* [OE-core][scarthgap 00/14] Patch review
@ 2024-09-04 21:32 Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 01/14] python3-setuptools: Fix CVE-2024-6345 Steve Sakoman
` (13 more replies)
0 siblings, 14 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-09-04 21:32 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, September 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7306
The following changes since commit 553f31396a5d966ab827f1c4b807ef46649080d0:
linux-firmware: add a package for ath12k firmware (2024-08-28 05:15:47 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Alexander Kanavin (1):
apr: drop
0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
Benjamin Szőke (1):
mc: fix source URL
Dmitry Baryshkov (1):
xserver-xorg: fix CVE-2023-5574 status
Jon Mason (2):
oeqa/runtime/ssh: increase the number of attempts
openssh: add backported header file include
Siddharth Doshi (1):
wpa-supplicant: Upgrade 2.10 -> 2.11
Soumya Sambu (3):
python3-setuptools: Fix CVE-2024-6345
python3: Fix CVE-2024-7592
python3: Fix CVE-2024-8088
Vijay Anusuri (1):
apr: upgrade 1.7.4 -> 1.7.5
Wang Mingyu (4):
cups: upgrade 2.4.9 -> 2.4.10
libadwaita: upgrade 1.5.1 -> 1.5.2
libdnf: upgrade 0.73.1 -> 0.73.2
wireless-regdb: upgrade 2024.05.08 -> 2024.07.04
meta/lib/oeqa/runtime/cases/ssh.py | 2 +-
...sing-header-for-systemd-notification.patch | 27 ++
.../openssh/openssh_9.6p1.bb | 1 +
...all-wpa_passphrase-when-not-disabled.patch | 33 --
...te-Phase-2-authentication-requiremen.patch | 213 ------------
...options-for-libwpa_client.so-and-wpa.patch | 73 ----
...oval-of-wpa_passphrase-on-make-clean.patch | 26 --
...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
.../{libdnf_0.73.1.bb => libdnf_0.73.2.bb} | 2 +-
.../python3-setuptools/CVE-2024-6345.patch | 312 ++++++++++++++++++
.../python/python3-setuptools_69.1.1.bb | 4 +-
.../python/python3/CVE-2024-7592.patch | 143 ++++++++
.../python/python3/CVE-2024-8088.patch | 128 +++++++
.../recipes-devtools/python/python3_3.12.4.bb | 2 +
.../cups/0001-use-echo-only-in-init.patch | 11 +-
...-don-t-try-to-run-generated-binaries.patch | 16 +-
...-fix-multilib-install-file-conflicts.patch | 12 +-
.../cups/{cups_2.4.9.bb => cups_2.4.10.bb} | 2 +-
meta/recipes-extended/mc/mc_4.8.31.bb | 2 +-
...ibadwaita_1.5.1.bb => libadwaita_1.5.2.bb} | 2 +-
.../xorg-xserver/xserver-xorg.inc | 2 +-
....05.08.bb => wireless-regdb_2024.07.04.bb} | 2 +-
...-runtime-test-for-mmap-that-can-map-.patch | 2 +-
...libapr-against-phtread-to-make-gold-.patch | 50 ---
.../apr/{apr_1.7.4.bb => apr_1.7.5.bb} | 3 +-
25 files changed, 642 insertions(+), 438 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
rename meta/recipes-devtools/libdnf/{libdnf_0.73.1.bb => libdnf_0.73.2.bb} (97%)
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
rename meta/recipes-extended/cups/{cups_2.4.9.bb => cups_2.4.10.bb} (51%)
rename meta/recipes-gnome/libadwaita/{libadwaita_1.5.1.bb => libadwaita_1.5.2.bb} (88%)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} (94%)
delete mode 100644 meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
rename meta/recipes-support/apr/{apr_1.7.4.bb => apr_1.7.5.bb} (96%)
--
2.34.1
* [OE-core][scarthgap 01/14] python3-setuptools: Fix CVE-2024-6345
2024-09-04 21:32 [OE-core][scarthgap 00/14] Patch review Steve Sakoman
@ 2024-09-04 21:32 ` Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 02/14] python3: Fix CVE-2024-7592 Steve Sakoman
` (12 subsequent siblings)
13 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-09-04 21:32 UTC
To: openembedded-core
From: Soumya Sambu <soumya.sambu@windriver.com>
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
Upstream-patch:
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python3-setuptools/CVE-2024-6345.patch | 312 ++++++++++++++++++
.../python/python3-setuptools_69.1.1.bb | 4 +-
2 files changed, 315 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
new file mode 100644
index 0000000000..ac520be74a
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
@@ -0,0 +1,312 @@
+From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001
+From: Jason R. Coombs <jaraco@jaraco.com>
+Date: Mon Apr 29 20:01:38 2024 -0400
+Subject: [PATCH] Merge pull request #4332 from pypa/debt/package-index-vcs
+
+Modernize package_index VCS handling
+
+CVE: CVE-2024-6345
+
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ setup.cfg | 1 +
+ setuptools/package_index.py | 145 ++++++++++++++------------
+ setuptools/tests/test_packageindex.py | 56 +++++-----
+ 3 files changed, 106 insertions(+), 96 deletions(-)
+
+diff --git a/setup.cfg b/setup.cfg
+index edf9798..238d00a 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -65,6 +65,7 @@ testing =
+ sys_platform != "cygwin"
+ jaraco.develop >= 7.21; python_version >= "3.9" and sys_platform != "cygwin"
+ pytest-home >= 0.5
++ pytest-subprocess
+ testing-integration =
+ pytest
+ pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 271aa97..00a972d 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,6 +1,7 @@
+ """PyPI and direct package downloading."""
+
+ import sys
++import subprocess
+ import os
+ import re
+ import io
+@@ -585,7 +586,7 @@ class PackageIndex(Environment):
+ scheme = URL_SCHEME(spec)
+ if scheme:
+ # It's a url, download it to tmpdir
+- found = self._download_url(scheme.group(1), spec, tmpdir)
++ found = self._download_url(spec, tmpdir)
+ base, fragment = egg_info_for_url(spec)
+ if base.endswith('.py'):
+ found = self.gen_setup(found, fragment, tmpdir)
+@@ -814,7 +815,7 @@ class PackageIndex(Environment):
+ else:
+ raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+
+- def _download_url(self, scheme, url, tmpdir):
++ def _download_url(self, url, tmpdir):
+ # Determine download filename
+ #
+ name, fragment = egg_info_for_url(url)
+@@ -829,19 +830,59 @@ class PackageIndex(Environment):
+
+ filename = os.path.join(tmpdir, name)
+
+- # Download the file
+- #
+- if scheme == 'svn' or scheme.startswith('svn+'):
+- return self._download_svn(url, filename)
+- elif scheme == 'git' or scheme.startswith('git+'):
+- return self._download_git(url, filename)
+- elif scheme.startswith('hg+'):
+- return self._download_hg(url, filename)
+- elif scheme == 'file':
+- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
+- else:
+- self.url_ok(url, True) # raises error if not allowed
+- return self._attempt_download(url, filename)
++ return self._download_vcs(url, filename) or self._download_other(url, filename)
++
++ @staticmethod
++ def _resolve_vcs(url):
++ """
++ >>> rvcs = PackageIndex._resolve_vcs
++ >>> rvcs('git+http://foo/bar')
++ 'git'
++ >>> rvcs('hg+https://foo/bar')
++ 'hg'
++ >>> rvcs('git:myhost')
++ 'git'
++ >>> rvcs('hg:myhost')
++ >>> rvcs('http://foo/bar')
++ """
++ scheme = urllib.parse.urlsplit(url).scheme
++ pre, sep, post = scheme.partition('+')
++ # svn and git have their own protocol; hg does not
++ allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
++ return next(iter({pre} & allowed), None)
++
++ def _download_vcs(self, url, spec_filename):
++ vcs = self._resolve_vcs(url)
++ if not vcs:
++ return
++ if vcs == 'svn':
++ raise DistutilsError(
++ f"Invalid config, SVN download is not supported: {url}"
++ )
++
++ filename, _, _ = spec_filename.partition('#')
++ url, rev = self._vcs_split_rev_from_url(url)
++
++ self.info(f"Doing {vcs} clone from {url} to {filename}")
++ subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
++
++ co_commands = dict(
++ git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
++ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
++ )
++ if rev is not None:
++ self.info(f"Checking out {rev}")
++ subprocess.check_call(co_commands[vcs])
++
++ return filename
++
++ def _download_other(self, url, filename):
++ scheme = urllib.parse.urlsplit(url).scheme
++ if scheme == 'file': # pragma: no cover
++ return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
++ # raise error if not allowed
++ self.url_ok(url, True)
++ return self._attempt_download(url, filename)
+
+ def scan_url(self, url):
+ self.process_url(url, True)
+@@ -857,64 +898,36 @@ class PackageIndex(Environment):
+ os.unlink(filename)
+ raise DistutilsError(f"Unexpected HTML page found at {url}")
+
+- def _download_svn(self, url, _filename):
+- raise DistutilsError(f"Invalid config, SVN download is not supported: {url}")
+-
+ @staticmethod
+- def _vcs_split_rev_from_url(url, pop_prefix=False):
+- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
++ def _vcs_split_rev_from_url(url):
++ """
++ Given a possible VCS URL, return a clean URL and resolved revision if any.
++ >>> vsrfu = PackageIndex._vcs_split_rev_from_url
++ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
++ ('https://github.com/pypa/setuptools', 'v69.0.0')
++ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
++ ('https://github.com/pypa/setuptools', None)
++ >>> vsrfu('http://foo/bar')
++ ('http://foo/bar', None)
++ """
++ parts = urllib.parse.urlsplit(url)
+
+- scheme = scheme.split('+', 1)[-1]
++ clean_scheme = parts.scheme.split('+', 1)[-1]
+
+ # Some fragment identification fails
+- path = path.split('#', 1)[0]
+-
+- rev = None
+- if '@' in path:
+- path, rev = path.rsplit('@', 1)
+-
+- # Also, discard fragment
+- url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
+-
+- return url, rev
+-
+- def _download_git(self, url, filename):
+- filename = filename.split('#', 1)[0]
+- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+- self.info("Doing git clone from %s to %s", url, filename)
+- os.system("git clone --quiet %s %s" % (url, filename))
+-
+- if rev is not None:
+- self.info("Checking out %s", rev)
+- os.system(
+- "git -C %s checkout --quiet %s"
+- % (
+- filename,
+- rev,
+- )
+- )
++ no_fragment_path, _, _ = parts.path.partition('#')
+
+- return filename
++ pre, sep, post = no_fragment_path.rpartition('@')
++ clean_path, rev = (pre, post) if sep else (post, None)
+
+- def _download_hg(self, url, filename):
+- filename = filename.split('#', 1)[0]
+- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
++ resolved = parts._replace(
++ scheme=clean_scheme,
++ path=clean_path,
++ # discard the fragment
++ fragment='',
++ ).geturl()
+
+- self.info("Doing hg clone from %s to %s", url, filename)
+- os.system("hg clone --quiet %s %s" % (url, filename))
+-
+- if rev is not None:
+- self.info("Updating to %s", rev)
+- os.system(
+- "hg --cwd %s up -C -r %s -q"
+- % (
+- filename,
+- rev,
+- )
+- )
+-
+- return filename
++ return resolved, rev
+
+ def debug(self, msg, *args):
+ log.debug(msg, *args)
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 41b9661..e4cd91a 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -2,7 +2,6 @@ import distutils.errors
+ import urllib.request
+ import urllib.error
+ import http.client
+-from unittest import mock
+
+ import pytest
+
+@@ -171,49 +170,46 @@ class TestPackageIndex:
+ assert dists[0].version == ''
+ assert dists[1].version == vc
+
+- def test_download_git_with_rev(self, tmpdir):
++ def test_download_git_with_rev(self, tmp_path, fp):
+ url = 'git+https://github.example/group/project@master#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
+- result = index.download(url, str(tmpdir))
++ expected_dir = tmp_path / 'project@master'
++ fp.register([
++ 'git',
++ 'clone',
++ '--quiet',
++ 'https://github.example/group/project',
++ expected_dir,
++ ])
++ fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master'])
+
+- os_system_mock.assert_called()
++ result = index.download(url, tmp_path)
+
+- expected_dir = str(tmpdir / 'project@master')
+- expected = (
+- 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- first_call_args = os_system_mock.call_args_list[0][0]
+- assert first_call_args == (expected,)
++ assert result == str(expected_dir)
++ assert len(fp.calls) == 2
+
+- tmpl = 'git -C {expected_dir} checkout --quiet master'
+- expected = tmpl.format(**locals())
+- assert os_system_mock.call_args_list[1][0] == (expected,)
+- assert result == expected_dir
+-
+- def test_download_git_no_rev(self, tmpdir):
++ def test_download_git_no_rev(self, tmp_path, fp):
+ url = 'git+https://github.example/group/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
+- result = index.download(url, str(tmpdir))
+-
+- os_system_mock.assert_called()
+-
+- expected_dir = str(tmpdir / 'project')
+- expected = (
+- 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- os_system_mock.assert_called_once_with(expected)
+-
+- def test_download_svn(self, tmpdir):
++ expected_dir = tmp_path / 'project'
++ fp.register([
++ 'git',
++ 'clone',
++ '--quiet',
++ 'https://github.example/group/project',
++ expected_dir,
++ ])
++ index.download(url, tmp_path)
++
++ def test_download_svn(self, tmp_path):
+ url = 'svn+https://svn.example/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+ msg = r".*SVN download is not supported.*"
+ with pytest.raises(distutils.errors.DistutilsError, match=msg):
+- index.download(url, str(tmpdir))
++ index.download(url, tmp_path)
+
+
+ class TestContentCheckers:
+--
+2.40.0
+
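Review bot: In `_download_vcs`, replacing `os.system` with `subprocess.check_call` changes the failure mode: a failed `git clone` or `hg clone` now raises `subprocess.CalledProcessError`, whereas the removed `_download_git` and `_download_hg` ignored the exit status and returned `filename` anyway. The other error paths visible in this file raise `DistutilsError` (the `svn` branch in this same method does), so consider catching `CalledProcessError` and re-raising it as `DistutilsError` with the URL, so callers see one exception type. Separately, `co_commands` is built before the `if rev is not None` check, so both lists contain `None` when the URL carries no revision; building the dict inside the `if` block keeps `None` out of any argv list.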
diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
index 67475b68eb..7b9b02059f 100644
--- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
@@ -9,7 +9,9 @@ inherit pypi python_setuptools_build_meta
SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI += " \
- file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch"
+ file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
+ file://CVE-2024-6345.patch \
+"
SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"
--
2.34.1
* [OE-core][scarthgap 02/14] python3: Fix CVE-2024-7592
2024-09-04 21:32 [OE-core][scarthgap 00/14] Patch review Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 01/14] python3-setuptools: Fix CVE-2024-6345 Steve Sakoman
@ 2024-09-04 21:32 ` Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 03/14] python3: Fix CVE-2024-8088 Steve Sakoman
` (11 subsequent siblings)
13 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-09-04 21:32 UTC
To: openembedded-core
From: Soumya Sambu <soumya.sambu@windriver.com>
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592
Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python/python3/CVE-2024-7592.patch | 143 ++++++++++++++++++
.../recipes-devtools/python/python3_3.12.4.bb | 1 +
2 files changed, 144 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
new file mode 100644
index 0000000000..7a6d63005c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
@@ -0,0 +1,143 @@
+From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 25 Aug 2024 00:37:11 +0200
+Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted
+ cookie values with backslashes (GH-123075) (#123104)
+
+gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
+
+This fixes CVE-2024-7592.
+(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+
+CVE: CVE-2024-7592
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ Lib/http/cookies.py | 34 ++++-------------
+ Lib/test/test_http_cookies.py | 38 +++++++++++++++++++
+ ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 +
+ 3 files changed, 47 insertions(+), 26 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 35ac2dc..2c1f021 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -184,8 +184,13 @@ def _quote(str):
+ return '"' + str.translate(_Translator) + '"'
+
+
+-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
+-_QuotePatt = re.compile(r"[\\].")
++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
++
++def _unquote_replace(m):
++ if m[1]:
++ return chr(int(m[1], 8))
++ else:
++ return m[2]
+
+ def _unquote(str):
+ # If there aren't any doublequotes,
+@@ -205,30 +210,7 @@ def _unquote(str):
+ # \012 --> \n
+ # \" --> "
+ #
+- i = 0
+- n = len(str)
+- res = []
+- while 0 <= i < n:
+- o_match = _OctalPatt.search(str, i)
+- q_match = _QuotePatt.search(str, i)
+- if not o_match and not q_match: # Neither matched
+- res.append(str[i:])
+- break
+- # else:
+- j = k = -1
+- if o_match:
+- j = o_match.start(0)
+- if q_match:
+- k = q_match.start(0)
+- if q_match and (not o_match or k < j): # QuotePatt matched
+- res.append(str[i:k])
+- res.append(str[k+1])
+- i = k + 2
+- else: # OctalPatt matched
+- res.append(str[i:j])
+- res.append(chr(int(str[j+1:j+4], 8)))
+- i = j + 4
+- return _nulljoin(res)
++ return _unquote_sub(_unquote_replace, str)
+
+ # The _getdate() routine is used to set the expiration time in the cookie's HTTP
+ # header. By default, _getdate() returns the current time in the appropriate
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 925c869..8879902 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -5,6 +5,7 @@ import unittest
+ import doctest
+ from http import cookies
+ import pickle
++from test import support
+
+
+ class CookieTests(unittest.TestCase):
+@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
+ for k, v in sorted(case['dict'].items()):
+ self.assertEqual(C[k].value, v)
+
++ def test_unquote(self):
++ cases = [
++ (r'a="b=\""', 'b="'),
++ (r'a="b=\\"', 'b=\\'),
++ (r'a="b=\="', 'b=='),
++ (r'a="b=\n"', 'b=n'),
++ (r'a="b=\042"', 'b="'),
++ (r'a="b=\134"', 'b=\\'),
++ (r'a="b=\377"', 'b=\xff'),
++ (r'a="b=\400"', 'b=400'),
++ (r'a="b=\42"', 'b=42'),
++ (r'a="b=\\042"', 'b=\\042'),
++ (r'a="b=\\134"', 'b=\\134'),
++ (r'a="b=\\\""', 'b=\\"'),
++ (r'a="b=\\\042"', 'b=\\"'),
++ (r'a="b=\134\""', 'b=\\"'),
++ (r'a="b=\134\042"', 'b=\\"'),
++ ]
++ for encoded, decoded in cases:
++ with self.subTest(encoded):
++ C = cookies.SimpleCookie()
++ C.load(encoded)
++ self.assertEqual(C['a'].value, decoded)
++
++ @support.requires_resource('cpu')
++ def test_unquote_large(self):
++ n = 10**6
++ for encoded in r'\\', r'\134':
++ with self.subTest(encoded):
++ data = 'a="b=' + encoded*n + ';"'
++ C = cookies.SimpleCookie()
++ C.load(data)
++ value = C['a'].value
++ self.assertEqual(value[:3], 'b=\\')
++ self.assertEqual(value[-2:], '\\;')
++ self.assertEqual(len(value), n + 3)
++
+ def test_load(self):
+ C = cookies.SimpleCookie()
+ C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
+diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+new file mode 100644
+index 0000000..6a23456
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+@@ -0,0 +1 @@
++Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
+--
+2.40.0
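Review bot: The only test that exercises the quadratic case, `test_unquote_large`, is decorated with `@support.requires_resource('cpu')`, so under regrtest it runs only when the `cpu` resource is enabled; otherwise just `test_unquote` covers the new `_unquote_sub` path, and that checks correctness, not run time. It would help to state in the commit message whether `test_unquote_large` was run against this backport. Note also that `(.)` in the new pattern is compiled without `re.DOTALL`, the same as the removed `_QuotePatt`, so a backslash followed by a newline is still left untouched.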
diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb
index e4c3fbb673..9199edce3d 100644
--- a/meta/recipes-devtools/python/python3_3.12.4.bb
+++ b/meta/recipes-devtools/python/python3_3.12.4.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
file://0001-test_deadlock-skip-problematic-test.patch \
file://0001-test_active_children-skip-problematic-test.patch \
+ file://CVE-2024-7592.patch \
"
SRC_URI:append:class-native = " \
--
2.34.1
* [OE-core][scarthgap 03/14] python3: Fix CVE-2024-8088
2024-09-04 21:32 [OE-core][scarthgap 00/14] Patch review Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 01/14] python3-setuptools: Fix CVE-2024-6345 Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 02/14] python3: Fix CVE-2024-7592 Steve Sakoman
@ 2024-09-04 21:32 ` Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 04/14] xserver-xorg: fix CVE-2023-5574 status Steve Sakoman
` (10 subsequent siblings)
13 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-09-04 21:32 UTC
To: openembedded-core
From: Soumya Sambu <soumya.sambu@windriver.com>
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088
Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python/python3/CVE-2024-8088.patch | 128 ++++++++++++++++++
.../recipes-devtools/python/python3_3.12.4.bb | 1 +
2 files changed, 129 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
new file mode 100644
index 0000000000..13836f1ccc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
@@ -0,0 +1,128 @@
+From dcc5182f27c1500006a1ef78e10613bb45788dea Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 12 Aug 2024 02:35:17 +0200
+Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
+ (#122923)
+
+CVE: CVE-2024-8088
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ Lib/test/test_zipfile/_path/test_path.py | 17 +++++
+ Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++-
+ ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 +
+ 3 files changed, 81 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
+
+diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
+index 06d5aab..90885db 100644
+--- a/Lib/test/test_zipfile/_path/test_path.py
++++ b/Lib/test/test_zipfile/_path/test_path.py
+@@ -577,3 +577,20 @@ class TestPath(unittest.TestCase):
+ zipfile.Path(alpharep)
+ with self.assertRaises(KeyError):
+ alpharep.getinfo('does-not-exist')
++
++ def test_malformed_paths(self):
++ """
++ Path should handle malformed paths.
++ """
++ data = io.BytesIO()
++ zf = zipfile.ZipFile(data, "w")
++ zf.writestr("/one-slash.txt", b"content")
++ zf.writestr("//two-slash.txt", b"content")
++ zf.writestr("../parent.txt", b"content")
++ zf.filename = ''
++ root = zipfile.Path(zf)
++ assert list(map(str, root.iterdir())) == [
++ 'one-slash.txt',
++ 'two-slash.txt',
++ 'parent.txt',
++ ]
+diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
+index 78c4135..42f9fde 100644
+--- a/Lib/zipfile/_path/__init__.py
++++ b/Lib/zipfile/_path/__init__.py
+@@ -83,7 +83,69 @@ class InitializedState:
+ super().__init__(*args, **kwargs)
+
+
+-class CompleteDirs(InitializedState, zipfile.ZipFile):
++class SanitizedNames:
++ """
++ ZipFile mix-in to ensure names are sanitized.
++ """
++
++ def namelist(self):
++ return list(map(self._sanitize, super().namelist()))
++
++ @staticmethod
++ def _sanitize(name):
++ r"""
++ Ensure a relative path with posix separators and no dot names.
++
++ Modeled after
++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++ but provides consistent cross-platform behavior.
++
++ >>> san = SanitizedNames._sanitize
++ >>> san('/foo/bar')
++ 'foo/bar'
++ >>> san('//foo.txt')
++ 'foo.txt'
++ >>> san('foo/.././bar.txt')
++ 'foo/bar.txt'
++ >>> san('foo../.bar.txt')
++ 'foo../.bar.txt'
++ >>> san('\\foo\\bar.txt')
++ 'foo/bar.txt'
++ >>> san('D:\\foo.txt')
++ 'D/foo.txt'
++ >>> san('\\\\server\\share\\file.txt')
++ 'server/share/file.txt'
++ >>> san('\\\\?\\GLOBALROOT\\Volume3')
++ '?/GLOBALROOT/Volume3'
++ >>> san('\\\\.\\PhysicalDrive1\\root')
++ 'PhysicalDrive1/root'
++
++ Retain any trailing slash.
++ >>> san('abc/')
++ 'abc/'
++
++ Raises a ValueError if the result is empty.
++ >>> san('../..')
++ Traceback (most recent call last):
++ ...
++ ValueError: Empty filename
++ """
++
++ def allowed(part):
++ return part and part not in {'..', '.'}
++
++ # Remove the drive letter.
++ # Don't use ntpath.splitdrive, because that also strips UNC paths
++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
++ clean = bare.replace('\\', '/')
++ parts = clean.split('/')
++ joined = '/'.join(filter(allowed, parts))
++ if not joined:
++ raise ValueError("Empty filename")
++ return joined + '/' * name.endswith('/')
++
++
++class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
+ """
+ A ZipFile subclass that ensures that implied directories
+ are always included in the namelist.
+diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
+new file mode 100644
+index 0000000..1be44c9
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
+@@ -0,0 +1 @@
++:class:`zipfile.Path` objects now sanitize names from the zipfile.
+--
+2.40.0
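Review bot: The `Upstream-Status: Backport` line in the patch header references python/cpython commit dcc5182f27c1500006a1ef78e10613bb45788dea, but the `Upstream-Patch:` link in the commit message of this e-mail points to a commit in corydolphin/flask-cors; the commit message should carry the same cpython URL as the patch header. The change also adds `SanitizedNames` only to `CompleteDirs`, and the NEWS entry speaks of `zipfile.Path` objects, so the commit message could say that the backport is scoped to `zipfile.Path`.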
diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb
index 9199edce3d..3ac83166ac 100644
--- a/meta/recipes-devtools/python/python3_3.12.4.bb
+++ b/meta/recipes-devtools/python/python3_3.12.4.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_deadlock-skip-problematic-test.patch \
file://0001-test_active_children-skip-problematic-test.patch \
file://CVE-2024-7592.patch \
+ file://CVE-2024-8088.patch \
"
SRC_URI:append:class-native = " \
--
2.34.1
* [OE-core][scarthgap 04/14] xserver-xorg: fix CVE-2023-5574 status
2024-09-04 21:32 [OE-core][scarthgap 00/14] Patch review Steve Sakoman
` (2 preceding siblings ...)
2024-09-04 21:32 ` [OE-core][scarthgap 03/14] python3: Fix CVE-2024-8088 Steve Sakoman
@ 2024-09-04 21:32 ` Steve Sakoman
2024-09-04 21:32 ` [OE-core][scarthgap 05/14] apr: drop 0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch Steve Sakoman
` (9 subsequent siblings)
13 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-09-04 21:32 UTC
To: openembedded-core
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
If XvFB is enabled, the CVE_STATUS for CVE-2023-5574 should be
'unpatched' rather than the empty string. Otherwise SPDX checker
complains:
xserver-xorg-2_21.1.13-r0 do_create_spdx: Unknown CVE status
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ec5dcbdd7c922df25ce90b04902d9c7c749a8c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 22f7d9a8ad..e2754426cf 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -176,4 +176,4 @@ python populate_packages:prepend() {
d.appendVar("RPROVIDES:" + pn, " " + get_abi("video"))
}
-CVE_STATUS[CVE-2023-5574] = "${@bb.utils.contains('PACKAGECONFIG', 'xvfb', '', 'not-applicable-config: specific to Xvfb', d)}"
+CVE_STATUS[CVE-2023-5574] = "${@bb.utils.contains('PACKAGECONFIG', 'xvfb', 'unpatched', 'not-applicable-config: specific to Xvfb', d)}"
--
2.34.1
* [OE-core][scarthgap 05/14] apr: drop 0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
At some point this became unnecessary, as tested by building apr
with DISTRO_FEATURES:append = " ld-is-gold"
The logs do confirm that (previously) problematic binary links without errors.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c041932f14cf552b0446732ce0cca6537f3286ab)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...libapr-against-phtread-to-make-gold-.patch | 50 -------------------
meta/recipes-support/apr/apr_1.7.4.bb | 1 -
2 files changed, 51 deletions(-)
delete mode 100644 meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
diff --git a/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch b/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
deleted file mode 100644
index 8760b0140c..0000000000
--- a/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From c6afc4a4a766478cb6aa6b43a50051881b6318d7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@googlemail.com>
-Date: Fri, 3 Mar 2017 22:24:17 +0100
-Subject: [PATCH 7/7] explicitly link libapr against phtread to make gold happy
- on test
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_init'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_settype'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_destroy'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutex_trylock'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_attr_setstacksize'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_create'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_join'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_detach'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_sigmask'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_once'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_key_create'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_getspecific'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_key_delete'
-| ../.libs/libapr-1.so: error: undefined reference to 'pthread_setspecific'
-| collect2: error: ld returned 1 exit status
-| Makefile:114: recipe for target 'globalmutexchild' failed
-| make[1]: *** [globalmutexchild] Error 1
-| make[1]: Leaving directory '/home/superandy/tmp/oe-core-glibc/work/cortexa7t2hf-neon-vfpv4-angstrom-linux-gnueabi/apr/1.5.2-r0/apr-1.5.2/test'
-
-Upstream-Status: Pending
-
-Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
----
- configure.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/configure.in b/configure.in
-index a227e72..cbc0f90 100644
---- a/configure.in
-+++ b/configure.in
-@@ -784,6 +784,7 @@ else
- APR_PTHREADS_CHECK_RESTORE ] )
- fi
- if test "$pthreadh" = "1"; then
-+ APR_ADDTO(LIBS,[-lpthread])
- APR_CHECK_PTHREAD_GETSPECIFIC_TWO_ARGS
- APR_CHECK_PTHREAD_ATTR_GETDETACHSTATE_ONE_ARG
- APR_CHECK_PTHREAD_RECURSIVE_MUTEX
---
-1.8.3.1
-
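Review bot: the removal rests on "At some point this became unnecessary", with no pointer to the apr or toolchain change that made the APR_ADDTO(LIBS,[-lpthread]) line redundant, and since the dropped patch was Upstream-Status: Pending there is no upstream commit to infer it from. The failure recorded in the patch log was linking globalmutexchild under test/, so please say in the commit message that the test binaries were what was rebuilt with ld-is-gold, and for which target, so the link error can be triaged quickly if it returns.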
diff --git a/meta/recipes-support/apr/apr_1.7.4.bb b/meta/recipes-support/apr/apr_1.7.4.bb
index d322629b66..4df741c766 100644
--- a/meta/recipes-support/apr/apr_1.7.4.bb
+++ b/meta/recipes-support/apr/apr_1.7.4.bb
@@ -18,7 +18,6 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \
file://0004-Fix-packet-discards-HTTP-redirect.patch \
file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \
- file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
file://libtoolize_check.patch \
file://0001-Add-option-to-disable-timed-dependant-tests.patch \
file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \
--
2.34.1
* [OE-core][scarthgap 06/14] apr: upgrade 1.7.4 -> 1.7.5
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Refreshed patch 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
Includes security fix
CVE-2023-49582
changelog:
https://downloads.apache.org/apr/CHANGES-APR-1.7
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5d9498466526451910fa02862f8860b2bb81df8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...1-configure-Remove-runtime-test-for-mmap-that-can-map-.patch | 2 +-
meta/recipes-support/apr/{apr_1.7.4.bb => apr_1.7.5.bb} | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-support/apr/{apr_1.7.4.bb => apr_1.7.5.bb} (98%)
diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
index a78b16284f..3480deaa4d 100644
--- a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
+++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
@@ -34,7 +34,7 @@ index 3663220..dce9789 100644
-#ifdef HAVE_SYS_MMAN_H
-#include <sys/mman.h>
-#endif
-- int main()
+- int main(int argc, const char *argv[])
- {
- int fd;
- void *m;
diff --git a/meta/recipes-support/apr/apr_1.7.4.bb b/meta/recipes-support/apr/apr_1.7.5.bb
similarity index 98%
rename from meta/recipes-support/apr/apr_1.7.4.bb
rename to meta/recipes-support/apr/apr_1.7.5.bb
index 4df741c766..78796476e2 100644
--- a/meta/recipes-support/apr/apr_1.7.4.bb
+++ b/meta/recipes-support/apr/apr_1.7.5.bb
@@ -25,7 +25,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://0001-dso-Check-for-NULL-handle-in-apr_dso_sym.patch \
"
-SRC_URI[sha256sum] = "fc648de983f3a2a6c9e78dea1f180639bd2fad6c06d556d4367a701fe5c35577"
+SRC_URI[sha256sum] = "cd0f5d52b9ab1704c72160c5ee3ed5d3d4ca2df4a7f8ab564e3cb352b67232f2"
inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script
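Review bot: the only recipe change in this hunk is SRC_URI[sha256sum], and the commit message does not say where the new value came from. Since this upgrade is being taken for CVE-2023-49582, please confirm the hash was checked against the checksum or signature published with the apr 1.7.5 release rather than computed from a locally fetched tarball, and give CVE-2023-49582 a one-line description in the commit message.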
--
2.34.1
* [OE-core][scarthgap 07/14] cups: upgrade 2.4.9 -> 2.4.10
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
===========
- Fixed error handling when reading a mixed "1setOf" attribute.
- Fixed scheduler start if there is only domain socket to listen on
0001-use-echo-only-in-init.patch
0002-don-t-try-to-run-generated-binaries.patch
0004-cups-fix-multilib-install-file-conflicts.patch
refreshed for 2.4.10.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd7a978d2d7feb11f6c265ba812c8ca29912ebc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../cups/cups/0001-use-echo-only-in-init.patch | 11 ++++-------
...002-don-t-try-to-run-generated-binaries.patch | 16 ++++++----------
...ups-fix-multilib-install-file-conflicts.patch | 12 ++++--------
.../cups/{cups_2.4.9.bb => cups_2.4.10.bb} | 2 +-
4 files changed, 15 insertions(+), 26 deletions(-)
rename meta/recipes-extended/cups/{cups_2.4.9.bb => cups_2.4.10.bb} (51%)
diff --git a/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch b/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch
index 80bbad0a44..e6bd400779 100644
--- a/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch
+++ b/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch
@@ -1,7 +1,7 @@
-From a3f4d8ba97f4669a95943a7e65eb61aa44ce7999 Mon Sep 17 00:00:00 2001
+From ddfe6ed6a89226985e8c9f0751c026aabc0927a0 Mon Sep 17 00:00:00 2001
From: Saul Wold <sgw@linux.intel.com>
Date: Thu, 13 Dec 2012 19:03:52 -0800
-Subject: [PATCH 1/4] use echo only in init
+Subject: [PATCH] use echo only in init
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
@@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scheduler/cups.sh.in b/scheduler/cups.sh.in
-index 89ac36d..6618a0f 100644
+index 74cce18..c57f0db 100644
--- a/scheduler/cups.sh.in
+++ b/scheduler/cups.sh.in
-@@ -50,7 +50,7 @@ case "`uname`" in
+@@ -51,7 +51,7 @@ case "`uname`" in
ECHO_ERROR=:
;;
@@ -22,6 +22,3 @@ index 89ac36d..6618a0f 100644
IS_ON=/bin/true
if test -f /etc/init.d/functions; then
. /etc/init.d/functions
---
-2.17.1
-
diff --git a/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch b/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch
index 2bc26edbfc..75270cb0cb 100644
--- a/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch
+++ b/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch
@@ -1,21 +1,20 @@
-From 3e9a965dcd65ab2d40b753b6f792a1a4559182aa Mon Sep 17 00:00:00 2001
+From ff6c7168c3f26094b3a18298208a28831d1c1fd5 Mon Sep 17 00:00:00 2001
From: Koen Kooi <koen@dominion.thruhere.net>
Date: Sun, 30 Jan 2011 16:37:27 +0100
-Subject: [PATCH 2/4] don't try to run generated binaries
+Subject: [PATCH] don't try to run generated binaries
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
-
---
- ppdc/Makefile | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
+ ppdc/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ppdc/Makefile b/ppdc/Makefile
-index 32e2e0b..f1478d4 100644
+index e36ed11..3fe97e1 100644
--- a/ppdc/Makefile
+++ b/ppdc/Makefile
-@@ -186,8 +186,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
+@@ -187,8 +187,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
$(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \
libcupsppdc.a $(LINKCUPSSTATIC)
$(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
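Review bot: the refreshed patch header changes the ppdc/Makefile diffstat from "32 ++++", 16 insertions and 16 deletions, to "4 ++--", 2 insertions and 2 deletions, which is a large drop for a refresh. Please confirm that the single remaining hunk at line 187 still covers every place where the build runs generated binaries (the old header may simply have been stale), and mention the reduction in the commit message, which currently only says the patch was refreshed for 2.4.10.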
@@ -26,6 +25,3 @@ index 32e2e0b..f1478d4 100644
#
---
-2.17.1
-
diff --git a/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch b/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch
index bc9260307c..d49fb8f2c2 100644
--- a/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch
+++ b/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch
@@ -1,7 +1,7 @@
-From 7dbda1887aa19ab720aff22312f4caff2d575f62 Mon Sep 17 00:00:00 2001
+From 6e286b582571ffca3f7874076d70eec6fd5713f6 Mon Sep 17 00:00:00 2001
From: Kai Kang <kai.kang@windriver.com>
Date: Wed, 3 Oct 2018 00:27:11 +0800
-Subject: [PATCH 4/4] cups: fix multilib install file conflicts
+Subject: [PATCH] cups: fix multilib install file conflicts
@CUPS_SERVERBIN@ is ${libdir} related that causes multilib install file
conflict. Remove @CUPS_SERVERBIN@ from the comment line of cups-files.conf to
@@ -10,16 +10,15 @@ avoid the conflict.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
---
conf/cups-files.conf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in
-index 4a78ba6..03c6582 100644
+index 93584a1..65b7052 100644
--- a/conf/cups-files.conf.in
+++ b/conf/cups-files.conf.in
-@@ -73,7 +73,7 @@ PageLog @CUPS_LOGDIR@/page_log
+@@ -67,7 +67,7 @@ PageLog @CUPS_LOGDIR@/page_log
#RequestRoot @CUPS_REQUESTS@
# Location of helper programs...
@@ -28,6 +27,3 @@ index 4a78ba6..03c6582 100644
# SSL/TLS keychain for the scheduler...
#ServerKeychain @CUPS_SERVERKEYCHAIN@
---
-2.17.1
-
diff --git a/meta/recipes-extended/cups/cups_2.4.9.bb b/meta/recipes-extended/cups/cups_2.4.10.bb
similarity index 51%
rename from meta/recipes-extended/cups/cups_2.4.9.bb
rename to meta/recipes-extended/cups/cups_2.4.10.bb
index e0a3522004..e16ad47cf5 100644
--- a/meta/recipes-extended/cups/cups_2.4.9.bb
+++ b/meta/recipes-extended/cups/cups_2.4.10.bb
@@ -2,4 +2,4 @@ require cups.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI[sha256sum] = "38fbf4535a10554113e013d54fedda03ee88007ea6a9761d626a04e1e4489e8c"
+SRC_URI[sha256sum] = "d75757c2bc0f7a28b02ee4d52ca9e4b1aa1ba2affe16b985854f5336940e5ad7"
--
2.34.1
* [OE-core][scarthgap 08/14] wpa-supplicant: Upgrade 2.10 -> 2.11
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Siddharth Doshi <sdoshi@mvista.com>
License-Update:
===============
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
CVEs Fixed:
===========
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass
Changes between 2.10 -> 2.11:
============================
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
Note:
=====
Patches
0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
0001-Install-wpa_passphrase-when-not-disabled.patch,
0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
are already fixed and hence removing them.
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 824eb0641dc6001a5e9ad7a685e60c472c9fdce8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...all-wpa_passphrase-when-not-disabled.patch | 33 ---
...te-Phase-2-authentication-requiremen.patch | 213 ------------------
...options-for-libwpa_client.so-and-wpa.patch | 73 ------
...oval-of-wpa_passphrase-on-make-clean.patch | 26 ---
...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
5 files changed, 3 insertions(+), 352 deletions(-)
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
deleted file mode 100644
index c04c608bde..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
-From: Alex Kiernan <alexk@zuma.ai>
-Date: Thu, 21 Apr 2022 10:15:29 +0100
-Subject: [PATCH] Install wpa_passphrase when not disabled
-
-As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
-built, its not installed during `make install`.
-
-Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
-Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
----
- wpa_supplicant/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index 0bab313f2355..12787c0c7d0f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
-
- install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
- $(MAKE) -C ../src install
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
-+endif
- ifdef CONFIG_BUILD_WPA_CLIENT_SO
- install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
- install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
---
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
deleted file mode 100644
index 620560d3c7..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
- (private_key/client_cert) is no used and TLS session resumption was
- not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
-CVE: CVE-2023-52160
-Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
-
-Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
-
----
- src/eap_peer/eap_config.h | 8 ++++++
- src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c | 6 +++++
- src/eap_peer/eap_tls_common.h | 5 ++++
- wpa_supplicant/wpa_supplicant.conf | 7 ++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 3238f74..047eec2 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -469,6 +469,14 @@ struct eap_peer_config {
- * 1 = use cryptobinding if server supports it
- * 2 = require cryptobinding
- *
-+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+ * tunnel) behavior for PEAP:
-+ * 0 = do not require Phase 2 authentication
-+ * 1 = require Phase 2 authentication when client certificate
-+ * (private_key/client_cert) is no used and TLS session resumption was
-+ * not used (default)
-+ * 2 = require Phase 2 authentication in all cases
-+ *
- * EAP-WSC (WPS) uses following options: pin=Device_Password and
- * uuid=Device_UUID
- *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df..6080697 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- u8 cmk[20];
- int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- * is enabled. */
-+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
-
-
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- }
-
-+ if (os_strstr(phase1, "phase2_auth=0")) {
-+ data->phase2_auth = NO_AUTH;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Do not require Phase 2 authentication");
-+ } else if (os_strstr(phase1, "phase2_auth=1")) {
-+ data->phase2_auth = FOR_INITIAL;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+ } else if (os_strstr(phase1, "phase2_auth=2")) {
-+ data->phase2_auth = ALWAYS;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for all cases");
-+ }
- #ifdef EAP_TNC
- if (os_strstr(phase1, "tnc=soh2")) {
- data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
- data->force_peap_version = -1;
- data->peap_outer_success = 2;
- data->crypto_binding = OPTIONAL_BINDING;
-+ data->phase2_auth = FOR_INITIAL;
-
- if (config && config->phase1)
- eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
-
-
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+ struct eap_peap_data *data)
-+{
-+ if ((data->phase2_auth == ALWAYS ||
-+ (data->phase2_auth == FOR_INITIAL &&
-+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+ !data->ssl.client_cert_conf) ||
-+ data->phase2_eap_started) &&
-+ !data->phase2_eap_success)
-+ return false;
-+ return true;
-+}
-+
-+
- /**
- * eap_tlv_process - Process a received EAP-TLV message and generate a response
- * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
- " - force failed Phase 2");
- resp_status = EAP_TLV_RESULT_FAILURE;
- ret->decision = DECISION_FAIL;
-+ } else if (!peap_phase2_sufficient(sm, data)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+ resp_status = EAP_TLV_RESULT_FAILURE;
-+ ret->decision = DECISION_FAIL;
- } else {
- resp_status = EAP_TLV_RESULT_SUCCESS;
- ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- /* EAP-Success within TLS tunnel is used to indicate
- * shutdown of the TLS channel. The authentication has
- * been completed. */
-- if (data->phase2_eap_started &&
-- !data->phase2_eap_success) {
-+ if (!peap_phase2_sufficient(sm, data)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- "Success used to indicate success, "
- "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- struct eap_peap_data *data = priv;
-+
- return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
-- data->phase2_success;
-+ data->phase2_success && data->phase2_auth != ALWAYS;
- }
-
-
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index c1837db..a53eeb1 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
-
- sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
-
-+ if (!phase2)
-+ data->client_cert_conf = params->client_cert ||
-+ params->client_cert_blob ||
-+ params->private_key ||
-+ params->private_key_blob;
-+
- return 0;
- }
-
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac0012..3348634 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- * tls_v13 - Whether TLS v1.3 or newer is used
- */
- int tls_v13;
-+
-+ /**
-+ * client_cert_conf: Whether client certificate has been configured
-+ */
-+ bool client_cert_conf;
- };
-
-
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index 6619d6b..d63f73c 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1321,6 +1321,13 @@ fast_reauth=1
- # * 0 = do not use cryptobinding (default)
- # * 1 = use cryptobinding if server supports it
- # * 2 = require cryptobinding
-+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+# tunnel) behavior for PEAP:
-+# * 0 = do not require Phase 2 authentication
-+# * 1 = require Phase 2 authentication when client certificate
-+# (private_key/client_cert) is no used and TLS session resumption was
-+# not used (default)
-+# * 2 = require Phase 2 authentication in all cases
- # EAP-WSC (WPS) uses following options: pin=<Device Password> or
- # pbc=1.
- #
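Review bot: this deletes the CVE-2023-52160 backport, so the fix now depends entirely on wpa_supplicant 2.11 containing upstream commit 8e6485a1bcb0baffdea9e55255a81270b768439c, which the commit message asserts ("already fixed") without citing. Please reference that commit or the 2.11 ChangeLog entry in the message. The removed text documents a default of phase2_auth=1, which does not require Phase 2 authentication when a client certificate is configured or TLS session resumption is used; deployments that want it required in all cases need phase2_auth=2 in the phase1 parameter, and that is worth a line in the upgrade notes.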
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
deleted file mode 100644
index 6e930fc98d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
-From: Sergey Matyukevich <geomatsi@gmail.com>
-Date: Tue, 22 Feb 2022 11:52:19 +0300
-Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
- wpa_passphrase
-
-Commit a41a29192e5d ("build: Pull common fragments into a build.rules
-file") introduced a regression into wpa_supplicant build process. The
-build target libwpa_client.so is not built regardless of whether the
-option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
-this config option is used before it is imported from the configuration
-file. Moving its use after including build.rules does not help: the
-variable ALL is processed by build.rules and further changes are not
-applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
-as expected: wpa_passphrase is always built regardless of whether the
-option is set or not.
-
-Re-enable these options by adding both build targets to _all
-dependencies.
-
-Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
-Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index cb66defac7c8..c456825ae75f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -1,24 +1,29 @@
- BINALL=wpa_supplicant wpa_cli
-
--ifndef CONFIG_NO_WPA_PASSPHRASE
--BINALL += wpa_passphrase
--endif
--
- ALL = $(BINALL)
- ALL += systemd/wpa_supplicant.service
- ALL += systemd/wpa_supplicant@.service
- ALL += systemd/wpa_supplicant-nl80211@.service
- ALL += systemd/wpa_supplicant-wired@.service
- ALL += dbus/fi.w1.wpa_supplicant1.service
--ifdef CONFIG_BUILD_WPA_CLIENT_SO
--ALL += libwpa_client.so
--endif
-
- EXTRA_TARGETS=dynamic_eap_methods
-
- CONFIG_FILE=.config
- include ../src/build.rules
-
-+ifdef CONFIG_BUILD_WPA_CLIENT_SO
-+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
-+# being set in the config which is read by build.rules
-+_all: libwpa_client.so
-+endif
-+
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
-+# being set in the config which is read by build.rules
-+_all: wpa_passphrase
-+endif
-+
- ifdef LIBS
- # If LIBS is set with some global build system defaults, clone those for
- # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
---
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
deleted file mode 100644
index 53b0fcdf53..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <quic_jouni@quicinc.com>
-Date: Thu, 3 Mar 2022 13:26:42 +0200
-Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
-
-Fixes: 0430bc8267b4 ("build: Add a common-clean target")
-Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index c456825ae75f..4b4688931b1d 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -2077,3 +2077,4 @@ clean: common-clean
- rm -f libwpa_client.a
- rm -f libwpa_client.so
- rm -f libwpa_test1 libwpa_test2
-+ rm -f wpa_passphrase
---
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
similarity index 90%
rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
index 22028ce957..03e4571cfb 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/"
SECTION = "network"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
- file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
- file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
+ file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
+ file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
DEPENDS = "dbus libnl"
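Review bot: the md5 values for README (lines 1-56) and wpa_supplicant/wpa_supplicant.c (lines 1-12) both change in LIC_FILES_CHKSUM, while COPYING and LICENSE = "BSD-3-Clause" stay as they were. If the commit message does not already carry one, add a License-Update: line saying what differs in those two header ranges, so the checksum change can be audited without diffing the 2.10 and 2.11 tarballs.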
@@ -15,12 +15,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
- file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
- file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
- file://0001-Install-wpa_passphrase-when-not-disabled.patch \
- file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
"
-SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
+SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
S = "${WORKDIR}/wpa_supplicant-${PV}"
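Review bot: the SRC_URI list drops 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch together with the three build patches, and nothing in this hunk shows that 2.11 contains them. The deleted 0002 patch is marked Upstream-Status: Backport, so the others are probably upstream as well, but the commit message should say so for each one, the PEAP Phase 2 change in particular, since losing it silently would regress an authentication fix. The tarball is still fetched over http://w1.fi, which leaves the new SRC_URI[sha256sum] as the only integrity check; it should be confirmed against an independently obtained copy of the release.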
--
2.34.1
* [OE-core][scarthgap 09/14] libadwaita: upgrade 1.5.1 -> 1.5.2
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
==========
- AdwAlertDialog
- Fix unmatched va_start()
- Fix setting default widget when removing a response
- AdwBreakpointCondition
- Fix leaks when parsing
- AdwBreakpointBin
- Fix a leak
- AdwDialog
- Fix toggling presentation mode
- Fix close button ignoring :can-close
- Fix ::close-attempt not emitting in some cases
- Fix swipe area for bottom sheets
- Leak fixes
- AdwHeaderBar
- Fix initial focus for the back button
- Fix split view links in docs
- AdwMessageDialog
- Fix unmatched va_start()
- AdwSpinRow
- Fix ::input handling
- AdwTabButton
- Fix needs-attention badge on RTL
- AdwTabView
- Accessibility fixes
- AdwViewStack
- Accessibility fixes
- Translation updates
- Nepali
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 25b8f5059061bf52257117ba7d54031a31388fb1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libadwaita/{libadwaita_1.5.1.bb => libadwaita_1.5.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-gnome/libadwaita/{libadwaita_1.5.1.bb => libadwaita_1.5.2.bb} (88%)
diff --git a/meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb b/meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb
similarity index 88%
rename from meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb
rename to meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb
index 6cb67c0db0..078f81c677 100644
--- a/meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb
+++ b/meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb
@@ -10,7 +10,7 @@ DEPENDS = " \
inherit gnomebase gobject-introspection gi-docgen vala features_check
-SRC_URI[archive.sha256sum] = "7f144c5887d6dd2d99517c00fd42395ee20abc13ce55958a4fda64e6d7e473f8"
+SRC_URI[archive.sha256sum] = "c9faee005cb4912bce34f69f1af26b01a364534e12ede5d9bac44d8226d72c16"
ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
REQUIRED_DISTRO_FEATURES = "opengl"
--
2.34.1
* [OE-core][scarthgap 10/14] libdnf: upgrade 0.73.1 -> 0.73.2
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
==========
- context: use rpmtsAddReinstallElement() when doing a reinstall
- MergedTransaction: Fix invalid memory access when dropping items
- ConfigParser: fix use-out-of-scope leaks
- Since we use rpmtsAddReinstallElement rpm also uninstalls the package
- Fix countme bucket calculation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9cf8330068503a5721640763309c4c74f293a94d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libdnf/{libdnf_0.73.1.bb => libdnf_0.73.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/libdnf/{libdnf_0.73.1.bb => libdnf_0.73.2.bb} (97%)
diff --git a/meta/recipes-devtools/libdnf/libdnf_0.73.1.bb b/meta/recipes-devtools/libdnf/libdnf_0.73.2.bb
similarity index 97%
rename from meta/recipes-devtools/libdnf/libdnf_0.73.1.bb
rename to meta/recipes-devtools/libdnf/libdnf_0.73.2.bb
index 3ab840b1b0..ed433d4a9f 100644
--- a/meta/recipes-devtools/libdnf/libdnf_0.73.1.bb
+++ b/meta/recipes-devtools/libdnf/libdnf_0.73.2.bb
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p
file://armarch.patch \
"
-SRCREV = "0120e70747dcf05e716792e2e846c62eccd44319"
+SRCREV = "86bbb159732e43dd6dff98c96e99382843f7c63b"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(?!4\.90)\d+(\.\d+)+)"
S = "${WORKDIR}/git"
--
2.34.1
* [OE-core][scarthgap 11/14] wireless-regdb: upgrade 2024.05.08 -> 2024.07.04
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b460d2d55a35450564ea04255153b0a3bf715530)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} (94%)
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb
index 95e33d9fb1..daf5e6dfcd 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "9aee1d86ebebb363b714bec941b2820f31e3b7f1a485ddc9fcbd9985c7d3e7c4"
+SRC_URI[sha256sum] = "9832a14e1be24abff7be30dee3c9a1afb5fdfcf475a0d91aafef039f8d85f5eb"
inherit bin_package allarch
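Review bot: the commit message has no body, so the SRC_URI[sha256sum] change is the only record of what this upgrade brings. Add a short summary of what changed upstream between 2024.05.08 and 2024.07.04 so a reviewer can judge which regulatory data moves on the stable branch. The fetch itself is over https from kernel.org with the checksum pinned and needs no change.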
--
2.34.1
* [OE-core][scarthgap 12/14] oeqa/runtime/ssh: increase the number of attempts
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Jon Mason <jdmason@kudzu.us>
Under high load, the ssh test is hitting the amount of retries.
Increase it to 20 to avoid this issue. This would increase the maximum
failure time from 50 seconds (5 * 10) to 100 seconds.
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c796438eec5dd6b4671b798f85506bc89ff402ab)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/runtime/cases/ssh.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/runtime/cases/ssh.py b/meta/lib/oeqa/runtime/cases/ssh.py
index 08430ae9db..b86428002f 100644
--- a/meta/lib/oeqa/runtime/cases/ssh.py
+++ b/meta/lib/oeqa/runtime/cases/ssh.py
@@ -16,7 +16,7 @@ class SSHTest(OERuntimeTestCase):
@OETestDepends(['ping.PingTest.test_ping'])
@OEHasPackage(['dropbear', 'openssh-sshd'])
def test_ssh(self):
- for i in range(10):
+ for i in range(20):
status, output = self.target.run("uname -a", timeout=5)
if status == 0:
break
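Review bot: range(20) with timeout=5 gives the 100 second bound quoted in the commit message only if each attempt does nothing but wait on self.target.run. The rest of the loop body is outside this hunk, so any sleep between attempts adds to that figure. Consider a named constant for the attempt count, kept next to the timeout, so the worst-case duration can be read in one place and the next tuning does not have to edit a literal.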
--
2.34.1
* [OE-core][scarthgap 13/14] openssh: add backported header file include
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Jon Mason <jdmason@kudzu.us>
Backport upstream patch to add a missing header. The patch says it is
for systemd, but I am seeing build issues when building openssh with
clang and musl. The issue being seen is:
#warning usage of non-standard #include <sys/cdefs.h> is deprecated
And similar deprecated warnings. This patch resolves the issue.
Original patch can be found at
https://github.com/openssh/openssh-portable/commit/88351eca17dcc55189991ba60e50819b6d4193c1
This issue was introduced with OE-Core 1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1
https://github.com/openembedded/openembedded-core/commit/1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1
Patch suggested by Khem Raj.
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
| 27 +++++++++++++++++++
.../openssh/openssh_9.6p1.bb | 1 +
2 files changed, 28 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch b/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch
new file mode 100644
index 0000000000..2baa4a6fe5
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch
@@ -0,0 +1,27 @@
+From 88351eca17dcc55189991ba60e50819b6d4193c1 Mon Sep 17 00:00:00 2001
+From: 90 <hi@90.gripe>
+Date: Fri, 5 Apr 2024 19:36:06 +0100
+Subject: [PATCH] Fix missing header for systemd notification
+
+Upstream-Status: Backport [88351eca17dcc55189991ba60e50819b6d4193c1]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+
+---
+ openbsd-compat/port-linux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index df7290246df6..4c024c6d2d61 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -33,6 +33,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <time.h>
++#include <unistd.h>
+
+ #include "log.h"
+ #include "xmalloc.h"
+--
+2.39.2
+
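Review bot: the only functional line added is #include <unistd.h> in openbsd-compat/port-linux.c, but the commit message describes a "#warning usage of non-standard #include <sys/cdefs.h> is deprecated" diagnostic under clang and musl, and the link between the two is not explained. State which declaration from unistd.h was being used without the header, so it is clear this is the right fix and not one that happens to silence the warning. The Upstream-Status: Backport tag carries only the commit hash; putting the openssh-portable commit URL from the message into the tag would keep the provenance with the patch file.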
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index 042acffe6a..3c507cf911 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://0001-notify-systemd-on-listen-and-reload.patch \
file://CVE-2024-6387.patch \
file://CVE-2024-39894.patch \
+ file://0001-Fix-missing-header-for-systemd-notification.patch \
"
SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
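Review bot: the new entry is appended after CVE-2024-6387.patch and CVE-2024-39894.patch, and this message has no "(cherry picked from commit ...)" line, unlike the other patches in the series. Say in the message whether master needs the same fix or already has it, so the stable branch does not carry a change that was never reviewed there. If 0001-notify-systemd-on-listen-and-reload.patch is what introduces the code needing the header, the entry has to stay after it in SRC_URI, which the current order satisfies.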
--
2.34.1
* [OE-core][scarthgap 14/14] mc: fix source URL
From: Steve Sakoman @ 2024-09-04 21:32 UTC (permalink / raw)
To: openembedded-core
From: Benjamin Szőke <egyszeregy@freemail.hu>
new URL for sources: http://ftp.midnight-commander.org/
Signed-off-by: Benjamin Szőke <egyszeregy@freemail.hu>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 03c4052718a9b8392b25e1770630317b8cf29fbe)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/mc/mc_4.8.31.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/mc/mc_4.8.31.bb b/meta/recipes-extended/mc/mc_4.8.31.bb
index 69c32887a2..5f8257f71f 100644
--- a/meta/recipes-extended/mc/mc_4.8.31.bb
+++ b/meta/recipes-extended/mc/mc_4.8.31.bb
@@ -8,7 +8,7 @@ DEPENDS = "ncurses glib-2.0 util-linux file-replacement-native"
RDEPENDS:${PN} = "ncurses-terminfo-base"
RRECOMMENDS:${PN} = "ncurses-terminfo"
-SRC_URI = "http://www.midnight-commander.org/downloads/${BPN}-${PV}.tar.bz2 \
+SRC_URI = "http://ftp.midnight-commander.org/${BPN}-${PV}.tar.bz2 \
file://nomandate.patch \
"
SRC_URI[sha256sum] = "f42f4114ed42f6cf9995f1d896fa6c797ccb36dac57760dda8dd9f78ac462841"
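Review bot: the replacement SRC_URI is still plain http (http://ftp.midnight-commander.org/), so the download is protected only by SRC_URI[sha256sum]. That checksum is unchanged in the context lines, which confirms the new location serves the same mc 4.8.31 tarball. If the host offers https, use it here, and mention in the commit message that the old downloads path stopped working so the reason for the move is recorded.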
--
2.34.1
* [OE-core][scarthgap 00/14] Patch review
From: Steve Sakoman @ 2025-01-22 3:02 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, January 23
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/856
The following changes since commit 92eea72a25e553c698bee9e3f551a5880bd4631c:
systemd: enable create-log-dirs (2025-01-13 06:16:07 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.6
Alexis Lothoré (1):
oeqa/ssh: allow to retrieve raw, unformatted ouput
Catalin Popescu (1):
Revert "bluez5: remove configuration files from install task"
Chen Qi (1):
libgfortran: fix buildpath QA issue
Divya Chellam (1):
wget: fix CVE-2024-10524
Esben Haabendal (1):
pulseaudio: fix webrtc audio depdency
Hitendra Prajapati (1):
ofono: Fix multiple CVEs
Peter Marko (4):
socat: patch CVE-2024-54661
ofono: patch CVE-2024-7540, CVE-2024-7541, CVE-2024-7542
ofono: patch CVE-2023-4232
ofono: patch CVE-2023-4235
Ross Burton (2):
classes/nativesdk: also override TUNE_PKGARCH
classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package
architecture
Zhang Peng (1):
avahi: fix CVE-2024-52616
meta/classes-recipe/nativesdk.bbclass | 1 +
meta/classes-recipe/qemu.bbclass | 8 +-
meta/lib/oeqa/core/target/ssh.py | 16 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2024-52616.patch | 104 +++++++++
meta/recipes-connectivity/bluez5/bluez5.inc | 8 +
.../ofono/ofono/CVE-2023-4232.patch | 31 +++
.../ofono/ofono/CVE-2023-4235.patch | 38 ++++
.../ofono/ofono/CVE-2024-7539.patch | 88 ++++++++
...024-7540_CVE-2024-7541_CVE-2024-7542.patch | 52 +++++
.../ofono/ofono/CVE-2024-7543.patch | 30 +++
.../ofono/ofono/CVE-2024-7544.patch | 30 +++
.../ofono/ofono/CVE-2024-7545.patch | 32 +++
.../ofono/ofono/CVE-2024-7546.patch | 30 +++
.../ofono/ofono/CVE-2024-7547.patch | 29 +++
meta/recipes-connectivity/ofono/ofono_2.4.bb | 9 +
.../socat/files/CVE-2024-54661.patch | 113 ++++++++++
.../socat/socat_1.8.0.0.bb | 1 +
meta/recipes-devtools/gcc/gcc-testsuite.inc | 4 +-
meta/recipes-devtools/gcc/libgfortran.inc | 2 +-
.../wget/wget/CVE-2024-10524.patch | 197 ++++++++++++++++++
meta/recipes-extended/wget/wget_1.21.4.bb | 1 +
.../pulseaudio/pulseaudio.inc | 2 +-
scripts/install-buildtools | 4 +-
24 files changed, 811 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
create mode 100644 meta/recipes-connectivity/socat/files/CVE-2024-54661.patch
create mode 100644 meta/recipes-extended/wget/wget/CVE-2024-10524.patch
--
2.43.0
* [OE-core][scarthgap 00/14] Patch review
From: Steve Sakoman @ 2025-02-11 20:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 13
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/997
The following changes since commit 72156282059aa5a013a386eb95f89dc38726326e:
selftest/rust: correctly form the PATH environment variable (2025-02-07 06:29:37 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Archana Polampalli (8):
ffmpeg: fix CVE-2024-35365
ffmpeg: fix CVE-2024-36613
ffmpeg: fix CVE-2024-36616
ffmpeg: fix CVE-2024-36617
ffmpeg: fix CVE-2024-36618
ffmpeg: fix CVE-2024-36619
ffmpeg: fix CVE-2024-35369
gstreamer1.0-rtsp-server: fix CVE-2024-44331
Bruce Ashfield (1):
linux-yocto/6.6: update to v6.6.75
Khem Raj (1):
qemu: Do not define sched_attr with glibc >= 2.41
Marek Vasut (1):
base-files: Drop /bin/sh dependency
Peter Marko (3):
python3: upgrade 3.12.8 -> 3.12.9
go: upgrade 1.22.11 -> 1.22.12
cmake: apply parallel build settings to ptest tasks
meta/classes-recipe/cmake.bbclass | 2 +
.../base-files/base-files_3.0.14.bb | 23 -------
.../go/{go-1.22.11.inc => go-1.22.12.inc} | 2 +-
...1.22.11.bb => go-binary-native_1.22.12.bb} | 6 +-
....22.11.bb => go-cross-canadian_1.22.12.bb} | 0
...o-cross_1.22.11.bb => go-cross_1.22.12.bb} | 0
...ssdk_1.22.11.bb => go-crosssdk_1.22.12.bb} | 0
...ntime_1.22.11.bb => go-runtime_1.22.12.bb} | 0
.../go/{go_1.22.11.bb => go_1.22.12.bb} | 0
...shebang-overflow-on-python-config.py.patch | 2 +-
...sts-due-to-load-variability-on-YP-AB.patch | 4 +-
...001-ctypes-correct-gcc-check-in-test.patch | 53 ++++++++++++++++
...asename-to-replace-CC-for-checking-c.patch | 10 +--
...t_readline-skip-limited-history-test.patch | 4 +-
...up.py-do-not-add-a-curses-include-pa.patch | 2 +-
.../python/python3/makerace.patch | 2 +-
.../{python3_3.12.8.bb => python3_3.12.9.bb} | 3 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
...ed_attr-Do-not-define-for-glibc-2.41.patch | 47 ++++++++++++++
.../linux/linux-yocto-rt_6.6.bb | 6 +-
.../linux/linux-yocto-tiny_6.6.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 ++++-----
.../ffmpeg/ffmpeg/CVE-2024-35365.patch | 62 +++++++++++++++++++
.../ffmpeg/ffmpeg/CVE-2024-35369.patch | 37 +++++++++++
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 37 +++++++++++
.../ffmpeg/ffmpeg/CVE-2024-36616.patch | 35 +++++++++++
.../ffmpeg/ffmpeg/CVE-2024-36617.patch | 36 +++++++++++
.../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 +++++++++++
.../ffmpeg/ffmpeg/CVE-2024-36619.patch | 36 +++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 7 +++
.../CVE-2024-44331.patch | 44 +++++++++++++
.../gstreamer1.0-rtsp-server_1.22.12.bb | 4 +-
32 files changed, 474 insertions(+), 61 deletions(-)
rename meta/recipes-devtools/go/{go-1.22.11.inc => go-1.22.12.inc} (89%)
rename meta/recipes-devtools/go/{go-binary-native_1.22.11.bb => go-binary-native_1.22.12.bb} (78%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.22.11.bb => go-cross-canadian_1.22.12.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.22.11.bb => go-cross_1.22.12.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.22.11.bb => go-crosssdk_1.22.12.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.22.11.bb => go-runtime_1.22.12.bb} (100%)
rename meta/recipes-devtools/go/{go_1.22.11.bb => go_1.22.12.bb} (100%)
create mode 100644 meta/recipes-devtools/python/python3/0001-ctypes-correct-gcc-check-in-test.patch
rename meta/recipes-devtools/python/{python3_3.12.8.bb => python3_3.12.9.bb} (99%)
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-sched_attr-Do-not-define-for-glibc-2.41.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
--
2.43.0
* [OE-core][scarthgap 00/14] Patch review
From: Steve Sakoman @ 2025-04-23 13:20 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, April 25
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1437
The following changes since commit 04038ecd1edd6592b826665a2b787387bb7074fa:
build-appliance-image: Update to scarthgap head revision (2025-04-19 14:43:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
binutils: patch CVE-2025-1182
Guðni Már Gilbert (2):
systemd: upgrade 255.17 -> 255.18
bluez5: add missing tools to noinst-tools package
Igor Opaniuk (1):
wic: bootimg-efi: Support + symbol in filenames
Peter Marko (2):
sqlite3: patch CVE-2025-3277
sqlite3: patch CVE-2025-29088
Soumya Sambu (1):
python3-jinja2: upgrade 3.1.4 -> 3.1.6
Vijay Anusuri (5):
libsoup: Fix CVE-2025-32910
libsoup: Fix CVE-2025-32909
libsoup: Fix CVE-2025-32911 & CVE-2025-32913
libsoup: Fix CVE-2025-32912
libsoup: Fix CVE-2025-32906
Yogita Urade (2):
curl: fix CVE-2024-11053
curl: fix CVE-2025-0167
.../bluez5/bluez5_5.72.bb | 8 +-
...55.17.bb => systemd-boot-native_255.18.bb} | 0
...-boot_255.17.bb => systemd-boot_255.18.bb} | 0
meta/recipes-core/systemd/systemd.inc | 2 +-
...1-missing_type.h-add-comparison_fn_t.patch | 2 +-
...k-parse_printf_format-implementation.patch | 4 +-
...tall-dependency-links-at-install-tim.patch | 2 +-
...missing.h-check-for-missing-strndupa.patch | 6 +-
...OB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch | 4 +-
...005-add-missing-FTW_-macros-for-musl.patch | 2 +-
...06-Use-uintmax_t-for-handling-rlim_t.patch | 2 +-
...T_SYMLINK_NOFOLLOW-flag-to-faccessat.patch | 2 +-
...patible-basename-for-non-glibc-syste.patch | 2 +-
...implment-systemd-sysv-install-for-OE.patch | 2 +-
...uffering-when-writing-to-oom_score_a.patch | 4 +-
...compliant-strerror_r-from-GNU-specif.patch | 2 +-
...definition-of-prctl_mm_map-structure.patch | 2 +-
...-not-disable-buffer-in-writing-files.patch | 2 +-
.../0013-Handle-__cpu_mask-usage.patch | 2 +-
.../systemd/0014-Handle-missing-gshadow.patch | 8 +-
...l.h-Define-MIPS-ABI-defines-for-musl.patch | 2 +-
...ass-correct-parameters-to-getdents64.patch | 4 +-
.../0017-Adjust-for-musl-headers.patch | 2 +-
...trerror-is-assumed-to-be-GNU-specifi.patch | 2 +-
...util-Make-STRERROR-portable-for-musl.patch | 2 +-
...ake-malloc_trim-conditional-on-glibc.patch | 2 +-
...hared-Do-not-use-malloc_info-on-musl.patch | 2 +-
...22-avoid-missing-LOCK_EX-declaration.patch | 2 +-
.../{systemd_255.17.bb => systemd_255.18.bb} | 0
.../binutils/binutils-2.42.inc | 1 +
.../binutils/binutils/CVE-2025-1182.patch | 33 +
...inja2_3.1.4.bb => python3-jinja2_3.1.6.bb} | 5 +-
.../curl/curl/CVE-2024-11053-0001.patch | 353 +++++++++
.../curl/curl/CVE-2024-11053-0002.patch | 728 ++++++++++++++++++
.../curl/curl/CVE-2024-11053-0003.patch | 130 ++++
.../curl/curl/CVE-2025-0167.patch | 178 +++++
meta/recipes-support/curl/curl_8.7.1.bb | 4 +
.../libsoup-3.4.4/CVE-2025-32906-1.patch | 61 ++
.../libsoup-3.4.4/CVE-2025-32906-2.patch | 83 ++
.../libsoup-3.4.4/CVE-2025-32909.patch | 36 +
.../libsoup-3.4.4/CVE-2025-32910-1.patch | 98 +++
.../libsoup-3.4.4/CVE-2025-32910-2.patch | 149 ++++
.../libsoup-3.4.4/CVE-2025-32910-3.patch | 27 +
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 ++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++
.../libsoup-3.4.4/CVE-2025-32912-1.patch | 41 +
.../libsoup-3.4.4/CVE-2025-32912-2.patch | 30 +
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 10 +
.../sqlite/sqlite3/CVE-2025-29088.patch | 179 +++++
.../sqlite/sqlite3/CVE-2025-3277.patch | 28 +
meta/recipes-support/sqlite/sqlite3_3.45.3.bb | 5 +-
scripts/lib/wic/plugins/source/bootimg-efi.py | 2 +-
52 files changed, 2335 insertions(+), 38 deletions(-)
rename meta/recipes-core/systemd/{systemd-boot-native_255.17.bb => systemd-boot-native_255.18.bb} (100%)
rename meta/recipes-core/systemd/{systemd-boot_255.17.bb => systemd-boot_255.18.bb} (100%)
rename meta/recipes-core/systemd/{systemd_255.17.bb => systemd_255.18.bb} (100%)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1182.patch
rename meta/recipes-devtools/python/{python3-jinja2_3.1.4.bb => python3-jinja2_3.1.6.bb} (81%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0003.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2025-0167.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch
create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-29088.patch
create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch
--
2.43.0
* [OE-core][scarthgap 00/14] Patch review
From: Steve Sakoman @ 2025-05-30 21:21 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Wednesday, June 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1695
The following changes since commit 56431a98ac661eaa42803e83a9ede6eae0b72b67:
u-boot: ensure keys are generated before assembling U-Boot FIT image (2025-05-27 09:47:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
screen: patch CVE-2025-46805
Bruce Ashfield (8):
linux-yocto/6.6: update to v6.6.85
linux-yocto/6.6: fix beaglebone ethernet
linux-yocto/6.6: update to v6.6.86
linux-yocto/6.6: update to v6.6.87
linux-yocto/6.6: update to v6.6.88
linux-yocto/6.6: update to v6.6.89
linux-yocto/6.6: update to v6.6.91
linux-yocto/6.6: update to v6.6.92
Hitendra Prajapati (2):
libsoup-3.4.4: Fix CVE-2025-4969
libsoup-2.4: Fix CVE-2025-4969
NeilBrown (1):
nfs-utils: don't use signals to shut down nfs server.
Richard Purdie (1):
sstatetests: Switch to new CDN
Wang Mingyu (1):
ghostscript: upgrade 10.05.0 -> 10.05.1
meta/lib/oeqa/selftest/cases/sstatetests.py | 2 +-
.../nfs-utils/nfs-utils/nfsserver | 28 +----
...ript_10.05.0.bb => ghostscript_10.05.1.bb} | 2 +-
.../screen/screen/CVE-2025-46805.patch | 101 ++++++++++++++++++
meta/recipes-extended/screen/screen_4.9.1.bb | 1 +
.../linux/linux-yocto-rt_6.6.bb | 6 +-
.../linux/linux-yocto-tiny_6.6.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 ++---
.../libsoup/libsoup-2.4/CVE-2025-4969.patch | 76 +++++++++++++
.../libsoup/libsoup-2.4_2.74.3.bb | 1 +
.../libsoup/libsoup-3.4.4/CVE-2025-4969.patch | 76 +++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
12 files changed, 282 insertions(+), 46 deletions(-)
rename meta/recipes-extended/ghostscript/{ghostscript_10.05.0.bb => ghostscript_10.05.1.bb} (97%)
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46805.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch
--
2.43.0