a
++     * > sub-identifier, there are at most 128 sub-identifiers in a value,
++     * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
++     * > decimal).
++     *
++     * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
++     * i.e. 586 bytes long.
++     *
++     * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++     */
++    if (len > 586)
++        goto err;
++
+     while (len > 0) {
+         l = 0;
+         use_bn = 0;
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
index 46875b525c..75fc3c5c1a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://CVE-2023-0464.patch \
            file://CVE-2023-0465.patch \
            file://CVE-2023-0466.patch \
+           file://CVE-2023-2650.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \
-- 
2.34.1

[OE-core][dunfell 03/14] cve-update-nvd2-native: new CVE database fetcher

[Steve Sakoman]

From: Marta Rybczynska <rybczynska@gmail.com>

Add new fetcher for the NVD database using the 2.0 API [1].
The implementation changes as little as possible, keeping the current
database format (but using a different database file for the transition
period), with a notable exception of not using the META table.

Minor changes that could be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)

[1] https://nvd.nist.gov/developers/vulnerabilities

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit fb62c4c3dbca4e58f7ce6cf29d4b630a06411a97)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass                |   4 +-
 .../meta/cve-update-nvd2-native.bb            | 333 ++++++++++++++++++
 2 files changed, 335 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 05b9cb47dc..b0ccefc84d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -154,7 +154,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-db-native:do_fetch"
+do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
new file mode 100644
index 0000000000..1c14481c21
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -0,0 +1,333 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+# Important note:
+# This product uses the NVD API but is not endorsed or certified by the NVD.
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"
+
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
+
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
+
+python () {
+    if not bb.data.inherits_class("cve-check", d):
+        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_fetch() {
+    """
+    Update NVD database with API 2.0
+    """
+    import bb.utils
+    import bb.progress
+    import shutil
+
+    bb.utils.export_proxies(d)
+
+    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_dir = os.path.dirname(db_file)
+    db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+    cleanup_db_download(db_file, db_tmp_file)
+    # By default let's update the whole database (since time 0)
+    database_time = 0
+
+    # The NVD database changes once a day, so no need to update more frequently
+    # Allow the user to force-update
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+        if update_interval < 0:
+            bb.note("CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.note("CVE database recently updated, skipping")
+            return
+        database_time = os.path.getmtime(db_file)
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(db_dir)
+    if os.path.exists(db_file):
+        shutil.copy2(db_file, db_tmp_file)
+
+    if update_db_file(db_tmp_file, d, database_time) == True:
+        # Update downloaded correctly, can swap files
+        shutil.move(db_tmp_file, db_file)
+    else:
+        # Update failed, do not modify the database
+        bb.warn("CVE database update failed")
+        os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+    """
+    Cleanup the download space from possible failed downloads
+    """
+
+    # Clean up the updates done on the main file
+    # Remove it only if a journal file exists - it means a complete re-download
+    if os.path.exists("{0}-journal".format(db_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_file))
+
+        if os.path.exists(db_file):
+            os.remove(db_file)
+
+    # Clean-up the temporary file downloads, we can remove both journal
+    # and the temporary database
+    if os.path.exists("{0}-journal".format(db_tmp_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_tmp_file))
+
+    if os.path.exists(db_tmp_file):
+        os.remove(db_tmp_file)
+
+def nvd_request_next(url, api_key, args):
+    """
+    Request next part of the NVD dabase
+    """
+
+    import urllib.request
+    import urllib.parse
+    import gzip
+
+    headers = {}
+    if api_key:
+        headers['apiKey'] = api_key
+
+    data = urllib.parse.urlencode(args)
+
+    full_request = url + '?' + data
+
+    for attempt in range(3):
+        try:
+            r = urllib.request.urlopen(full_request)
+
+            if (r.headers['content-encoding'] == 'gzip'):
+                buf = r.read()
+                raw_data = gzip.decompress(buf)
+            else:
+                raw_data = r.read().decode("utf-8")
+
+            r.close()
+
+        except UnicodeDecodeError:
+            # Received garbage, retry
+            bb.debug(2, "CVE database: received malformed data, retrying (request: %s)" %(full_request))
+            pass
+        except http.client.IncompleteRead:
+            # Read incomplete, let's try again
+            bb.debug(2, "CVE database: received incomplete data, retrying (request: %s)" %(full_request))
+            pass
+        else:
+            return raw_data
+    else:
+        # We failed at all attempts
+        return None
+
+def update_db_file(db_tmp_file, d, database_time):
+    """
+    Update the given database file
+    """
+    import bb.utils, bb.progress
+    import datetime
+    import sqlite3
+    import json
+
+    # Connect to database
+    conn = sqlite3.connect(db_tmp_file)
+    initialize_db(conn)
+
+    req_args = {'startIndex' : 0}
+
+    # The maximum range for time is 120 days
+    # Force a complete update if our range is longer
+    if (database_time != 0):
+        database_date = datetime.datetime.combine(datetime.date.fromtimestamp(database_time), datetime.time())
+        today_date = datetime.datetime.combine(datetime.date.today(), datetime.time())
+        delta = today_date - database_date
+        if delta.days < 120:
+            bb.debug(2, "CVE database: performing partial update")
+            req_args['lastModStartDate'] = database_date.isoformat()
+            req_args['lastModEndDate'] = today_date.isoformat()
+        else:
+            bb.note("CVE database: file too old, forcing a full update")
+
+    with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
+
+        bb.debug(2, "Updating entries")
+        index = 0
+        url = d.getVar("NVDCVE_URL")
+        while True:
+            req_args['startIndex'] = index
+            raw_data = nvd_request_next(url, None, req_args)
+            if raw_data is None:
+                # We haven't managed to download data
+                return False
+
+            data = json.loads(raw_data)
+
+            index = data["startIndex"]
+            total = data["totalResults"]
+            per_page = data["resultsPerPage"]
+
+            for cve in data["vulnerabilities"]:
+               update_db(conn, cve)
+
+            index += per_page
+            ph.update((float(index) / (total+1)) * 100)
+            if index >= total:
+               break
+
+            # Recommended by NVD
+            time.sleep(6)
+
+        # Update success, set the date to cve_check file.
+        cve_f.write('CVE database update : %s\n\n' % datetime.date.today())
+
+    conn.commit()
+    conn.close()
+    return True
+
+def initialize_db(conn):
+    with conn:
+        c = conn.cursor()
+
+        c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+            VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+            VERSION_END TEXT, OPERATOR_END TEXT)")
+        c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+        c.close()
+
+def parse_node_and_insert(conn, node, cveId):
+
+    def cpe_generator():
+        for cpe in node.get('cpeMatch', ()):
+            if not cpe['vulnerable']:
+                return
+            cpe23 = cpe.get('criteria')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
+            vendor = cpe23[3]
+            product = cpe23[4]
+            version = cpe23[5]
+
+            if cpe23[6] == '*' or cpe23[6] == '-':
+                version_suffix = ""
+            else:
+                version_suffix = "_" + cpe23[6]
+
+            if version != '*' and version != '-':
+                # Version is defined, this is a '=' match
+                yield [cveId, vendor, product, version + version_suffix, '=', '', '']
+            elif version == '-':
+                # no version information is available
+                yield [cveId, vendor, product, version, '', '', '']
+            else:
+                # Parse start version, end version and operators
+                op_start = ''
+                op_end = ''
+                v_start = ''
+                v_end = ''
+
+                if 'versionStartIncluding' in cpe:
+                    op_start = '>='
+                    v_start = cpe['versionStartIncluding']
+
+                if 'versionStartExcluding' in cpe:
+                    op_start = '>'
+                    v_start = cpe['versionStartExcluding']
+
+                if 'versionEndIncluding' in cpe:
+                    op_end = '<='
+                    v_end = cpe['versionEndIncluding']
+
+                if 'versionEndExcluding' in cpe:
+                    op_end = '<'
+                    v_end = cpe['versionEndExcluding']
+
+                if op_start or op_end or v_start or v_end:
+                    yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                else:
+                    # This is no version information, expressed differently.
+                    # Save processing by representing as -.
+                    yield [cveId, vendor, product, '-', '', '', '']
+
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+
+def update_db(conn, elt):
+    """
+    Update a single entry in the on-disk database
+    """
+
+    accessVector = None
+    cveId = elt['cve']['id']
+    if elt['cve']['vulnStatus'] ==  "Rejected":
+        return
+    cveDesc = ""
+    for desc in elt['cve']['descriptions']:
+        if desc['lang'] == 'en':
+            cveDesc = desc['value']
+    date = elt['cve']['lastModified']
+    try:
+        accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
+        cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+    except KeyError:
+        cvssv2 = 0.0
+    try:
+        accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+    except KeyError:
+        accessVector = accessVector or "UNKNOWN"
+        cvssv3 = 0.0
+
+    conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+
+    try:
+        configurations = elt['cve']['configurations'][0]['nodes']
+        for config in configurations:
+            parse_node_and_insert(conn, config, cveId)
+    except KeyError:
+        bb.debug(2, "Entry without a configuration")
+
+do_fetch[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
-- 
2.34.1

[OE-core][dunfell 04/14] cve-update-nvd2-native: added the missing http import

[Steve Sakoman]

From: Jan Vermaete <jan.vermaete@gmail.com>

Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 39d2cde7eb922cb0a2cf9402cd8b3ae3b4cc2f62)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 1c14481c21..2b585983ac 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -118,6 +118,7 @@ def nvd_request_next(url, api_key, args):
     import urllib.request
     import urllib.parse
     import gzip
+    import http
 
     headers = {}
     if api_key:
-- 
2.34.1

[OE-core][dunfell 05/14] uninative: Ensure uninative is enabled in all cases for BuildStarted event

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Recent changes in bitbake mean the datastore is not always reset between
ConfigParsed and BuildStarted. This means in a fresh buiild, with memory
resident bitbake active, uninative may end up disabled.

Update the code so the enable code is always run at BuildStarted if
needed.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit db743cc78fe5172bb4a4dac9c1dad4f5aa9e1491)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/uninative.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 4412d7c567..2940935dd7 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -34,6 +34,8 @@ python uninative_event_fetchloader() {
         with open(loaderchksum, "r") as f:
             readchksum = f.read().strip()
         if readchksum == chksum:
+            if "uninative" not in d.getVar("SSTATEPOSTUNPACKFUNCS"):
+                enable_uninative(d)
             return
 
     import subprocess
-- 
2.34.1

[OE-core][dunfell 06/14] uninative: Upgrade to 3.8.1 to include libgcc

[Steve Sakoman]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Including libgcc solves issues with libpthread.

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 36eb46589fb01374d4738a2c376386c68d06aa83)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 7012db441b..51c0cdee43 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.36"
-UNINATIVE_VERSION = "3.7"
+UNINATIVE_VERSION = "3.8.1"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "6a29bcae4b5b716d2d520e18800b33943b65f8a835eac1ff8793fc5ee65b4be6"
-UNINATIVE_CHECKSUM[i686] ?= "3f6d52e64996570c716108d49f8108baccf499a283bbefae438c7266b7a93305"
-UNINATIVE_CHECKSUM[x86_64] ?= "b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570"
+UNINATIVE_CHECKSUM[aarch64] ?= "3f15d420049b21854bd7a8843da0f42f17064559492c8b752d7a6f998ff5ea65"
+UNINATIVE_CHECKSUM[i686] ?= "a6dcf316d738ade2e5e463bd3b33a270b4bfc25bba41770ad5cbdc3b0e24044c"
+UNINATIVE_CHECKSUM[x86_64] ?= "5fab9a5c97fc73a21134e5a81f74498cbaecda75d56aab971c934e0b803bcc00"
-- 
2.34.1

[OE-core][dunfell 07/14] uninative: Upgrade to 3.9 to include glibc 2.37

[Steve Sakoman]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Update uninative to work with the new glibc 2.37.

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 360971a6ba562fa0b29bd062b96ede2d3a47fa2e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 51c0cdee43..8a5cab5360 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.36"
-UNINATIVE_VERSION = "3.8.1"
+UNINATIVE_MAXGLIBCVERSION = "2.37"
+UNINATIVE_VERSION = "3.9"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "3f15d420049b21854bd7a8843da0f42f17064559492c8b752d7a6f998ff5ea65"
-UNINATIVE_CHECKSUM[i686] ?= "a6dcf316d738ade2e5e463bd3b33a270b4bfc25bba41770ad5cbdc3b0e24044c"
-UNINATIVE_CHECKSUM[x86_64] ?= "5fab9a5c97fc73a21134e5a81f74498cbaecda75d56aab971c934e0b803bcc00"
+UNINATIVE_CHECKSUM[aarch64] ?= "de35708c95c34573af140da910132c3291ba4fd26ebf7b74b755ada432cdf07b"
+UNINATIVE_CHECKSUM[i686] ?= "adac07b08adb88eb26fc7fd87fee0cec9d5be167bf7c5ffd3a549a2a6699c29c"
+UNINATIVE_CHECKSUM[x86_64] ?= "3dd82c3fbdb59e87bf091c3eef555a05fae528eeda3083828f76cd4deaceca8b"
-- 
2.34.1

[OE-core][dunfell 08/14] uninative: Upgrade to 3.10 to support gcc 13

[Steve Sakoman]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f811bffb861b23238e8291394bd6e8407f013619)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 8a5cab5360..f3c05b7e20 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.37"
-UNINATIVE_VERSION = "3.9"
+UNINATIVE_VERSION = "3.10"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "de35708c95c34573af140da910132c3291ba4fd26ebf7b74b755ada432cdf07b"
-UNINATIVE_CHECKSUM[i686] ?= "adac07b08adb88eb26fc7fd87fee0cec9d5be167bf7c5ffd3a549a2a6699c29c"
-UNINATIVE_CHECKSUM[x86_64] ?= "3dd82c3fbdb59e87bf091c3eef555a05fae528eeda3083828f76cd4deaceca8b"
+UNINATIVE_CHECKSUM[aarch64] ?= "b11f7dff0ff5e3c971f22e89a105efb0f8d2006fd71d1ea3e5da771e416b0e01"
+UNINATIVE_CHECKSUM[i686] ?= "ad7daa7fca7693ca07eea5279f830333530171d357759b380954a25254edd8dd"
+UNINATIVE_CHECKSUM[x86_64] ?= "ce8ff7e3247da312fbf84008f415bc1b4d113ac9fe4ec91581e4a20cd8b475d3"
-- 
2.34.1

[OE-core][dunfell 09/14] uninative: Upgrade to 4.0 to include latest gcc 13.1.1

[Steve Sakoman]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f87becb69e02bdf055dffb633ed4f6d36b36f7a7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index f3c05b7e20..ad4816a1f3 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.37"
-UNINATIVE_VERSION = "3.10"
+UNINATIVE_VERSION = "4.0"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "b11f7dff0ff5e3c971f22e89a105efb0f8d2006fd71d1ea3e5da771e416b0e01"
-UNINATIVE_CHECKSUM[i686] ?= "ad7daa7fca7693ca07eea5279f830333530171d357759b380954a25254edd8dd"
-UNINATIVE_CHECKSUM[x86_64] ?= "ce8ff7e3247da312fbf84008f415bc1b4d113ac9fe4ec91581e4a20cd8b475d3"
+UNINATIVE_CHECKSUM[aarch64] ?= "7baa8418a302df52e00916193b0a04f318356d9d2670c9a2bce3e966efefd738"
+UNINATIVE_CHECKSUM[i686] ?= "83114d36883d43a521e280742b9849bf85d039b2f83d8e21d480659babe75ee8"
+UNINATIVE_CHECKSUM[x86_64] ?= "fd75b2a1a67a10f6b7d65afb7d0f3e71a63b0038e428f34dfe420bb37716558a"
-- 
2.34.1

[OE-core][dunfell 10/14] uninative.bbclass: handle read only files outside of patchelf

[Steve Sakoman]

We are seeing autobuilder failures with the latest uninative:

patchelf: open: Permission denied

See upstream discussion which suggests handling
read-only files explicitly outside of patchelf:
https://github.com/NixOS/patchelf/pull/89

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/uninative.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 2940935dd7..4d4f53ad4d 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -169,5 +169,7 @@ python uninative_changeinterp () {
             if not elf.isDynamic():
                 continue
 
+            os.chmod(f, s[stat.ST_MODE] | stat.S_IWUSR)
             subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT)
+            os.chmod(f, s[stat.ST_MODE])
 }
-- 
2.34.1

[OE-core][dunfell 11/14] kernel-fitimage: adding support for Initramfs bundle and u-boot script

[Steve Sakoman]

From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>

This commit adds Initramfs bundle support to the FIT image in addition
to u-boot boot script capability.

These new features are selectable.

In case of Initramfs, the kernel is configured to be bundled with the rootfs
in the same binary (ie: zImage-initramfs-<machine>.bin). When the kernel is
copied to RAM and executed, it unpacks the Initramfs rootfs.

For more information about Initramfs please read:

https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt

For more details about the Initramfs bundle and boot script implementation
please check the kernel-fitimage.bbclass paragraph in Yocto reference
or mega manual.

Current limitations:

- Initramfs bundle FIT support has been tested on ARM 32-bit
- The kernel image type in case of ARM 32-bit is zImage

Change-Id: I901bfd899e8d733c5b9a2b6645b1d4748f4b1fda
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Backport of 19fa415c8769a67b52babd80f71d68bf36a21db2 in master branch
Signed-off-by: Remi Peuvergne <remi.peuvergne@non.se.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-fitimage.bbclass | 157 +++++++++++++++++++++++----
 1 file changed, 134 insertions(+), 23 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index e0dd215167..3b23138628 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,7 @@
 inherit kernel-uboot kernel-artifact-names uboot-sign
 
+KERNEL_IMAGETYPE_REPLACEMENT = ""
+
 python __anonymous () {
     kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
     if 'fitImage' in kerneltypes.split():
@@ -21,6 +23,8 @@ python __anonymous () {
         else:
             replacementtype = "zImage"
 
+        d.setVar("KERNEL_IMAGETYPE_REPLACEMENT", replacementtype)
+
         # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
         # to kernel.bbclass . We have to override it, since we pack zImage
         # (at least for now) into the fitImage .
@@ -45,6 +49,8 @@ python __anonymous () {
         if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
             uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
             d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
+            if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+                d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
 }
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
@@ -180,6 +186,43 @@ fitimage_emit_section_dtb() {
 EOF
 }
 
+#
+# Emit the fitImage ITS u-boot script section
+#
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to boot script image
+fitimage_emit_section_boot_script() {
+
+	bootscr_csum="${FIT_HASH_ALG}"
+	bootscr_sign_algo="${FIT_SIGN_ALG}"
+	bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
+
+        cat << EOF >> $1
+                bootscr-$2 {
+                        description = "U-boot script";
+                        data = /incbin/("$3");
+                        type = "script";
+                        arch = "${UBOOT_ARCH}";
+                        compression = "none";
+                        hash-1 {
+                                algo = "$bootscr_csum";
+                        };
+                };
+EOF
+
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
+		sed -i '$ d' $1
+		cat << EOF >> $1
+                        signature-1 {
+                                algo = "$bootscr_csum,$bootscr_sign_algo";
+                                key-name-hint = "$bootscr_sign_keyname";
+                        };
+                };
+EOF
+	fi
+}
+
 #
 # Emit the fitImage ITS setup section
 #
@@ -250,8 +293,9 @@ EOF
 # $2 ... Linux kernel ID
 # $3 ... DTB image name
 # $4 ... ramdisk ID
-# $5 ... config ID
-# $6 ... default flag
+# $5 ... u-boot script ID
+# $6 ... config ID
+# $7 ... default flag
 fitimage_emit_section_config() {
 
 	conf_csum="${FIT_HASH_ALG}"
@@ -267,6 +311,7 @@ fitimage_emit_section_config() {
 	kernel_line=""
 	fdt_line=""
 	ramdisk_line=""
+	bootscr_line=""
 	setup_line=""
 	default_line=""
 
@@ -289,21 +334,28 @@ fitimage_emit_section_config() {
 	fi
 
 	if [ -n "${5}" ]; then
+		conf_desc="${conf_desc}${sep}u-boot script"
+		sep=", "
+		bootscr_line="bootscr = \"bootscr-${5}\";"
+	fi
+
+	if [ -n "${6}" ]; then
 		conf_desc="${conf_desc}${sep}setup"
-		setup_line="setup = \"setup-${5}\";"
+		setup_line="setup = \"setup-${6}\";"
 	fi
 
-	if [ "${6}" = "1" ]; then
+	if [ "${7}" = "1" ]; then
 		default_line="default = \"conf-${3}\";"
 	fi
 
 	cat << EOF >> ${1}
                 ${default_line}
                 conf-${3} {
-			description = "${6} ${conf_desc}";
+			description = "${7} ${conf_desc}";
 			${kernel_line}
 			${fdt_line}
 			${ramdisk_line}
+			${bootscr_line}
 			${setup_line}
                         hash-1 {
                                 algo = "${conf_csum}";
@@ -331,6 +383,11 @@ EOF
 		fi
 
 		if [ -n "${5}" ]; then
+			sign_line="${sign_line}${sep}\"bootscr\""
+			sep=", "
+		fi
+
+		if [ -n "${6}" ]; then
 			sign_line="${sign_line}${sep}\"setup\""
 		fi
 
@@ -363,6 +420,7 @@ fitimage_assemble() {
 	DTBS=""
 	ramdiskcount=${3}
 	setupcount=""
+	bootscr_id=""
 	rm -f ${1} arch/${ARCH}/boot/${2}
 
 	fitimage_emit_fit_header ${1}
@@ -373,7 +431,22 @@ fitimage_assemble() {
 	fitimage_emit_section_maint ${1} imagestart
 
 	uboot_prep_kimage
-	fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}"
+
+	if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
+		initramfs_bundle_path="arch/"${UBOOT_ARCH}"/boot/"${KERNEL_IMAGETYPE_REPLACEMENT}".initramfs"
+		if [ -e "${initramfs_bundle_path}" ]; then
+
+			#
+			# Include the kernel/rootfs bundle.
+			#
+
+			fitimage_emit_section_kernel ${1} "${kernelcount}" "${initramfs_bundle_path}" "${linux_comp}"
+		else
+			bbwarn "${initramfs_bundle_path} not found."
+		fi
+	else
+		fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}"
+	fi
 
 	#
 	# Step 2: Prepare a DTB image section
@@ -407,7 +480,21 @@ fitimage_assemble() {
 	fi
 
 	#
-	# Step 3: Prepare a setup section. (For x86)
+	# Step 3: Prepare a u-boot script section
+	#
+
+	if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
+		if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
+			cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
+			bootscr_id="${UBOOT_ENV_BINARY}"
+			fitimage_emit_section_boot_script ${1} "${bootscr_id}" ${UBOOT_ENV_BINARY}
+		else
+			bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
+		fi
+	fi
+
+	#
+	# Step 4: Prepare a setup section. (For x86)
 	#
 	if [ -e arch/${ARCH}/boot/setup.bin ]; then
 		setupcount=1
@@ -415,9 +502,9 @@ fitimage_assemble() {
 	fi
 
 	#
-	# Step 4: Prepare a ramdisk section.
+	# Step 5: Prepare a ramdisk section.
 	#
-	if [ "x${ramdiskcount}" = "x1" ] ; then
+	if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
 		# Find and use the first initramfs image archive type we find
 		for img in cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.gz ext2.gz cpio; do
 			initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.${img}"
@@ -438,7 +525,7 @@ fitimage_assemble() {
 	fi
 
 	#
-	# Step 5: Prepare a configurations section
+	# Step 6: Prepare a configurations section
 	#
 	fitimage_emit_section_maint ${1} confstart
 
@@ -449,7 +536,7 @@ fitimage_assemble() {
 			if [ "${dtb_ext}" = "dtbo" ]; then
 				fitimage_emit_section_config ${1} "" "${DTB}" "" "" "`expr ${i} = ${dtbcount}`"
 			else
-				fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
+				fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${bootscr_id}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
 			fi
 			i=`expr ${i} + 1`
 		done
@@ -460,7 +547,7 @@ fitimage_assemble() {
 	fitimage_emit_section_maint ${1} fitend
 
 	#
-	# Step 6: Assemble the image
+	# Step 7: Assemble the image
 	#
 	uboot-mkimage \
 		${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
@@ -468,7 +555,7 @@ fitimage_assemble() {
 		arch/${ARCH}/boot/${2}
 
 	#
-	# Step 7: Sign the image and add public key to U-Boot dtb
+	# Step 8: Sign the image and add public key to U-Boot dtb
 	#
 	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
 		add_key_to_u_boot=""
@@ -500,7 +587,11 @@ do_assemble_fitimage_initramfs() {
 	if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
 		test -n "${INITRAMFS_IMAGE}" ; then
 		cd ${B}
-		fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+		if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
+			fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
+		else
+			fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+		fi
 	fi
 }
 
@@ -511,22 +602,32 @@ kernel_do_deploy[vardepsexclude] = "DATETIME"
 kernel_do_deploy_append() {
 	# Update deploy directory
 	if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
-		echo "Copying fit-image.its source file..."
-		install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
-		ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+		if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+			echo "Copying fit-image.its source file..."
+			install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
+			if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+				ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+			fi
 
-		echo "Copying linux.bin file..."
-		install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
-		ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+			echo "Copying linux.bin file..."
+			install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
+			if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+				ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+			fi
+		fi
 
 		if [ -n "${INITRAMFS_IMAGE}" ]; then
 			echo "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
 			install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
 			ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
 
-			echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
-			install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
-			ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+			if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+				echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
+				install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
+				if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+					ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+				fi
+			fi
 		fi
 		if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
 			# UBOOT_DTB_IMAGE is a realfile, but we can't use
@@ -536,3 +637,13 @@ kernel_do_deploy_append() {
 		fi
 	fi
 }
+
+# The function below performs the following in case of initramfs bundles:
+# - Removes do_assemble_fitimage. FIT generation is done through
+#   do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
+#   and should not be part of the tasks to be executed.
+python () {
+    d.appendVarFlag('do_compile', 'vardeps', ' INITRAMFS_IMAGE_BUNDLE')
+    if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+        bb.build.deltask('do_assemble_fitimage', d)
+}
-- 
2.34.1

[OE-core][dunfell 12/14] kernel-fitimage: use correct kernel image

[Steve Sakoman]

From: Andrej Valek <andrej.valek@siemens.com>

Even if initramfs_bundle_path was used, a wrong compression was reflected
in output its template file. Use linux.bin as universal kernel image.
The linux.bin file covers both cases because it's beying created from
vmlinux.

We know, that vmlinux is created inside compressed directory already,
so no external compression will be used.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Walter Schweizer <walter.schweizer@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Backport of 27fbbeaf972bb7e2535c1b23375cfa9d66b69db6 in master branch
Signed-off-by: Remi Peuvergne <remi.peuvergne@non.se.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-fitimage.bbclass | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 3b23138628..b88d7dbe4b 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -431,22 +431,7 @@ fitimage_assemble() {
 	fitimage_emit_section_maint ${1} imagestart
 
 	uboot_prep_kimage
-
-	if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
-		initramfs_bundle_path="arch/"${UBOOT_ARCH}"/boot/"${KERNEL_IMAGETYPE_REPLACEMENT}".initramfs"
-		if [ -e "${initramfs_bundle_path}" ]; then
-
-			#
-			# Include the kernel/rootfs bundle.
-			#
-
-			fitimage_emit_section_kernel ${1} "${kernelcount}" "${initramfs_bundle_path}" "${linux_comp}"
-		else
-			bbwarn "${initramfs_bundle_path} not found."
-		fi
-	else
-		fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}"
-	fi
+	fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"
 
 	#
 	# Step 2: Prepare a DTB image section
-- 
2.34.1

[OE-core][dunfell 13/14] systemd-systemctl: fix instance template WantedBy symlink construction

[Steve Sakoman]

From: Martin Siegumfeldt <mns@gomspace.com>

Fix issue of the below instance template systemd service dependency

[Install]
WantedBy=svc-wants@%i.service

creating the symlink (instance "a" example)

/etc/systemd/system/svc-wants@%i.service.wants/svc-wanted-by@a.service

which should be

/etc/systemd/system/svc-wants@a.service.wants/svc-wanted-by@a.service

as implemented by this change.

The functionality appears regressed just after "thud" baseline when the
logic was refactored from shell script into python (commit
925e30cb104ece7bfa48b78144e758a46dc9ec3f)

(From OE-Core rev: 308397f0bb3d6f3d4e9ec2c6a10823184049c9b5)

Signed-off-by: Martin Siegumfeldt <mns@gomspace.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 372b29c8ad270d4d430c26a4e614976c7029afaf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../systemd/systemd-systemctl/systemctl             | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index 6aa2e20465..577c373181 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -182,12 +182,19 @@ class SystemdUnit():
 
         raise SystemdUnitNotFoundError(self.root, unit)
 
-    def _process_deps(self, config, service, location, prop, dirstem):
+    def _process_deps(self, config, service, location, prop, dirstem, instance):
         systemdir = self.root / SYSCONFDIR / "systemd" / "system"
 
         target = ROOT / location.relative_to(self.root)
         try:
             for dependent in config.get('Install', prop):
+                # determine whether or not dependent is a template with an actual
+                # instance (i.e. a '@%i')
+                dependent_is_template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", dependent)
+                if dependent_is_template:
+                    # if so, replace with the actual instance to achieve
+                    # svc-wants@a.service.wants/svc-wanted-by@a.service
+                    dependent = re.sub(dependent_is_template.group('instance'), instance, dependent, 1)
                 wants = systemdir / "{}.{}".format(dependent, dirstem) / service
                 add_link(wants, target)
 
@@ -227,8 +234,8 @@ class SystemdUnit():
         else:
             service = self.unit
 
-        self._process_deps(config, service, path, 'WantedBy', 'wants')
-        self._process_deps(config, service, path, 'RequiredBy', 'requires')
+        self._process_deps(config, service, path, 'WantedBy', 'wants', instance)
+        self._process_deps(config, service, path, 'RequiredBy', 'requires', instance)
 
         try:
             for also in config.get('Install', 'Also'):
-- 
2.34.1

[OE-core][dunfell 14/14] systemd-systemctl: support instance expansion in WantedBy

[Steve Sakoman]

From: Ian Ray <ian.ray@ge.com>

Refactor _process_deps to expand systemd instance specifier "%i" to the
template instance.

This change expands on prior commit e510222b57 ("systemd-systemctl: fix
instance template WantedBy symlink construction") by substituting every
"%i" pattern-match with the instance name.

The regexp handles the following cases:

* svc-wants@%i.service

* sys-subsystem-net-devices-%i.device

Signed-off-by: Ian Ray <ian.ray@ge.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 9356276137267a29ae2289d796a2940918375308)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/systemd/systemd-systemctl/systemctl | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index 577c373181..b890bdd6f0 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -188,13 +188,8 @@ class SystemdUnit():
         target = ROOT / location.relative_to(self.root)
         try:
             for dependent in config.get('Install', prop):
-                # determine whether or not dependent is a template with an actual
-                # instance (i.e. a '@%i')
-                dependent_is_template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", dependent)
-                if dependent_is_template:
-                    # if so, replace with the actual instance to achieve
-                    # svc-wants@a.service.wants/svc-wanted-by@a.service
-                    dependent = re.sub(dependent_is_template.group('instance'), instance, dependent, 1)
+                # expand any %i to instance (ignoring escape sequence %%)
+                dependent = re.sub("([^%](%%)*)%i", "\\1{}".format(instance), dependent)
                 wants = systemdir / "{}.{}".format(dependent, dirstem) / service
                 add_link(wants, target)
 
-- 
2.34.1

Re: [OE-core][dunfell 00/14] Patch review

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 2867 bytes --]

On Thu, Jun 22, 2023 at 5:31 PM Steve Sakoman <steve@sakoman.com> wrote:

> Please review this set of changes for dunfell and have comments back by
> end of day Monday.
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493
>
> The following changes since commit
> 77f6fbfa18b4ad77c3756cfdc45d441a20210781:
>
>   build-appliance-image: Update to dunfell head revision (2023-06-17
> 09:47:49 -1000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib
> stable/dunfell-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Abdellatif El Khlifi (1):
>   kernel-fitimage: adding support for Initramfs bundle and u-boot script
>
> Andrej Valek (1):
>   kernel-fitimage: use correct kernel image
>
> Hitendra Prajapati (1):
>   openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
>     identifiers
>
> Ian Ray (1):
>   systemd-systemctl: support instance expansion in WantedBy
>
> Jan Vermaete (1):
>   cve-update-nvd2-native: added the missing http import
>
> Marta Rybczynska (1):
>   cve-update-nvd2-native: new CVE database fetcher
>
> Martin Siegumfeldt (1):
>   systemd-systemctl: fix instance template WantedBy symlink construction
>
> Michael Halstead (4):
>   uninative: Upgrade to 3.8.1 to include libgcc
>   uninative: Upgrade to 3.9 to include glibc 2.37
>   uninative: Upgrade to 3.10 to support gcc 13
>   uninative: Upgrade to 4.0 to include latest gcc 13.1.1
>
> Richard Purdie (1):
>   uninative: Ensure uninative is enabled in all cases for BuildStarted
>     event
>
> Sanjay Chitroda (1):
>   cups: Fix CVE-2023-32324
>
> Steve Sakoman (1):
>   uninative.bbclass: handle read only files outside of patchelf
>
>  meta/classes/cve-check.bbclass                |   4 +-
>  meta/classes/kernel-fitimage.bbclass          | 142 ++++++--
>  meta/classes/uninative.bbclass                |   4 +
>  meta/conf/distro/include/yocto-uninative.inc  |  10 +-
>  .../openssl/openssl/CVE-2023-2650.patch       | 122 +++++++
>  .../openssl/openssl_1.1.1t.bb                 |   1 +
>  .../meta/cve-update-nvd2-native.bb            | 334 ++++++++++++++++++
>  .../systemd/systemd-systemctl/systemctl       |   8 +-
>  meta/recipes-extended/cups/cups.inc           |   1 +
>  .../cups/cups/CVE-2023-32324.patch            |  36 ++
>  10 files changed, 629 insertions(+), 33 deletions(-)
>  create mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
>  create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
>  create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
>
>
Tested this version for the CVE fetcher backport to dunfell, no unexpected
issues seen.

Kind regards,
Marta

[-- Attachment #2: Type: text/html, Size: 4051 bytes --]

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Satuday, August 26.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5779

The following changes since commit b70a8333a7467162b9d148b99f5970c0af2a531f:

  kernel: skip installing fitImage when using Initramfs bundles (2023-08-12 05:38:11 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ashish Sharma (1):
  curl: Backport fix CVE-2023-32001

BELOUARGA Mohamed (1):
  linux-firmware : Add firmware of RTL8822 serie

Chee Yang Lee (1):
  tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774

Dmitry Baryshkov (2):
  linux-firmware: package firmare for Dragonboard 410c
  linux-firmware: split platform-specific Adreno shaders to separate
    packages

Jasper Orschulko (1):
  cve_check: Fix cpe_id generation

Kai Kang (1):
  grub2.inc: remove '-O2' from CFLAGS

Michael Halstead (2):
  yocto-uninative: Update hashes for uninative 4.1
  yocto-uninative: Update to 4.2 for glibc 2.38

Ross Burton (1):
  oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case

Trevor Gamblin (1):
  linux-firmware: upgrade 20230515 -> 20230625

Vijay Anusuri (1):
  elfutils: Backport fix for CVE-2021-33294

Wang Mingyu (1):
  libnss-nis: upgrade 3.1 -> 3.2

Yoann Congal (1):
  recipetool: Fix inherit in created -native* recipes

 meta/conf/distro/include/yocto-uninative.inc  | 10 +--
 meta/lib/oe/cve_check.py                      |  2 +-
 meta/lib/oeqa/runtime/cases/rpm.py            |  4 +-
 meta/recipes-bsp/grub/grub2.inc               |  2 +
 .../elfutils/elfutils_0.178.bb                |  1 +
 .../elfutils/files/CVE-2021-33294.patch       | 72 +++++++++++++++++++
 .../recipes-extended/libnss-nis/libnss-nis.bb |  4 +-
 ...20230515.bb => linux-firmware_20230625.bb} | 37 +++++++---
 .../libtiff/files/CVE-2022-3599.patch         |  2 +-
 .../curl/curl/CVE-2023-32001.patch            | 38 ++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 scripts/lib/recipetool/create.py              |  4 ++
 12 files changed, 158 insertions(+), 19 deletions(-)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230515.bb => linux-firmware_20230625.bb} (96%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-32001.patch

-- 
2.34.1

[OE-core][dunfell 00/14] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 14.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5868

The following changes since commit c953ccba6c2a334cc58a97eee073bdb51a68f1d3:

  linux/cve-exclusion: remove obsolete manual entries (2023-08-31 04:26:32 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (4):
  glibc/check-test-wrapper: don't emit warnings from ssh
  selftest/cases/glibc.py: increase the memory for testing
  oeqa/utils/nfs: allow requesting non-udp ports
  selftest/cases/glibc.py: switch to using NFS over TCP

Ashish Sharma (1):
  qemu: Backport fix CVE-2023-3180

Michael Halstead (2):
  yocto-uninative: Update to 4.3
  resulttool/resultutils: allow index generation despite corrupt json

Priyal Doshi (1):
  rootfs-post: remove traling blanks from tasks

Richard Purdie (2):
  oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
  oeqa/runtime/ltp: Increase ltp test output timeout

Shubham Kulkarni (1):
  openssh: Securiry fix for CVE-2023-38408

Staffan Rydén (1):
  kernel: Fix path comparison in kernel staging dir symlinking

Vijay Anusuri (2):
  bind: Backport fix for CVE-2023-2828
  qemu: Backport fix for CVE-2023-0330

 meta/classes/kernel.bbclass                   |   7 +-
 meta/classes/rootfs-postcommands.bbclass      |   6 +-
 meta/classes/rootfsdebugfiles.bbclass         |   2 +-
 meta/conf/distro/include/yocto-uninative.inc  |   8 +-
 meta/lib/oeqa/core/target/ssh.py              |   3 +
 meta/lib/oeqa/runtime/cases/ltp.py            |   2 +-
 meta/lib/oeqa/selftest/cases/glibc.py         |   6 +-
 meta/lib/oeqa/utils/nfs.py                    |   4 +-
 .../bind/bind/CVE-2023-2828.patch             | 166 +++++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 .../openssh/openssh/CVE-2023-38408-01.patch   | 189 ++++++
 .../openssh/openssh/CVE-2023-38408-02.patch   | 581 ++++++++++++++++++
 .../openssh/openssh/CVE-2023-38408-03.patch   | 171 ++++++
 .../openssh/openssh/CVE-2023-38408-04.patch   |  34 +
 .../openssh/openssh/CVE-2023-38408-05.patch   | 194 ++++++
 .../openssh/openssh/CVE-2023-38408-06.patch   |  73 +++
 .../openssh/openssh/CVE-2023-38408-07.patch   | 125 ++++
 .../openssh/openssh/CVE-2023-38408-08.patch   | 315 ++++++++++
 .../openssh/openssh/CVE-2023-38408-09.patch   |  38 ++
 .../openssh/openssh/CVE-2023-38408-10.patch   |  39 ++
 .../openssh/openssh/CVE-2023-38408-11.patch   | 307 +++++++++
 .../openssh/openssh/CVE-2023-38408-12.patch   | 120 ++++
 .../openssh/openssh_8.2p1.bb                  |  12 +
 .../glibc/glibc/check-test-wrapper            |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   4 +-
 ...-2023-0330.patch => CVE-2023-0330_1.patch} |   0
 .../qemu/qemu/CVE-2023-0330_2.patch           | 135 ++++
 .../qemu/qemu/CVE-2023-3180.patch             |  49 ++
 scripts/lib/resulttool/resultutils.py         |   6 +-
 29 files changed, 2579 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch

-- 
2.34.1