[OE-core][dunfell 0/6] Patch review

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Thursday, October 26

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6098

with the exception of a known intermittent reproducibility issue with the
vim-common package.

The following changes since commit 6b4a583169ae40a8d51e7ffa33785409b5111a81:

  systemd: Backport systemd-resolved: use hostname for certificate validation in DoT (2023-10-16 05:07:13 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ashish Sharma (1):
  binutils: Backport fix CVE-2023-25588

Meenali Gupta (1):
  linux-firmware: upgrade 20230625 -> 20230804

Richard Purdie (1):
  resulttool/report: Avoid divide by zero

Siddharth Doshi (1):
  vim: Upgrade 9.0.2009 -> 9.0.2048

Steve Sakoman (2):
  patch.py: Use shlex instead of deprecated pipe
  cve-exclusion_5.4.inc: update for 5.4.257

 meta/lib/oe/patch.py                          |   6 +-
 .../binutils/binutils-2.34.inc                |   1 +
 .../binutils/binutils/CVE-2023-25588.patch    | 146 ++++++++++++
 ...20230625.bb => linux-firmware_20230804.bb} |   4 +-
 .../linux/cve-exclusion_5.4.inc               | 207 +++++++++++++++---
 meta/recipes-support/vim/vim.inc              |   4 +-
 scripts/lib/resulttool/report.py              |   5 +-
 7 files changed, 338 insertions(+), 35 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230625.bb => linux-firmware_20230804.bb} (99%)

-- 
2.34.1

[OE-core][dunfell 1/6] binutils: Backport fix CVE-2023-25588

[Steve Sakoman]

From: Ashish Sharma <asharma@mvista.com>

Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
CVE: CVE-2023-25588
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.34.inc                |   1 +
 .../binutils/binutils/CVE-2023-25588.patch    | 146 ++++++++++++++++++
 2 files changed, 147 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 713e428a3e..a9a2bf332f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -53,5 +53,6 @@ SRC_URI = "\
      file://CVE-2020-16593.patch \
      file://0001-CVE-2021-45078.patch \
      file://CVE-2022-38533.patch \
+     file://CVE-2023-25588.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
new file mode 100644
index 0000000000..065d8e47f0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,146 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "".  We don't want synthetic symbols without names
+anyway, so get rid of them.  Also, simplify and correct sanity checks.
+
+	PR 29677
+	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
+ 1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   bfd_mach_o_symtab_command *symtab = mdata->symtab;
+   asymbol *s;
+   char * s_start;
+-  char * s_end;
+   unsigned long count, i, j, n;
+   size_t size;
+   char *names;
+-  char *nul_name;
+   const char stub [] = "$stub";
+ 
+   *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   /* We need to allocate a bfd symbol for every indirect symbol and to
+      allocate the memory for its name.  */
+   count = dysymtab->nindirectsyms;
+-  size = count * sizeof (asymbol) + 1;
+-
++  size = 0;
+   for (j = 0; j < count; j++)
+     {
+-      const char * strng;
+       unsigned int isym = dysymtab->indirect_syms[j];
++      const char *str;
+ 
+       /* Some indirect symbols are anonymous.  */
+-      if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+-	/* PR 17512: file: f5b8eeba.  */
+-	size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++      if (isym < symtab->nsyms
++	  && (str = symtab->symbols[isym].symbol.name) != NULL)
++	{
++	  /* PR 17512: file: f5b8eeba.  */
++	  size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++	  size += sizeof (stub);
++	}
+     }
+ 
+-  s_start = bfd_malloc (size);
++  s_start = bfd_malloc (size + count * sizeof (asymbol));
+   s = *ret = (asymbol *) s_start;
+   if (s == NULL)
+     return -1;
+   names = (char *) (s + count);
+-  nul_name = names;
+-  *names++ = 0;
+-  s_end = s_start + size;
+ 
+   n = 0;
+   for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ 	  entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+ 
+ 	  /* PR 17512: file: 08e15eec.  */
+-	  if (first >= count || last >= count || first > last)
++	  if (first >= count || last > count || first > last)
+ 	    goto fail;
+ 
+ 	  for (j = first; j < last; j++)
+ 	    {
+ 	      unsigned int isym = dysymtab->indirect_syms[j];
+-
+-	      /* PR 17512: file: 04d64d9b.  */
+-	      if (((char *) s) + sizeof (* s) > s_end)
+-		goto fail;
+-
+-	      s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+-	      s->section = sec->bfdsection;
+-	      s->value = addr - sec->addr;
+-	      s->udata.p = NULL;
++	      const char *str;
++	      size_t len;
+ 
+ 	      if (isym < symtab->nsyms
+-		  && symtab->symbols[isym].symbol.name)
++		  && (str = symtab->symbols[isym].symbol.name) != NULL)
+ 		{
+-		  const char *sym = symtab->symbols[isym].symbol.name;
+-		  size_t len;
+-
+-		  s->name = names;
+-		  len = strlen (sym);
+-		  /* PR 17512: file: 47dfd4d2.  */
+-		  if (names + len >= s_end)
++		  /* PR 17512: file: 04d64d9b.  */
++		  if (n >= count)
+ 		    goto fail;
+-		  memcpy (names, sym, len);
+-		  names += len;
+-		  /* PR 17512: file: 18f340a4.  */
+-		  if (names + sizeof (stub) >= s_end)
++		  len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++		  /* PR 17512: file: 47dfd4d2, 18f340a4.  */
++		  if (size < len + sizeof (stub))
+ 		    goto fail;
+-		  memcpy (names, stub, sizeof (stub));
+-		  names += sizeof (stub);
++		  memcpy (names, str, len);
++		  memcpy (names + len, stub, sizeof (stub));
++		  s->name = names;
++		  names += len + sizeof (stub);
++		  size -= len + sizeof (stub);
++		  s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++		  s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++		  s->section = sec->bfdsection;
++		  s->value = addr - sec->addr;
++		  s->udata.p = NULL;
++		  s++;
++		  n++;
+ 		}
+-	      else
+-		s->name = nul_name;
+-
+ 	      addr += entry_size;
+-	      s++;
+-	      n++;
+ 	    }
+ 	  break;
+ 	default:
+-- 
+2.39.3
+
-- 
2.34.1

[OE-core][dunfell 2/6] vim: Upgrade 9.0.2009 -> 9.0.2048

[Steve Sakoman]

From: Siddharth Doshi <sdoshi@mvista.com>

This includes CVE fix for CVE-2023-5535.

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 51247cbe0a..d8e88af22e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".2009"
-SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
+PV .= ".2048"
+SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.34.1

[OE-core][dunfell 3/6] linux-firmware: upgrade 20230625 -> 20230804

[Steve Sakoman]

From: Meenali Gupta <meenali.gupta@windriver.com>

License-Update: additional firmwares

upgrade include fix for CVE-2023-20569 CVE-2022-40982 CVE-2023-20593

Changelog:
      https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/

References:
      https://nvd.nist.gov/vuln/detail/CVE-2023-20569
      https://nvd.nist.gov/vuln/detail/CVE-2022-40982
      https://nvd.nist.gov/vuln/detail/CVE-2023-20593

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit d3f1448246c9711f4f23f2e12c664e0ba3ae3f02)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...{linux-firmware_20230625.bb => linux-firmware_20230804.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230625.bb => linux-firmware_20230804.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb
index 7fe7e51240..507a003224 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                     "
 # WHENCE checksum is defined separately to ease overriding it if
 # class-devupstream is selected.
-WHENCE_CHKSUM  = "57bf874056926f12aec2405d3fc390d9"
+WHENCE_CHKSUM  = "41f9a48bf27971b126a36f9344594dcd"
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
 # so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
 # Pin this to the 20220509 release, override this in local.conf
 SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
 
-SRC_URI[sha256sum] = "87597111c0d4b71b31e53cb85a92c386921b84c825a402db8c82e0e86015500d"
+SRC_URI[sha256sum] = "88d46c543847ee3b03404d4941d91c92974690ee1f6fdcbee9cef3e5f97db688"
 
 inherit allarch
 
-- 
2.34.1

[OE-core][dunfell 4/6] resulttool/report: Avoid divide by zero

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Avoid a divide by zero traceback if unfortunate test counts are encountered.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5aeea53dfacb53dedb8445cb3523dc3a8cb6dca)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/resulttool/report.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/resulttool/report.py b/scripts/lib/resulttool/report.py
index f0ca50ebe2..a349510ab8 100644
--- a/scripts/lib/resulttool/report.py
+++ b/scripts/lib/resulttool/report.py
@@ -176,7 +176,10 @@ class ResultsTextReport(object):
             vals['sort'] = line['testseries'] + "_" + line['result_id']
             vals['failed_testcases'] = line['failed_testcases']
             for k in cols:
-                vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f'))
+                if total_tested:
+                    vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f'))
+                else:
+                    vals[k] = "0 (0%)"
             for k in maxlen:
                 if k in vals and len(vals[k]) > maxlen[k]:
                     maxlen[k] = len(vals[k])
-- 
2.34.1

[OE-core][dunfell 5/6] patch.py: Use shlex instead of deprecated pipe

[Steve Sakoman]

The pipe library is deprecated in Python 3.11 and will be removed in
Python 3.13.  pipe.quote is just an import of shlex.quote anyway.

Clean up imports while we're at it.

Signed-off-by: Ola x Nilsson <olani@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 5f33c7b99a991c380d1813da8248ba5470ca4d4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/patch.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 7cd8436da5..feb6ee7082 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
+import os
+import shlex
+import subprocess
 import oe.path
 import oe.types
 
@@ -24,7 +27,6 @@ class CmdError(bb.BBHandledException):
 
 
 def runcmd(args, dir = None):
-    import pipes
     import subprocess
 
     if dir:
@@ -35,7 +37,7 @@ def runcmd(args, dir = None):
         # print("cwd: %s -> %s" % (olddir, dir))
 
     try:
-        args = [ pipes.quote(str(arg)) for arg in args ]
+        args = [ shlex.quote(str(arg)) for arg in args ]
         cmd = " ".join(args)
         # print("cmd: %s" % cmd)
         (exitstatus, output) = subprocess.getstatusoutput(cmd)
-- 
2.34.1

[OE-core][dunfell 6/6] cve-exclusion_5.4.inc: update for 5.4.257

[Steve Sakoman]

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/cve-exclusion_5.4.inc               | 207 +++++++++++++++---
 1 file changed, 179 insertions(+), 28 deletions(-)

diff --git a/meta/recipes-kernel/linux/cve-exclusion_5.4.inc b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
index 28e66d6f4f..4c17b701df 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
@@ -1,9 +1,9 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-08-25 15:56:12.313882 for version 5.4.251
+# Generated at 2023-10-24 06:03:05.289306 for version 5.4.257
 
 python check_kernel_cve_status_version() {
-    this_version = "5.4.251"
+    this_version = "5.4.257"
     kernel_version = d.getVar("LINUX_VERSION")
     if kernel_version != this_version:
         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
@@ -4832,6 +4832,9 @@ CVE_CHECK_WHITELIST += "CVE-2020-27194"
 # cpe-stable-backport: Backported in 5.4.23
 CVE_CHECK_WHITELIST += "CVE-2020-2732"
 
+# cpe-stable-backport: Backported in 5.4.25
+CVE_CHECK_WHITELIST += "CVE-2020-27418"
+
 # cpe-stable-backport: Backported in 5.4.75
 CVE_CHECK_WHITELIST += "CVE-2020-27673"
 
@@ -4966,6 +4969,9 @@ CVE_CHECK_WHITELIST += "CVE-2020-36558"
 # cpe-stable-backport: Backported in 5.4.86
 CVE_CHECK_WHITELIST += "CVE-2020-36694"
 
+# cpe-stable-backport: Backported in 5.4.62
+CVE_CHECK_WHITELIST += "CVE-2020-36766"
+
 # cpe-stable-backport: Backported in 5.4.143
 CVE_CHECK_WHITELIST += "CVE-2020-3702"
 
@@ -6408,7 +6414,8 @@ CVE_CHECK_WHITELIST += "CVE-2022-40768"
 # cpe-stable-backport: Backported in 5.4.213
 CVE_CHECK_WHITELIST += "CVE-2022-4095"
 
-# CVE-2022-40982 has no known resolution
+# cpe-stable-backport: Backported in 5.4.252
+CVE_CHECK_WHITELIST += "CVE-2022-40982"
 
 # cpe-stable-backport: Backported in 5.4.229
 CVE_CHECK_WHITELIST += "CVE-2022-41218"
@@ -6489,9 +6496,9 @@ CVE_CHECK_WHITELIST += "CVE-2022-4382"
 # fixed-version: only affects 5.11rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2022-43945"
 
-# CVE-2022-44032 has no known resolution
+# CVE-2022-44032 needs backporting (fixed from 6.4rc1)
 
-# CVE-2022-44033 has no known resolution
+# CVE-2022-44033 needs backporting (fixed from 6.4rc1)
 
 # CVE-2022-44034 has no known resolution
 
@@ -6504,14 +6511,17 @@ CVE_CHECK_WHITELIST += "CVE-2022-45869"
 
 # CVE-2022-45885 has no known resolution
 
-# CVE-2022-45886 has no known resolution
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45886"
 
-# CVE-2022-45887 has no known resolution
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45887"
 
 # fixed-version: only affects 5.14rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2022-45888"
 
-# CVE-2022-45919 has no known resolution
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45919"
 
 # cpe-stable-backport: Backported in 5.4.229
 CVE_CHECK_WHITELIST += "CVE-2022-45934"
@@ -6586,7 +6596,8 @@ CVE_CHECK_WHITELIST += "CVE-2023-0047"
 # fixed-version: only affects 6.0rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-0122"
 
-# CVE-2023-0160 has no known resolution
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-0160"
 
 # fixed-version: only affects 5.5rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-0179"
@@ -6661,12 +6672,14 @@ CVE_CHECK_WHITELIST += "CVE-2023-1192"
 
 # CVE-2023-1193 has no known resolution
 
-# CVE-2023-1194 has no known resolution
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1194"
 
 # fixed-version: only affects 5.16rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-1195"
 
-# CVE-2023-1206 needs backporting (fixed from 6.5rc4)
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-1206"
 
 # CVE-2023-1249 needs backporting (fixed from 5.18rc1)
 
@@ -6695,7 +6708,8 @@ CVE_CHECK_WHITELIST += "CVE-2023-1513"
 # fixed-version: only affects 5.19rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-1583"
 
-# CVE-2023-1611 needs backporting (fixed from 6.3rc5)
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-1611"
 
 # cpe-stable-backport: Backported in 5.4.189
 CVE_CHECK_WHITELIST += "CVE-2023-1637"
@@ -6744,9 +6758,10 @@ CVE_CHECK_WHITELIST += "CVE-2023-2008"
 # fixed-version: only affects 5.12rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-2019"
 
-# CVE-2023-20569 has no known resolution
+# cpe-stable-backport: Backported in 5.4.252
+CVE_CHECK_WHITELIST += "CVE-2023-20569"
 
-# CVE-2023-20588 has no known resolution
+# CVE-2023-20588 needs backporting (fixed from 6.5rc6)
 
 # cpe-stable-backport: Backported in 5.4.250
 CVE_CHECK_WHITELIST += "CVE-2023-20593"
@@ -6772,7 +6787,8 @@ CVE_CHECK_WHITELIST += "CVE-2023-2124"
 # fixed-version: only affects 5.16rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-21255"
 
-# CVE-2023-21264 needs backporting (fixed from 6.4rc5)
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-21264"
 
 # CVE-2023-21400 has no known resolution
 
@@ -6866,6 +6882,9 @@ CVE_CHECK_WHITELIST += "CVE-2023-25012"
 # cpe-stable-backport: Backported in 5.4.242
 CVE_CHECK_WHITELIST += "CVE-2023-2513"
 
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-25775"
+
 # fixed-version: only affects 6.3rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-2598"
 
@@ -6918,7 +6937,8 @@ CVE_CHECK_WHITELIST += "CVE-2023-2898"
 # cpe-stable-backport: Backported in 5.4.235
 CVE_CHECK_WHITELIST += "CVE-2023-2985"
 
-# CVE-2023-3006 needs backporting (fixed from 6.1rc1)
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-3006"
 
 # Skipping CVE-2023-3022, no affected_versions
 
@@ -6940,11 +6960,11 @@ CVE_CHECK_WHITELIST += "CVE-2023-3106"
 
 # CVE-2023-31082 has no known resolution
 
-# CVE-2023-31083 has no known resolution
+# CVE-2023-31083 needs backporting (fixed from 6.6rc1)
 
 # CVE-2023-31084 needs backporting (fixed from 6.4rc3)
 
-# CVE-2023-31085 has no known resolution
+# CVE-2023-31085 needs backporting (fixed from 5.4.258)
 
 # cpe-stable-backport: Backported in 5.4.247
 CVE_CHECK_WHITELIST += "CVE-2023-3111"
@@ -7017,7 +7037,8 @@ CVE_CHECK_WHITELIST += "CVE-2023-3317"
 # cpe-stable-backport: Backported in 5.4.240
 CVE_CHECK_WHITELIST += "CVE-2023-33203"
 
-# CVE-2023-33250 has no known resolution
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-33250"
 
 # CVE-2023-33288 needs backporting (fixed from 6.3rc4)
 
@@ -7055,7 +7076,10 @@ CVE_CHECK_WHITELIST += "CVE-2023-34255"
 # cpe-stable-backport: Backported in 5.4.243
 CVE_CHECK_WHITELIST += "CVE-2023-34256"
 
-# CVE-2023-34319 has no known resolution
+# fixed-version: only affects 6.1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-34319"
+
+# CVE-2023-34324 needs backporting (fixed from 5.4.258)
 
 # fixed-version: only affects 5.15rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-3439"
@@ -7094,21 +7118,28 @@ CVE_CHECK_WHITELIST += "CVE-2023-3609"
 # fixed-version: only affects 5.9rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-3610"
 
-# CVE-2023-3611 needs backporting (fixed from 6.5rc2)
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-3611"
 
 # CVE-2023-3640 has no known resolution
 
-# CVE-2023-37453 has no known resolution
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-37453"
 
 # CVE-2023-37454 has no known resolution
 
-# CVE-2023-3772 has no known resolution
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2023-3772"
 
-# CVE-2023-3773 has no known resolution
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3773"
 
 # cpe-stable-backport: Backported in 5.4.251
 CVE_CHECK_WHITELIST += "CVE-2023-3776"
 
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3777"
+
 # cpe-stable-backport: Backported in 5.4.224
 CVE_CHECK_WHITELIST += "CVE-2023-3812"
 
@@ -7139,12 +7170,44 @@ CVE_CHECK_WHITELIST += "CVE-2023-38432"
 # cpe-stable-backport: Backported in 5.4.251
 CVE_CHECK_WHITELIST += "CVE-2023-3863"
 
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3865"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3866"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3867"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39189"
+
+# CVE-2023-39191 needs backporting (fixed from 6.3rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39192"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39193"
+
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2023-39194"
+
 # fixed-version: only affects 5.6rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-4004"
 
 # CVE-2023-4010 has no known resolution
 
-# CVE-2023-4128 needs backporting (fixed from 6.5rc5)
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4015"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-40283"
+
+# CVE-2023-40791 needs backporting (fixed from 6.5rc6)
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4128"
 
 # cpe-stable-backport: Backported in 5.4.251
 CVE_CHECK_WHITELIST += "CVE-2023-4132"
@@ -7156,9 +7219,97 @@ CVE_CHECK_WHITELIST += "CVE-2023-4132"
 # fixed-version: only affects 5.9rc1 onwards
 CVE_CHECK_WHITELIST += "CVE-2023-4147"
 
-# CVE-2023-4155 has no known resolution
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4155"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4194"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4206"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4207"
 
-# CVE-2023-4194 needs backporting (fixed from 6.5rc5)
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4208"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4244"
 
-# CVE-2023-4273 needs backporting (fixed from 6.5rc5)
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4273"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42752"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42753"
+
+# CVE-2023-42754 needs backporting (fixed from 5.4.258)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42755"
+
+# fixed-version: only affects 6.4rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-42756"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2023-4385"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2023-4387"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4389"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4394"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-44466"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2023-4459"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4563"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4569"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-45862"
+
+# CVE-2023-45863 needs backporting (fixed from 6.3rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-45871"
+
+# CVE-2023-45898 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-4610 has no known resolution
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4611"
+
+# CVE-2023-4622 needs backporting (fixed from 6.5rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-4623"
+
+# CVE-2023-4732 needs backporting (fixed from 5.14rc1)
+
+# CVE-2023-4881 needs backporting (fixed from 6.6rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-4921"
+
+# CVE-2023-5158 has no known resolution
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5197"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5345"
 
-- 
2.34.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Friday, January 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6460

The following changes since commit b3dd6852c0d6b8aa9b36377d7024ac95062e8098:

  linux-firmware: upgrade 20230804 -> 20231030 (2024-01-04 07:24:12 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Peter Marko (1):
  zlib: ignore CVE-2023-6992

Vijay Anusuri (5):
  go: Backport fix for CVE-2023-45287
  xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478
  libxml2: Fix for CVE-2023-45322
  qemu: Backport fix for CVE-2023-2861
  libtiff: Fix for CVE-2023-6228

 .../libxml/libxml2/CVE-2023-45322-1.patch     |   50 +
 .../libxml/libxml2/CVE-2023-45322-2.patch     |   80 +
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |    2 +
 meta/recipes-core/zlib/zlib_1.2.11.bb         |    3 +
 meta/recipes-devtools/go/go-1.14.inc          |    4 +
 .../go/go-1.14/CVE-2023-45287-pre1.patch      |  393 ++++
 .../go/go-1.14/CVE-2023-45287-pre2.patch      |  401 ++++
 .../go/go-1.14/CVE-2023-45287-pre3.patch      |   86 +
 .../go/go-1.14/CVE-2023-45287.patch           | 1697 +++++++++++++++++
 meta/recipes-devtools/qemu/qemu.inc           |    2 +
 ...x-libcap-header-issue-on-some-distro.patch |    9 +-
 ...e-O_NOATIME-if-we-don-t-have-permiss.patch |   63 +
 .../qemu/qemu/CVE-2023-2861.patch             |  178 ++
 .../xserver-xorg/CVE-2023-6377.patch          |   79 +
 .../xserver-xorg/CVE-2023-6478.patch          |   63 +
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |    2 +
 .../libtiff/files/CVE-2023-6228.patch         |   30 +
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |    1 +
 18 files changed, 3140 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch

-- 
2.34.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Thursday, December 28

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6376

The following changes since commit 05d9f9c6b27c0216fa4e349109ef42cf91bb4084:

  testimage: Exclude wtmp from target-dumper commands (2023-12-21 04:08:46 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Hitendra Prajapati (1):
  bluez5: fix CVE-2023-45866

Lee Chee Yang (1):
  curl: fix CVE-2023-46218

Steve Sakoman (1):
  testimage: drop target_dumper and  host_dumper

Vijay Anusuri (2):
  flac: Backport fix for CVE-2021-0561
  openssh: backport Debian patch for CVE-2023-48795

Virendra Thakur (1):
  binutils: fix multiple cve

 meta/classes/testimage.bbclass                |  21 -
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2023-45866.patch        |  54 ++
 .../openssh/openssh/CVE-2023-48795.patch      | 468 ++++++++++++++++++
 .../openssh/openssh_8.2p1.bb                  |   1 +
 .../binutils/binutils-2.34.inc                |   6 +
 .../binutils/binutils/CVE-2022-47007.patch    |  32 ++
 .../binutils/binutils/CVE-2022-47008.patch    |  64 +++
 .../binutils/binutils/CVE-2022-47010.patch    |  34 ++
 .../binutils/binutils/CVE-2022-47011.patch    |  31 ++
 .../binutils/binutils/CVE-2022-47695.patch    |  57 +++
 .../binutils/binutils/CVE-2022-48063.patch    |  49 ++
 .../flac/files/CVE-2021-0561.patch            |  34 ++
 meta/recipes-multimedia/flac/flac_1.3.3.bb    |   1 +
 .../curl/curl/CVE-2023-46218.patch            |  52 ++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 16 files changed, 885 insertions(+), 21 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
 create mode 100644 meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46218.patch

-- 
2.34.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this final set of patches for the dunfell 3.1.24 release.

We hope to do the release build this Thursday, so please have any comments
back as soon as possible.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5043

The following changes since commit 51424b9955374196307aaf73cf4b6c184ce4fb6d:

  devshell: Do not add scripts/git-intercept to PATH (2023-03-06 04:54:35 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ming Liu (1):
  linux: inherit pkgconfig in kernel.bbclass

Richard Purdie (1):
  oeqa/selftest/prservice: Improve debug output for failure

Ross Burton (2):
  shadow: ignore CVE-2016-15024
  vim: add missing pkgconfig inherit

Siddharth Doshi (1):
  harfbuzz: Security fix for CVE-2023-25193

Vivek Kumbhar (1):
  gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key
    exchange code

 meta/classes/kernel.bbclass                   |   2 +-
 meta/lib/oeqa/selftest/cases/prservice.py     |   2 +-
 meta/recipes-extended/shadow/shadow_4.8.1.bb  |   4 +
 .../harfbuzz/CVE-2023-25193-pre0.patch        | 335 ++++++++++++++++++
 .../harfbuzz/CVE-2023-25193-pre1.patch        | 135 +++++++
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch    | 179 ++++++++++
 .../harfbuzz/harfbuzz_2.6.4.bb                |   5 +-
 meta/recipes-kernel/linux/linux-yocto-dev.bb  |   2 -
 .../gnutls/gnutls/CVE-2023-0361.patch         |  85 +++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 meta/recipes-support/vim/vim.inc              |   2 +-
 11 files changed, 746 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch

-- 
2.34.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4272

The following changes since commit ef38f7acee3f0ae400138fa60f4695a86dffc16e:

  linux-yocto/5.4: update to v5.4.213 (2022-09-22 04:40:18 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Dmitry Baryshkov (3):
  linux-firmware: upgrade 20220708 -> 20220913
  linux-firmware: package new Qualcomm firmware
  linux-firmware: package new Qualcomm firmware

Minjae Kim (1):
  inetutils: CVE-2022-39028 - fix remote DoS vulnerability in
    inetutils-telnetd

Richard Purdie (1):
  vim: Upgrade 9.0.453 -> 9.0.541

Robert Joslyn (1):
  tzdata: Update from 2022b to 2022c

 .../inetutils/inetutils/CVE-2022-39028.patch  | 54 +++++++++++++++++++
 .../inetutils/inetutils_1.9.4.bb              |  1 +
 meta/recipes-extended/timezone/timezone.inc   |  6 +--
 ...20220708.bb => linux-firmware_20220913.bb} | 39 ++++++++++++--
 meta/recipes-support/vim/vim.inc              |  4 +-
 5 files changed, 95 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220708.bb => linux-firmware_20220913.bb} (94%)

-- 
2.25.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4245

The following changes since commit 46ba253059738dbd4de4bc7a7ac02a2585c498f5:

  vim: Upgrade 9.0.0341 -> 9.0.0453 (2022-09-14 08:08:22 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Andrei Gherzan (1):
  qemu: Define libnfs PACKAGECONFIG

Chee Yang Lee (1):
  qemu: fix and ignore several CVEs

Hitendra Prajapati (1):
  connman: CVE-2022-32293 man-in-the-middle attack against a WISPR HTTP

Richard Purdie (1):
  qemu: Add PACKAGECONFIG for brlapi

Virendra Thakur (2):
  sqlite3: Fix CVE-2020-35525
  sqlite3: Fix CVE-2020-35527

 .../connman/connman/CVE-2022-32293.patch      | 266 ++++++++++++++++++
 .../connman/connman_1.37.bb                   |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |  17 ++
 .../qemu/qemu/CVE-2020-13754-1.patch          |  91 ++++++
 .../qemu/qemu/CVE-2020-13754-2.patch          |  69 +++++
 .../qemu/qemu/CVE-2020-13754-3.patch          |  65 +++++
 .../qemu/qemu/CVE-2020-13754-4.patch          |  39 +++
 .../qemu/qemu/CVE-2021-3713.patch             |  67 +++++
 .../qemu/qemu/CVE-2021-3748.patch             | 124 ++++++++
 .../qemu/qemu/CVE-2021-3930.patch             |  53 ++++
 .../qemu/qemu/CVE-2021-4206.patch             |  89 ++++++
 .../qemu/qemu/CVE-2021-4207.patch             |  43 +++
 .../qemu/qemu/CVE-2022-0216-1.patch           |  42 +++
 .../qemu/qemu/CVE-2022-0216-2.patch           |  52 ++++
 .../sqlite/files/CVE-2020-35525.patch         |  21 ++
 .../sqlite/files/CVE-2020-35527.patch         |  22 ++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |   2 +
 17 files changed, 1063 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35525.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch

-- 
2.25.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3805

The following changes since commit 135adeb82c9303c26193bb6f6bd3bc696793aa62:

  archiver: don't use machine variables in shared recipes (2022-06-15 06:40:10 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Chee Yang Lee (1):
  dpkg: update to 1.19.8

Dmitry Baryshkov (2):
  linux-firmware: add support for building snapshots
  linux-firmware: upgrade 20220509 -> 20220610

Hitendra Prajapati (2):
  python-pip: CVE-2021-3572 Incorrect handling of unicode separators in
    git references
  golang: CVE-2021-44717 syscall: don't close fd 0 on ForkExec error

Nick Potenski (1):
  systemd: systemd-systemctl: Support instance conf files during enable

 .../systemd/systemd-systemctl/systemctl       | 14 +++-
 .../dpkg/{dpkg_1.19.7.bb => dpkg_1.19.8.bb}   |  4 +-
 meta/recipes-devtools/go/go-1.14.inc          |  1 +
 .../go/go-1.14/CVE-2021-44717.patch           | 83 ++++++++++++++++++
 .../python/python3-pip/CVE-2021-3572.patch    | 48 +++++++++++
 .../python/python3-pip_20.0.2.bb              |  1 +
 ...01-Makefile-replace-mkdir-by-install.patch | 84 -------------------
 ...20220509.bb => linux-firmware_20220610.bb} | 11 ++-
 8 files changed, 154 insertions(+), 92 deletions(-)
 rename meta/recipes-devtools/dpkg/{dpkg_1.19.7.bb => dpkg_1.19.8.bb} (86%)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch
 create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
 delete mode 100644 meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220509.bb => linux-firmware_20220610.bb} (99%)

-- 
2.25.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end of
day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3587

The following changes since commit 8e81d38048c953d0823abf04d5b2506cd988f0bb:

  build-appliance-image: Update to dunfell head revision (2022-04-25 15:58:54 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Dmitry Baryshkov (1):
  linux-firmware: correct license for ar3k firmware

Marta Rybczynska (1):
  cve-check: add json format

Richard Purdie (1):
  perf-build-test/report: Drop phantomjs and html email reports support

Ross Burton (1):
  boost: don't specify gcc version

Steve Sakoman (1):
  scripts/contrib/oe-build-perf-report-email.py: remove obsolete check
    for phantomjs and optipng

sana kazi (1):
  tiff: Fix CVE-2022-0891

 meta/classes/cve-check.bbclass                | 144 +++++++++++-
 meta/lib/oe/cve_check.py                      |  16 ++
 .../linux-firmware/linux-firmware_20220411.bb |   4 +-
 .../libtiff/files/CVE-2022-0891.patch         | 217 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 meta/recipes-support/boost/boost.inc          |   2 +-
 scripts/contrib/build-perf-test-wrapper.sh    |  15 +-
 scripts/contrib/oe-build-perf-report-email.py | 167 +-------------
 8 files changed, 388 insertions(+), 178 deletions(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch

-- 
2.25.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this next set of patches for dundell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2247

The following changes since commit 2246b0d7a71c69eb2e89c55991d1387069895466:

  kernel-devicetree: Introduce KERNEL_DTC_FLAGS to pass dtc flags (2021-06-08 04:32:17 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Andrea Adami (1):
  kernel.bbclass: fix do_sizecheck() comparison

Kai Kang (1):
  valgrind: fix a typo

Lee Chee Yang (4):
  gstreamer-plugins-good: fix CVE-2021-3497 CVE-2021-3498
  bind: 9.11.22 -> 9.11.32
  ruby: 2.7.1 -> 2.7.3
  python3: fix CVE-2021-23336

 meta/classes/kernel.bbclass                   |   2 +-
 .../bind/bind/CVE-2020-8625.patch             |  17 -
 .../bind/{bind_9.11.22.bb => bind_9.11.32.bb} |   5 +-
 .../python/python3/CVE-2021-23336.patch       | 530 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 .../ruby/ruby/CVE-2020-25613.patch            |  40 --
 .../ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb}     |   5 +-
 .../valgrind/valgrind_3.15.0.bb               |   2 +-
 .../CVE-2021-3497.patch                       | 207 +++++++
 .../CVE-2021-3498.patch                       |  44 ++
 .../gstreamer1.0-plugins-good_1.16.3.bb       |   2 +
 11 files changed, 790 insertions(+), 65 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
 rename meta/recipes-connectivity/bind/{bind_9.11.22.bb => bind_9.11.32.bb} (96%)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-23336.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
 rename meta/recipes-devtools/ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb} (94%)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch

-- 
2.25.1

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2220

The following changes since commit 090452c5284181f18c32dc33887f4dda20c48004:

  Revert "busybox: make busybox's syslog.cfg depend on VIRTUAL-RUNTIME_base-utils-syslog" (2021-06-08 04:32:17 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.120
  linux-yocto/5.4: update to v5.4.123

Klaus Heinrich Kiwi (1):
  kernel-fitimage: Don't use unit addresses on FIT

Lee Chee Yang (2):
  libxml: fix CVE-2021-3517 CVE-2021-3537
  gnutls: fix CVE-2021-20231 CVE-2021-20232

Ovidiu Panait (1):
  kernel-devicetree: Introduce KERNEL_DTC_FLAGS to pass dtc flags

 meta/classes/kernel-devicetree.bbclass        |  7 ++
 meta/classes/kernel-fitimage.bbclass          | 32 ++++-----
 .../libxml/libxml2/CVE-2021-3517.patch        | 53 +++++++++++++++
 .../libxml/libxml2/CVE-2021-3537.patch        | 50 ++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +
 .../linux/linux-yocto-rt_5.4.bb               |  6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +--
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++---
 .../gnutls/gnutls/CVE-2021-20231.patch        | 67 +++++++++++++++++++
 .../gnutls/gnutls/CVE-2021-20232.patch        | 65 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |  2 +
 11 files changed, 280 insertions(+), 34 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch

-- 
2.25.1