[OE-core][scarthgap 00/16] Patch review

[OE-core][scarthgap 00/16] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, September 24

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7346

The following changes since commit 343f40b0bc8ef65cc1e2abd6c9c33bb2e08bad3d:

  libedit: Make docs generation deterministic (2024-09-12 14:34:56 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Alban Bedel (1):
  bind: Fix build with the `httpstats` package config enabled

Chen Qi (1):
  qemu: back port patches to fix riscv64 build failure

Colin McAllister (2):
  udev-extraconf: Add collect flag to mount
  busybox: Fix cut with "-s" flag

Guðni Már Gilbert (1):
  bluez5: remove redundant patch for MAX_INPUT

Khem Raj (1):
  gcc: Fix spurious '/' in GLIBC_DYNAMIC_LINKER on microblaze

Mark Hatle (1):
  create-sdpx-2.2.bbclass: Switch from exists to isfile checking
    debugsrc

Pedro Ferreira (2):
  buildhistory: Fix intermittent package file list creation
  buildhistory: Restoring files from preserve list

Peter Marko (1):
  python3: Upgrade 3.12.5 -> 3.12.6

Richard Purdie (1):
  buildhistory: Simplify intercept call sites and drop
    SSTATEPOSTINSTFUNC usage

Siddharth Doshi (1):
  openssl: Upgrade 3.2.2 -> 3.2.3

Steve Sakoman (1):
  Revert "wpa-supplicant: Upgrade 2.10 -> 2.11"

Trevor Gamblin (2):
  python3: upgrade 3.12.4 -> 3.12.5
  python3: skip readline limited history tests

Vijay Anusuri (1):
  libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006

 meta/classes-global/sstate.bbclass            |    5 +-
 meta/classes/buildhistory.bbclass             |   71 +-
 meta/classes/create-spdx-2.2.bbclass          |    3 +-
 .../recipes-connectivity/bind/bind_9.18.28.bb |    2 +-
 meta/recipes-connectivity/bluez5/bluez5.inc   |    1 -
 ...shared-util.c-include-linux-limits.h.patch |   27 -
 .../libpcap/libpcap/CVE-2023-7256-pre1.patch  |   37 +
 .../libpcap/libpcap/CVE-2023-7256.patch       |  365 +++++
 .../libpcap/libpcap/CVE-2024-8006.patch       |   42 +
 .../libpcap/libpcap_1.10.4.bb                 |    7 +-
 ...ke-history-reporting-when-test-fails.patch |    8 +-
 .../openssl/openssl/CVE-2024-5535_1.patch     |  113 --
 .../openssl/openssl/CVE-2024-5535_10.patch    |  203 ---
 .../openssl/openssl/CVE-2024-5535_2.patch     |   43 -
 .../openssl/openssl/CVE-2024-5535_3.patch     |   38 -
 .../openssl/openssl/CVE-2024-5535_4.patch     |   82 --
 .../openssl/openssl/CVE-2024-5535_5.patch     |  176 ---
 .../openssl/openssl/CVE-2024-5535_6.patch     | 1173 -----------------
 .../openssl/openssl/CVE-2024-5535_7.patch     |   43 -
 .../openssl/openssl/CVE-2024-5535_8.patch     |   66 -
 .../openssl/openssl/CVE-2024-5535_9.patch     |  271 ----
 .../{openssl_3.2.2.bb => openssl_3.2.3.bb}    |   14 +-
 ...all-wpa_passphrase-when-not-disabled.patch |   33 +
 ...te-Phase-2-authentication-requiremen.patch |  213 +++
 ...options-for-libwpa_client.so-and-wpa.patch |   73 +
 ...oval-of-wpa_passphrase-on-make-clean.patch |   26 +
 ...plicant_2.11.bb => wpa-supplicant_2.10.bb} |   10 +-
 ...1-cut-Fix-s-flag-to-omit-blank-lines.patch |   66 +
 meta/recipes-core/busybox/busybox_1.36.1.bb   |    1 +
 .../recipes-core/udev/udev-extraconf/mount.sh |    2 +-
 ...AMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch |    6 +-
 ...t_readline-skip-limited-history-test.patch |   38 +
 .../python/python3/CVE-2024-7592.patch        |  143 --
 .../python/python3/CVE-2024-8088.patch        |  128 --
 .../{python3_3.12.4.bb => python3_3.12.6.bb}  |    5 +-
 meta/recipes-devtools/qemu/qemu.inc           |    3 +
 ...kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch |   75 ++
 ...kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch |   73 +
 ...cv-kvm-change-timer-regs-size-to-u64.patch |  107 ++
 39 files changed, 1226 insertions(+), 2566 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.2.bb => openssl_3.2.3.bb} (94%)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
 rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.11.bb => wpa-supplicant_2.10.bb} (90%)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
 create mode 100644 meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
 rename meta/recipes-devtools/python/{python3_3.12.4.bb => python3_3.12.6.bb} (99%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch

-- 
2.34.1

[OE-core][scarthgap 01/16] Revert "wpa-supplicant: Upgrade 2.10 -> 2.11"

[Steve Sakoman]

This version bump adds new features and should not have been taken.

This reverts commit 35c2b5f56bca789b9723a144fda0a130a67a860c.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...all-wpa_passphrase-when-not-disabled.patch |  33 +++
 ...te-Phase-2-authentication-requiremen.patch | 213 ++++++++++++++++++
 ...options-for-libwpa_client.so-and-wpa.patch |  73 ++++++
 ...oval-of-wpa_passphrase-on-make-clean.patch |  26 +++
 ...plicant_2.11.bb => wpa-supplicant_2.10.bb} |  10 +-
 5 files changed, 352 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
 rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.11.bb => wpa-supplicant_2.10.bb} (90%)

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
new file mode 100644
index 0000000000..c04c608bde
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
@@ -0,0 +1,33 @@
+From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 21 Apr 2022 10:15:29 +0100
+Subject: [PATCH] Install wpa_passphrase when not disabled
+
+As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
+built, its not installed during `make install`.
+
+Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
+---
+ wpa_supplicant/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 0bab313f2355..12787c0c7d0f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
+ 
+ install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
+ 	$(MAKE) -C ../src install
++ifndef CONFIG_NO_WPA_PASSPHRASE
++	install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
++endif
+ ifdef CONFIG_BUILD_WPA_CLIENT_SO
+ 	install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
+ 	install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000000..620560d3c7
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,213 @@
+From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2023-52160
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
+
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+
+---
+ src/eap_peer/eap_config.h          |  8 ++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 +++++
+ src/eap_peer/eap_tls_common.h      |  5 ++++
+ wpa_supplicant/wpa_supplicant.conf |  7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 3238f74..047eec2 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df..6080697 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index c1837db..a53eeb1 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac0012..3348634 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ 	 * tls_v13 - Whether TLS v1.3 or newer is used
+ 	 */
+ 	int tls_v13;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 6619d6b..d63f73c 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1321,6 +1321,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
new file mode 100644
index 0000000000..6e930fc98d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
@@ -0,0 +1,73 @@
+From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Tue, 22 Feb 2022 11:52:19 +0300
+Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
+ wpa_passphrase
+
+Commit a41a29192e5d ("build: Pull common fragments into a build.rules
+file") introduced a regression into wpa_supplicant build process. The
+build target libwpa_client.so is not built regardless of whether the
+option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
+this config option is used before it is imported from the configuration
+file. Moving its use after including build.rules does not help: the
+variable ALL is processed by build.rules and further changes are not
+applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
+as expected: wpa_passphrase is always built regardless of whether the
+option is set or not.
+
+Re-enable these options by adding both build targets to _all
+dependencies.
+
+Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66defac7c8..c456825ae75f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1,24 +1,29 @@
+ BINALL=wpa_supplicant wpa_cli
+ 
+-ifndef CONFIG_NO_WPA_PASSPHRASE
+-BINALL += wpa_passphrase
+-endif
+-
+ ALL = $(BINALL)
+ ALL += systemd/wpa_supplicant.service
+ ALL += systemd/wpa_supplicant@.service
+ ALL += systemd/wpa_supplicant-nl80211@.service
+ ALL += systemd/wpa_supplicant-wired@.service
+ ALL += dbus/fi.w1.wpa_supplicant1.service
+-ifdef CONFIG_BUILD_WPA_CLIENT_SO
+-ALL += libwpa_client.so
+-endif
+ 
+ EXTRA_TARGETS=dynamic_eap_methods
+ 
+ CONFIG_FILE=.config
+ include ../src/build.rules
+ 
++ifdef CONFIG_BUILD_WPA_CLIENT_SO
++# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
++# being set in the config which is read by build.rules
++_all: libwpa_client.so
++endif
++
++ifndef CONFIG_NO_WPA_PASSPHRASE
++# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
++# being set in the config which is read by build.rules
++_all: wpa_passphrase
++endif
++
+ ifdef LIBS
+ # If LIBS is set with some global build system defaults, clone those for
+ # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
new file mode 100644
index 0000000000..53b0fcdf53
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
@@ -0,0 +1,26 @@
+From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 3 Mar 2022 13:26:42 +0200
+Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
+
+Fixes: 0430bc8267b4 ("build: Add a common-clean target")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index c456825ae75f..4b4688931b1d 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -2077,3 +2077,4 @@ clean: common-clean
+ 	rm -f libwpa_client.a
+ 	rm -f libwpa_client.so
+ 	rm -f libwpa_test1 libwpa_test2
++	rm -f wpa_passphrase
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
similarity index 90%
rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index 03e4571cfb..22028ce957 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/"
 SECTION = "network"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
-                    file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
+                    file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
 
 DEPENDS = "dbus libnl"
 
@@ -15,8 +15,12 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://wpa_supplicant.conf \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
+           file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
+           file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
+           file://0001-Install-wpa_passphrase-when-not-disabled.patch \
+           file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
            "
-SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
+SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
 
 S = "${WORKDIR}/wpa_supplicant-${PV}"
 
-- 
2.34.1

[OE-core][scarthgap 02/16] libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Reference:
https://security-tracker.debian.org/tracker/CVE-2023-7256
https://security-tracker.debian.org/tracker/CVE-2024-8006

Upstream commits:
https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f
https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d
https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libpcap/libpcap/CVE-2023-7256-pre1.patch  |  37 ++
 .../libpcap/libpcap/CVE-2023-7256.patch       | 365 ++++++++++++++++++
 .../libpcap/libpcap/CVE-2024-8006.patch       |  42 ++
 .../libpcap/libpcap_1.10.4.bb                 |   7 +-
 4 files changed, 450 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch

diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
new file mode 100644
index 0000000000..64abfb85cd
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
@@ -0,0 +1,37 @@
+From 73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Tue, 16 May 2023 12:37:11 -0400
+Subject: [PATCH] Remove unused variable retval in sock_present2network
+
+This quiets the compiler since it is not even returned anyway, and is a misleading variable name.
+
+(cherry picked from commit c7b90298984c46d820d3cee79a96d24870b5f200)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f]
+CVE: CVE-2023-7256 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index 1c07f76fd1..6752f296af 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -2082,7 +2082,6 @@ int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *addres
+  */
+ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, int addr_family, char *errbuf, int errbuflen)
+ {
+-	int retval;
+ 	struct addrinfo *addrinfo;
+ 	struct addrinfo hints;
+ 
+@@ -2090,7 +2089,7 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if ((retval = sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen)) == -1)
++	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
new file mode 100644
index 0000000000..fffcb2704a
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
@@ -0,0 +1,365 @@
+From 2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 28 Sep 2023 00:37:57 -0700
+Subject: [PATCH] Have sock_initaddress() return the list of addrinfo
+ structures or NULL.
+
+Its return address is currently 0 for success and -1 for failure, with a
+pointer to the first element of the list of struct addrinfos returned
+through a pointer on success; change it to return that pointer on
+success and NULL on failure.
+
+That way, we don't have to worry about what happens to the pointer
+pointeed to by the argument in question on failure; we know that we got
+NULL back if no struct addrinfos were found because getaddrinfo()
+failed.  Thus, we know that we have something to free iff
+sock_initaddress() returned a pointer to that something rather than
+returning NULL.
+
+This avoids a double-free in some cases.
+
+This is apparently CVE-2023-40400.
+
+(backported from commit 262e4f34979872d822ccedf9f318ed89c4d31c03)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d]
+CVE: CVE-2023-7256
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c    | 48 ++++++++++++++++++++--------------------
+ rpcapd/daemon.c |  8 +++++--
+ rpcapd/rpcapd.c |  8 +++++--
+ sockutils.c     | 58 ++++++++++++++++++++++++++++---------------------
+ sockutils.h     |  5 ++---
+ 5 files changed, 72 insertions(+), 55 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index ef0cd6e49c..f1992e4aea 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1024,7 +1024,6 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ {
+ 	struct activehosts *temp;			/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	/* retrieve the network address corresponding to 'host' */
+ 	addrinfo = NULL;
+@@ -1032,9 +1031,9 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		*error = 1;
+ 		return NULL;
+@@ -1186,7 +1185,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 		hints.ai_flags = AI_PASSIVE;	/* Data connection is opened by the server toward the client */
+ 
+ 		/* Let's the server pick up a free network port for us */
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error_nodiscard;
+ 
+ 		if ((sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER,
+@@ -1311,7 +1312,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 			snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+ 
+ 			/* Let's the server pick up a free network port for us */
+-			if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++			addrinfo = sock_initaddress(host, portstring, &hints,
++			    fp->errbuf, PCAP_ERRBUF_SIZE);
++			if (addrinfo == NULL)
+ 				goto error;
+ 
+ 			if ((sockdata = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2340,16 +2343,16 @@ rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
+ 		if (port[0] == 0)
+ 		{
+ 			/* the user chose not to specify the port */
+-			if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
+-			    &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
++			    &hints, errbuf, PCAP_ERRBUF_SIZE);
+ 		}
+ 		else
+ 		{
+-			if (sock_initaddress(host, port, &hints, &addrinfo,
+-			    errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, port, &hints,
++			    errbuf, PCAP_ERRBUF_SIZE);
+ 		}
++		if (addrinfo == NULL)
++			return -1;
+ 
+ 		if ((*sockctrlp = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0,
+ 		    errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2950,19 +2953,19 @@ SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const cha
+ 	/* Do the work */
+ 	if ((port == NULL) || (port[0] == 0))
+ 	{
+-		if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address,
++		    RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
+ 	}
+ 	else
+ 	{
+-		if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address, port, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
++	}
++	if (addrinfo == NULL)
++	{
++		return (SOCKET)-2;
+ 	}
+-
+ 
+ 	if ((sockmain = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+ 	{
+@@ -3122,7 +3125,6 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ {
+ 	struct activehosts *temp, *prev;	/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	temp = activeHosts;
+ 	prev = NULL;
+@@ -3133,9 +3135,9 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		return -1;
+ 	}
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 8d620dd604..b04b29f107 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2085,7 +2085,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 			goto error;
+ 		}
+ 
+-		if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(peerhost, portdata, &hints,
++		    errmsgbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(peerhost, addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2096,7 +2098,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 		hints.ai_flags = AI_PASSIVE;
+ 
+ 		// Make the server socket pick up a free network port for us
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, errmsgbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c
+index e1f3f05299..d166522c9f 100644
+--- a/rpcapd/rpcapd.c
++++ b/rpcapd/rpcapd.c
+@@ -611,7 +611,9 @@ void main_startup(void)
+ 		//
+ 		// Get a list of sockets on which to listen.
+ 		//
+-		if (sock_initaddress((address[0]) ? address : NULL, port, &mainhints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress((address[0]) ? address : NULL,
++		    port, &mainhints, errbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 		{
+ 			rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 			return;
+@@ -1350,7 +1352,9 @@ main_active(void *ptr)
+ 	memset(errbuf, 0, sizeof(errbuf));
+ 
+ 	// Do the work
+-	if (sock_initaddress(activepars->address, activepars->port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++	addrinfo = sock_initaddress(activepars->address, activepars->port,
++	    &hints, errbuf, PCAP_ERRBUF_SIZE);
++	if (addrinfo == NULL)
+ 	{
+ 		rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 		return 0;
+diff --git a/sockutils.c b/sockutils.c
+index a1bfa1b5e2..823c2363e0 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -1069,20 +1069,21 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+  * \param errbuflen: length of the buffer that will contains the error. The error message cannot be
+  * larger than 'errbuflen - 1' because the last char is reserved for the string terminator.
+  *
+- * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
+- * in the 'errbuf' variable. The addrinfo variable that has to be used in the following sockets calls is
+- * returned into the addrinfo parameter.
++ * \return a pointer to the first element in a list of addrinfo structures
++ * if everything is fine, NULL if some errors occurred. The error message
++ * is returned in the 'errbuf' variable.
+  *
+- * \warning The 'addrinfo' variable has to be deleted by the programmer by calling freeaddrinfo() when
+- * it is no longer needed.
++ * \warning The list of addrinfo structures returned has to be deleted by
++ * the programmer by calling freeaddrinfo() when it is no longer needed.
+  *
+  * \warning This function requires the 'hints' variable as parameter. The semantic of this variable is the same
+  * of the one of the corresponding variable used into the standard getaddrinfo() socket function. We suggest
+  * the programmer to look at that function in order to set the 'hints' variable appropriately.
+  */
+-int sock_initaddress(const char *host, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen)
++struct addrinfo *sock_initaddress(const char *host, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen)
+ {
++	struct addrinfo *addrinfo;
+ 	int retval;
+ 
+ 	/*
+@@ -1094,9 +1095,13 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * as those messages won't talk about a problem with the port if
+ 	 * no port was specified.
+ 	 */
+-	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
++	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, &addrinfo);
+ 	if (retval != 0)
+ 	{
++		/*
++		 * That call failed.
++		 * Determine whether the problem is that the host is bad.
++		 */
+ 		if (errbuf)
+ 		{
+ 			if (host != NULL && port != NULL) {
+@@ -1108,7 +1113,7 @@ int sock_initaddress(const char *host, const char *port,
+ 				int try_retval;
+ 
+ 				try_retval = getaddrinfo(host, NULL, hints,
+-				    addrinfo);
++				    &addrinfo);
+ 				if (try_retval == 0) {
+ 					/*
+ 					 * Worked with just the host,
+@@ -1117,14 +1122,16 @@ int sock_initaddress(const char *host, const char *port,
+ 					 *
+ 					 * Free up the address info first.
+ 					 */
+-					freeaddrinfo(*addrinfo);
++					freeaddrinfo(addrinfo);
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, NULL, port);
+ 				} else {
+ 					/*
+ 					 * Didn't work with just the host,
+ 					 * so assume the problem is
+-					 * with the host.
++					 * with the host; we assume
++					 * the original error indicates
++					 * the underlying problem.
+ 					 */
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, host, NULL);
+@@ -1132,13 +1139,14 @@ int sock_initaddress(const char *host, const char *port,
+ 			} else {
+ 				/*
+ 				 * Either the host or port was null, so
+-				 * there's nothing to determine.
++				 * there's nothing to determine; report
++				 * the error from the original call.
+ 				 */
+ 				get_gai_errstring(errbuf, errbuflen, "",
+ 				    retval, host, port);
+ 			}
+ 		}
+-		return -1;
++		return NULL;
+ 	}
+ 	/*
+ 	 * \warning SOCKET: I should check all the accept() in order to bind to all addresses in case
+@@ -1153,30 +1161,28 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * ignore all addresses that are neither?  (What, no IPX
+ 	 * support? :-))
+ 	 */
+-	if (((*addrinfo)->ai_family != PF_INET) &&
+-	    ((*addrinfo)->ai_family != PF_INET6))
++	if ((addrinfo->ai_family != PF_INET) &&
++	    (addrinfo->ai_family != PF_INET6))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): socket type not supported");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+ 	/*
+ 	 * You can't do multicast (or broadcast) TCP.
+ 	 */
+-	if (((*addrinfo)->ai_socktype == SOCK_STREAM) &&
+-	    (sock_ismcastaddr((*addrinfo)->ai_addr) == 0))
++	if ((addrinfo->ai_socktype == SOCK_STREAM) &&
++	    (sock_ismcastaddr(addrinfo->ai_addr) == 0))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): multicast addresses are not valid when using TCP streams");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+-	return 0;
++	return addrinfo;
+ }
+ 
+ /*
+@@ -2089,7 +2095,9 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
++	addrinfo = sock_initaddress(address, "22222" /* fake port */, &hints,
++	    errbuf, errbuflen);
++	if (addrinfo == NULL)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)
+diff --git a/sockutils.h b/sockutils.h
+index a488d8fcb4..30b8cfe0b7 100644
+--- a/sockutils.h
++++ b/sockutils.h
+@@ -138,9 +138,8 @@ void sock_fmterrmsg(char *errbuf, size_t errbuflen, int errcode,
+     PCAP_FORMAT_STRING(const char *fmt), ...) PCAP_PRINTFLIKE(4, 5);
+ void sock_geterrmsg(char *errbuf, size_t errbuflen,
+     PCAP_FORMAT_STRING(const char *fmt), ...)  PCAP_PRINTFLIKE(3, 4);
+-int sock_initaddress(const char *address, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo,
+-    char *errbuf, int errbuflen);
++struct addrinfo *sock_initaddress(const char *address, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen);
+ int sock_recv(SOCKET sock, SSL *, void *buffer, size_t size, int receiveall,
+     char *errbuf, int errbuflen);
+ int sock_recv_dgram(SOCKET sock, SSL *, void *buffer, size_t size,
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
new file mode 100644
index 0000000000..6819aedd20
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
@@ -0,0 +1,42 @@
+From 8a633ee5b9ecd9d38a587ac9b204e2380713b0d6 Mon Sep 17 00:00:00 2001
+From: Nicolas Badoux <n.badoux@hotmail.com>
+Date: Mon, 19 Aug 2024 12:31:53 +0200
+Subject: [PATCH] makes pcap_findalldevs_ex errors out if the directory does
+ not exist
+
+(backported from commit 0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6]
+CVE: CVE-2024-8006
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-new.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/pcap-new.c b/pcap-new.c
+index be91b3f8db..d449ee623c 100644
+--- a/pcap-new.c
++++ b/pcap-new.c
+@@ -230,6 +230,13 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ #else
+ 		/* opening the folder */
+ 		unixdir= opendir(path);
++		if (unixdir == NULL) {
++			DIAG_OFF_FORMAT_TRUNCATION
++			snprintf(errbuf, PCAP_ERRBUF_SIZE,
++			    "Error when listing files: does folder '%s' exist?", path);
++			DIAG_ON_FORMAT_TRUNCATION
++			return -1;
++		}
+ 
+ 		/* get the first file into it */
+ 		filedata= readdir(unixdir);
+@@ -237,7 +244,7 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ 		if (filedata == NULL)
+ 		{
+ 			DIAG_OFF_FORMAT_TRUNCATION
+-			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path);
++			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path);
+ 			DIAG_ON_FORMAT_TRUNCATION
+ 			closedir(unixdir);
+ 			return -1;
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
index 166654e280..36eb4bca75 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
@@ -10,7 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
+           file://CVE-2023-7256-pre1.patch \
+           file://CVE-2023-7256.patch \
+           file://CVE-2024-8006.patch \
+          "
+
 SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"
 
 inherit autotools binconfig-disabled pkgconfig
-- 
2.34.1

[OE-core][scarthgap 03/16] openssl: Upgrade 3.2.2 -> 3.2.3

[Steve Sakoman]

From: Siddharth Doshi <sdoshi@mvista.com>

Updated SRC_URI link and format due to change in openssl website.

CVE's Fixed by upgrade:
CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto().
CVE-2024-6119: Fixed possible denial of service in X.509 name checks

- Removed backports of CVE-2024-5535 as it is already fixed.
- Removed first hunk of 0001-Added-handshake-history-reporting-when-test-fails.patch as the copyright years are already updated in test/helpers/handshake.c file

Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-322-and-323-3-sep-2024

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ke-history-reporting-when-test-fails.patch |    8 +-
 .../openssl/openssl/CVE-2024-5535_1.patch     |  113 --
 .../openssl/openssl/CVE-2024-5535_10.patch    |  203 ---
 .../openssl/openssl/CVE-2024-5535_2.patch     |   43 -
 .../openssl/openssl/CVE-2024-5535_3.patch     |   38 -
 .../openssl/openssl/CVE-2024-5535_4.patch     |   82 --
 .../openssl/openssl/CVE-2024-5535_5.patch     |  176 ---
 .../openssl/openssl/CVE-2024-5535_6.patch     | 1173 -----------------
 .../openssl/openssl/CVE-2024-5535_7.patch     |   43 -
 .../openssl/openssl/CVE-2024-5535_8.patch     |   66 -
 .../openssl/openssl/CVE-2024-5535_9.patch     |  271 ----
 .../{openssl_3.2.2.bb => openssl_3.2.3.bb}    |   14 +-
 12 files changed, 3 insertions(+), 2227 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.2.bb => openssl_3.2.3.bb} (94%)

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index aa2e5bb800..9baa0c2d75 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] Added handshake history reporting when test fails
 Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
 
 Signed-off-by: William Lyu <William.Lyu@windriver.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
  test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
  test/helpers/handshake.h |  70 +++++++++++++++++++-
@@ -16,13 +17,6 @@ diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
 index e0422469e4..ae2ad59dd4 100644
 --- a/test/helpers/handshake.c
 +++ b/test/helpers/handshake.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
 @@ -24,6 +24,102 @@
  #include <netinet/sctp.h>
  #endif
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
deleted file mode 100644
index d5c178eeab..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 01/10] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 016135f..cf52b31 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
deleted file mode 100644
index 7cc36f20ab..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From 61cad53901703944d22f1cd6a1b57460f2270599 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 14:29:26 +0100
-Subject: [PATCH 10/10] Add a test for an empty NextProto message
-
-It is valid according to the spec for a NextProto message to have no
-protocols listed in it. The OpenSSL implementation however does not allow
-us to create such a message. In order to check that we work as expected
-when communicating with a client that does generate such messages we have
-to use a TLSProxy test.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/301b870546d1c7b2d8f0d66e04a2596142f0399f]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/recipes/70-test_npn.t      | 73 +++++++++++++++++++++++++++++++++
- util/perl/TLSProxy/Message.pm   |  9 ++++
- util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
- util/perl/TLSProxy/Proxy.pm     |  1 +
- 4 files changed, 137 insertions(+)
- create mode 100644 test/recipes/70-test_npn.t
- create mode 100644 util/perl/TLSProxy/NextProto.pm
-
-diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
-new file mode 100644
-index 0000000..f82e71a
---- /dev/null
-+++ b/test/recipes/70-test_npn.t
-@@ -0,0 +1,73 @@
-+#! /usr/bin/env perl
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
-+use OpenSSL::Test::Utils;
-+
-+use TLSProxy::Proxy;
-+
-+my $test_name = "test_npn";
-+setup($test_name);
-+
-+plan skip_all => "TLSProxy isn't usable on $^O"
-+    if $^O =~ /^(VMS)$/;
-+
-+plan skip_all => "$test_name needs the dynamic engine feature enabled"
-+    if disabled("engine") || disabled("dynamic-engine");
-+
-+plan skip_all => "$test_name needs the sock feature enabled"
-+    if disabled("sock");
-+
-+plan skip_all => "$test_name needs NPN enabled"
-+    if disabled("nextprotoneg");
-+
-+plan skip_all => "$test_name needs TLSv1.2 enabled"
-+    if disabled("tls1_2");
-+
-+my $proxy = TLSProxy::Proxy->new(
-+    undef,
-+    cmdstr(app(["openssl"]), display => 1),
-+    srctop_file("apps", "server.pem"),
-+    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-+);
-+
-+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-+plan tests => 1;
-+
-+my $npnseen = 0;
-+
-+# Test 1: Check sending an empty NextProto message from the client works. This is
-+#         valid as per the spec, but OpenSSL does not allow you to send it.
-+#         Therefore we must be prepared to receive such a message but we cannot
-+#         generate it except via TLSProxy
-+$proxy->clear();
-+$proxy->filter(\&npn_filter);
-+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
-+$proxy->serverflags("-nextprotoneg foo");
-+$proxy->start();
-+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
-+
-+sub npn_filter
-+{
-+    my $proxy = shift;
-+    my $message;
-+
-+    # The NextProto message always appears in flight 2
-+    return if $proxy->flight != 2;
-+
-+    foreach my $message (@{$proxy->message_list}) {
-+        if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
-+            # Our TLSproxy NextProto message support doesn't support parsing of
-+            # the message. If we repack it just creates an empty NextProto
-+            # message - which is exactly the scenario we want to test here.
-+            $message->repack();
-+            $npnseen = 1;
-+        }
-+    }
-+}
-diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
-index ce22187..fb41b2f 100644
---- a/util/perl/TLSProxy/Message.pm
-+++ b/util/perl/TLSProxy/Message.pm
-@@ -384,6 +384,15 @@ sub create_message
-             [@message_frag_lens]
-         );
-         $message->parse();
-+    }  elsif ($mt == MT_NEXT_PROTO) {
-+        $message = TLSProxy::NextProto->new(
-+            $server,
-+            $data,
-+            [@message_rec_list],
-+            $startoffset,
-+            [@message_frag_lens]
-+        );
-+        $message->parse();
-     } else {
-         #Unknown message type
-         $message = TLSProxy::Message->new(
-diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
-new file mode 100644
-index 0000000..0e18347
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+    my $class = shift;
-+    my ($server,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens) = @_;
-+
-+    my $self = $class->SUPER::new(
-+        $server,
-+        TLSProxy::Message::MT_NEXT_PROTO,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens);
-+
-+    return $self;
-+}
-+
-+sub parse
-+{
-+    # We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+    my $self = shift;
-+    my $data;
-+
-+    $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00);
-+    $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10ec..b707722 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
- 
- my $have_IPv6;
- my $IP_factory;
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
deleted file mode 100644
index 768304f00b..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 6de1d37cd129b0af5b4a247c76f97b98e70b108b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/015255851371757d54c2560643eb3b3a88123cf1]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 381a6c9..1ab3c13 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-     if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
-                                 &selected, &selected_len,
-                                 PACKET_data(pkt), PACKET_remaining(pkt),
--                                sctx->ext.npn_select_cb_arg) !=
--             SSL_TLSEXT_ERR_OK) {
-+                                sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
-+            || selected_len == 0) {
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
deleted file mode 100644
index d6d4d869be..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 4f9334a33da89949f97927c8fe7df1003c42cda4 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:22:13 +0100
-Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
-
-The QUIC test server was using incorrectly formatted ALPN data. With the
-previous implementation of SSL_select_next_proto this went unnoticed. With
-the new stricter implemenation it was failing.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/6cc511826f09e513b4ec066d9b95acaf4f86d991]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/quic/quic_tserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
-index 86187d0..15694e7 100644
---- a/ssl/quic/quic_tserver.c
-+++ b/ssl/quic/quic_tserver.c
-@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
- 
-     if (srv->args.alpn == NULL) {
-         alpn = alpndeflt;
--        alpnlen = sizeof(alpn);
-+        alpnlen = sizeof(alpndeflt);
-     } else {
-         alpn = srv->args.alpn;
-         alpnlen = srv->args.alpnlen;
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
deleted file mode 100644
index 03fc1168f9..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 5145a1f50e44c9f86127a76f01519a9f25157290 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/8e81c57adbbf703dfb63955f65599765fdacc741]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 05fee2f..79e1a25 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
- 
- =back
- 
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
deleted file mode 100644
index e439d9b59a..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From 01d44bc7f50670002cad495654fd99a6371d7662 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/add5c52a25c549cec4a730cdf96e2252f0a1862d]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index ce16332..15cb906 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
-     return testresult;
- }
- 
-+static struct next_proto_st {
-+    int serverlen;
-+    unsigned char server[40];
-+    int clientlen;
-+    unsigned char client[40];
-+    int expected_ret;
-+    size_t selectedlen;
-+    unsigned char selected[40];
-+} next_proto_tests[] = {
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'b', 'c', 'd' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        0, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        -1, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        0, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        -1, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        3, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        3, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+    struct next_proto_st *np = &next_proto_tests[idx];
-+    int ret = 0;
-+    unsigned char *out, *client, *server;
-+    unsigned char outlen;
-+    unsigned int clientlen, serverlen;
-+
-+    if (np->clientlen == -1) {
-+        client = NULL;
-+        clientlen = 0;
-+    } else {
-+        client = np->client;
-+        clientlen = (unsigned int)np->clientlen;
-+    }
-+    if (np->serverlen == -1) {
-+        server = NULL;
-+        serverlen = 0;
-+    } else {
-+        server = np->server;
-+        serverlen = (unsigned int)np->serverlen;
-+    }
-+
-+    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+                                           client, clientlen),
-+                     np->expected_ret))
-+        goto err;
-+
-+    if (np->selectedlen == 0) {
-+        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+            goto err;
-+    } else {
-+        if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+            goto err;
-+    }
-+
-+    ret = 1;
-+ err:
-+    return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -12053,6 +12189,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(test_handshake_retry, 16);
-     ADD_TEST(test_data_retry);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-+    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-     return 1;
- 
-  err:
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
deleted file mode 100644
index df24702fa6..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
+++ /dev/null
@@ -1,1173 +0,0 @@
-From e344d0b5860560ffa59415ea4028ba7760b2a773 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 4 Jun 2024 15:47:32 +0100
-Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests
-
-Allow ourselves to configure an empty NPN/ALPN protocol list and test what
-happens if we do.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/helpers/handshake.c      |   6 +
- test/ssl-tests/08-npn.cnf     | 553 +++++++++++++++++++---------------
- test/ssl-tests/08-npn.cnf.in  |  35 +++
- test/ssl-tests/09-alpn.cnf    |  66 +++-
- test/ssl-tests/09-alpn.cnf.in |  33 ++
- 5 files changed, 449 insertions(+), 244 deletions(-)
-
-diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index ae2ad59..b66b2f5 100644
---- a/test/helpers/handshake.c
-+++ b/test/helpers/handshake.c
-@@ -444,6 +444,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen)
- 
-     len = strlen(protos);
- 
-+    if (len == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return 1;
-+    }
-+
-     /* Should never have reuse. */
-     if (!TEST_ptr_null(*out)
-             /* Test values are small, so we omit length limit checks. */
-diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf
-index f38b3f6..1931d02 100644
---- a/test/ssl-tests/08-npn.cnf
-+++ b/test/ssl-tests/08-npn.cnf
-@@ -1,6 +1,6 @@
- # Generated with generate_ssl_tests.pl
- 
--num_tests = 20
-+num_tests = 22
- 
- test-0 = 0-npn-simple
- test-1 = 1-npn-client-finds-match
-@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref
- test-3 = 3-npn-client-first-pref-on-mismatch
- test-4 = 4-npn-no-server-support
- test-5 = 5-npn-no-client-support
--test-6 = 6-npn-with-sni-no-context-switch
--test-7 = 7-npn-with-sni-context-switch
--test-8 = 8-npn-selected-sni-server-supports-npn
--test-9 = 9-npn-selected-sni-server-does-not-support-npn
--test-10 = 10-alpn-preferred-over-npn
--test-11 = 11-sni-npn-preferred-over-alpn
--test-12 = 12-npn-simple-resumption
--test-13 = 13-npn-server-switch-resumption
--test-14 = 14-npn-client-switch-resumption
--test-15 = 15-npn-client-first-pref-on-mismatch-resumption
--test-16 = 16-npn-no-server-support-resumption
--test-17 = 17-npn-no-client-support-resumption
--test-18 = 18-alpn-preferred-over-npn-resumption
--test-19 = 19-npn-used-if-alpn-not-supported-resumption
-+test-6 = 6-npn-empty-client-list
-+test-7 = 7-npn-empty-server-list
-+test-8 = 8-npn-with-sni-no-context-switch
-+test-9 = 9-npn-with-sni-context-switch
-+test-10 = 10-npn-selected-sni-server-supports-npn
-+test-11 = 11-npn-selected-sni-server-does-not-support-npn
-+test-12 = 12-alpn-preferred-over-npn
-+test-13 = 13-sni-npn-preferred-over-alpn
-+test-14 = 14-npn-simple-resumption
-+test-15 = 15-npn-server-switch-resumption
-+test-16 = 16-npn-client-switch-resumption
-+test-17 = 17-npn-client-first-pref-on-mismatch-resumption
-+test-18 = 18-npn-no-server-support-resumption
-+test-19 = 19-npn-no-client-support-resumption
-+test-20 = 20-alpn-preferred-over-npn-resumption
-+test-21 = 21-npn-used-if-alpn-not-supported-resumption
- # ===========================================================
- 
- [0-npn-simple]
-@@ -206,253 +208,318 @@ NPNProtocols = foo
- 
- # ===========================================================
- 
--[6-npn-with-sni-no-context-switch]
--ssl_conf = 6-npn-with-sni-no-context-switch-ssl
-+[6-npn-empty-client-list]
-+ssl_conf = 6-npn-empty-client-list-ssl
- 
--[6-npn-with-sni-no-context-switch-ssl]
--server = 6-npn-with-sni-no-context-switch-server
--client = 6-npn-with-sni-no-context-switch-client
--server2 = 6-npn-with-sni-no-context-switch-server2
-+[6-npn-empty-client-list-ssl]
-+server = 6-npn-empty-client-list-server
-+client = 6-npn-empty-client-list-client
- 
--[6-npn-with-sni-no-context-switch-server]
-+[6-npn-empty-client-list-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[6-npn-with-sni-no-context-switch-server2]
-+[6-npn-empty-client-list-client]
-+CipherString = DEFAULT
-+MaxProtocol = TLSv1.2
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-6]
-+ExpectedClientAlert = HandshakeFailure
-+ExpectedResult = ClientFail
-+server = 6-npn-empty-client-list-server-extra
-+client = 6-npn-empty-client-list-client-extra
-+
-+[6-npn-empty-client-list-server-extra]
-+NPNProtocols = foo
-+
-+[6-npn-empty-client-list-client-extra]
-+NPNProtocols = 
-+
-+
-+# ===========================================================
-+
-+[7-npn-empty-server-list]
-+ssl_conf = 7-npn-empty-server-list-ssl
-+
-+[7-npn-empty-server-list-ssl]
-+server = 7-npn-empty-server-list-server
-+client = 7-npn-empty-server-list-client
-+
-+[7-npn-empty-server-list-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[6-npn-with-sni-no-context-switch-client]
-+[7-npn-empty-server-list-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-6]
-+[test-7]
-+ExpectedNPNProtocol = foo
-+server = 7-npn-empty-server-list-server-extra
-+client = 7-npn-empty-server-list-client-extra
-+
-+[7-npn-empty-server-list-server-extra]
-+NPNProtocols = 
-+
-+[7-npn-empty-server-list-client-extra]
-+NPNProtocols = foo
-+
-+
-+# ===========================================================
-+
-+[8-npn-with-sni-no-context-switch]
-+ssl_conf = 8-npn-with-sni-no-context-switch-ssl
-+
-+[8-npn-with-sni-no-context-switch-ssl]
-+server = 8-npn-with-sni-no-context-switch-server
-+client = 8-npn-with-sni-no-context-switch-client
-+server2 = 8-npn-with-sni-no-context-switch-server2
-+
-+[8-npn-with-sni-no-context-switch-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[8-npn-with-sni-no-context-switch-server2]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[8-npn-with-sni-no-context-switch-client]
-+CipherString = DEFAULT
-+MaxProtocol = TLSv1.2
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-8]
- ExpectedNPNProtocol = foo
- ExpectedServerName = server1
--server = 6-npn-with-sni-no-context-switch-server-extra
--server2 = 6-npn-with-sni-no-context-switch-server2-extra
--client = 6-npn-with-sni-no-context-switch-client-extra
-+server = 8-npn-with-sni-no-context-switch-server-extra
-+server2 = 8-npn-with-sni-no-context-switch-server2-extra
-+client = 8-npn-with-sni-no-context-switch-client-extra
- 
--[6-npn-with-sni-no-context-switch-server-extra]
-+[8-npn-with-sni-no-context-switch-server-extra]
- NPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
- 
--[6-npn-with-sni-no-context-switch-server2-extra]
-+[8-npn-with-sni-no-context-switch-server2-extra]
- NPNProtocols = bar
- 
--[6-npn-with-sni-no-context-switch-client-extra]
-+[8-npn-with-sni-no-context-switch-client-extra]
- NPNProtocols = foo,bar
- ServerName = server1
- 
- 
- # ===========================================================
- 
--[7-npn-with-sni-context-switch]
--ssl_conf = 7-npn-with-sni-context-switch-ssl
-+[9-npn-with-sni-context-switch]
-+ssl_conf = 9-npn-with-sni-context-switch-ssl
- 
--[7-npn-with-sni-context-switch-ssl]
--server = 7-npn-with-sni-context-switch-server
--client = 7-npn-with-sni-context-switch-client
--server2 = 7-npn-with-sni-context-switch-server2
-+[9-npn-with-sni-context-switch-ssl]
-+server = 9-npn-with-sni-context-switch-server
-+client = 9-npn-with-sni-context-switch-client
-+server2 = 9-npn-with-sni-context-switch-server2
- 
--[7-npn-with-sni-context-switch-server]
-+[9-npn-with-sni-context-switch-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[7-npn-with-sni-context-switch-server2]
-+[9-npn-with-sni-context-switch-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[7-npn-with-sni-context-switch-client]
-+[9-npn-with-sni-context-switch-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-7]
-+[test-9]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 7-npn-with-sni-context-switch-server-extra
--server2 = 7-npn-with-sni-context-switch-server2-extra
--client = 7-npn-with-sni-context-switch-client-extra
-+server = 9-npn-with-sni-context-switch-server-extra
-+server2 = 9-npn-with-sni-context-switch-server2-extra
-+client = 9-npn-with-sni-context-switch-client-extra
- 
--[7-npn-with-sni-context-switch-server-extra]
-+[9-npn-with-sni-context-switch-server-extra]
- NPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
- 
--[7-npn-with-sni-context-switch-server2-extra]
-+[9-npn-with-sni-context-switch-server2-extra]
- NPNProtocols = bar
- 
--[7-npn-with-sni-context-switch-client-extra]
-+[9-npn-with-sni-context-switch-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
- 
- 
- # ===========================================================
- 
--[8-npn-selected-sni-server-supports-npn]
--ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
-+[10-npn-selected-sni-server-supports-npn]
-+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
- 
--[8-npn-selected-sni-server-supports-npn-ssl]
--server = 8-npn-selected-sni-server-supports-npn-server
--client = 8-npn-selected-sni-server-supports-npn-client
--server2 = 8-npn-selected-sni-server-supports-npn-server2
-+[10-npn-selected-sni-server-supports-npn-ssl]
-+server = 10-npn-selected-sni-server-supports-npn-server
-+client = 10-npn-selected-sni-server-supports-npn-client
-+server2 = 10-npn-selected-sni-server-supports-npn-server2
- 
--[8-npn-selected-sni-server-supports-npn-server]
-+[10-npn-selected-sni-server-supports-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[8-npn-selected-sni-server-supports-npn-server2]
-+[10-npn-selected-sni-server-supports-npn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[8-npn-selected-sni-server-supports-npn-client]
-+[10-npn-selected-sni-server-supports-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-8]
-+[test-10]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 8-npn-selected-sni-server-supports-npn-server-extra
--server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
--client = 8-npn-selected-sni-server-supports-npn-client-extra
-+server = 10-npn-selected-sni-server-supports-npn-server-extra
-+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
-+client = 10-npn-selected-sni-server-supports-npn-client-extra
- 
--[8-npn-selected-sni-server-supports-npn-server-extra]
-+[10-npn-selected-sni-server-supports-npn-server-extra]
- ServerNameCallback = IgnoreMismatch
- 
--[8-npn-selected-sni-server-supports-npn-server2-extra]
-+[10-npn-selected-sni-server-supports-npn-server2-extra]
- NPNProtocols = bar
- 
--[8-npn-selected-sni-server-supports-npn-client-extra]
-+[10-npn-selected-sni-server-supports-npn-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
- 
- 
- # ===========================================================
- 
--[9-npn-selected-sni-server-does-not-support-npn]
--ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
-+[11-npn-selected-sni-server-does-not-support-npn]
-+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
- 
--[9-npn-selected-sni-server-does-not-support-npn-ssl]
--server = 9-npn-selected-sni-server-does-not-support-npn-server
--client = 9-npn-selected-sni-server-does-not-support-npn-client
--server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
-+[11-npn-selected-sni-server-does-not-support-npn-ssl]
-+server = 11-npn-selected-sni-server-does-not-support-npn-server
-+client = 11-npn-selected-sni-server-does-not-support-npn-client
-+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
- 
--[9-npn-selected-sni-server-does-not-support-npn-server]
-+[11-npn-selected-sni-server-does-not-support-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[9-npn-selected-sni-server-does-not-support-npn-server2]
-+[11-npn-selected-sni-server-does-not-support-npn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[9-npn-selected-sni-server-does-not-support-npn-client]
-+[11-npn-selected-sni-server-does-not-support-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-9]
-+[test-11]
- ExpectedServerName = server2
--server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
--client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
-+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
-+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
- 
--[9-npn-selected-sni-server-does-not-support-npn-server-extra]
-+[11-npn-selected-sni-server-does-not-support-npn-server-extra]
- NPNProtocols = bar
- ServerNameCallback = IgnoreMismatch
- 
--[9-npn-selected-sni-server-does-not-support-npn-client-extra]
-+[11-npn-selected-sni-server-does-not-support-npn-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
- 
- 
- # ===========================================================
- 
--[10-alpn-preferred-over-npn]
--ssl_conf = 10-alpn-preferred-over-npn-ssl
-+[12-alpn-preferred-over-npn]
-+ssl_conf = 12-alpn-preferred-over-npn-ssl
- 
--[10-alpn-preferred-over-npn-ssl]
--server = 10-alpn-preferred-over-npn-server
--client = 10-alpn-preferred-over-npn-client
-+[12-alpn-preferred-over-npn-ssl]
-+server = 12-alpn-preferred-over-npn-server
-+client = 12-alpn-preferred-over-npn-client
- 
--[10-alpn-preferred-over-npn-server]
-+[12-alpn-preferred-over-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[10-alpn-preferred-over-npn-client]
-+[12-alpn-preferred-over-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-10]
-+[test-12]
- ExpectedALPNProtocol = foo
--server = 10-alpn-preferred-over-npn-server-extra
--client = 10-alpn-preferred-over-npn-client-extra
-+server = 12-alpn-preferred-over-npn-server-extra
-+client = 12-alpn-preferred-over-npn-client-extra
- 
--[10-alpn-preferred-over-npn-server-extra]
-+[12-alpn-preferred-over-npn-server-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
- 
--[10-alpn-preferred-over-npn-client-extra]
-+[12-alpn-preferred-over-npn-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
- 
- 
- # ===========================================================
- 
--[11-sni-npn-preferred-over-alpn]
--ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
-+[13-sni-npn-preferred-over-alpn]
-+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
- 
--[11-sni-npn-preferred-over-alpn-ssl]
--server = 11-sni-npn-preferred-over-alpn-server
--client = 11-sni-npn-preferred-over-alpn-client
--server2 = 11-sni-npn-preferred-over-alpn-server2
-+[13-sni-npn-preferred-over-alpn-ssl]
-+server = 13-sni-npn-preferred-over-alpn-server
-+client = 13-sni-npn-preferred-over-alpn-client
-+server2 = 13-sni-npn-preferred-over-alpn-server2
- 
--[11-sni-npn-preferred-over-alpn-server]
-+[13-sni-npn-preferred-over-alpn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[11-sni-npn-preferred-over-alpn-server2]
-+[13-sni-npn-preferred-over-alpn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[11-sni-npn-preferred-over-alpn-client]
-+[13-sni-npn-preferred-over-alpn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-11]
-+[test-13]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 11-sni-npn-preferred-over-alpn-server-extra
--server2 = 11-sni-npn-preferred-over-alpn-server2-extra
--client = 11-sni-npn-preferred-over-alpn-client-extra
-+server = 13-sni-npn-preferred-over-alpn-server-extra
-+server2 = 13-sni-npn-preferred-over-alpn-server2-extra
-+client = 13-sni-npn-preferred-over-alpn-client-extra
- 
--[11-sni-npn-preferred-over-alpn-server-extra]
-+[13-sni-npn-preferred-over-alpn-server-extra]
- ALPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
- 
--[11-sni-npn-preferred-over-alpn-server2-extra]
-+[13-sni-npn-preferred-over-alpn-server2-extra]
- NPNProtocols = bar
- 
--[11-sni-npn-preferred-over-alpn-client-extra]
-+[13-sni-npn-preferred-over-alpn-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
- ServerName = server2
-@@ -460,356 +527,356 @@ ServerName = server2
- 
- # ===========================================================
- 
--[12-npn-simple-resumption]
--ssl_conf = 12-npn-simple-resumption-ssl
-+[14-npn-simple-resumption]
-+ssl_conf = 14-npn-simple-resumption-ssl
- 
--[12-npn-simple-resumption-ssl]
--server = 12-npn-simple-resumption-server
--client = 12-npn-simple-resumption-client
--resume-server = 12-npn-simple-resumption-server
--resume-client = 12-npn-simple-resumption-client
-+[14-npn-simple-resumption-ssl]
-+server = 14-npn-simple-resumption-server
-+client = 14-npn-simple-resumption-client
-+resume-server = 14-npn-simple-resumption-server
-+resume-client = 14-npn-simple-resumption-client
- 
--[12-npn-simple-resumption-server]
-+[14-npn-simple-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[12-npn-simple-resumption-client]
-+[14-npn-simple-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-12]
-+[test-14]
- ExpectedNPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 12-npn-simple-resumption-server-extra
--resume-server = 12-npn-simple-resumption-server-extra
--client = 12-npn-simple-resumption-client-extra
--resume-client = 12-npn-simple-resumption-client-extra
-+server = 14-npn-simple-resumption-server-extra
-+resume-server = 14-npn-simple-resumption-server-extra
-+client = 14-npn-simple-resumption-client-extra
-+resume-client = 14-npn-simple-resumption-client-extra
- 
--[12-npn-simple-resumption-server-extra]
-+[14-npn-simple-resumption-server-extra]
- NPNProtocols = foo
- 
--[12-npn-simple-resumption-client-extra]
-+[14-npn-simple-resumption-client-extra]
- NPNProtocols = foo
- 
- 
- # ===========================================================
- 
--[13-npn-server-switch-resumption]
--ssl_conf = 13-npn-server-switch-resumption-ssl
-+[15-npn-server-switch-resumption]
-+ssl_conf = 15-npn-server-switch-resumption-ssl
- 
--[13-npn-server-switch-resumption-ssl]
--server = 13-npn-server-switch-resumption-server
--client = 13-npn-server-switch-resumption-client
--resume-server = 13-npn-server-switch-resumption-resume-server
--resume-client = 13-npn-server-switch-resumption-client
-+[15-npn-server-switch-resumption-ssl]
-+server = 15-npn-server-switch-resumption-server
-+client = 15-npn-server-switch-resumption-client
-+resume-server = 15-npn-server-switch-resumption-resume-server
-+resume-client = 15-npn-server-switch-resumption-client
- 
--[13-npn-server-switch-resumption-server]
-+[15-npn-server-switch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[13-npn-server-switch-resumption-resume-server]
-+[15-npn-server-switch-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[13-npn-server-switch-resumption-client]
-+[15-npn-server-switch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-13]
-+[test-15]
- ExpectedNPNProtocol = baz
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 13-npn-server-switch-resumption-server-extra
--resume-server = 13-npn-server-switch-resumption-resume-server-extra
--client = 13-npn-server-switch-resumption-client-extra
--resume-client = 13-npn-server-switch-resumption-client-extra
-+server = 15-npn-server-switch-resumption-server-extra
-+resume-server = 15-npn-server-switch-resumption-resume-server-extra
-+client = 15-npn-server-switch-resumption-client-extra
-+resume-client = 15-npn-server-switch-resumption-client-extra
- 
--[13-npn-server-switch-resumption-server-extra]
-+[15-npn-server-switch-resumption-server-extra]
- NPNProtocols = bar,foo
- 
--[13-npn-server-switch-resumption-resume-server-extra]
-+[15-npn-server-switch-resumption-resume-server-extra]
- NPNProtocols = baz,foo
- 
--[13-npn-server-switch-resumption-client-extra]
-+[15-npn-server-switch-resumption-client-extra]
- NPNProtocols = foo,bar,baz
- 
- 
- # ===========================================================
- 
--[14-npn-client-switch-resumption]
--ssl_conf = 14-npn-client-switch-resumption-ssl
-+[16-npn-client-switch-resumption]
-+ssl_conf = 16-npn-client-switch-resumption-ssl
- 
--[14-npn-client-switch-resumption-ssl]
--server = 14-npn-client-switch-resumption-server
--client = 14-npn-client-switch-resumption-client
--resume-server = 14-npn-client-switch-resumption-server
--resume-client = 14-npn-client-switch-resumption-resume-client
-+[16-npn-client-switch-resumption-ssl]
-+server = 16-npn-client-switch-resumption-server
-+client = 16-npn-client-switch-resumption-client
-+resume-server = 16-npn-client-switch-resumption-server
-+resume-client = 16-npn-client-switch-resumption-resume-client
- 
--[14-npn-client-switch-resumption-server]
-+[16-npn-client-switch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[14-npn-client-switch-resumption-client]
-+[16-npn-client-switch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[14-npn-client-switch-resumption-resume-client]
-+[16-npn-client-switch-resumption-resume-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-14]
-+[test-16]
- ExpectedNPNProtocol = bar
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 14-npn-client-switch-resumption-server-extra
--resume-server = 14-npn-client-switch-resumption-server-extra
--client = 14-npn-client-switch-resumption-client-extra
--resume-client = 14-npn-client-switch-resumption-resume-client-extra
-+server = 16-npn-client-switch-resumption-server-extra
-+resume-server = 16-npn-client-switch-resumption-server-extra
-+client = 16-npn-client-switch-resumption-client-extra
-+resume-client = 16-npn-client-switch-resumption-resume-client-extra
- 
--[14-npn-client-switch-resumption-server-extra]
-+[16-npn-client-switch-resumption-server-extra]
- NPNProtocols = foo,bar,baz
- 
--[14-npn-client-switch-resumption-client-extra]
-+[16-npn-client-switch-resumption-client-extra]
- NPNProtocols = foo,baz
- 
--[14-npn-client-switch-resumption-resume-client-extra]
-+[16-npn-client-switch-resumption-resume-client-extra]
- NPNProtocols = bar,baz
- 
- 
- # ===========================================================
- 
--[15-npn-client-first-pref-on-mismatch-resumption]
--ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
-+[17-npn-client-first-pref-on-mismatch-resumption]
-+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
- 
--[15-npn-client-first-pref-on-mismatch-resumption-ssl]
--server = 15-npn-client-first-pref-on-mismatch-resumption-server
--client = 15-npn-client-first-pref-on-mismatch-resumption-client
--resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
--resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
-+[17-npn-client-first-pref-on-mismatch-resumption-ssl]
-+server = 17-npn-client-first-pref-on-mismatch-resumption-server
-+client = 17-npn-client-first-pref-on-mismatch-resumption-client
-+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
-+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
- 
--[15-npn-client-first-pref-on-mismatch-resumption-server]
-+[17-npn-client-first-pref-on-mismatch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
-+[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[15-npn-client-first-pref-on-mismatch-resumption-client]
-+[17-npn-client-first-pref-on-mismatch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-15]
-+[test-17]
- ExpectedNPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
--resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
--client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
--resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
-+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
-+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
-+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
- 
--[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
- NPNProtocols = bar
- 
--[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
- NPNProtocols = baz
- 
--[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
- NPNProtocols = foo,bar
- 
- 
- # ===========================================================
- 
--[16-npn-no-server-support-resumption]
--ssl_conf = 16-npn-no-server-support-resumption-ssl
-+[18-npn-no-server-support-resumption]
-+ssl_conf = 18-npn-no-server-support-resumption-ssl
- 
--[16-npn-no-server-support-resumption-ssl]
--server = 16-npn-no-server-support-resumption-server
--client = 16-npn-no-server-support-resumption-client
--resume-server = 16-npn-no-server-support-resumption-resume-server
--resume-client = 16-npn-no-server-support-resumption-client
-+[18-npn-no-server-support-resumption-ssl]
-+server = 18-npn-no-server-support-resumption-server
-+client = 18-npn-no-server-support-resumption-client
-+resume-server = 18-npn-no-server-support-resumption-resume-server
-+resume-client = 18-npn-no-server-support-resumption-client
- 
--[16-npn-no-server-support-resumption-server]
-+[18-npn-no-server-support-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[16-npn-no-server-support-resumption-resume-server]
-+[18-npn-no-server-support-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[16-npn-no-server-support-resumption-client]
-+[18-npn-no-server-support-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-16]
-+[test-18]
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 16-npn-no-server-support-resumption-server-extra
--client = 16-npn-no-server-support-resumption-client-extra
--resume-client = 16-npn-no-server-support-resumption-client-extra
-+server = 18-npn-no-server-support-resumption-server-extra
-+client = 18-npn-no-server-support-resumption-client-extra
-+resume-client = 18-npn-no-server-support-resumption-client-extra
- 
--[16-npn-no-server-support-resumption-server-extra]
-+[18-npn-no-server-support-resumption-server-extra]
- NPNProtocols = foo
- 
--[16-npn-no-server-support-resumption-client-extra]
-+[18-npn-no-server-support-resumption-client-extra]
- NPNProtocols = foo
- 
- 
- # ===========================================================
- 
--[17-npn-no-client-support-resumption]
--ssl_conf = 17-npn-no-client-support-resumption-ssl
-+[19-npn-no-client-support-resumption]
-+ssl_conf = 19-npn-no-client-support-resumption-ssl
- 
--[17-npn-no-client-support-resumption-ssl]
--server = 17-npn-no-client-support-resumption-server
--client = 17-npn-no-client-support-resumption-client
--resume-server = 17-npn-no-client-support-resumption-server
--resume-client = 17-npn-no-client-support-resumption-resume-client
-+[19-npn-no-client-support-resumption-ssl]
-+server = 19-npn-no-client-support-resumption-server
-+client = 19-npn-no-client-support-resumption-client
-+resume-server = 19-npn-no-client-support-resumption-server
-+resume-client = 19-npn-no-client-support-resumption-resume-client
- 
--[17-npn-no-client-support-resumption-server]
-+[19-npn-no-client-support-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[17-npn-no-client-support-resumption-client]
-+[19-npn-no-client-support-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[17-npn-no-client-support-resumption-resume-client]
-+[19-npn-no-client-support-resumption-resume-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-17]
-+[test-19]
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 17-npn-no-client-support-resumption-server-extra
--resume-server = 17-npn-no-client-support-resumption-server-extra
--client = 17-npn-no-client-support-resumption-client-extra
-+server = 19-npn-no-client-support-resumption-server-extra
-+resume-server = 19-npn-no-client-support-resumption-server-extra
-+client = 19-npn-no-client-support-resumption-client-extra
- 
--[17-npn-no-client-support-resumption-server-extra]
-+[19-npn-no-client-support-resumption-server-extra]
- NPNProtocols = foo
- 
--[17-npn-no-client-support-resumption-client-extra]
-+[19-npn-no-client-support-resumption-client-extra]
- NPNProtocols = foo
- 
- 
- # ===========================================================
- 
--[18-alpn-preferred-over-npn-resumption]
--ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
-+[20-alpn-preferred-over-npn-resumption]
-+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
- 
--[18-alpn-preferred-over-npn-resumption-ssl]
--server = 18-alpn-preferred-over-npn-resumption-server
--client = 18-alpn-preferred-over-npn-resumption-client
--resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
--resume-client = 18-alpn-preferred-over-npn-resumption-client
-+[20-alpn-preferred-over-npn-resumption-ssl]
-+server = 20-alpn-preferred-over-npn-resumption-server
-+client = 20-alpn-preferred-over-npn-resumption-client
-+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
-+resume-client = 20-alpn-preferred-over-npn-resumption-client
- 
--[18-alpn-preferred-over-npn-resumption-server]
-+[20-alpn-preferred-over-npn-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[18-alpn-preferred-over-npn-resumption-resume-server]
-+[20-alpn-preferred-over-npn-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[18-alpn-preferred-over-npn-resumption-client]
-+[20-alpn-preferred-over-npn-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-18]
-+[test-20]
- ExpectedALPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 18-alpn-preferred-over-npn-resumption-server-extra
--resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
--client = 18-alpn-preferred-over-npn-resumption-client-extra
--resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
-+server = 20-alpn-preferred-over-npn-resumption-server-extra
-+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
-+client = 20-alpn-preferred-over-npn-resumption-client-extra
-+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
- 
--[18-alpn-preferred-over-npn-resumption-server-extra]
-+[20-alpn-preferred-over-npn-resumption-server-extra]
- NPNProtocols = bar
- 
--[18-alpn-preferred-over-npn-resumption-resume-server-extra]
-+[20-alpn-preferred-over-npn-resumption-resume-server-extra]
- ALPNProtocols = foo
- NPNProtocols = baz
- 
--[18-alpn-preferred-over-npn-resumption-client-extra]
-+[20-alpn-preferred-over-npn-resumption-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar,baz
- 
- 
- # ===========================================================
- 
--[19-npn-used-if-alpn-not-supported-resumption]
--ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
-+[21-npn-used-if-alpn-not-supported-resumption]
-+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
- 
--[19-npn-used-if-alpn-not-supported-resumption-ssl]
--server = 19-npn-used-if-alpn-not-supported-resumption-server
--client = 19-npn-used-if-alpn-not-supported-resumption-client
--resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
--resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
-+[21-npn-used-if-alpn-not-supported-resumption-ssl]
-+server = 21-npn-used-if-alpn-not-supported-resumption-server
-+client = 21-npn-used-if-alpn-not-supported-resumption-client
-+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
-+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
- 
--[19-npn-used-if-alpn-not-supported-resumption-server]
-+[21-npn-used-if-alpn-not-supported-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[19-npn-used-if-alpn-not-supported-resumption-resume-server]
-+[21-npn-used-if-alpn-not-supported-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- 
--[19-npn-used-if-alpn-not-supported-resumption-client]
-+[21-npn-used-if-alpn-not-supported-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
--[test-19]
-+[test-21]
- ExpectedNPNProtocol = baz
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
--resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
--client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
--resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
-+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
-+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
-+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
- 
--[19-npn-used-if-alpn-not-supported-resumption-server-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-server-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
- 
--[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
- NPNProtocols = baz
- 
--[19-npn-used-if-alpn-not-supported-resumption-client-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar,baz
- 
-diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in
-index 30783e4..1dc2704 100644
---- a/test/ssl-tests/08-npn.cnf.in
-+++ b/test/ssl-tests/08-npn.cnf.in
-@@ -110,6 +110,41 @@ our @tests = (
-             "ExpectedNPNProtocol" => undef,
-         },
-     },
-+    {
-+        name => "npn-empty-client-list",
-+        server => {
-+            extra => {
-+                "NPNProtocols" => "foo",
-+            },
-+        },
-+        client => {
-+            extra => {
-+                "NPNProtocols" => "",
-+            },
-+            "MaxProtocol" => "TLSv1.2"
-+        },
-+        test => {
-+            "ExpectedResult" => "ClientFail",
-+            "ExpectedClientAlert" => "HandshakeFailure"
-+        },
-+    },
-+    {
-+        name => "npn-empty-server-list",
-+        server => {
-+            extra => {
-+                "NPNProtocols" => "",
-+            },
-+        },
-+        client => {
-+            extra => {
-+                "NPNProtocols" => "foo",
-+            },
-+            "MaxProtocol" => "TLSv1.2"
-+        },
-+        test => {
-+            "ExpectedNPNProtocol" => "foo"
-+        },
-+    },
-     {
-         name => "npn-with-sni-no-context-switch",
-         server => {
-diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf
-index e7e6cb9..dd66873 100644
---- a/test/ssl-tests/09-alpn.cnf
-+++ b/test/ssl-tests/09-alpn.cnf
-@@ -1,6 +1,6 @@
- # Generated with generate_ssl_tests.pl
- 
--num_tests = 16
-+num_tests = 18
- 
- test-0 = 0-alpn-simple
- test-1 = 1-alpn-server-finds-match
-@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption
- test-13 = 13-alpn-alert-on-mismatch-resumption
- test-14 = 14-alpn-no-server-support-resumption
- test-15 = 15-alpn-no-client-support-resumption
-+test-16 = 16-alpn-empty-client-list
-+test-17 = 17-alpn-empty-server-list
- # ===========================================================
- 
- [0-alpn-simple]
-@@ -617,3 +619,65 @@ ALPNProtocols = foo
- ALPNProtocols = foo
- 
- 
-+# ===========================================================
-+
-+[16-alpn-empty-client-list]
-+ssl_conf = 16-alpn-empty-client-list-ssl
-+
-+[16-alpn-empty-client-list-ssl]
-+server = 16-alpn-empty-client-list-server
-+client = 16-alpn-empty-client-list-client
-+
-+[16-alpn-empty-client-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[16-alpn-empty-client-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-16]
-+server = 16-alpn-empty-client-list-server-extra
-+client = 16-alpn-empty-client-list-client-extra
-+
-+[16-alpn-empty-client-list-server-extra]
-+ALPNProtocols = foo
-+
-+[16-alpn-empty-client-list-client-extra]
-+ALPNProtocols = 
-+
-+
-+# ===========================================================
-+
-+[17-alpn-empty-server-list]
-+ssl_conf = 17-alpn-empty-server-list-ssl
-+
-+[17-alpn-empty-server-list-ssl]
-+server = 17-alpn-empty-server-list-server
-+client = 17-alpn-empty-server-list-client
-+
-+[17-alpn-empty-server-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[17-alpn-empty-server-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-17]
-+ExpectedResult = ServerFail
-+ExpectedServerAlert = NoApplicationProtocol
-+server = 17-alpn-empty-server-list-server-extra
-+client = 17-alpn-empty-server-list-client-extra
-+
-+[17-alpn-empty-server-list-server-extra]
-+ALPNProtocols = 
-+
-+[17-alpn-empty-server-list-client-extra]
-+ALPNProtocols = foo
-+
-+
-diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in
-index 8133075..322b709 100644
---- a/test/ssl-tests/09-alpn.cnf.in
-+++ b/test/ssl-tests/09-alpn.cnf.in
-@@ -322,4 +322,37 @@ our @tests = (
-             "ExpectedALPNProtocol" => undef,
-         },
-     },
-+    {
-+        name => "alpn-empty-client-list",
-+        server => {
-+            extra => {
-+                "ALPNProtocols" => "foo",
-+            },
-+        },
-+        client => {
-+            extra => {
-+                "ALPNProtocols" => "",
-+            },
-+        },
-+        test => {
-+            "ExpectedALPNProtocol" => undef,
-+        },
-+    },
-+    {
-+        name => "alpn-empty-server-list",
-+        server => {
-+            extra => {
-+                "ALPNProtocols" => "",
-+            },
-+        },
-+        client => {
-+            extra => {
-+                "ALPNProtocols" => "foo",
-+            },
-+        },
-+        test => {
-+            "ExpectedResult" => "ServerFail",
-+            "ExpectedServerAlert" => "NoApplicationProtocol",
-+        },
-+    },
- );
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
deleted file mode 100644
index 7319d27bb8..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 86351b8dd4c499de7a0c02313ee54966e978150f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 07/10] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/53f5677f358c4a4f69830d944ea40e71950673b8]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 64ccb3e..b821c7c 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1496,9 +1496,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
-             return EXT_RETURN_FAIL;
-         }
-         s->s3.npn_seen = 1;
-+        return EXT_RETURN_SENT;
-     }
- 
--    return EXT_RETURN_SENT;
-+    return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
deleted file mode 100644
index f64938a5ca..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 29f860914824cde6b0aea6ad818b93132930137f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH 08/10] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/195e15421df113d7283aab2ccff8b8fb06df5465]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 1ab3c13..ff9c009 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-                         X509 *x, size_t chainidx)
- {
-     size_t len;
-+    PACKET confpkt, protpkt;
-+    int valid = 0;
- 
-     /* We must have requested it. */
-     if (!s->s3.alpn_sent) {
-@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
-+
-+    /* It must be a protocol that we sent */
-+    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+        return 0;
-+    }
-+    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+        if (PACKET_remaining(&protpkt) != len)
-+            continue;
-+        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+            /* Valid protocol found */
-+            valid = 1;
-+            break;
-+        }
-+    }
-+
-+    if (!valid) {
-+        /* The protocol sent from the server does not match one we advertised */
-+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+        return 0;
-+    }
-+
-     OPENSSL_free(s->s3.alpn_selected);
-     s->s3.alpn_selected = OPENSSL_malloc(len);
-     if (s->s3.alpn_selected == NULL) {
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
deleted file mode 100644
index fb1cef5067..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
+++ /dev/null
@@ -1,271 +0,0 @@
-From 6a5484b0d3fcf9a868c7e3e5b62e5eedc90b6080 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:09:41 +0100
-Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
-
-We already had some tests elsewhere - but this extends that testing with
-additional tests.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7c95191434415d1c9b7fe9b130df13cce630b6b5]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 229 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 15cb906..7a55a2b 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
-     return ret;
- }
- 
-+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-+
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-+                         unsigned int *outlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    default:
-+    case 0:
-+        *out = fooprot;
-+        *outlen = sizeof(fooprot);
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 1:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        return SSL_TLSEXT_ERR_NOACK;
-+    }
-+}
-+
-+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-+                         const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+    case 1:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 4:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 2:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+}
-+
-+/*
-+ * Test the NPN callbacks
-+ * Test 0: advert = foo, select = foo
-+ * Test 1: advert = <empty>, select = foo
-+ * Test 2: no advert
-+ * Test 3: advert = foo, select = bar
-+ * Test 4: advert = foo, select = <empty> (should fail)
-+ */
-+static int test_npn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, TLS1_2_VERSION,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-+    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 4) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+        case 1:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 2:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        case 3:
-+            if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-+
-+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-+                           unsigned char *outlen, const unsigned char *in,
-+                           unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 1:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+    return 0;
-+}
-+
-+/*
-+ * Test the ALPN callbacks
-+ * Test 0: client = foo, select = foo
-+ * Test 1: client = <empty>, select = none
-+ * Test 2: client = foo, select = bar (should fail)
-+ * Test 3: client = foo, select = <empty> (should fail)
-+ */
-+static int test_alpn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+    const unsigned char *prots = fooprot;
-+    unsigned int protslen = sizeof(fooprot);
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, 0,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 1) {
-+        prots = NULL;
-+        protslen = 0;
-+    }
-+
-+    /* SSL_set_alpn_protos returns 0 for success! */
-+    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-+        goto end;
-+
-+    if (idx == 2 || idx == 3) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 1:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -12190,6 +12415,10 @@ int setup_tests(void)
-     ADD_TEST(test_data_retry);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-     ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+    ADD_ALL_TESTS(test_npn, 5);
-+#endif
-+    ADD_ALL_TESTS(test_alpn, 4);
-     return 1;
- 
-  err:
--- 
-2.44.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
similarity index 94%
rename from meta/recipes-connectivity/openssl/openssl_3.2.2.bb
rename to meta/recipes-connectivity/openssl/openssl_3.2.3.bb
index 3242dd69c6..53139df40c 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
@@ -7,28 +7,18 @@ SECTION = "libs/network"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
-           file://CVE-2024-5535_1.patch \
-           file://CVE-2024-5535_2.patch \
-           file://CVE-2024-5535_3.patch \
-           file://CVE-2024-5535_4.patch \
-           file://CVE-2024-5535_5.patch \
-           file://CVE-2024-5535_6.patch \
-           file://CVE-2024-5535_7.patch \
-           file://CVE-2024-5535_8.patch \
-           file://CVE-2024-5535_9.patch \
-           file://CVE-2024-5535_10.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7"
+SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.34.1

[OE-core][scarthgap 04/16] python3: upgrade 3.12.4 -> 3.12.5

[Steve Sakoman]

From: Trevor Gamblin <tgamblin@baylibre.com>

Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html

(From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809)

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/{python3_3.12.4.bb => python3_3.12.5.bb}             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3_3.12.4.bb => python3_3.12.5.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.5.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.12.4.bb
rename to meta/recipes-devtools/python/python3_3.12.5.bb
index 3ac83166ac..5c3b7a92f8 100644
--- a/meta/recipes-devtools/python/python3_3.12.4.bb
+++ b/meta/recipes-devtools/python/python3_3.12.5.bb
@@ -42,7 +42,7 @@ SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
            "
 
-SRC_URI[sha256sum] = "f6d419a6d8743ab26700801b4908d26d97e8b986e14f95de31b32de2b0e79554"
+SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-- 
2.34.1

[OE-core][scarthgap 05/16] python3: skip readline limited history tests

[Steve Sakoman]

From: Trevor Gamblin <tgamblin@baylibre.com>

Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.

A bug has been opened upstream: https://github.com/python/cpython/issues/123018

(From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d)

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...t_readline-skip-limited-history-test.patch | 41 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.12.5.bb |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch

diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
new file mode 100644
index 0000000000..50a4609f7a
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
@@ -0,0 +1,41 @@
+From d9d916d5ea946c945323679d1709de1b87029b96 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 13 Aug 2024 11:07:05 -0400
+Subject: [PATCH] test_readline: skip limited history test
+
+This test was added recently and is failing on the ptest image when
+using the default PACKAGECONFIG settings (i.e. with editline instead of
+readline).. Disable it until the proper fix is determined.
+
+A bug has been opened upstream: https://github.com/python/cpython/issues/123018
+
+Upstream-Status: Inappropriate [OE-specific]
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ Lib/test/test_readline.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py
+index 91fd7dd13f9..d81f9bf8eed 100644
+--- a/Lib/test/test_readline.py
++++ b/Lib/test/test_readline.py
+@@ -132,6 +132,7 @@ def test_nonascii_history(self):
+         self.assertEqual(readline.get_history_item(1), "entrée 1")
+         self.assertEqual(readline.get_history_item(2), "entrée 22")
+ 
++    @unittest.skip("Skipping problematic test")
+     def test_write_read_limited_history(self):
+         previous_length = readline.get_history_length()
+         self.addCleanup(readline.set_history_length, previous_length)
+@@ -349,6 +350,7 @@ def test_history_size(self):
+             self.assertEqual(len(lines), history_size)
+             self.assertEqual(lines[-1].strip(), b"last input")
+ 
++    @unittest.skip("Skipping problematic test")
+     def test_write_read_limited_history(self):
+         previous_length = readline.get_history_length()
+         self.addCleanup(readline.set_history_length, previous_length)
+-- 
+2.39.2
+
diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.5.bb
index 5c3b7a92f8..92109d58ce 100644
--- a/meta/recipes-devtools/python/python3_3.12.5.bb
+++ b/meta/recipes-devtools/python/python3_3.12.5.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
 	   file://0001-test_deadlock-skip-problematic-test.patch \
 	   file://0001-test_active_children-skip-problematic-test.patch \
+           file://0001-test_readline-skip-limited-history-test.patch \
            file://CVE-2024-7592.patch \
            file://CVE-2024-8088.patch \
            "
-- 
2.34.1

[OE-core][scarthgap 06/16] python3: Upgrade 3.12.5 -> 3.12.6

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.

Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch

Release Notes:
https://www.python.org/downloads/release/python-3126/

(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...t_readline-skip-limited-history-test.patch |  19 +--
 .../python/python3/CVE-2024-7592.patch        | 143 ------------------
 .../python/python3/CVE-2024-8088.patch        | 128 ----------------
 .../{python3_3.12.5.bb => python3_3.12.6.bb}  |   4 +-
 4 files changed, 9 insertions(+), 285 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
 rename meta/recipes-devtools/python/{python3_3.12.5.bb => python3_3.12.6.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
index 50a4609f7a..e8d297c721 100644
--- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
@@ -16,11 +16,11 @@ Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
  Lib/test/test_readline.py | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py
-index 91fd7dd13f9..d81f9bf8eed 100644
---- a/Lib/test/test_readline.py
-+++ b/Lib/test/test_readline.py
-@@ -132,6 +132,7 @@ def test_nonascii_history(self):
+Index: Python-3.12.6/Lib/test/test_readline.py
+===================================================================
+--- Python-3.12.6.orig/Lib/test/test_readline.py
++++ Python-3.12.6/Lib/test/test_readline.py
+@@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest.
          self.assertEqual(readline.get_history_item(1), "entrée 1")
          self.assertEqual(readline.get_history_item(2), "entrée 22")
  
@@ -28,14 +28,11 @@ index 91fd7dd13f9..d81f9bf8eed 100644
      def test_write_read_limited_history(self):
          previous_length = readline.get_history_length()
          self.addCleanup(readline.set_history_length, previous_length)
-@@ -349,6 +350,7 @@ def test_history_size(self):
-             self.assertEqual(len(lines), history_size)
-             self.assertEqual(lines[-1].strip(), b"last input")
+@@ -371,6 +372,7 @@ readline.write_history_file(history_file
+         self.assertIn(b"done", output)
+ 
  
 +    @unittest.skip("Skipping problematic test")
      def test_write_read_limited_history(self):
          previous_length = readline.get_history_length()
          self.addCleanup(readline.set_history_length, previous_length)
--- 
-2.39.2
-
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
deleted file mode 100644
index 7a6d63005c..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sun, 25 Aug 2024 00:37:11 +0200
-Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing  "-quoted
- cookie values with backslashes (GH-123075) (#123104)
-
-gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
-
-This fixes CVE-2024-7592.
-(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-CVE: CVE-2024-7592
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- Lib/http/cookies.py                           | 34 ++++-------------
- Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
- ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
- 3 files changed, 47 insertions(+), 26 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 35ac2dc..2c1f021 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,8 +184,13 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
-
-
--_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
--_QuotePatt = re.compile(r"[\\].")
-+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
-+
-+def _unquote_replace(m):
-+    if m[1]:
-+        return chr(int(m[1], 8))
-+    else:
-+        return m[2]
-
- def _unquote(str):
-     # If there aren't any doublequotes,
-@@ -205,30 +210,7 @@ def _unquote(str):
-     #    \012 --> \n
-     #    \"   --> "
-     #
--    i = 0
--    n = len(str)
--    res = []
--    while 0 <= i < n:
--        o_match = _OctalPatt.search(str, i)
--        q_match = _QuotePatt.search(str, i)
--        if not o_match and not q_match:              # Neither matched
--            res.append(str[i:])
--            break
--        # else:
--        j = k = -1
--        if o_match:
--            j = o_match.start(0)
--        if q_match:
--            k = q_match.start(0)
--        if q_match and (not o_match or k < j):     # QuotePatt matched
--            res.append(str[i:k])
--            res.append(str[k+1])
--            i = k + 2
--        else:                                      # OctalPatt matched
--            res.append(str[i:j])
--            res.append(chr(int(str[j+1:j+4], 8)))
--            i = j + 4
--    return _nulljoin(res)
-+    return _unquote_sub(_unquote_replace, str)
-
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header.  By default, _getdate() returns the current time in the appropriate
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 925c869..8879902 100644
---- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -5,6 +5,7 @@ import unittest
- import doctest
- from http import cookies
- import pickle
-+from test import support
-
-
- class CookieTests(unittest.TestCase):
-@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
-             for k, v in sorted(case['dict'].items()):
-                 self.assertEqual(C[k].value, v)
-
-+    def test_unquote(self):
-+        cases = [
-+            (r'a="b=\""', 'b="'),
-+            (r'a="b=\\"', 'b=\\'),
-+            (r'a="b=\="', 'b=='),
-+            (r'a="b=\n"', 'b=n'),
-+            (r'a="b=\042"', 'b="'),
-+            (r'a="b=\134"', 'b=\\'),
-+            (r'a="b=\377"', 'b=\xff'),
-+            (r'a="b=\400"', 'b=400'),
-+            (r'a="b=\42"', 'b=42'),
-+            (r'a="b=\\042"', 'b=\\042'),
-+            (r'a="b=\\134"', 'b=\\134'),
-+            (r'a="b=\\\""', 'b=\\"'),
-+            (r'a="b=\\\042"', 'b=\\"'),
-+            (r'a="b=\134\""', 'b=\\"'),
-+            (r'a="b=\134\042"', 'b=\\"'),
-+        ]
-+        for encoded, decoded in cases:
-+            with self.subTest(encoded):
-+                C = cookies.SimpleCookie()
-+                C.load(encoded)
-+                self.assertEqual(C['a'].value, decoded)
-+
-+    @support.requires_resource('cpu')
-+    def test_unquote_large(self):
-+        n = 10**6
-+        for encoded in r'\\', r'\134':
-+            with self.subTest(encoded):
-+                data = 'a="b=' + encoded*n + ';"'
-+                C = cookies.SimpleCookie()
-+                C.load(data)
-+                value = C['a'].value
-+                self.assertEqual(value[:3], 'b=\\')
-+                self.assertEqual(value[-2:], '\\;')
-+                self.assertEqual(len(value), n + 3)
-+
-     def test_load(self):
-         C = cookies.SimpleCookie()
-         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-new file mode 100644
-index 0000000..6a23456
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -0,0 +1 @@
-+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
---
-2.40.0
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
deleted file mode 100644
index 13836f1ccc..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From dcc5182f27c1500006a1ef78e10613bb45788dea Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 12 Aug 2024 02:35:17 +0200
-Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
- (#122923)
-
-CVE: CVE-2024-8088
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- Lib/test/test_zipfile/_path/test_path.py      | 17 +++++
- Lib/zipfile/_path/__init__.py                 | 64 ++++++++++++++++++-
- ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst |  1 +
- 3 files changed, 81 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-
-diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
-index 06d5aab..90885db 100644
---- a/Lib/test/test_zipfile/_path/test_path.py
-+++ b/Lib/test/test_zipfile/_path/test_path.py
-@@ -577,3 +577,20 @@ class TestPath(unittest.TestCase):
-         zipfile.Path(alpharep)
-         with self.assertRaises(KeyError):
-             alpharep.getinfo('does-not-exist')
-+
-+    def test_malformed_paths(self):
-+        """
-+        Path should handle malformed paths.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("/one-slash.txt", b"content")
-+        zf.writestr("//two-slash.txt", b"content")
-+        zf.writestr("../parent.txt", b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        assert list(map(str, root.iterdir())) == [
-+            'one-slash.txt',
-+            'two-slash.txt',
-+            'parent.txt',
-+        ]
-diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
-index 78c4135..42f9fde 100644
---- a/Lib/zipfile/_path/__init__.py
-+++ b/Lib/zipfile/_path/__init__.py
-@@ -83,7 +83,69 @@ class InitializedState:
-         super().__init__(*args, **kwargs)
-
-
--class CompleteDirs(InitializedState, zipfile.ZipFile):
-+class SanitizedNames:
-+    """
-+    ZipFile mix-in to ensure names are sanitized.
-+    """
-+
-+    def namelist(self):
-+        return list(map(self._sanitize, super().namelist()))
-+
-+    @staticmethod
-+    def _sanitize(name):
-+        r"""
-+        Ensure a relative path with posix separators and no dot names.
-+
-+        Modeled after
-+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+        but provides consistent cross-platform behavior.
-+
-+        >>> san = SanitizedNames._sanitize
-+        >>> san('/foo/bar')
-+        'foo/bar'
-+        >>> san('//foo.txt')
-+        'foo.txt'
-+        >>> san('foo/.././bar.txt')
-+        'foo/bar.txt'
-+        >>> san('foo../.bar.txt')
-+        'foo../.bar.txt'
-+        >>> san('\\foo\\bar.txt')
-+        'foo/bar.txt'
-+        >>> san('D:\\foo.txt')
-+        'D/foo.txt'
-+        >>> san('\\\\server\\share\\file.txt')
-+        'server/share/file.txt'
-+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+        '?/GLOBALROOT/Volume3'
-+        >>> san('\\\\.\\PhysicalDrive1\\root')
-+        'PhysicalDrive1/root'
-+
-+        Retain any trailing slash.
-+        >>> san('abc/')
-+        'abc/'
-+
-+        Raises a ValueError if the result is empty.
-+        >>> san('../..')
-+        Traceback (most recent call last):
-+        ...
-+        ValueError: Empty filename
-+        """
-+
-+        def allowed(part):
-+            return part and part not in {'..', '.'}
-+
-+        # Remove the drive letter.
-+        # Don't use ntpath.splitdrive, because that also strips UNC paths
-+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+        clean = bare.replace('\\', '/')
-+        parts = clean.split('/')
-+        joined = '/'.join(filter(allowed, parts))
-+        if not joined:
-+            raise ValueError("Empty filename")
-+        return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
-     """
-     A ZipFile subclass that ensures that implied directories
-     are always included in the namelist.
-diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-new file mode 100644
-index 0000000..1be44c9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-@@ -0,0 +1 @@
-+:class:`zipfile.Path` objects now sanitize names from the zipfile.
---
-2.40.0
diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.12.5.bb
rename to meta/recipes-devtools/python/python3_3.12.6.bb
index 92109d58ce..ae69f0e781 100644
--- a/meta/recipes-devtools/python/python3_3.12.5.bb
+++ b/meta/recipes-devtools/python/python3_3.12.6.bb
@@ -35,15 +35,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 	   file://0001-test_deadlock-skip-problematic-test.patch \
 	   file://0001-test_active_children-skip-problematic-test.patch \
            file://0001-test_readline-skip-limited-history-test.patch \
-           file://CVE-2024-7592.patch \
-           file://CVE-2024-8088.patch \
            "
 
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
            "
 
-SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397"
+SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-- 
2.34.1

[OE-core][scarthgap 07/16] buildhistory: Fix intermittent package file list creation

[Steve Sakoman]

From: Pedro Ferreira <pedro.silva.ferreira@criticaltechworks.com>

The directory that buildhistory_list_pkg_files writes to during do_package
is created by do_packagedata so a clean buildhistory doesn't have
files-in-package written during the first build since packagedata happens
after do_package.

Ensure the output package folder is created to avoid missing
files-in-package.txt files.

Also it ensures that in case of `find` fails we leave with
a hard error instead of hiding the error on the for loop.

Signed-off-by: Pedro Silva Ferreira <Pedro.Silva.Ferreira@criticaltechworks.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8de9b8c1e199896b9a7bc5ed64967c6bfbf84bea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/buildhistory.bbclass | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index fd53e92402..d219519f86 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -599,15 +599,12 @@ buildhistory_list_files_no_owners() {
 
 buildhistory_list_pkg_files() {
 	# Create individual files-in-package for each recipe's package
-	for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do
+	pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
+	for pkgdir in $pkgdirlist; do
 		pkgname=$(basename $pkgdir)
 		outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname"
 		outfile="$outfolder/files-in-package.txt"
-		# Make sure the output folder exists so we can create the file
-		if [ ! -d $outfolder ] ; then
-			bbdebug 2 "Folder $outfolder does not exist, file $outfile not created"
-			continue
-		fi
+		mkdir -p $outfolder
 		buildhistory_list_files $pkgdir $outfile fakeroot
 	done
 }
-- 
2.34.1

[OE-core][scarthgap 08/16] buildhistory: Restoring files from preserve list

[Steve Sakoman]

From: Pedro Ferreira <pedro.silva.ferreira@criticaltechworks.com>

This fix will ensure that, when we activate feature
`BUILDHISTORY_RESET`, files marked to keep on feature
`BUILDHISTORY_PRESERVE` will indeed exist is buildhistory
final path since they are moved to buildhistory/old but
not restored at any point.

Signed-off-by: Pedro Ferreira <Pedro.Silva.Ferreira@criticaltechworks.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f68a45aa238ae5fcdfaca71ba0e7015e9cb720e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/buildhistory.bbclass | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index d219519f86..08970aafea 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -110,6 +110,7 @@ python buildhistory_emit_pkghistory() {
     import json
     import shlex
     import errno
+    import shutil
 
     pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
     oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
@@ -223,6 +224,20 @@ python buildhistory_emit_pkghistory() {
         items.sort()
         return ' '.join(items)
 
+    def preservebuildhistoryfiles(pkg, preserve):
+        if os.path.exists(os.path.join(oldpkghistdir, pkg)):
+            listofobjs = os.listdir(os.path.join(oldpkghistdir, pkg))
+            for obj in listofobjs:
+                if obj not in preserve:
+                    continue
+                try:
+                    bb.utils.mkdirhier(os.path.join(pkghistdir, pkg))
+                    shutil.copyfile(os.path.join(oldpkghistdir, pkg, obj), os.path.join(pkghistdir, pkg, obj))
+                except IOError as e:
+                    bb.note("Unable to copy file. %s" % e)
+                except EnvironmentError as e:
+                    bb.note("Unable to copy file. %s" % e)
+
     pn = d.getVar('PN')
     pe = d.getVar('PE') or "0"
     pv = d.getVar('PV')
@@ -250,6 +265,14 @@ python buildhistory_emit_pkghistory() {
     if not os.path.exists(pkghistdir):
         bb.utils.mkdirhier(pkghistdir)
     else:
+        # We need to make sure that all files kept in
+        # buildhistory/old are restored successfully
+        # otherwise next block of code wont have files to
+        # check and purge
+        if d.getVar("BUILDHISTORY_RESET"):
+            for pkg in packagelist:
+                preservebuildhistoryfiles(pkg, preserve)
+
         # Remove files for packages that no longer exist
         for item in os.listdir(pkghistdir):
             if item not in preserve:
-- 
2.34.1

[OE-core][scarthgap 09/16] buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We planned to drop SSTATEPOSTINSTFUNC some time ago with the introduction of
postfuncs. Finally get around to doing that which should make the buildhistory
code a little more readable.

Unfortunately ordering the buildhistory function calls after the sstate ones is
difficult without coding that into the sstate class. This patch does that to
ensure everything functions as expected until we can find a better way. This is
still likely preferable than the generic sstate postfuncs support since the function
flow is much more readable.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c9e2a8fa2f0305ef1247ec405555612326f798f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-global/sstate.bbclass |  5 +++-
 meta/classes/buildhistory.bbclass  | 39 +++++++++++++++---------------
 2 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/meta/classes-global/sstate.bbclass b/meta/classes-global/sstate.bbclass
index 76a7b59636..93df5fa9e6 100644
--- a/meta/classes-global/sstate.bbclass
+++ b/meta/classes-global/sstate.bbclass
@@ -161,7 +161,10 @@ python () {
     d.setVar('SSTATETASKS', " ".join(unique_tasks))
     for task in unique_tasks:
         d.prependVarFlag(task, 'prefuncs', "sstate_task_prefunc ")
-        d.appendVarFlag(task, 'postfuncs', " sstate_task_postfunc")
+        # Generally sstate should be last, execpt for buildhistory functions
+        postfuncs = (d.getVarFlag(task, 'postfuncs') or "").split()
+        newpostfuncs = [p for p in postfuncs if "buildhistory" not in p] + ["sstate_task_postfunc"] + [p for p in postfuncs if "buildhistory" in p]
+        d.setVarFlag(task, 'postfuncs', " ".join(newpostfuncs))
         d.setVarFlag(task, 'network', '1')
         d.setVarFlag(task + "_setscene", 'network', '1')
 }
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 08970aafea..0b1bd518fe 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -47,11 +47,18 @@ BUILDHISTORY_PUSH_REPO ?= ""
 BUILDHISTORY_TAG ?= "build"
 BUILDHISTORY_PATH_PREFIX_STRIP ?= ""
 
-SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory"
-# We want to avoid influencing the signatures of sstate tasks - first the function itself:
-sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory"
-# then the value added to SSTATEPOSTINSTFUNCS:
-SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory"
+# We want to avoid influencing the signatures of the task so use vardepsexclude
+do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot"
+
+do_package[postfuncs] += "buildhistory_list_pkg_files"
+do_package_setscene[postfuncs] += "buildhistory_list_pkg_files"
+do_package[vardepsexclude] += "buildhistory_list_pkg_files"
+
+do_packagedata[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory"
 
 # Similarly for our function that gets the output signatures
 SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs"
@@ -91,27 +98,15 @@ buildhistory_emit_sysroot() {
 # Write out metadata about this package for comparison when writing future packages
 #
 python buildhistory_emit_pkghistory() {
-    if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']:
-        bb.build.exec_func("buildhistory_emit_sysroot", d)
-        return 0
-
-    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
-        return 0
-
-    if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']:
-        # Create files-in-<package-name>.txt files containing a list of files of each recipe's package
-        bb.build.exec_func("buildhistory_list_pkg_files", d)
-        return 0
-
-    if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']:
-        return 0
-
     import re
     import json
     import shlex
     import errno
     import shutil
 
+    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
+        return 0
+
     pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
     oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
 
@@ -621,6 +616,10 @@ buildhistory_list_files_no_owners() {
 }
 
 buildhistory_list_pkg_files() {
+	if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then
+		return
+	fi
+
 	# Create individual files-in-package for each recipe's package
 	pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
 	for pkgdir in $pkgdirlist; do
-- 
2.34.1

[OE-core][scarthgap 10/16] qemu: back port patches to fix riscv64 build failure

[Steve Sakoman]

From: Chen Qi <Qi.Chen@windriver.com>

Backport patches to fix riscv64 build failure.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 ...kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch |  75 ++++++++++++
 ...kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch |  73 ++++++++++++
 ...cv-kvm-change-timer-regs-size-to-u64.patch | 107 ++++++++++++++++++
 4 files changed, 258 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a1d8a309a0..e9f63b9eaf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -49,6 +49,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2024-7409-0002.patch \
            file://CVE-2024-7409-0003.patch \
            file://CVE-2024-7409-0004.patch \
+           file://0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch \
+           file://0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch \
+           file://0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch b/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
new file mode 100644
index 0000000000..39a6a85162
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
@@ -0,0 +1,75 @@
+From bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9 Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:31 -0300
+Subject: [PATCH 1/3] target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32
+
+KVM_REG_RISCV_FP_F regs have u32 size according to the API, but by using
+kvm_riscv_reg_id() in RISCV_FP_F_REG() we're returning u64 sizes when
+running with TARGET_RISCV64. The most likely reason why no one noticed
+this is because we're not implementing kvm_cpu_synchronize_state() in
+RISC-V yet.
+
+Create a new helper that returns a KVM ID with u32 size and use it in
+RISCV_FP_F_REG().
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-2-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 49c211ffca00fdf7c0c29072c224e88527a14838)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index c1675158fe..2eef2be86a 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -72,6 +72,11 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type,
+     return id;
+ }
+ 
++static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
++{
++    return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx;
++}
++
+ #define RISCV_CORE_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \
+                  KVM_REG_RISCV_CORE_REG(name))
+ 
+@@ -81,7 +86,7 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type,
+ #define RISCV_TIMER_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \
+                  KVM_REG_RISCV_TIMER_REG(name))
+ 
+-#define RISCV_FP_F_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_F, idx)
++#define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+ 
+ #define RISCV_FP_D_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx)
+ 
+@@ -586,7 +591,7 @@ static int kvm_riscv_get_regs_fp(CPUState *cs)
+     if (riscv_has_ext(env, RVF)) {
+         uint32_t reg;
+         for (i = 0; i < 32; i++) {
+-            ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(env, i), &reg);
++            ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+@@ -620,7 +625,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs)
+         uint32_t reg;
+         for (i = 0; i < 32; i++) {
+             reg = env->fpr[i];
+-            ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(env, i), &reg);
++            ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch b/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
new file mode 100644
index 0000000000..9480d3e0b5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
@@ -0,0 +1,73 @@
+From 125b95d79e746cbab6b72683b3382dd372e38c61 Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:32 -0300
+Subject: [PATCH 2/3] target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64
+
+KVM_REG_RISCV_FP_D regs are always u64 size. Using kvm_riscv_reg_id() in
+RISCV_FP_D_REG() ends up encoding the wrong size if we're running with
+TARGET_RISCV32.
+
+Create a new helper that returns a KVM ID with u64 size and use it with
+RISCV_FP_D_REG().
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-3-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 450bd6618fda3d2e2ab02b2fce1c79efd5b66084)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [125b95d79e746cbab6b72683b3382dd372e38c61]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 2eef2be86a..82ed4455a5 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -77,6 +77,11 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
+     return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx;
+ }
+ 
++static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
++{
++    return KVM_REG_RISCV | KVM_REG_SIZE_U64 | type | idx;
++}
++
+ #define RISCV_CORE_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \
+                  KVM_REG_RISCV_CORE_REG(name))
+ 
+@@ -88,7 +93,7 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
+ 
+ #define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+ 
+-#define RISCV_FP_D_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx)
++#define RISCV_FP_D_REG(idx)  kvm_riscv_reg_id_u64(KVM_REG_RISCV_FP_D, idx)
+ 
+ #define KVM_RISCV_GET_CSR(cs, env, csr, reg) \
+     do { \
+@@ -579,7 +584,7 @@ static int kvm_riscv_get_regs_fp(CPUState *cs)
+     if (riscv_has_ext(env, RVD)) {
+         uint64_t reg;
+         for (i = 0; i < 32; i++) {
+-            ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(env, i), &reg);
++            ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+@@ -613,7 +618,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs)
+         uint64_t reg;
+         for (i = 0; i < 32; i++) {
+             reg = env->fpr[i];
+-            ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(env, i), &reg);
++            ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch b/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch
new file mode 100644
index 0000000000..1ea1bcfe70
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch
@@ -0,0 +1,107 @@
+From cbae1080988e0f1af0fb4c816205f7647f6de16f Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:33 -0300
+Subject: [PATCH 3/3] target/riscv/kvm: change timer regs size to u64
+
+KVM_REG_RISCV_TIMER regs are always u64 according to the KVM API, but at
+this moment we'll return u32 regs if we're running a RISCV32 target.
+
+Use the kvm_riscv_reg_id_u64() helper in RISCV_TIMER_REG() to fix it.
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-4-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 10f86d1b845087d14b58d65dd2a6e3411d1b6529)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [cbae1080988e0f1af0fb4c816205f7647f6de16f]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 82ed4455a5..ddbe820e10 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -88,7 +88,7 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
+ #define RISCV_CSR_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CSR, \
+                  KVM_REG_RISCV_CSR_REG(name))
+ 
+-#define RISCV_TIMER_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \
++#define RISCV_TIMER_REG(name)  kvm_riscv_reg_id_u64(KVM_REG_RISCV_TIMER, \
+                  KVM_REG_RISCV_TIMER_REG(name))
+ 
+ #define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+@@ -111,17 +111,17 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
+         } \
+     } while (0)
+ 
+-#define KVM_RISCV_GET_TIMER(cs, env, name, reg) \
++#define KVM_RISCV_GET_TIMER(cs, name, reg) \
+     do { \
+-        int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(env, name), &reg); \
++        int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(name), &reg); \
+         if (ret) { \
+             abort(); \
+         } \
+     } while (0)
+ 
+-#define KVM_RISCV_SET_TIMER(cs, env, name, reg) \
++#define KVM_RISCV_SET_TIMER(cs, name, reg) \
+     do { \
+-        int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(env, name), &reg); \
++        int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(name), &reg); \
+         if (ret) { \
+             abort(); \
+         } \
+@@ -649,10 +649,10 @@ static void kvm_riscv_get_regs_timer(CPUState *cs)
+         return;
+     }
+ 
+-    KVM_RISCV_GET_TIMER(cs, env, time, env->kvm_timer_time);
+-    KVM_RISCV_GET_TIMER(cs, env, compare, env->kvm_timer_compare);
+-    KVM_RISCV_GET_TIMER(cs, env, state, env->kvm_timer_state);
+-    KVM_RISCV_GET_TIMER(cs, env, frequency, env->kvm_timer_frequency);
++    KVM_RISCV_GET_TIMER(cs, time, env->kvm_timer_time);
++    KVM_RISCV_GET_TIMER(cs, compare, env->kvm_timer_compare);
++    KVM_RISCV_GET_TIMER(cs, state, env->kvm_timer_state);
++    KVM_RISCV_GET_TIMER(cs, frequency, env->kvm_timer_frequency);
+ 
+     env->kvm_timer_dirty = true;
+ }
+@@ -666,8 +666,8 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+         return;
+     }
+ 
+-    KVM_RISCV_SET_TIMER(cs, env, time, env->kvm_timer_time);
+-    KVM_RISCV_SET_TIMER(cs, env, compare, env->kvm_timer_compare);
++    KVM_RISCV_SET_TIMER(cs, time, env->kvm_timer_time);
++    KVM_RISCV_SET_TIMER(cs, compare, env->kvm_timer_compare);
+ 
+     /*
+      * To set register of RISCV_TIMER_REG(state) will occur a error from KVM
+@@ -676,7 +676,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+      * TODO If KVM changes, adapt here.
+      */
+     if (env->kvm_timer_state) {
+-        KVM_RISCV_SET_TIMER(cs, env, state, env->kvm_timer_state);
++        KVM_RISCV_SET_TIMER(cs, state, env->kvm_timer_state);
+     }
+ 
+     /*
+@@ -685,7 +685,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+      * during the migration.
+      */
+     if (migration_is_running(migrate_get_current()->state)) {
+-        KVM_RISCV_GET_TIMER(cs, env, frequency, reg);
++        KVM_RISCV_GET_TIMER(cs, frequency, reg);
+         if (reg != env->kvm_timer_frequency) {
+             error_report("Dst Hosts timer frequency != Src Hosts");
+         }
+-- 
+2.25.1
+
-- 
2.34.1

[OE-core][scarthgap 11/16] gcc: Fix spurious '/' in GLIBC_DYNAMIC_LINKER on microblaze

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Backport from master OE-Core rev: f0eac82b9a1e4549b7d918df768c369ed7ab5183

Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...fine-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
index b0b77dbfa0..9de883c2c7 100644
--- a/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
+++ b/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
@@ -1,4 +1,4 @@
-From aacfd6e14dd583b1fdc65691def61c5e1bc89708 Mon Sep 17 00:00:00 2001
+From 4067ae345f0ff1fbf37c0348f2af09257513b817 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 29 Mar 2013 09:24:50 +0400
 Subject: [PATCH] Define GLIBC_DYNAMIC_LINKER and UCLIBC_DYNAMIC_LINKER
@@ -185,7 +185,7 @@ index aecaa02a199..62f88f7f9a2 100644
  #undef GNU_USER_TARGET_LINK_SPEC
  #define GNU_USER_TARGET_LINK_SPEC \
 diff --git a/gcc/config/microblaze/linux.h b/gcc/config/microblaze/linux.h
-index e2e2c421c52..6f26480e3b5 100644
+index 5ed8ee518be..299d1a62c81 100644
 --- a/gcc/config/microblaze/linux.h
 +++ b/gcc/config/microblaze/linux.h
 @@ -28,7 +28,7 @@
@@ -193,7 +193,7 @@ index e2e2c421c52..6f26480e3b5 100644
  #define TLS_NEEDS_GOT 1
  
 -#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1"
-+#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "/ld.so.1"
++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1"
  #define UCLIBC_DYNAMIC_LINKER "/lib/ld-uClibc.so.0"
  
  #if TARGET_BIG_ENDIAN_DEFAULT == 0 /* LE */
-- 
2.34.1

[OE-core][scarthgap 12/16] udev-extraconf: Add collect flag to mount

[Steve Sakoman]

From: Colin McAllister <colinmca242@gmail.com>

Adds extra "--collect" flag to the mount command within
automount_systemd. This is intended to fix an observed deadlock after
rapidly inserting and removing external media. This is because if the
mount command fails, the transient mount will enter a failed state. The
next time the media is inserted, automount_systemd bails because the
first consition finds that the file path for the failed transient mount
still exists. This leaves the external media unmounted and cannot be
mounted until the mount is fixed via systemctl or the device is
rebooted.

Adding "--collect" ensures that the transient mount is cleaned up after
entering a failed state, which ensures that the media can still be
mounted when it's re-inserted.

(From OE-Core rev: f0cda74d73eb8c14cd6f695f514108f1e94984a6)

Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index c19e2aa68a..eb84a468be 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -98,7 +98,7 @@ automount_systemd() {
         ;;
     esac
 
-    if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
+    if ! $MOUNT --collect --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
     then
         #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
         rm_dir "$MOUNT_BASE/$name"
-- 
2.34.1

[OE-core][scarthgap 13/16] busybox: Fix cut with "-s" flag

[Steve Sakoman]

From: Colin McAllister <colinmca242@gmail.com>

This fixes and issue that allows blank lines to be incorrectly output
when the "-s" flag is included. This issue propogates into the
populate-volatile.sh script in initscripts. If a volatiles drop file
contains blank lines, a blank line will be included in combined users,
which will incorrectly result in a difference in the number of combined
users versus defined users. If this happens, the volatiles file will not
be executed.

(From OE-Core rev: dfbcf0581ab3dd47037726a7b8aa06f777792473)

Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...1-cut-Fix-s-flag-to-omit-blank-lines.patch | 66 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
new file mode 100644
index 0000000000..a0a8607b23
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
@@ -0,0 +1,66 @@
+From 199606e960942c29fd8085be812edd3d3697825c Mon Sep 17 00:00:00 2001
+From: Colin McAllister <colinmca242@gmail.com>
+Date: Wed, 17 Jul 2024 07:58:52 -0500
+Subject: [PATCH 1/1] cut: Fix "-s" flag to omit blank lines
+
+Using cut with the delimiter flag ("-d") with the "-s" flag to only
+output lines containing the delimiter will print blank lines. This is
+deviant behavior from cut provided by GNU Coreutils. Blank lines should
+be omitted if "-s" is used with "-d".
+
+This change introduces a somewhat naiive, yet efficient solution, where
+line length is checked before looping though bytes. If line length is
+zero and the "-s" flag is used, the code will jump to parsing the next
+line to avoid printing a newline character.
+
+In addition, a test to cut.tests has been added to ensure that this
+regression is fixed and will not happen again in the future.
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-July/090834.html]
+
+Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+---
+ coreutils/cut.c     | 6 ++++++
+ testsuite/cut.tests | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/coreutils/cut.c b/coreutils/cut.c
+index 55bdd9386..b7f986f26 100644
+--- a/coreutils/cut.c
++++ b/coreutils/cut.c
+@@ -152,6 +152,12 @@ static void cut_file(FILE *file, const char *delim, const char *odelim,
+ 			unsigned uu = 0, start = 0, end = 0, out = 0;
+ 			int dcount = 0;
+ 
++			/* Blank line? */
++			if (!linelen) {
++				if (option_mask32 & CUT_OPT_SUPPRESS_FLGS)
++					goto next_line;
++			}
++
+ 			/* Loop through bytes, finding next delimiter */
+ 			for (;;) {
+ 				/* End of current range? */
+diff --git a/testsuite/cut.tests b/testsuite/cut.tests
+index 2458c019c..0b401bc00 100755
+--- a/testsuite/cut.tests
++++ b/testsuite/cut.tests
+@@ -65,6 +65,15 @@ testing "cut with -d -f( ) -s" "cut -d' ' -f3 -s input && echo yes" "yes\n" "$in
+ testing "cut with -d -f(a) -s" "cut -da -f3 -s input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ testing "cut with -d -f(a) -s -n" "cut -da -f3 -s -n input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ 
++input="\
++
++foo bar baz
++
++bing bong boop
++
++"
++testing "cut with -d -s omits blank lines" "cut -d' ' -f2 -s input" "bar\nbong\n" "$input" ""
++
+ # substitute for awk
+ optional FEATURE_CUT_REGEX
+ testing "cut -DF" "cut -DF 2,7,5" \
+-- 
+2.43.0
+
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index bc1619d1a8..42dd5f71eb 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -56,6 +56,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-awk-fix-precedence-of-relative-to.patch \
            file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
            file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
+           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
-- 
2.34.1

[OE-core][scarthgap 14/16] bluez5: remove redundant patch for MAX_INPUT

[Steve Sakoman]

From: Guðni Már Gilbert <gudni.m.g@gmail.com>

The solution to the problem upstream was fixed by the following commit:
https://github.com/bluez/bluez/commit/ca6546fe521360fcf905bc115b893f322e706cb2

Now MAX_INPUT is defined for non-glibc systems such as musl.
This fix was added in BlueZ 5.67.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/bluez5/bluez5.inc   |  1 -
 ...shared-util.c-include-linux-limits.h.patch | 27 -------------------
 2 files changed, 28 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index a31d7076ba..3f2f096aac 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -54,7 +54,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
            file://0001-test-gatt-Fix-hung-issue.patch \
-           file://0004-src-shared-util.c-include-linux-limits.h.patch \
            "
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
deleted file mode 100644
index 516d859069..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Mon, 12 Dec 2022 13:10:19 +0100
-Subject: [PATCH] src/shared/util.c: include linux/limits.h
-
-MAX_INPUT is defined in that file. This matters on non-glibc
-systems such as those using musl.
-
-Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
-
----
- src/shared/util.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/shared/util.c b/src/shared/util.c
-index c0c2c4a..036dc0d 100644
---- a/src/shared/util.c
-+++ b/src/shared/util.c
-@@ -23,6 +23,7 @@
- #include <unistd.h>
- #include <dirent.h>
- #include <limits.h>
-+#include <linux/limits.h>
- #include <string.h>
- 
- #ifdef HAVE_SYS_RANDOM_H
-- 
2.34.1

[OE-core][scarthgap 15/16] create-sdpx-2.2.bbclass: Switch from exists to isfile checking debugsrc

[Steve Sakoman]

From: Mark Hatle <mark.hatle@amd.com>

While debugsrc is almost always a file (or link), there are apparently
cases where a directory could be returned from the dwarfsrcfiles
processing.  When this happens, the hashing fails and an error results
when building the SPDX documents.

Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 02e262c291c0b2066132b4cb2ca5fda8145284a9)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/create-spdx-2.2.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index d104668ffd..ade1a04be3 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -315,7 +315,8 @@ def add_package_sources_from_debug(d, package_doc, spdx_package, package, packag
                     debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
                 else:
                     debugsrc_path = search / debugsrc.lstrip("/")
-                if not debugsrc_path.exists():
+                # We can only hash files below, skip directories, links, etc.
+                if not os.path.isfile(debugsrc_path):
                     continue
 
                 file_sha256 = bb.utils.sha256_file(debugsrc_path)
-- 
2.34.1

[OE-core][scarthgap 16/16] bind: Fix build with the `httpstats` package config enabled

[Steve Sakoman]

From: Alban Bedel <alban.bedel@aerq.com>

------C65ED3E1A5DE826CA595746785F6AF6F
To: openembedded-core@lists.openembedded.org
CC: Alban Bedel <alban.bedel@aerq.com>
Subject: [PATCH] bind: Fix build with the `httpstats` package config enabled
Date: Wed, 11 Sep 2024 08:26:47 +0200
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
MIME-Version: 1.0

When the `httpstats` package config is enabled configure fails with
the error:

> configure: error: Specifying libxml2 installation path is not
> supported, adjust PKG_CONFIG_PATH instead

Drop the explicit path from `--with-libxml2` to solve this issue.

Signed-off-by: Alban Bedel <alban.bedel@aerq.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9b076fa51f5e6fd685066fb817c47239960778e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/bind/bind_9.18.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.28.bb b/meta/recipes-connectivity/bind/bind_9.18.28.bb
index ca2aef233b..4b0948298e 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.28.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.28.bb
@@ -34,7 +34,7 @@ inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-a
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
 PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
 PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
 PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
-- 
2.34.1

[OE-core][scarthgap 00/16] Patch review

[Steve Sakoman]

Please review this set of changes to scarthgap and have comments back by
end of day Thursday, December 5

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/560

The following changes since commit dac630ab5ee7aa6c5c7c294093adbd11b116c765:

  llvm: reduce size of -dbg package (2024-11-22 05:42:54 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 5.0.5

Changqing Li (2):
  acpica: fix CVE-2024-24856
  libsoup: fix CVE-2024-52530, CVE-2024-52531

Deepthi Hemraj (1):
  glibc: stable 2.39 branch updates

Florian Kreutzer (1):
  dropbear: backport fix for concurrent channel open/close

Gassner, Tobias.ext (1):
  rootfs: Ensure run-postinsts is not uninstalled for
    read-only-rootfs-delayed-postinsts

Hitendra Prajapati (1):
  libsndfile: fix CVE-2024-50612

Jiaying Song (1):
  python3-zipp: fix CVE-2024-5569

Jinfeng Wang (1):
  tzdata&tzcode-native: upgrade 2024a -> 2024b

Markus Volk (2):
  gcc: add a backport patch to fix an issue with tzdata 2024b
  ninja: fix build with python 3.13

Peter Marko (1):
  builder: set CVE_PRODUCT

Robert Yang (1):
  libgcrypt: Fix building error with '-O2' in sysroot path

Soumya Sambu (1):
  python3-requests: upgrade 2.32.1 -> 2.32.2

Trevor Gamblin (1):
  python3-urllib3: upgrade 2.2.1 -> 2.2.2

Yogita Urade (1):
  qemu: upgrade 8.2.3 -> 8.2.7

 meta/lib/oe/rootfs.py                         |    4 +
 meta/lib/oeqa/selftest/cases/overlayfs.py     |   41 +-
 ...e-channels-when-a-PID-hasn-t-started.patch |   45 +
 .../recipes-core/dropbear/dropbear_2022.83.bb |    1 +
 .../glib-2.0/gdatetime-test-fail-0001.patch   |   72 +
 .../glib-2.0/gdatetime-test-fail-0002.patch   |   65 +
 .../glib-2.0/gdatetime-test-fail-0003.patch   |   63 +
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |    3 +
 meta/recipes-core/glibc/glibc-version.inc     |    2 +-
 meta/recipes-devtools/gcc/gcc-13.3.inc        |    1 +
 ...4fffe3fc82a710bea66ad651720d71c938b8.patch |  549 ++++++++
 ...4efb41c039789b81f0dc0d67c1ed0faea17c.patch |   62 +
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |    5 +-
 ...s_2.31.0.bb => python3-requests_2.32.0.bb} |    2 +-
 ...lib3_2.2.1.bb => python3-urllib3_2.2.2.bb} |    2 +-
 .../python/python3-zipp/CVE-2024-5569.patch   |  138 ++
 .../python/python3-zipp_3.17.0.bb             |    1 +
 ...u-native_8.2.3.bb => qemu-native_8.2.7.bb} |    0
 ...e_8.2.3.bb => qemu-system-native_8.2.7.bb} |    0
 meta/recipes-devtools/qemu/qemu.inc           |   14 +-
 ...kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch |   75 --
 ...kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch |   73 -
 ...cv-kvm-change-timer-regs-size-to-u64.patch |  107 --
 .../qemu/qemu/CVE-2024-4467-0001.patch        |  112 --
 .../qemu/qemu/CVE-2024-4467-0002.patch        |   55 -
 .../qemu/qemu/CVE-2024-4467-0003.patch        |   57 -
 .../qemu/qemu/CVE-2024-4467-0004.patch        | 1187 -----------------
 .../qemu/qemu/CVE-2024-4467-0005.patch        |  239 ----
 .../qemu/qemu/CVE-2024-7409-0001.patch        |  167 ---
 .../qemu/qemu/CVE-2024-7409-0002.patch        |  175 ---
 .../qemu/qemu/CVE-2024-7409-0003.patch        |  126 --
 .../qemu/qemu/CVE-2024-7409-0004.patch        |  164 ---
 .../qemu/{qemu_8.2.3.bb => qemu_8.2.7.bb}     |    0
 .../acpica/acpica_20240322.bb                 |    3 +-
 .../acpica/files/CVE-2024-24856.patch         |   31 +
 meta/recipes-extended/timezone/timezone.inc   |    6 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |    3 +-
 .../libsndfile1/CVE-2024-50612.patch          |  412 ++++++
 .../libsndfile/libsndfile1_1.2.2.bb           |    1 +
 ...ilding-error-with-O2-in-sysroot-path.patch |   64 +
 ...ilding-error-with-O2-in-sysroot-path.patch |   39 -
 .../libgcrypt/libgcrypt_1.10.3.bb             |    2 +-
 .../libsoup-3.4.4/CVE-2024-52530.patch        |  150 +++
 .../libsoup-3.4.4/CVE-2024-52531-1.patch      |  116 ++
 .../libsoup-3.4.4/CVE-2024-52531-2.patch      |   40 +
 .../libsoup-3.4.4/CVE-2024-52531-3.patch      |  136 ++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |    4 +
 scripts/install-buildtools                    |    4 +-
 48 files changed, 2016 insertions(+), 2602 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/0007-Don-t-close-channels-when-a-PID-hasn-t-started.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0001.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0002.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0003.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc/gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
 create mode 100644 meta/recipes-devtools/ninja/ninja/885b4efb41c039789b81f0dc0d67c1ed0faea17c.patch
 rename meta/recipes-devtools/python/{python3-requests_2.31.0.bb => python3-requests_2.32.0.bb} (84%)
 rename meta/recipes-devtools/python/{python3-urllib3_2.2.1.bb => python3-urllib3_2.2.2.bb} (86%)
 create mode 100644 meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch
 rename meta/recipes-devtools/qemu/{qemu-native_8.2.3.bb => qemu-native_8.2.7.bb} (100%)
 rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.3.bb => qemu-system-native_8.2.7.bb} (100%)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0001.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0002.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0003.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0004.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0005.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch
 rename meta/recipes-devtools/qemu/{qemu_8.2.3.bb => qemu_8.2.7.bb} (100%)
 create mode 100644 meta/recipes-extended/acpica/files/CVE-2024-24856.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2024-50612.patch
 create mode 100644 meta/recipes-support/libgcrypt/files/0001-Fix-building-error-with-O2-in-sysroot-path.patch
 delete mode 100644 meta/recipes-support/libgcrypt/files/0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch

-- 
2.34.1

[OE-core][scarthgap 00/16] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Friday, March 7

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1127

The following changes since commit c74a6d6afc52606825e583cae1162e13a5369498:

  ccache.conf: Add include_file_ctime to sloppiness (2025-02-27 12:19:58 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Alexis Cellier (1):
  systemd: add libpcre2 as RRECOMMENDS if pcre2 is enabled

Archana Polampalli (4):
  ffmpeg: fix CVE-2025-25473
  ffmpeg: fix CVE-2025-25471
  ffmpeg: fix CVE-2025-22921
  ffmpeg: fix CVE-2025-0518

Poonam Jadhav (1):
  curl: ignore CVE-2025-0725

Vijay Anusuri (10):
  openssh: Fix CVE-2025-26466
  xwayland: Fix CVE-2024-9632
  xwayland: Fix CVE-2025-26594
  xwayland: Fix CVE-2025-26595
  xwayland: Fix CVE-2025-26596
  xwayland: Fix CVE-2025-26597
  xwayland: Fix CVE-2025-26598
  xwayland: Fix CVE-2025-26599
  xwayland: Fix CVE-2025-26600
  xwayland: Fix CVE-2025-26601

 .../openssh/openssh/CVE-2025-26466.patch      |  38 +++++
 .../openssh/openssh_9.6p1.bb                  |   1 +
 meta/recipes-core/systemd/systemd_255.17.bb   |   2 +-
 .../xwayland/xwayland/CVE-2024-9632.patch     |  59 ++++++++
 .../xwayland/xwayland/CVE-2025-26594-1.patch  |  54 +++++++
 .../xwayland/xwayland/CVE-2025-26594-2.patch  |  51 +++++++
 .../xwayland/xwayland/CVE-2025-26595.patch    |  65 +++++++++
 .../xwayland/xwayland/CVE-2025-26596.patch    |  49 +++++++
 .../xwayland/xwayland/CVE-2025-26597.patch    |  46 ++++++
 .../xwayland/xwayland/CVE-2025-26598.patch    | 120 ++++++++++++++++
 .../xwayland/xwayland/CVE-2025-26599-1.patch  |  66 +++++++++
 .../xwayland/xwayland/CVE-2025-26599-2.patch  | 129 +++++++++++++++++
 .../xwayland/xwayland/CVE-2025-26600.patch    |  68 +++++++++
 .../xwayland/xwayland/CVE-2025-26601-1.patch  |  71 ++++++++++
 .../xwayland/xwayland/CVE-2025-26601-2.patch  |  85 +++++++++++
 .../xwayland/xwayland/CVE-2025-26601-3.patch  |  52 +++++++
 .../xwayland/xwayland/CVE-2025-26601-4.patch  | 132 ++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb               |  17 ++-
 .../ffmpeg/ffmpeg/CVE-2025-0518.patch         |  34 +++++
 .../ffmpeg/ffmpeg/CVE-2025-22921.patch        |  34 +++++
 .../ffmpeg/ffmpeg/CVE-2025-25471.patch        |  39 ++++++
 .../ffmpeg/ffmpeg/CVE-2025-25473.patch        |  36 +++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |   4 +
 meta/recipes-support/curl/curl_8.7.1.bb       |   2 +
 24 files changed, 1252 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25471.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch

-- 
2.43.0

[OE-core][scarthgap 00/16] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Friday, June 12

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1777

The following changes since commit 29e623b2ad00555788412fa520fbb9ffec794cbb:

  systemd: upgrade 255.18 -> 255.21 (2025-06-05 09:11:42 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Andrew Fernandes (1):
  gtk+: add missing libdrm dependency

Changqing Li (12):
  libsoup-2.4: fix CVE-2025-32052
  libsoup: fix CVE-2025-32052
  libsoup: fix CVE-2025-32051
  libsoup-2.4: fix CVE-2025-32050
  libsoup: fix CVE-2025-32050
  libsoup-2.4: fix CVE-2025-46421
  libsoup: fix CVE-2025-46421
  libsoup-2.4: fix CVE-2025-4948
  libsoup: fix CVE-2025-4948
  libsoup-2.4: fix CVE-2025-4476
  libsoup-2.4: fix CVE-2025-2784
  libsoup: fix CVE-2025-2784

Peter Marko (2):
  python3: upgrade 3.12.9 -> 3.12.11
  testimage: get real os-release file

Vijay Anusuri (1):
  kea: upgrade 2.4.1 -> 2.4.2

 meta/classes-recipe/testimage.bbclass         |   4 +-
 .../kea/{kea_2.4.1.bb => kea_2.4.2.bb}        |   4 +-
 ...shebang-overflow-on-python-config.py.patch |   2 +-
 ...-use-prefix-value-from-build-configu.patch |   2 +-
 ...sts-due-to-load-variability-on-YP-AB.patch |   6 +-
 ...001-ctypes-correct-gcc-check-in-test.patch |  53 -------
 ...e-treat-overflow-in-UID-GID-as-failu.patch |   2 +-
 ..._fileno-test-due-to-load-variability.patch |   2 +-
 ...orlines-skip-due-to-load-variability.patch |   2 +-
 .../python/python3/makerace.patch             |   2 +-
 .../{python3_3.12.9.bb => python3_3.12.11.bb} |   3 +-
 meta/recipes-gnome/gtk+/gtk4_4.14.1.bb        |   1 +
 .../libsoup/libsoup-2.4/CVE-2025-2784.patch   |  56 +++++++
 .../libsoup/libsoup-2.4/CVE-2025-32050.patch  |  29 ++++
 .../libsoup/libsoup-2.4/CVE-2025-32052.patch  |  32 ++++
 .../libsoup/libsoup-2.4/CVE-2025-4476.patch   |  38 +++++
 .../libsoup/libsoup-2.4/CVE-2025-46421.patch  |  47 ++++++
 .../libsoup/libsoup-2.4/CVE-2025-4948.patch   |  38 +++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   6 +
 .../libsoup/libsoup-3.4.4/CVE-2025-2784.patch | 137 +++++++++++++++++
 .../libsoup-3.4.4/CVE-2025-32050.patch        |  29 ++++
 .../libsoup-3.4.4/CVE-2025-32051-1.patch      |  29 ++++
 .../libsoup-3.4.4/CVE-2025-32051-2.patch      |  57 +++++++
 .../libsoup-3.4.4/CVE-2025-32052.patch        |  31 ++++
 .../libsoup-3.4.4/CVE-2025-46421.patch        | 139 ++++++++++++++++++
 .../libsoup/libsoup-3.4.4/CVE-2025-4948.patch |  97 ++++++++++++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |   7 +
 27 files changed, 788 insertions(+), 67 deletions(-)
 rename meta/recipes-connectivity/kea/{kea_2.4.1.bb => kea_2.4.2.bb} (94%)
 delete mode 100644 meta/recipes-devtools/python/python3/0001-ctypes-correct-gcc-check-in-test.patch
 rename meta/recipes-devtools/python/{python3_3.12.9.bb => python3_3.12.11.bb} (99%)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch

-- 
2.43.0

[OE-core][scarthgap 00/16] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Monday, July 28

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2084

The following changes since commit 24c0ab18045920bb5c1e965c0ea6d176fd6de234:

  oe-debuginfod: add option for data storage (2025-07-16 14:09:39 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Alexander Kanavin (1):
  mtools: upgrade 4.0.43 -> 4.0.44

Archana Polampalli (1):
  openssl: CVE-2024-41996

Deepesh Varatharajan (2):
  binutils: Fix CVE-2025-7545
  glibc: stable 2.39 branch updates

Hitendra Prajapati (1):
  libpam: fix CVE-2025-6020

Jinfeng Wang (1):
  mtools: upgrade 4.0.48 -> 4.0.49

Peter Marko (2):
  orc: set CVE_PRODUCT
  openssl: patch CVE-2025-27587

Richard Purdie (1):
  mtools: upgrade 4.0.46 -> 4.0.47

Roland Kovacs (2):
  libxml2: fix CVE-2025-49795
  sqlite3: fix CVE-2025-6965

Vijay Anusuri (1):
  xserver-xorg: upgrade 21.1.6 -> 21.1.18

Wang Mingyu (3):
  mtools: upgrade 4.0.44 -> 4.0.45
  mtools: upgrade 4.0.45 -> 4.0.46
  mtools: upgrade 4.0.47 -> 4.0.48

Yash Shinde (1):
  binutils: Fix CVE-2025-7546

 .../openssl/openssl/CVE-2024-41996.patch      |   44 +
 .../openssl/openssl/CVE-2025-27587-1.patch    | 1918 +++++++++++++++++
 .../openssl/openssl/CVE-2025-27587-2.patch    |  129 ++
 .../openssl/openssl_3.2.4.bb                  |    3 +
 meta/recipes-core/glibc/glibc-version.inc     |    2 +-
 .../libxml/libxml2/CVE-2025-49795.patch       |   92 +
 meta/recipes-core/libxml/libxml2_2.12.10.bb   |    1 +
 .../binutils/binutils-2.42.inc                |    2 +
 .../binutils/0023-CVE-2025-7545.patch         |   39 +
 .../binutils/0023-CVE-2025-7546.patch         |   58 +
 .../mtools/mtools/clang_UNUSED.patch          |   19 +-
 .../mtools/disable-hardcoded-configs.patch    |    7 +-
 .../mtools/mtools/mtools-makeinfo.patch       |   19 +-
 .../{mtools_4.0.43.bb => mtools_4.0.49.bb}    |    2 +-
 meta/recipes-devtools/orc/orc_0.4.40.bb       |    3 +
 .../libpam/0001-pam-inline-pam-asprintf.patch |  101 +
 .../libpam/0002-pam-namespace-rebase.patch    |  750 +++++++
 .../pam/libpam/CVE-2025-6020-01.patch         | 1128 ++++++++++
 .../pam/libpam/CVE-2025-6020-02.patch         |  187 ++
 .../pam/libpam/CVE-2025-6020-03.patch         |   35 +
 meta/recipes-extended/pam/libpam_1.5.3.bb     |    5 +
 ...org_21.1.16.bb => xserver-xorg_21.1.18.bb} |    2 +-
 .../sqlite/sqlite3/CVE-2025-6965.patch        |  112 +
 meta/recipes-support/sqlite/sqlite3_3.45.3.bb |    1 +
 24 files changed, 4636 insertions(+), 23 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-49795.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7546.patch
 rename meta/recipes-devtools/mtools/{mtools_4.0.43.bb => mtools_4.0.49.bb} (93%)
 create mode 100644 meta/recipes-extended/pam/libpam/0001-pam-inline-pam-asprintf.patch
 create mode 100644 meta/recipes-extended/pam/libpam/0002-pam-namespace-rebase.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-01.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-02.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-03.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.16.bb => xserver-xorg_21.1.18.bb} (92%)
 create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch

-- 
2.43.0

[OE-core][scarthgap 00/16] Patch review

[Yoann Congal]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 31.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

[0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:

  Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:

  python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)

----------------------------------------------------------------

Hitendra Prajapati (2):
  libxml-parser-perl: fix for CVE-2006-10003
  busybox: fix for CVE-2026-26157, CVE-2026-26158

João Marcos Costa (Schneider Electric) (1):
  spdx: add option to include only compiled sources

Martin Jansa (3):
  dtc: backport fix for build with glibc-2.43
  elfutils: don't add -Werror to avoid discarded-qualifiers
  binutils: backport patch to fix build with glibc-2.43 on host

Michael Halstead (2):
  yocto-uninative: Update to 5.0 for needed patchelf updates
  yocto-uninative: Update to 5.1 for glibc 2.43

Nguyen Dat Tho (1):
  python3-cryptography: Fix CVE-2026-26007

Paul Barker (1):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c

Richard Purdie (1):
  pseudo: Add fix for glibc 2.43

Sunil Dora (1):
  rust: Enable dynamic linking with llvm

Vijay Anusuri (3):
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459
  gnutls: Fix CVE-2025-14831

sureshha (1):
  systemd: backport patch to fix journal-file issue

 meta/classes/spdx-common.bbclass              |   3 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/lib/oe/spdx30_tasks.py                   |  12 +
 .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 +++++++
 .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
 ...not-trigger-assertion-on-removed-or-.patch |  65 +++
 meta/recipes-core/systemd/systemd_255.21.bb   |   1 +
 .../binutils/binutils-2.42.inc                |   1 +
 ...tect-against-standard-library-macros.patch |  31 ++
 .../elfutils/elfutils_0.191.bb                |   1 +
 ...001-config-eu.am-do-not-force-Werror.patch |  34 ++
 .../libxml-parser-perl/CVE-2006-10003.patch   |  73 +++
 .../perl/libxml-parser-perl_2.47.bb           |   1 +
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++
 .../python/python3-pyopenssl_24.0.0.bb        |   5 +
 meta/recipes-devtools/rust/rust_1.75.0.bb     |   2 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../0001-Fix-discarded-const-qualifiers.patch |  85 +++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
 .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
 .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
 .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
 .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
 .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
 .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
 .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
 .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
 .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
 34 files changed, 2600 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
 create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch

Re: [OE-core][scarthgap 00/16] Patch review

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
>
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

*sigh* I need to check on my tooling because it did not sent the right
branch. Please ignore this series. I'll send the correct one shortly.

Sorry for the noise.

> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
>   Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
>   python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> Hitendra Prajapati (2):
>   libxml-parser-perl: fix for CVE-2006-10003
>   busybox: fix for CVE-2026-26157, CVE-2026-26158
>
> João Marcos Costa (Schneider Electric) (1):
>   spdx: add option to include only compiled sources
>
> Martin Jansa (3):
>   dtc: backport fix for build with glibc-2.43
>   elfutils: don't add -Werror to avoid discarded-qualifiers
>   binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
>   yocto-uninative: Update to 5.0 for needed patchelf updates
>   yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
>   python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
>   tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
>   pseudo: Add fix for glibc 2.43
>
> Sunil Dora (1):
>   rust: Enable dynamic linking with llvm
>
> Vijay Anusuri (3):
>   python3-pyopenssl: Fix CVE-2026-27448
>   python3-pyopenssl: Fix CVE-2026-27459
>   gnutls: Fix CVE-2025-14831
>
> sureshha (1):
>   systemd: backport patch to fix journal-file issue
>
>  meta/classes/spdx-common.bbclass              |   3 +
>  meta/conf/distro/include/yocto-uninative.inc  |  10 +-
>  meta/lib/oe/spdx30_tasks.py                   |  12 +
>  .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 +++++++
>  .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++
>  meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
>  ...not-trigger-assertion-on-removed-or-.patch |  65 +++
>  meta/recipes-core/systemd/systemd_255.21.bb   |   1 +
>  .../binutils/binutils-2.42.inc                |   1 +
>  ...tect-against-standard-library-macros.patch |  31 ++
>  .../elfutils/elfutils_0.191.bb                |   1 +
>  ...001-config-eu.am-do-not-force-Werror.patch |  34 ++
>  .../libxml-parser-perl/CVE-2006-10003.patch   |  73 +++
>  .../perl/libxml-parser-perl_2.47.bb           |   1 +
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++
>  .../python/python3-cryptography_42.0.5.bb     |   1 +
>  .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++
>  .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++
>  .../python/python3-pyopenssl_24.0.0.bb        |   5 +
>  meta/recipes-devtools/rust/rust_1.75.0.bb     |   2 +
>  meta/recipes-extended/timezone/timezone.inc   |   6 +-
>  .../0001-Fix-discarded-const-qualifiers.patch |  85 +++
>  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
>  .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
>  .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
>  .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
>  .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
>  .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
>  .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
>  .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
>  .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
>  .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
>  34 files changed, 2600 insertions(+), 9 deletions(-)
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>  create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
>  create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
>  create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
>  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch


-- 
Yoann Congal
Smile ECS