[OE-core][kirkstone 0/8] Patch review

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for the kirkstone 4.0.3 release.

The following changes since commit c33eb7fb1d1e91a005b22b65d221d4b899ec69dc:

  openssh: Add openssh-sftp-server to openssh RDEPENDS (2022-08-02 12:32:44 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  lttng-modules: update 2.13.3 -> 2.13.4

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.135
  linux-yocto/5.15: update to v5.15.58
  linux-yocto-rt/5.15: update to -rt48 (and fix -stable merge)
  linux-yocto/5.15: update to v5.15.59
  linux-yocto/5.15: fix reproducibility issues

He Zhe (1):
  lttng-modules: Fix build failure for kernel v5.15.58

Sundeep KOKKONDA (1):
  glibc : stable 2.35 branch updates

 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +--
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 ...x-compaction-migratepages-event-name.patch |  37 ----
 ...oduce-kfree_skb_reason-v5.15.58.v5.1.patch |  53 +++++
 ...emove-unused-tracepoints-v5.10-v5.15.patch |  44 -----
 ...g-Append-prev_state-to-tp-args-inste.patch |  59 ------
 ...vent-allow-same-provider-and-event-n.patch |  48 -----
 ...g-Don-t-re-read-p-state-when-emittin.patch | 183 ------------------
 .../0004-fix-block-remove-genhd.h-v5.18.patch |  45 -----
 ...emove-REQ_OP_WRITE_SAME-support-v5.1.patch |  79 --------
 ...ndom-remove-unused-tracepoints-v5.18.patch |  47 -----
 ...rethook-for-kretprobe-if-possible-v5.patch |  72 -------
 ...ore-Remove-scsi-scsi_request.h-v5.18.patch |  44 -----
 ...n-cleanup-the-compaction-trace-event.patch | 106 ----------
 ...ules_2.13.3.bb => lttng-modules_2.13.4.bb} |  16 +-
 20 files changed, 95 insertions(+), 816 deletions(-)
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-Fix-compaction-migratepages-event-name.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-sched-tracing-Append-prev_state-to-tp-args-inste.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-Fix-tracepoint-event-allow-same-provider-and-event-n.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-sched-tracing-Don-t-re-read-p-state-when-emittin.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-fix-block-remove-genhd.h-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-scsi-block-Remove-REQ_OP_WRITE_SAME-support-v5.1.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-random-remove-unused-tracepoints-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-kprobes-Use-rethook-for-kretprobe-if-possible-v5.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0008-fix-scsi-core-Remove-scsi-scsi_request.h-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0010-fix-mm-compaction-cleanup-the-compaction-trace-event.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.3.bb => lttng-modules_2.13.4.bb} (60%)

-- 
2.25.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Friday.

This should be the final set of patches for the 4.0.5 release.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380

The following changes since commit 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:

  lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (2):
  linux-yocto/5.10: update to v5.10.147
  linux-yocto/5.10: update to v5.10.149

Steve Sakoman (1):
  Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"

Tim Orling (1):
  git: upgrade 2.35.4 -> 2.35.5

Vyacheslav Yurkov (2):
  files: overlayfs-etc: refactor preinit template
  classes: files: Extend overlayfs-etc class

Yash Shinde (2):
  binutils: stable 2.38 branch updates
  glibc: stable 2.35 branch updates.

 meta/classes/overlayfs-etc.bbclass            |  5 +++-
 meta/files/overlayfs-etc-preinit.sh.in        | 23 ++++++++++++++----
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 .../binutils/binutils-2.38.inc                |  2 +-
 .../git/{git_2.35.4.bb => git_2.35.5.bb}      |  2 +-
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 ...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} |  2 +-
 9 files changed, 45 insertions(+), 29 deletions(-)
 rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb => lttng-tools_2.13.4.bb} (98%)

-- 
2.25.1

Re: [OE-core][kirkstone 0/8] Patch review

[Tim Orling]

[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]

On Wed, Oct 26, 2022 at 7:36 PM Steve Sakoman <steve@sakoman.com> wrote:

> Please review this set of patches for kirkstone and have comments back by
> end of day Friday.
>
> This should be the final set of patches for the 4.0.5 release.


I am intentionally holding off on a Python 3.10.8 upgrade just to let this
release get out in a stable manner.


>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380
>
> The following changes since commit
> 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:
>
>   lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib
> stable/kirkstone-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>
> Bruce Ashfield (2):
>   linux-yocto/5.10: update to v5.10.147
>   linux-yocto/5.10: update to v5.10.149
>
> Steve Sakoman (1):
>   Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
>
> Tim Orling (1):
>   git: upgrade 2.35.4 -> 2.35.5
>
> Vyacheslav Yurkov (2):
>   files: overlayfs-etc: refactor preinit template
>   classes: files: Extend overlayfs-etc class
>
> Yash Shinde (2):
>   binutils: stable 2.38 branch updates
>   glibc: stable 2.35 branch updates.
>
>  meta/classes/overlayfs-etc.bbclass            |  5 +++-
>  meta/files/overlayfs-etc-preinit.sh.in        | 23 ++++++++++++++----
>  meta/recipes-core/glibc/glibc-version.inc     |  2 +-
>  .../binutils/binutils-2.38.inc                |  2 +-
>  .../git/{git_2.35.4.bb => git_2.35.5.bb}      |  2 +-
>  .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
>  .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
>  meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
>  ...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} |  2 +-
>  9 files changed, 45 insertions(+), 29 deletions(-)
>  rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
>  rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb =>
> lttng-tools_2.13.4.bb} (98%)
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#172179):
> https://lists.openembedded.org/g/openembedded-core/message/172179
> Mute This Topic: https://lists.openembedded.org/mt/94596838/924729
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> ticotimo@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 5084 bytes --]

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5209

The following changes since commit b67e714b367a08fdeeeff68c2d9495ec9bc07304:

  package.bbclass: correct check for /build in copydebugsources() (2023-04-14 07:19:08 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (2):
  ruby: CVE-2023-28756 ReDoS vulnerability in Time
  screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

Peter Marko (1):
  go: ignore CVE-2022-41716

Shubham Kulkarni (1):
  go-runtime: Security fix for CVE-2022-41722

Siddharth Doshi (1):
  curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538

Sundeep KOKKONDA (1):
  cargo : non vulnerable cve-2022-46176 added to excluded list

Vivek Kumbhar (1):
  go: fix CVE-2023-24537 Infinite loop in parsing

Xiangyu Chen (1):
  shadow: backport patch to fix CVE-2023-29383

 .../distro/include/cve-extra-exclusions.inc   |   5 +
 meta/recipes-devtools/go/go-1.17.13.inc       |   5 +
 .../go/go-1.18/CVE-2022-41722.patch           | 103 +++++++++
 .../go/go-1.18/CVE-2023-24537.patch           |  75 +++++++
 .../ruby/ruby/CVE-2023-28756.patch            |  73 +++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../screen/screen/CVE-2023-24626.patch        |  40 ++++
 meta/recipes-extended/screen/screen_4.9.0.bb  |   1 +
 .../files/0001-Overhaul-valid_field.patch     |  65 ++++++
 .../shadow/files/CVE-2023-29383.patch         |  53 +++++
 meta/recipes-extended/shadow/shadow.inc       |   2 +
 .../curl/curl/CVE-2023-27535-pre1.patch       | 196 ++++++++++++++++++
 .../CVE-2023-27535_and_CVE-2023-27538.patch   | 170 +++++++++++++++
 .../curl/curl/CVE-2023-27536.patch            |  52 +++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   3 +
 15 files changed, 844 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
 create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5638

The following changes since commit d877d5f07772ec4a05332068ddc03cf387313036:

  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK (2023-07-17 04:45:01 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  ghostscript: fix CVE-2023-36664

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.119
  linux-yocto/5.15: update to v5.15.120

Richard Purdie (1):
  gcc-testsuite: Fix ppc cpu specification

Ross Burton (2):
  gcc: don't pass --enable-standard-branch-protection
  machine/arch-arm64: add -mbranch-protection=standard

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Xiangyu Chen (1):
  package.bbclass: moving field data process before variable process in
    process_pkgconfig

 meta/classes/package.bbclass                  |  12 +-
 meta/conf/machine/include/arm/arch-arm64.inc  |   5 +
 .../gcc/gcc-configure-common.inc              |   1 -
 meta/recipes-devtools/gcc/gcc-testsuite.inc   |   5 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-0330.patch             |  75 +++++++++
 .../ghostscript/CVE-2023-36664-0001.patch     | 146 ++++++++++++++++++
 .../ghostscript/CVE-2023-36664-0002.patch     |  60 +++++++
 .../ghostscript/ghostscript_9.55.0.bb         |   2 +
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 ++--
 12 files changed, 317 insertions(+), 28 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 29.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5789

The following changes since commit ea920e3c8075f3a1b79039341f8c889f6197a07f:

  glibc-locale: use stricter matching for metapackages' runtime dependencies (2023-08-22 07:07:13 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Narpat Mali (2):
  ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
  python3-git: upgrade 3.1.27 -> 3.1.32

Ross Burton (3):
  linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
  linux/cve-exclusion: add generated CVE_CHECK_IGNORES.
  linux/cve-exclusion: remove obsolete manual entries

Siddharth (1):
  Qemu: Resolve undefined reference issue in CVE-2023-2861

Soumya Sambu (1):
  go: Fix CVE-2023-29409

Yogita Urade (1):
  nghttp2: fix CVE-2023-35945

 meta/recipes-devtools/go/go-1.17.13.inc       |    1 +
 .../go/go-1.19/CVE-2023-29409.patch           |  175 +
 ...-git-CVE-2022-24439-fix-from-PR-1518.patch |   97 -
 ...-git-CVE-2022-24439-fix-from-PR-1521.patch |  488 --
 ...n3-git_3.1.27.bb => python3-git_3.1.32.bb} |    6 +-
 .../qemu/qemu/CVE-2023-2861.patch             |   66 +-
 meta/recipes-kernel/linux/cve-exclusion.inc   |  869 --
 .../linux/cve-exclusion_5.15.inc              | 7193 +++++++++++++++++
 .../linux/generate-cve-exclusions.py          |  101 +
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |    1 +
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |    6 +
 .../nghttp2/nghttp2/CVE-2023-35945.patch      |  151 +
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |    1 +
 13 files changed, 7667 insertions(+), 1488 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch
 delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
 delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
 rename meta/recipes-devtools/python/{python3-git_3.1.27.bb => python3-git_3.1.32.bb} (80%)
 create mode 100644 meta/recipes-kernel/linux/cve-exclusion_5.15.inc
 create mode 100755 meta/recipes-kernel/linux/generate-cve-exclusions.py
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 15.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5876

The following changes since commit 47a1dd7f389e3cf4ac2dc5fc21dccc870aafab4a:

  sysklogd: fix integration with systemd-journald (2023-09-05 13:34:12 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Meenali Gupta (1):
  flac: fix CVE-2020-22219

Michael Halstead (1):
  yocto-uninative: Update to 4.3

Narpat Mali (1):
  python3-pygments: Fix CVE-2022-40896

Siddharth Doshi (1):
  gdb: Fix CVE-2023-39128

Soumya Sambu (1):
  libxml2: Fix CVE-2023-39615

Yogita Urade (3):
  dropbear: fix CVE-2023-36328
  qemu: fix CVE-2021-3638
  webkitgtk: fix CVE-2022-48503

 meta/conf/distro/include/yocto-uninative.inc  |   8 +-
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2023-36328.patch    | 144 +++++++++++
 .../libxml/libxml2/CVE-2023-39615-0001.patch  |  37 +++
 .../libxml/libxml2/CVE-2023-39615-0002.patch  |  72 ++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |   2 +
 meta/recipes-devtools/gdb/gdb.inc             |   1 +
 .../gdb/gdb/0011-CVE-2023-39128.patch         |  75 ++++++
 .../python3-pygments/CVE-2022-40896.patch     | 124 ++++++++++
 .../python/python3-pygments_2.11.2.bb         |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2021-3638.patch             |  88 +++++++
 .../flac/files/CVE-2020-22219.patch           | 197 +++++++++++++++
 meta/recipes-multimedia/flac/flac_1.3.4.bb    |   1 +
 .../webkit/webkitgtk/CVE-2022-48503.patch     | 225 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 16 files changed, 975 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
 create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
 create mode 100644 meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
 create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6260

The following changes since commit 8726ae02d760270f9e7fe7ef5715d8f7553371ce:

  goarch: Move Go architecture mapping to a library (2023-11-21 05:32:39 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  gstreamer1.0-plugins-bad: fix CVE-2023-44429
  vim: Upgrade 9.0.2048 -> 9.0.2068

Hitendra Prajapati (1):
  grub: fix CVE-2023-4693

Li Wang (1):
  systemtap_git: fix used uninitialized error

Ninad Palsule (1):
  kernel-fitImage: Strip path component from dtb

Richard Purdie (1):
  vim: Improve locale handling

Steve Sakoman (1):
  vim: use upstream generated .po files

Vivek Kumbhar (1):
  openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys
    or checking excessively long X9.42 DH keys or parameters may be very
    slow

 meta/classes/kernel-fitimage.bbclass          |   5 +
 .../grub/files/CVE-2023-4693.patch            |  62 ++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../openssl/openssl/CVE-2023-5678.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 ...x-Prevent-Werror-maybe-uninitialized.patch |  53 ++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |   1 +
 .../CVE-2023-44429.patch                      |  38 ++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 meta/recipes-support/vim/vim.inc              |  20 +-
 10 files changed, 350 insertions(+), 12 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, February 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6556

The following changes since commit 2bdae590ab20dc4518ba247c903060fa67ed0fc4:

  openssl: Upgrade 3.0.12 -> 3.0.13 (2024-02-05 03:56:38 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  curl: Fix CVE-2023-46219

Bruce Ashfield (1):
  kernel: fix localversion in v6.3+

Jermain Horsman (1):
  systemd: Only add myhostname to nsswitch.conf if in PACKAGECONFIG

Kai Kang (1):
  ghostscript: correct LICENSE with AGPLv3

Narpat Mali (1):
  python3-pycryptodome: Fix CVE-2023-52323

Soumya Sambu (2):
  go: Fix CVE-2023-45285 and CVE-2023-45287
  libgit2: Fix CVE-2024-24575 and CVE-2024-24577

Vijay Anusuri (1):
  libxml2: Fix for CVE-2024-25062

 meta/classes/kernel-arch.bbclass              |    7 +
 meta/classes/kernel.bbclass                   |   10 +-
 .../libxml/libxml2/CVE-2024-25062.patch       |   33 +
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |    1 +
 meta/recipes-core/systemd/systemd_250.5.bb    |   16 +-
 meta/recipes-devtools/go/go-1.17.13.inc       |    2 +
 .../go/go-1.20/CVE-2023-45285.patch           |  110 ++
 .../go/go-1.20/CVE-2023-45287.patch           | 1695 +++++++++++++++++
 .../python3-pycryptodome/CVE-2023-52323.patch |  436 +++++
 .../python/python3-pycryptodome_3.14.1.bb     |    1 +
 .../CVE-2023-52323.patch                      |  436 +++++
 .../python/python3-pycryptodomex_3.14.1.bb    |    2 +
 .../ghostscript/ghostscript_9.55.0.bb         |    2 +-
 .../curl/curl/CVE-2023-46219-0001.patch       |   42 +
 .../curl/curl/CVE-2023-46219-0002.patch       |  133 ++
 .../curl/curl/CVE-2023-46219-0003.patch       |   81 +
 meta/recipes-support/curl/curl_7.82.0.bb      |    3 +
 .../libgit2/libgit2/CVE-2024-24575.patch      |   56 +
 .../libgit2/libgit2/CVE-2024-24577.patch      |   52 +
 meta/recipes-support/libgit2/libgit2_1.4.5.bb |    5 +-
 20 files changed, 3113 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch
 create mode 100644 meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch
 create mode 100644 meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
 create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
 create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 13

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6670

The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:

  golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (6):
  linux-yocto/5.15: update to v5.15.149
  linux-yocto/5.15: update CVE exclusions
  linux-yocto/5.10: update to v5.10.210
  linux-yocto/5.15: update to v5.15.150
  linux-yocto/5.15: update CVE exclusions (5.15.150)
  linux-yocto/5.15: fix partion scanning

Nikhil R (1):
  librsvg: Fix do_package_qa error for librsvg

Vivek Kumbhar (1):
  go: Backport fix CVE-2024-24784 & CVE-2024-24785

 meta/recipes-devtools/go/go-1.17.13.inc       |   2 +
 .../go/go-1.18/CVE-2024-24784.patch           | 207 ++++++++++++++++++
 .../go/go-1.18/CVE-2024-24785.patch           | 196 +++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.52.10.bb |   2 +
 .../linux/cve-exclusion_5.15.inc              | 197 ++++++++++++++++-
 .../linux/linux-yocto-rt_5.10.bb              |   4 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  22 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 11 files changed, 632 insertions(+), 42 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, May 28

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6956

The following changes since commit f85d5dfc91d536a00669ca3148d8c3b2727b183d:

  libpciaccess: Remove duplicated license entry (2024-05-10 05:05:54 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bob Henz (1):
  systemd-systemctl: Fix WantedBy processing

Colin McAllister (1):
  initscripts: Add custom mount args for /var/lib

Dmitry Baryshkov (1):
  go.bbclass: fix path to linker in native Go builds

Joerg Vehlow (1):
  go: Always pass interpreter to linker

Peter Marko (1):
  openssl: patch CVE-2024-4603

Stefan Herbrechtsmeier (1):
  classes: go-mod: do not pack go mod cache

Vijay Anusuri (1):
  binutils: Rename CVE-2022-38126 patch to CVE-2022-35205

Yogita Urade (1):
  libarchive: fix CVE-2024-26256

 meta/classes/go-mod.bbclass                   |   4 +
 meta/classes/go.bbclass                       |   6 +-
 .../openssl/openssl/CVE-2024-4603.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.13.bb                 |   1 +
 .../initscripts-1.0/read-only-rootfs-hook.sh  |   4 +-
 .../initscripts/initscripts_1.0.bb            |   2 +
 .../systemd/systemd-systemctl/systemctl       |  11 ++
 .../binutils/binutils-2.38.inc                |   2 +-
 ...-38126.patch => 0016-CVE-2022-35205.patch} |   3 +-
 .../libarchive/CVE-2024-26256.patch           |  29 +++
 .../libarchive/libarchive_3.6.2.bb            |   5 +-
 11 files changed, 240 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
 rename meta/recipes-devtools/binutils/binutils/{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch} (94%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch

-- 
2.34.1

[OE-core][kirkstone 1/8] libarchive: fix CVE-2024-26256

[Steve Sakoman]

From: Yogita Urade <yogita.urade@windriver.com>

libarchive Remote Code Execution Vulnerability

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-26256
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-26256

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libarchive/CVE-2024-26256.patch           | 29 +++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |  5 ++--
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
new file mode 100644
index 0000000000..717a31f0e1
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
@@ -0,0 +1,29 @@
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Tue, 14 May 2024 08:50:44 +0000
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135) This patch fixes an
+ out-of-bound error in rar e8 filter.
+
+CVE: CVE-2024-26256
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 793e8e9..b8397d0 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3624,7 +3624,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x1000000;
+   uint32_t i;
+
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+     return 0;
+
+   for (i = 0; i <= length - 5; i++)
+--
+2.40.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 7d328a0060..c83eec9b1a 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -29,8 +29,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
-    file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
-"
+           file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
+           file://CVE-2024-26256.patch \
+           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
 SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
-- 
2.34.1

[OE-core][kirkstone 2/8] openssl: patch CVE-2024-4603

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2024-4603.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.13.bb                 |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 0000000000..b8e0b9fb7d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,180 @@
+From 3559e868e58005d15c6013a0c1fd832e51c73397 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+
+<dropped CHANGES.md modifications as it would need backport of all previous changes>
+
+CVE: CVE-2024-4603
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
+ .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+ create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index fb0e9129a2..122449a7bf 100644
+--- a/crypto/dsa/dsa_check.c
++++ b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++    if (dsa->params.p == NULL || dsa->params.q == NULL) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+ {
+     *ret = 0;
+ 
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
++    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+ 
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
++    if (!dsa_precheck_params(dsa, &ret))
++        return 0;
++
++    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;
+diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 0000000000..e85e2953b7
+--- /dev/null
++++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-----BEGIN DSA PARAMETERS-----
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
++dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
++Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
++pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
++P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
++hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
++UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
++koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
++TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
++RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
++4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
++c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
++cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
++DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
++Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
++rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
++PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
++UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
++5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
++wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
++R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
++xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
++0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
++uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
++9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
++TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
++gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
++ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
++R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
++F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
++SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
+++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
++UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
++fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
++qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
++B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
++hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
++4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
++vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
++k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
++i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
++9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
++ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
++Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
++KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
++x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
++XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
++YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
++ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
++4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
++vKuje86bePD6kD/LH3wmkA==
++-----END DSA PARAMETERS-----
+-- 
+2.30.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
index 3b253ddde0..87ab4047d9 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://CVE-2024-2511.patch \
+           file://CVE-2024-4603.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.34.1

[OE-core][kirkstone 3/8] binutils: Rename CVE-2022-38126 patch to CVE-2022-35205

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

CVE-2022-38126 has been marked "REJECT" in the CVE List by NVD.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-38126

As commit changes in 0016-CVE-2022-38126.patch fixes CVE-2022-35205.
Hence renamed the patch.

Link: https://ubuntu.com/security/CVE-2022-35205

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/binutils/binutils-2.38.inc               | 2 +-
 .../{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch}   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/binutils/binutils/{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch} (94%)

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index bbe7bb57b2..4a8831b534 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -34,7 +34,7 @@ SRC_URI = "\
      file://0013-Avoid-as-info-race-condition.patch \
      file://0014-CVE-2019-1010204.patch \
      file://0015-CVE-2022-38533.patch \
-     file://0016-CVE-2022-38126.patch \
+     file://0016-CVE-2022-35205.patch \
      file://0017-CVE-2022-38127-1.patch \
      file://0017-CVE-2022-38127-2.patch \
      file://0017-CVE-2022-38127-3.patch \
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
similarity index 94%
rename from meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch
rename to meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
index 8200e28a81..a582df4466 100644
--- a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
@@ -9,8 +9,9 @@ Subject: [PATCH] Replace a run-time assertion failure with a warning message
 	message.
 
 Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3e5ae049371a27fd1737aba946fe26d06e029b5]
-
+CVE: CVE-2022-35205
 Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
 ---
  binutils/dwarf.c   | 7 ++++++-
 
-- 
2.34.1

[OE-core][kirkstone 4/8] go: Always pass interpreter to linker

[Steve Sakoman]

From: Joerg Vehlow <joerg.vehlow@aox.de>

When gos internal linker is used, it uses hardcoded paths to the
interpreter (dynamic linker). For x86_64 this hardcoded path is
/lib64/ld-linux-x86-64.so.2, but yocto's default dynamic linker path
is /lib64/ld-linux-x86-64.so.2.
Most of the time, the internal linker is not used and binutils linker
sets the correct path, but sometimes the internal linker is used and
the resulting binary will not work on x86_64.

To ensure the path is always correct, pass  it to the linker.

Signed-off-by: Joerg Vehlow <joerg.vehlow@aox.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b54215074d7f3dbba07f096f16b9c0acf51527c)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/go.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index d944722309..55f9d8f230 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -1,4 +1,5 @@
 inherit goarch
+inherit linuxloader
 
 GO_PARALLEL_BUILD ?= "${@oe.utils.parallel_make_argument(d, '-p %d')}"
 
@@ -44,7 +45,7 @@ GO_LINKMODE ?= ""
 GO_LINKMODE:class-nativesdk = "--linkmode=external"
 GO_LINKMODE:class-native = "--linkmode=external"
 GO_EXTRA_LDFLAGS ?= ""
-GO_LDFLAGS ?= '-ldflags="${GO_RPATH} ${GO_LINKMODE} ${GO_EXTRA_LDFLAGS} -extldflags '${GO_EXTLDFLAGS}'"'
+GO_LDFLAGS ?= '-ldflags="${GO_RPATH} ${GO_LINKMODE} -I ${@get_linuxloader(d)} ${GO_EXTRA_LDFLAGS} -extldflags '${GO_EXTLDFLAGS}'"'
 export GOBUILDFLAGS ?= "-v ${GO_LDFLAGS} -trimpath"
 export GOPATH_OMIT_IN_ACTIONID ?= "1"
 export GOPTESTBUILDFLAGS ?= "${GOBUILDFLAGS} -c"
-- 
2.34.1

[OE-core][kirkstone 5/8] go.bbclass: fix path to linker in native Go builds

[Steve Sakoman]

From: Dmitry Baryshkov <dbaryshkov@gmail.com>

Building native Go tools results in the tool pointing to the wrong
location of dynamic linker (see below). The linker is looked up in the
temporary dir, which can be removed if rm_work is inherited. This
results in being unable to execute the program with the 'No such file or
directory' error. Override linker specificiation for native recipes (and
let Go build environment to pick up a correct one on it's own).

The error is observed in case the distro doesn't use uninative.bbclass.

If uninative.bbclass is used, the binary will be patched automatically
to use the uninative loader instead of the system one.

Without this patch:

$ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
	linux-vdso.so.1 (0x00007ffe945ec000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a7490e000)
	/home/lumag/Projects/RPB/build-rpb/tmp-rpb-glibc/work/x86_64-linux/go-md2man-native/1.0.10+gitAUTOINC+f79a8a8ca6-r0/recipe-sysroot-native/usr/lib/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007f3a74d13000)
$ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man  --help
-bash: tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man: No such file or directory

With the patch

$ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
	linux-vdso.so.1 (0x00007ffd19dbf000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2d44181000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2d44586000)
$ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man  --help
Usage of tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man:
  -in string
	Path to file to be processed (default: stdin)
  -out string
	Path to output processed file (default: stdout)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44b397daa68b4d0a461225fe9ff7db8b5fcfdb7b)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/go.bbclass | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index 55f9d8f230..97366779e3 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -45,7 +45,10 @@ GO_LINKMODE ?= ""
 GO_LINKMODE:class-nativesdk = "--linkmode=external"
 GO_LINKMODE:class-native = "--linkmode=external"
 GO_EXTRA_LDFLAGS ?= ""
-GO_LDFLAGS ?= '-ldflags="${GO_RPATH} ${GO_LINKMODE} -I ${@get_linuxloader(d)} ${GO_EXTRA_LDFLAGS} -extldflags '${GO_EXTLDFLAGS}'"'
+GO_LINUXLOADER ?= "-I ${@get_linuxloader(d)}"
+# Use system loader. If uninative is used, the uninative loader will be patched automatically
+GO_LINUXLOADER:class-native = ""
+GO_LDFLAGS ?= '-ldflags="${GO_RPATH} ${GO_LINKMODE} ${GO_LINUXLOADER} ${GO_EXTRA_LDFLAGS} -extldflags '${GO_EXTLDFLAGS}'"'
 export GOBUILDFLAGS ?= "-v ${GO_LDFLAGS} -trimpath"
 export GOPATH_OMIT_IN_ACTIONID ?= "1"
 export GOPTESTBUILDFLAGS ?= "${GOBUILDFLAGS} -c"
-- 
2.34.1

[OE-core][kirkstone 6/8] classes: go-mod: do not pack go mod cache

[Steve Sakoman]

From: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>

Clean go module cache from builddir to prevent it of beeing packed.

Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 328bea56dec8f83b5c118f567e122510f9243087)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/go-mod.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/go-mod.bbclass b/meta/classes/go-mod.bbclass
index 674d2434e0..1ad782a304 100644
--- a/meta/classes/go-mod.bbclass
+++ b/meta/classes/go-mod.bbclass
@@ -18,3 +18,7 @@ inherit go
 
 GO_WORKDIR ?= "${GO_IMPORT}"
 do_compile[dirs] += "${B}/src/${GO_WORKDIR}"
+
+export GOMODCACHE = "${B}/.mod"
+
+do_compile[cleandirs] += "${B}/.mod"
-- 
2.34.1

[OE-core][kirkstone 7/8] systemd-systemctl: Fix WantedBy processing

[Steve Sakoman]

From: Bob Henz <robert_henz@jabil.com>

An empty string assignment to WantedBy should clear all prior WantedBy
settings. This matches behavior of the current systemd implementation.

(From OE-Core rev: 8ede0083c28fadf1e83c9256618190b931edd306)

Signed-off-by: Bob Henz <robert_henz@jabil.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c653bfc68b06bfd4fa07ba18322599a130b1c59a)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/systemd/systemd-systemctl/systemctl | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index 0fd7e24085..7fe751b397 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -26,6 +26,9 @@ locations = list()
 
 class SystemdFile():
     """Class representing a single systemd configuration file"""
+
+    _clearable_keys = ['WantedBy']
+
     def __init__(self, root, path, instance_unit_name):
         self.sections = dict()
         self._parse(root, path)
@@ -80,6 +83,14 @@ class SystemdFile():
                 v = m.group('value')
                 if k not in section:
                     section[k] = list()
+
+                # If we come across a "key=" line for a "clearable key", then
+                # forget all preceding assignments. This works because we are
+                # processing files in correct parse order.
+                if k in self._clearable_keys and not v:
+                    del section[k]
+                    continue
+
                 section[k].extend(v.split())
 
     def get(self, section, prop):
-- 
2.34.1

[OE-core][kirkstone 8/8] initscripts: Add custom mount args for /var/lib

[Steve Sakoman]

From: Colin McAllister <colin.mcallister@garmin.com>

Adds bitbake variable to set additional mount flags for the /var/lib
overlayfs or bind mount when using a read-only root filesystem. This
can be used to set additional options like "-o nodev".

(From OE-Core rev: c3109e40e2c2c881996dd3fcc95fca74f098646d)

Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../initscripts/initscripts-1.0/read-only-rootfs-hook.sh      | 4 ++--
 meta/recipes-core/initscripts/initscripts_1.0.bb              | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
index 6706a117f7..a29773647f 100644
--- a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
@@ -37,9 +37,9 @@ if [ "$1" = "start" ] ; then
 		mkdir -p /var/volatile/.lib-work
 		# Try to mount using overlay, which is much faster than copying
 		# files. If that fails, fallback to the slower copy
-		if ! mount -t overlay overlay -olowerdir=/var/lib,upperdir=/var/volatile/lib,workdir=/var/volatile/.lib-work /var/lib > /dev/null 2>&1; then
+		if ! mount -t overlay overlay SED_VARLIBMOUNTARGS -olowerdir=/var/lib,upperdir=/var/volatile/lib,workdir=/var/volatile/.lib-work /var/lib > /dev/null 2>&1; then
 			cp -a /var/lib/* /var/volatile/lib
-			mount --bind /var/volatile/lib /var/lib
+			mount SED_VARLIBMOUNTARGS --bind /var/volatile/lib /var/lib
 		fi
 	fi
 fi
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index 7c9d9ca4f1..e28d8c6b72 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -59,10 +59,12 @@ FILES:${PN}-functions = "${sysconfdir}/init.d/functions*"
 FILES:${PN}-sushell = "${base_sbindir}/sushell"
 
 HALTARGS ?= "-d -f"
+VARLIBMOUNTARGS ?= ""
 
 do_configure() {
 	sed -i -e "s:SED_HALTARGS:${HALTARGS}:g" ${WORKDIR}/halt
 	sed -i -e "s:SED_HALTARGS:${HALTARGS}:g" ${WORKDIR}/reboot
+	sed -i -e "s:SED_VARLIBMOUNTARGS:${VARLIBMOUNTARGS}:g" ${WORKDIR}/read-only-rootfs-hook.sh
 }
 
 do_install () {
-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 6

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7206

The following changes since commit c6cafd2aa50357c80fbab79741d575ff567c5766:

  gcc-runtime: remove bashism (2024-07-31 04:59:21 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Ashish Sharma (1):
  gtk+3 : backport fix for CVE-2024-6655

Bruce Ashfield (5):
  linux-yocto/5.15: update to v5.15.158
  linux-yocto/5.15: update to v5.15.160
  linux-yocto/5.15: update to v5.15.161
  linux-yocto/5.15: update to v5.15.162
  linux-yocto/5.15: update to v5.15.164

Siddharth Doshi (1):
  lttng-modules: Upgrade 2.13.9 -> 2.13.14

Soumya Sambu (1):
  go: Fix CVE-2024-24789

 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24789.patch           | 78 +++++++++++++++++++
 .../gtk+/gtk+3/CVE-2024-6655.patch            | 39 ++++++++++
 meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb      |  1 +
 .../linux/linux-yocto-rt_5.15.bb              |  6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |  6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++----
 .../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++--
 ...les_2.13.9.bb => lttng-modules_2.13.14.bb} |  4 +-
 9 files changed, 151 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
 create mode 100644 meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (89%)

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1311

The following changes since commit 453c5c8d9031be2b3a25e2a04e0f5f6325ef7298:

  cve-update-nvd2-native: handle missing vulnStatus (2025-03-31 09:13:54 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepesh Varatharajan (1):
  llvm : Fix CVE-2024-0151

Divya Chellam (1):
  zlib: fix CVE-2014-9485

Guocai He (1):
  mesa: Update SRC_URI

Haixiao Yan (1):
  glibc: Add single-threaded fast path to rand()

Michael Halstead (1):
  yocto-uninative: Update to 4.7 for glibc 2.41

Peter Marko (3):
  libarchive: ignore CVE-2025-1632
  perl: ignore CVE-2023-47038
  freetype: patch CVE-2025-27363

 meta/conf/distro/include/yocto-uninative.inc  |   10 +-
 ...dd-single-threaded-fast-path-to-rand.patch |   47 +
 meta/recipes-core/glibc/glibc_2.35.bb         |    1 +
 .../zlib/zlib/CVE-2014-9485.patch             |   64 +
 meta/recipes-core/zlib/zlib_1.2.11.bb         |    1 +
 .../llvm/llvm/CVE-2024-0151.patch             | 1087 +++++++++++++++++
 meta/recipes-devtools/llvm/llvm_git.bb        |    1 +
 meta/recipes-devtools/perl/perl_5.34.3.bb     |    2 +
 .../libarchive/libarchive_3.6.2.bb            |    2 +
 .../freetype/freetype/CVE-2025-27363.patch    |   44 +
 .../freetype/freetype_2.11.1.bb               |    1 +
 .../recipes-graphics/mesa/mesa-demos_8.4.0.bb |    2 +-
 meta/recipes-graphics/mesa/mesa.inc           |    2 +-
 13 files changed, 1257 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 15

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2196

The following changes since commit bd620eb14660075fd0f7476bbbb65d5da6293874:

  build-appliance-image: Update to kirkstone head revision (2025-08-08 06:31:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Guocai He (1):
  gnupg: disable tests to avoid running target binaries at build time

Hitendra Prajapati (1):
  libxslt: fix CVE-2023-40403

Peter Marko (3):
  python3: patch CVE-2025-8194
  go: ignore CVE-2025-0913
  libarchive: patch CVE-2025-5918

Quentin Schulz (1):
  go-helloworld: fix license

Yogita Urade (2):
  tiff: fix CVE-2025-8176
  tiff: fix CVE-2025-8177

 meta/recipes-devtools/go/go-1.17.13.inc       |   2 +-
 .../python/python3/CVE-2025-8194.patch        | 219 +++++++++++
 .../python/python3_3.10.18.bb                 |   7 +-
 .../go-examples/go-helloworld_0.1.bb          |   4 +-
 .../0001-FILE-seeking-support-2539.patch      | 190 ++++++++++
 .../0001-Improve-lseek-handling-2564.patch    | 320 ++++++++++++++++
 .../libarchive/libarchive/CVE-2025-5918.patch | 217 +++++++++++
 .../libarchive/libarchive_3.6.2.bb            |   3 +
 .../libtiff/tiff/CVE-2025-8176-0001.patch     |  61 +++
 .../libtiff/tiff/CVE-2025-8176-0002.patch     |  31 ++
 .../libtiff/tiff/CVE-2025-8176-0003.patch     |  28 ++
 .../libtiff/tiff/CVE-2025-8177.patch          |  35 ++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   4 +
 meta/recipes-support/gnupg/gnupg_2.3.7.bb     |   1 +
 .../libxslt/libxslt/CVE-2023-40403-001.patch  | 257 +++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-002.patch  | 147 ++++++++
 .../libxslt/libxslt/CVE-2023-40403-003.patch  | 231 ++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-004.patch  | 349 ++++++++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-005.patch  |  55 +++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |   5 +
 20 files changed, 2160 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-FILE-seeking-support-2539.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Improve-lseek-handling-2564.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-002.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-003.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-004.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-005.patch

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 21

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2607

The following changes since commit 8f1000d9dad5e51f08a40b0f6650204425cc8efb:

  glibc: : PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786) (2025-10-14 10:35:12 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (4):
  linux-yocto/5.15: update to v5.15.188
  linux-yocto/5.15: update to v5.15.189
  linux-yocto/5.15: update to v5.15.193
  linux-yocto/5.15: update to v5.15.194

Peter Marko (1):
  python3: upgrade 3.10.18 -> 3.10.19

Rajeshkumar Ramasamy (2):
  glib-networking: fix CVE-2025-60018
  glib-networking: fix CVE-2025-60019

Saravanan (1):
  cmake: fix CVE-2025-9301

 .../glib-networking/CVE-2025-60018.patch      |  83 +++++++
 .../glib-networking/CVE-2025-60019.patch      | 137 +++++++++++
 .../glib-networking/glib-networking_2.72.2.bb |   2 +
 .../cmake/cmake/CVE-2025-9301.patch           |  71 ++++++
 meta/recipes-devtools/cmake/cmake_3.22.3.bb   |   1 +
 ...e-treat-overflow-in-UID-GID-as-failu.patch |   2 +-
 .../python/python3/CVE-2025-8194.patch        | 219 ------------------
 ...{python3_3.10.18.bb => python3_3.10.19.bb} |   3 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 11 files changed, 315 insertions(+), 241 deletions(-)
 create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch
 create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60019.patch
 create mode 100644 meta/recipes-devtools/cmake/cmake/CVE-2025-9301.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
 rename meta/recipes-devtools/python/{python3_3.10.18.bb => python3_3.10.19.bb} (99%)

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, November 5

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2677

The following changes since commit 99204008786f659ab03538cd2ae2fd23ed4164c5:

  build-appliance-image: Update to kirkstone head revision (2025-10-31 06:30:23 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  openssh: fix CVE-2025-61985

Hitendra Prajapati (1):
  go: fix CVE-2024-24783

Hongxu Jia (1):
  u-boot: fix CVE-2024-42040

Jason Schonberg (1):
  Don't use ftp.gnome.org

Peter Marko (3):
  wpa-supplicant: patch CVE-2025-24912
  binutils: patch CVE-2025-11412
  binutils: patch CVE-2025-11413

Praveen Kumar (1):
  bind: upgrade 9.18.33 -> 9.18.41

 .../u-boot/files/CVE-2024-42040.patch         | 56 +++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  4 +-
 .../bind/{bind_9.18.33.bb => bind_9.18.41.bb} |  2 +-
 .../openssh/openssh/CVE-2025-61985.patch      | 35 ++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 .../wpa-supplicant/CVE-2025-24912-01.patch    | 79 ++++++++++++++++++
 .../wpa-supplicant/CVE-2025-24912-02.patch    | 70 ++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  2 +
 .../binutils/binutils-2.38.inc                |  2 +
 .../binutils/binutils/CVE-2025-11412.patch    | 35 ++++++++
 .../binutils/binutils/CVE-2025-11413.patch    | 38 +++++++++
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24783.patch           | 83 +++++++++++++++++++
 .../python/python3-pygobject_3.42.0.bb        |  2 +-
 meta/recipes-devtools/vala/vala.inc           |  2 +-
 meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb      |  2 +-
 meta/recipes-gnome/libgudev/libgudev_237.bb   |  2 +-
 .../recipes-support/libxslt/libxslt_1.1.35.bb |  2 +-
 18 files changed, 411 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
 rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch

-- 
2.43.0